git.stella-ops.org/docs/features/unchecked/cli/oci-referrers-for-evidence-storage.md

# OCI Referrers for Evidence Storage (StellaBundle)

**Module:** Cli

**Status:** IMPLEMENTED

## Description

Bundle export, verification, and CLI commands exist. The pattern for storing evidence as OCI referrers is partially implemented through the bundle system and verifier module.

## What's Implemented

- Bundle Export: `src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs` -- `BundleExportCommand` (static class)
  - Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-002)
  - Implements `stella evidence export-bundle --image <ref> [--output <path>] [--include-dsse] [--include-rekor-proof]`
  - Produces advisory-compliant bundles with DSSE envelopes, Rekor proofs, and OCI referrer metadata
- Bundle Verification: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs` -- `BundleVerifyCommand` (static class)
  - Sprint: SPRINT_20260118_018_AirGap_router_integration (TASK-018-003)
  - Implements `stella bundle verify --bundle <path> [--trust-root <pem>] [--rekor-checkpoint <path>]`
  - Full offline cryptographic verification chain
- Bundle Command Group: `src/Cli/StellaOps.Cli/Commands/BundleCommandGroup.cs` -- additional bundle operations
- Evidence Command Group: `src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs` -- evidence management commands
- Checkpoint Commands: `src/Cli/StellaOps.Cli/Commands/CheckpointCommands.cs` -- checkpoint operations for bundle management
- Verifier Module: `src/Verifier/` -- evidence verification backend

## What's Missing

- OCI Referrers API integration: no direct ORAS or OCI Distribution API client for pushing/pulling evidence as OCI referrers (artifacts are stored as bundles, not as native OCI referrers)
- `stella evidence push-referrer`: no command to push evidence artifacts as OCI referrers to a registry using the OCI Referrers API
- `stella evidence list-referrers`: no command to list all referrers attached to an OCI artifact digest
- Referrer discovery: no automated discovery of evidence referrers when running verify commands against a registry
- ORAS integration: no integration with the ORAS library for native OCI artifact handling

## Implementation Plan

- Add an OCI Distribution client with Referrers API support (v2 manifest list)
- Implement `stella evidence push-referrer --image <ref> --artifact-type <type> --file <path>` for pushing evidence as OCI referrers
- Implement `stella evidence list-referrers <ref>` for listing attached referrers by artifact type
- Add a `--use-referrers` flag to `stella verify image` to auto-discover evidence from registry referrers
- Integrate with the existing bundle export to optionally push as OCI referrers instead of tar.gz

Related source files:

- Bundle export: `src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs`
- Bundle verify: `src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs`
- Evidence commands: `src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs`