git.stella-ops.org/docs/modules/concelier/attestation.md
StellaOps Bot f43e828b4e
feat: Implement MongoDB orchestrator storage with registry, commands, and heartbeats
- Added NullAdvisoryObservationEventTransport for handling advisory observation events.
- Created IOrchestratorRegistryStore interface for orchestrator registry operations.
- Implemented MongoOrchestratorRegistryStore for MongoDB interactions with orchestrator data.
- Defined OrchestratorCommandDocument and OrchestratorCommandRecord for command handling.
- Added OrchestratorHeartbeatDocument and OrchestratorHeartbeatRecord for heartbeat tracking.
- Created OrchestratorRegistryDocument and OrchestratorRegistryRecord for registry management.
- Developed tests for orchestrator collections migration and MongoOrchestratorRegistryStore functionality.
- Introduced AirgapImportRequest and AirgapImportValidator for air-gapped VEX bundle imports.
- Added incident mode rules sample JSON for notifier configuration.
2025-11-22 12:35:38 +02:00

Concelier Advisory Evidence Attestation

Purpose

  • Describe how Concelier returns attestation claims for advisory evidence bundles so downstream services (Advisory AI, Attestor, Console) can verify provenance.

Endpoint

  • GET /vuln/evidence/advisories/{advisoryKey}
  • Authentication/tenant headers follow standard Concelier rules (X-Stella-Tenant or tenant query; authority policies apply).
  • Response payload: AdvisoryEvidenceResponse { advisoryKey, records[], attestation? }

Attestation parameters (query)

  • bundlePath (required to enable attestation): Relative or absolute path to the evidence bundle (tar.gz). Relative paths are resolved under the configured evidence root (concelier:evidence:root); paths that resolve outside this root are rejected.
  • manifestPath (optional): Defaults to sibling manifest.json next to the bundle.
  • transparencyPath (optional): Defaults to sibling transparency.json next to the bundle.
  • pipelineVersion (optional): Defaults to concelier:evidence:pipelineVersion (e.g., git:<sha>).

Behavior

  • When bundlePath is omitted, the endpoint returns evidence records only (attestation is null).
  • When bundlePath is provided, Concelier builds claims via EvidenceBundleAttestationBuilder from the manifest and the optional transparency payload; the tenant must be lowercase, per the scope note.
  • Path safety: All resolved files (bundle, manifest, transparency) must live under the evidence root. A traversal attempt or a missing file silently skips attestation; the response remains valid, just without claims.

Configuration

  • concelier:evidence:root (default out/evidence/bundles, resolved to an absolute path).
  • concelier:evidence:defaultManifestFileName (default manifest.json).
  • concelier:evidence:defaultTransparencyFileName (default transparency.json).
  • concelier:evidence:pipelineVersion (default git:unknown).
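The path resolution and skip rules from the Attestation parameters, Behavior and Configuration sections above, written out as a stand-alone illustration (this is added example code, not Concelier's implementation). Names such as resolve_attestation_inputs and build_sample_root are invented here; the evidence root and the sample bundle are constructed in a temporary directory. One assumption is flagged in a comment: a missing transparency.json leaves attestation enabled without a transparency payload, while a missing bundle or manifest skips it.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

DEFAULT_MANIFEST = "manifest.json"          # concelier:evidence:defaultManifestFileName
DEFAULT_TRANSPARENCY = "transparency.json"  # concelier:evidence:defaultTransparencyFileName


@dataclass(frozen=True)
class AttestationInputs:
    bundle: Path
    manifest: Path
    transparency: Optional[Path]  # None when no transparency payload is available


def resolve_under_root(root: Path, candidate: str) -> Optional[Path]:
    """Resolve a relative (under root) or absolute candidate; reject anything outside root."""
    resolved = (root / candidate).resolve()  # joining an absolute candidate keeps it absolute
    try:
        resolved.relative_to(root)           # resolve() followed symlinks, so links escaping root fail too
    except ValueError:
        return None                          # traversal or foreign absolute path
    return resolved


def resolve_attestation_inputs(root_dir: str, bundle_path: str,
                               manifest_path: Optional[str] = None,
                               transparency_path: Optional[str] = None) -> Optional[AttestationInputs]:
    """Return the files an attestation builder would read, or None to skip attestation entirely."""
    root = Path(root_dir).resolve()
    bundle = resolve_under_root(root, bundle_path)
    if bundle is None or not bundle.is_file():
        return None  # rejected or missing bundle: records are still served, attestation is null
    manifest = resolve_under_root(root, manifest_path or str(bundle.with_name(DEFAULT_MANIFEST)))
    if manifest is None or not manifest.is_file():
        return None  # manifest is mandatory for building claims
    transparency = resolve_under_root(root, transparency_path or str(bundle.with_name(DEFAULT_TRANSPARENCY)))
    if transparency is None:
        return None  # an explicit transparencyPath escaping the root is a path-safety failure
    if not transparency.is_file():
        transparency = None  # assumption: transparency payload is optional, so absence does not skip
    return AttestationInputs(bundle, manifest, transparency)


def build_sample_root() -> str:
    """Constructed evidence root: one tenant bundle with a manifest and no transparency log."""
    root = Path(tempfile.mkdtemp(prefix="evidence-root-"))
    (root / "tenant-a").mkdir()
    (root / "tenant-a" / "bundle.tar.gz").write_bytes(b"constructed sample bundle")
    (root / "tenant-a" / "manifest.json").write_text('{"constructed": true}')
    return str(root)
```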

References

  • Evidence Locker attestation scope: docs/modules/evidence-locker/attestation-scope-note.md.
  • Implementation: src/Concelier/StellaOps.Concelier.WebService/Program.cs, StellaOps.Concelier.Core/Attestation/EvidenceBundleAttestationBuilder.cs.