partly or unimplemented features - now implemented
This commit is contained in:
master
@@ -0,0 +1,43 @@
|
||||
# OCI Referrers for Evidence Storage (StellaBundle)
|
||||
|
||||
## Module
|
||||
Cli
|
||||
|
||||
## Status
|
||||
IMPLEMENTED
|
||||
|
||||
## Description
|
||||
Bundle export, verification, and CLI commands exist. The pattern for storing evidence as OCI referrers is partially implemented through the bundle system and verifier module.
|
||||
|
||||
## What's Implemented
|
||||
- **Bundle Export**: `src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs` -- `BundleExportCommand` (static class)
|
||||
- Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-002)
|
||||
- Implements `stella evidence export-bundle --image <ref> [--output <path>] [--include-dsse] [--include-rekor-proof]`
|
||||
- Produces advisory-compliant bundles with DSSE envelopes, Rekor proofs, and OCI referrer metadata
|
||||
- **Bundle Verification**: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs` -- `BundleVerifyCommand` (static class)
|
||||
- Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-003)
|
||||
- Implements `stella bundle verify --bundle <path> [--trust-root <pem>] [--rekor-checkpoint <path>]`
|
||||
- Full offline cryptographic verification chain
|
||||
- **Bundle Command Group**: `src/Cli/StellaOps.Cli/Commands/BundleCommandGroup.cs` -- additional bundle operations
|
||||
- **Evidence Command Group**: `src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs` -- evidence management commands
|
||||
- **Checkpoint Commands**: `src/Cli/StellaOps.Cli/Commands/CheckpointCommands.cs` -- checkpoint operations for bundle management
|
||||
- **Verifier Module**: `src/Verifier/` -- evidence verification backend
|
||||
|
||||
## What's Missing
|
||||
- **OCI Referrers API integration**: No direct `oras` or OCI Distribution API client for pushing/pulling evidence as OCI referrers (artifacts are stored as bundles, not native OCI referrers)
|
||||
- **`stella evidence push-referrer`**: No command to push evidence artifacts as OCI referrers to a registry using the OCI Referrers API
|
||||
- **`stella evidence list-referrers`**: No command to list all referrers attached to an OCI artifact digest
|
||||
- **Referrer discovery**: No automated discovery of evidence referrers when running verify commands against a registry
|
||||
- **ORAS integration**: No integration with ORAS library for native OCI artifact handling
|
||||
|
||||
## Implementation Plan
|
||||
- Add OCI Distribution client with Referrers API support (v2 manifest list)
|
||||
- Implement `stella evidence push-referrer --image <ref> --artifact-type <type> --file <path>` for pushing evidence as OCI referrers
|
||||
- Implement `stella evidence list-referrers <ref>` for listing attached referrers by artifact type
|
||||
- Add `--use-referrers` flag to `stella verify image` to auto-discover evidence from registry referrers
|
||||
- Integrate with existing bundle export to optionally push as OCI referrers instead of tar.gz
|
||||
|
||||
## Related Documentation
|
||||
- Bundle export: `src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs`
|
||||
- Bundle verify: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs`
|
||||
- Evidence commands: `src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs`
|
||||
Reference in New Issue
Block a user