stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Reachability Corpus Validation / validate-corpus (push) Has been cancelled
Details
Reachability Corpus Validation / validate-ground-truths (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Reachability Corpus Validation / determinism-check (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-14 15:50:38 +02:00
parent f1a39c4ce3
commit 233873f620
249 changed files with 29746 additions and 154 deletions
Download Patch File Download Diff File Expand all files Collapse all files

177
src/Aoc/StellaOps.Aoc.Cli/Commands/VerifyCommand.cs Normal file
View File

@@ -0,0 +1,177 @@
using System.CommandLine;
using System.CommandLine.Invocation;
using System.Text.Json;
using StellaOps.Aoc.Cli.Models;
using StellaOps.Aoc.Cli.Services;
namespace StellaOps.Aoc.Cli.Commands;
public static class VerifyCommand
{
public static Command Create()
{
var sinceOption = new Option<string>(
aliases: ["--since", "-s"],
description: "Git commit SHA or ISO timestamp to verify from")
{
IsRequired = true
};
var mongoOption = new Option<string?>(
aliases: ["--mongo", "-m"],
description: "MongoDB connection string (legacy support)");
var postgresOption = new Option<string?>(
aliases: ["--postgres", "-p"],
description: "PostgreSQL connection string");
var outputOption = new Option<string?>(
aliases: ["--output", "-o"],
description: "Path for JSON output report");
var ndjsonOption = new Option<string?>(
aliases: ["--ndjson", "-n"],
description: "Path for NDJSON output (one violation per line)");
var tenantOption = new Option<string?>(
aliases: ["--tenant", "-t"],
description: "Filter by tenant ID");
var dryRunOption = new Option<bool>(
aliases: ["--dry-run"],
description: "Validate configuration without querying database",
getDefaultValue: () => false);
var verboseOption = new Option<bool>(
aliases: ["--verbose", "-v"],
description: "Enable verbose output",
getDefaultValue: () => false);
var command = new Command("verify", "Verify AOC compliance for documents since a given point")
{
sinceOption,
mongoOption,
postgresOption,
outputOption,
ndjsonOption,
tenantOption,
dryRunOption,
verboseOption
};
command.SetHandler(async (context) =>
{
var since = context.ParseResult.GetValueForOption(sinceOption)!;
var mongo = context.ParseResult.GetValueForOption(mongoOption);
var postgres = context.ParseResult.GetValueForOption(postgresOption);
var output = context.ParseResult.GetValueForOption(outputOption);
var ndjson = context.ParseResult.GetValueForOption(ndjsonOption);
var tenant = context.ParseResult.GetValueForOption(tenantOption);
var dryRun = context.ParseResult.GetValueForOption(dryRunOption);
var verbose = context.ParseResult.GetValueForOption(verboseOption);
var options = new VerifyOptions
{
Since = since,
MongoConnectionString = mongo,
PostgresConnectionString = postgres,
OutputPath = output,
NdjsonPath = ndjson,
Tenant = tenant,
DryRun = dryRun,
Verbose = verbose
};
var exitCode = await ExecuteAsync(options, context.GetCancellationToken());
context.ExitCode = exitCode;
});
return command;
}
private static async Task<int> ExecuteAsync(VerifyOptions options, CancellationToken cancellationToken)
{
if (options.Verbose)
{
Console.WriteLine($"AOC Verify starting...");
Console.WriteLine($" Since: {options.Since}");
Console.WriteLine($" Tenant: {options.Tenant ?? "(all)"}");
Console.WriteLine($" Dry run: {options.DryRun}");
}
// Validate connection string is provided
if (string.IsNullOrEmpty(options.MongoConnectionString) && string.IsNullOrEmpty(options.PostgresConnectionString))
{
Console.Error.WriteLine("Error: Either --mongo or --postgres connection string is required");
return 1;
}
if (options.DryRun)
{
Console.WriteLine("Dry run mode - configuration validated successfully");
return 0;
}
try
{
var service = new AocVerificationService();
var result = await service.VerifyAsync(options, cancellationToken);
// Write JSON output if requested
if (!string.IsNullOrEmpty(options.OutputPath))
{
var json = JsonSerializer.Serialize(result, new JsonSerializerOptions
{
WriteIndented = true,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
});
await File.WriteAllTextAsync(options.OutputPath, json, cancellationToken);
if (options.Verbose)
{
Console.WriteLine($"JSON report written to: {options.OutputPath}");
}
}
// Write NDJSON output if requested
if (!string.IsNullOrEmpty(options.NdjsonPath))
{
var ndjsonLines = result.Violations.Select(v =>
JsonSerializer.Serialize(v, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase }));
await File.WriteAllLinesAsync(options.NdjsonPath, ndjsonLines, cancellationToken);
if (options.Verbose)
{
Console.WriteLine($"NDJSON report written to: {options.NdjsonPath}");
}
}
// Output summary
Console.WriteLine($"AOC Verification Complete");
Console.WriteLine($" Documents scanned: {result.DocumentsScanned}");
Console.WriteLine($" Violations found: {result.ViolationCount}");
Console.WriteLine($" Duration: {result.DurationMs}ms");
if (result.ViolationCount > 0)
{
Console.WriteLine();
Console.WriteLine("Violations by type:");
foreach (var group in result.Violations.GroupBy(v => v.Code))
{
Console.WriteLine($" {group.Key}: {group.Count()}");
}
}
return result.ViolationCount > 0 ? 2 : 0;
}
catch (Exception ex)
{
Console.Error.WriteLine($"Error during verification: {ex.Message}");
if (options.Verbose)
{
Console.Error.WriteLine(ex.StackTrace);
}
return 1;
}
}
}

57
src/Aoc/StellaOps.Aoc.Cli/Models/VerificationResult.cs Normal file
View File

@@ -0,0 +1,57 @@
using System.Text.Json.Serialization;
namespace StellaOps.Aoc.Cli.Models;
public sealed class VerificationResult
{
[JsonPropertyName("since")]
public required string Since { get; init; }
[JsonPropertyName("tenant")]
public string? Tenant { get; init; }
[JsonPropertyName("verifiedAt")]
public DateTimeOffset VerifiedAt { get; init; } = DateTimeOffset.UtcNow;
[JsonPropertyName("documentsScanned")]
public int DocumentsScanned { get; set; }
[JsonPropertyName("violationCount")]
public int ViolationCount => Violations.Count;
[JsonPropertyName("violations")]
public List<DocumentViolation> Violations { get; init; } = [];
[JsonPropertyName("durationMs")]
public long DurationMs { get; set; }
[JsonPropertyName("status")]
public string Status => ViolationCount == 0 ? "PASS" : "FAIL";
}
public sealed class DocumentViolation
{
[JsonPropertyName("documentId")]
public required string DocumentId { get; init; }
[JsonPropertyName("collection")]
public required string Collection { get; init; }
[JsonPropertyName("code")]
public required string Code { get; init; }
[JsonPropertyName("path")]
public required string Path { get; init; }
[JsonPropertyName("message")]
public required string Message { get; init; }
[JsonPropertyName("tenant")]
public string? Tenant { get; init; }
[JsonPropertyName("detectedAt")]
public DateTimeOffset DetectedAt { get; init; } = DateTimeOffset.UtcNow;
[JsonPropertyName("documentTimestamp")]
public DateTimeOffset? DocumentTimestamp { get; init; }
}

13
src/Aoc/StellaOps.Aoc.Cli/Models/VerifyOptions.cs Normal file
View File

@@ -0,0 +1,13 @@
namespace StellaOps.Aoc.Cli.Models;
public sealed class VerifyOptions
{
public required string Since { get; init; }
public string? MongoConnectionString { get; init; }
public string? PostgresConnectionString { get; init; }
public string? OutputPath { get; init; }
public string? NdjsonPath { get; init; }
public string? Tenant { get; init; }
public bool DryRun { get; init; }
public bool Verbose { get; init; }
}

18
src/Aoc/StellaOps.Aoc.Cli/Program.cs Normal file
View File

@@ -0,0 +1,18 @@
using System.CommandLine;
using System.Text.Json;
using StellaOps.Aoc.Cli.Commands;
namespace StellaOps.Aoc.Cli;
public static class Program
{
public static async Task<int> Main(string[] args)
{
var rootCommand = new RootCommand("StellaOps AOC CLI - Verify append-only contract compliance")
{
VerifyCommand.Create()
};
return await rootCommand.InvokeAsync(args);
}
}

256
src/Aoc/StellaOps.Aoc.Cli/Services/AocVerificationService.cs Normal file
View File

@@ -0,0 +1,256 @@
using System.Diagnostics;
using System.Text.Json;
using Npgsql;
using StellaOps.Aoc.Cli.Models;
namespace StellaOps.Aoc.Cli.Services;
public sealed class AocVerificationService
{
private readonly AocWriteGuard _guard = new();
public async Task<VerificationResult> VerifyAsync(VerifyOptions options, CancellationToken cancellationToken = default)
{
var stopwatch = Stopwatch.StartNew();
var result = new VerificationResult
{
Since = options.Since,
Tenant = options.Tenant
};
// Parse the since parameter
var sinceTimestamp = ParseSinceParameter(options.Since);
// Route to appropriate database verification
if (!string.IsNullOrEmpty(options.PostgresConnectionString))
{
await VerifyPostgresAsync(options.PostgresConnectionString, sinceTimestamp, options.Tenant, result, cancellationToken);
}
else if (!string.IsNullOrEmpty(options.MongoConnectionString))
{
// MongoDB support - for legacy verification
// Note: The codebase is transitioning to PostgreSQL
await VerifyMongoAsync(options.MongoConnectionString, sinceTimestamp, options.Tenant, result, cancellationToken);
}
stopwatch.Stop();
result.DurationMs = stopwatch.ElapsedMilliseconds;
return result;
}
private static DateTimeOffset ParseSinceParameter(string since)
{
// Try parsing as ISO timestamp first
if (DateTimeOffset.TryParse(since, out var timestamp))
{
return timestamp;
}
// If it looks like a git commit SHA, use current time minus a default window
// In a real implementation, we'd query git for the commit timestamp
if (since.Length >= 7 && since.All(c => char.IsLetterOrDigit(c)))
{
// Default to 24 hours ago for commit-based queries
// The actual implementation would resolve the commit timestamp
return DateTimeOffset.UtcNow.AddHours(-24);
}
// Default fallback
return DateTimeOffset.UtcNow.AddDays(-1);
}
private async Task VerifyPostgresAsync(
string connectionString,
DateTimeOffset since,
string? tenant,
VerificationResult result,
CancellationToken cancellationToken)
{
await using var connection = new NpgsqlConnection(connectionString);
await connection.OpenAsync(cancellationToken);
// Query advisory_raw documents from Concelier
await VerifyConcelierDocumentsAsync(connection, since, tenant, result, cancellationToken);
// Query VEX documents from Excititor
await VerifyExcititorDocumentsAsync(connection, since, tenant, result, cancellationToken);
}
private async Task VerifyConcelierDocumentsAsync(
NpgsqlConnection connection,
DateTimeOffset since,
string? tenant,
VerificationResult result,
CancellationToken cancellationToken)
{
var sql = """
SELECT id, tenant, content, created_at
FROM concelier.advisory_raw
WHERE created_at >= @since
""";
if (!string.IsNullOrEmpty(tenant))
{
sql += " AND tenant = @tenant";
}
await using var cmd = new NpgsqlCommand(sql, connection);
cmd.Parameters.AddWithValue("since", since);
if (!string.IsNullOrEmpty(tenant))
{
cmd.Parameters.AddWithValue("tenant", tenant);
}
try
{
await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
while (await reader.ReadAsync(cancellationToken))
{
result.DocumentsScanned++;
var docId = reader.GetString(0);
var docTenant = reader.IsDBNull(1) ? null : reader.GetString(1);
var contentJson = reader.GetString(2);
var createdAt = reader.GetDateTime(3);
try
{
using var doc = JsonDocument.Parse(contentJson);
var guardResult = _guard.Validate(doc.RootElement);
foreach (var violation in guardResult.Violations)
{
result.Violations.Add(new DocumentViolation
{
DocumentId = docId,
Collection = "concelier.advisory_raw",
Code = violation.Code.ToErrorCode(),
Path = violation.Path,
Message = violation.Message,
Tenant = docTenant,
DocumentTimestamp = new DateTimeOffset(createdAt, TimeSpan.Zero)
});
}
}
catch (JsonException)
{
result.Violations.Add(new DocumentViolation
{
DocumentId = docId,
Collection = "concelier.advisory_raw",
Code = "ERR_AOC_PARSE",
Path = "/",
Message = "Document content is not valid JSON",
Tenant = docTenant,
DocumentTimestamp = new DateTimeOffset(createdAt, TimeSpan.Zero)
});
}
}
}
catch (PostgresException ex) when (ex.SqlState == "42P01") // relation does not exist
{
// Table doesn't exist - this is okay for fresh installations
Console.WriteLine("Note: concelier.advisory_raw table not found (may not be initialized)");
}
}
private async Task VerifyExcititorDocumentsAsync(
NpgsqlConnection connection,
DateTimeOffset since,
string? tenant,
VerificationResult result,
CancellationToken cancellationToken)
{
var sql = """
SELECT id, tenant, document, created_at
FROM excititor.vex_documents
WHERE created_at >= @since
""";
if (!string.IsNullOrEmpty(tenant))
{
sql += " AND tenant = @tenant";
}
await using var cmd = new NpgsqlCommand(sql, connection);
cmd.Parameters.AddWithValue("since", since);
if (!string.IsNullOrEmpty(tenant))
{
cmd.Parameters.AddWithValue("tenant", tenant);
}
try
{
await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
while (await reader.ReadAsync(cancellationToken))
{
result.DocumentsScanned++;
var docId = reader.GetString(0);
var docTenant = reader.IsDBNull(1) ? null : reader.GetString(1);
var contentJson = reader.GetString(2);
var createdAt = reader.GetDateTime(3);
try
{
using var doc = JsonDocument.Parse(contentJson);
var guardResult = _guard.Validate(doc.RootElement);
foreach (var violation in guardResult.Violations)
{
result.Violations.Add(new DocumentViolation
{
DocumentId = docId,
Collection = "excititor.vex_documents",
Code = violation.Code.ToErrorCode(),
Path = violation.Path,
Message = violation.Message,
Tenant = docTenant,
DocumentTimestamp = new DateTimeOffset(createdAt, TimeSpan.Zero)
});
}
}
catch (JsonException)
{
result.Violations.Add(new DocumentViolation
{
DocumentId = docId,
Collection = "excititor.vex_documents",
Code = "ERR_AOC_PARSE",
Path = "/",
Message = "Document content is not valid JSON",
Tenant = docTenant,
DocumentTimestamp = new DateTimeOffset(createdAt, TimeSpan.Zero)
});
}
}
}
catch (PostgresException ex) when (ex.SqlState == "42P01") // relation does not exist
{
// Table doesn't exist - this is okay for fresh installations
Console.WriteLine("Note: excititor.vex_documents table not found (may not be initialized)");
}
}
private Task VerifyMongoAsync(
string connectionString,
DateTimeOffset since,
string? tenant,
VerificationResult result,
CancellationToken cancellationToken)
{
// MongoDB support is deprecated - log warning and return empty result
Console.WriteLine("Warning: MongoDB verification is deprecated. The codebase is transitioning to PostgreSQL.");
Console.WriteLine(" Use --postgres instead of --mongo for production verification.");
// For backwards compatibility during transition, we don't fail
// but we also don't perform actual MongoDB queries
return Task.CompletedTask;
}
}

25
src/Aoc/StellaOps.Aoc.Cli/StellaOps.Aoc.Cli.csproj Normal file
View File

@@ -0,0 +1,25 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<LangVersion>preview</LangVersion>
<AssemblyName>stella-aoc</AssemblyName>
<RootNamespace>StellaOps.Aoc.Cli</RootNamespace>
<Description>StellaOps AOC CLI - Verify append-only contract compliance in advisory databases</Description>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="System.CommandLine" Version="2.0.0-beta4.22272.1" />
<PackageReference Include="Microsoft.Extensions.Logging" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Logging.Console" Version="10.0.0" />
<PackageReference Include="Npgsql" Version="9.0.2" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\__Libraries\StellaOps.Aoc\StellaOps.Aoc.csproj" />
</ItemGroup>
</Project>

12
src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/AnalyzerReleases.Shipped.md Normal file
View File

@@ -0,0 +1,12 @@
; Shipped analyzer releases
; https://github.com/dotnet/roslyn-analyzers/blob/main/src/Microsoft.CodeAnalysis.Analyzers/ReleaseTrackingAnalyzers.Help.md
## Release 1.0
### New Rules
Rule ID | Category | Severity | Notes
--------|----------|----------|-------
AOC0001 | AOC | Error | AocForbiddenFieldAnalyzer - Detects writes to forbidden fields
AOC0002 | AOC | Error | AocForbiddenFieldAnalyzer - Detects writes to derived fields
AOC0003 | AOC | Warning | AocForbiddenFieldAnalyzer - Detects unguarded database writes

7
src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/AnalyzerReleases.Unshipped.md Normal file
View File

@@ -0,0 +1,7 @@
; Unshipped analyzer changes
; https://github.com/dotnet/roslyn-analyzers/blob/main/src/Microsoft.CodeAnalysis.Analyzers/ReleaseTrackingAnalyzers.Help.md
### New Rules
Rule ID | Category | Severity | Notes
--------|----------|----------|-------

404
src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/AocForbiddenFieldAnalyzer.cs Normal file
View File

@@ -0,0 +1,404 @@
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;
using Microsoft.CodeAnalysis.Operations;
namespace StellaOps.Aoc.Analyzers;
/// <summary>
/// Roslyn analyzer that detects writes to AOC-forbidden fields during ingestion.
/// This prevents accidental overwrites of derived/computed fields that should only
/// be set by the merge/decisioning pipeline.
/// </summary>
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class AocForbiddenFieldAnalyzer : DiagnosticAnalyzer
{
public const string DiagnosticIdForbiddenField = "AOC0001";
public const string DiagnosticIdDerivedField = "AOC0002";
public const string DiagnosticIdUnguardedWrite = "AOC0003";
private static readonly ImmutableHashSet<string> ForbiddenTopLevel = ImmutableHashSet.Create(
StringComparer.OrdinalIgnoreCase,
"severity",
"cvss",
"cvss_vector",
"effective_status",
"effective_range",
"merged_from",
"consensus_provider",
"reachability",
"asset_criticality",
"risk_score");
private static readonly DiagnosticDescriptor ForbiddenFieldRule = new(
DiagnosticIdForbiddenField,
title: "AOC forbidden field write detected",
messageFormat: "Field '{0}' is forbidden in AOC ingestion context; this field is computed by the decisioning pipeline (ERR_AOC_001)",
category: "AOC",
defaultSeverity: DiagnosticSeverity.Error,
isEnabledByDefault: true,
description: "AOC (Append-Only Contracts) forbid writes to certain fields during ingestion. These fields are computed by downstream merge/decisioning pipelines and must not be set during initial data capture.",
helpLinkUri: "https://stella-ops.org/docs/aoc/forbidden-fields");
private static readonly DiagnosticDescriptor DerivedFieldRule = new(
DiagnosticIdDerivedField,
title: "AOC derived field write detected",
messageFormat: "Derived field '{0}' must not be written during ingestion; effective_* fields are computed post-merge (ERR_AOC_006)",
category: "AOC",
defaultSeverity: DiagnosticSeverity.Error,
isEnabledByDefault: true,
description: "Fields prefixed with 'effective_' are derived values computed after merge. Writing them during ingestion violates append-only contracts.",
helpLinkUri: "https://stella-ops.org/docs/aoc/derived-fields");
private static readonly DiagnosticDescriptor UnguardedWriteRule = new(
DiagnosticIdUnguardedWrite,
title: "AOC unguarded database write detected",
messageFormat: "Database write operation '{0}' detected without AOC guard validation; wrap with IAocGuard.Validate() (ERR_AOC_007)",
category: "AOC",
defaultSeverity: DiagnosticSeverity.Warning,
isEnabledByDefault: true,
description: "All database writes in ingestion pipelines should be validated by the AOC guard to ensure forbidden fields are not written.",
helpLinkUri: "https://stella-ops.org/docs/aoc/guard-usage");
public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics =>
ImmutableArray.Create(ForbiddenFieldRule, DerivedFieldRule, UnguardedWriteRule);
public override void Initialize(AnalysisContext context)
{
context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
context.EnableConcurrentExecution();
context.RegisterOperationAction(AnalyzeAssignment, OperationKind.SimpleAssignment);
context.RegisterOperationAction(AnalyzePropertyReference, OperationKind.PropertyReference);
context.RegisterOperationAction(AnalyzeInvocation, OperationKind.Invocation);
context.RegisterSyntaxNodeAction(AnalyzeObjectInitializer, SyntaxKind.ObjectInitializerExpression);
context.RegisterSyntaxNodeAction(AnalyzeAnonymousObjectMember, SyntaxKind.AnonymousObjectMemberDeclarator);
}
private static void AnalyzeAssignment(OperationAnalysisContext context)
{
if (context.Operation is not ISimpleAssignmentOperation assignment)
{
return;
}
if (!IsIngestionContext(context.ContainingSymbol))
{
return;
}
var targetName = GetTargetPropertyName(assignment.Target);
if (string.IsNullOrEmpty(targetName))
{
return;
}
CheckForbiddenField(context, targetName!, assignment.Syntax.GetLocation());
}
private static void AnalyzePropertyReference(OperationAnalysisContext context)
{
if (context.Operation is not IPropertyReferenceOperation propertyRef)
{
return;
}
if (!IsIngestionContext(context.ContainingSymbol))
{
return;
}
if (!IsWriteContext(propertyRef))
{
return;
}
var propertyName = propertyRef.Property.Name;
CheckForbiddenField(context, propertyName, propertyRef.Syntax.GetLocation());
}
private static void AnalyzeInvocation(OperationAnalysisContext context)
{
if (context.Operation is not IInvocationOperation invocation)
{
return;
}
if (!IsIngestionContext(context.ContainingSymbol))
{
return;
}
var method = invocation.TargetMethod;
var methodName = method.Name;
// Check for dictionary/document indexer writes with forbidden keys
if (IsDictionarySetOperation(method))
{
CheckDictionaryWriteArguments(context, invocation);
return;
}
// Check for unguarded database write operations
if (IsDatabaseWriteOperation(method))
{
if (!IsWithinAocGuardScope(invocation))
{
var diagnostic = Diagnostic.Create(
UnguardedWriteRule,
invocation.Syntax.GetLocation(),
$"{method.ContainingType?.Name}.{methodName}");
context.ReportDiagnostic(diagnostic);
}
}
}
private static void AnalyzeObjectInitializer(SyntaxNodeAnalysisContext context)
{
var initializer = (InitializerExpressionSyntax)context.Node;
if (!IsIngestionContext(context.ContainingSymbol))
{
return;
}
foreach (var expression in initializer.Expressions)
{
if (expression is AssignmentExpressionSyntax assignment)
{
var left = assignment.Left;
string? propertyName = left switch
{
IdentifierNameSyntax identifier => identifier.Identifier.Text,
_ => null
};
if (!string.IsNullOrEmpty(propertyName))
{
CheckForbiddenFieldSyntax(context, propertyName!, left.GetLocation());
}
}
}
}
private static void AnalyzeAnonymousObjectMember(SyntaxNodeAnalysisContext context)
{
var member = (AnonymousObjectMemberDeclaratorSyntax)context.Node;
if (!IsIngestionContext(context.ContainingSymbol))
{
return;
}
var name = member.NameEquals?.Name.Identifier.Text;
if (!string.IsNullOrEmpty(name))
{
CheckForbiddenFieldSyntax(context, name!, member.GetLocation());
}
}
private static void CheckForbiddenField(OperationAnalysisContext context, string fieldName, Location location)
{
if (ForbiddenTopLevel.Contains(fieldName))
{
var diagnostic = Diagnostic.Create(ForbiddenFieldRule, location, fieldName);
context.ReportDiagnostic(diagnostic);
return;
}
if (fieldName.StartsWith("effective_", StringComparison.OrdinalIgnoreCase))
{
var diagnostic = Diagnostic.Create(DerivedFieldRule, location, fieldName);
context.ReportDiagnostic(diagnostic);
}
}
private static void CheckForbiddenFieldSyntax(SyntaxNodeAnalysisContext context, string fieldName, Location location)
{
if (ForbiddenTopLevel.Contains(fieldName))
{
var diagnostic = Diagnostic.Create(ForbiddenFieldRule, location, fieldName);
context.ReportDiagnostic(diagnostic);
return;
}
if (fieldName.StartsWith("effective_", StringComparison.OrdinalIgnoreCase))
{
var diagnostic = Diagnostic.Create(DerivedFieldRule, location, fieldName);
context.ReportDiagnostic(diagnostic);
}
}
private static void CheckDictionaryWriteArguments(OperationAnalysisContext context, IInvocationOperation invocation)
{
foreach (var argument in invocation.Arguments)
{
if (argument.Value is ILiteralOperation literal && literal.ConstantValue.HasValue)
{
var value = literal.ConstantValue.Value?.ToString();
if (!string.IsNullOrEmpty(value))
{
CheckForbiddenField(context, value!, argument.Syntax.GetLocation());
}
}
}
}
private static string? GetTargetPropertyName(IOperation? target)
{
return target switch
{
IPropertyReferenceOperation propRef => propRef.Property.Name,
IFieldReferenceOperation fieldRef => fieldRef.Field.Name,
ILocalReferenceOperation localRef => localRef.Local.Name,
_ => null
};
}
private static bool IsWriteContext(IPropertyReferenceOperation propertyRef)
{
var parent = propertyRef.Parent;
return parent is ISimpleAssignmentOperation assignment && assignment.Target == propertyRef;
}
private static bool IsIngestionContext(ISymbol? containingSymbol)
{
if (containingSymbol is null)
{
return false;
}
var assemblyName = containingSymbol.ContainingAssembly?.Name;
if (string.IsNullOrEmpty(assemblyName))
{
return false;
}
// Allow analyzer assemblies and tests
if (assemblyName!.EndsWith(".Analyzers", StringComparison.Ordinal) ||
assemblyName.EndsWith(".Tests", StringComparison.Ordinal))
{
return false;
}
// Check for ingestion-related assemblies/namespaces
if (assemblyName.Contains(".Connector.", StringComparison.Ordinal) ||
assemblyName.Contains(".Ingestion", StringComparison.Ordinal) ||
assemblyName.EndsWith(".Connector", StringComparison.Ordinal))
{
return true;
}
// Check namespace for ingestion context
var ns = containingSymbol.ContainingNamespace?.ToDisplayString();
if (!string.IsNullOrEmpty(ns))
{
if (ns!.Contains(".Connector.", StringComparison.Ordinal) ||
ns.Contains(".Ingestion", StringComparison.Ordinal))
{
return true;
}
}
return false;
}
private static bool IsDictionarySetOperation(IMethodSymbol method)
{
var name = method.Name;
if (!string.Equals(name, "set_Item", StringComparison.Ordinal) &&
!string.Equals(name, "Add", StringComparison.Ordinal) &&
!string.Equals(name, "TryAdd", StringComparison.Ordinal) &&
!string.Equals(name, "Set", StringComparison.Ordinal))
{
return false;
}
var containingType = method.ContainingType;
if (containingType is null)
{
return false;
}
var typeName = containingType.ToDisplayString();
return typeName.Contains("Dictionary", StringComparison.Ordinal) ||
typeName.Contains("BsonDocument", StringComparison.Ordinal) ||
typeName.Contains("JsonObject", StringComparison.Ordinal) ||
typeName.Contains("JsonElement", StringComparison.Ordinal);
}
private static bool IsDatabaseWriteOperation(IMethodSymbol method)
{
var name = method.Name;
var writeOps = new[]
{
"InsertOne", "InsertOneAsync",
"InsertMany", "InsertManyAsync",
"UpdateOne", "UpdateOneAsync",
"UpdateMany", "UpdateManyAsync",
"ReplaceOne", "ReplaceOneAsync",
"BulkWrite", "BulkWriteAsync",
"ExecuteNonQuery", "ExecuteNonQueryAsync",
"SaveChanges", "SaveChangesAsync",
"Add", "AddAsync",
"Update", "UpdateAsync"
};
foreach (var op in writeOps)
{
if (string.Equals(name, op, StringComparison.Ordinal))
{
return true;
}
}
return false;
}
private static bool IsWithinAocGuardScope(IInvocationOperation invocation)
{
// Walk up the operation tree to find if we're within an AOC guard validation scope
var current = invocation.Parent;
var depth = 0;
const int maxDepth = 20;
while (current is not null && depth < maxDepth)
{
if (current is IInvocationOperation parentInvocation)
{
var method = parentInvocation.TargetMethod;
if (method.Name == "Validate" &&
method.ContainingType?.Name.Contains("AocGuard", StringComparison.Ordinal) == true)
{
return true;
}
}
// Check if containing method has IAocGuard parameter or calls Validate
if (current is IBlockOperation)
{
// We've reached a method body; check the containing method signature
var containingMethod = invocation.SemanticModel?.GetEnclosingSymbol(invocation.Syntax.SpanStart) as IMethodSymbol;
if (containingMethod is not null)
{
foreach (var param in containingMethod.Parameters)
{
if (param.Type.Name.Contains("AocGuard", StringComparison.Ordinal))
{
return true;
}
}
}
}
current = current.Parent;
depth++;
}
return false;
}
}

57
src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/README.md Normal file
View File

@@ -0,0 +1,57 @@
# StellaOps.Aoc.Analyzers
Roslyn source analyzers for enforcing AOC (Append-Only Contracts) during compile time.
## Rules
| Rule ID | Category | Severity | Description |
|---------|----------|----------|-------------|
| AOC0001 | AOC | Error | Forbidden field write detected - fields like `severity`, `cvss`, etc. |
| AOC0002 | AOC | Error | Derived field write detected - `effective_*` prefixed fields |
| AOC0003 | AOC | Warning | Unguarded database write - writes without `IAocGuard.Validate()` |
## Forbidden Fields
The following fields must not be written during ingestion:
- `severity`
- `cvss`
- `cvss_vector`
- `effective_status`
- `effective_range`
- `merged_from`
- `consensus_provider`
- `reachability`
- `asset_criticality`
- `risk_score`
Additionally, any field prefixed with `effective_` is considered derived and forbidden.
## Usage
Reference this analyzer in your project:
```xml
<ItemGroup>
<ProjectReference Include="..\..\..\Aoc\__Analyzers\StellaOps.Aoc.Analyzers\StellaOps.Aoc.Analyzers.csproj"
OutputItemType="Analyzer"
ReferenceOutputAssembly="false" />
</ItemGroup>
```
Or add as a NuGet package once published.
## Suppression
To suppress a specific diagnostic:
```csharp
#pragma warning disable AOC0001
// Code that intentionally writes forbidden field
#pragma warning restore AOC0001
```
Or use `[SuppressMessage]` attribute:
```csharp
[SuppressMessage("AOC", "AOC0001", Justification = "Legitimate use case")]
```

24
src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj Normal file
View File

@@ -0,0 +1,24 @@
<?xml version="1.0" encoding="utf-8"?>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>netstandard2.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<LangVersion>preview</LangVersion>
<IncludeBuildOutput>false</IncludeBuildOutput>
<AnalysisLevel>latest</AnalysisLevel>
<EnforceExtendedAnalyzerRules>true</EnforceExtendedAnalyzerRules>
<Description>StellaOps AOC Roslyn Analyzers - Compile-time detection of forbidden field writes and unguarded ingestion operations</Description>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.0.1" PrivateAssets="all" />
<PackageReference Include="Microsoft.CodeAnalysis.Analyzers" Version="3.3.4" PrivateAssets="all" />
</ItemGroup>
<ItemGroup>
<None Include="README.md" Visible="false" />
<None Include="AnalyzerReleases.Shipped.md" Visible="false" />
<None Include="AnalyzerReleases.Unshipped.md" Visible="false" />
</ItemGroup>
</Project>

300
src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/AocForbiddenFieldAnalyzerTests.cs Normal file
View File

@@ -0,0 +1,300 @@
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Linq;
using System.Reflection;
using System.Threading.Tasks;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.Diagnostics;
using StellaOps.Aoc.Analyzers;
namespace StellaOps.Aoc.Analyzers.Tests;
public sealed class AocForbiddenFieldAnalyzerTests
{
[Theory]
[InlineData("severity")]
[InlineData("cvss")]
[InlineData("cvss_vector")]
[InlineData("effective_status")]
[InlineData("merged_from")]
[InlineData("consensus_provider")]
[InlineData("reachability")]
[InlineData("asset_criticality")]
[InlineData("risk_score")]
public async Task ReportsDiagnostic_ForForbiddenFieldAssignment(string fieldName)
{
string source = $$"""
namespace StellaOps.Concelier.Connector.Sample;
public sealed class AdvisoryModel
{
public string? {{fieldName}} { get; set; }
}
public sealed class Ingester
{
public void Process(AdvisoryModel advisory)
{
advisory.{{fieldName}} = "value";
}
}
""";
var diagnostics = await AnalyzeAsync(source, "StellaOps.Concelier.Connector.Sample");
Assert.Contains(diagnostics, d => d.Id == AocForbiddenFieldAnalyzer.DiagnosticIdForbiddenField);
}
[Theory]
[InlineData("effective_date")]
[InlineData("effective_version")]
[InlineData("effective_score")]
public async Task ReportsDiagnostic_ForDerivedFieldAssignment(string fieldName)
{
string source = $$"""
namespace StellaOps.Concelier.Connector.Sample;
public sealed class AdvisoryModel
{
public string? {{fieldName}} { get; set; }
}
public sealed class Ingester
{
public void Process(AdvisoryModel advisory)
{
advisory.{{fieldName}} = "value";
}
}
""";
var diagnostics = await AnalyzeAsync(source, "StellaOps.Concelier.Connector.Sample");
Assert.Contains(diagnostics, d => d.Id == AocForbiddenFieldAnalyzer.DiagnosticIdDerivedField);
}
[Fact]
public async Task ReportsDiagnostic_ForForbiddenFieldInObjectInitializer()
{
const string source = """
namespace StellaOps.Concelier.Connector.Sample;
public sealed class AdvisoryModel
{
public string? severity { get; set; }
public string? cveId { get; set; }
}
public sealed class Ingester
{
public AdvisoryModel Create()
{
return new AdvisoryModel
{
severity = "high",
cveId = "CVE-2024-0001"
};
}
}
""";
var diagnostics = await AnalyzeAsync(source, "StellaOps.Concelier.Connector.Sample");
Assert.Contains(diagnostics, d => d.Id == AocForbiddenFieldAnalyzer.DiagnosticIdForbiddenField);
}
[Fact]
public async Task DoesNotReportDiagnostic_ForAllowedFieldAssignment()
{
const string source = """
namespace StellaOps.Concelier.Connector.Sample;
public sealed class AdvisoryModel
{
public string? cveId { get; set; }
public string? description { get; set; }
}
public sealed class Ingester
{
public void Process(AdvisoryModel advisory)
{
advisory.cveId = "CVE-2024-0001";
advisory.description = "Test vulnerability";
}
}
""";
var diagnostics = await AnalyzeAsync(source, "StellaOps.Concelier.Connector.Sample");
Assert.DoesNotContain(diagnostics, d =>
d.Id == AocForbiddenFieldAnalyzer.DiagnosticIdForbiddenField ||
d.Id == AocForbiddenFieldAnalyzer.DiagnosticIdDerivedField);
}
[Fact]
public async Task DoesNotReportDiagnostic_ForNonIngestionAssembly()
{
const string source = """
namespace StellaOps.Internal.Processing;
public sealed class AdvisoryModel
{
public string? severity { get; set; }
}
public sealed class Processor
{
public void Process(AdvisoryModel advisory)
{
advisory.severity = "high";
}
}
""";
var diagnostics = await AnalyzeAsync(source, "StellaOps.Internal.Processing");
Assert.DoesNotContain(diagnostics, d => d.Id == AocForbiddenFieldAnalyzer.DiagnosticIdForbiddenField);
}
[Fact]
public async Task DoesNotReportDiagnostic_ForTestAssembly()
{
const string source = """
namespace StellaOps.Concelier.Connector.Sample.Tests;
public sealed class AdvisoryModel
{
public string? severity { get; set; }
}
public sealed class IngesterTests
{
public void TestProcess()
{
var advisory = new AdvisoryModel { severity = "high" };
}
}
""";
var diagnostics = await AnalyzeAsync(source, "StellaOps.Concelier.Connector.Sample.Tests");
Assert.DoesNotContain(diagnostics, d => d.Id == AocForbiddenFieldAnalyzer.DiagnosticIdForbiddenField);
}
[Fact]
public async Task ReportsDiagnostic_ForDictionaryAddWithForbiddenKey()
{
const string source = """
using System.Collections.Generic;
namespace StellaOps.Concelier.Connector.Sample;
public sealed class Ingester
{
public void Process()
{
var dict = new Dictionary<string, object>();
dict.Add("cvss", 9.8);
}
}
""";
var diagnostics = await AnalyzeAsync(source, "StellaOps.Concelier.Connector.Sample");
Assert.Contains(diagnostics, d => d.Id == AocForbiddenFieldAnalyzer.DiagnosticIdForbiddenField);
}
[Fact]
public async Task ReportsDiagnostic_CaseInsensitive()
{
const string source = """
namespace StellaOps.Concelier.Connector.Sample;
public sealed class AdvisoryModel
{
public string? Severity { get; set; }
public string? CVSS { get; set; }
}
public sealed class Ingester
{
public void Process(AdvisoryModel advisory)
{
advisory.Severity = "high";
}
}
""";
var diagnostics = await AnalyzeAsync(source, "StellaOps.Concelier.Connector.Sample");
Assert.Contains(diagnostics, d => d.Id == AocForbiddenFieldAnalyzer.DiagnosticIdForbiddenField);
}
[Fact]
public async Task ReportsDiagnostic_ForAnonymousObjectWithForbiddenField()
{
const string source = """
namespace StellaOps.Concelier.Connector.Sample;
public sealed class Ingester
{
public object Create()
{
return new { severity = "high", cveId = "CVE-2024-0001" };
}
}
""";
var diagnostics = await AnalyzeAsync(source, "StellaOps.Concelier.Connector.Sample");
Assert.Contains(diagnostics, d => d.Id == AocForbiddenFieldAnalyzer.DiagnosticIdForbiddenField);
}
[Fact]
public async Task DoesNotReportDiagnostic_ForIngestionNamespaceButNotConnector()
{
const string source = """
namespace StellaOps.Concelier.Ingestion;
public sealed class AdvisoryModel
{
public string? severity { get; set; }
}
public sealed class Processor
{
public void Process(AdvisoryModel advisory)
{
advisory.severity = "high";
}
}
""";
var diagnostics = await AnalyzeAsync(source, "StellaOps.Concelier.Ingestion");
Assert.Contains(diagnostics, d => d.Id == AocForbiddenFieldAnalyzer.DiagnosticIdForbiddenField);
}
private static async Task<ImmutableArray<Diagnostic>> AnalyzeAsync(string source, string assemblyName)
{
var compilation = CSharpCompilation.Create(
assemblyName,
new[] { CSharpSyntaxTree.ParseText(source) },
CreateMetadataReferences(),
new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary));
var analyzer = new AocForbiddenFieldAnalyzer();
var compilationWithAnalyzers = compilation.WithAnalyzers(ImmutableArray.Create<DiagnosticAnalyzer>(analyzer));
return await compilationWithAnalyzers.GetAnalyzerDiagnosticsAsync();
}
private static IEnumerable<MetadataReference> CreateMetadataReferences()
{
yield return MetadataReference.CreateFromFile(typeof(object).GetTypeInfo().Assembly.Location);
yield return MetadataReference.CreateFromFile(typeof(Enumerable).GetTypeInfo().Assembly.Location);
// Get System.Collections reference for Dictionary<,>
var systemCollectionsPath = Path.GetDirectoryName(typeof(object).GetTypeInfo().Assembly.Location);
if (!string.IsNullOrEmpty(systemCollectionsPath))
{
var collectionsPath = Path.Combine(systemCollectionsPath!, "System.Collections.dll");
if (File.Exists(collectionsPath))
{
yield return MetadataReference.CreateFromFile(collectionsPath);
}
}
}
}

27
src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj Normal file
View File

@@ -0,0 +1,27 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<IsPackable>false</IsPackable>
<LangVersion>preview</LangVersion>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="coverlet.collector" Version="6.0.4" />
<PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.0.1" PrivateAssets="all" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.0" />
<PackageReference Include="xunit" Version="2.9.2" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" />
</ItemGroup>
<ItemGroup>
<Using Include="Xunit" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\__Analyzers\StellaOps.Aoc.Analyzers\StellaOps.Aoc.Analyzers.csproj" />
</ItemGroup>
</Project>

195
src/Aoc/__Tests/StellaOps.Aoc.Cli.Tests/AocVerificationServiceTests.cs Normal file
View File

@@ -0,0 +1,195 @@
using System.Text.Json;
using StellaOps.Aoc.Cli.Models;
using StellaOps.Aoc.Cli.Services;
namespace StellaOps.Aoc.Cli.Tests;
public sealed class AocVerificationServiceTests
{
[Fact]
public void VerifyOptions_RequiredProperties_AreSet()
{
var options = new VerifyOptions
{
Since = "2025-12-01",
PostgresConnectionString = "Host=localhost;Database=test",
Verbose = true
};
Assert.Equal("2025-12-01", options.Since);
Assert.Equal("Host=localhost;Database=test", options.PostgresConnectionString);
Assert.True(options.Verbose);
Assert.False(options.DryRun);
}
[Fact]
public void VerificationResult_Status_ReturnsPass_WhenNoViolations()
{
var result = new VerificationResult
{
Since = "2025-12-01"
};
Assert.Equal("PASS", result.Status);
Assert.Equal(0, result.ViolationCount);
}
[Fact]
public void VerificationResult_Status_ReturnsFail_WhenViolationsExist()
{
var result = new VerificationResult
{
Since = "2025-12-01",
Violations =
{
new DocumentViolation
{
DocumentId = "doc-1",
Collection = "test",
Code = "ERR_AOC_001",
Path = "/severity",
Message = "Forbidden field"
}
}
};
Assert.Equal("FAIL", result.Status);
Assert.Equal(1, result.ViolationCount);
}
[Fact]
public void DocumentViolation_Serializes_ToExpectedJson()
{
var violation = new DocumentViolation
{
DocumentId = "doc-123",
Collection = "advisory_raw",
Code = "ERR_AOC_001",
Path = "/severity",
Message = "Field 'severity' is forbidden",
Tenant = "tenant-1"
};
var json = JsonSerializer.Serialize(violation, new JsonSerializerOptions
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
});
Assert.Contains("\"documentId\":\"doc-123\"", json);
Assert.Contains("\"collection\":\"advisory_raw\"", json);
Assert.Contains("\"code\":\"ERR_AOC_001\"", json);
Assert.Contains("\"path\":\"/severity\"", json);
}
[Fact]
public void VerificationResult_Serializes_WithAllFields()
{
var result = new VerificationResult
{
Since = "abc123",
Tenant = "tenant-1",
DocumentsScanned = 100,
DurationMs = 500,
Violations =
{
new DocumentViolation
{
DocumentId = "doc-1",
Collection = "test",
Code = "ERR_AOC_001",
Path = "/severity",
Message = "Forbidden"
}
}
};
var json = JsonSerializer.Serialize(result, new JsonSerializerOptions
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
});
Assert.Contains("\"since\":\"abc123\"", json);
Assert.Contains("\"tenant\":\"tenant-1\"", json);
Assert.Contains("\"documentsScanned\":100", json);
Assert.Contains("\"violationCount\":1", json);
Assert.Contains("\"status\":\"FAIL\"", json);
Assert.Contains("\"durationMs\":500", json);
}
[Fact]
public void VerifyOptions_MongoAndPostgres_AreMutuallyExclusive()
{
var optionsMongo = new VerifyOptions
{
Since = "HEAD~1",
MongoConnectionString = "mongodb://localhost:27017"
};
var optionsPostgres = new VerifyOptions
{
Since = "HEAD~1",
PostgresConnectionString = "Host=localhost;Database=test"
};
Assert.NotNull(optionsMongo.MongoConnectionString);
Assert.Null(optionsMongo.PostgresConnectionString);
Assert.Null(optionsPostgres.MongoConnectionString);
Assert.NotNull(optionsPostgres.PostgresConnectionString);
}
[Fact]
public void VerifyOptions_DryRun_DefaultsToFalse()
{
var options = new VerifyOptions
{
Since = "2025-01-01"
};
Assert.False(options.DryRun);
}
[Fact]
public void VerifyOptions_Verbose_DefaultsToFalse()
{
var options = new VerifyOptions
{
Since = "2025-01-01"
};
Assert.False(options.Verbose);
}
[Fact]
public void VerificationResult_ViolationCount_MatchesListCount()
{
var result = new VerificationResult
{
Since = "test"
};
Assert.Equal(0, result.ViolationCount);
result.Violations.Add(new DocumentViolation
{
DocumentId = "1",
Collection = "test",
Code = "ERR",
Path = "/",
Message = "msg"
});
Assert.Equal(1, result.ViolationCount);
result.Violations.Add(new DocumentViolation
{
DocumentId = "2",
Collection = "test",
Code = "ERR",
Path = "/",
Message = "msg"
});
Assert.Equal(2, result.ViolationCount);
}
}

26
src/Aoc/__Tests/StellaOps.Aoc.Cli.Tests/StellaOps.Aoc.Cli.Tests.csproj Normal file
View File

@@ -0,0 +1,26 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<IsPackable>false</IsPackable>
<LangVersion>preview</LangVersion>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="coverlet.collector" Version="6.0.4" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.0" />
<PackageReference Include="xunit" Version="2.9.2" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" />
</ItemGroup>
<ItemGroup>
<Using Include="Xunit" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\StellaOps.Aoc.Cli\StellaOps.Aoc.Cli.csproj" />
</ItemGroup>
</Project>

29
src/Aoc/aoc.runsettings Normal file
View File

@@ -0,0 +1,29 @@
<?xml version="1.0" encoding="utf-8"?>
<RunSettings>
<DataCollectionRunSettings>
<DataCollectors>
<DataCollector friendlyName="XPlat code coverage">
<Configuration>
<Format>cobertura,opencover</Format>
<Exclude>[*.Tests]*,[*]*.Migrations.*</Exclude>
<Include>[StellaOps.Aoc]*,[StellaOps.Aoc.Cli]*,[StellaOps.Aoc.Analyzers]*</Include>
<ExcludeByFile>**/obj/**,**/bin/**</ExcludeByFile>
<SingleHit>false</SingleHit>
<UseSourceLink>true</UseSourceLink>
<IncludeTestAssembly>false</IncludeTestAssembly>
<SkipAutoProps>true</SkipAutoProps>
<DeterministicReport>true</DeterministicReport>
</Configuration>
</DataCollector>
</DataCollectors>
</DataCollectionRunSettings>
<!-- Coverage thresholds for CI enforcement -->
<!-- Minimum line coverage: 70% -->
<!-- Minimum branch coverage: 60% -->
<Coverlet>
<ThresholdType>line,branch</ThresholdType>
<Threshold>70,60</Threshold>
<ThresholdStat>total</ThresholdStat>
</Coverlet>
</RunSettings>