Builds the previously-aspirational Capsule create/seal/verify/export/replay
pipeline. Unblocks the former CAPSULE-001 task that lived (BLOCKED) in
SPRINT_20260408_005; carried over as CAPSULE-AUDIT-001 inside the new
SPRINT_20260422_002 (created + archived in same pass).
Pipeline:
- CapsuleManifest record: deterministic SBOM+feeds+reachability+policy+VEX
content-address bundle.
- CapsuleManifestCanonicalizer: mirrors AUDIT-007 algorithm byte-for-byte
(ordinal-sorted UTF-8 JSON via JsonDocument round-trip).
- ICapsuleSigner + EcdsaCapsuleSigner + NullCapsuleSigner: DSSE PAE
contract, DSSE payload type application/vnd.stellaops.decision-capsule+json.
Pattern-identical to IAuditBundleManifestSigner; defined locally rather
than cross-referencing IExportAttestationSigner (which lives inside
ExportCenter.WebService, not a shared library — future cleanup noted).
- CapsuleService: create / seal / verify / export (zip) / replay.
- PostgresCapsuleRepository (Dapper) with tenant RLS hookup.
Endpoints (all tenant-scoped, POST):
- POST /api/v1/evidence/capsules
- POST /api/v1/evidence/capsules/{id}/seal
- POST /api/v1/evidence/capsules/{id}/verify
- POST /api/v1/evidence/capsules/{id}/export (application/zip)
- POST /api/v1/evidence/capsules/{id}/replay
Storage: embedded migration 005_decision_capsules.sql creates
evidence_locker.decision_capsules (RLS-enforced) + indexes + CHECK
constraints. Auto-applied by existing EvidenceLockerMigrationRunner.
Audit (CAPSULE-AUDIT-001):
- 5 new AuditActions.Evidence constants (CreateCapsule/Seal/Verify/Export/Replay)
- Each endpoint chained with .Audited(AuditModules.Evidence, ...)
- contentHash surfaced on responses so AuditActionFilter propagates it
into details_jsonb.
Tests: 9 focused tests (determinism x3, sign+verify+tamper x3, null-signer
graceful degradation, pipeline round-trip, 404 on missing). Full
EvidenceLocker namespace sweep: 141/141, 0 failures.
Docs: docs/modules/evidence-locker/architecture.md §9bis (manifest schema,
DSSE payload type, storage, API surface, relationship to
release.run_capsule_replay_linkage).
Runtime curl+Timeline assertion deferred — running container image
predates these changes; rebuild pending. Structural wiring identical to
runtime-verified VerdictEndpoints (AUDIT-002 precedent).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
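The canonicalize, content-hash and DSSE sign/verify steps the commit message describes, as an added stand-alone Go illustration (the project itself is .NET; this is not its code). Assumed here: SHA-256 as the content address, ECDSA P-256 as the signer's key type, and a constructed three-field manifest in place of the real SBOM/feeds/reachability/policy/VEX bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// PayloadType is the DSSE payload type the commit message assigns to capsules.
const PayloadType = "application/vnd.stellaops.decision-capsule+json"

// Canonicalize re-serialises JSON with keys in byte order and no whitespace (encoding/json sorts map keys).
func Canonicalize(raw []byte) ([]byte, error) {
	var v any
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, err
	}
	return json.Marshal(v)
}

// ContentHash is the hex SHA-256 of the canonical bytes (the content address; SHA-256 is an assumption).
func ContentHash(canon []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(canon))
}

// PAE is the DSSE Pre-Authentication Encoding that is actually signed; it binds type and body together.
func PAE(payloadType string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(body), body))
}

// Seal signs the PAE with ECDSA P-256; Verify re-derives the PAE from the stored payload, so any altered byte fails.
func Seal(priv *ecdsa.PrivateKey, canon []byte) ([]byte, error) {
	d := sha256.Sum256(PAE(PayloadType, canon))
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}
func Verify(pub *ecdsa.PublicKey, canon, sig []byte) bool {
	d := sha256.Sum256(PAE(PayloadType, canon))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	// Constructed sample manifest: keys out of order, irregular whitespace.
	canon, _ := Canonicalize([]byte(`{"vex": ["VEX-A"], "sbom": {"digest":"sha256:abc"}, "policy":"p1"}`))
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := Seal(priv, canon)
	fmt.Println(ContentHash(canon), Verify(&priv.PublicKey, canon, sig))
}
```

Because the payload type is part of the PAE, a signature over a capsule cannot be replayed as a signature over the same bytes under a different DSSE type.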
EvidenceLocker
Status: Implemented
Source: src/EvidenceLocker/
Owner: Platform Team
Purpose
EvidenceLocker provides sealed, immutable storage for vulnerability scan evidence and audit logs. It ensures tamper-proof evidence chains for compliance and forensic analysis through content-addressable storage and cryptographic sealing.
Components
Services:
- StellaOps.EvidenceLocker.WebService - HTTP API for evidence submission and retrieval
- StellaOps.EvidenceLocker.Worker - Background sealing and archival workers
Libraries:
- StellaOps.EvidenceLocker.Core - Evidence sealing, verification, and chain validation
- StellaOps.EvidenceLocker.Infrastructure - Storage adapters and evidence bundle management
Configuration
See etc/evidence-locker.yaml.sample for configuration options (if available).
Key settings:
- Storage backend (filesystem, object storage)
- Sealing policy (immediate vs. batch)
- Retention policies
- Export destinations
- Authority integration for access control
Dependencies
- PostgreSQL (schema: evidence_locker)
- Authority (authentication and authorization)
- Signer (cryptographic sealing operations)
- ExportCenter (evidence bundle export)
Related Documentation
- Operations: ./operations/ (if exists)
- Portable pack contract: ./portable-audit-pack-contract.md
- Portable manifest schema: ./schemas/portable-audit-pack-manifest.v1.schema.json
- Portable compatibility mapping: ./portable-audit-pack-compatibility.md
- Portable determinism profile: ./portable-audit-pack-determinism.md
- Portable Rekor offline profile: ./portable-audit-pack-rekor-offline.md
- Portable CLI runbook: ./portable-audit-pack-cli-runbook.md
- Portable Parquet profile: ./portable-audit-pack-parquet-profile.md
- Portable verification matrix: ./portable-audit-pack-test-matrix.md
- Promotion evidence contract: ./promotion-evidence-contract.md
- ExportCenter: ../export-center/
- Attestor: ../attestor/
- High-Level Architecture: ../../ARCHITECTURE_OVERVIEW.md
Current Status
Implemented with WebService and Worker components. Supports sealed evidence storage with cryptographic verification. Integrated with ExportCenter for audit bundle generation.