e923880694
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil. - Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt. feat: Implement ILockRepository interface and LockRepository class - Defined ILockRepository interface with methods for acquiring and releasing locks. - Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations. feat: Add SurfaceManifestPointer record for manifest pointers - Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest. feat: Create PolicySimulationInputLock and related validation logic - Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests. - Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements. test: Add unit tests for ReplayVerificationService and ReplayVerifier - Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios. - Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic. test: Implement PolicySimulationInputLockValidatorTests - Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions. chore: Add cosign key example and signing scripts - Included a placeholder cosign key example for development purposes. - Added a script for signing Signals artifacts using cosign with support for both v2 and v3. chore: Create script for uploading evidence to the evidence locker - Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
Policy Simulation Gaps (PS1–PS10) — Lockfile, Quotas, and Shadow Safety
This note closes POLICY-GAPS-185-006 by defining a signed inputs lock, offline verifier, and shadow isolation guardrails for policy simulations.
Lockfile
- Schema:
docs/replay/policy-sim/lock.schema.json - Sample:
docs/replay/policy-sim/inputs.lock.sample.json - Fields cover policy bundle, graph, SBOM, time anchor, dataset digests; shadowIsolation flag; requiredScopes.
- Recommended signing: DSSE over the lockfile with Ed25519; record envelope digest alongside artefacts.
Validation
- Library helper:
PolicySimulationInputLockValidatorinStellaOps.Replay.Corecompares materialized digests and enforces shadow mode + scopepolicy:simulate:shadow. - Staleness: pass
maxAge(suggested 24h) to reject outdated locks.
CLI / CI contract
- Script:
scripts/replay/verify-policy-sim-lock.sh(offline). Exit codes: 0 OK, 2 missing tools/args, 3 schema/hash mismatch, 4 stale, 5 shadow/scope failure. - CI should run verifier before simulations and fail fast on non-zero exit.
Quotas & backpressure
- Default limits: max 10 concurrent shadow runs per tenant; queue depth 100; reject when
policy:simulate:shadowscope missing. - Simulators must be read-only: no writes to policy stores; only emit shadow metrics.
Offline policy-sim kit
- Lockfile + DSSE, digests of policy/graph/sbom/time-anchor/dataset.
- Bundle alongside replay packs; verifier uses local SHA256 only (no network).
Shadow isolation & redaction
- Always run in
shadowmode; block if requested runMode !=shadow. - Redact PII fields (
user,ip,headers,secrets) before storing fixtures; keep only hashes. - Require DSSE evidence when storing fixtures or responding to API clients.