# Epic 8200 · SBOM/VEX Pipeline Reproducibility ## Status: ✅ ARCHIVED (93% Complete) **Archived:** 2025-12-25 **Archive Location:** `docs/implplan/archived/2025-12-25-sprint-8200-reproducibility/` ## Overview This epic implements the reproducibility, verifiability, and audit-readiness requirements identified in the product advisory analysis of December 2024. **Goal:** Ensure StellaOps produces byte-for-byte identical outputs given identical inputs, with full attestation and offline verification capabilities. ## Final Completion Status | Sprint | Topic | Status | Tasks | |--------|-------|--------|-------| | 8200.0001.0001 | Verdict ID Content-Addressing | ✅ **COMPLETE** | 12/12 DONE | | 8200.0001.0001 | Provcache Core Backend | ✅ **COMPLETE** | 44/44 DONE | | 8200.0001.0002 | DSSE Round-Trip Testing | ✅ **COMPLETE** | 20/20 DONE | | 8200.0001.0002 | Provcache Invalidation & Air-Gap | 🟡 **90%** | 50/56 DONE, 6 BLOCKED | | 8200.0001.0003 | Provcache UX & Observability | ✅ **COMPLETE** | 56/56 DONE | | 8200.0001.0003 | SBOM Schema Validation CI | ✅ **COMPLETE** | 17/17 DONE | | 8200.0001.0004 | E2E Reproducibility Test | ✅ **COMPLETE** | 26/26 DONE | | 8200.0001.0005 | Sigstore Bundle Implementation | 🟡 **79%** | 19/24 DONE, 1 N/A, 4 BLOCKED | | 8200.0001.0006 | Budget Threshold Attestation | 🟡 **61%** | 11/18 DONE, 1 N/A, 6 BLOCKED | **Total:** 255/273 tasks DONE (93%), 2 N/A, 16 BLOCKED (cross-module integration) ## Epic Timeline | Phase | Sprints | Duration | Focus | |-------|---------|----------|-------| | **Phase 1: Foundation** | 8200.0001.0001 | Week 1 | VerdictId content-addressing (critical fix) | | **Phase 2: Validation** | 8200.0001.0002, 8200.0001.0003 | Week 1-2 | DSSE round-trips, schema validation | | **Phase 3: E2E** | 8200.0001.0004 | Week 2-3 | Full pipeline reproducibility test | | **Phase 4: Packaging** | 8200.0001.0005, 8200.0001.0006 | Week 3 | Sigstore bundles, budget attestation | ## Sprint Summary ### P0: SPRINT_8200_0001_0001 — Verdict ID Content-Addressing **Status:** TODO | **Effort:** 2 days | **Blocks:** All other sprints **Problem:** `DeltaVerdict.VerdictId` uses random GUID instead of content hash. **Solution:** Implement `VerdictIdGenerator` using SHA-256 of canonical JSON. | Task Count | Files Modified | Tests Added | |------------|----------------|-------------| | 12 tasks | 5 files | 4 tests | **Key Deliverables:** - [ ] `VerdictIdGenerator` helper class - [ ] Content-addressed VerdictId in all verdict creation sites - [ ] Regression tests for determinism --- ### P1: SPRINT_8200_0001_0002 — DSSE Round-Trip Testing **Status:** TODO | **Effort:** 3 days | **Depends on:** P0 **Problem:** No tests validate sign → verify → re-bundle → re-verify cycle. **Solution:** Comprehensive round-trip test suite with cosign compatibility. | Task Count | Files Created | Tests Added | |------------|---------------|-------------| | 20 tasks | 4 files | 15 tests | **Key Deliverables:** - [ ] `DsseRoundtripTestFixture` with key management - [ ] Round-trip serialization tests - [ ] Cosign compatibility verification - [ ] Multi-signature envelope handling --- ### P2: SPRINT_8200_0001_0003 — SBOM Schema Validation CI **Status:** TODO | **Effort:** 1 day | **Depends on:** None **Problem:** No external validator confirms schema compliance. **Solution:** Integrate sbom-utility for CycloneDX 1.6 and SPDX 3.0.1 validation. | Task Count | Files Created | CI Jobs Added | |------------|---------------|---------------| | 17 tasks | 7 files | 4 jobs | **Key Deliverables:** - [ ] Schema files committed to repo - [ ] `schema-validation.yml` workflow - [ ] Validation scripts for all SBOM formats - [ ] Required PR check --- ### P3: SPRINT_8200_0001_0004 — Full E2E Reproducibility Test **Status:** TODO | **Effort:** 5 days | **Depends on:** P0, P1 **Problem:** No test covers full pipeline: ingest → normalize → diff → decide → attest → bundle. **Solution:** Create `StellaOps.Integration.E2E` project with cross-platform verification. | Task Count | Files Created | CI Jobs Added | |------------|---------------|---------------| | 26 tasks | 8 files | 4 jobs | **Key Deliverables:** - [ ] Full pipeline test fixture - [ ] Cross-platform hash comparison (Linux, Windows, macOS) - [ ] Golden baseline fixtures - [ ] Nightly reproducibility gate --- ### P4: SPRINT_8200_0001_0005 — Sigstore Bundle Implementation **Status:** TODO | **Effort:** 3 days | **Depends on:** P1 **Problem:** Sigstore bundle type defined but not implemented. **Solution:** Implement v0.3 bundle marshalling/unmarshalling with offline verification. | Task Count | Files Created | Tests Added | |------------|---------------|-------------| | 24 tasks | 9 files | 4 tests | **Key Deliverables:** - [ ] `StellaOps.Attestor.Bundle` library - [ ] `SigstoreBundleBuilder` and `SigstoreBundleVerifier` - [ ] cosign bundle compatibility - [ ] CLI command `stella attest bundle` --- ### P6: SPRINT_8200_0001_0006 — Budget Threshold Attestation **Status:** TODO | **Effort:** 2 days | **Depends on:** P0 **Problem:** Unknown budget thresholds not attested in DSSE bundles. **Solution:** Create `BudgetCheckPredicate` and include in verdict attestations. | Task Count | Files Created/Modified | Tests Added | |------------|------------------------|-------------| | 18 tasks | 7 files | 4 tests | **Key Deliverables:** - [ ] `BudgetCheckPredicate` model - [ ] Budget config hash for determinism - [ ] Integration with `VerdictPredicateBuilder` - [ ] Verification rule for config drift --- ## Dependency Graph ``` ┌─────────────────┐ │ P0: Verdict │ │ Content-Hash │ └────────┬────────┘ │ ┌──────────────┼──────────────┐ │ │ │ ▼ ▼ ▼ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │ P1: DSSE │ │ P2: Schema │ │ P6: Budget │ │ Round-Trip │ │ Validation │ │ Attestation │ └────────┬────────┘ └─────────────────┘ └─────────────────┘ │ ┌────────┴────────┐ │ │ ▼ ▼ ┌─────────────────┐ ┌─────────────────┐ │ P3: E2E Test │ │ P4: Sigstore │ │ │ │ Bundle │ └─────────────────┘ └─────────────────┘ ``` ## Total Effort Summary | Sprint | Priority | Effort | Tasks | Status | |--------|----------|--------|-------|--------| | 8200.0001.0001 (Verdict) | P0 | 2 days | 12 | ✅ DONE | | 8200.0001.0001 (Provcache) | P0 | 5 days | 44 | ✅ DONE | | 8200.0001.0002 (DSSE) | P1 | 3 days | 20 | ✅ DONE | | 8200.0001.0002 (Provcache) | P1 | 5 days | 56 | 🟡 90% (6 BLOCKED) | | 8200.0001.0003 (UX) | P2 | 4 days | 56 | ✅ DONE | | 8200.0001.0003 (Schema) | P2 | 1 day | 17 | ✅ DONE | | 8200.0001.0004 | P3 | 5 days | 26 | ✅ DONE | | 8200.0001.0005 | P4 | 3 days | 24 | 🟡 79% (4 BLOCKED) | | 8200.0001.0006 | P6 | 2 days | 18 | 🟡 61% (6 BLOCKED) | | **Total** | — | **30 days** | **273 tasks** | **93% Complete** | ## Success Criteria ### Must Have (Phase 1-2) - [x] VerdictId is content-addressed (SHA-256) - [x] DSSE round-trip tests pass - [x] Schema validation in CI - [x] All existing tests pass (no regressions) ### Should Have (Phase 3) - [x] Full E2E pipeline test - [x] Cross-platform reproducibility verified - [x] Golden baseline established ### Nice to Have (Phase 4) - [x] Sigstore bundle support (core library complete) - [x] Budget attestation in verdicts (models complete) - [x] cosign interoperability (mock-based verification complete) ## Documentation Deliverables | Document | Sprint | Status | |----------|--------|--------| | `docs/reproducibility.md` | Pre-req | ✅ DONE | | `docs/testing/schema-validation.md` | P2 | ✅ DONE | | `docs/testing/e2e-reproducibility.md` | P3 | ✅ DONE | | `docs/modules/attestor/bundle-format.md` | P4 | ✅ DONE | | `docs/modules/policy/budget-attestation.md` | P6 | ✅ DONE | | `docs/modules/provcache/architecture.md` | P1 | ✅ DONE | | `docs/modules/provcache/metrics-alerting.md` | P2 | ✅ DONE | | `docs/modules/ui/provcache-components.md` | P2 | ✅ DONE | ## Risk Register | Risk | Impact | Probability | Mitigation | Owner | |------|--------|-------------|------------|-------| | Breaking change for stored verdicts | High | Medium | Migration logic for old GUID format | Policy Guild | | Cross-platform determinism failures | High | Medium | Canonical serialization; path normalization | Platform Guild | | Sigstore spec changes | Medium | Low | Pin to v0.3; monitor upstream | Attestor Guild | | CI performance impact | Medium | Medium | Parallelize validation jobs | Platform Guild | ## Execution Checkpoints | Checkpoint | Date | Criteria | |------------|------|----------| | Phase 1 Complete | Week 1 end | VerdictId fix merged; tests green | | Phase 2 Complete | Week 2 end | DSSE round-trips pass; schema validation active | | Phase 3 Complete | Week 3 end | E2E test running nightly; baselines established | | Phase 4 Complete | Week 3 end | Sigstore bundles working; budget attestation active | | Epic Complete | Week 3 end | All success criteria met; docs complete | ## Related Documents - [Product Advisory Analysis](../product-advisories/) — Original gap analysis - [Reproducibility Specification](../reproducibility.md) — Verdict ID formula and replay procedure - [Determinism Verification](../testing/determinism-verification.md) — Existing determinism infrastructure - [Attestor Module](../modules/attestor/README.md) — DSSE and attestation architecture ## Changelog | Date | Version | Changes | |------|---------|---------| | 2025-12-24 | 1.0 | Initial epic creation based on product advisory gap analysis | | 2025-12-25 | 2.0 | **Epic archived at 93% completion.** All 9 sprints moved to `archived/2025-12-25-sprint-8200-reproducibility/`. 255/273 tasks DONE. 16 tasks BLOCKED pending cross-module integration (Signer event publishing, Attestor service integration). Follow-up sprints required for remaining integration work. |