semi-implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,34 @@
# Signed Risk Verdicts (DSSE/in-toto Envelope)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Verdicts signed as DSSE/in-toto attestations bound to immutable artifact digests, containing policy binding, knowledge snapshot binding, evaluator version, rationale, findings references, and unknowns state.
## Implementation Details
- **Verdict Receipt Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptPayload.cs` -- payload containing the verdict decision, inputs, outputs, and rationale.
- **Verdict Receipt Statement**: `Statements/VerdictReceiptStatement.cs` -- in-toto statement wrapping the verdict receipt.
- **Verdict Decision**: `Statements/VerdictDecision.cs` -- the risk verdict (Pass/Fail/Warn) with rationale.
- **Verdict Inputs**: `Statements/VerdictInputs.cs` -- inputs: policy binding, knowledge snapshot digest, evaluator version, findings references.
- **Verdict Outputs**: `Statements/VerdictOutputs.cs` -- outputs: violations, exceptions, unknowns state.
- **Verdict Summary**: `Predicates/VerdictSummary.cs` -- summary of the verdict for proof graph integration.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` (with `.Verification`) -- signs verdicts into DSSE envelopes bound to artifact digests.
- **Signing Key Profile**: `Signing/SigningKeyProfile.cs` -- key profile used for signing the verdict.
- **Proof Subject**: `Builders/ProofSubject.cs` -- artifact digest binding (subject with name and digest map).
- **Verdict Ledger**: `__Libraries/StellaOps.Attestor.VerdictLedger/VerdictLedgerService.cs` -- records signed verdicts in the append-only ledger.
- **Trust Verdict**: `__Libraries/StellaOps.Attestor.TrustVerdict/` -- trust verdict integration.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/VerdictReceiptTests.cs`
## E2E Test Plan
- [ ] Create a `VerdictReceiptPayload` with Pass decision, sign into DSSE envelope, and verify binding to artifact digest
- [ ] Verify `VerdictInputs` captures policy binding ID, knowledge snapshot digest, and evaluator version
- [ ] Verify `VerdictOutputs` captures findings references and unknowns state
- [ ] Create a Fail verdict with rationale and verify the rationale is present in the signed payload
- [ ] Verify the DSSE envelope signature via `ProofChainSigner.Verification`
- [ ] Record the signed verdict in `VerdictLedgerService` and verify the ledger entry
- [ ] Verify immutability: attempt to modify the verdict after signing and confirm signature verification fails
- [ ] Create verdicts for multiple artifacts and verify each is bound to its specific artifact digest via `ProofSubject`
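Review bot: the E2E item "Verify `VerdictOutputs` captures findings references and unknowns state" contradicts the Implementation Details, which place findings references in `VerdictInputs` (`Statements/VerdictInputs.cs`) and describe `VerdictOutputs` as violations, exceptions and unknowns state; correct one of the two so the test exercises the class that actually carries the field. Two further points: `## Status` says IMPLEMENTED while every E2E checkbox is still unchecked, so either tick the items that have been run or qualify the status (e.g. "IMPLEMENTED, E2E pending"); and the verification items only cover a tampered payload, so add a negative case in which an envelope signed with a key outside the configured `SigningKeyProfile` is rejected by `ProofChainSigner.Verification`, since a valid signature alone does not establish that the verdict came from a trusted signer. Finally, the file paths mix three bases (`src/Attestor/__Libraries/...`, bare `Statements/...`, and `__Libraries/...`); state them consistently relative to `src/Attestor/` so a reader can locate each file.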