new two advisories and sprints work on them

2026-01-16 18:39:36 +02:00
parent 9daf619954
commit 111d80954f
69 changed files with 15508 additions and 16 deletions
--- a/docs/modules/excititor/vex_observations.md
+++ b/docs/modules/excititor/vex_observations.md
@@ -132,3 +132,101 @@ All observation documents are immutable. New information creates a new observati
 - `EXCITITOR-GRAPH-24-*` relies on this schema to build overlays.
 - `DOCS-LNM-22-002` (Link-Not-Merge documentation) references this file.
 - `EXCITITOR-ATTEST-73-*` uses `document.digest` + `signature` to embed provenance in attestation payloads.
+
+---
+
+## Rekor Transparency Log Linkage
+
+**Sprint Reference**: `SPRINT_20260117_002_EXCITITOR_vex_rekor_linkage`
+
+VEX observations can be attested to the Sigstore Rekor transparency log, providing an immutable, publicly verifiable record of when each observation was recorded. This supports:
+
+- **Auditability**: Independent verification that an observation existed at a specific time
+- **Non-repudiation**: Cryptographic proof of observation provenance
+- **Supply chain compliance**: Evidence for regulatory and security requirements
+- **Offline verification**: Stored inclusion proofs enable air-gapped verification
+
+### Rekor Linkage Fields
+
+The following fields are added to `vex_observations` when an observation is attested:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `rekor_uuid` | TEXT | Rekor entry UUID (64-char hex) |
+| `rekor_log_index` | BIGINT | Monotonically increasing log position |
+| `rekor_integrated_time` | TIMESTAMPTZ | When entry was integrated into log |
+| `rekor_log_url` | TEXT | Rekor server URL where submitted |
+| `rekor_inclusion_proof` | JSONB | RFC 6962 inclusion proof for offline verification |
+| `rekor_linked_at` | TIMESTAMPTZ | When linkage was recorded locally |
+
+### Schema Extension
+
+```sql
+-- V20260117__vex_rekor_linkage.sql
+ALTER TABLE excititor.vex_observations
+ADD COLUMN IF NOT EXISTS rekor_uuid TEXT,
+ADD COLUMN IF NOT EXISTS rekor_log_index BIGINT,
+ADD COLUMN IF NOT EXISTS rekor_integrated_time TIMESTAMPTZ,
+ADD COLUMN IF NOT EXISTS rekor_log_url TEXT,
+ADD COLUMN IF NOT EXISTS rekor_inclusion_proof JSONB,
+ADD COLUMN IF NOT EXISTS rekor_linked_at TIMESTAMPTZ;
+
+-- Indexes for Rekor queries
+CREATE INDEX idx_vex_observations_rekor_uuid
+ON excititor.vex_observations(rekor_uuid)
+WHERE rekor_uuid IS NOT NULL;
+
+CREATE INDEX idx_vex_observations_pending_rekor
+ON excititor.vex_observations(created_at)
+WHERE rekor_uuid IS NULL;
+```
+
+### API Endpoints
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/attestations/rekor/observations/{id}` | POST | Attest observation to Rekor |
+| `/attestations/rekor/observations/batch` | POST | Batch attestation |
+| `/attestations/rekor/observations/{id}/verify` | GET | Verify Rekor linkage |
+| `/attestations/rekor/pending` | GET | List observations pending attestation |
+
+### CLI Commands
+
+```bash
+# Show observation with Rekor details
+stella vex observation show <id> --show-rekor
+
+# Attest an observation to Rekor
+stella vex observation attest <id> [--rekor-url URL]
+
+# Verify Rekor linkage
+stella vex observation verify-rekor <id> [--offline]
+
+# List pending attestations
+stella vex observation list-pending
+```
+
+### Inclusion Proof Structure
+
+```jsonc
+{
+  "treeSize": 1234567,
+  "rootHash": "base64-encoded-root-hash",
+  "logIndex": 12345,
+  "hashes": [
+    "base64-hash-1",
+    "base64-hash-2",
+    "base64-hash-3"
+  ]
+}
+```
+
+### Verification Modes
+
+| Mode | Network | Use Case |
+|------|---------|----------|
+| Online | Required | Full verification against live Rekor |
+| Offline | Not required | Verify using stored inclusion proof |
+
+Offline mode uses the stored `rekor_inclusion_proof` to verify the Merkle path locally. This is essential for air-gapped environments.
+