stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
2c2bbf10050ecf8ffcc35823205bf86c65bcefb1
git.stella-ops.org/docs/implplan/SPRINT_8200_REPRODUCIBILITY_EPIC_SUMMARY.md

8.7 KiB
Raw Blame History

Epic 8200 · SBOM/VEX Pipeline Reproducibility

Overview

This epic implements the reproducibility, verifiability, and audit-readiness requirements identified in the product advisory analysis of December 2024.

Goal: Ensure StellaOps produces byte-for-byte identical outputs given identical inputs, with full attestation and offline verification capabilities.

Epic Timeline

Phase Sprints Duration Focus
Phase 1: Foundation 8200.0001.0001 Week 1 VerdictId content-addressing (critical fix)
Phase 2: Validation 8200.0001.0002, 8200.0001.0003 Week 1-2 DSSE round-trips, schema validation
Phase 3: E2E 8200.0001.0004 Week 2-3 Full pipeline reproducibility test
Phase 4: Packaging 8200.0001.0005, 8200.0001.0006 Week 3 Sigstore bundles, budget attestation

Sprint Summary

P0: SPRINT_8200_0001_0001 — Verdict ID Content-Addressing

Status: TODO | Effort: 2 days | Blocks: All other sprints

Problem: DeltaVerdict.VerdictId uses random GUID instead of content hash. Solution: Implement VerdictIdGenerator using SHA-256 of canonical JSON.

Task Count Files Modified Tests Added
12 tasks 5 files 4 tests

Key Deliverables:

  • VerdictIdGenerator helper class
  • Content-addressed VerdictId in all verdict creation sites
  • Regression tests for determinism

P1: SPRINT_8200_0001_0002 — DSSE Round-Trip Testing

Status: TODO | Effort: 3 days | Depends on: P0

Problem: No tests validate sign → verify → re-bundle → re-verify cycle. Solution: Comprehensive round-trip test suite with cosign compatibility.

Task Count Files Created Tests Added
20 tasks 4 files 15 tests

Key Deliverables:

  • DsseRoundtripTestFixture with key management
  • Round-trip serialization tests
  • Cosign compatibility verification
  • Multi-signature envelope handling

P2: SPRINT_8200_0001_0003 — SBOM Schema Validation CI

Status: TODO | Effort: 1 day | Depends on: None

Problem: No external validator confirms schema compliance. Solution: Integrate sbom-utility for CycloneDX 1.6 and SPDX 3.0.1 validation.

Task Count Files Created CI Jobs Added
17 tasks 7 files 4 jobs

Key Deliverables:

  • Schema files committed to repo
  • schema-validation.yml workflow
  • Validation scripts for all SBOM formats
  • Required PR check

P3: SPRINT_8200_0001_0004 — Full E2E Reproducibility Test

Status: TODO | Effort: 5 days | Depends on: P0, P1

Problem: No test covers full pipeline: ingest → normalize → diff → decide → attest → bundle. Solution: Create StellaOps.Integration.E2E project with cross-platform verification.

Task Count Files Created CI Jobs Added
26 tasks 8 files 4 jobs

Key Deliverables:

  • Full pipeline test fixture
  • Cross-platform hash comparison (Linux, Windows, macOS)
  • Golden baseline fixtures
  • Nightly reproducibility gate

P4: SPRINT_8200_0001_0005 — Sigstore Bundle Implementation

Status: TODO | Effort: 3 days | Depends on: P1

Problem: Sigstore bundle type defined but not implemented. Solution: Implement v0.3 bundle marshalling/unmarshalling with offline verification.

Task Count Files Created Tests Added
24 tasks 9 files 4 tests

Key Deliverables:

  • StellaOps.Attestor.Bundle library
  • SigstoreBundleBuilder and SigstoreBundleVerifier
  • cosign bundle compatibility
  • CLI command stella attest bundle

P6: SPRINT_8200_0001_0006 — Budget Threshold Attestation

Status: TODO | Effort: 2 days | Depends on: P0

Problem: Unknown budget thresholds not attested in DSSE bundles. Solution: Create BudgetCheckPredicate and include in verdict attestations.

Task Count Files Created/Modified Tests Added
18 tasks 7 files 4 tests

Key Deliverables:

  • BudgetCheckPredicate model
  • Budget config hash for determinism
  • Integration with VerdictPredicateBuilder
  • Verification rule for config drift

Dependency Graph

                    ┌─────────────────┐
                    │   P0: Verdict   │
                    │  Content-Hash   │
                    └────────┬────────┘
                             │
              ┌──────────────┼──────────────┐
              │              │              │
              ▼              ▼              ▼
    ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
    │  P1: DSSE       │ │  P2: Schema     │ │  P6: Budget     │
    │  Round-Trip     │ │  Validation     │ │  Attestation    │
    └────────┬────────┘ └─────────────────┘ └─────────────────┘
             │
    ┌────────┴────────┐
    │                 │
    ▼                 ▼
┌─────────────────┐ ┌─────────────────┐
│  P3: E2E Test   │ │  P4: Sigstore   │
│                 │ │  Bundle         │
└─────────────────┘ └─────────────────┘

Total Effort Summary

Sprint Priority Effort Tasks Status
8200.0001.0001 P0 2 days 12 TODO
8200.0001.0002 P1 3 days 20 TODO
8200.0001.0003 P2 1 day 17 TODO
8200.0001.0004 P3 5 days 26 TODO
8200.0001.0005 P4 3 days 24 TODO
8200.0001.0006 P6 2 days 18 TODO
Total 16 days 117 tasks

Success Criteria

Must Have (Phase 1-2)

  • VerdictId is content-addressed (SHA-256)
  • DSSE round-trip tests pass
  • Schema validation in CI
  • All existing tests pass (no regressions)

Should Have (Phase 3)

  • Full E2E pipeline test
  • Cross-platform reproducibility verified
  • Golden baseline established

Nice to Have (Phase 4)

  • Sigstore bundle support
  • Budget attestation in verdicts
  • cosign interoperability

Documentation Deliverables

Document Sprint Status
docs/reproducibility.md Pre-req DONE
docs/testing/schema-validation.md P2 TODO
docs/testing/e2e-reproducibility.md P3 TODO
docs/modules/attestor/bundle-format.md P4 TODO
docs/modules/policy/budget-attestation.md P6 TODO

Risk Register

Risk Impact Probability Mitigation Owner
Breaking change for stored verdicts High Medium Migration logic for old GUID format Policy Guild
Cross-platform determinism failures High Medium Canonical serialization; path normalization Platform Guild
Sigstore spec changes Medium Low Pin to v0.3; monitor upstream Attestor Guild
CI performance impact Medium Medium Parallelize validation jobs Platform Guild

Execution Checkpoints

Checkpoint Date Criteria
Phase 1 Complete Week 1 end VerdictId fix merged; tests green
Phase 2 Complete Week 2 end DSSE round-trips pass; schema validation active
Phase 3 Complete Week 3 end E2E test running nightly; baselines established
Phase 4 Complete Week 3 end Sigstore bundles working; budget attestation active
Epic Complete Week 3 end All success criteria met; docs complete

Related Documents

Changelog

Date Version Changes
2025-12-24 1.0 Initial epic creation based on product advisory gap analysis