semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
--- a/docs/features/unchecked/excititor/vex-override-workflow-with-attestation-linkage.md
+++ b/docs/features/unchecked/excititor/vex-override-workflow-with-attestation-linkage.md
@@ -0,0 +1,35 @@
+# VEX Override Workflow with Attestation Linkage
+
+## Module
+Excititor
+
+## Status
+IMPLEMENTED
+
+## Description
+VEX decision APIs extended with attestation references so overrides are DSSE-signed. Attestor integration mints envelopes for operator decisions with envelope digest and Rekor info persistence. Includes offline stub client.
+
+## Implementation Details
+- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Attestation/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/`
+- **Key Classes**:
+  - `VexDsseBuilder` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Dsse/VexDsseBuilder.cs`) - builds DSSE envelopes for VEX override decisions
+  - `VexAttestationClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/VexAttestationClient.cs`) - client for VEX attestation operations
+  - `VexEvidenceAttestor` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Evidence/VexEvidenceAttestor.cs`) - attests VEX evidence with DSSE signatures
+  - `VexAttestationVerifier` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs`) - verifies VEX attestation envelopes
+  - `VexAttestationPredicate` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Models/VexAttestationPredicate.cs`) - predicate model for VEX attestations
+  - `RekorHttpClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Transparency/RekorHttpClient.cs`) - Rekor transparency log client
+  - `DsseEvidenceSignatureValidator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/DsseEvidenceSignatureValidator.cs`) - validates DSSE signatures on evidence
+  - `VexEvidenceLinker` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/VexEvidenceLinker.cs`) - links VEX decisions to supporting evidence
+  - `AttestationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/AttestationEndpoints.cs`) - REST endpoints for attestation operations
+  - `RekorAttestationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/RekorAttestationEndpoints.cs`) - Rekor-specific attestation endpoints
+- **Interfaces**: `IVexSigner`, `ITransparencyLogClient`, `IVexAttestationVerifier`
+- **Source**: SPRINT_20260112_004_VULN_vex_override_workflow.md
+
+## E2E Test Plan
+- [ ] Create a VEX override and verify `VexDsseBuilder` mints a DSSE-signed envelope with the operator's decision
+- [ ] Verify `VexAttestationClient` persists the envelope digest and Rekor entry info
+- [ ] Verify `VexAttestationVerifier` validates the DSSE signature on a VEX override attestation
+- [ ] Verify `RekorHttpClient` submits the attestation to the Rekor transparency log and retrieves the entry
+- [ ] Verify `VexEvidenceLinker` links the override decision to supporting binary-diff or reachability evidence
+- [ ] Verify `DsseEvidenceSignatureValidator` rejects overrides with invalid DSSE signatures
+- [ ] Verify attestation endpoints return override history with DSSE envelope and Rekor receipt references