# Trust Anchor Management

## Module

Attestor

## Status

VERIFIED

## Description

Trust anchor system with per-dependency anchors (public key + policy), PURL pattern matching, allowed key IDs, revoked keys tracking, and verification step integration.

## Implementation Details

- **Trust Anchor Verification Step**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/TrustAnchorVerificationStep.cs` -- verification step that checks attestation signatures against trusted anchors.
- **Verification Context**: `Verification/VerificationContext.cs` -- context containing trust anchors for the verification pipeline.
- **Trust Anchor Entity**: `__Libraries/StellaOps.Attestor.Persistence/Entities/TrustAnchorEntity.cs` -- persisted trust anchor with key material, expiry, allowed patterns, and revocation status.
- **Anchors Controller**: `StellaOps.Attestor.WebService/Controllers/AnchorsController.cs` -- REST API for managing trust anchors (create, query, revoke).
- **Signing Key Profile**: `Signing/SigningKeyProfile.cs` -- key profile linked to trust anchors.
- **Signature Verification Result**: `Signing/SignatureVerificationResult.cs` -- result of signature verification against trust anchors.
- **TUF Client**: `__Libraries/StellaOps.Attestor.TrustRepo/ITufClient.cs` -- TUF client for retrieving trusted root keys.
- **TUF Metadata Store**: `__Libraries/StellaOps.Attestor.TrustRepo/ITufMetadataStore.cs` -- stores TUF metadata. `FileSystemTufMetadataStore.cs` (with `.Atomic`, `.IO`) -- filesystem implementation. `InMemoryTufMetadataStore.cs` -- in-memory implementation.
- **TUF Key Loader**: `__Libraries/StellaOps.Attestor.TrustRepo/ITufKeyLoader.cs` -- loads TUF keys. `Ed25519PublicKey.cs` -- Ed25519 key model.
- **TUF Metadata Verifier**: `__Libraries/StellaOps.Attestor.TrustRepo/ITufMetadataVerifier.cs` -- verifies TUF metadata signatures.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/TrustAnchorTests.cs`, `__Tests/StellaOps.Attestor.TrustRepo.Tests/`

## E2E Test Plan

- [ ] Create a trust anchor via `AnchorsController` with a public key and PURL pattern and verify it is persisted
- [ ] Verify an attestation signed by a trusted key passes `TrustAnchorVerificationStep`
- [ ] Verify an attestation signed by an untrusted key fails `TrustAnchorVerificationStep`
- [ ] Revoke a trust anchor and verify subsequent attestation verification fails for that key
- [ ] Verify PURL pattern matching: create an anchor for `pkg:npm/*` and verify it matches npm packages but not maven packages
- [ ] Load trusted roots via TUF client and verify key rotation (new root replaces old root)
- [ ] Store TUF metadata via `FileSystemTufMetadataStore` and verify atomic updates
- [ ] Verify trust anchor expiry: create an anchor with a past expiry date and verify it is rejected

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
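The anchor policy this page describes (a public key plus policy: PURL pattern matching, allowed key IDs, revoked keys, expiry, and the signature check the verification step performs) as an added Go illustration. It is not the project's C# code; it walks the same cases the E2E test plan lists (trusted key passes, untrusted key fails, maven subject does not match a `pkg:npm/*` anchor, expired anchor rejected, revoked key rejected). The trailing-`*` wildcard rule for PURL patterns, the key-ID scheme (hex SHA-256 of the raw Ed25519 public key), the field names and the constructed payload are all assumptions of the example, not the project's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TrustAnchor is this example's model of a per-dependency anchor: key material
// plus policy. Field names are the example's own, not the project's entity.
type TrustAnchor struct {
	Name        string
	PurlPattern string                       // e.g. "pkg:npm/*"; trailing '*' is a prefix wildcard (assumed rule)
	Keys        map[string]ed25519.PublicKey // allowed key IDs -> public keys
	RevokedKeys map[string]bool              // key IDs withdrawn under this anchor
	Expiry      time.Time                    // zero value means no expiry
	Revoked     bool                         // whole anchor withdrawn
}

// Attestation is a signed statement about a subject identified by PURL.
type Attestation struct {
	SubjectPurl string
	KeyID       string
	Payload     []byte
	Signature   []byte
}

var (
	ErrNoAnchor      = errors.New("no trust anchor matches the subject PURL")
	ErrRevoked       = errors.New("anchor or signing key is revoked")
	ErrExpired       = errors.New("anchor has expired")
	ErrKeyNotAllowed = errors.New("key ID is not allowed by the anchor")
	ErrBadSignature  = errors.New("signature does not verify under the anchor key")
)

// ExampleNow is a fixed clock so the demo is deterministic; Day helps express expiry.
var ExampleNow = time.Date(2026, 2, 13, 0, 0, 0, 0, time.UTC)

const Day = 24 * time.Hour

// KeyID derives a key identifier as hex(SHA-256(raw public key)); an assumed scheme.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// GenerateKeyPair wraps Ed25519 key generation for the demo.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewAnchor builds an anchor whose allowed key IDs are derived from the given keys.
func NewAnchor(name, pattern string, expiry time.Time, pubs ...ed25519.PublicKey) TrustAnchor {
	a := TrustAnchor{Name: name, PurlPattern: pattern, Expiry: expiry,
		Keys: map[string]ed25519.PublicKey{}, RevokedKeys: map[string]bool{}}
	for _, p := range pubs {
		a.Keys[KeyID(p)] = p
	}
	return a
}

// Sign produces an attestation over payload for the subject PURL.
func Sign(priv ed25519.PrivateKey, purl string, payload []byte) Attestation {
	pub := priv.Public().(ed25519.PublicKey)
	return Attestation{SubjectPurl: purl, KeyID: KeyID(pub), Payload: payload,
		Signature: ed25519.Sign(priv, payload)}
}

// MatchPurl applies the assumed wildcard rule: "pkg:npm/*" matches any npm PURL.
func MatchPurl(pattern, purl string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(purl, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == purl
}

// Verify accepts the attestation when a matching anchor is live (not revoked,
// not expired), lists the signing key ID, and that key verifies the signature.
// Otherwise it returns the reason the last matching anchor rejected it.
func Verify(anchors []TrustAnchor, att Attestation, now time.Time) error {
	err := ErrNoAnchor
	for _, a := range anchors {
		if !MatchPurl(a.PurlPattern, att.SubjectPurl) {
			continue
		}
		pub, allowed := a.Keys[att.KeyID]
		switch {
		case a.Revoked || a.RevokedKeys[att.KeyID]:
			err = ErrRevoked
		case !a.Expiry.IsZero() && now.After(a.Expiry):
			err = ErrExpired
		case !allowed:
			err = ErrKeyNotAllowed
		case !ed25519.Verify(pub, att.Payload, att.Signature):
			err = ErrBadSignature
		default:
			return nil
		}
	}
	return err
}

func main() {
	pub, priv := GenerateKeyPair()
	_, strangerPriv := GenerateKeyPair()
	npm := NewAnchor("npm-publisher", "pkg:npm/*", ExampleNow.Add(Day), pub)
	anchors := []TrustAnchor{npm}
	good := Sign(priv, "pkg:npm/left-pad@1.3.0", []byte("constructed SBOM payload"))
	fmt.Println("trusted key:  ", Verify(anchors, good, ExampleNow))
	fmt.Println("untrusted key:", Verify(anchors, Sign(strangerPriv, good.SubjectPurl, good.Payload), ExampleNow))
	fmt.Println("maven subject:", Verify(anchors, Sign(priv, "pkg:maven/org.example/lib@1.0", good.Payload), ExampleNow))
	fmt.Println("after expiry: ", Verify(anchors, good, ExampleNow.Add(2*Day)))
	npm.RevokedKeys[good.KeyID] = true
	fmt.Println("revoked key:  ", Verify([]TrustAnchor{npm}, good, ExampleNow))
}
```

Revocation and expiry are checked before the key lookup and the signature so that a withdrawn or stale anchor never yields a "key not allowed" or "bad signature" verdict that might be mistaken for a key-management slip; the ordering of those checks is the example's choice.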