save checkpoint: save features
@@ -0,0 +1,36 @@
# PostgreSQL Backend for Rekor Metadata
## Module
devops
## Status
VERIFIED
## Description
PostgreSQL-based Rekor backend with checkpoint storage, submission queue tables, and VEX-Rekor linkage migration.
## Implementation Details
- **Rekor Inclusion Proof Models**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/RekorInclusionProof.cs` -- model for Rekor inclusion proof data including log index, root hash, tree size, and inclusion hashes.
- **Enhanced Rekor Proof Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.cs` (with partials `.Build.cs`, `.Validate.cs`) -- builds and validates Rekor inclusion proofs, storing metadata for PostgreSQL persistence.
- **Pipeline Rekor Entry**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Pipeline/RekorEntry.cs` -- pipeline model for Rekor transparency log entries.
- **Rekor Inclusion Verification**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/RekorInclusionVerificationStep.cs` -- verification step that validates Rekor inclusion proofs against stored checkpoints.
- **Database Cluster Config**: `devops/database/postgres/cluster-production.yaml`, `cluster-staging.yaml` -- PostgreSQL cluster definitions for CloudNativePG with Rekor metadata tables.
- **Database Pooler Config**: `devops/database/postgres/pooler-production.yaml`, `pooler-staging.yaml` -- PgBouncer pooler configurations for Rekor query workloads.
- **Compose Configuration**: `devops/compose/docker-compose.stella-ops.yml` -- includes PostgreSQL service configuration for the Rekor backend.
## E2E Test Plan
- [ ] Submit a DSSE attestation through the proof chain pipeline and verify the Rekor entry metadata (log index, root hash, tree size) is persisted to PostgreSQL
- [ ] Query the stored Rekor checkpoint and verify it matches the transparency log state at submission time
- [ ] Verify Rekor inclusion proof validation: retrieve a stored proof from PostgreSQL and run `RekorInclusionVerificationStep` to confirm it validates correctly
- [ ] Verify the submission queue processes entries in order and marks them as submitted after successful Rekor log inclusion
- [ ] Deploy the PostgreSQL cluster configuration and verify the database schema includes the required Rekor metadata tables
## Verification
- Verified on 2026-02-11 with `run-001`.
- Tier 0 source checks passed for Rekor proof models/builders, verification step, and DevOps PostgreSQL assets.
- Tier 1 build and focused behavioral test gates passed (`57/57`) across Rekor inclusion proof, receipt generation/verification, and verification-job integration suites.
- Tier 2 behavioral checks passed by applying the initial PostgreSQL schema in Docker and validating required tables/indexes for `proofchain.rekor_entries` and `attestor.rekor_submission_queue`.
- Evidence:
- `docs/qa/feature-checks/runs/devops/postgresql-backend-for-rekor-metadata/run-001/tier0-source-check.json`
- `docs/qa/feature-checks/runs/devops/postgresql-backend-for-rekor-metadata/run-001/tier1-build-check.json`
- `docs/qa/feature-checks/runs/devops/postgresql-backend-for-rekor-metadata/run-001/tier2-integration-check.json`
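Review bot: the `VERIFIED` status is not backed by the E2E Test Plan in this hunk, whose five items are all still `- [ ]` while the Verification section claims Tier 0 to Tier 2 passed; either tick the items that `run-001` actually exercised or state why they remain open. The Tier 2 bullet only validates `proofchain.rekor_entries` and `attestor.rekor_submission_queue`, so the checkpoint storage named in the Description and in the second E2E item ("Query the stored Rekor checkpoint") has no table listed as validated; name the checkpoint table, or say that checkpoints live in `rekor_entries`, so the verification claim can be audited. Also, the Description counts the "VEX-Rekor linkage migration" as part of this feature, but no migration file appears in this file's Implementation Details; that migration is documented in `docs/features/checked/devops/vex-rekor-linkage.md` in the same commit, so cross-reference it rather than claiming it in both documents.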
39
docs/features/checked/devops/vex-rekor-linkage.md
Normal file
@@ -0,0 +1,39 @@
# VEX-Rekor Linkage
## Module
devops
## Status
VERIFIED
## Description
Database migration and persistence behavior for linking VEX observations to Rekor entries, enabling transparent VEX decision traceability.
## Implementation Details
- **VEX Proof Integrator Metadata**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.Helpers.cs` and `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.Metadata.cs` implement deterministic VEX verdict status/justification mapping and proof metadata payload generation.
- **VEX Verdict Proof Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexVerdictProofPayload.cs` defines the serialized proof-carrying payload contract for VEX verdicts.
- **VEX Verdict ID**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/VexVerdictId.cs` provides content-addressed VEX verdict identifiers.
- **VEX Delta and Merge Models**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexDeltaChange.cs`, `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexDeltaStatement.cs`, `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexDeltaSummary.cs`, and `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexMergeTrace.cs` model delta/merge evidence for VEX decision evolution.
- **Rekor Linkage Migration**: `devops/database/migrations/V20260117__vex_rekor_linkage.sql` adds Rekor linkage columns and indexes for Excititor and VexHub tables and attestor verification metadata columns.
- **Compose Configuration**: `devops/compose/docker-compose.stella-ops.yml` provides PostgreSQL infrastructure used for linkage verification workflows.
- **Excititor Postgres Store**: `src/Excititor/__Libraries/StellaOps.Excititor.Persistence/Postgres/Repositories/PostgresVexObservationStore.cs` now consistently persists and queries Rekor linkage fields on `vex.observations` with ensured Rekor columns/indexes.
- **Behavioral Coverage**: `src/Excititor/__Tests/StellaOps.Excititor.Persistence.Tests/PostgresVexObservationStoreTests.cs` includes linkage round-trip, pending-queue, and missing-observation negative-path tests.
## E2E Test Plan
- [x] Create VEX observations and validate Rekor linkage fields can be persisted and queried.
- [x] Query pending observations and verify unlinked records are returned in deterministic created-at order.
- [x] Validate migration adds required Rekor columns and indexes across Excititor and VexHub tables.
- [x] Reapply migration and verify existing Rekor linkage data is preserved.
## Verification
- Verified on 2026-02-11 with `run-001`.
- Tier 0 source checks passed for Attestor VEX/Rekor models, DevOps migration assets, and Excititor persistence/test paths.
- Tier 1 passed after resolving a schema mismatch defect in `PostgresVexObservationStore` (`71/71` tests across persistence and attestation suites).
- Tier 2 passed with fresh Dockerized PostgreSQL interactions validating migration columns/indexes, linked and pending query paths, and idempotent reapply behavior.
- Evidence:
- `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/tier0-source-check.json`
- `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/tier1-build-check.json`
- `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/triage.json`
- `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/fix-summary.json`
- `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/retest-result.json`
- `docs/qa/feature-checks/runs/devops/vex-rekor-linkage/run-001/tier2-integration-check.json`
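Review bot: the schema now has two owners and the document should say which one is authoritative: the migration `V20260117__vex_rekor_linkage.sql` adds the Rekor linkage columns and indexes, while `PostgresVexObservationStore.cs` is described as persisting "with ensured Rekor columns/indexes", i.e. creating them at runtime. The Tier 1 bullet reporting a schema mismatch defect in `PostgresVexObservationStore` is exactly the drift that duplication invites; state whether the store's ensure step is a fallback for databases the migration has not reached or should be dropped, and which column definitions it must match. Minor: `fix-summary.json` and `retest-result.json` are listed as evidence, but the text never says what the defect was or what changed; one sentence in the Tier 1 bullet would let a reader judge the `VERIFIED` status without opening the JSON.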