stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/compliance/COMPLIANCE_READINESS_TRACKER.md

321 lines
12 KiB
Markdown
Raw Permalink Blame History

# Compliance Readiness Tracker
**Version**: 1.0.0
**Created**: 2026-01-15
**Last Updated**: 2026-01-15
**Status**: Active
This document tracks implementation progress for the 7-Item Compliance Readiness Checklist for regulated customer deployments.
## Executive Summary
| Item | Description | Coverage | Status | Target |
|------|-------------|----------|--------|--------|
| 1 | Attestation caching (offline) | 75% | In Progress | Demo Ready |
| 2 | Offline RBAC & break-glass | 60% | In Progress | Demo Ready |
| 3 | Signed SBOM archives | 55% | In Progress | Demo Ready |
| 4 | HSM / key escrow | 50% | In Progress | RFP Ready |
| 5 | Local Rekor mirrors | 60% | In Progress | RFP Ready |
| 6 | Offline policy engine | 80% | In Progress | RFP Ready |
| 7 | Upgrade & evidence migration | 45% | In Progress | Audit Ready |
## Sprint Allocation
### Phase 1: Demo Blockers (016)
Target: Features needed for 10-minute compliance demo.
| Sprint | Module | Description | Status |
|--------|--------|-------------|--------|
| [016_CLI_attest_verify_offline](../implplan/SPRINT_20260112_016_CLI_attest_verify_offline.md) | CLI | Offline attestation verification CLI | TODO |
| [016_CLI_sbom_verify_offline](../implplan/SPRINT_20260112_016_CLI_sbom_verify_offline.md) | CLI | Offline SBOM verification CLI | TODO |
| [016_SCANNER_signed_sbom_archive_spec](../implplan/SPRINT_20260112_016_SCANNER_signed_sbom_archive_spec.md) | Scanner | Signed SBOM archive format | TODO |
| [016_DOCS_blue_green_deployment](../implplan/SPRINT_20260112_016_DOCS_blue_green_deployment.md) | Docs | Blue/green deployment guide | TODO |
### Phase 2: RFP Compliance (017)
Target: Features needed to pass RFP security questionnaires.
| Sprint | Module | Description | Status |
|--------|--------|-------------|--------|
| [017_CRYPTO_pkcs11_hsm_implementation](../implplan/SPRINT_20260112_017_CRYPTO_pkcs11_hsm_implementation.md) | Crypto | PKCS#11 HSM implementation | TODO |
| [017_ATTESTOR_periodic_rekor_sync](../implplan/SPRINT_20260112_017_ATTESTOR_periodic_rekor_sync.md) | Attestor | Periodic Rekor checkpoint sync | TODO |
| [017_ATTESTOR_checkpoint_divergence_detection](../implplan/SPRINT_20260112_017_ATTESTOR_checkpoint_divergence_detection.md) | Attestor | Checkpoint divergence detection | TODO |
| [017_POLICY_cvss_threshold_gate](../implplan/SPRINT_20260112_017_POLICY_cvss_threshold_gate.md) | Policy | CVSS threshold policy gate | TODO |
| [017_POLICY_sbom_presence_gate](../implplan/SPRINT_20260112_017_POLICY_sbom_presence_gate.md) | Policy | SBOM presence policy gate | TODO |
| [017_POLICY_signature_required_gate](../implplan/SPRINT_20260112_017_POLICY_signature_required_gate.md) | Policy | Signature required policy gate | TODO |
### Phase 3: Audit Readiness (018)
Target: Features needed to pass security audits.
| Sprint | Module | Description | Status |
|--------|--------|-------------|--------|
| [018_SIGNER_dual_control_ceremonies](../implplan/SPRINT_20260112_018_SIGNER_dual_control_ceremonies.md) | Signer | Dual-control signing ceremonies | TODO |
| [018_CRYPTO_key_escrow_shamir](../implplan/SPRINT_20260112_018_CRYPTO_key_escrow_shamir.md) | Crypto | Key escrow with Shamir | TODO |
| [018_AUTH_local_rbac_fallback](../implplan/SPRINT_20260112_018_AUTH_local_rbac_fallback.md) | Authority | Local RBAC policy fallback | TODO |
| [018_EVIDENCE_reindex_tooling](../implplan/SPRINT_20260112_018_EVIDENCE_reindex_tooling.md) | Evidence | Evidence re-index tooling | TODO |
| [018_DOCS_upgrade_runbook_evidence_continuity](../implplan/SPRINT_20260112_018_DOCS_upgrade_runbook_evidence_continuity.md) | Docs | Upgrade runbook with evidence | TODO |
## Detailed Item Status
### Item 1: Attestation Caching (Offline)
**Why it matters**: Regulated shops can't reach public Sigstore/Rekor during audits.
| Requirement | Implementation | Status | Sprint |
|-------------|---------------|--------|--------|
| DSSE caching | `TrustVerdictCache`, `CachedAttestorVerificationService` | DONE | Existing |
| Transparency proofs | `RekorOfflineReceiptVerifier` | DONE | Existing |
| Exportable bundles | `EvidencePortableBundleService` | DONE | Existing |
| Hash manifest | `EvidenceBundleManifest` | DONE | Existing |
| Offline CLI verify | `stella attest verify --offline` | TODO | 016_CLI |
| Bundle test fixtures | Golden test fixtures | TODO | 016_CLI |
| VERIFY.md generation | Bundled verification script | TODO | 016_SCANNER |
**Proof Artifacts**:
- [ ] Demo verifying image on laptop with Wi-Fi off
- [ ] SHA-256 match + signature chain report
### Item 2: Offline RBAC & Break-Glass
**Why it matters**: No cloud IdP during outages/air-gap. Auditors want least-privilege and emergency access trails.
| Requirement | Implementation | Status | Sprint |
|-------------|---------------|--------|--------|
| Incident mode tokens | `obs:incident` scope | DONE | Existing |
| 5-minute freshness | `auth_time` claim validation | DONE | Existing |
| Reason codes | `incident_reason` claim | DONE | Existing |
| Audit logging | `/authority/audit/incident` endpoint | DONE | Existing |
| Local file policy | `FileBasedPolicyStore` | TODO | 018_AUTH |
| Break-glass account | Bootstrap bypass account | TODO | 018_AUTH |
| Auto-revocation | Session timeout enforcement | TODO | 018_AUTH |
**Proof Artifacts**:
- [ ] RBAC matrix (roles -> verbs -> resources)
- [ ] Audit log showing break-glass entry/exit
### Item 3: Signed SBOM Archives (Immutable)
**Why it matters**: SBOMs must be tamper-evident and tied to exact build inputs.
| Requirement | Implementation | Status | Sprint |
|-------------|---------------|--------|--------|
| CycloneDX/SPDX | `SbomExportService` | DONE | Existing |
| DSSE signing | `SignerPipeline` | DONE | Existing |
| Archive format | Signed SBOM archive spec | TODO | 016_SCANNER |
| Tool versions | `metadata.json` in archive | TODO | 016_SCANNER |
| Source hashes | Scanner image digest capture | TODO | 016_SCANNER |
| One-click verify | `stella sbom verify` CLI | TODO | 016_CLI |
| RFC 3161 TSA | TSA integration | DEFERRED | Future |
**Proof Artifacts**:
- [ ] One-click "Verify SBOM" checking signature, timestamps, content hashes
### Item 4: HSM / Key Escrow Patterns
**Why it matters**: Key custody is a governance hotspot.
| Requirement | Implementation | Status | Sprint |
|-------------|---------------|--------|--------|
| PKCS#11 support | `HsmPlugin` architecture | PARTIAL | Existing |
| AWS/GCP KMS | `AwsKmsClient`, `GcpKmsClient` | DONE | Existing |
| Key rotation | `KeyRotationService` | DONE | Existing |
| PKCS#11 impl | `Pkcs11HsmClient` with Interop | TODO | 017_CRYPTO |
| Dual-control | M-of-N ceremonies | TODO | 018_SIGNER |
| Key escrow | Shamir secret sharing | TODO | 018_CRYPTO |
| HSM runbook | Setup and config guide | TODO | 017_CRYPTO |
**Proof Artifacts**:
- [ ] Config targeting HSM slot
- [ ] Simulated key rotation with attestation continuity
### Item 5: Local Rekor (Transparency) Mirrors
**Why it matters**: Auditors want inclusion proofs even when offline.
| Requirement | Implementation | Status | Sprint |
|-------------|---------------|--------|--------|
| Tile verification | `IRekorTileClient`, `HttpRekorTileClient` | DONE | Existing |
| Checkpoint verify | `CheckpointSignatureVerifier` | DONE | Existing |
| Offline receipts | `RekorOfflineReceiptVerifier` | DONE | Existing |
| Periodic sync | `RekorSyncBackgroundService` | TODO | 017_ATTESTOR |
| Checkpoint store | `PostgresRekorCheckpointStore` | TODO | 017_ATTESTOR |
| Divergence detect | Root mismatch alarms | TODO | 017_ATTESTOR |
**Proof Artifacts**:
- [ ] Verify inclusion proof against local checkpoint without internet
- [ ] Mismatch alarm if roots diverge
### Item 6: Offline Policy Engine (OPA/Conftest-class)
**Why it matters**: Gates must hold when the network doesn't.
| Requirement | Implementation | Status | Sprint |
|-------------|---------------|--------|--------|
| Policy bundles | `PolicyBundle` with versioning | DONE | Existing |
| Sealed mode | `SealedModeService` | DONE | Existing |
| VEX gates | `VexProofGate`, `VexTrustGate` | DONE | Existing |
| Unknowns gate | `UnknownsBudgetGate` | DONE | Existing |
| Evidence gates | `EvidenceFreshnessGate`, etc. | DONE | Existing |
| CVSS gate | `CvssThresholdGate` | TODO | 017_POLICY |
| SBOM gate | `SbomPresenceGate` | TODO | 017_POLICY |
| Signature gate | `SignatureRequiredGate` | TODO | 017_POLICY |
**Proof Artifacts**:
- [ ] Local policy pack on sample image showing fail
- [ ] Compliant pass after adding VEX exception with justification
### Item 7: Upgrade & Evidence-Migration Paths
**Why it matters**: "Can we upgrade without invalidating proofs?" is a top blocker.
| Requirement | Implementation | Status | Sprint |
|-------------|---------------|--------|--------|
| DB migrations | Forward-only strategy | DONE | Existing |
| Evidence bundles | Merkle roots in manifests | DONE | Existing |
| Backup/restore | Per-module procedures | DONE | Existing |
| Blue/green docs | Deployment guide | TODO | 016_DOCS |
| Upgrade runbook | Step-by-step procedures | TODO | 018_DOCS |
| Re-index tools | `stella evidence reindex` | TODO | 018_EVIDENCE |
| Root cross-ref | Old/new root mapping | TODO | 018_EVIDENCE |
**Proof Artifacts**:
- [ ] Staged upgrade in test namespace
- [ ] Before/after verification reports
- [ ] Unchanged artifact digests
## Documentation Deliverables
| Document | Path | Status |
|----------|------|--------|
| Blue/Green Deployment | [docs/operations/blue-green-deployment.md](../operations/blue-green-deployment.md) | DONE |
| Upgrade Runbook | [docs/operations/upgrade-runbook.md](../operations/upgrade-runbook.md) | DONE |
| HSM Setup Runbook | [docs/operations/hsm-setup-runbook.md](../operations/hsm-setup-runbook.md) | DONE |
| Signed SBOM Spec | [docs/modules/scanner/signed-sbom-archive-spec.md](../modules/scanner/signed-sbom-archive-spec.md) | DONE |
| Break-Glass Account | [docs/modules/authority/operations/break-glass-account.md](../modules/authority/operations/break-glass-account.md) | DONE |
## Demo Script (10 Minutes)
### Preparation
```bash
# Ensure test artifacts are available
export DEMO_IMAGE="registry.company.com/demo-app:v1.0"
export DEMO_BUNDLE="demo-evidence.tar.gz"
export DEMO_SBOM="demo-sbom.tar.gz"
```
### Demo 1: Verify Image + SBOM Offline (2 min)
```bash
# Disconnect network (demo mode)
# Verify attestation bundle offline
stella attest verify --offline \
--bundle ${DEMO_BUNDLE} \
--trust-root /demo/roots/
# Verify SBOM archive offline
stella sbom verify --offline \
--archive ${DEMO_SBOM}
# Show pass/fail output
```
### Demo 2: Policy Gate with VEX Exception (2 min)
```bash
# Show policy gate denying high CVSS
stella policy evaluate \
--artifact sha256:demo123 \
--environment production
# Output: BLOCKED - CVE-2024-12345 (CVSS 9.8) exceeds threshold
# Add VEX exception with justification
stella vex add \
--cve CVE-2024-12345 \
--status not_affected \
--justification "Vulnerable code path not reachable" \
--sign
# Re-evaluate - should pass
stella policy evaluate \
--artifact sha256:demo123 \
--environment production
# Output: PASSED - VEX exception applied
```
### Demo 3: HSM Key Rotation (2 min)
```bash
# Show current signing key
stella key list --active
# Rotate signing key in HSM
stella key rotate \
--new-key-label "signing-2027" \
--hsm-slot 0
# Re-sign attestation
stella attest sign \
--subject sha256:demo123 \
--key signing-2027
# Show proofs remain valid
stella attest verify --bundle new-attestation.tar.gz
```
### Demo 4: Local Rekor Mirror Verification (2 min)
```bash
# Query local Rekor mirror
stella rekor query \
--artifact sha256:demo123 \
--offline
# Verify inclusion proof against local checkpoint
stella rekor verify \
--proof inclusion-proof.json \
--checkpoint checkpoint.sig \
--offline
# Output: VERIFIED - Inclusion proof valid
```
### Demo 5: Upgrade Simulation (2 min)
```bash
# Run upgrade pre-check
stella evidence verify-all --output pre-upgrade.json
# Simulate upgrade (in demo namespace)
stella upgrade simulate --target 2027.Q2
# Re-index proofs
stella evidence reindex --dry-run
# Show continuity report
stella evidence verify-continuity \
--baseline pre-upgrade.json \
--output continuity-report.html
# Open report showing unchanged digests
```
## Stakeholder Sign-Off
| Role | Name | Date | Signature |
|------|------|------|-----------|
| Engineering Lead | | | |
| Security Lead | | | |
| Product Manager | | | |
| Customer Success | | | |
## Change Log
| Date | Version | Author | Changes |
|------|---------|--------|---------|
| 2026-01-15 | 1.0.0 | Planning | Initial tracker creation |
Reference in New Issue View Git Blame Copy Permalink