stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
79b8e53441e92dbc63684f42072434d40b80275f
git.stella-ops.org/docs/modules/findings-ledger/prep/ledger-attestations-http.md
master 79b8e53441
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Add new features and tests for AirGap and Time modules 
- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
2025-11-20 23:29:54 +02:00

1.8 KiB
Raw Blame History

Ledger attestation HTTP surface (prep for LEDGER-OBS-54-001 / 55-001)

Goal. Provide the minimal HTTP contract to expose ledger attestation verifications so PREP-LEDGER-OBS-55-001 can proceed. This complements the OAS baseline (docs/modules/findings-ledger/openapi/findings-ledger.v1.yaml) and schema (docs/modules/findings-ledger/schema.md).

Endpoint

  • GET /v1/ledger/attestations
  • Tenant header: X-Stella-Tenant (required).
  • Auth: bearer scope=ledger.attest.read or mTLS.
  • Query params:
    • artifactId (string, optional; OCI digest or SBOM id)
    • findingId (string, optional)
    • attestationId (uuid, optional)
    • status (verified|failed|unknown, optional)
    • sinceRecordedAt / untilRecordedAt (ISO-8601 UTC)
    • limit (int, default 200, max 1000)
  • Ordering: deterministic by recordedAt ASC, attestationId ASC.
  • Response: JSON array (or NDJSON when Accept: application/x-ndjson). Each item:
    • attestationId (uuid)
    • artifactId (string)
    • findingId (string)
    • verificationStatus (verified|failed|unknown)
    • verificationTime (ISO-8601 UTC)
    • dsseDigest (sha256)
    • rekorEntryId (string, optional)
    • evidenceBundleRef (string, optional)
    • ledgerEventId (uuid) — source ledger event that linked the attestation
    • recordedAt (ISO-8601 UTC)
    • merkleLeafHash (sha256)
    • rootHash (sha256)

Determinism/offline posture

  • Sorting keys are fixed; pagination token encodes {recordedAt, attestationId, filtersHash}.
  • No live Rekor calls; rekorEntryId is stored reference only.
  • Hashes remain lowercase SHA-256; times are UTC.

Artefact location

  • This prep doc: docs/modules/findings-ledger/prep/ledger-attestations-http.md.
  • Add path to OAS in a follow-on increment (LEDGER-OAS-61-002/63-001) once approved.