git.stella-ops.org/docs/features/unimplemented/cli/oci-referrers-for-evidence-storage.md

OCI Referrers for Evidence Storage (StellaBundle)

Module: Cli

Status: PARTIALLY_IMPLEMENTED

Description

Bundle export, bundle verification, and the CLI commands that drive them exist. Evidence is currently packaged, signed and verified as a StellaBundle (a tar.gz carrying DSSE envelopes and Rekor proofs, with OCI referrer metadata recorded inside the bundle), and the verifier module checks it offline. Nothing yet speaks the OCI Distribution Referrers API, so evidence is neither pushed to nor discovered from a registry as native OCI referrers; that half of the pattern is what remains.

What's Implemented

  • Bundle Export: src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs -- BundleExportCommand (static class)
    • Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-002)
    • Implements stella evidence export-bundle --image <ref> [--output <path>] [--include-dsse] [--include-rekor-proof]
    • Produces advisory-compliant bundles with DSSE envelopes, Rekor proofs, and OCI referrer metadata
  • Bundle Verification: src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs -- BundleVerifyCommand (static class)
    • Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-003)
    • Implements stella bundle verify --bundle <path> [--trust-root <pem>] [--rekor-checkpoint <path>]
    • Full offline cryptographic verification chain
  • Bundle Command Group: src/Cli/StellaOps.Cli/Commands/BundleCommandGroup.cs -- additional bundle operations
  • Evidence Command Group: src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs -- evidence management commands
  • Checkpoint Commands: src/Cli/StellaOps.Cli/Commands/CheckpointCommands.cs -- checkpoint operations for bundle management
  • Verifier Module: src/Verifier/ -- evidence verification backend

What's Missing

  • OCI Referrers API integration: No direct oras or OCI Distribution API client for pushing/pulling evidence as OCI referrers (artifacts are stored as bundles, not native OCI referrers)
  • stella evidence push-referrer: No command to push evidence artifacts as OCI referrers to a registry using the OCI Referrers API
  • stella evidence list-referrers: No command to list all referrers attached to an OCI artifact digest
  • Referrer discovery: No automated discovery of evidence referrers when running verify commands against a registry
  • ORAS integration: No integration with ORAS library for native OCI artifact handling

Implementation Plan

  • Add an OCI Distribution client with Referrers API support: GET /v2/<name>/referrers/<digest> returns an OCI image index (application/vnd.oci.image.index.v1+json, not a Docker manifest list), and registries that answer 404 need the fallback to the referrers tag schema (a <alg>-<hex> tag in the same repository that holds the same kind of index)
  • Implement stella evidence push-referrer --image <ref> --artifact-type <type> --file <path> for pushing evidence as OCI referrers: upload the evidence blob, then push a manifest whose artifactType is the given type and whose subject descriptor is the image digest (on a registry without the Referrers API the client must also update the tag-schema index itself)
  • Implement stella evidence list-referrers <ref> for listing attached referrers by artifact type, filtering client-side unless the registry reports OCI-Filters-Applied: artifactType
  • Add --use-referrers flag to stella verify image to auto-discover evidence from registry referrers (resolve the image reference to a digest first; referrers hang off the manifest digest, not the tag)
  • Integrate with existing bundle export to optionally push as OCI referrers instead of tar.gz

Related Files

  • Bundle export: src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs
  • Bundle verify: src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs
  • Evidence commands: src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs
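The lookup that the Implementation Plan's client and list-referrers items describe, as an added example. This is not code from the stella-ops project (whose CLI is C#); it is a stand-alone Go sketch of the protocol, written in Go because that is the language of the OCI registry tooling (ORAS, distribution) the plan refers to. The names ListReferrers, NewFakeRegistry, DiscoverDsse, the repository "stella/app", the digests and the two sample referrers (a DSSE envelope and an SPDX SBOM) are all constructed for the example; the fake registry stands in for a real one so the code runs offline, and it deliberately ignores the artifactType query parameter, which a real registry is allowed to do.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const indexMediaType = "application/vnd.oci.image.index.v1+json"

// Descriptor is the subset of an OCI content descriptor a referrers client needs.
type Descriptor struct {
	MediaType    string `json:"mediaType"`
	Digest       string `json:"digest"`
	ArtifactType string `json:"artifactType,omitempty"`
}

// Index is the OCI image index the Referrers API returns (not a Docker manifest list).
type Index struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Manifests     []Descriptor `json:"manifests"`
}

// get issues a GET that asks for an OCI image index; the caller closes the body.
func get(c *http.Client, u string) (*http.Response, error) {
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", indexMediaType)
	return c.Do(req)
}

// ListReferrers discovers the referrers of subject in repo that carry artifactType. It tries
// GET /v2/<repo>/referrers/<digest> first; a 404 means the registry predates the Referrers
// API, so it falls back to the tag schema GET /v2/<repo>/manifests/<alg>-<hex>. The filter is
// applied client-side: the tag-schema index is never filtered, and a registry may ignore the
// query parameter (it says so by omitting the OCI-Filters-Applied: artifactType header).
func ListReferrers(c *http.Client, base, repo, subject, artifactType string) ([]Descriptor, error) {
	// QueryEscape matters: an unescaped "+json" is decoded as a space by the registry.
	resp, err := get(c, fmt.Sprintf("%s/v2/%s/referrers/%s?artifactType=%s", base, repo, subject, url.QueryEscape(artifactType)))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNotFound {
		tag := strings.Replace(subject, ":", "-", 1) // "sha256:ab.." -> "sha256-ab.."
		if resp, err = get(c, fmt.Sprintf("%s/v2/%s/manifests/%s", base, repo, tag)); err != nil {
			return nil, err
		}
		defer resp.Body.Close()
		if resp.StatusCode == http.StatusNotFound {
			return nil, nil // no referrers recorded under either mechanism
		}
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("referrers lookup: HTTP %d", resp.StatusCode)
	}
	var idx Index
	if err := json.NewDecoder(resp.Body).Decode(&idx); err != nil {
		return nil, err
	}
	var out []Descriptor
	for _, d := range idx.Manifests {
		if d.ArtifactType == artifactType {
			out = append(out, d)
		}
	}
	return out, nil
}

// NewFakeRegistry (constructed for this example) serves one subject's referrers unfiltered,
// via the Referrers API when modern is true and via the tag schema only when false.
func NewFakeRegistry(modern bool, repo, subject string, refs []Descriptor) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		apiPath := "/v2/" + repo + "/referrers/" + subject
		tagPath := "/v2/" + repo + "/manifests/" + strings.Replace(subject, ":", "-", 1)
		if (modern && r.URL.Path == apiPath) || r.URL.Path == tagPath {
			json.NewEncoder(w).Encode(Index{SchemaVersion: 2, MediaType: indexMediaType, Manifests: refs})
			return
		}
		http.NotFound(w, r) // a pre-1.1 registry has no /referrers/ route
	})
}

// DiscoverDsse runs discovery against the fake registry, loaded with two constructed sample
// referrers (a DSSE envelope and an SPDX SBOM), and returns only the DSSE one.
func DiscoverDsse(modern bool) ([]Descriptor, error) {
	const dsse = "application/vnd.dsse.envelope.v1+json"
	subject := "sha256:" + strings.Repeat("ab", 32)
	refs := []Descriptor{
		{MediaType: "application/vnd.oci.image.manifest.v1+json", Digest: "sha256:" + strings.Repeat("11", 32), ArtifactType: dsse},
		{MediaType: "application/vnd.oci.image.manifest.v1+json", Digest: "sha256:" + strings.Repeat("22", 32), ArtifactType: "application/spdx+json"},
	}
	srv := httptest.NewServer(NewFakeRegistry(modern, "stella/app", subject, refs))
	defer srv.Close()
	return ListReferrers(srv.Client(), srv.URL, "stella/app", subject, dsse)
}

func main() {
	got, err := DiscoverDsse(false) // false exercises the tag-schema fallback path
	fmt.Println(got, err)
}
```

DiscoverDsse(true) and DiscoverDsse(false) return the same single DSSE descriptor, which is the property a --use-referrers verifier needs: the evidence it finds must not depend on which registry generation the image lives in. Two things the sketch leaves to the real client: authenticating (registries answer 401 with a WWW-Authenticate challenge before anything else), and fetching and verifying each referrer manifest's blob against the digest in its descriptor before handing it to the bundle verifier.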