git.stella-ops.org/docs/ops/evidence-locker-handoff.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00
Evidence Locker Handoff (Signals & Zastava)

Inputs required (from Ops)

  • EVIDENCE_LOCKER_URL (base URL, no trailing slash)
  • CI_EVIDENCE_LOCKER_TOKEN (Bearer token with write access to zastava/* and signals/*)
  • Signals production signing key for final re-sign (one of):
    • COSIGN_PRIVATE_KEY_B64 (base64 of private key) + optional COSIGN_PASSWORD, or
    • key file at tools/cosign/cosign.key + password.

What's ready (deterministic artefacts)

  • Zastava tar: evidence-locker/zastava/2025-12-02/zastava-evidence.tar
    • sha256: e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9ac019cf0f1c9
  • Signals tar (dev key): evidence-locker/signals/2025-12-05/signals-evidence.tar
    • sha256: a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d

Publish both bundles (once URL/token are available)

```bash
export EVIDENCE_LOCKER_URL="<locker-base-url>"
export CI_EVIDENCE_LOCKER_TOKEN="<token>"
./tools/upload-all-evidence.sh
```

Verify locally (hash + inner SHA lists)

  • Zastava: ./tools/zastava-verify-evidence-tar.sh [path/to/zastava-evidence.tar]
  • Signals: ./tools/signals-verify-evidence-tar.sh [path/to/signals-evidence.tar]

```bash
# Re-sign Signals with the production key (see "Inputs required")
export COSIGN_PRIVATE_KEY_B64="<prod-key-b64>"
export COSIGN_PASSWORD="<pwd-if-any>"
OUT_DIR=evidence-locker/signals/2025-12-05 \
  tools/cosign/sign-signals.sh

# Rebuild + upload tar
./tools/signals-upload-evidence.sh
```

Notes

  • All packaging is deterministic (tar --sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner).
  • Tlog upload is disabled for offline parity; Evidence Locker trust comes from the provided keys.
  • Upload scripts exit non-zero on hash mismatch to prevent pushing corrupted artefacts.
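As an added example (not one of the StellaOps scripts above), the Python below builds a tar with the same normalisation the notes list and mirrors the verify step: outer sha256 first, then the inner SHA list, refusing the bundle on any mismatch the way the upload scripts do. The SHA256SUMS manifest name, the sample member contents and the member layout are assumptions, not the real bundles' format.

```python
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_evidence_tar(files: dict[str, bytes]) -> bytes:
    """Pack files with the same normalisation as the handoff's tar flags:
    sorted names, epoch mtime, uid/gid 0, no user/group names.
    Assumption: a SHA256SUMS manifest is added as the 'inner SHA list'."""
    manifest = "".join(f"{sha256_hex(d)}  {n}\n" for n, d in sorted(files.items()))
    members = {**files, "SHA256SUMS": manifest.encode()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(members):                 # --sort=name
            data = members[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0                            # --mtime='UTC 1970-01-01'
            info.uid = info.gid = 0                   # --owner=0 --group=0
            info.uname = info.gname = ""              # --numeric-owner
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_evidence_tar(blob: bytes, expected_sha256: str) -> tuple[bool, list[str]]:
    """Outer digest first, then every inner SHA entry; (False, problems) means
    an uploader must stop, matching the scripts' non-zero exit on mismatch."""
    if sha256_hex(blob) != expected_sha256:
        return False, ["outer sha256 mismatch"]
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        contents = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    manifest = contents.pop("SHA256SUMS", None)
    if manifest is None:
        return False, ["inner SHA list (SHA256SUMS) missing"]
    # manifest lines are "<hex>  <name>"; map name -> digest
    listed = dict(line.split("  ", 1)[::-1] for line in manifest.decode().splitlines())
    problems = [f"inner sha mismatch or unlisted member: {n}"
                for n, d in contents.items() if listed.get(n) != sha256_hex(d)]
    problems += [f"listed but absent: {n}" for n in sorted(listed.keys() - contents.keys())]
    return not problems, problems


# Constructed sample evidence; the real bundles' member layout may differ.
SAMPLE_FILES = {"manifest.json": b'{"schema":1}', "sbom.cdx.json": b'{"bomFormat":"CycloneDX"}'}
```

Building the same members in a different insertion order yields a byte-identical tar, which is what lets the published sha256 values above stand in for the bundle itself.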