stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
d519782a8f0b30f425c9b6ae0f316b19259972a2
git.stella-ops.org/docs/modules/export-center/prep/2025-11-20-export-attest-75-001-prep.md
master d519782a8f
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
prep docs and service updates
2025-11-21 06:56:36 +00:00

2.4 KiB
Raw Blame History

Export Attestation Prep — PREP-EXPORT-ATTEST-75-001

Status: Ready for implementation (2025-11-20) Owners: Attestation Bundle Guild · CLI Attestor Guild Scope: Define CLI contract for verifying/importing attestation export bundles (from 74-002) in offline/air-gap environments.

Dependencies

  • Attestation export bundle layout: docs/modules/export-center/prep/2025-11-20-export-attest-74-001-prep.md and CI/offline kit integration ...-74-002-prep.md.
  • EvidenceLocker/Attestor verification library (stella attest verify).

CLI experience

  • New command: stella attest bundle verify --file export-attestation-bundle-v1.tgz
    • Validates SHA256 against co-located .sha256 file (see 74-002).
    • Runs DSSE verification using bundled statement/signature; prints subject digests, predicate type/version, and root hash.
    • Exit codes: 0 success, 2 checksum mismatch, 3 DSSE signature failure, 4 missing TSA/log when required, >4 unexpected error.
  • New command: stella attest bundle import --file export-attestation-bundle-v1.tgz
    • Performs verification first; then registers the attestation in the local/offline EvidenceLocker (when configured) and outputs new attestationId/tenant reference.
    • Supports --tenant, --namespace flags; defaults to current CLI profile.
    • No network calls beyond optional TSA/CT validations; provide --offline to skip.

Determinism and I/O

  • CLI must avoid rewriting the archive; reads-only.
  • Output logs in JSON when --output json is passed, with stable key order:
{
  "status": "verified",
  "exportId": "...",
  "attestationId": "...",
  "rootHash": "sha256:...",
  "subjects": ["sha256:..."],
  "predicateType": "slsa/v1",
  "bundlePath": "export-attestation-bundle-v1.tgz"
}
  • Human-readable output includes root hash, subject digests, predicate type/version, and trust root used.

Acceptance criteria

  • CLI verifies bundles generated by 74-002 using only local artefacts; succeeds offline when --offline is used.
  • Import command registers attestation locally without modifying archive; errors if checksum/signature fail.
  • Exit codes and JSON schema documented for automation; tests cover checksum mismatch and invalid signature cases.

Handoff

  • Implement commands in src/Cli/StellaOps.Cli (attestor plugin) and add docs/examples to docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md or a new CLI guide.
  • Link back to this prep in Sprint 0162 Delivery Tracker entry P8.