# Sprint Batch 8200.0001 - Reproducibility & Provenance Epic

**Archived:** 2025-12-25
**Epic Theme:** Deterministic decision-making, reproducibility proof chains, and provenance caching

## Summary

This sprint batch implemented the foundational reproducibility and provenance infrastructure for StellaOps, enabling deterministic policy decisions, verifiable attestations, and efficient caching for offline/air-gap scenarios.

## Sprint Completion Status

| Sprint | Topic | Status | Tasks |
|--------|-------|--------|-------|
| 8200.0001.0001 | Verdict ID Content-Addressing | ✅ **COMPLETE** | 12/12 DONE |
| 8200.0001.0001 | Provcache Core Backend | ✅ **COMPLETE** | 44/44 DONE |
| 8200.0001.0002 | DSSE Round-Trip Testing | ✅ **COMPLETE** | 20/20 DONE |
| 8200.0001.0002 | Provcache Invalidation & Air-Gap | 🟡 **90% COMPLETE** | 50/56 DONE, 6 BLOCKED |
| 8200.0001.0003 | Provcache UX & Observability | ✅ **COMPLETE** | 56/56 DONE |
| 8200.0001.0003 | SBOM Schema Validation CI | ✅ **COMPLETE** | 17/17 DONE |
| 8200.0001.0004 | E2E Reproducibility Test | ✅ **COMPLETE** | 26/26 DONE |
| 8200.0001.0005 | Sigstore Bundle Implementation | 🟡 **79% COMPLETE** | 19/24 DONE, 1 N/A, 4 BLOCKED |
| 8200.0001.0006 | Budget Threshold Attestation | 🟡 **61% COMPLETE** | 11/18 DONE, 1 N/A, 6 BLOCKED |

**Total:** 255/273 tasks DONE (93%), 2 N/A, 16 BLOCKED

## Key Deliverables

### 1. Verdict ID Content-Addressing (Sprint 0001/Verdict)
- `VerdictIdGenerator` with SHA-256 content-addressed IDs
- Deterministic verdict hashing across runs
- 14 unit tests validating stability

### 2. Provcache Core Backend (Sprint 0001/Provcache)
- VeriKey composite hash (source, SBOM, VEX, policy, signer, time)
- DecisionDigest wrapping TrustLattice output
- Valkey read-through cache with Postgres write-behind
- `/v1/provcache/*` API endpoints
- Policy engine integration with bypass support
- OpenTelemetry traces and Prometheus metrics

### 3. DSSE Round-Trip Testing (Sprint 0002/DSSE)
- Sign → serialize → deserialize → re-bundle → verify tests
- Cosign compatibility with mock Fulcio/Rekor
- Multi-signature envelope support
- 55+ determinism and negative tests

### 4. Provcache Invalidation & Air-Gap (Sprint 0002/Provcache)
- Signer revocation fan-out via `SignerRevokedEvent`
- Feed epoch binding via `FeedEpochAdvancedEvent`
- Evidence chunk storage with Merkle verification
- Minimal proof export (lite/standard/strict density)
- CLI commands: `stella prov export/import/verify`
- Lazy evidence fetch for air-gap

### 5. Provcache UX & Observability (Sprint 0003/Provcache)
- ProvenanceBadgeComponent (cached/computed/stale/unknown)
- TrustScoreDisplayComponent with donut chart
- ProofTreeComponent with collapsible Merkle tree
- InputManifestComponent showing decision inputs
- Grafana dashboards (hit rate, latency, invalidations)
- OCI attestation attachment (`stella.ops/provcache@v1`)

### 6. SBOM Schema Validation CI (Sprint 0003/Schema)
- CycloneDX 1.6, SPDX 3.0.1, OpenVEX 0.2.0 schemas
- Validation scripts and CI workflow
- Golden corpus validation on every PR

### 7. E2E Reproducibility Test (Sprint 0004)
- Full pipeline: ingest → normalize → diff → decide → attest → bundle
- Cross-platform verification (Linux/Windows/macOS)
- Golden baseline with expected hashes
- Nightly reproducibility gate

### 8. Sigstore Bundle (Sprint 0005)
- Sigstore Bundle v0.3 models and serialization
- Certificate chain and Merkle proof verification
- DSSE signature verification (ECDSA/Ed25519/RSA)
- 36 unit tests

### 9. Budget Threshold Attestation (Sprint 0006)
- BudgetCheckPredicate with environment, limits, counts
- Deterministic config hash for reproducibility
- VerdictPredicateBuilder integration
- 12 unit tests

## Blocked Tasks (Follow-Up Required)

### Cross-Module Integration (Signer → Provcache)
- PROV-8200-101: Publish `SignerRevokedEvent` from `KeyRotationService.RevokeKey()`
- PROV-8200-105, 106: SignerSetInvalidator DI and tests

### Service Integration
- PROV-8200-112, 113: FeedEpochInvalidator DI and tests
- PROV-8200-143: CLI e2e tests (requires deployed services)

### Attestor Integration
- BUNDLE-8200-016-018, 022: Sigstore Bundle integration with AttestorBundleService, ExportCenter, CLI
- BUDGET-8200-008-010, 014-016: BudgetCheckStatement and DSSE envelope integration

## Files Changed

- **New Projects:** `StellaOps.Provcache`, `StellaOps.Attestor.Bundle`
- **Documentation:** `docs/modules/provcache/`, `docs/modules/attestor/`, `docs/testing/`
- **CI/CD:** `.gitea/workflows/schema-validation.yml`, `.gitea/workflows/e2e-reproducibility.yml`
- **Deploy:** `deploy/grafana/dashboards/provcache-overview.json`

## Next Steps

1. Create follow-up sprint for Signer module to publish `SignerRevokedEvent`
2. Create follow-up sprint for service-level DI registration of invalidators
3. Create follow-up sprint for Attestor integration with Sigstore Bundle and Budget attestation
4. Run full E2E reproducibility test in CI to validate cross-platform determinism