stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
b444284be530f1bc9c91321cbf230684fe338e57
git.stella-ops.org/docs2/operations/replay-and-determinism.md
master b444284be5 docs: Archive Sprint 3500 (PoE), Sprint 7100 (Proof Moats), and additional sprints 
Archive completed sprint documentation and deliverables:

## SPRINT_3500 - Proof of Exposure (PoE) Implementation (COMPLETE )
- Windows filesystem hash sanitization (colon → underscore)
- Namespace conflict resolution (Subgraph → PoESubgraph)
- Mock test improvements with It.IsAny<>()
- Direct orchestrator unit tests
- 8/8 PoE tests passing (100% success)
- Archived to: docs/implplan/archived/2025-12-23-sprint-3500-poe/

## SPRINT_7100.0001 - Proof-Driven Moats Core (COMPLETE )
- Four-tier backport detection system
- 9 production modules (4,044 LOC)
- Binary fingerprinting (TLSH + instruction hashing)
- VEX integration with proof-carrying verdicts
- 42+ unit tests passing (100% success)
- Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/

## SPRINT_7100.0002 - Proof Moats Storage Layer (COMPLETE )
- PostgreSQL repository implementations
- Database migrations (4 evidence tables + audit)
- Test data seed scripts (12 evidence records, 3 CVEs)
- Integration tests with Testcontainers
- <100ms proof generation performance
- Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/

## SPRINT_3000_0200 - Authority Admin & Branding (COMPLETE )
- Console admin RBAC UI components
- Branding editor with tenant isolation
- Authority backend endpoints
- Archived to: docs/implplan/archived/

## Additional Documentation
- CLI command reference and compliance guides
- Module architecture docs (26 modules documented)
- Data schemas and contracts
- Operations runbooks
- Security risk models
- Product roadmap

All archived sprints achieved 100% completion of planned deliverables.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 15:02:38 +02:00

1.6 KiB
Raw Blame History

Replay and determinism

Deterministic replay lets any scan be reproduced byte for byte. The replay system captures every input, environment detail, and output hash.

Core artifacts

  • Replay manifest (canonical JSON)
  • Input bundle (feeds, policies, tools)
  • Output bundle (SBOM, findings, VEX, logs)
  • DSSE envelopes for each artifact
  • Merkle summaries for layers and feed chunks

Replay manifest sections

  • scan: id, time, versions, crypto profile
  • subject: image digest and layer merkle roots
  • inputs: feeds, rules, tool hashes, env normalization
  • policy: lattice and mute hashes
  • outputs: hashes for SBOM, findings, VEX, logs
  • reachability: graph and runtime trace references
  • provenance: signer and optional ledger anchors

Deterministic execution rules

  • Freeze time to scan.time unless explicitly overridden.
  • Use stable ordering for traversal and output serialization.
  • Derive RNG seeds from scan id and layer merkle roots.
  • Canonicalize JSON before hashing or signing.

Verification and CLI

  • stella scan --record produces manifest and bundles.
  • stella verify checks hashes and DSSE signatures.
  • stella replay re-runs with strict or what-if modes.
  • stella diff compares manifests and highlights drift.

Storage

  • replay_runs, bundles, subjects tables in PostgreSQL.
  • CAS locations use content addressed naming.

Offline posture

  • All inputs must be included in the replay bundle.
  • Trust anchors are supplied via RootPack snapshots.

Related references

  • docs/replay/DETERMINISTIC_REPLAY.md
  • docs/replay/DEVS_GUIDE_REPLAY.md
  • docs/replay/TEST_STRATEGY.md
  • docs/runbooks/replay_ops.md