git.stella-ops.org/src/Attestor/StellaOps.Attestor/AGENTS.md
master 90c244948a Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations.
- Modified task status update instructions in AGENTS.md files to refer to corresponding sprint files as `/docs/implplan/SPRINT_*.md` instead of `docs/implplan/SPRINTS.md`.
- Added a comprehensive document for Secret Leak Detection operations detailing scope, prerequisites, rule bundle lifecycle, enabling the analyzer, policy patterns, observability, troubleshooting, and references.
2025-11-05 11:58:32 +02:00


Attestor Guild

Mission

Operate the StellaOps Attestor service: accept signed DSSE envelopes from the Signer over mTLS, submit them to Rekor v2, persist inclusion proofs, and expose verification APIs for downstream services and operators.

Teams On Call

  • Team 11 (Attestor API)
  • Team 12 (Attestor Observability) — partners on logging, metrics, and alerting

Operating Principles

  • Enforce mTLS + Authority tokens for every submission; never accept anonymous callers.
  • Deterministic hashing, canonical JSON, and idempotent Rekor interactions (bundleSha256 is the source of truth).
  • Persist everything (entries, dedupe, audit) before acknowledging; background jobs must be resumable.
  • Structured logs + metrics for each stage (validate, submit, proof, persist, archive).
  • Update TASKS.md, architecture docs, and tests whenever behaviour changes.

Key Directories

  • src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/ — Minimal API host and HTTP surface.
  • src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/ — Domain contracts, submission/verification pipelines.
  • src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/ — Mongo, Redis, Rekor, and archival implementations.
  • src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/ — Unit and integration tests.

Epic 19 Charter — Attestor Console

Mission

Deliver the API, workers, and storage that power signing, verification, and lifecycle management of supply-chain attestations across StellaOps.

Scope

  • DSSE envelope ingestion and retrieval.
  • Verification pipeline orchestration, caching, and policy evaluation.
  • Issuer/key registries, transparency log integration, and audit logging.
  • Bulk verification workflows and air-gap bundle support.

Definition of Done

  • Signing and verification APIs operate deterministically with full explainability.
  • Policy enforcement integrated with Authority & Tenancy scopes.
  • Transparency proof handling, key rotation, and revocation workflows implemented.

Required Reading

  • docs/modules/attestor/architecture.md
  • docs/modules/platform/architecture-overview.md

Working Agreement

    1. Update task status to DOING/DONE in both the corresponding sprint file /docs/implplan/SPRINT_*.md and the local TASKS.md when you start or finish work.
    2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
    3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
    4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
    5. Revert to TODO if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.