work

2025-11-23 23:40:10 +02:00
parent c13355923f
commit 029002ad05
93 changed files with 2160 additions and 285 deletions
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/SurfaceValidationIssueCodes.cs
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/SurfaceValidationIssueCodes.cs
@@ -8,6 +8,7 @@ public static class SurfaceValidationIssueCodes
    public const string CacheQuotaInvalid = "SURFACE_ENV_CACHE_QUOTA_INVALID";
    public const string SecretsProviderUnknown = "SURFACE_SECRET_PROVIDER_UNKNOWN";
    public const string SecretsConfigurationMissing = "SURFACE_SECRET_CONFIGURATION_MISSING";
+    public const string SecretsConfigurationInvalid = "SURFACE_SECRET_FORMAT_INVALID";
    public const string TenantMissing = "SURFACE_ENV_TENANT_MISSING";
    public const string BucketMissing = "SURFACE_FS_BUCKET_MISSING";
    public const string FeatureUnknown = "SURFACE_FEATURE_UNKNOWN";
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/Validators/SurfaceSecretsValidator.cs
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/Validators/SurfaceSecretsValidator.cs
@@ -35,6 +35,14 @@ internal sealed class SurfaceSecretsValidator : ISurfaceValidator
                "Set SCANNER_SURFACE_SECRETS_PROVIDER to 'kubernetes', 'file', or another supported provider."));
        }

+        if (secrets.HasFallback && !KnownProviders.Contains(secrets.FallbackProvider!))
+        {
+            issues.Add(SurfaceValidationIssue.Error(
+                SurfaceValidationIssueCodes.SecretsProviderUnknown,
+                $"Fallback secrets provider '{secrets.FallbackProvider}' is not recognised.",
+                "Choose a supported fallback provider (kubernetes | file | inline) or clear SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER."));
+        }
+
        if (string.Equals(secrets.Provider, "kubernetes", StringComparison.OrdinalIgnoreCase) &&
            string.IsNullOrWhiteSpace(secrets.Namespace))
        {
@@ -53,6 +61,24 @@ internal sealed class SurfaceSecretsValidator : ISurfaceValidator
                "Set SCANNER_SURFACE_SECRETS_ROOT to a directory path."));
        }

+        if (string.Equals(secrets.Provider, "file", StringComparison.OrdinalIgnoreCase) &&
+            !string.IsNullOrWhiteSpace(secrets.Root) &&
+            !Directory.Exists(secrets.Root))
+        {
+            issues.Add(SurfaceValidationIssue.Error(
+                SurfaceValidationIssueCodes.SecretsConfigurationInvalid,
+                $"File secrets root '{secrets.Root}' does not exist.",
+                "Ensure SCANNER_SURFACE_SECRETS_ROOT points to an existing directory with 0600-style permissions."));
+        }
+
+        if (string.Equals(secrets.Provider, "inline", StringComparison.OrdinalIgnoreCase) && !secrets.AllowInline)
+        {
+            issues.Add(SurfaceValidationIssue.Error(
+                SurfaceValidationIssueCodes.SecretsConfigurationInvalid,
+                "Inline secrets provider is selected but AllowInline=false.",
+                "Either enable SCANNER_SURFACE_SECRETS_ALLOW_INLINE for dev/test or switch provider."));
+        }
+
        if (string.IsNullOrWhiteSpace(secrets.Tenant))
        {
            issues.Add(SurfaceValidationIssue.Error(