stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
c2f13fe588232dd125d2b70ae9ad653b41269d5b
git.stella-ops.org/docs/modules/ui/v2-rewire/pack-20.md
master c2f13fe588 preparation for ui re-shelling
2026-02-18 23:03:07 +02:00

549 lines
30 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## Pack 20 — Evidence & Audit consolidated around **who needs what evidence, when** (release/bundle/envcentric; preserves all PoC screens)
Below you get:
1. **Evidence menu graph (Mermaid)**
2. For **each screen**:
* **Formerly** (old name/location)
* **Why moved/reshaped**
* **Screen navigation graph (Mermaid)**
* **ASCII mock**
This pack covers the PoC evidence screens you showed:
* **Evidence Bundles** (`evidence bundles.png`)
* **Export Center** (`export.png`)
* **Replay/Verify (Verdict Replay)** (`reply verify.png`)
* **Packets / Proof Chains** (present in the left menu in earlier screenshots; you referenced them)
* **Trust & Signing** (`trust and signing .png`)
…and makes them decision-connected for **Release / Bundle / Env**.
---
# 20.1 Evidence & Audit menu graph (Mermaid)
```mermaid
flowchart TD
EVID[Evidence & Audit (ROOT)] --> HOME[Evidence Home]
EVID --> PACK[Evidence Packs]
EVID --> BUND[Evidence Bundles]
EVID --> EXP[Export Center]
EVID --> CHAIN[Proof Chains]
EVID --> VERIFY[Replay & Verify]
EVID --> TRUST[Trust & Signing]
EVID --> AUDIT[Audit Log]
%% Entry points from decision areas
REL[Releases] --> HOME
APPR[Approvals] --> HOME
RCENV[Env Detail] --> HOME
BVER[Bundle Version Detail] --> HOME
%% Cross-links
HOME --> EXP
BUND --> CHAIN
VERIFY --> CHAIN
TRUST --> CHAIN
EXP --> BUND
```
**Design rule:** Evidence is not “a folder of files.”
Its **a pipeline artifact** tied to:
* a **Release/Hotfix**,
* a **Bundle Version**,
* an **Environment Promotion Run**,
* and the **policy decision** that allowed/blocked it.
---
# 20.2 Evidence screen — Evidence Home (new “router” page)
### Formerly
* Evidence was scattered under **Evidence** section items: Packets, Proof Chains, Replay/Verify, Export, Bundles.
* No single “Im an auditor / Im an approver / Im an operator” entry point.
### Why changed like this
Evidence Home is the **entry router**:
* “Give me evidence for **Release X**
* “Give me evidence for **Bundle Version digest**
* “Give me evidence for **Env us-prod today**
* “Give me evidence for **Approval request A**
This reduces bounce across Export/Bundles/Proof Chains.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Evidence Home] --> B[Search: Release / Bundle / Env / Approval / Digest]
A --> C[Quick tiles: Latest packs, latest bundles, failed verifies]
A --> D[Entry: Export Center]
A --> E[Entry: Evidence Bundles]
A --> F[Entry: Replay & Verify]
A --> G[Entry: Proof Chains]
A --> H[Entry: Trust & Signing]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ HOME │
│ Formerly: evidence functions scattered (Packets/Proof Chains/Export/Replay/Bundles) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Find evidence for: [ Release ▾ ] [ Bundle Version ▾ ] [ Environment ▾ ] [ Approval ▾ ] │
│ Or paste: digest / verdict-id / bundle-id │
│ [Search] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Quick views │
│ - Latest promotion evidence packs (24h) - Latest sealed bundles (7d) │
│ - Failed verification / replay (7d) - Expiring trust/certs (30d) │
│ │
│ Shortcuts: [Export Center] [Evidence Bundles] [Replay & Verify] [Proof Chains] [Trust & Signing]│
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.3 Evidence screen — Evidence Packs (formerly “Packets”)
### Formerly
* **Evidence → Packets** (left nav in earlier screenshots)
* Not shown as a main content screenshot, but it exists as PoC menu item.
### Why changed like this
“Pack” becomes the atomic evidence artifact tied to:
* a **promotion run**
* a **policy decision**
* a **bundle version**
* an **environment snapshot**
It should be the default evidence object used internally and optionally exported.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Evidence Packs] --> B[Pack Detail]
A --> C[Filter: Release / Env / Bundle Version / Time]
A --> D[Open linked Approval / Run]
A --> E[Export pack -> Export Center]
B --> F[Proof Chain refs]
B --> G[Verify signatures -> Replay & Verify]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EVIDENCE PACKS │
│ Formerly: Evidence ▸ Packets │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾ Env ▾ Bundle Version ▾ Status ▾ Time window ▾ │
│ Actions: [Export selected packs] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Packs │
│ pack-9001 Feb 18 08:33 env us-prod bundle Hotfix 1.2.4 status: sealed ✓ [Open] │
│ pack-9002 Feb 18 07:30 env us-uat bundle web-frontend v2 status: sealed ✓ [Open] │
│ pack-9003 Feb 17 08:30 env us-prod bundle worker v3.1.0 status: sealed ✓ [Open] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.4 Evidence screen — Pack Detail (new “case file” for a pack)
### Formerly
* Evidence details were spread across Export/Bundles/Replay.
### Why changed like this
One place to answer:
* What decision was made?
* Which bundle manifest/digests?
* Which SBOM/finding snapshot?
* Which signatures / proof chain refs?
* What can I export?
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Pack Detail] --> B[Decision summary (policy gates + approvals)]
A --> C[Artifacts list (SBOM, findings, attestations, provenance)]
A --> D[Proof chain refs]
A --> E[Verify / Replay]
A --> F[Export as bundle / attach to audit report]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE PACK DETAIL: pack-9001 │
│ Formerly: no unified pack “case file” │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Context │
│ Release: Hotfix 1.2.4 Env: us-prod Promotion Run: run-7712 │
│ Bundle manifest: sha256:beef... Created: Feb 18 08:33 by alice.johnson │
│ Decision: PASS policy gates 1/2 (Approval pending) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Included artifacts │
│ [✓] SBOM snapshot (SPDX) [✓] Findings snapshot (with reachability) │
│ [✓] Attestations (build) [✓] Provenance │
│ [✓] VEX statements [✓] Policy decision record │
│ [✓] Replay log / determinism result (if present) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrity │
│ DSSE envelope: present ✓ Rekor entry: present ✓ Proof chain: chain-9912 │
│ Actions: [Verify now] [Replay verdict] [Export as Audit Bundle] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.5 Evidence screen — Evidence Bundles
### Formerly
* **Evidence → Bundles** (`evidence bundles.png`)
“Download and verify sealed evidence bundles for audit and compliance.”
### Why changed like this
Keep the screen, but make “bundle” explicitly:
* a **compiled export artifact**, usually for external auditors
* built from **packs**
* and searchable by Release/Env/Approval.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Evidence Bundles] --> B[Bundle Detail]
A --> C[Generate bundle -> Export Center]
A --> D[Verify bundle -> Replay & Verify]
B --> E[Proof chain refs]
B --> F[Download]
```
### ASCII mock (aligned to your current UI, but with better routing)
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EVIDENCE BUNDLES │
│ Formerly: Evidence ▸ Bundles (evidence bundles.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾ Env ▾ Approval ▾ Status ▾ Time window ▾ │
│ Note: Bundles are compiled exports (from packs) for auditors / compliance teams. │
│ [Go to Export Center] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Bundles │
│ (none found) │
│ Example rows: │
│ bundle-2026-02-18-us-prod.zip sealed ✓ contains packs: 3 [Open] [Download] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.6 Evidence screen — Bundle Detail (new)
### Formerly
* Bundle list existed, but bundle “composition” was not surfaced as a primary view.
### Why changed like this
Auditors ask “what exactly is inside” and “can I verify it independently.”
Bundle Detail shows:
* included packs
* signatures (DSSE)
* transparency log references (Rekor)
* verification status
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Bundle Detail] --> B[Included packs list]
A --> C[Included artifacts inventory]
A --> D[Signatures / DSSE / certificates]
A --> E[Transparency log refs]
A --> F[Verify / Replay]
A --> G[Download]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE BUNDLE DETAIL: bundle-2026-02-18-us-prod.zip │
│ Formerly: not first-class; users downloaded without seeing composition │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Contents │
│ Packs: pack-9001, pack-9002, pack-9003 │
│ Includes: SBOM, Findings, Attestations, Provenance, VEX, Policy Decisions, Logs │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrity │
│ DSSE: present ✓ Rekor entry: present ✓ Cert chain: valid ✓ │
│ Verification status: VERIFIED │
│ Actions: [Verify bundle] [Open Proof Chain] [Download] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.7 Evidence screen — Export Center
### Formerly
* **Evidence → Export** (`export.png`)
“Configure export profiles and monitor export runs.”
### Why changed like this
Keep it intact, but:
* export profiles should be **release/bundle/env aware**
* add “Export Env Snapshot” and “Export Approval Decision Pack” as standard profiles
* export runs are auditable artifacts tied to proofs
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Export Center] --> B[Profiles]
A --> C[Export Runs]
B --> D[Profile Editor]
D --> E[Scope: Release / Bundle / Env / Approval]
D --> F[Destinations: S3/OCI/ZIP]
A --> G[Generated bundle -> Evidence Bundles]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EXPORT CENTER │
│ Formerly: Evidence ▸ Export (export.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Profiles (standardized) │
│ - Approval Decision Pack (ZIP) scope: Approval ID → includes gates + findings + evidence │
│ - Env Snapshot Export (TAR.GZ) scope: Env + time → includes deploy+sbom+reachability+data │
│ - Audit Bundle (ZIP) scope: Release → full auditor bundle │
│ - Daily Compliance Export (TAR) scope: org-wide nightly report │
│ Actions: [Create Profile] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Export Runs │
│ run-8811 Feb 18 08:40 profile: Env Snapshot (us-prod) status: COMPLETED [Open bundle] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.8 Evidence screen — Proof Chains
### Formerly
* **Evidence → Proof Chains** (menu exists; you referenced proof chains repeatedly)
### Why changed like this
Proof chains must be:
* searchable by release/bundle/env/pack
* linked from every exported artifact and decision
* verifiable with a single click trail
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Proof Chains] --> B[Chain Detail]
A --> C[Filter by pack/bundle/release/env]
B --> D[Linked artifacts]
B --> E[Transparency log (Rekor) refs]
B --> F[Verify chain]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ PROOF CHAINS │
│ Formerly: Evidence ▸ Proof Chains (menu only in PoC) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾ Env ▾ Pack ▾ Bundle ▾ Status ▾ │
│ Chains │
│ chain-9912 linked: pack-9001 bundle-2026-02-18-us-prod status: VALID [Open] │
│ chain-9913 linked: pack-9002 status: VALID [Open] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.9 Evidence screen — Replay & Verify (Verdict Replay)
### Formerly
* **Evidence → Replay/Verify** (`reply verify.png`)
“Re-evaluate verdicts for determinism verification and audit trails.”
### Why changed like this
Keep the screen, but integrate it into audit flows:
* every pack/bundle can be replayed/verified from within its detail page
* the replay results are stored back into a pack (audit trail)
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Replay & Verify] --> B[Request Replay (verdict id / image ref)]
A --> C[Replay Requests list]
A --> D[Determinism overview]
A --> E[Open pack detail (source)]
A --> F[Write result into proof chain]
```
### ASCII mock (aligned to your current one, with clearer context)
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ REPLAY & VERIFY │
│ Formerly: Evidence ▸ Replay/Verify (reply verify.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Request Replay │
│ Verdict ID / Image Ref: [ verdict-123 or registry.example.com/app:v1.2.3 ] │
│ Reason: [ audit verification / policy change test / determinism check ] │
│ [Request Replay] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Replay Requests │
│ rr-001 api-service:v1.2.3 COMPLETED Feb 18 08:30 [Open Pack] │
│ rr-002 web-frontend:v2.0.0 RUNNING Feb 18 07:30 [Open Pack] │
├───────────────────────────────────────────────────────────────────────────────┬──────────────┤
│ Determinism Overview │ Notes │
│ total: 2 matching: 1 mismatches: 1 match rate: 50% │ mismatches │
│ │ block exports?│
└──────────────────────────────────────────────────────────────────────────────┴──────────────┘
```
---
# 20.10 Evidence screen — Trust & Signing
### Formerly
* **Settings → Trust & Signing** (`trust and signing .png`)
Contains: Signing Keys, Issuers, Certificates, Transparency Log, Trust Scoring, Audit Log.
### Why changed like this
This is **evidence infrastructure**, not general “settings”.
It should live under Evidence & Audit (root), with a pointer in Settings if needed, because:
* VEX verification depends on issuers/certs
* Rekor integration depends on transparency log configuration
* evidence packs/bundles must be verifiable independently
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Trust & Signing] --> B[Signing Keys]
A --> C[Issuers]
A --> D[Certificates]
A --> E[Transparency Log (Rekor)]
A --> F[Trust Scoring]
A --> G[Audit Log (trust events)]
A --> H[Link: VEX Hub issuer status]
```
### ASCII mock (your card layout preserved)
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ TRUST & SIGNING │
│ Formerly: Settings ▸ Trust & Signing (trust and signing .png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Signing Keys Issuers Certificates │
│ [Manage Keys] [Manage Issuers] [Manage Certificates] │
│ │
│ Transparency Log Trust Scoring Audit Log │
│ [Configure Rekor] [Edit Score Config] [View Audit Log] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.11 Evidence screen — Audit Log (new consolidated view)
### Formerly
* Trust & Signing had its own audit log tile.
* Other audit events were likely scattered.
### Why changed like this
Auditors dont want separate “trust audit” vs “export audit” vs “approval audit.”
This creates a unified log with filters and links to artifacts.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Audit Log] --> B[Filter: release/env/approval/user/type]
A --> C[Event detail with links: pack/bundle/proof chain]
A --> D[Export audit log slice -> Evidence export]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ AUDIT LOG │
│ Formerly: scattered audit signals (Trust & Signing / Export Runs / Approvals) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Event type ▾ Release ▾ Env ▾ Approval ▾ User ▾ Time ▾ │
│ Events │
│ Feb 18 08:40 ExportRun created run-8811 profile Env Snapshot us-prod by admin [Open] │
│ Feb 18 08:33 Promotion decision PASS run-7712 pack-9001 by alice.johnson [Open] │
│ Feb 18 07:10 Trust: cert rotated issuer RegistryCA by admin [Open] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
## What this pack accomplishes
* Evidence now has a **clear chain**:
**Promotion/Decision → Pack → Bundle → Proof Chain → Verify/Replay**
with exports available at each step.
* **Trust & Signing** is treated as evidence infrastructure and tied to VEX issuer trust and proof verification.
* Everything is searchable by **Release / Bundle / Env / Approval**, which is what auditors and release managers actually ask for.
---
If you want the next pack, **Pack 21** can consolidate **Settings** into:
* **Release Control** (root already)
* **Org & Access**
* **Integrations**
* **Notifications**
* **Usage & Limits**
* **System Admin**
…and provide Mermaid+ASCII for each of those screens with “formerly/why” mapping.
Reference in New Issue View Git Blame Copy Permalink