- Introduced README.md for Zastava Evidence Locker Plan detailing artifacts to sign and post-signing steps.
- Added example JSON schemas for observer events and webhook admissions.
- Updated implementor guidelines with checklist for CI linting, determinism, secrets management, and schema control.
- Created alert rules for Vuln Explorer to monitor API latency and projection errors.
- Developed analytics ingestion plan for Vuln Explorer, focusing on telemetry and PII guardrails.
- Implemented Grafana dashboard configuration for Vuln Explorer metrics visualization.
- Added expected projection SHA256 for vulnerability events.
- Created k6 load testing script for Vuln Explorer API.
- Added sample projection and replay event data for testing.
- Implemented ReplayInputsLock for deterministic replay inputs management.
- Developed tests for ReplayInputsLock to ensure stable hash computation.
- Created SurfaceManifestDeterminismVerifier to validate manifest determinism and integrity.
- Added unit tests for SurfaceManifestDeterminismVerifier to ensure correct functionality.
- Implemented Angular tests for VulnerabilityHttpClient and VulnerabilityDetailComponent to verify API interactions and UI rendering.
# Export Center Determinism & Rerun Hash Guide

Advisory: `docs/product-advisories/28-Nov-2025 - Export Center and Reporting Strategy.md` (EC1–EC10).
## Adapter settings (runnable example)

- JSON adapters: `--compression zstd --compression-level 19 --deterministic-order`
- Mirror adapter: sort descriptors by digest, emit annotations in lexicographic order, and pin tar mtimes to epoch zero (`--mtime=@0`, the same flag the offline-kit tar line uses).
- Delta adapter: include `baseManifestHash` and sorted `added`/`removed` lists; tombstones must be explicit (a removal is a record, never an absence).
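To make the three adapter rules concrete, here is an added Python example (not the Export Center's own code) that normalises adapter output into a manifest with descriptors sorted by digest and annotations in lexicographic key order, hashes its canonical JSON, and derives a delta that carries `baseManifestHash`, sorted `added`/`removed` lists and explicit tombstones. The descriptor shape (`digest`, `name`, `annotations`), the `schemaVersion` and `tombstone` fields, and the sample descriptors are assumptions made for the example; `rerun_is_stable` shuffles the input on every run to show that input ordering cannot leak into the hash.

```python
"""Deterministic manifest + delta construction (added example, not project code)."""
from __future__ import annotations

import hashlib
import json
import random

# Constructed sample adapter output; deliberately unsorted, with unsorted annotations.
SAMPLE = [
    {"digest": "sha256:bbb", "name": "pkg-b", "annotations": {"z": "1", "a": "2"}},
    {"digest": "sha256:aaa", "name": "pkg-a", "annotations": {}},
    {"digest": "sha256:ccc", "name": "pkg-c"},
]


def canonical_json(obj) -> bytes:
    # Sorted keys and fixed separators: equal logical content gives equal bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(descriptors: list[dict]) -> dict:
    """Normalise adapter output so the order it arrived in cannot reach the manifest."""
    normalised = [
        {
            "digest": d["digest"],
            "name": d["name"],
            # annotations emitted in lexicographic key order
            "annotations": dict(sorted(d.get("annotations", {}).items())),
        }
        for d in descriptors
    ]
    normalised.sort(key=lambda d: d["digest"])  # descriptors sorted by digest
    return {"schemaVersion": 1, "descriptors": normalised}  # schemaVersion is assumed


def manifest_hash(manifest: dict) -> str:
    return hashlib.sha256(canonical_json(manifest)).hexdigest()


def build_delta(base: dict, current: dict) -> dict:
    """Delta from base to current: pinned to the base hash, sorted, tombstones explicit."""
    base_by = {d["digest"]: d for d in base["descriptors"]}
    cur_by = {d["digest"]: d for d in current["descriptors"]}
    added = [cur_by[k] for k in sorted(cur_by.keys() - base_by.keys())]
    # A removal is written as a tombstone record; a consumer never infers it from absence.
    removed = [{"digest": k, "tombstone": True} for k in sorted(base_by.keys() - cur_by.keys())]
    return {"baseManifestHash": manifest_hash(base), "added": added, "removed": removed}


def rerun_is_stable(descriptors: list[dict], runs: int = 5) -> bool:
    """Shuffle the adapter input each run; the manifest hash must not move."""
    rng = random.Random(0)
    hashes = set()
    for _ in range(runs):
        shuffled = list(descriptors)
        rng.shuffle(shuffled)
        hashes.add(manifest_hash(build_manifest(shuffled)))
    return len(hashes) == 1


if __name__ == "__main__":
    base = build_manifest(SAMPLE)
    print(manifest_hash(base), rerun_is_stable(SAMPLE))
```

The same canonicalisation must be applied to the delta before it is hashed or signed; `build_delta` already returns sorted lists, so `canonical_json(delta)` is stable across reruns as well.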
## Rerun-hash check

```bash
#!/usr/bin/env bash
set -euo pipefail
# Two runs of the same profile with different run IDs must yield byte-identical manifests;
# the run ID is the one input that is allowed to differ.
run_id=$(uuidgen)
stella export run --profile demo --run-id "$run_id" --out /tmp/export1
run_id2=$(uuidgen)
stella export run --profile demo --run-id "$run_id2" --out /tmp/export2
# Compare digests only: sha256sum's full output includes the path, which differs per run.
h1=$(sha256sum /tmp/export1/manifest.json | cut -d' ' -f1)
h2=$(sha256sum /tmp/export2/manifest.json | cut -d' ' -f1)
echo "$h1" > /tmp/export1/manifest.sha256
echo "$h2" > /tmp/export2/manifest.sha256
if [ "$h1" != "$h2" ]; then
  echo "rerun hash mismatch: $h1 != $h2" >&2
  diff -u /tmp/export1/manifest.json /tmp/export2/manifest.json || true
  exit 1
fi
```
## Integrity headers (HTTP example)

```http
Digest: sha-256=<base64>
X-Stella-Signature: dsse-b64=<payload>
X-Stella-Immutability: true
```
## Offline kit packaging

- Tar flags: `tar --sort=name --mtime=@0 --owner=0 --group=0 --numeric-owner`. With `--format=posix`, also pass `--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime` so any pax extended headers carry neither the process ID in their name nor access/change times; if the kit is compressed, use a mode that embeds no timestamp (for gzip, `gzip -n`).
- Include `export-kit/manifest.json` + `manifest.dsse`; add `verify-export-kit.sh` to check hashes and signatures.
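The HTTP integrity headers and the offline-kit check both reduce to the same DSSE envelope verification, so one added Python example (not StellaOps code) covers both sections: `build_kit` applies the tar flags above through `tarfile` so that two builds are byte-identical, `verify_kit` is the logic a `verify-export-kit.sh` needs (file hashes are checked against the signed manifest, not the loose `manifest.json`), and `check_response_headers` validates `Digest`, `X-Stella-Signature` and `X-Stella-Immutability` on a response body. Assumptions made for the example: HMAC-SHA256 stands in for the keypair signature so it runs with the standard library alone, `X-Stella-Signature` carries a base64 DSSE envelope over the response body, and the `payloadType`, manifest layout and sample files are illustrative.

```python
"""Offline kit build/verify and integrity-header check (added example, not project code)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import io
import json
import tarfile

PAYLOAD_TYPE = "application/vnd.stella.export-manifest+json"  # assumed DSSE payloadType
MANIFEST, ENVELOPE = "export-kit/manifest.json", "export-kit/manifest.dsse"

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the signature covers type and payload together."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def dsse_sign(payload: bytes, key: bytes, keyid: str = "kit-key") -> dict:
    # HMAC-SHA256 stands in for the keypair signature (assumption, stdlib-only example).
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def dsse_verify(envelope: dict, key: bytes) -> bytes | None:
    """Return the signed payload if a signature verifies, else None."""
    payload = base64.b64decode(envelope["payload"])
    want = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for s in envelope.get("signatures", []):
        if hmac.compare_digest(base64.b64decode(s["sig"]), want):
            return payload
    return None

def build_kit(files: dict[str, bytes], key: bytes) -> bytes:
    """Pack files plus manifest.json and manifest.dsse into a byte-reproducible tar."""
    manifest = {"files": [{"path": p, "sha256": hashlib.sha256(files[p]).hexdigest()}
                          for p in sorted(files)]}
    members = dict(files)
    members[MANIFEST] = canonical(manifest)
    members[ENVELOPE] = canonical(dsse_sign(members[MANIFEST], key))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(members):            # tar --sort=name
            info = tarfile.TarInfo(name)
            info.size = len(members[name])
            info.mtime = 0                      # --mtime=@0
            info.uid = info.gid = 0             # --owner=0 --group=0
            info.uname = info.gname = ""        # --numeric-owner
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(members[name]))
    return buf.getvalue()

def verify_kit(kit: bytes, key: bytes) -> list[str]:
    """Return the problems found; an empty list means the kit verifies."""
    with tarfile.open(fileobj=io.BytesIO(kit), mode="r:") as tar:
        blobs = {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
    if MANIFEST not in blobs or ENVELOPE not in blobs:
        return ["manifest.json or manifest.dsse missing"]
    signed = dsse_verify(json.loads(blobs[ENVELOPE]), key)
    if signed is None:
        return ["manifest.dsse: signature does not verify"]
    problems = [] if signed == blobs[MANIFEST] else ["manifest.json differs from signed payload"]
    # Hash checks use the signed manifest, so editing manifest.json cannot relax them.
    for entry in json.loads(signed)["files"]:
        data = blobs.get(entry["path"])
        if data is None:
            problems.append(f"{entry['path']}: missing from kit")
        elif hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"{entry['path']}: sha256 mismatch")
    return problems

def make_response_headers(body: bytes, key: bytes) -> dict[str, str]:
    # X-Stella-Signature is assumed to carry a base64 DSSE envelope over the body.
    env_b64 = base64.b64encode(canonical(dsse_sign(body, key))).decode()
    return {"Digest": "sha-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode(),
            "X-Stella-Signature": "dsse-b64=" + env_b64, "X-Stella-Immutability": "true"}

def check_response_headers(headers: dict[str, str], body: bytes, key: bytes) -> list[str]:
    problems = []
    try:
        algo, _, digest_b64 = headers.get("Digest", "").partition("=")
        if algo != "sha-256" or base64.b64decode(digest_b64) != hashlib.sha256(body).digest():
            problems.append("Digest does not match body")
        scheme, _, env_b64 = headers.get("X-Stella-Signature", "").partition("=")
        if scheme != "dsse-b64" or dsse_verify(json.loads(base64.b64decode(env_b64)), key) != body:
            problems.append("X-Stella-Signature does not sign this body")
    except (ValueError, KeyError):  # malformed base64/JSON/envelope is a failure, not a crash
        problems.append("malformed integrity header")
    if headers.get("X-Stella-Immutability") != "true":
        problems.append("X-Stella-Immutability not asserted")
    return problems
```

Two points carry over to the real `verify-export-kit.sh`: trust only what the envelope signs (here the file hashes are read from the signed payload, and a differing loose `manifest.json` is reported as its own finding), and treat every malformed header or envelope as a verification failure rather than an exception path.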
## Where to place fixtures

- `src/ExportCenter/__fixtures/` for deterministic manifests/outputs used by tests.
- Add a rerun-hash CI job that compares the fixture hash against regenerated outputs.