git.stella-ops.org/docs/implplan/SPRINT_8200_REPRODUCIBILITY_EPIC_SUMMARY.md

Epic 8200 · SBOM/VEX Pipeline Reproducibility

Status: ✅ ARCHIVED (93% Complete)

Archived: 2025-12-25
Archive Location: docs/implplan/archived/2025-12-25-sprint-8200-reproducibility/

Overview

This epic implements the reproducibility, verifiability, and audit-readiness requirements identified in the product advisory analysis of December 2024.

Goal: Ensure StellaOps produces byte-for-byte identical outputs given identical inputs, with full attestation and offline verification capabilities.

Final Completion Status

Sprint	Topic	Status	Tasks
8200.0001.0001	Verdict ID Content-Addressing	✅ COMPLETE	12/12 DONE
8200.0001.0001	Provcache Core Backend	✅ COMPLETE	44/44 DONE
8200.0001.0002	DSSE Round-Trip Testing	✅ COMPLETE	20/20 DONE
8200.0001.0002	Provcache Invalidation & Air-Gap	🟡 90%	50/56 DONE, 6 BLOCKED
8200.0001.0003	Provcache UX & Observability	✅ COMPLETE	56/56 DONE
8200.0001.0003	SBOM Schema Validation CI	✅ COMPLETE	17/17 DONE
8200.0001.0004	E2E Reproducibility Test	✅ COMPLETE	26/26 DONE
8200.0001.0005	Sigstore Bundle Implementation	🟡 79%	19/24 DONE, 1 N/A, 4 BLOCKED
8200.0001.0006	Budget Threshold Attestation	🟡 61%	11/18 DONE, 1 N/A, 6 BLOCKED

Total: 255/273 tasks DONE (93%), 2 N/A, 16 BLOCKED (cross-module integration)

Epic Timeline

Phase	Sprints	Duration	Focus
Phase 1: Foundation	8200.0001.0001	Week 1	VerdictId content-addressing (critical fix)
Phase 2: Validation	8200.0001.0002, 8200.0001.0003	Week 1-2	DSSE round-trips, schema validation
Phase 3: E2E	8200.0001.0004	Week 2-3	Full pipeline reproducibility test
Phase 4: Packaging	8200.0001.0005, 8200.0001.0006	Week 3	Sigstore bundles, budget attestation

Sprint Summary

P0: SPRINT_8200_0001_0001 — Verdict ID Content-Addressing

Status: TODO | Effort: 2 days | Blocks: All other sprints

Problem: DeltaVerdict.VerdictId uses random GUID instead of content hash. Solution: Implement VerdictIdGenerator using SHA-256 of canonical JSON.

Task Count	Files Modified	Tests Added
12 tasks	5 files	4 tests

Key Deliverables:

• VerdictIdGenerator helper class
• Content-addressed VerdictId in all verdict creation sites
• Regression tests for determinism

---

P1: SPRINT_8200_0001_0002 — DSSE Round-Trip Testing

Status: TODO | Effort: 3 days | Depends on: P0

Problem: No tests validate sign → verify → re-bundle → re-verify cycle. Solution: Comprehensive round-trip test suite with cosign compatibility.

Task Count	Files Created	Tests Added
20 tasks	4 files	15 tests

Key Deliverables:

• DsseRoundtripTestFixture with key management
• Round-trip serialization tests
• Cosign compatibility verification
• Multi-signature envelope handling

---

P2: SPRINT_8200_0001_0003 — SBOM Schema Validation CI

Status: TODO | Effort: 1 day | Depends on: None

Problem: No external validator confirms schema compliance. Solution: Integrate sbom-utility for CycloneDX 1.6 and SPDX 3.0.1 validation.

Task Count	Files Created	CI Jobs Added
17 tasks	7 files	4 jobs

Key Deliverables:

• Schema files committed to repo
• schema-validation.yml workflow
• Validation scripts for all SBOM formats
• Required PR check

---

P3: SPRINT_8200_0001_0004 — Full E2E Reproducibility Test

Status: TODO | Effort: 5 days | Depends on: P0, P1

Problem: No test covers full pipeline: ingest → normalize → diff → decide → attest → bundle. Solution: Create StellaOps.Integration.E2E project with cross-platform verification.

Task Count	Files Created	CI Jobs Added
26 tasks	8 files	4 jobs

Key Deliverables:

• Full pipeline test fixture
• Cross-platform hash comparison (Linux, Windows, macOS)
• Golden baseline fixtures
• Nightly reproducibility gate

---

P4: SPRINT_8200_0001_0005 — Sigstore Bundle Implementation

Status: TODO | Effort: 3 days | Depends on: P1

Problem: Sigstore bundle type defined but not implemented. Solution: Implement v0.3 bundle marshalling/unmarshalling with offline verification.

Task Count	Files Created	Tests Added
24 tasks	9 files	4 tests

Key Deliverables:

• StellaOps.Attestor.Bundle library
• SigstoreBundleBuilder and SigstoreBundleVerifier
• cosign bundle compatibility
• CLI command stella attest bundle

---

P6: SPRINT_8200_0001_0006 — Budget Threshold Attestation

Status: TODO | Effort: 2 days | Depends on: P0

Problem: Unknown budget thresholds not attested in DSSE bundles. Solution: Create BudgetCheckPredicate and include in verdict attestations.

Task Count	Files Created/Modified	Tests Added
18 tasks	7 files	4 tests

Key Deliverables:

• BudgetCheckPredicate model
• Budget config hash for determinism
• Integration with VerdictPredicateBuilder
• Verification rule for config drift

---

Dependency Graph

                    ┌─────────────────┐
                    │   P0: Verdict   │
                    │  Content-Hash   │
                    └────────┬────────┘
                             │
              ┌──────────────┼──────────────┐
              │              │              │
              ▼              ▼              ▼
    ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
    │  P1: DSSE       │ │  P2: Schema     │ │  P6: Budget     │
    │  Round-Trip     │ │  Validation     │ │  Attestation    │
    └────────┬────────┘ └─────────────────┘ └─────────────────┘
             │
    ┌────────┴────────┐
    │                 │
    ▼                 ▼
┌─────────────────┐ ┌─────────────────┐
│  P3: E2E Test   │ │  P4: Sigstore   │
│                 │ │  Bundle         │
└─────────────────┘ └─────────────────┘

Total Effort Summary

Sprint	Priority	Effort	Tasks	Status
8200.0001.0001 (Verdict)	P0	2 days	12	✅ DONE
8200.0001.0001 (Provcache)	P0	5 days	44	✅ DONE
8200.0001.0002 (DSSE)	P1	3 days	20	✅ DONE
8200.0001.0002 (Provcache)	P1	5 days	56	🟡 90% (6 BLOCKED)
8200.0001.0003 (UX)	P2	4 days	56	✅ DONE
8200.0001.0003 (Schema)	P2	1 day	17	✅ DONE
8200.0001.0004	P3	5 days	26	✅ DONE
8200.0001.0005	P4	3 days	24	🟡 79% (4 BLOCKED)
8200.0001.0006	P6	2 days	18	🟡 61% (6 BLOCKED)
Total	—	30 days	273 tasks	93% Complete

Success Criteria

Must Have (Phase 1-2)

• VerdictId is content-addressed (SHA-256)
• DSSE round-trip tests pass
• Schema validation in CI
• All existing tests pass (no regressions)

Should Have (Phase 3)

• Full E2E pipeline test
• Cross-platform reproducibility verified
• Golden baseline established

Nice to Have (Phase 4)

• Sigstore bundle support (core library complete)
• Budget attestation in verdicts (models complete)
• cosign interoperability (mock-based verification complete)

Documentation Deliverables

Document	Sprint	Status
docs/reproducibility.md	Pre-req	✅ DONE
docs/testing/schema-validation.md	P2	✅ DONE
docs/testing/e2e-reproducibility.md	P3	✅ DONE
docs/modules/attestor/bundle-format.md	P4	✅ DONE
docs/modules/policy/budget-attestation.md	P6	✅ DONE
docs/modules/provcache/architecture.md	P1	✅ DONE
docs/modules/provcache/metrics-alerting.md	P2	✅ DONE
docs/modules/ui/provcache-components.md	P2	✅ DONE

Risk Register

Risk	Impact	Probability	Mitigation	Owner
Breaking change for stored verdicts	High	Medium	Migration logic for old GUID format	Policy Guild
Cross-platform determinism failures	High	Medium	Canonical serialization; path normalization	Platform Guild
Sigstore spec changes	Medium	Low	Pin to v0.3; monitor upstream	Attestor Guild
CI performance impact	Medium	Medium	Parallelize validation jobs	Platform Guild

Execution Checkpoints

Checkpoint	Date	Criteria
Phase 1 Complete	Week 1 end	VerdictId fix merged; tests green
Phase 2 Complete	Week 2 end	DSSE round-trips pass; schema validation active
Phase 3 Complete	Week 3 end	E2E test running nightly; baselines established
Phase 4 Complete	Week 3 end	Sigstore bundles working; budget attestation active
Epic Complete	Week 3 end	All success criteria met; docs complete

Related Documents

• Product Advisory Analysis — Original gap analysis
• Reproducibility Specification — Verdict ID formula and replay procedure
• Determinism Verification — Existing determinism infrastructure
• Attestor Module — DSSE and attestation architecture

Changelog

Date	Version	Changes
2025-12-24	1.0	Initial epic creation based on product advisory gap analysis
2025-12-25	2.0	Epic archived at 93% completion. All 9 sprints moved to archived/2025-12-25-sprint-8200-reproducibility/. 255/273 tasks DONE. 16 tasks BLOCKED pending cross-module integration (Signer event publishing, Attestor service integration). Follow-up sprints required for remaining integration work.