stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
dc7c75b496c1f0b34c284bf3bda5f70544ce81dd
git.stella-ops.org/docs/implplan/SPRINT_0513_0001_0001_provenance.md
StellaOps Bot dc7c75b496
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Add MongoIdempotencyStoreOptions for MongoDB configuration 
feat: Implement BsonJsonConverter for converting BsonDocument and BsonArray to JSON

fix: Update project file to include MongoDB.Bson package

test: Add GraphOverlayExporterTests to validate NDJSON export functionality

refactor: Refactor Program.cs in Attestation Tool for improved argument parsing and error handling

docs: Update README for stella-forensic-verify with usage instructions and exit codes

feat: Enhance HmacVerifier with clock skew and not-after checks

feat: Add MerkleRootVerifier and ChainOfCustodyVerifier for additional verification methods

fix: Update DenoRuntimeShim to correctly handle file paths

feat: Introduce ComposerAutoloadData and related parsing in ComposerLockReader

test: Add tests for Deno runtime execution and verification

test: Enhance PHP package tests to include autoload data verification

test: Add unit tests for HmacVerifier and verification logic
2025-11-22 16:42:56 +02:00

7.4 KiB
Raw Blame History

Sprint 0513-0001-0001 · Ops & Offline · Provenance

Topic & Scope

  • Prove container provenance offline: model DSSE/SLSA build metadata, signing flows, and promotion predicates for orchestrator/job/export subjects.
  • Deliver signing + verification toolchain that is deterministic, air-gap ready, and consumable from CLI (stella forensic verify) and services.
  • Working directory: src/Provenance/StellaOps.Provenance.Attestation. Active items only; completed/historic work lives in docs/implplan/archived/tasks.md (updated 2025-11-08).

Dependencies & Concurrency

  • Upstream sprints: 100.A Attestor, 110.A AdvisoryAI, 120.A AirGap, 130.A Scanner, 140.A Graph, 150.A Orchestrator, 160.A EvidenceLocker, 170.A Notifier, 180.A CLI.
  • Task sequencing: PROV-OBS-53-001 → PROV-OBS-53-002 → PROV-OBS-53-003 → PROV-OBS-54-001 → PROV-OBS-54-002; downstream tasks stay TODO/BLOCKED until predecessors verify in CI.
  • Concurrency guardrails: keep deterministic ordering in Delivery Tracker; no cross-module code changes unless noted under Interlocks.

Documentation Prerequisites

  • docs/07_HIGH_LEVEL_ARCHITECTURE.md
  • docs/modules/platform/architecture-overview.md
  • docs/modules/attestor/architecture.md
  • docs/modules/signer/architecture.md
  • docs/modules/orchestrator/architecture.md
  • docs/modules/export-center/architecture.md

Delivery Tracker

# Task ID Status Key dependency / next step Owners Task Definition
1 PROV-OBS-53-001 DONE (2025-11-17) Baseline models available for downstream tasks Provenance Guild / src/Provenance/StellaOps.Provenance.Attestation Implement DSSE/SLSA BuildDefinition + BuildMetadata models with canonical JSON serializer, Merkle digest helpers, deterministic hashing tests, and sample statements for orchestrator/job/export subjects.
2 PROV-OBS-53-002 BLOCKED Implementation done locally; rerun dotnet test in CI to clear MSB6006 and verify signer abstraction Provenance Guild; Security Guild / src/Provenance/StellaOps.Provenance.Attestation Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture.
3 PROV-OBS-53-003 BLOCKED Implementation landed; awaiting PROV-OBS-53-002 CI verification before release Provenance Guild / src/Provenance/StellaOps.Provenance.Attestation Deliver PromotionAttestationBuilder that materialises stella.ops/promotion@v1 predicate (image digest, SBOM/VEX materials, promotion metadata, Rekor proof) and feeds canonicalised payload bytes to Signer via StellaOps.Cryptography.
4 PROV-OBS-54-001 DONE (2025-11-22) Verification library shipped with HMAC/time checks, Merkle and chain-of-custody helpers; tests passing Provenance Guild; Evidence Locker Guild / src/Provenance/StellaOps.Provenance.Attestation Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody; expose reusable CLI/service APIs; include negative fixtures and offline timestamp verification.
5 PROV-OBS-54-002 DONE (2025-11-22) Tool packaged with usage/docs; tests passing Provenance Guild; DevEx/CLI Guild / src/Provenance/StellaOps.Provenance.Attestation Generate .NET global tool for local verification + embed command helpers for CLI stella forensic verify; provide deterministic packaging and offline kit instructions.

Wave Coordination

  • Single wave covering Provenance attestation + verification; sequencing enforced in Delivery Tracker.

Wave Detail Snapshots

  • Wave 1 (Provenance chain): Signer abstraction → Promotion predicate builder → Verification library → CLI/global tool packaging.

Interlocks

  • Attestor/Orchestrator schema alignment for promotion predicates and job/export subjects.
  • Evidence Locker timeline proofs required for DSSE verification chain-of-custody.
  • CLI integration depends on DevEx/CLI guild packaging conventions.

Upcoming Checkpoints

  • 2025-11-23 · CI rerun for PROV-OBS-53-002 to resolve MSB6006 and unblock downstream tasks.
  • 2025-11-26 · Schema alignment touchpoint with Orchestrator/Attestor guilds on promotion predicate fields.
  • 2025-11-29 · Offline kit packaging review for verification global tool (PROV-OBS-54-002) with DevEx/CLI guild.

Action Tracker

  • Schedule CI environment rerun for PROV-OBS-53-002 with full dependency restore and logs attached.
  • Prepare schema notes for promotion predicate (image digest, SBOM/VEX materials, Rekor proof) ahead of 2025-11-26 checkpoint.
  • Draft offline kit instructions outline for PROV-OBS-54-002 to accelerate packaging once verification APIs land.

Decisions & Risks

Risk table

Risk Impact Mitigation Owner
PROV-OBS-53-002 CI parity pending If CI differs from local, could reopen downstream Rerun in CI; publish logs; align SDK version Provenance Guild
Promotion predicate schema mismatch with Orchestrator/Attestor Rework builder and verification APIs Hold 2025-11-26 alignment; track deltas in docs; gate merges behind feature flag Provenance Guild / Orchestrator Guild
Offline verification kit drift vs CLI packaging rules Users cannot verify in air-gap Pair with DevEx/CLI guild; publish deterministic packaging steps and checksums DevEx/CLI Guild
  • PROV-OBS-53-002 remains BLOCKED until CI rerun resolves MSB6006; PROV-OBS-53-003/54-001/54-002 stay gated.
  • Archived/complete items move to docs/implplan/archived/tasks.md after closure.

Execution Log

Date (UTC) Update Owner
2025-11-22 PROV-OBS-54-002 delivered: global tool stella-forensic-verify updated with signed-at/not-after/skew options, deterministic JSON output, README packaging steps, and tests. Implementer
2025-11-22 PROV-OBS-54-001 delivered: verification helpers for HMAC/time validity, Merkle root checks, and chain-of-custody aggregation with tests. Implementer
2025-11-22 Updated cross-references in tasks-all.md to the renamed sprint ID. Project Mgmt
2025-11-22 Added PROV-OBS-53-002/53-003 to blocked_tree.md for central visibility while CI rerun is pending. Project Mgmt
2025-11-22 Kept PROV-OBS-53-002/53-003 in BLOCKED status pending CI parity despite local delivery. Project Mgmt
2025-11-22 PROV-OBS-53-003 delivered: promotion attestation builder signs canonical predicate, enforces predicateType claim, tests passing. Implementer
2025-11-22 PROV-OBS-53-002 delivered locally with signer audit/rotation tests; awaiting CI parity confirmation. Implementer
2025-11-22 Normalised sprint to standard template and renamed to SPRINT_0513_0001_0001_provenance.md; no scope changes. Project Mgmt
2025-11-18 Marked PROV-OBS-53-002 as BLOCKED (tests cannot run locally: dotnet test MSB6006). Downstream PROV-OBS-53-003 blocked on 53-002 verification. Provenance
2025-11-18 PROV-OBS-53-002 tests blocked locally (dotnet test MSB6006 after long dependency builds); rerun required in CI/less constrained agent. Provenance
2025-11-17 Started PROV-OBS-53-002: added cosign/kms/offline signer abstractions, rotating key provider, audit hooks, and unit tests; full test run pending. Provenance
2025-11-17 PROV-OBS-53-001 delivered: canonical BuildDefinition/BuildMetadata hashes, Merkle helpers, deterministic tests, and sample DSSE statements for orchestrator/job/export subjects. Provenance