- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.
EB1–EB10 Gap Closure Plan (EVID-GAPS-161-007)
Purpose: track remediation items from the 28-Nov-2025 advisory so Evidence Locker bundles, replay payloads, and portable exports are provably deterministic and verifiable offline.
Working directory: docs/implplan (sprint coordination) with artefacts in docs/modules/evidence-locker and tests/EvidenceLocker.
Scope Items
| ID | Deliverable | Artifact / Path | Owner(s) | Acceptance / Notes | Status |
|---|---|---|---|---|---|
| EB1 | Publish canonical manifest schema | docs/modules/evidence-locker/schemas/bundle.manifest.schema.json | Evidence Locker Guild | JSON Schema matches EvidenceBundleManifest (bundleId, tenantId, kind, metadata, entries) and captures replay/incident/redaction hooks. | DONE (2025-12-04) |
| EB2 | Publish checksums schema | docs/modules/evidence-locker/schemas/checksums.schema.json | Evidence Locker Guild | Canonical map for checksums.txt; Merkle root + chunking metadata; sorted entry rule recorded. | DONE (2025-12-04) |
| EB3 | Hash/Merkle recipe doc | docs/modules/evidence-locker/bundle-packaging.md (new section) | Evidence Locker Guild | Normative steps for Merkle root + DSSE subject; clarifies gzip/tar invariants and CAS compatibility. | DONE (2025-12-04) |
| EB4 | Mandatory DSSE predicate/log policy | docs/modules/evidence-locker/attestation-contract.md | Evidence Locker Guild · Security Guild | Required claims + signing profiles; Rekor/log policy (optional vs required); aligns with crypto registry defaults. | DONE (2025-12-04) |
| EB5 | Replay provenance block | docs/modules/evidence-locker/replay-payload-contract.md + manifest schema | Evidence Locker Guild · Replay Delivery Guild | Replay digest + DSSE envelope recorded; ordering rules match DETERMINISTIC_REPLAY.md; portable bundle retains linkage. | DONE (2025-12-04) |
| EB6 | Chunking/CAS rules | checksums.schema.json + bundle-packaging.md | Evidence Locker Guild · Storage/DevOps | Defines chunk sizing, CAS digest, and stability guarantees; CI test to catch ordering changes. | DONE (2025-12-04) |
| EB7 | Incident-mode signed activation/exit | docs/modules/evidence-locker/incident-mode.md | Evidence Locker Guild · Security Guild | Manifest/DSSE captures activation + deactivation events with signer identity; API/CLI steps documented. | DONE (2025-12-04) |
| EB8 | Tenant isolation + redaction manifest | bundle-packaging.md + portable bundle guidance | Evidence Locker Guild · Privacy Guild | Portable bundles omit tenant identifiers; redaction map recorded; verifier asserts redacted fields absent. | DONE (2025-12-04) |
| EB9 | Offline verifier script | docs/modules/evidence-locker/verify-offline.md | Evidence Locker Guild | POSIX script included; no network dependencies; emits Merkle root used by DSSE subject. | DONE (2025-12-04) |
| EB10 | Golden bundles/replay fixtures + SemVer/changelog | tests/EvidenceLocker/Bundles/Golden/ + docs/modules/evidence-locker/CHANGELOG.md | Evidence Locker Guild · CLI Guild | Golden sealed + portable bundles and replay NDJSON with expected roots; changelog bump covering EB1–EB9. | DONE (2025-12-04) |
Near-Term Actions (to move EB1–EB10 to DONE)
- Wire schemas into EvidenceLocker CI (manifest + checksums validation) and surface in API/CLI OpenAPI/Help.
- Update `attestation-contract.md` and `incident-mode.md` with DSSE predicate/log policy and signed incident toggles (EB4, EB7).
- Extend replay contract with provenance block and ordering example, and mirror in manifest schema (EB5).
- Add normative Merkle/CAS section to `bundle-packaging.md`, ensuring DSSE subject references the root hash (EB3, EB6).
- Create golden fixtures under `tests/EvidenceLocker/Bundles/Golden/` with recorded expected hashes and replay traces; hook into xUnit tests (EB10).
- Bump Evidence Locker and CLI SemVer and changelog once above artefacts are wired (EB10) — completed with changelog v1.1.0 and fixture drop; wire binaries/CLI version in next release cut.
Dependencies and Links
- Advisory: `docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`
- Replay rules: `docs/replay/DETERMINISTIC_REPLAY.md`
- Sprint tracking: `docs/implplan/SPRINT_0161_0001_0001_evidencelocker.md` (EVID-GAPS-161-007)