stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
docs/features/checked/attestor/proof-spine-system.md Normal file
View File

@@ -0,0 +1,45 @@
# Proof Spine System (Assembly, Segment Construction, Explainable Quiet Alerts)
## Module
Attestor
## Status
VERIFIED
## Description
Proof spine builder producing chained segments (SBOM_SLICE, MATCH, REACHABILITY, GUARD_ANALYSIS, RUNTIME_OBSERVATION, POLICY_EVAL), each DSSE-signed with hash-linked predecessors. Chains evidence IDs, reasoning IDs, VEX verdict IDs into signed proof bundles with Merkle root computation. VexProofSpineService in Policy engine enables explainable quiet alerts.
## Implementation Details
- **Proof Spine Assembly**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Assembly/` -- proof spine assembly:
- `ProofSpineRequest.cs` -- request specifying subjects and evidence to include in the spine.
- `ProofSpineResult.cs` -- result containing assembled spine with Merkle root and linked segments.
- `ProofSpineSubject.cs` -- individual subject within a spine (artifact digest, type).
- `MerkleTree.cs` -- Merkle tree used for spine root computation.
- `SpineVerificationCheck.cs` -- individual verification check for a spine segment.
- `SpineVerificationResult.cs` -- aggregate verification result for the complete spine.
- **Proof Spine Statement**: `Statements/ProofSpineStatement.cs` -- in-toto statement wrapping a proof spine.
- **Proof Spine Predicate**: `Predicates/ProofSpinePredicate.cs` -- predicate containing Merkle root, segment list, evidence IDs, reasoning IDs, and VEX verdict IDs.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs each spine segment into a DSSE envelope with hash-linked predecessor.
- **Content-Addressed Identifiers**: `Identifiers/EvidenceId.cs`, `ReasoningId.cs`, `VexVerdictId.cs` -- IDs chained in the spine.
- **Persistence**: `__Libraries/StellaOps.Attestor.Persistence/Entities/SpineEntity.cs` -- persists spine data.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ProofSpineTests.cs`
## E2E Test Plan
- [ ] Assemble a proof spine via `ProofSpineRequest` with 5 subjects and verify `ProofSpineResult` contains a valid Merkle root
- [ ] Verify each spine segment is DSSE-signed and hash-linked to its predecessor
- [ ] Create spine segments of different types (SBOM_SLICE, MATCH, REACHABILITY, POLICY_EVAL) and verify segment type metadata
- [ ] Chain evidence IDs, reasoning IDs, and VEX verdict IDs into the spine and verify all IDs are present in `ProofSpinePredicate`
- [ ] Verify the spine via `SpineVerificationCheck` for each segment and confirm `SpineVerificationResult` passes
- [ ] Build a `ProofSpineStatement` and sign it; verify the DSSE envelope wraps the complete spine
- [ ] Persist the spine via `SpineEntity` and retrieve it; verify data integrity
- [ ] Tamper with one segment's hash and verify spine verification detects the break in the hash chain
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |