stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
docs/features/checked/attestor/dsse-wrapped-reach-maps.md Normal file
View File

@@ -0,0 +1,45 @@
# DSSE-Wrapped Reach-Maps
## Module
Attestor
## Status
VERIFIED
## Description
Rich graphs and suppression witnesses exist with signing infrastructure available, but a specific "signed reach-map artifact" as a standalone DSSE-wrapped output is not distinctly implemented as described.
## What's Implemented
- **Reachability Witness Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs` (with `.Path`) -- reachability witness data with call paths.
- **Witness Path Nodes**: `Statements/WitnessCallPathNode.cs`, `WitnessPathNode.cs` -- call path node models.
- **Micro Witness Evidence**: `Predicates/MicroWitnessFunctionEvidence.cs`, `MicroWitnessBinaryRef.cs`, `MicroWitnessCveRef.cs`, `MicroWitnessSbomRef.cs` -- function-level reachability evidence.
- **DSSE Signing**: `Signing/ProofChainSigner.cs`, `DsseEnvelope.cs` -- available signing infrastructure.
- **Proof Graph**: `Graph/InMemoryProofGraphService.cs` (with `.Mutation`, `.Queries`, `.Subgraph`) -- graph model for proof evidence.
## What's Missing
- **Standalone reach-map artifact**: No dedicated reach-map document type that captures the full reachability graph (all functions, edges, and reachability status) as a single DSSE-wrapped artifact.
- **Reach-map predicate type**: No registered predicate type URI (e.g., `https://stellaops.org/attestation/reachmap/v1`) for reach-map attestations.
- **Full graph serialization**: Reachability evidence is captured per-CVE (micro-witness) not as a complete call graph that can be independently verified.
- **Reach-map versioning**: No mechanism to version reach-maps and detect changes between scans.
- **Reach-map OCI attachment**: No pipeline to attach DSSE-signed reach-maps to OCI images as referrers.
## Implementation Plan
- Define a reach-map predicate type with full call graph serialization
- Create a `ReachMapBuilder` that aggregates all micro-witness data into a single reach-map document
- Implement DSSE signing for reach-map documents using existing `ProofChainSigner`
- Add reach-map versioning with diff detection between scans
- Wire OCI attachment via existing `OrasAttestationAttacher`
- Add tests for reach-map building, signing, and versioning
## Related Documentation
- Source: See feature catalog
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |