git.stella-ops.org/docs/modules/evidence-locker/attestation-scope-note.md
master 10212d67c0
Refactor code structure for improved readability and maintainability; removed redundant code blocks and optimized function calls.
2025-11-20 07:50:52 +02:00

Evidence Locker Attestation Scope Note (v1) — 2025-11-19

Scope & Coverage

  • Predicates: in-toto Provenance (DSSE-wrapped) with claims for bundle inputs, normalization pipeline version, tenant scope, and content hashes; optional Rekor transparency pointer when online.
  • Artefacts covered: Evidence Bundle v1 payloads (observations, linksets, normalization diffs) and mirror bundle manifest hash when present.
  • Tenancy: tenant-id is required, lowercased, and included in the subject, the claims, and the DSSE _type, so that online and air-gapped bundles carry identical tenant markers.
  • Transparency: if Rekor is unavailable (air-gap), set transparency.skip_reason = offline and include a signed local timeline anchor in place of the Rekor pointer.

Required claims (PromotionAttestationBuilder input)

  • subject.digest (sha256 of the bundle tar) and subject.name (bundle_id).
  • bundle.created (UTC RFC3339) and bundle.version (semantic version).
  • pipeline.version (build ID or git SHA) and pipeline.inputs (sha256 hashes of the observation/linkset payloads).
  • tenant (lowercase) and scope (advisory | vex | policy | mixed).
  • evidence_bundle (path/doi) and transparency (Rekor UUID, or skip_reason when offline).
  • aoc.guardrails (boolean) and aoc.details (list of enforced checks).

Example builder payload

{
  "subject": {"name": "evidence-bundle-m0", "digest": "sha256:REPLACE"},
  "bundle": {"id": "evidence-bundle-m0", "version": "1.0.0", "created": "2025-11-19T00:00:00Z"},
  "pipeline": {"version": "git:abcd1234", "inputs": ["sha256:payload-hash-1", "sha256:payload-hash-2"]},
  "tenant": "demo",
  "scope": "vex",
  "evidence_bundle": "out/evidence/bundles/evidence-bundle-m0.tar.gz",
  "transparency": {"rekor_uuid": null, "skip_reason": "offline"},
  "aoc": {"guardrails": true, "details": ["schema:frozen:1.0", "limits:chunk:max=2000"]}
}
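The following is an added illustration of the two sections above (the required-claims list and the builder payload), not the project's PromotionAttestationBuilder or any StellaOps code. It validates a builder payload against the required claims (rejecting the sha256:REPLACE and payload-hash placeholders, a non-lowercase tenant, an unknown scope, or a transparency block that has neither or both of rekor_uuid and skip_reason), assembles an in-toto Statement, and wraps it in a DSSE envelope using the standard Pre-Authentication Encoding. Assumptions, all mine and not from the note: the predicateType URI (SLSA provenance v1), the tenant being prefixed onto the subject name, the HMAC stand-in for the real signer, and the constructed digests.

```python
"""Builder-payload validation and DSSE wrapping. Illustrative only; not StellaOps code."""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime

SCOPES = {"advisory", "vex", "policy", "mixed"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"  # assumed; the note does not fix a URI
PREDICATE_KEYS = ("bundle", "pipeline", "tenant", "scope", "evidence_bundle", "transparency", "aoc")


def validate_payload(p: dict) -> list:
    """Check a builder payload against the required-claims list; return the problems found."""
    errs = []
    subj = p.get("subject") or {}
    if not subj.get("name"):
        errs.append("subject.name missing")
    if not DIGEST_RE.match(subj.get("digest") or ""):
        errs.append("subject.digest must be sha256:<64 hex> (placeholders rejected)")
    b = p.get("bundle") or {}
    try:
        datetime.strptime(b.get("created") or "", "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        errs.append("bundle.created must be UTC RFC3339 ending in Z")
    if not re.fullmatch(r"\d+\.\d+\.\d+", str(b.get("version", ""))):
        errs.append("bundle.version must be semantic (MAJOR.MINOR.PATCH)")
    pipe = p.get("pipeline") or {}
    if not pipe.get("version"):
        errs.append("pipeline.version missing")
    inputs = pipe.get("inputs") or []
    if not inputs or not all(DIGEST_RE.match(h) for h in inputs):
        errs.append("pipeline.inputs must be a non-empty list of sha256 digests")
    tenant = p.get("tenant")
    if not tenant or tenant != tenant.lower():
        errs.append("tenant missing or not lowercase")
    if p.get("scope") not in SCOPES:
        errs.append("scope must be one of advisory | vex | policy | mixed")
    if not p.get("evidence_bundle"):
        errs.append("evidence_bundle missing")
    t = p.get("transparency") or {}
    if bool(t.get("rekor_uuid")) == bool(t.get("skip_reason")):
        errs.append("transparency needs exactly one of rekor_uuid or skip_reason")
    aoc = p.get("aoc") or {}
    if not isinstance(aoc.get("guardrails"), bool) or not isinstance(aoc.get("details"), list):
        errs.append("aoc.guardrails must be bool and aoc.details a list")
    return errs


def build_statement(p: dict) -> dict:
    """in-toto Statement; tenant prefixed onto the subject name (assumed layout) and kept in the predicate."""
    algo, hexval = p["subject"]["digest"].split(":", 1)
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": f"{p['tenant']}/{p['subject']['name']}", "digest": {algo: hexval}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {k: p[k] for k in PREDICATE_KEYS},
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the signature covers payloadType and payload, length-prefixed."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def dsse_envelope(statement: dict, sign, keyid: str = "") -> dict:
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = sign(pae(PAYLOAD_TYPE, payload))
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(env: dict, verify) -> dict:
    """Recompute PAE from the envelope's own payloadType and payload before trusting the statement."""
    payload = base64.b64decode(env["payload"])
    if not verify(pae(env["payloadType"], payload), base64.b64decode(env["signatures"][0]["sig"])):
        raise ValueError("DSSE signature does not verify")
    return json.loads(payload)


DEMO_KEY = b"constructed-demo-key-not-for-production"  # HMAC stand-in for the real signer


def demo_sign(msg: bytes) -> bytes:
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()


def demo_verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(msg), sig)


# The note's own example, still carrying its placeholders.
PAGE_EXAMPLE = {
    "subject": {"name": "evidence-bundle-m0", "digest": "sha256:REPLACE"},
    "bundle": {"id": "evidence-bundle-m0", "version": "1.0.0", "created": "2025-11-19T00:00:00Z"},
    "pipeline": {"version": "git:abcd1234", "inputs": ["sha256:payload-hash-1", "sha256:payload-hash-2"]},
    "tenant": "demo", "scope": "vex",
    "evidence_bundle": "out/evidence/bundles/evidence-bundle-m0.tar.gz",
    "transparency": {"rekor_uuid": None, "skip_reason": "offline"},
    "aoc": {"guardrails": True, "details": ["schema:frozen:1.0", "limits:chunk:max=2000"]},
}
# Constructed digests standing in for a real bundle tar and payloads.
VALID_EXAMPLE = json.loads(json.dumps(PAGE_EXAMPLE))
VALID_EXAMPLE["subject"]["digest"] = "sha256:" + hashlib.sha256(b"constructed bundle tar").hexdigest()
VALID_EXAMPLE["pipeline"]["inputs"] = ["sha256:" + hashlib.sha256(x).hexdigest() for x in (b"observations", b"linksets")]

if __name__ == "__main__":
    print("page example problems:", validate_payload(PAGE_EXAMPLE))
    env = dsse_envelope(build_statement(VALID_EXAMPLE), demo_sign)
    print(json.dumps(verify_envelope(env, demo_verify)["subject"], indent=2))
```

Running the page's example through validate_payload reports exactly the two placeholder fields, which is the check to run before the "Next steps" digest swap. verify_envelope deliberately recomputes the PAE from the envelope's payloadType rather than from a constant, so a swapped payloadType fails verification instead of being silently accepted.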

Placement

  • File: docs/modules/evidence-locker/attestation-scope-note.md (this document).
  • Reference this note from the Evidence Bundle changelog and the sprint Execution Log whenever it is updated.

Next steps

  • Replace the placeholder digest values with the real bundle hash once MIRROR-CRT-56-001 emits the artefact.
  • Attach this note to Concelier/Excititor attestation tasks (CONCELIER-ATTEST-73-001/002, EXCITITOR-ATTEST-73-001/002).