save checkpoint

docs/features/checked/attestor/verification-pipeline.md

@@ -0,0 +1,48 @@
+# Verification Pipeline (Multi-step Proof Verification)
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+Multi-step verification pipeline with pluggable steps: DSSE signature check, ID recomputation, Rekor inclusion proof, trust anchor verification. Each step produces structured results.
+
+## Implementation Details
+- **IVerificationPipeline**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/IVerificationPipeline.cs` -- interface for the multi-step verification pipeline.
+- **Verification Pipeline**: `Verification/VerificationPipeline.cs` (with `.Verify`) -- orchestrates pluggable verification steps in sequence, collecting results.
+- **IVerificationStep**: `Verification/IVerificationStep.cs` -- interface for individual verification steps.
+- **DSSE Signature Verification Step**: `Verification/DsseSignatureVerificationStep.cs` -- verifies DSSE envelope signature against trusted keys.
+- **ID Recomputation Verification Step**: `Verification/IdRecomputationVerificationStep.cs` -- recomputes content-addressed IDs and verifies they match claimed IDs.
+- **Rekor Inclusion Verification Step**: `Verification/RekorInclusionVerificationStep.cs` -- verifies Rekor inclusion proof against the transparency log tree.
+- **Trust Anchor Verification Step**: `Verification/TrustAnchorVerificationStep.cs` -- verifies signing key against configured trust anchors (allowed keys, PURL patterns, revocation).
+- **AI Artifact Verification Step**: `Verification/AIArtifactVerificationStep.cs` (with `.Classify`, `.Execute`, `.Helpers`, `.Summary`, `.VerifyParse`, `.VerifyValidation`) -- verifies AI-generated artifacts for authority classification and replay fidelity.
+- **Verification Pipeline Request**: `Verification/VerificationPipelineRequest.cs` -- request containing the proof bundle or attestation to verify.
+- **Verification Pipeline Result**: `Verification/VerificationPipelineResult.cs` -- overall pipeline result with per-step outcomes.
+- **Verification Step Result**: `Verification/VerificationStepResult.cs` -- individual step result (passed, failed, skipped) with details.
+- **Verification Pipeline Interfaces**: `Verification/VerificationPipelineInterfaces.cs` -- shared interfaces for pipeline components.
+- **Verification Context**: `Verification/VerificationContext.cs` -- context containing trust anchors, policies, and configuration for the pipeline.
+- **Verification Bundle Models**: `Verification/VerificationBundleModels.cs` -- models for verification bundles (proof + metadata).
+- **IAIEvidenceResolver**: `Verification/IAIEvidenceResolver.cs` -- resolves AI evidence for the AI verification step.
+- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/`
+
+## E2E Test Plan
+- [ ] Run the full verification pipeline on a valid signed attestation with Rekor inclusion proof and trust anchor; verify all steps pass
+- [ ] Remove the DSSE signature and run the pipeline; verify `DsseSignatureVerificationStep` fails while other steps report skipped
+- [ ] Tamper with the attestation content and run `IdRecomputationVerificationStep`; verify it detects the ID mismatch
+- [ ] Provide an invalid Rekor inclusion proof and verify `RekorInclusionVerificationStep` fails with details about the proof mismatch
+- [ ] Configure trust anchors and sign with an untrusted key; verify `TrustAnchorVerificationStep` fails
+- [ ] Run the pipeline with only DSSE and ID steps (skip Rekor/trust anchor) and verify partial results are returned
+- [ ] Verify pipeline short-circuiting: if DSSE fails, subsequent steps that depend on signature validity are skipped
+- [ ] Run the AI artifact verification step on a valid AI-generated artifact and verify classification and validation pass
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source Verification | PASS |
+| Tier 1 - Build + Code Review | PASS |
+| Tier 2 - Behavioral Verification | PASS |
+| Verified Date | 2026-02-13 |
+| Run ID | run-001 |