git.stella-ops.org/docs/features/unchecked/devops/vex-rekor-linkage.md

VEX-Rekor Linkage

Module: devops

Status: IMPLEMENTED

Description

Database migration linking VEX observations to Rekor entries for transparent VEX decision tracking.

Implementation Details

  • VEX Proof Integrator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.Helpers.cs and VexProofIntegrator.Metadata.cs -- integrates VEX verdicts with the proof chain by generating Rekor-linked evidence, binding each VEX decision to a transparency log entry.
  • VEX Verdict Proof Payload: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/VexVerdictProofPayload.cs -- payload model for VEX verdict proofs containing Rekor entry references.
  • VEX Verdict ID: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/VexVerdictId.cs -- content-addressed identifier for VEX verdicts, used to link VEX observations to their Rekor transparency log entries.
  • VEX Delta Models: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexDeltaChange.cs, VexDeltaStatement.cs, VexDeltaSummary.cs -- models for tracking VEX status changes across Rekor-linked observations.
  • VEX Merge Trace: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexMergeTrace.cs -- audit trace for VEX statement merges, including Rekor entry references for each source.
  • Compose Configuration: devops/compose/docker-compose.stella-ops.yml -- Docker Compose stack with the PostgreSQL services that host the VEX-Rekor linkage tables.

E2E Test Plan

  • Create a VEX verdict via the proof chain pipeline and verify it generates a Rekor entry with the VEX payload; confirm the linkage is persisted in PostgreSQL with both the VEX verdict ID and Rekor log index
  • Query VEX observations by Rekor entry and verify the linked VEX status (affected, not_affected, under_investigation) is correctly returned
  • Update a VEX status and verify a new Rekor entry is created; confirm the delta change record links both the old and new Rekor entries
  • Verify the VEX merge trace includes Rekor references for each merged source statement
  • Verify the linkage survives database migration: run the migration on an existing database and confirm existing VEX-Rekor links are preserved
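The following is an added illustration of the linkage model described under Implementation Details and exercised by the E2E Test Plan; it is not code from the StellaOps project. It assumes a simplified shape for the pieces the page names: a content-addressed verdict ID (SHA-256 over canonical JSON), an append-only stand-in for the Rekor log, an in-memory stand-in for the PostgreSQL linkage table keyed by both verdict ID and Rekor log index, a delta-change record that links the old and new Rekor entries when a status changes, and a hypothetical migration that must preserve every existing link. The sample vulnerability ID and product are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field

# VEX statuses named on the page; anything else is rejected before it reaches the log.
VEX_STATUSES = {"affected", "not_affected", "under_investigation"}


def canonical_bytes(obj: dict) -> bytes:
    """Deterministic serialization so equal content always hashes to the same ID."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def vex_verdict_id(statement: dict) -> str:
    """Content-addressed verdict identifier (assumed format: 'sha256:<hex>')."""
    return "sha256:" + hashlib.sha256(canonical_bytes(statement)).hexdigest()


@dataclass
class RekorEntry:
    log_index: int
    payload_digest: str


class FakeRekorLog:
    """Append-only stand-in for a Rekor transparency log (constructed for this example)."""

    def __init__(self) -> None:
        self.entries: list[RekorEntry] = []

    def append(self, payload: dict) -> RekorEntry:
        digest = hashlib.sha256(canonical_bytes(payload)).hexdigest()
        entry = RekorEntry(len(self.entries), digest)
        self.entries.append(entry)
        return entry


@dataclass
class VexLink:
    """One row of the linkage table: verdict ID, Rekor log index and the VEX status."""
    verdict_id: str
    rekor_log_index: int
    status: str


@dataclass
class VexDeltaChange:
    """Status change record that references both the old and the new Rekor entry."""
    vuln_id: str
    product: str
    old_status: str
    new_status: str
    old_rekor_index: int
    new_rekor_index: int


@dataclass
class LinkageStore:
    """In-memory stand-in for the PostgreSQL linkage tables."""
    links: dict[str, VexLink] = field(default_factory=dict)
    by_rekor_index: dict[int, str] = field(default_factory=dict)
    deltas: list[VexDeltaChange] = field(default_factory=list)

    def record_verdict(self, statement: dict, log: FakeRekorLog) -> VexLink:
        if statement["status"] not in VEX_STATUSES:
            raise ValueError(f"unknown VEX status: {statement['status']}")
        verdict_id = vex_verdict_id(statement)
        entry = log.append({"verdictId": verdict_id, "statement": statement})
        link = VexLink(verdict_id, entry.log_index, statement["status"])
        self.links[verdict_id] = link
        self.by_rekor_index[entry.log_index] = verdict_id
        return link

    def status_by_rekor_index(self, log_index: int) -> str:
        """Query path used by the test plan: Rekor entry -> linked VEX status."""
        return self.links[self.by_rekor_index[log_index]].status

    def update_status(self, old_statement: dict, new_status: str, log: FakeRekorLog) -> VexDeltaChange:
        """A status update is a new verdict and a new Rekor entry; the delta links both."""
        old_link = self.links[vex_verdict_id(old_statement)]
        new_link = self.record_verdict({**old_statement, "status": new_status}, log)
        delta = VexDeltaChange(old_statement["vuln_id"], old_statement["product"],
                               old_link.status, new_status,
                               old_link.rekor_log_index, new_link.rekor_log_index)
        self.deltas.append(delta)
        return delta


def migrate(store: LinkageStore) -> LinkageStore:
    """Hypothetical migration: copy primary rows and rebuild the Rekor-index lookup."""
    migrated = LinkageStore(links=dict(store.links), deltas=list(store.deltas))
    migrated.by_rekor_index = {l.rekor_log_index: vid for vid, l in migrated.links.items()}
    return migrated


def links_preserved(before: LinkageStore, after: LinkageStore) -> bool:
    """Migration check: every pre-existing link still resolves from both keys."""
    return before.links == after.links and all(
        after.status_by_rekor_index(l.rekor_log_index) == l.status for l in before.links.values())


def demo() -> tuple[LinkageStore, FakeRekorLog, VexLink, VexDeltaChange]:
    log, store = FakeRekorLog(), LinkageStore()
    # Constructed placeholder statement; not a real vulnerability or product.
    stmt = {"vuln_id": "CVE-0000-0000", "product": "pkg:example/app@1.0", "status": "under_investigation"}
    link = store.record_verdict(stmt, log)
    delta = store.update_status(stmt, "not_affected", log)
    return store, log, link, delta


if __name__ == "__main__":
    store, log, link, delta = demo()
    print(link, delta, links_preserved(store, migrate(store)), sep="\n")
```

Because the verdict ID is derived from canonical content, re-recording the same statement yields the same ID and a stable join key, while any change to the status produces a fresh ID and a fresh Rekor entry, which is what makes the delta record's two log indices meaningful as an audit trail.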