stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
docs/features/checked/attestor/cas-for-sbom-vex-attestation-artifacts.md Normal file
View File

@@ -0,0 +1,47 @@
# CAS for SBOM/VEX/Attestation Artifacts
## Module
Attestor
## Status
VERIFIED
## Description
Content-addressed identifiers are implemented for proof chain artifacts. EvidenceLocker provides bundle building. Full OCI/MinIO CAS for SBOM/VEX blobs is not fully visible.
## What's Implemented
- **Content-Addressed ID Generator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/` -- ArtifactId, EvidenceId, ProofBundleId, VexVerdictId, GenericContentAddressedId, ContentAddressedIdGenerator (with `.Graph`), Sha256IdParser.
- **SBOM OCI Publisher**: `__Libraries/StellaOps.Attestor.Oci/Services/SbomOciPublisher.cs` -- publishes SBOMs to OCI registries.
- **ORAS Attestation Attacher**: `Oci/Services/OrasAttestationAttacher.cs` -- attaches attestations to OCI images.
- **Content-Addressed Tile Store**: `StellaOps.Attestor.TileProxy/Services/ContentAddressedTileStore.cs` -- content-addressed storage for tiles.
- **Evidence Pack Builder**: `__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- builds evidence packs.
- **Sigstore Bundle**: `__Libraries/StellaOps.Attestor.Bundle/Models/SigstoreBundle.cs` -- Sigstore bundle model.
## What's Missing
- **Unified CAS for all artifact types**: No single content-addressed storage service that handles SBOM, VEX, and attestation blobs uniformly. Current CAS is per-domain (tiles, OCI, proof chain IDs).
- **MinIO/S3 backend**: No MinIO or S3-compatible object storage backend for CAS. Current storage is either OCI registry or filesystem.
- **Deduplication service**: No cross-artifact deduplication by content hash (e.g., same SBOM ingested twice should resolve to one stored blob).
- **CAS garbage collection**: No garbage collection or retention policy for unreferenced CAS blobs.
- **CAS REST API**: No unified REST API for CAS operations (store, retrieve, exists, list by prefix).
## Implementation Plan
- Create a unified `IContentAddressedStore` interface with store/retrieve/exists operations
- Implement MinIO/S3 backend and filesystem backend behind the interface
- Add deduplication logic (check-before-store by content hash)
- Implement garbage collection with configurable retention policies
- Add REST endpoints for CAS operations
- Migrate existing per-domain storage to use the unified CAS
- Add tests for store/retrieve, deduplication, and GC
## Related Documentation
- Source: See feature catalog
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |