feat(scanner): Complete PoE implementation with Windows compatibility fix
- Fix namespace conflicts (Subgraph → PoESubgraph) - Add hash sanitization for Windows filesystem (colon → underscore) - Update all test mocks to use It.IsAny<>() - Add direct orchestrator unit tests - All 8 PoE tests now passing (100% success rate) - Complete SPRINT_3500_0001_0001 documentation Fixes compilation errors and Windows filesystem compatibility issues. Tests: 8/8 passing Files: 8 modified, 1 new test, 1 completion report 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
54
docs2/architecture/evidence-and-trust.md
Normal file
54
docs2/architecture/evidence-and-trust.md
Normal file
@@ -0,0 +1,54 @@
|
||||
# Evidence and trust model
|
||||
|
||||
## Determinism rules
|
||||
- Content-address all artifacts by digest.
|
||||
- Canonicalize JSON and sort arrays deterministically.
|
||||
- Use UTC timestamps only.
|
||||
- Do not use wall-clock or RNG in decision paths.
|
||||
- Pin inputs: analyzer versions, policy hash, advisory and VEX snapshots.
|
||||
|
||||
## Evidence categories
|
||||
- Inputs: SBOMs, advisories, VEX statements, provenance, runtime facts.
|
||||
- Transforms: normalization outputs, linksets, reachability graphs.
|
||||
- Decisions: verdicts, explain traces, derived VEX.
|
||||
- Audit: token issuance, policy changes, signing events.
|
||||
|
||||
## Decision Capsules
|
||||
A Decision Capsule is the minimal audit bundle for a decision. It includes:
|
||||
- The exact SBOM (inventory and usage views)
|
||||
- Advisory and VEX snapshot identifiers
|
||||
- Reachability evidence and unknowns metadata
|
||||
- Policy version and policy hash
|
||||
- Decision trace and derived VEX
|
||||
- DSSE envelopes and optional Rekor proofs
|
||||
|
||||
## Attestation chain
|
||||
- in-toto statements wrapped in DSSE envelopes.
|
||||
- Signer produces DSSE; Attestor logs and verifies in Rekor when enabled.
|
||||
- Offline kits include cached proofs for air-gapped verification.
|
||||
|
||||
## Aggregation-Only Contract (AOC)
|
||||
- Ingestion services store raw facts only.
|
||||
- No derived severity, consensus, or policy hints at ingest time.
|
||||
- All derived findings are produced by the Policy Engine.
|
||||
- Idempotent writes use content hash and supersedes chains.
|
||||
- Append-only revisions preserve upstream provenance and conflicts.
|
||||
|
||||
## Content-addressed storage
|
||||
- RustFS stores SBOM fragments, reports, reachability graphs, and evidence bundles.
|
||||
- Replay bundles store inputs and outputs with deterministic ordering.
|
||||
|
||||
## Replay bundles (typical layout)
|
||||
- manifest.json and manifest.dsse.json
|
||||
- input bundle with feeds, policy, and tool manifests
|
||||
- output bundle with SBOMs, findings, VEX, and logs
|
||||
|
||||
## Verification steps (offline or online)
|
||||
1) Verify DSSE envelope signature against trusted keys.
|
||||
2) Recompute payload hash and compare to manifest digest.
|
||||
3) Verify Rekor proof when available or against offline checkpoints.
|
||||
4) Ensure all referenced CAS objects are present and hashed.
|
||||
|
||||
## Retention
|
||||
- Evidence retention is configurable, but must preserve decision reproducibility
|
||||
for the required audit window.
|
||||
Reference in New Issue
Block a user