git.stella-ops.org/docs/features/checked/attestor/dsse-attestation-bundling-and-batch-publishing-to-rekor.md
2026-02-14 09:11:48 +02:00

DSSE Attestation Bundling and Batch Publishing to Rekor

Module

Attestor

Status

VERIFIED

Description

Attestation bundling with configurable options, aggregation abstraction, and Rekor submission queue with retry worker and sync background service.

Implementation Details

  • Attestation Bundler: src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/AttestationBundler.cs -- implements IAttestationBundler. Aggregates multiple DSSE-signed attestations into bundles.
  • Bundle Aggregator: Abstractions/IBundleAggregator.cs -- interface for aggregating attestation bundles.
  • Bundle Store: Abstractions/IBundleStore.cs -- persistence interface. Models/AttestationBundle.cs -- bundle model.
  • Bundling Options: Configuration/BundlingOptions.cs -- configurable batch size, timeout, and bundling strategy.
  • Rekor Submission Queue: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Queue/IRekorSubmissionQueue.cs -- queue interface. RekorQueueItem.cs, RekorSubmissionStatus.cs, QueueDepthSnapshot.cs -- queue models.
  • PostgreSQL Queue: StellaOps.Attestor.Infrastructure/Queue/PostgresRekorSubmissionQueue.cs -- durable PostgreSQL-backed queue with SKIP LOCKED.
  • Retry Worker: Infrastructure/Workers/RekorRetryWorker.cs -- retries failed Rekor submissions.
  • Rekor Sync Service: StellaOps.Attestor.Core/Rekor/RekorSyncBackgroundService.cs -- background service for batch Rekor publication.
  • Rekor Client: Infrastructure/Rekor/HttpRekorClient.cs, ResilientRekorClient.cs -- HTTP client with resilience. IRekorClient.cs -- interface.
  • Verdict Rekor Publisher: __Libraries/StellaOps.Attestor.Infrastructure/Rekor/VerdictRekorPublisher.cs -- publishes verdict attestations to Rekor.
  • Tests: StellaOps.Attestor.Tests/RekorSubmissionQueueTests.cs, RekorRetryWorkerTests.cs, HttpRekorClientTests.cs, __Tests/StellaOps.Attestor.Bundling.Tests/AttestationBundlerTests.cs, BundleAggregatorTests.cs

E2E Test Plan

  • Bundle 5 DSSE-signed attestations via AttestationBundler with a batch size of 5 and verify a single bundle is produced
  • Configure bundling with a batch size of 3 and submit 5 attestations, verifying 2 bundles are produced
  • Enqueue attestations to PostgresRekorSubmissionQueue and verify they are stored with Pending status
  • Process the queue and verify successful submissions are marked as Completed
  • Simulate a Rekor submission failure and verify RekorRetryWorker retries the failed item
  • Verify QueueDepthSnapshot reports correct counts of pending, processing, and completed items
  • Publish a verdict attestation via VerdictRekorPublisher and verify the Rekor receipt is stored
  • Test ResilientRekorClient circuit breaker by simulating repeated failures and verifying the circuit opens
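One way a PostgreSQL-backed queue with SKIP LOCKED can implement the claim, complete, retry and depth-count steps listed above. This is an added example, not the project's code: the table, columns, status values, backoff schedule and attempt limit are all assumptions made for illustration.

```sql
-- Constructed schema: table, column and status names are assumptions, not the project's.
CREATE TABLE rekor_queue_example (
    id              bigserial PRIMARY KEY,
    bundle_id       text        NOT NULL,
    status          text        NOT NULL DEFAULT 'pending'
        CHECK (status IN ('pending', 'processing', 'completed', 'failed')),
    attempt_count   integer     NOT NULL DEFAULT 0,
    next_attempt_at timestamptz NOT NULL DEFAULT now(),
    last_error      text
);
CREATE INDEX rekor_queue_example_due
    ON rekor_queue_example (next_attempt_at) WHERE status = 'pending';

-- Claim up to $1 due items. SKIP LOCKED makes a concurrent worker pass over rows
-- another transaction has already locked, so no item is claimed twice.
PREPARE claim_batch(integer) AS
WITH due AS (
    SELECT id FROM rekor_queue_example
    WHERE status = 'pending' AND next_attempt_at <= now()
    ORDER BY next_attempt_at, id
    LIMIT $1
    FOR UPDATE SKIP LOCKED
)
UPDATE rekor_queue_example q
SET status = 'processing', attempt_count = q.attempt_count + 1
FROM due
WHERE q.id = due.id
RETURNING q.id, q.bundle_id, q.attempt_count;

-- Submission succeeded: only a row still in 'processing' may become 'completed'.
PREPARE mark_completed(bigint) AS
UPDATE rekor_queue_example SET status = 'completed', last_error = NULL
WHERE id = $1 AND status = 'processing';

-- Submission failed: requeue with exponential backoff (30s, 60s, 120s, ...);
-- after 5 attempts (an assumed limit) park the row as 'failed' for operator review.
PREPARE mark_failed(bigint, text) AS
UPDATE rekor_queue_example
SET status = CASE WHEN attempt_count >= 5 THEN 'failed' ELSE 'pending' END,
    next_attempt_at = now() + interval '30 seconds' * power(2, attempt_count - 1),
    last_error = $2
WHERE id = $1 AND status = 'processing';

-- Queue depth per status, the kind of count a depth snapshot reports.
SELECT status, count(*) AS items FROM rekor_queue_example GROUP BY status;
```

A worker that crashes after `claim_batch` commits leaves rows in `processing`, so a design like this also needs a sweep that returns stale `processing` rows to `pending`.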

Verification

Check                                  Result
Tier 0 - Source Verification           PASS
Tier 1 - Build + Code Review           PASS
Tier 2 - Behavioral Verification       PASS

Verified Date: 2026-02-13
Run ID: run-001