StellaOps Signer

Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports.

Latest updates (Sprint 11 · 2025-10-21)

  • /sign/dsse pipeline landed with Authority OpTok + PoE enforcement, Fulcio/KMS signing modes, and deterministic DSSE bundles ready for Attestor logging.
  • /verify/referrers endpoint exposes release-integrity checks against scanner OCI referrers so callers can confirm digests before requesting signatures.
  • Plan quota enforcement (QPS/concurrency/artifact size) and audit/metrics wiring now align with the Sprint 11 signing-chain release.

Responsibilities

  • Enforce Proof-of-Entitlement and plan quotas before signing artifacts.
  • Support keyless (Fulcio) and keyful (KMS/HSM) signing backends.
  • Verify scanner release integrity via OCI referrers prior to issuing signatures.
  • Emit DSSE payloads consumed by Attestor/Export Center and maintain comprehensive audit trails.

Key components

  • StellaOps.Signer service host.
  • Crypto providers under StellaOps.Cryptography.*.

Integrations & dependencies

  • Authority for OpTok + PoE validation.
  • Licensing Service for entitlement introspection.
  • OCI registries (Referrers API) for scanner release verification.
  • Attestor for transparency logging and Rekor ingestion.
  • Export Center and CLI for artifact signing flows.

API quick reference

  • POST /api/v1/signer/sign/dsse — validate OpTok/PoE, enforce quotas, return DSSE bundle with signing identity metadata.
  • GET /api/v1/signer/verify/referrers — report scanner release signer and trust verdict for a supplied image digest.
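To show what the deterministic DSSE bundle returned by /sign/dsse looks like on the wire and how a consumer such as the offline kit checks it, an added example that is not Signer's own code: it builds a DSSE envelope with the spec's Pre-Authentication Encoding (PAE) and verifies it. An HMAC stands in for the Fulcio/KMS signature, and the payload type, key id and SBOM digest are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Assumed payload type and demo inputs (constructed, not StellaOps values).
PAYLOAD_TYPE = "application/vnd.in-toto+json"
DEMO_KEY = b"demo-hmac-key-not-a-real-signing-key"
DEMO_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "sbom.cdx.json", "digest": {"sha256": "00" * 32}}],
    "predicateType": "https://example.invalid/stellaops/sbom-attestation",
    "predicate": {"scanner": "demo", "offline": True},
}

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: binds the payload type to the payload
    so a signature cannot be replayed under a different payloadType."""
    def field(b: bytes) -> bytes:
        return str(len(b)).encode() + b" " + b
    return b"DSSEv1 " + field(payload_type.encode()) + b" " + field(payload)

def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Produce a DSSE envelope. Canonical JSON (sorted keys, no whitespace)
    makes the bundle deterministic: same statement, same bytes, same sig."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    # Stand-in for the asymmetric signature a Fulcio/KMS backend would make.
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }

def verify_envelope(envelope: dict, trusted_keys: dict) -> bool:
    """Accept the envelope if any signature verifies under a trusted key.
    The PAE is recomputed from the envelope's own payloadType and payload, so
    tampering with either one breaks verification."""
    payload = base64.b64decode(envelope["payload"])
    message = pae(envelope["payloadType"], payload)
    for entry in envelope["signatures"]:
        key = trusted_keys.get(entry["keyid"])
        if key is None:
            continue  # unknown key id: never trust, keep looking
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(entry["sig"])):
            return True
    return False

if __name__ == "__main__":
    env = sign_envelope(DEMO_STATEMENT, DEMO_KEY, "demo-key-1")
    print(json.dumps(env, indent=2))
    print("verified:", verify_envelope(env, {"demo-key-1": DEMO_KEY}))
```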

Operational notes

  • Key management via Authority/DevOps runbooks.
  • Metrics for signing latency/throttle states.
  • Offline kit integration for signature verification.

Backlog references

  • SIG docs/tasks in ../../TASKS.md (e.g., DOCS-SIG-26-006).

Epic alignment

  • Epic 10 Export Center: provide signing pipelines, cosign interoperability, and provenance manifests for bundle promotion.
  • Epic 19 Attestor Console: supply DSSE payloads and Proof-of-Entitlement enforcement feeding attestation workflows described in docs/modules/attestor/.