semi implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,30 @@
# Security State Snapshot (Content-Addressed Release Bundle)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Versioned, content-addressed snapshot bundles that capture SBOM graph, reachability graph, VEX claim set, policies, data-feed identifiers, and toolchain versions as digests for a release evaluation.
## Implementation Details
- **Attestation Bundler**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs` -- bundles multiple attestation artifacts into a versioned snapshot bundle.
- **Release Evidence Pack Builder**: `__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- builds release evidence packs containing SBOM, VEX, policy, and verdict data.
- **Pack Manifest**: `__Libraries/StellaOps.Attestor.EvidencePack/Models/ReleaseEvidencePackManifest.cs` -- manifest with SHA-256 digests of every included artifact.
- **Content-Addressed IDs**: `__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs` -- generates content-addressed IDs for each snapshot component.
- **Graph Root Attestor**: `__Libraries/StellaOps.Attestor.GraphRoot/GraphRootAttestor.cs` -- attests SBOM graph and reachability graph Merkle roots.
- **Proof Spine**: `__Libraries/StellaOps.Attestor.ProofChain/Assembly/ProofSpineRequest.cs`, `ProofSpineResult.cs` -- assembles snapshot components into a proof spine.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs the snapshot bundle.
- **Verdict Receipt**: `Statements/VerdictReceiptPayload.cs` -- captures the security state at evaluation time.
- **Tests**: `__Tests/StellaOps.Attestor.EvidencePack.Tests/`
## E2E Test Plan
- [ ] Build a security state snapshot via `AttestationBundler` with SBOM, VEX, policy, and reachability data; verify all components are included
- [ ] Verify each component has a content-addressed ID and the manifest lists all digests
- [ ] Attest the SBOM graph and reachability graph roots via `GraphRootAttestor` and verify they are included in the snapshot
- [ ] Assemble the snapshot into a proof spine and verify the Merkle root covers all components
- [ ] Sign the snapshot bundle and verify the DSSE envelope is valid
- [ ] Create a second snapshot with one modified component and verify the content-addressed IDs differ
- [ ] Verify offline verification: export the snapshot, import in an air-gapped environment, and verify all signatures
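Review bot: The `## Status` line says IMPLEMENTED while every item under `## E2E Test Plan` is still unchecked, so the file claims more than it shows as verified. Either mark the status as implemented but unverified, or tick the items that existing tests in `__Tests/StellaOps.Attestor.EvidencePack.Tests/` already cover. The Description also lists data-feed identifiers and toolchain versions as captured digests, but no entry under Implementation Details says which component records them, and the first test plan item only checks "SBOM, VEX, policy, and reachability data". Add both to the plan so a snapshot missing them fails. The last test plan item should also require recomputing the manifest's SHA-256 digests over the imported artifacts, not only "verify all signatures", since a valid signature alone does not show that the imported artifacts match the digests it covers. Finally, only the Attestation Bundler path is rooted at `src/Attestor/`. The `__Libraries/...`, `Signing/ProofChainSigner.cs` and `Statements/VerdictReceiptPayload.cs` entries are relative to different, unstated roots, so give full paths throughout.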