git.stella-ops.org/docs/modules/excititor/observability/locker-manifest.md
StellaOps Bot 150b3730ef ("up"), 2025-11-24 07:52:25 +02:00

# Excititor Locker Manifest (OBS-53-001)

Defines the manifest for evidence snapshots stored in Evidence Locker / sealed-mode bundles.

## Manifest structure

```json
{
  "tenant": "default",
  "manifestId": "locker:excititor:2025-11-23:0001",
  "createdAt": "2025-11-23T23:10:00Z",
  "items": [
    {
      "observationId": "vex:obs:sha256:...",
      "providerId": "ubuntu-csaf",
      "contentHash": "sha256:...",
      "linksetId": "CVE-2024-0001:pkg:maven/org.demo/app@1.2.3",
      "dsseEnvelopeHash": "sha256:...",
      "provenance": {
        "source": "mirror|ingest",
        "mirrorGeneration": 12,
        "exportCenterManifest": "sha256:..."
      }
    }
  ],
  "merkleRoot": "sha256:...",
  "signature": null,
  "metadata": {"sealed": true}
}
```

`merkleRoot` is computed over `items[*].contentHash`; `signature` is populated in OBS-54-001 (DSSE) and is `null` until then.

## Rules

- `items` are sorted by `observationId`, then `providerId`, using ordinal (byte-wise) string comparison so that every producer and verifier arrives at the same order regardless of locale.
- `merkleRoot` is SHA-256 over the concatenation of `items[*].contentHash` in that order. Despite the name this is a flat hash of the ordered list, not a tree, so it gives no per-item inclusion proofs. Implementations must also pin whether the `sha256:<hex>` text or the raw digest bytes are concatenated; the two choices produce different roots.
- `signature` is a DSSE envelope over the manifest when OBS-54-001 is enabled; otherwise `null`. Note that `dsseEnvelopeHash` sits inside `items[*]`, not at manifest level, so it cannot carry the hash of the manifest signature; it records the hash of the DSSE envelope associated with that item.
- Manifests are immutable. A changed snapshot is a new manifest with the next `manifestId` sequence suffix (the `:0001` part), never an in-place overwrite.

## Storage and replay

- Store manifests alongside payloads in object storage under the key prefix `locker/excititor/<tenant>/<manifestId>`.
- Replay tools must recompute `merkleRoot` from the manifest's own `items[*].contentHash` and compare it before fetching any payload; reject the manifest on mismatch. After fetching, hash each payload and compare it against its item's `contentHash`; reject on any mismatch. Where `signature` is populated, verify the DSSE envelope first: an unsigned `merkleRoot` only detects corruption or an inconsistent manifest, not a tamperer who rewrites the items and the root together.
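The following Python script is an added example covering both the rules above (canonical ordering, root computation, immutable `manifestId`) and the replay checks; it is not part of the Excititor code base. It assumes the `sha256:<hex>` text of each `contentHash` is concatenated as UTF-8 when computing `merkleRoot` (the spec leaves this unpinned), and the sample payloads, `build_manifest`, `verify_for_replay` and `object_key` are names chosen here for illustration.

```python
import hashlib
import json
from typing import Callable, Dict, List, Tuple

# Constructed sample observation payloads (not real VEX data), keyed by observationId.
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    "vex:obs:sha256:bbbb": b'{"status":"not_affected"}',
    "vex:obs:sha256:aaaa": b'{"status":"affected"}',
}


def content_hash(payload: bytes) -> str:
    """Manifest-style digest string: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(payload).hexdigest()


def sort_items(items: List[dict]) -> List[dict]:
    """Canonical order: observationId, then providerId. Python compares str
    by code point (ordinal), so no locale collation can change the result."""
    return sorted(items, key=lambda it: (it["observationId"], it["providerId"]))


def compute_root(items: List[dict]) -> str:
    """SHA-256 over the concatenated items[*].contentHash in canonical order.
    ASSUMPTION: the UTF-8 text of each 'sha256:<hex>' value is concatenated
    as-is; the spec does not say text vs raw digest bytes, so we pin it here."""
    h = hashlib.sha256()
    for it in sort_items(items):
        h.update(it["contentHash"].encode("utf-8"))
    return "sha256:" + h.hexdigest()


def build_manifest(tenant: str, manifest_id: str, created_at: str,
                   items: List[dict]) -> dict:
    """Produce a manifest with items canonically ordered and merkleRoot filled.
    signature stays None until the DSSE step (OBS-54-001) populates it."""
    ordered = sort_items(items)
    return {
        "tenant": tenant,
        "manifestId": manifest_id,
        "createdAt": created_at,
        "items": ordered,
        "merkleRoot": compute_root(ordered),
        "signature": None,
        "metadata": {"sealed": True},
    }


def object_key(manifest: dict) -> str:
    """Storage key per the spec: locker/excititor/<tenant>/<manifestId>."""
    return f"locker/excititor/{manifest['tenant']}/{manifest['manifestId']}"


def verify_for_replay(manifest: dict,
                      fetch_payload: Callable[[str], bytes]) -> Tuple[bool, str]:
    """Replay-side checks, in the order a verifier should run them:
    1. items are in canonical order (otherwise the root is not comparable);
    2. merkleRoot recomputes from the manifest alone, before any payload I/O;
    3. every fetched payload hashes to its item's contentHash.
    Without a populated signature, steps 1-2 only catch corruption or an
    inconsistent manifest, not an attacker who rewrites items and root together."""
    items = manifest["items"]
    if items != sort_items(items):
        return False, "items not in canonical order"
    if compute_root(items) != manifest["merkleRoot"]:
        return False, "merkleRoot mismatch"
    for it in items:
        payload = fetch_payload(it["observationId"])
        if content_hash(payload) != it["contentHash"]:
            return False, f"contentHash mismatch for {it['observationId']}"
    return True, "ok"


def demo() -> Tuple[bool, str]:
    """Build a manifest from the (deliberately unsorted) samples and replay-verify it."""
    items = [
        {"observationId": oid, "providerId": "ubuntu-csaf",
         "contentHash": content_hash(payload)}
        for oid, payload in SAMPLE_PAYLOADS.items()
    ]
    manifest = build_manifest("default", "locker:excititor:2025-11-23:0001",
                              "2025-11-23T23:10:00Z", items)
    return verify_for_replay(manifest, SAMPLE_PAYLOADS.__getitem__)


if __name__ == "__main__":
    print(json.dumps(demo()))
```

The order of checks in `verify_for_replay` matters: because `compute_root` sorts internally, a reordered manifest would still match its root, so the ordering check has to run first; and payloads are only fetched once the manifest itself is internally consistent, which keeps a corrupt manifest from triggering bulk object-storage reads.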