stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e716bc6adca8d1a3ac5a24ad491e5fa99e31cf1c
git.stella-ops.org/docs/features/unchecked/attestor/remediation-planner.md

2.7 KiB
Raw Blame History

Remediation Planner

Module

Attestor

Status

IMPLEMENTED

Description

Frontend has remediation plan preview, remediation panel, and AI-assisted remediation. Backend has structured remediation step models with risk assessment and verification status.

Implementation Details

  • AI Remediation Plan Statement: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/AI/AIRemediationPlanStatement.cs -- in-toto statement wrapping an AI-generated remediation plan.
  • Remediation Step: Predicates/AI/RemediationStep.cs -- individual remediation step with action, target component, and expected outcome.
  • Remediation Action Type: Predicates/AI/RemediationActionType.cs -- enum of action types (Upgrade, Patch, Configure, Mitigate, Accept).
  • Remediation Step Status: Predicates/AI/RemediationStepStatus.cs -- enum tracking step execution status (Pending, InProgress, Completed, Failed, Skipped).
  • Remediation Risk Assessment: Predicates/AI/RemediationRiskAssessment.cs -- risk assessment for a remediation action (breaking change risk, compatibility impact, rollback plan).
  • Remediation Verification Status: Predicates/AI/RemediationVerificationStatus.cs -- verification of whether the remediation was successful.
  • AI Authority Classifier: Predicates/AI/AIAuthorityClassifier.cs (with .Remediation, .RemediationScore) -- classifies AI-generated remediation plans by authority level.
  • AI Model Identifier: Predicates/AI/AIModelIdentifier.cs -- identifies the AI model that generated the plan.
  • DSSE Signing: Signing/ProofChainSigner.cs -- signs remediation plan attestations.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/AIRemediationPlanTests.cs

E2E Test Plan

  • Create an AIRemediationPlanStatement with 3 RemediationStep entries (Upgrade openssl, Patch libcurl, Configure nginx) and verify the statement structure
  • Verify each step has a RemediationActionType and appropriate target component
  • Create a RemediationRiskAssessment for an upgrade step and verify breaking change risk and rollback plan are captured
  • Track step execution via RemediationStepStatus: move a step from Pending -> InProgress -> Completed and verify status transitions
  • Verify RemediationVerificationStatus confirms whether the remediation was successful (e.g., CVE no longer detected after upgrade)
  • Classify the remediation plan via AIAuthorityClassifier.Remediation and verify authority level based on evidence quality
  • Sign the remediation plan into a DSSE envelope and verify the signature
  • Create plans with different RemediationActionType values and verify type-specific metadata