stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
docs/features/checked/attestor/single-canonical-verdict-attestation-per-subject.md Normal file
View File

@@ -0,0 +1,41 @@
# Single Canonical Verdict Attestation per Subject
## Module
Attestor
## Status
VERIFIED
## Description
VerdictBuilder service produces signed verdict attestations with DSSE envelopes, enabling single canonical verdict per artifact.
## Implementation Details
- **Verdict Receipt Statement**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptStatement.cs` -- in-toto statement wrapping the single canonical verdict for a subject.
- **Verdict Receipt Payload**: `Statements/VerdictReceiptPayload.cs` -- payload with decision, inputs, outputs, and rationale.
- **Verdict Decision**: `Statements/VerdictDecision.cs` -- the canonical decision (Pass/Fail/Warn).
- **Statement Builder**: `Builders/StatementBuilder.cs` -- builds the verdict statement with subject binding.
- **Proof Subject**: `Builders/ProofSubject.cs` -- binds the verdict to a single artifact digest (subject).
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs the canonical verdict into a DSSE envelope.
- **Content-Addressed ID**: `Identifiers/ContentAddressedIdGenerator.cs` -- generates a unique content-addressed ID for the verdict.
- **Verdict Ledger**: `__Libraries/StellaOps.Attestor.VerdictLedger/VerdictLedgerService.cs` -- ensures single canonical verdict per subject in the ledger.
- **Trust Verdict Service**: `__Libraries/StellaOps.Attestor.TrustVerdict/Services/` -- trust verdict service managing canonical verdicts.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/VerdictCanonicalTests.cs`
## E2E Test Plan
- [ ] Create a verdict for a subject digest via `StatementBuilder` and sign it; verify the DSSE envelope binds to exactly one subject
- [ ] Verify the verdict content-addressed ID is deterministic for the same decision and inputs
- [ ] Create a second verdict for the same subject and verify the canonical verdict is the latest one
- [ ] Query the verdict ledger for a subject and verify only one canonical verdict is returned
- [ ] Verify the canonical verdict contains complete inputs and outputs for auditability
- [ ] Create verdicts for different subjects and verify each subject has its own canonical verdict
- [ ] Verify the DSSE signature binds the verdict to the immutable artifact digest
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |