feat: add endorsements.skip_validation setting for disaster recovery

[sangwa]

When enabled, endorsement retrieval failures are demoted to warnings instead of hard errors, allowing the server to start and serve attestation when endorsement infrastructure is unavailable. Only retrieval failures are skipped — if endorsements are successfully fetched, measurement comparison is always enforced regardless of this flag, ensuring modified images cannot pass attestation.

Summary by CodeRabbit

• New Features

  • Added an endorsement skip-validation toggle to allow the server to continue when endorsement retrieval fails; retrieval failures become warnings while successful fetches still require strict verification and measurement matching.

• Documentation

  • Updated configuration, architecture, and security docs to describe skip-validation scope, error-class behavior, and startup logging when the toggle is enabled.

• Tests

  • Added tests covering skip-validation behavior, including retrieval failures, cached mismatches, and post-fetch parsing/verification errors.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 82d0fd77-c2fa-405a-8b04-e14796fe87fe

📥 Commits

Reviewing files that changed from the base of the PR and between 1a0bb9e and 77564f2.

📒 Files selected for processing (4)

• CLAUDE.md
• docs/security.md
• internal/endorsements.go
• internal/endorsements_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• docs/security.md
• CLAUDE.md
• internal/endorsements.go

---

Walkthrough

A new configuration toggle endorsements.skip_validation (default false) was added to config, viper bindings, and docs. A new Config.EndorsementSkipValidation field is loaded from viper. Retrieval errors from endorsement/network fetches are tagged with a new errEndorsementRetrieval type and, when the flag is enabled, are downgraded to warnings and cause endorsement validation to be skipped; verification/parsing and measurement-comparison errors remain fatal. NewServer logs a warning when the flag is set. Tests were added to cover skip-validation semantics.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant Server
  participant EndorsementFetcher
  participant Verifier
  Client->>Server: Request attestation
  Server->>EndorsementFetcher: fetch endorsements (parallel)
  alt fetch succeeds
    EndorsementFetcher-->>Server: endorsements
    Server->>Verifier: verify signatures & compare measurements
    alt verification succeeds
      Verifier-->>Server: verified
      Server-->>Client: attestation response (endorsed)
    else verification fails
      Verifier-->>Server: error (verification/mismatch)
      Server-->>Client: attestation error (fatal)
    end
  else fetch fails
    EndorsementFetcher-->>Server: wrapped errEndorsementRetrieval
    alt EndorsementSkipValidation = true
      Server--xServer: log warning, skip endorsement validation
      Server-->>Client: attestation response (without endorsement verification)
    else
      Server-->>Client: attestation error (fatal)
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A flag in the burrow, gentle and sly,
When fetches go missing it lets hopes fly—
Warnings whisper, the server stays bright,
But true measurements still guard the night,
Hop on, resilient attestation, bye-bye fright! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding a new endorsements.skip_validation configuration setting for disaster recovery scenarios.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/self-attestation-toggle

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

internal/endorsements_test.go (1)

817-878: Add a regression test for post-fetch resolve failures under skip mode.

The new tests validate canceled-context retrieval failures, but not failures that happen after successful fetch (e.g., invalid cosign bundle/verification error). Please add one case asserting those errors are not skipped when endorsements.skip_validation=true.

Also applies to: 1562-1635

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/endorsements_test.go` around lines 817 - 878, Add a new test in
endorsements_test.go (alongside TestValidateOwnEndorsements_SkipValidation_*)
that exercises a post-fetch resolution/verification failure (fetch succeeds but
cosign bundle / verification or resolve fails) and asserts that
endorsements.skip_validation=true does NOT suppress that error. Reuse
newFetcherCache/cache.setGroup to return a fetched payload that will fail during
resolution/verification (e.g., malformed cosign bundle or bad signature) and
construct a Server with validateOwnEndorsements,
endorsements.skip_validation=true, and a valid selfAttestation; call
s.validateOwnEndorsements(context.Background()) and assert err != nil and that
err.Error() contains a verification/resolve-related substring (e.g., "verify",
"cosign", or "resolve") to ensure post-fetch failures are not skipped.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CLAUDE.md`:
- Line 167: Update the sentence describing NewServer behavior to clarify that
endorsements.skip_validation only relaxes failures that occur while
retrieving/validating endorsement data, not device open or Attest failures;
specifically mention that NewServer still exits on device open/Attest errors and
that parsedSelfAttestation is used for endorsement validation while only
endorsement retrieval/validation can be bypassed when
endorsements.skip_validation is enabled.

In `@docs/security.md`:
- Line 113: Change the phrase describing the infrastructure to use a hyphenated
compound modifier: update the text mentioning endorsements.skip_validation to
read "endorsement-serving infrastructure" (hyphenate endorsement-serving) so the
sentence reads "when the endorsement-serving infrastructure is completely
unavailable"; ensure the surrounding sentence and the startup warning reference
remain unchanged.

In `@internal/endorsements.go`:
- Around line 198-204: The current handling treats any error from
resolveEndorsements as skippable when s.cfg.EndorsementSkipValidation is true;
change the logic to only skip when the error represents a retrieval/network
failure (not verification/parsing failures). Update resolveEndorsements to
return or wrap a sentinel/typed error for retrieval problems (e.g.,
ErrEndorsementRetrieval or a RetrievalError type) and then replace the
unconditional skip check around the call that assigns doc, cr, err :=
s.resolveEndorsements(...) so it uses errors.Is/As to detect retrieval-only
errors: if skip is enabled and errors.Is(err, ErrEndorsementRetrieval) then log
warn and return nil, otherwise log/return the original err for non-retrieval
errors (verification/parsing). Apply the same change to the other identical call
site that currently uses s.cfg.EndorsementSkipValidation to ensure only
retrieval errors are bypassed.

---

Nitpick comments:
In `@internal/endorsements_test.go`:
- Around line 817-878: Add a new test in endorsements_test.go (alongside
TestValidateOwnEndorsements_SkipValidation_*) that exercises a post-fetch
resolution/verification failure (fetch succeeds but cosign bundle / verification
or resolve fails) and asserts that endorsements.skip_validation=true does NOT
suppress that error. Reuse newFetcherCache/cache.setGroup to return a fetched
payload that will fail during resolution/verification (e.g., malformed cosign
bundle or bad signature) and construct a Server with validateOwnEndorsements,
endorsements.skip_validation=true, and a valid selfAttestation; call
s.validateOwnEndorsements(context.Background()) and assert err != nil and that
err.Error() contains a verification/resolve-related substring (e.g., "verify",
"cosign", or "resolve") to ensure post-fetch failures are not skipped.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cc571454-240e-4480-86c9-f2c2063ae70f

📥 Commits

Reviewing files that changed from the base of the PR and between 6c7aea7 and 1a0bb9e.

📒 Files selected for processing (9)

• CLAUDE.md
• cmd/root.go
• config/config.toml
• docs/architecture.md
• docs/security.md
• internal/config.go
• internal/endorsements.go
• internal/endorsements_test.go
• internal/server.go