stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/evidencelocker/verifiable-evidence-for-every-release-decision.md

2.4 KiB
Raw Blame History

Verifiable Evidence for Every Release Decision

Module

EvidenceLocker

Status

IMPLEMENTED

Description

Timestamped evidence with attestation assembly and export services supports verifiable, audit-grade release decision records.

Implementation Details

  • Modules: src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/, src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/
  • Key Classes:
    • EvidenceBundleBuilder (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Builders/EvidenceBundleBuilder.cs) - assembles verifiable evidence for release decisions
    • EvidenceSignatureService (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs) - signs evidence with DSSE for verifiability
    • RetimestampService (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/RetimestampService.cs) - provides timestamps for evidence records
    • EvidenceSnapshotService (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/EvidenceSnapshotService.cs) - captures point-in-time evidence snapshots
    • EvidenceBundleRepository (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Repositories/EvidenceBundleRepository.cs) - persists verifiable evidence bundles
    • TimestampEvidence (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Models/TimestampEvidence.cs) - timestamp evidence model for RFC 3161/Rekor timestamps
  • Interfaces: IEvidenceBundleBuilder, IEvidenceSignatureService, IRetimestampService, IEvidenceBundleRepository
  • Source: Feature matrix scan

E2E Test Plan

  • Record a release decision and verify EvidenceBundleBuilder creates a verifiable evidence bundle with DSSE signature
  • Verify EvidenceSignatureService produces DSSE signatures that are independently verifiable
  • Verify RetimestampService attaches RFC 3161 or Rekor timestamps to evidence records
  • Verify EvidenceSnapshotService captures the complete decision context at the time of the decision
  • Verify evidence bundles persisted via EvidenceBundleRepository maintain integrity over time (content hash matches)
  • Verify end-to-end: create, sign, timestamp, store, retrieve, and independently verify an evidence bundle