stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e923880694b66a819714782b43fed2b0d577a95b
git.stella-ops.org/docs/modules/policy/contracts/spine-versioning-plan.md
StellaOps Bot e923880694
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
feat: Add DigestUpsertRequest and LockEntity models 
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
2025-12-03 07:51:50 +02:00

65 lines
4.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# SBOM/VEX Spine Versioning Plan (SP1)
## Purpose
Establish versioned spine API/DTO schemas with migration rules, determinism guarantees, and DSSE-backed manifests, covering SP1SP10 gaps from the 31-Nov-2025 findings advisory.
## Scope
- Spine APIs and DTOs shared by Scanner, Policy, Authority, and Graph.
- Manifest/signing layers for spine bundles (online + offline).
- Pagination/performance envelopes and Unknowns workflow.
## Deliverables (SP tasks)
- SP1: Versioned schemas + header/version negotiation rules; deprecation timetable.
- SP2: Evidence requirements per predicate/edge (reachability proof, package identity, build metadata) with MUST/SHOULD fields.
- SP3: Unknowns registry contract (states, SLA, surfacing rules, expiry/decay).
- SP4: DSSE-signed spine manifest listing hashes for all artifacts; Rekor/mirror policy hooks.
- SP5: Deterministic diff rules + fixtures (ordered deltas, canonical sorting, hash expectations).
- SP6: Feed snapshot freshness/staleness thresholds and validation steps.
- SP7: Stage-by-stage DSSE requirements, Rekor/mirror policy matrices (online/offline).
- SP8: Policy lattice version field and embedding rules in spine objects.
- SP9: Pagination/ordering/perf budgets (stable sort keys, default page size limits, deterministic cursors).
- SP10: Crosswalk mappings SBOM ↔ VEX ↔ graph ↔ policy (table + sample payloads).
## Migration & Determinism
- Version headers and DTO version fields must be required; rejects if missing or downgraded without declared adapter.
- Canonical JSON ordering for manifests; hashes computed over canonical form (UTF-8, no BOM).
- Pagination uses deterministic primary/secondary sort keys; cursors are opaque, HMAC-free, reproducible from sort key + last id.
### Versioning mechanics (v0.1)
- Header: `X-Spine-Version: v1` (required). DTO field mirror: `schemaVersion` (string, semver).
- Deprecation window: N-1 supported for 90 days; adapters required to downgrade v2→v1 (CSV in `docs/modules/policy/fixtures/spine-adapters/`).
- Hashing: canonical JSON, sorted properties, UTF-8 no BOM, normalized decimals (4dp), timestamps UTC ISO-8601.
### Evidence minima per edge (SP2, draft)
- `reachability`: state, confidence, score, method, evidenceRef (hash or URI), runtimeEvidence flag (bool).
- `package_identity`: purl, name, version, supplier, hashes[] (at least SHA256).
- `build_metadata`: buildId, sourceRepo, sourceRef, buildInvokerHash, provenanceHash (DSSE).
### Unknowns workflow (SP3, draft)
- States: `unknown`, `under_review`, `resolved`, `expired`.
- SLA: auto-review escalation after 7 days; decay to `expired` at 30 days unless refreshed.
- Surfacing: APIs must include `unknowns.count` and list endpoint with deterministic pagination; optional policy lattice flag to penalize unknowns.
### Signing (SP4/SP7)
- Manifest structure: list of artifacts (type, id, hash, version, uri), signed using DSSE/ED25519 by default; Rekor optional online, mirrored checkpoints offline.
- Stage policy: compile → ingest → materialize → export; each stage produces DSSE, carries prior stage hash for chain-of-custody.
### Pagination/perf budgets (SP9)
- Default page size 200; max 500; stable sort: tenant asc, subjectPurl asc, advisoryId asc, createdAt asc.
- Cursors: base64-encoded tuple of sort keys; must round-trip deterministically.
### Crosswalk (SP10)
- Provide table mapping: SBOM component ↔ spine node ↔ graph node ↔ policy evaluation input; include sample payloads in `docs/modules/policy/fixtures/spine-crosswalk/`.
## Signing & Offline
- DSSE envelope mandatory for spine manifest; Rekor entry optional online, mirrored checkpoints for offline kits.
- Mirror bundles carry: manifest hash list, time-anchor digest, toolkit hashes, version map for adapters.
## Open Items
- Finalize evidence minima per predicate with Signals/Reachability guild once runtime schema lands.
- Confirm lattice versioning alignment with policy engine release cadence.
## Links
- Sprint: `docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md` (SP1SP10)
- Advisory: `docs/product-advisories/31-Nov-2025 FINDINGS.md`
Reference in New Issue View Git Blame Copy Permalink