git.stella-ops.org/docs/features/unchecked/attestor/dsse-attestation-bundling-and-batch-publishing-to-rekor.md

DSSE Attestation Bundling and Batch Publishing to Rekor

Module

Attestor

Status

IMPLEMENTED

Description

Attestation bundling with configurable options, aggregation abstraction, and Rekor submission queue with retry worker and sync background service.

Implementation Details

• Attestation Bundler: src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/AttestationBundler.cs -- implements IAttestationBundler. Aggregates multiple DSSE-signed attestations into bundles.
• Bundle Aggregator: Abstractions/IBundleAggregator.cs -- interface for aggregating attestation bundles.
• Bundle Store: Abstractions/IBundleStore.cs -- persistence interface. Models/AttestationBundle.cs -- bundle model.
• Bundling Options: Configuration/BundlingOptions.cs -- configurable batch size, timeout, and bundling strategy.
• Rekor Submission Queue: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Queue/IRekorSubmissionQueue.cs -- queue interface. RekorQueueItem.cs, RekorSubmissionStatus.cs, QueueDepthSnapshot.cs -- queue models.
• PostgreSQL Queue: StellaOps.Attestor.Infrastructure/Queue/PostgresRekorSubmissionQueue.cs -- durable PostgreSQL-backed queue with SKIP LOCKED.
• Retry Worker: Infrastructure/Workers/RekorRetryWorker.cs -- retries failed Rekor submissions.
• Rekor Sync Service: StellaOps.Attestor.Core/Rekor/RekorSyncBackgroundService.cs -- background service for batch Rekor publication.
• Rekor Client: Infrastructure/Rekor/HttpRekorClient.cs, ResilientRekorClient.cs -- HTTP client with resilience. IRekorClient.cs -- interface.
• Verdict Rekor Publisher: __Libraries/StellaOps.Attestor.Infrastructure/Rekor/VerdictRekorPublisher.cs -- publishes verdict attestations to Rekor.
• Tests: StellaOps.Attestor.Tests/RekorSubmissionQueueTests.cs, RekorRetryWorkerTests.cs, HttpRekorClientTests.cs, __Tests/StellaOps.Attestor.Bundling.Tests/AttestationBundlerTests.cs, BundleAggregatorTests.cs

E2E Test Plan

• Bundle 5 DSSE-signed attestations via AttestationBundler with a batch size of 5 and verify a single bundle is produced
• Configure bundling with a batch size of 3 and submit 5 attestations, verifying 2 bundles are produced
• Enqueue attestations to PostgresRekorSubmissionQueue and verify they are stored with Pending status
• Process the queue and verify successful submissions are marked as Completed
• Simulate a Rekor submission failure and verify RekorRetryWorker retries the failed item
• Verify QueueDepthSnapshot reports correct counts of pending, processing, and completed items
• Publish a verdict attestation via VerdictRekorPublisher and verify the Rekor receipt is stored
• Test ResilientRekorClient circuit breaker by simulating repeated failures and verifying the circuit opens