git.stella-ops.org/docs/features/unchecked/attestor/proof-spine-system.md

# Proof Spine System (Assembly, Segment Construction, Explainable Quiet Alerts)

**Module:** Attestor

**Status:** IMPLEMENTED

## Description

Proof spine builder that produces chained segments (SBOM_SLICE, MATCH, REACHABILITY, GUARD_ANALYSIS, RUNTIME_OBSERVATION, POLICY_EVAL), each DSSE-signed and hash-linked to its predecessor. Evidence IDs, reasoning IDs and VEX verdict IDs are chained into signed proof bundles, and a Merkle root is computed over the spine. The VexProofSpineService in the Policy engine uses these spines to make quiet alerts explainable.

## Implementation Details

- Proof Spine Assembly: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Assembly/
  - ProofSpineRequest.cs -- request specifying the subjects and evidence to include in the spine.
  - ProofSpineResult.cs -- result containing the assembled spine with its Merkle root and linked segments.
  - ProofSpineSubject.cs -- an individual subject within a spine (artifact digest, type).
  - MerkleTree.cs -- Merkle tree used for spine root computation.
  - SpineVerificationCheck.cs -- an individual verification check for one spine segment.
  - SpineVerificationResult.cs -- aggregate verification result for the complete spine.
- Proof Spine Statement: Statements/ProofSpineStatement.cs -- in-toto statement wrapping a proof spine.
- Proof Spine Predicate: Predicates/ProofSpinePredicate.cs -- predicate containing the Merkle root, segment list, evidence IDs, reasoning IDs, and VEX verdict IDs.
- DSSE Signing: Signing/ProofChainSigner.cs -- signs each spine segment into a DSSE envelope that is hash-linked to its predecessor.
- Content-Addressed Identifiers: Identifiers/EvidenceId.cs, ReasoningId.cs, VexVerdictId.cs -- the IDs chained into the spine.
- Persistence: __Libraries/StellaOps.Attestor.Persistence/Entities/SpineEntity.cs -- persists spine data.
- Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ProofSpineTests.cs

## E2E Test Plan

- Assemble a proof spine via ProofSpineRequest with 5 subjects and verify that ProofSpineResult contains a valid Merkle root.
- Verify that each spine segment is DSSE-signed and hash-linked to its predecessor.
- Create spine segments of different types (SBOM_SLICE, MATCH, REACHABILITY, POLICY_EVAL) and verify the segment type metadata.
- Chain evidence IDs, reasoning IDs, and VEX verdict IDs into the spine and verify that all IDs are present in ProofSpinePredicate.
- Verify the spine via SpineVerificationCheck for each segment and confirm that SpineVerificationResult passes.
- Build a ProofSpineStatement and sign it; verify that the DSSE envelope wraps the complete spine.
- Persist the spine via SpineEntity and retrieve it; verify data integrity.
- Tamper with one segment's hash and verify that spine verification detects the break in the hash chain.
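The assembly, signing, verification and tamper-detection flow described above and exercised by the test plan, as an added stand-alone example modelled on the description; it is not the project's C# code and mirrors its responsibilities only loosely (ProofChainSigner, MerkleTree, SpineVerificationCheck). The JSON segment schema, payload type string, genesis-hash convention and Merkle padding rule are assumptions, and HMAC-SHA256 with a constructed key stands in for the real DSSE signer:

```python
"""Hash-linked, DSSE-style proof spine: assembly, Merkle root, verification, tamper detection.
Added illustration of the scheme described on this page, not the project's code. Assumed here:
segment JSON schema, payload type, genesis hash, Merkle odd-level padding, HMAC as the signer."""
import base64
import hashlib
import hmac
import json

SEGMENT_TYPES = ("SBOM_SLICE", "MATCH", "REACHABILITY",
                 "GUARD_ANALYSIS", "RUNTIME_OBSERVATION", "POLICY_EVAL")
PAYLOAD_TYPE = "application/vnd.example.proof-segment+json"  # constructed, not the project's
GENESIS_HASH = "0" * 64  # predecessor recorded by the first segment (assumed convention)
SIGNING_KEY = b"constructed-demo-key"  # constructed stand-in for the real signer's key

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes a DSSE signature is computed over."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])

def sign(payload: bytes) -> str:
    # HMAC stands in for an asymmetric DSSE signature; verification below reuses the same key,
    # whereas a real verifier would hold only the signer's public key.
    return hmac.new(SIGNING_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).hexdigest()

def encode_payload(seg_type: str, body: dict, predecessor: str) -> bytes:
    # Canonical JSON so that identical content always yields the same digest and signature.
    doc = {"type": seg_type, "body": body, "predecessor": predecessor}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def build_segment(seg_type: str, body: dict, predecessor: str) -> dict:
    """Wrap one segment in a DSSE-style envelope; the predecessor digest sits inside the signed payload."""
    if seg_type not in SEGMENT_TYPES:
        raise ValueError(f"unknown segment type {seg_type!r}")
    payload = encode_payload(seg_type, body, predecessor)
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"sig": sign(payload)}]}

def segment_digest(segment: dict) -> str:
    """Content address of a segment: SHA-256 of its raw payload, which its successor links to."""
    return hashlib.sha256(base64.b64decode(segment["payload"])).hexdigest()

def merkle_root(leaf_hex: list) -> str:
    """Binary Merkle root over leaf digests; an odd level duplicates its last node (one common convention)."""
    level = [bytes.fromhex(h) for h in leaf_hex]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
    return level[0].hex()

def assemble_spine(specs: list) -> dict:
    """specs: [(segment_type, body), ...] in chain order -> {'segments': [...], 'merkleRoot': hex}."""
    segments, prev = [], GENESIS_HASH
    for seg_type, body in specs:
        seg = build_segment(seg_type, body, prev)
        segments.append(seg)
        prev = segment_digest(seg)
    return {"segments": segments, "merkleRoot": merkle_root([segment_digest(s) for s in segments])}

def verify_spine(spine: dict) -> dict:
    """Re-check every signature and predecessor link, then the Merkle root; return per-check results."""
    checks, prev = [], GENESIS_HASH
    for i, seg in enumerate(spine["segments"]):
        payload = base64.b64decode(seg["payload"])
        sig_ok = hmac.compare_digest(seg["signatures"][0]["sig"], sign(payload))
        link_ok = json.loads(payload)["predecessor"] == prev
        checks.append({"segment": i, "check": "signature", "passed": sig_ok})
        checks.append({"segment": i, "check": "predecessor_link", "passed": link_ok})
        prev = segment_digest(seg)
    root_ok = spine["merkleRoot"] == merkle_root([segment_digest(s) for s in spine["segments"]])
    checks.append({"segment": None, "check": "merkle_root", "passed": root_ok})
    return {"passed": all(c["passed"] for c in checks), "checks": checks}

def failed_checks(result: dict) -> list:
    return [(c["segment"], c["check"]) for c in result["checks"] if not c["passed"]]

def tamper(spine: dict, index: int) -> dict:
    """Copy the spine and rewrite one segment's body after signing, leaving its signature untouched."""
    copy = json.loads(json.dumps(spine))
    seg = copy["segments"][index]
    doc = json.loads(base64.b64decode(seg["payload"]))
    seg["payload"] = base64.b64encode(
        encode_payload(doc["type"], {"tampered": True}, doc["predecessor"])).decode()
    return copy

# Constructed sample spine: SBOM slice -> match -> reachability -> policy verdict (all values made up).
SAMPLE_SPECS = [
    ("SBOM_SLICE", {"artifact": "sha256:" + "ab" * 32, "component": "pkg:npm/example@1.0.0"}),
    ("MATCH", {"advisory": "EXAMPLE-ADVISORY-0001", "component": "pkg:npm/example@1.0.0"}),
    ("REACHABILITY", {"reachable": False, "entrypoints_scanned": 12}),
    ("POLICY_EVAL", {"verdict": "not_affected", "quiet": True}),
]

if __name__ == "__main__":
    spine = assemble_spine(SAMPLE_SPECS)
    print("intact spine passes:", verify_spine(spine)["passed"])
    print("after tampering with segment 1:", failed_checks(verify_spine(tamper(spine, 1))))
```

Altering one segment after signing trips three independent checks: that segment's own signature, the next segment's predecessor link (because the successor committed to the original digest), and the Merkle root. Reporting each check separately, as the SpineVerificationCheck/SpineVerificationResult split suggests, is what lets a verifier say where the chain broke rather than only that the root no longer matches.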