# Periodic Rekor Verification Job

## Module
Attestor

## Status
VERIFIED

## Description
Scheduled background job that periodically re-verifies Rekor transparency log entries to detect post-compromise tampering, with metrics emission, health check integration, and a dedicated Doctor plugin for verification status monitoring.

## Implementation Details
- **Rekor Verification Job**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/RekorVerificationJob.cs` -- scheduled background job that re-verifies Rekor entries on a configurable interval.
- **Rekor Verification Service**: `Verification/RekorVerificationService.cs` -- service that performs the actual verification (inclusion proof, checkpoint consistency). Implements `IRekorVerificationService.cs`.
- **Verification Metrics**: `Verification/RekorVerificationMetrics.cs` -- emits metrics: entries verified, failures detected, verification duration.
- **Health Check**: `Verification/RekorVerificationHealthCheck.cs` -- ASP.NET health check reporting Rekor verification status.
- **Checkpoint Divergence Detector**: `StellaOps.Attestor.Core/Rekor/CheckpointDivergenceDetector.cs` -- detects checkpoint divergence between local and remote Rekor log. Implements `ICheckpointDivergenceDetector.cs`.
- **Divergence Alert Publisher**: `Rekor/CheckpointDivergenceAlertPublisher.cs` -- publishes alerts when checkpoint divergence is detected.
- **Rekor Inclusion Verification**: `Rekor/RekorInclusionVerificationResult.cs` -- result of verifying a single entry's inclusion proof.
- **Merkle Proof Verifier**: `Verification/MerkleProofVerifier.cs` -- verifies Merkle inclusion proofs for Rekor entries.
- **Offline Receipt Verifier**: `Verification/RekorOfflineReceiptVerifier.cs` -- verifies Rekor receipts without network access.
- **Verification Report**: `Verification/VerificationReport.cs` -- aggregate report of all verification results for a run.
- **Tests**: `__Tests/StellaOps.Attestor.Core.Tests/RekorVerificationJobTests.cs`

## E2E Test Plan
- [ ] Run `RekorVerificationJob` against a set of persisted Rekor entries and verify all entries are re-verified successfully
- [ ] Tamper with a persisted Rekor entry's inclusion proof and verify the job detects the failure via `RekorVerificationService`
- [ ] Verify `RekorVerificationMetrics` emits correct counts: entries_verified, failures_detected, duration_ms
- [ ] Verify `RekorVerificationHealthCheck` reports Healthy when all entries verify and Unhealthy when failures are detected
- [ ] Simulate checkpoint divergence via `CheckpointDivergenceDetector` (local checkpoint ahead of remote) and verify `CheckpointDivergenceAlertPublisher` fires
- [ ] Verify `MerkleProofVerifier` correctly validates inclusion proofs for Rekor entries
- [ ] Verify `VerificationReport` contains a summary of all checks with pass/fail status per entry
- [ ] Run the verification job with network disabled and verify `RekorOfflineReceiptVerifier` handles offline mode

## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
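
The inclusion-proof re-check and the tampered-proof test case listed above come down to recomputing the Merkle root from a stored leaf hash and audit path. The following is an added illustration, not code from StellaOps: it assumes RFC 6962 SHA-256 hashing (as used by Rekor's log) and .NET 6+ top-level statements, and `VerifyInclusion`, `TreeRoot`, `AuditPath` and `Split` are hypothetical names, not the API of `MerkleProofVerifier`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Constructed sample: a 7-entry log for which we persisted the proof of entry 5.
var leaves = Enumerable.Range(0, 7).Select(i => LeafHash(new[] { (byte)i })).ToArray();
var root = TreeRoot(leaves);
var proof = AuditPath(5, leaves);
Console.WriteLine($"stored proof verifies:   {VerifyInclusion(5, 7, leaves[5], proof, root)}");
proof[0][0] ^= 0x01;   // simulate tampering with the persisted proof
Console.WriteLine($"tampered proof verifies: {VerifyInclusion(5, 7, leaves[5], proof, root)}");

// RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes.
static byte[] LeafHash(byte[] d) => SHA256.HashData(new byte[] { 0x00 }.Concat(d).ToArray());
static byte[] NodeHash(byte[] l, byte[] r) => SHA256.HashData(new byte[] { 0x01 }.Concat(l).Concat(r).ToArray());

// Recompute the root from the leaf hash and audit path (RFC 9162, section 2.1.3.2).
static bool VerifyInclusion(long index, long treeSize, byte[] leafHash,
                            IReadOnlyList<byte[]> proof, byte[] expectedRoot)
{
    if (index < 0 || index >= treeSize) return false;
    long fn = index, sn = treeSize - 1;
    byte[] r = leafHash;
    foreach (var p in proof)
    {
        if (sn == 0) return false;                 // proof is longer than the tree allows
        if ((fn & 1) == 1 || fn == sn)
        {
            r = NodeHash(p, r);                    // sibling sits on the left
            while ((fn & 1) == 0 && fn != 0) { fn >>= 1; sn >>= 1; }
        }
        else r = NodeHash(r, p);                   // sibling sits on the right
        fn >>= 1; sn >>= 1;
    }
    return sn == 0 && CryptographicOperations.FixedTimeEquals(r, expectedRoot);
}

// Reference tree builder, used only to construct the sample root and proof.
static int Split(int n) { int k = 1; while (k * 2 < n) k *= 2; return k; }
static byte[] TreeRoot(byte[][] h) => h.Length == 1 ? h[0]
    : NodeHash(TreeRoot(h[..Split(h.Length)]), TreeRoot(h[Split(h.Length)..]));
static List<byte[]> AuditPath(int m, byte[][] h)
{
    if (h.Length == 1) return new List<byte[]>();
    int k = Split(h.Length);
    var path = m < k ? AuditPath(m, h[..k]) : AuditPath(m - k, h[k..]);
    path.Add(TreeRoot(m < k ? h[k..] : h[..k]));
    return path;
}
```

A periodic job only gains tamper detection from this check when `expectedRoot` comes from a checkpoint whose signature was verified independently of the stored entry, which is why the module pairs it with checkpoint consistency and divergence detection.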