git.stella-ops.org/docs/features/checked/attestor/dsse-signed-exception-objects-with-recheck-policy.md
2026-02-14 09:11:48 +02:00

DSSE-Signed Exception Objects with Recheck Policy

Module

Attestor

Status

VERIFIED

Description

A policy exceptions framework with models, repositories, and services exists, and DSSE signing infrastructure is available. The full UI exception modal with recheck policy enforcement is only partially complete.

What's Implemented

  • Budget Exception Entry: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs -- exception entry model.
  • Exception Ref: ProofChain/Services/ExceptionRef.cs -- reference to an approved exception.
  • VEX Override System: __Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/ -- VexOverridePredicateBuilder (with .Build, .Serialize, .WithMethods), VexOverrideDecision, EvidenceReference -- structured override/exception with evidence.
  • DSSE Signing Infrastructure: ProofChain/Signing/ProofChainSigner.cs, DsseEnvelope.cs -- available DSSE signing.
  • Policy Decision: Predicates/PolicyDecision.cs -- policy decision referencing exceptions.

What's Missing

  • DSSE-signed exception objects: Exceptions are not individually DSSE-signed as standalone attestation artifacts. They exist as records within larger predicates but are not independently verifiable.
  • Recheck policy enforcement: No automated recheck scheduling that re-evaluates exceptions at configured intervals (e.g., 30-day review cycle).
  • Exception expiry enforcement: No automated enforcement of exception expiry dates with re-approval workflow.
  • Exception approval workflow: No multi-party approval flow for exception creation (e.g., two approvers required for critical CVE exceptions).
  • Exception audit trail: No dedicated audit trail for exception lifecycle (created, approved, rechecked, expired, revoked).

Implementation Plan

  • Create DsseSignedException model wrapping exception objects in DSSE envelopes
  • Implement recheck policy with configurable intervals (Scheduler integration)
  • Add exception expiry enforcement with notification before expiry
  • Build multi-party approval workflow for high-severity exceptions
  • Create exception audit trail using the existing AuditHashLogger infrastructure
  • Add UI exception modal with recheck policy configuration
  • Add tests for signing, recheck scheduling, and expiry enforcement
  • Source: See feature catalog
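As an added illustration (not the project's code), the shape a DSSE-wrapped exception and its recheck/expiry check could take: HMAC-SHA256 stands in for the project's asymmetric ProofChainSigner so the example runs with the standard library only, and the payload type, exception fields and the placeholder CVE id are assumptions.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta

PAYLOAD_TYPE = "application/vnd.stellaops.exception+json"  # assumed predicate type

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed.
    Binding payloadType into the signature prevents type-confusion on verify."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def sign_exception(exc: dict, key: bytes, keyid: str = "demo-key") -> dict:
    """Wrap an exception object in a DSSE envelope (HMAC stands in for the real signer)."""
    payload = json.dumps(exc, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }

def check_exception(envelope: dict, key: bytes, now_iso: str) -> str:
    """Verify the envelope, then apply expiry and recheck policy.
    Returns 'invalid', 'expired', 'recheck_due' or 'valid'."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope["signatures"]):
        return "invalid"            # never trust payload fields before this point
    exc = json.loads(payload)
    now = datetime.fromisoformat(now_iso)
    if now >= datetime.fromisoformat(exc["expiresAt"]):
        return "expired"            # needs re-approval, not a silent extension
    last = datetime.fromisoformat(exc["lastRecheckedAt"])
    if now - last >= timedelta(days=exc["recheckIntervalDays"]):
        return "recheck_due"        # scheduler should re-evaluate the exception
    return "valid"

# Constructed sample exception; the vulnerability id is a placeholder, not a real advisory.
SAMPLE_EXCEPTION = {
    "exceptionId": "exc-0001",
    "vulnerabilityId": "CVE-XXXX-PLACEHOLDER",
    "justification": "affected code path not reachable in this deployment",
    "approvers": ["alice", "bob"],
    "approvedAt": "2026-01-01T00:00:00+00:00",
    "lastRecheckedAt": "2026-01-01T00:00:00+00:00",
    "recheckIntervalDays": 30,
    "expiresAt": "2026-04-01T00:00:00+00:00",
}
DEMO_KEY = b"constructed-demo-key"
```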

Verification

| Check | Result |
| --- | --- |
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |