stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
6c1177a6ceab81b77b16ec01a6c859b9e3c12f6a
git.stella-ops.org/docs/modules/signals/evidence/README.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration 
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00

112 lines
4.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Signals DSSE Evidence Staging (runtime/signals gaps)
Artifacts prepared 2025-12-05 (UTC) for DSSE signing and Evidence Locker ingest:
| Artifact | Path | Predicate |
|----------|------|-----------|
| Decay config | `docs/modules/signals/decay/confidence_decay_config.yaml` | `stella.ops/confidenceDecayConfig@v1` |
| Unknowns manifest | `docs/modules/signals/unknowns/unknowns_scoring_manifest.json` | `stella.ops/unknownsScoringManifest@v1` |
| Heuristics catalog | `docs/modules/signals/heuristics/heuristics.catalog.json` | `stella.ops/heuristicCatalog@v1` |
| Checksums | `docs/modules/signals/SHA256SUMS` | — |
## CI Automated Signing
The `.gitea/workflows/signals-dsse-sign.yml` workflow automates DSSE signing.
### Prerequisites (CI Secrets)
| Secret | Description |
|--------|-------------|
| `COSIGN_PRIVATE_KEY_B64` | Base64-encoded cosign private key (required for production) |
| `COSIGN_PASSWORD` | Password for encrypted key (if applicable) |
| `CI_EVIDENCE_LOCKER_TOKEN` | Token for Evidence Locker push (optional) |
### Trigger
- **Automatic**: Push to `main` affecting `docs/modules/signals/**` or `tools/cosign/sign-signals.sh`
- **Manual**: Workflow dispatch with `allow_dev_key=1` for testing
### Output
Signed artifacts uploaded as workflow artifact `signals-dsse-signed-{run}` and optionally pushed to Evidence Locker.
## Development Signing (Local Testing)
A development key pair is available for smoke tests. Recent dev bundles live under `docs/modules/signals/dev-smoke/2025-12-04/` and `docs/modules/signals/dev-smoke/2025-12-05/`.
```bash
# Sign with dev key
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
OUT_DIR=docs/modules/signals/dev-smoke/2025-12-05 \
tools/cosign/sign-signals.sh
# Verify signature
cosign verify-blob \
--key tools/cosign/cosign.dev.pub \
--bundle docs/modules/signals/dev-smoke/2025-12-05/confidence_decay_config.sigstore.json \
docs/modules/signals/decay/confidence_decay_config.yaml
```
**Note**: Dev key signatures are NOT suitable for Evidence Locker or production use; tlog upload is disabled.
## Production Signing (Manual)
For production signing without CI:
```bash
# Option 1: Place key file
cp /path/to/production.key tools/cosign/cosign.key
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh
# Option 2: Use base64 env var
export COSIGN_PRIVATE_KEY_B64=$(cat production.key | base64 -w0)
export COSIGN_PASSWORD=your-password
OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh
```
## Evidence Locker Paths
Post-signing, artifacts go to:
- `evidence-locker/signals/2025-12-05/confidence_decay_config.sigstore.json`
- `evidence-locker/signals/2025-12-05/unknowns_scoring_manifest.sigstore.json`
- `evidence-locker/signals/2025-12-05/heuristics_catalog.sigstore.json`
- `evidence-locker/signals/2025-12-05/SHA256SUMS`
Deterministic tarball (dev-key signing 2025-12-05) for locker push/testing:
```
evidence-locker/signals/2025-12-05/signals-evidence.tar sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d
```
Verification helper:
```
./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]
```
Local locker upload (once creds are available):
```bash
export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/signals-upload-evidence.sh
# or to push both Signals and Zastava in one go
./tools/upload-all-evidence.sh
```
CI upload path:
- Workflow: `.gitea/workflows/signals-evidence-locker.yml`
- Secrets required: `CI_EVIDENCE_LOCKER_TOKEN`, `EVIDENCE_LOCKER_URL`
- Artifact name: `signals-evidence-2025-12-05`
- Retention input (optional): `retention_target` (default 180 days)
## Post-Signing Checklist
1. Verify signatures against public key
2. Update sprint tracker (SPRINT_0140) Delivery Tracker rows 57
3. Add signer ID to Execution Log
4. Copy to offline kit bundle for air-gap parity
## Notes
- All timestamps use UTC ISO-8601 format
- Signatures disable tlog upload (`--tlog-upload=false`) for offline compatibility
- See `tools/cosign/README.md` for detailed key management and CI setup
Reference in New Issue View Git Blame Copy Permalink