feat: Add Go module and workspace test fixtures

- Created expected JSON files for Go modules and workspaces. - Added go.mod and go.sum files for example projects. - Implemented private module structure with expected JSON output. - Introduced vendored dependencies with corresponding expected JSON. - Developed PostgresGraphJobStore for managing graph jobs. - Established SQL migration scripts for graph jobs schema. - Implemented GraphJobRepository for CRUD operations on graph jobs. - Created IGraphJobRepository interface for repository abstraction. - Added unit tests for GraphJobRepository to ensure functionality.
2025-12-06 20:04:03 +02:00
parent a6f1406509
commit 05597616d6
178 changed files with 12022 additions and 4545 deletions
--- a/docs/schemas/verification-policy.schema.json
+++ b/docs/schemas/verification-policy.schema.json
@@ -0,0 +1,151 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stellaops.io/schemas/verification-policy.v1.json",
+  "title": "VerificationPolicy",
+  "description": "Attestation verification policy configuration for StellaOps",
+  "type": "object",
+  "required": ["policyId", "version", "predicateTypes", "signerRequirements"],
+  "properties": {
+    "policyId": {
+      "type": "string",
+      "description": "Unique policy identifier",
+      "pattern": "^[a-z0-9-]+$",
+      "examples": ["default-verification-policy", "strict-slsa-policy"]
+    },
+    "version": {
+      "type": "string",
+      "description": "Policy version (SemVer)",
+      "pattern": "^\\d+\\.\\d+\\.\\d+$",
+      "examples": ["1.0.0", "2.1.0"]
+    },
+    "description": {
+      "type": "string",
+      "description": "Human-readable policy description"
+    },
+    "tenantScope": {
+      "type": "string",
+      "description": "Tenant ID this policy applies to, or '*' for all tenants",
+      "default": "*"
+    },
+    "predicateTypes": {
+      "type": "array",
+      "description": "Allowed attestation predicate types",
+      "items": {
+        "type": "string"
+      },
+      "minItems": 1,
+      "examples": [
+        ["stella.ops/sbom@v1", "stella.ops/vex@v1"]
+      ]
+    },
+    "signerRequirements": {
+      "$ref": "#/$defs/SignerRequirements"
+    },
+    "validityWindow": {
+      "$ref": "#/$defs/ValidityWindow"
+    },
+    "metadata": {
+      "type": "object",
+      "description": "Free-form metadata",
+      "additionalProperties": true
+    }
+  },
+  "$defs": {
+    "SignerRequirements": {
+      "type": "object",
+      "description": "Requirements for attestation signers",
+      "properties": {
+        "minimumSignatures": {
+          "type": "integer",
+          "minimum": 1,
+          "default": 1,
+          "description": "Minimum number of valid signatures required"
+        },
+        "trustedKeyFingerprints": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "pattern": "^sha256:[a-f0-9]{64}$"
+          },
+          "description": "List of trusted signer key fingerprints (SHA-256)"
+        },
+        "trustedIssuers": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "format": "uri"
+          },
+          "description": "List of trusted issuer identities (OIDC issuers)"
+        },
+        "requireRekor": {
+          "type": "boolean",
+          "default": false,
+          "description": "Require Sigstore Rekor transparency log entry"
+        },
+        "algorithms": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "EdDSA"]
+          },
+          "description": "Allowed signing algorithms",
+          "default": ["ES256", "RS256", "EdDSA"]
+        }
+      }
+    },
+    "ValidityWindow": {
+      "type": "object",
+      "description": "Time-based validity constraints",
+      "properties": {
+        "notBefore": {
+          "type": "string",
+          "format": "date-time",
+          "description": "Policy not valid before this time (ISO-8601)"
+        },
+        "notAfter": {
+          "type": "string",
+          "format": "date-time",
+          "description": "Policy not valid after this time (ISO-8601)"
+        },
+        "maxAttestationAge": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Maximum age of attestation in seconds (0 = no limit)"
+        }
+      }
+    }
+  },
+  "examples": [
+    {
+      "policyId": "default-verification-policy",
+      "version": "1.0.0",
+      "description": "Default verification policy for StellaOps attestations",
+      "tenantScope": "*",
+      "predicateTypes": [
+        "stella.ops/sbom@v1",
+        "stella.ops/vex@v1",
+        "stella.ops/vexDecision@v1",
+        "stella.ops/policy@v1",
+        "stella.ops/promotion@v1",
+        "stella.ops/evidence@v1",
+        "stella.ops/graph@v1",
+        "stella.ops/replay@v1",
+        "https://slsa.dev/provenance/v1",
+        "https://cyclonedx.org/bom",
+        "https://spdx.dev/Document",
+        "https://openvex.dev/ns"
+      ],
+      "signerRequirements": {
+        "minimumSignatures": 1,
+        "trustedKeyFingerprints": [
+          "sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
+        ],
+        "requireRekor": false,
+        "algorithms": ["ES256", "RS256", "EdDSA"]
+      },
+      "validityWindow": {
+        "maxAttestationAge": 86400
+      }
+    }
+  ]
+}