git.stella-ops.org/docs/implplan/SPRINT_0513_0001_0001_provenance.md
StellaOps Bot b6b9ffc050 · 2025-11-22 14:02:49 +02:00

Sprint 0513-0001-0001 · Ops & Offline · Provenance

Topic & Scope

  • Prove container provenance offline: model DSSE/SLSA build metadata, signing flows, and promotion predicates for orchestrator/job/export subjects.
  • Deliver signing + verification toolchain that is deterministic, air-gap ready, and consumable from CLI (stella forensic verify) and services.
  • Working directory: src/Provenance/StellaOps.Provenance.Attestation. Active items only; completed/historic work lives in docs/implplan/archived/tasks.md (updated 2025-11-08).

Dependencies & Concurrency

  • Upstream sprints: 100.A Attestor, 110.A AdvisoryAI, 120.A AirGap, 130.A Scanner, 140.A Graph, 150.A Orchestrator, 160.A EvidenceLocker, 170.A Notifier, 180.A CLI.
  • Task sequencing: PROV-OBS-53-001 → PROV-OBS-53-002 → PROV-OBS-53-003 → PROV-OBS-54-001 → PROV-OBS-54-002; downstream tasks stay TODO/BLOCKED until predecessors verify in CI.
  • Concurrency guardrails: keep deterministic ordering in Delivery Tracker; no cross-module code changes unless noted under Interlocks.

Documentation Prerequisites

  • docs/07_HIGH_LEVEL_ARCHITECTURE.md
  • docs/modules/platform/architecture-overview.md
  • docs/modules/attestor/architecture.md
  • docs/modules/signer/architecture.md
  • docs/modules/orchestrator/architecture.md
  • docs/modules/export-center/architecture.md

Delivery Tracker

| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---------|--------|----------------------------|--------|-----------------|
| 1 | PROV-OBS-53-001 | DONE (2025-11-17) | Baseline models available for downstream tasks | Provenance Guild / src/Provenance/StellaOps.Provenance.Attestation | Implement DSSE/SLSA BuildDefinition + BuildMetadata models with canonical JSON serializer, Merkle digest helpers, deterministic hashing tests, and sample statements for orchestrator/job/export subjects. |
| 2 | PROV-OBS-53-002 | DONE (2025-11-22) | Tests green locally; relies on CI rerun for parity | Provenance Guild; Security Guild / src/Provenance/StellaOps.Provenance.Attestation | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. |
| 3 | PROV-OBS-53-003 | DONE (2025-11-22) | Promotion predicate builder implemented; depends on 53-002 outputs | Provenance Guild / src/Provenance/StellaOps.Provenance.Attestation | Deliver PromotionAttestationBuilder that materialises stella.ops/promotion@v1 predicate (image digest, SBOM/VEX materials, promotion metadata, Rekor proof) and feeds canonicalised payload bytes to Signer via StellaOps.Cryptography. |
| 4 | PROV-OBS-54-001 | TODO | Start after PROV-OBS-53-002 clears; needs signer verified | Provenance Guild; Evidence Locker Guild / src/Provenance/StellaOps.Provenance.Attestation | Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody; expose reusable CLI/service APIs; include negative fixtures and offline timestamp verification. |
| 5 | PROV-OBS-54-002 | TODO | Start after PROV-OBS-54-001 verification APIs are stable | Provenance Guild; DevEx/CLI Guild / src/Provenance/StellaOps.Provenance.Attestation | Generate .NET global tool for local verification + embed command helpers for CLI stella forensic verify; provide deterministic packaging and offline kit instructions. |
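The canonical-payload, required-claim policy and verification steps that tasks PROV-OBS-53-001 through PROV-OBS-54-001 describe, as an added Python example that is not the project's own .NET code: it serialises an in-toto statement deterministically, wraps it in a DSSE envelope using the DSSE v1 pre-authentication encoding, enforces the predicateType and required-claim policy before signing, and verifies the envelope including a negative (tampered) case. The in-toto Statement framing, the required predicate field names, the HMAC-based FakeHmacSigner standing in for the cosign/KMS/offline signer abstraction, the Merkle helper and every sample digest are assumptions or constructed values, not the project's API.

```python
"""DSSE promotion attestation: canonical payload, PAE signing, claim policy,
verification.  Added example; not the StellaOps.Provenance.Attestation code."""
import base64
import hashlib
import hmac
import json

PROMOTION_PREDICATE_TYPE = "stella.ops/promotion@v1"   # predicateType named in the sprint
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"     # in-toto Statement v1 (assumed framing)
PAYLOAD_TYPE = "application/vnd.in-toto+json"
REQUIRED_PREDICATE_FIELDS = ("imageDigest", "materials", "promotion")  # assumed required claims


def canonical_json(obj) -> bytes:
    """Deterministic serialisation: sorted keys, no whitespace, UTF-8 (JCS-style ordering)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 Pre-Authentication Encoding: "DSSEv1" SP len(type) SP type SP len(payload) SP payload.
    Signing the PAE rather than the raw payload binds the payloadType to the signature."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def merkle_root(leaves) -> str:
    """Binary SHA-256 Merkle root over leaf byte strings (odd level: duplicate last node).
    Assumed helper shape; the project's Merkle digest helpers may differ."""
    level = [hashlib.sha256(leaf).digest() for leaf in leaves]
    if not level:
        return hashlib.sha256(b"").hexdigest()
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
    return level[0].hex()


class FakeHmacSigner:
    """Test double for the cosign/KMS/offline signer abstraction: HMAC-SHA256 over the PAE.
    HMAC is symmetric and is NOT a DSSE signature scheme; it only lets the flow run offline."""
    def __init__(self, key_id: str, secret: bytes):
        self.key_id, self._secret = key_id, secret

    def sign(self, pae_bytes: bytes) -> bytes:
        return hmac.new(self._secret, pae_bytes, hashlib.sha256).digest()

    def verify(self, pae_bytes: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(pae_bytes), sig)


def build_promotion_statement(image_digest, materials, promotion, rekor_proof=None):
    """In-toto statement carrying the (assumed) stella.ops/promotion@v1 predicate fields."""
    predicate = {"imageDigest": image_digest, "materials": materials, "promotion": promotion,
                 "materialsMerkleRoot": merkle_root([canonical_json(m) for m in materials])}
    if rekor_proof is not None:
        predicate["rekorProof"] = rekor_proof
    return {"_type": STATEMENT_TYPE,
            "subject": [{"name": promotion["image"], "digest": {"sha256": image_digest}}],
            "predicateType": PROMOTION_PREDICATE_TYPE, "predicate": predicate}


def enforce_policy(statement):
    """Required-claims policy, applied both before signing and after signature verification."""
    if statement.get("predicateType") != PROMOTION_PREDICATE_TYPE:
        raise ValueError("predicateType claim mismatch")
    missing = [f for f in REQUIRED_PREDICATE_FIELDS if f not in statement.get("predicate", {})]
    if missing:
        raise ValueError("missing required claims: %s" % missing)


def sign_envelope(statement, signer) -> dict:
    enforce_policy(statement)
    payload = canonical_json(statement)
    sig = signer.sign(pae(PAYLOAD_TYPE, payload))
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": signer.key_id, "sig": base64.b64encode(sig).decode()}]}


def verify_envelope(envelope, signer):
    """Returns the verified statement, or None when no signature by this signer's key validates."""
    payload = base64.b64decode(envelope["payload"])
    encoded = pae(envelope["payloadType"], payload)
    ok = any(s["keyid"] == signer.key_id and signer.verify(encoded, base64.b64decode(s["sig"]))
             for s in envelope["signatures"])
    if not ok:
        return None
    statement = json.loads(payload)
    enforce_policy(statement)   # claims are checked only on the authenticated payload
    return statement


# Constructed sample values (not real digests or registries).
SIGNER = FakeHmacSigner("offline-key-1", b"constructed-test-secret")
SAMPLE_DIGEST = "a" * 64
SAMPLE_STATEMENT = build_promotion_statement(
    SAMPLE_DIGEST,
    [{"uri": "sbom.cdx.json", "digest": {"sha256": "b" * 64}},
     {"uri": "vex.openvex.json", "digest": {"sha256": "c" * 64}}],
    {"image": "registry.example/app", "from": "staging", "to": "prod"})


def demo() -> bool:
    """Round trip plus a negative fixture: a retyped payload must not verify."""
    env = sign_envelope(SAMPLE_STATEMENT, SIGNER)
    assert verify_envelope(env, SIGNER) == SAMPLE_STATEMENT
    assert verify_envelope(dict(env, payloadType="text/plain"), SIGNER) is None
    return True


if __name__ == "__main__":
    print("ok" if demo() else "fail")
```

Because the PAE includes the payloadType, changing the envelope's type without re-signing fails verification even though the payload bytes are untouched; the policy check runs again on the verified statement so a consumer never trusts claims from an unauthenticated payload.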

Wave Coordination

  • Single wave covering Provenance attestation + verification; sequencing enforced in Delivery Tracker.

Wave Detail Snapshots

  • Wave 1 (Provenance chain): Signer abstraction → Promotion predicate builder → Verification library → CLI/global tool packaging.

Interlocks

  • Attestor/Orchestrator schema alignment for promotion predicates and job/export subjects.
  • Evidence Locker timeline proofs required for DSSE verification chain-of-custody.
  • CLI integration depends on DevEx/CLI guild packaging conventions.

Upcoming Checkpoints

  • 2025-11-23 · CI rerun for PROV-OBS-53-002 to resolve MSB6006 and unblock downstream tasks.
  • 2025-11-26 · Schema alignment touchpoint with Orchestrator/Attestor guilds on promotion predicate fields.
  • 2025-11-29 · Offline kit packaging review for verification global tool (PROV-OBS-54-002) with DevEx/CLI guild.

Action Tracker

  • Schedule CI environment rerun for PROV-OBS-53-002 with full dependency restore and logs attached.
  • Prepare schema notes for promotion predicate (image digest, SBOM/VEX materials, Rekor proof) ahead of 2025-11-26 checkpoint.
  • Draft offline kit instructions outline for PROV-OBS-54-002 to accelerate packaging once verification APIs land.

Decisions & Risks

Risk table

| Risk | Impact | Mitigation | Owner |
|------|--------|------------|-------|
| PROV-OBS-53-002 CI parity pending | If CI differs from local, could reopen downstream | Rerun in CI; publish logs; align SDK version | Provenance Guild |
| Promotion predicate schema mismatch with Orchestrator/Attestor | Rework builder and verification APIs | Hold 2025-11-26 alignment; track deltas in docs; gate merges behind feature flag | Provenance Guild / Orchestrator Guild |
| Offline verification kit drift vs CLI packaging rules | Users cannot verify in air-gap | Pair with DevEx/CLI guild; publish deterministic packaging steps and checksums | DevEx/CLI Guild |

  • PROV-OBS-53-002 remains BLOCKED until CI rerun resolves MSB6006; PROV-OBS-53-003/54-001/54-002 stay gated.
  • Archived/complete items move to docs/implplan/archived/tasks.md after closure.

Execution Log

| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-11-22 | PROV-OBS-53-003 delivered: promotion attestation builder signs canonical predicate, enforces predicateType claim, tests passing. | Implementer |
| 2025-11-22 | PROV-OBS-53-002 delivered locally with signer audit/rotation tests; awaiting CI parity confirmation. | Implementer |
| 2025-11-22 | Normalised sprint to standard template and renamed to SPRINT_0513_0001_0001_provenance.md; no scope changes. | Project Mgmt |
| 2025-11-18 | Marked PROV-OBS-53-002 as BLOCKED (tests cannot run locally: dotnet test MSB6006). Downstream PROV-OBS-53-003 blocked on 53-002 verification. | Provenance |
| 2025-11-18 | PROV-OBS-53-002 tests blocked locally (dotnet test MSB6006 after long dependency builds); rerun required in CI/less constrained agent. | Provenance |
| 2025-11-17 | Started PROV-OBS-53-002: added cosign/kms/offline signer abstractions, rotating key provider, audit hooks, and unit tests; full test run pending. | Provenance |
| 2025-11-17 | PROV-OBS-53-001 delivered: canonical BuildDefinition/BuildMetadata hashes, Merkle helpers, deterministic tests, and sample DSSE statements for orchestrator/job/export subjects. | Provenance |