stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

partly or unimplemented features - now implemented

Browse Source
This commit is contained in:
master
2026-02-09 08:53:51 +02:00
parent 1bf6bbf395
commit 4bdc298ec1
674 changed files with 90194 additions and 2271 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
docs/features/unchecked/attestor/dsse-signed-exception-objects-with-recheck-policy.md Normal file
View File

@@ -0,0 +1,36 @@
# DSSE-Signed Exception Objects with Recheck Policy
## Module
Attestor
## Status
IMPLEMENTED
## Description
Policy exceptions framework with models, repositories, and services exists. DSSE signing infrastructure is available. Full UI exception modal with recheck policy enforcement is partially complete.
## What's Implemented
- **Budget Exception Entry**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs` -- exception entry model.
- **Exception Ref**: `ProofChain/Services/ExceptionRef.cs` -- reference to an approved exception.
- **VEX Override System**: `__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/` -- VexOverridePredicateBuilder (with `.Build`, `.Serialize`, `.WithMethods`), VexOverrideDecision, EvidenceReference -- structured override/exception with evidence.
- **DSSE Signing Infrastructure**: `ProofChain/Signing/ProofChainSigner.cs`, `DsseEnvelope.cs` -- available DSSE signing.
- **Policy Decision**: `Predicates/PolicyDecision.cs` -- policy decision referencing exceptions.
## What's Missing
- **DSSE-signed exception objects**: Exceptions are not individually DSSE-signed as standalone attestation artifacts. They exist as records within larger predicates but are not independently verifiable.
- **Recheck policy enforcement**: No automated recheck scheduling that re-evaluates exceptions at configured intervals (e.g., 30-day review cycle).
- **Exception expiry enforcement**: No automated enforcement of exception expiry dates with re-approval workflow.
- **Exception approval workflow**: No multi-party approval flow for exception creation (e.g., two approvers required for critical CVE exceptions).
- **Exception audit trail**: No dedicated audit trail for exception lifecycle (created, approved, rechecked, expired, revoked).
## Implementation Plan
- Create `DsseSignedException` model wrapping exception objects in DSSE envelopes
- Implement recheck policy with configurable intervals (Scheduler integration)
- Add exception expiry enforcement with notification before expiry
- Build multi-party approval workflow for high-severity exceptions
- Create exception audit trail using the existing AuditHashLogger infrastructure
- Add UI exception modal with recheck policy configuration
- Add tests for signing, recheck scheduling, and expiry enforcement
## Related Documentation
- Source: See feature catalog