
Verification Pipeline (Multi-step Proof Verification)

Module

Attestor

Status

IMPLEMENTED

Description

Multi-step verification pipeline with pluggable steps: DSSE signature check, ID recomputation, Rekor inclusion proof, trust anchor verification. Each step produces structured results.

Implementation Details

  • IVerificationPipeline: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/IVerificationPipeline.cs -- interface for the multi-step verification pipeline.
  • Verification Pipeline: Verification/VerificationPipeline.cs (with .Verify) -- orchestrates pluggable verification steps in sequence, collecting results.
  • IVerificationStep: Verification/IVerificationStep.cs -- interface for individual verification steps.
  • DSSE Signature Verification Step: Verification/DsseSignatureVerificationStep.cs -- verifies DSSE envelope signature against trusted keys.
  • ID Recomputation Verification Step: Verification/IdRecomputationVerificationStep.cs -- recomputes content-addressed IDs and verifies they match claimed IDs.
  • Rekor Inclusion Verification Step: Verification/RekorInclusionVerificationStep.cs -- verifies Rekor inclusion proof against the transparency log tree.
  • Trust Anchor Verification Step: Verification/TrustAnchorVerificationStep.cs -- verifies signing key against configured trust anchors (allowed keys, PURL patterns, revocation).
  • AI Artifact Verification Step: Verification/AIArtifactVerificationStep.cs (with .Classify, .Execute, .Helpers, .Summary, .VerifyParse, .VerifyValidation) -- verifies AI-generated artifacts for authority classification and replay fidelity.
  • Verification Pipeline Request: Verification/VerificationPipelineRequest.cs -- request containing the proof bundle or attestation to verify.
  • Verification Pipeline Result: Verification/VerificationPipelineResult.cs -- overall pipeline result with per-step outcomes.
  • Verification Step Result: Verification/VerificationStepResult.cs -- individual step result (passed, failed, skipped) with details.
  • Verification Pipeline Interfaces: Verification/VerificationPipelineInterfaces.cs -- shared interfaces for pipeline components.
  • Verification Context: Verification/VerificationContext.cs -- context containing trust anchors, policies, and configuration for the pipeline.
  • Verification Bundle Models: Verification/VerificationBundleModels.cs -- models for verification bundles (proof + metadata).
  • IAIEvidenceResolver: Verification/IAIEvidenceResolver.cs -- resolves AI evidence for the AI verification step.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/

E2E Test Plan

  • Run the full verification pipeline on a valid signed attestation with Rekor inclusion proof and trust anchor; verify all steps pass
  • Remove the DSSE signature and run the pipeline; verify DsseSignatureVerificationStep fails while other steps report skipped
  • Tamper with the attestation content and run IdRecomputationVerificationStep; verify it detects the ID mismatch
  • Provide an invalid Rekor inclusion proof and verify RekorInclusionVerificationStep fails with details about the proof mismatch
  • Configure trust anchors and sign with an untrusted key; verify TrustAnchorVerificationStep fails
  • Run the pipeline with only DSSE and ID steps (skip Rekor/trust anchor) and verify partial results are returned
  • Verify pipeline short-circuiting: if DSSE fails, subsequent steps that depend on signature validity are skipped
  • Run the AI artifact verification step on a valid AI-generated artifact and verify classification and validation pass
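
The short-circuit and per-step result behaviour exercised by the plan above, as an added Python sketch that is not StellaOps code. All names, the bundle layout, the step dependencies and the use of HMAC-SHA256 in place of a real signature scheme are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import namedtuple

StepResult = namedtuple("StepResult", "step status detail")  # passed | failed | skipped

def pae(ptype: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a signature covers."""
    t = ptype.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def mac(key: bytes, env: dict) -> bytes:
    # HMAC-SHA256 stands in for the real signature algorithm (assumption).
    return hmac.new(key, pae(env["payloadType"], env["payload"]), hashlib.sha256).digest()

def dsse_step(bundle, ctx):
    env = bundle["envelope"]
    for s in env["signatures"]:
        key = ctx["keys"].get(s["keyid"])
        if key and hmac.compare_digest(mac(key, env), s["sig"]):
            return True, "verified by " + s["keyid"]
    return False, "no signature verified against a known key"

def id_step(bundle, ctx):
    actual = "sha256:" + hashlib.sha256(bundle["envelope"]["payload"]).hexdigest()
    return actual == bundle["claimed_id"], "recomputed " + actual

# (name, function, steps that must have passed first); the dependency is assumed
STEPS = [("dsse", dsse_step, []), ("id", id_step, ["dsse"])]

def run_pipeline(bundle, ctx, steps=STEPS):
    results = {}
    for name, fn, deps in steps:
        unmet = [d for d in deps if d not in results or results[d].status != "passed"]
        if unmet:  # fail closed: dependency failed, was skipped, or never ran
            results[name] = StepResult(name, "skipped", "requires " + unmet[0])
            continue
        try:
            ok, detail = fn(bundle, ctx)
        except (KeyError, TypeError) as exc:  # malformed bundle fails, never crashes
            ok, detail = False, f"malformed input: {exc!r}"
        results[name] = StepResult(name, "passed" if ok else "failed", detail)
    return list(results.values())

def sample(key=b"constructed-demo-key"):
    """Constructed bundle signed under key id 'k1' (not real attestation data)."""
    env = {"payloadType": "application/vnd.in-toto+json", "payload": b'{"constructed":true}'}
    env["signatures"] = [{"keyid": "k1", "sig": mac(key, env)}]
    return {"envelope": env, "claimed_id": "sha256:" + hashlib.sha256(env["payload"]).hexdigest()}
```

Calling `run_pipeline(sample(), {"keys": {"k1": b"constructed-demo-key"}})` returns one `StepResult` per step; emptying `signatures` turns the first into `failed` and the second into `skipped`.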