stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/security/aoc-invariants.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration 
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00

33 lines
2.3 KiB
Markdown
Raw Permalink Blame History

# Aggregation-Only Contract (AOC) Invariants
Last updated: 2025-11-25 (DOCS-ATTEST-75-002)
## Core invariants (all components)
- **Tenant isolation**: Every API call requires `X-Stella-Tenant`; storage and caches are keyed by tenant.
- **Append-only inputs**: Evidence, advisories, and attestations are stored immutably; no in-place edits.
- **Determinism**: Sorting and pagination are stable; timestamps are UTC ISO-8601; hashes are lowercase hex.
- **No consensus**: Components enforce validation/verification only; no severity or policy decisions inside AOC services.
- **Offline-first**: All external data (feeds, keys, checkpoints) must be supplied via bundled inputs; no live fetches when sealed.
## Attestor-specific invariants
- **Trust roots**: Verification keys are loaded exclusively from the bundled trust store; network key discovery is disabled in sealed mode.
- **DSSE only**: Inputs must be DSSE envelopes; detached signatures are rejected with a deterministic error code.
- **Transparency optional, explicit**: If a mirrored checkpoint is provided, inclusion proof is validated; otherwise results record `transparency=skipped` without failing the request.
- **Rationale trail**: Each verification emits a rationale list (e.g., `key.match`, `transparency.included`, `transparency.skipped`) so results are replayable.
- **Immutability**: Verified statements and rationale are recorded append-only in the delivery/verification ledger; retries must not overwrite prior entries.
## Guardrails for implementers
- Never permit unsigned or partially signed payloads to proceed past parsing.
## Pending Update
- Add risk scoring provenance guarantees (DOCS-RISK-68-002) once Export/Risk inputs land; due 2025-12-11 per sprint action tracker. Include deterministic hash list for any new examples or schemas.
- Reject any outbound HTTP/S fetch during verification when `Attestor__Offline__Enabled=true`.
- Keep secret material out of logs; log statement digests and key ids only.
- Round numeric scores/weights only at the presentation boundary; internal math stays high-precision.
## Audit checklist
- [ ] Tenant header enforced on every endpoint.
- [ ] Trust bundle hash matches the signed manifest on disk.
- [ ] Transparency verification results are captured per request.
- [ ] Ledger entries are append-only and carry rationale + trace ids.
Reference in New Issue View Git Blame Copy Permalink