git.stella-ops.org/docs/modules/policy/design/policy-mirror-bundle-schema.md
master 79b8e53441
Add new features and tests for AirGap and Time modules
- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
2025-11-20 23:29:54 +02:00


Policy Mirror Bundle Schema (Draft) — PREP-POLICY-AIRGAP-56-001

Status: Draft (2025-11-20)
Owners: Policy Guild · Cartographer Guild
Scope: Define sealed/offline-ready mirror bundle schema for policy packs to unblock air-gap ingestion (Mirror Bundles v1).

1) Bundle container

  • Format: tar.gz with deterministic ordering, UTC mtime 1970-01-01T00:00:00Z.
  • Root: mirror.manifest.json plus optional mirror.manifest.dsse (post-quantum ready profile TBD).

2) Manifest fields

  • bundle_id (string, required): ULID.
  • schema_version (string): policy.mirror.v1.
  • created_at (RFC3339 UTC).
  • producer (object): {name, version, build} of the mirror tool.
  • provenance (object): {source_registry, source_digest, fetch_time, trust_roots[]}.
  • policies (array) of policy pack descriptors:
    • pack_id (string): content-addressed ID of the pack archive.
    • version (string): semver or commit hash.
    • sha256 (string): hash of pack bytes.
    • signatures[] (optional): detached signatures (Sigstore/DSSE) with key hints.
    • metadata (object): {rules_count, dependencies, min_engine_version}.
  • attestations (optional array): references to DSSE statements covering manifest or pack artefacts.
  • integrity (object): {merkle_root, entries[]} mirroring file tree for audit.

3) File layout

  • packs/{pack_id}.tar.gz: raw policy pack.
  • signatures/{pack_id}.sig: detached signature per pack (optional).
  • notes/compliance.md: optional compliance notes per pack.

4) Sealed-mode rules

  • Whole-bundle DSSE signature required when sealed=true (header flag in manifest).
  • No post-fetch mutation; ingest must verify merkle root and DSSE before unpack.
  • Trust roots pinned per bundle (provenance.trust_roots[]), defaulting to org-configured roots when absent.

5) Determinism & validation

  • All arrays sorted; use lowercase hex for hashes.
  • Validation checklist: bundle hash matches manifest; merkle root recomputes; DSSE signer authorized; engine version compatibility enforced before import.
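The manifest-side part of this checklist (sections 2, 4 and 5) as an added worked example; this is illustrative code, not the StellaOps importer. The draft does not define how merkle_root is derived from integrity.entries[], so the leaf/node scheme below is an assumption, as are the sample pack bytes; the whole-bundle hash check is omitted because it needs the archive bytes, not the manifest.

```python
import hashlib
import re

HEX64 = re.compile(r"^[0-9a-f]{64}$")

def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _semver(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def merkle_root(entries):
    # Assumed scheme (the draft does not define one): leaf = sha256(path NUL sha256hex),
    # leaves sorted by path, parent = sha256(left_hex + right_hex), odd last node duplicated.
    level = [_h(f"{e['path']}\0{e['sha256']}".encode()) for e in sorted(entries, key=lambda e: e["path"])]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [_h((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
    return level[0] if level else _h(b"")

def validate(manifest, has_dsse: bool, engine_version: str) -> list:
    """Findings against the section 5 checklist; an empty list means the manifest passes."""
    findings = []
    if manifest.get("schema_version") != "policy.mirror.v1":
        findings.append("unsupported schema_version")
    packs = manifest["policies"]
    if [p["pack_id"] for p in packs] != sorted(p["pack_id"] for p in packs):
        findings.append("policies[] not sorted by pack_id")
    for p in packs:
        if not HEX64.match(p["sha256"]):
            findings.append(f"{p['pack_id']}: sha256 is not lowercase hex")
        if _semver(p["metadata"]["min_engine_version"]) > _semver(engine_version):
            findings.append(f"{p['pack_id']}: needs engine >= {p['metadata']['min_engine_version']}")
    entries = manifest["integrity"]["entries"]
    if [e["path"] for e in entries] != sorted(e["path"] for e in entries):
        findings.append("integrity.entries[] not sorted by path")
    if merkle_root(entries) != manifest["integrity"]["merkle_root"]:
        findings.append("integrity.merkle_root does not recompute")
    if manifest.get("sealed") and not has_dsse:
        findings.append("sealed=true but mirror.manifest.dsse is missing")
    return findings

def sample_manifest(sealed: bool = True) -> dict:
    """Constructed sample (not a real bundle): two packs with made-up bytes, root derived from entries."""
    packs = [("pack-a", _h(b"pack a bytes"), "2.0.0"), ("pack-b", _h(b"pack b bytes"), "2.3.0")]
    entries = [{"path": f"packs/{pid}.tar.gz", "sha256": d} for pid, d, _ in packs]
    policies = [{"pack_id": pid, "sha256": d, "metadata": {"min_engine_version": v}} for pid, d, v in packs]
    return {"schema_version": "policy.mirror.v1", "sealed": sealed, "policies": policies,
            "integrity": {"merkle_root": merkle_root(entries), "entries": entries}}
```

Running validate() on a tampered copy of the sample (one entry hash changed, uppercase hex, or a missing DSSE file under sealed=true) yields one finding per violated rule, so the checklist can be enforced as a gate before unpacking.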

6) Open decisions

  • Final DSSE profile (FIPS/eIDAS/GOST) depending on deployment region.
  • Retention/GC policy for stale mirror bundles in sealed mode.
  • Whether to embed policy docs or keep external references; draft assumes external docs are excluded for air-gap safety.

7) Handoff

Treat this file as the publishable artefact for PREP-POLICY-AIRGAP-56-001. Update when Authority/Platform finalize DSSE and trust-root policies.