stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

docs consolidation work

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-25 18:48:11 +02:00
parent 2a06f780cf
commit 0103defcff
114 changed files with 4143 additions and 2395 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
docs/modules/attestor/README.md
View File

@@ -63,4 +63,28 @@ All predicates capture subjects, issuer metadata, policy context, materials, opt
- **Epic 19 Attestor Console:** console experience, verification APIs, issuer/key governance, transparency integration, and offline bundles.
- **Epic 10 Export Center:** provenance alignment so exports carry signed manifests and attestation bundles.
## Implementation Status
**Delivery Phases:**
- Phase 1 (Foundations) Complete: service skeleton, DSSE ingestion, Rekor client, and cache layer operational
- Phase 2 (Policies & UI) Blocked: Policy Studio integration and CLI commands awaiting upstream dependencies
- Phase 3 (Scan & VEX support) Complete: SBOM, VEX, and scan result predicates integrated
- Phase 4 (Transparency & keys) In progress: key event notifications, witness endorsements, and rotation workflows
- Phase 5 (Bulk & air gap) Blocked: Export Center contract required for attestation bundle workflows
- Phase 6 (Performance & hardening) Not started: benchmarks and incident playbooks pending
**Acceptance Criteria:**
- Service ingests DSSE envelopes, logs to transparency, returns proofs with deterministic hashes
- Verification APIs/CLI/UI validate signatures, inclusion proofs, policy compliance with caching
- Performance target: ≥1k envelopes/minute per worker with horizontal scaling
- Export Center and Offline Kit workflows bundle attestations for offline replay
- Observability coverage: metrics, traces, logs, audit events, and alerts
**Key Risks & Mitigations:**
- Key compromise: enforce hardware-backed keys, rotation procedures, revocation checks, incident runbooks
- Parser bugs: fuzz DSSE/predicate schemas, strict validation, fail closed
- Transparency outage: mirror logs, witness endorsements, queue submissions with exponential backoff
- Policy complexity: ship starter policies, simulation tooling, documented scenarios
- Offline gaps: archive bundles and proof material, surface gaps to operators, document compensating controls
> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.