stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
1bf6bbf3955ecbd8d20f5eeb767da5c7f8324b57
git.stella-ops.org/docs/features/unchecked/attestor/verdic-replay.md

3.3 KiB
Raw Blame History

Verdic Replay (Deterministic Replay)

Module

Attestor

Status

IMPLEMENTED

Description

Verdict replay service for deterministic re-execution of security decisions with input manifest resolution and verification.

Implementation Details

  • Replay Input Artifact: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayInputArtifact.cs -- content-addressed input artifact referenced by digest for deterministic resolution during replay.
  • Replay Prompt Template: Replay/ReplayPromptTemplate.cs -- template for replay prompts that captures the original decision context and input bindings.
  • Replay Result: Replay/ReplayResult.cs -- result of a replay execution, including the replayed verdict and comparison with the original.
  • Replay Status: Replay/ReplayStatus.cs -- enum tracking replay state (Pending, Running, Completed, Failed, Diverged).
  • Replay Verification Result: Replay/ReplayVerificationResult.cs -- verification result comparing replayed output against original, detecting divergence.
  • AI Artifact Replay Manifest: Replay/AIArtifactReplayManifest.cs -- manifest for replaying AI-generated artifacts with frozen model parameters and inputs.
  • IAIArtifactReplayer: Replay/IAIArtifactReplayer.cs -- interface for replaying AI artifact generation with deterministic inputs.
  • Verdict Receipt Payload: Statements/VerdictReceiptPayload.cs -- payload containing verdict inputs, decision, and outputs for replay.
  • Verdict Receipt Statement: Statements/VerdictReceiptStatement.cs -- in-toto statement wrapping the verdict receipt for attestation.
  • Verdict Decision: Statements/VerdictDecision.cs -- the decision record (PASS/FAIL/WARN) with reasoning.
  • Verdict Inputs: Statements/VerdictInputs.cs -- captured inputs (scan results, policies, VEX state) that drove the verdict.
  • Verdict Outputs: Statements/VerdictOutputs.cs -- outputs of the verdict (actions taken, notifications sent).
  • Verification Replay Log Builder: __Libraries/StellaOps.Attestor.EvidencePack/Services/VerificationReplayLogBuilder.cs -- builds replay logs for inclusion in evidence packs.
  • Verification Replay Log: EvidencePack/Models/VerificationReplayLog.cs -- structured log of replay execution steps.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/

E2E Test Plan

  • Create a VerdictReceiptPayload with inputs (SBOM digest, policy rules, VEX state) and a PASS decision; serialize and verify round-trip fidelity
  • Replay the verdict using the captured VerdictInputs and verify the replayed decision matches the original PASS
  • Modify one input (add a new critical CVE) and replay; verify ReplayVerificationResult detects divergence with the original
  • Verify ReplayStatus transitions: Pending -> Running -> Completed for a successful replay
  • Create an AIArtifactReplayManifest with frozen model parameters and verify replay produces identical outputs
  • Build a VerificationReplayLog via VerificationReplayLogBuilder and verify it captures each replay step with timestamps
  • Replay a verdict with missing input artifacts and verify ReplayStatus is Failed with a descriptive error
  • Verify the VerdictReceiptStatement is a valid in-toto statement with the correct predicate type URI