semi implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,32 @@
# RichGraph Attestation Service (stella.ops/richgraph@v1 predicate)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Generates DSSE-signed attestations capturing the full evidence graph (nodes, edges, paths) for a scan result. Uses the stella.ops/richgraph@v1 in-toto predicate type to attest the complete dependency and evidence graph topology.
## Implementation Details
- **Proof Graph Service**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs` (with `.Mutation`, `.Queries`, `.Subgraph`) -- in-memory graph service providing the richgraph data (nodes, edges, paths).
- **Graph Node**: `Graph/ProofGraphNode.cs` -- typed graph node with content-addressed ID and metadata.
- **Graph Edge**: `Graph/ProofGraphEdge.cs` -- directed edge with type metadata.
- **Node Types**: `Graph/ProofGraphNodeType.cs` -- node type enum (Evidence, Verdict, Policy, Artifact).
- **Edge Types**: `Graph/ProofGraphEdgeType.cs` -- edge type enum for relationship semantics.
- **Graph Subgraph**: `Graph/ProofGraphSubgraph.cs` -- extracted subgraph for attestation scope.
- **Graph Path**: `Graph/ProofGraphPath.cs` -- traversal path within the richgraph.
- **Statement Builder**: `Builders/StatementBuilder.cs` (with `.Extended`) -- builds in-toto statements with the richgraph predicate type.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` (with `.Verification`) -- signs richgraph attestations.
- **Graph Root Attestor**: `__Libraries/StellaOps.Attestor.GraphRoot/GraphRootAttestor.cs` -- attests Merkle roots over the graph for integrity.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ProofGraphTests.cs`
## E2E Test Plan
- [ ] Build a richgraph via `InMemoryProofGraphService` with Evidence, Verdict, and Artifact nodes connected by typed edges
- [ ] Create an in-toto statement with predicate type `stella.ops/richgraph@v1` via `StatementBuilder.Extended` wrapping the graph data
- [ ] Sign the richgraph attestation via `ProofChainSigner` and verify the DSSE envelope structure
- [ ] Extract a subgraph via `ProofGraphSubgraph` for a specific scan result and verify the attestation scopes to that subgraph
- [ ] Verify all graph paths from entrypoint to vulnerable sink are captured in the richgraph predicate
- [ ] Attest the Merkle root of the richgraph via `GraphRootAttestor` and verify integrity
- [ ] Verify the richgraph DSSE signature via `ProofChainSigner.Verification`
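Review bot: the E2E Test Plan has no negative case, so `## Status` / `IMPLEMENTED` is asserted while every verification box is unchecked and only the happy path is exercised; add a step that mutates a node or edge (or drops a `ProofGraphPath`) after signing and asserts that `ProofChainSigner.Verification` rejects the envelope and that the `GraphRootAttestor` Merkle root no longer matches, and a step that a `ProofGraphSubgraph` attestation does not verify against the full-graph root. Two smaller points in the same hunk: the file paths are inconsistent (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs` is absolute from the repo root, while `__Libraries/StellaOps.Attestor.GraphRoot/GraphRootAttestor.cs` and `__Tests/StellaOps.Attestor.ProofChain.Tests/ProofGraphTests.cs` omit the `src/Attestor/` prefix), and the predicate type is written as the bare string `stella.ops/richgraph@v1`, whereas in-toto `predicateType` is a TypeURI; state the exact literal the `StatementBuilder` emits so verifiers can match it.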