stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e716bc6adca8d1a3ac5a24ad491e5fa99e31cf1c
git.stella-ops.org/docs/features/unchecked/attestor/richgraph-attestation-service.md

2.4 KiB
Raw Blame History

RichGraph Attestation Service (stella.ops/richgraph@v1 predicate)

Module

Attestor

Status

IMPLEMENTED

Description

Generates DSSE-signed attestations capturing the full evidence graph (nodes, edges, paths) for a scan result. Uses the stella.ops/richgraph@v1 in-toto predicate type to attest the complete dependency and evidence graph topology.

Implementation Details

  • Proof Graph Service: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs (with .Mutation, .Queries, .Subgraph) -- in-memory graph service providing the richgraph data (nodes, edges, paths).
  • Graph Node: Graph/ProofGraphNode.cs -- typed graph node with content-addressed ID and metadata.
  • Graph Edge: Graph/ProofGraphEdge.cs -- directed edge with type metadata.
  • Node Types: Graph/ProofGraphNodeType.cs -- node type enum (Evidence, Verdict, Policy, Artifact).
  • Edge Types: Graph/ProofGraphEdgeType.cs -- edge type enum for relationship semantics.
  • Graph Subgraph: Graph/ProofGraphSubgraph.cs -- extracted subgraph for attestation scope.
  • Graph Path: Graph/ProofGraphPath.cs -- traversal path within the richgraph.
  • Statement Builder: Builders/StatementBuilder.cs (with .Extended) -- builds in-toto statements with the richgraph predicate type.
  • DSSE Signing: Signing/ProofChainSigner.cs (with .Verification) -- signs richgraph attestations.
  • Graph Root Attestor: __Libraries/StellaOps.Attestor.GraphRoot/GraphRootAttestor.cs -- attests Merkle roots over the graph for integrity.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ProofGraphTests.cs

E2E Test Plan

  • Build a richgraph via InMemoryProofGraphService with Evidence, Verdict, and Artifact nodes connected by typed edges
  • Create an in-toto statement with predicate type stella.ops/richgraph@v1 via StatementBuilder.Extended wrapping the graph data
  • Sign the richgraph attestation via ProofChainSigner and verify the DSSE envelope structure
  • Extract a subgraph via ProofGraphSubgraph for a specific scan result and verify the attestation scopes to that subgraph
  • Verify all graph paths from entrypoint to vulnerable sink are captured in the richgraph predicate
  • Attest the Merkle root of the richgraph via GraphRootAttestor and verify integrity
  • Verify the richgraph DSSE signature via ProofChainSigner.Verification