git.stella-ops.org/docs/modules/attestor/implementation_plan.md

Implementation plan — Attestor

Delivery phases

• Phase 1 – Foundations
  Build the Attestor service skeleton, DSSE bundle ingestion, mTLS/OpTok enforcement, Rekor v2 client, and cache the {uuid,index,proof} tuple. Publish base API (POST /rekor/entries, GET /entries/{uuid}) and Mongo schemas.
• Phase 2 – Policies & UI
  Deliver verification policy authoring (Policy Studio integration), console views (evidence browser, verification reports, issuer management), and CLI verbs (stella attest sign|verify|list|fetch).
• Phase 3 – Scan & VEX support
  Accept SBOM, ScanResults, VEX, and PolicyEvaluation predicates; integrate with Scanner, Export Center, Excititor, and Policy Engine pipelines. Ensure AOC invariants on ingestion.
• Phase 4 – Transparency & keys
  Add multi-log submission (primary + mirror), witness endorsements, KMS/HSM/FIDO2 drivers, key rotation/revocation workflows, and audit trails.
• Phase 5 – Bulk & air gap
  Implement batch submission/verification, DSSE archival to CAS/object storage, export/import bundles for Offline Kit, and mirror transparency log snapshots.
• Phase 6 – Performance & hardening
  Optimise cache usage, parallel verification (target ≥1 k envelopes/minute per worker), extend observability (metrics/logs/traces), fuzz parsers, and finalise incident playbooks.

Work breakdown

• Attestor service & libraries
  • DSSE validation pipeline (payload whitelist, signature verification, trust roots).
  • Rekor client with inclusion-proof acquisition, retry/backoff, mirroring controls.
  • Mongo repositories for entries, dedupe, audit; CAS storage for DSSE envelopes.
  • Batch submission/verification APIs, verification cache, deterministic serialization.
  • Observability hooks: metrics (attestor_submission_total, attestor_verify_seconds), structured logs, OpenTelemetry traces.
• Signer & Authority integration
  • Enforce mTLS peer validation, Authority scope mapping (attestor.write, attestor.verify), and DPoP binding.
  • Provide signer identity attestation metadata consumed by Attestor.
• Policy & Console
  • Extend Policy Studio with VerificationPolicy authoring, approvals, and simulated results.
  • Console workflows: Evidence browser, verification reports, chain-of-custody graph, key management UI, bulk verification screens.
• CLI & SDK
  • stella attest command group (sign/verify/list/fetch/key management) with DSSE canonicalisation and cosign interoperability.
  • SDK helpers for DSSE envelope creation, verification, and proof inspection.
• Export Center & Offline Kit
  • Export Center adapters for attestation bundles; CLI/Console flows to export & import evidence in air-gapped environments.
  • Offline Kit scripts for replaying verification, mirroring transparency logs, and reporting gaps.
• Security & key management
  • KMS/HSM/FIDO2 driver abstraction, key rotation and revocation runbooks, witness endorsements, and revocation telemetry.
• Docs & training
  • Update module dossier (overview, architecture, implementation plan), key management guides, transparency reference, CLI/Console documentation, and air-gap runbooks.

Cross-module dependencies

• Policy Studio / Policy Engine: verification policy artefacts, explain integration, remediation hints.
• Export Center: attestation bundle export/import, provenance linking.
• Authority & Tenancy: scopes, identity attestations, tenant-aware issuer catalogues.
• Notifications: attestation success/failure events, key rotation alerts.
• Observability: dashboards and alerting for signing/verification pipelines.

Acceptance criteria

• Service ingests DSSE envelopes for all supported predicate types, logs them to configured transparency logs, and returns proofs with deterministic hashes.
• Verification APIs/CLI/UI validate signatures, inclusion proofs, and policy compliance; cached verification accelerates repeated checks.
• Verification policies gate attestation usage, enforcing issuer, freshness, signature count, and witness requirements.
• Export Center and Offline Kit workflows bundle attestations and replay verification offline.
• Observability coverage includes metrics, traces, logs, audit events, and alert triggers for key compromise, log outages, and verification failure spikes.
• Performance target met (≥1 k envelopes/minute per worker) with horizontal scaling.

Risks & mitigations

• Key compromise or leakage: enforce hardware-backed keys, rotation procedures, revocation checks, and incident runbooks.
• Parser bugs / malformed DSSE: fuzz DSSE and predicate schemas, strict schema validation, fail closed.
• Transparency outage: mirror logs, support witness endorsements, queue submissions for retry with exponential backoff.
• Policy complexity: ship curated starter policies, provide simulation tooling, and document common scenarios.
• Offline gaps: archive bundles and proof material, surface gaps to operators, and document compensating controls.

Test strategy

• Unit: DSSE validation, Rekor client, dedupe logic, key drivers, policy enforcement.
• Integration: submit/verify flows across predicate types, multi-log publishing, batch operations, CLI/UI end-to-end exercises.
• Security: tenant isolation, scope enforcement, key rotation regression, tamper detection.
• Performance: throughput benchmarks, cache hit-rate monitoring, large batch verification.
• Chaos: inject Rekor outages, network failures, corrupt bundles; ensure graceful degradation and auditable alerts.

Definition of done

• Phased milestones delivered with telemetry, documentation, and runbooks in place.
• CLI/Console parity verified; Offline Kit procedures validated in sealed environment.
• Cross-module dependencies acknowledged in ./TASKS.md and ../../TASKS.md.
• Documentation set refreshed (overview, architecture, key management, transparency, CLI/UI) with imposed rule statement.