# In-toto Statement and Provenance System (SBOM, Evidence, Reasoning, VEX, SLSA) ## Module Attestor ## Status VERIFIED ## Description Full in-toto statement builder framework generating Evidence, Reasoning, VexVerdict, ProofSpine, and SbomLinkage statements with snapshot-based golden testing. In-toto/DSSE provenance attestation with SLSA provenance parsing, schema validation, layout verification, and SPDX3 build attestation mapping. ## Implementation Details - **Statement Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Builders/StatementBuilder.cs` (with `.Extended`) -- fluent builder creating in-toto statements for all predicate types. `IStatementBuilder.cs` -- interface. - **Proof Subject**: `Builders/ProofSubject.cs` -- subject model with name and digest map for in-toto statements. - **Core In-toto Link**: `StellaOps.Attestor.Core/InToto/InTotoLink.cs` -- in-toto link with materials, products, and predicate. `LinkBuilder.cs` -- builds links with material/product specs. `InTotoLinkPredicate.cs` -- link predicate model. - **Layout Verification**: `StellaOps.Attestor.Core/InToto/Layout/` -- in-toto layout verification for supply chain steps. - **Link Recording**: `StellaOps.Attestor.Core/InToto/LinkRecorder.cs` -- records links during build. `ILinkRecorder.cs` -- interface. - **SLSA Provenance Parser**: `__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.cs` (with `.ExtractMetadata`, `.Validation`) -- parses SLSA v1 provenance predicates. - **SLSA Schema Validator**: `__Libraries/StellaOps.Attestor.StandardPredicates/Validation/SlsaSchemaValidator.cs` (with `.BuildDefinition`, `.Helpers`, `.Level`, `.RunDetails`) -- validates SLSA provenance against schema. `SlsaValidationResult.cs` -- result model. - **SPDX3 Build Attestation**: `__Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs` (with `.MapFromSpdx3`, `.MapToSpdx3`) -- maps between SPDX3 build profiles and internal attestation models. `BuildAttestationPayload.cs`, `BuildInvocation.cs`, `BuildMaterial.cs`, `BuildMetadata.cs` -- build attestation models. - **DSSE SPDX3 Signer**: `__Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Signer.cs` (with `.Encoding`, `.SignAsync`, `.SignBuildProfile`, `.Verify`) -- signs SPDX3 build attestations. - **Statement Types**: 46 statement files in `Statements/` -- Evidence, Reasoning, VexVerdict, ProofSpine, SbomLinkage, DeltaVerdict, ChangeTrace, Uncertainty, ReachabilityWitness, etc. - **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/StatementBuilderTests.cs`, `__Tests/StellaOps.Attestor.StandardPredicates.Tests/SlsaSchemaValidatorTests.cs` ## E2E Test Plan - [ ] Build an Evidence statement via `StatementBuilder` with subject digests and verify the in-toto statement structure - [ ] Build a VexVerdict statement and verify it wraps the VEX predicate with correct predicate type URI - [ ] Build a ProofSpine statement and verify it contains the Merkle root and linked evidence IDs - [ ] Parse a SLSA v1 provenance JSON via `SlsaProvenancePredicateParser` and verify builder, build definition, and run details are extracted - [ ] Validate SLSA provenance via `SlsaSchemaValidator` and verify it passes for valid provenance and fails for invalid (e.g., missing buildDefinition) - [ ] Map a build attestation to SPDX3 via `BuildAttestationMapper.MapToSpdx3` and back via `.MapFromSpdx3`; verify round-trip fidelity - [ ] Sign an SPDX3 build attestation via `DsseSpdx3Signer.SignBuildProfile` and verify the DSSE envelope - [ ] Record an in-toto link via `LinkRecorder` with materials and products, then verify the link digest matches ## Verification | Check | Result | |-------|--------| | Tier 0 - Source Verification | PASS | | Tier 1 - Build + Code Review | PASS | | Tier 2 - Behavioral Verification | PASS | | Verified Date | 2026-02-13 | | Run ID | run-001 |