
Sprint Batch 8200.0001 - Reproducibility & Provenance Epic

Archived: 2025-12-25
Epic Theme: Deterministic decision-making, reproducibility proof chains, and provenance caching

Summary

This sprint batch implemented the foundational reproducibility and provenance infrastructure for StellaOps, enabling deterministic policy decisions, verifiable attestations, and efficient caching for offline/air-gap scenarios.

Sprint Completion Status

| Sprint | Topic | Status | Tasks |
|--------|-------|--------|-------|
| 8200.0001.0001 | Verdict ID Content-Addressing | COMPLETE | 12/12 DONE |
| 8200.0001.0001 | Provcache Core Backend | COMPLETE | 44/44 DONE |
| 8200.0001.0002 | DSSE Round-Trip Testing | COMPLETE | 20/20 DONE |
| 8200.0001.0002 | Provcache Invalidation & Air-Gap | 🟡 90% COMPLETE | 50/56 DONE, 6 BLOCKED |
| 8200.0001.0003 | Provcache UX & Observability | COMPLETE | 56/56 DONE |
| 8200.0001.0003 | SBOM Schema Validation CI | COMPLETE | 17/17 DONE |
| 8200.0001.0004 | E2E Reproducibility Test | COMPLETE | 26/26 DONE |
| 8200.0001.0005 | Sigstore Bundle Implementation | 🟡 79% COMPLETE | 19/24 DONE, 1 N/A, 4 BLOCKED |
| 8200.0001.0006 | Budget Threshold Attestation | 🟡 61% COMPLETE | 11/18 DONE, 1 N/A, 6 BLOCKED |

Total: 255/273 tasks DONE (93%), 2 N/A, 16 BLOCKED

Key Deliverables

1. Verdict ID Content-Addressing (Sprint 0001/Verdict)

  • VerdictIdGenerator with SHA-256 content-addressed IDs
  • Deterministic verdict hashing across runs
  • 14 unit tests validating stability

2. Provcache Core Backend (Sprint 0001/Provcache)

  • VeriKey composite hash (source, SBOM, VEX, policy, signer, time)
  • DecisionDigest wrapping TrustLattice output
  • Valkey read-through cache with Postgres write-behind
  • /v1/provcache/* API endpoints
  • Policy engine integration with bypass support
  • OpenTelemetry traces and Prometheus metrics

3. DSSE Round-Trip Testing (Sprint 0002/DSSE)

  • Sign → serialize → deserialize → re-bundle → verify tests
  • Cosign compatibility with mock Fulcio/Rekor
  • Multi-signature envelope support
  • 55+ determinism and negative tests

4. Provcache Invalidation & Air-Gap (Sprint 0002/Provcache)

  • Signer revocation fan-out via SignerRevokedEvent
  • Feed epoch binding via FeedEpochAdvancedEvent
  • Evidence chunk storage with Merkle verification
  • Minimal proof export (lite/standard/strict density)
  • CLI commands: stella prov export/import/verify
  • Lazy evidence fetch for air-gap

5. Provcache UX & Observability (Sprint 0003/Provcache)

  • ProvenanceBadgeComponent (cached/computed/stale/unknown)
  • TrustScoreDisplayComponent with donut chart
  • ProofTreeComponent with collapsible Merkle tree
  • InputManifestComponent showing decision inputs
  • Grafana dashboards (hit rate, latency, invalidations)
  • OCI attestation attachment (stella.ops/provcache@v1)

6. SBOM Schema Validation CI (Sprint 0003/Schema)

  • CycloneDX 1.6, SPDX 3.0.1, OpenVEX 0.2.0 schemas
  • Validation scripts and CI workflow
  • Golden corpus validation on every PR

7. E2E Reproducibility Test (Sprint 0004)

  • Full pipeline: ingest → normalize → diff → decide → attest → bundle
  • Cross-platform verification (Linux/Windows/macOS)
  • Golden baseline with expected hashes
  • Nightly reproducibility gate

8. Sigstore Bundle (Sprint 0005)

  • Sigstore Bundle v0.3 models and serialization
  • Certificate chain and Merkle proof verification
  • DSSE signature verification (ECDSA/Ed25519/RSA)
  • 36 unit tests

9. Budget Threshold Attestation (Sprint 0006)

  • BudgetCheckPredicate with environment, limits, counts
  • Deterministic config hash for reproducibility
  • VerdictPredicateBuilder integration
  • 12 unit tests

Blocked Tasks (Follow-Up Required)

Cross-Module Integration (Signer → Provcache)

  • PROV-8200-101: Publish SignerRevokedEvent from KeyRotationService.RevokeKey()
  • PROV-8200-105, 106: SignerSetInvalidator DI and tests

Service Integration

  • PROV-8200-112, 113: FeedEpochInvalidator DI and tests
  • PROV-8200-143: CLI e2e tests (requires deployed services)

Attestor Integration

  • BUNDLE-8200-016-018, 022: Sigstore Bundle integration with AttestorBundleService, ExportCenter, CLI
  • BUDGET-8200-008-010, 014-016: BudgetCheckStatement and DSSE envelope integration

Files Changed

  • New Projects: StellaOps.Provcache, StellaOps.Attestor.Bundle
  • Documentation: docs/modules/provcache/, docs/modules/attestor/, docs/testing/
  • CI/CD: .gitea/workflows/schema-validation.yml, .gitea/workflows/e2e-reproducibility.yml
  • Deploy: deploy/grafana/dashboards/provcache-overview.json

Next Steps

  1. Create follow-up sprint for Signer module to publish SignerRevokedEvent
  2. Create follow-up sprint for service-level DI registration of invalidators
  3. Create follow-up sprint for Attestor integration with Sigstore Bundle and Budget attestation
  4. Run full E2E reproducibility test in CI to validate cross-platform determinism