stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/attestor/signed-risk-verdicts.md

2.6 KiB
Raw Blame History

Signed Risk Verdicts (DSSE/in-toto Envelope)

Module

Attestor

Status

IMPLEMENTED

Description

Verdicts signed as DSSE/in-toto attestations bound to immutable artifact digests, containing policy binding, knowledge snapshot binding, evaluator version, rationale, findings references, and unknowns state.

Implementation Details

  • Verdict Receipt Payload: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptPayload.cs -- payload containing the verdict decision, inputs, outputs, and rationale.
  • Verdict Receipt Statement: Statements/VerdictReceiptStatement.cs -- in-toto statement wrapping the verdict receipt.
  • Verdict Decision: Statements/VerdictDecision.cs -- the risk verdict (Pass/Fail/Warn) with rationale.
  • Verdict Inputs: Statements/VerdictInputs.cs -- inputs: policy binding, knowledge snapshot digest, evaluator version, findings references.
  • Verdict Outputs: Statements/VerdictOutputs.cs -- outputs: violations, exceptions, unknowns state.
  • Verdict Summary: Predicates/VerdictSummary.cs -- summary of the verdict for proof graph integration.
  • DSSE Signing: Signing/ProofChainSigner.cs (with .Verification) -- signs verdicts into DSSE envelopes bound to artifact digests.
  • Signing Key Profile: Signing/SigningKeyProfile.cs -- key profile used for signing the verdict.
  • Proof Subject: Builders/ProofSubject.cs -- artifact digest binding (subject with name and digest map).
  • Verdict Ledger: __Libraries/StellaOps.Attestor.VerdictLedger/VerdictLedgerService.cs -- records signed verdicts in the append-only ledger.
  • Trust Verdict: __Libraries/StellaOps.Attestor.TrustVerdict/ -- trust verdict integration.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/VerdictReceiptTests.cs

E2E Test Plan

  • Create a VerdictReceiptPayload with Pass decision, sign into DSSE envelope, and verify binding to artifact digest
  • Verify VerdictInputs captures policy binding ID, knowledge snapshot digest, and evaluator version
  • Verify VerdictOutputs captures findings references and unknowns state
  • Create a Fail verdict with rationale and verify the rationale is present in the signed payload
  • Verify the DSSE envelope signature via ProofChainSigner.Verification
  • Record the signed verdict in VerdictLedgerService and verify the ledger entry
  • Verify immutability: attempt to modify the verdict after signing and confirm signature verification fails
  • Create verdicts for multiple artifacts and verify each is bound to its specific artifact digest via ProofSubject