Attestation Store
Ed25519 signing, append-only storage, and tamper-evident audit trail
The Attestation Store records every policy decision as an immutable, cryptographically signed record. This provides a regulator-grade audit trail suitable for EU AI Act compliance, SOC 2 requirements, and internal governance.
How It Works
Signing (attestation_store.py)
Every attestation is signed with Ed25519 (v5+) for tamper evidence:
The signing message includes all material fields: verdict, tool name, agent ID, payload hash, impact hash, constraint IDs, delegation fields, and evidence classification. This ensures any modification to any field invalidates the signature.
Signature versions:
- v1-v4 — HMAC-SHA256 (symmetric, legacy)
- v5 — Ed25519 (asymmetric, current)
Ed25519 key generation:
AegisAttestationStore
The AegisAttestationStore class manages attestation lifecycle:
record()— Creates a new attestation record with signatureverify()— Validates the signature of an existing recordquery()— Retrieves attestations by workspace, agent, tool, time range, or verdict
Append-Only Storage
Attestation records are stored in the aegis_attestations PostgreSQL table which is protected by a database trigger that prevents UPDATE and DELETE operations. Only INSERT is allowed. This is enforced at the database level, not the application level, making it tamper-resistant even if the application is compromised.
Export (attestation_export.py)
Attestations can be exported in multiple formats:
- JSON — Full structured export with all fields
- CSV — Tabular export for spreadsheet analysis
- JSON-LD — Linked data format for regulatory submissions
Exports support filtering by workspace, time range, verdict, agent, and tool pattern (via fnmatch glob matching).
Crypto (crypto.py)
Fernet encryption for downstream connection credentials:
encrypt_config()— Encrypts connection configuration with a derived keydecrypt_config()— Decrypts configurationredact_config()— Returns configuration with sensitive values masked (for display)
Architecture
Configuration
Generate keys:
Technical Details
- The
_reconstruct_ed25519_message()function rebuilds the signing message from a stored attestation for verification - Payload hashing uses SHA-256 (
hash_payload()) with deterministic JSON serialization - The
summarize_payload()function creates a truncated human-readable summary (max 500 chars) stored alongside the hash - Database trigger enforcement means even a database admin with direct SQL access cannot modify attestation records
- The audit_logs table uses the same append-only pattern with HMAC tamper detection