stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/features/checked/attestor/fixchain-attestation.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.3 KiB
Raw Permalink Blame History

FixChain Attestation (Backport Proof)

Module

Attestor

Status

VERIFIED

Description

FixChain provides attestation-based proof that a backport or fix has been applied, with validation and policy gate integration.

Implementation Details

  • FixChain Attestation Service: src/Attestor/__Libraries/StellaOps.Attestor.FixChain/FixChainAttestationService.cs -- creates fix chain attestations.
  • FixChain Models: FixChainModels.cs -- core models for fix chain data.
  • FixChain Predicate: FixChainPredicate.cs -- attestable predicate for fix chain proof.
  • FixChain Statement Builder: FixChainStatementBuilder.cs -- builds in-toto statements for fix chain attestations.
  • FixChain Validator: FixChainValidator.cs -- validates fix chain attestations.
  • DI Registration: ServiceCollectionExtensions.cs -- registers fix chain services.
  • Fix Status Info: __Libraries/StellaOps.Attestor.ProofChain/Predicates/FixStatusInfo.cs -- fix status tracking in proof chain.
  • Tests:
    • __Libraries/__Tests/StellaOps.Attestor.FixChain.Tests/FixChainPredicateTests.cs, FixChainStatementBuilderTests.cs, FixChainValidatorTests.cs
    • __Tests/StellaOps.Attestor.FixChain.Tests/Unit/FixChainAttestationServiceTests.cs, FixChainStatementBuilderTests.cs, FixChainValidatorTests.cs
    • __Tests/StellaOps.Attestor.FixChain.Tests/Integration/FixChainAttestationIntegrationTests.cs

E2E Test Plan

  • Create a fix chain attestation via FixChainAttestationService for a backported security patch and verify the attestation contains patch details
  • Build an in-toto statement via FixChainStatementBuilder and verify correct predicate type
  • Validate the fix chain attestation via FixChainValidator and verify it passes for a valid fix
  • Create a fix chain with invalid data (e.g., missing patch reference) and verify FixChainValidator rejects it
  • Verify FixStatusInfo in the proof chain tracks fix application status
  • Sign the fix chain statement and verify DSSE envelope integrity
  • Run integration tests to verify end-to-end fix chain attestation flow

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001