- Introduced a new VEX compact fixture for testing purposes. - Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests. - Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations. - Documented tasks related to the Mirror Creator. - Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs. - Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases. - Added tests for symbol ID normalization in the reachability scanner. - Enhanced console status service with comprehensive unit tests for connection handling and error recovery. - Included Cosign tool version 2.6.0 with checksums for various platforms.
{
"artifacts": {
"artifact_hashes": {
"path": "artifact-hashes.json",
"sha256": "55f24bdc3d28a5596f4f8a36292820356de50aa2e9c5c2fb81397bfe2891ca4d"
},
"bundle_dsse": {
"path": "mirror-thin-v1.bundle.dsse.json",
"sha256": null
},
"bundle_meta": {
"path": "mirror-thin-v1.bundle.json",
"sha256": null
},
"manifest": {
"path": "mirror-thin-v1.manifest.json",
"sha256": "1affb0b796ff037117b46aa1f1d8056a9c80755e925af058ea72132ba158becf"
},
"manifest_dsse": {
"path": "mirror-thin-v1.manifest.dsse.json",
"sha256": null
},
"mirror_policy": {
"path": "mirror-policy.json",
"sha256": "d7059d4b9e7e207f2420520bf73cf69b644eec0e866f039a1f7d0dc2b3bc1192"
},
"oci_index": {
"path": "oci/index.json",
"sha256": "5daf8024f0f3b37c2077497c54ac3d7bda4aaed59b3c47c605c535662f7a53a5"
},
"offline_policy": {
"path": "offline-kit-policy.json",
"sha256": "ae2513f9768f3f7c0b0994b54f539b2a933e1e851c25c26c8fe46fd963d90579"
},
"rekor_policy": {
"path": "rekor-policy.json",
"sha256": "652df157628db73e9aa0110e7390f8773319c24530e00873afcfdf972644717e"
},
"tarball": {
"path": "mirror-thin-v1.tar.gz",
"sha256": "fb1ce26388a1f1ab2eb90aae6d63ac05de326fbbd947fbf7a17b980232c9fc7d"
},
"time_anchor": {
"path": "time-anchor.json",
"sha256": "c27a0fb0dfa8a9558aaabf8011040abcd4170cf62e36d16b5b1767368f7828ff"
},
"transport_plan": {
"path": "transport-plan.json",
"sha256": "df82a56d9bacb00a1882f5d6d9f9ba469b62b89bd949899b7049e123c1e65914"
}
},
"bundle": "mirror-thin-v1",
"chain_of_custody": [
{
"sha256": "dd11c674629fe94bf37ac9a29d7ae32241f6a17815bb275532d9a78b3d851049",
"step": "build",
"tool": "make-thin-v1.sh"
},
{
"key_present": true,
"keyid": "db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8",
"step": "sign",
"tool": "sign_thin_bundle.py"
}
],
"checkpoint_freshness_seconds": 86400,
"chunk_size_bytes": 5242880,
"created": "2025-12-02T18:08:34Z",
"environment": "lab",
"gaps": {
"ms": [
"MS1 mirror schema versioned in mirror-policy.json",
"MS2 DSSE/TUF rotation days recorded",
"MS3 delta spec includes tombstones + base hash",
"MS4 time-anchor freshness enforced",
"MS5 tenant/env scoping captured",
"MS6 distribution integrity rules documented",
"MS7 chunking/size rules recorded",
"MS8 verify script pinned",
"MS9 metrics/alerts required",
"MS10 semver/changelog noted"
],
"ok": [
"OK1 key manifest + PQ co-sign recorded in offline-kit-policy.json",
"OK2 tool hashing captured in bundle_meta.tooling",
"OK3 DSSE top-level manifest planned via bundle.dsse",
"OK4 checkpoint freshness enforced with checkpoint_freshness_seconds",
"OK5 deterministic packaging flags recorded in offline-kit-policy.json",
"OK6 scan/VEX/policy/graph hashes captured in artifact-hashes.json",
"OK7 time anchor bundled as layers/time-anchor.json",
"OK8 transport + chunking defined in transport-plan.json",
"OK9 tenant/environment scoping recorded in bundle meta",
"OK10 scripted verify path is scripts/mirror/verify_thin_bundle.py"
],
"rk": [
"RK1 enforce dsse/hashedrekord policy in rekor-policy.json",
"RK2 payload size preflight rk2_payloadMaxBytes",
"RK3 routing policy for public/private recorded",
"RK4 shard-aware checkpoints per-tenant-per-day",
"RK5 idempotent submission keys enabled",
"RK6 Sigstore bundle inclusion flagged true",
"RK7 checkpoint freshness seconds recorded",
"RK8 PQ dual-sign toggle matches pqDualSign",
"RK9 error taxonomy enumerated",
"RK10 policy/graph annotations required"
]
},
"pq_cosign_required": false,
"tenant": "tenant-demo",
"tooling": {
"make_thin_v1_sh": "dd11c674629fe94bf37ac9a29d7ae32241f6a17815bb275532d9a78b3d851049",
"sign_script": "30268f3b6d11a1108a8cb5a5ebc9723c34a67cf1e12944b1014cc76965619b73",
"verify_oci": "04b6b0424a725d2081275e67820c580b532646fd640ee9bf62bc75bc7554eb77",
"verify_script": "0794f79851bd71c0e07425e6928f038286957f3babc95ca66660acb6c5d8c31b"
},
"version": "1.0.0"
}