stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
199aaf74d879d22d78a872ea93cb4849a82a0760
git.stella-ops.org/docs/ops/evidence-locker-handoff.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration 
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00

42 lines
1.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Evidence Locker Handoff (Signals & Zastava)
## Inputs required (from Ops)
- `EVIDENCE_LOCKER_URL` (base URL, no trailing slash)
- `CI_EVIDENCE_LOCKER_TOKEN` (Bearer token with write to `zastava/*` and `signals/*`)
- **Signals production signing key** for final re-sign (one of):
- `COSIGN_PRIVATE_KEY_B64` (base64 of private key) + optional `COSIGN_PASSWORD`, or
- key file at `tools/cosign/cosign.key` + password.
## Whats ready (deterministic artefacts)
- Zastava tar: `evidence-locker/zastava/2025-12-02/zastava-evidence.tar`
- sha256: `e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9ac019cf0f1c9`
- Signals tar (dev key): `evidence-locker/signals/2025-12-05/signals-evidence.tar`
- sha256: `a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d`
## Publish both bundles (once URL/token are available)
```bash
export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/upload-all-evidence.sh
```
## Verify locally (hash + inner SHA lists)
- Zastava: `./tools/zastava-verify-evidence-tar.sh [path/to/zastava-evidence.tar]`
- Signals: `./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]`
## Re-sign Signals for production trust (optional but recommended)
```bash
export COSIGN_PRIVATE_KEY_B64="<prod-key-b64>"
export COSIGN_PASSWORD="<pwd-if-any>"
OUT_DIR=evidence-locker/signals/2025-12-05 \
tools/cosign/sign-signals.sh
# Rebuild + upload tar
./tools/signals-upload-evidence.sh
```
## Notes
- All packaging is deterministic (`tar --sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner`).
- Tlog upload is disabled for offline parity; Evidence Locker trust comes from the provided keys.
- Upload scripts exit non-zero on hash mismatch to prevent pushing corrupted artefacts.
Reference in New Issue View Git Blame Copy Permalink