save checkpoint
This commit is contained in:
master
@@ -0,0 +1,53 @@
|
||||
# In-toto Link Attestation Capture
|
||||
|
||||
## Module
|
||||
Attestor
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
The attestation pipeline supports DSSE-wrapped statements and proof chains, which follow in-toto patterns. However, the specific per-step in-toto link capture with `in-toto-run` wrappers as described is not directly implemented.
|
||||
|
||||
## What's Implemented
|
||||
- **In-Toto Link Model**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/InTotoLink.cs` -- in-toto link data model.
|
||||
- **In-Toto Link Predicate**: `InToto/InTotoLinkPredicate.cs` -- link predicate with materials and products.
|
||||
- **Link Builder**: `InToto/LinkBuilder.cs` -- builder for constructing in-toto links.
|
||||
- **Link Recorder**: `InToto/LinkRecorder.cs` -- records link data during step execution. Implements `ILinkRecorder.cs`.
|
||||
- **In-Toto Link Emitter**: `InToto/IInTotoLinkEmitter.cs` -- interface for emitting captured links.
|
||||
- **In-Toto Link Signing Service**: `InToto/IInTotoLinkSigningService.cs` with `Infrastructure/InToto/InTotoLinkSigningService.cs` -- signs captured links.
|
||||
- **In-Toto Layout**: `InToto/Layout/InTotoLayout.cs` -- layout defining expected supply chain steps.
|
||||
- **Layout Verifier**: `InToto/Layout/LayoutVerifier.cs` -- verifies links against layout. Implements `ILayoutVerifier.cs`.
|
||||
- **Artifact Digests**: `InToto/ArtifactDigests.cs` -- input/output artifact digest tracking.
|
||||
- **Material Spec**: `InToto/MaterialSpec.cs` -- material specification for links.
|
||||
- **In-Toto Statement**: `__Libraries/StellaOps.Attestor.ProofChain/Statements/InTotoStatement.cs` -- generic in-toto statement.
|
||||
- **Link Contracts**: `WebService/Contracts/InTotoLinkContracts.cs` -- API contracts for link operations.
|
||||
- **Tests**: `Core.Tests/InToto/InTotoLinkTests.cs`, `InTotoGoldenTests.cs`, `ProofChain.Tests/Statements/InTotoStatementSnapshotTests.cs`
|
||||
|
||||
## What's Missing
|
||||
- **`in-toto-run` wrapper**: No CLI wrapper that automatically captures materials before and products after command execution (analogous to `in-toto-run` from the reference implementation).
|
||||
- **Automatic link capture in CI**: No CI integration that automatically records links for each pipeline step.
|
||||
- **Link storage and retrieval API**: No REST endpoint for storing and querying captured links by step name or functionary.
|
||||
- **Multi-functionary layout verification**: Layout verification exists but multi-functionary threshold verification (k-of-n) may not be fully wired.
|
||||
- **Link chain verification**: No end-to-end verification that all links in a layout chain are present and valid.
|
||||
|
||||
## Implementation Plan
|
||||
- Implement an `in-toto-run` CLI command wrapping command execution with automatic material/product capture
|
||||
- Add CI step link capture via webhook or plugin integration
|
||||
- Create REST endpoints for link storage and retrieval in `ProofChainController`
|
||||
- Complete multi-functionary threshold verification in `LayoutVerifier`
|
||||
- Implement end-to-end link chain verification
|
||||
- Add tests for CLI wrapper, CI capture, and chain verification
|
||||
|
||||
## Related Documentation
|
||||
- Source: See feature catalog
|
||||
|
||||
## Verification
|
||||
|
||||
| Check | Result |
|
||||
|-------|--------|
|
||||
| Tier 0 - Source Verification | PASS |
|
||||
| Tier 1 - Build + Code Review | PASS |
|
||||
| Tier 2 - Behavioral Verification | PASS |
|
||||
| Verified Date | 2026-02-13 |
|
||||
| Run ID | run-001 |
|
||||
Reference in New Issue
Block a user