stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
0987cd6ac81edc2540d8abce362e822e2f0ecef3
git.stella-ops.org/docs/modules/concelier/schemas/README.md
StellaOps Bot 47168fec38 feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports 
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00

33 lines
1.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Concelier schema bundle (CI1CI10 remediation)
This folder publishes the signed JSON Schemas for Link-Not-Merge ingestion artifacts and the offline bundle manifest used by Offline Kit builds.
- `advisory-observation.schema.json` — canonical observation shape (provenance + content hash enforced).
- `advisory-linkset.schema.json` — linkset materialization with conflict reasons and deterministic IDs.
- `offline-advisory-bundle.schema.json` — manifest for air-gapped advisory bundles, including staleness and signature metadata.
- `schema.manifest.json` — digest manifest over all schemas.
- `schema.manifest.sig` — detached ECDSA (P-256) signature over the manifest (public key: `schema-signing-pub.pem`).
- `schema.manifest.sig.b64` — base64 view of the signature for air-gapped copy/paste.
- `samples/` — deterministic sample payloads for CI fixtures (see `tests` notes below).
## Verify locally (deterministic, offline)
```bash
# 1) Validate schemas are unchanged
sha256sum -c schema.manifest.json
# 2) Verify detached signature with the published public key
openssl dgst -sha256 -verify schema-signing-pub.pem \
-signature schema.manifest.sig \
schema.manifest.json
```
## Test coverage
The fixtures in `samples/` are consumed by `StellaOps.Concelier.Core.Tests` to assert:
- deterministic idempotency keys and conflict ordering (`Linksets/AdvisoryLinksetIdempotencyTests`),
- tenant normalization and signature requirements for observations (`Aoc/AdvisoryObservationWriteGuardTests`),
- offline bundle manifest validation (`Schemas/OfflineBundleSchemaTests`).
Keep the manifest and signature updated whenever schema files change. Keys are dev/test-only; production signing happens in the release pipeline.
Reference in New Issue View Git Blame Copy Permalink