stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
49922dff5ad4435420dac177e832ba4290ceaea9
git.stella-ops.org/docs/modules/evidence-locker/evidence-bundle-v1.md
StellaOps Bot f214edff82 feat: Add Storybook configuration and motion tokens implementation 
- Introduced Storybook configuration files (`main.ts`, `preview.ts`, `tsconfig.json`) for Angular components.
- Created motion tokens in `motion-tokens.ts` to define durations, easing functions, and transforms.
- Developed a Storybook story for motion tokens showcasing their usage and reduced motion fallback.
- Added SCSS variables for motion durations, easing, and transforms in `_motion.scss`.
- Implemented accessibility smoke tests using Playwright and Axe for automated accessibility checks.
- Created portable and sealed bundle structures with corresponding JSON files for evidence locker.
- Added shell script for verifying notify kit determinism.
2025-12-04 21:36:06 +02:00

59 lines
2.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Evidence Bundle v1 Contract (2025-11-19)
## Scope
Frozen contract for Evidence Bundle v1 covering AdvisoryAI/Concelier/Excititor evidence exports used by air-gap and attestation flows.
## Artefact layout
- Tarball name: `evidence-bundle-<id>.tar.gz`
- Manifest (required): `manifest.json`
- Payloads (required): `observations.ndjson`, `linksets.ndjson`
- Optional: `timeline.ndjson` (time anchors), `transparency.json` (Rekor UUID or skip_reason)
- Hash list: `hashes.sha256` (sha256 of each file)
### manifest.json fields
```json
{
"bundle_id": "evidence-bundle-m0",
"version": "1.0.0",
"created": "2025-11-19T00:00:00Z",
"tenant": "demo",
"scope": "vex",
"inputs": ["sha256:payload-obs", "sha256:payload-linksets"],
"aoc": {"guardrails": true, "details": ["schema:frozen:1.0", "limits:chunk:max=2000"]}
}
```
### observations.ndjson (sample record)
```json
{"observationId":"obs-ossl-001","advisoryId":"CVE-2024-1234","component":"pkg:deb/openssl@1.1.1w","source":"nvd","fetchedAt":"2025-11-18T12:00:00Z"}
```
### linksets.ndjson (sample record)
```json
{"linksetId":"lnm-ossl-001","advisoryId":"CVE-2024-1234","components":["pkg:deb/openssl@1.1.1w"],"normalized":true,"createdAt":"2025-11-18T12:05:00Z"}
```
### transparency.json (optional)
```json
{"rekor_uuid": null, "skip_reason": "offline"}
```
## Determinism rules
- All timestamps must be UTC RFC3339.
- Ordering: sort NDJSON by `advisoryId`, then `component`, ascending.
- Hashes: compute sha256 on raw file bytes; record in `hashes.sha256` and in manifest `inputs`.
- Tenant must be lowercase; include in manifest and any attestation subject claims.
## Example bundle (sample)
- Path: `docs/samples/evidence-bundle/evidence-bundle-m0.tar.gz`
- SHA256: `$(cat docs/samples/evidence-bundle/evidence-bundle-m0.tar.gz.sha256 | awk '{print $1}')`
- Contains sample manifest/observations/linksets/transparency per above.
## Attestation linkage
- See `attestation-scope-note.md` for required claims.
- DSSE subject uses the Merkle root derived from `checksums.txt` (sha256 of sorted entry hashes). Record the OCI tarball digest as metadata, not the subject.
## Change log
- 2025-12-04: Updated subject to Merkle root and aligned with EB1EB10 docs/fixtures.
- 2025-11-19: v1 frozen (initial publication). Add real sample tarball + hashes once produced.
Reference in New Issue View Git Blame Copy Permalink