stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Add determinism tests for verdict artifact generation and update SHA256 sums script

Browse Source 
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
This commit is contained in:
StellaOps Bot
2025-12-24 02:17:34 +02:00
parent e59921374e
commit 7503c19b8f
390 changed files with 37389 additions and 5380 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
docs/vex/issuer-directory.md
View File

@@ -1,6 +1,33 @@
# Archived: VEX Issuer Directory
# VEX Issuer Directory and Trust
This document was consolidated during docs cleanup.
Issuer trust is a first-class input to VEX decisioning. The issuer directory defines *who* a statement is from, *how* it is verified, and *how* policy should weigh it.
- Canonical guide: `docs/16_VEX_CONSENSUS_GUIDE.md`
- Related: `docs/modules/excititor/architecture.md`, `docs/modules/vex-lens/architecture.md`
## Issuer Identity
An issuer can be identified by:
- Stable provider IDs (connector/provider identifiers)
- Cryptographic identity (certificate chain, key identifiers, transparency inclusion proof) when available
Tenants may define allowlists for acceptable issuer identities and/or map issuers into trust tiers.
## Trust Tiers and Weights
Trust is commonly expressed as:
- **Tier label** (e.g., vendor, distro, internal, untrusted)
- **Weight/confidence** used by consensus/policy to break ties and set posture
- **Verification requirements** (e.g., signature required for `not_affected` gating)
## Offline Trust
Offline deployments must be able to verify issuer identity without network access:
- Trust roots and allowlists are bundled in the Offline Kit
- Signature verification and transparency proofs are evaluated against bundled material
## References
- `docs/16_VEX_CONSENSUS_GUIDE.md`
- `docs/modules/excititor/architecture.md`
- `docs/modules/vex-lens/architecture.md`