git.stella-ops.org/docs/features/checked/libraries/verdict-bundle-builder.md
2026-02-14 09:11:48 +02:00

# Verdict Bundle Builder (Scoring + Signing + Rekor Anchoring)
## Module
__Libraries
## Status
VERIFIED
## Description
End-to-end verdict bundle pipeline: scoring from EWS (Evidence-Weighted Score) results, input extraction, normalization tracing, gate evaluation, content-addressed bundle digest, DSSE signing, and Rekor transparency log anchoring with inclusion proof verification. Integrates scoring manifest versioning, VEX-aware overrides, and per-environment gate configuration.
## Implementation Details
- **VerdictBundleBuilder**: `src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictBundleBuilder.cs` -- implements `IVerdictBundleBuilder`; constructor takes `IGateEvaluator`, `TimeProvider`, `IScoringManifestProvider`; `Build(ewsResult, input, policy, gateConfig)` orchestrates: `ExtractInputs` (from EWS input), `CreateNormalizationTrace` (from EWS result), `GetManifestRef` (scoring manifest reference), `CalculateRawScore`, `GetVerdictOverride` (VEX overrides), gate evaluation via `IGateEvaluator.Evaluate`, `ComputeBundleDigest` (SHA-256 of canonical JSON); multi-partial: `.Score.cs` (score calculation), `.Normalization.cs` (normalization trace), `.Digest.cs` (content-addressed digest), `.Extract.cs` (input extraction), `.Manifest.cs` (manifest binding), `.Override.cs` (VEX override), `.Projections.cs`/`.Projections.Details.cs` (result projections)
- **IVerdictBundleBuilder**: `src/__Libraries/StellaOps.DeltaVerdict/Bundles/IVerdictBundleBuilder.cs` -- interface: `Build(ewsResult, input, policy, gateConfig)` and `Build(ewsResult, input, policy)` (default gate config)
- **VerdictBundle**: `src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictBundle.cs` -- sealed partial record: `BundleId` (content-addressed sha256:...), `SchemaVersion`, `FindingId` (CVE@PURL), `ManifestRef` (ScoringManifestRef), `Inputs` (VerdictInputs), `Normalization` (NormalizationTrace), `RawScore` (double), `FinalScore` (double, clamped 0-1), `Override` (VerdictOverride?), `Gate` (GateDecision), `ComputedAt` (DateTimeOffset), `BundleDigest` (SHA-256), `DsseSignature` (DSSE envelope); multi-partial: `.Rekor.cs` (Rekor anchoring fields)
- **VerdictSigningService**: `src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictSigningService.cs` -- multi-partial: `.Sign.cs` (DSSE signing), `.Verify.cs` (signature verification), `.Canonical.cs` (canonical JSON for signing), `.Envelope.cs` (DSSE envelope construction), `.Projections.cs`/`.Projections.Extensions.cs` (projection helpers)
- **VerdictRekorAnchorService**: `src/__Libraries/StellaOps.DeltaVerdict/Bundles/VerdictRekorAnchorService.cs` -- multi-partial: `.Anchor.cs` (submit to Rekor), `.Verify.cs` (verify anchoring), `.InclusionProof.cs` (Merkle inclusion proof verification), `.Helpers.cs`; `VerdictAnchorResult`, `VerdictAnchorVerificationResult`
- **Scoring Manifest**: `src/__Libraries/StellaOps.DeltaVerdict/Manifest/ScoringManifest.cs` -- manifest model with `ScoringWeights`, `ScoringNormalizers`; `ScoringManifestVersioner` multi-partial: `.Bump.cs`, `.Compare.cs`/`.Compare.Helpers.cs`, `.Versioning.cs` for semantic versioning of manifest changes
- **Delta Computation**: `src/__Libraries/StellaOps.DeltaVerdict/Engine/DeltaComputationEngine.cs` -- multi-partial: `.Components.cs`, `.ChangedComponents.cs`, `.Vulnerabilities.cs`, `.Risk.cs`; `IDeltaComputationEngine` interface
- **Signing Infrastructure**: `src/__Libraries/StellaOps.DeltaVerdict/Signing/` -- `DeltaSigningService`, `ScoringManifestSigningService`, `ScoringManifestRekorAnchorService` with full DSSE envelope, Rekor submission, and verification
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify VerdictBundleBuilder.Build produces content-addressed BundleId (sha256:...)
- [ ] Test BundleDigest is deterministic for same EWS result and policy inputs
- [ ] Verify gate evaluation integrates with GateEvaluator for allow/warn/block decisions
- [ ] Test VerdictSigningService produces valid DSSE signatures on verdict bundles
- [ ] Verify VerdictRekorAnchorService submits to Rekor and retrieves inclusion proof
- [ ] Test Rekor inclusion proof verification detects tampered entries
- [ ] Verify ScoringManifestVersioner bumps versions correctly for manifest changes
- [ ] Test VEX override correctly modifies final score when not_affected VEX status applies
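The following stand-alone Python is an added illustration, not StellaOps code, of the two properties the plan above checks: a content-addressed `sha256:...` bundle id over canonical JSON (deterministic across key order) and RFC 6962 inclusion-proof verification of the kind Rekor returns, shown failing on a tampered entry. It assumes the canonical form is sorted-key compact JSON, that the logged entry is the canonical bundle bytes, and uses placeholder finding ids.

```python
import hashlib
import json

def canonical_json(obj) -> bytes:  # assumed canonical form: sorted keys, no insignificant whitespace
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def bundle_id(bundle: dict) -> str:  # content-addressed "sha256:..." id over the canonical bytes
    return "sha256:" + hashlib.sha256(canonical_json(bundle)).hexdigest()

def leaf_hash(entry: bytes) -> bytes:  # RFC 6962 leaf hash (0x00 prefix), as Rekor's Merkle tree uses
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left: bytes, right: bytes) -> bytes:  # RFC 6962 interior node hash (0x01 prefix)
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root(leaves: list[bytes]) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = 1 << ((len(leaves) - 1).bit_length() - 1)  # largest power of two below n splits the tree
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list[bytes], index: int) -> list[bytes]:
    # Log side: sibling hashes ordered from the leaf up to the root
    if len(leaves) == 1:
        return []
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, proof: list[bytes], root: bytes) -> bool:
    # Verifier side: recompute the root from leaf, index and tree size alone, then compare
    inner = (index ^ (size - 1)).bit_length()  # levels whose sibling side follows the index bits
    border = bin(index >> inner).count("1")    # upper levels where the sibling is always on the left
    if len(proof) != inner + border:
        return False
    h = leaf
    for i, sib in enumerate(proof[:inner]):
        h = node_hash(sib, h) if (index >> i) & 1 else node_hash(h, sib)
    for sib in proof[inner:]:
        h = node_hash(sib, h)
    return h == root

def demo(index: int = 2) -> dict:
    # Constructed five-entry log; each logged entry is assumed to be a bundle's canonical JSON
    bundles = [{"findingId": f"CVE-0000-000{i}@pkg:npm/example@1.0.{i}", "finalScore": round(0.2 * i, 1)} for i in range(5)]
    leaves = [leaf_hash(canonical_json(b)) for b in bundles]
    root, proof = merkle_root(leaves), inclusion_proof(leaves, index)
    tampered = leaf_hash(canonical_json(dict(bundles[index], finalScore=1.0)))  # post-hoc score edit
    return {"bundle_id": bundle_id(bundles[index]), "valid": verify_inclusion(leaves[index], index, 5, proof, root),
            "tampered_valid": verify_inclusion(tampered, index, 5, proof, root)}
```

Note that `verify_inclusion` needs only the leaf, its index, the tree size and the claimed root, which is exactly what a verifier holds after a Rekor lookup; the proof length check rejects proofs for the wrong tree shape before any hashing.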
## Verification
- **Verified**: 2026-02-13T20:30:00Z
- **Run**: run-001
- **Tier**: Tier 2d (Library/Internal)
- **Verdict**: PASS