stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/proof-carrying-security-decisions.md

3.1 KiB
Raw Blame History

Proof-Carrying Security Decisions (Proof Chain)

Module

Attestor

Status

IMPLEMENTED

Description

The ProofChain library is the core of the system with graph, signing, verification, merkle proofs, content-addressed IDs, DSSE, Rekor integration, predicates, statements, and a web service for querying. Every security decision carries linked proof.

Implementation Details

  • Proof Graph: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs (with .Mutation, .Queries, .Subgraph) -- graph linking verdicts to reasoning to evidence nodes.
  • DSSE Signing: Signing/ProofChainSigner.cs (with .Verification) -- signs all security decisions into DSSE envelopes.
  • Verification Pipeline: Verification/VerificationPipeline.cs (with .Verify) -- multi-step verification pipeline for proof chains.
  • Verification Steps: Verification/DsseSignatureVerificationStep.cs, IdRecomputationVerificationStep.cs, RekorInclusionVerificationStep.cs, TrustAnchorVerificationStep.cs, AIArtifactVerificationStep.cs -- individual verification steps.
  • Content-Addressed IDs: Identifiers/ContentAddressedIdGenerator.cs (with .Graph), ArtifactId.cs, EvidenceId.cs, ProofBundleId.cs, ReasoningId.cs, VexVerdictId.cs -- SHA-256 IDs linking all artifacts.
  • Merkle Proofs: Merkle/DeterministicMerkleTreeBuilder.cs (with .Helpers, .Proof) -- Merkle inclusion proofs for evidence chains.
  • Rekor Integration: Rekor/EnhancedRekorProofBuilder.cs (with .Build, .Validate) -- Rekor transparency log integration.
  • Predicates: 93+ predicate files in Predicates/ -- all predicate types.
  • Statements: 46 statement files in Statements/ -- all in-toto statement types.
  • Web Service: StellaOps.Attestor.WebService/Controllers/ProofsController.cs, VerifyController.cs, BundlesController.cs, ChainController.cs -- REST API for proof chain operations.
  • Receipts: Receipts/VerificationReceipt.cs, VerificationCheck.cs, VerificationContext.cs -- machine-verifiable verification receipts.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/

E2E Test Plan

  • Create a complete proof chain: evidence -> reasoning -> verdict, sign each into DSSE envelopes, and verify the chain via VerificationPipeline
  • Verify each step in the pipeline: DsseSignatureVerificationStep (signature valid), IdRecomputationVerificationStep (IDs match), TrustAnchorVerificationStep (anchor valid)
  • Query the proof graph from a verdict to all supporting evidence via InMemoryProofGraphService.Queries and verify the complete chain
  • Generate content-addressed IDs for all artifacts and verify they are deterministic and unique
  • Build Merkle proofs for evidence in the chain and verify inclusion
  • Submit the proof chain to Rekor and verify RekorInclusionVerificationStep passes
  • Query proofs via ProofsController REST API and verify the response contains linked proof chains
  • Verify via VerifyController and confirm a VerificationReceipt with all checks passing is returned