git.stella-ops.org/docs/modules/excititor/prep/2025-11-22-attestation-rehearsal-prep.md
StellaOps Bot f43e828b4e
feat: Implement MongoDB orchestrator storage with registry, commands, and heartbeats
- Added NullAdvisoryObservationEventTransport for handling advisory observation events.
- Created IOrchestratorRegistryStore interface for orchestrator registry operations.
- Implemented MongoOrchestratorRegistryStore for MongoDB interactions with orchestrator data.
- Defined OrchestratorCommandDocument and OrchestratorCommandRecord for command handling.
- Added OrchestratorHeartbeatDocument and OrchestratorHeartbeatRecord for heartbeat tracking.
- Created OrchestratorRegistryDocument and OrchestratorRegistryRecord for registry management.
- Developed tests for orchestrator collections migration and MongoOrchestratorRegistryStore functionality.
- Introduced AirgapImportRequest and AirgapImportValidator for air-gapped VEX bundle imports.
- Added incident mode rules sample JSON for notifier configuration.
2025-11-22 12:35:38 +02:00


Attestation Verifier Rehearsal — Excititor

Status: Ready for implementation (2025-11-22)
Owners: Excititor Attestation Guild · Evidence Locker Guild
Scope: Dry-run IVexAttestationVerifier against current Evidence Locker bundles to ensure Excititor attestation endpoints ship with deterministic verification.

Test Matrix

  • Inputs: Evidence Bundle v1 sample (docs/samples/evidence-bundle/*), mirror bundle thin sample (out/mirror/thin/mirror-thin-m0-sample.tar.gz).
  • Verification steps:
    1. Validate DSSE envelope signature and Rekor entry (if present); offline mode skips transparency but records rekorSkipped=true.
    2. Verify manifest hash tree against payload NDJSON files; fail on first mismatch.
    3. Assert policy hash matches Policy Engine overlay hash (placeholder policyHash captured for now).
    4. Emit structured result JSON: {bundleId, verified, dsseVerified, transparencyChecked, manifestRoot, failures[]}.
  • Determinism: sorted failure list, timestamps set to supplied --as-of flag.
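The following is an added example, not the Excititor verifier or the reserved verifier-rehearsal.sh: it rehearses steps 2 to 4 of the matrix above in Python, with step 1's outcome passed in, and emits the result schema with a sorted failure list and the supplied --as-of value. The manifest layout (path to sha256, root hash over the sorted "path sha256" lines), the failure codes and the sample payloads are assumptions made for the demo.

```python
# Added example (not Excititor's IVexAttestationVerifier) rehearsing steps 2-4 of the test
# matrix; manifest layout (path -> sha256, root over sorted "path sha256" lines) is assumed.
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def manifest_root(files: dict) -> str:
    # Assumed tree definition: sorted leaves, so the root is order-independent.
    return sha256_hex("".join(f"{p} {h}\n" for p, h in sorted(files.items())).encode())

def build_manifest(payloads: dict) -> dict:
    files = {p: sha256_hex(d) for p, d in payloads.items()}
    return {"files": files, "root": manifest_root(files)}

def verify_manifest(manifest: dict, payloads: dict) -> list:
    # Step 2: recompute each NDJSON hash in sorted path order; fail on first mismatch.
    for path, expected in sorted(manifest["files"].items()):
        data = payloads.get(path)
        if data is None:
            return [f"MANIFEST_FILE_MISSING:{path}"]
        if sha256_hex(data) != expected:
            return [f"MANIFEST_HASH_MISMATCH:{path}"]
    if manifest_root(manifest["files"]) != manifest["root"]:
        return ["MANIFEST_ROOT_MISMATCH"]
    return []

def rehearse(bundle_id, manifest, payloads, policy_hash, overlay_hash,
             dsse_verified, offline, as_of) -> dict:
    # Step 1's outcome is passed in as dsse_verified; offline mode skips Rekor.
    failures = [] if dsse_verified else ["DSSE_SIGNATURE_INVALID"]
    failures += verify_manifest(manifest, payloads)
    if policy_hash != overlay_hash:  # step 3
        failures.append("POLICY_HASH_MISMATCH")
    # Step 4: sorted failures and the supplied --as-of value keep output deterministic.
    return {"bundleId": bundle_id, "verified": not failures,
            "dsseVerified": dsse_verified, "transparencyChecked": not offline,
            "rekorSkipped": offline, "manifestRoot": manifest["root"],
            "failures": sorted(failures), "asOf": as_of}

# Constructed sample payloads standing in for the Evidence Bundle v1 NDJSON files.
SAMPLE_PAYLOADS = {"statements.ndjson": b'{"id":"s1","status":"not_affected"}\n',
                   "providers.ndjson": b'{"id":"p1"}\n'}

if __name__ == "__main__":  # exit non-zero on any failure, as the harness must
    result = rehearse("bundle-sample", build_manifest(SAMPLE_PAYLOADS), SAMPLE_PAYLOADS,
                      "ph", "ph", True, True, "2025-11-22T00:00:00Z")
    print(json.dumps(result, sort_keys=True))
    raise SystemExit(0 if result["verified"] else 1)
```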

Deliverables

  • Harness entry point: tools/attestation/verifier-rehearsal.sh (script stub path reserved).
  • Sample output recorded at docs/modules/excititor/prep/artifacts/2025-11-22-attestation-rehearsal.json (to be produced in implementation).
  • Logging fields to surface in Excititor: attestationBundleId, evidenceBundleId, verified, failureCode, tenantId.

Acceptance Criteria

  • Rehearsal script runs offline using bundled samples and exits non-zero on any verification failure.
  • Output schema above is referenced by Excititor API tests and Policy attest replay tasks.
  • Downstream tasks EXCITITOR-GRAPH-21-00x and attestation endpoints can rely on this contract.

Notes

  • Satisfies PREP-ATTESTATION-VERIFIER-REHEARSAL-EXCITITOR.