semi implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,38 @@
# Unknowns System (First-Class State, Budget Enforcement, Registry, Attestation Binding)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Full unknowns tracking as first-class state: dedicated module with budget enforcement, ranking, taxonomy, budget-exceeded event publishing, IUnknownsAggregator interface, and UnknownItem records. Registry with trust-decay scoring, repository persistence, and ProofChain aggregation. Unknowns cryptographically bound to attestations via uncertainty statements, budget predicates, and JSON schemas. UI components for unknowns queue and budget widgets.
## Implementation Details
- **IUnknownsAggregator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/IUnknownsAggregator.cs` -- interface for aggregating unknown items across scan results and evidence gaps.
- **UnknownsAggregator**: `Services/UnknownsAggregator.cs` -- concrete implementation that collects, deduplicates, and ranks unknown items.
- **UnknownItem**: `Services/UnknownItem.cs` -- individual unknown item record with source, severity, category, and first-seen timestamp.
- **Budget Check Result**: `Services/BudgetCheckResult.cs` -- result of checking aggregated unknowns against budget thresholds.
- **Budget Violation**: `Services/BudgetViolation.cs` -- violation record when unknowns exceed budget limits.
- **Exception Ref**: `Services/ExceptionRef.cs` -- reference to an approved exception that excludes an unknown from budget enforcement.
- **Unknowns Budget Predicate**: `Predicates/UnknownsBudgetPredicate.cs` -- attestation predicate binding unknowns state to the proof chain.
- **Uncertainty Statement**: `Statements/UncertaintyStatement.cs` -- in-toto statement wrapping uncertainty evidence for attestation.
- **Uncertainty State Entry**: `Statements/UncertaintyStateEntry.cs` -- per-finding uncertainty state entry.
- **Uncertainty Evidence**: `Statements/UncertaintyEvidence.cs` -- evidence contributing to the uncertainty measurement.
- **Budget Definition**: `Statements/BudgetDefinition.cs` -- threshold definitions for unknowns budget enforcement.
- **Budget Observation**: `Statements/BudgetObservation.cs` -- observed unknowns counts at a point in time.
- **Budget Violation Entry**: `Statements/BudgetViolationEntry.cs` -- recorded violation when budget is exceeded.
- **Budget Exception Entry**: `Statements/BudgetExceptionEntry.cs` -- approved exception entry.
- **Predicate Schema Validator**: `Json/PredicateSchemaValidator.cs` -- validates unknowns predicates against JSON schemas.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/`
## E2E Test Plan
- [ ] Aggregate 10 unknown items via `UnknownsAggregator` from different sources and verify deduplication by source+CVE key
- [ ] Verify unknowns ranking: add items with varying severities and confirm they are ordered by severity (critical first)
- [ ] Set a budget (max_critical=3) and aggregate 5 critical unknowns; verify `BudgetCheckResult` reports violation
- [ ] Register an `ExceptionRef` for one critical unknown and verify budget count drops to 4 critical
- [ ] Build an `UnknownsBudgetPredicate` from aggregated unknowns and verify it contains correct item counts and budget status
- [ ] Create an `UncertaintyStatement` from unknowns and verify it is a valid in-toto statement with the correct predicate type URI
- [ ] Validate the unknowns predicate against `PredicateSchemaValidator` and verify it passes schema validation
- [ ] Aggregate unknowns from an empty scan and verify the aggregator returns zero items with a passing budget check
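Review bot: the Description section promises a registry with trust-decay scoring, repository persistence, budget-exceeded event publishing and UI components for the unknowns queue and budget widgets, but the Implementation Details list itemizes only aggregator, budget, predicate, statement and schema-validator files, so either add the missing files (registry, repository, event publisher, UI components) to the list or narrow the Description to what the listed files actually cover; this matters because Status reads IMPLEMENTED while every E2E item is still unchecked and the Tests entry points at a directory rather than specific test classes. Two smaller points in the E2E plan: the first item deduplicates "by source+CVE key", yet the `UnknownItem` entry describes the record as carrying only source, severity, category and first-seen timestamp, so either document the identifier field the key uses or restate the key; and the `ExceptionRef` item (5 critical, max_critical=3, one exception) ends at "verify budget count drops to 4 critical" without stating the expected `BudgetCheckResult`, which at 4 against a limit of 3 should still report a violation, so add that assertion plus a companion case where exceptions bring the count within budget. Finally, the first Implementation Details entry gives the full `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/IUnknownsAggregator.cs` path while the rest are relative to an unstated base; state the base directory once so `Predicates/`, `Statements/` and `Json/` are unambiguous.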