stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
docs/features/checked/attestor/richgraph-attestation-service.md Normal file
View File

@@ -0,0 +1,42 @@
# RichGraph Attestation Service (stella.ops/richgraph@v1 predicate)
## Module
Attestor
## Status
VERIFIED
## Description
Generates DSSE-signed attestations capturing the full evidence graph (nodes, edges, paths) for a scan result. Uses the stella.ops/richgraph@v1 in-toto predicate type to attest the complete dependency and evidence graph topology.
## Implementation Details
- **Proof Graph Service**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs` (with `.Mutation`, `.Queries`, `.Subgraph`) -- in-memory graph service providing the richgraph data (nodes, edges, paths).
- **Graph Node**: `Graph/ProofGraphNode.cs` -- typed graph node with content-addressed ID and metadata.
- **Graph Edge**: `Graph/ProofGraphEdge.cs` -- directed edge with type metadata.
- **Node Types**: `Graph/ProofGraphNodeType.cs` -- node type enum (Evidence, Verdict, Policy, Artifact).
- **Edge Types**: `Graph/ProofGraphEdgeType.cs` -- edge type enum for relationship semantics.
- **Graph Subgraph**: `Graph/ProofGraphSubgraph.cs` -- extracted subgraph for attestation scope.
- **Graph Path**: `Graph/ProofGraphPath.cs` -- traversal path within the richgraph.
- **Statement Builder**: `Builders/StatementBuilder.cs` (with `.Extended`) -- builds in-toto statements with the richgraph predicate type.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` (with `.Verification`) -- signs richgraph attestations.
- **Graph Root Attestor**: `__Libraries/StellaOps.Attestor.GraphRoot/GraphRootAttestor.cs` -- attests Merkle roots over the graph for integrity.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ProofGraphTests.cs`
## E2E Test Plan
- [ ] Build a richgraph via `InMemoryProofGraphService` with Evidence, Verdict, and Artifact nodes connected by typed edges
- [ ] Create an in-toto statement with predicate type `stella.ops/richgraph@v1` via `StatementBuilder.Extended` wrapping the graph data
- [ ] Sign the richgraph attestation via `ProofChainSigner` and verify the DSSE envelope structure
- [ ] Extract a subgraph via `ProofGraphSubgraph` for a specific scan result and verify the attestation scopes to that subgraph
- [ ] Verify all graph paths from entrypoint to vulnerable sink are captured in the richgraph predicate
- [ ] Attest the Merkle root of the richgraph via `GraphRootAttestor` and verify integrity
- [ ] Verify the richgraph DSSE signature via `ProofChainSigner.Verification`
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |