stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/excititor/vex-override-workflow-with-attestation-linkage.md

2.9 KiB
Raw Blame History

VEX Override Workflow with Attestation Linkage

Module

Excititor

Status

IMPLEMENTED

Description

VEX decision APIs extended with attestation references so overrides are DSSE-signed. Attestor integration mints envelopes for operator decisions with envelope digest and Rekor info persistence. Includes offline stub client.

Implementation Details

  • Modules: src/Excititor/__Libraries/StellaOps.Excititor.Attestation/, src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/
  • Key Classes:
    • VexDsseBuilder (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Dsse/VexDsseBuilder.cs) - builds DSSE envelopes for VEX override decisions
    • VexAttestationClient (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/VexAttestationClient.cs) - client for VEX attestation operations
    • VexEvidenceAttestor (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Evidence/VexEvidenceAttestor.cs) - attests VEX evidence with DSSE signatures
    • VexAttestationVerifier (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs) - verifies VEX attestation envelopes
    • VexAttestationPredicate (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Models/VexAttestationPredicate.cs) - predicate model for VEX attestations
    • RekorHttpClient (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Transparency/RekorHttpClient.cs) - Rekor transparency log client
    • DsseEvidenceSignatureValidator (src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/DsseEvidenceSignatureValidator.cs) - validates DSSE signatures on evidence
    • VexEvidenceLinker (src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/VexEvidenceLinker.cs) - links VEX decisions to supporting evidence
    • AttestationEndpoints (src/Excititor/StellaOps.Excititor.WebService/Endpoints/AttestationEndpoints.cs) - REST endpoints for attestation operations
    • RekorAttestationEndpoints (src/Excititor/StellaOps.Excititor.WebService/Endpoints/RekorAttestationEndpoints.cs) - Rekor-specific attestation endpoints
  • Interfaces: IVexSigner, ITransparencyLogClient, IVexAttestationVerifier
  • Source: SPRINT_20260112_004_VULN_vex_override_workflow.md

E2E Test Plan

  • Create a VEX override and verify VexDsseBuilder mints a DSSE-signed envelope with the operator's decision
  • Verify VexAttestationClient persists the envelope digest and Rekor entry info
  • Verify VexAttestationVerifier validates the DSSE signature on a VEX override attestation
  • Verify RekorHttpClient submits the attestation to the Rekor transparency log and retrieves the entry
  • Verify VexEvidenceLinker links the override decision to supporting binary-diff or reachability evidence
  • Verify DsseEvidenceSignatureValidator rejects overrides with invalid DSSE signatures
  • Verify attestation endpoints return override history with DSSE envelope and Rekor receipt references