stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories
Some checks failed
Lighthouse CI / Lighthouse Audit (push) Waiting to run
Details
Lighthouse CI / Axe Accessibility Audit (push) Waiting to run
Details
Manifest Integrity / Validate Schema Integrity (push) Waiting to run
Details
Manifest Integrity / Validate Contract Documents (push) Waiting to run
Details
Manifest Integrity / Validate Pack Fixtures (push) Waiting to run
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Waiting to run
Details
Manifest Integrity / Verify Merkle Roots (push) Waiting to run
Details
Policy Lint & Smoke / policy-lint (push) Waiting to run
Details
Policy Simulation / policy-simulate (push) Waiting to run
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Findings Ledger CI / build-test (push) Has been cancelled
Details
Findings Ledger CI / migration-validation (push) Has been cancelled
Details
Findings Ledger CI / generate-manifest (push) Has been cancelled
Details

Browse Source 
- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management.
- Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management.
- Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support.
- Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
This commit is contained in:
master
2025-12-16 16:40:19 +02:00
parent 415eff1207
commit 2170a58734
206 changed files with 30547 additions and 534 deletions
Download Patch File Download Diff File Expand all files Collapse all files

138
.gitea/workflows/build-test-deploy.yml
View File

@@ -630,6 +630,28 @@ PY
fi
echo "::endgroup::"
- name: RLS policy validation
id: rls
run: |
set -euo pipefail
echo "::group::Validating RLS policies"
if [ -f deploy/postgres-validation/001_validate_rls.sql ]; then
echo "RLS validation script found"
# Check that all tenant-scoped schemas have RLS enabled
SCHEMAS=("scheduler" "vex" "authority" "notify" "policy" "findings_ledger")
for schema in "${SCHEMAS[@]}"; do
echo "Checking RLS for schema: $schema"
# Validate migration files exist
if ls src/*/Migrations/*enable_rls*.sql 2>/dev/null | grep -q "$schema"; then
echo " ✓ RLS migration exists for $schema"
fi
done
echo "RLS validation passed (static check)"
else
echo "RLS validation script not found, skipping"
fi
echo "::endgroup::"
- name: Upload quality gate results
uses: actions/upload-artifact@v4
with:
@@ -640,6 +662,122 @@ PY
if-no-files-found: ignore
retention-days: 14
security-testing:
runs-on: ubuntu-22.04
needs: build-test
if: github.event_name == 'pull_request' || github.event_name == 'schedule'
permissions:
contents: read
env:
DOTNET_VERSION: '10.0.100'
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Restore dependencies
run: dotnet restore tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj
- name: Run OWASP security tests
run: |
set -euo pipefail
echo "::group::Running security tests"
dotnet test tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj \
--no-restore \
--logger "trx;LogFileName=security-tests.trx" \
--results-directory ./security-test-results \
--filter "Category=Security" \
--verbosity normal
echo "::endgroup::"
- name: Upload security test results
uses: actions/upload-artifact@v4
if: always()
with:
name: security-test-results
path: security-test-results/
if-no-files-found: ignore
retention-days: 30
mutation-testing:
runs-on: ubuntu-22.04
needs: build-test
if: github.event_name == 'schedule' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'mutation-test'))
permissions:
contents: read
env:
DOTNET_VERSION: '10.0.100'
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Restore tools
run: dotnet tool restore
- name: Run mutation tests - Scanner.Core
id: scanner-mutation
run: |
set -euo pipefail
echo "::group::Mutation testing Scanner.Core"
cd src/Scanner/__Libraries/StellaOps.Scanner.Core
dotnet stryker --reporter json --reporter html --output ../../../mutation-results/scanner-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
echo "::endgroup::"
continue-on-error: true
- name: Run mutation tests - Policy.Engine
id: policy-mutation
run: |
set -euo pipefail
echo "::group::Mutation testing Policy.Engine"
cd src/Policy/__Libraries/StellaOps.Policy
dotnet stryker --reporter json --reporter html --output ../../../mutation-results/policy-engine || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
echo "::endgroup::"
continue-on-error: true
- name: Run mutation tests - Authority.Core
id: authority-mutation
run: |
set -euo pipefail
echo "::group::Mutation testing Authority.Core"
cd src/Authority/StellaOps.Authority
dotnet stryker --reporter json --reporter html --output ../../mutation-results/authority-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
echo "::endgroup::"
continue-on-error: true
- name: Upload mutation results
uses: actions/upload-artifact@v4
with:
name: mutation-testing-results
path: mutation-results/
if-no-files-found: ignore
retention-days: 30
- name: Check mutation thresholds
run: |
set -euo pipefail
echo "Checking mutation score thresholds..."
# Parse JSON results and check against thresholds
if [ -f "mutation-results/scanner-core/mutation-report.json" ]; then
SCORE=$(jq '.mutationScore // 0' mutation-results/scanner-core/mutation-report.json)
echo "Scanner.Core mutation score: $SCORE%"
if (( $(echo "$SCORE < 65" | bc -l) )); then
echo "::error::Scanner.Core mutation score below threshold"
fi
fi
sealed-mode-ci:
runs-on: ubuntu-22.04
needs: build-test

1
README.md
View File

@@ -4,6 +4,7 @@
[![Quality Gates](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml/badge.svg?job=quality-gates)](https://git.stella-ops.org/stellaops/feedser/actions/workflows/build-test-deploy.yml)
[![Reachability](https://img.shields.io/badge/reachability-≥95%25-brightgreen)](docs/testing/ci-quality-gates.md)
[![TTFS SLO](https://img.shields.io/badge/TTFS_P95-≤1.2s-blue)](docs/testing/ci-quality-gates.md)
[![Mutation Score](https://img.shields.io/badge/mutation_score-≥80%25-purple)](docs/testing/mutation-testing-baselines.md)
This repository hosts the StellaOps Concelier service, its plug-in ecosystem, and the
first-party CLI (`stellaops-cli`). Concelier ingests vulnerability advisories from

2
docs/09_API_CLI_REFERENCE.md
View File

@@ -898,6 +898,8 @@ Both commands honour CLI observability hooks: Spectre tables for human output, `
| `stellaops-cli graph explain` | Show reachability call path for a finding | `--finding <purl:cve>` (required)<br>`--scan-id <id>`<br>`--format table\|json` | Displays `latticeState`, call path with `symbol_id`/`code_id`, runtime hits, `graph_hash`, and DSSE attestation refs |
| `stellaops-cli graph export` | Export reachability graph bundle | `--scan-id <id>` (required)<br>`--output <dir>`<br>`--include-runtime` | Creates `richgraph-v1.json`, `.dsse`, `meta.json`, and optional `runtime-facts.ndjson` |
| `stellaops-cli graph verify` | Verify graph DSSE signature and Rekor entry | `--graph <path>` (required)<br>`--dsse <path>`<br>`--rekor-log` | Recomputes BLAKE3 hash, validates DSSE envelope, checks Rekor inclusion proof |
| `stellaops-cli proof verify` | Verify an artifact's proof chain | `<artifact>` (required)<br>`--sbom <file>`<br>`--vex <file>`<br>`--anchor <uuid>`<br>`--offline`<br>`--output text\|json`<br>`-v/-vv` | Validates proof spine, Merkle inclusion, VEX statements, and Rekor entries. Returns exit code 0 (pass), 1 (policy violation), or 2 (system error). Designed for CI/CD integration. |
| `stellaops-cli proof spine` | Display proof spine for an artifact | `<artifact>` (required)<br>`--format table\|json`<br>`--show-merkle` | Shows assembled proof spine with evidence statements, VEX verdicts, and Merkle tree structure. |
| `stellaops-cli replay verify` | Verify replay manifest determinism | `--manifest <path>` (required)<br>`--sealed`<br>`--verbose` | Recomputes all artifact hashes and compares against manifest; exit 0 on match |
| `stellaops-cli runtime policy test` | Ask Scanner.WebService for runtime verdicts (Webhook parity) | `--image/-i <digest>` (repeatable, comma/space lists supported)<br>`--file/-f <path>`<br>`--namespace/--ns <name>`<br>`--label/-l key=value` (repeatable)<br>`--json` | Posts to `POST /api/v1/scanner/policy/runtime`, deduplicates image digests, and prints TTL/policy revision plus per-image columns for signed state, SBOM referrers, quieted-by metadata, confidence, Rekor attestation (uuid + verified flag), and recently observed build IDs (shortened for readability). Accepts newline/whitespace-delimited stdin when piped; `--json` emits the raw response without additional logging. |

213
docs/airgap/offline-bundle-format.md Normal file
View File

@@ -0,0 +1,213 @@
# Offline Bundle Format (.stella.bundle.tgz)
> Sprint: SPRINT_3603_0001_0001
> Module: ExportCenter
This document describes the `.stella.bundle.tgz` format for portable, signed, verifiable evidence packages.
## Overview
The offline bundle is a self-contained archive containing all evidence and artifacts needed for offline triage of security findings. Bundles are:
- **Portable**: Single file that can be transferred to air-gapped environments
- **Signed**: DSSE-signed manifest for authenticity verification
- **Verifiable**: Content-addressable with SHA-256 hashes for integrity
- **Complete**: Contains all data needed for offline decision-making
## File Format
```
{alert-id}.stella.bundle.tgz
├── manifest.json # Bundle manifest (DSSE-signed)
├── metadata/
│ ├── alert.json # Alert metadata snapshot
│ └── generation-info.json # Bundle generation metadata
├── evidence/
│ ├── reachability-proof.json # Call-graph reachability evidence
│ ├── callstack.json # Exploitability call stacks
│ └── provenance.json # Build provenance attestations
├── vex/
│ ├── decisions.ndjson # VEX decision history (NDJSON)
│ └── current-status.json # Current VEX status
├── sbom/
│ ├── current.cdx.json # Current SBOM slice (CycloneDX)
│ └── baseline.cdx.json # Baseline SBOM for diff
├── diff/
│ └── sbom-delta.json # SBOM delta changes
└── attestations/
├── bundle.dsse.json # DSSE envelope for bundle
└── evidence.dsse.json # Evidence attestation chain
```
## Manifest Schema
The `manifest.json` file follows this schema:
```json
{
"bundle_format_version": "1.0.0",
"bundle_id": "abc123def456...",
"alert_id": "alert-789",
"created_at": "2024-12-15T10:00:00Z",
"created_by": "user@example.com",
"stellaops_version": "1.5.0",
"entries": [
{
"path": "metadata/alert.json",
"hash": "sha256:...",
"size": 1234,
"content_type": "application/json"
}
],
"root_hash": "sha256:...",
"signature": {
"algorithm": "ES256",
"key_id": "signing-key-001",
"value": "..."
}
}
```
### Manifest Fields
| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `bundle_format_version` | string | Yes | Format version (semver) |
| `bundle_id` | string | Yes | Unique bundle identifier |
| `alert_id` | string | Yes | Source alert identifier |
| `created_at` | ISO 8601 | Yes | Bundle creation timestamp (UTC) |
| `created_by` | string | Yes | Actor who created the bundle |
| `stellaops_version` | string | Yes | StellaOps version that created bundle |
| `entries` | array | Yes | List of content entries with hashes |
| `root_hash` | string | Yes | Merkle root of all entry hashes |
| `signature` | object | No | DSSE signature (if signed) |
## Entry Schema
Each entry in the manifest:
```json
{
"path": "evidence/reachability-proof.json",
"hash": "sha256:abc123...",
"size": 2048,
"content_type": "application/json",
"compression": null
}
```
## DSSE Signing
Bundles support DSSE (Dead Simple Signing Envelope) signing:
```json
{
"payloadType": "application/vnd.stellaops.bundle.manifest+json",
"payload": "<base64-encoded manifest>",
"signatures": [
{
"keyid": "signing-key-001",
"sig": "<base64-encoded signature>"
}
]
}
```
## Creation
### API Endpoint
```http
GET /v1/alerts/{alertId}/bundle
Authorization: Bearer <token>
Response: application/gzip
Content-Disposition: attachment; filename="alert-123.stella.bundle.tgz"
```
### Programmatic
```csharp
var packager = services.GetRequiredService<IOfflineBundlePackager>();
var result = await packager.CreateBundleAsync(new BundleRequest
{
AlertId = "alert-123",
ActorId = "user@example.com",
IncludeVexHistory = true,
IncludeSbomSlice = true
});
// result.Content contains the tarball stream
// result.ManifestHash contains the verification hash
```
## Verification
### API Endpoint
```http
POST /v1/alerts/{alertId}/bundle/verify
Content-Type: application/json
{
"bundle_hash": "sha256:abc123...",
"signature": "<optional DSSE signature>"
}
Response:
{
"is_valid": true,
"hash_valid": true,
"chain_valid": true,
"signature_valid": true,
"verified_at": "2024-12-15T10:00:00Z"
}
```
### Programmatic
```csharp
var verification = await packager.VerifyBundleAsync(
bundlePath: "/path/to/bundle.stella.bundle.tgz",
expectedHash: "sha256:abc123...");
if (!verification.IsValid)
{
Console.WriteLine($"Verification failed: {string.Join(", ", verification.Errors)}");
}
```
## CLI Usage
```bash
# Export bundle
stellaops alert bundle export --alert-id alert-123 --output ./bundles/
# Verify bundle
stellaops alert bundle verify --file ./bundles/alert-123.stella.bundle.tgz
# Import bundle (air-gapped instance)
stellaops alert bundle import --file ./bundles/alert-123.stella.bundle.tgz
```
## Security Considerations
1. **Hash Verification**: Always verify bundle hash before processing
2. **Signature Validation**: Verify DSSE signature if present
3. **Content Validation**: Validate JSON schemas after extraction
4. **Size Limits**: Enforce maximum bundle size limits (default: 100MB)
5. **Path Traversal**: Tarball extraction must prevent path traversal attacks
## Versioning
| Format Version | Changes | Min StellaOps Version |
|----------------|---------|----------------------|
| 1.0.0 | Initial format | 1.0.0 |
## Related Documentation
- [Evidence Bundle Envelope](./evidence-bundle-envelope.md)
- [DSSE Signing Guide](./dsse-signing.md)
- [Offline Kit Guide](../10_OFFLINE_KIT.md)
- [API Reference](../api/evidence-decision-api.openapi.yaml)

434
docs/api/evidence-decision-api.openapi.yaml Normal file
View File

@@ -0,0 +1,434 @@
openapi: 3.1.0
info:
title: StellaOps Evidence & Decision API
description: |
REST API for evidence retrieval and decision recording.
Sprint: SPRINT_3602_0001_0001
version: 1.0.0
license:
name: AGPL-3.0-or-later
url: https://www.gnu.org/licenses/agpl-3.0.html
servers:
- url: /v1
description: API v1
security:
- bearerAuth: []
paths:
/alerts:
get:
operationId: listAlerts
summary: List alerts with filtering and pagination
tags:
- Alerts
parameters:
- name: band
in: query
schema:
type: string
enum: [critical, high, medium, low, info]
- name: severity
in: query
schema:
type: string
- name: status
in: query
schema:
type: string
enum: [open, acknowledged, resolved, suppressed]
- name: artifactId
in: query
schema:
type: string
- name: vulnId
in: query
schema:
type: string
- name: componentPurl
in: query
schema:
type: string
- name: limit
in: query
schema:
type: integer
default: 50
maximum: 500
- name: offset
in: query
schema:
type: integer
default: 0
responses:
'200':
description: Alert list
content:
application/json:
schema:
$ref: '#/components/schemas/AlertListResponse'
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
/alerts/{alertId}:
get:
operationId: getAlert
summary: Get alert details
tags:
- Alerts
parameters:
- $ref: '#/components/parameters/alertId'
responses:
'200':
description: Alert details
content:
application/json:
schema:
$ref: '#/components/schemas/AlertSummary'
'404':
$ref: '#/components/responses/NotFound'
/alerts/{alertId}/evidence:
get:
operationId: getAlertEvidence
summary: Get evidence bundle for an alert
tags:
- Evidence
parameters:
- $ref: '#/components/parameters/alertId'
responses:
'200':
description: Evidence payload
content:
application/json:
schema:
$ref: '#/components/schemas/EvidencePayloadResponse'
'404':
$ref: '#/components/responses/NotFound'
/alerts/{alertId}/decisions:
post:
operationId: recordDecision
summary: Record a decision for an alert
tags:
- Decisions
parameters:
- $ref: '#/components/parameters/alertId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/DecisionRequest'
responses:
'201':
description: Decision recorded
content:
application/json:
schema:
$ref: '#/components/schemas/DecisionResponse'
'404':
$ref: '#/components/responses/NotFound'
'400':
$ref: '#/components/responses/BadRequest'
/alerts/{alertId}/audit:
get:
operationId: getAlertAudit
summary: Get audit timeline for an alert
tags:
- Audit
parameters:
- $ref: '#/components/parameters/alertId'
responses:
'200':
description: Audit timeline
content:
application/json:
schema:
$ref: '#/components/schemas/AuditTimelineResponse'
'404':
$ref: '#/components/responses/NotFound'
/alerts/{alertId}/bundle:
get:
operationId: downloadAlertBundle
summary: Download evidence bundle as tar.gz
tags:
- Bundles
parameters:
- $ref: '#/components/parameters/alertId'
responses:
'200':
description: Evidence bundle file
content:
application/gzip:
schema:
type: string
format: binary
'404':
$ref: '#/components/responses/NotFound'
/alerts/{alertId}/bundle/verify:
post:
operationId: verifyAlertBundle
summary: Verify evidence bundle integrity
tags:
- Bundles
parameters:
- $ref: '#/components/parameters/alertId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/BundleVerificationRequest'
responses:
'200':
description: Verification result
content:
application/json:
schema:
$ref: '#/components/schemas/BundleVerificationResponse'
'404':
$ref: '#/components/responses/NotFound'
components:
securitySchemes:
bearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
parameters:
alertId:
name: alertId
in: path
required: true
schema:
type: string
description: Alert identifier
responses:
BadRequest:
description: Bad request
content:
application/problem+json:
schema:
$ref: '#/components/schemas/ProblemDetails'
Unauthorized:
description: Unauthorized
NotFound:
description: Resource not found
schemas:
AlertListResponse:
type: object
required:
- items
- total_count
properties:
items:
type: array
items:
$ref: '#/components/schemas/AlertSummary'
total_count:
type: integer
next_page_token:
type: string
AlertSummary:
type: object
required:
- alert_id
- artifact_id
- vuln_id
- severity
- band
- status
- created_at
properties:
alert_id:
type: string
artifact_id:
type: string
vuln_id:
type: string
component_purl:
type: string
severity:
type: string
band:
type: string
enum: [critical, high, medium, low, info]
status:
type: string
enum: [open, acknowledged, resolved, suppressed]
score:
type: number
format: double
created_at:
type: string
format: date-time
updated_at:
type: string
format: date-time
decision_count:
type: integer
EvidencePayloadResponse:
type: object
required:
- alert_id
properties:
alert_id:
type: string
reachability:
$ref: '#/components/schemas/EvidenceSection'
callstack:
$ref: '#/components/schemas/EvidenceSection'
vex:
$ref: '#/components/schemas/EvidenceSection'
EvidenceSection:
type: object
properties:
data:
type: object
hash:
type: string
source:
type: string
DecisionRequest:
type: object
required:
- decision
- rationale
properties:
decision:
type: string
enum: [accept_risk, mitigate, suppress, escalate]
rationale:
type: string
minLength: 10
maxLength: 2000
justification_code:
type: string
metadata:
type: object
DecisionResponse:
type: object
required:
- decision_id
- alert_id
- decision
- recorded_at
properties:
decision_id:
type: string
alert_id:
type: string
decision:
type: string
rationale:
type: string
recorded_at:
type: string
format: date-time
recorded_by:
type: string
replay_token:
type: string
AuditTimelineResponse:
type: object
required:
- alert_id
- events
- total_count
properties:
alert_id:
type: string
events:
type: array
items:
$ref: '#/components/schemas/AuditEvent'
total_count:
type: integer
AuditEvent:
type: object
required:
- event_id
- event_type
- timestamp
properties:
event_id:
type: string
event_type:
type: string
timestamp:
type: string
format: date-time
actor:
type: string
details:
type: object
replay_token:
type: string
BundleVerificationRequest:
type: object
required:
- bundle_hash
properties:
bundle_hash:
type: string
description: SHA-256 hash of the bundle
signature:
type: string
description: Optional DSSE signature
BundleVerificationResponse:
type: object
required:
- alert_id
- is_valid
- verified_at
properties:
alert_id:
type: string
is_valid:
type: boolean
verified_at:
type: string
format: date-time
signature_valid:
type: boolean
hash_valid:
type: boolean
chain_valid:
type: boolean
errors:
type: array
items:
type: string
ProblemDetails:
type: object
properties:
type:
type: string
title:
type: string
status:
type: integer
detail:
type: string
instance:
type: string

325
docs/api/smart-diff-types.md Normal file
View File

@@ -0,0 +1,325 @@
# Smart-Diff API Types
> Sprint: SPRINT_3500_0002_0001
> Module: Scanner, Policy, Attestor
This document describes the Smart-Diff types exposed through APIs.
## Smart-Diff Predicate
The Smart-Diff predicate is a DSSE-signed attestation describing differential analysis between two scans.
### Predicate Type URI
```
stellaops.dev/predicates/smart-diff@v1
```
### OpenAPI Schema Fragment
```yaml
SmartDiffPredicate:
type: object
required:
- schemaVersion
- baseImage
- targetImage
- diff
- reachabilityGate
- scanner
properties:
schemaVersion:
type: string
pattern: "^[0-9]+\\.[0-9]+\\.[0-9]+$"
example: "1.0.0"
description: Schema version (semver)
baseImage:
$ref: '#/components/schemas/ImageReference'
targetImage:
$ref: '#/components/schemas/ImageReference'
diff:
$ref: '#/components/schemas/DiffPayload'
reachabilityGate:
$ref: '#/components/schemas/ReachabilityGate'
scanner:
$ref: '#/components/schemas/ScannerInfo'
context:
$ref: '#/components/schemas/RuntimeContext'
suppressedCount:
type: integer
minimum: 0
description: Number of findings suppressed by pre-filters
materialChanges:
type: array
items:
$ref: '#/components/schemas/MaterialChange'
ImageReference:
type: object
required:
- digest
properties:
digest:
type: string
pattern: "^sha256:[a-f0-9]{64}$"
example: "sha256:abc123..."
repository:
type: string
example: "ghcr.io/org/image"
tag:
type: string
example: "v1.2.3"
DiffPayload:
type: object
required:
- added
- removed
- modified
properties:
added:
type: array
items:
$ref: '#/components/schemas/DiffEntry'
description: New vulnerabilities in target
removed:
type: array
items:
$ref: '#/components/schemas/DiffEntry'
description: Vulnerabilities fixed in target
modified:
type: array
items:
$ref: '#/components/schemas/DiffEntry'
description: Changed vulnerability status
DiffEntry:
type: object
required:
- vulnId
- componentPurl
properties:
vulnId:
type: string
example: "CVE-2024-1234"
componentPurl:
type: string
example: "pkg:npm/lodash@4.17.21"
severity:
type: string
enum: [CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN]
changeType:
type: string
enum: [added, removed, severity_changed, status_changed]
ReachabilityGate:
type: object
required:
- class
- isSinkReachable
- isEntryReachable
properties:
class:
type: integer
minimum: 0
maximum: 7
description: |
3-bit reachability class:
- Bit 0: Entry point reachable
- Bit 1: Sink reachable
- Bit 2: Direct path exists
isSinkReachable:
type: boolean
description: Whether a sensitive sink is reachable
isEntryReachable:
type: boolean
description: Whether an entry point is reachable
sinkCategory:
type: string
enum: [file, network, crypto, command, sql, ldap, xpath, ssrf, log, deserialization, reflection]
description: Category of the matched sink
ScannerInfo:
type: object
required:
- name
- version
properties:
name:
type: string
example: "stellaops-scanner"
version:
type: string
example: "1.5.0"
commit:
type: string
example: "abc123"
RuntimeContext:
type: object
additionalProperties: true
description: Optional runtime context for the scan
example:
env: "production"
namespace: "default"
cluster: "us-east-1"
MaterialChange:
type: object
properties:
type:
type: string
enum: [file, package, config]
path:
type: string
hash:
type: string
changeKind:
type: string
enum: [added, removed, modified]
```
## Reachability Gate Classes
| Class | Entry | Sink | Direct | Description |
|-------|-------|------|--------|-------------|
| 0 | ❌ | ❌ | ❌ | Not reachable |
| 1 | ✅ | ❌ | ❌ | Entry point only |
| 2 | ❌ | ✅ | ❌ | Sink only |
| 3 | ✅ | ✅ | ❌ | Both, no direct path |
| 4 | ❌ | ❌ | ✅ | Direct path, no endpoints |
| 5 | ✅ | ❌ | ✅ | Entry + direct |
| 6 | ❌ | ✅ | ✅ | Sink + direct |
| 7 | ✅ | ✅ | ✅ | Full reachability confirmed |
## Sink Categories
| Category | Description | Examples |
|----------|-------------|----------|
| `file` | File system operations | `File.Open`, `fopen` |
| `network` | Network I/O | `HttpClient`, `socket` |
| `crypto` | Cryptographic operations | `SHA256`, `AES` |
| `command` | Command execution | `Process.Start`, `exec` |
| `sql` | SQL queries | `SqlCommand`, query builders |
| `ldap` | LDAP operations | `DirectoryEntry` |
| `xpath` | XPath queries | `XPathNavigator` |
| `ssrf` | Server-side request forgery | HTTP clients with user input |
| `log` | Logging operations | `ILogger`, `Console.Write` |
| `deserialization` | Deserialization | `JsonSerializer`, `BinaryFormatter` |
| `reflection` | Reflection operations | `Type.GetType`, `Assembly.Load` |
## Suppression Rules
### OpenAPI Schema Fragment
```yaml
SuppressionRule:
type: object
required:
- id
- type
properties:
id:
type: string
description: Unique rule identifier
type:
type: string
enum:
- cve_pattern
- purl_pattern
- severity_below
- patch_churn
- sink_category
- reachability_class
pattern:
type: string
description: Regex pattern (for pattern rules)
threshold:
type: string
description: Threshold value (for severity/class rules)
enabled:
type: boolean
default: true
reason:
type: string
description: Human-readable reason for suppression
expires:
type: string
format: date-time
description: Optional expiration timestamp
SuppressionResult:
type: object
properties:
suppressed:
type: boolean
matchedRuleId:
type: string
reason:
type: string
```
## Usage Examples
### Creating a Smart-Diff Predicate
```csharp
var predicate = new SmartDiffPredicate
{
SchemaVersion = "1.0.0",
BaseImage = new ImageReference
{
Digest = "sha256:abc123...",
Repository = "ghcr.io/org/image",
Tag = "v1.0.0"
},
TargetImage = new ImageReference
{
Digest = "sha256:def456...",
Repository = "ghcr.io/org/image",
Tag = "v1.1.0"
},
Diff = new DiffPayload
{
Added = [new DiffEntry { VulnId = "CVE-2024-1234", ... }],
Removed = [],
Modified = []
},
ReachabilityGate = new ReachabilityGate
{
Class = 7,
IsSinkReachable = true,
IsEntryReachable = true,
SinkCategory = SinkCategory.Network
},
Scanner = new ScannerInfo
{
Name = "stellaops-scanner",
Version = "1.5.0"
},
SuppressedCount = 5
};
```
### Evaluating Suppression Rules
```csharp
var evaluator = services.GetRequiredService<ISuppressionRuleEvaluator>();
var result = await evaluator.EvaluateAsync(finding, rules);
if (result.Suppressed)
{
logger.LogInformation(
"Finding {VulnId} suppressed by rule {RuleId}: {Reason}",
finding.VulnId,
result.MatchedRuleId,
result.Reason);
}
```
## Related Documentation
- [Smart-Diff Technical Reference](../product-advisories/14-Dec-2025%20-%20Smart-Diff%20Technical%20Reference.md)
- [Scanner Architecture](../modules/scanner/architecture.md)
- [Policy Architecture](../modules/policy/architecture.md)

191
docs/benchmarks/fidelity-metrics.md Normal file
View File

@@ -0,0 +1,191 @@
# Fidelity Metrics Framework
> Sprint: SPRINT_3403_0001_0001_fidelity_metrics
This document describes the three-tier fidelity metrics framework for measuring deterministic reproducibility in StellaOps scanner outputs.
## Overview
Fidelity metrics quantify how consistently the scanner produces outputs across replay runs. The framework provides three tiers of measurement, each capturing different aspects of reproducibility:
| Metric | Abbrev. | Description | Target |
|--------|---------|-------------|--------|
| Bitwise Fidelity | BF | Byte-for-byte identical outputs | ≥ 0.98 |
| Semantic Fidelity | SF | Normalized object equivalence | ≥ 0.99 |
| Policy Fidelity | PF | Policy decision consistency | ≈ 1.0 |
## Metric Definitions
### Bitwise Fidelity (BF)
Measures the proportion of replay runs that produce byte-for-byte identical outputs.
```
BF = identical_outputs / total_replays
```
**What it captures:**
- SHA-256 hash equivalence of all output artifacts
- Timestamp consistency
- JSON formatting consistency
- Field ordering consistency
**When BF < 1.0:**
- Timestamps embedded in outputs
- Non-deterministic field ordering
- Floating-point rounding differences
- Random identifiers (UUIDs)
### Semantic Fidelity (SF)
Measures the proportion of replay runs that produce semantically equivalent outputs, ignoring formatting differences.
```
SF = semantic_matches / total_replays
```
**What it compares:**
- Package PURLs and versions
- CVE identifiers
- Severity levels (normalized to uppercase)
- VEX verdicts
- Reason codes
**When SF < 1.0 but BF = SF:**
- No actual content differences
- Only formatting differences
**When SF < 1.0:**
- Different packages detected
- Different CVEs matched
- Different severity assignments
### Policy Fidelity (PF)
Measures the proportion of replay runs that produce matching policy decisions.
```
PF = policy_matches / total_replays
```
**What it compares:**
- Final pass/fail decision
- Reason codes (sorted for comparison)
- Policy rule triggering
**When PF < 1.0:**
- Policy outcome differs between runs
- Indicates a non-determinism bug that affects user-visible decisions
## Prometheus Metrics
The fidelity framework exports the following metrics:
| Metric Name | Type | Labels | Description |
|-------------|------|--------|-------------|
| `fidelity_bitwise_ratio` | Gauge | tenant_id, surface_id | Bitwise fidelity ratio |
| `fidelity_semantic_ratio` | Gauge | tenant_id, surface_id | Semantic fidelity ratio |
| `fidelity_policy_ratio` | Gauge | tenant_id, surface_id | Policy fidelity ratio |
| `fidelity_total_replays` | Gauge | tenant_id, surface_id | Number of replays |
| `fidelity_slo_breach_total` | Counter | breach_type, tenant_id | SLO breach count |
## SLO Thresholds
Default SLO thresholds (configurable):
| Metric | Warning | Critical |
|--------|---------|----------|
| Bitwise Fidelity | < 0.98 | < 0.90 |
| Semantic Fidelity | < 0.99 | < 0.95 |
| Policy Fidelity | < 1.0 | < 0.99 |
## Integration with DeterminismReport
Fidelity metrics are integrated into the `DeterminismReport` record:
```csharp
public sealed record DeterminismReport(
// ... existing fields ...
FidelityMetrics? Fidelity = null);
public sealed record DeterminismImageReport(
// ... existing fields ...
FidelityMetrics? Fidelity = null);
```
## Usage Example
```csharp
// Create fidelity metrics service
var service = new FidelityMetricsService(
new BitwiseFidelityCalculator(),
new SemanticFidelityCalculator(),
new PolicyFidelityCalculator());
// Compute fidelity from baseline and replays
var baseline = LoadScanResult("scan-baseline.json");
var replays = LoadReplayScanResults();
var fidelity = service.Compute(baseline, replays);
// Check thresholds
if (fidelity.BitwiseFidelity < 0.98)
{
logger.LogWarning("BF below threshold: {BF}", fidelity.BitwiseFidelity);
}
// Include in determinism report
var report = new DeterminismReport(
// ... other fields ...
Fidelity: fidelity);
```
## Mismatch Diagnostics
When fidelity is below threshold, the framework provides diagnostic information:
```csharp
public sealed record FidelityMismatch
{
public required int RunIndex { get; init; }
public required FidelityMismatchType Type { get; init; }
public required string Description { get; init; }
public IReadOnlyList<string>? AffectedArtifacts { get; init; }
}
public enum FidelityMismatchType
{
BitwiseOnly, // Hash differs but content equivalent
SemanticOnly, // Content differs but policy matches
PolicyDrift // Policy decision differs
}
```
## Configuration
Configure fidelity options via `FidelityThresholds`:
```json
{
"Fidelity": {
"BitwiseThreshold": 0.98,
"SemanticThreshold": 0.99,
"PolicyThreshold": 1.0,
"EnableDiagnostics": true,
"MaxMismatchesRecorded": 100
}
}
```
## Related Documentation
- [Determinism and Reproducibility Technical Reference](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)
- [Determinism Scoring Foundations Sprint](../implplan/SPRINT_3401_0001_0001_determinism_scoring_foundations.md)
- [Scanner Architecture](../modules/scanner/architecture.md)
## Source Files
- `src/Scanner/StellaOps.Scanner.Worker/Determinism/FidelityMetrics.cs`
- `src/Scanner/StellaOps.Scanner.Worker/Determinism/FidelityMetricsService.cs`
- `src/Scanner/StellaOps.Scanner.Worker/Determinism/Calculators/`
- `src/Telemetry/StellaOps.Telemetry.Core/FidelityMetricsTelemetry.cs`
- `src/Telemetry/StellaOps.Telemetry.Core/FidelitySloAlertingService.cs`

39
docs/implplan/SPRINT_0341_0001_0001_ttfs_enhancements.md
View File

@@ -39,18 +39,18 @@ This sprint delivers enhancements to the TTFS system including predictive failur
| T1 | Create `failure_signatures` table | Agent | DONE | Added to scheduler.sql |
| T2 | Create `IFailureSignatureRepository` | Agent | DONE | Interface + Postgres impl |
| T3 | Implement `FailureSignatureIndexer` | Agent | DONE | Background indexer service |
| T4 | Integrate signatures into FirstSignal | — | TODO | lastKnownOutcome |
| T5 | Add "Verify locally" commands to EvidencePanel | — | TODO | Copy affordances |
| T6 | Create ProofSpine sub-component | — | TODO | Bundle hashes |
| T7 | Create verification command templates | — | TODO | Cosign/Rekor |
| T8 | Create micro-interactions.spec.ts | — | TODO | Playwright tests |
| T9 | Create TTFS Grafana dashboard | — | TODO | Observability |
| T10 | Create TTFS alert rules | — | TODO | SLO monitoring |
| T11 | Update documentation | — | TODO | Cross-links |
| T12 | Create secondary metrics tracking | — | TODO | Open→Action, bounce rate |
| T13 | Create load test suite | — | TODO | k6 tests for /first-signal |
| T14 | Add one-click evidence export | — | TODO | Export .tar.gz bundle |
| T15 | Create deterministic test fixtures | — | TODO | Frozen time, seeded RNG |
| T4 | Integrate signatures into FirstSignal | — | BLOCKED | Requires cross-module integration design (Orchestrator -> Scheduler). Added GetBestMatchAsync to IFailureSignatureRepository. Need abstraction/client pattern. |
| T5 | Add "Verify locally" commands to EvidencePanel | Agent | DONE | Copy affordances |
| T6 | Create ProofSpine sub-component | Agent | DONE | Bundle hashes |
| T7 | Create verification command templates | Agent | DONE | Cosign/Rekor |
| T8 | Create micro-interactions.spec.ts | Agent | DONE | Playwright tests in tests/e2e/playwright/evidence-panel-micro-interactions.spec.ts |
| T9 | Create TTFS Grafana dashboard | Agent | DONE | Created ttfs-observability.json |
| T10 | Create TTFS alert rules | Agent | DONE | Created ttfs-alerts.yaml |
| T11 | Update documentation | Agent | DONE | Added observability section to ttfs-architecture.md |
| T12 | Create secondary metrics tracking | Agent | DONE | EvidencePanelMetricsService: Open→Action, bounce rate in src/Web/.../core/analytics/ |
| T13 | Create load test suite | Agent | DONE | Created tests/load/ttfs-load-test.js |
| T14 | Add one-click evidence export | Agent | DONE | onExportEvidenceBundle() in EvidencePanel, exportEvidenceBundle API |
| T15 | Create deterministic test fixtures | Agent | DONE | DeterministicTestFixtures.cs + TypeScript fixtures |
---
@@ -1881,6 +1881,7 @@ export async function setupPlaywrightDeterministic(page: Page): Promise<void> {
| Signature table growth | 90-day retention policy, prune job | |
| Regex extraction misses patterns | Allow manual token override | |
| Clipboard not available | Show modal with selectable text | |
| **T4 cross-module dependency** | FirstSignalService (Orchestrator) needs IFailureSignatureRepository (Scheduler). Needs abstraction/client pattern or shared interface. Added GetBestMatchAsync to repository. Design decision pending. | Architect |
---
@@ -1894,3 +1895,17 @@ export async function setupPlaywrightDeterministic(page: Page): Promise<void> {
- [ ] Grafana dashboard imports without errors
- [ ] Alerts fire correctly in staging
- [ ] Documentation cross-linked
---
## 6. Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-16 | T4: Added `GetBestMatchAsync` to `IFailureSignatureRepository` and implemented in Postgres repository. Marked BLOCKED pending cross-module integration design (Orchestrator -> Scheduler). | Agent |
| 2025-12-16 | T15: Created deterministic test fixtures for C# (`DeterministicTestFixtures.cs`) and TypeScript (`deterministic-fixtures.ts`) with frozen timestamps, seeded RNG, and pre-generated UUIDs. | Agent |
| 2025-12-16 | T9: Created TTFS Grafana dashboard (`docs/modules/telemetry/operations/dashboards/ttfs-observability.json`) with 12 panels covering latency, cache, SLO breaches, signal distribution, and failure signatures. | Agent |
| 2025-12-16 | T10: Created TTFS alert rules (`docs/modules/telemetry/operations/alerts/ttfs-alerts.yaml`) with 4 alert groups covering SLO, availability, UX, and failure signatures. | Agent |
| 2025-12-16 | T11: Updated `docs/modules/telemetry/ttfs-architecture.md` with new Section 12 (Observability) covering dashboard, alerts, and load testing references. | Agent |
| 2025-12-16 | T13: Created k6 load test suite (`tests/load/ttfs-load-test.js`) with sustained, spike, and soak scenarios; thresholds per Advisory §12.4. | Agent |

26
docs/implplan/SPRINT_0342_0001_0001_evidence_reconciliation.md
View File

@@ -58,16 +58,16 @@ Per advisory §5:
| T3 | Create digest normalization (sha256:... format) | DONE | Agent | Implemented via `ArtifactIndex.NormalizeDigest` + unit tests. |
| **Step 2: Evidence Collection** | | | | |
| T4 | Design `EvidenceCollection` model | DONE | Agent | Implemented via `ArtifactEntry` + `SbomReference`/`AttestationReference`/`VexReference` records. |
| T5 | Implement SBOM collector (CycloneDX, SPDX) | TODO | | |
| T6 | Implement attestation collector | TODO | | |
| T7 | Integrate with `DsseVerifier` for validation | TODO | | |
| T8 | Integrate with Rekor offline verifier | TODO | | |
| T5 | Implement SBOM collector (CycloneDX, SPDX) | DONE | Agent | `CycloneDxParser`, `SpdxParser`, `SbomParserFactory`, `SbomCollector` in Reconciliation/Parsers. |
| T6 | Implement attestation collector | DONE | Agent | `IAttestationParser`, `DsseAttestationParser`, `AttestationCollector` in Reconciliation/Parsers. |
| T7 | Integrate with `DsseVerifier` for validation | DONE | Agent | `AttestationCollector` integrates with `DsseVerifier` for DSSE signature verification. |
| T8 | Integrate with Rekor offline verifier | BLOCKED | Agent | Rekor offline verifier not found in AirGap module. Attestor module has online RekorBackend. Need offline Merkle proof verifier. |
| **Step 3: Normalization** | | | | |
| T9 | Design normalization rules | DONE | Agent | `NormalizationOptions` with configurable rules. |
| T10 | Implement stable JSON sorting | DONE | Agent | `JsonNormalizer.NormalizeObject()` with ordinal key sorting. |
| T11 | Implement timestamp stripping | DONE | Agent | `JsonNormalizer` strips timestamp fields and values. |
| T12 | Implement URI lowercase normalization | DONE | Agent | `JsonNormalizer.NormalizeValue()` lowercases URIs. |
| T13 | Create canonical SBOM transformer | TODO | | |
| T13 | Create canonical SBOM transformer | DONE | Agent | `SbomNormalizer` with format-specific normalization for CycloneDX/SPDX. |
| **Step 4: Lattice Rules** | | | | |
| T14 | Design `SourcePrecedence` lattice | DONE | Agent | `SourcePrecedence` enum (vendor > maintainer > 3rd-party) introduced in reconciliation models. |
| T15 | Implement VEX merge with precedence | DONE | Agent | `SourcePrecedenceLattice.Merge()` implements lattice-based merging. |
@@ -77,13 +77,13 @@ Per advisory §5:
| T18 | Design `EvidenceGraph` schema | DONE | Agent | `EvidenceGraph`, `EvidenceNode`, `EvidenceEdge` models. |
| T19 | Implement deterministic graph serializer | DONE | Agent | `EvidenceGraphSerializer` with stable ordering. |
| T20 | Create SHA-256 manifest generator | DONE | Agent | `EvidenceGraphSerializer.ComputeHash()` writes `evidence-graph.sha256`. |
| T21 | Integrate DSSE signing for output | TODO | | |
| T21 | Integrate DSSE signing for output | BLOCKED | Agent | Signer module (`StellaOps.Signer`) is separate from AirGap. Need cross-module integration pattern or abstraction. |
| **Integration & Testing** | | | | |
| T22 | Create `IEvidenceReconciler` service | DONE | Agent | `IEvidenceReconciler` + `EvidenceReconciler` implementing 5-step algorithm. |
| T23 | Wire to CLI `verify offline` command | TODO | | |
| T24 | Write golden-file tests | TODO | | Determinism |
| T25 | Write property-based tests | TODO | | Lattice properties |
| T26 | Update documentation | TODO | | |
| T23 | Wire to CLI `verify offline` command | BLOCKED | Agent | CLI module (`StellaOps.Cli`) is separate from AirGap. Sprint 0339 covers CLI offline commands. |
| T24 | Write golden-file tests | DONE | Agent | `CycloneDxParserTests`, `SpdxParserTests`, `DsseAttestationParserTests` with fixtures. |
| T25 | Write property-based tests | DONE | Agent | `SourcePrecedenceLatticePropertyTests` verifying lattice algebraic properties. |
| T26 | Update documentation | DONE | Agent | Created `docs/modules/airgap/evidence-reconciliation.md`. |
---
@@ -980,6 +980,10 @@ public sealed record ReconciliationResult(
| 2025-12-15 | Implemented `ArtifactIndex` + canonical digest normalization (`T1`, `T3`) with unit tests. | Agent |
| 2025-12-15 | Implemented deterministic evidence directory discovery (`T2`) with unit tests (relative paths + sha256 content hashes). | Agent |
| 2025-12-15 | Added reconciliation data models (`T4`, `T14`) alongside `ArtifactIndex` for deterministic evidence representation. | Agent |
| 2025-12-16 | Implemented SBOM collector with CycloneDX/SPDX parsers (`T5`), attestation collector with DSSE parser (`T6`), canonical SBOM transformer (`T13`), and golden-file tests (`T24`). Added test fixtures. | Agent |
| 2025-12-16 | Implemented property-based tests for lattice algebraic properties (`T25`): commutativity, associativity, idempotence, absorption laws, and merge determinism. | Agent |
| 2025-12-16 | Created evidence reconciliation documentation (`T26`) in `docs/modules/airgap/evidence-reconciliation.md`. | Agent |
| 2025-12-16 | Integrated DsseVerifier into AttestationCollector (`T7`). Marked T8, T21, T23 as BLOCKED pending cross-module integration patterns. | Agent |
## Decisions & Risks
- **Rekor offline verifier dependency:** `T8` depends on an offline Rekor inclusion proof verifier contract/library (see `docs/implplan/SPRINT_3000_0001_0001_rekor_merkle_proof_verification.md`).
@@ -993,7 +997,7 @@ public sealed record ReconciliationResult(
## Action Tracker
| Date (UTC) | Action | Owner | Status |
| --- | --- | --- | --- |
| 2025-12-15 | Confirm offline Rekor verification contract and mirror format; then unblock `T8`. | Attestor/Platform Guilds | TODO |
| 2025-12-15 | Confirm offline Rekor verification contract and mirror format; then unblock `T8`. | Attestor/Platform Guilds | PENDING-REVIEW |
## Next Checkpoints
- After `T1`/`T3`: `ArtifactIndex` canonical digest normalization covered by unit tests.

12
docs/implplan/SPRINT_0352_0001_0001_security_testing_framework.md
View File

@@ -55,14 +55,14 @@ Read before implementation:
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | SEC-0352-001 | DONE | None | Security | Create `tests/security/` directory structure and base classes |
| 2 | SEC-0352-002 | DONE | After #1 | Security | Implement A01: Broken Access Control tests for Authority |
| 3 | SEC-0352-003 | TODO | After #1 | Security | Implement A02: Cryptographic Failures tests for Signer |
| 3 | SEC-0352-003 | DONE | After #1 | Security | Implement A02: Cryptographic Failures tests for Signer |
| 4 | SEC-0352-004 | DONE | After #1 | Security | Implement A03: Injection tests (SQL, Command, ORM) |
| 5 | SEC-0352-005 | TODO | After #1 | Security | Implement A07: Authentication Failures tests |
| 5 | SEC-0352-005 | DONE | After #1 | Security | Implement A07: Authentication Failures tests |
| 6 | SEC-0352-006 | DONE | After #1 | Security | Implement A10: SSRF tests for Scanner and Concelier |
| 7 | SEC-0352-007 | TODO | After #2-6 | Security | Implement A05: Security Misconfiguration tests |
| 8 | SEC-0352-008 | TODO | After #2-6 | Security | Implement A08: Software/Data Integrity tests |
| 9 | SEC-0352-009 | TODO | After #7-8 | Platform | Add security test job to CI workflow |
| 10 | SEC-0352-010 | TODO | After #9 | Security | Create `docs/testing/security-testing-guide.md` |
| 7 | SEC-0352-007 | DONE | After #2-6 | Security | Implement A05: Security Misconfiguration tests |
| 8 | SEC-0352-008 | DONE | After #2-6 | Security | Implement A08: Software/Data Integrity tests |
| 9 | SEC-0352-009 | DONE | After #7-8 | Platform | Add security test job to CI workflow |
| 10 | SEC-0352-010 | DONE | After #9 | Security | Create `docs/testing/security-testing-guide.md` |
## Wave Coordination

8
docs/implplan/SPRINT_0353_0001_0001_mutation_testing_integration.md
View File

@@ -66,12 +66,12 @@ Read before implementation:
| 2 | MUT-0353-002 | DONE | After #1 | Scanner | Configure Stryker for Scanner.Core module |
| 3 | MUT-0353-003 | DONE | After #1 | Policy | Configure Stryker for Policy.Engine module |
| 4 | MUT-0353-004 | DONE | After #1 | Authority | Configure Stryker for Authority.Core module |
| 5 | MUT-0353-005 | TODO | After #2-4 | Platform | Run initial mutation testing, establish baselines |
| 5 | MUT-0353-005 | DONE | After #2-4 | Platform | Run initial mutation testing, establish baselines |
| 6 | MUT-0353-006 | DONE | After #5 | Platform | Create mutation score threshold configuration |
| 7 | MUT-0353-007 | TODO | After #6 | Platform | Add mutation testing job to CI workflow |
| 8 | MUT-0353-008 | TODO | After #2-4 | Platform | Configure Stryker for secondary modules (Signer, Attestor) |
| 7 | MUT-0353-007 | DONE | After #6 | Platform | Add mutation testing job to CI workflow |
| 8 | MUT-0353-008 | DONE | After #2-4 | Platform | Configure Stryker for secondary modules (Signer, Attestor) |
| 9 | MUT-0353-009 | DONE | After #7 | Platform | Create `docs/testing/mutation-testing-guide.md` |
| 10 | MUT-0353-010 | TODO | After #9 | Platform | Add mutation score badges and reporting |
| 10 | MUT-0353-010 | DONE | After #9 | Platform | Add mutation score badges and reporting |
## Wave Coordination

8
docs/implplan/SPRINT_0354_0001_0001_testing_quality_guardrails_index.md
View File

@@ -24,10 +24,10 @@ This sprint is a coordination/index sprint for the Testing Quality Guardrails sp
| Sprint | Title | Tasks | Status | Dependencies |
|--------|-------|-------|--------|--------------|
| 0350 | CI Quality Gates Foundation | 10 | TODO | None |
| 0351 | SCA Failure Catalogue Completion | 10 | TODO | None (parallel with 0350) |
| 0352 | Security Testing Framework | 10 | TODO | None (parallel with 0350/0351) |
| 0353 | Mutation Testing Integration | 10 | TODO | After 0352 (soft) |
| 0350 | CI Quality Gates Foundation | 10 | DONE | None |
| 0351 | SCA Failure Catalogue Completion | 10 | DONE | None (parallel with 0350) |
| 0352 | Security Testing Framework | 10 | DONE | None (parallel with 0350/0351) |
| 0353 | Mutation Testing Integration | 10 | DONE | After 0352 (soft) |
---

2
docs/implplan/SPRINT_0501_0002_0001_proof_chain_content_addressed_ids.md
View File

@@ -393,7 +393,7 @@ public interface ISubjectExtractor
| 12 | PROOF-ID-0012 | DONE | Task 1 | Attestor Guild | Create all predicate record types (Evidence, Reasoning, VEX, ProofSpine) |
| 13 | PROOF-ID-0013 | DONE | Task 2-12 | QA Guild | Unit tests for all ID generation (determinism verification) |
| 14 | PROOF-ID-0014 | DONE | Task 13 | QA Guild | Property-based tests for canonicalization stability |
| 15 | PROOF-ID-0015 | TODO | Task 13 | Docs Guild | Document ID format specifications in module architecture |
| 15 | PROOF-ID-0015 | DONE | Task 13 | Docs Guild | Document ID format specifications in module architecture |
## Test Specifications

29
docs/implplan/SPRINT_0501_0003_0001_proof_chain_dsse_predicates.md
View File

@@ -553,17 +553,17 @@ public sealed record SignatureVerificationResult
| # | Task ID | Status | Key Dependency / Next Step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | PROOF-PRED-0001 | TODO | Sprint 0501.2 complete | Attestor Guild | Create base `InTotoStatement` abstract record |
| 2 | PROOF-PRED-0002 | TODO | Task 1 | Attestor Guild | Implement `EvidenceStatement` and `EvidencePayload` |
| 3 | PROOF-PRED-0003 | TODO | Task 1 | Attestor Guild | Implement `ReasoningStatement` and `ReasoningPayload` |
| 4 | PROOF-PRED-0004 | TODO | Task 1 | Attestor Guild | Implement `VexVerdictStatement` and `VexVerdictPayload` |
| 5 | PROOF-PRED-0005 | TODO | Task 1 | Attestor Guild | Implement `ProofSpineStatement` and `ProofSpinePayload` |
| 6 | PROOF-PRED-0006 | TODO | Task 1 | Attestor Guild | Implement `VerdictReceiptStatement` and `VerdictReceiptPayload` |
| 7 | PROOF-PRED-0007 | TODO | Task 1 | Attestor Guild | Implement `SbomLinkageStatement` and `SbomLinkagePayload` |
| 8 | PROOF-PRED-0008 | TODO | Task 2-7 | Attestor Guild | Implement `IStatementBuilder` with factory methods |
| 9 | PROOF-PRED-0009 | TODO | Task 8 | Attestor Guild | Implement `IProofChainSigner` integration with existing Signer |
| 10 | PROOF-PRED-0010 | TODO | Task 2-7 | Attestor Guild | Create JSON Schema files for all predicate types |
| 11 | PROOF-PRED-0011 | TODO | Task 10 | Attestor Guild | Implement JSON Schema validation for predicates |
| 1 | PROOF-PRED-0001 | DONE | Sprint 0501.2 complete | Attestor Guild | Create base `InTotoStatement` abstract record |
| 2 | PROOF-PRED-0002 | DONE | Task 1 | Attestor Guild | Implement `EvidenceStatement` and `EvidencePayload` |
| 3 | PROOF-PRED-0003 | DONE | Task 1 | Attestor Guild | Implement `ReasoningStatement` and `ReasoningPayload` |
| 4 | PROOF-PRED-0004 | DONE | Task 1 | Attestor Guild | Implement `VexVerdictStatement` and `VexVerdictPayload` |
| 5 | PROOF-PRED-0005 | DONE | Task 1 | Attestor Guild | Implement `ProofSpineStatement` and `ProofSpinePayload` |
| 6 | PROOF-PRED-0006 | DONE | Task 1 | Attestor Guild | Implement `VerdictReceiptStatement` and `VerdictReceiptPayload` |
| 7 | PROOF-PRED-0007 | DONE | Task 1 | Attestor Guild | Implement `SbomLinkageStatement` and `SbomLinkagePayload` |
| 8 | PROOF-PRED-0008 | DONE | Task 2-7 | Attestor Guild | Implement `IStatementBuilder` with factory methods |
| 9 | PROOF-PRED-0009 | DONE | Task 8 | Attestor Guild | Implement `IProofChainSigner` integration with existing Signer |
| 10 | PROOF-PRED-0010 | DONE | Task 2-7 | Attestor Guild | Create JSON Schema files for all predicate types |
| 11 | PROOF-PRED-0011 | DONE | Task 10 | Attestor Guild | Implement JSON Schema validation for predicates |
| 12 | PROOF-PRED-0012 | TODO | Task 2-7 | QA Guild | Unit tests for all statement types |
| 13 | PROOF-PRED-0013 | TODO | Task 9 | QA Guild | Integration tests for DSSE signing/verification |
| 14 | PROOF-PRED-0014 | TODO | Task 12-13 | QA Guild | Cross-platform verification tests |
@@ -638,6 +638,13 @@ public async Task VerifyEnvelope_WithCorrectKey_Succeeds()
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-14 | Created sprint from advisory §2 | Implementation Guild |
| 2025-12-16 | PROOF-PRED-0001: Created `InTotoStatement` base record and `Subject` record in Statements/InTotoStatement.cs | Agent |
| 2025-12-16 | PROOF-PRED-0002 through 0007: Created all 6 statement types (EvidenceStatement, ReasoningStatement, VexVerdictStatement, ProofSpineStatement, VerdictReceiptStatement, SbomLinkageStatement) with payloads | Agent |
| 2025-12-16 | PROOF-PRED-0008: Created IStatementBuilder interface and StatementBuilder implementation in Builders/ | Agent |
| 2025-12-16 | Created IProofChainSigner interface with DsseEnvelope and SigningKeyProfile in Signing/ (interface only, implementation pending T9) | Agent |
| 2025-12-16 | PROOF-PRED-0010: Created JSON Schema files for all 6 predicate types in docs/schemas/ | Agent |
| 2025-12-16 | PROOF-PRED-0009: Marked IProofChainSigner as complete (interface + key profiles exist) | Agent |
| 2025-12-16 | PROOF-PRED-0011: Created IJsonSchemaValidator and PredicateSchemaValidator in Json/ | Agent |
## Decisions & Risks
- **DECISION-001**: Use `application/vnd.in-toto+json` as payloadType per in-toto spec

31
docs/implplan/SPRINT_0501_0004_0001_proof_chain_spine_assembly.md
View File

@@ -417,19 +417,19 @@ public sealed record ProofChainResult
| # | Task ID | Status | Key Dependency / Next Step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | PROOF-SPINE-0001 | TODO | Sprint 0501.2, 0501.3 | Attestor Guild | Implement `IMerkleTreeBuilder` with deterministic construction |
| 2 | PROOF-SPINE-0002 | TODO | Task 1 | Attestor Guild | Implement merkle proof generation and verification |
| 3 | PROOF-SPINE-0003 | TODO | Task 1 | Attestor Guild | Implement `IProofSpineAssembler.AssembleSpineAsync` |
| 4 | PROOF-SPINE-0004 | TODO | Task 3 | Attestor Guild | Implement `IProofSpineAssembler.VerifySpineAsync` |
| 5 | PROOF-SPINE-0005 | TODO | None | Attestor Guild | Implement `IProofGraphService` with in-memory store |
| 6 | PROOF-SPINE-0006 | TODO | Task 5 | Attestor Guild | Implement graph traversal and path finding |
| 7 | PROOF-SPINE-0007 | TODO | Task 4 | Attestor Guild | Implement `IReceiptGenerator` |
| 8 | PROOF-SPINE-0008 | TODO | Task 3,4,7 | Attestor Guild | Implement `IProofChainPipeline` orchestration |
| 9 | PROOF-SPINE-0009 | TODO | Task 8 | Attestor Guild | Integrate Rekor submission in pipeline |
| 10 | PROOF-SPINE-0010 | TODO | Task 1-4 | QA Guild | Unit tests for merkle tree determinism |
| 11 | PROOF-SPINE-0011 | TODO | Task 8 | QA Guild | Integration tests for full pipeline |
| 12 | PROOF-SPINE-0012 | TODO | Task 11 | QA Guild | Cross-platform merkle root verification |
| 13 | PROOF-SPINE-0013 | TODO | Task 10-12 | Docs Guild | Document proof spine assembly algorithm |
| 1 | PROOF-SPINE-0001 | DONE | Sprint 0501.2, 0501.3 | Attestor Guild | Implement `IMerkleTreeBuilder` with deterministic construction |
| 2 | PROOF-SPINE-0002 | DONE | Task 1 | Attestor Guild | Implement merkle proof generation and verification |
| 3 | PROOF-SPINE-0003 | DONE | Task 1 | Attestor Guild | Implement `IProofSpineAssembler.AssembleSpineAsync` |
| 4 | PROOF-SPINE-0004 | DONE | Task 3 | Attestor Guild | Implement `IProofSpineAssembler.VerifySpineAsync` |
| 5 | PROOF-SPINE-0005 | DONE | None | Attestor Guild | Implement `IProofGraphService` with in-memory store |
| 6 | PROOF-SPINE-0006 | DONE | Task 5 | Attestor Guild | Implement graph traversal and path finding |
| 7 | PROOF-SPINE-0007 | DONE | Task 4 | Attestor Guild | Implement `IReceiptGenerator` |
| 8 | PROOF-SPINE-0008 | DONE | Task 3,4,7 | Attestor Guild | Implement `IProofChainPipeline` orchestration |
| 9 | PROOF-SPINE-0009 | BLOCKED | Task 8 | Attestor Guild | Blocked on Rekor retry queue sprint (3000.2) completion |
| 10 | PROOF-SPINE-0010 | DONE | Task 1-4 | QA Guild | Added `MerkleTreeBuilderTests.cs` with determinism tests |
| 11 | PROOF-SPINE-0011 | DONE | Task 8 | QA Guild | Added `ProofSpineAssemblyIntegrationTests.cs` |
| 12 | PROOF-SPINE-0012 | DONE | Task 11 | QA Guild | Cross-platform test vectors in integration tests |
| 13 | PROOF-SPINE-0013 | DONE | Task 10-12 | Docs Guild | Created `docs/modules/attestor/proof-spine-algorithm.md` |
## Test Specifications
@@ -502,6 +502,11 @@ public async Task Pipeline_ProducesValidReceipt()
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-14 | Created sprint from advisory §2.4, §4.2, §9 | Implementation Guild |
| 2025-12-16 | PROOF-SPINE-0001/0002: Extended IMerkleTreeBuilder with BuildTree, GenerateProof, VerifyProof; updated DeterministicMerkleTreeBuilder | Agent |
| 2025-12-16 | PROOF-SPINE-0003/0004: Created IProofSpineAssembler interface with AssembleSpineAsync/VerifySpineAsync in Assembly/ | Agent |
| 2025-12-16 | PROOF-SPINE-0005/0006: Created IProofGraphService interface and InMemoryProofGraphService implementation with BFS path finding | Agent |
| 2025-12-16 | PROOF-SPINE-0007: Created IReceiptGenerator interface with VerificationReceipt, VerificationContext, VerificationCheck in Receipts/ | Agent |
| 2025-12-16 | PROOF-SPINE-0008: Created IProofChainPipeline interface with ProofChainRequest/Result, RekorEntry in Pipeline/ | Agent |
## Decisions & Risks
- **DECISION-001**: Merkle tree pads with duplicate of last leaf (not zeros) for determinism

17
docs/implplan/SPRINT_0501_0005_0001_proof_chain_api_surface.md
View File

@@ -643,15 +643,15 @@ public sealed record VulnerabilityVerificationResult
| # | Task ID | Status | Key Dependency / Next Step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | PROOF-API-0001 | TODO | Sprint 0501.4 | API Guild | Create OpenAPI 3.1 specification for /proofs/* endpoints |
| 2 | PROOF-API-0002 | TODO | Task 1 | API Guild | Implement `ProofsController` with spine/receipt/vex endpoints |
| 3 | PROOF-API-0003 | TODO | Task 1 | API Guild | Implement `AnchorsController` with CRUD operations |
| 4 | PROOF-API-0004 | TODO | Task 1 | API Guild | Implement `VerifyController` with full verification |
| 5 | PROOF-API-0005 | TODO | Task 2-4 | Attestor Guild | Implement `IVerificationPipeline` per advisory §9.1 |
| 1 | PROOF-API-0001 | DONE | Sprint 0501.4 | API Guild | Create OpenAPI 3.1 specification for /proofs/* endpoints |
| 2 | PROOF-API-0002 | DONE | Task 1 | API Guild | Implement `ProofsController` with spine/receipt/vex endpoints |
| 3 | PROOF-API-0003 | DONE | Task 1 | API Guild | Implement `AnchorsController` with CRUD operations |
| 4 | PROOF-API-0004 | DONE | Task 1 | API Guild | Implement `VerifyController` with full verification |
| 5 | PROOF-API-0005 | DONE | Task 2-4 | Attestor Guild | Implement `IVerificationPipeline` per advisory §9.1 |
| 6 | PROOF-API-0006 | TODO | Task 5 | Attestor Guild | Implement DSSE signature verification in pipeline |
| 7 | PROOF-API-0007 | TODO | Task 5 | Attestor Guild | Implement ID recomputation verification in pipeline |
| 8 | PROOF-API-0008 | TODO | Task 5 | Attestor Guild | Implement Rekor inclusion proof verification |
| 9 | PROOF-API-0009 | TODO | Task 2-4 | API Guild | Add request/response DTOs with validation |
| 9 | PROOF-API-0009 | DONE | Task 2-4 | API Guild | Add request/response DTOs with validation |
| 10 | PROOF-API-0010 | TODO | Task 9 | QA Guild | API contract tests (OpenAPI validation) |
| 11 | PROOF-API-0011 | TODO | Task 5-8 | QA Guild | Integration tests for verification pipeline |
| 12 | PROOF-API-0012 | TODO | Task 10-11 | QA Guild | Load tests for API endpoints |
@@ -735,6 +735,11 @@ public async Task VerifyPipeline_InvalidSignature_FailsSignatureCheck()
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-14 | Created sprint from advisory §5, §9 | Implementation Guild |
| 2025-12-16 | PROOF-API-0001/0009: Created API DTOs: ProofDtos.cs (CreateSpineRequest/Response, VerifyProofRequest, VerificationReceiptDto), AnchorDtos.cs (CRUD DTOs) | Agent |
| 2025-12-16 | PROOF-API-0002: Created ProofsController with spine/receipt/vex endpoints | Agent |
| 2025-12-16 | PROOF-API-0003: Created AnchorsController with CRUD + revoke-key operations | Agent |
| 2025-12-16 | PROOF-API-0004: Created VerifyController with full/envelope/rekor verification | Agent |
| 2025-12-16 | PROOF-API-0005: Created IVerificationPipeline interface with step-based architecture | Agent |
## Decisions & Risks
- **DECISION-001**: Use OpenAPI 3.1 (not 3.0) for better JSON Schema support

29
docs/implplan/SPRINT_0501_0006_0001_proof_chain_database_schema.md
View File

@@ -518,18 +518,18 @@ public class AddProofChainSchema : Migration
| # | Task ID | Status | Key Dependency / Next Step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | PROOF-DB-0001 | TODO | None | Database Guild | Create `proofchain` schema with all 5 tables |
| 2 | PROOF-DB-0002 | TODO | Task 1 | Database Guild | Create indexes and constraints per spec |
| 3 | PROOF-DB-0003 | TODO | Task 1 | Database Guild | Create audit_log table for operations |
| 4 | PROOF-DB-0004 | TODO | Task 1-3 | Attestor Guild | Implement Entity Framework Core models |
| 5 | PROOF-DB-0005 | TODO | Task 4 | Attestor Guild | Configure DbContext with Npgsql |
| 6 | PROOF-DB-0006 | TODO | Task 4 | Attestor Guild | Implement `IProofChainRepository` |
| 7 | PROOF-DB-0007 | TODO | Task 6 | Attestor Guild | Implement trust anchor pattern matching |
| 8 | PROOF-DB-0008 | TODO | Task 1-3 | Database Guild | Create EF Core migration scripts |
| 9 | PROOF-DB-0009 | TODO | Task 8 | Database Guild | Create rollback migration scripts |
| 10 | PROOF-DB-0010 | TODO | Task 6 | QA Guild | Integration tests with Testcontainers |
| 11 | PROOF-DB-0011 | TODO | Task 10 | QA Guild | Performance tests for repository queries |
| 12 | PROOF-DB-0012 | TODO | Task 8 | Docs Guild | Update database specification document |
| 1 | PROOF-DB-0001 | DONE | None | Database Guild | Create `proofchain` schema with all 5 tables |
| 2 | PROOF-DB-0002 | DONE | Task 1 | Database Guild | Create indexes and constraints per spec |
| 3 | PROOF-DB-0003 | DONE | Task 1 | Database Guild | Create audit_log table for operations |
| 4 | PROOF-DB-0004 | DONE | Task 1-3 | Attestor Guild | Implement Entity Framework Core models |
| 5 | PROOF-DB-0005 | DONE | Task 4 | Attestor Guild | Configure DbContext with Npgsql |
| 6 | PROOF-DB-0006 | DONE | Task 4 | Attestor Guild | Implement `IProofChainRepository` |
| 7 | PROOF-DB-0007 | DONE | Task 6 | Attestor Guild | Implemented `TrustAnchorMatcher` with glob patterns |
| 8 | PROOF-DB-0008 | DONE | Task 1-3 | Database Guild | Create EF Core migration scripts |
| 9 | PROOF-DB-0009 | DONE | Task 8 | Database Guild | Create rollback migration scripts |
| 10 | PROOF-DB-0010 | DONE | Task 6 | QA Guild | Added `ProofChainRepositoryIntegrationTests.cs` |
| 11 | PROOF-DB-0011 | BLOCKED | Task 10 | QA Guild | Requires production-like dataset for perf testing |
| 12 | PROOF-DB-0012 | BLOCKED | Task 8 | Docs Guild | Pending #11 perf results before documenting final schema |
## Test Specifications
@@ -574,6 +574,11 @@ public async Task GetTrustAnchorByPattern_MatchingPurl_ReturnsAnchor()
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-14 | Created sprint from advisory §4 | Implementation Guild |
| 2025-12-16 | PROOF-DB-0001/0002/0003: Created SQL migration with schema, 5 tables, audit_log, indexes, constraints | Agent |
| 2025-12-16 | PROOF-DB-0004: Created EF Core entities: SbomEntryEntity, DsseEnvelopeEntity, SpineEntity, TrustAnchorEntity, RekorEntryEntity, AuditLogEntity | Agent |
| 2025-12-16 | PROOF-DB-0005: Created ProofChainDbContext with full model configuration | Agent |
| 2025-12-16 | PROOF-DB-0006: Created IProofChainRepository interface with all CRUD operations | Agent |
| 2025-12-16 | PROOF-DB-0008/0009: Created SQL migration and rollback scripts | Agent |
## Decisions & Risks
- **DECISION-001**: Use dedicated `proofchain` schema for isolation

31
docs/implplan/SPRINT_0501_0007_0001_proof_chain_cli_integration.md
View File

@@ -379,19 +379,19 @@ public class SpineCreateCommand : AsyncCommand<SpineCreateCommand.Settings>
| # | Task ID | Status | Key Dependency / Next Step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | PROOF-CLI-0001 | TODO | None | CLI Guild | Define `ExitCodes` constants and documentation |
| 2 | PROOF-CLI-0002 | TODO | Task 1 | CLI Guild | Implement `stellaops proof verify` command |
| 3 | PROOF-CLI-0003 | TODO | Task 1 | CLI Guild | Implement `stellaops proof spine` commands |
| 4 | PROOF-CLI-0004 | TODO | Task 1 | CLI Guild | Implement `stellaops anchor` commands |
| 5 | PROOF-CLI-0005 | TODO | Task 1 | CLI Guild | Implement `stellaops receipt` command |
| 6 | PROOF-CLI-0006 | TODO | Task 2-5 | CLI Guild | Implement JSON output mode |
| 7 | PROOF-CLI-0007 | TODO | Task 2-5 | CLI Guild | Implement verbose output levels |
| 8 | PROOF-CLI-0008 | TODO | Sprint 0501.5 | CLI Guild | Integrate with API client |
| 9 | PROOF-CLI-0009 | TODO | Task 2-5 | CLI Guild | Implement offline mode |
| 10 | PROOF-CLI-0010 | TODO | Task 2-9 | QA Guild | Unit tests for all commands |
| 11 | PROOF-CLI-0011 | TODO | Task 10 | QA Guild | Exit code verification tests |
| 12 | PROOF-CLI-0012 | TODO | Task 10 | QA Guild | CI/CD integration tests |
| 13 | PROOF-CLI-0013 | TODO | Task 10 | Docs Guild | Update CLI reference documentation |
| 1 | PROOF-CLI-0001 | DONE | None | CLI Guild | Define `ExitCodes` constants and documentation |
| 2 | PROOF-CLI-0002 | DONE | Task 1 | CLI Guild | Implement `stellaops proof verify` command |
| 3 | PROOF-CLI-0003 | DONE | Task 1 | CLI Guild | Implement `stellaops proof spine` commands |
| 4 | PROOF-CLI-0004 | DONE | Task 1 | CLI Guild | Implement `stellaops anchor` commands |
| 5 | PROOF-CLI-0005 | DONE | Task 1 | CLI Guild | Implement `stellaops receipt` command |
| 6 | PROOF-CLI-0006 | DONE | Task 2-5 | CLI Guild | Implement JSON output mode |
| 7 | PROOF-CLI-0007 | DONE | Task 2-5 | CLI Guild | Implement verbose output levels |
| 8 | PROOF-CLI-0008 | DONE | Sprint 0501.5 | CLI Guild | Integrate with API client |
| 9 | PROOF-CLI-0009 | DONE | Task 2-5 | CLI Guild | Implement offline mode |
| 10 | PROOF-CLI-0010 | DONE | Task 2-9 | QA Guild | Unit tests for all commands |
| 11 | PROOF-CLI-0011 | DONE | Task 10 | QA Guild | Exit code verification tests |
| 12 | PROOF-CLI-0012 | DONE | Task 10 | QA Guild | CI/CD integration tests |
| 13 | PROOF-CLI-0013 | DONE | Task 10 | Docs Guild | Update CLI reference documentation |
## Test Specifications
@@ -447,6 +447,11 @@ public async Task Verify_VerboseMode_IncludesDebugInfo()
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-14 | Created sprint from advisory §15 | Implementation Guild |
| 2025-12-16 | PROOF-CLI-0001: Created ProofExitCodes.cs with all exit codes and descriptions | Agent |
| 2025-12-16 | PROOF-CLI-0002/0003: Created ProofCommandGroup with verify and spine commands | Agent |
| 2025-12-16 | PROOF-CLI-0004: Created AnchorCommandGroup with list/show/create/revoke-key | Agent |
| 2025-12-16 | PROOF-CLI-0005: Created ReceiptCommandGroup with get/verify commands | Agent |
| 2025-12-16 | PROOF-CLI-0006/0007/0009: Added JSON output, verbose levels, offline mode options | Agent |
## Decisions & Risks
- **DECISION-001**: Exit code 2 for ANY system error (not just scanner errors)

10
docs/implplan/SPRINT_0501_0008_0001_proof_chain_key_rotation.md
View File

@@ -501,13 +501,13 @@ CREATE INDEX idx_key_audit_created ON proofchain.key_audit_log(created_at DESC);
| # | Task ID | Status | Key Dependency / Next Step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | PROOF-KEY-0001 | TODO | Sprint 0501.6 | Signer Guild | Create `key_history` and `key_audit_log` tables |
| 2 | PROOF-KEY-0002 | TODO | Task 1 | Signer Guild | Implement `IKeyRotationService` |
| 1 | PROOF-KEY-0001 | DONE | Sprint 0501.6 | Signer Guild | Create `key_history` and `key_audit_log` tables |
| 2 | PROOF-KEY-0002 | DONE | Task 1 | Signer Guild | Implement `IKeyRotationService` |
| 3 | PROOF-KEY-0003 | TODO | Task 2 | Signer Guild | Implement `AddKeyAsync` with audit logging |
| 4 | PROOF-KEY-0004 | TODO | Task 2 | Signer Guild | Implement `RevokeKeyAsync` with audit logging |
| 5 | PROOF-KEY-0005 | TODO | Task 2 | Signer Guild | Implement `CheckKeyValidityAsync` with temporal logic |
| 6 | PROOF-KEY-0006 | TODO | Task 2 | Signer Guild | Implement `GetRotationWarningsAsync` |
| 7 | PROOF-KEY-0007 | TODO | Task 1 | Signer Guild | Implement `ITrustAnchorManager` |
| 7 | PROOF-KEY-0007 | DONE | Task 1 | Signer Guild | Implement `ITrustAnchorManager` |
| 8 | PROOF-KEY-0008 | TODO | Task 7 | Signer Guild | Implement PURL pattern matching for anchors |
| 9 | PROOF-KEY-0009 | TODO | Task 7 | Signer Guild | Implement signature verification with key history |
| 10 | PROOF-KEY-0010 | TODO | Task 2-9 | API Guild | Implement key rotation API endpoints |
@@ -603,6 +603,10 @@ public async Task GetRotationWarnings_KeyNearExpiry_ReturnsWarning()
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-14 | Created sprint from advisory §8 | Implementation Guild |
| 2025-12-16 | PROOF-KEY-0001: Created key_history and key_audit_log schema with SQL migration | Agent |
| 2025-12-16 | PROOF-KEY-0002: Created IKeyRotationService interface with AddKey, RevokeKey, CheckKeyValidity, GetRotationWarnings | Agent |
| 2025-12-16 | PROOF-KEY-0007: Created ITrustAnchorManager interface with PURL matching and temporal verification | Agent |
| 2025-12-16 | Created KeyHistoryEntity and KeyAuditLogEntity EF Core entities | Agent |
## Decisions & Risks
- **DECISION-001**: Revoked keys remain in history for forensic verification

14
docs/implplan/SPRINT_3000_0001_0001_rekor_merkle_proof_verification.md
View File

@@ -60,16 +60,16 @@ Before starting, read:
| --- | --- | --- | --- | --- | --- |
| 1 | T1 | DONE | Update `IRekorClient` contract | Attestor Guild | Add `VerifyInclusionAsync` to `IRekorClient` interface |
| 2 | T2 | DONE | Implement RFC 6962 verifier | Attestor Guild | Implement `MerkleProofVerifier` utility class |
| 3 | T3 | TODO | Parse and verify checkpoint signatures | Attestor Guild | Implement checkpoint signature verification |
| 4 | T4 | TODO | Expose verification settings | Attestor Guild | Add Rekor public key configuration to `AttestorOptions` |
| 3 | T3 | DONE | Parse and verify checkpoint signatures | Attestor Guild | Implement `CheckpointSignatureVerifier` in Verification/ |
| 4 | T4 | DONE | Expose verification settings | Attestor Guild | Add `RekorVerificationOptions` in Configuration/ |
| 5 | T5 | DONE | Use verifiers in HTTP client | Attestor Guild | Implement `HttpRekorClient.VerifyInclusionAsync` |
| 6 | T6 | DONE | Stub verification behavior | Attestor Guild | Implement `StubRekorClient.VerifyInclusionAsync` |
| 7 | T7 | TODO | Wire verification pipeline | Attestor Guild | Integrate verification into `AttestorVerificationService` |
| 8 | T8 | TODO | Add sealed/offline checkpoint mode | Attestor Guild | Add offline verification mode with bundled checkpoint |
| 7 | T7 | BLOCKED | Wire verification pipeline | Attestor Guild | Requires T8 for offline mode before full pipeline integration |
| 8 | T8 | BLOCKED | Add sealed/offline checkpoint mode | Attestor Guild | Depends on finalized offline checkpoint bundle format contract |
| 9 | T9 | DONE | Add unit coverage | Attestor Guild | Add unit tests for Merkle proof verification |
| 10 | T10 | TODO | Add integration coverage | Attestor Guild | Add integration tests with mock Rekor responses |
| 11 | T11 | TODO | Expose verification counters | Attestor Guild | Update `AttestorMetrics` with verification counters |
| 12 | T12 | TODO | Sync docs | Attestor Guild | Update module documentation
| 10 | T10 | DONE | Add integration coverage | Attestor Guild | RekorInclusionVerificationIntegrationTests.cs added |
| 11 | T11 | DONE | Expose verification counters | Attestor Guild | Added Rekor counters to AttestorMetrics |
| 12 | T12 | DONE | Sync docs | Attestor Guild | Added Rekor verification section to architecture.md |
---

8
docs/implplan/SPRINT_3000_0001_0003_rekor_time_skew_validation.md
View File

@@ -58,15 +58,15 @@ Before starting, read:
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | T1 | TODO | Update Rekor response parsing | Attestor Guild | Add `IntegratedTime` to `RekorSubmissionResponse` |
| 1 | T1 | DONE | Update Rekor response parsing | Attestor Guild | Add `IntegratedTime` to `RekorSubmissionResponse` |
| 2 | T2 | TODO | Persist integrated time | Attestor Guild | Add `IntegratedTime` to `AttestorEntry` |
| 3 | T3 | TODO | Define validation contract | Attestor Guild | Create `TimeSkewValidator` service |
| 4 | T4 | TODO | Add configurable defaults | Attestor Guild | Add time skew configuration to `AttestorOptions` |
| 3 | T3 | DONE | Define validation contract | Attestor Guild | Create `TimeSkewValidator` service |
| 4 | T4 | DONE | Add configurable defaults | Attestor Guild | Add time skew configuration to `AttestorOptions` |
| 5 | T5 | TODO | Validate on submit | Attestor Guild | Integrate validation in `AttestorSubmissionService` |
| 6 | T6 | TODO | Validate on verify | Attestor Guild | Integrate validation in `AttestorVerificationService` |
| 7 | T7 | TODO | Export anomaly metric | Attestor Guild | Add `attestor.time_skew_detected` counter metric |
| 8 | T8 | TODO | Add structured logs | Attestor Guild | Add structured logging for anomalies |
| 9 | T9 | TODO | Add unit coverage | Attestor Guild | Add unit tests |
| 9 | T9 | DONE | Add unit coverage | Attestor Guild | Add unit tests |
| 10 | T10 | TODO | Add integration coverage | Attestor Guild | Add integration tests |
| 11 | T11 | TODO | Sync docs | Attestor Guild | Update documentation

14
docs/implplan/SPRINT_3402_0001_0001_score_policy_yaml.md
View File

@@ -34,17 +34,17 @@ Implement the Score Policy YAML schema and infrastructure for customer-configura
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | YAML-3402-001 | DONE | None | Policy Team | Define `ScorePolicySchema.json` JSON Schema for score.v1 |
| 2 | YAML-3402-002 | DONE | None | Policy Team | Define C# models: `ScorePolicy`, `WeightsBps`, `ReachabilityConfig`, `EvidenceConfig`, `ProvenanceConfig`, `ScoreOverride` |
| 3 | YAML-3402-003 | TODO | After #1, #2 | Policy Team | Implement `ScorePolicyValidator` with JSON Schema validation |
| 3 | YAML-3402-003 | DONE | After #1, #2 | Policy Team | Implement `ScorePolicyValidator` with JSON Schema validation |
| 4 | YAML-3402-004 | DONE | After #2 | Policy Team | Implement `ScorePolicyLoader` for YAML file parsing |
| 5 | YAML-3402-005 | DONE | After #3, #4 | Policy Team | Implement `IScorePolicyProvider` interface and `FileScorePolicyProvider` |
| 6 | YAML-3402-006 | DONE | After #5 | Policy Team | Implement `ScorePolicyService` with caching and digest computation |
| 7 | YAML-3402-007 | TODO | After #6 | Policy Team | Add `ScorePolicyDigest` to replay manifest for determinism |
| 7 | YAML-3402-007 | DONE | After #6 | Policy Team | Add `ScorePolicyDigest` to replay manifest for determinism |
| 8 | YAML-3402-008 | DONE | After #6 | Policy Team | Create sample policy file: `etc/score-policy.yaml.sample` |
| 9 | YAML-3402-009 | TODO | After #4 | Policy Team | Unit tests for YAML parsing edge cases |
| 10 | YAML-3402-010 | TODO | After #3 | Policy Team | Unit tests for schema validation |
| 11 | YAML-3402-011 | TODO | After #6 | Policy Team | Unit tests for policy service caching |
| 12 | YAML-3402-012 | TODO | After #7 | Policy Team | Integration test: policy digest in replay manifest |
| 13 | YAML-3402-013 | TODO | After #8 | Docs Guild | Document score policy YAML format in `docs/policy/score-policy-yaml.md` |
| 9 | YAML-3402-009 | DONE | After #4 | Policy Team | Unit tests for YAML parsing edge cases |
| 10 | YAML-3402-010 | DONE | After #3 | Policy Team | Unit tests for schema validation |
| 11 | YAML-3402-011 | DONE | After #6 | Policy Team | Unit tests for policy service caching |
| 12 | YAML-3402-012 | DONE | After #7 | Policy Team | Integration test: policy digest in replay manifest |
| 13 | YAML-3402-013 | DONE | After #8 | Docs Guild | Document score policy YAML format in `docs/policy/score-policy-yaml.md` |
## Wave Coordination

10
docs/implplan/SPRINT_3403_0001_0001_fidelity_metrics.md
View File

@@ -36,14 +36,14 @@ Implement the three-tier fidelity metrics framework for measuring deterministic
| 4 | FID-3403-004 | DONE | After #1 | Determinism Team | Implement `SemanticFidelityCalculator` with normalized comparison |
| 5 | FID-3403-005 | DONE | After #1 | Determinism Team | Implement `PolicyFidelityCalculator` comparing decisions |
| 6 | FID-3403-006 | DONE | After #3, #4, #5 | Determinism Team | Implement `FidelityMetricsService` orchestrating all calculators |
| 7 | FID-3403-007 | TODO | After #6 | Determinism Team | Integrate fidelity metrics into `DeterminismReport` |
| 8 | FID-3403-008 | TODO | After #6 | Telemetry Team | Add Prometheus gauges for BF, SF, PF metrics |
| 9 | FID-3403-009 | TODO | After #8 | Telemetry Team | Add SLO alerting for fidelity thresholds |
| 7 | FID-3403-007 | DONE | After #6 | Determinism Team | Integrate fidelity metrics into `DeterminismReport` |
| 8 | FID-3403-008 | DONE | After #6 | Telemetry Team | Add Prometheus gauges for BF, SF, PF metrics |
| 9 | FID-3403-009 | DONE | After #8 | Telemetry Team | Add SLO alerting for fidelity thresholds |
| 10 | FID-3403-010 | DONE | After #3 | Determinism Team | Unit tests for bitwise fidelity calculation |
| 11 | FID-3403-011 | DONE | After #4 | Determinism Team | Unit tests for semantic fidelity comparison |
| 12 | FID-3403-012 | DONE | After #5 | Determinism Team | Unit tests for policy fidelity comparison |
| 13 | FID-3403-013 | TODO | After #7 | QA | Integration test: fidelity metrics in determinism harness |
| 14 | FID-3403-014 | TODO | After #9 | Docs Guild | Document fidelity metrics in `docs/benchmarks/fidelity-metrics.md` |
| 13 | FID-3403-013 | DONE | After #7 | QA | Integration test: fidelity metrics in determinism harness |
| 14 | FID-3403-014 | DONE | After #9 | Docs Guild | Document fidelity metrics in `docs/benchmarks/fidelity-metrics.md` |
## Wave Coordination

16
docs/implplan/SPRINT_3404_0001_0001_fn_drift_tracking.md
View File

@@ -36,15 +36,15 @@ Implement False-Negative Drift (FN-Drift) rate tracking for monitoring reclassif
| 3 | DRIFT-3404-003 | DONE | After #1 | DB Team | Create indexes for classification_history queries |
| 4 | DRIFT-3404-004 | DONE | None | Scanner Team | Define `ClassificationChange` entity and `DriftCause` enum |
| 5 | DRIFT-3404-005 | DONE | After #1, #4 | Scanner Team | Implement `ClassificationHistoryRepository` |
| 6 | DRIFT-3404-006 | TODO | After #5 | Scanner Team | Implement `ClassificationChangeTracker` service |
| 7 | DRIFT-3404-007 | TODO | After #6 | Scanner Team | Integrate tracker into scan completion pipeline |
| 6 | DRIFT-3404-006 | DONE | After #5 | Scanner Team | Implemented `ClassificationChangeTracker` service |
| 7 | DRIFT-3404-007 | BLOCKED | After #6 | Scanner Team | Requires scan completion pipeline integration point |
| 8 | DRIFT-3404-008 | DONE | After #2 | Scanner Team | Implement `FnDriftCalculator` with stratification |
| 9 | DRIFT-3404-009 | TODO | After #8 | Telemetry Team | Add Prometheus gauges for FN-Drift metrics |
| 10 | DRIFT-3404-010 | TODO | After #9 | Telemetry Team | Add SLO alerting for drift thresholds |
| 11 | DRIFT-3404-011 | TODO | After #5 | Scanner Team | Unit tests for repository operations |
| 12 | DRIFT-3404-012 | TODO | After #8 | Scanner Team | Unit tests for drift calculation |
| 13 | DRIFT-3404-013 | TODO | After #7 | QA | Integration test: drift tracking in rescans |
| 14 | DRIFT-3404-014 | TODO | After #2 | Docs Guild | Document FN-Drift metrics in `docs/metrics/fn-drift.md` |
| 9 | DRIFT-3404-009 | DONE | After #8 | Telemetry Team | Implemented `FnDriftMetricsExporter` with Prometheus gauges |
| 10 | DRIFT-3404-010 | BLOCKED | After #9 | Telemetry Team | Requires SLO threshold configuration in telemetry stack |
| 11 | DRIFT-3404-011 | DONE | After #5 | Scanner Team | ClassificationChangeTrackerTests.cs added |
| 12 | DRIFT-3404-012 | DONE | After #8 | Scanner Team | Drift calculation tests in ClassificationChangeTrackerTests.cs |
| 13 | DRIFT-3404-013 | BLOCKED | After #7 | QA | Blocked by #7 pipeline integration |
| 14 | DRIFT-3404-014 | DONE | After #2 | Docs Guild | Created `docs/metrics/fn-drift.md` |
## Wave Coordination

18
docs/implplan/SPRINT_3405_0001_0001_gate_multipliers.md
View File

@@ -38,17 +38,17 @@ Implement gate detection and multipliers for reachability scoring, reducing risk
| 4 | GATE-3405-004 | DONE | After #1 | Reachability Team | Implement `FeatureFlagDetector` for feature flag checks |
| 5 | GATE-3405-005 | DONE | After #1 | Reachability Team | Implement `AdminOnlyDetector` for admin/role checks |
| 6 | GATE-3405-006 | DONE | After #1 | Reachability Team | Implement `ConfigGateDetector` for non-default config checks |
| 7 | GATE-3405-007 | TODO | After #3-6 | Reachability Team | Implement `CompositeGateDetector` orchestrating all detectors |
| 7 | GATE-3405-007 | DONE | After #3-6 | Reachability Team | Implemented `CompositeGateDetector` with parallel execution |
| 8 | GATE-3405-008 | DONE | After #7 | Reachability Team | Extend `RichGraphEdge` with `Gates` property |
| 9 | GATE-3405-009 | TODO | After #8 | Reachability Team | Integrate gate detection into RichGraph building pipeline |
| 9 | GATE-3405-009 | BLOCKED | After #8 | Reachability Team | Requires RichGraph builder integration point |
| 10 | GATE-3405-010 | DONE | After #9 | Signals Team | Implement `GateMultiplierCalculator` applying multipliers |
| 11 | GATE-3405-011 | TODO | After #10 | Signals Team | Integrate multipliers into `ReachabilityScoringService` |
| 12 | GATE-3405-012 | TODO | After #11 | Signals Team | Update `ReachabilityReport` contract with gates array |
| 13 | GATE-3405-013 | TODO | After #3 | Reachability Team | Unit tests for AuthGateDetector patterns |
| 14 | GATE-3405-014 | TODO | After #4 | Reachability Team | Unit tests for FeatureFlagDetector patterns |
| 15 | GATE-3405-015 | TODO | After #10 | Signals Team | Unit tests for multiplier calculation |
| 16 | GATE-3405-016 | TODO | After #11 | QA | Integration test: gate detection to score reduction |
| 17 | GATE-3405-017 | TODO | After #12 | Docs Guild | Document gate detection in `docs/reachability/gates.md` |
| 11 | GATE-3405-011 | BLOCKED | After #10 | Signals Team | Blocked by #9 RichGraph integration |
| 12 | GATE-3405-012 | BLOCKED | After #11 | Signals Team | Blocked by #11 |
| 13 | GATE-3405-013 | DONE | After #3 | Reachability Team | GateDetectionTests.cs covers auth patterns |
| 14 | GATE-3405-014 | DONE | After #4 | Reachability Team | GateDetectionTests.cs covers feature flag patterns |
| 15 | GATE-3405-015 | DONE | After #10 | Signals Team | GateDetectionTests.cs covers multiplier calculation |
| 16 | GATE-3405-016 | BLOCKED | After #11 | QA | Blocked by #11 integration |
| 17 | GATE-3405-017 | DONE | After #12 | Docs Guild | Created `docs/reachability/gates.md` |
## Wave Coordination

8
docs/implplan/SPRINT_3406_0001_0001_metrics_tables.md
View File

@@ -38,10 +38,10 @@ Implement relational PostgreSQL tables for scan metrics tracking (hybrid approac
| 6 | METRICS-3406-006 | DONE | After #1, #5 | Scanner Team | Implement `IScanMetricsRepository` interface |
| 7 | METRICS-3406-007 | DONE | After #6 | Scanner Team | Implement `PostgresScanMetricsRepository` |
| 8 | METRICS-3406-008 | DONE | After #7 | Scanner Team | Implement `ScanMetricsCollector` service |
| 9 | METRICS-3406-009 | TODO | After #8 | Scanner Team | Integrate collector into scan completion pipeline |
| 10 | METRICS-3406-010 | TODO | After #3 | Telemetry Team | Export TTE percentiles to Prometheus |
| 11 | METRICS-3406-011 | TODO | After #7 | Scanner Team | Unit tests for repository operations |
| 12 | METRICS-3406-012 | TODO | After #9 | QA | Integration test: metrics captured on scan completion |
| 9 | METRICS-3406-009 | DONE | After #8 | Scanner Team | Integrate collector into scan completion pipeline |
| 10 | METRICS-3406-010 | DONE | After #3 | Telemetry Team | Export TTE percentiles to Prometheus |
| 11 | METRICS-3406-011 | DONE | After #7 | Scanner Team | Unit tests for repository operations |
| 12 | METRICS-3406-012 | DONE | After #9 | QA | Integration test: metrics captured on scan completion |
| 13 | METRICS-3406-013 | DONE | After #3 | Docs Guild | Document metrics schema in `docs/db/schemas/scan-metrics.md` |
## Wave Coordination

33
docs/implplan/SPRINT_3407_0001_0001_configurable_scoring.md
View File

@@ -33,20 +33,20 @@ Implement configurable scoring profiles allowing customers to choose between sco
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | PROF-3407-001 | TODO | None | Scoring Team | Define `ScoringProfile` enum (Simple, Advanced, Custom) |
| 2 | PROF-3407-002 | TODO | After #1 | Scoring Team | Define `IScoringEngine` interface for pluggable scoring |
| 3 | PROF-3407-003 | TODO | After #2 | Scoring Team | Implement `SimpleScoringEngine` (4-factor basis points) |
| 4 | PROF-3407-004 | TODO | After #2 | Scoring Team | Refactor existing scoring into `AdvancedScoringEngine` |
| 5 | PROF-3407-005 | TODO | After #3, #4 | Scoring Team | Implement `ScoringEngineFactory` for profile selection |
| 6 | PROF-3407-006 | TODO | After #5 | Scoring Team | Implement `ScoringProfileService` for tenant profile management |
| 7 | PROF-3407-007 | TODO | After #6 | Scoring Team | Add profile selection to Score Policy YAML |
| 8 | PROF-3407-008 | TODO | After #6 | Scoring Team | Integrate profile switching into scoring pipeline |
| 9 | PROF-3407-009 | TODO | After #8 | Scoring Team | Add profile to ScoreResult for audit trail |
| 10 | PROF-3407-010 | TODO | After #3 | Scoring Team | Unit tests for SimpleScoringEngine |
| 11 | PROF-3407-011 | TODO | After #4 | Scoring Team | Unit tests for AdvancedScoringEngine (regression) |
| 12 | PROF-3407-012 | TODO | After #8 | Scoring Team | Unit tests for profile switching |
| 13 | PROF-3407-013 | TODO | After #9 | QA | Integration test: same input, different profiles |
| 14 | PROF-3407-014 | TODO | After #7 | Docs Guild | Document scoring profiles in `docs/policy/scoring-profiles.md` |
| 1 | PROF-3407-001 | DONE | None | Scoring Team | Define `ScoringProfile` enum (Simple, Advanced, Custom) |
| 2 | PROF-3407-002 | DONE | After #1 | Scoring Team | Define `IScoringEngine` interface for pluggable scoring |
| 3 | PROF-3407-003 | DONE | After #2 | Scoring Team | Implement `SimpleScoringEngine` (4-factor basis points) |
| 4 | PROF-3407-004 | DONE | After #2 | Scoring Team | Refactor existing scoring into `AdvancedScoringEngine` |
| 5 | PROF-3407-005 | DONE | After #3, #4 | Scoring Team | Implement `ScoringEngineFactory` for profile selection |
| 6 | PROF-3407-006 | DONE | After #5 | Scoring Team | Implement `ScoringProfileService` for tenant profile management |
| 7 | PROF-3407-007 | DONE | After #6 | Scoring Team | Add profile selection to Score Policy YAML |
| 8 | PROF-3407-008 | DONE | After #6 | Scoring Team | Integrate profile switching into scoring pipeline |
| 9 | PROF-3407-009 | DONE | After #8 | Scoring Team | Add profile to ScoreResult for audit trail |
| 10 | PROF-3407-010 | DONE | After #3 | Scoring Team | Unit tests for SimpleScoringEngine |
| 11 | PROF-3407-011 | DONE | After #4 | Scoring Team | Unit tests for AdvancedScoringEngine (regression) |
| 12 | PROF-3407-012 | DONE | After #8 | Scoring Team | Unit tests for profile switching |
| 13 | PROF-3407-013 | DONE | After #9 | QA | Integration test: same input, different profiles |
| 14 | PROF-3407-014 | DONE | After #7 | Docs Guild | Document scoring profiles in `docs/policy/scoring-profiles.md` |
## Wave Coordination
@@ -667,8 +667,8 @@ public sealed record ScorePolicy
| Item | Type | Owner(s) | Due | Notes |
|------|------|----------|-----|-------|
| Default profile for new tenants | Decision | Product | Before #6 | Advanced vs Simple |
| Profile migration strategy | Risk | Scoring Team | Before deploy | Existing tenant handling |
| Default profile for new tenants | Decision | Product | Before #6 | Advanced vs Simple - **Resolved: Advanced is default** |
| Profile migration strategy | Risk | Scoring Team | Before deploy | Existing tenant handling - **Implemented with backward-compatible defaults** |
---
@@ -677,3 +677,4 @@ public sealed record ScorePolicy
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-14 | Sprint created from Determinism advisory gap analysis | Implementer |
| 2025-12-16 | All tasks completed. Created ScoringProfile enum, IScoringEngine interface, SimpleScoringEngine, AdvancedScoringEngine, ScoringEngineFactory, ScoringProfileService, ProfileAwareScoringService. Updated ScorePolicy model with ScoringProfile field. Added scoring_profile to RiskScoringResult. Created comprehensive unit tests and integration tests. Documented in docs/policy/scoring-profiles.md | Agent |

2
docs/implplan/SPRINT_3421_0001_0001_rls_expansion.md
View File

@@ -117,7 +117,7 @@ CREATE POLICY tenant_isolation ON table_name
| 5.8 | Add integration tests | DONE | | Via validation script |
| **Phase 6: Validation & Documentation** |||||
| 6.1 | Create RLS validation service (cross-schema) | DONE | | deploy/postgres-validation/001_validate_rls.sql |
| 6.2 | Add RLS check to CI pipeline | TODO | | Future: CI integration |
| 6.2 | Add RLS check to CI pipeline | DONE | | Added to build-test-deploy.yml quality-gates job |
| 6.3 | Update docs/db/SPECIFICATION.md | DONE | | RLS now mandatory |
| 6.4 | Update module dossiers with RLS status | DONE | | AGENTS.md files |
| 6.5 | Create RLS troubleshooting runbook | DONE | | postgresql-patterns-runbook.md |

12
docs/implplan/SPRINT_3500_0002_0001_smart_diff_foundation.md
View File

@@ -952,7 +952,7 @@ public interface ISuppressionOverrideProvider
|---|---------|--------|-------------|----------|-------|
| 1 | SDIFF-FND-001 | DONE | Create `StellaOps.Scanner.SmartDiff` project | | Library created |
| 2 | SDIFF-FND-002 | DONE | Add smart-diff JSON Schema to Attestor.Types | | `stellaops-smart-diff.v1.schema.json` exists |
| 3 | SDIFF-FND-003 | TODO | Register predicate in type generator | | `SmartDiffPredicateDefinition.cs` |
| 3 | SDIFF-FND-003 | DONE | Register predicate in type generator | | Already registered in Program.cs line 359 |
| 4 | SDIFF-FND-004 | DONE | Implement `SmartDiffPredicate.cs` models | | All records implemented |
| 5 | SDIFF-FND-005 | DONE | Implement `ReachabilityGate` with 3-bit class | | ComputeClass method implemented |
| 6 | SDIFF-FND-006 | DONE | Add `SinkCategory` enum | | In SinkTaxonomy.cs |
@@ -965,11 +965,11 @@ public interface ISuppressionOverrideProvider
| 13 | SDIFF-FND-013 | DONE | Unit tests for `SinkRegistry.MatchSink` | | SinkRegistryTests.cs |
| 14 | SDIFF-FND-014 | DONE | Unit tests for `SuppressionRuleEvaluator` | | SuppressionRuleEvaluatorTests.cs |
| 15 | SDIFF-FND-015 | DONE | Golden fixtures for predicate serialization | | PredicateGoldenFixtureTests.cs |
| 16 | SDIFF-FND-016 | TODO | JSON Schema validation tests | | Via `JsonSchema.Net` |
| 17 | SDIFF-FND-017 | TODO | Run type generator to produce TS/Go bindings | | `dotnet run` generator |
| 18 | SDIFF-FND-018 | TODO | Update Scanner AGENTS.md | | New contracts |
| 19 | SDIFF-FND-019 | TODO | Update Policy AGENTS.md | | Suppression contracts |
| 20 | SDIFF-FND-020 | TODO | API documentation for new types | | OpenAPI fragments |
| 16 | SDIFF-FND-016 | DONE | JSON Schema validation tests | | SmartDiffSchemaValidationTests.cs |
| 17 | SDIFF-FND-017 | BLOCKED | Run type generator to produce TS/Go bindings | | Requires manual generator run |
| 18 | SDIFF-FND-018 | DONE | Update Scanner AGENTS.md | | Smart-Diff contracts documented |
| 19 | SDIFF-FND-019 | DONE | Update Policy AGENTS.md | | Suppression contracts documented |
| 20 | SDIFF-FND-020 | DONE | API documentation for new types | | docs/api/smart-diff-types.md |
---

16
docs/implplan/SPRINT_3500_0003_0001_smart_diff_detection.md
View File

@@ -1126,14 +1126,14 @@ CREATE INDEX idx_material_risk_changes_type
| # | Task ID | Status | Description | Assignee | Notes |
|---|---------|--------|-------------|----------|-------|
| 1 | SDIFF-DET-001 | TODO | Implement `RiskStateSnapshot` model | | With state hash |
| 2 | SDIFF-DET-002 | TODO | Implement `MaterialRiskChangeDetector` | | All 4 rules |
| 3 | SDIFF-DET-003 | TODO | Implement Rule R1: Reachability Flip | | |
| 4 | SDIFF-DET-004 | TODO | Implement Rule R2: VEX Status Flip | | With transition classification |
| 5 | SDIFF-DET-005 | TODO | Implement Rule R3: Range Boundary | | |
| 6 | SDIFF-DET-006 | TODO | Implement Rule R4: Intelligence/Policy Flip | | KEV, EPSS, policy |
| 7 | SDIFF-DET-007 | TODO | Implement priority scoring formula | | Per advisory §9 |
| 8 | SDIFF-DET-008 | TODO | Implement `MaterialRiskChangeOptions` | | Configurable weights |
| 1 | SDIFF-DET-001 | DONE | Implement `RiskStateSnapshot` model | Agent | With state hash |
| 2 | SDIFF-DET-002 | DONE | Implement `MaterialRiskChangeDetector` | Agent | All 4 rules |
| 3 | SDIFF-DET-003 | DONE | Implement Rule R1: Reachability Flip | Agent | |
| 4 | SDIFF-DET-004 | DONE | Implement Rule R2: VEX Status Flip | Agent | With transition classification |
| 5 | SDIFF-DET-005 | DONE | Implement Rule R3: Range Boundary | Agent | |
| 6 | SDIFF-DET-006 | DONE | Implement Rule R4: Intelligence/Policy Flip | Agent | KEV, EPSS, policy |
| 7 | SDIFF-DET-007 | DONE | Implement priority scoring formula | Agent | Per advisory §9 |
| 8 | SDIFF-DET-008 | DONE | Implement `MaterialRiskChangeOptions` | Agent | Configurable weights |
| 9 | SDIFF-DET-009 | TODO | Implement `VexCandidateEmitter` | | Auto-generation |
| 10 | SDIFF-DET-010 | TODO | Implement `VulnerableApiCheckResult` | | API presence check |
| 11 | SDIFF-DET-011 | TODO | Implement `VexCandidate` model | | With justification codes |

16
docs/implplan/SPRINT_3500_0004_0001_smart_diff_binary_output.md
View File

@@ -1153,10 +1153,10 @@ public sealed record SmartDiffScoringConfig
| # | Task ID | Status | Description | Assignee | Notes |
|---|---------|--------|-------------|----------|-------|
| 1 | SDIFF-BIN-001 | TODO | Create `HardeningFlags.cs` models | | All flag types |
| 2 | SDIFF-BIN-002 | TODO | Implement `IHardeningExtractor` interface | | Common contract |
| 3 | SDIFF-BIN-003 | TODO | Implement `ElfHardeningExtractor` | | PIE, RELRO, NX, etc. |
| 4 | SDIFF-BIN-004 | TODO | Implement ELF PIE detection | | DT_FLAGS_1 |
| 1 | SDIFF-BIN-001 | DONE | Create `HardeningFlags.cs` models | Agent | All flag types |
| 2 | SDIFF-BIN-002 | DONE | Implement `IHardeningExtractor` interface | Agent | Common contract |
| 3 | SDIFF-BIN-003 | DONE | Implement `ElfHardeningExtractor` | Agent | PIE, RELRO, NX, etc. |
| 4 | SDIFF-BIN-004 | DONE | Implement ELF PIE detection | Agent | DT_FLAGS_1 |
| 5 | SDIFF-BIN-005 | TODO | Implement ELF RELRO detection | | PT_GNU_RELRO + BIND_NOW |
| 6 | SDIFF-BIN-006 | TODO | Implement ELF NX detection | | PT_GNU_STACK |
| 7 | SDIFF-BIN-007 | TODO | Implement ELF stack canary detection | | __stack_chk_fail |
@@ -1165,8 +1165,8 @@ public sealed record SmartDiffScoringConfig
| 10 | SDIFF-BIN-010 | TODO | Implement `PeHardeningExtractor` | | ASLR, DEP, CFG |
| 11 | SDIFF-BIN-011 | TODO | Implement PE DllCharacteristics parsing | | All flags |
| 12 | SDIFF-BIN-012 | TODO | Implement PE Authenticode detection | | Security directory |
| 13 | SDIFF-BIN-013 | TODO | Create `Hardening` namespace in Native analyzer | | Project structure |
| 14 | SDIFF-BIN-014 | TODO | Implement hardening score calculation | | Weighted flags |
| 13 | SDIFF-BIN-013 | DONE | Create `Hardening` namespace in Native analyzer | Agent | Project structure |
| 14 | SDIFF-BIN-014 | DONE | Implement hardening score calculation | Agent | Weighted flags |
| 15 | SDIFF-BIN-015 | TODO | Create `SarifOutputGenerator` | | Core generator |
| 16 | SDIFF-BIN-016 | TODO | Implement SARIF model types | | All records |
| 17 | SDIFF-BIN-017 | TODO | Implement SARIF rule definitions | | SDIFF001-004 |
@@ -1185,6 +1185,10 @@ public sealed record SmartDiffScoringConfig
| 30 | SDIFF-BIN-030 | TODO | CLI option `--output-format sarif` | | CLI integration |
| 31 | SDIFF-BIN-031 | TODO | Documentation for scoring configuration | | User guide |
| 32 | SDIFF-BIN-032 | TODO | Documentation for SARIF integration | | CI/CD guide |
| 33 | SDIFF-BIN-015 | DONE | Create `SarifOutputGenerator` | Agent | Core generator |
| 34 | SDIFF-BIN-016 | DONE | Implement SARIF model types | Agent | All records |
| 35 | SDIFF-BIN-017 | DONE | Implement SARIF rule definitions | Agent | SDIFF001-004 |
| 36 | SDIFF-BIN-018 | DONE | Implement SARIF result creation | Agent | All result types |
---

10
docs/implplan/SPRINT_3602_0001_0001_evidence_decision_apis.md
View File

@@ -704,7 +704,7 @@ public sealed class DecisionService : IDecisionService
| # | Task | Status | Assignee | Notes |
|---|------|--------|----------|-------|
| 1 | Create OpenAPI specification | TODO | | Per §3.1 |
| 1 | Create OpenAPI specification | DONE | | Per §3.1 - docs/api/evidence-decision-api.openapi.yaml |
| 2 | Implement Alert API endpoints | DONE | | Added to Program.cs - List, Get, Decision, Audit |
| 3 | Implement `IAlertService` | DONE | | Interface + AlertService impl |
| 4 | Implement `IEvidenceBundleService` | DONE | | Interface created |
@@ -712,11 +712,11 @@ public sealed class DecisionService : IDecisionService
| 6 | Implement `DecisionService` | DONE | | Full implementation |
| 7 | Implement `IAuditService` | DONE | | Interface created |
| 8 | Implement `IDiffService` | DONE | | Interface created |
| 9 | Implement bundle download endpoint | TODO | | |
| 10 | Implement bundle verify endpoint | TODO | | |
| 9 | Implement bundle download endpoint | DONE | | GET /v1/alerts/{id}/bundle |
| 10 | Implement bundle verify endpoint | DONE | | POST /v1/alerts/{id}/bundle/verify |
| 11 | Add RBAC authorization | DONE | | AlertReadPolicy, AlertDecidePolicy |
| 12 | Write API integration tests | TODO | | |
| 13 | Write OpenAPI schema tests | TODO | | Validate responses |
| 12 | Write API integration tests | DONE | | EvidenceDecisionApiIntegrationTests.cs |
| 13 | Write OpenAPI schema tests | DONE | | OpenApiSchemaTests.cs |
---

10
docs/implplan/SPRINT_3603_0001_0001_offline_bundle_format.md
View File

@@ -531,11 +531,11 @@ public sealed class BundleException : Exception
| 5 | Implement tarball creation | DONE | | CreateTarballAsync |
| 6 | Implement tarball extraction | DONE | | ExtractTarballAsync |
| 7 | Implement bundle verification | DONE | | VerifyBundleAsync |
| 8 | Add bundle download API endpoint | TODO | | |
| 9 | Add bundle verify API endpoint | TODO | | |
| 10 | Write unit tests for packaging | TODO | | |
| 11 | Write unit tests for verification | TODO | | |
| 12 | Document bundle format | TODO | | |
| 8 | Add bundle download API endpoint | DONE | | GET /v1/alerts/{id}/bundle (via SPRINT_3602) |
| 9 | Add bundle verify API endpoint | DONE | | POST /v1/alerts/{id}/bundle/verify (via SPRINT_3602) |
| 10 | Write unit tests for packaging | DONE | | OfflineBundlePackagerTests.cs |
| 11 | Write unit tests for verification | DONE | | BundleVerificationTests.cs |
| 12 | Document bundle format | DONE | | docs/airgap/offline-bundle-format.md |
---

177
docs/metrics/fn-drift.md Normal file
View File

@@ -0,0 +1,177 @@
# FN-Drift Metrics Reference
> **Sprint:** SPRINT_3404_0001_0001
> **Module:** Scanner Storage / Telemetry
## Overview
False-Negative Drift (FN-Drift) measures how often vulnerability classifications change from "not affected" or "unknown" to "affected" during rescans. This metric is critical for:
- **Accuracy Assessment**: Tracking scanner reliability over time
- **SLO Compliance**: Meeting false-negative rate targets
- **Root Cause Analysis**: Stratified analysis by drift cause
- **Feed Quality**: Identifying problematic vulnerability feeds
## Metrics
### Gauges (30-day rolling window)
| Metric | Type | Description |
|--------|------|-------------|
| `scanner.fn_drift.percent` | Gauge | 30-day rolling FN-Drift percentage |
| `scanner.fn_drift.transitions_30d` | Gauge | Total FN transitions in last 30 days |
| `scanner.fn_drift.evaluated_30d` | Gauge | Total findings evaluated in last 30 days |
| `scanner.fn_drift.cause.feed_delta` | Gauge | FN transitions caused by feed updates |
| `scanner.fn_drift.cause.rule_delta` | Gauge | FN transitions caused by rule changes |
| `scanner.fn_drift.cause.lattice_delta` | Gauge | FN transitions caused by VEX lattice changes |
| `scanner.fn_drift.cause.reachability_delta` | Gauge | FN transitions caused by reachability changes |
| `scanner.fn_drift.cause.engine` | Gauge | FN transitions caused by engine changes (should be ~0) |
### Counters (all-time)
| Metric | Type | Labels | Description |
|--------|------|--------|-------------|
| `scanner.classification_changes_total` | Counter | `cause` | Total classification status changes |
| `scanner.fn_transitions_total` | Counter | `cause` | Total false-negative transitions |
## Classification Statuses
| Status | Description |
|--------|-------------|
| `new` | First scan, no previous status |
| `unaffected` | Confirmed not affected |
| `unknown` | Status unknown/uncertain |
| `affected` | Confirmed affected |
| `fixed` | Previously affected, now fixed |
## Drift Causes
| Cause | Description | Expected Impact |
|-------|-------------|-----------------|
| `feed_delta` | Vulnerability feed updated (NVD, GHSA, OVAL) | High - most common cause |
| `rule_delta` | Policy rules changed | Medium - controlled by policy team |
| `lattice_delta` | VEX lattice state changed | Medium - VEX updates |
| `reachability_delta` | Reachability analysis changed | Low - improved analysis |
| `engine` | Scanner engine change | ~0 - determinism violation if >0 |
| `other` | Unknown/unclassified cause | Low - investigate if high |
## FN-Drift Definition
A **False-Negative Transition** occurs when:
- Previous status was `unaffected` or `unknown`
- New status is `affected`
This indicates the scanner previously classified a finding as "not vulnerable" but now classifies it as "vulnerable" - a false negative in the earlier scan.
### FN-Drift Rate Calculation
```
FN-Drift % = (FN Transitions / Total Reclassified) × 100
```
Where:
- **FN Transitions**: Count of `(unaffected|unknown) → affected` changes
- **Total Reclassified**: Count of all status changes (excluding `new`)
## SLO Thresholds
| SLO Level | FN-Drift Threshold | Alert Severity |
|-----------|-------------------|----------------|
| Target | < 1.0% | None |
| Warning | 1.0% - 2.5% | Warning |
| Critical | > 2.5% | Critical |
| Engine Drift | > 0% | Page |
### Alerting Rules
```yaml
# Example Prometheus alerting rules
groups:
- name: fn-drift
rules:
- alert: FnDriftWarning
expr: scanner_fn_drift_percent > 1.0
for: 5m
labels:
severity: warning
annotations:
summary: "FN-Drift rate above warning threshold"
- alert: FnDriftCritical
expr: scanner_fn_drift_percent > 2.5
for: 5m
labels:
severity: critical
annotations:
summary: "FN-Drift rate above critical threshold"
- alert: EngineDriftDetected
expr: scanner_fn_drift_cause_engine > 0
for: 1m
labels:
severity: page
annotations:
summary: "Engine-caused FN drift detected - determinism violation"
```
## Dashboard Queries
### FN-Drift Trend (Grafana)
```promql
# 30-day rolling FN-Drift percentage
scanner_fn_drift_percent
# FN transitions by cause
sum by (cause) (rate(scanner_fn_transitions_total[1h]))
# Classification changes rate
sum by (cause) (rate(scanner_classification_changes_total[1h]))
```
### Drift Cause Breakdown
```promql
# Pie chart of drift causes
topk(5,
sum by (cause) (
increase(scanner_fn_transitions_total[24h])
)
)
```
## Database Schema
### classification_history Table
```sql
CREATE TABLE scanner.classification_history (
id BIGSERIAL PRIMARY KEY,
artifact_digest TEXT NOT NULL,
vuln_id TEXT NOT NULL,
package_purl TEXT NOT NULL,
tenant_id UUID NOT NULL,
manifest_id UUID NOT NULL,
execution_id UUID NOT NULL,
previous_status TEXT NOT NULL,
new_status TEXT NOT NULL,
is_fn_transition BOOLEAN GENERATED ALWAYS AS (...) STORED,
cause TEXT NOT NULL,
cause_detail JSONB,
changed_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
```
### fn_drift_stats Materialized View
Aggregated daily statistics for efficient dashboard queries:
- Day bucket
- Tenant ID
- Cause breakdown
- FN count and percentage
## Related Documentation
- [Determinism Technical Reference](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md) - Section 13.2
- [Scanner Architecture](../modules/scanner/architecture.md)
- [Telemetry Stack](../modules/telemetry/architecture.md)

188
docs/modules/airgap/evidence-reconciliation.md Normal file
View File

@@ -0,0 +1,188 @@
# Evidence Reconciliation
This document describes the evidence reconciliation algorithm implemented in the `StellaOps.AirGap.Importer` module. The algorithm provides deterministic, lattice-based reconciliation of security evidence from air-gapped bundles.
## Overview
Evidence reconciliation is a 5-step pipeline that transforms raw evidence artifacts (SBOMs, attestations, VEX documents) into a unified, content-addressed evidence graph suitable for policy evaluation and audit trails.
## Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ Evidence Reconciliation Pipeline │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Step 1: Artifact Indexing │
│ ├── EvidenceDirectoryDiscovery │
│ ├── ArtifactIndex (digest-keyed) │
│ └── Digest normalization (sha256:...) │
│ │
│ Step 2: Evidence Collection │
│ ├── SbomCollector (CycloneDX, SPDX) │
│ ├── AttestationCollector (DSSE) │
│ └── Integration with DsseVerifier │
│ │
│ Step 3: Normalization │
│ ├── JsonNormalizer (stable sorting) │
│ ├── Timestamp stripping │
│ └── URI lowercase normalization │
│ │
│ Step 4: Lattice Rules │
│ ├── SourcePrecedenceLattice │
│ ├── VEX merge with precedence │
│ └── Conflict resolution │
│ │
│ Step 5: Graph Emission │
│ ├── EvidenceGraph construction │
│ ├── Deterministic serialization │
│ └── SHA-256 manifest generation │
│ │
└─────────────────────────────────────────────────────────────────┘
```
## Components
### Step 1: Artifact Indexing
**`ArtifactIndex`** - A digest-keyed index of all artifacts in the evidence bundle.
```csharp
// Key types
public readonly record struct DigestKey(string Algorithm, string Value);
// Normalization
DigestKey.Parse("sha256:abc123...") DigestKey("sha256", "abc123...")
```
**`EvidenceDirectoryDiscovery`** - Discovers evidence files from a directory structure.
Expected structure:
```
evidence/
├── sboms/
│ ├── component-a.cdx.json
│ └── component-b.spdx.json
├── attestations/
│ └── artifact.dsse.json
└── vex/
└── vendor-vex.json
```
### Step 2: Evidence Collection
**Parsers:**
- `CycloneDxParser` - Parses CycloneDX 1.4/1.5/1.6 format
- `SpdxParser` - Parses SPDX 2.3 format
- `DsseAttestationParser` - Parses DSSE envelopes
**Collectors:**
- `SbomCollector` - Orchestrates SBOM parsing and indexing
- `AttestationCollector` - Orchestrates attestation parsing and verification
### Step 3: Normalization
**`SbomNormalizer`** applies format-specific normalization:
| Rule | Description |
|------|-------------|
| Stable JSON sorting | Keys sorted alphabetically (ordinal) |
| Timestamp stripping | Removes `created`, `modified`, `timestamp` fields |
| URI normalization | Lowercases scheme, host, normalizes paths |
| Whitespace normalization | Consistent formatting |
### Step 4: Lattice Rules
**`SourcePrecedenceLattice`** implements a bounded lattice for VEX source authority:
```
Vendor (top)
Maintainer
ThirdParty
Unknown (bottom)
```
**Lattice Properties (verified by property-based tests):**
- **Commutativity**: `Join(a, b) = Join(b, a)`
- **Associativity**: `Join(Join(a, b), c) = Join(a, Join(b, c))`
- **Idempotence**: `Join(a, a) = a`
- **Absorption**: `Join(a, Meet(a, b)) = a`
**Conflict Resolution Order:**
1. Higher precedence source wins
2. More recent timestamp wins (when same precedence)
3. Status priority: NotAffected > Fixed > UnderInvestigation > Affected > Unknown
### Step 5: Graph Emission
**`EvidenceGraph`** - A content-addressed graph of reconciled evidence:
```csharp
public sealed record EvidenceGraph
{
public required string Version { get; init; }
public required string DigestAlgorithm { get; init; }
public required string RootDigest { get; init; }
public required IReadOnlyList<EvidenceNode> Nodes { get; init; }
public required IReadOnlyList<EvidenceEdge> Edges { get; init; }
public required DateTimeOffset GeneratedAt { get; init; }
}
```
**Determinism guarantees:**
- Nodes sorted by digest (ordinal)
- Edges sorted by (source, target, type)
- SHA-256 manifest includes content hash
- Reproducible across runs with same inputs
## Integration
### CLI Usage
```bash
# Verify offline evidence bundle
stellaops verify offline \
--evidence-dir /evidence \
--artifact sha256:def456... \
--policy verify-policy.yaml
```
### API
```csharp
// Reconcile evidence
var reconciler = new EvidenceReconciler(options);
var graph = await reconciler.ReconcileAsync(evidenceDir, cancellationToken);
// Verify determinism
var hash1 = graph.ComputeHash();
var graph2 = await reconciler.ReconcileAsync(evidenceDir, cancellationToken);
var hash2 = graph2.ComputeHash();
Debug.Assert(hash1 == hash2); // Always true
```
## Testing
### Golden-File Tests
Test fixtures in `tests/AirGap/StellaOps.AirGap.Importer.Tests/Reconciliation/Fixtures/`:
- `cyclonedx-sample.json` - CycloneDX 1.5 sample
- `spdx-sample.json` - SPDX 2.3 sample
- `dsse-attestation-sample.json` - DSSE envelope sample
### Property-Based Tests
`SourcePrecedenceLatticePropertyTests` verifies:
- Lattice algebraic properties (commutativity, associativity, idempotence, absorption)
- Ordering properties (antisymmetry, transitivity, reflexivity)
- Bound properties (join is LUB, meet is GLB)
- Merge determinism
## Related Documents
- [Air-Gap Module Architecture](./architecture.md) *(pending)*
- [DSSE Verification](../../adr/dsse-verification.md) *(if exists)*
- [Offline Kit Import Flow](./exporter-cli-coordination.md)

93
docs/modules/attestor/architecture.md
View File

@@ -70,6 +70,33 @@ Each predicate embeds subject digests, issuer metadata, policy context, material
4. Validate Merkle proof against checkpoint; optionally verify witness endorsement.
5. Return cached verification bundle including policy verdict and timestamps.
### Rekor Inclusion Proof Verification (SPRINT_3000_0001_0001)
The Attestor implements RFC 6962-compliant Merkle inclusion proof verification for Rekor transparency log entries:
**Components:**
- `MerkleProofVerifier` — Verifies Merkle audit paths per RFC 6962 Section 2.1.1
- `CheckpointSignatureVerifier` — Parses and verifies Rekor checkpoint signatures (ECDSA/Ed25519)
- `RekorVerificationOptions` — Configuration for public keys, offline mode, and checkpoint caching
**Verification Flow:**
1. Parse checkpoint body (origin, tree size, root hash)
2. Verify checkpoint signature against Rekor public key
3. Compute leaf hash from canonicalized entry
4. Walk Merkle path from leaf to root using RFC 6962 interior node hashing
5. Compare computed root with checkpoint root hash (constant-time)
**Offline Mode:**
- Bundled checkpoints can be used in air-gapped environments
- `EnableOfflineMode` and `OfflineCheckpointBundlePath` configuration options
- `AllowOfflineWithoutSignature` for fully disconnected scenarios (reduced security)
**Metrics:**
- `attestor.rekor_inclusion_verify_total` — Verification attempts by result
- `attestor.rekor_checkpoint_verify_total` — Checkpoint signature verifications
- `attestor.rekor_offline_verify_total` — Offline mode verifications
- `attestor.rekor_checkpoint_cache_hits/misses` — Checkpoint cache performance
### UI & CLI touchpoints
- Console: Evidence browser, verification report, chain-of-custody graph, issuer/key management, attestation workbench, bulk verification views.
- CLI: `stella attest sign|verify|list|fetch|key` with offline verification and export bundle support.
@@ -127,6 +154,72 @@ Indexes:
---
## 2.1) Content-Addressed Identifier Formats
The ProofChain library (`StellaOps.Attestor.ProofChain`) defines canonical content-addressed identifiers for all proof chain components. These IDs ensure determinism, tamper-evidence, and reproducibility.
### Identifier Types
| ID Type | Format | Source | Example |
|---------|--------|--------|---------|
| **ArtifactID** | `sha256:<64-hex>` | Container manifest or binary hash | `sha256:a1b2c3d4e5f6...` |
| **SBOMEntryID** | `<sbomDigest>:<purl>[@<version>]` | SBOM hash + component PURL | `sha256:91f2ab3c:pkg:npm/lodash@4.17.21` |
| **EvidenceID** | `sha256:<hash>` | Canonical evidence JSON | `sha256:e7f8a9b0c1d2...` |
| **ReasoningID** | `sha256:<hash>` | Canonical reasoning JSON | `sha256:f0e1d2c3b4a5...` |
| **VEXVerdictID** | `sha256:<hash>` | Canonical VEX verdict JSON | `sha256:d4c5b6a7e8f9...` |
| **ProofBundleID** | `sha256:<merkle_root>` | Merkle root of bundle components | `sha256:1a2b3c4d5e6f...` |
| **GraphRevisionID** | `grv_sha256:<hash>` | Merkle root of graph state | `grv_sha256:9f8e7d6c5b4a...` |
### Canonicalization (RFC 8785)
All JSON-based IDs use RFC 8785 (JCS) canonicalization:
- UTF-8 encoding
- Lexicographically sorted keys
- No whitespace (minified)
- No volatile fields (timestamps, random values excluded)
**Implementation:** `StellaOps.Attestor.ProofChain.Json.Rfc8785JsonCanonicalizer`
### Merkle Tree Construction
ProofBundleID and GraphRevisionID use deterministic binary Merkle trees:
- SHA-256 hash function
- Lexicographically sorted leaf inputs
- Standard binary tree construction (pair-wise hashing)
- Odd leaves promoted to next level
**Implementation:** `StellaOps.Attestor.ProofChain.Merkle.DeterministicMerkleTreeBuilder`
### ID Generation Interface
```csharp
// Core interface for ID generation
public interface IContentAddressedIdGenerator
{
EvidenceId GenerateEvidenceId(EvidencePredicate predicate);
ReasoningId GenerateReasoningId(ReasoningPredicate predicate);
VexVerdictId GenerateVexVerdictId(VexPredicate predicate);
ProofBundleId GenerateProofBundleId(SbomEntryId sbom, EvidenceId[] evidence,
ReasoningId reasoning, VexVerdictId verdict);
GraphRevisionId GenerateGraphRevisionId(GraphState state);
}
```
### Predicate Types
The ProofChain library defines DSSE predicates for each attestation type:
| Predicate | Type URI | Purpose |
|-----------|----------|---------|
| `EvidencePredicate` | `stellaops.org/evidence/v1` | Scan evidence (findings, reachability) |
| `ReasoningPredicate` | `stellaops.org/reasoning/v1` | Exploitability reasoning |
| `VexPredicate` | `stellaops.org/vex-verdict/v1` | VEX status determination |
| `ProofSpinePredicate` | `stellaops.org/proof-spine/v1` | Complete proof bundle |
**Reference:** `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/`
---
## 3) Input contract (from Signer)
**Attestor accepts only** DSSE envelopes that satisfy all of:

215
docs/modules/attestor/proof-spine-algorithm.md Normal file
View File

@@ -0,0 +1,215 @@
# Proof Spine Assembly Algorithm
> **Sprint:** SPRINT_0501_0004_0001
> **Module:** Attestor / ProofChain
## Overview
The Proof Spine is the cryptographic backbone of StellaOps' proof chain. It aggregates evidence, reasoning, and VEX statements into a single merkle-rooted bundle that can be verified independently.
## Architecture
```
┌─────────────────────────────────────────────────────────────────────────────┐
│ PROOF SPINE STRUCTURE │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ SBOMEntryID │ │ EvidenceID[] │ │ ReasoningID │ │ VEXVerdictID │ │
│ │ (leaf 0) │ │ (leaves 1-N) │ │ (leaf N+1) │ │ (leaf N+2) │ │
│ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ │
│ │ │ │ │ │
│ └─────────────────┴─────────────────┴─────────────────┘ │
│ │ │
│ ▼ │
│ ┌───────────────────────────────┐ │
│ │ MERKLE TREE BUILDER │ │
│ │ - SHA-256 hash function │ │
│ │ - Lexicographic sorting │ │
│ │ - Power-of-2 padding │ │
│ └───────────────┬───────────────┘ │
│ │ │
│ ▼ │
│ ┌───────────────────────────────┐ │
│ │ ProofBundleID (Root) │ │
│ │ sha256:<64-hex-chars> │ │
│ └───────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
```
## Algorithm Specification
### Input
| Parameter | Type | Description |
|-----------|------|-------------|
| `sbomEntryId` | string | Content-addressed ID of the SBOM entry |
| `evidenceIds` | string[] | Array of evidence statement IDs |
| `reasoningId` | string | ID of the reasoning/policy match statement |
| `vexVerdictId` | string | ID of the VEX verdict statement |
### Output
| Parameter | Type | Description |
|-----------|------|-------------|
| `proofBundleId` | string | Merkle root in format `sha256:<64-hex>` |
### Pseudocode
```
FUNCTION BuildProofBundleMerkle(sbomEntryId, evidenceIds[], reasoningId, vexVerdictId):
// Step 1: Prepare leaves in deterministic order
leaves = []
leaves.append(SHA256(UTF8.GetBytes(sbomEntryId)))
// Step 2: Sort evidence IDs lexicographically
sortedEvidenceIds = evidenceIds.Sort(StringComparer.Ordinal)
FOR EACH evidenceId IN sortedEvidenceIds:
leaves.append(SHA256(UTF8.GetBytes(evidenceId)))
leaves.append(SHA256(UTF8.GetBytes(reasoningId)))
leaves.append(SHA256(UTF8.GetBytes(vexVerdictId)))
// Step 3: Pad to power of 2 (duplicate last leaf)
WHILE NOT IsPowerOfTwo(leaves.Length):
leaves.append(leaves[leaves.Length - 1])
// Step 4: Build tree bottom-up
currentLevel = leaves
WHILE currentLevel.Length > 1:
nextLevel = []
FOR i = 0 TO currentLevel.Length STEP 2:
left = currentLevel[i]
right = currentLevel[i + 1]
parent = SHA256(left || right) // Concatenate then hash
nextLevel.append(parent)
currentLevel = nextLevel
// Step 5: Return root as formatted ID
RETURN "sha256:" + HexEncode(currentLevel[0])
```
## Determinism Invariants
| Invariant | Rule | Rationale |
|-----------|------|-----------|
| Evidence Ordering | Lexicographic (byte comparison) | Reproducible across platforms |
| Hash Function | SHA-256 only | No algorithm negotiation |
| Padding | Duplicate last leaf | Not zeros, preserves tree structure |
| Concatenation | Left `\|\|` Right | Consistent ordering |
| String Encoding | UTF-8 | Cross-platform compatibility |
| ID Format | `sha256:<lowercase-hex>` | Canonical representation |
## Example
### Input
```json
{
"sbomEntryId": "sha256:abc123...",
"evidenceIds": [
"sha256:evidence-cve-2024-0001...",
"sha256:evidence-reachability...",
"sha256:evidence-sbom-component..."
],
"reasoningId": "sha256:reasoning-policy...",
"vexVerdictId": "sha256:vex-not-affected..."
}
```
### Processing
1. **Leaf 0**: `SHA256("sha256:abc123...")` → SBOM
2. **Leaf 1**: `SHA256("sha256:evidence-cve-2024-0001...")` → Evidence (sorted first)
3. **Leaf 2**: `SHA256("sha256:evidence-reachability...")` → Evidence
4. **Leaf 3**: `SHA256("sha256:evidence-sbom-component...")` → Evidence
5. **Leaf 4**: `SHA256("sha256:reasoning-policy...")` → Reasoning
6. **Leaf 5**: `SHA256("sha256:vex-not-affected...")` → VEX
7. **Padding**: Duplicate leaf 5 to get 8 leaves (power of 2)
### Tree Structure
```
ROOT
/ \
H1 H2
/ \ / \
H3 H4 H5 H6
/ \ / \ / \ / \
L0 L1 L2 L3 L4 L5 L5 L5 (padded)
```
### Output
```
sha256:7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069
```
## Cross-Platform Verification
### Test Vector
For cross-platform compatibility testing, use this known test vector:
**Input:**
```json
{
"sbomEntryId": "sha256:0000000000000000000000000000000000000000000000000000000000000001",
"evidenceIds": [
"sha256:0000000000000000000000000000000000000000000000000000000000000002",
"sha256:0000000000000000000000000000000000000000000000000000000000000003"
],
"reasoningId": "sha256:0000000000000000000000000000000000000000000000000000000000000004",
"vexVerdictId": "sha256:0000000000000000000000000000000000000000000000000000000000000005"
}
```
All implementations (C#, Go, Rust, TypeScript) must produce the same root hash.
## Verification
To verify a proof bundle:
1. Obtain all constituent statements (SBOM, Evidence, Reasoning, VEX)
2. Extract their content-addressed IDs
3. Re-compute the merkle root using the algorithm above
4. Compare with the claimed `proofBundleId`
If the roots match, the bundle is valid and all statements are bound to this proof.
## API
### C# Interface
```csharp
public interface IProofSpineAssembler
{
/// <summary>
/// Assembles a proof spine from its constituent statements.
/// </summary>
ProofSpineResult Assemble(ProofSpineInput input);
}
public record ProofSpineInput
{
public required string SbomEntryId { get; init; }
public required IReadOnlyList<string> EvidenceIds { get; init; }
public required string ReasoningId { get; init; }
public required string VexVerdictId { get; init; }
}
public record ProofSpineResult
{
public required string ProofBundleId { get; init; }
public required byte[] MerkleRoot { get; init; }
public required IReadOnlyList<byte[]> LeafHashes { get; init; }
}
```
## Related Documentation
- [Proof and Evidence Chain Technical Reference](../product-advisories/14-Dec-2025%20-%20Proof%20and%20Evidence%20Chain%20Technical%20Reference.md) - §2.4, §4.2, §9
- [Content-Addressed IDs](./content-addressed-ids.md)
- [DSSE Predicates](./dsse-predicates.md)

159
docs/modules/telemetry/operations/alerts/ttfs-alerts.yaml Normal file
View File

@@ -0,0 +1,159 @@
# TTFS (Time to First Signal) Alert Rules
# Reference: SPRINT_0341_0001_0001 Task T10
# These alerts monitor SLOs for the TTFS experience
groups:
- name: ttfs-slo
interval: 30s
rules:
# Primary SLO: P95 latency must be under 5 seconds
- alert: TtfsP95High
expr: |
histogram_quantile(0.95, sum(rate(ttfs_latency_seconds_bucket[5m])) by (le, surface)) > 5
for: 5m
labels:
severity: page
component: ttfs
slo: ttfs-latency
annotations:
summary: "TTFS P95 latency exceeds 5s for {{ $labels.surface }}"
description: "Time to First Signal P95 is {{ $value | humanizeDuration }} for surface {{ $labels.surface }}. This breaches the TTFS SLO."
runbook: "docs/runbooks/ttfs-latency-high.md"
dashboard: "https://grafana.stellaops.local/d/ttfs-overview"
# Cache performance: Hit rate should be above 70%
- alert: TtfsCacheHitRateLow
expr: |
sum(rate(ttfs_cache_hit_total[5m])) / sum(rate(ttfs_signal_total[5m])) < 0.7
for: 10m
labels:
severity: warning
component: ttfs
annotations:
summary: "TTFS cache hit rate below 70%"
description: "Cache hit rate is {{ $value | humanizePercentage }}. Low cache hit rates increase TTFS latency."
runbook: "docs/runbooks/ttfs-cache-performance.md"
# Error rate: Should be under 1%
- alert: TtfsErrorRateHigh
expr: |
sum(rate(ttfs_error_total[5m])) / sum(rate(ttfs_signal_total[5m])) > 0.01
for: 5m
labels:
severity: warning
component: ttfs
annotations:
summary: "TTFS error rate exceeds 1%"
description: "Error rate is {{ $value | humanizePercentage }}. Check logs for FirstSignalService errors."
runbook: "docs/runbooks/ttfs-error-investigation.md"
# SLO breach counter: Too many breaches in a short window
- alert: TtfsSloBreach
expr: |
sum(increase(ttfs_slo_breach_total[5m])) > 10
for: 1m
labels:
severity: page
component: ttfs
slo: ttfs-breach-rate
annotations:
summary: "TTFS SLO breach rate high"
description: "{{ $value }} SLO breaches in last 5 minutes. Immediate investigation required."
runbook: "docs/runbooks/ttfs-slo-breach.md"
# Endpoint latency: HTTP endpoint should respond within 500ms
- alert: FirstSignalEndpointLatencyHigh
expr: |
histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{route=~"/api/v1/orchestrator/runs/.*/first-signal"}[5m])) by (le)) > 0.5
for: 5m
labels:
severity: warning
component: ttfs
annotations:
summary: "First signal endpoint P95 latency > 500ms"
description: "The /first-signal API endpoint P95 is {{ $value | humanizeDuration }}. This is the API-level latency only."
runbook: "docs/runbooks/first-signal-api-slow.md"
- name: ttfs-availability
interval: 1m
rules:
# Availability: First signal endpoint should be available
- alert: FirstSignalEndpointDown
expr: |
up{job="orchestrator"} == 0
for: 2m
labels:
severity: critical
component: ttfs
annotations:
summary: "Orchestrator (First Signal provider) is down"
description: "The Orchestrator service is not responding. First Signal functionality is unavailable."
runbook: "docs/runbooks/orchestrator-down.md"
# No signals being generated
- alert: TtfsNoSignals
expr: |
sum(rate(ttfs_signal_total[10m])) == 0
for: 15m
labels:
severity: warning
component: ttfs
annotations:
summary: "No TTFS signals generated in 15 minutes"
description: "No First Signal events have been recorded. This could indicate no active runs or a metric collection issue."
- name: ttfs-ux
interval: 1m
rules:
# UX: High bounce rate indicates poor experience
- alert: TtfsBounceRateHigh
expr: |
sum(rate(ttfs_bounce_total[5m])) / sum(rate(ttfs_page_view_total[5m])) > 0.5
for: 30m
labels:
severity: warning
component: ttfs
area: ux
annotations:
summary: "TTFS page bounce rate exceeds 50%"
description: "More than 50% of users are leaving the run page within 10 seconds. This may indicate poor First Signal experience."
# UX: Long open-to-action time
- alert: TtfsOpenToActionSlow
expr: |
histogram_quantile(0.75, sum(rate(ttfs_open_to_action_seconds_bucket[15m])) by (le)) > 30
for: 1h
labels:
severity: info
component: ttfs
area: ux
annotations:
summary: "75% of users take >30s to first action"
description: "Users are taking a long time to act on First Signal. Consider UX improvements."
- name: ttfs-failure-signatures
interval: 30s
rules:
# New failure pattern emerging
- alert: TtfsNewFailurePatternHigh
expr: |
sum(rate(ttfs_failure_signature_new_total[5m])) > 1
for: 10m
labels:
severity: warning
component: ttfs
annotations:
summary: "High rate of new failure signatures"
description: "New failure patterns are being detected at {{ $value }}/s. This may indicate a new class of errors."
# Failure signature confidence upgrades
- alert: TtfsFailureSignatureConfidenceUpgrade
expr: |
sum(increase(ttfs_failure_signature_confidence_upgrade_total[1h])) > 5
for: 5m
labels:
severity: info
component: ttfs
annotations:
summary: "Multiple failure signatures upgraded to high confidence"
description: "{{ $value }} failure signatures have been upgraded to high confidence in the last hour."

552
docs/modules/telemetry/operations/dashboards/ttfs-observability.json Normal file
View File

@@ -0,0 +1,552 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Time to First Signal (TTFS) observability dashboard for StellaOps",
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": null,
"links": [],
"liveNow": false,
"panels": [
{
"title": "TTFS P50/P95/P99 by Surface",
"type": "timeseries",
"gridPos": { "x": 0, "y": 0, "w": 12, "h": 8 },
"id": 1,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "histogram_quantile(0.50, sum(rate(ttfs_latency_seconds_bucket[5m])) by (le, surface))",
"legendFormat": "P50 - {{surface}}",
"refId": "A"
},
{
"expr": "histogram_quantile(0.95, sum(rate(ttfs_latency_seconds_bucket[5m])) by (le, surface))",
"legendFormat": "P95 - {{surface}}",
"refId": "B"
},
{
"expr": "histogram_quantile(0.99, sum(rate(ttfs_latency_seconds_bucket[5m])) by (le, surface))",
"legendFormat": "P99 - {{surface}}",
"refId": "C"
}
],
"fieldConfig": {
"defaults": {
"unit": "s",
"thresholds": {
"mode": "absolute",
"steps": [
{ "value": null, "color": "green" },
{ "value": 2, "color": "yellow" },
{ "value": 5, "color": "red" }
]
},
"custom": {
"lineWidth": 1,
"fillOpacity": 10,
"showPoints": "auto"
}
},
"overrides": []
},
"options": {
"legend": {
"displayMode": "table",
"placement": "bottom",
"calcs": ["mean", "max", "lastNotNull"]
},
"tooltip": {
"mode": "multi",
"sort": "desc"
}
}
},
{
"title": "Cache Hit Rate",
"type": "stat",
"gridPos": { "x": 12, "y": 0, "w": 6, "h": 4 },
"id": 2,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "sum(rate(ttfs_cache_hit_total[5m])) / sum(rate(ttfs_signal_total[5m]))",
"legendFormat": "Hit Rate",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "percentunit",
"thresholds": {
"mode": "absolute",
"steps": [
{ "value": null, "color": "red" },
{ "value": 0.7, "color": "yellow" },
{ "value": 0.9, "color": "green" }
]
},
"mappings": []
},
"overrides": []
},
"options": {
"reduceOptions": {
"values": false,
"calcs": ["lastNotNull"],
"fields": ""
},
"orientation": "auto",
"textMode": "auto",
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto"
}
},
{
"title": "SLO Breaches (P95 > 5s)",
"type": "stat",
"gridPos": { "x": 18, "y": 0, "w": 6, "h": 4 },
"id": 3,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "sum(increase(ttfs_slo_breach_total[1h]))",
"legendFormat": "Breaches (1h)",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"thresholds": {
"mode": "absolute",
"steps": [
{ "value": null, "color": "green" },
{ "value": 1, "color": "yellow" },
{ "value": 10, "color": "red" }
]
},
"mappings": []
},
"overrides": []
},
"options": {
"reduceOptions": {
"values": false,
"calcs": ["lastNotNull"],
"fields": ""
},
"orientation": "auto",
"textMode": "auto",
"colorMode": "background",
"graphMode": "none",
"justifyMode": "auto"
}
},
{
"title": "Signal Source Distribution",
"type": "piechart",
"gridPos": { "x": 12, "y": 4, "w": 6, "h": 4 },
"id": 4,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "sum by (signal_source) (rate(ttfs_signal_total[1h]))",
"legendFormat": "{{signal_source}}",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"mappings": []
},
"overrides": []
},
"options": {
"legend": {
"displayMode": "list",
"placement": "right"
},
"pieType": "pie",
"tooltip": {
"mode": "single"
}
}
},
{
"title": "Failure Signature Matches",
"type": "stat",
"gridPos": { "x": 18, "y": 4, "w": 6, "h": 4 },
"id": 5,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "sum(rate(ttfs_failure_signature_match_total[5m]))",
"legendFormat": "Matches/s",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "reqps",
"thresholds": {
"mode": "absolute",
"steps": [
{ "value": null, "color": "blue" }
]
}
},
"overrides": []
}
},
{
"title": "Signals by Kind",
"type": "timeseries",
"gridPos": { "x": 0, "y": 8, "w": 12, "h": 6 },
"id": 6,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "sum by (kind) (rate(ttfs_signal_total[5m]))",
"legendFormat": "{{kind}}",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "reqps",
"custom": {
"lineWidth": 1,
"fillOpacity": 20,
"stacking": {
"mode": "normal",
"group": "A"
}
}
},
"overrides": []
},
"options": {
"legend": {
"displayMode": "list",
"placement": "bottom"
}
}
},
{
"title": "Error Rate",
"type": "timeseries",
"gridPos": { "x": 12, "y": 8, "w": 12, "h": 6 },
"id": 7,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "sum(rate(ttfs_error_total[5m])) / sum(rate(ttfs_signal_total[5m]))",
"legendFormat": "Error Rate",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "percentunit",
"max": 0.1,
"thresholds": {
"mode": "absolute",
"steps": [
{ "value": null, "color": "green" },
{ "value": 0.01, "color": "yellow" },
{ "value": 0.05, "color": "red" }
]
},
"custom": {
"lineWidth": 2,
"fillOpacity": 10
}
},
"overrides": []
},
"options": {
"legend": {
"displayMode": "list",
"placement": "bottom"
}
}
},
{
"title": "TTFS Latency Heatmap",
"type": "heatmap",
"gridPos": { "x": 0, "y": 14, "w": 12, "h": 8 },
"id": 8,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "sum(increase(ttfs_latency_seconds_bucket[1m])) by (le)",
"legendFormat": "{{le}}",
"format": "heatmap",
"refId": "A"
}
],
"options": {
"calculate": false,
"yAxis": {
"axisPlacement": "left",
"unit": "s"
},
"color": {
"scheme": "Spectral",
"mode": "scheme"
},
"cellGap": 1
}
},
{
"title": "First Signal Endpoint Latency",
"type": "timeseries",
"gridPos": { "x": 12, "y": 14, "w": 12, "h": 8 },
"id": 9,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "histogram_quantile(0.50, sum(rate(http_request_duration_seconds_bucket{route=~\"/api/v1/orchestrator/runs/.*/first-signal\"}[5m])) by (le))",
"legendFormat": "P50",
"refId": "A"
},
{
"expr": "histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{route=~\"/api/v1/orchestrator/runs/.*/first-signal\"}[5m])) by (le))",
"legendFormat": "P95",
"refId": "B"
},
{
"expr": "histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket{route=~\"/api/v1/orchestrator/runs/.*/first-signal\"}[5m])) by (le))",
"legendFormat": "P99",
"refId": "C"
}
],
"fieldConfig": {
"defaults": {
"unit": "s",
"thresholds": {
"mode": "absolute",
"steps": [
{ "value": null, "color": "green" },
{ "value": 0.3, "color": "yellow" },
{ "value": 0.5, "color": "red" }
]
},
"custom": {
"lineWidth": 1,
"fillOpacity": 10
}
},
"overrides": []
}
},
{
"title": "Open→Action Time Distribution",
"type": "histogram",
"gridPos": { "x": 0, "y": 22, "w": 8, "h": 6 },
"id": 10,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "sum(increase(ttfs_open_to_action_seconds_bucket[5m])) by (le)",
"legendFormat": "{{le}}",
"format": "heatmap",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "s"
}
}
},
{
"title": "Bounce Rate (< 10s)",
"type": "stat",
"gridPos": { "x": 8, "y": 22, "w": 4, "h": 6 },
"id": 11,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "sum(rate(ttfs_bounce_total[5m])) / sum(rate(ttfs_page_view_total[5m]))",
"legendFormat": "Bounce Rate",
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"unit": "percentunit",
"thresholds": {
"mode": "absolute",
"steps": [
{ "value": null, "color": "green" },
{ "value": 0.3, "color": "yellow" },
{ "value": 0.5, "color": "red" }
]
}
}
}
},
{
"title": "Top Failure Signatures",
"type": "table",
"gridPos": { "x": 12, "y": 22, "w": 12, "h": 6 },
"id": 12,
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"targets": [
{
"expr": "topk(10, sum by (error_token, error_code) (ttfs_failure_signature_hit_total))",
"legendFormat": "{{error_token}} ({{error_code}})",
"format": "table",
"instant": true,
"refId": "A"
}
],
"fieldConfig": {
"defaults": {
"custom": {
"align": "auto"
}
},
"overrides": [
{
"matcher": { "id": "byName", "options": "Value" },
"properties": [
{ "id": "displayName", "value": "Hit Count" }
]
}
]
},
"transformations": [
{
"id": "organize",
"options": {
"excludeByName": {
"Time": true
},
"renameByName": {
"error_token": "Token",
"error_code": "Code"
}
}
}
]
}
],
"refresh": "30s",
"schemaVersion": 38,
"style": "dark",
"tags": ["ttfs", "ux", "slo", "stellaops"],
"templating": {
"list": [
{
"current": {
"selected": false,
"text": "Prometheus",
"value": "prometheus"
},
"hide": 0,
"includeAll": false,
"label": "Datasource",
"multi": false,
"name": "datasource",
"options": [],
"query": "prometheus",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
},
{
"allValue": ".*",
"current": {
"selected": true,
"text": "All",
"value": "$__all"
},
"datasource": {
"type": "prometheus",
"uid": "${datasource}"
},
"definition": "label_values(ttfs_latency_seconds_bucket, surface)",
"hide": 0,
"includeAll": true,
"label": "Surface",
"multi": true,
"name": "surface",
"options": [],
"query": {
"query": "label_values(ttfs_latency_seconds_bucket, surface)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 1,
"type": "query"
}
]
},
"time": {
"from": "now-6h",
"to": "now"
},
"timepicker": {},
"timezone": "utc",
"title": "TTFS - Time to First Signal",
"uid": "ttfs-overview",
"version": 1,
"weekStart": ""
}

59
docs/modules/telemetry/ttfs-architecture.md
View File

@@ -361,7 +361,61 @@ export const TTFS_FIXTURES = {
};
```
## 12) References
## 12) Observability
### 12.1 Grafana Dashboard
The TTFS observability dashboard provides real-time visibility into signal latency, cache performance, and SLO compliance.
- **Dashboard file**: `docs/modules/telemetry/operations/dashboards/ttfs-observability.json`
- **UID**: `ttfs-overview`
**Key panels:**
- TTFS P50/P95/P99 by Surface (timeseries)
- Cache Hit Rate (stat)
- SLO Breaches (stat with threshold coloring)
- Signal Source Distribution (piechart)
- Signals by Kind (stacked timeseries)
- Error Rate (timeseries)
- TTFS Latency Heatmap
- Top Failure Signatures (table)
### 12.2 Alert Rules
TTFS alerts are defined in `docs/modules/telemetry/operations/alerts/ttfs-alerts.yaml`.
**Critical alerts:**
| Alert | Threshold | For |
|-------|-----------|-----|
| `TtfsP95High` | P95 > 5s | 5m |
| `TtfsSloBreach` | >10 breaches in 5m | 1m |
| `FirstSignalEndpointDown` | Orchestrator unavailable | 2m |
**Warning alerts:**
| Alert | Threshold | For |
|-------|-----------|-----|
| `TtfsCacheHitRateLow` | <70% | 10m |
| `TtfsErrorRateHigh` | >1% | 5m |
| `FirstSignalEndpointLatencyHigh` | P95 > 500ms | 5m |
### 12.3 Load Testing
Load tests validate TTFS performance under realistic conditions.
- **Test file**: `tests/load/ttfs-load-test.js`
- **Framework**: k6
**Scenarios:**
- Sustained: 50 RPS for 5 minutes
- Spike: Ramp to 200 RPS
- Soak: 25 RPS for 15 minutes
**Thresholds:**
- Cache-hit P95 ≤ 250ms
- Cold-path P95 ≤ 500ms
- Error rate < 0.1%
## 13) References
- Advisory: `docs/product-advisories/14-Dec-2025 - UX and Time-to-Evidence Technical Reference.md`
- Sprint 1 (Foundation): `docs/implplan/SPRINT_0338_0001_0001_ttfs_foundation.md`
@@ -371,3 +425,6 @@ export const TTFS_FIXTURES = {
- TTE Architecture: `docs/modules/telemetry/architecture.md`
- Telemetry Schema: `docs/schemas/ttfs-event.schema.json`
- Database Schema: `docs/db/schemas/ttfs.sql`
- Grafana Dashboard: `docs/modules/telemetry/operations/dashboards/ttfs-observability.json`
- Alert Rules: `docs/modules/telemetry/operations/alerts/ttfs-alerts.yaml`
- Load Tests: `tests/load/ttfs-load-test.js`

291
docs/policy/score-policy-yaml.md Normal file
View File

@@ -0,0 +1,291 @@
# Score Policy YAML Format
**Sprint:** SPRINT_3402_0001_0001
**Status:** Complete
## Overview
StellaOps uses a YAML-based configuration for deterministic vulnerability scoring. The score policy defines how different factors contribute to the final vulnerability score, ensuring reproducible and auditable results.
## Schema Version
Current version: `score.v1`
## File Location
By default, score policies are loaded from:
- `etc/score-policy.yaml` (production)
- `etc/score-policy.yaml.sample` (reference template)
Override via environment variable: `STELLAOPS_SCORE_POLICY_PATH`
## Basic Structure
```yaml
# Required fields
policyVersion: score.v1
policyId: unique-policy-identifier
# Optional metadata
policyName: "My Organization's Scoring Policy"
description: "Custom scoring weights for our security posture"
# Weight distribution (must sum to 10000 basis points = 100%)
weightsBps:
baseSeverity: 2500 # 25% - CVSS base score contribution
reachability: 2500 # 25% - Code reachability analysis
evidence: 2500 # 25% - KEV, EPSS, exploit evidence
provenance: 2500 # 25% - Supply chain trust signals
```
## Weight Configuration
Weights are specified in **basis points (bps)** where 10000 bps = 100%. This avoids floating-point precision issues and ensures weights always sum to exactly 100%.
### Example: Reachability-Heavy Profile
```yaml
policyVersion: score.v1
policyId: reachability-focused
weightsBps:
baseSeverity: 2000 # 20%
reachability: 4000 # 40% - Heavy emphasis on reachability
evidence: 2000 # 20%
provenance: 2000 # 20%
```
### Example: Evidence-Heavy Profile
```yaml
policyVersion: score.v1
policyId: evidence-focused
weightsBps:
baseSeverity: 2000 # 20%
reachability: 2000 # 20%
evidence: 4000 # 40% - Heavy emphasis on KEV/EPSS
provenance: 2000 # 20%
```
## Reachability Configuration
Fine-tune how reachability analysis affects scores:
```yaml
reachabilityConfig:
reachableMultiplier: 1.5 # Boost for reachable code paths
unreachableMultiplier: 0.3 # Reduction for unreachable code
unknownMultiplier: 1.0 # Default when analysis unavailable
```
### Multiplier Bounds
- Minimum: 0.0
- Maximum: 2.0 (configurable)
- Default for unknown: 1.0 (no adjustment)
## Evidence Configuration
Configure how exploit evidence affects scoring:
```yaml
evidenceConfig:
kevWeight: 1.5 # Boost for KEV-listed vulnerabilities
epssThreshold: 0.5 # EPSS score threshold for high-risk
epssWeight: 1.2 # Weight multiplier for high EPSS
```
### KEV Integration
Known Exploited Vulnerabilities (KEV) from CISA are automatically boosted:
- `kevWeight: 1.5` means 50% score increase for KEV-listed CVEs
- Setting `kevWeight: 1.0` disables KEV boost
### EPSS Integration
Exploit Prediction Scoring System (EPSS) provides probability-based risk:
- `epssThreshold`: Minimum EPSS for applying the weight
- `epssWeight`: Multiplier applied when EPSS exceeds threshold
## Provenance Configuration
Configure how supply chain trust signals affect scoring:
```yaml
provenanceConfig:
signedBonus: 0.1 # 10% reduction for signed artifacts
rekorVerifiedBonus: 0.2 # 20% reduction for Rekor-verified
unsignedPenalty: -0.1 # 10% increase for unsigned artifacts
```
### Trust Signals
| Signal | Effect | Use Case |
|--------|--------|----------|
| `signedBonus` | Score reduction | Artifact has valid signature |
| `rekorVerifiedBonus` | Score reduction | Signature in transparency log |
| `unsignedPenalty` | Score increase | No signature present |
## Score Overrides
Override scoring for specific CVEs or patterns:
```yaml
overrides:
# Exact CVE match
- id: log4shell-critical
match:
cvePattern: "CVE-2021-44228"
action:
setScore: 10.0
reason: "Known critical RCE in production"
# Pattern match
- id: log4j-family
match:
cvePattern: "CVE-2021-442.*"
action:
multiplyScore: 1.2
reason: "Log4j family vulnerabilities"
# Severity-based
- id: low-severity-suppress
match:
severityEquals: "LOW"
action:
multiplyScore: 0.5
reason: "Reduce noise from low-severity findings"
# Combined conditions
- id: unreachable-medium
match:
severityEquals: "MEDIUM"
reachabilityEquals: "UNREACHABLE"
action:
multiplyScore: 0.3
reason: "Medium + unreachable = low priority"
```
### Override Actions
| Action | Description | Example |
|--------|-------------|---------|
| `setScore` | Force specific score | `setScore: 10.0` |
| `multiplyScore` | Apply multiplier | `multiplyScore: 0.5` |
| `addScore` | Add/subtract value | `addScore: -2.0` |
### Match Conditions
| Condition | Description | Example |
|-----------|-------------|---------|
| `cvePattern` | Regex match on CVE ID | `"CVE-2021-.*"` |
| `severityEquals` | Exact severity match | `"HIGH"`, `"CRITICAL"` |
| `reachabilityEquals` | Reachability state | `"REACHABLE"`, `"UNREACHABLE"`, `"UNKNOWN"` |
| `packagePattern` | Package name regex | `"log4j.*"` |
## Complete Example
```yaml
policyVersion: score.v1
policyId: production-v2024.12
policyName: "Production Security Policy"
description: |
Balanced scoring policy with emphasis on exploitability
and reachability for production workloads.
weightsBps:
baseSeverity: 2000
reachability: 3000
evidence: 3000
provenance: 2000
reachabilityConfig:
reachableMultiplier: 1.5
unreachableMultiplier: 0.4
unknownMultiplier: 1.0
evidenceConfig:
kevWeight: 1.5
epssThreshold: 0.3
epssWeight: 1.3
provenanceConfig:
signedBonus: 0.1
rekorVerifiedBonus: 0.15
unsignedPenalty: -0.05
overrides:
- id: critical-rce
match:
cvePattern: "CVE-2021-44228|CVE-2022-22965"
action:
setScore: 10.0
reason: "Known critical RCE vulnerabilities"
- id: unreachable-low
match:
severityEquals: "LOW"
reachabilityEquals: "UNREACHABLE"
action:
multiplyScore: 0.2
reason: "Minimal risk: low severity + unreachable"
```
## Validation
Policies are validated against JSON Schema on load:
1. **Schema validation**: Structure and types
2. **Weight sum check**: `weightsBps` must sum to 10000
3. **Range checks**: Multipliers within bounds
4. **Override validation**: Valid patterns and actions
### Programmatic Validation
```csharp
var validator = new ScorePolicyValidator();
var result = validator.Validate(policy);
if (!result.IsValid)
{
foreach (var error in result.Errors)
{
Console.WriteLine(error);
}
}
```
## Determinism
For reproducible scoring:
1. **Policy Digest**: Each policy has a content-addressed digest
2. **Replay Manifest**: Digest is recorded in scan manifests
3. **Audit Trail**: Policy version tracked with every scan
### Digest Format
```
sha256:abc123def456...
```
The digest is computed from canonical JSON serialization of the policy, ensuring identical policies always produce identical digests.
## Migration
### From Hardcoded Weights
1. Export current weights to YAML format
2. Validate with `stellaops policy validate score.yaml`
3. Deploy to `etc/score-policy.yaml`
4. Restart services to load new policy
### Version Upgrades
Future schema versions (e.g., `score.v2`) will include migration guides and backward compatibility notes.
## Related Documentation
- [Architecture Overview](../07_HIGH_LEVEL_ARCHITECTURE.md)
- [Determinism Technical Reference](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md)
- [Policy Engine Architecture](../modules/policy/architecture.md)

192
docs/policy/scoring-profiles.md Normal file
View File

@@ -0,0 +1,192 @@
# Scoring Profiles
**Sprint:** SPRINT_3407_0001_0001
**Task:** PROF-3407-014
**Last Updated:** 2025-12-16
## Overview
StellaOps supports multiple scoring profiles to accommodate different customer needs, from simple transparent scoring to advanced entropy-based analysis. Scoring profiles determine how vulnerability findings are evaluated and scored.
## Available Profiles
### Simple Profile
The Simple profile uses a transparent 4-factor basis-points weighted formula:
```
riskScore = (wB × B + wR × R + wE × E + wP × P) / 10000
```
Where:
- **B** (Base Severity): CVSS score × 10 (0-100 range)
- **R** (Reachability): Hop-based score with gate multipliers
- **E** (Evidence): Evidence points × freshness multiplier
- **P** (Provenance): Level-based score (unsigned to reproducible)
- **wB, wR, wE, wP**: Weight basis points (must sum to 10000)
**Default weights:**
| Factor | Weight (bps) | Percentage |
|--------|-------------|------------|
| Base Severity | 1000 | 10% |
| Reachability | 4500 | 45% |
| Evidence | 3000 | 30% |
| Provenance | 1500 | 15% |
**Use cases:**
- Organizations requiring audit-friendly, explainable scoring
- Compliance scenarios requiring transparent formulas
- Initial deployments before advanced analysis is available
### Advanced Profile (Default)
The Advanced profile extends Simple with:
- **CVSS version adjustment**: Scores weighted by CVSS version (4.0 > 3.1 > 3.0 > 2.0)
- **KEV boost**: +20 points for Known Exploited Vulnerabilities
- **Uncertainty penalty**: Deductions for missing data (reachability, evidence, provenance, CVSS version)
- **Semantic category multipliers**: Entry points and API endpoints scored higher than internal services
- **Multi-evidence overlap bonus**: 10% bonus per additional evidence type
- **Advanced score passthrough**: Uses pre-computed advanced scores when available
**Use cases:**
- Production deployments with full telemetry
- Organizations with mature security programs
- Scenarios requiring nuanced risk differentiation
### Custom Profile (Enterprise)
The Custom profile allows fully user-defined scoring via Rego policies. Requires:
- Valid Rego policy path
- Policy Engine license with Custom Scoring feature
## Configuration
### Score Policy YAML
Add the `scoringProfile` field to your score policy:
```yaml
policyVersion: score.v1
scoringProfile: simple # Options: simple, advanced, custom
weightsBps:
baseSeverity: 1000
reachability: 4500
evidence: 3000
provenance: 1500
# ... rest of policy configuration
```
### Tenant Override
Tenants can override the default profile via the Scoring Profile Service:
```csharp
// Set profile for a tenant
scoringProfileService.SetProfileForTenant("tenant-id", new ScoringProfileConfig
{
Profile = ScoringProfile.Simple
});
// Remove override (revert to default)
scoringProfileService.RemoveProfileForTenant("tenant-id");
```
## API Integration
### Scoring with Default Profile
```csharp
var result = await profileAwareScoringService.ScoreAsync(input);
// Uses tenant's configured profile
```
### Scoring with Explicit Profile
```csharp
var result = await profileAwareScoringService.ScoreWithProfileAsync(
input,
ScoringProfile.Simple);
```
### Profile Comparison
```csharp
var comparison = await profileAwareScoringService.CompareProfilesAsync(input);
// Returns scores from all profiles for analysis
```
## Audit Trail
All scoring results include profile identification:
```json
{
"finding_id": "CVE-2024-12345-pkg-1.0.0",
"scoring_profile": "simple",
"profile_version": "simple-v1",
"raw_score": 65,
"final_score": 65,
"severity": "medium",
"signal_values": {
"baseSeverity": 75,
"reachability": 70,
"evidence": 45,
"provenance": 60
},
"signal_contributions": {
"baseSeverity": 7.5,
"reachability": 31.5,
"evidence": 13.5,
"provenance": 9.0
},
"explain": [
{ "factor": "baseSeverity", "value": 75, "reason": "CVSS 7.5 (v3.1) with version adjustment" },
{ "factor": "evidence", "value": 45, "reason": "45 evidence points, 14 days old (90% freshness)" },
{ "factor": "provenance", "value": 60, "reason": "Provenance level: SignedWithSbom" },
{ "factor": "reachability", "value": 70, "reason": "2 hops from call graph" }
]
}
```
## Migration Guide
### From Legacy Scoring
1. **Audit current scores**: Export current scores for baseline comparison
2. **Enable Simple profile**: Start with Simple for predictable behavior
3. **Compare profiles**: Use `CompareProfilesAsync` to understand differences
4. **Gradual rollout**: Move to Advanced when confidence is established
### Profile Switching Best Practices
- **Test in staging first**: Validate score distribution before production
- **Monitor severity distribution**: Watch for unexpected shifts
- **Document changes**: Record profile changes in policy lifecycle
- **Use replay**: Re-score historical findings to validate behavior
## Determinism
Both Simple and Advanced profiles are fully deterministic:
- **Explicit time**: All calculations use `AsOf` timestamp
- **Integer math**: Basis-point arithmetic avoids floating-point drift
- **Stable ordering**: Explanations sorted alphabetically by factor
- **Input digests**: Track input hashes for replay validation
## Performance
| Profile | Typical Latency | Memory |
|---------|----------------|--------|
| Simple | < 1ms | Minimal |
| Advanced | < 5ms | Minimal |
| Custom | Varies | Depends on Rego complexity |
## Related Documentation
- [Score Policy YAML](./score-policy-yaml.md)
- [Signals Weighting](./signals-weighting.md)
- [VEX Trust Model](./vex-trust-model.md)
- [Policy Overview](./overview.md)

185
docs/reachability/gates.md Normal file
View File

@@ -0,0 +1,185 @@
# Gate Detection for Reachability Scoring
> **Sprint:** SPRINT_3405_0001_0001
> **Module:** Scanner Reachability / Signals
## Overview
Gate detection identifies protective controls in code paths that reduce the likelihood of vulnerability exploitation. When a vulnerable function is protected by authentication, feature flags, admin-only checks, or configuration gates, the reachability score is reduced proportionally.
## Gate Types
| Gate Type | Multiplier | Description |
|-----------|------------|-------------|
| `AuthRequired` | 30% | Code path requires authentication |
| `FeatureFlag` | 20% | Code path behind a feature flag |
| `AdminOnly` | 15% | Code path requires admin/elevated role |
| `NonDefaultConfig` | 50% | Code path requires non-default configuration |
### Multiplier Stacking
Multiple gate types stack multiplicatively:
```
Auth (30%) × Feature Flag (20%) = 6%
Auth (30%) × Admin (15%) = 4.5%
All four gates = ~0.45% (floored to 5%)
```
A minimum floor of **5%** prevents scores from reaching zero.
## Detection Methods
### AuthGateDetector
Detects authentication requirements:
**C# Patterns:**
- `[Authorize]` attribute
- `User.Identity.IsAuthenticated` checks
- `HttpContext.User` access
- JWT/Bearer token validation
**Java Patterns:**
- `@PreAuthorize`, `@Secured` annotations
- `SecurityContextHolder.getContext()`
- Spring Security filter chains
**Go Patterns:**
- Middleware patterns (`authMiddleware`, `RequireAuth`)
- Context-based auth checks
**JavaScript/TypeScript Patterns:**
- Express.js `passport` middleware
- JWT verification middleware
- Session checks
### FeatureFlagDetector
Detects feature flag guards:
**Patterns:**
- LaunchDarkly: `ldClient.variation()`, `ld.boolVariation()`
- Split.io: `splitClient.getTreatment()`
- Unleash: `unleash.isEnabled()`
- Custom: `featureFlags.isEnabled()`, `isFeatureEnabled()`
### AdminOnlyDetector
Detects admin/role requirements:
**Patterns:**
- `[Authorize(Roles = "Admin")]`
- `User.IsInRole("Admin")`
- `@RolesAllowed("ADMIN")`
- RBAC middleware checks
### ConfigGateDetector
Detects configuration-based gates:
**Patterns:**
- Environment variable checks (`process.env.ENABLE_FEATURE`)
- Configuration file conditionals
- Runtime feature toggles
- Debug-only code paths
## Output Contract
### DetectedGate
```typescript
interface DetectedGate {
type: 'AuthRequired' | 'FeatureFlag' | 'AdminOnly' | 'NonDefaultConfig';
detail: string; // Human-readable description
guardSymbol: string; // Symbol where gate was detected
sourceFile?: string; // Source file location
lineNumber?: number; // Line number
confidence: number; // 0.0-1.0 confidence score
detectionMethod: string; // Detection algorithm used
}
```
### GateDetectionResult
```typescript
interface GateDetectionResult {
gates: DetectedGate[];
hasGates: boolean;
primaryGate?: DetectedGate; // Highest confidence gate
combinedMultiplierBps: number; // Basis points (10000 = 100%)
}
```
## Integration
### RichGraph Edge Annotation
Gates are annotated on `RichGraphEdge` objects:
```csharp
public sealed record RichGraphEdge
{
// ... existing properties ...
/// <summary>Gates detected on this edge</summary>
public IReadOnlyList<DetectedGate> Gates { get; init; } = [];
/// <summary>Combined gate multiplier in basis points</summary>
public int GateMultiplierBps { get; init; } = 10000;
}
```
### ReachabilityReport
Gates are included in the reachability report:
```json
{
"vulnId": "CVE-2024-0001",
"reachable": true,
"score": 7.5,
"adjustedScore": 2.25,
"gates": [
{
"type": "AuthRequired",
"detail": "[Authorize] attribute on controller",
"guardSymbol": "MyController.VulnerableAction",
"confidence": 0.95
}
],
"gateMultiplierBps": 3000
}
```
## Configuration
### appsettings.json
```json
{
"Reachability": {
"GateMultipliers": {
"AuthRequiredMultiplierBps": 3000,
"FeatureFlagMultiplierBps": 2000,
"AdminOnlyMultiplierBps": 1500,
"NonDefaultConfigMultiplierBps": 5000,
"MinimumMultiplierBps": 500
}
}
}
```
## Metrics
| Metric | Description |
|--------|-------------|
| `scanner.gates_detected_total` | Total gates detected by type |
| `scanner.gate_reduction_applied` | Histogram of multiplier reductions |
| `scanner.gated_vulns_total` | Vulnerabilities with gates detected |
## Related Documentation
- [Reachability Architecture](../modules/scanner/architecture.md)
- [Determinism Technical Reference](../product-advisories/14-Dec-2025%20-%20Determinism%20and%20Reproducibility%20Technical%20Reference.md) - Sections 2.2, 4.3
- [Signals Service](../modules/signals/architecture.md)

52
docs/schemas/evidence-predicate.schema.json Normal file
View File

@@ -0,0 +1,52 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/evidence.stella/v1.json",
"title": "Evidence Predicate Schema",
"description": "Schema for evidence.stella/v1 predicate type - raw evidence from scanner or feed",
"type": "object",
"required": [
"source",
"sourceVersion",
"collectionTime",
"sbomEntryId",
"rawFinding",
"evidenceId"
],
"properties": {
"source": {
"type": "string",
"minLength": 1,
"description": "Scanner or feed name that produced this evidence"
},
"sourceVersion": {
"type": "string",
"pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+.*$",
"description": "Version of the source tool"
},
"collectionTime": {
"type": "string",
"format": "date-time",
"description": "UTC timestamp when evidence was collected"
},
"sbomEntryId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
"description": "Reference to the SBOM entry this evidence relates to"
},
"vulnerabilityId": {
"type": "string",
"pattern": "^(CVE-[0-9]{4}-[0-9]+|GHSA-.+)$",
"description": "CVE or vulnerability identifier if applicable"
},
"rawFinding": {
"type": ["object", "string"],
"description": "Pointer to or inline representation of raw finding data"
},
"evidenceId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Content-addressed ID of this evidence (hash of canonical JSON)"
}
},
"additionalProperties": false
}

52
docs/schemas/proofspine-predicate.schema.json Normal file
View File

@@ -0,0 +1,52 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/proofspine.stella/v1.json",
"title": "Proof Spine Predicate Schema",
"description": "Schema for proofspine.stella/v1 predicate type - merkle-aggregated proof bundle",
"type": "object",
"required": [
"sbomEntryId",
"evidenceIds",
"reasoningId",
"vexVerdictId",
"policyVersion",
"proofBundleId"
],
"properties": {
"sbomEntryId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
"description": "The SBOM entry ID this proof spine covers"
},
"evidenceIds": {
"type": "array",
"items": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"minItems": 1,
"description": "Sorted list of evidence IDs included in this proof bundle"
},
"reasoningId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "The reasoning ID linking evidence to verdict"
},
"vexVerdictId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "The VEX verdict ID for this entry"
},
"policyVersion": {
"type": "string",
"pattern": "^v[0-9]+\\.[0-9]+\\.[0-9]+$",
"description": "Version of the policy used"
},
"proofBundleId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Content-addressed ID of this proof bundle (merkle root)"
}
},
"additionalProperties": false
}

65
docs/schemas/reasoning-predicate.schema.json Normal file
View File

@@ -0,0 +1,65 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/reasoning.stella/v1.json",
"title": "Reasoning Predicate Schema",
"description": "Schema for reasoning.stella/v1 predicate type - policy evaluation trace",
"type": "object",
"required": [
"sbomEntryId",
"evidenceIds",
"policyVersion",
"inputs",
"reasoningId"
],
"properties": {
"sbomEntryId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
"description": "The SBOM entry ID this reasoning applies to"
},
"evidenceIds": {
"type": "array",
"items": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"minItems": 1,
"description": "Evidence IDs that were considered in this reasoning"
},
"policyVersion": {
"type": "string",
"pattern": "^v[0-9]+\\.[0-9]+\\.[0-9]+$",
"description": "Version of the policy used for evaluation"
},
"inputs": {
"type": "object",
"required": ["currentEvaluationTime"],
"properties": {
"currentEvaluationTime": {
"type": "string",
"format": "date-time",
"description": "The evaluation time used for temporal reasoning"
},
"severityThresholds": {
"type": "object",
"description": "Severity thresholds applied during evaluation"
},
"latticeRules": {
"type": "object",
"description": "Lattice rules used for status merging"
}
},
"additionalProperties": false
},
"intermediateFindings": {
"type": "object",
"description": "Intermediate findings from the evaluation"
},
"reasoningId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Content-addressed ID of this reasoning"
}
},
"additionalProperties": false
}

96
docs/schemas/sbom-linkage-predicate.schema.json Normal file
View File

@@ -0,0 +1,96 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/sbom-linkage/v1.json",
"title": "SBOM Linkage Predicate Schema",
"description": "Schema for sbom-linkage/v1 predicate type - SBOM-to-component linkage",
"type": "object",
"required": [
"sbom",
"generator",
"generatedAt"
],
"properties": {
"sbom": {
"type": "object",
"required": ["id", "format", "specVersion", "mediaType", "sha256"],
"properties": {
"id": {
"type": "string",
"minLength": 1,
"description": "Unique identifier of the SBOM"
},
"format": {
"type": "string",
"enum": ["CycloneDX", "SPDX"],
"description": "Format of the SBOM"
},
"specVersion": {
"type": "string",
"description": "Specification version"
},
"mediaType": {
"type": "string",
"description": "MIME type of the SBOM document"
},
"sha256": {
"type": "string",
"pattern": "^[a-f0-9]{64}$",
"description": "SHA-256 digest of the SBOM content"
},
"location": {
"type": "string",
"description": "Optional location URI (oci:// or file://)"
}
},
"additionalProperties": false
},
"generator": {
"type": "object",
"required": ["name", "version"],
"properties": {
"name": {
"type": "string",
"minLength": 1,
"description": "Name of the generator tool"
},
"version": {
"type": "string",
"description": "Version of the generator tool"
}
},
"additionalProperties": false
},
"generatedAt": {
"type": "string",
"format": "date-time",
"description": "UTC timestamp when this linkage was generated"
},
"incompleteSubjects": {
"type": "array",
"items": {
"type": "object",
"required": ["name", "reason"],
"properties": {
"name": {
"type": "string",
"description": "Name or identifier of the incomplete subject"
},
"reason": {
"type": "string",
"description": "Reason why the subject is incomplete"
}
},
"additionalProperties": false
},
"description": "Subjects that could not be fully resolved"
},
"tags": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "Arbitrary tags for classification or filtering"
}
},
"additionalProperties": false
}

123
docs/schemas/verdict-receipt-predicate.schema.json Normal file
View File

@@ -0,0 +1,123 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/verdict.stella/v1.json",
"title": "Verdict Receipt Predicate Schema",
"description": "Schema for verdict.stella/v1 predicate type - final surfaced decision receipt",
"type": "object",
"required": [
"graphRevisionId",
"findingKey",
"rule",
"decision",
"inputs",
"outputs",
"createdAt"
],
"properties": {
"graphRevisionId": {
"type": "string",
"pattern": "^grv_sha256:[a-f0-9]{64}$",
"description": "The graph revision ID this verdict was computed from"
},
"findingKey": {
"type": "object",
"required": ["sbomEntryId", "vulnerabilityId"],
"properties": {
"sbomEntryId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
"description": "The SBOM entry ID for the component"
},
"vulnerabilityId": {
"type": "string",
"pattern": "^(CVE-[0-9]{4}-[0-9]+|GHSA-.+)$",
"description": "The vulnerability ID"
}
},
"additionalProperties": false
},
"rule": {
"type": "object",
"required": ["id", "version"],
"properties": {
"id": {
"type": "string",
"minLength": 1,
"description": "Unique identifier of the rule"
},
"version": {
"type": "string",
"description": "Version of the rule"
}
},
"additionalProperties": false
},
"decision": {
"type": "object",
"required": ["status", "reason"],
"properties": {
"status": {
"type": "string",
"enum": ["block", "warn", "pass"],
"description": "Status of the decision"
},
"reason": {
"type": "string",
"minLength": 1,
"description": "Human-readable reason for the decision"
}
},
"additionalProperties": false
},
"inputs": {
"type": "object",
"required": ["sbomDigest", "feedsDigest", "policyDigest"],
"properties": {
"sbomDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Digest of the SBOM used"
},
"feedsDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Digest of the advisory feeds used"
},
"policyDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Digest of the policy bundle used"
}
},
"additionalProperties": false
},
"outputs": {
"type": "object",
"required": ["proofBundleId", "reasoningId", "vexVerdictId"],
"properties": {
"proofBundleId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "The proof bundle ID containing the evidence chain"
},
"reasoningId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "The reasoning ID explaining the decision"
},
"vexVerdictId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "The VEX verdict ID for this finding"
}
},
"additionalProperties": false
},
"createdAt": {
"type": "string",
"format": "date-time",
"description": "UTC timestamp when this verdict was created"
}
},
"additionalProperties": false
}

54
docs/schemas/vex-verdict-predicate.schema.json Normal file
View File

@@ -0,0 +1,54 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/cdx-vex.stella/v1.json",
"title": "VEX Verdict Predicate Schema",
"description": "Schema for cdx-vex.stella/v1 predicate type - VEX verdict with provenance",
"type": "object",
"required": [
"sbomEntryId",
"vulnerabilityId",
"status",
"justification",
"policyVersion",
"reasoningId",
"vexVerdictId"
],
"properties": {
"sbomEntryId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
"description": "The SBOM entry ID this verdict applies to"
},
"vulnerabilityId": {
"type": "string",
"pattern": "^(CVE-[0-9]{4}-[0-9]+|GHSA-.+)$",
"description": "The vulnerability ID (CVE, GHSA, etc.)"
},
"status": {
"type": "string",
"enum": ["not_affected", "affected", "fixed", "under_investigation"],
"description": "VEX status"
},
"justification": {
"type": "string",
"minLength": 1,
"description": "Justification for the VEX status"
},
"policyVersion": {
"type": "string",
"pattern": "^v[0-9]+\\.[0-9]+\\.[0-9]+$",
"description": "Version of the policy used"
},
"reasoningId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Reference to the reasoning that led to this verdict"
},
"vexVerdictId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Content-addressed ID of this VEX verdict"
}
},
"additionalProperties": false
}

80
docs/testing/mutation-testing-baselines.md Normal file
View File

@@ -0,0 +1,80 @@
# Mutation Testing Baselines
> Sprint: SPRINT_0353_0001_0001_mutation_testing_integration
> Task: MUT-0353-005
This document tracks mutation testing baselines for critical modules.
## Baseline Scores
| Module | Initial Score | Target Score | Date Established |
|--------|--------------|--------------|------------------|
| Scanner.Core | 72% | ≥ 80% | 2025-12-16 |
| Policy.Engine | 68% | ≥ 80% | 2025-12-16 |
| Authority.Core | 75% | ≥ 85% | 2025-12-16 |
| Signer.Core | 70% | ≥ 80% | TBD |
| Attestor.Core | 65% | ≥ 80% | TBD |
| Reachability.Core | 60% | ≥ 75% | TBD |
## Threshold Configuration
See `stryker-thresholds.json` for per-module threshold configuration.
## Mutation Operators Applied
| Operator | Description | Enabled |
|----------|-------------|---------|
| Arithmetic | Replace +, -, *, /, % | ✓ |
| Boolean | Flip true/false | ✓ |
| Comparison | Replace <, >, <=, >=, ==, != | ✓ |
| Logical | Replace &&, ||, ! | ✓ |
| String | Mutate string literals | ✓ |
| Linq | Mutate LINQ methods | ✓ |
| NullCoalescing | Mutate ?? operators | ✓ |
| Assignment | Mutate assignment operators | ✓ |
## Exclusions
The following patterns are excluded from mutation testing:
- `**/Migrations/**` - Database migrations (tested via integration tests)
- `**/Generated/**` - Generated code
- `**/*.g.cs` - Source-generated files
- `**/Models/**` - Simple data transfer objects
- `**/Exceptions/**` - Exception types (tested via integration)
## Running Mutation Tests
### Local Execution
```bash
# Run mutation tests for a specific module
cd src/Scanner/__Libraries/StellaOps.Scanner.Core
dotnet stryker
# Run with specific configuration
dotnet stryker -f stryker-config.json --reporter html
# Quick mode (fewer mutations, faster feedback)
dotnet stryker --since:main
```
### CI Execution
Mutation tests run on:
- Merge requests targeting main
- Weekly scheduled runs (comprehensive)
Results are uploaded as artifacts and published to the mutation testing dashboard.
## Improving Mutation Score
1. **Add missing test cases** - Cover edge cases revealed by surviving mutants
2. **Strengthen assertions** - Replace weak assertions with specific ones
3. **Test boundary conditions** - Cover off-by-one and boundary scenarios
4. **Add negative tests** - Test that invalid inputs are rejected
## References
- [Stryker.NET Documentation](https://stryker-mutator.io/docs/stryker-net/)
- [Mutation Testing Guide](../testing/mutation-testing-guide.md)

229
docs/testing/security-testing-guide.md Normal file
View File

@@ -0,0 +1,229 @@
# Security Testing Guide
> Sprint: SPRINT_0352_0001_0001_security_testing_framework
> Task: SEC-0352-010
This guide describes the security testing framework used in StellaOps, aligned with OWASP Top 10 categories.
## Overview
The security testing framework provides automated tests for common security vulnerabilities organized by OWASP category:
| OWASP Category | Directory | Status |
|----------------|-----------|--------|
| A01: Broken Access Control | `A01_BrokenAccessControl/` | ✓ Implemented |
| A02: Cryptographic Failures | `A02_CryptographicFailures/` | ✓ Implemented |
| A03: Injection | `A03_Injection/` | ✓ Implemented |
| A05: Security Misconfiguration | `A05_SecurityMisconfiguration/` | ✓ Implemented |
| A07: Authentication Failures | `A07_AuthenticationFailures/` | ✓ Implemented |
| A08: Software/Data Integrity | `A08_SoftwareDataIntegrity/` | ✓ Implemented |
| A10: SSRF | `A10_SSRF/` | ✓ Implemented |
## Directory Structure
```
tests/
└── security/
├── README.md
└── StellaOps.Security.Tests/
├── Infrastructure/
│ ├── SecurityTestBase.cs
│ ├── MaliciousPayloads.cs
│ └── SecurityAssertions.cs
├── A01_BrokenAccessControl/
├── A02_CryptographicFailures/
├── A03_Injection/
├── A05_SecurityMisconfiguration/
├── A07_AuthenticationFailures/
├── A08_SoftwareDataIntegrity/
└── A10_SSRF/
```
## Running Security Tests
### Local Execution
```bash
# Run all security tests
cd tests/security/StellaOps.Security.Tests
dotnet test --filter "Category=Security"
# Run specific OWASP category
dotnet test --filter "OWASP=A01"
# Run with detailed output
dotnet test --filter "Category=Security" --verbosity detailed
```
### CI Integration
Security tests run automatically on:
- All pull requests to `main` or `develop`
- Scheduled nightly builds
Results are uploaded as artifacts and any failures block the PR.
## Test Categories
### A01: Broken Access Control
Tests for authorization bypass vulnerabilities:
- Tenant isolation violations
- RBAC enforcement
- Privilege escalation
- IDOR (Insecure Direct Object References)
### A02: Cryptographic Failures
Tests for cryptographic weaknesses:
- Key material exposure in logs
- Weak algorithm usage
- TLS configuration
- Secure random generation
### A03: Injection
Tests for injection vulnerabilities:
- SQL injection (parameterization)
- Command injection
- ORM injection
- Path traversal
### A05: Security Misconfiguration
Tests for configuration errors:
- Debug mode in production
- Error detail leakage
- Security headers
- CORS configuration
### A07: Authentication Failures
Tests for authentication weaknesses:
- Brute force protection
- Weak password acceptance
- Session management
- Account lockout
### A08: Software/Data Integrity
Tests for integrity verification:
- Artifact signature verification
- SBOM integrity
- Attestation chain validation
- DSSE envelope validation
### A10: SSRF
Tests for server-side request forgery:
- Internal network access
- Cloud metadata endpoint blocking
- URL validation
## Writing Security Tests
### Base Class
All security tests should extend `SecurityTestBase`:
```csharp
using StellaOps.Security.Tests.Infrastructure;
[Trait("Category", "Security")]
[Trait("OWASP", "A01")]
public sealed class MySecurityTests : SecurityTestBase
{
[Fact(DisplayName = "A01-XXX: Descriptive test name")]
public void TestMethod()
{
// Arrange, Act, Assert
}
}
```
### Naming Convention
- Test display names: `A{category}-{number}: {description}`
- Example: `A01-001: Admin endpoints should require authentication`
### Test Traits
Always include these traits:
- `Category = Security`
- `OWASP = A{category}`
## Security Test Guidelines
1. **Test both positive and negative cases** - Verify both allowed and denied actions
2. **Use realistic payloads** - Include common attack patterns from `MaliciousPayloads.cs`
3. **Don't rely on security by obscurity** - Assume attackers know the system
4. **Test boundaries** - Check edge cases and boundary conditions
5. **Document expected behavior** - Use descriptive test names and assertions
## Malicious Payloads
The `MaliciousPayloads.cs` file contains common attack patterns:
```csharp
public static class MaliciousPayloads
{
public static readonly string[] SqlInjection = new[]
{
"' OR '1'='1",
"1; DROP TABLE users--",
"admin'--"
};
public static readonly string[] CommandInjection = new[]
{
"; rm -rf /",
"| cat /etc/passwd",
"$(whoami)"
};
public static readonly string[] PathTraversal = new[]
{
"../../../etc/passwd",
"..\\..\\..\\windows\\system32\\config\\sam"
};
}
```
## CI Integration
### Workflow Configuration
The security test job runs after build-test completes:
```yaml
security-testing:
runs-on: ubuntu-22.04
needs: build-test
steps:
- name: Run OWASP security tests
run: |
dotnet test tests/security/StellaOps.Security.Tests \
--filter "Category=Security" \
--logger "trx;LogFileName=security-tests.trx"
```
### Failure Handling
Security test failures:
- Block PR merge
- Generate detailed report
- Notify security team via webhook
## Reporting
Security test results are:
- Uploaded as CI artifacts
- Included in quality gate summary
- Tracked for trend analysis
## Related Documentation
- [OWASP Top 10](https://owasp.org/Top10/)
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [Mutation Testing Guide](./mutation-testing-guide.md)
- [CI Quality Gates](./ci-quality-gates.md)

8
src/AirGap/StellaOps.AirGap.Importer/Reconciliation/ArtifactIndex.cs
View File

@@ -185,10 +185,4 @@ public enum VexFormat
Unknown
}
public enum SourcePrecedence
{
Vendor = 1,
Maintainer = 2,
ThirdParty = 3,
Unknown = 99
}
// Note: SourcePrecedence is defined in SourcePrecedenceLattice.cs

326
src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/AttestationCollector.cs Normal file
View File

@@ -0,0 +1,326 @@
// =============================================================================
// AttestationCollector.cs
// Attestation evidence collector for reconciliation workflow
// Part of Step 2: Evidence Collection (Task T6)
// Integrated with DsseVerifier (Task T7)
// =============================================================================
using System.Security.Cryptography;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.AirGap.Importer.Contracts;
using StellaOps.AirGap.Importer.Validation;
namespace StellaOps.AirGap.Importer.Reconciliation.Parsers;
/// <summary>
/// Collects attestation evidence from an evidence directory and populates the artifact index.
/// Integrates with DsseVerifier for signature validation.
/// </summary>
public sealed class AttestationCollector
{
private readonly IAttestationParser _parser;
private readonly DsseVerifier? _dsseVerifier;
private readonly ILogger<AttestationCollector> _logger;
public AttestationCollector(
IAttestationParser? parser = null,
DsseVerifier? dsseVerifier = null,
ILogger<AttestationCollector>? logger = null)
{
_parser = parser ?? new DsseAttestationParser();
_dsseVerifier = dsseVerifier;
_logger = logger ?? NullLogger<AttestationCollector>.Instance;
}
/// <summary>
/// Collects attestation evidence from the attestations directory.
/// </summary>
/// <param name="attestationsDirectory">Path to the attestations directory.</param>
/// <param name="index">Artifact index to populate.</param>
/// <param name="options">Collection options.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Collection result with statistics.</returns>
public async Task<AttestationCollectionResult> CollectAsync(
string attestationsDirectory,
ArtifactIndex index,
AttestationCollectionOptions? options = null,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(attestationsDirectory);
ArgumentNullException.ThrowIfNull(index);
options ??= AttestationCollectionOptions.Default;
var result = new AttestationCollectionResult();
if (!Directory.Exists(attestationsDirectory))
{
_logger.LogDebug("Attestation directory does not exist: {Directory}", attestationsDirectory);
return result;
}
// Find all potential attestation files (ordered deterministically)
var files = Directory.EnumerateFiles(attestationsDirectory, "*.*", SearchOption.AllDirectories)
.Where(_parser.IsAttestation)
.OrderBy(f => NormalizeRelativePath(Path.GetRelativePath(attestationsDirectory, f)), StringComparer.Ordinal)
.ToList();
_logger.LogDebug("Found {Count} potential attestation files in {Directory}", files.Count, attestationsDirectory);
foreach (var file in files)
{
cancellationToken.ThrowIfCancellationRequested();
try
{
await ProcessAttestationFileAsync(file, attestationsDirectory, index, options, result, cancellationToken);
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Failed to process attestation file: {File}", file);
result.FailedFiles.Add((file, ex.Message));
}
}
return result;
}
private async Task ProcessAttestationFileAsync(
string filePath,
string baseDirectory,
ArtifactIndex index,
AttestationCollectionOptions options,
AttestationCollectionResult result,
CancellationToken cancellationToken)
{
// Compute content hash for the attestation file itself
var contentHash = await ComputeFileHashAsync(filePath, cancellationToken);
var relativePath = NormalizeRelativePath(Path.GetRelativePath(baseDirectory, filePath));
// Parse the attestation
var parseResult = await _parser.ParseAsync(filePath, cancellationToken);
if (!parseResult.IsSuccess)
{
_logger.LogWarning("Failed to parse attestation {File}: {Error}", filePath, parseResult.ErrorMessage);
result.FailedFiles.Add((filePath, parseResult.ErrorMessage ?? "Unknown error"));
return;
}
result.ParsedFiles++;
var statement = parseResult.Statement!;
var envelope = parseResult.Envelope!;
// Track predicate types
if (!result.PredicateTypeCounts.TryGetValue(statement.PredicateType, out var count))
{
count = 0;
}
result.PredicateTypeCounts[statement.PredicateType] = count + 1;
// Verify signature using DsseVerifier (T7 integration)
bool signatureVerified = false;
bool tlogVerified = false;
string? rekorUuid = null;
if (options.TrustRoots is not null && _dsseVerifier is not null)
{
var verifyResult = _dsseVerifier.Verify(envelope, options.TrustRoots, _logger);
signatureVerified = verifyResult.IsValid;
if (signatureVerified)
{
result.VerifiedSignatures++;
_logger.LogDebug("DSSE signature verified for attestation: {File}", relativePath);
}
else
{
_logger.LogWarning(
"DSSE signature verification failed for attestation: {File}, reason={Reason}",
relativePath,
verifyResult.ErrorCode);
}
}
else if (options.MarkAsUnverified)
{
// Mark all attestations as unverified when no trust roots configured
signatureVerified = false;
tlogVerified = false;
}
// Get all subject digests for this attestation
var subjectDigests = statement.Subjects
.Select(s => s.GetSha256Digest())
.Where(d => d is not null)
.Cast<string>()
.ToList();
// Create attestation reference
var attestationRef = new AttestationReference(
ContentHash: contentHash,
FilePath: relativePath,
PredicateType: statement.PredicateType,
Subjects: subjectDigests,
SignatureVerified: signatureVerified,
TlogVerified: tlogVerified,
RekorUuid: rekorUuid);
// Add to index for each subject
foreach (var subject in statement.Subjects)
{
var digest = subject.GetSha256Digest();
if (digest is null)
{
continue;
}
var entry = new ArtifactEntry(
Digest: digest,
Name: subject.Name,
Sboms: [],
Attestations: [attestationRef],
VexDocuments: []);
index.AddOrUpdate(entry);
result.IndexedSubjects++;
}
// Handle VEX attestations specially
if (IsVexAttestation(statement.PredicateType))
{
result.VexAttestationCount++;
await CollectVexFromAttestationAsync(
statement,
relativePath,
contentHash,
index,
result,
cancellationToken);
}
_logger.LogDebug(
"Parsed attestation: {File}, predicateType={PredicateType}, {SubjectCount} subjects",
relativePath,
statement.PredicateType,
statement.Subjects.Count);
}
private async Task CollectVexFromAttestationAsync(
InTotoStatement statement,
string filePath,
string contentHash,
ArtifactIndex index,
AttestationCollectionResult result,
CancellationToken cancellationToken)
{
// VEX attestations contain VEX documents in their predicate
// For now, just track them - actual VEX parsing will be enhanced later
await Task.CompletedTask;
foreach (var subject in statement.Subjects)
{
var digest = subject.GetSha256Digest();
if (digest is null) continue;
var vexRef = new VexReference(
ContentHash: contentHash,
FilePath: filePath,
Format: VexFormat.OpenVex,
Precedence: SourcePrecedence.Unknown,
Timestamp: null);
var entry = new ArtifactEntry(
Digest: digest,
Name: subject.Name,
Sboms: [],
Attestations: [],
VexDocuments: [vexRef]);
index.AddOrUpdate(entry);
}
}
private static bool IsVexAttestation(string predicateType)
{
return predicateType.Contains("vex", StringComparison.OrdinalIgnoreCase) ||
predicateType.Contains("csaf", StringComparison.OrdinalIgnoreCase) ||
predicateType.Equals(PredicateTypes.OpenVex, StringComparison.OrdinalIgnoreCase) ||
predicateType.Equals(PredicateTypes.Csaf, StringComparison.OrdinalIgnoreCase);
}
private static string NormalizeRelativePath(string path) =>
path.Replace('\\', '/');
private static async Task<string> ComputeFileHashAsync(string filePath, CancellationToken cancellationToken)
{
await using var stream = File.OpenRead(filePath);
var hash = await SHA256.HashDataAsync(stream, cancellationToken);
return "sha256:" + Convert.ToHexString(hash).ToLowerInvariant();
}
}
/// <summary>
/// Options for attestation collection.
/// </summary>
public sealed record AttestationCollectionOptions
{
public static readonly AttestationCollectionOptions Default = new();
/// <summary>
/// Mark all attestations as unverified (skip signature verification).
/// </summary>
public bool MarkAsUnverified { get; init; } = true;
/// <summary>
/// Whether to verify DSSE signatures.
/// </summary>
public bool VerifySignatures { get; init; } = false;
/// <summary>
/// Whether to verify Rekor inclusion proofs.
/// </summary>
public bool VerifyRekorProofs { get; init; } = false;
/// <summary>
/// Trust roots configuration for DSSE signature verification.
/// Required when VerifySignatures is true.
/// </summary>
public TrustRootConfig? TrustRoots { get; init; }
}
/// <summary>
/// Result of attestation collection operation.
/// </summary>
public sealed class AttestationCollectionResult
{
/// <summary>
/// Number of attestation files successfully parsed.
/// </summary>
public int ParsedFiles { get; set; }
/// <summary>
/// Number of subjects indexed.
/// </summary>
public int IndexedSubjects { get; set; }
/// <summary>
/// Number of VEX attestations found.
/// </summary>
public int VexAttestationCount { get; set; }
/// <summary>
/// Number of attestations with verified DSSE signatures.
/// </summary>
public int VerifiedSignatures { get; set; }
/// <summary>
/// Count of attestations by predicate type.
/// </summary>
public Dictionary<string, int> PredicateTypeCounts { get; } = new(StringComparer.Ordinal);
/// <summary>
/// Files that failed to parse, with error messages.
/// </summary>
public List<(string FilePath, string Error)> FailedFiles { get; } = [];
}

336
src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/CycloneDxParser.cs Normal file
View File

@@ -0,0 +1,336 @@
// =============================================================================
// CycloneDxParser.cs
// CycloneDX SBOM parser implementation
// Part of Step 2: Evidence Collection (Task T5)
// =============================================================================
using System.Text.Json;
using System.Text.Json.Nodes;
namespace StellaOps.AirGap.Importer.Reconciliation.Parsers;
/// <summary>
/// Parser for CycloneDX SBOM format (JSON).
/// Supports CycloneDX 1.4, 1.5, and 1.6 schemas.
/// </summary>
public sealed class CycloneDxParser : ISbomParser
{
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNameCaseInsensitive = true,
AllowTrailingCommas = true,
ReadCommentHandling = JsonCommentHandling.Skip
};
public SbomFormat DetectFormat(string filePath)
{
ArgumentException.ThrowIfNullOrWhiteSpace(filePath);
// CycloneDX files typically end with .cdx.json or .bom.json
if (filePath.EndsWith(".cdx.json", StringComparison.OrdinalIgnoreCase) ||
filePath.EndsWith(".bom.json", StringComparison.OrdinalIgnoreCase))
{
return SbomFormat.CycloneDx;
}
// Try to detect from content
if (File.Exists(filePath))
{
try
{
using var stream = File.OpenRead(filePath);
using var reader = new StreamReader(stream);
var firstChars = new char[1024];
var read = reader.Read(firstChars, 0, firstChars.Length);
var content = new string(firstChars, 0, read);
if (content.Contains("\"bomFormat\"", StringComparison.OrdinalIgnoreCase) ||
content.Contains("\"$schema\"", StringComparison.OrdinalIgnoreCase) &&
content.Contains("cyclonedx", StringComparison.OrdinalIgnoreCase))
{
return SbomFormat.CycloneDx;
}
}
catch
{
// Ignore detection errors
}
}
return SbomFormat.Unknown;
}
public async Task<SbomParseResult> ParseAsync(string filePath, CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(filePath);
if (!File.Exists(filePath))
{
return SbomParseResult.Failure($"File not found: {filePath}", SbomFormat.CycloneDx);
}
try
{
await using var stream = File.OpenRead(filePath);
return await ParseAsync(stream, SbomFormat.CycloneDx, cancellationToken);
}
catch (Exception ex)
{
return SbomParseResult.Failure($"Failed to parse CycloneDX file: {ex.Message}", SbomFormat.CycloneDx);
}
}
public async Task<SbomParseResult> ParseAsync(Stream stream, SbomFormat format, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(stream);
try
{
using var document = await JsonDocument.ParseAsync(stream, default, cancellationToken);
var root = document.RootElement;
// Validate bomFormat
if (!root.TryGetProperty("bomFormat", out var bomFormatProp) ||
!bomFormatProp.GetString()?.Equals("CycloneDX", StringComparison.OrdinalIgnoreCase) == true)
{
// Try alternative detection
if (!root.TryGetProperty("$schema", out var schemaProp) ||
!schemaProp.GetString()?.Contains("cyclonedx", StringComparison.OrdinalIgnoreCase) == true)
{
return SbomParseResult.Failure("Not a valid CycloneDX document", SbomFormat.CycloneDx);
}
}
// Extract spec version
string? specVersion = null;
if (root.TryGetProperty("specVersion", out var specProp))
{
specVersion = specProp.GetString();
}
// Extract serial number
string? serialNumber = null;
if (root.TryGetProperty("serialNumber", out var serialProp))
{
serialNumber = serialProp.GetString();
}
// Extract creation timestamp
DateTimeOffset? createdAt = null;
if (root.TryGetProperty("metadata", out var metadataProp))
{
if (metadataProp.TryGetProperty("timestamp", out var timestampProp))
{
if (DateTimeOffset.TryParse(timestampProp.GetString(), out var parsed))
{
createdAt = parsed;
}
}
}
// Extract generator tool
string? generatorTool = null;
if (root.TryGetProperty("metadata", out var meta) &&
meta.TryGetProperty("tools", out var toolsProp))
{
generatorTool = ExtractToolInfo(toolsProp);
}
// Extract primary component (metadata.component)
SbomSubject? primarySubject = null;
if (root.TryGetProperty("metadata", out var metaData) &&
metaData.TryGetProperty("component", out var primaryComponent))
{
primarySubject = ParseComponent(primaryComponent);
}
// Extract all components
var subjects = new List<SbomSubject>();
int totalComponentCount = 0;
if (root.TryGetProperty("components", out var componentsProp) &&
componentsProp.ValueKind == JsonValueKind.Array)
{
foreach (var component in componentsProp.EnumerateArray())
{
totalComponentCount++;
var subject = ParseComponent(component);
if (subject is not null)
{
subjects.Add(subject);
}
}
}
// Add primary subject if it has a digest and isn't already in the list
if (primarySubject is not null &&
!subjects.Any(s => s.Digest.Equals(primarySubject.Digest, StringComparison.OrdinalIgnoreCase)))
{
subjects.Insert(0, primarySubject);
}
// Sort subjects for deterministic ordering
subjects = subjects
.OrderBy(s => s.Digest, StringComparer.Ordinal)
.ThenBy(s => s.Name ?? string.Empty, StringComparer.Ordinal)
.ToList();
return SbomParseResult.Success(
format: SbomFormat.CycloneDx,
subjects: subjects,
specVersion: specVersion,
serialNumber: serialNumber,
createdAt: createdAt,
generatorTool: generatorTool,
primarySubject: primarySubject,
totalComponentCount: totalComponentCount);
}
catch (JsonException ex)
{
return SbomParseResult.Failure($"JSON parsing error: {ex.Message}", SbomFormat.CycloneDx);
}
}
private static SbomSubject? ParseComponent(JsonElement component)
{
// Extract hashes
var hashes = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
if (component.TryGetProperty("hashes", out var hashesProp) &&
hashesProp.ValueKind == JsonValueKind.Array)
{
foreach (var hash in hashesProp.EnumerateArray())
{
if (hash.TryGetProperty("alg", out var algProp) &&
hash.TryGetProperty("content", out var contentProp))
{
var alg = algProp.GetString();
var content = contentProp.GetString();
if (!string.IsNullOrEmpty(alg) && !string.IsNullOrEmpty(content))
{
hashes[alg] = content;
}
}
}
}
// Determine primary digest (prefer SHA-256)
string? digest = null;
if (hashes.TryGetValue("SHA-256", out var sha256))
{
digest = NormalizeDigest("sha256:" + sha256);
}
else if (hashes.TryGetValue("SHA256", out sha256))
{
digest = NormalizeDigest("sha256:" + sha256);
}
else if (hashes.Count > 0)
{
// Use first available hash
var first = hashes.First();
digest = NormalizeDigest($"{first.Key.ToLowerInvariant().Replace("-", "")}:{first.Value}");
}
// If no digest, this component can't be indexed by digest
if (string.IsNullOrEmpty(digest))
{
return null;
}
// Extract other properties
string? name = null;
if (component.TryGetProperty("name", out var nameProp))
{
name = nameProp.GetString();
}
string? version = null;
if (component.TryGetProperty("version", out var versionProp))
{
version = versionProp.GetString();
}
string? purl = null;
if (component.TryGetProperty("purl", out var purlProp))
{
purl = purlProp.GetString();
}
string? type = null;
if (component.TryGetProperty("type", out var typeProp))
{
type = typeProp.GetString();
}
string? bomRef = null;
if (component.TryGetProperty("bom-ref", out var bomRefProp))
{
bomRef = bomRefProp.GetString();
}
return new SbomSubject
{
Digest = digest,
Name = name,
Version = version,
Purl = purl,
Type = type,
BomRef = bomRef,
Hashes = hashes
};
}
private static string? ExtractToolInfo(JsonElement tools)
{
// CycloneDX 1.5+ uses tools.components array
if (tools.TryGetProperty("components", out var components) &&
components.ValueKind == JsonValueKind.Array)
{
var toolList = new List<string>();
foreach (var tool in components.EnumerateArray())
{
if (tool.TryGetProperty("name", out var name))
{
var toolName = name.GetString();
if (!string.IsNullOrEmpty(toolName))
{
if (tool.TryGetProperty("version", out var version))
{
toolName += $"@{version.GetString()}";
}
toolList.Add(toolName);
}
}
}
return toolList.Count > 0 ? string.Join(", ", toolList) : null;
}
// CycloneDX 1.4 and earlier uses tools array directly
if (tools.ValueKind == JsonValueKind.Array)
{
var toolList = new List<string>();
foreach (var tool in tools.EnumerateArray())
{
if (tool.TryGetProperty("name", out var name))
{
var toolName = name.GetString();
if (!string.IsNullOrEmpty(toolName))
{
if (tool.TryGetProperty("version", out var version))
{
toolName += $"@{version.GetString()}";
}
toolList.Add(toolName);
}
}
}
return toolList.Count > 0 ? string.Join(", ", toolList) : null;
}
return null;
}
private static string NormalizeDigest(string digest)
{
return ArtifactIndex.NormalizeDigest(digest);
}
}

301
src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/DsseAttestationParser.cs Normal file
View File

@@ -0,0 +1,301 @@
// =============================================================================
// DsseAttestationParser.cs
// DSSE attestation parser implementation
// Part of Step 2: Evidence Collection (Task T6)
// =============================================================================
using System.Text;
using System.Text.Json;
namespace StellaOps.AirGap.Importer.Reconciliation.Parsers;
/// <summary>
/// Parser for DSSE-wrapped in-toto attestations.
/// </summary>
public sealed class DsseAttestationParser : IAttestationParser
{
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNameCaseInsensitive = true,
AllowTrailingCommas = true,
ReadCommentHandling = JsonCommentHandling.Skip
};
public bool IsAttestation(string filePath)
{
ArgumentException.ThrowIfNullOrWhiteSpace(filePath);
var lower = filePath.ToLowerInvariant();
// Common attestation file extensions
if (lower.EndsWith(".intoto.jsonl") ||
lower.EndsWith(".intoto.json") ||
lower.EndsWith(".dsig") ||
lower.EndsWith(".dsse") ||
lower.EndsWith(".att") ||
lower.EndsWith(".attestation"))
{
return true;
}
// Try to detect from content
if (File.Exists(filePath))
{
try
{
using var stream = File.OpenRead(filePath);
using var reader = new StreamReader(stream);
var firstChars = new char[512];
var read = reader.Read(firstChars, 0, firstChars.Length);
var content = new string(firstChars, 0, read);
// DSSE envelope markers
if (content.Contains("\"payloadType\"", StringComparison.OrdinalIgnoreCase) &&
content.Contains("\"payload\"", StringComparison.OrdinalIgnoreCase) &&
content.Contains("\"signatures\"", StringComparison.OrdinalIgnoreCase))
{
return true;
}
}
catch
{
// Ignore detection errors
}
}
return false;
}
public async Task<AttestationParseResult> ParseAsync(string filePath, CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(filePath);
if (!File.Exists(filePath))
{
return AttestationParseResult.Failure($"File not found: {filePath}");
}
try
{
await using var stream = File.OpenRead(filePath);
return await ParseAsync(stream, cancellationToken);
}
catch (Exception ex)
{
return AttestationParseResult.Failure($"Failed to parse attestation file: {ex.Message}");
}
}
public async Task<AttestationParseResult> ParseAsync(Stream stream, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(stream);
try
{
using var document = await JsonDocument.ParseAsync(stream, default, cancellationToken);
var root = document.RootElement;
// Parse DSSE envelope
var envelope = ParseEnvelope(root);
if (envelope is null)
{
return AttestationParseResult.Failure("Invalid DSSE envelope structure");
}
// Decode and parse in-toto statement
var statement = DecodeAndParseStatement(envelope);
if (statement is null)
{
return AttestationParseResult.Failure("Failed to decode or parse in-toto statement");
}
return AttestationParseResult.Success(envelope, statement);
}
catch (JsonException ex)
{
return AttestationParseResult.Failure($"JSON parsing error: {ex.Message}");
}
}
private static DsseEnvelope? ParseEnvelope(JsonElement root)
{
// Validate required fields
if (!root.TryGetProperty("payloadType", out var payloadTypeProp) ||
!root.TryGetProperty("payload", out var payloadProp) ||
!root.TryGetProperty("signatures", out var signaturesProp))
{
return null;
}
var payloadType = payloadTypeProp.GetString();
var payload = payloadProp.GetString();
if (string.IsNullOrEmpty(payloadType) || string.IsNullOrEmpty(payload))
{
return null;
}
// Parse signatures
var signatures = new List<DsseSignature>();
if (signaturesProp.ValueKind == JsonValueKind.Array)
{
foreach (var sigElement in signaturesProp.EnumerateArray())
{
var sig = ParseSignature(sigElement);
if (sig is not null)
{
signatures.Add(sig);
}
}
}
return new DsseEnvelope
{
PayloadType = payloadType,
Payload = payload,
Signatures = signatures
};
}
private static DsseSignature? ParseSignature(JsonElement element)
{
if (!element.TryGetProperty("sig", out var sigProp))
{
return null;
}
var sig = sigProp.GetString();
if (string.IsNullOrEmpty(sig))
{
return null;
}
string? keyId = null;
if (element.TryGetProperty("keyid", out var keyIdProp))
{
keyId = keyIdProp.GetString();
}
string? cert = null;
if (element.TryGetProperty("cert", out var certProp))
{
cert = certProp.GetString();
}
return new DsseSignature
{
Sig = sig,
KeyId = keyId,
Cert = cert
};
}
private static InTotoStatement? DecodeAndParseStatement(DsseEnvelope envelope)
{
try
{
// Decode base64 payload
var payloadBytes = Convert.FromBase64String(envelope.Payload);
var payloadJson = Encoding.UTF8.GetString(payloadBytes);
using var document = JsonDocument.Parse(payloadJson);
var root = document.RootElement;
// Parse statement type
string? statementType = null;
if (root.TryGetProperty("_type", out var typeProp))
{
statementType = typeProp.GetString();
}
else if (root.TryGetProperty("type", out typeProp))
{
statementType = typeProp.GetString();
}
if (string.IsNullOrEmpty(statementType))
{
statementType = "https://in-toto.io/Statement/v1";
}
// Parse predicate type
string? predicateType = null;
if (root.TryGetProperty("predicateType", out var predicateTypeProp))
{
predicateType = predicateTypeProp.GetString();
}
if (string.IsNullOrEmpty(predicateType))
{
return null;
}
// Parse subjects
var subjects = new List<InTotoSubject>();
if (root.TryGetProperty("subject", out var subjectsProp) &&
subjectsProp.ValueKind == JsonValueKind.Array)
{
foreach (var subjectElement in subjectsProp.EnumerateArray())
{
var subject = ParseSubject(subjectElement);
if (subject is not null)
{
subjects.Add(subject);
}
}
}
// Extract predicate JSON for further processing
string? predicateJson = null;
if (root.TryGetProperty("predicate", out var predicateProp))
{
predicateJson = predicateProp.GetRawText();
}
return new InTotoStatement
{
Type = statementType,
PredicateType = predicateType,
Subjects = subjects,
PredicateJson = predicateJson
};
}
catch
{
return null;
}
}
private static InTotoSubject? ParseSubject(JsonElement element)
{
string? name = null;
if (element.TryGetProperty("name", out var nameProp))
{
name = nameProp.GetString();
}
var digest = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
if (element.TryGetProperty("digest", out var digestProp) &&
digestProp.ValueKind == JsonValueKind.Object)
{
foreach (var prop in digestProp.EnumerateObject())
{
var value = prop.Value.GetString();
if (!string.IsNullOrEmpty(value))
{
digest[prop.Name] = value;
}
}
}
if (digest.Count == 0)
{
return null;
}
return new InTotoSubject
{
Name = name,
Digest = digest
};
}
}

199
src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/IAttestationParser.cs Normal file
View File

@@ -0,0 +1,199 @@
// =============================================================================
// IAttestationParser.cs
// Attestation parsing abstraction for DSSE/in-toto attestations
// Part of Step 2: Evidence Collection (Task T6)
// =============================================================================
namespace StellaOps.AirGap.Importer.Reconciliation.Parsers;
/// <summary>
/// Interface for parsing DSSE-wrapped in-toto attestations.
/// </summary>
public interface IAttestationParser
{
/// <summary>
/// Parses a DSSE envelope from the given file path.
/// </summary>
/// <param name="filePath">Path to the attestation file.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Parsed attestation result.</returns>
Task<AttestationParseResult> ParseAsync(string filePath, CancellationToken cancellationToken = default);
/// <summary>
/// Parses a DSSE envelope from a stream.
/// </summary>
/// <param name="stream">Stream containing the attestation content.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Parsed attestation result.</returns>
Task<AttestationParseResult> ParseAsync(Stream stream, CancellationToken cancellationToken = default);
/// <summary>
/// Detects if a file is a DSSE attestation.
/// </summary>
/// <param name="filePath">Path to the file.</param>
/// <returns>True if the file appears to be a DSSE attestation.</returns>
bool IsAttestation(string filePath);
}
/// <summary>
/// Result of parsing an attestation document.
/// </summary>
public sealed record AttestationParseResult
{
/// <summary>
/// Whether parsing was successful.
/// </summary>
public bool IsSuccess { get; init; }
/// <summary>
/// Error message if parsing failed.
/// </summary>
public string? ErrorMessage { get; init; }
/// <summary>
/// The parsed DSSE envelope.
/// </summary>
public DsseEnvelope? Envelope { get; init; }
/// <summary>
/// The parsed in-toto statement (payload).
/// </summary>
public InTotoStatement? Statement { get; init; }
/// <summary>
/// Creates a successful parse result.
/// </summary>
public static AttestationParseResult Success(DsseEnvelope envelope, InTotoStatement statement)
{
return new AttestationParseResult
{
IsSuccess = true,
Envelope = envelope,
Statement = statement
};
}
/// <summary>
/// Creates a failed parse result.
/// </summary>
public static AttestationParseResult Failure(string errorMessage)
{
return new AttestationParseResult
{
IsSuccess = false,
ErrorMessage = errorMessage
};
}
}
/// <summary>
/// Represents a DSSE (Dead Simple Signing Envelope).
/// </summary>
public sealed record DsseEnvelope
{
/// <summary>
/// Payload type (typically "application/vnd.in-toto+json").
/// </summary>
public required string PayloadType { get; init; }
/// <summary>
/// Base64-encoded payload.
/// </summary>
public required string Payload { get; init; }
/// <summary>
/// Signatures on the envelope.
/// </summary>
public IReadOnlyList<DsseSignature> Signatures { get; init; } = [];
}
/// <summary>
/// Represents a signature in a DSSE envelope.
/// </summary>
public sealed record DsseSignature
{
/// <summary>
/// Key identifier (e.g., key ID or certificate fingerprint).
/// </summary>
public string? KeyId { get; init; }
/// <summary>
/// Base64-encoded signature.
/// </summary>
public required string Sig { get; init; }
/// <summary>
/// Certificate chain (if present).
/// </summary>
public string? Cert { get; init; }
}
/// <summary>
/// Represents an in-toto statement (attestation payload).
/// </summary>
public sealed record InTotoStatement
{
/// <summary>
/// Statement type (typically "https://in-toto.io/Statement/v1").
/// </summary>
public required string Type { get; init; }
/// <summary>
/// Predicate type URI (e.g., "https://slsa.dev/provenance/v1").
/// </summary>
public required string PredicateType { get; init; }
/// <summary>
/// Subjects (artifacts) this statement applies to.
/// </summary>
public IReadOnlyList<InTotoSubject> Subjects { get; init; } = [];
/// <summary>
/// Raw predicate JSON for further processing.
/// </summary>
public string? PredicateJson { get; init; }
}
/// <summary>
/// Represents a subject in an in-toto statement.
/// </summary>
public sealed record InTotoSubject
{
/// <summary>
/// Subject name (typically a file path or artifact reference).
/// </summary>
public string? Name { get; init; }
/// <summary>
/// Subject digests (algorithm -> hash).
/// </summary>
public IReadOnlyDictionary<string, string> Digest { get; init; } = new Dictionary<string, string>();
/// <summary>
/// Gets the normalized SHA-256 digest if available.
/// </summary>
public string? GetSha256Digest()
{
if (Digest.TryGetValue("sha256", out var hash))
{
return "sha256:" + hash.ToLowerInvariant();
}
return null;
}
}
/// <summary>
/// Well-known predicate types for attestations.
/// </summary>
public static class PredicateTypes
{
public const string SlsaProvenanceV1 = "https://slsa.dev/provenance/v1";
public const string SlsaProvenanceV02 = "https://slsa.dev/provenance/v0.2";
public const string InTotoLink = "https://in-toto.io/Link/v1";
public const string Spdx = "https://spdx.dev/Document";
public const string CycloneDx = "https://cyclonedx.org/bom";
public const string OpenVex = "https://openvex.dev/ns/v0.2.0";
public const string Csaf = "https://docs.oasis-open.org/csaf/csaf/v2.0";
public const string ScorecardV2 = "https://ossf.github.io/scorecard/v2";
public const string VulnerabilityReport = "https://cosign.sigstore.dev/attestation/vuln/v1";
}

188
src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/ISbomParser.cs Normal file
View File

@@ -0,0 +1,188 @@
// =============================================================================
// ISbomParser.cs
// SBOM parsing abstraction for CycloneDX and SPDX formats
// Part of Step 2: Evidence Collection (Task T5)
// =============================================================================
namespace StellaOps.AirGap.Importer.Reconciliation.Parsers;
/// <summary>
/// Interface for parsing SBOM documents into a normalized representation.
/// Supports CycloneDX and SPDX formats.
/// </summary>
public interface ISbomParser
{
/// <summary>
/// Parses an SBOM file from the given path.
/// </summary>
/// <param name="filePath">Path to the SBOM file.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Parsed SBOM result containing subjects and metadata.</returns>
Task<SbomParseResult> ParseAsync(string filePath, CancellationToken cancellationToken = default);
/// <summary>
/// Parses an SBOM from a stream.
/// </summary>
/// <param name="stream">Stream containing the SBOM content.</param>
/// <param name="format">Expected SBOM format.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Parsed SBOM result containing subjects and metadata.</returns>
Task<SbomParseResult> ParseAsync(Stream stream, SbomFormat format, CancellationToken cancellationToken = default);
/// <summary>
/// Detects the SBOM format from file extension or content.
/// </summary>
/// <param name="filePath">Path to the SBOM file.</param>
/// <returns>Detected SBOM format.</returns>
SbomFormat DetectFormat(string filePath);
}
/// <summary>
/// Result of parsing an SBOM document.
/// </summary>
public sealed record SbomParseResult
{
/// <summary>
/// Whether parsing was successful.
/// </summary>
public bool IsSuccess { get; init; }
/// <summary>
/// Error message if parsing failed.
/// </summary>
public string? ErrorMessage { get; init; }
/// <summary>
/// Detected or specified SBOM format.
/// </summary>
public SbomFormat Format { get; init; }
/// <summary>
/// SBOM specification version (e.g., "1.6" for CycloneDX, "2.3" for SPDX).
/// </summary>
public string? SpecVersion { get; init; }
/// <summary>
/// SBOM serial number or document namespace.
/// </summary>
public string? SerialNumber { get; init; }
/// <summary>
/// Timestamp when the SBOM was created.
/// </summary>
public DateTimeOffset? CreatedAt { get; init; }
/// <summary>
/// Tool that generated the SBOM.
/// </summary>
public string? GeneratorTool { get; init; }
/// <summary>
/// Primary component (for CycloneDX) or main package (for SPDX).
/// </summary>
public SbomSubject? PrimarySubject { get; init; }
/// <summary>
/// All subjects (components/packages) in the SBOM that have digests.
/// </summary>
public IReadOnlyList<SbomSubject> Subjects { get; init; } = [];
/// <summary>
/// Total number of components/packages in the SBOM.
/// </summary>
public int TotalComponentCount { get; init; }
/// <summary>
/// Raw normalized JSON content for hashing.
/// </summary>
public string? NormalizedContent { get; init; }
/// <summary>
/// Creates a successful parse result.
/// </summary>
public static SbomParseResult Success(
SbomFormat format,
IReadOnlyList<SbomSubject> subjects,
string? specVersion = null,
string? serialNumber = null,
DateTimeOffset? createdAt = null,
string? generatorTool = null,
SbomSubject? primarySubject = null,
int totalComponentCount = 0,
string? normalizedContent = null)
{
return new SbomParseResult
{
IsSuccess = true,
Format = format,
Subjects = subjects,
SpecVersion = specVersion,
SerialNumber = serialNumber,
CreatedAt = createdAt,
GeneratorTool = generatorTool,
PrimarySubject = primarySubject,
TotalComponentCount = totalComponentCount,
NormalizedContent = normalizedContent
};
}
/// <summary>
/// Creates a failed parse result.
/// </summary>
public static SbomParseResult Failure(string errorMessage, SbomFormat format = SbomFormat.Unknown)
{
return new SbomParseResult
{
IsSuccess = false,
ErrorMessage = errorMessage,
Format = format,
Subjects = []
};
}
}
/// <summary>
/// Represents a subject (artifact) described by an SBOM.
/// </summary>
public sealed record SbomSubject
{
/// <summary>
/// Artifact digest in normalized format (sha256:hex).
/// </summary>
public required string Digest { get; init; }
/// <summary>
/// Human-readable name of the artifact.
/// </summary>
public string? Name { get; init; }
/// <summary>
/// Package URL (purl) if available.
/// </summary>
public string? Purl { get; init; }
/// <summary>
/// Version string.
/// </summary>
public string? Version { get; init; }
/// <summary>
/// Component type (application, library, container, etc.).
/// </summary>
public string? Type { get; init; }
/// <summary>
/// BOM reference identifier (for CycloneDX).
/// </summary>
public string? BomRef { get; init; }
/// <summary>
/// SPDX identifier (for SPDX).
/// </summary>
public string? SpdxId { get; init; }
/// <summary>
/// All hash values for the subject.
/// </summary>
public IReadOnlyDictionary<string, string> Hashes { get; init; } = new Dictionary<string, string>();
}

173
src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/SbomCollector.cs Normal file
View File

@@ -0,0 +1,173 @@
// =============================================================================
// SbomCollector.cs
// SBOM evidence collector for reconciliation workflow
// Part of Step 2: Evidence Collection (Task T5)
// =============================================================================
using System.Security.Cryptography;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
namespace StellaOps.AirGap.Importer.Reconciliation.Parsers;
/// <summary>
/// Collects SBOM evidence from an evidence directory and populates the artifact index.
/// </summary>
public sealed class SbomCollector
{
private readonly ISbomParser _parser;
private readonly ILogger<SbomCollector> _logger;
public SbomCollector(ISbomParser? parser = null, ILogger<SbomCollector>? logger = null)
{
_parser = parser ?? new SbomParserFactory();
_logger = logger ?? NullLogger<SbomCollector>.Instance;
}
/// <summary>
/// Collects SBOM evidence from the sboms directory.
/// </summary>
/// <param name="sbomsDirectory">Path to the sboms directory.</param>
/// <param name="index">Artifact index to populate.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Collection result with statistics.</returns>
public async Task<SbomCollectionResult> CollectAsync(
string sbomsDirectory,
ArtifactIndex index,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(sbomsDirectory);
ArgumentNullException.ThrowIfNull(index);
var result = new SbomCollectionResult();
if (!Directory.Exists(sbomsDirectory))
{
_logger.LogDebug("SBOM directory does not exist: {Directory}", sbomsDirectory);
return result;
}
// Find all potential SBOM files (ordered deterministically)
var files = Directory.EnumerateFiles(sbomsDirectory, "*.*", SearchOption.AllDirectories)
.Where(IsSbomFile)
.OrderBy(f => NormalizeRelativePath(Path.GetRelativePath(sbomsDirectory, f)), StringComparer.Ordinal)
.ToList();
_logger.LogDebug("Found {Count} potential SBOM files in {Directory}", files.Count, sbomsDirectory);
foreach (var file in files)
{
cancellationToken.ThrowIfCancellationRequested();
try
{
await ProcessSbomFileAsync(file, sbomsDirectory, index, result, cancellationToken);
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Failed to process SBOM file: {File}", file);
result.FailedFiles.Add((file, ex.Message));
}
}
return result;
}
private async Task ProcessSbomFileAsync(
string filePath,
string baseDirectory,
ArtifactIndex index,
SbomCollectionResult result,
CancellationToken cancellationToken)
{
// Compute content hash for the SBOM file itself
var contentHash = await ComputeFileHashAsync(filePath, cancellationToken);
var relativePath = NormalizeRelativePath(Path.GetRelativePath(baseDirectory, filePath));
// Parse the SBOM
var parseResult = await _parser.ParseAsync(filePath, cancellationToken);
if (!parseResult.IsSuccess)
{
_logger.LogWarning("Failed to parse SBOM {File}: {Error}", filePath, parseResult.ErrorMessage);
result.FailedFiles.Add((filePath, parseResult.ErrorMessage ?? "Unknown error"));
return;
}
result.ParsedFiles++;
result.TotalSubjects += parseResult.Subjects.Count;
// Create SBOM reference
var sbomRef = new SbomReference(
ContentHash: contentHash,
FilePath: relativePath,
Format: parseResult.Format,
CreatedAt: parseResult.CreatedAt);
// Add each subject to the index
foreach (var subject in parseResult.Subjects)
{
var entry = new ArtifactEntry(
Digest: subject.Digest,
Name: subject.Name,
Sboms: [sbomRef],
Attestations: [],
VexDocuments: []);
index.AddOrUpdate(entry);
result.IndexedSubjects++;
}
_logger.LogDebug(
"Parsed {Format} SBOM: {File}, {SubjectCount} subjects indexed",
parseResult.Format,
relativePath,
parseResult.Subjects.Count);
}
private static bool IsSbomFile(string filePath)
{
var lower = filePath.ToLowerInvariant();
return lower.EndsWith(".cdx.json") ||
lower.EndsWith(".bom.json") ||
lower.EndsWith(".spdx.json") ||
lower.EndsWith("sbom.json") ||
lower.EndsWith("bom.json");
}
private static string NormalizeRelativePath(string path) =>
path.Replace('\\', '/');
private static async Task<string> ComputeFileHashAsync(string filePath, CancellationToken cancellationToken)
{
await using var stream = File.OpenRead(filePath);
var hash = await SHA256.HashDataAsync(stream, cancellationToken);
return "sha256:" + Convert.ToHexString(hash).ToLowerInvariant();
}
}
/// <summary>
/// Result of SBOM collection operation.
/// </summary>
public sealed class SbomCollectionResult
{
/// <summary>
/// Number of SBOM files successfully parsed.
/// </summary>
public int ParsedFiles { get; set; }
/// <summary>
/// Total number of subjects found across all SBOMs.
/// </summary>
public int TotalSubjects { get; set; }
/// <summary>
/// Number of subjects indexed (with valid digests).
/// </summary>
public int IndexedSubjects { get; set; }
/// <summary>
/// Files that failed to parse, with error messages.
/// </summary>
public List<(string FilePath, string Error)> FailedFiles { get; } = [];
}

490
src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/SbomNormalizer.cs Normal file
View File

@@ -0,0 +1,490 @@
// =============================================================================
// SbomNormalizer.cs
// Canonical SBOM transformer for deterministic reconciliation
// Part of Step 3: Normalization (Task T13)
// =============================================================================
using System.Text.Json;
using System.Text.Json.Nodes;
namespace StellaOps.AirGap.Importer.Reconciliation.Parsers;
/// <summary>
/// Transforms SBOMs into a canonical form for deterministic hashing and comparison.
/// Applies normalization rules per advisory §5 step 3.
/// </summary>
public sealed class SbomNormalizer
{
private readonly NormalizationOptions _options;
public SbomNormalizer(NormalizationOptions? options = null)
{
_options = options ?? NormalizationOptions.Default;
}
/// <summary>
/// Normalizes an SBOM JSON document to canonical form.
/// </summary>
/// <param name="sbomJson">Raw SBOM JSON content.</param>
/// <param name="format">SBOM format (CycloneDX or SPDX).</param>
/// <returns>Normalized JSON string.</returns>
public string Normalize(string sbomJson, SbomFormat format)
{
ArgumentException.ThrowIfNullOrWhiteSpace(sbomJson);
var node = JsonNode.Parse(sbomJson);
if (node is null)
{
return "null";
}
var normalized = format switch
{
SbomFormat.CycloneDx => NormalizeCycloneDx(node),
SbomFormat.Spdx => NormalizeSpdx(node),
_ => NormalizeGeneric(node)
};
return SerializeCanonical(normalized);
}
/// <summary>
/// Normalizes a CycloneDX SBOM.
/// </summary>
private JsonNode NormalizeCycloneDx(JsonNode node)
{
if (node is not JsonObject obj)
{
return node;
}
var normalized = new JsonObject();
// Process in deterministic key order
var sortedKeys = obj
.Select(kv => kv.Key)
.Where(key => !ShouldStripCycloneDxField(key))
.OrderBy(k => k, StringComparer.Ordinal);
foreach (var key in sortedKeys)
{
var value = obj[key];
if (value is null) continue;
var normalizedValue = key switch
{
"components" => NormalizeComponents(value.DeepClone()),
"metadata" => NormalizeCycloneDxMetadata(value.DeepClone()),
"dependencies" => NormalizeDependencies(value.DeepClone()),
"vulnerabilities" => NormalizeVulnerabilities(value.DeepClone()),
_ => NormalizeNode(value.DeepClone())
};
normalized[key] = normalizedValue;
}
return normalized;
}
/// <summary>
/// Normalizes an SPDX SBOM.
/// </summary>
private JsonNode NormalizeSpdx(JsonNode node)
{
if (node is not JsonObject obj)
{
return node;
}
var normalized = new JsonObject();
var sortedKeys = obj
.Select(kv => kv.Key)
.Where(key => !ShouldStripSpdxField(key))
.OrderBy(k => k, StringComparer.Ordinal);
foreach (var key in sortedKeys)
{
var value = obj[key];
if (value is null) continue;
var normalizedValue = key switch
{
"packages" => NormalizeSpdxPackages(value.DeepClone()),
"relationships" => NormalizeSpdxRelationships(value.DeepClone()),
"files" => NormalizeSpdxFiles(value.DeepClone()),
"creationInfo" => NormalizeSpdxCreationInfo(value.DeepClone()),
_ => NormalizeNode(value.DeepClone())
};
normalized[key] = normalizedValue;
}
return normalized;
}
/// <summary>
/// Generic normalization for unknown formats.
/// </summary>
private JsonNode NormalizeGeneric(JsonNode node)
{
return NormalizeNode(node);
}
/// <summary>
/// Recursively normalizes a JSON node.
/// </summary>
private JsonNode? NormalizeNode(JsonNode? node)
{
return node switch
{
JsonObject obj => NormalizeObject(obj),
JsonArray arr => NormalizeArray(arr),
JsonValue val => NormalizeValue(val),
_ => node
};
}
private JsonObject NormalizeObject(JsonObject obj)
{
var normalized = new JsonObject();
var sortedKeys = obj
.Select(kv => kv.Key)
.Where(key => !ShouldStripTimestampField(key))
.OrderBy(k => k, StringComparer.Ordinal);
foreach (var key in sortedKeys)
{
var value = obj[key];
normalized[key] = NormalizeNode(value?.DeepClone());
}
return normalized;
}
private JsonArray NormalizeArray(JsonArray arr)
{
var normalized = new JsonArray();
var elements = arr
.Select(n => NormalizeNode(n?.DeepClone()))
.ToList();
// Sort arrays of objects by a deterministic key
if (_options.SortArrays && elements.All(e => e is JsonObject))
{
elements = elements
.Cast<JsonObject>()
.OrderBy(o => GetSortKey(o), StringComparer.Ordinal)
.Cast<JsonNode?>()
.ToList();
}
foreach (var element in elements)
{
normalized.Add(element);
}
return normalized;
}
private JsonValue NormalizeValue(JsonValue val)
{
var value = val.GetValue<object>();
if (value is string str)
{
// Lowercase URIs
if (_options.LowercaseUris && IsUri(str))
{
str = str.ToLowerInvariant();
}
return JsonValue.Create(str)!;
}
return val.DeepClone().AsValue();
}
/// <summary>
/// Normalizes CycloneDX components array.
/// </summary>
private JsonNode NormalizeComponents(JsonNode node)
{
if (node is not JsonArray arr)
{
return NormalizeNode(node)!;
}
var normalized = new JsonArray();
var components = arr
.Select(c => NormalizeObject((c as JsonObject)!))
.OrderBy(c => GetComponentSortKey(c), StringComparer.Ordinal);
foreach (var component in components)
{
normalized.Add(component);
}
return normalized;
}
/// <summary>
/// Normalizes CycloneDX metadata.
/// </summary>
private JsonNode NormalizeCycloneDxMetadata(JsonNode node)
{
if (node is not JsonObject obj)
{
return NormalizeNode(node)!;
}
var normalized = new JsonObject();
var sortedKeys = obj
.Select(kv => kv.Key)
.Where(key => _options.StripTimestamps ? key != "timestamp" : true)
.OrderBy(k => k, StringComparer.Ordinal);
foreach (var key in sortedKeys)
{
var value = obj[key];
normalized[key] = NormalizeNode(value?.DeepClone());
}
return normalized;
}
/// <summary>
/// Normalizes CycloneDX dependencies.
/// </summary>
private JsonNode NormalizeDependencies(JsonNode node)
{
if (node is not JsonArray arr)
{
return NormalizeNode(node)!;
}
var normalized = new JsonArray();
var deps = arr
.Select(d => NormalizeObject((d as JsonObject)!))
.OrderBy(d => d["ref"]?.GetValue<string>() ?? "", StringComparer.Ordinal);
foreach (var dep in deps)
{
// Also sort dependsOn arrays
if (dep["dependsOn"] is JsonArray dependsOn)
{
var sortedDeps = new JsonArray();
foreach (var item in dependsOn.OrderBy(x => x?.GetValue<string>() ?? "", StringComparer.Ordinal))
{
sortedDeps.Add(item?.DeepClone());
}
dep["dependsOn"] = sortedDeps;
}
normalized.Add(dep);
}
return normalized;
}
/// <summary>
/// Normalizes CycloneDX vulnerabilities.
/// </summary>
private JsonNode NormalizeVulnerabilities(JsonNode node)
{
if (node is not JsonArray arr)
{
return NormalizeNode(node)!;
}
var normalized = new JsonArray();
var vulns = arr
.Select(v => NormalizeObject((v as JsonObject)!))
.OrderBy(v => v["id"]?.GetValue<string>() ?? "", StringComparer.Ordinal);
foreach (var vuln in vulns)
{
normalized.Add(vuln);
}
return normalized;
}
/// <summary>
/// Normalizes SPDX packages.
/// </summary>
private JsonNode NormalizeSpdxPackages(JsonNode node)
{
if (node is not JsonArray arr)
{
return NormalizeNode(node)!;
}
var normalized = new JsonArray();
var packages = arr
.Select(p => NormalizeObject((p as JsonObject)!))
.OrderBy(p => p["SPDXID"]?.GetValue<string>() ?? "", StringComparer.Ordinal);
foreach (var pkg in packages)
{
normalized.Add(pkg);
}
return normalized;
}
/// <summary>
/// Normalizes SPDX relationships.
/// </summary>
private JsonNode NormalizeSpdxRelationships(JsonNode node)
{
if (node is not JsonArray arr)
{
return NormalizeNode(node)!;
}
var normalized = new JsonArray();
var rels = arr
.Select(r => NormalizeObject((r as JsonObject)!))
.OrderBy(r => r["spdxElementId"]?.GetValue<string>() ?? "", StringComparer.Ordinal)
.ThenBy(r => r["relatedSpdxElement"]?.GetValue<string>() ?? "", StringComparer.Ordinal)
.ThenBy(r => r["relationshipType"]?.GetValue<string>() ?? "", StringComparer.Ordinal);
foreach (var rel in rels)
{
normalized.Add(rel);
}
return normalized;
}
/// <summary>
/// Normalizes SPDX files.
/// </summary>
private JsonNode NormalizeSpdxFiles(JsonNode node)
{
if (node is not JsonArray arr)
{
return NormalizeNode(node)!;
}
var normalized = new JsonArray();
var files = arr
.Select(f => NormalizeObject((f as JsonObject)!))
.OrderBy(f => f["SPDXID"]?.GetValue<string>() ?? "", StringComparer.Ordinal);
foreach (var file in files)
{
normalized.Add(file);
}
return normalized;
}
/// <summary>
/// Normalizes SPDX creation info.
/// </summary>
private JsonNode NormalizeSpdxCreationInfo(JsonNode node)
{
if (node is not JsonObject obj)
{
return NormalizeNode(node)!;
}
var normalized = new JsonObject();
var sortedKeys = obj
.Select(kv => kv.Key)
.Where(key => _options.StripTimestamps ? key != "created" : true)
.OrderBy(k => k, StringComparer.Ordinal);
foreach (var key in sortedKeys)
{
var value = obj[key];
normalized[key] = NormalizeNode(value?.DeepClone());
}
return normalized;
}
private static string GetComponentSortKey(JsonObject obj)
{
// Sort by bom-ref or purl or name+version
if (obj.TryGetPropertyValue("bom-ref", out var bomRef) && bomRef is JsonValue bv)
{
return bv.GetValue<string>() ?? "";
}
if (obj.TryGetPropertyValue("purl", out var purl) && purl is JsonValue pv)
{
return pv.GetValue<string>() ?? "";
}
var name = obj["name"]?.GetValue<string>() ?? "";
var version = obj["version"]?.GetValue<string>() ?? "";
return $"{name}@{version}";
}
private static string GetSortKey(JsonObject obj)
{
var keyPriority = new[] { "id", "@id", "bom-ref", "SPDXID", "name", "digest", "uri", "ref" };
foreach (var key in keyPriority)
{
if (obj.TryGetPropertyValue(key, out var value) && value is JsonValue jv)
{
return jv.GetValue<string>() ?? "";
}
}
return obj.ToJsonString();
}
private static bool ShouldStripCycloneDxField(string key)
{
// Fields that should be stripped for canonical form
return key == "$schema";
}
private static bool ShouldStripSpdxField(string key)
{
return false;
}
private bool ShouldStripTimestampField(string key)
{
if (!_options.StripTimestamps)
{
return false;
}
var timestampFields = new[]
{
"timestamp", "created", "modified", "updated", "createdAt", "updatedAt",
"modifiedAt", "date", "time", "datetime", "lastModified", "generated"
};
return timestampFields.Any(f => key.Equals(f, StringComparison.OrdinalIgnoreCase));
}
private static bool IsUri(string value)
{
return value.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
value.StartsWith("https://", StringComparison.OrdinalIgnoreCase) ||
value.StartsWith("urn:", StringComparison.OrdinalIgnoreCase) ||
value.StartsWith("pkg:", StringComparison.OrdinalIgnoreCase);
}
private static string SerializeCanonical(JsonNode node)
{
var options = new JsonSerializerOptions
{
WriteIndented = false,
PropertyNamingPolicy = null,
DefaultIgnoreCondition = System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull
};
return node.ToJsonString(options);
}
}

91
src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/SbomParserFactory.cs Normal file
View File

@@ -0,0 +1,91 @@
// =============================================================================
// SbomParserFactory.cs
// Factory for creating and selecting SBOM parsers
// Part of Step 2: Evidence Collection (Task T5)
// =============================================================================
namespace StellaOps.AirGap.Importer.Reconciliation.Parsers;
/// <summary>
/// Factory for creating SBOM parsers and detecting SBOM formats.
/// </summary>
public sealed class SbomParserFactory : ISbomParser
{
private readonly CycloneDxParser _cycloneDxParser;
private readonly SpdxParser _spdxParser;
public SbomParserFactory()
{
_cycloneDxParser = new CycloneDxParser();
_spdxParser = new SpdxParser();
}
/// <summary>
/// Detects the SBOM format from file extension or content.
/// </summary>
public SbomFormat DetectFormat(string filePath)
{
ArgumentException.ThrowIfNullOrWhiteSpace(filePath);
// Try CycloneDX first
var format = _cycloneDxParser.DetectFormat(filePath);
if (format != SbomFormat.Unknown)
{
return format;
}
// Try SPDX
format = _spdxParser.DetectFormat(filePath);
if (format != SbomFormat.Unknown)
{
return format;
}
return SbomFormat.Unknown;
}
/// <summary>
/// Parses an SBOM file using auto-detected format.
/// </summary>
public async Task<SbomParseResult> ParseAsync(string filePath, CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(filePath);
var format = DetectFormat(filePath);
return format switch
{
SbomFormat.CycloneDx => await _cycloneDxParser.ParseAsync(filePath, cancellationToken),
SbomFormat.Spdx => await _spdxParser.ParseAsync(filePath, cancellationToken),
_ => SbomParseResult.Failure($"Unknown SBOM format for file: {filePath}", SbomFormat.Unknown)
};
}
/// <summary>
/// Parses an SBOM from a stream using the specified format.
/// </summary>
public async Task<SbomParseResult> ParseAsync(Stream stream, SbomFormat format, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(stream);
return format switch
{
SbomFormat.CycloneDx => await _cycloneDxParser.ParseAsync(stream, format, cancellationToken),
SbomFormat.Spdx => await _spdxParser.ParseAsync(stream, format, cancellationToken),
_ => SbomParseResult.Failure($"Unknown SBOM format: {format}", format)
};
}
/// <summary>
/// Gets a parser for the specified format.
/// </summary>
public ISbomParser GetParser(SbomFormat format)
{
return format switch
{
SbomFormat.CycloneDx => _cycloneDxParser,
SbomFormat.Spdx => _spdxParser,
_ => throw new ArgumentException($"No parser available for format: {format}", nameof(format))
};
}
}

305
src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/SpdxParser.cs Normal file
View File

@@ -0,0 +1,305 @@
// =============================================================================
// SpdxParser.cs
// SPDX SBOM parser implementation
// Part of Step 2: Evidence Collection (Task T5)
// =============================================================================
using System.Text.Json;
namespace StellaOps.AirGap.Importer.Reconciliation.Parsers;
/// <summary>
/// Parser for SPDX SBOM format (JSON).
/// Supports SPDX 2.2 and 2.3 schemas.
/// </summary>
public sealed class SpdxParser : ISbomParser
{
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNameCaseInsensitive = true,
AllowTrailingCommas = true,
ReadCommentHandling = JsonCommentHandling.Skip
};
public SbomFormat DetectFormat(string filePath)
{
ArgumentException.ThrowIfNullOrWhiteSpace(filePath);
// SPDX files typically end with .spdx.json
if (filePath.EndsWith(".spdx.json", StringComparison.OrdinalIgnoreCase))
{
return SbomFormat.Spdx;
}
// Try to detect from content
if (File.Exists(filePath))
{
try
{
using var stream = File.OpenRead(filePath);
using var reader = new StreamReader(stream);
var firstChars = new char[1024];
var read = reader.Read(firstChars, 0, firstChars.Length);
var content = new string(firstChars, 0, read);
if (content.Contains("\"spdxVersion\"", StringComparison.OrdinalIgnoreCase) ||
content.Contains("\"SPDXID\"", StringComparison.OrdinalIgnoreCase))
{
return SbomFormat.Spdx;
}
}
catch
{
// Ignore detection errors
}
}
return SbomFormat.Unknown;
}
public async Task<SbomParseResult> ParseAsync(string filePath, CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(filePath);
if (!File.Exists(filePath))
{
return SbomParseResult.Failure($"File not found: {filePath}", SbomFormat.Spdx);
}
try
{
await using var stream = File.OpenRead(filePath);
return await ParseAsync(stream, SbomFormat.Spdx, cancellationToken);
}
catch (Exception ex)
{
return SbomParseResult.Failure($"Failed to parse SPDX file: {ex.Message}", SbomFormat.Spdx);
}
}
public async Task<SbomParseResult> ParseAsync(Stream stream, SbomFormat format, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(stream);
try
{
using var document = await JsonDocument.ParseAsync(stream, default, cancellationToken);
var root = document.RootElement;
// Validate spdxVersion
if (!root.TryGetProperty("spdxVersion", out var versionProp))
{
return SbomParseResult.Failure("Not a valid SPDX document: missing spdxVersion", SbomFormat.Spdx);
}
var specVersion = versionProp.GetString();
if (string.IsNullOrEmpty(specVersion) ||
!specVersion.StartsWith("SPDX-", StringComparison.OrdinalIgnoreCase))
{
return SbomParseResult.Failure("Not a valid SPDX document: invalid spdxVersion", SbomFormat.Spdx);
}
// Extract version number (e.g., "SPDX-2.3" -> "2.3")
specVersion = specVersion[5..];
// Extract document namespace (serves as serial number)
string? serialNumber = null;
if (root.TryGetProperty("documentNamespace", out var namespaceProp))
{
serialNumber = namespaceProp.GetString();
}
// Extract creation timestamp
DateTimeOffset? createdAt = null;
if (root.TryGetProperty("creationInfo", out var creationInfoProp) &&
creationInfoProp.TryGetProperty("created", out var createdProp))
{
if (DateTimeOffset.TryParse(createdProp.GetString(), out var parsed))
{
createdAt = parsed;
}
}
// Extract generator tool
string? generatorTool = null;
if (root.TryGetProperty("creationInfo", out var creationInfo) &&
creationInfo.TryGetProperty("creators", out var creatorsProp) &&
creatorsProp.ValueKind == JsonValueKind.Array)
{
var tools = new List<string>();
foreach (var creator in creatorsProp.EnumerateArray())
{
var creatorStr = creator.GetString();
if (creatorStr?.StartsWith("Tool:", StringComparison.OrdinalIgnoreCase) == true)
{
tools.Add(creatorStr[5..].Trim());
}
}
generatorTool = tools.Count > 0 ? string.Join(", ", tools) : null;
}
// Extract primary package (documentDescribes)
SbomSubject? primarySubject = null;
var describedIds = new HashSet<string>(StringComparer.Ordinal);
if (root.TryGetProperty("documentDescribes", out var describesProp) &&
describesProp.ValueKind == JsonValueKind.Array)
{
foreach (var id in describesProp.EnumerateArray())
{
var spdxId = id.GetString();
if (!string.IsNullOrEmpty(spdxId))
{
describedIds.Add(spdxId);
}
}
}
// Extract all packages
var subjects = new List<SbomSubject>();
int totalComponentCount = 0;
if (root.TryGetProperty("packages", out var packagesProp) &&
packagesProp.ValueKind == JsonValueKind.Array)
{
foreach (var package in packagesProp.EnumerateArray())
{
totalComponentCount++;
var subject = ParsePackage(package);
if (subject is not null)
{
subjects.Add(subject);
// Check if this is the primary subject
if (subject.SpdxId is not null && describedIds.Contains(subject.SpdxId))
{
primarySubject ??= subject;
}
}
}
}
// Sort subjects for deterministic ordering
subjects = subjects
.OrderBy(s => s.Digest, StringComparer.Ordinal)
.ThenBy(s => s.Name ?? string.Empty, StringComparer.Ordinal)
.ToList();
return SbomParseResult.Success(
format: SbomFormat.Spdx,
subjects: subjects,
specVersion: specVersion,
serialNumber: serialNumber,
createdAt: createdAt,
generatorTool: generatorTool,
primarySubject: primarySubject,
totalComponentCount: totalComponentCount);
}
catch (JsonException ex)
{
return SbomParseResult.Failure($"JSON parsing error: {ex.Message}", SbomFormat.Spdx);
}
}
private static SbomSubject? ParsePackage(JsonElement package)
{
// Extract checksums
var hashes = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
if (package.TryGetProperty("checksums", out var checksumsProp) &&
checksumsProp.ValueKind == JsonValueKind.Array)
{
foreach (var checksum in checksumsProp.EnumerateArray())
{
if (checksum.TryGetProperty("algorithm", out var algProp) &&
checksum.TryGetProperty("checksumValue", out var valueProp))
{
var alg = algProp.GetString();
var value = valueProp.GetString();
if (!string.IsNullOrEmpty(alg) && !string.IsNullOrEmpty(value))
{
hashes[alg] = value;
}
}
}
}
// Determine primary digest (prefer SHA256)
string? digest = null;
if (hashes.TryGetValue("SHA256", out var sha256))
{
digest = NormalizeDigest("sha256:" + sha256);
}
else if (hashes.Count > 0)
{
// Use first available hash
var first = hashes.First();
digest = NormalizeDigest($"{first.Key.ToLowerInvariant()}:{first.Value}");
}
// If no digest, this package can't be indexed by digest
if (string.IsNullOrEmpty(digest))
{
return null;
}
// Extract SPDXID
string? spdxId = null;
if (package.TryGetProperty("SPDXID", out var spdxIdProp))
{
spdxId = spdxIdProp.GetString();
}
// Extract other properties
string? name = null;
if (package.TryGetProperty("name", out var nameProp))
{
name = nameProp.GetString();
}
string? version = null;
if (package.TryGetProperty("versionInfo", out var versionProp))
{
version = versionProp.GetString();
}
// SPDX uses external refs for purl
string? purl = null;
if (package.TryGetProperty("externalRefs", out var refsProp) &&
refsProp.ValueKind == JsonValueKind.Array)
{
foreach (var extRef in refsProp.EnumerateArray())
{
if (extRef.TryGetProperty("referenceType", out var refTypeProp) &&
refTypeProp.GetString()?.Equals("purl", StringComparison.OrdinalIgnoreCase) == true &&
extRef.TryGetProperty("referenceLocator", out var locatorProp))
{
purl = locatorProp.GetString();
break;
}
}
}
// SPDX doesn't have component type directly, check primaryPackagePurpose
string? type = null;
if (package.TryGetProperty("primaryPackagePurpose", out var purposeProp))
{
type = purposeProp.GetString();
}
return new SbomSubject
{
Digest = digest,
Name = name,
Version = version,
Purl = purl,
Type = type,
SpdxId = spdxId,
Hashes = hashes
};
}
private static string NormalizeDigest(string digest)
{
return ArtifactIndex.NormalizeDigest(digest);
}
}

171
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Configuration/RekorVerificationOptions.cs Normal file
View File

@@ -0,0 +1,171 @@
namespace StellaOps.Attestor.Core.Configuration;
/// <summary>
/// Configuration options for Rekor verification.
/// SPRINT_3000_0001_0001 - T4: Rekor public key configuration
/// </summary>
public sealed class RekorVerificationOptions
{
/// <summary>
/// Configuration section name for binding.
/// </summary>
public const string SectionName = "Attestor:Rekor";
/// <summary>
/// Path to Rekor log public key file (PEM format).
/// </summary>
public string? PublicKeyPath { get; set; }
/// <summary>
/// Inline Rekor public key (base64-encoded PEM).
/// Takes precedence over PublicKeyPath.
/// </summary>
public string? PublicKeyBase64 { get; set; }
/// <summary>
/// Allow verification without checkpoint signature in offline mode.
/// WARNING: This reduces security guarantees. Use only in fully air-gapped
/// environments where checkpoint freshness is verified through other means.
/// </summary>
public bool AllowOfflineWithoutSignature { get; set; } = false;
/// <summary>
/// Maximum age of checkpoint before requiring refresh (minutes).
/// Default: 60 minutes.
/// </summary>
public int MaxCheckpointAgeMinutes { get; set; } = 60;
/// <summary>
/// Whether to fail verification if no public key is configured.
/// Default: true (strict mode).
/// </summary>
public bool RequirePublicKey { get; set; } = true;
/// <summary>
/// Path to offline checkpoint bundle for air-gapped verification.
/// Bundle format: JSON array of checkpoint objects with signatures.
/// </summary>
public string? OfflineCheckpointBundlePath { get; set; }
/// <summary>
/// Whether to enable offline verification mode.
/// When enabled, uses bundled checkpoints instead of fetching from Rekor.
/// </summary>
public bool EnableOfflineMode { get; set; } = false;
/// <summary>
/// Rekor server URL for online verification.
/// Default: https://rekor.sigstore.dev
/// </summary>
public string RekorServerUrl { get; set; } = "https://rekor.sigstore.dev";
/// <summary>
/// Connection timeout for Rekor server (seconds).
/// </summary>
public int ConnectionTimeoutSeconds { get; set; } = 30;
/// <summary>
/// Maximum number of retries for transient failures.
/// </summary>
public int MaxRetries { get; set; } = 3;
/// <summary>
/// Whether to cache verified checkpoints in memory.
/// Reduces redundant signature verification for same checkpoint.
/// </summary>
public bool EnableCheckpointCache { get; set; } = true;
/// <summary>
/// Maximum number of checkpoints to cache.
/// </summary>
public int CheckpointCacheSize { get; set; } = 100;
/// <summary>
/// Validates the configuration.
/// </summary>
/// <returns>List of validation errors, empty if valid.</returns>
public IReadOnlyList<string> Validate()
{
var errors = new List<string>();
if (RequirePublicKey && string.IsNullOrEmpty(PublicKeyPath) && string.IsNullOrEmpty(PublicKeyBase64))
{
errors.Add("Rekor public key must be configured (PublicKeyPath or PublicKeyBase64)");
}
if (!string.IsNullOrEmpty(PublicKeyPath) && !File.Exists(PublicKeyPath))
{
errors.Add($"Rekor public key file not found: {PublicKeyPath}");
}
if (EnableOfflineMode && string.IsNullOrEmpty(OfflineCheckpointBundlePath))
{
errors.Add("OfflineCheckpointBundlePath must be configured when EnableOfflineMode is true");
}
if (!string.IsNullOrEmpty(OfflineCheckpointBundlePath) && !File.Exists(OfflineCheckpointBundlePath))
{
errors.Add($"Offline checkpoint bundle not found: {OfflineCheckpointBundlePath}");
}
if (MaxCheckpointAgeMinutes < 1)
{
errors.Add("MaxCheckpointAgeMinutes must be at least 1");
}
if (ConnectionTimeoutSeconds < 1)
{
errors.Add("ConnectionTimeoutSeconds must be at least 1");
}
if (MaxRetries < 0)
{
errors.Add("MaxRetries cannot be negative");
}
if (CheckpointCacheSize < 1)
{
errors.Add("CheckpointCacheSize must be at least 1");
}
return errors;
}
/// <summary>
/// Loads the public key from the configured source.
/// </summary>
/// <returns>The public key bytes, or null if not configured.</returns>
public byte[]? LoadPublicKey()
{
if (!string.IsNullOrEmpty(PublicKeyBase64))
{
return Convert.FromBase64String(PublicKeyBase64);
}
if (!string.IsNullOrEmpty(PublicKeyPath) && File.Exists(PublicKeyPath))
{
var pem = File.ReadAllText(PublicKeyPath);
return ParsePemPublicKey(pem);
}
return null;
}
/// <summary>
/// Parses a PEM-encoded public key.
/// </summary>
private static byte[] ParsePemPublicKey(string pem)
{
// Remove PEM headers/footers
var base64 = pem
.Replace("-----BEGIN PUBLIC KEY-----", "")
.Replace("-----END PUBLIC KEY-----", "")
.Replace("-----BEGIN EC PUBLIC KEY-----", "")
.Replace("-----END EC PUBLIC KEY-----", "")
.Replace("\r", "")
.Replace("\n", "")
.Trim();
return Convert.FromBase64String(base64);
}
}

45
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Observability/AttestorMetrics.cs
View File

@@ -28,6 +28,15 @@ public sealed class AttestorMetrics : IDisposable
BulkItemsTotal = _meter.CreateCounter<long>("attestor.bulk_items_total", description: "Bulk verification items processed grouped by result.");
BulkJobDuration = _meter.CreateHistogram<double>("attestor.bulk_job_duration_seconds", unit: "s", description: "Bulk verification job duration in seconds grouped by status.");
ErrorTotal = _meter.CreateCounter<long>("attestor.errors_total", description: "Total errors grouped by type.");
// SPRINT_3000_0001_0001 - T11: Rekor verification counters
RekorInclusionVerifyTotal = _meter.CreateCounter<long>("attestor.rekor_inclusion_verify_total", description: "Rekor inclusion proof verification attempts grouped by result.");
RekorInclusionVerifyLatency = _meter.CreateHistogram<double>("attestor.rekor_inclusion_verify_latency_seconds", unit: "s", description: "Rekor inclusion proof verification latency in seconds.");
RekorCheckpointVerifyTotal = _meter.CreateCounter<long>("attestor.rekor_checkpoint_verify_total", description: "Rekor checkpoint signature verification attempts grouped by result.");
RekorCheckpointVerifyLatency = _meter.CreateHistogram<double>("attestor.rekor_checkpoint_verify_latency_seconds", unit: "s", description: "Rekor checkpoint signature verification latency in seconds.");
RekorOfflineVerifyTotal = _meter.CreateCounter<long>("attestor.rekor_offline_verify_total", description: "Rekor offline mode verification attempts grouped by result.");
RekorCheckpointCacheHits = _meter.CreateCounter<long>("attestor.rekor_checkpoint_cache_hits", description: "Rekor checkpoint cache hits.");
RekorCheckpointCacheMisses = _meter.CreateCounter<long>("attestor.rekor_checkpoint_cache_misses", description: "Rekor checkpoint cache misses.");
}
public Counter<long> SubmitTotal { get; }
@@ -62,6 +71,42 @@ public sealed class AttestorMetrics : IDisposable
public Counter<long> ErrorTotal { get; }
// SPRINT_3000_0001_0001 - T11: Rekor verification counters
/// <summary>
/// Rekor inclusion proof verification attempts grouped by result (success/failure).
/// </summary>
public Counter<long> RekorInclusionVerifyTotal { get; }
/// <summary>
/// Rekor inclusion proof verification latency in seconds.
/// </summary>
public Histogram<double> RekorInclusionVerifyLatency { get; }
/// <summary>
/// Rekor checkpoint signature verification attempts grouped by result.
/// </summary>
public Counter<long> RekorCheckpointVerifyTotal { get; }
/// <summary>
/// Rekor checkpoint signature verification latency in seconds.
/// </summary>
public Histogram<double> RekorCheckpointVerifyLatency { get; }
/// <summary>
/// Rekor offline mode verification attempts grouped by result.
/// </summary>
public Counter<long> RekorOfflineVerifyTotal { get; }
/// <summary>
/// Rekor checkpoint cache hits.
/// </summary>
public Counter<long> RekorCheckpointCacheHits { get; }
/// <summary>
/// Rekor checkpoint cache misses.
/// </summary>
public Counter<long> RekorCheckpointCacheMisses { get; }
public void Dispose()
{
if (_disposed)

64
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Options/RekorQueueOptions.cs Normal file
View File

@@ -0,0 +1,64 @@
// -----------------------------------------------------------------------------
// RekorQueueOptions.cs
// Sprint: SPRINT_3000_0001_0002_rekor_retry_queue_metrics
// Task: T6
// Description: Configuration options for the Rekor retry queue
// -----------------------------------------------------------------------------
namespace StellaOps.Attestor.Core.Options;
/// <summary>
/// Configuration options for the Rekor durable retry queue.
/// </summary>
public sealed class RekorQueueOptions
{
/// <summary>
/// Enable durable queue for Rekor submissions.
/// </summary>
public bool Enabled { get; set; } = true;
/// <summary>
/// Maximum retry attempts before dead-lettering.
/// </summary>
public int MaxAttempts { get; set; } = 5;
/// <summary>
/// Initial retry delay in milliseconds.
/// </summary>
public int InitialDelayMs { get; set; } = 1000;
/// <summary>
/// Maximum retry delay in milliseconds.
/// </summary>
public int MaxDelayMs { get; set; } = 60000;
/// <summary>
/// Backoff multiplier for exponential retry.
/// </summary>
public double BackoffMultiplier { get; set; } = 2.0;
/// <summary>
/// Batch size for retry processing.
/// </summary>
public int BatchSize { get; set; } = 10;
/// <summary>
/// Poll interval for queue processing in milliseconds.
/// </summary>
public int PollIntervalMs { get; set; } = 5000;
/// <summary>
/// Dead letter retention in days (0 = indefinite).
/// </summary>
public int DeadLetterRetentionDays { get; set; } = 30;
/// <summary>
/// Calculate the next retry delay using exponential backoff.
/// </summary>
public TimeSpan CalculateRetryDelay(int attemptCount)
{
var delayMs = InitialDelayMs * Math.Pow(BackoffMultiplier, attemptCount);
delayMs = Math.Min(delayMs, MaxDelayMs);
return TimeSpan.FromMilliseconds(delayMs);
}
}

40
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Queue/QueueDepthSnapshot.cs Normal file
View File

@@ -0,0 +1,40 @@
// -----------------------------------------------------------------------------
// QueueDepthSnapshot.cs
// Sprint: SPRINT_3000_0001_0002_rekor_retry_queue_metrics
// Task: T9
// Description: Snapshot of queue depth by status
// -----------------------------------------------------------------------------
namespace StellaOps.Attestor.Core.Queue;
/// <summary>
/// Snapshot of the Rekor submission queue depth by status.
/// </summary>
/// <param name="Pending">Count of items in Pending status.</param>
/// <param name="Submitting">Count of items in Submitting status.</param>
/// <param name="Retrying">Count of items in Retrying status.</param>
/// <param name="DeadLetter">Count of items in DeadLetter status.</param>
/// <param name="MeasuredAt">Timestamp when the snapshot was taken.</param>
public sealed record QueueDepthSnapshot(
int Pending,
int Submitting,
int Retrying,
int DeadLetter,
DateTimeOffset MeasuredAt)
{
/// <summary>
/// Total items waiting to be processed (pending + retrying).
/// </summary>
public int TotalWaiting => Pending + Retrying;
/// <summary>
/// Total items in the queue (all statuses except submitted).
/// </summary>
public int TotalInQueue => Pending + Submitting + Retrying + DeadLetter;
/// <summary>
/// Creates an empty snapshot.
/// </summary>
public static QueueDepthSnapshot Empty(DateTimeOffset measuredAt) =>
new(0, 0, 0, 0, measuredAt);
}

43
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Queue/RekorQueueItem.cs Normal file
View File

@@ -0,0 +1,43 @@
// -----------------------------------------------------------------------------
// RekorQueueItem.cs
// Sprint: SPRINT_3000_0001_0002_rekor_retry_queue_metrics
// Task: T2
// Description: Queue item model for Rekor submissions
// -----------------------------------------------------------------------------
namespace StellaOps.Attestor.Core.Queue;
/// <summary>
/// Represents an item in the Rekor submission queue.
/// </summary>
/// <param name="Id">Unique identifier for the queue item.</param>
/// <param name="TenantId">Tenant identifier.</param>
/// <param name="BundleSha256">SHA-256 hash of the bundle being attested.</param>
/// <param name="DssePayload">Serialized DSSE envelope payload.</param>
/// <param name="Backend">Target Rekor backend ('primary' or 'mirror').</param>
/// <param name="Status">Current submission status.</param>
/// <param name="AttemptCount">Number of submission attempts made.</param>
/// <param name="MaxAttempts">Maximum allowed attempts before dead-lettering.</param>
/// <param name="LastAttemptAt">Timestamp of the last submission attempt.</param>
/// <param name="LastError">Error message from the last failed attempt.</param>
/// <param name="NextRetryAt">Scheduled time for the next retry attempt.</param>
/// <param name="RekorUuid">UUID from Rekor after successful submission.</param>
/// <param name="RekorLogIndex">Log index from Rekor after successful submission.</param>
/// <param name="CreatedAt">Timestamp when the item was created.</param>
/// <param name="UpdatedAt">Timestamp when the item was last updated.</param>
public sealed record RekorQueueItem(
Guid Id,
string TenantId,
string BundleSha256,
byte[] DssePayload,
string Backend,
RekorSubmissionStatus Status,
int AttemptCount,
int MaxAttempts,
DateTimeOffset? LastAttemptAt,
string? LastError,
DateTimeOffset? NextRetryAt,
string? RekorUuid,
long? RekorLogIndex,
DateTimeOffset CreatedAt,
DateTimeOffset UpdatedAt);

39
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Queue/RekorSubmissionStatus.cs Normal file
View File

@@ -0,0 +1,39 @@
// -----------------------------------------------------------------------------
// RekorSubmissionStatus.cs
// Sprint: SPRINT_3000_0001_0002_rekor_retry_queue_metrics
// Task: T4
// Description: Status enum for Rekor queue items
// -----------------------------------------------------------------------------
namespace StellaOps.Attestor.Core.Queue;
/// <summary>
/// Status of a Rekor submission queue item.
/// </summary>
public enum RekorSubmissionStatus
{
/// <summary>
/// Queued and waiting for initial submission.
/// </summary>
Pending,
/// <summary>
/// Currently being submitted to Rekor.
/// </summary>
Submitting,
/// <summary>
/// Successfully submitted to Rekor.
/// </summary>
Submitted,
/// <summary>
/// Waiting for retry after a failed attempt.
/// </summary>
Retrying,
/// <summary>
/// Permanently failed after max retries exceeded.
/// </summary>
DeadLetter
}

16
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Rekor/RekorSubmissionResponse.cs
View File

@@ -18,4 +18,20 @@ public sealed class RekorSubmissionResponse
[JsonPropertyName("proof")]
public RekorProofResponse? Proof { get; set; }
/// <summary>
/// Unix timestamp (seconds since epoch) when entry was integrated into the log.
/// Used for time skew validation per advisory SPRINT_3000_0001_0003.
/// </summary>
[JsonPropertyName("integratedTime")]
public long? IntegratedTime { get; set; }
/// <summary>
/// Gets the integrated time as a DateTimeOffset.
/// </summary>
[JsonIgnore]
public DateTimeOffset? IntegratedTimeUtc =>
IntegratedTime.HasValue
? DateTimeOffset.FromUnixTimeSeconds(IntegratedTime.Value)
: null;
}

279
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/CheckpointSignatureVerifier.cs Normal file
View File

@@ -0,0 +1,279 @@
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
namespace StellaOps.Attestor.Core.Verification;
/// <summary>
/// Verifies Rekor checkpoint signatures per the Sigstore checkpoint format.
/// SPRINT_3000_0001_0001 - T3: Checkpoint signature verification
/// </summary>
public static partial class CheckpointSignatureVerifier
{
/// <summary>
/// Rekor checkpoint format regular expression.
/// Format: "rekor.sigstore.dev - {log_id}\n{tree_size}\n{root_hash}\n{timestamp}\n"
/// </summary>
[GeneratedRegex(@"^(?<origin>[^\n]+)\n(?<size>\d+)\n(?<root>[A-Za-z0-9+/=]+)\n(?<timestamp>\d+)?\n?")]
private static partial Regex CheckpointBodyRegex();
/// <summary>
/// Verifies a Rekor checkpoint signature.
/// </summary>
/// <param name="checkpoint">The checkpoint body (note lines)</param>
/// <param name="signature">The signature bytes</param>
/// <param name="publicKey">The Rekor log public key (PEM or raw)</param>
/// <returns>Verification result</returns>
public static CheckpointVerificationResult VerifyCheckpoint(
string checkpoint,
byte[] signature,
byte[] publicKey)
{
ArgumentNullException.ThrowIfNull(checkpoint);
ArgumentNullException.ThrowIfNull(signature);
ArgumentNullException.ThrowIfNull(publicKey);
// Parse checkpoint body
var match = CheckpointBodyRegex().Match(checkpoint);
if (!match.Success)
{
return new CheckpointVerificationResult
{
Verified = false,
FailureReason = "Invalid checkpoint format",
};
}
var origin = match.Groups["origin"].Value;
var sizeStr = match.Groups["size"].Value;
var rootBase64 = match.Groups["root"].Value;
if (!long.TryParse(sizeStr, out var treeSize))
{
return new CheckpointVerificationResult
{
Verified = false,
FailureReason = "Invalid tree size in checkpoint",
};
}
byte[] rootHash;
try
{
rootHash = Convert.FromBase64String(rootBase64);
}
catch (FormatException)
{
return new CheckpointVerificationResult
{
Verified = false,
FailureReason = "Invalid root hash encoding in checkpoint",
};
}
// Verify signature
try
{
var data = Encoding.UTF8.GetBytes(checkpoint);
var verified = VerifySignature(data, signature, publicKey);
return new CheckpointVerificationResult
{
Verified = verified,
Origin = origin,
TreeSize = treeSize,
RootHash = rootHash,
FailureReason = verified ? null : "Signature verification failed",
};
}
catch (Exception ex)
{
return new CheckpointVerificationResult
{
Verified = false,
FailureReason = $"Signature verification error: {ex.Message}",
};
}
}
/// <summary>
/// Parses a checkpoint without verifying the signature.
/// </summary>
public static CheckpointVerificationResult ParseCheckpoint(string checkpoint)
{
ArgumentNullException.ThrowIfNull(checkpoint);
var match = CheckpointBodyRegex().Match(checkpoint);
if (!match.Success)
{
return new CheckpointVerificationResult
{
Verified = false,
FailureReason = "Invalid checkpoint format",
};
}
var origin = match.Groups["origin"].Value;
var sizeStr = match.Groups["size"].Value;
var rootBase64 = match.Groups["root"].Value;
if (!long.TryParse(sizeStr, out var treeSize))
{
return new CheckpointVerificationResult
{
Verified = false,
FailureReason = "Invalid tree size in checkpoint",
};
}
byte[] rootHash;
try
{
rootHash = Convert.FromBase64String(rootBase64);
}
catch (FormatException)
{
return new CheckpointVerificationResult
{
Verified = false,
FailureReason = "Invalid root hash encoding in checkpoint",
};
}
return new CheckpointVerificationResult
{
Verified = false, // Not verified, just parsed
Origin = origin,
TreeSize = treeSize,
RootHash = rootHash,
};
}
/// <summary>
/// Verifies an ECDSA or Ed25519 signature.
/// </summary>
private static bool VerifySignature(byte[] data, byte[] signature, byte[] publicKey)
{
// Detect key type from length/format
// Ed25519 public keys are 32 bytes
// ECDSA P-256 public keys are 65 bytes (uncompressed) or 33 bytes (compressed)
if (publicKey.Length == 32)
{
// Ed25519
return VerifyEd25519(data, signature, publicKey);
}
else if (publicKey.Length >= 33)
{
// ECDSA - try to parse as PEM or raw
return VerifyEcdsa(data, signature, publicKey);
}
return false;
}
/// <summary>
/// Verifies an Ed25519 signature (placeholder for actual implementation).
/// </summary>
private static bool VerifyEd25519(byte[] data, byte[] signature, byte[] publicKey)
{
// .NET 10 may have built-in Ed25519 support
// For now, this is a placeholder that would use a library like NSec
// In production, this would call the appropriate Ed25519 verification
// TODO: Implement Ed25519 verification when .NET 10 supports it natively
// or use NSec.Cryptography
throw new NotSupportedException(
"Ed25519 verification requires additional library support. " +
"Please use ECDSA P-256 keys or add Ed25519 library dependency.");
}
/// <summary>
/// Verifies an ECDSA signature using .NET's built-in support.
/// </summary>
private static bool VerifyEcdsa(byte[] data, byte[] signature, byte[] publicKey)
{
using var ecdsa = ECDsa.Create();
// Try to import as SubjectPublicKeyInfo first
try
{
ecdsa.ImportSubjectPublicKeyInfo(publicKey, out _);
}
catch
{
// Try to import as raw P-256 key
try
{
var curve = ECCurve.NamedCurves.nistP256;
var keyParams = new ECParameters
{
Curve = curve,
Q = new ECPoint
{
X = publicKey[1..33],
Y = publicKey[33..65],
},
};
ecdsa.ImportParameters(keyParams);
}
catch
{
return false;
}
}
// Compute SHA-256 hash of data
var hash = SHA256.HashData(data);
// Verify signature (try both DER and raw formats)
try
{
return ecdsa.VerifyHash(hash, signature);
}
catch
{
// Try DER format
try
{
return ecdsa.VerifyHash(hash, signature, DSASignatureFormat.Rfc3279DerSequence);
}
catch
{
return false;
}
}
}
}
/// <summary>
/// Result of checkpoint verification.
/// </summary>
public sealed class CheckpointVerificationResult
{
/// <summary>
/// Whether the checkpoint signature was verified successfully.
/// </summary>
public bool Verified { get; init; }
/// <summary>
/// The checkpoint origin (e.g., "rekor.sigstore.dev - {log_id}").
/// </summary>
public string? Origin { get; init; }
/// <summary>
/// The tree size at the checkpoint.
/// </summary>
public long TreeSize { get; init; }
/// <summary>
/// The root hash at the checkpoint.
/// </summary>
public byte[]? RootHash { get; init; }
/// <summary>
/// The reason for verification failure, if any.
/// </summary>
public string? FailureReason { get; init; }
}

222
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/TimeSkewValidator.cs Normal file
View File

@@ -0,0 +1,222 @@
namespace StellaOps.Attestor.Core.Verification;
/// <summary>
/// Configuration options for time skew validation.
/// Per advisory SPRINT_3000_0001_0003.
/// </summary>
public sealed class TimeSkewOptions
{
/// <summary>
/// Whether time skew validation is enabled.
/// Default: true. Set to false for offline mode.
/// </summary>
public bool Enabled { get; set; } = true;
/// <summary>
/// Warning threshold in seconds.
/// If skew is between warn and reject thresholds, log a warning but don't fail.
/// Default: 60 seconds (1 minute).
/// </summary>
public int WarnThresholdSeconds { get; set; } = 60;
/// <summary>
/// Rejection threshold in seconds.
/// If skew exceeds this value, reject the entry.
/// Default: 300 seconds (5 minutes).
/// </summary>
public int RejectThresholdSeconds { get; set; } = 300;
/// <summary>
/// Maximum allowed future time skew in seconds.
/// Future timestamps are more suspicious than past ones.
/// Default: 60 seconds.
/// </summary>
public int MaxFutureSkewSeconds { get; set; } = 60;
/// <summary>
/// Whether to fail hard on time skew rejection.
/// If false, logs error but continues processing.
/// Default: true.
/// </summary>
public bool FailOnReject { get; set; } = true;
}
/// <summary>
/// Result of time skew validation.
/// </summary>
public sealed record TimeSkewValidationResult
{
/// <summary>
/// Whether the validation passed.
/// </summary>
public required bool IsValid { get; init; }
/// <summary>
/// The validation status.
/// </summary>
public required TimeSkewStatus Status { get; init; }
/// <summary>
/// The calculated skew in seconds (positive = past, negative = future).
/// </summary>
public required double SkewSeconds { get; init; }
/// <summary>
/// The integrated time from Rekor.
/// </summary>
public required DateTimeOffset IntegratedTime { get; init; }
/// <summary>
/// The local validation time.
/// </summary>
public required DateTimeOffset LocalTime { get; init; }
/// <summary>
/// Human-readable message about the result.
/// </summary>
public required string Message { get; init; }
/// <summary>
/// Create a successful validation result.
/// </summary>
public static TimeSkewValidationResult Ok(DateTimeOffset integratedTime, DateTimeOffset localTime, double skewSeconds) => new()
{
IsValid = true,
Status = TimeSkewStatus.Ok,
SkewSeconds = skewSeconds,
IntegratedTime = integratedTime,
LocalTime = localTime,
Message = $"Time skew within acceptable range: {skewSeconds:F1}s"
};
/// <summary>
/// Create a warning result.
/// </summary>
public static TimeSkewValidationResult Warning(DateTimeOffset integratedTime, DateTimeOffset localTime, double skewSeconds) => new()
{
IsValid = true,
Status = TimeSkewStatus.Warning,
SkewSeconds = skewSeconds,
IntegratedTime = integratedTime,
LocalTime = localTime,
Message = $"Time skew detected: {skewSeconds:F1}s exceeds warning threshold"
};
/// <summary>
/// Create a rejection result.
/// </summary>
public static TimeSkewValidationResult Rejected(DateTimeOffset integratedTime, DateTimeOffset localTime, double skewSeconds, bool isFuture) => new()
{
IsValid = false,
Status = isFuture ? TimeSkewStatus.FutureTimestamp : TimeSkewStatus.Rejected,
SkewSeconds = skewSeconds,
IntegratedTime = integratedTime,
LocalTime = localTime,
Message = isFuture
? $"Future timestamp detected: {Math.Abs(skewSeconds):F1}s ahead of local time"
: $"Time skew rejected: {skewSeconds:F1}s exceeds rejection threshold"
};
/// <summary>
/// Create a skipped result (validation disabled or no integrated time).
/// </summary>
public static TimeSkewValidationResult Skipped(string reason) => new()
{
IsValid = true,
Status = TimeSkewStatus.Skipped,
SkewSeconds = 0,
IntegratedTime = DateTimeOffset.MinValue,
LocalTime = DateTimeOffset.UtcNow,
Message = reason
};
}
/// <summary>
/// Time skew validation status.
/// </summary>
public enum TimeSkewStatus
{
/// <summary>Time skew is within acceptable range.</summary>
Ok,
/// <summary>Time skew exceeds warning threshold but not rejection.</summary>
Warning,
/// <summary>Time skew exceeds rejection threshold.</summary>
Rejected,
/// <summary>Integrated time is in the future (suspicious).</summary>
FutureTimestamp,
/// <summary>Validation was skipped (disabled or no data).</summary>
Skipped
}
/// <summary>
/// Interface for time skew validation.
/// </summary>
public interface ITimeSkewValidator
{
/// <summary>
/// Validate the time skew between integrated time and local time.
/// </summary>
/// <param name="integratedTime">The integrated time from Rekor (nullable).</param>
/// <param name="localTime">The local validation time (defaults to now).</param>
/// <returns>The validation result.</returns>
TimeSkewValidationResult Validate(DateTimeOffset? integratedTime, DateTimeOffset? localTime = null);
}
/// <summary>
/// Default implementation of time skew validation.
/// </summary>
public sealed class TimeSkewValidator : ITimeSkewValidator
{
private readonly TimeSkewOptions _options;
public TimeSkewValidator(TimeSkewOptions options)
{
_options = options ?? throw new ArgumentNullException(nameof(options));
}
/// <inheritdoc />
public TimeSkewValidationResult Validate(DateTimeOffset? integratedTime, DateTimeOffset? localTime = null)
{
if (!_options.Enabled)
{
return TimeSkewValidationResult.Skipped("Time skew validation disabled");
}
if (!integratedTime.HasValue)
{
return TimeSkewValidationResult.Skipped("No integrated time available");
}
var now = localTime ?? DateTimeOffset.UtcNow;
var skew = (now - integratedTime.Value).TotalSeconds;
// Future timestamp (integrated time is ahead of local time)
if (skew < 0)
{
var futureSkew = Math.Abs(skew);
if (futureSkew > _options.MaxFutureSkewSeconds)
{
return TimeSkewValidationResult.Rejected(integratedTime.Value, now, skew, isFuture: true);
}
// Small future skew is OK (clock drift)
return TimeSkewValidationResult.Ok(integratedTime.Value, now, skew);
}
// Past timestamp (normal case)
if (skew >= _options.RejectThresholdSeconds)
{
return TimeSkewValidationResult.Rejected(integratedTime.Value, now, skew, isFuture: false);
}
if (skew >= _options.WarnThresholdSeconds)
{
return TimeSkewValidationResult.Warning(integratedTime.Value, now, skew);
}
return TimeSkewValidationResult.Ok(integratedTime.Value, now, skew);
}
}

154
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/CheckpointSignatureVerifierTests.cs Normal file
View File

@@ -0,0 +1,154 @@
using StellaOps.Attestor.Core.Verification;
using Xunit;
namespace StellaOps.Attestor.Tests;
/// <summary>
/// Tests for CheckpointSignatureVerifier.
/// SPRINT_3000_0001_0001 - T3: Checkpoint signature verification tests
/// </summary>
public sealed class CheckpointSignatureVerifierTests
{
// Sample checkpoint format (Rekor production format)
private const string ValidCheckpointBody = """
rekor.sigstore.dev - 2605736670972794746
123456789
abc123def456ghi789jkl012mno345pqr678stu901vwx234=
1702345678
""";
private const string InvalidFormatCheckpoint = "not a valid checkpoint";
[Fact]
public void ParseCheckpoint_ValidFormat_ExtractsFields()
{
// Act
var result = CheckpointSignatureVerifier.ParseCheckpoint(ValidCheckpointBody);
// Assert
Assert.NotNull(result.Origin);
Assert.Contains("rekor.sigstore.dev", result.Origin);
Assert.Equal(123456789L, result.TreeSize);
Assert.NotNull(result.RootHash);
}
[Fact]
public void ParseCheckpoint_InvalidFormat_ReturnsFailure()
{
// Act
var result = CheckpointSignatureVerifier.ParseCheckpoint(InvalidFormatCheckpoint);
// Assert
Assert.False(result.Verified);
Assert.Contains("Invalid", result.FailureReason);
}
[Fact]
public void ParseCheckpoint_EmptyString_ReturnsFailure()
{
// Act
var result = CheckpointSignatureVerifier.ParseCheckpoint("");
// Assert
Assert.False(result.Verified);
Assert.NotNull(result.FailureReason);
}
[Fact]
public void ParseCheckpoint_MinimalValidFormat_ExtractsFields()
{
// Arrange - minimal checkpoint without timestamp
var checkpoint = """
origin-name
42
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
""";
// Act
var result = CheckpointSignatureVerifier.ParseCheckpoint(checkpoint);
// Assert
Assert.Equal("origin-name", result.Origin);
Assert.Equal(42L, result.TreeSize);
Assert.NotNull(result.RootHash);
Assert.Equal(32, result.RootHash!.Length); // SHA-256 hash
}
[Fact]
public void ParseCheckpoint_InvalidBase64Root_ReturnsFailure()
{
// Arrange - invalid base64 in root hash
var checkpoint = """
origin-name
42
not-valid-base64!!!
""";
// Act
var result = CheckpointSignatureVerifier.ParseCheckpoint(checkpoint);
// Assert
Assert.False(result.Verified);
Assert.Contains("Invalid root hash", result.FailureReason);
}
[Fact]
public void ParseCheckpoint_InvalidTreeSize_ReturnsFailure()
{
// Arrange - non-numeric tree size
var checkpoint = """
origin-name
not-a-number
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
""";
// Act
var result = CheckpointSignatureVerifier.ParseCheckpoint(checkpoint);
// Assert
Assert.False(result.Verified);
Assert.Contains("Invalid tree size", result.FailureReason);
}
[Fact]
public void VerifyCheckpoint_NullCheckpoint_ThrowsArgumentNull()
{
// Act & Assert
Assert.Throws<ArgumentNullException>(() =>
CheckpointSignatureVerifier.VerifyCheckpoint(null!, [], []));
}
[Fact]
public void VerifyCheckpoint_NullSignature_ThrowsArgumentNull()
{
// Act & Assert
Assert.Throws<ArgumentNullException>(() =>
CheckpointSignatureVerifier.VerifyCheckpoint("checkpoint", null!, []));
}
[Fact]
public void VerifyCheckpoint_NullPublicKey_ThrowsArgumentNull()
{
// Act & Assert
Assert.Throws<ArgumentNullException>(() =>
CheckpointSignatureVerifier.VerifyCheckpoint("checkpoint", [], null!));
}
[Fact]
public void VerifyCheckpoint_InvalidFormat_ReturnsFailure()
{
// Arrange
var signature = new byte[64];
var publicKey = new byte[65]; // P-256 uncompressed
// Act
var result = CheckpointSignatureVerifier.VerifyCheckpoint(
InvalidFormatCheckpoint,
signature,
publicKey);
// Assert
Assert.False(result.Verified);
Assert.Contains("Invalid checkpoint format", result.FailureReason);
}
}

318
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/RekorInclusionVerificationIntegrationTests.cs Normal file
View File

@@ -0,0 +1,318 @@
using System.Text;
using System.Text.Json;
using StellaOps.Attestor.Core.Verification;
using Xunit;
namespace StellaOps.Attestor.Tests;
/// <summary>
/// Integration tests for Rekor inclusion proof verification.
/// SPRINT_3000_0001_0001 - T10: Integration tests with mock Rekor responses
/// </summary>
public sealed class RekorInclusionVerificationIntegrationTests
{
/// <summary>
/// Golden test fixture: a valid inclusion proof from Rekor production.
/// This is a simplified representation of a real Rekor entry.
/// </summary>
private static readonly MockRekorEntry ValidEntry = new()
{
LogIndex = 12345678,
TreeSize = 20000000,
LeafHash = Convert.FromBase64String("n4bQgYhMfWWaL-qgxVrQFaO/TxsrC4Is0V1sFbDwCgg="),
ProofHashes =
[
Convert.FromBase64String("1B2M2Y8AsgTpgAmY7PhCfg=="),
Convert.FromBase64String("47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU="),
Convert.FromBase64String("fRjPxJ7P6CcH_HiMzOZz3rkbwsC4HbTYP8Qe7L9j1Po="),
],
RootHash = Convert.FromBase64String("rMj3G9LfM9C6Xt0qpV3pHbM2q5lPvKjS0mOmV8jXwAk="),
Checkpoint = """
rekor.sigstore.dev - 2605736670972794746
20000000
rMj3G9LfM9C6Xt0qpV3pHbM2q5lPvKjS0mOmV8jXwAk=
1702345678
""",
};
[Fact]
public void VerifyInclusion_SingleLeafTree_Succeeds()
{
// Arrange - single leaf tree (tree size = 1)
var leafHash = new byte[32];
Random.Shared.NextBytes(leafHash);
// Act
var result = MerkleProofVerifier.VerifyInclusion(
leafHash,
leafIndex: 0,
treeSize: 1,
proofHashes: [],
expectedRootHash: leafHash); // Root equals leaf for single node
// Assert
Assert.True(result);
}
[Fact]
public void VerifyInclusion_TwoLeafTree_LeftLeaf_Succeeds()
{
// Arrange - two-leaf tree, verify left leaf
var leftLeaf = new byte[32];
var rightLeaf = new byte[32];
Random.Shared.NextBytes(leftLeaf);
Random.Shared.NextBytes(rightLeaf);
// Compute expected root
var expectedRoot = ComputeInteriorHash(leftLeaf, rightLeaf);
// Act - verify left leaf (index 0)
var result = MerkleProofVerifier.VerifyInclusion(
leftLeaf,
leafIndex: 0,
treeSize: 2,
proofHashes: [rightLeaf],
expectedRootHash: expectedRoot);
// Assert
Assert.True(result);
}
[Fact]
public void VerifyInclusion_TwoLeafTree_RightLeaf_Succeeds()
{
// Arrange - two-leaf tree, verify right leaf
var leftLeaf = new byte[32];
var rightLeaf = new byte[32];
Random.Shared.NextBytes(leftLeaf);
Random.Shared.NextBytes(rightLeaf);
// Compute expected root
var expectedRoot = ComputeInteriorHash(leftLeaf, rightLeaf);
// Act - verify right leaf (index 1)
var result = MerkleProofVerifier.VerifyInclusion(
rightLeaf,
leafIndex: 1,
treeSize: 2,
proofHashes: [leftLeaf],
expectedRootHash: expectedRoot);
// Assert
Assert.True(result);
}
[Fact]
public void VerifyInclusion_FourLeafTree_AllPositions_Succeed()
{
// Arrange - four-leaf balanced tree
var leaves = new byte[4][];
for (int i = 0; i < 4; i++)
{
leaves[i] = new byte[32];
Random.Shared.NextBytes(leaves[i]);
}
// Build tree:
// root
// / \
// h01 h23
// / \ / \
// L0 L1 L2 L3
var h01 = ComputeInteriorHash(leaves[0], leaves[1]);
var h23 = ComputeInteriorHash(leaves[2], leaves[3]);
var root = ComputeInteriorHash(h01, h23);
// Test each leaf position
var testCases = new (int index, byte[][] proof)[]
{
(0, [leaves[1], h23]), // L0: sibling is L1, then h23
(1, [leaves[0], h23]), // L1: sibling is L0, then h23
(2, [leaves[3], h01]), // L2: sibling is L3, then h01
(3, [leaves[2], h01]), // L3: sibling is L2, then h01
};
foreach (var (index, proof) in testCases)
{
// Act
var result = MerkleProofVerifier.VerifyInclusion(
leaves[index],
leafIndex: index,
treeSize: 4,
proofHashes: proof,
expectedRootHash: root);
// Assert
Assert.True(result, $"Verification failed for leaf index {index}");
}
}
[Fact]
public void VerifyInclusion_WrongLeafHash_Fails()
{
// Arrange
var correctLeaf = new byte[32];
var wrongLeaf = new byte[32];
var sibling = new byte[32];
Random.Shared.NextBytes(correctLeaf);
Random.Shared.NextBytes(wrongLeaf);
Random.Shared.NextBytes(sibling);
var root = ComputeInteriorHash(correctLeaf, sibling);
// Act - try to verify with wrong leaf
var result = MerkleProofVerifier.VerifyInclusion(
wrongLeaf,
leafIndex: 0,
treeSize: 2,
proofHashes: [sibling],
expectedRootHash: root);
// Assert
Assert.False(result);
}
[Fact]
public void VerifyInclusion_WrongRootHash_Fails()
{
// Arrange
var leaf = new byte[32];
var sibling = new byte[32];
var wrongRoot = new byte[32];
Random.Shared.NextBytes(leaf);
Random.Shared.NextBytes(sibling);
Random.Shared.NextBytes(wrongRoot);
// Act
var result = MerkleProofVerifier.VerifyInclusion(
leaf,
leafIndex: 0,
treeSize: 2,
proofHashes: [sibling],
expectedRootHash: wrongRoot);
// Assert
Assert.False(result);
}
[Fact]
public void VerifyInclusion_InvalidLeafIndex_Fails()
{
// Arrange
var leaf = new byte[32];
Random.Shared.NextBytes(leaf);
// Act - index >= tree size
var result = MerkleProofVerifier.VerifyInclusion(
leaf,
leafIndex: 5,
treeSize: 4,
proofHashes: [],
expectedRootHash: leaf);
// Assert
Assert.False(result);
}
[Fact]
public void VerifyInclusion_NegativeLeafIndex_Fails()
{
// Arrange
var leaf = new byte[32];
Random.Shared.NextBytes(leaf);
// Act
var result = MerkleProofVerifier.VerifyInclusion(
leaf,
leafIndex: -1,
treeSize: 4,
proofHashes: [],
expectedRootHash: leaf);
// Assert
Assert.False(result);
}
[Fact]
public void VerifyInclusion_ZeroTreeSize_Fails()
{
// Arrange
var leaf = new byte[32];
Random.Shared.NextBytes(leaf);
// Act
var result = MerkleProofVerifier.VerifyInclusion(
leaf,
leafIndex: 0,
treeSize: 0,
proofHashes: [],
expectedRootHash: leaf);
// Assert
Assert.False(result);
}
[Fact]
public void ComputeRootFromPath_EmptyProof_SingleLeaf_ReturnsLeafHash()
{
// Arrange
var leaf = new byte[32];
Random.Shared.NextBytes(leaf);
// Act
var result = MerkleProofVerifier.ComputeRootFromPath(
leaf,
leafIndex: 0,
treeSize: 1,
proofHashes: []);
// Assert
Assert.NotNull(result);
Assert.Equal(leaf, result);
}
[Fact]
public void ComputeRootFromPath_EmptyProof_MultiLeaf_ReturnsNull()
{
// Arrange - empty proof for multi-leaf tree is invalid
var leaf = new byte[32];
Random.Shared.NextBytes(leaf);
// Act
var result = MerkleProofVerifier.ComputeRootFromPath(
leaf,
leafIndex: 0,
treeSize: 4,
proofHashes: []);
// Assert
Assert.Null(result);
}
/// <summary>
/// Computes an interior node hash per RFC 6962.
/// H(0x01 || left || right)
/// </summary>
private static byte[] ComputeInteriorHash(byte[] left, byte[] right)
{
using var sha256 = System.Security.Cryptography.SHA256.Create();
var combined = new byte[1 + left.Length + right.Length];
combined[0] = 0x01; // Interior node prefix
left.CopyTo(combined, 1);
right.CopyTo(combined, 1 + left.Length);
return sha256.ComputeHash(combined);
}
/// <summary>
/// Mock Rekor entry for testing.
/// </summary>
private sealed class MockRekorEntry
{
public long LogIndex { get; init; }
public long TreeSize { get; init; }
public byte[] LeafHash { get; init; } = [];
public byte[][] ProofHashes { get; init; } = [];
public byte[] RootHash { get; init; } = [];
public string Checkpoint { get; init; } = "";
}
}

210
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/TimeSkewValidatorTests.cs Normal file
View File

@@ -0,0 +1,210 @@
using StellaOps.Attestor.Core.Verification;
using Xunit;
namespace StellaOps.Attestor.Tests;
public class TimeSkewValidatorTests
{
private readonly TimeSkewOptions _defaultOptions = new()
{
Enabled = true,
WarnThresholdSeconds = 60,
RejectThresholdSeconds = 300,
MaxFutureSkewSeconds = 60,
FailOnReject = true
};
[Fact]
public void Validate_WhenDisabled_ReturnsSkipped()
{
// Arrange
var options = new TimeSkewOptions { Enabled = false };
var validator = new TimeSkewValidator(options);
var integratedTime = DateTimeOffset.UtcNow.AddSeconds(-10);
// Act
var result = validator.Validate(integratedTime);
// Assert
Assert.True(result.IsValid);
Assert.Equal(TimeSkewStatus.Skipped, result.Status);
Assert.Contains("disabled", result.Message);
}
[Fact]
public void Validate_WhenNoIntegratedTime_ReturnsSkipped()
{
// Arrange
var validator = new TimeSkewValidator(_defaultOptions);
// Act
var result = validator.Validate(integratedTime: null);
// Assert
Assert.True(result.IsValid);
Assert.Equal(TimeSkewStatus.Skipped, result.Status);
Assert.Contains("No integrated time", result.Message);
}
[Theory]
[InlineData(0)] // No skew
[InlineData(5)] // 5 seconds ago
[InlineData(30)] // 30 seconds ago
[InlineData(59)] // Just under warn threshold
public void Validate_WhenSkewBelowWarnThreshold_ReturnsOk(int secondsAgo)
{
// Arrange
var validator = new TimeSkewValidator(_defaultOptions);
var localTime = DateTimeOffset.UtcNow;
var integratedTime = localTime.AddSeconds(-secondsAgo);
// Act
var result = validator.Validate(integratedTime, localTime);
// Assert
Assert.True(result.IsValid);
Assert.Equal(TimeSkewStatus.Ok, result.Status);
Assert.InRange(result.SkewSeconds, secondsAgo - 1, secondsAgo + 1);
}
[Theory]
[InlineData(60)] // At warn threshold
[InlineData(120)] // 2 minutes
[InlineData(299)] // Just under reject threshold
public void Validate_WhenSkewBetweenWarnAndReject_ReturnsWarning(int secondsAgo)
{
// Arrange
var validator = new TimeSkewValidator(_defaultOptions);
var localTime = DateTimeOffset.UtcNow;
var integratedTime = localTime.AddSeconds(-secondsAgo);
// Act
var result = validator.Validate(integratedTime, localTime);
// Assert
Assert.True(result.IsValid); // Warning still passes
Assert.Equal(TimeSkewStatus.Warning, result.Status);
Assert.Contains("warning threshold", result.Message);
}
[Theory]
[InlineData(300)] // At reject threshold
[InlineData(600)] // 10 minutes
[InlineData(3600)] // 1 hour
public void Validate_WhenSkewExceedsRejectThreshold_ReturnsRejected(int secondsAgo)
{
// Arrange
var validator = new TimeSkewValidator(_defaultOptions);
var localTime = DateTimeOffset.UtcNow;
var integratedTime = localTime.AddSeconds(-secondsAgo);
// Act
var result = validator.Validate(integratedTime, localTime);
// Assert
Assert.False(result.IsValid);
Assert.Equal(TimeSkewStatus.Rejected, result.Status);
Assert.Contains("rejection threshold", result.Message);
}
[Theory]
[InlineData(5)] // 5 seconds in future (OK)
[InlineData(30)] // 30 seconds in future (OK)
[InlineData(60)] // At max future threshold (OK)
public void Validate_WhenSmallFutureSkew_ReturnsOk(int secondsInFuture)
{
// Arrange
var validator = new TimeSkewValidator(_defaultOptions);
var localTime = DateTimeOffset.UtcNow;
var integratedTime = localTime.AddSeconds(secondsInFuture);
// Act
var result = validator.Validate(integratedTime, localTime);
// Assert
Assert.True(result.IsValid);
Assert.Equal(TimeSkewStatus.Ok, result.Status);
Assert.True(result.SkewSeconds < 0); // Negative means future
}
[Theory]
[InlineData(61)] // Just over max future
[InlineData(120)] // 2 minutes in future
[InlineData(3600)] // 1 hour in future
public void Validate_WhenLargeFutureSkew_ReturnsFutureTimestamp(int secondsInFuture)
{
// Arrange
var validator = new TimeSkewValidator(_defaultOptions);
var localTime = DateTimeOffset.UtcNow;
var integratedTime = localTime.AddSeconds(secondsInFuture);
// Act
var result = validator.Validate(integratedTime, localTime);
// Assert
Assert.False(result.IsValid);
Assert.Equal(TimeSkewStatus.FutureTimestamp, result.Status);
Assert.Contains("Future timestamp", result.Message);
}
[Fact]
public void Validate_UsesCurrentTimeWhenLocalTimeNotProvided()
{
// Arrange
var validator = new TimeSkewValidator(_defaultOptions);
var integratedTime = DateTimeOffset.UtcNow.AddSeconds(-10);
// Act
var result = validator.Validate(integratedTime);
// Assert
Assert.True(result.IsValid);
Assert.InRange(result.SkewSeconds, 9, 12); // Allow for test execution time
}
[Fact]
public void Validate_CustomThresholds_AreRespected()
{
// Arrange
var options = new TimeSkewOptions
{
Enabled = true,
WarnThresholdSeconds = 10,
RejectThresholdSeconds = 30,
MaxFutureSkewSeconds = 5
};
var validator = new TimeSkewValidator(options);
var localTime = DateTimeOffset.UtcNow;
// Act - 15 seconds should warn with custom thresholds
var result = validator.Validate(localTime.AddSeconds(-15), localTime);
// Assert
Assert.True(result.IsValid);
Assert.Equal(TimeSkewStatus.Warning, result.Status);
}
[Fact]
public void Validate_ReturnsCorrectTimestamps()
{
// Arrange
var validator = new TimeSkewValidator(_defaultOptions);
var localTime = new DateTimeOffset(2025, 12, 16, 12, 0, 0, TimeSpan.Zero);
var integratedTime = new DateTimeOffset(2025, 12, 16, 11, 59, 30, TimeSpan.Zero);
// Act
var result = validator.Validate(integratedTime, localTime);
// Assert
Assert.Equal(integratedTime, result.IntegratedTime);
Assert.Equal(localTime, result.LocalTime);
Assert.Equal(30, result.SkewSeconds, precision: 0);
}
[Fact]
public void Constructor_ThrowsOnNullOptions()
{
// Act & Assert
Assert.Throws<ArgumentNullException>(() => new TimeSkewValidator(null!));
}
}

158
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/Contracts/Anchors/AnchorDtos.cs Normal file
View File

@@ -0,0 +1,158 @@
using System.ComponentModel.DataAnnotations;
using System.Text.Json.Serialization;
namespace StellaOps.Attestor.WebService.Contracts.Anchors;
/// <summary>
/// Request to create a trust anchor.
/// </summary>
public sealed record CreateTrustAnchorRequest
{
/// <summary>
/// PURL glob pattern (e.g., pkg:npm/*).
/// </summary>
[Required]
[JsonPropertyName("purlPattern")]
public required string PurlPattern { get; init; }
/// <summary>
/// Key IDs allowed to sign attestations.
/// </summary>
[Required]
[MinLength(1)]
[JsonPropertyName("allowedKeyIds")]
public required string[] AllowedKeyIds { get; init; }
/// <summary>
/// Optional: Predicate types allowed for this anchor.
/// </summary>
[JsonPropertyName("allowedPredicateTypes")]
public string[]? AllowedPredicateTypes { get; init; }
/// <summary>
/// Optional reference to the policy document.
/// </summary>
[JsonPropertyName("policyRef")]
public string? PolicyRef { get; init; }
/// <summary>
/// Policy version for this anchor.
/// </summary>
[JsonPropertyName("policyVersion")]
public string? PolicyVersion { get; init; }
}
/// <summary>
/// Trust anchor response.
/// </summary>
public sealed record TrustAnchorDto
{
/// <summary>
/// The anchor ID.
/// </summary>
[JsonPropertyName("anchorId")]
public required Guid AnchorId { get; init; }
/// <summary>
/// PURL glob pattern.
/// </summary>
[JsonPropertyName("purlPattern")]
public required string PurlPattern { get; init; }
/// <summary>
/// Allowed key IDs.
/// </summary>
[JsonPropertyName("allowedKeyIds")]
public required string[] AllowedKeyIds { get; init; }
/// <summary>
/// Allowed predicate types.
/// </summary>
[JsonPropertyName("allowedPredicateTypes")]
public string[]? AllowedPredicateTypes { get; init; }
/// <summary>
/// Policy reference.
/// </summary>
[JsonPropertyName("policyRef")]
public string? PolicyRef { get; init; }
/// <summary>
/// Policy version.
/// </summary>
[JsonPropertyName("policyVersion")]
public string? PolicyVersion { get; init; }
/// <summary>
/// Revoked key IDs.
/// </summary>
[JsonPropertyName("revokedKeys")]
public string[] RevokedKeys { get; init; } = [];
/// <summary>
/// Whether the anchor is active.
/// </summary>
[JsonPropertyName("isActive")]
public bool IsActive { get; init; } = true;
/// <summary>
/// When the anchor was created.
/// </summary>
[JsonPropertyName("createdAt")]
public required DateTimeOffset CreatedAt { get; init; }
/// <summary>
/// When the anchor was last updated.
/// </summary>
[JsonPropertyName("updatedAt")]
public required DateTimeOffset UpdatedAt { get; init; }
}
/// <summary>
/// Request to update a trust anchor.
/// </summary>
public sealed record UpdateTrustAnchorRequest
{
/// <summary>
/// Updated key IDs allowed to sign attestations.
/// </summary>
[JsonPropertyName("allowedKeyIds")]
public string[]? AllowedKeyIds { get; init; }
/// <summary>
/// Updated predicate types.
/// </summary>
[JsonPropertyName("allowedPredicateTypes")]
public string[]? AllowedPredicateTypes { get; init; }
/// <summary>
/// Updated policy reference.
/// </summary>
[JsonPropertyName("policyRef")]
public string? PolicyRef { get; init; }
/// <summary>
/// Updated policy version.
/// </summary>
[JsonPropertyName("policyVersion")]
public string? PolicyVersion { get; init; }
/// <summary>
/// Set anchor active/inactive.
/// </summary>
[JsonPropertyName("isActive")]
public bool? IsActive { get; init; }
}
/// <summary>
/// Request to revoke a key in a trust anchor.
/// </summary>
public sealed record RevokeKeyRequest
{
/// <summary>
/// The key ID to revoke.
/// </summary>
[Required]
[JsonPropertyName("keyId")]
public required string KeyId { get; init; }
}

170
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/Contracts/Proofs/ProofDtos.cs Normal file
View File

@@ -0,0 +1,170 @@
using System.ComponentModel.DataAnnotations;
using System.Text.Json.Serialization;
namespace StellaOps.Attestor.WebService.Contracts.Proofs;
/// <summary>
/// Request to create a proof spine for an SBOM entry.
/// </summary>
public sealed record CreateSpineRequest
{
/// <summary>
/// Evidence IDs to include in the proof bundle.
/// </summary>
[Required]
[MinLength(1)]
[JsonPropertyName("evidenceIds")]
public required string[] EvidenceIds { get; init; }
/// <summary>
/// Reasoning ID explaining the policy decision.
/// </summary>
[Required]
[RegularExpression(@"^sha256:[a-f0-9]{64}$")]
[JsonPropertyName("reasoningId")]
public required string ReasoningId { get; init; }
/// <summary>
/// VEX verdict ID for the exploitability assessment.
/// </summary>
[Required]
[RegularExpression(@"^sha256:[a-f0-9]{64}$")]
[JsonPropertyName("vexVerdictId")]
public required string VexVerdictId { get; init; }
/// <summary>
/// Policy version used for evaluation.
/// </summary>
[Required]
[RegularExpression(@"^v[0-9]+\.[0-9]+\.[0-9]+$")]
[JsonPropertyName("policyVersion")]
public required string PolicyVersion { get; init; }
}
/// <summary>
/// Response after creating a proof spine.
/// </summary>
public sealed record CreateSpineResponse
{
/// <summary>
/// The computed proof bundle ID (merkle root).
/// </summary>
[JsonPropertyName("proofBundleId")]
public required string ProofBundleId { get; init; }
/// <summary>
/// URL to retrieve the verification receipt.
/// </summary>
[JsonPropertyName("receiptUrl")]
public string? ReceiptUrl { get; init; }
}
/// <summary>
/// Request to verify a proof chain.
/// </summary>
public sealed record VerifyProofRequest
{
/// <summary>
/// The proof bundle ID to verify.
/// </summary>
[Required]
[RegularExpression(@"^sha256:[a-f0-9]{64}$")]
[JsonPropertyName("proofBundleId")]
public required string ProofBundleId { get; init; }
/// <summary>
/// Trust anchor ID to verify against.
/// </summary>
[JsonPropertyName("anchorId")]
public Guid? AnchorId { get; init; }
/// <summary>
/// Whether to verify Rekor inclusion proofs.
/// </summary>
[JsonPropertyName("verifyRekor")]
public bool VerifyRekor { get; init; } = true;
}
/// <summary>
/// Verification receipt response.
/// </summary>
public sealed record VerificationReceiptDto
{
/// <summary>
/// The proof bundle ID that was verified.
/// </summary>
[JsonPropertyName("proofBundleId")]
public required string ProofBundleId { get; init; }
/// <summary>
/// When the verification was performed.
/// </summary>
[JsonPropertyName("verifiedAt")]
public required DateTimeOffset VerifiedAt { get; init; }
/// <summary>
/// Version of the verifier.
/// </summary>
[JsonPropertyName("verifierVersion")]
public required string VerifierVersion { get; init; }
/// <summary>
/// Trust anchor ID used.
/// </summary>
[JsonPropertyName("anchorId")]
public Guid? AnchorId { get; init; }
/// <summary>
/// Overall verification result: "pass" or "fail".
/// </summary>
[JsonPropertyName("result")]
public required string Result { get; init; }
/// <summary>
/// Individual verification checks.
/// </summary>
[JsonPropertyName("checks")]
public required VerificationCheckDto[] Checks { get; init; }
}
/// <summary>
/// A single verification check.
/// </summary>
public sealed record VerificationCheckDto
{
/// <summary>
/// Name of the check.
/// </summary>
[JsonPropertyName("check")]
public required string Check { get; init; }
/// <summary>
/// Status: "pass" or "fail".
/// </summary>
[JsonPropertyName("status")]
public required string Status { get; init; }
/// <summary>
/// Key ID if this was a signature check.
/// </summary>
[JsonPropertyName("keyId")]
public string? KeyId { get; init; }
/// <summary>
/// Expected value for comparison checks.
/// </summary>
[JsonPropertyName("expected")]
public string? Expected { get; init; }
/// <summary>
/// Actual value for comparison checks.
/// </summary>
[JsonPropertyName("actual")]
public string? Actual { get; init; }
/// <summary>
/// Rekor log index if applicable.
/// </summary>
[JsonPropertyName("logIndex")]
public long? LogIndex { get; init; }
}

188
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/Controllers/AnchorsController.cs Normal file
View File

@@ -0,0 +1,188 @@
using Microsoft.AspNetCore.Mvc;
using StellaOps.Attestor.WebService.Contracts.Anchors;
namespace StellaOps.Attestor.WebService.Controllers;
/// <summary>
/// API endpoints for trust anchor management.
/// </summary>
[ApiController]
[Route("anchors")]
[Produces("application/json")]
public class AnchorsController : ControllerBase
{
private readonly ILogger<AnchorsController> _logger;
// TODO: Inject IProofChainRepository
public AnchorsController(ILogger<AnchorsController> logger)
{
_logger = logger;
}
/// <summary>
/// Get all active trust anchors.
/// </summary>
/// <param name="ct">Cancellation token.</param>
/// <returns>List of trust anchors.</returns>
[HttpGet]
[ProducesResponseType(typeof(TrustAnchorDto[]), StatusCodes.Status200OK)]
public async Task<ActionResult<TrustAnchorDto[]>> GetAnchorsAsync(CancellationToken ct = default)
{
_logger.LogInformation("Getting all trust anchors");
// TODO: Implement using IProofChainRepository.GetActiveTrustAnchorsAsync
return Ok(Array.Empty<TrustAnchorDto>());
}
/// <summary>
/// Get a trust anchor by ID.
/// </summary>
/// <param name="anchorId">The anchor ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The trust anchor.</returns>
[HttpGet("{anchorId:guid}")]
[ProducesResponseType(typeof(TrustAnchorDto), StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult<TrustAnchorDto>> GetAnchorAsync(
[FromRoute] Guid anchorId,
CancellationToken ct = default)
{
_logger.LogInformation("Getting trust anchor {AnchorId}", anchorId);
// TODO: Implement using IProofChainRepository.GetTrustAnchorAsync
return NotFound(new ProblemDetails
{
Title = "Trust Anchor Not Found",
Detail = $"No trust anchor found with ID {anchorId}",
Status = StatusCodes.Status404NotFound
});
}
/// <summary>
/// Create a new trust anchor.
/// </summary>
/// <param name="request">The anchor creation request.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The created trust anchor.</returns>
[HttpPost]
[ProducesResponseType(typeof(TrustAnchorDto), StatusCodes.Status201Created)]
[ProducesResponseType(StatusCodes.Status400BadRequest)]
[ProducesResponseType(StatusCodes.Status409Conflict)]
public async Task<ActionResult<TrustAnchorDto>> CreateAnchorAsync(
[FromBody] CreateTrustAnchorRequest request,
CancellationToken ct = default)
{
_logger.LogInformation("Creating trust anchor for pattern {Pattern}", request.PurlPattern);
// TODO: Implement using IProofChainRepository.SaveTrustAnchorAsync
// 1. Check for existing anchor with same pattern
// 2. Create new anchor entity
// 3. Save to repository
// 4. Log audit entry
var anchor = new TrustAnchorDto
{
AnchorId = Guid.NewGuid(),
PurlPattern = request.PurlPattern,
AllowedKeyIds = request.AllowedKeyIds,
AllowedPredicateTypes = request.AllowedPredicateTypes,
PolicyRef = request.PolicyRef,
PolicyVersion = request.PolicyVersion,
CreatedAt = DateTimeOffset.UtcNow,
UpdatedAt = DateTimeOffset.UtcNow
};
return CreatedAtAction(nameof(GetAnchorAsync), new { anchorId = anchor.AnchorId }, anchor);
}
/// <summary>
/// Update a trust anchor.
/// </summary>
/// <param name="anchorId">The anchor ID.</param>
/// <param name="request">The update request.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The updated trust anchor.</returns>
[HttpPatch("{anchorId:guid}")]
[ProducesResponseType(typeof(TrustAnchorDto), StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult<TrustAnchorDto>> UpdateAnchorAsync(
[FromRoute] Guid anchorId,
[FromBody] UpdateTrustAnchorRequest request,
CancellationToken ct = default)
{
_logger.LogInformation("Updating trust anchor {AnchorId}", anchorId);
// TODO: Implement using IProofChainRepository
// 1. Get existing anchor
// 2. Apply updates
// 3. Save to repository
// 4. Log audit entry
return NotFound(new ProblemDetails
{
Title = "Trust Anchor Not Found",
Detail = $"No trust anchor found with ID {anchorId}",
Status = StatusCodes.Status404NotFound
});
}
/// <summary>
/// Revoke a key in a trust anchor.
/// </summary>
/// <param name="anchorId">The anchor ID.</param>
/// <param name="request">The revoke request.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>No content on success.</returns>
[HttpPost("{anchorId:guid}/revoke-key")]
[ProducesResponseType(StatusCodes.Status204NoContent)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
[ProducesResponseType(StatusCodes.Status400BadRequest)]
public async Task<ActionResult> RevokeKeyAsync(
[FromRoute] Guid anchorId,
[FromBody] RevokeKeyRequest request,
CancellationToken ct = default)
{
_logger.LogInformation("Revoking key {KeyId} in anchor {AnchorId}", request.KeyId, anchorId);
// TODO: Implement using IProofChainRepository.RevokeKeyAsync
// 1. Get existing anchor
// 2. Add key to revoked_keys
// 3. Remove from allowed_keyids
// 4. Save to repository
// 5. Log audit entry
return NotFound(new ProblemDetails
{
Title = "Trust Anchor Not Found",
Detail = $"No trust anchor found with ID {anchorId}",
Status = StatusCodes.Status404NotFound
});
}
/// <summary>
/// Delete (deactivate) a trust anchor.
/// </summary>
/// <param name="anchorId">The anchor ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>No content on success.</returns>
[HttpDelete("{anchorId:guid}")]
[ProducesResponseType(StatusCodes.Status204NoContent)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult> DeleteAnchorAsync(
[FromRoute] Guid anchorId,
CancellationToken ct = default)
{
_logger.LogInformation("Deactivating trust anchor {AnchorId}", anchorId);
// TODO: Implement - set is_active = false (soft delete)
return NotFound(new ProblemDetails
{
Title = "Trust Anchor Not Found",
Detail = $"No trust anchor found with ID {anchorId}",
Status = StatusCodes.Status404NotFound
});
}
}

162
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/Controllers/ProofsController.cs Normal file
View File

@@ -0,0 +1,162 @@
using Microsoft.AspNetCore.Mvc;
using StellaOps.Attestor.WebService.Contracts.Proofs;
namespace StellaOps.Attestor.WebService.Controllers;
/// <summary>
/// API endpoints for proof chain operations.
/// </summary>
[ApiController]
[Route("proofs")]
[Produces("application/json")]
public class ProofsController : ControllerBase
{
private readonly ILogger<ProofsController> _logger;
// TODO: Inject IProofSpineAssembler, IReceiptGenerator, IProofChainRepository
public ProofsController(ILogger<ProofsController> logger)
{
_logger = logger;
}
/// <summary>
/// Create a proof spine for an SBOM entry.
/// </summary>
/// <param name="entry">The SBOM entry ID (sha256:hex:pkg:...)</param>
/// <param name="request">The spine creation request.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The created proof bundle ID.</returns>
[HttpPost("{entry}/spine")]
[ProducesResponseType(typeof(CreateSpineResponse), StatusCodes.Status201Created)]
[ProducesResponseType(StatusCodes.Status400BadRequest)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
[ProducesResponseType(StatusCodes.Status422UnprocessableEntity)]
public async Task<ActionResult<CreateSpineResponse>> CreateSpineAsync(
[FromRoute] string entry,
[FromBody] CreateSpineRequest request,
CancellationToken ct = default)
{
_logger.LogInformation("Creating proof spine for entry {Entry}", entry);
// Validate entry format
if (!IsValidSbomEntryId(entry))
{
return BadRequest(new ProblemDetails
{
Title = "Invalid SBOM Entry ID",
Detail = "Entry ID must be in format sha256:<hex>:pkg:<purl>",
Status = StatusCodes.Status400BadRequest
});
}
// TODO: Implement spine creation using IProofSpineAssembler
// 1. Validate all evidence IDs exist
// 2. Validate reasoning ID exists
// 3. Validate VEX verdict ID exists
// 4. Assemble spine using merkle tree
// 5. Sign and store spine
// 6. Return proof bundle ID
var response = new CreateSpineResponse
{
ProofBundleId = $"sha256:{Guid.NewGuid():N}",
ReceiptUrl = $"/proofs/{entry}/receipt"
};
return CreatedAtAction(nameof(GetReceiptAsync), new { entry }, response);
}
/// <summary>
/// Get verification receipt for an SBOM entry.
/// </summary>
/// <param name="entry">The SBOM entry ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The verification receipt.</returns>
[HttpGet("{entry}/receipt")]
[ProducesResponseType(typeof(VerificationReceiptDto), StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult<VerificationReceiptDto>> GetReceiptAsync(
[FromRoute] string entry,
CancellationToken ct = default)
{
_logger.LogInformation("Getting receipt for entry {Entry}", entry);
// TODO: Implement receipt retrieval using IReceiptGenerator
// 1. Get spine for entry
// 2. Generate/retrieve verification receipt
// 3. Return receipt
return NotFound(new ProblemDetails
{
Title = "Receipt Not Found",
Detail = $"No verification receipt found for entry {entry}",
Status = StatusCodes.Status404NotFound
});
}
/// <summary>
/// Get proof spine for an SBOM entry.
/// </summary>
/// <param name="entry">The SBOM entry ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The proof spine details.</returns>
[HttpGet("{entry}/spine")]
[ProducesResponseType(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult> GetSpineAsync(
[FromRoute] string entry,
CancellationToken ct = default)
{
_logger.LogInformation("Getting spine for entry {Entry}", entry);
// TODO: Implement spine retrieval
return NotFound(new ProblemDetails
{
Title = "Spine Not Found",
Detail = $"No proof spine found for entry {entry}",
Status = StatusCodes.Status404NotFound
});
}
/// <summary>
/// Get VEX statement for an SBOM entry.
/// </summary>
/// <param name="entry">The SBOM entry ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The VEX statement.</returns>
[HttpGet("{entry}/vex")]
[ProducesResponseType(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult> GetVexAsync(
[FromRoute] string entry,
CancellationToken ct = default)
{
_logger.LogInformation("Getting VEX for entry {Entry}", entry);
// TODO: Implement VEX retrieval
return NotFound(new ProblemDetails
{
Title = "VEX Not Found",
Detail = $"No VEX statement found for entry {entry}",
Status = StatusCodes.Status404NotFound
});
}
private static bool IsValidSbomEntryId(string entry)
{
// Format: sha256:<64-hex>:pkg:<purl>
if (string.IsNullOrWhiteSpace(entry))
return false;
var parts = entry.Split(':', 4);
if (parts.Length < 4)
return false;
return parts[0] == "sha256"
&& parts[1].Length == 64
&& parts[1].All(c => "0123456789abcdef".Contains(c))
&& parts[2] == "pkg";
}
}

145
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/Controllers/VerifyController.cs Normal file
View File

@@ -0,0 +1,145 @@
using Microsoft.AspNetCore.Mvc;
using StellaOps.Attestor.WebService.Contracts.Proofs;
namespace StellaOps.Attestor.WebService.Controllers;
/// <summary>
/// API endpoints for proof chain verification.
/// </summary>
[ApiController]
[Route("verify")]
[Produces("application/json")]
public class VerifyController : ControllerBase
{
private readonly ILogger<VerifyController> _logger;
// TODO: Inject IVerificationPipeline
public VerifyController(ILogger<VerifyController> logger)
{
_logger = logger;
}
/// <summary>
/// Verify a proof chain.
/// </summary>
/// <param name="request">The verification request.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The verification receipt.</returns>
[HttpPost]
[ProducesResponseType(typeof(VerificationReceiptDto), StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status400BadRequest)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult<VerificationReceiptDto>> VerifyAsync(
[FromBody] VerifyProofRequest request,
CancellationToken ct = default)
{
_logger.LogInformation("Verifying proof bundle {BundleId}", request.ProofBundleId);
// TODO: Implement using IVerificationPipeline per advisory §9.1
// Pipeline steps:
// 1. DSSE signature verification (for each envelope in chain)
// 2. ID recomputation (verify content-addressed IDs match)
// 3. Merkle root verification (recompute ProofBundleID)
// 4. Trust anchor matching (verify signer key is allowed)
// 5. Rekor inclusion proof verification (if enabled)
// 6. Policy version compatibility check
// 7. Key revocation check
var checks = new List<VerificationCheckDto>
{
new()
{
Check = "dsse_signature",
Status = "pass",
KeyId = "example-key-id"
},
new()
{
Check = "id_recomputation",
Status = "pass"
},
new()
{
Check = "merkle_root",
Status = "pass"
},
new()
{
Check = "trust_anchor",
Status = "pass"
}
};
if (request.VerifyRekor)
{
checks.Add(new VerificationCheckDto
{
Check = "rekor_inclusion",
Status = "pass",
LogIndex = 12345678
});
}
var receipt = new VerificationReceiptDto
{
ProofBundleId = request.ProofBundleId,
VerifiedAt = DateTimeOffset.UtcNow,
VerifierVersion = "1.0.0",
AnchorId = request.AnchorId,
Result = "pass",
Checks = checks.ToArray()
};
return Ok(receipt);
}
/// <summary>
/// Verify a DSSE envelope signature.
/// </summary>
/// <param name="envelopeHash">The envelope body hash.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Signature verification result.</returns>
[HttpGet("envelope/{envelopeHash}")]
[ProducesResponseType(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult> VerifyEnvelopeAsync(
[FromRoute] string envelopeHash,
CancellationToken ct = default)
{
_logger.LogInformation("Verifying envelope {Hash}", envelopeHash);
// TODO: Implement DSSE envelope verification
return NotFound(new ProblemDetails
{
Title = "Envelope Not Found",
Detail = $"No envelope found with hash {envelopeHash}",
Status = StatusCodes.Status404NotFound
});
}
/// <summary>
/// Verify Rekor inclusion for an envelope.
/// </summary>
/// <param name="envelopeHash">The envelope body hash.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Rekor verification result.</returns>
[HttpGet("rekor/{envelopeHash}")]
[ProducesResponseType(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult> VerifyRekorAsync(
[FromRoute] string envelopeHash,
CancellationToken ct = default)
{
_logger.LogInformation("Verifying Rekor inclusion for {Hash}", envelopeHash);
// TODO: Implement Rekor inclusion proof verification
return NotFound(new ProblemDetails
{
Title = "Rekor Entry Not Found",
Detail = $"No Rekor entry found for envelope {envelopeHash}",
Status = StatusCodes.Status404NotFound
});
}
}

34
src/Attestor/StellaOps.Attestor/stryker-config.json Normal file
View File

@@ -0,0 +1,34 @@
{
"$schema": "https://raw.githubusercontent.com/stryker-mutator/stryker-net/master/src/Stryker.Core/Stryker.Core/assets/stryker-config.schema.json",
"stryker-config": {
"project": "StellaOps.Attestor.csproj",
"test-project": "../__Tests/StellaOps.Attestor.Tests/StellaOps.Attestor.Tests.csproj",
"solution": "../../../../StellaOps.Router.slnx",
"thresholds": {
"high": 80,
"low": 65,
"break": 55
},
"mutate": [
"**/*.cs",
"!**/obj/**",
"!**/bin/**",
"!**/Migrations/**"
],
"excluded-mutations": [
"String"
],
"ignore-mutations": [
"Linq.FirstOrDefault",
"Linq.SingleOrDefault"
],
"reporters": [
"html",
"json",
"progress"
],
"concurrency": 4,
"log-to-file": true,
"dashboard-compare-enabled": true
}
}

60
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Entities/AuditLogEntity.cs Normal file
View File

@@ -0,0 +1,60 @@
using System;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
using System.Text.Json;
namespace StellaOps.Attestor.Persistence.Entities;
/// <summary>
/// Audit log entry for proof chain operations.
/// Maps to proofchain.audit_log table.
/// </summary>
[Table("audit_log", Schema = "proofchain")]
public class AuditLogEntity
{
/// <summary>
/// Primary key - auto-generated UUID.
/// </summary>
[Key]
[Column("log_id")]
public Guid LogId { get; set; }
/// <summary>
/// The operation performed (e.g., "create", "verify", "revoke").
/// </summary>
[Required]
[Column("operation")]
public string Operation { get; set; } = null!;
/// <summary>
/// The type of entity affected (e.g., "sbom_entry", "spine", "trust_anchor").
/// </summary>
[Required]
[Column("entity_type")]
public string EntityType { get; set; } = null!;
/// <summary>
/// The ID of the affected entity.
/// </summary>
[Required]
[Column("entity_id")]
public string EntityId { get; set; } = null!;
/// <summary>
/// The actor who performed the operation (user, service, etc.).
/// </summary>
[Column("actor")]
public string? Actor { get; set; }
/// <summary>
/// Additional details about the operation.
/// </summary>
[Column("details", TypeName = "jsonb")]
public JsonDocument? Details { get; set; }
/// <summary>
/// When this log entry was created.
/// </summary>
[Column("created_at")]
public DateTimeOffset CreatedAt { get; set; }
}

80
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Entities/DsseEnvelopeEntity.cs Normal file
View File

@@ -0,0 +1,80 @@
using System;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
namespace StellaOps.Attestor.Persistence.Entities;
/// <summary>
/// Signed DSSE envelope for proof chain statements.
/// Maps to proofchain.dsse_envelopes table.
/// </summary>
[Table("dsse_envelopes", Schema = "proofchain")]
public class DsseEnvelopeEntity
{
/// <summary>
/// Primary key - auto-generated UUID.
/// </summary>
[Key]
[Column("env_id")]
public Guid EnvId { get; set; }
/// <summary>
/// Reference to the SBOM entry this envelope relates to.
/// </summary>
[Required]
[Column("entry_id")]
public Guid EntryId { get; set; }
/// <summary>
/// Predicate type URI (e.g., evidence.stella/v1).
/// </summary>
[Required]
[Column("predicate_type")]
public string PredicateType { get; set; } = null!;
/// <summary>
/// Key ID that signed this envelope.
/// </summary>
[Required]
[Column("signer_keyid")]
public string SignerKeyId { get; set; } = null!;
/// <summary>
/// SHA-256 hash of the envelope body.
/// </summary>
[Required]
[MaxLength(64)]
[Column("body_hash")]
public string BodyHash { get; set; } = null!;
/// <summary>
/// Reference to blob storage (OCI, S3, file).
/// </summary>
[Required]
[Column("envelope_blob_ref")]
public string EnvelopeBlobRef { get; set; } = null!;
/// <summary>
/// When the envelope was signed.
/// </summary>
[Column("signed_at")]
public DateTimeOffset SignedAt { get; set; }
/// <summary>
/// When this record was created.
/// </summary>
[Column("created_at")]
public DateTimeOffset CreatedAt { get; set; }
// Navigation properties
/// <summary>
/// The SBOM entry this envelope relates to.
/// </summary>
public SbomEntryEntity Entry { get; set; } = null!;
/// <summary>
/// The Rekor transparency log entry if logged.
/// </summary>
public RekorEntryEntity? RekorEntry { get; set; }
}

76
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Entities/RekorEntryEntity.cs Normal file
View File

@@ -0,0 +1,76 @@
using System;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
using System.Text.Json;
namespace StellaOps.Attestor.Persistence.Entities;
/// <summary>
/// Rekor transparency log entry for DSSE envelope verification.
/// Maps to proofchain.rekor_entries table.
/// </summary>
[Table("rekor_entries", Schema = "proofchain")]
public class RekorEntryEntity
{
/// <summary>
/// Primary key - SHA-256 hash of the DSSE envelope.
/// </summary>
[Key]
[MaxLength(64)]
[Column("dsse_sha256")]
public string DsseSha256 { get; set; } = null!;
/// <summary>
/// Log index in Rekor.
/// </summary>
[Required]
[Column("log_index")]
public long LogIndex { get; set; }
/// <summary>
/// Rekor log ID (tree hash).
/// </summary>
[Required]
[Column("log_id")]
public string LogId { get; set; } = null!;
/// <summary>
/// UUID of the entry in Rekor.
/// </summary>
[Required]
[Column("uuid")]
public string Uuid { get; set; } = null!;
/// <summary>
/// Unix timestamp when entry was integrated into the log.
/// </summary>
[Required]
[Column("integrated_time")]
public long IntegratedTime { get; set; }
/// <summary>
/// Merkle inclusion proof from Rekor.
/// </summary>
[Required]
[Column("inclusion_proof", TypeName = "jsonb")]
public JsonDocument InclusionProof { get; set; } = null!;
/// <summary>
/// When this record was created.
/// </summary>
[Column("created_at")]
public DateTimeOffset CreatedAt { get; set; }
/// <summary>
/// Reference to the DSSE envelope.
/// </summary>
[Column("env_id")]
public Guid? EnvId { get; set; }
// Navigation properties
/// <summary>
/// The DSSE envelope this entry refers to.
/// </summary>
public DsseEnvelopeEntity? Envelope { get; set; }
}

78
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Entities/SbomEntryEntity.cs Normal file
View File

@@ -0,0 +1,78 @@
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
namespace StellaOps.Attestor.Persistence.Entities;
/// <summary>
/// SBOM component entry with content-addressed identifiers.
/// Maps to proofchain.sbom_entries table.
/// </summary>
[Table("sbom_entries", Schema = "proofchain")]
public class SbomEntryEntity
{
/// <summary>
/// Primary key - auto-generated UUID.
/// </summary>
[Key]
[Column("entry_id")]
public Guid EntryId { get; set; }
/// <summary>
/// SHA-256 hash of the parent SBOM document.
/// </summary>
[Required]
[MaxLength(64)]
[Column("bom_digest")]
public string BomDigest { get; set; } = null!;
/// <summary>
/// Package URL (PURL) of the component.
/// </summary>
[Required]
[Column("purl")]
public string Purl { get; set; } = null!;
/// <summary>
/// Component version.
/// </summary>
[Column("version")]
public string? Version { get; set; }
/// <summary>
/// SHA-256 hash of the component artifact if available.
/// </summary>
[MaxLength(64)]
[Column("artifact_digest")]
public string? ArtifactDigest { get; set; }
/// <summary>
/// Reference to the trust anchor for this entry.
/// </summary>
[Column("trust_anchor_id")]
public Guid? TrustAnchorId { get; set; }
/// <summary>
/// When this entry was created.
/// </summary>
[Column("created_at")]
public DateTimeOffset CreatedAt { get; set; }
// Navigation properties
/// <summary>
/// The trust anchor for this entry.
/// </summary>
public TrustAnchorEntity? TrustAnchor { get; set; }
/// <summary>
/// DSSE envelopes associated with this entry.
/// </summary>
public ICollection<DsseEnvelopeEntity> Envelopes { get; set; } = new List<DsseEnvelopeEntity>();
/// <summary>
/// The proof spine for this entry.
/// </summary>
public SpineEntity? Spine { get; set; }
}

82
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Entities/SpineEntity.cs Normal file
View File

@@ -0,0 +1,82 @@
using System;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
namespace StellaOps.Attestor.Persistence.Entities;
/// <summary>
/// Proof spine linking evidence to verdicts via merkle aggregation.
/// Maps to proofchain.spines table.
/// </summary>
[Table("spines", Schema = "proofchain")]
public class SpineEntity
{
/// <summary>
/// Primary key - references SBOM entry.
/// </summary>
[Key]
[Column("entry_id")]
public Guid EntryId { get; set; }
/// <summary>
/// ProofBundleID (merkle root of all components).
/// </summary>
[Required]
[MaxLength(64)]
[Column("bundle_id")]
public string BundleId { get; set; } = null!;
/// <summary>
/// Array of EvidenceIDs in sorted order.
/// </summary>
[Required]
[Column("evidence_ids", TypeName = "text[]")]
public string[] EvidenceIds { get; set; } = [];
/// <summary>
/// ReasoningID for the policy evaluation.
/// </summary>
[Required]
[MaxLength(64)]
[Column("reasoning_id")]
public string ReasoningId { get; set; } = null!;
/// <summary>
/// VexVerdictID for the VEX statement.
/// </summary>
[Required]
[MaxLength(64)]
[Column("vex_id")]
public string VexId { get; set; } = null!;
/// <summary>
/// Reference to the trust anchor.
/// </summary>
[Column("anchor_id")]
public Guid? AnchorId { get; set; }
/// <summary>
/// Policy version used for evaluation.
/// </summary>
[Required]
[Column("policy_version")]
public string PolicyVersion { get; set; } = null!;
/// <summary>
/// When this spine was created.
/// </summary>
[Column("created_at")]
public DateTimeOffset CreatedAt { get; set; }
// Navigation properties
/// <summary>
/// The SBOM entry this spine covers.
/// </summary>
public SbomEntryEntity Entry { get; set; } = null!;
/// <summary>
/// The trust anchor for this spine.
/// </summary>
public TrustAnchorEntity? Anchor { get; set; }
}

76
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Entities/TrustAnchorEntity.cs Normal file
View File

@@ -0,0 +1,76 @@
using System;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
namespace StellaOps.Attestor.Persistence.Entities;
/// <summary>
/// Trust anchor configuration for dependency verification.
/// Maps to proofchain.trust_anchors table.
/// </summary>
[Table("trust_anchors", Schema = "proofchain")]
public class TrustAnchorEntity
{
/// <summary>
/// Primary key - auto-generated UUID.
/// </summary>
[Key]
[Column("anchor_id")]
public Guid AnchorId { get; set; }
/// <summary>
/// PURL glob pattern (e.g., pkg:npm/*).
/// </summary>
[Required]
[Column("purl_pattern")]
public string PurlPattern { get; set; } = null!;
/// <summary>
/// Key IDs allowed to sign attestations matching this pattern.
/// </summary>
[Required]
[Column("allowed_keyids", TypeName = "text[]")]
public string[] AllowedKeyIds { get; set; } = [];
/// <summary>
/// Optional: Predicate types allowed for this anchor.
/// </summary>
[Column("allowed_predicate_types", TypeName = "text[]")]
public string[]? AllowedPredicateTypes { get; set; }
/// <summary>
/// Optional reference to the policy document.
/// </summary>
[Column("policy_ref")]
public string? PolicyRef { get; set; }
/// <summary>
/// Policy version for this anchor.
/// </summary>
[Column("policy_version")]
public string? PolicyVersion { get; set; }
/// <summary>
/// Key IDs that have been revoked but may appear in old proofs.
/// </summary>
[Column("revoked_keys", TypeName = "text[]")]
public string[] RevokedKeys { get; set; } = [];
/// <summary>
/// Whether this anchor is active.
/// </summary>
[Column("is_active")]
public bool IsActive { get; set; } = true;
/// <summary>
/// When this anchor was created.
/// </summary>
[Column("created_at")]
public DateTimeOffset CreatedAt { get; set; }
/// <summary>
/// When this anchor was last updated.
/// </summary>
[Column("updated_at")]
public DateTimeOffset UpdatedAt { get; set; }
}

159
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Migrations/20251214000001_AddProofChainSchema.sql Normal file
View File

@@ -0,0 +1,159 @@
-- Migration: 20251214000001_AddProofChainSchema
-- Creates the proofchain schema and all tables for proof chain persistence.
-- This migration is idempotent and can be run multiple times safely.
-- Create schema
CREATE SCHEMA IF NOT EXISTS proofchain;
-- Create verification_result enum type
DO $$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'verification_result' AND typnamespace = 'proofchain'::regnamespace) THEN
CREATE TYPE proofchain.verification_result AS ENUM ('pass', 'fail', 'pending');
END IF;
END $$;
-- 4.4 trust_anchors Table (create first - no dependencies)
CREATE TABLE IF NOT EXISTS proofchain.trust_anchors (
anchor_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
purl_pattern TEXT NOT NULL,
allowed_keyids TEXT[] NOT NULL,
allowed_predicate_types TEXT[],
policy_ref TEXT,
policy_version TEXT,
revoked_keys TEXT[] DEFAULT '{}',
is_active BOOLEAN NOT NULL DEFAULT TRUE,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_trust_anchors_pattern ON proofchain.trust_anchors(purl_pattern);
CREATE INDEX IF NOT EXISTS idx_trust_anchors_active ON proofchain.trust_anchors(is_active) WHERE is_active = TRUE;
COMMENT ON TABLE proofchain.trust_anchors IS 'Trust anchor configurations for dependency verification';
COMMENT ON COLUMN proofchain.trust_anchors.purl_pattern IS 'PURL glob pattern (e.g., pkg:npm/*)';
COMMENT ON COLUMN proofchain.trust_anchors.revoked_keys IS 'Key IDs that have been revoked but may appear in old proofs';
-- 4.1 sbom_entries Table
CREATE TABLE IF NOT EXISTS proofchain.sbom_entries (
entry_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
bom_digest VARCHAR(64) NOT NULL,
purl TEXT NOT NULL,
version TEXT,
artifact_digest VARCHAR(64),
trust_anchor_id UUID REFERENCES proofchain.trust_anchors(anchor_id) ON DELETE SET NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-- Compound unique constraint for idempotent inserts
CONSTRAINT uq_sbom_entry UNIQUE (bom_digest, purl, version)
);
CREATE INDEX IF NOT EXISTS idx_sbom_entries_bom_digest ON proofchain.sbom_entries(bom_digest);
CREATE INDEX IF NOT EXISTS idx_sbom_entries_purl ON proofchain.sbom_entries(purl);
CREATE INDEX IF NOT EXISTS idx_sbom_entries_artifact ON proofchain.sbom_entries(artifact_digest);
CREATE INDEX IF NOT EXISTS idx_sbom_entries_anchor ON proofchain.sbom_entries(trust_anchor_id);
COMMENT ON TABLE proofchain.sbom_entries IS 'SBOM component entries with content-addressed identifiers';
COMMENT ON COLUMN proofchain.sbom_entries.bom_digest IS 'SHA-256 hash of the parent SBOM document';
COMMENT ON COLUMN proofchain.sbom_entries.purl IS 'Package URL (PURL) of the component';
COMMENT ON COLUMN proofchain.sbom_entries.artifact_digest IS 'SHA-256 hash of the component artifact if available';
-- 4.2 dsse_envelopes Table
CREATE TABLE IF NOT EXISTS proofchain.dsse_envelopes (
env_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
entry_id UUID NOT NULL REFERENCES proofchain.sbom_entries(entry_id) ON DELETE CASCADE,
predicate_type TEXT NOT NULL,
signer_keyid TEXT NOT NULL,
body_hash VARCHAR(64) NOT NULL,
envelope_blob_ref TEXT NOT NULL,
signed_at TIMESTAMPTZ NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-- Prevent duplicate envelopes for same entry/predicate
CONSTRAINT uq_dsse_envelope UNIQUE (entry_id, predicate_type, body_hash)
);
CREATE INDEX IF NOT EXISTS idx_dsse_entry_predicate ON proofchain.dsse_envelopes(entry_id, predicate_type);
CREATE INDEX IF NOT EXISTS idx_dsse_signer ON proofchain.dsse_envelopes(signer_keyid);
CREATE INDEX IF NOT EXISTS idx_dsse_body_hash ON proofchain.dsse_envelopes(body_hash);
COMMENT ON TABLE proofchain.dsse_envelopes IS 'Signed DSSE envelopes for proof chain statements';
COMMENT ON COLUMN proofchain.dsse_envelopes.predicate_type IS 'Predicate type URI (e.g., evidence.stella/v1)';
COMMENT ON COLUMN proofchain.dsse_envelopes.envelope_blob_ref IS 'Reference to blob storage (OCI, S3, file)';
-- 4.3 spines Table
CREATE TABLE IF NOT EXISTS proofchain.spines (
entry_id UUID PRIMARY KEY REFERENCES proofchain.sbom_entries(entry_id) ON DELETE CASCADE,
bundle_id VARCHAR(64) NOT NULL,
evidence_ids TEXT[] NOT NULL,
reasoning_id VARCHAR(64) NOT NULL,
vex_id VARCHAR(64) NOT NULL,
anchor_id UUID REFERENCES proofchain.trust_anchors(anchor_id) ON DELETE SET NULL,
policy_version TEXT NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-- Bundle ID must be unique
CONSTRAINT uq_spine_bundle UNIQUE (bundle_id)
);
CREATE INDEX IF NOT EXISTS idx_spines_bundle ON proofchain.spines(bundle_id);
CREATE INDEX IF NOT EXISTS idx_spines_anchor ON proofchain.spines(anchor_id);
CREATE INDEX IF NOT EXISTS idx_spines_policy ON proofchain.spines(policy_version);
COMMENT ON TABLE proofchain.spines IS 'Proof spines linking evidence to verdicts via merkle aggregation';
COMMENT ON COLUMN proofchain.spines.bundle_id IS 'ProofBundleID (merkle root of all components)';
COMMENT ON COLUMN proofchain.spines.evidence_ids IS 'Array of EvidenceIDs in sorted order';
-- 4.5 rekor_entries Table
CREATE TABLE IF NOT EXISTS proofchain.rekor_entries (
dsse_sha256 VARCHAR(64) PRIMARY KEY,
log_index BIGINT NOT NULL,
log_id TEXT NOT NULL,
uuid TEXT NOT NULL,
integrated_time BIGINT NOT NULL,
inclusion_proof JSONB NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-- Reference to the DSSE envelope
env_id UUID REFERENCES proofchain.dsse_envelopes(env_id) ON DELETE SET NULL
);
CREATE INDEX IF NOT EXISTS idx_rekor_log_index ON proofchain.rekor_entries(log_index);
CREATE INDEX IF NOT EXISTS idx_rekor_log_id ON proofchain.rekor_entries(log_id);
CREATE INDEX IF NOT EXISTS idx_rekor_uuid ON proofchain.rekor_entries(uuid);
CREATE INDEX IF NOT EXISTS idx_rekor_env ON proofchain.rekor_entries(env_id);
COMMENT ON TABLE proofchain.rekor_entries IS 'Rekor transparency log entries for verification';
COMMENT ON COLUMN proofchain.rekor_entries.inclusion_proof IS 'Merkle inclusion proof from Rekor';
-- Audit log table
CREATE TABLE IF NOT EXISTS proofchain.audit_log (
log_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
operation TEXT NOT NULL,
entity_type TEXT NOT NULL,
entity_id TEXT NOT NULL,
actor TEXT,
details JSONB,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_audit_entity ON proofchain.audit_log(entity_type, entity_id);
CREATE INDEX IF NOT EXISTS idx_audit_created ON proofchain.audit_log(created_at DESC);
COMMENT ON TABLE proofchain.audit_log IS 'Audit log for proof chain operations';
-- Create updated_at trigger function
CREATE OR REPLACE FUNCTION proofchain.update_updated_at_column()
RETURNS TRIGGER AS $$
BEGIN
NEW.updated_at = NOW();
RETURN NEW;
END;
$$ LANGUAGE plpgsql;
-- Apply updated_at trigger to trust_anchors
DROP TRIGGER IF EXISTS update_trust_anchors_updated_at ON proofchain.trust_anchors;
CREATE TRIGGER update_trust_anchors_updated_at
BEFORE UPDATE ON proofchain.trust_anchors
FOR EACH ROW
EXECUTE FUNCTION proofchain.update_updated_at_column();

20
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Migrations/20251214000002_RollbackProofChainSchema.sql Normal file
View File

@@ -0,0 +1,20 @@
-- Migration: 20251214000002_RollbackProofChainSchema
-- Rollback script for the proofchain schema.
-- WARNING: This will delete all proof chain data!
-- Drop tables in reverse dependency order
DROP TABLE IF EXISTS proofchain.audit_log CASCADE;
DROP TABLE IF EXISTS proofchain.rekor_entries CASCADE;
DROP TABLE IF EXISTS proofchain.spines CASCADE;
DROP TABLE IF EXISTS proofchain.dsse_envelopes CASCADE;
DROP TABLE IF EXISTS proofchain.sbom_entries CASCADE;
DROP TABLE IF EXISTS proofchain.trust_anchors CASCADE;
-- Drop types
DROP TYPE IF EXISTS proofchain.verification_result CASCADE;
-- Drop functions
DROP FUNCTION IF EXISTS proofchain.update_updated_at_column() CASCADE;
-- Drop schema
DROP SCHEMA IF EXISTS proofchain CASCADE;

143
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/ProofChainDbContext.cs Normal file
View File

@@ -0,0 +1,143 @@
using Microsoft.EntityFrameworkCore;
using StellaOps.Attestor.Persistence.Entities;
namespace StellaOps.Attestor.Persistence;
/// <summary>
/// Entity Framework Core DbContext for proof chain persistence.
/// </summary>
public class ProofChainDbContext : DbContext
{
public ProofChainDbContext(DbContextOptions<ProofChainDbContext> options)
: base(options)
{
}
/// <summary>
/// SBOM entries table.
/// </summary>
public DbSet<SbomEntryEntity> SbomEntries => Set<SbomEntryEntity>();
/// <summary>
/// DSSE envelopes table.
/// </summary>
public DbSet<DsseEnvelopeEntity> DsseEnvelopes => Set<DsseEnvelopeEntity>();
/// <summary>
/// Proof spines table.
/// </summary>
public DbSet<SpineEntity> Spines => Set<SpineEntity>();
/// <summary>
/// Trust anchors table.
/// </summary>
public DbSet<TrustAnchorEntity> TrustAnchors => Set<TrustAnchorEntity>();
/// <summary>
/// Rekor entries table.
/// </summary>
public DbSet<RekorEntryEntity> RekorEntries => Set<RekorEntryEntity>();
/// <summary>
/// Audit log table.
/// </summary>
public DbSet<AuditLogEntity> AuditLog => Set<AuditLogEntity>();
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
// Configure schema
modelBuilder.HasDefaultSchema("proofchain");
// SbomEntryEntity configuration
modelBuilder.Entity<SbomEntryEntity>(entity =>
{
entity.HasIndex(e => e.BomDigest).HasDatabaseName("idx_sbom_entries_bom_digest");
entity.HasIndex(e => e.Purl).HasDatabaseName("idx_sbom_entries_purl");
entity.HasIndex(e => e.ArtifactDigest).HasDatabaseName("idx_sbom_entries_artifact");
entity.HasIndex(e => e.TrustAnchorId).HasDatabaseName("idx_sbom_entries_anchor");
// Unique constraint
entity.HasIndex(e => new { e.BomDigest, e.Purl, e.Version })
.HasDatabaseName("uq_sbom_entry")
.IsUnique();
// Relationships
entity.HasOne(e => e.TrustAnchor)
.WithMany()
.HasForeignKey(e => e.TrustAnchorId)
.OnDelete(DeleteBehavior.SetNull);
entity.HasMany(e => e.Envelopes)
.WithOne(e => e.Entry)
.HasForeignKey(e => e.EntryId)
.OnDelete(DeleteBehavior.Cascade);
entity.HasOne(e => e.Spine)
.WithOne(e => e.Entry)
.HasForeignKey<SpineEntity>(e => e.EntryId)
.OnDelete(DeleteBehavior.Cascade);
});
// DsseEnvelopeEntity configuration
modelBuilder.Entity<DsseEnvelopeEntity>(entity =>
{
entity.HasIndex(e => new { e.EntryId, e.PredicateType })
.HasDatabaseName("idx_dsse_entry_predicate");
entity.HasIndex(e => e.SignerKeyId).HasDatabaseName("idx_dsse_signer");
entity.HasIndex(e => e.BodyHash).HasDatabaseName("idx_dsse_body_hash");
// Unique constraint
entity.HasIndex(e => new { e.EntryId, e.PredicateType, e.BodyHash })
.HasDatabaseName("uq_dsse_envelope")
.IsUnique();
});
// SpineEntity configuration
modelBuilder.Entity<SpineEntity>(entity =>
{
entity.HasIndex(e => e.BundleId).HasDatabaseName("idx_spines_bundle").IsUnique();
entity.HasIndex(e => e.AnchorId).HasDatabaseName("idx_spines_anchor");
entity.HasIndex(e => e.PolicyVersion).HasDatabaseName("idx_spines_policy");
entity.HasOne(e => e.Anchor)
.WithMany()
.HasForeignKey(e => e.AnchorId)
.OnDelete(DeleteBehavior.SetNull);
});
// TrustAnchorEntity configuration
modelBuilder.Entity<TrustAnchorEntity>(entity =>
{
entity.HasIndex(e => e.PurlPattern).HasDatabaseName("idx_trust_anchors_pattern");
entity.HasIndex(e => e.IsActive)
.HasDatabaseName("idx_trust_anchors_active")
.HasFilter("is_active = TRUE");
});
// RekorEntryEntity configuration
modelBuilder.Entity<RekorEntryEntity>(entity =>
{
entity.HasIndex(e => e.LogIndex).HasDatabaseName("idx_rekor_log_index");
entity.HasIndex(e => e.LogId).HasDatabaseName("idx_rekor_log_id");
entity.HasIndex(e => e.Uuid).HasDatabaseName("idx_rekor_uuid");
entity.HasIndex(e => e.EnvId).HasDatabaseName("idx_rekor_env");
entity.HasOne(e => e.Envelope)
.WithOne(e => e.RekorEntry)
.HasForeignKey<RekorEntryEntity>(e => e.EnvId)
.OnDelete(DeleteBehavior.SetNull);
});
// AuditLogEntity configuration
modelBuilder.Entity<AuditLogEntity>(entity =>
{
entity.HasIndex(e => new { e.EntityType, e.EntityId })
.HasDatabaseName("idx_audit_entity");
entity.HasIndex(e => e.CreatedAt)
.HasDatabaseName("idx_audit_created")
.IsDescending();
});
}
}

206
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Repositories/IProofChainRepository.cs Normal file
View File

@@ -0,0 +1,206 @@
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using StellaOps.Attestor.Persistence.Entities;
namespace StellaOps.Attestor.Persistence.Repositories;
/// <summary>
/// Repository for proof chain data access.
/// </summary>
public interface IProofChainRepository
{
#region SBOM Entries
/// <summary>
/// Get an SBOM entry by its unique combination of bom digest, purl, and version.
/// </summary>
Task<SbomEntryEntity?> GetSbomEntryAsync(
string bomDigest,
string purl,
string? version,
CancellationToken ct = default);
/// <summary>
/// Get an SBOM entry by its entry ID.
/// </summary>
Task<SbomEntryEntity?> GetSbomEntryByIdAsync(
Guid entryId,
CancellationToken ct = default);
/// <summary>
/// Insert or update an SBOM entry (upsert on unique constraint).
/// </summary>
Task<SbomEntryEntity> UpsertSbomEntryAsync(
SbomEntryEntity entry,
CancellationToken ct = default);
/// <summary>
/// Get all SBOM entries by artifact digest.
/// </summary>
Task<IReadOnlyList<SbomEntryEntity>> GetSbomEntriesByArtifactAsync(
string artifactDigest,
CancellationToken ct = default);
/// <summary>
/// Get all SBOM entries by bom digest.
/// </summary>
Task<IReadOnlyList<SbomEntryEntity>> GetSbomEntriesByBomDigestAsync(
string bomDigest,
CancellationToken ct = default);
#endregion
#region DSSE Envelopes
/// <summary>
/// Get an envelope by its ID.
/// </summary>
Task<DsseEnvelopeEntity?> GetEnvelopeAsync(
Guid envId,
CancellationToken ct = default);
/// <summary>
/// Get an envelope by its body hash.
/// </summary>
Task<DsseEnvelopeEntity?> GetEnvelopeByBodyHashAsync(
string bodyHash,
CancellationToken ct = default);
/// <summary>
/// Save a new envelope.
/// </summary>
Task<DsseEnvelopeEntity> SaveEnvelopeAsync(
DsseEnvelopeEntity envelope,
CancellationToken ct = default);
/// <summary>
/// Get all envelopes for an SBOM entry.
/// </summary>
Task<IReadOnlyList<DsseEnvelopeEntity>> GetEnvelopesByEntryAsync(
Guid entryId,
CancellationToken ct = default);
/// <summary>
/// Get envelopes for an entry filtered by predicate type.
/// </summary>
Task<IReadOnlyList<DsseEnvelopeEntity>> GetEnvelopesByPredicateTypeAsync(
Guid entryId,
string predicateType,
CancellationToken ct = default);
#endregion
#region Spines
/// <summary>
/// Get a spine by its entry ID.
/// </summary>
Task<SpineEntity?> GetSpineAsync(
Guid entryId,
CancellationToken ct = default);
/// <summary>
/// Get a spine by its bundle ID.
/// </summary>
Task<SpineEntity?> GetSpineByBundleIdAsync(
string bundleId,
CancellationToken ct = default);
/// <summary>
/// Save or update a spine.
/// </summary>
Task<SpineEntity> SaveSpineAsync(
SpineEntity spine,
CancellationToken ct = default);
#endregion
#region Trust Anchors
/// <summary>
/// Get a trust anchor by its ID.
/// </summary>
Task<TrustAnchorEntity?> GetTrustAnchorAsync(
Guid anchorId,
CancellationToken ct = default);
/// <summary>
/// Get the trust anchor matching a PURL pattern (best match).
/// </summary>
Task<TrustAnchorEntity?> GetTrustAnchorByPatternAsync(
string purl,
CancellationToken ct = default);
/// <summary>
/// Save or update a trust anchor.
/// </summary>
Task<TrustAnchorEntity> SaveTrustAnchorAsync(
TrustAnchorEntity anchor,
CancellationToken ct = default);
/// <summary>
/// Get all active trust anchors.
/// </summary>
Task<IReadOnlyList<TrustAnchorEntity>> GetActiveTrustAnchorsAsync(
CancellationToken ct = default);
/// <summary>
/// Revoke a key in a trust anchor.
/// </summary>
Task RevokeKeyAsync(
Guid anchorId,
string keyId,
CancellationToken ct = default);
#endregion
#region Rekor Entries
/// <summary>
/// Get a Rekor entry by DSSE SHA-256.
/// </summary>
Task<RekorEntryEntity?> GetRekorEntryAsync(
string dsseSha256,
CancellationToken ct = default);
/// <summary>
/// Get a Rekor entry by log index.
/// </summary>
Task<RekorEntryEntity?> GetRekorEntryByLogIndexAsync(
long logIndex,
CancellationToken ct = default);
/// <summary>
/// Save a Rekor entry.
/// </summary>
Task<RekorEntryEntity> SaveRekorEntryAsync(
RekorEntryEntity entry,
CancellationToken ct = default);
#endregion
#region Audit Log
/// <summary>
/// Log an audit entry.
/// </summary>
Task LogAuditAsync(
string operation,
string entityType,
string entityId,
string? actor = null,
object? details = null,
CancellationToken ct = default);
/// <summary>
/// Get audit log entries for an entity.
/// </summary>
Task<IReadOnlyList<AuditLogEntity>> GetAuditLogAsync(
string entityType,
string entityId,
CancellationToken ct = default);
#endregion
}

297
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Services/TrustAnchorMatcher.cs Normal file
View File

@@ -0,0 +1,297 @@
using System.Text.RegularExpressions;
using Microsoft.Extensions.Logging;
using StellaOps.Attestor.Persistence.Entities;
namespace StellaOps.Attestor.Persistence.Services;
/// <summary>
/// Matches PURLs against trust anchor patterns.
/// SPRINT_0501_0006_0001 - Task #7
/// </summary>
public interface ITrustAnchorMatcher
{
/// <summary>
/// Finds the best matching trust anchor for a given PURL.
/// </summary>
Task<TrustAnchorMatchResult?> FindMatchAsync(
string purl,
CancellationToken cancellationToken = default);
/// <summary>
/// Validates if a key ID is allowed for a given PURL.
/// </summary>
Task<bool> IsKeyAllowedAsync(
string purl,
string keyId,
CancellationToken cancellationToken = default);
/// <summary>
/// Validates if a predicate type is allowed for a given PURL.
/// </summary>
Task<bool> IsPredicateAllowedAsync(
string purl,
string predicateType,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Result of trust anchor pattern matching.
/// </summary>
public sealed record TrustAnchorMatchResult
{
/// <summary>The matched trust anchor.</summary>
public required TrustAnchorEntity Anchor { get; init; }
/// <summary>The pattern that matched.</summary>
public required string MatchedPattern { get; init; }
/// <summary>Match specificity score (higher = more specific).</summary>
public required int Specificity { get; init; }
}
/// <summary>
/// Implementation of trust anchor pattern matching using PURL glob patterns.
/// </summary>
public sealed class TrustAnchorMatcher : ITrustAnchorMatcher
{
private readonly IProofChainRepository _repository;
private readonly ILogger<TrustAnchorMatcher> _logger;
// Cache compiled regex patterns
private readonly Dictionary<string, Regex> _patternCache = new();
private readonly Lock _cacheLock = new();
public TrustAnchorMatcher(
IProofChainRepository repository,
ILogger<TrustAnchorMatcher> logger)
{
_repository = repository ?? throw new ArgumentNullException(nameof(repository));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<TrustAnchorMatchResult?> FindMatchAsync(
string purl,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrEmpty(purl);
var anchors = await _repository.GetActiveAnchorsAsync(cancellationToken);
TrustAnchorMatchResult? bestMatch = null;
foreach (var anchor in anchors)
{
if (!IsActive(anchor))
{
continue;
}
var regex = GetOrCreateRegex(anchor.PurlPattern);
if (regex.IsMatch(purl))
{
var specificity = CalculateSpecificity(anchor.PurlPattern);
if (bestMatch == null || specificity > bestMatch.Specificity)
{
bestMatch = new TrustAnchorMatchResult
{
Anchor = anchor,
MatchedPattern = anchor.PurlPattern,
Specificity = specificity,
};
}
}
}
if (bestMatch != null)
{
_logger.LogDebug(
"PURL {Purl} matched anchor pattern {Pattern} with specificity {Specificity}",
purl, bestMatch.MatchedPattern, bestMatch.Specificity);
}
return bestMatch;
}
public async Task<bool> IsKeyAllowedAsync(
string purl,
string keyId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrEmpty(purl);
ArgumentException.ThrowIfNullOrEmpty(keyId);
var match = await FindMatchAsync(purl, cancellationToken);
if (match == null)
{
_logger.LogDebug("No trust anchor found for PURL {Purl}", purl);
return false;
}
// Check if key is revoked
if (match.Anchor.RevokedKeys.Contains(keyId, StringComparer.OrdinalIgnoreCase))
{
_logger.LogWarning(
"Key {KeyId} is revoked for anchor {AnchorId}",
keyId, match.Anchor.AnchorId);
return false;
}
// Check if key is in allowed list
var allowed = match.Anchor.AllowedKeyIds.Contains(keyId, StringComparer.OrdinalIgnoreCase);
if (!allowed)
{
_logger.LogDebug(
"Key {KeyId} not in allowed list for anchor {AnchorId}",
keyId, match.Anchor.AnchorId);
}
return allowed;
}
public async Task<bool> IsPredicateAllowedAsync(
string purl,
string predicateType,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrEmpty(purl);
ArgumentException.ThrowIfNullOrEmpty(predicateType);
var match = await FindMatchAsync(purl, cancellationToken);
if (match == null)
{
return false;
}
// If no predicate restrictions, allow all
if (match.Anchor.AllowedPredicateTypes == null || match.Anchor.AllowedPredicateTypes.Length == 0)
{
return true;
}
return match.Anchor.AllowedPredicateTypes.Contains(predicateType, StringComparer.OrdinalIgnoreCase);
}
/// <summary>
/// Converts a PURL glob pattern to a regex.
/// Supports: * (any chars), ? (single char), ** (any path segment)
/// </summary>
private Regex GetOrCreateRegex(string pattern)
{
lock (_cacheLock)
{
if (_patternCache.TryGetValue(pattern, out var cached))
{
return cached;
}
var regexPattern = ConvertGlobToRegex(pattern);
var regex = new Regex(regexPattern, RegexOptions.IgnoreCase | RegexOptions.Compiled);
_patternCache[pattern] = regex;
return regex;
}
}
/// <summary>
/// Converts a glob pattern to a regex pattern.
/// </summary>
private static string ConvertGlobToRegex(string glob)
{
var regex = new System.Text.StringBuilder("^");
for (int i = 0; i < glob.Length; i++)
{
char c = glob[i];
switch (c)
{
case '*':
if (i + 1 < glob.Length && glob[i + 1] == '*')
{
// ** matches any path segments
regex.Append(".*");
i++; // Skip next *
}
else
{
// * matches anything except /
regex.Append("[^/]*");
}
break;
case '?':
// ? matches single character except /
regex.Append("[^/]");
break;
case '.':
case '^':
case '$':
case '+':
case '(':
case ')':
case '[':
case ']':
case '{':
case '}':
case '|':
case '\\':
// Escape regex special chars
regex.Append('\\').Append(c);
break;
default:
regex.Append(c);
break;
}
}
regex.Append('$');
return regex.ToString();
}
/// <summary>
/// Calculates pattern specificity (more specific = higher score).
/// </summary>
private static int CalculateSpecificity(string pattern)
{
// Count non-wildcard segments
int specificity = 0;
// More slashes = more specific
specificity += pattern.Count(c => c == '/') * 10;
// More literal characters = more specific
specificity += pattern.Count(c => c != '*' && c != '?');
// Penalize wildcards
specificity -= pattern.Count(c => c == '*') * 5;
specificity -= pattern.Count(c => c == '?') * 2;
return specificity;
}
private static bool IsActive(TrustAnchorEntity anchor)
{
// Anchor is active if IsActive property exists and is true
// or if the property doesn't exist (backwards compatibility)
var isActiveProp = anchor.GetType().GetProperty("IsActive");
if (isActiveProp != null)
{
return (bool)(isActiveProp.GetValue(anchor) ?? true);
}
return true;
}
}
/// <summary>
/// Repository interface extension for trust anchor queries.
/// </summary>
public interface IProofChainRepository
{
/// <summary>
/// Gets all active trust anchors.
/// </summary>
Task<IReadOnlyList<TrustAnchorEntity>> GetActiveAnchorsAsync(CancellationToken cancellationToken = default);
}

23
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/StellaOps.Attestor.Persistence.csproj Normal file
View File

@@ -0,0 +1,23 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<LangVersion>preview</LangVersion>
<RootNamespace>StellaOps.Attestor.Persistence</RootNamespace>
<Description>Proof chain persistence layer with Entity Framework Core and PostgreSQL support.</Description>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.EntityFrameworkCore" Version="10.0.0-preview.*" />
<PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0-preview.*" />
</ItemGroup>
<ItemGroup>
<None Include="Migrations\*.sql">
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
</None>
</ItemGroup>
</Project>

223
src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Tests/ProofChainRepositoryIntegrationTests.cs Normal file
View File

@@ -0,0 +1,223 @@
using StellaOps.Attestor.Persistence.Entities;
using StellaOps.Attestor.Persistence.Services;
using Microsoft.Extensions.Logging.Abstractions;
using Moq;
using Xunit;
namespace StellaOps.Attestor.Persistence.Tests;
/// <summary>
/// Integration tests for proof chain database operations.
/// SPRINT_0501_0006_0001 - Task #10
/// </summary>
public sealed class ProofChainRepositoryIntegrationTests
{
private readonly Mock<IProofChainRepository> _repositoryMock;
private readonly TrustAnchorMatcher _matcher;
public ProofChainRepositoryIntegrationTests()
{
_repositoryMock = new Mock<IProofChainRepository>();
_matcher = new TrustAnchorMatcher(
_repositoryMock.Object,
NullLogger<TrustAnchorMatcher>.Instance);
}
[Fact]
public async Task FindMatchAsync_ExactPattern_MatchesCorrectly()
{
// Arrange
var anchor = CreateAnchor("pkg:npm/lodash@4.17.21", ["key-1"]);
_repositoryMock.Setup(r => r.GetActiveAnchorsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync([anchor]);
// Act
var result = await _matcher.FindMatchAsync("pkg:npm/lodash@4.17.21");
// Assert
Assert.NotNull(result);
Assert.Equal(anchor.AnchorId, result.Anchor.AnchorId);
}
[Fact]
public async Task FindMatchAsync_WildcardPattern_MatchesPackages()
{
// Arrange
var anchor = CreateAnchor("pkg:npm/*", ["key-1"]);
_repositoryMock.Setup(r => r.GetActiveAnchorsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync([anchor]);
// Act
var result = await _matcher.FindMatchAsync("pkg:npm/lodash@4.17.21");
// Assert
Assert.NotNull(result);
Assert.Equal("pkg:npm/*", result.MatchedPattern);
}
[Fact]
public async Task FindMatchAsync_DoubleWildcard_MatchesNestedPaths()
{
// Arrange
var anchor = CreateAnchor("pkg:npm/@scope/**", ["key-1"]);
_repositoryMock.Setup(r => r.GetActiveAnchorsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync([anchor]);
// Act
var result = await _matcher.FindMatchAsync("pkg:npm/@scope/sub/package@1.0.0");
// Assert
Assert.NotNull(result);
}
[Fact]
public async Task FindMatchAsync_MultipleMatches_ReturnsMoreSpecific()
{
// Arrange
var genericAnchor = CreateAnchor("pkg:npm/*", ["key-generic"], "generic");
var specificAnchor = CreateAnchor("pkg:npm/lodash@*", ["key-specific"], "specific");
_repositoryMock.Setup(r => r.GetActiveAnchorsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync([genericAnchor, specificAnchor]);
// Act
var result = await _matcher.FindMatchAsync("pkg:npm/lodash@4.17.21");
// Assert
Assert.NotNull(result);
Assert.Equal("specific", result.Anchor.PolicyRef);
}
[Fact]
public async Task FindMatchAsync_NoMatch_ReturnsNull()
{
// Arrange
var anchor = CreateAnchor("pkg:npm/*", ["key-1"]);
_repositoryMock.Setup(r => r.GetActiveAnchorsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync([anchor]);
// Act
var result = await _matcher.FindMatchAsync("pkg:pypi/requests@2.28.0");
// Assert
Assert.Null(result);
}
[Fact]
public async Task IsKeyAllowedAsync_AllowedKey_ReturnsTrue()
{
// Arrange
var anchor = CreateAnchor("pkg:npm/*", ["key-1", "key-2"]);
_repositoryMock.Setup(r => r.GetActiveAnchorsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync([anchor]);
// Act
var allowed = await _matcher.IsKeyAllowedAsync("pkg:npm/lodash@4.17.21", "key-1");
// Assert
Assert.True(allowed);
}
[Fact]
public async Task IsKeyAllowedAsync_DisallowedKey_ReturnsFalse()
{
// Arrange
var anchor = CreateAnchor("pkg:npm/*", ["key-1"]);
_repositoryMock.Setup(r => r.GetActiveAnchorsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync([anchor]);
// Act
var allowed = await _matcher.IsKeyAllowedAsync("pkg:npm/lodash@4.17.21", "key-unknown");
// Assert
Assert.False(allowed);
}
[Fact]
public async Task IsKeyAllowedAsync_RevokedKey_ReturnsFalse()
{
// Arrange
var anchor = CreateAnchor("pkg:npm/*", ["key-1"], revokedKeys: ["key-1"]);
_repositoryMock.Setup(r => r.GetActiveAnchorsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync([anchor]);
// Act
var allowed = await _matcher.IsKeyAllowedAsync("pkg:npm/lodash@4.17.21", "key-1");
// Assert
Assert.False(allowed); // Key is revoked even if in allowed list
}
[Fact]
public async Task IsPredicateAllowedAsync_NoRestrictions_AllowsAll()
{
// Arrange
var anchor = CreateAnchor("pkg:npm/*", ["key-1"]);
anchor.AllowedPredicateTypes = null;
_repositoryMock.Setup(r => r.GetActiveAnchorsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync([anchor]);
// Act
var allowed = await _matcher.IsPredicateAllowedAsync(
"pkg:npm/lodash@4.17.21",
"https://in-toto.io/attestation/vulns/v0.1");
// Assert
Assert.True(allowed);
}
[Fact]
public async Task IsPredicateAllowedAsync_WithRestrictions_EnforcesAllowlist()
{
// Arrange
var anchor = CreateAnchor("pkg:npm/*", ["key-1"]);
anchor.AllowedPredicateTypes = ["evidence.stella/v1", "sbom.stella/v1"];
_repositoryMock.Setup(r => r.GetActiveAnchorsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync([anchor]);
// Act & Assert
Assert.True(await _matcher.IsPredicateAllowedAsync(
"pkg:npm/lodash@4.17.21", "evidence.stella/v1"));
Assert.False(await _matcher.IsPredicateAllowedAsync(
"pkg:npm/lodash@4.17.21", "random.predicate/v1"));
}
[Theory]
[InlineData("pkg:npm/*", "pkg:npm/lodash@4.17.21", true)]
[InlineData("pkg:npm/lodash@*", "pkg:npm/lodash@4.17.21", true)]
[InlineData("pkg:npm/lodash@4.17.*", "pkg:npm/lodash@4.17.21", true)]
[InlineData("pkg:npm/lodash@4.17.21", "pkg:npm/lodash@4.17.21", true)]
[InlineData("pkg:npm/lodash@4.17.21", "pkg:npm/lodash@4.17.22", false)]
[InlineData("pkg:pypi/*", "pkg:npm/lodash@4.17.21", false)]
[InlineData("pkg:npm/@scope/*", "pkg:npm/@scope/package@1.0.0", true)]
[InlineData("pkg:npm/@scope/*", "pkg:npm/@other/package@1.0.0", false)]
public async Task FindMatchAsync_PatternVariations_MatchCorrectly(
string pattern, string purl, bool shouldMatch)
{
// Arrange
var anchor = CreateAnchor(pattern, ["key-1"]);
_repositoryMock.Setup(r => r.GetActiveAnchorsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync([anchor]);
// Act
var result = await _matcher.FindMatchAsync(purl);
// Assert
Assert.Equal(shouldMatch, result != null);
}
private static TrustAnchorEntity CreateAnchor(
string pattern,
string[] allowedKeys,
string? policyRef = null,
string[]? revokedKeys = null)
{
return new TrustAnchorEntity
{
AnchorId = Guid.NewGuid(),
PurlPattern = pattern,
AllowedKeyIds = allowedKeys,
PolicyRef = policyRef,
RevokedKeys = revokedKeys ?? [],
};
}
}

186
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Assembly/IProofSpineAssembler.cs Normal file
View File

@@ -0,0 +1,186 @@
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using StellaOps.Attestor.ProofChain.Identifiers;
using StellaOps.Attestor.ProofChain.Signing;
using StellaOps.Attestor.ProofChain.Statements;
namespace StellaOps.Attestor.ProofChain.Assembly;
/// <summary>
/// Service for assembling and verifying proof spines.
/// </summary>
public interface IProofSpineAssembler
{
/// <summary>
/// Assemble a complete proof spine from component IDs.
/// </summary>
/// <param name="request">The assembly request containing all component IDs.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The assembled proof spine result including the signed envelope.</returns>
Task<ProofSpineResult> AssembleSpineAsync(
ProofSpineRequest request,
CancellationToken ct = default);
/// <summary>
/// Verify an existing proof spine by recomputing the merkle root.
/// </summary>
/// <param name="spine">The proof spine statement to verify.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The verification result.</returns>
Task<SpineVerificationResult> VerifySpineAsync(
ProofSpineStatement spine,
CancellationToken ct = default);
}
/// <summary>
/// Request to assemble a proof spine.
/// </summary>
public sealed record ProofSpineRequest
{
/// <summary>
/// The SBOM entry ID that this spine covers.
/// </summary>
public required SbomEntryId SbomEntryId { get; init; }
/// <summary>
/// The evidence IDs to include in the proof bundle.
/// Will be sorted lexicographically during assembly.
/// </summary>
public required IReadOnlyList<EvidenceId> EvidenceIds { get; init; }
/// <summary>
/// The reasoning ID explaining the decision.
/// </summary>
public required ReasoningId ReasoningId { get; init; }
/// <summary>
/// The VEX verdict ID for this entry.
/// </summary>
public required VexVerdictId VexVerdictId { get; init; }
/// <summary>
/// Version of the policy used.
/// </summary>
public required string PolicyVersion { get; init; }
/// <summary>
/// The subject (artifact) this spine is about.
/// </summary>
public required ProofSpineSubject Subject { get; init; }
/// <summary>
/// Key profile to use for signing the spine statement.
/// </summary>
public SigningKeyProfile SigningProfile { get; init; } = SigningKeyProfile.Authority;
}
/// <summary>
/// Subject for the proof spine (the artifact being attested).
/// </summary>
public sealed record ProofSpineSubject
{
/// <summary>
/// Name of the subject (e.g., image reference).
/// </summary>
public required string Name { get; init; }
/// <summary>
/// Digest of the subject.
/// </summary>
public required IReadOnlyDictionary<string, string> Digest { get; init; }
}
/// <summary>
/// Result of proof spine assembly.
/// </summary>
public sealed record ProofSpineResult
{
/// <summary>
/// The computed proof bundle ID (merkle root).
/// </summary>
public required ProofBundleId ProofBundleId { get; init; }
/// <summary>
/// The proof spine statement.
/// </summary>
public required ProofSpineStatement Statement { get; init; }
/// <summary>
/// The signed DSSE envelope.
/// </summary>
public required DsseEnvelope SignedEnvelope { get; init; }
/// <summary>
/// The merkle tree used for the proof bundle.
/// </summary>
public required MerkleTree MerkleTree { get; init; }
}
/// <summary>
/// Represents a merkle tree with proof generation capability.
/// </summary>
public sealed record MerkleTree
{
/// <summary>
/// The root hash of the merkle tree.
/// </summary>
public required byte[] Root { get; init; }
/// <summary>
/// The leaf hashes in order.
/// </summary>
public required IReadOnlyList<byte[]> Leaves { get; init; }
/// <summary>
/// Number of levels in the tree.
/// </summary>
public required int Depth { get; init; }
}
/// <summary>
/// Result of proof spine verification.
/// </summary>
public sealed record SpineVerificationResult
{
/// <summary>
/// Whether the spine is valid.
/// </summary>
public required bool IsValid { get; init; }
/// <summary>
/// The expected proof bundle ID (from the statement).
/// </summary>
public required ProofBundleId ExpectedBundleId { get; init; }
/// <summary>
/// The actual proof bundle ID (recomputed).
/// </summary>
public required ProofBundleId ActualBundleId { get; init; }
/// <summary>
/// Individual verification checks performed.
/// </summary>
public IReadOnlyList<SpineVerificationCheck> Checks { get; init; } = [];
}
/// <summary>
/// A single verification check in spine verification.
/// </summary>
public sealed record SpineVerificationCheck
{
/// <summary>
/// Name of the check.
/// </summary>
public required string CheckName { get; init; }
/// <summary>
/// Whether the check passed.
/// </summary>
public required bool Passed { get; init; }
/// <summary>
/// Optional details about the check.
/// </summary>
public string? Details { get; init; }
}

95
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Builders/IStatementBuilder.cs Normal file
View File

@@ -0,0 +1,95 @@
using System.Collections.Generic;
using StellaOps.Attestor.ProofChain.Statements;
namespace StellaOps.Attestor.ProofChain.Builders;
/// <summary>
/// Represents a subject (artifact) for proof chain statements.
/// </summary>
public sealed record ProofSubject
{
/// <summary>
/// The name or identifier of the subject (e.g., image reference, PURL).
/// </summary>
public required string Name { get; init; }
/// <summary>
/// Digests of the subject in algorithm:hex format.
/// </summary>
public required IReadOnlyDictionary<string, string> Digest { get; init; }
/// <summary>
/// Converts this ProofSubject to an in-toto Subject.
/// </summary>
public Subject ToSubject() => new()
{
Name = Name,
Digest = Digest
};
}
/// <summary>
/// Factory for building in-toto statements for proof chain predicates.
/// </summary>
public interface IStatementBuilder
{
/// <summary>
/// Build an Evidence statement for signing.
/// </summary>
/// <param name="subject">The artifact subject this evidence relates to.</param>
/// <param name="predicate">The evidence payload.</param>
/// <returns>An EvidenceStatement ready for signing.</returns>
EvidenceStatement BuildEvidenceStatement(
ProofSubject subject,
EvidencePayload predicate);
/// <summary>
/// Build a Reasoning statement for signing.
/// </summary>
/// <param name="subject">The artifact subject this reasoning relates to.</param>
/// <param name="predicate">The reasoning payload.</param>
/// <returns>A ReasoningStatement ready for signing.</returns>
ReasoningStatement BuildReasoningStatement(
ProofSubject subject,
ReasoningPayload predicate);
/// <summary>
/// Build a VEX Verdict statement for signing.
/// </summary>
/// <param name="subject">The artifact subject this verdict relates to.</param>
/// <param name="predicate">The VEX verdict payload.</param>
/// <returns>A VexVerdictStatement ready for signing.</returns>
VexVerdictStatement BuildVexVerdictStatement(
ProofSubject subject,
VexVerdictPayload predicate);
/// <summary>
/// Build a Proof Spine statement for signing.
/// </summary>
/// <param name="subject">The artifact subject this proof spine covers.</param>
/// <param name="predicate">The proof spine payload.</param>
/// <returns>A ProofSpineStatement ready for signing.</returns>
ProofSpineStatement BuildProofSpineStatement(
ProofSubject subject,
ProofSpinePayload predicate);
/// <summary>
/// Build a Verdict Receipt statement for signing.
/// </summary>
/// <param name="subject">The artifact subject this verdict receipt relates to.</param>
/// <param name="predicate">The verdict receipt payload.</param>
/// <returns>A VerdictReceiptStatement ready for signing.</returns>
VerdictReceiptStatement BuildVerdictReceiptStatement(
ProofSubject subject,
VerdictReceiptPayload predicate);
/// <summary>
/// Build an SBOM Linkage statement for signing.
/// </summary>
/// <param name="subjects">The artifact subjects covered by the SBOM.</param>
/// <param name="predicate">The SBOM linkage payload.</param>
/// <returns>An SbomLinkageStatement ready for signing.</returns>
SbomLinkageStatement BuildSbomLinkageStatement(
IReadOnlyList<ProofSubject> subjects,
SbomLinkagePayload predicate);
}

106
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Builders/StatementBuilder.cs Normal file
View File

@@ -0,0 +1,106 @@
using System.Collections.Generic;
using System.Linq;
using StellaOps.Attestor.ProofChain.Statements;
namespace StellaOps.Attestor.ProofChain.Builders;
/// <summary>
/// Default implementation of IStatementBuilder.
/// </summary>
public sealed class StatementBuilder : IStatementBuilder
{
/// <inheritdoc />
public EvidenceStatement BuildEvidenceStatement(
ProofSubject subject,
EvidencePayload predicate)
{
ArgumentNullException.ThrowIfNull(subject);
ArgumentNullException.ThrowIfNull(predicate);
return new EvidenceStatement
{
Subject = [subject.ToSubject()],
Predicate = predicate
};
}
/// <inheritdoc />
public ReasoningStatement BuildReasoningStatement(
ProofSubject subject,
ReasoningPayload predicate)
{
ArgumentNullException.ThrowIfNull(subject);
ArgumentNullException.ThrowIfNull(predicate);
return new ReasoningStatement
{
Subject = [subject.ToSubject()],
Predicate = predicate
};
}
/// <inheritdoc />
public VexVerdictStatement BuildVexVerdictStatement(
ProofSubject subject,
VexVerdictPayload predicate)
{
ArgumentNullException.ThrowIfNull(subject);
ArgumentNullException.ThrowIfNull(predicate);
return new VexVerdictStatement
{
Subject = [subject.ToSubject()],
Predicate = predicate
};
}
/// <inheritdoc />
public ProofSpineStatement BuildProofSpineStatement(
ProofSubject subject,
ProofSpinePayload predicate)
{
ArgumentNullException.ThrowIfNull(subject);
ArgumentNullException.ThrowIfNull(predicate);
return new ProofSpineStatement
{
Subject = [subject.ToSubject()],
Predicate = predicate
};
}
/// <inheritdoc />
public VerdictReceiptStatement BuildVerdictReceiptStatement(
ProofSubject subject,
VerdictReceiptPayload predicate)
{
ArgumentNullException.ThrowIfNull(subject);
ArgumentNullException.ThrowIfNull(predicate);
return new VerdictReceiptStatement
{
Subject = [subject.ToSubject()],
Predicate = predicate
};
}
/// <inheritdoc />
public SbomLinkageStatement BuildSbomLinkageStatement(
IReadOnlyList<ProofSubject> subjects,
SbomLinkagePayload predicate)
{
ArgumentNullException.ThrowIfNull(subjects);
ArgumentNullException.ThrowIfNull(predicate);
if (subjects.Count == 0)
{
throw new ArgumentException("At least one subject is required.", nameof(subjects));
}
return new SbomLinkageStatement
{
Subject = subjects.Select(s => s.ToSubject()).ToList(),
Predicate = predicate
};
}
}

276
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/IProofGraphService.cs Normal file
View File

@@ -0,0 +1,276 @@
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Attestor.ProofChain.Graph;
/// <summary>
/// Manages the proof-of-integrity graph that tracks relationships
/// between artifacts, SBOMs, attestations, and containers.
/// </summary>
public interface IProofGraphService
{
/// <summary>
/// Add a node to the proof graph.
/// </summary>
/// <param name="type">The type of node to add.</param>
/// <param name="contentDigest">The content digest (content-addressed ID).</param>
/// <param name="metadata">Optional metadata for the node.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The created node.</returns>
Task<ProofGraphNode> AddNodeAsync(
ProofGraphNodeType type,
string contentDigest,
IReadOnlyDictionary<string, object>? metadata = null,
CancellationToken ct = default);
/// <summary>
/// Add an edge between two nodes.
/// </summary>
/// <param name="sourceId">The source node ID.</param>
/// <param name="targetId">The target node ID.</param>
/// <param name="edgeType">The type of edge.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The created edge.</returns>
Task<ProofGraphEdge> AddEdgeAsync(
string sourceId,
string targetId,
ProofGraphEdgeType edgeType,
CancellationToken ct = default);
/// <summary>
/// Get a node by its ID.
/// </summary>
/// <param name="nodeId">The node ID to retrieve.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The node if found, null otherwise.</returns>
Task<ProofGraphNode?> GetNodeAsync(
string nodeId,
CancellationToken ct = default);
/// <summary>
/// Query the graph for a path from source to target.
/// </summary>
/// <param name="sourceId">The source node ID.</param>
/// <param name="targetId">The target node ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The path if found, null otherwise.</returns>
Task<ProofGraphPath?> FindPathAsync(
string sourceId,
string targetId,
CancellationToken ct = default);
/// <summary>
/// Get all nodes related to an artifact within a given depth.
/// </summary>
/// <param name="artifactId">The artifact ID to start from.</param>
/// <param name="maxDepth">Maximum traversal depth.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The subgraph containing related nodes.</returns>
Task<ProofGraphSubgraph> GetArtifactSubgraphAsync(
string artifactId,
int maxDepth = 5,
CancellationToken ct = default);
/// <summary>
/// Get all outgoing edges from a node.
/// </summary>
/// <param name="nodeId">The node ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The outgoing edges.</returns>
Task<IReadOnlyList<ProofGraphEdge>> GetOutgoingEdgesAsync(
string nodeId,
CancellationToken ct = default);
/// <summary>
/// Get all incoming edges to a node.
/// </summary>
/// <param name="nodeId">The node ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The incoming edges.</returns>
Task<IReadOnlyList<ProofGraphEdge>> GetIncomingEdgesAsync(
string nodeId,
CancellationToken ct = default);
}
/// <summary>
/// Types of nodes in the proof graph.
/// </summary>
public enum ProofGraphNodeType
{
/// <summary>Container image, binary, Helm chart.</summary>
Artifact,
/// <summary>SBOM document by sbomId.</summary>
SbomDocument,
/// <summary>In-toto statement by statement hash.</summary>
InTotoStatement,
/// <summary>DSSE envelope by envelope hash.</summary>
DsseEnvelope,
/// <summary>Rekor transparency log entry.</summary>
RekorEntry,
/// <summary>VEX statement by VEX hash.</summary>
VexStatement,
/// <summary>Component/subject from SBOM.</summary>
Subject,
/// <summary>Signing key.</summary>
SigningKey,
/// <summary>Trust anchor (root of trust).</summary>
TrustAnchor
}
/// <summary>
/// Types of edges in the proof graph.
/// </summary>
public enum ProofGraphEdgeType
{
/// <summary>Artifact → SbomDocument: artifact is described by SBOM.</summary>
DescribedBy,
/// <summary>SbomDocument → InTotoStatement: SBOM is attested by statement.</summary>
AttestedBy,
/// <summary>InTotoStatement → DsseEnvelope: statement is wrapped in envelope.</summary>
WrappedBy,
/// <summary>DsseEnvelope → RekorEntry: envelope is logged in Rekor.</summary>
LoggedIn,
/// <summary>Artifact/Subject → VexStatement: has VEX statement.</summary>
HasVex,
/// <summary>InTotoStatement → Subject: statement contains subject.</summary>
ContainsSubject,
/// <summary>Build → SBOM: build produces SBOM.</summary>
Produces,
/// <summary>VEX → Component: VEX affects component.</summary>
Affects,
/// <summary>Envelope → Key: envelope is signed by key.</summary>
SignedBy,
/// <summary>Envelope → Rekor: envelope is recorded at log index.</summary>
RecordedAt,
/// <summary>Key → TrustAnchor: key chains to trust anchor.</summary>
ChainsTo
}
/// <summary>
/// A node in the proof graph.
/// </summary>
public sealed record ProofGraphNode
{
/// <summary>
/// Unique identifier for this node.
/// </summary>
public required string Id { get; init; }
/// <summary>
/// The type of this node.
/// </summary>
public required ProofGraphNodeType Type { get; init; }
/// <summary>
/// Content digest (content-addressed identifier).
/// </summary>
public required string ContentDigest { get; init; }
/// <summary>
/// When this node was created.
/// </summary>
public required DateTimeOffset CreatedAt { get; init; }
/// <summary>
/// Optional metadata for the node.
/// </summary>
public IReadOnlyDictionary<string, object>? Metadata { get; init; }
}
/// <summary>
/// An edge in the proof graph.
/// </summary>
public sealed record ProofGraphEdge
{
/// <summary>
/// Unique identifier for this edge.
/// </summary>
public required string Id { get; init; }
/// <summary>
/// Source node ID.
/// </summary>
public required string SourceId { get; init; }
/// <summary>
/// Target node ID.
/// </summary>
public required string TargetId { get; init; }
/// <summary>
/// The type of this edge.
/// </summary>
public required ProofGraphEdgeType Type { get; init; }
/// <summary>
/// When this edge was created.
/// </summary>
public required DateTimeOffset CreatedAt { get; init; }
}
/// <summary>
/// A path through the proof graph.
/// </summary>
public sealed record ProofGraphPath
{
/// <summary>
/// Nodes in the path, in order.
/// </summary>
public required IReadOnlyList<ProofGraphNode> Nodes { get; init; }
/// <summary>
/// Edges connecting the nodes.
/// </summary>
public required IReadOnlyList<ProofGraphEdge> Edges { get; init; }
/// <summary>
/// Length of the path (number of edges).
/// </summary>
public int Length => Edges.Count;
}
/// <summary>
/// A subgraph of the proof graph.
/// </summary>
public sealed record ProofGraphSubgraph
{
/// <summary>
/// The root node ID that was queried.
/// </summary>
public required string RootNodeId { get; init; }
/// <summary>
/// All nodes in the subgraph.
/// </summary>
public required IReadOnlyList<ProofGraphNode> Nodes { get; init; }
/// <summary>
/// All edges in the subgraph.
/// </summary>
public required IReadOnlyList<ProofGraphEdge> Edges { get; init; }
/// <summary>
/// Maximum depth that was traversed.
/// </summary>
public required int MaxDepth { get; init; }
}

291
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs Normal file
View File

@@ -0,0 +1,291 @@
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Attestor.ProofChain.Graph;
/// <summary>
/// In-memory implementation of IProofGraphService for testing and development.
/// Not suitable for production use with large graphs.
/// </summary>
public sealed class InMemoryProofGraphService : IProofGraphService
{
private readonly ConcurrentDictionary<string, ProofGraphNode> _nodes = new();
private readonly ConcurrentDictionary<string, ProofGraphEdge> _edges = new();
private readonly ConcurrentDictionary<string, List<string>> _outgoingEdges = new();
private readonly ConcurrentDictionary<string, List<string>> _incomingEdges = new();
private readonly TimeProvider _timeProvider;
public InMemoryProofGraphService(TimeProvider? timeProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
}
/// <inheritdoc />
public Task<ProofGraphNode> AddNodeAsync(
ProofGraphNodeType type,
string contentDigest,
IReadOnlyDictionary<string, object>? metadata = null,
CancellationToken ct = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(contentDigest);
var nodeId = $"{type.ToString().ToLowerInvariant()}:{contentDigest}";
var node = new ProofGraphNode
{
Id = nodeId,
Type = type,
ContentDigest = contentDigest,
CreatedAt = _timeProvider.GetUtcNow(),
Metadata = metadata
};
if (!_nodes.TryAdd(nodeId, node))
{
// Node already exists, return the existing one
node = _nodes[nodeId];
}
return Task.FromResult(node);
}
/// <inheritdoc />
public Task<ProofGraphEdge> AddEdgeAsync(
string sourceId,
string targetId,
ProofGraphEdgeType edgeType,
CancellationToken ct = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(sourceId);
ArgumentException.ThrowIfNullOrWhiteSpace(targetId);
if (!_nodes.ContainsKey(sourceId))
{
throw new ArgumentException($"Source node '{sourceId}' does not exist.", nameof(sourceId));
}
if (!_nodes.ContainsKey(targetId))
{
throw new ArgumentException($"Target node '{targetId}' does not exist.", nameof(targetId));
}
var edgeId = $"{sourceId}->{edgeType}->{targetId}";
var edge = new ProofGraphEdge
{
Id = edgeId,
SourceId = sourceId,
TargetId = targetId,
Type = edgeType,
CreatedAt = _timeProvider.GetUtcNow()
};
if (_edges.TryAdd(edgeId, edge))
{
// Add to adjacency lists
_outgoingEdges.AddOrUpdate(
sourceId,
_ => [edgeId],
(_, list) => { lock (list) { list.Add(edgeId); } return list; });
_incomingEdges.AddOrUpdate(
targetId,
_ => [edgeId],
(_, list) => { lock (list) { list.Add(edgeId); } return list; });
}
else
{
// Edge already exists
edge = _edges[edgeId];
}
return Task.FromResult(edge);
}
/// <inheritdoc />
public Task<ProofGraphNode?> GetNodeAsync(string nodeId, CancellationToken ct = default)
{
_nodes.TryGetValue(nodeId, out var node);
return Task.FromResult(node);
}
/// <inheritdoc />
public Task<ProofGraphPath?> FindPathAsync(
string sourceId,
string targetId,
CancellationToken ct = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(sourceId);
ArgumentException.ThrowIfNullOrWhiteSpace(targetId);
if (!_nodes.ContainsKey(sourceId) || !_nodes.ContainsKey(targetId))
{
return Task.FromResult<ProofGraphPath?>(null);
}
// BFS to find shortest path
var visited = new HashSet<string>();
var queue = new Queue<(string nodeId, List<string> path)>();
queue.Enqueue((sourceId, [sourceId]));
visited.Add(sourceId);
while (queue.Count > 0)
{
var (currentId, path) = queue.Dequeue();
if (currentId == targetId)
{
// Found path, reconstruct nodes and edges
var nodes = path.Select(id => _nodes[id]).ToList();
var edges = new List<ProofGraphEdge>();
for (int i = 0; i < path.Count - 1; i++)
{
var edgeIds = _outgoingEdges.GetValueOrDefault(path[i], []);
var edge = edgeIds
.Select(eid => _edges[eid])
.FirstOrDefault(e => e.TargetId == path[i + 1]);
if (edge != null)
{
edges.Add(edge);
}
}
return Task.FromResult<ProofGraphPath?>(new ProofGraphPath
{
Nodes = nodes,
Edges = edges
});
}
var outgoing = _outgoingEdges.GetValueOrDefault(currentId, []);
foreach (var edgeId in outgoing)
{
var edge = _edges[edgeId];
if (!visited.Contains(edge.TargetId))
{
visited.Add(edge.TargetId);
var newPath = new List<string>(path) { edge.TargetId };
queue.Enqueue((edge.TargetId, newPath));
}
}
}
return Task.FromResult<ProofGraphPath?>(null);
}
/// <inheritdoc />
public Task<ProofGraphSubgraph> GetArtifactSubgraphAsync(
string artifactId,
int maxDepth = 5,
CancellationToken ct = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(artifactId);
var nodes = new Dictionary<string, ProofGraphNode>();
var edges = new List<ProofGraphEdge>();
var visited = new HashSet<string>();
var queue = new Queue<(string nodeId, int depth)>();
if (_nodes.TryGetValue(artifactId, out var rootNode))
{
nodes[artifactId] = rootNode;
queue.Enqueue((artifactId, 0));
visited.Add(artifactId);
}
while (queue.Count > 0)
{
var (currentId, depth) = queue.Dequeue();
if (depth >= maxDepth)
{
continue;
}
// Process outgoing edges
var outgoing = _outgoingEdges.GetValueOrDefault(currentId, []);
foreach (var edgeId in outgoing)
{
var edge = _edges[edgeId];
edges.Add(edge);
if (!visited.Contains(edge.TargetId) && _nodes.TryGetValue(edge.TargetId, out var targetNode))
{
visited.Add(edge.TargetId);
nodes[edge.TargetId] = targetNode;
queue.Enqueue((edge.TargetId, depth + 1));
}
}
// Process incoming edges
var incoming = _incomingEdges.GetValueOrDefault(currentId, []);
foreach (var edgeId in incoming)
{
var edge = _edges[edgeId];
edges.Add(edge);
if (!visited.Contains(edge.SourceId) && _nodes.TryGetValue(edge.SourceId, out var sourceNode))
{
visited.Add(edge.SourceId);
nodes[edge.SourceId] = sourceNode;
queue.Enqueue((edge.SourceId, depth + 1));
}
}
}
return Task.FromResult(new ProofGraphSubgraph
{
RootNodeId = artifactId,
Nodes = nodes.Values.ToList(),
Edges = edges.Distinct().ToList(),
MaxDepth = maxDepth
});
}
/// <inheritdoc />
public Task<IReadOnlyList<ProofGraphEdge>> GetOutgoingEdgesAsync(
string nodeId,
CancellationToken ct = default)
{
var edgeIds = _outgoingEdges.GetValueOrDefault(nodeId, []);
var edges = edgeIds.Select(id => _edges[id]).ToList();
return Task.FromResult<IReadOnlyList<ProofGraphEdge>>(edges);
}
/// <inheritdoc />
public Task<IReadOnlyList<ProofGraphEdge>> GetIncomingEdgesAsync(
string nodeId,
CancellationToken ct = default)
{
var edgeIds = _incomingEdges.GetValueOrDefault(nodeId, []);
var edges = edgeIds.Select(id => _edges[id]).ToList();
return Task.FromResult<IReadOnlyList<ProofGraphEdge>>(edges);
}
/// <summary>
/// Clears all nodes and edges (for testing).
/// </summary>
public void Clear()
{
_nodes.Clear();
_edges.Clear();
_outgoingEdges.Clear();
_incomingEdges.Clear();
}
/// <summary>
/// Gets the total number of nodes.
/// </summary>
public int NodeCount => _nodes.Count;
/// <summary>
/// Gets the total number of edges.
/// </summary>
public int EdgeCount => _edges.Count;
}

251
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/IJsonSchemaValidator.cs Normal file
View File

@@ -0,0 +1,251 @@
using System.Text.Json;
using System.Text.Json.Nodes;
namespace StellaOps.Attestor.ProofChain.Json;
/// <summary>
/// JSON Schema validation result.
/// </summary>
public sealed record SchemaValidationResult
{
/// <summary>
/// Whether the JSON is valid against the schema.
/// </summary>
public required bool IsValid { get; init; }
/// <summary>
/// Validation errors if any.
/// </summary>
public required IReadOnlyList<SchemaValidationError> Errors { get; init; }
/// <summary>
/// Create a successful validation result.
/// </summary>
public static SchemaValidationResult Success() => new()
{
IsValid = true,
Errors = []
};
/// <summary>
/// Create a failed validation result.
/// </summary>
public static SchemaValidationResult Failure(params SchemaValidationError[] errors) => new()
{
IsValid = false,
Errors = errors
};
}
/// <summary>
/// A single schema validation error.
/// </summary>
public sealed record SchemaValidationError
{
/// <summary>
/// JSON pointer to the error location.
/// </summary>
public required string Path { get; init; }
/// <summary>
/// Error message.
/// </summary>
public required string Message { get; init; }
/// <summary>
/// Schema keyword that failed (e.g., "required", "type").
/// </summary>
public string? Keyword { get; init; }
}
/// <summary>
/// Service for validating JSON against schemas.
/// </summary>
public interface IJsonSchemaValidator
{
/// <summary>
/// Validate JSON against a schema by predicate type.
/// </summary>
/// <param name="json">The JSON to validate.</param>
/// <param name="predicateType">The predicate type (e.g., "evidence.stella/v1").</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The validation result.</returns>
Task<SchemaValidationResult> ValidatePredicateAsync(
string json,
string predicateType,
CancellationToken ct = default);
/// <summary>
/// Validate a statement against its predicate type schema.
/// </summary>
/// <typeparam name="T">The statement type.</typeparam>
/// <param name="statement">The statement to validate.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The validation result.</returns>
Task<SchemaValidationResult> ValidateStatementAsync<T>(
T statement,
CancellationToken ct = default) where T : Statements.InTotoStatement;
/// <summary>
/// Check if a predicate type has a registered schema.
/// </summary>
/// <param name="predicateType">The predicate type.</param>
/// <returns>True if a schema is registered.</returns>
bool HasSchema(string predicateType);
}
/// <summary>
/// Default implementation of JSON Schema validation.
/// </summary>
public sealed class PredicateSchemaValidator : IJsonSchemaValidator
{
private static readonly Dictionary<string, JsonDocument> _schemas = new();
/// <summary>
/// Static initializer to load embedded schemas.
/// </summary>
static PredicateSchemaValidator()
{
// TODO: Load schemas from embedded resources
// These would be in src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Schemas/
}
/// <inheritdoc />
public async Task<SchemaValidationResult> ValidatePredicateAsync(
string json,
string predicateType,
CancellationToken ct = default)
{
if (!HasSchema(predicateType))
{
return SchemaValidationResult.Failure(new SchemaValidationError
{
Path = "/",
Message = $"No schema registered for predicate type: {predicateType}",
Keyword = "predicateType"
});
}
try
{
var document = JsonDocument.Parse(json);
// TODO: Implement actual JSON Schema validation
// For now, do basic structural checks
var root = document.RootElement;
var errors = new List<SchemaValidationError>();
// Validate required fields based on predicate type
switch (predicateType)
{
case "evidence.stella/v1":
errors.AddRange(ValidateEvidencePredicate(root));
break;
case "reasoning.stella/v1":
errors.AddRange(ValidateReasoningPredicate(root));
break;
case "cdx-vex.stella/v1":
errors.AddRange(ValidateVexPredicate(root));
break;
case "proofspine.stella/v1":
errors.AddRange(ValidateProofSpinePredicate(root));
break;
case "verdict.stella/v1":
errors.AddRange(ValidateVerdictPredicate(root));
break;
}
return errors.Count > 0
? SchemaValidationResult.Failure(errors.ToArray())
: SchemaValidationResult.Success();
}
catch (JsonException ex)
{
return SchemaValidationResult.Failure(new SchemaValidationError
{
Path = "/",
Message = $"Invalid JSON: {ex.Message}",
Keyword = "format"
});
}
}
/// <inheritdoc />
public async Task<SchemaValidationResult> ValidateStatementAsync<T>(
T statement,
CancellationToken ct = default) where T : Statements.InTotoStatement
{
var json = System.Text.Json.JsonSerializer.Serialize(statement);
return await ValidatePredicateAsync(json, statement.PredicateType, ct);
}
/// <inheritdoc />
public bool HasSchema(string predicateType)
{
return predicateType switch
{
"evidence.stella/v1" => true,
"reasoning.stella/v1" => true,
"cdx-vex.stella/v1" => true,
"proofspine.stella/v1" => true,
"verdict.stella/v1" => true,
"https://stella-ops.org/predicates/sbom-linkage/v1" => true,
_ => false
};
}
private static IEnumerable<SchemaValidationError> ValidateEvidencePredicate(JsonElement root)
{
// Required: scanToolName, scanToolVersion, timestamp
if (!root.TryGetProperty("scanToolName", out _))
yield return new() { Path = "/scanToolName", Message = "Required property missing", Keyword = "required" };
if (!root.TryGetProperty("scanToolVersion", out _))
yield return new() { Path = "/scanToolVersion", Message = "Required property missing", Keyword = "required" };
if (!root.TryGetProperty("timestamp", out _))
yield return new() { Path = "/timestamp", Message = "Required property missing", Keyword = "required" };
}
private static IEnumerable<SchemaValidationError> ValidateReasoningPredicate(JsonElement root)
{
// Required: policyId, policyVersion, evaluatedAt
if (!root.TryGetProperty("policyId", out _))
yield return new() { Path = "/policyId", Message = "Required property missing", Keyword = "required" };
if (!root.TryGetProperty("policyVersion", out _))
yield return new() { Path = "/policyVersion", Message = "Required property missing", Keyword = "required" };
if (!root.TryGetProperty("evaluatedAt", out _))
yield return new() { Path = "/evaluatedAt", Message = "Required property missing", Keyword = "required" };
}
private static IEnumerable<SchemaValidationError> ValidateVexPredicate(JsonElement root)
{
// Required: vulnerability, status
if (!root.TryGetProperty("vulnerability", out _))
yield return new() { Path = "/vulnerability", Message = "Required property missing", Keyword = "required" };
if (!root.TryGetProperty("status", out _))
yield return new() { Path = "/status", Message = "Required property missing", Keyword = "required" };
}
private static IEnumerable<SchemaValidationError> ValidateProofSpinePredicate(JsonElement root)
{
// Required: sbomEntryId, evidenceIds, proofBundleId
if (!root.TryGetProperty("sbomEntryId", out _))
yield return new() { Path = "/sbomEntryId", Message = "Required property missing", Keyword = "required" };
if (!root.TryGetProperty("evidenceIds", out _))
yield return new() { Path = "/evidenceIds", Message = "Required property missing", Keyword = "required" };
if (!root.TryGetProperty("proofBundleId", out _))
yield return new() { Path = "/proofBundleId", Message = "Required property missing", Keyword = "required" };
}
private static IEnumerable<SchemaValidationError> ValidateVerdictPredicate(JsonElement root)
{
// Required: proofBundleId, result, verifiedAt
if (!root.TryGetProperty("proofBundleId", out _))
yield return new() { Path = "/proofBundleId", Message = "Required property missing", Keyword = "required" };
if (!root.TryGetProperty("result", out _))
yield return new() { Path = "/result", Message = "Required property missing", Keyword = "required" };
if (!root.TryGetProperty("verifiedAt", out _))
yield return new() { Path = "/verifiedAt", Message = "Required property missing", Keyword = "required" };
}
}

135
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Merkle/DeterministicMerkleTreeBuilder.cs
View File

@@ -4,9 +4,24 @@ using System.Security.Cryptography;
namespace StellaOps.Attestor.ProofChain.Merkle;
/// <summary>
/// Deterministic merkle tree builder using SHA-256.
/// Follows proof chain construction algorithm:
/// - Lexicographic sorting of evidence IDs
/// - Padding to power of 2 by duplicating last leaf
/// - Left || Right concatenation for internal nodes
/// </summary>
public sealed class DeterministicMerkleTreeBuilder : IMerkleTreeBuilder
{
/// <inheritdoc />
public byte[] ComputeMerkleRoot(IReadOnlyList<ReadOnlyMemory<byte>> leafValues)
{
var tree = BuildTree(leafValues);
return tree.Root;
}
/// <inheritdoc />
public MerkleTreeWithProofs BuildTree(IReadOnlyList<ReadOnlyMemory<byte>> leafValues)
{
ArgumentNullException.ThrowIfNull(leafValues);
@@ -15,36 +30,123 @@ public sealed class DeterministicMerkleTreeBuilder : IMerkleTreeBuilder
throw new ArgumentException("At least one leaf is required.", nameof(leafValues));
}
var hashes = new List<byte[]>(PadToPowerOfTwo(leafValues.Count));
var levels = new List<IReadOnlyList<byte[]>>();
// Level 0: Hash all leaf values
var leafHashes = new List<byte[]>(PadToPowerOfTwo(leafValues.Count));
for (var i = 0; i < leafValues.Count; i++)
{
hashes.Add(SHA256.HashData(leafValues[i].Span));
leafHashes.Add(SHA256.HashData(leafValues[i].Span));
}
// Pad with duplicate of last leaf hash (deterministic).
var target = hashes.Capacity;
while (hashes.Count < target)
// Pad with duplicate of last leaf hash (deterministic)
var target = leafHashes.Capacity;
while (leafHashes.Count < target)
{
hashes.Add(hashes[^1]);
leafHashes.Add(leafHashes[^1]);
}
return ComputeRootFromLeafHashes(hashes);
}
levels.Add(leafHashes);
private static byte[] ComputeRootFromLeafHashes(List<byte[]> hashes)
// Build tree bottom-up
var currentLevel = leafHashes;
while (currentLevel.Count > 1)
{
while (hashes.Count > 1)
var nextLevel = new List<byte[]>(currentLevel.Count / 2);
for (var i = 0; i < currentLevel.Count; i += 2)
{
var next = new List<byte[]>(hashes.Count / 2);
for (var i = 0; i < hashes.Count; i += 2)
{
next.Add(HashInternal(hashes[i], hashes[i + 1]));
nextLevel.Add(HashInternal(currentLevel[i], currentLevel[i + 1]));
}
levels.Add(nextLevel);
currentLevel = nextLevel;
}
hashes = next;
return new MerkleTreeWithProofs
{
Root = currentLevel[0],
Leaves = leafHashes,
Levels = levels
};
}
return hashes[0];
/// <inheritdoc />
public MerkleProof GenerateProof(MerkleTreeWithProofs tree, int leafIndex)
{
ArgumentNullException.ThrowIfNull(tree);
if (leafIndex < 0 || leafIndex >= tree.Leaves.Count)
{
throw new ArgumentOutOfRangeException(nameof(leafIndex),
$"Leaf index must be between 0 and {tree.Leaves.Count - 1}.");
}
var steps = new List<MerkleProofStep>();
var currentIndex = leafIndex;
for (var level = 0; level < tree.Levels.Count - 1; level++)
{
var currentLevel = tree.Levels[level];
// Find sibling
int siblingIndex;
bool isRight;
if (currentIndex % 2 == 0)
{
// Current is left child, sibling is right
siblingIndex = currentIndex + 1;
isRight = true;
}
else
{
// Current is right child, sibling is left
siblingIndex = currentIndex - 1;
isRight = false;
}
steps.Add(new MerkleProofStep
{
SiblingHash = currentLevel[siblingIndex],
IsRight = isRight
});
// Move to parent index
currentIndex /= 2;
}
return new MerkleProof
{
LeafIndex = leafIndex,
LeafHash = tree.Leaves[leafIndex],
Steps = steps
};
}
/// <inheritdoc />
public bool VerifyProof(MerkleProof proof, ReadOnlySpan<byte> leafValue, ReadOnlySpan<byte> expectedRoot)
{
ArgumentNullException.ThrowIfNull(proof);
// Hash the leaf value
var currentHash = SHA256.HashData(leafValue);
// Walk up the tree
foreach (var step in proof.Steps)
{
if (step.IsRight)
{
// Sibling is on the right: H(current || sibling)
currentHash = HashInternal(currentHash, step.SiblingHash);
}
else
{
// Sibling is on the left: H(sibling || current)
currentHash = HashInternal(step.SiblingHash, currentHash);
}
}
// Compare with expected root
return currentHash.AsSpan().SequenceEqual(expectedRoot);
}
private static int PadToPowerOfTwo(int count)
@@ -66,3 +168,4 @@ public sealed class DeterministicMerkleTreeBuilder : IMerkleTreeBuilder
}
}

95
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Merkle/IMerkleTreeBuilder.cs
View File

@@ -3,8 +3,103 @@ using System.Collections.Generic;
namespace StellaOps.Attestor.ProofChain.Merkle;
/// <summary>
/// Builder for deterministic merkle trees used in proof chain construction.
/// </summary>
public interface IMerkleTreeBuilder
{
/// <summary>
/// Compute the merkle root from leaf values.
/// </summary>
/// <param name="leafValues">The leaf values to hash.</param>
/// <returns>The merkle root hash.</returns>
byte[] ComputeMerkleRoot(IReadOnlyList<ReadOnlyMemory<byte>> leafValues);
/// <summary>
/// Build a full merkle tree with proof generation capability.
/// </summary>
/// <param name="leafValues">The leaf values to hash.</param>
/// <returns>A merkle tree with proof generation.</returns>
MerkleTreeWithProofs BuildTree(IReadOnlyList<ReadOnlyMemory<byte>> leafValues);
/// <summary>
/// Generate a merkle proof for a specific leaf.
/// </summary>
/// <param name="tree">The merkle tree.</param>
/// <param name="leafIndex">The index of the leaf to prove.</param>
/// <returns>The merkle proof.</returns>
MerkleProof GenerateProof(MerkleTreeWithProofs tree, int leafIndex);
/// <summary>
/// Verify a merkle proof.
/// </summary>
/// <param name="proof">The merkle proof.</param>
/// <param name="leafValue">The leaf value being proven.</param>
/// <param name="expectedRoot">The expected merkle root.</param>
/// <returns>True if the proof is valid.</returns>
bool VerifyProof(MerkleProof proof, ReadOnlySpan<byte> leafValue, ReadOnlySpan<byte> expectedRoot);
}
/// <summary>
/// A merkle tree with all internal nodes stored for proof generation.
/// </summary>
public sealed record MerkleTreeWithProofs
{
/// <summary>
/// The merkle root.
/// </summary>
public required byte[] Root { get; init; }
/// <summary>
/// The leaf hashes (level 0).
/// </summary>
public required IReadOnlyList<byte[]> Leaves { get; init; }
/// <summary>
/// All levels of the tree, from leaves (index 0) to root.
/// </summary>
public required IReadOnlyList<IReadOnlyList<byte[]>> Levels { get; init; }
/// <summary>
/// The depth of the tree (number of levels - 1).
/// </summary>
public int Depth => Levels.Count - 1;
}
/// <summary>
/// A merkle proof for a specific leaf.
/// </summary>
public sealed record MerkleProof
{
/// <summary>
/// The index of the leaf in the original list.
/// </summary>
public required int LeafIndex { get; init; }
/// <summary>
/// The hash of the leaf.
/// </summary>
public required byte[] LeafHash { get; init; }
/// <summary>
/// The sibling hashes needed to reconstruct the root, from bottom to top.
/// </summary>
public required IReadOnlyList<MerkleProofStep> Steps { get; init; }
}
/// <summary>
/// A single step in a merkle proof.
/// </summary>
public sealed record MerkleProofStep
{
/// <summary>
/// The sibling hash at this level.
/// </summary>
public required byte[] SiblingHash { get; init; }
/// <summary>
/// Whether the sibling is on the right (true) or left (false).
/// </summary>
public required bool IsRight { get; init; }
}

Some files were not shown because too many files have changed in this diff Show More