save checkpoint
This commit is contained in:
master
@@ -0,0 +1,41 @@
|
||||
# VEX Override Workflow with Attestation Linkage
|
||||
|
||||
## Module
|
||||
Excititor
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
VEX decision APIs extended with attestation references so overrides are DSSE-signed. Attestor integration mints envelopes for operator decisions with envelope digest and Rekor info persistence. Includes offline stub client.
|
||||
|
||||
## Implementation Details
|
||||
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Attestation/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/`
|
||||
- **Key Classes**:
|
||||
- `VexDsseBuilder` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Dsse/VexDsseBuilder.cs`) - builds DSSE envelopes for VEX override decisions
|
||||
- `VexAttestationClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/VexAttestationClient.cs`) - client for VEX attestation operations
|
||||
- `VexEvidenceAttestor` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Evidence/VexEvidenceAttestor.cs`) - attests VEX evidence with DSSE signatures
|
||||
- `VexAttestationVerifier` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs`) - verifies VEX attestation envelopes
|
||||
- `VexAttestationPredicate` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Models/VexAttestationPredicate.cs`) - predicate model for VEX attestations
|
||||
- `RekorHttpClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Transparency/RekorHttpClient.cs`) - Rekor transparency log client
|
||||
- `DsseEvidenceSignatureValidator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/DsseEvidenceSignatureValidator.cs`) - validates DSSE signatures on evidence
|
||||
- `VexEvidenceLinker` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/VexEvidenceLinker.cs`) - links VEX decisions to supporting evidence
|
||||
- `AttestationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/AttestationEndpoints.cs`) - REST endpoints for attestation operations
|
||||
- `RekorAttestationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/RekorAttestationEndpoints.cs`) - Rekor-specific attestation endpoints
|
||||
- **Interfaces**: `IVexSigner`, `ITransparencyLogClient`, `IVexAttestationVerifier`
|
||||
- **Source**: SPRINT_20260112_004_VULN_vex_override_workflow.md
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Create a VEX override and verify `VexDsseBuilder` mints a DSSE-signed envelope with the operator's decision
|
||||
- [ ] Verify `VexAttestationClient` persists the envelope digest and Rekor entry info
|
||||
- [ ] Verify `VexAttestationVerifier` validates the DSSE signature on a VEX override attestation
|
||||
- [ ] Verify `RekorHttpClient` submits the attestation to the Rekor transparency log and retrieves the entry
|
||||
- [ ] Verify `VexEvidenceLinker` links the override decision to supporting binary-diff or reachability evidence
|
||||
- [ ] Verify `DsseEvidenceSignatureValidator` rejects overrides with invalid DSSE signatures
|
||||
- [ ] Verify attestation endpoints return override history with DSSE envelope and Rekor receipt references
|
||||
|
||||
## Verification
|
||||
- Verified on 2026-02-13 via `run-001`.
|
||||
- Tier 0: Source files confirmed present on disk.
|
||||
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
|
||||
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-override-workflow-with-attestation-linkage/run-001/tier2-integration-check.json`
|
||||
Reference in New Issue
Block a user