stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/scanner/human-approval-attestation-service.md

1.7 KiB
Raw Blame History

Human Approval Attestation Service (stella.ops/human-approval@v1 predicate)

Module

Scanner

Status

IMPLEMENTED

Description

Generates DSSE-signed attestations for human approval decisions with 30-day TTL auto-expiry. Uses stella.ops/human-approval@v1 predicate. Integrates with the Approvals API (POST/GET/DELETE /api/v1/scans/{scanId}/approvals).

Implementation Details

  • Attestation Service:
    • src/Scanner/StellaOps.Scanner.WebService/Services/IHumanApprovalAttestationService.cs - IHumanApprovalAttestationService, HumanApprovalAttestationInput, HumanApprovalAttestationResult
    • src/Scanner/StellaOps.Scanner.WebService/Services/HumanApprovalAttestationService.cs - Generates DSSE-signed attestations with 30-day TTL
  • Contracts:
    • src/Scanner/StellaOps.Scanner.WebService/Contracts/HumanApprovalStatement.cs - stella.ops/human-approval@v1 predicate model
  • API Endpoints:
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/ApprovalEndpoints.cs - ApprovalEndpoints with CreateApprovalRequest, RevokeApprovalRequest, ApprovalResponse, ApprovalListResponse

E2E Test Plan

  • Create a human approval via POST /api/v1/scans/{scanId}/approvals and verify a DSSE-signed attestation is generated
  • Verify the attestation uses stella.ops/human-approval@v1 predicate type
  • Verify the attestation includes the approver identity, timestamp, and scope
  • List approvals via GET /api/v1/scans/{scanId}/approvals and verify active approvals are returned
  • Verify 30-day TTL auto-expiry removes expired approvals
  • Revoke an approval via DELETE /api/v1/scans/{scanId}/approvals/{approvalId} and verify it is removed