stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
108d1c64b323808d6085fca05818fc581c6b003a
git.stella-ops.org/docs/modules/orchestrator/job-export-contract.md
StellaOps Bot e923880694
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
feat: Add DigestUpsertRequest and LockEntity models 
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
2025-12-03 07:51:50 +02:00

2.7 KiB
Raw Blame History

Orchestrator → Findings Ledger Export Contract

Status: Available (2025-12-03) Scope: defines the deterministic payload Orchestrator emits for job/run exports that Findings Ledger ingests for provenance (LEDGER-34-101).

Payload shape

{
  "runId": "uuid",                 // job/run correlation id
  "jobType": "string",             // e.g., mirror-build, policy-sim, scan
  "artifactHash": "sha256:...",    // CAS digest of primary artifact
  "policyHash": "sha256:...",      // optional; policy bundle hash
  "startedAt": "2025-12-02T00:00:00Z",
  "completedAt": "2025-12-02T00:05:30Z",
  "status": "succeeded|failed|canceled",
  "manifestPath": "cas://.../manifest.json",  // DSSE or CAS path
  "logsPath": "cas://.../logs.ndjson",
  "tenantId": "string",
  "environment": "prod|stage|dev",
  "idempotencyKey": "sha256:...",   // runId+artifactHash
  "signatures": [ { "type": "dsse", "keyId": "...", "signature": "..." } ]
}

Determinism & ordering

  • Entries sorted by runId when streamed; pagination stable via runId, startedAt ascending.
  • idempotencyKey = sha256(runId + artifactHash + tenantId); duplicate submissions are rejected with 409.
  • Timestamps UTC ISO-8601; no clock-skew correction performed by Ledger.

Transport

  • REST: POST /internal/orchestrator/exports (Orchestrator) → Findings Ledger ingest queue.
  • Events: orchestrator.export.created carries the same payload; consumers must verify DSSE before persistence.

Validation rules (Ledger side)

  • Require DSSE signature (Ed25519) when signatures present; fail closed if verification fails.
  • Enforce presence of runId, artifactHash, startedAt, status.
  • Hash fields must match ^sha256:[A-Fa-f0-9]{64}$.
  • Allowed status transitions: pending→running→succeeded/failed/canceled; replays only allowed when idempotencyKey matches existing record.

Mapping to Findings Ledger

  • Stored in collection/table orchestrator_exports with index (artifactHash, runId) and TTL optional on logs if configured.
  • Timeline entry type ledger_export references runId, artifactHash, policyHash, manifestPath, logsPath, DSSE envelope digest, and idempotencyKey.
  • Cross-links: bundleId (if mirror build) or scanId (if scan job) may be added as optional fields; Ledger treats them as opaque strings.

Security / scopes

  • Required scope: orchestrator:exports:write for producer; Ledger ingress validates tenant headers and scope.
  • Max payload: 1 MiB; logs must be CAS/DSSE referenced, not inline.

Offline/air-gap considerations

  • CAS/DSSE paths must resolve within offline kit bundles; no external URIs permitted.
  • Deterministic ordering + idempotency allow replay without side effects; Ledger rejects writes when DSSE or hash mismatch.