stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

semi implemented and features implemented save checkpoint

Browse Source
This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
docs/features/unchecked/attestor/proof-audit-trail-transparency-log.md Normal file
View File

@@ -0,0 +1,31 @@
# Proof Audit Trail / Transparency Log
## Module
Attestor
## Status
IMPLEMENTED
## Description
Generated proofs are stored in attestor.proof_blobs with tamper-evident hashing (proof_hash UNIQUE constraint). Each proof includes snapshot_id, evidence_count, confidence, and full payload JSONB. The ProofHashing.VerifyHash method allows verification that proof content has not been tampered with.
## Implementation Details
- **Audit Hash Logger**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs` (with `.Validation`) -- logs audit records with tamper-evident hashing. Records proof operations with content hashes for later verification.
- **Hash Audit Record**: `Audit/HashAuditRecord.cs` -- individual audit record containing operation type, content hash, timestamp, and actor.
- **Audit Artifact Types**: `Audit/AuditArtifactTypes.cs` -- enum of auditable artifact types (ProofBlob, DsseEnvelope, VerdictReceipt, SpineEntry, etc.).
- **Persistence**: `__Libraries/StellaOps.Attestor.Persistence/Entities/AuditLogEntity.cs` -- persisted audit log entry with tenant_id, created_at, updated_at, and JSONB payload.
- **Proof Chain Repository**: `__Libraries/StellaOps.Attestor.Persistence/Repositories/IProofChainRepository.cs` -- repository for proof chain entities including proof blobs.
- **Content-Addressed IDs**: `__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs` -- generates SHA-256 IDs for proof blobs ensuring hash uniqueness.
- **Rekor Integration**: `StellaOps.Attestor.Core/Rekor/RekorSubmissionService.cs` -- submits proof audit entries to Rekor for external transparency.
- **Verdict Ledger**: `__Libraries/StellaOps.Attestor.VerdictLedger/VerdictLedgerService.cs` -- append-only ledger for verdict decisions.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/AuditHashLoggerTests.cs`
## E2E Test Plan
- [ ] Log a proof creation event via `AuditHashLogger` and verify the `HashAuditRecord` contains the correct content hash and operation type
- [ ] Verify tamper detection: modify a stored proof blob's content and verify `AuditHashLogger.Validation` detects the hash mismatch
- [ ] Create multiple audit records for different `AuditArtifactTypes` and verify each type is correctly categorized
- [ ] Persist audit records via `AuditLogEntity` and verify retrieval with correct tenant_id scoping
- [ ] Verify the proof_hash UNIQUE constraint: attempt to store two proof blobs with the same hash and verify the duplicate is rejected
- [ ] Submit an audit trail entry to Rekor and verify external transparency log integration
- [ ] Verify `VerdictLedgerService` creates append-only audit entries for verdict decisions
- [ ] Verify the full audit chain: create proof -> log audit -> persist -> retrieve -> verify hash integrity