stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/attestable-exception-objects-with-expiries-and-audit-trails.md

2.8 KiB
Raw Blame History

Attestable Exception Objects with Expiries and Audit Trails

Module

Attestor

Status

IMPLEMENTED

Description

Exceptions are modeled as auditable objects with IDs, owners, expiry dates, and audit trails. The exception ledger UI shows active/pending/expiring counts. Signed override badges indicate cryptographic attestation of exceptions.

Implementation Details

  • Exception Reference: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/ExceptionRef.cs -- models exception objects with ID, owner, and expiry metadata.
  • Budget Exception Entry: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs -- exception entry within the uncertainty budget system, tracking exception scope and validity period.
  • Budget System Integration: BudgetDefinition.cs, BudgetObservation.cs, BudgetViolationEntry.cs -- exceptions integrate with the uncertainty budget to allow controlled risk acceptance.
  • VEX Override System: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs -- signed VEX overrides serve as attestable exceptions. VexOverridePredicateBuilder.cs (with .Build, .Serialize, .WithMethods partials) constructs override predicates. VexOverrideDecision.cs captures the decision rationale.
  • Evidence Reference: VexOverride/EvidenceReference.cs -- links exception decisions to supporting evidence.
  • Audit Trail: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs (with .Validation partial) logs hash-based audit records. HashAuditRecord.cs captures individual audit entries. AuditArtifactTypes.cs defines auditable artifact types.
  • Persistence: src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Entities/AuditLogEntity.cs -- database entity for audit log persistence.
  • DSSE Signing: Exceptions are signed via ProofChainSigner to produce cryptographic attestation (signed override badges).

E2E Test Plan

  • Create an exception via BudgetExceptionEntry with owner, expiry date, and justification, then verify all fields serialize correctly
  • Build a VexOverridePredicate with VexOverridePredicateBuilder, sign it via DSSE, and verify the signed envelope contains the override decision
  • Create an exception with an expiry date in the past and verify budget evaluation treats it as expired (no longer valid)
  • Create an exception with a future expiry and verify it is counted as active in the budget check
  • Log exception creation via AuditHashLogger and verify HashAuditRecord captures the artifact type, timestamp, and hash
  • Query audit trail for a specific exception ID and verify the complete history of changes is returned
  • Verify that ExceptionRef correctly links to EvidenceReference for evidence-backed exception justification