stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fda92af9bcbaf6c1677f0d6b13609a8e04222bbc
git.stella-ops.org/docs2/architecture/evidence-and-trust.md
master fcb5ffe25d feat(scanner): Complete PoE implementation with Windows compatibility fix 
- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 14:52:08 +02:00

2.2 KiB
Raw Blame History

Evidence and trust model

Determinism rules

  • Content-address all artifacts by digest.
  • Canonicalize JSON and sort arrays deterministically.
  • Use UTC timestamps only.
  • Do not use wall-clock or RNG in decision paths.
  • Pin inputs: analyzer versions, policy hash, advisory and VEX snapshots.

Evidence categories

  • Inputs: SBOMs, advisories, VEX statements, provenance, runtime facts.
  • Transforms: normalization outputs, linksets, reachability graphs.
  • Decisions: verdicts, explain traces, derived VEX.
  • Audit: token issuance, policy changes, signing events.

Decision Capsules

A Decision Capsule is the minimal audit bundle for a decision. It includes:

  • The exact SBOM (inventory and usage views)
  • Advisory and VEX snapshot identifiers
  • Reachability evidence and unknowns metadata
  • Policy version and policy hash
  • Decision trace and derived VEX
  • DSSE envelopes and optional Rekor proofs

Attestation chain

  • in-toto statements wrapped in DSSE envelopes.
  • Signer produces DSSE; Attestor logs and verifies in Rekor when enabled.
  • Offline kits include cached proofs for air-gapped verification.

Aggregation-Only Contract (AOC)

  • Ingestion services store raw facts only.
  • No derived severity, consensus, or policy hints at ingest time.
  • All derived findings are produced by the Policy Engine.
  • Idempotent writes use content hash and supersedes chains.
  • Append-only revisions preserve upstream provenance and conflicts.

Content-addressed storage

  • RustFS stores SBOM fragments, reports, reachability graphs, and evidence bundles.
  • Replay bundles store inputs and outputs with deterministic ordering.

Replay bundles (typical layout)

  • manifest.json and manifest.dsse.json
  • input bundle with feeds, policy, and tool manifests
  • output bundle with SBOMs, findings, VEX, and logs

Verification steps (offline or online)

  1. Verify DSSE envelope signature against trusted keys.
  2. Recompute payload hash and compare to manifest digest.
  3. Verify Rekor proof when available or against offline checkpoints.
  4. Ensure all referenced CAS objects are present and hashed.

Retention

  • Evidence retention is configurable, but must preserve decision reproducibility for the required audit window.