stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
docs/features/checked/attestor/auditor-evidence-extraction.md Normal file
View File

@@ -0,0 +1,40 @@
# Auditor Evidence Extraction (Audit Pack / Evidence Pack)
## Module
Attestor
## Status
VERIFIED
## Description
Exportable evidence packs (audit bundles) containing RVA attestation, policy bundle, knowledge snapshot manifest, referenced evidence artifacts, and verification replay logs for auditor consumption.
## Implementation Details
- **Evidence Pack Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- constructs complete evidence packs containing all artifacts needed for audit verification.
- **Evidence Pack Serializer**: `ReleaseEvidencePackSerializer.cs` -- serializes evidence packs to portable format.
- **Evidence Pack Manifest**: `Models/ReleaseEvidencePackManifest.cs` -- manifest listing all artifacts in the pack with digests.
- **Verification Replay Log**: `Models/VerificationReplayLog.cs` -- captures the sequence of verification steps for deterministic replay.
- **Replay Log Builder**: `Services/VerificationReplayLogBuilder.cs` -- builds replay logs during verification. `ReplayLogSerializerContext.cs` -- serialization context.
- **Archive Store**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Storage/IAttestorArchiveStore.cs`, `AttestorArchiveBundle.cs` -- interface and model for archive storage. `Infrastructure/Storage/S3AttestorArchiveStore.cs`, `NullAttestorArchiveStore.cs` -- S3 and null implementations.
- **Audit Records**: `StellaOps.Attestor.Core/Audit/AttestorAuditRecord.cs` -- audit record model. `StellaOps.Attestor.Core/Storage/IAttestorAuditSink.cs` -- sink interface.
- **Tests**: `__Tests/StellaOps.Attestor.EvidencePack.Tests/ReleaseEvidencePackBuilderTests.cs`, `ReleaseEvidencePackManifestTests.cs`, `VerificationReplayLogBuilderTests.cs`
- **Integration Tests**: `__Tests/StellaOps.Attestor.EvidencePack.IntegrationTests/` -- `EvidencePackGenerationTests.cs`, `OfflineVerificationTests.cs`, `ReproducibilityTests.cs`, `TamperDetectionTests.cs`, `SlsaStrictValidationTests.cs`
## E2E Test Plan
- [ ] Build a `ReleaseEvidencePackManifest` via `ReleaseEvidencePackBuilder` with SBOM, VEX, attestation, and provenance artifacts, then verify manifest contains entries for each artifact with correct SHA-256 digests
- [ ] Serialize the evidence pack via `ReleaseEvidencePackSerializer` and verify the output can be deserialized back with all artifacts intact
- [ ] Build a `VerificationReplayLog` capturing 5+ verification steps and verify the log contains each step in order with timestamps and results
- [ ] Export the evidence pack, then replay verification using the replay log and verify identical outcomes (reproducibility)
- [ ] Tamper with an artifact in the exported pack and verify that digest verification detects the modification
- [ ] Archive an evidence pack to S3 via `S3AttestorArchiveStore` and retrieve it, verifying content integrity
- [ ] Verify the evidence pack includes all required audit artifacts (attestation chain, policy bundle, knowledge snapshot)
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |