bc4318ef97
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
1.0 KiB
1.0 KiB
Forensics and evidence locker
The evidence locker is a WORM friendly store for audit and forensic artifacts such as bundles, logs, and attestations.
Storage model
- Object storage with immutable retention and versioning.
- PostgreSQL index with metadata and retention fields.
Ingest rules
- Append only, content addressed paths.
- Require tenant, hash, size, and provenance.
- Reject partial uploads or missing signatures.
Retention and legal hold
- Default retention per tenant.
- Legal hold blocks deletion until cleared by approval.
- Daily retention job emits audit logs.
Access and verification
- RBAC scopes for read, write, and legal hold.
- Verify hashes and DSSE signatures on demand.
- Background sampling emits failure events.
Minimum bundle layout
- manifest.json with hashes and provenance
- data/ payloads
- signatures/ for DSSE or sigstore bundles
Related references
- provenance/attestation-workflow.md
- security/timeline.md
- security/evidence-locker-publishing.md
- docs/forensics/evidence-locker.md
- docs/evidence-locker/evidence-pack-schema.md