git.stella-ops.org/docs/modules/evidence-locker/portable-audit-pack-determinism.md
2026-02-11 01:32:14 +02:00

Portable Audit Pack Determinism Profile

Status: Draft frozen for implementation handoff (2026-02-10).

Scope

Deterministic requirements for portable pack generation (manifest.json, BOM, DSSE envelope, Rekor material, optional VEX/Parquet artifacts).

Normative rules

  1. Canonical JSON MUST use RFC 8785/JCS-compatible serialization.
  2. File inventory in manifest.files MUST be lexicographically sorted by canonical path.
  3. Archive entries MUST have fixed metadata:
    • mtime: 2026-01-01T00:00:00Z
    • uid/gid: 0/0
    • file mode 0644, directory mode 0755
  4. Digests MUST be lowercase SHA-256 hex.
  5. Optional artifacts (merged_vex.json, components.parquet) MUST NOT change the ordering of required files.
  6. Compression toolchain versions MUST be pinned in release manifests.

Canonicalization conformance tests (required)

  • Nested object key ordering stability.
  • Unicode normalization and escaping stability.
  • Non-finite number rejection (NaN, Infinity).
  • DSSE payload preimage digest stability across repeated runs.

Byte stability gate

  • CI MUST generate the same pack twice from identical frozen input fixtures.
  • Outputs MUST be byte-identical (sha256sum pack1 == pack2).
  • On mismatch, the pipeline fails with ERR_PACK_NON_DETERMINISTIC.
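Worked example, added here and not part of the profile or the project's own code: a Python sketch that applies normative rules 1 to 5 to a constructed fixture, runs the four required canonicalization conformance tests, and implements the byte stability gate. Assumptions: the fixture paths and contents (bom/sbom.json, attestation/envelope.dsse, vex/merged_vex.json) are constructed; NFC normalization of strings before serialization is an assumed reading of the "Unicode normalization" test (RFC 8785 itself leaves code points untouched); json.dumps with sorted keys and compact separators matches RFC 8785 for the cases exercised but is not a conformant JCS for every number format; dsse_pae is the standard DSSE pre-authentication encoding; pinning the outer gzip header mtime to 0 is the example's choice, since rule 3 only covers archive entries.

```python
import gzip
import hashlib
import io
import json
import tarfile
import unicodedata
from datetime import datetime, timezone

# Rule 3 fixed archive metadata, values taken from the profile.
FIXED_MTIME = int(datetime(2026, 1, 1, tzinfo=timezone.utc).timestamp())
FILE_MODE, DIR_MODE = 0o644, 0o755

# Constructed fixture (illustrative paths and contents, not the project's real layout).
REQUIRED = {"bom/sbom.json": b'{"components":[]}',
            "attestation/envelope.dsse": b'{"payloadType":"application/vnd.in-toto+json"}'}
OPTIONAL = {"vex/merged_vex.json": b'{"statements":[]}'}

def _nfc(v):
    """NFC-normalize every string (assumption: the profile normalizes before serializing)."""
    if isinstance(v, str):
        return unicodedata.normalize("NFC", v)
    if isinstance(v, dict):
        return {_nfc(k): _nfc(x) for k, x in v.items()}
    return [_nfc(x) for x in v] if isinstance(v, list) else v

def canonical_json(obj) -> bytes:
    """Rule 1: sorted keys, no whitespace, raw UTF-8, NaN/Infinity rejected. This matches
    RFC 8785 for the cases below; exact JCS number formatting needs a real JCS library."""
    return json.dumps(_nfc(obj), sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False).encode("utf-8")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # rule 4: lowercase hex

def build_manifest(files: dict) -> dict:
    """Rule 2: manifest.files sorted lexicographically by path."""
    return {"files": [{"path": p, "sha256": sha256_hex(files[p]), "size": len(files[p])}
                      for p in sorted(files)]}

def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding; its digest is the signature preimage."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d " % (len(t), t, len(payload)) + payload

def build_pack(files: dict) -> bytes:
    """Deterministic tar.gz: sorted members, rule-3 metadata, gzip header mtime pinned to 0."""
    entries = dict(files)
    entries["manifest.json"] = canonical_json(build_manifest(files))
    dirs = {"/".join(p.split("/")[:i]) for p in entries for i in range(1, p.count("/") + 1)}
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, is_dir in sorted([(d, True) for d in dirs] + [(p, False) for p in entries]):
            ti = tarfile.TarInfo(name)
            ti.mtime, ti.uid, ti.gid, ti.uname, ti.gname = FIXED_MTIME, 0, 0, "", ""
            if is_dir:
                ti.type, ti.mode = tarfile.DIRTYPE, DIR_MODE
                tar.addfile(ti)
            else:
                ti.mode, ti.size = FILE_MODE, len(entries[name])
                tar.addfile(ti, io.BytesIO(entries[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:  # "w:gz" would stamp wall-clock time
        gz.write(raw.getvalue())
    return out.getvalue()

def pack_members(pack: bytes) -> list:
    """Read back (name, mode, mtime, uid) for every archive member, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(pack), mode="r:gz") as tar:
        return [(m.name, m.mode, m.mtime, m.uid) for m in tar.getmembers()]

def byte_stability_gate(files: dict) -> str:
    """Build the pack twice from one fixture; the digests must match or the gate fails."""
    first, second = sha256_hex(build_pack(files)), sha256_hex(build_pack(files))
    if first != second:
        raise RuntimeError(f"ERR_PACK_NON_DETERMINISTIC: {first} != {second}")
    return first

def conformance_checks() -> dict:
    """The four required canonicalization tests plus the rule-5 ordering check."""
    a = {"b": {"z": 1, "a": [1, {"y": 2, "x": 3}]}, "a": 0}
    b = {"a": 0, "b": {"a": [1, {"x": 3, "y": 2}], "z": 1}}
    out = {"nested_key_order": canonical_json(a) == canonical_json(b)}
    out["unicode_stability"] = canonical_json({"n": "\u00e9"}) == canonical_json({"n": "e\u0301"})
    try:
        canonical_json({"n": float("nan")})
        out["non_finite_rejected"] = False
    except ValueError:
        out["non_finite_rejected"] = True
    def preimage():
        return dsse_pae("application/vnd.in-toto+json", canonical_json(build_manifest(REQUIRED)))
    out["dsse_preimage_stable"] = sha256_hex(preimage()) == sha256_hex(preimage())
    required_only = [e["path"] for e in build_manifest(REQUIRED)["files"]]
    with_optional = [e["path"] for e in build_manifest({**REQUIRED, **OPTIONAL})["files"]
                     if e["path"] in REQUIRED]
    out["optional_keeps_required_order"] = required_only == with_optional
    return out
```

Calling byte_stability_gate({**REQUIRED, **OPTIONAL}) returns the pack digest; conformance_checks() returns a dict whose values are all True for this fixture. The one place a naive implementation fails the gate is the outer gzip header: tarfile's "w:gz" mode and gzip.open() both write the current time into it, which is why the example writes the plain tar first and compresses it with an explicit mtime=0.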

Deterministic fixture layout

  • testvectors/portable-audit-pack/minimal/
  • testvectors/portable-audit-pack/with-vex/
  • testvectors/portable-audit-pack/with-parquet/

Each fixture set should include:

  • inputs (sbom.json, optional vex.json)
  • expected canonical files
  • expected per-file SHA-256 digests
  • expected package archive digest

Toolchain pin set (to be implemented)

  • JCS canonicalizer version
  • DSSE signer library version
  • tar implementation/version
  • compression implementation/version
  • Parquet writer version (if profile enabled)