bc4318ef97
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
938 B
938 B
Rekor submission policy
Purpose
- Balance transparency log usage with budget limits and offline safety.
Submission tiers
- Tier 1: graph-level attestations per scan (default).
- Tier 2: edge bundle attestations for escalations.
Budgets
- Hourly limits for graph submissions.
- Daily limits for edge bundle submissions.
- Burst windows for Tier 1 only.
Enforcement
- Queue excess submissions with backpressure.
- Retry failed submissions with backoff.
- Store overflow locally for later submission.
Offline behavior
- Queue submissions in attestor.rekor_offline_queue.
- Bundle pending submissions in offline kits.
- Drain queue when connectivity returns.
Monitoring
- attestor_rekor_submissions_total
- attestor_rekor_submission_latency_seconds
- attestor_rekor_queue_depth
- attestor_rekor_budget_remaining
Related references
- provenance/attestation-workflow.md
- security/crypto-and-trust.md
- docs/operations/rekor-policy.md