git.stella-ops.org/docs/modules/findings-ledger/dsse-policy-linkage.md
StellaOps Bot 47168fec38 feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00


DSSE & Policy Hash Linkage (FL6)

Goal: Every export, replay report, and anchor manifest is tied to the exact policy digest that produced it and is verifiable offline via DSSE.

Binding rules

  1. Policy digest: policyVersion (SHA-256 over policy bundle) is mandatory in ledger events, projections, exports, and replay reports.
  2. DSSE payload types
    • application/vnd.stella-ledger-export+json — export manifests (hashlist + filtersHash).
    • application/vnd.stella-ledger-anchor+json — Merkle anchors (see merkle-anchor-policy.md).
    • application/vnd.stella-ledger-harness+json — replay harness report.
  3. Hashlists: export manifests contain sha256 for each emitted NDJSON line (lineDigest), plus a dataset digest (datasetSha256) over concatenated line digests. Replay harness exposes eventStreamChecksum and projectionChecksum.
  4. Policy linkage: DSSE payload must include policyHash and schemaVersion to prevent replay under mismatched policy versions.

Offline verification flow

  1. Verify DSSE signature (local key or Rekor transparency log if online).
  2. Recompute dataset checksum with tools/LedgerReplayHarness/scripts/verify_export.py --input <export.ndjson> --expected <datasetSha256>.
  3. Cross-check that policyHash in the payload matches the policy bundle in use; on mismatch, block the import/export.
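
The three steps above as one check, in an added example that is not the project's verify_export.py. Assumptions: HMAC-SHA256 stands in for the real DSSE signature scheme, the manifest field name lineDigests and the exact hash recipe (hex line digests concatenated in file order, newline excluded) are guesses at details the page does not spell out, and all sample data is constructed.

```python
import base64, hashlib, hmac, json

EXPORT_TYPE = "application/vnd.stella-ledger-export+json"

def pae(payload_type, payload):
    # DSSE pre-authentication encoding: the signature covers type and body together.
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def dataset_digest(ndjson):
    # Assumed recipe: lineDigest = SHA-256 of each line without its newline;
    # datasetSha256 = SHA-256 over the hex line digests concatenated in file order.
    digests = [hashlib.sha256(l).hexdigest() for l in ndjson.split(b"\n") if l]
    return digests, hashlib.sha256("".join(digests).encode()).hexdigest()

def build_manifest(ndjson, policy_bundle):
    digests, dataset = dataset_digest(ndjson)
    return {"schemaVersion": "constructed-v1", "lineDigests": digests,  # assumed names
            "datasetSha256": dataset,
            "policyHash": hashlib.sha256(policy_bundle).hexdigest()}

def sign(key, payload_type, manifest):
    # HMAC-SHA256 stands in for the real DSSE signature scheme (stdlib only).
    body = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(key, pae(payload_type, body), hashlib.sha256).digest()
    return {"payloadType": payload_type, "payload": base64.b64encode(body).decode(),
            "signatures": [{"sig": base64.b64encode(sig).decode()}]}

def verify_export(envelope, key, ndjson, policy_bundle):
    """Return the reasons to block an import; an empty list means accept."""
    body = base64.b64decode(envelope["payload"])
    want = hmac.new(key, pae(envelope["payloadType"], body), hashlib.sha256).digest()
    sigs = [base64.b64decode(s["sig"]) for s in envelope.get("signatures", [])]
    if not any(hmac.compare_digest(want, s) for s in sigs):
        return ["signature"]  # step 1: do not parse an unauthenticated payload
    if envelope["payloadType"] != EXPORT_TYPE:
        return ["payloadType"]
    manifest, errors = json.loads(body), []
    digests, dataset = dataset_digest(ndjson)
    if manifest.get("lineDigests") != digests or manifest.get("datasetSha256") != dataset:
        errors.append("dataset")  # step 2: content or ordering changed
    if manifest.get("policyHash") != hashlib.sha256(policy_bundle).hexdigest():
        errors.append("policyHash")  # step 3: signed under a different policy
    return errors

# Constructed sample data, not taken from the project.
KEY = b"constructed-demo-key"
POLICY = b'{"rules":["constructed"]}'
EXPORT = b'{"id":1,"severity":"high"}\n{"id":2,"severity":"low"}\n'
ENVELOPE = sign(KEY, EXPORT_TYPE, build_manifest(EXPORT, POLICY))
```

Because the signature is computed over the PAE of payloadType and payload, relabelling a signed export manifest as another payload type fails at step 1 rather than reaching the policy check.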

File locations

  • Harness DSSE placeholder now embeds policyHash when LEDGER_POLICY_HASH env var is set.
  • Export manifests and checksums: docs/modules/findings-ledger/golden-checksums.json.
  • External anchors: docs/modules/findings-ledger/merkle-anchor-policy.md (DSSE template).
  • Set LEDGER_POLICY_HASH before running tools/LedgerReplayHarness to imprint the policy digest into the generated .sig file.

Change management

  • Any change to payloadType or the hash recipe bumps the schema version in schema-catalog.md and requires a new DSSE key roll announcement.