- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.
Evidence Locker Golden Fixtures (EB10)
Purpose: reference bundles and replay records used by CI to prove deterministic packaging, DSSE subject stability, and portable redaction behaviour.
Layout
- `sealed/` – sealed bundle ingredients (`manifest.json`, `checksums.txt`, DSSE `signature.json`, `bundle.json`, evidence ndjson) plus `expected.json`.
- `portable/` – redacted bundle ingredients and `expected.json` noting masked fields and tenant token.
- `replay/` – `replay.ndjson` with `expected.json` (recordDigest, sequence, ledger URI); ordering is canonical (recordedAtUtc, scanId).
Expectations
- Gzip timestamp pinned to `2025-01-01T00:00:00Z`; tar entries use `0644` perms and fixed mtime.
- `checksums.txt` sorted lexicographically by `canonicalPath`; Merkle root equals `sha256sum checksums.txt`.
- DSSE subject ties to the Merkle root; manifest validates against `schemas/bundle.manifest.schema.json`.
- Portable bundles must exclude tenant identifiers and include redaction metadata in the manifest.
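The packaging rules listed above, as an added Python example (not the EvidenceLocker pipeline's own code): it builds a tar.gz whose bytes depend only on file contents and checks a finished bundle against the same rules. The `checksums.txt` line format, ordinal path sorting, placing `checksums.txt` inside the archive, the helper names and the sample files are all assumptions made for illustration.

```python
import gzip, hashlib, io, tarfile

PINNED = 1735689600  # 2025-01-01T00:00:00Z as Unix seconds

def checksums_txt(files):
    # Assumed line format (sha256sum style): "<hex digest>  <canonicalPath>\n",
    # sorted by canonicalPath using ordinal string comparison.
    return "".join(
        f"{hashlib.sha256(files[p]).hexdigest()}  {p}\n" for p in sorted(files)
    ).encode()

def merkle_root(checksums):
    # Per the Expectations list: the root is the SHA-256 of checksums.txt itself.
    return hashlib.sha256(checksums).hexdigest()

def build_bundle(files):
    # Assumption: checksums.txt travels inside the archive with the files it lists.
    members = {**files, "checksums.txt": checksums_txt(files)}
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(members):          # fixed entry order
            info = tarfile.TarInfo(path)
            info.size = len(members[path])
            info.mode, info.mtime = 0o644, PINNED
            info.uid = info.gid = 0           # no builder identity in headers
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(members[path]))
    out = io.BytesIO()
    # filename="" keeps the original-name field out of the gzip header.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=PINNED) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def violations(blob):
    """Return the determinism rules a bundle breaks (empty list = pass)."""
    bad = []
    if int.from_bytes(blob[4:8], "little") != PINNED:  # gzip MTIME header field
        bad.append("gzip mtime not pinned")
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        entries = tar.getmembers()
        data = {m.name: tar.extractfile(m).read() for m in entries}
    for m in entries:
        if m.mode != 0o644 or m.mtime != PINNED:
            bad.append(f"{m.name}: mode/mtime not fixed")
    listed = data.pop("checksums.txt", b"")
    if listed != checksums_txt(data):
        bad.append("checksums.txt does not match contents or is unsorted")
    return bad

# Constructed sample input, not the repository's fixtures.
SAMPLE = {"manifest.json": b'{"bundle":"demo"}', "evidence.ndjson": b'{"n":1}\n'}
```

Because the DSSE subject ties to the Merkle root, any drift in `checksums.txt` ordering or content changes the signed subject, which is why the check recomputes the file rather than trusting the copy in the archive.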
How to (re)generate
- Set `TZ=UTC` and ensure deterministic tool versions.
- Run EvidenceLocker pipeline to produce sealed bundle; copy outputs here with expected hash values.
- Produce portable bundle and replay records using the same input set; write `expected.json` capturing root hashes and replay digests.
- Update xUnit tests in `StellaOps.EvidenceLocker.Tests` to consume these fixtures without network calls.