# Replay and determinism

Deterministic replay lets any scan be reproduced byte for byte. The replay system captures every input, environment detail, and output hash, so a second run from the same bundle must produce identical artifacts; any difference is drift and has to be explained.

## Core artifacts

- Replay manifest (canonical JSON)
- Input bundle (feeds, policies, tools)
- Output bundle (SBOM, findings, VEX, logs)
- DSSE envelopes for each artifact
- Merkle summaries for layers and feed chunks

## Replay manifest sections

- scan: id, time, versions, crypto profile
- subject: image digest and layer Merkle roots
- inputs: feeds, rules, tool hashes, env normalization
- policy: lattice and mute hashes
- outputs: hashes for SBOM, findings, VEX, logs
- reachability: graph and runtime trace references
- provenance: signer and optional ledger anchors

## Deterministic execution rules

- Freeze time to scan.time unless explicitly overridden.
- Use stable ordering for traversal and output serialization, so results never depend on filesystem or hash-map iteration order.
- Derive RNG seeds from the scan id and layer Merkle roots; never draw from the OS RNG during a scan.
- Canonicalize JSON before hashing or signing.

## Verification and CLI

- stella scan --record produces the manifest and bundles.
- stella verify checks hashes and DSSE signatures.
- stella replay re-runs a recorded scan in strict or what-if mode.
- stella diff compares manifests and highlights drift.

## Storage

- replay_runs, bundles, and subjects tables in PostgreSQL.
- CAS locations use content-addressed naming.

## Offline posture

- All inputs must be included in the replay bundle.
- Trust anchors are supplied via RootPack snapshots.

## Related references

- docs/replay/DETERMINISTIC_REPLAY.md
- docs/replay/DEVS_GUIDE_REPLAY.md
- docs/replay/TEST_STRATEGY.md
- docs/runbooks/replay_ops.md
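The deterministic execution rules above (canonical JSON before hashing, stable ordering, seeds derived from the scan id and layer Merkle roots) and the manifest drift that stella diff reports can be exercised end to end with the following added example. It is illustrative code written for this page, not code from the replay docs or from the stella CLI: the function names, the manifest layout, the 0x00/0x01 Merkle leaf and node prefixes, and every digest in the sample are assumptions or constructed values. The canonical form used here (recursively sorted keys, no insignificant whitespace) approximates RFC 8785 JCS; a real signer should use a JCS implementation, since Python's float formatting differs from JCS.

```python
"""Added example for the deterministic execution rules; not code from the
replay docs or the stella CLI. Function names, manifest layout and Merkle
prefixes are illustrative assumptions; all sample digests are constructed."""
from __future__ import annotations
import hashlib
import json
import random
from typing import Any

def canonical_json(obj: Any) -> bytes:
    # Assumed canonical form: recursively sorted keys, no insignificant
    # whitespace, UTF-8 with non-ASCII kept (approximates RFC 8785 JCS).
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_canonical(obj: Any) -> str:
    """Hash of the canonical bytes: the value that is signed or compared."""
    return sha256_hex(canonical_json(obj))

def layer_merkle_root(chunk_digests: list[str]) -> str:
    """Binary Merkle root over a layer's chunk digests (hex SHA-256) in chunk
    order. Leaves are prefixed 0x00 and inner nodes 0x01 so the two encodings
    cannot collide; an odd level duplicates its last node."""
    if not chunk_digests:
        return sha256_hex(b"\x00")
    level = [sha256_hex(b"\x00" + bytes.fromhex(d)) for d in chunk_digests]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex(b"\x01" + bytes.fromhex(level[i] + level[i + 1]))
                 for i in range(0, len(level), 2)]
    return level[0]

def derive_seed(scan_id: str, layer_roots: list[str]) -> int:
    """Seed = SHA-256(scan id || layer roots in image order), per the rules."""
    h = hashlib.sha256(scan_id.encode("utf-8"))
    for root in layer_roots:
        h.update(bytes.fromhex(root))
    return int.from_bytes(h.digest()[:8], "big")

def seeded_rng(scan_id: str, layer_roots: list[str]) -> random.Random:
    """All sampling inside a scan draws from this, never from the OS RNG."""
    return random.Random(derive_seed(scan_id, layer_roots))

def order_findings(findings: list[dict]) -> list[dict]:
    """Stable ordering: a total sort key, not filesystem or map traversal order."""
    return sorted(findings, key=lambda f: (f["rule"], f["path"], f.get("line", 0)))

def build_manifest(scan_id: str, scan_time: str, image: str, layers: list[list[str]],
                   inputs: dict, findings: list[dict]) -> dict:
    """Assemble the scan, subject, inputs and outputs sections of a manifest."""
    roots = [layer_merkle_root(chunks) for chunks in layers]
    return {
        "scan": {"id": scan_id, "time": scan_time, "seed": derive_seed(scan_id, roots)},
        "subject": {"image": image, "layer_roots": roots},
        "inputs": inputs,
        "outputs": {"findings": hash_canonical(order_findings(findings))},
    }

def manifest_drift(a: dict, b: dict) -> list[str]:
    """Dotted paths whose values differ between two manifests (what diff flags)."""
    drift: list[str] = []

    def walk(x: Any, y: Any, path: str) -> None:
        if isinstance(x, dict) and isinstance(y, dict):
            for k in sorted(set(x) | set(y)):
                sub = f"{path}.{k}" if path else k
                if k in x and k in y:
                    walk(x[k], y[k], sub)
                else:
                    drift.append(sub)
        elif x != y:
            drift.append(path)

    walk(a, b, "")
    return drift

# Constructed sample inputs: two layers of fake chunk digests, two feed hashes.
LAYERS = [[sha256_hex(b"l0c0"), sha256_hex(b"l0c1")], [sha256_hex(b"l1c0")]]
INPUTS = {"feeds": {"nvd": sha256_hex(b"nvd-snap"), "osv": sha256_hex(b"osv-snap")},
          "tool": sha256_hex(b"scanner-bin")}
FINDINGS = [{"rule": "R2", "path": "/usr/lib/b.so", "line": 0},
            {"rule": "R1", "path": "/usr/lib/a.so", "line": 0}]

def record(findings: list[dict], inputs: dict = INPUTS) -> dict:
    """Record one scan with frozen scan.time; findings may arrive in any order."""
    return build_manifest("scan-0001", "2024-05-01T00:00:00Z",
                          "sha256:" + sha256_hex(b"img"), LAYERS, inputs, findings)

if __name__ == "__main__":
    same = hash_canonical(record(FINDINGS)) == hash_canonical(record(FINDINGS[::-1]))
    print("manifest hash stable across traversal orders:", same)
```

Two points worth noting. First, a what-if replay is just record(findings, other_inputs) followed by manifest_drift(): swapping one feed digest surfaces as the single path inputs.feeds.nvd, while outputs stays unchanged unless the re-run actually produced different findings. Second, the duplicate-last-node rule means a layer with chunks [a, b, c] and one with [a, b, c, c] share a root, so the manifest must also commit the chunk count (or use a scheme that does not duplicate) before the Merkle root can stand in for the layer's content.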