git.stella-ops.org/docs/features/unchecked/attestor/proof-audit-trail-transparency-log.md

Proof Audit Trail / Transparency Log

Module

Attestor

Status

IMPLEMENTED

Description

Generated proofs are stored in attestor.proof_blobs with tamper-evident hashing (proof_hash UNIQUE constraint). Each proof includes snapshot_id, evidence_count, confidence, and full payload JSONB. The ProofHashing.VerifyHash method allows verification that proof content has not been tampered with.

Implementation Details

  • Audit Hash Logger: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs (with .Validation) -- logs audit records with tamper-evident hashing. Records proof operations with content hashes for later verification.
  • Hash Audit Record: Audit/HashAuditRecord.cs -- individual audit record containing operation type, content hash, timestamp, and actor.
  • Audit Artifact Types: Audit/AuditArtifactTypes.cs -- enum of auditable artifact types (ProofBlob, DsseEnvelope, VerdictReceipt, SpineEntry, etc.).
  • Persistence: __Libraries/StellaOps.Attestor.Persistence/Entities/AuditLogEntity.cs -- persisted audit log entry with tenant_id, created_at, updated_at, and JSONB payload.
  • Proof Chain Repository: __Libraries/StellaOps.Attestor.Persistence/Repositories/IProofChainRepository.cs -- repository for proof chain entities including proof blobs.
  • Content-Addressed IDs: __Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs -- generates SHA-256 IDs for proof blobs ensuring hash uniqueness.
  • Rekor Integration: StellaOps.Attestor.Core/Rekor/RekorSubmissionService.cs -- submits proof audit entries to Rekor for external transparency.
  • Verdict Ledger: __Libraries/StellaOps.Attestor.VerdictLedger/VerdictLedgerService.cs -- append-only ledger for verdict decisions.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/AuditHashLoggerTests.cs

E2E Test Plan

  • Log a proof creation event via AuditHashLogger and verify the HashAuditRecord contains the correct content hash and operation type
  • Verify tamper detection: modify a stored proof blob's content and verify AuditHashLogger.Validation detects the hash mismatch
  • Create multiple audit records for different AuditArtifactTypes and verify each type is correctly categorized
  • Persist audit records via AuditLogEntity and verify retrieval with correct tenant_id scoping
  • Verify the proof_hash UNIQUE constraint: attempt to store two proof blobs with the same hash and verify the duplicate is rejected
  • Submit an audit trail entry to Rekor and verify external transparency log integration
  • Verify VerdictLedgerService creates append-only audit entries for verdict decisions
  • Verify the full audit chain: create proof -> log audit -> persist -> retrieve -> verify hash integrity
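
The hash-verification and duplicate-rejection behaviour from the Description and the E2E test plan, shown as an added Python example that is not StellaOps code. Assumptions: an in-memory SQLite table stands in for attestor.proof_blobs, the hash is SHA-256 over sorted-key JSON (the page names SHA-256 but not the canonicalization), and compute_proof_hash, open_store, store_proof, verify_all and demo are hypothetical names.

```python
import hashlib
import json
import sqlite3
from typing import List, Optional

def compute_proof_hash(payload: dict) -> str:
    # Assumption: canonical form is sorted-key JSON with no whitespace.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def open_store() -> sqlite3.Connection:
    # Stand-in for attestor.proof_blobs; column names are the ones the page lists.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE proof_blobs (
        proof_hash     TEXT NOT NULL UNIQUE,
        snapshot_id    TEXT NOT NULL,
        evidence_count INTEGER NOT NULL,
        confidence     REAL NOT NULL,
        payload        TEXT NOT NULL)""")
    return db

def store_proof(db, snapshot_id, evidence_count, confidence, payload) -> Optional[str]:
    """Insert a proof; return its hash, or None if the UNIQUE constraint rejects it."""
    digest = compute_proof_hash(payload)
    try:
        with db:  # commits on success, rolls back on IntegrityError
            db.execute("INSERT INTO proof_blobs VALUES (?, ?, ?, ?, ?)",
                       (digest, snapshot_id, evidence_count, confidence,
                        json.dumps(payload)))
    except sqlite3.IntegrityError:
        return None
    return digest

def verify_all(db) -> List[str]:
    """Recompute each stored payload's hash; return proof_hash of every mismatching row."""
    rows = db.execute("SELECT proof_hash, payload FROM proof_blobs").fetchall()
    return [h for h, body in rows if compute_proof_hash(json.loads(body)) != h]

def demo():
    db = open_store()
    payload = {"verdict": "not_affected", "evidence": ["sbom", "vex"]}  # constructed sample
    digest = store_proof(db, "snap-001", 2, 0.92, payload)
    duplicate = store_proof(db, "snap-001", 2, 0.92, payload)  # same content, same hash
    clean = verify_all(db)
    # Simulate a write that changes the payload but leaves proof_hash untouched.
    db.execute("UPDATE proof_blobs SET payload = ? WHERE proof_hash = ?",
               (json.dumps({**payload, "verdict": "affected"}), digest))
    return digest, duplicate, clean, verify_all(db)
```

A writer who can update both the payload and proof_hash columns passes a self-check like verify_all, which is why a copy of the hash held outside the database, such as the Rekor submission listed above, matters for detection.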