stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
ca91f400512fb871ef935772c66ac38b2bed8e7e
git.stella-ops.org/docs/modules/signals/evidence/README.md
StellaOps Bot e923880694
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
feat: Add DigestUpsertRequest and LockEntity models 
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
2025-12-03 07:51:50 +02:00

2.7 KiB
Raw Blame History

Signals DSSE Evidence Staging (runtime/signals gaps)

Artifacts prepared 2025-12-01 (UTC) for DSSE signing and Evidence Locker ingest:

  • Decay config: docs/modules/signals/decay/confidence_decay_config.yaml
  • Unknowns scoring manifest: docs/modules/signals/unknowns/unknowns_scoring_manifest.json
  • Heuristic catalog + schema + fixtures: docs/modules/signals/heuristics/
  • Checksums: docs/modules/signals/SHA256SUMS

Planned Evidence Locker paths (to fill post-signing):

  • evidence-locker/signals/decay/2025-12-01/confidence_decay_config.dsse
  • evidence-locker/signals/unknowns/2025-12-01/unknowns_scoring_manifest.dsse
  • evidence-locker/signals/heuristics/2025-12-01/heuristics_catalog.dsse
  • evidence-locker/signals/heuristics/2025-12-01/fixtures/ (golden inputs/outputs)

Pending steps: 0) Provide signing key: CI/ops should supply COSIGN_PRIVATE_KEY_B64 (base64 of private key) and optional COSIGN_PASSWORD. Local dev can place a key at tools/cosign/cosign.key (see tools/cosign/cosign.key.example stub) or decode the env var to /tmp/cosign.key. The helper script tools/cosign/sign-signals.sh auto-detects the key and cosign version.

  1. Sign each artifact with its predicate (cosign v3.0.2 in /usr/local/bin, use --bundle; v2.6.0 fallback in tools/cosign also works with --output-signature):
    • stella.ops/confidenceDecayConfig@v1
    • stella.ops/unknownsScoringManifest@v1
    • stella.ops/heuristicCatalog@v1 Shortcut: OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh Example (v3, replace KEY):
    cosign sign-blob \
  --key cosign.key \
  --predicate-type stella.ops/confidenceDecayConfig@v1 \
  --bundle confidence_decay_config.sigstore.json \
  decay/confidence_decay_config.yaml
    v2.6.0 fallback (if PATH prefixed with tools/cosign): 
    cosign sign-blob \
  --key cosign.key \
  --predicate-type stella.ops/confidenceDecayConfig@v1 \
  --output-signature confidence_decay_config.dsse \
  decay/confidence_decay_config.yaml
  2. Record SHA256 from SHA256SUMS in DSSE annotations (or bundle metadata); keep canonical filenames:
    • v3: confidence_decay_config.sigstore.json, unknowns_scoring_manifest.sigstore.json, heuristics_catalog.sigstore.json
    • v2 fallback: .dsse signatures.
  3. Place signed envelopes + checksums in the Evidence Locker paths above; update sprint tracker Delivery Tracker rows 57 and Decisions & Risks with the final URIs.
  4. Add signer/approver IDs to the sprint Execution Log once signatures are complete.

Notes:

  • Use UTC timestamps in DSSE issuedAt.
  • Ensure offline parity by copying envelopes + SHA256SUMS into the offline kit bundle when ready.