stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
079284f4b764de9f4ad63dce01ada0b59fb4d91f
git.stella-ops.org/docs/product/portable-audit-pack-plan.md
master cf5b72974f save checkpoint
2026-02-11 01:32:14 +02:00

2.9 KiB
Raw Blame History

Portable Audit Pack Plan (2026-02-10)

Objective

Deliver a portable, signed, offline-verifiable software supply-chain audit pack profile that auditors and air-gapped operators can validate end-to-end without network calls.

Why now

  • Stella Ops already has strong DSSE/Rekor/offline primitives, but contracts are split across multiple bundle formats.
  • Current implementation has partial deterministic guarantees and inconsistent manifest models.
  • A single contract and rollout plan is needed before scaling evidence export/import across modules.

Planned outcome

  • One canonical portable pack profile with:
    • JCS-canonicalized manifest
    • SBOM + DSSE attestation references
    • Rekor inclusion/checkpoint anchors with tile material references
    • deterministic file inventory and content digests
    • optional analytics index profile (components.parquet)

Scope

In scope

  • Contract unification across AuditPack, Attestor EvidencePack, EvidenceLocker exports, and CLI verifier paths.
  • Deterministic generation and offline verification hardening.
  • Golden fixtures and deterministic replay verification matrix.

Out of scope (initial phase)

  • Mandatory Parquet generation in baseline profile.
  • Runtime policy model changes unrelated to pack generation/verification.
  • External transparency services beyond current supported Rekor-compatible model.

Delivery phases

  1. Contract freeze
    • Canonical manifest/schema and compatibility mapping.
    • Required/optional artifact matrix and fail-closed verification rules.
  2. Generator hardening
    • Deterministic serialization, archive metadata, ordering, and digest workflows.
  3. Verification parity
    • Offline signature, digest, and Rekor inclusion verification aligned across services and CLI.
  4. Optional analytics profile
    • components.parquet schema profile, fingerprinting, and operator guidance.
  5. QA and release readiness
    • Deterministic fixtures, tamper scenarios, and regression coverage.

Key risks

  • Contract drift between modules.
  • Hidden non-determinism (timestamps, traversal order, serializer differences).
  • Operator confusion from overlapping legacy bundle formats.
  • Optional analytics dependencies introducing rollout friction.

Mitigations

  • Single schema contract and explicit compatibility tables.
  • Pinned toolchains and fixture-based byte-stability checks.
  • Clear migration/runbook guidance for legacy formats.
  • Optional analytics profile behind explicit enablement.

Traceability

  • Translation sprint (completed): docs-archived/implplan/2026-02-10-completed-sprints/SPRINT_20260210_003_DOCS_portable_audit_pack_translation.md
  • Active implementation sprint: docs/implplan/SPRINT_20260210_005_EvidenceLocker_portable_audit_pack_implementation.md
  • Detailed contract: docs/modules/evidence-locker/portable-audit-pack-contract.md
  • Advisory archive record: docs-archived/product/advisories/10-Feb-2026 - Portable software supply chain audit pack.md