stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
b058dbe031053c47bd2fbaa513608f24862b0f1a
git.stella-ops.org/docs/modules/scanner/design/entropy-transport.md
StellaOps Bot 49922dff5a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Details
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Details
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Details
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Risk Bundle CI / risk-bundle-build (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Risk Bundle CI / risk-bundle-offline-kit (push) Has been cancelled
Details
Risk Bundle CI / publish-checksums (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
up the blokcing tasks
2025-12-11 02:32:18 +02:00

1.5 KiB
Raw Blame History

Entropy Evidence Transport Contract

Purpose: unblock SCAN-ENTROPY-186-012 by defining worker → webservice transport for entropy reports.

Endpoint

  • POST /api/v1/scans/{scanId}/entropy
  • Headers: X-Tenant-Id, Content-Type: application/json
  • Body: EntropyReportRequest

EntropyReportRequest (JSON)

  • subject_digest (string, required) — image digest.
  • report_path (string, required) — relative path inside replay bundle (e.g., artifacts/entropy.report.json).
  • hash (string, required) — SHA256 hex of the report file.
  • penalties (object) — { overall: number, layers: [{ digest, score, high_entropy_regions: [ { offset, length, reason } ] }] }.
  • created_at (string, ISO-8601 UTC).
  • tool: { id, version, rng_seed, max_parallel }.

WebService behavior

  • Validate tenant, scanId, subject_digest matches scan record.
  • Validate SHA256 by re-reading report from bundle if available; else accept hash and queue verification job.
  • Persist entropy metadata with scan record and attach to replay manifest.
  • Respond 202 Accepted with { status_url }; return 409 if entropy already recorded for scanId+subject_digest.

Error handling

  • 400 malformed request; 401/403 auth; 404 scan not found; 422 hash mismatch; 500 transient CAS/read errors.

Determinism

  • No clocks added server-side; use provided created_at.
  • No recalculation of entropy; only verification.
  • Log deterministic reasons for rejection to aid reproducible replay.