save checkpoint

This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions

@@ -0,0 +1,44 @@
# Signed Risk Verdicts (DSSE/in-toto Envelope)
## Module
Attestor
## Status
VERIFIED
## Description
Verdicts signed as DSSE/in-toto attestations bound to immutable artifact digests, containing policy binding, knowledge snapshot binding, evaluator version, rationale, findings references, and unknowns state.
## Implementation Details
- **Verdict Receipt Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptPayload.cs` -- payload containing the verdict decision, inputs, outputs, and rationale.
- **Verdict Receipt Statement**: `Statements/VerdictReceiptStatement.cs` -- in-toto statement wrapping the verdict receipt.
- **Verdict Decision**: `Statements/VerdictDecision.cs` -- the risk verdict (Pass/Fail/Warn) with rationale.
- **Verdict Inputs**: `Statements/VerdictInputs.cs` -- inputs: policy binding, knowledge snapshot digest, evaluator version, findings references.
- **Verdict Outputs**: `Statements/VerdictOutputs.cs` -- outputs: violations, exceptions, unknowns state.
- **Verdict Summary**: `Predicates/VerdictSummary.cs` -- summary of the verdict for proof graph integration.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` (with `.Verification`) -- signs verdicts into DSSE envelopes bound to artifact digests.
- **Signing Key Profile**: `Signing/SigningKeyProfile.cs` -- key profile used for signing the verdict.
- **Proof Subject**: `Builders/ProofSubject.cs` -- artifact digest binding (subject with name and digest map).
- **Verdict Ledger**: `__Libraries/StellaOps.Attestor.VerdictLedger/VerdictLedgerService.cs` -- records signed verdicts in the append-only ledger.
- **Trust Verdict**: `__Libraries/StellaOps.Attestor.TrustVerdict/` -- trust verdict integration.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/VerdictReceiptTests.cs`
## E2E Test Plan
- [ ] Create a `VerdictReceiptPayload` with Pass decision, sign into DSSE envelope, and verify binding to artifact digest
- [ ] Verify `VerdictInputs` captures policy binding ID, knowledge snapshot digest, and evaluator version
- [ ] Verify `VerdictOutputs` captures findings references and unknowns state
- [ ] Create a Fail verdict with rationale and verify the rationale is present in the signed payload
- [ ] Verify the DSSE envelope signature via `ProofChainSigner.Verification`
- [ ] Record the signed verdict in `VerdictLedgerService` and verify the ledger entry
- [ ] Verify immutability: attempt to modify the verdict after signing and confirm signature verification fails
- [ ] Create verdicts for multiple artifacts and verify each is bound to its specific artifact digest via `ProofSubject`
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
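Review bot: the "## Status" line reads VERIFIED and the Verification table marks Tier 2 - Behavioral Verification as PASS, yet every item in "## E2E Test Plan" is still an unchecked `- [ ]` box, so the document does not say which of the eight behaviors was actually exercised; either tick the items that `__Tests/StellaOps.Attestor.ProofChain.Tests/VerdictReceiptTests.cs` covers or reference the test method for each, and in particular the immutability item ("attempt to modify the verdict after signing and confirm signature verification fails") and the per-artifact `ProofSubject` binding item should point at a concrete test, since they are the checks that justify the "bound to immutable artifact digests" claim in the description. Minor: the first bullet in Implementation Details gives a full path (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptPayload.cs`) while the following bullets use paths relative to it (`Statements/VerdictReceiptStatement.cs`, `Signing/ProofChainSigner.cs`); stating the base directory once, or using full paths throughout, would make the file references unambiguous.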