stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e9aeadc04084353889b1c9dbf4487f5316f4421e
git.stella-ops.org/docs/features/checked/attestor/auditor-evidence-extraction.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

3.1 KiB
Raw Blame History

Auditor Evidence Extraction (Audit Pack / Evidence Pack)

Module

Attestor

Status

VERIFIED

Description

Exportable evidence packs (audit bundles) containing RVA attestation, policy bundle, knowledge snapshot manifest, referenced evidence artifacts, and verification replay logs for auditor consumption.

Implementation Details

  • Evidence Pack Builder: src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs -- constructs complete evidence packs containing all artifacts needed for audit verification.
  • Evidence Pack Serializer: ReleaseEvidencePackSerializer.cs -- serializes evidence packs to portable format.
  • Evidence Pack Manifest: Models/ReleaseEvidencePackManifest.cs -- manifest listing all artifacts in the pack with digests.
  • Verification Replay Log: Models/VerificationReplayLog.cs -- captures the sequence of verification steps for deterministic replay.
  • Replay Log Builder: Services/VerificationReplayLogBuilder.cs -- builds replay logs during verification. ReplayLogSerializerContext.cs -- serialization context.
  • Archive Store: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Storage/IAttestorArchiveStore.cs, AttestorArchiveBundle.cs -- interface and model for archive storage. Infrastructure/Storage/S3AttestorArchiveStore.cs, NullAttestorArchiveStore.cs -- S3 and null implementations.
  • Audit Records: StellaOps.Attestor.Core/Audit/AttestorAuditRecord.cs -- audit record model. StellaOps.Attestor.Core/Storage/IAttestorAuditSink.cs -- sink interface.
  • Tests: __Tests/StellaOps.Attestor.EvidencePack.Tests/ReleaseEvidencePackBuilderTests.cs, ReleaseEvidencePackManifestTests.cs, VerificationReplayLogBuilderTests.cs
  • Integration Tests: __Tests/StellaOps.Attestor.EvidencePack.IntegrationTests/ -- EvidencePackGenerationTests.cs, OfflineVerificationTests.cs, ReproducibilityTests.cs, TamperDetectionTests.cs, SlsaStrictValidationTests.cs

E2E Test Plan

  • Build a ReleaseEvidencePackManifest via ReleaseEvidencePackBuilder with SBOM, VEX, attestation, and provenance artifacts, then verify manifest contains entries for each artifact with correct SHA-256 digests
  • Serialize the evidence pack via ReleaseEvidencePackSerializer and verify the output can be deserialized back with all artifacts intact
  • Build a VerificationReplayLog capturing 5+ verification steps and verify the log contains each step in order with timestamps and results
  • Export the evidence pack, then replay verification using the replay log and verify identical outcomes (reproducibility)
  • Tamper with an artifact in the exported pack and verify that digest verification detects the modification
  • Archive an evidence pack to S3 via S3AttestorArchiveStore and retrieve it, verifying content integrity
  • Verify the evidence pack includes all required audit artifacts (attestation chain, policy bundle, knowledge snapshot)

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001