git.stella-ops.org/docs/modules/excititor/attestation-plan.md
master 79b8e53441
Add new features and tests for AirGap and Time modules
- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
2025-11-20 23:29:54 +02:00

Excititor Attestation Plan (Sprint 110)

Goals

  • Align Excititor chunk API and attestation envelopes with Evidence Locker contract.
  • Provide offline-ready chunk submission/attestation flow for VEX evidence.

Chunk API shape (/vex/evidence/chunks)

  • POST body (NDJSON, deterministic order by chunk_id):
    {
      "chunk_id": "uuid",
      "tenant": "acme",
      "source": "ghsa",
      "schema": "stellaops.vex.chunk.v1",
      "items": [ {"advisory_id":"GHSA-123","status":"affected","purl":"pkg:npm/foo@1.0.0"} ],
      "provenance": {"fetched_at":"2025-11-20T00:00:00Z","artifact_sha":"abc"}
    }
  • At submission, Excititor returns the chunk_digest (sha256 of the canonical JSON) and a queue id.

Attestation envelope

  • Subject: chunk_digest from above.
  • Predicates attached:
    • stellaops.vex.chunk.meta.v1 (tenant, source, schema version, item count).
    • stellaops.vex.chunk.integrity.v1 (sha256 per item block, canonical order).
    • Optional stellaops.transparency.v1 (Rekor UUID/logIndex) when online.
  • Envelope format: DSSE using Evidence Locker provider registry; signing profile mirrors Evidence Locker bundle profile for tenant.

DSSE bundling rules

  • Deterministic JSON (sorted keys) before hashing.
  • Canonical NDJSON for chunk payload; no gzip inside envelope.
  • Attach the verification report alongside the attestation as chunk-verify.json (hashes and signature check results).
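The following is an added Python sketch (not Excititor's own code, which is .NET) of the chunk_digest, per-item integrity hashes, DSSE envelope and chunk-verify report described above. The predicate type names are the plan's; the field layout inside each predicate, the in-toto Statement wrapper, the HMAC stand-in for the Evidence Locker signing profile and the demo key are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed sample chunk following the shape in this plan (chunk_id is a placeholder).
CHUNK = {
    "chunk_id": "00000000-0000-4000-8000-000000000001",
    "tenant": "acme",
    "source": "ghsa",
    "schema": "stellaops.vex.chunk.v1",
    "items": [{"advisory_id": "GHSA-123", "status": "affected", "purl": "pkg:npm/foo@1.0.0"}],
    "provenance": {"fetched_at": "2025-11-20T00:00:00Z", "artifact_sha": "abc"},
}
DEMO_KEY = b"constructed-demo-key"  # assumed stand-in for the Evidence Locker signing profile
PAYLOAD_TYPE = "application/vnd.in-toto+json"

def canonical(obj) -> bytes:
    """Deterministic JSON: sorted keys, no insignificant whitespace, UTF-8 bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def chunk_digest(chunk) -> str:
    return hashlib.sha256(canonical(chunk)).hexdigest()
def item_digests(chunk) -> list:
    """sha256 per item block, in canonical (sorted canonical-bytes) order."""
    return [hashlib.sha256(canonical(i)).hexdigest() for i in sorted(chunk["items"], key=canonical)]

def predicates(chunk) -> dict:
    # Predicate type names come from the plan; the fields inside each predicate are assumed.
    return {
        "stellaops.vex.chunk.meta.v1": {"tenant": chunk["tenant"], "source": chunk["source"],
                                        "schema": chunk["schema"], "item_count": len(chunk["items"])},
        "stellaops.vex.chunk.integrity.v1": {"items_sha256": item_digests(chunk)},
    }

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)
def envelope(chunk, predicate_type: str) -> dict:
    # Subject is the chunk_digest; payload is canonical JSON, never gzip, per the bundling rules.
    payload = canonical({"_type": "https://in-toto.io/Statement/v1",
                         "subject": [{"name": chunk["chunk_id"], "digest": {"sha256": chunk_digest(chunk)}}],
                         "predicateType": predicate_type, "predicate": predicates(chunk)[predicate_type]})
    sig = hmac.new(DEMO_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}

def verify(env: dict, chunk) -> dict:
    """chunk-verify.json style report: recomputed hash plus signature check result."""
    payload = base64.b64decode(env["payload"])
    expected = hmac.new(DEMO_KEY, pae(env["payloadType"], payload), hashlib.sha256).digest()
    sig_ok = any(hmac.compare_digest(expected, base64.b64decode(s["sig"])) for s in env["signatures"])
    subject_ok = json.loads(payload)["subject"][0]["digest"]["sha256"] == chunk_digest(chunk)
    return {"chunk_digest": chunk_digest(chunk), "subject_matches": subject_ok, "signature_valid": sig_ok}
```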

Sample payloads

  • docs/samples/excititor/chunk-sample.ndjson
  • docs/samples/excititor/chunk-attestation-sample.json

Integration points

  • Evidence Locker contract v1 (see docs/modules/evidence-locker/attestation-contract.md).
  • Concelier LNM schemas (observations remain aggregation-only; attestation is evidence, not merge).

Ownership

  • Excititor Guild (primary); Evidence Locker Guild reviewer.