semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
--- a/docs/features/unchecked/exportcenter/export-center-risk-bundle-builder.md
+++ b/docs/features/unchecked/exportcenter/export-center-risk-bundle-builder.md
@@ -0,0 +1,27 @@
+# Export Center Risk Bundle Builder
+
+## Module
+ExportCenter
+
+## Status
+IMPLEMENTED
+
+## Description
+Generates signed risk bundles aggregating vulnerability findings, VEX decisions, and policy evaluations into portable, DSSE-signed export artifacts for compliance reporting and auditor handoff.
+
+## Implementation Details
+- **Risk bundle builder**: `src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleBuilder.cs` -- aggregates findings, VEX decisions, and policy evaluations into portable bundles
+- **Risk bundle models**: `src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleModels.cs` -- bundle data models
+- **Risk bundle signing**: `src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleSigning.cs` -- DSSE signing for risk bundles
+- **Risk bundle job**: `src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleJob.cs` -- async job for bundle generation
+- **Object store**: `src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleObjectStore.cs`, `FileSystemRiskBundleObjectStore.cs` -- bundle storage
+- **Job handler**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/RiskBundle/RiskBundleJobHandler.cs` -- processes risk bundle jobs
+- **Attestation service**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Attestation/ExportAttestationService.cs` -- DSSE attestations for exports
+- **Source**: SPRINT_0163_0001_0001_exportcenter_ii.md
+
+## E2E Test Plan
+- [ ] Verify risk bundle builder aggregates vulnerability findings correctly
+- [ ] Test DSSE signing produces valid signed bundles
+- [ ] Verify bundle includes VEX decisions and policy evaluations
+- [ ] Test async job processing for large bundles
+- [ ] Verify bundle storage and retrieval via object store
--- a/docs/features/unchecked/exportcenter/export-telemetry-and-worker.md
+++ b/docs/features/unchecked/exportcenter/export-telemetry-and-worker.md
@@ -0,0 +1,29 @@
+# Export Telemetry and Worker
+
+## Module
+ExportCenter
+
+## Status
+IMPLEMENTED
+
+## Description
+Export telemetry instrumentation and dedicated background worker for async export job processing.
+
+## Implementation Details
+- **Export telemetry**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Telemetry/ExportTelemetry.cs` -- OpenTelemetry instrumentation for export operations
+- **Telemetry context**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Telemetry/ExportRunTelemetryContext.cs` -- per-export-run telemetry context
+- **Activity extensions**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Telemetry/ExportActivityExtensions.cs` -- activity source extensions
+- **Telemetry DI**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Telemetry/TelemetryServiceCollectionExtensions.cs` -- telemetry registration
+- **Timeline publisher**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Timeline/ExportTimelinePublisher.cs` -- publishes export events to timeline
+- **Incident manager**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Incident/ExportIncidentManager.cs` -- manages export failure incidents
+- **Audit service**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Api/ExportAuditService.cs` -- export audit trail
+- **API endpoints**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Api/ExportApiEndpoints.cs` -- export API
+- **Evidence locker client**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/EvidenceLocker/ExportEvidenceLockerClient.cs` -- evidence locker integration
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify export telemetry emits OpenTelemetry traces and spans
+- [ ] Test timeline publisher records export events
+- [ ] Verify audit service logs all export operations
+- [ ] Test incident manager handles export failures appropriately
+- [ ] Verify telemetry context propagates across export pipeline
--- a/docs/features/unchecked/exportcenter/local-evidence-cache-with-deferred-enrichment-queue.md
+++ b/docs/features/unchecked/exportcenter/local-evidence-cache-with-deferred-enrichment-queue.md
@@ -0,0 +1,25 @@
+# Local Evidence Cache with Deferred Enrichment Queue
+
+## Module
+ExportCenter
+
+## Status
+IMPLEMENTED
+
+## Description
+Disk-backed local evidence cache that stores scan artifacts (SBOM, VEX, reachability data) alongside findings with a deferred enrichment queue pattern for offline-first evidence collection and lazy hydration.
+
+## Implementation Details
+- **Cache service interface**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/EvidenceCache/IEvidenceCacheService.cs` -- evidence cache contract
+- **Cache service implementation**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/EvidenceCache/LocalEvidenceCacheService.cs` -- disk-backed local evidence cache with deferred enrichment queue
+- **Cache models**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/EvidenceCache/CacheModels.cs` -- cache entry models for SBOM, VEX, reachability data
+- **Cache manifest**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/EvidenceCache/CacheManifest.cs` -- cache manifest for inventory tracking
+- **Tests**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/EvidenceCache/LocalEvidenceCacheServiceTests.cs`
+- **Source**: SPRINT_3605_0001_0001_local_evidence_cache.md
+
+## E2E Test Plan
+- [ ] Verify evidence cache stores SBOM, VEX, and reachability data to disk
+- [ ] Test deferred enrichment queue processes entries lazily
+- [ ] Verify cache manifest tracks all cached entries
+- [ ] Test offline-first behavior (cache works without network)
+- [ ] Verify cache eviction policy for disk space management
--- a/docs/features/unchecked/exportcenter/oci-digest-first-release-identity.md
+++ b/docs/features/unchecked/exportcenter/oci-digest-first-release-identity.md
@@ -0,0 +1,27 @@
+# OCI Digest-First Release Identity
+
+## Module
+ExportCenter
+
+## Status
+IMPLEMENTED
+
+## Description
+OCI distribution with digest-based artifact publishing and type-safe models is implemented.
+
+## Implementation Details
+- **OCI distribution client**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciDistributionClient.cs`, `IOciDistributionClient.cs` -- digest-based artifact publishing
+- **OCI distribution models**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciDistributionModels.cs` -- type-safe OCI digest and manifest models
+- **OCI distribution options**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciDistributionOptions.cs` -- configurable OCI registry options
+- **Registry config**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciRegistryConfig.cs` -- registry endpoint configuration
+- **Distribution target**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Domain/ExportDistributionTarget.cs` -- export distribution target model
+- **DI extensions**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciDistributionServiceExtensions.cs`
+- **Tests**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Distribution/Oci/OciDistributionClientTests.cs`, `OciDistributionServiceExtensionsTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify digest-based artifact publishing uses sha256 digests
+- [ ] Test OCI distribution client pushes manifests correctly
+- [ ] Verify registry configuration supports multiple registries
+- [ ] Test type-safe models serialize/deserialize correctly
+- [ ] Verify distribution target resolution for different export types
--- a/docs/features/unchecked/exportcenter/oci-distribution-for-export-artifacts.md
+++ b/docs/features/unchecked/exportcenter/oci-distribution-for-export-artifacts.md
@@ -0,0 +1,31 @@
+# OCI Distribution for Export Artifacts
+
+## Module
+ExportCenter
+
+## Status
+IMPLEMENTED
+
+## Description
+OCI registry distribution with push client, referrer support, configurable options, and export distribution lifecycle management.
+
+## Implementation Details
+- **Distribution lifecycle**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/ExportDistributionLifecycle.cs`, `IExportDistributionLifecycle.cs` -- export distribution lifecycle management
+- **Distribution DI**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/ExportDistributionServiceCollectionExtensions.cs`
+- **OCI push client**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciDistributionClient.cs`, `IOciDistributionClient.cs`
+- **OCI referrer push**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciReferrerPushClient.cs` -- pushes artifacts as OCI referrers
+- **OCI referrer discovery**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciReferrerDiscovery.cs`, `OciReferrerDiscoveryService.cs`
+- **RVA OCI publisher**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/RvaOciPublisher.cs` -- RVA-specific OCI publishing
+- **AI attestation OCI**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/AIAttestationOciPublisher.cs`, `AIAttestationOciDiscovery.cs` -- AI attestation OCI distribution
+- **OCI referrer fallback**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciReferrerFallback.cs` -- fallback for non-referrer registries
+- **Adapter registry**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Adapters/ExportAdapterRegistry.cs` -- adapter pattern for distribution targets
+- **Mirror adapter**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Adapters/MirrorAdapter.cs` -- mirror distribution adapter
+- **Tests**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Distribution/ExportDistributionLifecycleTests.cs`, `Oci/OciDistributionClientTests.cs`, `OciReferrerPushClientTests.cs`, `RvaOciPublisherTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify export artifacts are pushed to OCI registry
+- [ ] Test distribution lifecycle manages push/verify/cleanup stages
+- [ ] Verify referrer push attaches artifacts as OCI referrers
+- [ ] Test AI attestation OCI publishing
+- [ ] Verify fallback for registries without referrer API support
--- a/docs/features/unchecked/exportcenter/oci-referrer-publishing.md
+++ b/docs/features/unchecked/exportcenter/oci-referrer-publishing.md
@@ -0,0 +1,29 @@
+# OCI Referrer Publishing
+
+## Module
+ExportCenter
+
+## Status
+IMPLEMENTED
+
+## Description
+OCI referrer push client and discovery service for publishing attestations as OCI-attached artifacts.
+
+## Implementation Details
+- **Referrer push client**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciReferrerPushClient.cs` -- pushes attestations as OCI referrer artifacts
+- **Referrer discovery**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciReferrerDiscovery.cs` -- discovers attached referrer artifacts
+- **Referrer discovery service**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciReferrerDiscoveryService.cs` -- service wrapper for referrer discovery
+- **Referrer fallback**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/OciReferrerFallback.cs` -- fallback for tag-based referrer linking
+- **RVA publisher**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/RvaOciPublisher.cs` -- publishes RVA attestations as OCI referrers
+- **AI attestation publisher**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/AIAttestationOciPublisher.cs` -- AI attestation referrer publishing
+- **AI attestation discovery**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Distribution/Oci/AIAttestationOciDiscovery.cs` -- discovers AI attestation referrers
+- **Mirror referrer discovery**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/MirrorBundle/IReferrerDiscoveryService.cs`
+- **Tests**: `src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/Distribution/Oci/OciReferrerPushClientTests.cs`, `OciReferrerDiscoveryTests.cs`, `OciReferrerDiscoveryServiceTests.cs`, `RvaOciPublisherTests.cs`, `Adapters/MirrorAdapterReferrerDiscoveryTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify attestations are published as OCI referrer artifacts
+- [ ] Test referrer discovery finds attached artifacts for a digest
+- [ ] Verify fallback works for registries without referrer API
+- [ ] Test RVA and AI attestation referrer publishing
+- [ ] Verify mirror adapter discovers referrers across mirrors