bc4318ef97
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
1.4 KiB
1.4 KiB
Score proofs and replay
Purpose
- Provide deterministic score proofs with replayable inputs and attestations.
When to replay
- Determinism audits and compliance checks.
- Dispute resolution or vendor verification.
- Regression investigation after feed or policy changes.
Replay operations
- Trigger replay via CLI or API with scan or job id.
- Support batch replay with concurrency limits.
- Nightly replay jobs validate determinism at scale.
Verification
- Online verification uses DSSE and Rekor proofs.
- Offline verification uses embedded proofs and local trust bundles.
- Verification checks include bundle hash, signature, and input digests.
Bundle contents
- Manifest with inputs and hashes.
- SBOM, advisories, VEX snapshots.
- Deterministic scoring outputs and explain traces.
- DSSE bundle and transparency proof.
Retention and export
- Retain bundles per policy; export for audit with manifests.
- Store in Evidence Locker and Offline Kits.
Monitoring metrics
- score_replay_duration_seconds
- proof_verification_success_rate
- proof_bundle_size_bytes
- replay_queue_depth
- proof_generation_failures
Alerting cues
- Replay latency p95 > 30s.
- Verification failures or queue backlog spikes.
Related references
- operations/proof-verification.md
- operations/replay-and-determinism.md
- docs/operations/score-proofs-runbook.md
- docs/operations/score-replay-runbook.md