stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/attestor/dsse-signed-exception-objects-with-recheck-policy.md

2.3 KiB
Raw Blame History

DSSE-Signed Exception Objects with Recheck Policy

Module

Attestor

Status

IMPLEMENTED

Description

Policy exceptions framework with models, repositories, and services exists. DSSE signing infrastructure is available. Full UI exception modal with recheck policy enforcement is partially complete.

What's Implemented

  • Budget Exception Entry: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs -- exception entry model.
  • Exception Ref: ProofChain/Services/ExceptionRef.cs -- reference to an approved exception.
  • VEX Override System: __Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/ -- VexOverridePredicateBuilder (with .Build, .Serialize, .WithMethods), VexOverrideDecision, EvidenceReference -- structured override/exception with evidence.
  • DSSE Signing Infrastructure: ProofChain/Signing/ProofChainSigner.cs, DsseEnvelope.cs -- available DSSE signing.
  • Policy Decision: Predicates/PolicyDecision.cs -- policy decision referencing exceptions.

What's Missing

  • DSSE-signed exception objects: Exceptions are not individually DSSE-signed as standalone attestation artifacts. They exist as records within larger predicates but are not independently verifiable.
  • Recheck policy enforcement: No automated recheck scheduling that re-evaluates exceptions at configured intervals (e.g., 30-day review cycle).
  • Exception expiry enforcement: No automated enforcement of exception expiry dates with re-approval workflow.
  • Exception approval workflow: No multi-party approval flow for exception creation (e.g., two approvers required for critical CVE exceptions).
  • Exception audit trail: No dedicated audit trail for exception lifecycle (created, approved, rechecked, expired, revoked).

Implementation Plan

  • Create DsseSignedException model wrapping exception objects in DSSE envelopes
  • Implement recheck policy with configurable intervals (Scheduler integration)
  • Add exception expiry enforcement with notification before expiry
  • Build multi-party approval workflow for high-severity exceptions
  • Create exception audit trail using the existing AuditHashLogger infrastructure
  • Add UI exception modal with recheck policy configuration
  • Add tests for signing, recheck scheduling, and expiry enforcement

Related Documentation

  • Source: See feature catalog