git.stella-ops.org/docs/implplan/archived/2025-12-25-sprint-8200-reproducibility/README.md
2025-12-26 00:32:58 +02:00

# Sprint Batch 8200.0001 - Reproducibility & Provenance Epic
**Archived:** 2025-12-25

**Epic Theme:** Deterministic decision-making, reproducibility proof chains, and provenance caching

## Summary
This sprint batch implemented the foundational reproducibility and provenance infrastructure for StellaOps, enabling deterministic policy decisions, verifiable attestations, and efficient caching for offline/air-gap scenarios.
## Sprint Completion Status
| Sprint | Topic | Status | Tasks |
|--------|-------|--------|-------|
| 8200.0001.0001 | Verdict ID Content-Addressing | ✅ **COMPLETE** | 12/12 DONE |
| 8200.0001.0001 | Provcache Core Backend | ✅ **COMPLETE** | 44/44 DONE |
| 8200.0001.0002 | DSSE Round-Trip Testing | ✅ **COMPLETE** | 20/20 DONE |
| 8200.0001.0002 | Provcache Invalidation & Air-Gap | 🟡 **90% COMPLETE** | 50/56 DONE, 6 BLOCKED |
| 8200.0001.0003 | Provcache UX & Observability | ✅ **COMPLETE** | 56/56 DONE |
| 8200.0001.0003 | SBOM Schema Validation CI | ✅ **COMPLETE** | 17/17 DONE |
| 8200.0001.0004 | E2E Reproducibility Test | ✅ **COMPLETE** | 26/26 DONE |
| 8200.0001.0005 | Sigstore Bundle Implementation | 🟡 **79% COMPLETE** | 19/24 DONE, 1 N/A, 4 BLOCKED |
| 8200.0001.0006 | Budget Threshold Attestation | 🟡 **61% COMPLETE** | 11/18 DONE, 1 N/A, 6 BLOCKED |

**Total:** 255/273 tasks DONE (93%), 2 N/A, 16 BLOCKED

## Key Deliverables
### 1. Verdict ID Content-Addressing (Sprint 0001/Verdict)
- `VerdictIdGenerator` with SHA-256 content-addressed IDs
- Deterministic verdict hashing across runs
- 14 unit tests validating stability
### 2. Provcache Core Backend (Sprint 0001/Provcache)
- VeriKey composite hash (source, SBOM, VEX, policy, signer, time)
- DecisionDigest wrapping TrustLattice output
- Valkey read-through cache with Postgres write-behind
- `/v1/provcache/*` API endpoints
- Policy engine integration with bypass support
- OpenTelemetry traces and Prometheus metrics
### 3. DSSE Round-Trip Testing (Sprint 0002/DSSE)
- Sign → serialize → deserialize → re-bundle → verify tests
- Cosign compatibility with mock Fulcio/Rekor
- Multi-signature envelope support
- 55+ determinism and negative tests
### 4. Provcache Invalidation & Air-Gap (Sprint 0002/Provcache)
- Signer revocation fan-out via `SignerRevokedEvent`
- Feed epoch binding via `FeedEpochAdvancedEvent`
- Evidence chunk storage with Merkle verification
- Minimal proof export (lite/standard/strict density)
- CLI commands: `stella prov export/import/verify`
- Lazy evidence fetch for air-gap
### 5. Provcache UX & Observability (Sprint 0003/Provcache)
- ProvenanceBadgeComponent (cached/computed/stale/unknown)
- TrustScoreDisplayComponent with donut chart
- ProofTreeComponent with collapsible Merkle tree
- InputManifestComponent showing decision inputs
- Grafana dashboards (hit rate, latency, invalidations)
- OCI attestation attachment (`stella.ops/provcache@v1`)
### 6. SBOM Schema Validation CI (Sprint 0003/Schema)
- CycloneDX 1.6, SPDX 3.0.1, OpenVEX 0.2.0 schemas
- Validation scripts and CI workflow
- Golden corpus validation on every PR
### 7. E2E Reproducibility Test (Sprint 0004)
- Full pipeline: ingest → normalize → diff → decide → attest → bundle
- Cross-platform verification (Linux/Windows/macOS)
- Golden baseline with expected hashes
- Nightly reproducibility gate
### 8. Sigstore Bundle (Sprint 0005)
- Sigstore Bundle v0.3 models and serialization
- Certificate chain and Merkle proof verification
- DSSE signature verification (ECDSA/Ed25519/RSA)
- 36 unit tests
### 9. Budget Threshold Attestation (Sprint 0006)
- BudgetCheckPredicate with environment, limits, counts
- Deterministic config hash for reproducibility
- VerdictPredicateBuilder integration
- 12 unit tests
## Blocked Tasks (Follow-Up Required)
### Cross-Module Integration (Signer → Provcache)
- PROV-8200-101: Publish `SignerRevokedEvent` from `KeyRotationService.RevokeKey()`
- PROV-8200-105, 106: SignerSetInvalidator DI and tests
### Service Integration
- PROV-8200-112, 113: FeedEpochInvalidator DI and tests
- PROV-8200-143: CLI e2e tests (requires deployed services)
### Attestor Integration
- BUNDLE-8200-016-018, 022: Sigstore Bundle integration with AttestorBundleService, ExportCenter, CLI
- BUDGET-8200-008-010, 014-016: BudgetCheckStatement and DSSE envelope integration
## Files Changed
- **New Projects:** `StellaOps.Provcache`, `StellaOps.Attestor.Bundle`
- **Documentation:** `docs/modules/provcache/`, `docs/modules/attestor/`, `docs/testing/`
- **CI/CD:** `.gitea/workflows/schema-validation.yml`, `.gitea/workflows/e2e-reproducibility.yml`
- **Deploy:** `deploy/grafana/dashboards/provcache-overview.json`
## Next Steps
1. Create follow-up sprint for Signer module to publish `SignerRevokedEvent`
2. Create follow-up sprint for service-level DI registration of invalidators
3. Create follow-up sprint for Attestor integration with Sigstore Bundle and Budget attestation
4. Run full E2E reproducibility test in CI to validate cross-platform determinism