stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat: Implement air-gap functionality with timeline impact and evidence snapshot services
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details

Browse Source 
- Added AirgapTimelineImpact, AirgapTimelineImpactInput, and AirgapTimelineImpactResult records for managing air-gap bundle import impacts.
- Introduced EvidenceSnapshotRecord, EvidenceSnapshotLinkInput, and EvidenceSnapshotLinkResult records for linking findings to evidence snapshots.
- Created IEvidenceSnapshotRepository interface for managing evidence snapshot records.
- Developed StalenessValidationService to validate staleness and enforce freshness thresholds.
- Implemented AirgapTimelineService for emitting timeline events related to bundle imports.
- Added EvidenceSnapshotService for linking findings to evidence snapshots and verifying their validity.
- Introduced AirGapOptions for configuring air-gap staleness enforcement and thresholds.
- Added minimal jsPDF stub for offline/testing builds in the web application.
- Created TypeScript definitions for jsPDF to enhance type safety in the web application.
This commit is contained in:
StellaOps Bot
2025-12-06 01:30:08 +02:00
parent 6c1177a6ce
commit 2eaf0f699b
144 changed files with 7578 additions and 2581 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/Concelier/StellaOps.Concelier.WebService/Contracts/AdvisoryObservationContracts.cs
View File

@@ -1,3 +1,4 @@
using System.Collections.Generic;
using System.Collections.Immutable;
using StellaOps.Concelier.Models.Observations;
using StellaOps.Concelier.RawModels;
@@ -20,3 +21,13 @@ public sealed record AdvisoryObservationLinksetAggregateResponse(
ImmutableArray<RawRelationship> Relationships,
double Confidence,
ImmutableArray<AdvisoryLinksetConflict> Conflicts);
/// <summary>
/// Request to publish observation events to NATS/Redis.
/// </summary>
public sealed record ObservationEventPublishRequest(IReadOnlyList<string>? ObservationIds);
/// <summary>
/// Request to publish linkset events to NATS/Redis.
/// </summary>
public sealed record LinksetEventPublishRequest(IReadOnlyList<string>? AdvisoryIds);

133
src/Concelier/StellaOps.Concelier.WebService/Contracts/ErrorEnvelopeContracts.cs Normal file
View File

@@ -0,0 +1,133 @@
using System.Text.Json.Serialization;
namespace StellaOps.Concelier.WebService.Contracts;
/// <summary>
/// Hybrid RFC 7807 + Standard Error Envelope.
/// Per CONCELIER-WEB-OAS-61-002.
/// </summary>
/// <remarks>
/// Combines RFC 7807 Problem Details format with a structured error code
/// for machine-readable error handling. This enables both human-readable
/// problem descriptions and programmatic error code checking.
/// </remarks>
public sealed record ErrorEnvelope
{
/// <summary>
/// A URI reference that identifies the problem type (RFC 7807).
/// </summary>
[JsonPropertyName("type")]
public required string Type { get; init; }
/// <summary>
/// A short, human-readable summary of the problem type (RFC 7807).
/// </summary>
[JsonPropertyName("title")]
public required string Title { get; init; }
/// <summary>
/// The HTTP status code (RFC 7807).
/// </summary>
[JsonPropertyName("status")]
public required int Status { get; init; }
/// <summary>
/// A human-readable explanation specific to this occurrence (RFC 7807).
/// </summary>
[JsonPropertyName("detail")]
public string? Detail { get; init; }
/// <summary>
/// A URI reference that identifies the specific occurrence (RFC 7807).
/// </summary>
[JsonPropertyName("instance")]
public string? Instance { get; init; }
/// <summary>
/// Distributed trace identifier for correlation.
/// </summary>
[JsonPropertyName("traceId")]
public string? TraceId { get; init; }
/// <summary>
/// Structured error details with machine-readable code.
/// </summary>
[JsonPropertyName("error")]
public ErrorDetail? Error { get; init; }
}
/// <summary>
/// Structured error detail with machine-readable code.
/// </summary>
public sealed record ErrorDetail
{
/// <summary>
/// Machine-readable error code (e.g., "VALIDATION_FAILED", "RESOURCE_NOT_FOUND").
/// </summary>
[JsonPropertyName("code")]
public required string Code { get; init; }
/// <summary>
/// Human-readable error message.
/// </summary>
[JsonPropertyName("message")]
public string? Message { get; init; }
/// <summary>
/// Target of the error (field name, resource identifier, etc.).
/// </summary>
[JsonPropertyName("target")]
public string? Target { get; init; }
/// <summary>
/// Additional metadata about the error.
/// </summary>
[JsonPropertyName("metadata")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public IReadOnlyDictionary<string, object?>? Metadata { get; init; }
/// <summary>
/// Nested validation errors for complex validation failures.
/// </summary>
[JsonPropertyName("innerErrors")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public IReadOnlyList<ValidationError>? InnerErrors { get; init; }
/// <summary>
/// URL for more information about this error.
/// </summary>
[JsonPropertyName("helpUrl")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? HelpUrl { get; init; }
/// <summary>
/// Retry-after hint in seconds (for rate limiting).
/// </summary>
[JsonPropertyName("retryAfter")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public int? RetryAfter { get; init; }
}
/// <summary>
/// Individual validation error for field-level issues.
/// </summary>
public sealed record ValidationError
{
/// <summary>
/// Field path (e.g., "advisoryId", "data.severity").
/// </summary>
[JsonPropertyName("field")]
public required string Field { get; init; }
/// <summary>
/// Error code for this specific validation error.
/// </summary>
[JsonPropertyName("code")]
public required string Code { get; init; }
/// <summary>
/// Human-readable message for this validation error.
/// </summary>
[JsonPropertyName("message")]
public string? Message { get; init; }
}

148
src/Concelier/StellaOps.Concelier.WebService/Diagnostics/ErrorCodes.cs Normal file
View File

@@ -0,0 +1,148 @@
namespace StellaOps.Concelier.WebService.Diagnostics;
/// <summary>
/// Machine-readable error codes for API responses.
/// Per CONCELIER-WEB-OAS-61-002.
/// </summary>
public static class ErrorCodes
{
// ─────────────────────────────────────────────────────────────────────────
// Validation Errors (4xx)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>Generic validation failure.</summary>
public const string ValidationFailed = "VALIDATION_FAILED";
/// <summary>Required field is missing.</summary>
public const string RequiredFieldMissing = "REQUIRED_FIELD_MISSING";
/// <summary>Field value is invalid.</summary>
public const string InvalidFieldValue = "INVALID_FIELD_VALUE";
/// <summary>Tenant ID is required but not provided.</summary>
public const string TenantRequired = "TENANT_REQUIRED";
/// <summary>Advisory ID is required but not provided.</summary>
public const string AdvisoryIdRequired = "ADVISORY_ID_REQUIRED";
/// <summary>Vulnerability key is required but not provided.</summary>
public const string VulnerabilityKeyRequired = "VULNERABILITY_KEY_REQUIRED";
/// <summary>Cursor parameter must be an integer.</summary>
public const string InvalidCursor = "INVALID_CURSOR";
/// <summary>Invalid pagination parameters.</summary>
public const string InvalidPagination = "INVALID_PAGINATION";
// ─────────────────────────────────────────────────────────────────────────
// Resource Errors (404)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>Requested resource was not found.</summary>
public const string ResourceNotFound = "RESOURCE_NOT_FOUND";
/// <summary>Advisory not found.</summary>
public const string AdvisoryNotFound = "ADVISORY_NOT_FOUND";
/// <summary>Vulnerability not found.</summary>
public const string VulnerabilityNotFound = "VULNERABILITY_NOT_FOUND";
/// <summary>Evidence not found.</summary>
public const string EvidenceNotFound = "EVIDENCE_NOT_FOUND";
/// <summary>Tenant not found.</summary>
public const string TenantNotFound = "TENANT_NOT_FOUND";
/// <summary>Job not found.</summary>
public const string JobNotFound = "JOB_NOT_FOUND";
/// <summary>Mirror not found.</summary>
public const string MirrorNotFound = "MIRROR_NOT_FOUND";
/// <summary>Bundle source not found.</summary>
public const string BundleSourceNotFound = "BUNDLE_SOURCE_NOT_FOUND";
// ─────────────────────────────────────────────────────────────────────────
// AOC (Aggregation-Only Contract) Errors
// ─────────────────────────────────────────────────────────────────────────
/// <summary>AOC violation occurred.</summary>
public const string AocViolation = "AOC_VIOLATION";
/// <summary>Forbidden field in advisory (ERR_AOC_001).</summary>
public const string AocForbiddenField = "AOC_FORBIDDEN_FIELD";
/// <summary>Merge attempt detected (ERR_AOC_002).</summary>
public const string AocMergeAttempt = "AOC_MERGE_ATTEMPT";
/// <summary>Derived field modification (ERR_AOC_006).</summary>
public const string AocDerivedField = "AOC_DERIVED_FIELD";
/// <summary>Unknown field detected (ERR_AOC_007).</summary>
public const string AocUnknownField = "AOC_UNKNOWN_FIELD";
// ─────────────────────────────────────────────────────────────────────────
// Conflict Errors (409)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>Resource already exists.</summary>
public const string ResourceConflict = "RESOURCE_CONFLICT";
/// <summary>Concurrent modification detected.</summary>
public const string ConcurrencyConflict = "CONCURRENCY_CONFLICT";
/// <summary>Lease already held by another client.</summary>
public const string LeaseConflict = "LEASE_CONFLICT";
// ─────────────────────────────────────────────────────────────────────────
// State Errors (423 Locked)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>Resource is locked.</summary>
public const string ResourceLocked = "RESOURCE_LOCKED";
/// <summary>Lease rejected.</summary>
public const string LeaseRejected = "LEASE_REJECTED";
// ─────────────────────────────────────────────────────────────────────────
// AirGap/Sealed Mode Errors
// ─────────────────────────────────────────────────────────────────────────
/// <summary>AirGap mode is disabled.</summary>
public const string AirGapDisabled = "AIRGAP_DISABLED";
/// <summary>Sealed mode violation.</summary>
public const string SealedModeViolation = "SEALED_MODE_VIOLATION";
/// <summary>Source blocked by sealed mode.</summary>
public const string SourceBlocked = "SOURCE_BLOCKED";
// ─────────────────────────────────────────────────────────────────────────
// Rate Limiting (429)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>Rate limit exceeded.</summary>
public const string RateLimitExceeded = "RATE_LIMIT_EXCEEDED";
/// <summary>Quota exceeded.</summary>
public const string QuotaExceeded = "QUOTA_EXCEEDED";
// ─────────────────────────────────────────────────────────────────────────
// Server Errors (5xx)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>Internal server error.</summary>
public const string InternalError = "INTERNAL_ERROR";
/// <summary>Service unavailable.</summary>
public const string ServiceUnavailable = "SERVICE_UNAVAILABLE";
/// <summary>Job execution failure.</summary>
public const string JobFailure = "JOB_FAILURE";
/// <summary>External service failure.</summary>
public const string ExternalServiceFailure = "EXTERNAL_SERVICE_FAILURE";
/// <summary>Database operation failed.</summary>
public const string DatabaseError = "DATABASE_ERROR";
}

165
src/Concelier/StellaOps.Concelier.WebService/Extensions/AirGapEndpointExtensions.cs Normal file
View File

@@ -0,0 +1,165 @@
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
using StellaOps.Concelier.Core.AirGap;
using StellaOps.Concelier.Core.AirGap.Models;
using StellaOps.Concelier.WebService.Diagnostics;
using StellaOps.Concelier.WebService.Options;
using StellaOps.Concelier.WebService.Results;
namespace StellaOps.Concelier.WebService.Extensions;
/// <summary>
/// Endpoint extensions for AirGap functionality.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
internal static class AirGapEndpointExtensions
{
public static void MapConcelierAirGapEndpoints(this WebApplication app)
{
var group = app.MapGroup("/api/v1/concelier/airgap")
.WithTags("AirGap");
// GET /api/v1/concelier/airgap/catalog - Aggregated bundle catalog
group.MapGet("/catalog", async (
HttpContext context,
IBundleCatalogService catalogService,
IOptionsMonitor<ConcelierOptions> optionsMonitor,
[FromQuery] string? cursor,
[FromQuery] int? limit,
CancellationToken cancellationToken) =>
{
var airGapOptions = optionsMonitor.CurrentValue.AirGap;
if (!airGapOptions.Enabled)
{
return ConcelierProblemResultFactory.AirGapDisabled(context);
}
var catalog = await catalogService.GetCatalogAsync(cursor, limit, cancellationToken)
.ConfigureAwait(false);
return Results.Ok(catalog);
});
// GET /api/v1/concelier/airgap/sources - List registered sources
group.MapGet("/sources", (
HttpContext context,
IBundleSourceRegistry sourceRegistry,
IOptionsMonitor<ConcelierOptions> optionsMonitor) =>
{
var airGapOptions = optionsMonitor.CurrentValue.AirGap;
if (!airGapOptions.Enabled)
{
return ConcelierProblemResultFactory.AirGapDisabled(context);
}
var sources = sourceRegistry.GetSources();
return Results.Ok(new { sources, count = sources.Count });
});
// POST /api/v1/concelier/airgap/sources - Register new source
group.MapPost("/sources", async (
HttpContext context,
IBundleSourceRegistry sourceRegistry,
IOptionsMonitor<ConcelierOptions> optionsMonitor,
[FromBody] BundleSourceRegistration registration,
CancellationToken cancellationToken) =>
{
var airGapOptions = optionsMonitor.CurrentValue.AirGap;
if (!airGapOptions.Enabled)
{
return ConcelierProblemResultFactory.AirGapDisabled(context);
}
if (string.IsNullOrWhiteSpace(registration.Id))
{
return ConcelierProblemResultFactory.RequiredFieldMissing(context, "id");
}
var source = await sourceRegistry.RegisterAsync(registration, cancellationToken)
.ConfigureAwait(false);
return Results.Created($"/api/v1/concelier/airgap/sources/{source.Id}", source);
});
// GET /api/v1/concelier/airgap/sources/{sourceId} - Get specific source
group.MapGet("/sources/{sourceId}", (
HttpContext context,
IBundleSourceRegistry sourceRegistry,
IOptionsMonitor<ConcelierOptions> optionsMonitor,
string sourceId) =>
{
var airGapOptions = optionsMonitor.CurrentValue.AirGap;
if (!airGapOptions.Enabled)
{
return ConcelierProblemResultFactory.AirGapDisabled(context);
}
var source = sourceRegistry.GetSource(sourceId);
if (source is null)
{
return ConcelierProblemResultFactory.BundleSourceNotFound(context, sourceId);
}
return Results.Ok(source);
});
// DELETE /api/v1/concelier/airgap/sources/{sourceId} - Unregister source
group.MapDelete("/sources/{sourceId}", async (
HttpContext context,
IBundleSourceRegistry sourceRegistry,
IOptionsMonitor<ConcelierOptions> optionsMonitor,
string sourceId,
CancellationToken cancellationToken) =>
{
var airGapOptions = optionsMonitor.CurrentValue.AirGap;
if (!airGapOptions.Enabled)
{
return ConcelierProblemResultFactory.AirGapDisabled(context);
}
var removed = await sourceRegistry.UnregisterAsync(sourceId, cancellationToken)
.ConfigureAwait(false);
return removed
? Results.NoContent()
: ConcelierProblemResultFactory.BundleSourceNotFound(context, sourceId);
});
// POST /api/v1/concelier/airgap/sources/{sourceId}/validate - Validate source
group.MapPost("/sources/{sourceId}/validate", async (
HttpContext context,
IBundleSourceRegistry sourceRegistry,
IOptionsMonitor<ConcelierOptions> optionsMonitor,
string sourceId,
CancellationToken cancellationToken) =>
{
var airGapOptions = optionsMonitor.CurrentValue.AirGap;
if (!airGapOptions.Enabled)
{
return ConcelierProblemResultFactory.AirGapDisabled(context);
}
var result = await sourceRegistry.ValidateAsync(sourceId, cancellationToken)
.ConfigureAwait(false);
return Results.Ok(result);
});
// GET /api/v1/concelier/airgap/status - Sealed-mode status
group.MapGet("/status", (
HttpContext context,
ISealedModeEnforcer sealedModeEnforcer,
IOptionsMonitor<ConcelierOptions> optionsMonitor) =>
{
var airGapOptions = optionsMonitor.CurrentValue.AirGap;
if (!airGapOptions.Enabled)
{
return ConcelierProblemResultFactory.AirGapDisabled(context);
}
var status = sealedModeEnforcer.GetStatus();
return Results.Ok(status);
});
}
}

126
src/Concelier/StellaOps.Concelier.WebService/Extensions/MirrorEndpointExtensions.cs
View File

@@ -1,9 +1,11 @@
using System.Globalization;
using System.IO;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options;
using StellaOps.Concelier.WebService.Options;
using StellaOps.Concelier.WebService.Services;
using System.Globalization;
using System.IO;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options;
using StellaOps.Concelier.WebService.Diagnostics;
using StellaOps.Concelier.WebService.Options;
using StellaOps.Concelier.WebService.Results;
using StellaOps.Concelier.WebService.Services;
namespace StellaOps.Concelier.WebService.Extensions;
@@ -24,7 +26,7 @@ internal static class MirrorEndpointExtensions
var mirrorOptions = optionsMonitor.CurrentValue.Mirror ?? new ConcelierOptions.MirrorOptions();
if (!mirrorOptions.Enabled)
{
return Results.NotFound();
return ConcelierProblemResultFactory.MirrorNotFound(context);
}
if (!TryAuthorize(mirrorOptions.RequireAuthentication, enforceAuthority, context, authorityConfigured, out var unauthorizedResult))
@@ -35,15 +37,15 @@ internal static class MirrorEndpointExtensions
if (!limiter.TryAcquire("__index__", IndexScope, mirrorOptions.MaxIndexRequestsPerHour, out var retryAfter))
{
ApplyRetryAfter(context.Response, retryAfter);
return Results.StatusCode(StatusCodes.Status429TooManyRequests);
return ConcelierProblemResultFactory.RateLimitExceeded(context, (int?)retryAfter?.TotalSeconds);
}
if (!locator.TryResolveIndex(out var path, out _))
{
return Results.NotFound();
return ConcelierProblemResultFactory.MirrorNotFound(context);
}
return await WriteFileAsync(path, context.Response, "application/json").ConfigureAwait(false);
return await WriteFileAsync(context, path, "application/json").ConfigureAwait(false);
});
app.MapGet("/concelier/exports/{**relativePath}", async (
@@ -57,17 +59,17 @@ internal static class MirrorEndpointExtensions
var mirrorOptions = optionsMonitor.CurrentValue.Mirror ?? new ConcelierOptions.MirrorOptions();
if (!mirrorOptions.Enabled)
{
return Results.NotFound();
return ConcelierProblemResultFactory.MirrorNotFound(context);
}
if (string.IsNullOrWhiteSpace(relativePath))
{
return Results.NotFound();
return ConcelierProblemResultFactory.MirrorNotFound(context);
}
if (!locator.TryResolveRelativePath(relativePath, out var path, out _, out var domainId))
{
return Results.NotFound();
return ConcelierProblemResultFactory.MirrorNotFound(context, relativePath);
}
var domain = FindDomain(mirrorOptions, domainId);
@@ -81,11 +83,11 @@ internal static class MirrorEndpointExtensions
if (!limiter.TryAcquire(domain?.Id ?? "__mirror__", DownloadScope, limit, out var retryAfter))
{
ApplyRetryAfter(context.Response, retryAfter);
return Results.StatusCode(StatusCodes.Status429TooManyRequests);
return ConcelierProblemResultFactory.RateLimitExceeded(context, (int?)retryAfter?.TotalSeconds);
}
var contentType = ResolveContentType(path);
return await WriteFileAsync(path, context.Response, contentType).ConfigureAwait(false);
return await WriteFileAsync(context, path, contentType).ConfigureAwait(false);
});
}
@@ -112,12 +114,12 @@ internal static class MirrorEndpointExtensions
return null;
}
private static bool TryAuthorize(bool requireAuthentication, bool enforceAuthority, HttpContext context, bool authorityConfigured, out IResult result)
{
result = Results.Empty;
if (!requireAuthentication)
{
return true;
private static bool TryAuthorize(bool requireAuthentication, bool enforceAuthority, HttpContext context, bool authorityConfigured, out IResult result)
{
result = Results.Empty;
if (!requireAuthentication)
{
return true;
}
if (!enforceAuthority || !authorityConfigured)
@@ -128,19 +130,19 @@ internal static class MirrorEndpointExtensions
if (context.User?.Identity?.IsAuthenticated == true)
{
return true;
}
context.Response.Headers.WWWAuthenticate = "Bearer realm=\"StellaOps Concelier Mirror\"";
result = Results.StatusCode(StatusCodes.Status401Unauthorized);
return false;
}
private static Task<IResult> WriteFileAsync(string path, HttpResponse response, string contentType)
{
}
context.Response.Headers.WWWAuthenticate = "Bearer realm=\"StellaOps Concelier Mirror\"";
result = Results.StatusCode(StatusCodes.Status401Unauthorized);
return false;
}
private static Task<IResult> WriteFileAsync(HttpContext context, string path, string contentType)
{
var fileInfo = new FileInfo(path);
if (!fileInfo.Exists)
{
return Task.FromResult(Results.NotFound());
return Task.FromResult(ConcelierProblemResultFactory.MirrorNotFound(context, path));
}
var stream = new FileStream(
@@ -149,12 +151,12 @@ internal static class MirrorEndpointExtensions
FileAccess.Read,
FileShare.Read | FileShare.Delete);
response.Headers.CacheControl = BuildCacheControlHeader(path);
response.Headers.LastModified = fileInfo.LastWriteTimeUtc.ToString("R", CultureInfo.InvariantCulture);
response.ContentLength = fileInfo.Length;
return Task.FromResult(Results.Stream(stream, contentType));
}
context.Response.Headers.CacheControl = BuildCacheControlHeader(path);
context.Response.Headers.LastModified = fileInfo.LastWriteTimeUtc.ToString("R", CultureInfo.InvariantCulture);
context.Response.ContentLength = fileInfo.Length;
return Task.FromResult(Results.Stream(stream, contentType));
}
private static string ResolveContentType(string path)
{
if (path.EndsWith(".json", StringComparison.OrdinalIgnoreCase))
@@ -178,28 +180,28 @@ internal static class MirrorEndpointExtensions
}
var seconds = Math.Max((int)Math.Ceiling(retryAfter.Value.TotalSeconds), 1);
response.Headers.RetryAfter = seconds.ToString(CultureInfo.InvariantCulture);
}
private static string BuildCacheControlHeader(string path)
{
var fileName = Path.GetFileName(path);
if (fileName is null)
{
return "public, max-age=60";
}
if (string.Equals(fileName, "index.json", StringComparison.OrdinalIgnoreCase))
{
return "public, max-age=60";
}
if (fileName.EndsWith(".json", StringComparison.OrdinalIgnoreCase) ||
fileName.EndsWith(".jws", StringComparison.OrdinalIgnoreCase))
{
return "public, max-age=300, immutable";
}
return "public, max-age=300";
}
}
response.Headers.RetryAfter = seconds.ToString(CultureInfo.InvariantCulture);
}
private static string BuildCacheControlHeader(string path)
{
var fileName = Path.GetFileName(path);
if (fileName is null)
{
return "public, max-age=60";
}
if (string.Equals(fileName, "index.json", StringComparison.OrdinalIgnoreCase))
{
return "public, max-age=60";
}
if (fileName.EndsWith(".json", StringComparison.OrdinalIgnoreCase) ||
fileName.EndsWith(".jws", StringComparison.OrdinalIgnoreCase))
{
return "public, max-age=300, immutable";
}
return "public, max-age=300";
}
}

158
src/Concelier/StellaOps.Concelier.WebService/Options/AirGapOptions.cs Normal file
View File

@@ -0,0 +1,158 @@
using System.Text.Json.Serialization;
namespace StellaOps.Concelier.WebService.Options;
/// <summary>
/// Air-gap configuration options for Concelier.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public sealed class AirGapOptions
{
/// <summary>
/// Enable air-gap mode with bundle-based feed consumption.
/// </summary>
public bool Enabled { get; set; }
/// <summary>
/// Sealed mode configuration (blocks direct internet feeds when enabled).
/// </summary>
public SealedModeOptions SealedMode { get; set; } = new();
/// <summary>
/// Bundle sources configuration.
/// </summary>
public BundleSourcesOptions Sources { get; set; } = new();
/// <summary>
/// Catalog configuration.
/// </summary>
public CatalogOptions Catalog { get; set; } = new();
/// <summary>
/// Sealed mode configuration options.
/// When sealed mode is enabled, direct internet feeds are blocked.
/// </summary>
public sealed class SealedModeOptions
{
/// <summary>
/// Enable sealed mode (block direct internet feeds).
/// </summary>
public bool Enabled { get; set; }
/// <summary>
/// List of sources explicitly allowed even in sealed mode.
/// </summary>
public IList<string> AllowedSources { get; set; } = new List<string>();
/// <summary>
/// List of hosts that are allowed for egress even in sealed mode.
/// Useful for internal mirrors or private registries.
/// </summary>
public IList<string> AllowedHosts { get; set; } = new List<string>();
/// <summary>
/// Warn-only mode: log violations but don't block requests.
/// Useful for testing sealed mode before full enforcement.
/// </summary>
public bool WarnOnly { get; set; }
}
/// <summary>
/// Bundle sources configuration options.
/// </summary>
public sealed class BundleSourcesOptions
{
/// <summary>
/// Root directory for bundle storage.
/// </summary>
public string Root { get; set; } = "bundles";
/// <summary>
/// Automatically register sources from bundle directory on startup.
/// </summary>
public bool AutoDiscovery { get; set; } = true;
/// <summary>
/// File patterns to match for auto-discovery.
/// </summary>
public IList<string> DiscoveryPatterns { get; set; } = new List<string> { "*.bundle.json", "catalog.json" };
/// <summary>
/// Pre-configured bundle sources.
/// </summary>
public IList<BundleSourceConfig> Configured { get; set; } = new List<BundleSourceConfig>();
/// <summary>
/// Computed absolute path to root directory.
/// </summary>
[JsonIgnore]
public string RootAbsolute { get; internal set; } = string.Empty;
}
/// <summary>
/// Configuration for a single bundle source.
/// </summary>
public sealed class BundleSourceConfig
{
/// <summary>
/// Unique identifier for the source.
/// </summary>
public string Id { get; set; } = string.Empty;
/// <summary>
/// Display name for the source.
/// </summary>
public string? DisplayName { get; set; }
/// <summary>
/// Source type (directory, archive, remote).
/// </summary>
public string Type { get; set; } = "directory";
/// <summary>
/// Path or URL to the bundle source.
/// </summary>
public string Location { get; set; } = string.Empty;
/// <summary>
/// Enable this source.
/// </summary>
public bool Enabled { get; set; } = true;
/// <summary>
/// Priority for this source (lower = higher priority).
/// </summary>
public int Priority { get; set; } = 100;
/// <summary>
/// Verification mode for bundles from this source.
/// </summary>
public string VerificationMode { get; set; } = "signature";
}
/// <summary>
/// Catalog configuration options.
/// </summary>
public sealed class CatalogOptions
{
/// <summary>
/// Enable catalog aggregation from all sources.
/// </summary>
public bool Enabled { get; set; } = true;
/// <summary>
/// Cache duration for aggregated catalog in seconds.
/// </summary>
public int CacheDurationSeconds { get; set; } = 300;
/// <summary>
/// Maximum number of items per catalog page.
/// </summary>
public int MaxPageSize { get; set; } = 100;
/// <summary>
/// Include bundle provenance in catalog responses.
/// </summary>
public bool IncludeProvenance { get; set; } = true;
}
}

6
src/Concelier/StellaOps.Concelier.WebService/Options/ConcelierOptions.cs
View File

@@ -27,6 +27,12 @@ public sealed class ConcelierOptions
public StellaOpsCryptoOptions Crypto { get; } = new();
/// <summary>
/// Air-gap mode configuration.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public AirGapOptions AirGap { get; set; } = new();
public sealed class StorageOptions
{
public string Driver { get; set; } = "mongo";

400
src/Concelier/StellaOps.Concelier.WebService/Program.cs
View File

@@ -51,6 +51,7 @@ using StellaOps.Aoc;
using StellaOps.Aoc.AspNetCore.Routing;
using StellaOps.Aoc.AspNetCore.Results;
using StellaOps.Concelier.WebService.Contracts;
using StellaOps.Concelier.WebService.Results;
using StellaOps.Concelier.Core.Aoc;
using StellaOps.Concelier.Core.Raw;
using StellaOps.Concelier.RawModels;
@@ -712,7 +713,7 @@ var observationsEndpoint = app.MapGet("/concelier/observations", async (
{"reason", "format"},
{"stage", "ingest"}
});
return Results.BadRequest(ex.Message);
return ConcelierProblemResultFactory.ValidationFailed(context, ex.Message);
}
var elapsed = stopwatch.Elapsed;
@@ -867,7 +868,7 @@ app.MapGet("/v1/lnm/linksets/{advisoryId}", async (
if (string.IsNullOrWhiteSpace(advisoryId))
{
return Results.BadRequest("advisoryId is required.");
return ConcelierProblemResultFactory.AdvisoryIdRequired(context);
}
var stopwatch = Stopwatch.StartNew();
@@ -880,7 +881,7 @@ app.MapGet("/v1/lnm/linksets/{advisoryId}", async (
if (result.Linksets.IsDefaultOrEmpty)
{
return Results.NotFound();
return ConcelierProblemResultFactory.AdvisoryNotFound(context, advisoryId);
}
var linkset = result.Linksets[0];
@@ -1178,7 +1179,7 @@ var advisoryRawGetEndpoint = app.MapGet("/advisories/raw/{id}", async (
var record = await rawService.FindByIdAsync(tenant, id.Trim(), cancellationToken).ConfigureAwait(false);
if (record is null)
{
return Results.NotFound();
return ConcelierProblemResultFactory.AdvisoryNotFound(context, id);
}
var response = new AdvisoryRawRecordResponse(
@@ -1222,7 +1223,7 @@ var advisoryRawProvenanceEndpoint = app.MapGet("/advisories/raw/{id}/provenance"
var record = await rawService.FindByIdAsync(tenant, id.Trim(), cancellationToken).ConfigureAwait(false);
if (record is null)
{
return Results.NotFound();
return ConcelierProblemResultFactory.AdvisoryNotFound(context, id);
}
var response = new AdvisoryRawProvenanceResponse(
@@ -1241,6 +1242,379 @@ if (authorityConfigured)
advisoryRawProvenanceEndpoint.RequireAuthorization(AdvisoryReadPolicyName);
}
// Advisory observations endpoint - filtered by alias/purl/source with strict tenant scopes.
// Echoes upstream values + provenance fields only (no merge-derived judgments).
var advisoryObservationsEndpoint = app.MapGet("/advisories/observations", async (
HttpContext context,
[FromServices] IAdvisoryObservationQueryService observationService,
CancellationToken cancellationToken) =>
{
ApplyNoCache(context.Response);
if (!TryResolveTenant(context, requireHeader: true, out var tenant, out var tenantError))
{
return tenantError;
}
var authorizationError = EnsureTenantAuthorized(context, tenant);
if (authorizationError is not null)
{
return authorizationError;
}
var query = context.Request.Query;
// Parse query parameters
var aliases = query.TryGetValue("alias", out var aliasValues)
? AdvisoryRawRequestMapper.NormalizeStrings(aliasValues)
: null;
var purls = query.TryGetValue("purl", out var purlValues)
? AdvisoryRawRequestMapper.NormalizeStrings(purlValues)
: null;
var cpes = query.TryGetValue("cpe", out var cpeValues)
? AdvisoryRawRequestMapper.NormalizeStrings(cpeValues)
: null;
var observationIds = query.TryGetValue("id", out var idValues)
? AdvisoryRawRequestMapper.NormalizeStrings(idValues)
: null;
int? limit = null;
if (query.TryGetValue("limit", out var limitValues) &&
int.TryParse(limitValues.FirstOrDefault(), NumberStyles.Integer, CultureInfo.InvariantCulture, out var parsedLimit) &&
parsedLimit > 0)
{
limit = Math.Min(parsedLimit, 200); // Cap at 200
}
string? cursor = null;
if (query.TryGetValue("cursor", out var cursorValues))
{
var cursorValue = cursorValues.FirstOrDefault();
if (!string.IsNullOrWhiteSpace(cursorValue))
{
cursor = cursorValue.Trim();
}
}
// Build query options with tenant scope
var options = new AdvisoryObservationQueryOptions(
tenant,
observationIds: observationIds,
aliases: aliases,
purls: purls,
cpes: cpes,
limit: limit,
cursor: cursor);
var result = await observationService.QueryAsync(options, cancellationToken).ConfigureAwait(false);
// Map to response contracts
var linksetResponse = new AdvisoryObservationLinksetAggregateResponse(
result.Linkset.Aliases,
result.Linkset.Purls,
result.Linkset.Cpes,
result.Linkset.References,
result.Linkset.Scopes,
result.Linkset.Relationships,
result.Linkset.Confidence,
result.Linkset.Conflicts);
var response = new AdvisoryObservationQueryResponse(
result.Observations,
linksetResponse,
result.NextCursor,
result.HasMore);
return JsonResult(response);
}).WithName("GetAdvisoryObservations");
if (authorityConfigured)
{
advisoryObservationsEndpoint.RequireAuthorization(ObservationsPolicyName);
}
// Advisory linksets endpoint - surfaces correlation + conflict payloads with ERR_AGG_* mapping.
// No synthesis/merge - echoes upstream values only.
var advisoryLinksetsEndpoint = app.MapGet("/advisories/linksets", async (
HttpContext context,
[FromServices] IAdvisoryLinksetQueryService linksetService,
CancellationToken cancellationToken) =>
{
ApplyNoCache(context.Response);
if (!TryResolveTenant(context, requireHeader: true, out var tenant, out var tenantError))
{
return tenantError;
}
var authorizationError = EnsureTenantAuthorized(context, tenant);
if (authorizationError is not null)
{
return authorizationError;
}
var query = context.Request.Query;
// Parse advisory IDs (alias values like CVE-*, GHSA-*)
var advisoryIds = query.TryGetValue("advisoryId", out var advisoryIdValues)
? AdvisoryRawRequestMapper.NormalizeStrings(advisoryIdValues)
: (query.TryGetValue("alias", out var aliasValues)
? AdvisoryRawRequestMapper.NormalizeStrings(aliasValues)
: null);
var sources = query.TryGetValue("source", out var sourceValues)
? AdvisoryRawRequestMapper.NormalizeStrings(sourceValues)
: null;
int? limit = null;
if (query.TryGetValue("limit", out var limitValues) &&
int.TryParse(limitValues.FirstOrDefault(), NumberStyles.Integer, CultureInfo.InvariantCulture, out var parsedLimit) &&
parsedLimit > 0)
{
limit = Math.Min(parsedLimit, 500); // Cap at 500
}
string? cursor = null;
if (query.TryGetValue("cursor", out var cursorValues))
{
var cursorValue = cursorValues.FirstOrDefault();
if (!string.IsNullOrWhiteSpace(cursorValue))
{
cursor = cursorValue.Trim();
}
}
var options = new AdvisoryLinksetQueryOptions(
tenant,
advisoryIds,
sources,
limit,
cursor);
var result = await linksetService.QueryAsync(options, cancellationToken).ConfigureAwait(false);
// Map to LNM linkset response format
var items = result.Linksets.Select(linkset => new LnmLinksetResponse(
linkset.AdvisoryId,
linkset.Source,
linkset.Normalized?.Purls ?? Array.Empty<string>(),
linkset.Normalized?.Cpes ?? Array.Empty<string>(),
null, // Summary not available in linkset
null, // PublishedAt
null, // ModifiedAt
null, // Severity - no derived judgment
null, // Status
linkset.Provenance is not null
? new LnmLinksetProvenance(
linkset.CreatedAt,
null, // ConnectorId
linkset.Provenance.ObservationHashes?.FirstOrDefault(),
null) // DsseEnvelopeHash
: null,
linkset.Conflicts?.Select(c => new LnmLinksetConflict(
c.Field,
c.Reason,
c.Values?.FirstOrDefault(),
null,
null)).ToArray() ?? Array.Empty<LnmLinksetConflict>(),
Array.Empty<LnmLinksetTimeline>(),
linkset.Normalized is not null
? new LnmLinksetNormalized(
null, // Aliases not in normalized
linkset.Normalized.Purls,
linkset.Normalized.Cpes,
linkset.Normalized.Versions,
null) // Ranges serialized differently
: null,
false, // Not from cache
Array.Empty<string>(),
linkset.ObservationIds.ToArray())).ToArray();
var response = new LnmLinksetPage(items, 1, items.Length, null);
return JsonResult(response);
}).WithName("GetAdvisoryLinksets");
if (authorityConfigured)
{
advisoryLinksetsEndpoint.RequireAuthorization(AdvisoryReadPolicyName);
}
// Advisory linksets export endpoint for evidence bundles
var advisoryLinksetsExportEndpoint = app.MapGet("/advisories/linksets/export", async (
HttpContext context,
[FromServices] IAdvisoryLinksetQueryService linksetService,
[FromServices] TimeProvider timeProvider,
CancellationToken cancellationToken) =>
{
ApplyNoCache(context.Response);
if (!TryResolveTenant(context, requireHeader: true, out var tenant, out var tenantError))
{
return tenantError;
}
var authorizationError = EnsureTenantAuthorized(context, tenant);
if (authorizationError is not null)
{
return authorizationError;
}
var query = context.Request.Query;
var advisoryIds = query.TryGetValue("advisoryId", out var advisoryIdValues)
? AdvisoryRawRequestMapper.NormalizeStrings(advisoryIdValues)
: null;
var sources = query.TryGetValue("source", out var sourceValues)
? AdvisoryRawRequestMapper.NormalizeStrings(sourceValues)
: null;
var options = new AdvisoryLinksetQueryOptions(tenant, advisoryIds, sources, 1000, null);
var result = await linksetService.QueryAsync(options, cancellationToken).ConfigureAwait(false);
// Export format with provenance metadata
var exportItems = result.Linksets.Select(linkset => new
{
advisoryId = linkset.AdvisoryId,
source = linkset.Source,
tenantId = linkset.TenantId,
observationIds = linkset.ObservationIds.ToArray(),
confidence = linkset.Confidence,
conflicts = linkset.Conflicts?.Select(c => new
{
field = c.Field,
reason = c.Reason,
values = c.Values,
sourceIds = c.SourceIds
}).ToArray(),
normalized = linkset.Normalized is not null ? new
{
purls = linkset.Normalized.Purls,
cpes = linkset.Normalized.Cpes,
versions = linkset.Normalized.Versions
} : null,
provenance = linkset.Provenance is not null ? new
{
observationHashes = linkset.Provenance.ObservationHashes,
toolVersion = linkset.Provenance.ToolVersion,
policyHash = linkset.Provenance.PolicyHash
} : null,
createdAt = linkset.CreatedAt,
builtByJobId = linkset.BuiltByJobId
}).ToArray();
var export = new
{
tenant = tenant,
exportedAt = timeProvider.GetUtcNow(),
count = exportItems.Length,
hasMore = result.HasMore,
linksets = exportItems
};
return JsonResult(export);
}).WithName("ExportAdvisoryLinksets");
if (authorityConfigured)
{
advisoryLinksetsExportEndpoint.RequireAuthorization(AdvisoryReadPolicyName);
}
// Internal endpoint for publishing observation events to NATS/Redis.
// Publishes advisory.observation.updated@1 events with tenant + provenance references only.
app.MapPost("/internal/events/observations/publish", async (
HttpContext context,
[FromBody] ObservationEventPublishRequest request,
[FromServices] IAdvisoryObservationQueryService observationService,
[FromServices] IAdvisoryObservationEventPublisher? eventPublisher,
[FromServices] TimeProvider timeProvider,
CancellationToken cancellationToken) =>
{
ApplyNoCache(context.Response);
if (!TryResolveTenant(context, requireHeader: true, out var tenant, out var tenantError))
{
return tenantError;
}
if (eventPublisher is null)
{
return Problem(context, "Event publishing not configured", StatusCodes.Status503ServiceUnavailable, ProblemTypes.ServiceUnavailable, "Event publisher service is not available.");
}
if (request?.ObservationIds is null || request.ObservationIds.Count == 0)
{
return Problem(context, "observationIds required", StatusCodes.Status400BadRequest, ProblemTypes.Validation, "Provide at least one observation ID.");
}
var options = new AdvisoryObservationQueryOptions(tenant, observationIds: request.ObservationIds);
var result = await observationService.QueryAsync(options, cancellationToken).ConfigureAwait(false);
var published = 0;
foreach (var observation in result.Observations)
{
var @event = AdvisoryObservationUpdatedEvent.FromObservation(
observation,
supersedesId: null,
traceId: context.TraceIdentifier);
await eventPublisher.PublishAsync(@event, cancellationToken).ConfigureAwait(false);
published++;
}
return Results.Ok(new { tenant, published, requestedCount = request.ObservationIds.Count, timestamp = timeProvider.GetUtcNow() });
}).WithName("PublishObservationEvents");
// Internal endpoint for publishing linkset events to NATS/Redis.
// Publishes advisory.linkset.updated@1 events with idempotent keys and tenant + provenance references.
app.MapPost("/internal/events/linksets/publish", async (
HttpContext context,
[FromBody] LinksetEventPublishRequest request,
[FromServices] IAdvisoryLinksetQueryService linksetService,
[FromServices] IAdvisoryLinksetEventPublisher? eventPublisher,
[FromServices] TimeProvider timeProvider,
CancellationToken cancellationToken) =>
{
ApplyNoCache(context.Response);
if (!TryResolveTenant(context, requireHeader: true, out var tenant, out var tenantError))
{
return tenantError;
}
if (eventPublisher is null)
{
return Problem(context, "Event publishing not configured", StatusCodes.Status503ServiceUnavailable, ProblemTypes.ServiceUnavailable, "Event publisher service is not available.");
}
if (request?.AdvisoryIds is null || request.AdvisoryIds.Count == 0)
{
return Problem(context, "advisoryIds required", StatusCodes.Status400BadRequest, ProblemTypes.Validation, "Provide at least one advisory ID.");
}
var options = new AdvisoryLinksetQueryOptions(tenant, request.AdvisoryIds, null, 500);
var result = await linksetService.QueryAsync(options, cancellationToken).ConfigureAwait(false);
var published = 0;
foreach (var linkset in result.Linksets)
{
var linksetId = $"{linkset.TenantId}:{linkset.Source}:{linkset.AdvisoryId}";
var @event = AdvisoryLinksetUpdatedEvent.FromLinkset(
linkset,
previousLinkset: null,
linksetId: linksetId,
traceId: context.TraceIdentifier);
await eventPublisher.PublishAsync(@event, cancellationToken).ConfigureAwait(false);
published++;
}
return Results.Ok(new { tenant, published, requestedCount = request.AdvisoryIds.Count, hasMore = result.HasMore, timestamp = timeProvider.GetUtcNow() });
}).WithName("PublishLinksetEvents");
var advisoryEvidenceEndpoint = app.MapGet("/vuln/evidence/advisories/{advisoryKey}", async (
string advisoryKey,
HttpContext context,
@@ -1743,7 +2117,7 @@ var advisorySummaryEndpoint = app.MapGet("/advisories/summary", async (
}
catch (FormatException ex)
{
return Results.BadRequest(ex.Message);
return ConcelierProblemResultFactory.ValidationFailed(context, ex.Message);
}
var items = queryResult.Linksets
@@ -1947,13 +2321,13 @@ app.MapGet("/concelier/advisories/{vulnerabilityKey}/replay", async (
{
if (string.IsNullOrWhiteSpace(vulnerabilityKey))
{
return Results.BadRequest("vulnerabilityKey must be provided.");
return ConcelierProblemResultFactory.VulnerabilityKeyRequired(context);
}
var replay = await eventLog.ReplayAsync(vulnerabilityKey.Trim(), asOf, cancellationToken).ConfigureAwait(false);
if (replay.Statements.Length == 0 && replay.Conflicts.Length == 0)
{
return Results.NotFound();
return ConcelierProblemResultFactory.VulnerabilityNotFound(context, vulnerabilityKey);
}
var response = new
@@ -2309,7 +2683,7 @@ IResult JsonResult<T>(T value, int? statusCode = null)
return Results.Content(payload, "application/json", Encoding.UTF8, statusCode);
}
IResult Problem(HttpContext context, string title, int statusCode, string type, string? detail = null, IDictionary<string, object?>? extensions = null)
IResult Problem(HttpContext context, string title, int statusCode, string type, string? detail = null, IDictionary<string, object?>? extensions = null, string? errorCode = null)
{
var traceId = Activity.Current?.TraceId.ToString() ?? context.TraceIdentifier;
extensions ??= new Dictionary<string, object?>(StringComparer.Ordinal)
@@ -2322,6 +2696,12 @@ IResult Problem(HttpContext context, string title, int statusCode, string type,
extensions["traceId"] = traceId;
}
// Per CONCELIER-WEB-OAS-61-002: Add error code extension for machine-readable errors
if (!string.IsNullOrEmpty(errorCode))
{
extensions["error"] = new { code = errorCode, message = detail ?? title };
}
var problemDetails = new ProblemDetails
{
Type = type,
@@ -3208,7 +3588,7 @@ var concelierTimelineEndpoint = app.MapGet("/obs/concelier/timeline", async (
var candidateCursor = cursor ?? context.Request.Headers["Last-Event-ID"].FirstOrDefault();
if (!string.IsNullOrWhiteSpace(candidateCursor) && !int.TryParse(candidateCursor, NumberStyles.Integer, CultureInfo.InvariantCulture, out startId))
{
return Results.BadRequest(new { error = "cursor must be integer" });
return ConcelierProblemResultFactory.InvalidCursor(context);
}
var logger = loggerFactory.CreateLogger("ConcelierTimeline");

398
src/Concelier/StellaOps.Concelier.WebService/Results/ConcelierProblemResultFactory.cs Normal file
View File

@@ -0,0 +1,398 @@
using System.Diagnostics;
using Microsoft.AspNetCore.Http;
using StellaOps.Concelier.WebService.Contracts;
using StellaOps.Concelier.WebService.Diagnostics;
namespace StellaOps.Concelier.WebService.Results;
/// <summary>
/// Factory for creating standardized error responses.
/// Per CONCELIER-WEB-OAS-61-002.
/// </summary>
public static class ConcelierProblemResultFactory
{
/// <summary>
/// Creates a standardized Problem response with error code.
/// </summary>
public static IResult Problem(
HttpContext context,
string type,
string title,
int statusCode,
string errorCode,
string? detail = null,
string? target = null,
IReadOnlyDictionary<string, object?>? metadata = null,
IReadOnlyList<ValidationError>? innerErrors = null)
{
var envelope = new ErrorEnvelope
{
Type = type,
Title = title,
Status = statusCode,
Detail = detail,
Instance = context.Request.Path,
TraceId = Activity.Current?.TraceId.ToString() ?? context.TraceIdentifier,
Error = new ErrorDetail
{
Code = errorCode,
Message = detail ?? title,
Target = target,
Metadata = metadata,
InnerErrors = innerErrors
}
};
return Microsoft.AspNetCore.Http.Results.Json(envelope, statusCode: statusCode);
}
// ─────────────────────────────────────────────────────────────────────────
// Validation Errors (400)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>
/// Creates a 400 Bad Request response for validation failure.
/// </summary>
public static IResult ValidationFailed(
HttpContext context,
string detail,
string? target = null,
IReadOnlyList<ValidationError>? innerErrors = null)
{
return Problem(
context,
ProblemTypes.Validation,
"Validation failed",
StatusCodes.Status400BadRequest,
ErrorCodes.ValidationFailed,
detail,
target,
innerErrors: innerErrors);
}
/// <summary>
/// Creates a 400 Bad Request response for required field missing.
/// </summary>
public static IResult RequiredFieldMissing(
HttpContext context,
string fieldName)
{
return Problem(
context,
ProblemTypes.Validation,
"Required field missing",
StatusCodes.Status400BadRequest,
ErrorCodes.RequiredFieldMissing,
$"{fieldName} is required.",
fieldName);
}
/// <summary>
/// Creates a 400 Bad Request response for advisory ID required.
/// </summary>
public static IResult AdvisoryIdRequired(HttpContext context)
{
return Problem(
context,
ProblemTypes.Validation,
"Advisory ID required",
StatusCodes.Status400BadRequest,
ErrorCodes.AdvisoryIdRequired,
"advisoryId is required.",
"advisoryId");
}
/// <summary>
/// Creates a 400 Bad Request response for vulnerability key required.
/// </summary>
public static IResult VulnerabilityKeyRequired(HttpContext context)
{
return Problem(
context,
ProblemTypes.Validation,
"Vulnerability key required",
StatusCodes.Status400BadRequest,
ErrorCodes.VulnerabilityKeyRequired,
"vulnerabilityKey must be provided.",
"vulnerabilityKey");
}
/// <summary>
/// Creates a 400 Bad Request response for invalid cursor.
/// </summary>
public static IResult InvalidCursor(HttpContext context)
{
return Problem(
context,
ProblemTypes.Validation,
"Invalid cursor",
StatusCodes.Status400BadRequest,
ErrorCodes.InvalidCursor,
"cursor must be an integer.",
"cursor");
}
// ─────────────────────────────────────────────────────────────────────────
// Not Found Errors (404)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>
/// Creates a 404 Not Found response for resource not found.
/// </summary>
public static IResult NotFound(
HttpContext context,
string errorCode,
string resourceType,
string? resourceId = null)
{
var detail = resourceId is not null
? $"{resourceType} '{resourceId}' not found."
: $"{resourceType} not found.";
return Problem(
context,
ProblemTypes.NotFound,
$"{resourceType} not found",
StatusCodes.Status404NotFound,
errorCode,
detail,
resourceId);
}
/// <summary>
/// Creates a 404 Not Found response for advisory not found.
/// </summary>
public static IResult AdvisoryNotFound(HttpContext context, string? advisoryId = null)
{
return NotFound(context, ErrorCodes.AdvisoryNotFound, "Advisory", advisoryId);
}
/// <summary>
/// Creates a 404 Not Found response for vulnerability not found.
/// </summary>
public static IResult VulnerabilityNotFound(HttpContext context, string? vulnerabilityKey = null)
{
return NotFound(context, ErrorCodes.VulnerabilityNotFound, "Vulnerability", vulnerabilityKey);
}
/// <summary>
/// Creates a 404 Not Found response for evidence not found.
/// </summary>
public static IResult EvidenceNotFound(HttpContext context, string? evidenceId = null)
{
return NotFound(context, ErrorCodes.EvidenceNotFound, "Evidence", evidenceId);
}
/// <summary>
/// Creates a 404 Not Found response for mirror not found.
/// </summary>
public static IResult MirrorNotFound(HttpContext context, string? mirrorId = null)
{
return NotFound(context, ErrorCodes.MirrorNotFound, "Mirror", mirrorId);
}
/// <summary>
/// Creates a 404 Not Found response for bundle source not found.
/// </summary>
public static IResult BundleSourceNotFound(HttpContext context, string? sourceId = null)
{
return NotFound(context, ErrorCodes.BundleSourceNotFound, "Bundle source", sourceId);
}
/// <summary>
/// Creates a generic 404 Not Found response.
/// </summary>
public static IResult ResourceNotFound(HttpContext context, string? detail = null)
{
return Problem(
context,
ProblemTypes.NotFound,
"Resource not found",
StatusCodes.Status404NotFound,
ErrorCodes.ResourceNotFound,
detail ?? "The requested resource was not found.");
}
// ─────────────────────────────────────────────────────────────────────────
// Conflict Errors (409)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>
/// Creates a 409 Conflict response.
/// </summary>
public static IResult Conflict(
HttpContext context,
string errorCode,
string detail,
string? target = null)
{
return Problem(
context,
ProblemTypes.Conflict,
"Conflict",
StatusCodes.Status409Conflict,
errorCode,
detail,
target);
}
/// <summary>
/// Creates a 409 Conflict response for lease conflict.
/// </summary>
public static IResult LeaseConflict(HttpContext context, string detail)
{
return Conflict(context, ErrorCodes.LeaseConflict, detail);
}
// ─────────────────────────────────────────────────────────────────────────
// Locked Errors (423)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>
/// Creates a 423 Locked response.
/// </summary>
public static IResult Locked(
HttpContext context,
string errorCode,
string detail)
{
return Problem(
context,
ProblemTypes.Locked,
"Resource locked",
StatusCodes.Status423Locked,
errorCode,
detail);
}
/// <summary>
/// Creates a 423 Locked response for lease rejection.
/// </summary>
public static IResult LeaseRejected(HttpContext context, string detail)
{
return Problem(
context,
ProblemTypes.LeaseRejected,
"Lease rejected",
StatusCodes.Status423Locked,
ErrorCodes.LeaseRejected,
detail);
}
// ─────────────────────────────────────────────────────────────────────────
// AirGap/Sealed Mode Errors
// ─────────────────────────────────────────────────────────────────────────
/// <summary>
/// Creates a 404 Not Found response for AirGap disabled.
/// </summary>
public static IResult AirGapDisabled(HttpContext context)
{
return Problem(
context,
"https://stellaops.org/problems/airgap-disabled",
"AirGap mode disabled",
StatusCodes.Status404NotFound,
ErrorCodes.AirGapDisabled,
"AirGap mode is not enabled on this instance.");
}
/// <summary>
/// Creates a 403 Forbidden response for sealed mode violation.
/// </summary>
public static IResult SealedModeViolation(
HttpContext context,
string sourceName,
string destination)
{
return Problem(
context,
"https://stellaops.org/problems/sealed-violation",
"Sealed mode violation",
StatusCodes.Status403Forbidden,
ErrorCodes.SealedModeViolation,
$"Source '{sourceName}' is not allowed to access '{destination}' in sealed mode.",
sourceName,
new Dictionary<string, object?> { ["destination"] = destination });
}
// ─────────────────────────────────────────────────────────────────────────
// Rate Limiting (429)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>
/// Creates a 429 Too Many Requests response.
/// </summary>
public static IResult RateLimitExceeded(HttpContext context, int? retryAfterSeconds = null)
{
var envelope = new ErrorEnvelope
{
Type = "https://stellaops.org/problems/rate-limit",
Title = "Rate limit exceeded",
Status = StatusCodes.Status429TooManyRequests,
Detail = "Too many requests. Please try again later.",
Instance = context.Request.Path,
TraceId = Activity.Current?.TraceId.ToString() ?? context.TraceIdentifier,
Error = new ErrorDetail
{
Code = ErrorCodes.RateLimitExceeded,
Message = "Too many requests. Please try again later.",
RetryAfter = retryAfterSeconds
}
};
return Microsoft.AspNetCore.Http.Results.Json(envelope, statusCode: StatusCodes.Status429TooManyRequests);
}
// ─────────────────────────────────────────────────────────────────────────
// Server Errors (5xx)
// ─────────────────────────────────────────────────────────────────────────
/// <summary>
/// Creates a 500 Internal Server Error response.
/// </summary>
public static IResult InternalError(
HttpContext context,
string? detail = null)
{
return Problem(
context,
"https://stellaops.org/problems/internal-error",
"Internal server error",
StatusCodes.Status500InternalServerError,
ErrorCodes.InternalError,
detail ?? "An unexpected error occurred.");
}
/// <summary>
/// Creates a 503 Service Unavailable response.
/// </summary>
public static IResult ServiceUnavailable(
HttpContext context,
string? detail = null)
{
return Problem(
context,
ProblemTypes.ServiceUnavailable,
"Service unavailable",
StatusCodes.Status503ServiceUnavailable,
ErrorCodes.ServiceUnavailable,
detail ?? "The service is temporarily unavailable.");
}
/// <summary>
/// Creates a 500 response for job failure.
/// </summary>
public static IResult JobFailure(
HttpContext context,
string detail)
{
return Problem(
context,
ProblemTypes.JobFailure,
"Job failure",
StatusCodes.Status500InternalServerError,
ErrorCodes.JobFailure,
detail);
}
}

77
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/AirGapServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,77 @@
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
namespace StellaOps.Concelier.Core.AirGap;
/// <summary>
/// Service collection extensions for AirGap services.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public static class AirGapServiceCollectionExtensions
{
/// <summary>
/// Adds AirGap services to the service collection.
/// </summary>
/// <param name="services">The service collection.</param>
/// <param name="configureSealed">Optional sealed mode configuration.</param>
/// <returns>The service collection for chaining.</returns>
public static IServiceCollection AddConcelierAirGapServices(
this IServiceCollection services,
Action<SealedModeConfiguration>? configureSealed = null)
{
ArgumentNullException.ThrowIfNull(services);
// Register TimeProvider if not already registered
services.TryAddSingleton(TimeProvider.System);
// Register core services
services.TryAddSingleton<IBundleSourceRegistry, BundleSourceRegistry>();
services.TryAddSingleton<IBundleCatalogService, BundleCatalogService>();
// Configure and register sealed mode enforcer
var sealedConfig = new SealedModeConfiguration();
configureSealed?.Invoke(sealedConfig);
services.TryAddSingleton<ISealedModeEnforcer>(sp =>
{
var logger = sp.GetRequiredService<Microsoft.Extensions.Logging.ILogger<SealedModeEnforcer>>();
var timeProvider = sp.GetService<TimeProvider>();
return new SealedModeEnforcer(
logger,
isSealed: sealedConfig.IsSealed,
warnOnly: sealedConfig.WarnOnly,
allowedSources: sealedConfig.AllowedSources,
allowedHosts: sealedConfig.AllowedHosts,
timeProvider: timeProvider);
});
return services;
}
}
/// <summary>
/// Configuration for sealed mode.
/// </summary>
public sealed class SealedModeConfiguration
{
/// <summary>
/// Enable sealed mode.
/// </summary>
public bool IsSealed { get; set; }
/// <summary>
/// Enable warn-only mode (log violations but don't block).
/// </summary>
public bool WarnOnly { get; set; }
/// <summary>
/// Sources allowed even in sealed mode.
/// </summary>
public IList<string> AllowedSources { get; } = new List<string>();
/// <summary>
/// Hosts allowed even in sealed mode.
/// </summary>
public IList<string> AllowedHosts { get; } = new List<string>();
}

250
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/BundleCatalogService.cs Normal file
View File

@@ -0,0 +1,250 @@
using System.Collections.Immutable;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Logging;
using StellaOps.Concelier.Core.AirGap.Models;
namespace StellaOps.Concelier.Core.AirGap;
/// <summary>
/// Default implementation of <see cref="IBundleCatalogService"/>.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public sealed class BundleCatalogService : IBundleCatalogService
{
private readonly IBundleSourceRegistry _sourceRegistry;
private readonly ILogger<BundleCatalogService> _logger;
private readonly TimeProvider _timeProvider;
private readonly int _defaultPageSize;
private readonly int _maxPageSize;
private AggregatedCatalog? _cachedCatalog;
private DateTimeOffset _cacheExpiry = DateTimeOffset.MinValue;
private readonly object _cacheLock = new();
public BundleCatalogService(
IBundleSourceRegistry sourceRegistry,
ILogger<BundleCatalogService> logger,
TimeProvider? timeProvider = null,
int defaultPageSize = 50,
int maxPageSize = 100)
{
_sourceRegistry = sourceRegistry ?? throw new ArgumentNullException(nameof(sourceRegistry));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_timeProvider = timeProvider ?? TimeProvider.System;
_defaultPageSize = defaultPageSize;
_maxPageSize = maxPageSize;
}
/// <inheritdoc />
public async Task<AggregatedCatalog> GetCatalogAsync(
string? cursor = null,
int? limit = null,
CancellationToken cancellationToken = default)
{
var fullCatalog = await GetOrRefreshCatalogAsync(cancellationToken).ConfigureAwait(false);
return ApplyPagination(fullCatalog, cursor, limit);
}
/// <inheritdoc />
public async Task<AggregatedCatalog> GetCatalogBySourceAsync(
string sourceId,
string? cursor = null,
int? limit = null,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(sourceId);
var fullCatalog = await GetOrRefreshCatalogAsync(cancellationToken).ConfigureAwait(false);
var filteredEntries = fullCatalog.Entries
.Where(e => string.Equals(e.SourceId, sourceId, StringComparison.OrdinalIgnoreCase))
.ToImmutableArray();
var filteredCatalog = fullCatalog with
{
Entries = filteredEntries,
TotalCount = filteredEntries.Length,
SourceIds = ImmutableArray.Create(sourceId)
};
return ApplyPagination(filteredCatalog, cursor, limit);
}
/// <inheritdoc />
public async Task<BundleCatalogEntry?> GetBundleAsync(
string bundleId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(bundleId);
var catalog = await GetOrRefreshCatalogAsync(cancellationToken).ConfigureAwait(false);
return catalog.Entries.FirstOrDefault(e =>
string.Equals(e.BundleId, bundleId, StringComparison.OrdinalIgnoreCase));
}
/// <inheritdoc />
public Task RefreshAsync(CancellationToken cancellationToken = default)
{
lock (_cacheLock)
{
_cachedCatalog = null;
_cacheExpiry = DateTimeOffset.MinValue;
}
_logger.LogDebug("Catalog cache invalidated");
return Task.CompletedTask;
}
private async Task<AggregatedCatalog> GetOrRefreshCatalogAsync(CancellationToken cancellationToken)
{
var now = _timeProvider.GetUtcNow();
lock (_cacheLock)
{
if (_cachedCatalog is not null && now < _cacheExpiry)
{
return _cachedCatalog;
}
}
var catalog = await BuildCatalogAsync(cancellationToken).ConfigureAwait(false);
lock (_cacheLock)
{
_cachedCatalog = catalog;
_cacheExpiry = now.AddMinutes(5); // Default 5-minute cache
}
return catalog;
}
private Task<AggregatedCatalog> BuildCatalogAsync(CancellationToken cancellationToken)
{
var sources = _sourceRegistry.GetSources()
.Where(s => s.Enabled && s.Status != BundleSourceStatus.Error)
.ToList();
var entries = new List<BundleCatalogEntry>();
var sourceIds = new List<string>();
foreach (var source in sources)
{
var sourceEntries = DiscoverBundles(source);
entries.AddRange(sourceEntries);
sourceIds.Add(source.Id);
}
var now = _timeProvider.GetUtcNow();
var etag = ComputeETag(entries);
_logger.LogDebug(
"Built catalog with {EntryCount} entries from {SourceCount} sources",
entries.Count, sources.Count);
return Task.FromResult(new AggregatedCatalog
{
Entries = entries.OrderBy(e => e.BundleId).ToImmutableArray(),
TotalCount = entries.Count,
SourceIds = sourceIds.ToImmutableArray(),
ComputedAt = now,
ETag = etag
});
}
private IEnumerable<BundleCatalogEntry> DiscoverBundles(BundleSourceInfo source)
{
// Actual implementation would discover bundles from the source
// For now, return empty - this would be expanded based on source type
return source.Type switch
{
"directory" => DiscoverDirectoryBundles(source),
"archive" => DiscoverArchiveBundles(source),
"remote" => Enumerable.Empty<BundleCatalogEntry>(), // Would require async HTTP calls
_ => Enumerable.Empty<BundleCatalogEntry>()
};
}
private IEnumerable<BundleCatalogEntry> DiscoverDirectoryBundles(BundleSourceInfo source)
{
if (!Directory.Exists(source.Location))
{
yield break;
}
foreach (var file in Directory.EnumerateFiles(source.Location, "*.bundle.json", SearchOption.AllDirectories))
{
var fileInfo = new FileInfo(file);
var bundleId = Path.GetFileNameWithoutExtension(fileInfo.Name);
yield return new BundleCatalogEntry
{
BundleId = bundleId,
SourceId = source.Id,
Type = "advisory", // Would be parsed from bundle metadata
ContentHash = $"sha256:{ComputeFileHash(file)}",
SizeBytes = fileInfo.Length,
CreatedAt = fileInfo.CreationTimeUtc,
ModifiedAt = fileInfo.LastWriteTimeUtc
};
}
}
private IEnumerable<BundleCatalogEntry> DiscoverArchiveBundles(BundleSourceInfo source)
{
// Would extract and inspect archive contents
yield break;
}
private AggregatedCatalog ApplyPagination(AggregatedCatalog catalog, string? cursor, int? limit)
{
var pageSize = Math.Min(limit ?? _defaultPageSize, _maxPageSize);
var offset = ParseCursor(cursor);
var pagedEntries = catalog.Entries
.Skip(offset)
.Take(pageSize)
.ToImmutableArray();
string? nextCursor = null;
if (offset + pageSize < catalog.TotalCount)
{
nextCursor = (offset + pageSize).ToString();
}
return catalog with
{
Entries = pagedEntries,
NextCursor = nextCursor
};
}
private static int ParseCursor(string? cursor)
{
if (string.IsNullOrEmpty(cursor))
{
return 0;
}
return int.TryParse(cursor, out var offset) ? offset : 0;
}
private static string ComputeETag(IEnumerable<BundleCatalogEntry> entries)
{
var builder = new StringBuilder();
foreach (var entry in entries.OrderBy(e => e.BundleId))
{
builder.Append(entry.BundleId);
builder.Append(entry.ContentHash);
}
var hash = SHA256.HashData(Encoding.UTF8.GetBytes(builder.ToString()));
return $"W/\"{Convert.ToHexString(hash)[..16]}\"";
}
private static string ComputeFileHash(string filePath)
{
using var stream = File.OpenRead(filePath);
var hash = SHA256.HashData(stream);
return Convert.ToHexString(hash).ToLowerInvariant();
}
}

185
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/BundleSourceRegistry.cs Normal file
View File

@@ -0,0 +1,185 @@
using System.Collections.Concurrent;
using System.Collections.Immutable;
using Microsoft.Extensions.Logging;
using StellaOps.Concelier.Core.AirGap.Models;
namespace StellaOps.Concelier.Core.AirGap;
/// <summary>
/// Default implementation of <see cref="IBundleSourceRegistry"/>.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public sealed class BundleSourceRegistry : IBundleSourceRegistry
{
private readonly ConcurrentDictionary<string, BundleSourceInfo> _sources = new(StringComparer.OrdinalIgnoreCase);
private readonly ILogger<BundleSourceRegistry> _logger;
private readonly TimeProvider _timeProvider;
public BundleSourceRegistry(
ILogger<BundleSourceRegistry> logger,
TimeProvider? timeProvider = null)
{
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_timeProvider = timeProvider ?? TimeProvider.System;
}
/// <inheritdoc />
public IReadOnlyList<BundleSourceInfo> GetSources()
=> _sources.Values.OrderBy(s => s.Priority).ThenBy(s => s.Id).ToList();
/// <inheritdoc />
public BundleSourceInfo? GetSource(string sourceId)
{
ArgumentException.ThrowIfNullOrWhiteSpace(sourceId);
return _sources.GetValueOrDefault(sourceId);
}
/// <inheritdoc />
public Task<BundleSourceInfo> RegisterAsync(
BundleSourceRegistration registration,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(registration);
ArgumentException.ThrowIfNullOrWhiteSpace(registration.Id);
ArgumentException.ThrowIfNullOrWhiteSpace(registration.Type);
ArgumentException.ThrowIfNullOrWhiteSpace(registration.Location);
var now = _timeProvider.GetUtcNow();
var sourceInfo = new BundleSourceInfo
{
Id = registration.Id,
DisplayName = registration.DisplayName,
Type = registration.Type,
Location = registration.Location,
Enabled = registration.Enabled,
Priority = registration.Priority,
VerificationMode = registration.VerificationMode,
RegisteredAt = now,
Status = BundleSourceStatus.Unknown,
Metadata = ImmutableDictionary<string, string>.Empty
};
_sources[registration.Id] = sourceInfo;
_logger.LogInformation(
"Registered bundle source: {SourceId}, type={Type}, location={Location}",
registration.Id, registration.Type, registration.Location);
return Task.FromResult(sourceInfo);
}
/// <inheritdoc />
public Task<bool> UnregisterAsync(string sourceId, CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(sourceId);
var removed = _sources.TryRemove(sourceId, out _);
if (removed)
{
_logger.LogInformation("Unregistered bundle source: {SourceId}", sourceId);
}
return Task.FromResult(removed);
}
/// <inheritdoc />
public Task<BundleSourceValidationResult> ValidateAsync(
string sourceId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(sourceId);
if (!_sources.TryGetValue(sourceId, out var source))
{
return Task.FromResult(BundleSourceValidationResult.Failure(sourceId, $"Source '{sourceId}' not found"));
}
var now = _timeProvider.GetUtcNow();
// Basic validation - actual implementation would check source accessibility
var result = source.Type switch
{
"directory" => ValidateDirectorySource(source),
"archive" => ValidateArchiveSource(source),
"remote" => ValidateRemoteSource(source),
_ => BundleSourceValidationResult.Failure(sourceId, $"Unknown source type: {source.Type}")
};
// Update source status
var updatedSource = source with
{
LastValidatedAt = now,
Status = result.Status,
BundleCount = result.BundleCount,
ErrorMessage = result.Errors.Length > 0 ? string.Join("; ", result.Errors) : null
};
_sources[sourceId] = updatedSource;
_logger.LogDebug(
"Validated bundle source: {SourceId}, status={Status}, bundles={BundleCount}",
sourceId, result.Status, result.BundleCount);
return Task.FromResult(result);
}
/// <inheritdoc />
public Task<bool> SetEnabledAsync(string sourceId, bool enabled, CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(sourceId);
if (!_sources.TryGetValue(sourceId, out var source))
{
return Task.FromResult(false);
}
var updatedSource = source with
{
Enabled = enabled,
Status = enabled ? source.Status : BundleSourceStatus.Disabled
};
_sources[sourceId] = updatedSource;
_logger.LogInformation("Set bundle source {SourceId} enabled={Enabled}", sourceId, enabled);
return Task.FromResult(true);
}
private BundleSourceValidationResult ValidateDirectorySource(BundleSourceInfo source)
{
if (!Directory.Exists(source.Location))
{
return BundleSourceValidationResult.Failure(source.Id, $"Directory not found: {source.Location}");
}
var bundleFiles = Directory.GetFiles(source.Location, "*.bundle.json", SearchOption.AllDirectories);
return BundleSourceValidationResult.Success(source.Id, bundleFiles.Length);
}
private BundleSourceValidationResult ValidateArchiveSource(BundleSourceInfo source)
{
if (!File.Exists(source.Location))
{
return BundleSourceValidationResult.Failure(source.Id, $"Archive not found: {source.Location}");
}
// Actual implementation would inspect archive contents
return BundleSourceValidationResult.Success(source.Id, 0);
}
private BundleSourceValidationResult ValidateRemoteSource(BundleSourceInfo source)
{
if (!Uri.TryCreate(source.Location, UriKind.Absolute, out var uri))
{
return BundleSourceValidationResult.Failure(source.Id, $"Invalid URL: {source.Location}");
}
// Actual implementation would check remote accessibility
return new BundleSourceValidationResult
{
SourceId = source.Id,
IsValid = true,
Status = BundleSourceStatus.Unknown,
ValidatedAt = _timeProvider.GetUtcNow(),
Warnings = ImmutableArray.Create("Remote validation not implemented - assuming valid")
};
}
}

39
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/IBundleCatalogService.cs Normal file
View File

@@ -0,0 +1,39 @@
using StellaOps.Concelier.Core.AirGap.Models;
namespace StellaOps.Concelier.Core.AirGap;
/// <summary>
/// Service for accessing the aggregated bundle catalog.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public interface IBundleCatalogService
{
/// <summary>
/// Gets the aggregated catalog from all sources.
/// </summary>
Task<AggregatedCatalog> GetCatalogAsync(
string? cursor = null,
int? limit = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets catalog entries for a specific source.
/// </summary>
Task<AggregatedCatalog> GetCatalogBySourceAsync(
string sourceId,
string? cursor = null,
int? limit = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets a specific bundle entry.
/// </summary>
Task<BundleCatalogEntry?> GetBundleAsync(
string bundleId,
CancellationToken cancellationToken = default);
/// <summary>
/// Refreshes the catalog cache.
/// </summary>
Task RefreshAsync(CancellationToken cancellationToken = default);
}

44
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/IBundleSourceRegistry.cs Normal file
View File

@@ -0,0 +1,44 @@
using StellaOps.Concelier.Core.AirGap.Models;
namespace StellaOps.Concelier.Core.AirGap;
/// <summary>
/// Registry for managing bundle sources in air-gap mode.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public interface IBundleSourceRegistry
{
/// <summary>
/// Gets all registered sources.
/// </summary>
IReadOnlyList<BundleSourceInfo> GetSources();
/// <summary>
/// Gets a specific source by ID.
/// </summary>
BundleSourceInfo? GetSource(string sourceId);
/// <summary>
/// Registers a new bundle source.
/// </summary>
Task<BundleSourceInfo> RegisterAsync(
BundleSourceRegistration registration,
CancellationToken cancellationToken = default);
/// <summary>
/// Unregisters a bundle source.
/// </summary>
Task<bool> UnregisterAsync(string sourceId, CancellationToken cancellationToken = default);
/// <summary>
/// Validates a bundle source.
/// </summary>
Task<BundleSourceValidationResult> ValidateAsync(
string sourceId,
CancellationToken cancellationToken = default);
/// <summary>
/// Enables or disables a source.
/// </summary>
Task<bool> SetEnabledAsync(string sourceId, bool enabled, CancellationToken cancellationToken = default);
}

52
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/ISealedModeEnforcer.cs Normal file
View File

@@ -0,0 +1,52 @@
using StellaOps.Concelier.Core.AirGap.Models;
namespace StellaOps.Concelier.Core.AirGap;
/// <summary>
/// Enforces sealed mode by blocking direct internet feeds.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public interface ISealedModeEnforcer
{
/// <summary>
/// Gets whether sealed mode is currently active.
/// </summary>
bool IsSealed { get; }
/// <summary>
/// Ensures a source is allowed to access the given destination.
/// Throws <see cref="SealedModeViolationException"/> if not allowed and not in warn-only mode.
/// </summary>
void EnsureSourceAllowed(string sourceName, Uri destination);
/// <summary>
/// Checks if a source is allowed to access the given destination.
/// </summary>
bool IsSourceAllowed(string sourceName, Uri destination);
/// <summary>
/// Gets the list of currently blocked sources.
/// </summary>
IReadOnlyList<string> GetBlockedSources();
/// <summary>
/// Gets the current sealed mode status.
/// </summary>
SealedModeStatus GetStatus();
}
/// <summary>
/// Exception thrown when a sealed mode violation occurs.
/// </summary>
public sealed class SealedModeViolationException : Exception
{
public SealedModeViolationException(string sourceName, Uri destination)
: base($"Sealed mode violation: source '{sourceName}' attempted to access '{destination}'")
{
SourceName = sourceName;
Destination = destination;
}
public string SourceName { get; }
public Uri Destination { get; }
}

40
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/Models/AggregatedCatalog.cs Normal file
View File

@@ -0,0 +1,40 @@
using System.Collections.Immutable;
namespace StellaOps.Concelier.Core.AirGap.Models;
/// <summary>
/// Aggregated bundle catalog from all sources.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public sealed record AggregatedCatalog
{
/// <summary>
/// Catalog entries.
/// </summary>
public ImmutableArray<BundleCatalogEntry> Entries { get; init; } = ImmutableArray<BundleCatalogEntry>.Empty;
/// <summary>
/// Total number of entries (may differ from Entries.Length if paginated).
/// </summary>
public int TotalCount { get; init; }
/// <summary>
/// Sources that contributed to this catalog.
/// </summary>
public ImmutableArray<string> SourceIds { get; init; } = ImmutableArray<string>.Empty;
/// <summary>
/// When the catalog was computed.
/// </summary>
public DateTimeOffset ComputedAt { get; init; }
/// <summary>
/// Catalog version/ETag for caching.
/// </summary>
public string? ETag { get; init; }
/// <summary>
/// Cursor for pagination.
/// </summary>
public string? NextCursor { get; init; }
}

117
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/Models/BundleCatalogEntry.cs Normal file
View File

@@ -0,0 +1,117 @@
using System.Collections.Immutable;
namespace StellaOps.Concelier.Core.AirGap.Models;
/// <summary>
/// Entry in the aggregated bundle catalog.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public sealed record BundleCatalogEntry
{
/// <summary>
/// Bundle identifier.
/// </summary>
public required string BundleId { get; init; }
/// <summary>
/// Source that provides this bundle.
/// </summary>
public required string SourceId { get; init; }
/// <summary>
/// Bundle type (advisory, vex, sbom, etc.).
/// </summary>
public required string Type { get; init; }
/// <summary>
/// Bundle version.
/// </summary>
public string? Version { get; init; }
/// <summary>
/// Content hash for integrity verification.
/// </summary>
public required string ContentHash { get; init; }
/// <summary>
/// Size of the bundle in bytes.
/// </summary>
public long SizeBytes { get; init; }
/// <summary>
/// When the bundle was created.
/// </summary>
public DateTimeOffset CreatedAt { get; init; }
/// <summary>
/// When the bundle was last modified.
/// </summary>
public DateTimeOffset? ModifiedAt { get; init; }
/// <summary>
/// Number of items in the bundle.
/// </summary>
public int ItemCount { get; init; }
/// <summary>
/// Bundle metadata.
/// </summary>
public ImmutableDictionary<string, string> Metadata { get; init; } = ImmutableDictionary<string, string>.Empty;
/// <summary>
/// Provenance information if available.
/// </summary>
public BundleProvenance? Provenance { get; init; }
}
/// <summary>
/// Provenance information for a bundle.
/// </summary>
public sealed record BundleProvenance
{
/// <summary>
/// Origin of the bundle data.
/// </summary>
public required string Origin { get; init; }
/// <summary>
/// Signature information if signed.
/// </summary>
public BundleSignature? Signature { get; init; }
/// <summary>
/// When the bundle was retrieved.
/// </summary>
public DateTimeOffset RetrievedAt { get; init; }
/// <summary>
/// Pipeline version that created this bundle.
/// </summary>
public string? PipelineVersion { get; init; }
}
/// <summary>
/// Signature information for a bundle.
/// </summary>
public sealed record BundleSignature
{
/// <summary>
/// Signature format (dsse, pgp, etc.).
/// </summary>
public required string Format { get; init; }
/// <summary>
/// Key identifier.
/// </summary>
public required string KeyId { get; init; }
/// <summary>
/// Whether signature was verified.
/// </summary>
public bool Verified { get; init; }
/// <summary>
/// When signature was verified.
/// </summary>
public DateTimeOffset? VerifiedAt { get; init; }
}

96
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/Models/BundleSourceInfo.cs Normal file
View File

@@ -0,0 +1,96 @@
using System.Collections.Immutable;
namespace StellaOps.Concelier.Core.AirGap.Models;
/// <summary>
/// Information about a registered bundle source.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public sealed record BundleSourceInfo
{
/// <summary>
/// Unique identifier for the source.
/// </summary>
public required string Id { get; init; }
/// <summary>
/// Display name for the source.
/// </summary>
public string? DisplayName { get; init; }
/// <summary>
/// Source type (directory, archive, remote).
/// </summary>
public required string Type { get; init; }
/// <summary>
/// Location of the source (path or URL).
/// </summary>
public required string Location { get; init; }
/// <summary>
/// Whether the source is enabled.
/// </summary>
public bool Enabled { get; init; } = true;
/// <summary>
/// Priority for this source (lower = higher priority).
/// </summary>
public int Priority { get; init; } = 100;
/// <summary>
/// Verification mode for bundles (signature, hash, none).
/// </summary>
public string VerificationMode { get; init; } = "signature";
/// <summary>
/// When the source was registered.
/// </summary>
public DateTimeOffset RegisteredAt { get; init; }
/// <summary>
/// When the source was last validated.
/// </summary>
public DateTimeOffset? LastValidatedAt { get; init; }
/// <summary>
/// Number of bundles available from this source.
/// </summary>
public int BundleCount { get; init; }
/// <summary>
/// Source health status.
/// </summary>
public BundleSourceStatus Status { get; init; } = BundleSourceStatus.Unknown;
/// <summary>
/// Error message if status is Error.
/// </summary>
public string? ErrorMessage { get; init; }
/// <summary>
/// Metadata from the source catalog.
/// </summary>
public ImmutableDictionary<string, string> Metadata { get; init; } = ImmutableDictionary<string, string>.Empty;
}
/// <summary>
/// Bundle source health status.
/// </summary>
public enum BundleSourceStatus
{
/// <summary>Status unknown (not yet validated).</summary>
Unknown = 0,
/// <summary>Source is healthy and accessible.</summary>
Healthy = 1,
/// <summary>Source has warnings but is functional.</summary>
Degraded = 2,
/// <summary>Source is in error state.</summary>
Error = 3,
/// <summary>Source is disabled.</summary>
Disabled = 4
}

43
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/Models/BundleSourceRegistration.cs Normal file
View File

@@ -0,0 +1,43 @@
namespace StellaOps.Concelier.Core.AirGap.Models;
/// <summary>
/// Registration request for a new bundle source.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public sealed record BundleSourceRegistration
{
/// <summary>
/// Unique identifier for the source.
/// </summary>
public required string Id { get; init; }
/// <summary>
/// Display name for the source.
/// </summary>
public string? DisplayName { get; init; }
/// <summary>
/// Source type (directory, archive, remote).
/// </summary>
public required string Type { get; init; }
/// <summary>
/// Location of the source (path or URL).
/// </summary>
public required string Location { get; init; }
/// <summary>
/// Whether the source should be enabled immediately.
/// </summary>
public bool Enabled { get; init; } = true;
/// <summary>
/// Priority for this source (lower = higher priority).
/// </summary>
public int Priority { get; init; } = 100;
/// <summary>
/// Verification mode for bundles (signature, hash, none).
/// </summary>
public string VerificationMode { get; init; } = "signature";
}

69
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/Models/BundleSourceValidationResult.cs Normal file
View File

@@ -0,0 +1,69 @@
using System.Collections.Immutable;
namespace StellaOps.Concelier.Core.AirGap.Models;
/// <summary>
/// Result of validating a bundle source.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public sealed record BundleSourceValidationResult
{
/// <summary>
/// Source identifier that was validated.
/// </summary>
public required string SourceId { get; init; }
/// <summary>
/// Whether the source is valid.
/// </summary>
public bool IsValid { get; init; }
/// <summary>
/// Source status after validation.
/// </summary>
public BundleSourceStatus Status { get; init; }
/// <summary>
/// Validation errors if any.
/// </summary>
public ImmutableArray<string> Errors { get; init; } = ImmutableArray<string>.Empty;
/// <summary>
/// Validation warnings if any.
/// </summary>
public ImmutableArray<string> Warnings { get; init; } = ImmutableArray<string>.Empty;
/// <summary>
/// Number of bundles discovered.
/// </summary>
public int BundleCount { get; init; }
/// <summary>
/// When the validation was performed.
/// </summary>
public DateTimeOffset ValidatedAt { get; init; }
/// <summary>
/// Creates a successful validation result.
/// </summary>
public static BundleSourceValidationResult Success(string sourceId, int bundleCount) => new()
{
SourceId = sourceId,
IsValid = true,
Status = BundleSourceStatus.Healthy,
BundleCount = bundleCount,
ValidatedAt = DateTimeOffset.UtcNow
};
/// <summary>
/// Creates a failed validation result.
/// </summary>
public static BundleSourceValidationResult Failure(string sourceId, params string[] errors) => new()
{
SourceId = sourceId,
IsValid = false,
Status = BundleSourceStatus.Error,
Errors = errors.ToImmutableArray(),
ValidatedAt = DateTimeOffset.UtcNow
};
}

71
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/Models/SealedModeStatus.cs Normal file
View File

@@ -0,0 +1,71 @@
using System.Collections.Immutable;
namespace StellaOps.Concelier.Core.AirGap.Models;
/// <summary>
/// Status of sealed mode enforcement.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public sealed record SealedModeStatus
{
/// <summary>
/// Whether sealed mode is enabled.
/// </summary>
public bool IsSealed { get; init; }
/// <summary>
/// Whether warn-only mode is active.
/// </summary>
public bool WarnOnly { get; init; }
/// <summary>
/// Sources that are allowed even in sealed mode.
/// </summary>
public ImmutableArray<string> AllowedSources { get; init; } = ImmutableArray<string>.Empty;
/// <summary>
/// Hosts that are allowed even in sealed mode.
/// </summary>
public ImmutableArray<string> AllowedHosts { get; init; } = ImmutableArray<string>.Empty;
/// <summary>
/// Sources that are currently blocked.
/// </summary>
public ImmutableArray<string> BlockedSources { get; init; } = ImmutableArray<string>.Empty;
/// <summary>
/// Recent seal violations (if warn-only mode).
/// </summary>
public ImmutableArray<SealViolation> RecentViolations { get; init; } = ImmutableArray<SealViolation>.Empty;
/// <summary>
/// When status was computed.
/// </summary>
public DateTimeOffset ComputedAt { get; init; }
}
/// <summary>
/// Record of a seal mode violation attempt.
/// </summary>
public sealed record SealViolation
{
/// <summary>
/// Source that attempted the violation.
/// </summary>
public required string SourceName { get; init; }
/// <summary>
/// Destination that was blocked.
/// </summary>
public required string Destination { get; init; }
/// <summary>
/// When the violation occurred.
/// </summary>
public DateTimeOffset OccurredAt { get; init; }
/// <summary>
/// Whether the request was blocked or just warned.
/// </summary>
public bool WasBlocked { get; init; }
}

169
src/Concelier/__Libraries/StellaOps.Concelier.Core/AirGap/SealedModeEnforcer.cs Normal file
View File

@@ -0,0 +1,169 @@
using System.Collections.Concurrent;
using System.Collections.Immutable;
using Microsoft.Extensions.Logging;
using StellaOps.Concelier.Core.AirGap.Models;
namespace StellaOps.Concelier.Core.AirGap;
/// <summary>
/// Default implementation of <see cref="ISealedModeEnforcer"/>.
/// Per CONCELIER-WEB-AIRGAP-56-001.
/// </summary>
public sealed class SealedModeEnforcer : ISealedModeEnforcer
{
private readonly ILogger<SealedModeEnforcer> _logger;
private readonly TimeProvider _timeProvider;
private readonly bool _isSealed;
private readonly bool _warnOnly;
private readonly ImmutableHashSet<string> _allowedSources;
private readonly ImmutableHashSet<string> _allowedHosts;
private readonly ConcurrentQueue<SealViolation> _recentViolations = new();
private readonly ConcurrentDictionary<string, bool> _blockedSources = new(StringComparer.OrdinalIgnoreCase);
private const int MaxRecentViolations = 100;
public SealedModeEnforcer(
ILogger<SealedModeEnforcer> logger,
bool isSealed = false,
bool warnOnly = false,
IEnumerable<string>? allowedSources = null,
IEnumerable<string>? allowedHosts = null,
TimeProvider? timeProvider = null)
{
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_timeProvider = timeProvider ?? TimeProvider.System;
_isSealed = isSealed;
_warnOnly = warnOnly;
_allowedSources = (allowedSources ?? Enumerable.Empty<string>())
.ToImmutableHashSet(StringComparer.OrdinalIgnoreCase);
_allowedHosts = (allowedHosts ?? Enumerable.Empty<string>())
.ToImmutableHashSet(StringComparer.OrdinalIgnoreCase);
}
/// <inheritdoc />
public bool IsSealed => _isSealed;
/// <inheritdoc />
public void EnsureSourceAllowed(string sourceName, Uri destination)
{
ArgumentException.ThrowIfNullOrWhiteSpace(sourceName);
ArgumentNullException.ThrowIfNull(destination);
if (!_isSealed)
{
return;
}
if (IsAllowed(sourceName, destination))
{
return;
}
RecordViolation(sourceName, destination);
if (_warnOnly)
{
_logger.LogWarning(
"Sealed mode violation (warn-only): source '{SourceName}' attempted to access '{Destination}'",
sourceName, destination);
return;
}
_logger.LogError(
"Sealed mode violation blocked: source '{SourceName}' attempted to access '{Destination}'",
sourceName, destination);
throw new SealedModeViolationException(sourceName, destination);
}
/// <inheritdoc />
public bool IsSourceAllowed(string sourceName, Uri destination)
{
if (!_isSealed)
{
return true;
}
return IsAllowed(sourceName, destination);
}
/// <inheritdoc />
public IReadOnlyList<string> GetBlockedSources()
=> _blockedSources.Keys.ToList();
/// <inheritdoc />
public SealedModeStatus GetStatus()
{
var violations = new List<SealViolation>();
foreach (var v in _recentViolations)
{
violations.Add(v);
}
return new SealedModeStatus
{
IsSealed = _isSealed,
WarnOnly = _warnOnly,
AllowedSources = _allowedSources.ToImmutableArray(),
AllowedHosts = _allowedHosts.ToImmutableArray(),
BlockedSources = _blockedSources.Keys.ToImmutableArray(),
RecentViolations = violations.TakeLast(20).ToImmutableArray(),
ComputedAt = _timeProvider.GetUtcNow()
};
}
private bool IsAllowed(string sourceName, Uri destination)
{
// Check if source is explicitly allowed
if (_allowedSources.Contains(sourceName))
{
return true;
}
// Check if host is explicitly allowed
if (_allowedHosts.Contains(destination.Host))
{
return true;
}
// Check for localhost/internal addresses
if (IsLocalAddress(destination))
{
return true;
}
// Mark source as blocked for status reporting
_blockedSources.TryAdd(sourceName, true);
return false;
}
private static bool IsLocalAddress(Uri uri)
{
var host = uri.Host.ToLowerInvariant();
return host == "localhost" ||
host == "127.0.0.1" ||
host == "::1" ||
host.StartsWith("192.168.") ||
host.StartsWith("10.") ||
host.StartsWith("172.16.") ||
host.EndsWith(".local");
}
private void RecordViolation(string sourceName, Uri destination)
{
var violation = new SealViolation
{
SourceName = sourceName,
Destination = destination.ToString(),
OccurredAt = _timeProvider.GetUtcNow(),
WasBlocked = !_warnOnly
};
_recentViolations.Enqueue(violation);
// Trim old violations
while (_recentViolations.Count > MaxRecentViolations)
{
_recentViolations.TryDequeue(out _);
}
}
}

313
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/GridFsMigrationService.cs Normal file
View File

@@ -0,0 +1,313 @@
using System.Security.Cryptography;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using MongoDB.Bson;
using MongoDB.Driver;
using MongoDB.Driver.GridFS;
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Service for migrating raw payloads from GridFS to S3-compatible object storage.
/// </summary>
public sealed class GridFsMigrationService
{
private readonly IGridFSBucket _gridFs;
private readonly IObjectStore _objectStore;
private readonly IMigrationTracker _migrationTracker;
private readonly ObjectStorageOptions _options;
private readonly TimeProvider _timeProvider;
private readonly ILogger<GridFsMigrationService> _logger;
public GridFsMigrationService(
IGridFSBucket gridFs,
IObjectStore objectStore,
IMigrationTracker migrationTracker,
IOptions<ObjectStorageOptions> options,
TimeProvider timeProvider,
ILogger<GridFsMigrationService> logger)
{
_gridFs = gridFs ?? throw new ArgumentNullException(nameof(gridFs));
_objectStore = objectStore ?? throw new ArgumentNullException(nameof(objectStore));
_migrationTracker = migrationTracker ?? throw new ArgumentNullException(nameof(migrationTracker));
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_timeProvider = timeProvider ?? TimeProvider.System;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <summary>
/// Migrates a single GridFS document to object storage.
/// </summary>
public async Task<MigrationResult> MigrateAsync(
string gridFsId,
string tenantId,
string sourceId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentException.ThrowIfNullOrWhiteSpace(sourceId);
// Check if already migrated
if (await _migrationTracker.IsMigratedAsync(gridFsId, cancellationToken).ConfigureAwait(false))
{
_logger.LogDebug("GridFS {GridFsId} already migrated, skipping", gridFsId);
return MigrationResult.AlreadyMigrated(gridFsId);
}
try
{
// Download from GridFS
var objectId = ObjectId.Parse(gridFsId);
using var downloadStream = new MemoryStream();
await _gridFs.DownloadToStreamAsync(objectId, downloadStream, cancellationToken: cancellationToken)
.ConfigureAwait(false);
var data = downloadStream.ToArray();
var sha256 = ComputeSha256(data);
// Get GridFS file info
var filter = Builders<GridFSFileInfo>.Filter.Eq("_id", objectId);
var fileInfo = await _gridFs.Find(filter)
.FirstOrDefaultAsync(cancellationToken)
.ConfigureAwait(false);
var ingestedAt = fileInfo?.UploadDateTime ?? _timeProvider.GetUtcNow().UtcDateTime;
// Create provenance metadata
var provenance = new ProvenanceMetadata
{
SourceId = sourceId,
IngestedAt = new DateTimeOffset(ingestedAt, TimeSpan.Zero),
TenantId = tenantId,
OriginalFormat = DetectFormat(fileInfo?.Filename),
OriginalSize = data.Length,
GridFsLegacyId = gridFsId,
Transformations =
[
new TransformationRecord
{
Type = TransformationType.Migration,
Timestamp = _timeProvider.GetUtcNow(),
Agent = "concelier-gridfs-migration-v1"
}
]
};
// Store in object storage
var reference = await _objectStore.StoreAsync(
tenantId,
data,
provenance,
GetContentType(fileInfo?.Filename),
cancellationToken).ConfigureAwait(false);
// Record migration
await _migrationTracker.RecordMigrationAsync(
gridFsId,
reference.Pointer,
MigrationStatus.Migrated,
cancellationToken).ConfigureAwait(false);
_logger.LogInformation(
"Migrated GridFS {GridFsId} to {Bucket}/{Key}, size {Size} bytes",
gridFsId, reference.Pointer.Bucket, reference.Pointer.Key, data.Length);
return MigrationResult.Success(gridFsId, reference);
}
catch (GridFSFileNotFoundException)
{
_logger.LogWarning("GridFS file not found: {GridFsId}", gridFsId);
return MigrationResult.NotFound(gridFsId);
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to migrate GridFS {GridFsId}", gridFsId);
return MigrationResult.Failed(gridFsId, ex.Message);
}
}
/// <summary>
/// Verifies a migrated document by comparing hashes.
/// </summary>
public async Task<bool> VerifyMigrationAsync(
string gridFsId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
var record = await _migrationTracker.GetByGridFsIdAsync(gridFsId, cancellationToken)
.ConfigureAwait(false);
if (record is null)
{
_logger.LogWarning("No migration record found for {GridFsId}", gridFsId);
return false;
}
// Download original from GridFS
var objectId = ObjectId.Parse(gridFsId);
using var downloadStream = new MemoryStream();
try
{
await _gridFs.DownloadToStreamAsync(objectId, downloadStream, cancellationToken: cancellationToken)
.ConfigureAwait(false);
}
catch (GridFSFileNotFoundException)
{
_logger.LogWarning("Original GridFS file not found for verification: {GridFsId}", gridFsId);
return false;
}
var originalHash = ComputeSha256(downloadStream.ToArray());
// Verify the migrated object
var reference = PayloadReference.CreateObjectStorage(record.Pointer, new ProvenanceMetadata
{
SourceId = string.Empty,
IngestedAt = record.MigratedAt,
TenantId = string.Empty,
});
var verified = await _objectStore.VerifyIntegrityAsync(reference, cancellationToken)
.ConfigureAwait(false);
if (verified && string.Equals(originalHash, record.Pointer.Sha256, StringComparison.OrdinalIgnoreCase))
{
await _migrationTracker.MarkVerifiedAsync(gridFsId, cancellationToken).ConfigureAwait(false);
_logger.LogInformation("Verified migration for {GridFsId}", gridFsId);
return true;
}
_logger.LogWarning(
"Verification failed for {GridFsId}: original hash {Original}, stored hash {Stored}",
gridFsId, originalHash, record.Pointer.Sha256);
return false;
}
/// <summary>
/// Batches migration of multiple GridFS documents.
/// </summary>
public async Task<BatchMigrationResult> MigrateBatchAsync(
IEnumerable<GridFsMigrationRequest> requests,
CancellationToken cancellationToken = default)
{
var results = new List<MigrationResult>();
foreach (var request in requests)
{
if (cancellationToken.IsCancellationRequested)
{
break;
}
var result = await MigrateAsync(
request.GridFsId,
request.TenantId,
request.SourceId,
cancellationToken).ConfigureAwait(false);
results.Add(result);
}
return new BatchMigrationResult(results);
}
private static string ComputeSha256(byte[] data)
{
var hash = SHA256.HashData(data);
return Convert.ToHexStringLower(hash);
}
private static OriginalFormat? DetectFormat(string? filename)
{
if (string.IsNullOrEmpty(filename))
{
return null;
}
return Path.GetExtension(filename).ToLowerInvariant() switch
{
".json" => OriginalFormat.Json,
".xml" => OriginalFormat.Xml,
".csv" => OriginalFormat.Csv,
".ndjson" => OriginalFormat.Ndjson,
".yaml" or ".yml" => OriginalFormat.Yaml,
_ => null
};
}
private static string GetContentType(string? filename)
{
if (string.IsNullOrEmpty(filename))
{
return "application/octet-stream";
}
return Path.GetExtension(filename).ToLowerInvariant() switch
{
".json" => "application/json",
".xml" => "application/xml",
".csv" => "text/csv",
".ndjson" => "application/x-ndjson",
".yaml" or ".yml" => "application/x-yaml",
_ => "application/octet-stream"
};
}
}
/// <summary>
/// Request to migrate a GridFS document.
/// </summary>
public sealed record GridFsMigrationRequest(
string GridFsId,
string TenantId,
string SourceId);
/// <summary>
/// Result of a single migration.
/// </summary>
public sealed record MigrationResult
{
public required string GridFsId { get; init; }
public required MigrationResultStatus Status { get; init; }
public PayloadReference? Reference { get; init; }
public string? ErrorMessage { get; init; }
public static MigrationResult Success(string gridFsId, PayloadReference reference)
=> new() { GridFsId = gridFsId, Status = MigrationResultStatus.Success, Reference = reference };
public static MigrationResult AlreadyMigrated(string gridFsId)
=> new() { GridFsId = gridFsId, Status = MigrationResultStatus.AlreadyMigrated };
public static MigrationResult NotFound(string gridFsId)
=> new() { GridFsId = gridFsId, Status = MigrationResultStatus.NotFound };
public static MigrationResult Failed(string gridFsId, string errorMessage)
=> new() { GridFsId = gridFsId, Status = MigrationResultStatus.Failed, ErrorMessage = errorMessage };
}
/// <summary>
/// Status of a migration result.
/// </summary>
public enum MigrationResultStatus
{
Success,
AlreadyMigrated,
NotFound,
Failed
}
/// <summary>
/// Result of a batch migration.
/// </summary>
public sealed record BatchMigrationResult(IReadOnlyList<MigrationResult> Results)
{
public int TotalCount => Results.Count;
public int SuccessCount => Results.Count(r => r.Status == MigrationResultStatus.Success);
public int AlreadyMigratedCount => Results.Count(r => r.Status == MigrationResultStatus.AlreadyMigrated);
public int NotFoundCount => Results.Count(r => r.Status == MigrationResultStatus.NotFound);
public int FailedCount => Results.Count(r => r.Status == MigrationResultStatus.Failed);
}

60
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/IMigrationTracker.cs Normal file
View File

@@ -0,0 +1,60 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Tracks GridFS to S3 migrations.
/// </summary>
public interface IMigrationTracker
{
/// <summary>
/// Records a migration attempt.
/// </summary>
Task<MigrationRecord> RecordMigrationAsync(
string gridFsId,
ObjectPointer pointer,
MigrationStatus status,
CancellationToken cancellationToken = default);
/// <summary>
/// Updates a migration record status.
/// </summary>
Task UpdateStatusAsync(
string gridFsId,
MigrationStatus status,
string? errorMessage = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Marks a migration as verified.
/// </summary>
Task MarkVerifiedAsync(
string gridFsId,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets a migration record by GridFS ID.
/// </summary>
Task<MigrationRecord?> GetByGridFsIdAsync(
string gridFsId,
CancellationToken cancellationToken = default);
/// <summary>
/// Lists pending migrations.
/// </summary>
Task<IReadOnlyList<MigrationRecord>> ListPendingAsync(
int limit = 100,
CancellationToken cancellationToken = default);
/// <summary>
/// Lists migrations needing verification.
/// </summary>
Task<IReadOnlyList<MigrationRecord>> ListNeedingVerificationAsync(
int limit = 100,
CancellationToken cancellationToken = default);
/// <summary>
/// Checks if a GridFS ID has been migrated.
/// </summary>
Task<bool> IsMigratedAsync(
string gridFsId,
CancellationToken cancellationToken = default);
}

98
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/IObjectStore.cs Normal file
View File

@@ -0,0 +1,98 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Abstraction for S3-compatible object storage operations.
/// </summary>
public interface IObjectStore
{
/// <summary>
/// Stores a payload, returning a reference (either inline or object storage).
/// Automatically decides based on size thresholds.
/// </summary>
/// <param name="tenantId">Tenant identifier for bucket selection.</param>
/// <param name="data">Payload data to store.</param>
/// <param name="provenance">Provenance metadata for the payload.</param>
/// <param name="contentType">MIME type of the content.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Reference to the stored payload.</returns>
Task<PayloadReference> StoreAsync(
string tenantId,
ReadOnlyMemory<byte> data,
ProvenanceMetadata provenance,
string contentType = "application/json",
CancellationToken cancellationToken = default);
/// <summary>
/// Stores a payload from a stream.
/// </summary>
/// <param name="tenantId">Tenant identifier for bucket selection.</param>
/// <param name="stream">Stream containing payload data.</param>
/// <param name="provenance">Provenance metadata for the payload.</param>
/// <param name="contentType">MIME type of the content.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Reference to the stored payload.</returns>
Task<PayloadReference> StoreStreamAsync(
string tenantId,
Stream stream,
ProvenanceMetadata provenance,
string contentType = "application/json",
CancellationToken cancellationToken = default);
/// <summary>
/// Retrieves a payload by its reference.
/// </summary>
/// <param name="reference">Reference to the payload.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Payload data, or null if not found.</returns>
Task<byte[]?> RetrieveAsync(
PayloadReference reference,
CancellationToken cancellationToken = default);
/// <summary>
/// Retrieves a payload as a stream.
/// </summary>
/// <param name="reference">Reference to the payload.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Stream containing payload data, or null if not found.</returns>
Task<Stream?> RetrieveStreamAsync(
PayloadReference reference,
CancellationToken cancellationToken = default);
/// <summary>
/// Checks if an object exists.
/// </summary>
/// <param name="pointer">Object pointer to check.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if object exists.</returns>
Task<bool> ExistsAsync(
ObjectPointer pointer,
CancellationToken cancellationToken = default);
/// <summary>
/// Deletes an object.
/// </summary>
/// <param name="pointer">Object pointer to delete.</param>
/// <param name="cancellationToken">Cancellation token.</param>
Task DeleteAsync(
ObjectPointer pointer,
CancellationToken cancellationToken = default);
/// <summary>
/// Ensures the tenant bucket exists.
/// </summary>
/// <param name="tenantId">Tenant identifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
Task EnsureBucketExistsAsync(
string tenantId,
CancellationToken cancellationToken = default);
/// <summary>
/// Verifies a payload's integrity by comparing its hash.
/// </summary>
/// <param name="reference">Reference to verify.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if hash matches.</returns>
Task<bool> VerifyIntegrityAsync(
PayloadReference reference,
CancellationToken cancellationToken = default);
}

63
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/MigrationRecord.cs Normal file
View File

@@ -0,0 +1,63 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Record of a migration from GridFS to S3.
/// </summary>
public sealed record MigrationRecord
{
/// <summary>
/// Original GridFS ObjectId.
/// </summary>
public required string GridFsId { get; init; }
/// <summary>
/// Pointer to the migrated object.
/// </summary>
public required ObjectPointer Pointer { get; init; }
/// <summary>
/// Timestamp when migration was performed.
/// </summary>
public required DateTimeOffset MigratedAt { get; init; }
/// <summary>
/// Current status of the migration.
/// </summary>
public required MigrationStatus Status { get; init; }
/// <summary>
/// Timestamp when content hash was verified post-migration.
/// </summary>
public DateTimeOffset? VerifiedAt { get; init; }
/// <summary>
/// Whether GridFS tombstone still exists for rollback.
/// </summary>
public bool RollbackAvailable { get; init; } = true;
/// <summary>
/// Error message if migration failed.
/// </summary>
public string? ErrorMessage { get; init; }
}
/// <summary>
/// Status of a GridFS to S3 migration.
/// </summary>
public enum MigrationStatus
{
/// <summary>Migration pending.</summary>
Pending,
/// <summary>Migration completed.</summary>
Migrated,
/// <summary>Migration verified via hash comparison.</summary>
Verified,
/// <summary>Migration failed.</summary>
Failed,
/// <summary>Original GridFS tombstoned.</summary>
Tombstoned
}

232
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/MongoMigrationTracker.cs Normal file
View File

@@ -0,0 +1,232 @@
using Microsoft.Extensions.Logging;
using MongoDB.Bson;
using MongoDB.Bson.Serialization.Attributes;
using MongoDB.Driver;
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// MongoDB-backed migration tracker for GridFS to S3 migrations.
/// </summary>
public sealed class MongoMigrationTracker : IMigrationTracker
{
private const string CollectionName = "object_storage_migrations";
private readonly IMongoCollection<MigrationDocument> _collection;
private readonly TimeProvider _timeProvider;
private readonly ILogger<MongoMigrationTracker> _logger;
public MongoMigrationTracker(
IMongoDatabase database,
TimeProvider timeProvider,
ILogger<MongoMigrationTracker> logger)
{
ArgumentNullException.ThrowIfNull(database);
_collection = database.GetCollection<MigrationDocument>(CollectionName);
_timeProvider = timeProvider ?? TimeProvider.System;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<MigrationRecord> RecordMigrationAsync(
string gridFsId,
ObjectPointer pointer,
MigrationStatus status,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
ArgumentNullException.ThrowIfNull(pointer);
var now = _timeProvider.GetUtcNow();
var document = new MigrationDocument
{
GridFsId = gridFsId,
Bucket = pointer.Bucket,
Key = pointer.Key,
Sha256 = pointer.Sha256,
Size = pointer.Size,
ContentType = pointer.ContentType,
Encoding = pointer.Encoding.ToString().ToLowerInvariant(),
MigratedAt = now.UtcDateTime,
Status = status.ToString().ToLowerInvariant(),
RollbackAvailable = true,
};
await _collection.InsertOneAsync(document, cancellationToken: cancellationToken)
.ConfigureAwait(false);
_logger.LogInformation(
"Recorded migration for GridFS {GridFsId} to {Bucket}/{Key}",
gridFsId, pointer.Bucket, pointer.Key);
return ToRecord(document);
}
public async Task UpdateStatusAsync(
string gridFsId,
MigrationStatus status,
string? errorMessage = null,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
var filter = Builders<MigrationDocument>.Filter.Eq(d => d.GridFsId, gridFsId);
var update = Builders<MigrationDocument>.Update
.Set(d => d.Status, status.ToString().ToLowerInvariant())
.Set(d => d.ErrorMessage, errorMessage);
await _collection.UpdateOneAsync(filter, update, cancellationToken: cancellationToken)
.ConfigureAwait(false);
_logger.LogDebug("Updated migration status for {GridFsId} to {Status}", gridFsId, status);
}
public async Task MarkVerifiedAsync(
string gridFsId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
var now = _timeProvider.GetUtcNow();
var filter = Builders<MigrationDocument>.Filter.Eq(d => d.GridFsId, gridFsId);
var update = Builders<MigrationDocument>.Update
.Set(d => d.Status, MigrationStatus.Verified.ToString().ToLowerInvariant())
.Set(d => d.VerifiedAt, now.UtcDateTime);
await _collection.UpdateOneAsync(filter, update, cancellationToken: cancellationToken)
.ConfigureAwait(false);
_logger.LogDebug("Marked migration as verified for {GridFsId}", gridFsId);
}
public async Task<MigrationRecord?> GetByGridFsIdAsync(
string gridFsId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
var filter = Builders<MigrationDocument>.Filter.Eq(d => d.GridFsId, gridFsId);
var document = await _collection.Find(filter)
.FirstOrDefaultAsync(cancellationToken)
.ConfigureAwait(false);
return document is null ? null : ToRecord(document);
}
public async Task<IReadOnlyList<MigrationRecord>> ListPendingAsync(
int limit = 100,
CancellationToken cancellationToken = default)
{
var filter = Builders<MigrationDocument>.Filter.Eq(
d => d.Status, MigrationStatus.Pending.ToString().ToLowerInvariant());
var documents = await _collection.Find(filter)
.Limit(limit)
.ToListAsync(cancellationToken)
.ConfigureAwait(false);
return documents.Select(ToRecord).ToList();
}
public async Task<IReadOnlyList<MigrationRecord>> ListNeedingVerificationAsync(
int limit = 100,
CancellationToken cancellationToken = default)
{
var filter = Builders<MigrationDocument>.Filter.Eq(
d => d.Status, MigrationStatus.Migrated.ToString().ToLowerInvariant());
var documents = await _collection.Find(filter)
.Limit(limit)
.ToListAsync(cancellationToken)
.ConfigureAwait(false);
return documents.Select(ToRecord).ToList();
}
public async Task<bool> IsMigratedAsync(
string gridFsId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
var filter = Builders<MigrationDocument>.Filter.And(
Builders<MigrationDocument>.Filter.Eq(d => d.GridFsId, gridFsId),
Builders<MigrationDocument>.Filter.In(d => d.Status, new[]
{
MigrationStatus.Migrated.ToString().ToLowerInvariant(),
MigrationStatus.Verified.ToString().ToLowerInvariant()
}));
var count = await _collection.CountDocumentsAsync(filter, cancellationToken: cancellationToken)
.ConfigureAwait(false);
return count > 0;
}
private static MigrationRecord ToRecord(MigrationDocument document)
{
return new MigrationRecord
{
GridFsId = document.GridFsId,
Pointer = new ObjectPointer
{
Bucket = document.Bucket,
Key = document.Key,
Sha256 = document.Sha256,
Size = document.Size,
ContentType = document.ContentType,
Encoding = Enum.Parse<ContentEncoding>(document.Encoding, ignoreCase: true),
},
MigratedAt = new DateTimeOffset(document.MigratedAt, TimeSpan.Zero),
Status = Enum.Parse<MigrationStatus>(document.Status, ignoreCase: true),
VerifiedAt = document.VerifiedAt.HasValue
? new DateTimeOffset(document.VerifiedAt.Value, TimeSpan.Zero)
: null,
RollbackAvailable = document.RollbackAvailable,
ErrorMessage = document.ErrorMessage,
};
}
[BsonIgnoreExtraElements]
private sealed class MigrationDocument
{
[BsonId]
[BsonRepresentation(BsonType.ObjectId)]
public string? Id { get; set; }
[BsonElement("gridFsId")]
public required string GridFsId { get; set; }
[BsonElement("bucket")]
public required string Bucket { get; set; }
[BsonElement("key")]
public required string Key { get; set; }
[BsonElement("sha256")]
public required string Sha256 { get; set; }
[BsonElement("size")]
public required long Size { get; set; }
[BsonElement("contentType")]
public required string ContentType { get; set; }
[BsonElement("encoding")]
public required string Encoding { get; set; }
[BsonElement("migratedAt")]
public required DateTime MigratedAt { get; set; }
[BsonElement("status")]
public required string Status { get; set; }
[BsonElement("verifiedAt")]
public DateTime? VerifiedAt { get; set; }
[BsonElement("rollbackAvailable")]
public bool RollbackAvailable { get; set; }
[BsonElement("errorMessage")]
public string? ErrorMessage { get; set; }
}
}

52
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/ObjectPointer.cs Normal file
View File

@@ -0,0 +1,52 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Deterministic pointer to an object in S3-compatible storage.
/// </summary>
public sealed record ObjectPointer
{
/// <summary>
/// S3 bucket name (tenant-prefixed).
/// </summary>
public required string Bucket { get; init; }
/// <summary>
/// Object key (deterministic, content-addressed).
/// </summary>
public required string Key { get; init; }
/// <summary>
/// SHA-256 hash of object content (hex encoded).
/// </summary>
public required string Sha256 { get; init; }
/// <summary>
/// Object size in bytes.
/// </summary>
public required long Size { get; init; }
/// <summary>
/// MIME type of the object.
/// </summary>
public string ContentType { get; init; } = "application/octet-stream";
/// <summary>
/// Content encoding if compressed.
/// </summary>
public ContentEncoding Encoding { get; init; } = ContentEncoding.Identity;
}
/// <summary>
/// Content encoding for stored objects.
/// </summary>
public enum ContentEncoding
{
/// <summary>No compression.</summary>
Identity,
/// <summary>Gzip compression.</summary>
Gzip,
/// <summary>Zstandard compression.</summary>
Zstd
}

75
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/ObjectStorageOptions.cs Normal file
View File

@@ -0,0 +1,75 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Configuration options for S3-compatible object storage.
/// </summary>
public sealed class ObjectStorageOptions
{
/// <summary>
/// Configuration section name.
/// </summary>
public const string SectionName = "Concelier:ObjectStorage";
/// <summary>
/// S3-compatible endpoint URL (MinIO, AWS S3, etc.).
/// </summary>
public string Endpoint { get; set; } = "http://localhost:9000";
/// <summary>
/// Storage region (use 'us-east-1' for MinIO).
/// </summary>
public string Region { get; set; } = "us-east-1";
/// <summary>
/// Use path-style addressing (required for MinIO).
/// </summary>
public bool UsePathStyle { get; set; } = true;
/// <summary>
/// Prefix for tenant bucket names.
/// </summary>
public string BucketPrefix { get; set; } = "stellaops-concelier-";
/// <summary>
/// Maximum object size in bytes (default 5GB).
/// </summary>
public long MaxObjectSize { get; set; } = 5L * 1024 * 1024 * 1024;
/// <summary>
/// Objects larger than this (bytes) will be compressed.
/// Default: 1MB.
/// </summary>
public int CompressionThreshold { get; set; } = 1024 * 1024;
/// <summary>
/// Objects smaller than this (bytes) will be stored inline.
/// Default: 64KB.
/// </summary>
public int InlineThreshold { get; set; } = 64 * 1024;
/// <summary>
/// Whether object storage is enabled. When false, uses GridFS fallback.
/// </summary>
public bool Enabled { get; set; } = false;
/// <summary>
/// AWS access key ID (or MinIO access key).
/// </summary>
public string? AccessKeyId { get; set; }
/// <summary>
/// AWS secret access key (or MinIO secret key).
/// </summary>
public string? SecretAccessKey { get; set; }
/// <summary>
/// Gets the bucket name for a tenant.
/// </summary>
public string GetBucketName(string tenantId)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
// Normalize tenant ID to lowercase and replace invalid characters
var normalized = tenantId.ToLowerInvariant().Replace('_', '-');
return $"{BucketPrefix}{normalized}";
}
}

128
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/ObjectStorageServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,128 @@
using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Options;
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Extension methods for registering object storage services.
/// </summary>
public static class ObjectStorageServiceCollectionExtensions
{
/// <summary>
/// Adds object storage services for Concelier raw payload storage.
/// </summary>
public static IServiceCollection AddConcelierObjectStorage(
this IServiceCollection services,
IConfiguration configuration)
{
ArgumentNullException.ThrowIfNull(services);
ArgumentNullException.ThrowIfNull(configuration);
// Bind options
services.Configure<ObjectStorageOptions>(
configuration.GetSection(ObjectStorageOptions.SectionName));
// Register TimeProvider if not already registered
services.TryAddSingleton(TimeProvider.System);
// Register S3 client
services.TryAddSingleton<IAmazonS3>(sp =>
{
var options = sp.GetRequiredService<IOptions<ObjectStorageOptions>>().Value;
var config = new AmazonS3Config
{
RegionEndpoint = RegionEndpoint.GetBySystemName(options.Region),
ForcePathStyle = options.UsePathStyle,
};
if (!string.IsNullOrEmpty(options.Endpoint))
{
config.ServiceURL = options.Endpoint;
}
if (!string.IsNullOrEmpty(options.AccessKeyId) &&
!string.IsNullOrEmpty(options.SecretAccessKey))
{
var credentials = new BasicAWSCredentials(
options.AccessKeyId,
options.SecretAccessKey);
return new AmazonS3Client(credentials, config);
}
// Use default credentials chain (env vars, IAM role, etc.)
return new AmazonS3Client(config);
});
// Register object store
services.TryAddSingleton<IObjectStore, S3ObjectStore>();
// Register migration tracker
services.TryAddSingleton<IMigrationTracker, MongoMigrationTracker>();
// Register migration service
services.TryAddSingleton<GridFsMigrationService>();
return services;
}
/// <summary>
/// Adds object storage services with explicit options.
/// </summary>
public static IServiceCollection AddConcelierObjectStorage(
this IServiceCollection services,
Action<ObjectStorageOptions> configureOptions)
{
ArgumentNullException.ThrowIfNull(services);
ArgumentNullException.ThrowIfNull(configureOptions);
services.Configure(configureOptions);
// Register TimeProvider if not already registered
services.TryAddSingleton(TimeProvider.System);
// Register S3 client
services.TryAddSingleton<IAmazonS3>(sp =>
{
var options = sp.GetRequiredService<IOptions<ObjectStorageOptions>>().Value;
var config = new AmazonS3Config
{
RegionEndpoint = RegionEndpoint.GetBySystemName(options.Region),
ForcePathStyle = options.UsePathStyle,
};
if (!string.IsNullOrEmpty(options.Endpoint))
{
config.ServiceURL = options.Endpoint;
}
if (!string.IsNullOrEmpty(options.AccessKeyId) &&
!string.IsNullOrEmpty(options.SecretAccessKey))
{
var credentials = new BasicAWSCredentials(
options.AccessKeyId,
options.SecretAccessKey);
return new AmazonS3Client(credentials, config);
}
return new AmazonS3Client(config);
});
// Register object store
services.TryAddSingleton<IObjectStore, S3ObjectStore>();
// Register migration tracker
services.TryAddSingleton<IMigrationTracker, MongoMigrationTracker>();
// Register migration service
services.TryAddSingleton<GridFsMigrationService>();
return services;
}
}

79
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/PayloadReference.cs Normal file
View File

@@ -0,0 +1,79 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Reference to a large payload stored in object storage (used in advisory_observations).
/// </summary>
public sealed record PayloadReference
{
/// <summary>
/// Discriminator for payload type.
/// </summary>
public const string TypeDiscriminator = "object-storage-ref";
/// <summary>
/// Type discriminator value.
/// </summary>
public string Type { get; init; } = TypeDiscriminator;
/// <summary>
/// Pointer to the object in storage.
/// </summary>
public required ObjectPointer Pointer { get; init; }
/// <summary>
/// Provenance metadata for the payload.
/// </summary>
public required ProvenanceMetadata Provenance { get; init; }
/// <summary>
/// If true, payload is small enough to be inline (not in object storage).
/// </summary>
public bool Inline { get; init; }
/// <summary>
/// Base64-encoded inline data (only if Inline=true and size less than threshold).
/// </summary>
public string? InlineData { get; init; }
/// <summary>
/// Creates a reference for inline data.
/// </summary>
public static PayloadReference CreateInline(
byte[] data,
string sha256,
ProvenanceMetadata provenance,
string contentType = "application/octet-stream")
{
return new PayloadReference
{
Pointer = new ObjectPointer
{
Bucket = string.Empty,
Key = string.Empty,
Sha256 = sha256,
Size = data.Length,
ContentType = contentType,
Encoding = ContentEncoding.Identity,
},
Provenance = provenance,
Inline = true,
InlineData = Convert.ToBase64String(data),
};
}
/// <summary>
/// Creates a reference for object storage data.
/// </summary>
public static PayloadReference CreateObjectStorage(
ObjectPointer pointer,
ProvenanceMetadata provenance)
{
return new PayloadReference
{
Pointer = pointer,
Provenance = provenance,
Inline = false,
InlineData = null,
};
}
}

86
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/ProvenanceMetadata.cs Normal file
View File

@@ -0,0 +1,86 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Provenance metadata preserved from original ingestion.
/// </summary>
public sealed record ProvenanceMetadata
{
/// <summary>
/// Identifier of the original data source (URI).
/// </summary>
public required string SourceId { get; init; }
/// <summary>
/// UTC timestamp of original ingestion.
/// </summary>
public required DateTimeOffset IngestedAt { get; init; }
/// <summary>
/// Tenant identifier for multi-tenant isolation.
/// </summary>
public required string TenantId { get; init; }
/// <summary>
/// Original format before normalization.
/// </summary>
public OriginalFormat? OriginalFormat { get; init; }
/// <summary>
/// Original size before any transformation.
/// </summary>
public long? OriginalSize { get; init; }
/// <summary>
/// List of transformations applied.
/// </summary>
public IReadOnlyList<TransformationRecord> Transformations { get; init; } = [];
/// <summary>
/// Original GridFS ObjectId for migration tracking.
/// </summary>
public string? GridFsLegacyId { get; init; }
}
/// <summary>
/// Original format of ingested data.
/// </summary>
public enum OriginalFormat
{
Json,
Xml,
Csv,
Ndjson,
Yaml
}
/// <summary>
/// Record of a transformation applied to the payload.
/// </summary>
public sealed record TransformationRecord
{
/// <summary>
/// Type of transformation.
/// </summary>
public required TransformationType Type { get; init; }
/// <summary>
/// Timestamp when transformation was applied.
/// </summary>
public required DateTimeOffset Timestamp { get; init; }
/// <summary>
/// Agent/service that performed the transformation.
/// </summary>
public required string Agent { get; init; }
}
/// <summary>
/// Types of transformations that can be applied.
/// </summary>
public enum TransformationType
{
Compression,
Normalization,
Redaction,
Migration
}

320
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/S3ObjectStore.cs Normal file
View File

@@ -0,0 +1,320 @@
using System.IO.Compression;
using System.Security.Cryptography;
using Amazon.S3;
using Amazon.S3.Model;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// S3-compatible object store implementation for raw advisory payloads.
/// </summary>
public sealed class S3ObjectStore : IObjectStore
{
private readonly IAmazonS3 _s3;
private readonly ObjectStorageOptions _options;
private readonly TimeProvider _timeProvider;
private readonly ILogger<S3ObjectStore> _logger;
public S3ObjectStore(
IAmazonS3 s3,
IOptions<ObjectStorageOptions> options,
TimeProvider timeProvider,
ILogger<S3ObjectStore> logger)
{
_s3 = s3 ?? throw new ArgumentNullException(nameof(s3));
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_timeProvider = timeProvider ?? TimeProvider.System;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<PayloadReference> StoreAsync(
string tenantId,
ReadOnlyMemory<byte> data,
ProvenanceMetadata provenance,
string contentType = "application/json",
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentNullException.ThrowIfNull(provenance);
var dataArray = data.ToArray();
var sha256 = ComputeSha256(dataArray);
// Use inline storage for small payloads
if (dataArray.Length < _options.InlineThreshold)
{
_logger.LogDebug(
"Storing inline payload for tenant {TenantId}, size {Size} bytes",
tenantId, dataArray.Length);
return PayloadReference.CreateInline(dataArray, sha256, provenance, contentType);
}
// Store in S3
var bucket = _options.GetBucketName(tenantId);
await EnsureBucketExistsAsync(tenantId, cancellationToken).ConfigureAwait(false);
var shouldCompress = dataArray.Length >= _options.CompressionThreshold;
var encoding = ContentEncoding.Identity;
byte[] payloadToStore = dataArray;
if (shouldCompress)
{
payloadToStore = CompressGzip(dataArray);
encoding = ContentEncoding.Gzip;
_logger.LogDebug(
"Compressed payload from {OriginalSize} to {CompressedSize} bytes",
dataArray.Length, payloadToStore.Length);
}
var key = GenerateKey(sha256, provenance.IngestedAt, contentType, encoding);
var request = new PutObjectRequest
{
BucketName = bucket,
Key = key,
InputStream = new MemoryStream(payloadToStore),
ContentType = encoding == ContentEncoding.Gzip ? "application/gzip" : contentType,
AutoCloseStream = true,
};
// Add metadata
request.Metadata["x-stellaops-sha256"] = sha256;
request.Metadata["x-stellaops-original-size"] = dataArray.Length.ToString();
request.Metadata["x-stellaops-encoding"] = encoding.ToString().ToLowerInvariant();
request.Metadata["x-stellaops-source-id"] = provenance.SourceId;
request.Metadata["x-stellaops-ingested-at"] = provenance.IngestedAt.ToString("O");
await _s3.PutObjectAsync(request, cancellationToken).ConfigureAwait(false);
_logger.LogDebug(
"Stored object {Bucket}/{Key}, size {Size} bytes, encoding {Encoding}",
bucket, key, payloadToStore.Length, encoding);
var pointer = new ObjectPointer
{
Bucket = bucket,
Key = key,
Sha256 = sha256,
Size = payloadToStore.Length,
ContentType = contentType,
Encoding = encoding,
};
return PayloadReference.CreateObjectStorage(pointer, provenance);
}
public async Task<PayloadReference> StoreStreamAsync(
string tenantId,
Stream stream,
ProvenanceMetadata provenance,
string contentType = "application/json",
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentNullException.ThrowIfNull(stream);
ArgumentNullException.ThrowIfNull(provenance);
// Read stream to memory for hash computation
using var memoryStream = new MemoryStream();
await stream.CopyToAsync(memoryStream, cancellationToken).ConfigureAwait(false);
var data = memoryStream.ToArray();
return await StoreAsync(tenantId, data, provenance, contentType, cancellationToken)
.ConfigureAwait(false);
}
public async Task<byte[]?> RetrieveAsync(
PayloadReference reference,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(reference);
// Handle inline data
if (reference.Inline && reference.InlineData is not null)
{
return Convert.FromBase64String(reference.InlineData);
}
var stream = await RetrieveStreamAsync(reference, cancellationToken).ConfigureAwait(false);
if (stream is null)
{
return null;
}
using (stream)
{
using var memoryStream = new MemoryStream();
await stream.CopyToAsync(memoryStream, cancellationToken).ConfigureAwait(false);
return memoryStream.ToArray();
}
}
public async Task<Stream?> RetrieveStreamAsync(
PayloadReference reference,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(reference);
// Handle inline data
if (reference.Inline && reference.InlineData is not null)
{
return new MemoryStream(Convert.FromBase64String(reference.InlineData));
}
var pointer = reference.Pointer;
try
{
var response = await _s3.GetObjectAsync(pointer.Bucket, pointer.Key, cancellationToken)
.ConfigureAwait(false);
Stream resultStream = response.ResponseStream;
// Decompress if needed
if (pointer.Encoding == ContentEncoding.Gzip)
{
var decompressed = new MemoryStream();
using (var gzip = new GZipStream(response.ResponseStream, CompressionMode.Decompress))
{
await gzip.CopyToAsync(decompressed, cancellationToken).ConfigureAwait(false);
}
decompressed.Position = 0;
resultStream = decompressed;
}
return resultStream;
}
catch (AmazonS3Exception ex) when (ex.StatusCode == System.Net.HttpStatusCode.NotFound)
{
_logger.LogWarning("Object not found: {Bucket}/{Key}", pointer.Bucket, pointer.Key);
return null;
}
}
public async Task<bool> ExistsAsync(
ObjectPointer pointer,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(pointer);
try
{
var metadata = await _s3.GetObjectMetadataAsync(pointer.Bucket, pointer.Key, cancellationToken)
.ConfigureAwait(false);
return metadata.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
catch (AmazonS3Exception ex) when (ex.StatusCode == System.Net.HttpStatusCode.NotFound)
{
return false;
}
}
public async Task DeleteAsync(
ObjectPointer pointer,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(pointer);
await _s3.DeleteObjectAsync(pointer.Bucket, pointer.Key, cancellationToken)
.ConfigureAwait(false);
_logger.LogDebug("Deleted object {Bucket}/{Key}", pointer.Bucket, pointer.Key);
}
public async Task EnsureBucketExistsAsync(
string tenantId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
var bucket = _options.GetBucketName(tenantId);
try
{
await _s3.EnsureBucketExistsAsync(bucket).ConfigureAwait(false);
_logger.LogDebug("Ensured bucket exists: {Bucket}", bucket);
}
catch (AmazonS3Exception ex)
{
_logger.LogError(ex, "Failed to ensure bucket exists: {Bucket}", bucket);
throw;
}
}
public async Task<bool> VerifyIntegrityAsync(
PayloadReference reference,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(reference);
var data = await RetrieveAsync(reference, cancellationToken).ConfigureAwait(false);
if (data is null)
{
return false;
}
var computedHash = ComputeSha256(data);
var matches = string.Equals(computedHash, reference.Pointer.Sha256, StringComparison.OrdinalIgnoreCase);
if (!matches)
{
_logger.LogWarning(
"Integrity check failed for {Bucket}/{Key}: expected {Expected}, got {Actual}",
reference.Pointer.Bucket, reference.Pointer.Key,
reference.Pointer.Sha256, computedHash);
}
return matches;
}
private static string ComputeSha256(byte[] data)
{
var hash = SHA256.HashData(data);
return Convert.ToHexStringLower(hash);
}
private static byte[] CompressGzip(byte[] data)
{
using var output = new MemoryStream();
using (var gzip = new GZipStream(output, CompressionLevel.Optimal, leaveOpen: true))
{
gzip.Write(data);
}
return output.ToArray();
}
private static string GenerateKey(
string sha256,
DateTimeOffset ingestedAt,
string contentType,
ContentEncoding encoding)
{
var date = ingestedAt.UtcDateTime;
var extension = GetExtension(contentType, encoding);
// Format: advisories/raw/YYYY/MM/DD/sha256-{hash}.{extension}
return $"advisories/raw/{date:yyyy}/{date:MM}/{date:dd}/sha256-{sha256[..16]}{extension}";
}
private static string GetExtension(string contentType, ContentEncoding encoding)
{
var baseExt = contentType switch
{
"application/json" => ".json",
"application/xml" or "text/xml" => ".xml",
"text/csv" => ".csv",
"application/x-ndjson" => ".ndjson",
"application/x-yaml" or "text/yaml" => ".yaml",
_ => ".bin"
};
return encoding switch
{
ContentEncoding.Gzip => baseExt + ".gz",
ContentEncoding.Zstd => baseExt + ".zst",
_ => baseExt
};
}
}

11
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/StellaOps.Concelier.Storage.Mongo.csproj
View File

@@ -4,7 +4,18 @@
<LangVersion>preview</LangVersion>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="AWSSDK.S3" Version="3.7.305.6" />
<PackageReference Include="MongoDB.Driver" Version="3.5.0" />
<PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="10.0.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="../StellaOps.Concelier.RawModels/StellaOps.Concelier.RawModels.csproj" />
<ProjectReference Include="../StellaOps.Concelier.Models/StellaOps.Concelier.Models.csproj" />

4
src/Findings/StellaOps.Findings.Ledger/Domain/LedgerEventConstants.cs
View File

@@ -15,6 +15,8 @@ public static class LedgerEventConstants
public const string EventFindingAttachmentAdded = "finding.attachment_added";
public const string EventFindingClosed = "finding.closed";
public const string EventAirgapBundleImported = "airgap.bundle_imported";
public const string EventEvidenceSnapshotLinked = "airgap.evidence_snapshot_linked";
public const string EventAirgapTimelineImpact = "airgap.timeline_impact";
public const string EventOrchestratorExportRecorded = "orchestrator.export_recorded";
public static readonly ImmutableHashSet<string> SupportedEventTypes = ImmutableHashSet.Create(StringComparer.Ordinal,
@@ -29,6 +31,8 @@ public static class LedgerEventConstants
EventFindingAttachmentAdded,
EventFindingClosed,
EventAirgapBundleImported,
EventEvidenceSnapshotLinked,
EventAirgapTimelineImpact,
EventOrchestratorExportRecorded);
public static readonly ImmutableHashSet<string> FindingEventTypes = ImmutableHashSet.Create(StringComparer.Ordinal,

36
src/Findings/StellaOps.Findings.Ledger/Infrastructure/AirGap/AirgapTimelineImpact.cs Normal file
View File

@@ -0,0 +1,36 @@
namespace StellaOps.Findings.Ledger.Infrastructure.AirGap;
/// <summary>
/// Represents the impact of an air-gap bundle import on findings.
/// </summary>
public sealed record AirgapTimelineImpact(
string TenantId,
string BundleId,
int NewFindings,
int ResolvedFindings,
int CriticalDelta,
int HighDelta,
int MediumDelta,
int LowDelta,
DateTimeOffset TimeAnchor,
bool SealedMode,
DateTimeOffset CalculatedAt,
Guid? LedgerEventId);
/// <summary>
/// Input for calculating and emitting bundle import timeline impact.
/// </summary>
public sealed record AirgapTimelineImpactInput(
string TenantId,
string BundleId,
DateTimeOffset TimeAnchor,
bool SealedMode);
/// <summary>
/// Result of emitting a timeline impact event.
/// </summary>
public sealed record AirgapTimelineImpactResult(
bool Success,
AirgapTimelineImpact? Impact,
Guid? EventId,
string? Error);

31
src/Findings/StellaOps.Findings.Ledger/Infrastructure/AirGap/EvidenceSnapshotRecord.cs Normal file
View File

@@ -0,0 +1,31 @@
namespace StellaOps.Findings.Ledger.Infrastructure.AirGap;
/// <summary>
/// Record linking a finding to an evidence snapshot in a portable bundle.
/// </summary>
public sealed record EvidenceSnapshotRecord(
string TenantId,
string FindingId,
string BundleUri,
string DsseDigest,
DateTimeOffset CreatedAt,
DateTimeOffset? ExpiresAt,
Guid? LedgerEventId);
/// <summary>
/// Input for creating an evidence snapshot link.
/// </summary>
public sealed record EvidenceSnapshotLinkInput(
string TenantId,
string FindingId,
string BundleUri,
string DsseDigest,
TimeSpan? ValidFor);
/// <summary>
/// Result of linking an evidence snapshot.
/// </summary>
public sealed record EvidenceSnapshotLinkResult(
bool Success,
Guid? EventId,
string? Error);

23
src/Findings/StellaOps.Findings.Ledger/Infrastructure/AirGap/IAirgapImportRepository.cs
View File

@@ -3,4 +3,27 @@ namespace StellaOps.Findings.Ledger.Infrastructure.AirGap;
public interface IAirgapImportRepository
{
Task InsertAsync(AirgapImportRecord record, CancellationToken cancellationToken);
/// <summary>
/// Gets the latest import record for a specific domain.
/// </summary>
Task<AirgapImportRecord?> GetLatestByDomainAsync(
string tenantId,
string domainId,
CancellationToken cancellationToken);
/// <summary>
/// Gets the latest import records for all domains in a tenant.
/// </summary>
Task<IReadOnlyList<AirgapImportRecord>> GetAllLatestByDomainAsync(
string tenantId,
CancellationToken cancellationToken);
/// <summary>
/// Gets the count of bundles imported for a specific domain.
/// </summary>
Task<int> GetBundleCountByDomainAsync(
string tenantId,
string domainId,
CancellationToken cancellationToken);
}

45
src/Findings/StellaOps.Findings.Ledger/Infrastructure/AirGap/IEvidenceSnapshotRepository.cs Normal file
View File

@@ -0,0 +1,45 @@
namespace StellaOps.Findings.Ledger.Infrastructure.AirGap;
/// <summary>
/// Repository for managing evidence snapshot links.
/// </summary>
public interface IEvidenceSnapshotRepository
{
/// <summary>
/// Inserts a new evidence snapshot record.
/// </summary>
Task InsertAsync(EvidenceSnapshotRecord record, CancellationToken cancellationToken);
/// <summary>
/// Gets evidence snapshots for a finding.
/// </summary>
Task<IReadOnlyList<EvidenceSnapshotRecord>> GetByFindingIdAsync(
string tenantId,
string findingId,
CancellationToken cancellationToken);
/// <summary>
/// Gets the latest evidence snapshot for a finding.
/// </summary>
Task<EvidenceSnapshotRecord?> GetLatestByFindingIdAsync(
string tenantId,
string findingId,
CancellationToken cancellationToken);
/// <summary>
/// Gets all evidence snapshots for a bundle.
/// </summary>
Task<IReadOnlyList<EvidenceSnapshotRecord>> GetByBundleUriAsync(
string tenantId,
string bundleUri,
CancellationToken cancellationToken);
/// <summary>
/// Checks if an evidence snapshot exists and is not expired.
/// </summary>
Task<bool> ExistsValidAsync(
string tenantId,
string findingId,
string dsseDigest,
CancellationToken cancellationToken);
}

92
src/Findings/StellaOps.Findings.Ledger/Infrastructure/AirGap/StalenessResult.cs Normal file
View File

@@ -0,0 +1,92 @@
using StellaOps.Findings.Ledger.Options;
namespace StellaOps.Findings.Ledger.Infrastructure.AirGap;
/// <summary>
/// Result of a staleness validation check.
/// </summary>
public sealed record StalenessValidationResult(
bool Passed,
string? DomainId,
long StalenessSeconds,
int ThresholdSeconds,
StalenessEnforcementMode EnforcementMode,
StalenessError? Error,
IReadOnlyList<StalenessWarning> Warnings);
/// <summary>
/// Error returned when staleness validation fails.
/// </summary>
public sealed record StalenessError(
StalenessErrorCode Code,
string Message,
string? DomainId,
long StalenessSeconds,
int ThresholdSeconds,
string Recommendation);
/// <summary>
/// Warning generated during staleness validation.
/// </summary>
public sealed record StalenessWarning(
StalenessWarningCode Code,
string Message,
double PercentOfThreshold,
DateTimeOffset? ProjectedStaleAt);
/// <summary>
/// Staleness error codes.
/// </summary>
public enum StalenessErrorCode
{
ErrAirgapStale,
ErrAirgapNoBundle,
ErrAirgapTimeAnchorMissing,
ErrAirgapTimeDrift,
ErrAirgapAttestationInvalid
}
/// <summary>
/// Staleness warning codes.
/// </summary>
public enum StalenessWarningCode
{
WarnAirgapApproachingStale,
WarnAirgapTimeUncertaintyHigh,
WarnAirgapBundleOld,
WarnAirgapNoRecentImport
}
/// <summary>
/// Staleness metrics for a domain.
/// </summary>
public sealed record DomainStalenessMetric(
string DomainId,
long StalenessSeconds,
DateTimeOffset LastImportAt,
DateTimeOffset? LastSourceTimestamp,
int BundleCount,
bool IsStale,
double PercentOfThreshold,
DateTimeOffset? ProjectedStaleAt);
/// <summary>
/// Aggregate staleness metrics.
/// </summary>
public sealed record AggregateStalenessMetrics(
int TotalDomains,
int StaleDomains,
int WarningDomains,
int HealthyDomains,
long MaxStalenessSeconds,
double AvgStalenessSeconds,
DateTimeOffset? OldestBundle);
/// <summary>
/// Complete staleness metrics snapshot.
/// </summary>
public sealed record StalenessMetricsSnapshot(
DateTimeOffset CollectedAt,
string? TenantId,
IReadOnlyList<DomainStalenessMetric> DomainMetrics,
AggregateStalenessMetrics Aggregates);

19
src/Findings/StellaOps.Findings.Ledger/Infrastructure/IFindingProjectionRepository.cs
View File

@@ -2,6 +2,17 @@ using StellaOps.Findings.Ledger.Domain;
namespace StellaOps.Findings.Ledger.Infrastructure;
/// <summary>
/// Statistics about finding changes since a given timestamp.
/// </summary>
public sealed record FindingStatsResult(
int NewFindings,
int ResolvedFindings,
int CriticalDelta,
int HighDelta,
int MediumDelta,
int LowDelta);
public interface IFindingProjectionRepository
{
Task<FindingProjection?> GetAsync(string tenantId, string findingId, string policyVersion, CancellationToken cancellationToken);
@@ -15,4 +26,12 @@ public interface IFindingProjectionRepository
Task<ProjectionCheckpoint> GetCheckpointAsync(CancellationToken cancellationToken);
Task SaveCheckpointAsync(ProjectionCheckpoint checkpoint, CancellationToken cancellationToken);
/// <summary>
/// Gets finding statistics since a given timestamp for timeline impact calculation.
/// </summary>
Task<FindingStatsResult> GetFindingStatsSinceAsync(
string tenantId,
DateTimeOffset since,
CancellationToken cancellationToken);
}

136
src/Findings/StellaOps.Findings.Ledger/Infrastructure/Postgres/PostgresAirgapImportRepository.cs
View File

@@ -45,6 +45,51 @@ public sealed class PostgresAirgapImportRepository : IAirgapImportRepository
ledger_event_id = EXCLUDED.ledger_event_id;
""";
private const string SelectLatestByDomainSql = """
SELECT
tenant_id,
bundle_id,
mirror_generation,
merkle_root,
time_anchor,
publisher,
hash_algorithm,
contents,
imported_at,
import_operator,
ledger_event_id
FROM airgap_imports
WHERE tenant_id = @tenant_id
AND bundle_id = @domain_id
ORDER BY time_anchor DESC
LIMIT 1;
""";
private const string SelectAllLatestByDomainSql = """
SELECT DISTINCT ON (bundle_id)
tenant_id,
bundle_id,
mirror_generation,
merkle_root,
time_anchor,
publisher,
hash_algorithm,
contents,
imported_at,
import_operator,
ledger_event_id
FROM airgap_imports
WHERE tenant_id = @tenant_id
ORDER BY bundle_id, time_anchor DESC;
""";
private const string SelectBundleCountSql = """
SELECT COUNT(*)
FROM airgap_imports
WHERE tenant_id = @tenant_id
AND bundle_id = @domain_id;
""";
private readonly LedgerDataSource _dataSource;
private readonly ILogger<PostgresAirgapImportRepository> _logger;
@@ -91,4 +136,95 @@ public sealed class PostgresAirgapImportRepository : IAirgapImportRepository
throw;
}
}
public async Task<AirgapImportRecord?> GetLatestByDomainAsync(
string tenantId,
string domainId,
CancellationToken cancellationToken)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentException.ThrowIfNullOrWhiteSpace(domainId);
await using var connection = await _dataSource.OpenConnectionAsync(tenantId, "airgap-query", cancellationToken).ConfigureAwait(false);
await using var command = new NpgsqlCommand(SelectLatestByDomainSql, connection)
{
CommandTimeout = _dataSource.CommandTimeoutSeconds
};
command.Parameters.Add(new NpgsqlParameter<string>("tenant_id", tenantId) { NpgsqlDbType = NpgsqlDbType.Text });
command.Parameters.Add(new NpgsqlParameter<string>("domain_id", domainId) { NpgsqlDbType = NpgsqlDbType.Text });
await using var reader = await command.ExecuteReaderAsync(cancellationToken).ConfigureAwait(false);
if (await reader.ReadAsync(cancellationToken).ConfigureAwait(false))
{
return MapRecord(reader);
}
return null;
}
public async Task<IReadOnlyList<AirgapImportRecord>> GetAllLatestByDomainAsync(
string tenantId,
CancellationToken cancellationToken)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
var results = new List<AirgapImportRecord>();
await using var connection = await _dataSource.OpenConnectionAsync(tenantId, "airgap-query", cancellationToken).ConfigureAwait(false);
await using var command = new NpgsqlCommand(SelectAllLatestByDomainSql, connection)
{
CommandTimeout = _dataSource.CommandTimeoutSeconds
};
command.Parameters.Add(new NpgsqlParameter<string>("tenant_id", tenantId) { NpgsqlDbType = NpgsqlDbType.Text });
await using var reader = await command.ExecuteReaderAsync(cancellationToken).ConfigureAwait(false);
while (await reader.ReadAsync(cancellationToken).ConfigureAwait(false))
{
results.Add(MapRecord(reader));
}
return results;
}
public async Task<int> GetBundleCountByDomainAsync(
string tenantId,
string domainId,
CancellationToken cancellationToken)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentException.ThrowIfNullOrWhiteSpace(domainId);
await using var connection = await _dataSource.OpenConnectionAsync(tenantId, "airgap-query", cancellationToken).ConfigureAwait(false);
await using var command = new NpgsqlCommand(SelectBundleCountSql, connection)
{
CommandTimeout = _dataSource.CommandTimeoutSeconds
};
command.Parameters.Add(new NpgsqlParameter<string>("tenant_id", tenantId) { NpgsqlDbType = NpgsqlDbType.Text });
command.Parameters.Add(new NpgsqlParameter<string>("domain_id", domainId) { NpgsqlDbType = NpgsqlDbType.Text });
var result = await command.ExecuteScalarAsync(cancellationToken).ConfigureAwait(false);
return Convert.ToInt32(result);
}
private static AirgapImportRecord MapRecord(NpgsqlDataReader reader)
{
var contentsJson = reader.GetString(7);
var contents = JsonNode.Parse(contentsJson) as JsonArray ?? new JsonArray();
return new AirgapImportRecord(
TenantId: reader.GetString(0),
BundleId: reader.GetString(1),
MirrorGeneration: reader.IsDBNull(2) ? null : reader.GetString(2),
MerkleRoot: reader.GetString(3),
TimeAnchor: reader.GetDateTime(4),
Publisher: reader.IsDBNull(5) ? null : reader.GetString(5),
HashAlgorithm: reader.IsDBNull(6) ? null : reader.GetString(6),
Contents: contents,
ImportedAt: reader.GetDateTime(8),
ImportOperator: reader.IsDBNull(9) ? null : reader.GetString(9),
LedgerEventId: reader.IsDBNull(10) ? null : reader.GetGuid(10));
}
}

45
src/Findings/StellaOps.Findings.Ledger/Infrastructure/Postgres/PostgresFindingProjectionRepository.cs
View File

@@ -155,6 +155,22 @@ public sealed class PostgresFindingProjectionRepository : IFindingProjectionRepo
updated_at = EXCLUDED.updated_at;
""";
private const string SelectFindingStatsSql = """
SELECT
COALESCE(SUM(CASE WHEN status = 'new' AND updated_at >= @since THEN 1 ELSE 0 END), 0) as new_findings,
COALESCE(SUM(CASE WHEN status IN ('resolved', 'closed', 'fixed') AND updated_at >= @since THEN 1 ELSE 0 END), 0) as resolved_findings,
COALESCE(SUM(CASE WHEN risk_severity = 'critical' AND updated_at >= @since THEN 1 ELSE 0 END) -
SUM(CASE WHEN risk_severity = 'critical' AND status IN ('resolved', 'closed', 'fixed') AND updated_at >= @since THEN 1 ELSE 0 END), 0) as critical_delta,
COALESCE(SUM(CASE WHEN risk_severity = 'high' AND updated_at >= @since THEN 1 ELSE 0 END) -
SUM(CASE WHEN risk_severity = 'high' AND status IN ('resolved', 'closed', 'fixed') AND updated_at >= @since THEN 1 ELSE 0 END), 0) as high_delta,
COALESCE(SUM(CASE WHEN risk_severity = 'medium' AND updated_at >= @since THEN 1 ELSE 0 END) -
SUM(CASE WHEN risk_severity = 'medium' AND status IN ('resolved', 'closed', 'fixed') AND updated_at >= @since THEN 1 ELSE 0 END), 0) as medium_delta,
COALESCE(SUM(CASE WHEN risk_severity = 'low' AND updated_at >= @since THEN 1 ELSE 0 END) -
SUM(CASE WHEN risk_severity = 'low' AND status IN ('resolved', 'closed', 'fixed') AND updated_at >= @since THEN 1 ELSE 0 END), 0) as low_delta
FROM findings_projection
WHERE tenant_id = @tenant_id
""";
private const string DefaultWorkerId = "default";
private readonly LedgerDataSource _dataSource;
@@ -350,4 +366,33 @@ public sealed class PostgresFindingProjectionRepository : IFindingProjectionRepo
throw;
}
}
public async Task<FindingStatsResult> GetFindingStatsSinceAsync(
string tenantId,
DateTimeOffset since,
CancellationToken cancellationToken)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
await using var connection = await _dataSource.OpenConnectionAsync(tenantId, "projector", cancellationToken).ConfigureAwait(false);
await using var command = new NpgsqlCommand(SelectFindingStatsSql, connection);
command.CommandTimeout = _dataSource.CommandTimeoutSeconds;
command.Parameters.AddWithValue("tenant_id", tenantId);
command.Parameters.AddWithValue("since", since);
await using var reader = await command.ExecuteReaderAsync(cancellationToken).ConfigureAwait(false);
if (await reader.ReadAsync(cancellationToken).ConfigureAwait(false))
{
return new FindingStatsResult(
NewFindings: reader.GetInt32(0),
ResolvedFindings: reader.GetInt32(1),
CriticalDelta: reader.GetInt32(2),
HighDelta: reader.GetInt32(3),
MediumDelta: reader.GetInt32(4),
LowDelta: reader.GetInt32(5));
}
return new FindingStatsResult(0, 0, 0, 0, 0, 0);
}
}

44
src/Findings/StellaOps.Findings.Ledger/Observability/LedgerMetrics.cs
View File

@@ -59,6 +59,21 @@ internal static class LedgerMetrics
"ledger_attachments_encryption_failures_total",
description: "Count of attachment encryption/signing/upload failures.");
private static readonly Histogram<double> AirgapStalenessSeconds = Meter.CreateHistogram<double>(
"ledger_airgap_staleness_seconds",
unit: "s",
description: "Current staleness of air-gap imported data by domain.");
private static readonly Counter<long> StalenessValidationFailures = Meter.CreateCounter<long>(
"ledger_staleness_validation_failures_total",
description: "Count of staleness validation failures blocking exports.");
private static readonly ObservableGauge<double> AirgapStalenessGauge =
Meter.CreateObservableGauge("ledger_airgap_staleness_gauge_seconds", ObserveAirgapStaleness, unit: "s",
description: "Current staleness of air-gap data by domain.");
private static readonly ConcurrentDictionary<string, double> AirgapStalenessByDomain = new(StringComparer.Ordinal);
private static readonly ObservableGauge<double> ProjectionLagGauge =
Meter.CreateObservableGauge("ledger_projection_lag_seconds", ObserveProjectionLag, unit: "s",
description: "Lag between ledger recorded_at and projection application time.");
@@ -228,6 +243,27 @@ internal static class LedgerMetrics
public static void RecordProjectionLag(TimeSpan lag, string? tenantId) =>
UpdateProjectionLag(tenantId, lag.TotalSeconds);
public static void RecordAirgapStaleness(string? domainId, long stalenessSeconds)
{
var key = string.IsNullOrWhiteSpace(domainId) ? "unknown" : domainId;
var tags = new KeyValuePair<string, object?>[]
{
new("domain", key)
};
AirgapStalenessSeconds.Record(stalenessSeconds, tags);
AirgapStalenessByDomain[key] = stalenessSeconds;
}
public static void RecordStalenessValidationFailure(string? domainId)
{
var key = string.IsNullOrWhiteSpace(domainId) ? "unknown" : domainId;
var tags = new KeyValuePair<string, object?>[]
{
new("domain", key)
};
StalenessValidationFailures.Add(1, tags);
}
private static IEnumerable<Measurement<double>> ObserveProjectionLag()
{
foreach (var kvp in ProjectionLagByTenant)
@@ -267,6 +303,14 @@ internal static class LedgerMetrics
new KeyValuePair<string, object?>("git_sha", GitSha));
}
private static IEnumerable<Measurement<double>> ObserveAirgapStaleness()
{
foreach (var kvp in AirgapStalenessByDomain)
{
yield return new Measurement<double>(kvp.Value, new KeyValuePair<string, object?>("domain", kvp.Key));
}
}
private static string NormalizeRole(string role) => string.IsNullOrWhiteSpace(role) ? "unspecified" : role.ToLowerInvariant();
private static string NormalizeTenant(string? tenantId) => string.IsNullOrWhiteSpace(tenantId) ? string.Empty : tenantId;

45
src/Findings/StellaOps.Findings.Ledger/Observability/LedgerTimeline.cs
View File

@@ -15,6 +15,8 @@ internal static class LedgerTimeline
private static readonly EventId ProjectionUpdated = new(6201, "ledger.projection.updated");
private static readonly EventId OrchestratorExport = new(6301, "ledger.export.recorded");
private static readonly EventId AirgapImport = new(6401, "ledger.airgap.imported");
private static readonly EventId EvidenceSnapshotLinkedEvent = new(6501, "ledger.evidence.snapshot_linked");
private static readonly EventId AirgapTimelineImpactEvent = new(6601, "ledger.airgap.timeline_impact");
public static void EmitLedgerAppended(ILogger logger, LedgerEventRecord record, string? evidenceBundleRef = null)
{
@@ -99,4 +101,47 @@ internal static class LedgerTimeline
merkleRoot,
ledgerEventId?.ToString() ?? string.Empty);
}
public static void EmitEvidenceSnapshotLinked(ILogger logger, string tenantId, string findingId, string bundleUri, string dsseDigest)
{
if (logger is null)
{
return;
}
logger.LogInformation(
EvidenceSnapshotLinkedEvent,
"timeline ledger.evidence.snapshot_linked tenant={Tenant} finding={FindingId} bundle_uri={BundleUri} dsse_digest={DsseDigest}",
tenantId,
findingId,
bundleUri,
dsseDigest);
}
public static void EmitAirgapTimelineImpact(
ILogger logger,
string tenantId,
string bundleId,
int newFindings,
int resolvedFindings,
int criticalDelta,
DateTimeOffset timeAnchor,
bool sealedMode)
{
if (logger is null)
{
return;
}
logger.LogInformation(
AirgapTimelineImpactEvent,
"timeline ledger.airgap.timeline_impact tenant={Tenant} bundle={BundleId} new_findings={NewFindings} resolved_findings={ResolvedFindings} critical_delta={CriticalDelta} time_anchor={TimeAnchor} sealed_mode={SealedMode}",
tenantId,
bundleId,
newFindings,
resolvedFindings,
criticalDelta,
timeAnchor.ToString("O"),
sealedMode);
}
}

98
src/Findings/StellaOps.Findings.Ledger/Options/AirGapOptions.cs Normal file
View File

@@ -0,0 +1,98 @@
namespace StellaOps.Findings.Ledger.Options;
/// <summary>
/// Configuration for air-gap staleness enforcement and freshness thresholds.
/// </summary>
public sealed class AirGapOptions
{
public const string SectionName = "findings:ledger:airgap";
/// <summary>
/// Maximum age in seconds before data is considered stale.
/// Default: 604800 seconds (7 days).
/// </summary>
public int FreshnessThresholdSeconds { get; set; } = 604800;
/// <summary>
/// Grace period in seconds after threshold before hard enforcement.
/// Default: 86400 seconds (1 day).
/// </summary>
public int GracePeriodSeconds { get; set; } = 86400;
/// <summary>
/// How staleness violations are handled.
/// </summary>
public StalenessEnforcementMode EnforcementMode { get; set; } = StalenessEnforcementMode.Strict;
/// <summary>
/// Domains exempt from staleness enforcement.
/// </summary>
public IList<string> AllowedDomains { get; } = new List<string>();
/// <summary>
/// Percentage thresholds for warning notifications.
/// </summary>
public IList<NotificationThresholdConfig> NotificationThresholds { get; } = new List<NotificationThresholdConfig>
{
new() { PercentOfThreshold = 75, Severity = NotificationSeverity.Warning },
new() { PercentOfThreshold = 90, Severity = NotificationSeverity.Critical }
};
/// <summary>
/// Whether to emit staleness metrics.
/// </summary>
public bool EmitMetrics { get; set; } = true;
public void Validate()
{
if (FreshnessThresholdSeconds <= 0)
{
throw new InvalidOperationException("FreshnessThresholdSeconds must be greater than zero.");
}
if (GracePeriodSeconds < 0)
{
throw new InvalidOperationException("GracePeriodSeconds must be non-negative.");
}
}
}
/// <summary>
/// Staleness enforcement mode.
/// </summary>
public enum StalenessEnforcementMode
{
/// <summary>
/// Block exports when stale.
/// </summary>
Strict,
/// <summary>
/// Warn but allow exports when stale.
/// </summary>
Warn,
/// <summary>
/// No enforcement.
/// </summary>
Disabled
}
/// <summary>
/// Notification threshold configuration.
/// </summary>
public sealed class NotificationThresholdConfig
{
public int PercentOfThreshold { get; set; }
public NotificationSeverity Severity { get; set; }
}
/// <summary>
/// Notification severity levels.
/// </summary>
public enum NotificationSeverity
{
Info,
Warning,
Critical
}

178
src/Findings/StellaOps.Findings.Ledger/Services/AirgapTimelineService.cs Normal file
View File

@@ -0,0 +1,178 @@
using System.Text.Json.Nodes;
using Microsoft.Extensions.Logging;
using StellaOps.Findings.Ledger.Domain;
using StellaOps.Findings.Ledger.Infrastructure;
using StellaOps.Findings.Ledger.Infrastructure.AirGap;
using StellaOps.Findings.Ledger.Observability;
namespace StellaOps.Findings.Ledger.Services;
/// <summary>
/// Service for emitting timeline events for bundle import impacts.
/// </summary>
public sealed class AirgapTimelineService
{
private readonly ILedgerEventRepository _ledgerEventRepository;
private readonly ILedgerEventWriteService _writeService;
private readonly IFindingProjectionRepository _projectionRepository;
private readonly TimeProvider _timeProvider;
private readonly ILogger<AirgapTimelineService> _logger;
public AirgapTimelineService(
ILedgerEventRepository ledgerEventRepository,
ILedgerEventWriteService writeService,
IFindingProjectionRepository projectionRepository,
TimeProvider timeProvider,
ILogger<AirgapTimelineService> logger)
{
_ledgerEventRepository = ledgerEventRepository ?? throw new ArgumentNullException(nameof(ledgerEventRepository));
_writeService = writeService ?? throw new ArgumentNullException(nameof(writeService));
_projectionRepository = projectionRepository ?? throw new ArgumentNullException(nameof(projectionRepository));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <summary>
/// Calculates and emits a timeline event for bundle import impact.
/// </summary>
public async Task<AirgapTimelineImpactResult> EmitImpactAsync(
AirgapTimelineImpactInput input,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(input);
ArgumentException.ThrowIfNullOrWhiteSpace(input.TenantId);
ArgumentException.ThrowIfNullOrWhiteSpace(input.BundleId);
var now = _timeProvider.GetUtcNow();
// Calculate impact by comparing findings before and after bundle time anchor
var impact = await CalculateImpactAsync(input, now, cancellationToken).ConfigureAwait(false);
// Create ledger event for the timeline impact
var chainId = LedgerChainIdGenerator.FromTenantSubject(input.TenantId, $"timeline::{input.BundleId}");
var chainHead = await _ledgerEventRepository.GetChainHeadAsync(input.TenantId, chainId, cancellationToken)
.ConfigureAwait(false);
var sequence = (chainHead?.SequenceNumber ?? 0) + 1;
var previousHash = chainHead?.EventHash ?? LedgerEventConstants.EmptyHash;
var eventId = Guid.NewGuid();
var payload = new JsonObject
{
["airgapImpact"] = new JsonObject
{
["bundleId"] = input.BundleId,
["newFindings"] = impact.NewFindings,
["resolvedFindings"] = impact.ResolvedFindings,
["criticalDelta"] = impact.CriticalDelta,
["highDelta"] = impact.HighDelta,
["mediumDelta"] = impact.MediumDelta,
["lowDelta"] = impact.LowDelta,
["timeAnchor"] = input.TimeAnchor.ToString("O"),
["sealedMode"] = input.SealedMode
}
};
var envelope = new JsonObject
{
["event"] = new JsonObject
{
["id"] = eventId.ToString(),
["type"] = LedgerEventConstants.EventAirgapTimelineImpact,
["tenant"] = input.TenantId,
["chainId"] = chainId.ToString(),
["sequence"] = sequence,
["policyVersion"] = "airgap-timeline",
["artifactId"] = input.BundleId,
["finding"] = new JsonObject
{
["id"] = input.BundleId,
["artifactId"] = input.BundleId,
["vulnId"] = "timeline-impact"
},
["actor"] = new JsonObject
{
["id"] = "timeline-service",
["type"] = "system"
},
["occurredAt"] = FormatTimestamp(input.TimeAnchor),
["recordedAt"] = FormatTimestamp(now),
["payload"] = payload.DeepClone()
}
};
var draft = new LedgerEventDraft(
input.TenantId,
chainId,
sequence,
eventId,
LedgerEventConstants.EventAirgapTimelineImpact,
"airgap-timeline",
input.BundleId,
input.BundleId,
SourceRunId: null,
ActorId: "timeline-service",
ActorType: "system",
OccurredAt: input.TimeAnchor,
RecordedAt: now,
Payload: payload,
CanonicalEnvelope: envelope,
ProvidedPreviousHash: previousHash);
var writeResult = await _writeService.AppendAsync(draft, cancellationToken).ConfigureAwait(false);
if (writeResult.Status is not (LedgerWriteStatus.Success or LedgerWriteStatus.Idempotent))
{
var error = string.Join(";", writeResult.Errors);
return new AirgapTimelineImpactResult(false, null, null, error);
}
var ledgerEventId = writeResult.Record?.EventId;
var finalImpact = impact with { LedgerEventId = ledgerEventId };
// Emit structured log for Console/Notify subscribers
LedgerTimeline.EmitAirgapTimelineImpact(
_logger,
input.TenantId,
input.BundleId,
impact.NewFindings,
impact.ResolvedFindings,
impact.CriticalDelta,
input.TimeAnchor,
input.SealedMode);
return new AirgapTimelineImpactResult(true, finalImpact, ledgerEventId, null);
}
/// <summary>
/// Calculates the impact of a bundle import on findings.
/// </summary>
private async Task<AirgapTimelineImpact> CalculateImpactAsync(
AirgapTimelineImpactInput input,
DateTimeOffset calculatedAt,
CancellationToken cancellationToken)
{
// Query projection repository for finding changes since last import
// For now, we calculate based on current projections updated since the bundle time anchor
var stats = await _projectionRepository.GetFindingStatsSinceAsync(
input.TenantId,
input.TimeAnchor,
cancellationToken).ConfigureAwait(false);
return new AirgapTimelineImpact(
input.TenantId,
input.BundleId,
NewFindings: stats.NewFindings,
ResolvedFindings: stats.ResolvedFindings,
CriticalDelta: stats.CriticalDelta,
HighDelta: stats.HighDelta,
MediumDelta: stats.MediumDelta,
LowDelta: stats.LowDelta,
TimeAnchor: input.TimeAnchor,
SealedMode: input.SealedMode,
CalculatedAt: calculatedAt,
LedgerEventId: null);
}
private static string FormatTimestamp(DateTimeOffset value)
=> value.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'");
}

220
src/Findings/StellaOps.Findings.Ledger/Services/EvidenceSnapshotService.cs Normal file
View File

@@ -0,0 +1,220 @@
using System.Text.Json.Nodes;
using Microsoft.Extensions.Logging;
using StellaOps.Findings.Ledger.Domain;
using StellaOps.Findings.Ledger.Infrastructure;
using StellaOps.Findings.Ledger.Infrastructure.AirGap;
using StellaOps.Findings.Ledger.Observability;
namespace StellaOps.Findings.Ledger.Services;
/// <summary>
/// Service for linking findings evidence to portable bundles.
/// </summary>
public sealed class EvidenceSnapshotService
{
private readonly ILedgerEventRepository _ledgerEventRepository;
private readonly ILedgerEventWriteService _writeService;
private readonly IEvidenceSnapshotRepository _repository;
private readonly TimeProvider _timeProvider;
private readonly ILogger<EvidenceSnapshotService> _logger;
public EvidenceSnapshotService(
ILedgerEventRepository ledgerEventRepository,
ILedgerEventWriteService writeService,
IEvidenceSnapshotRepository repository,
TimeProvider timeProvider,
ILogger<EvidenceSnapshotService> logger)
{
_ledgerEventRepository = ledgerEventRepository ?? throw new ArgumentNullException(nameof(ledgerEventRepository));
_writeService = writeService ?? throw new ArgumentNullException(nameof(writeService));
_repository = repository ?? throw new ArgumentNullException(nameof(repository));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <summary>
/// Links a finding to an evidence snapshot in a portable bundle.
/// </summary>
public async Task<EvidenceSnapshotLinkResult> LinkAsync(
EvidenceSnapshotLinkInput input,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(input);
ArgumentException.ThrowIfNullOrWhiteSpace(input.TenantId);
ArgumentException.ThrowIfNullOrWhiteSpace(input.FindingId);
ArgumentException.ThrowIfNullOrWhiteSpace(input.BundleUri);
ArgumentException.ThrowIfNullOrWhiteSpace(input.DsseDigest);
var now = _timeProvider.GetUtcNow();
var expiresAt = input.ValidFor.HasValue ? now.Add(input.ValidFor.Value) : (DateTimeOffset?)null;
// Check if already linked (idempotency)
var exists = await _repository.ExistsValidAsync(
input.TenantId,
input.FindingId,
input.DsseDigest,
cancellationToken).ConfigureAwait(false);
if (exists)
{
_logger.LogDebug(
"Evidence snapshot already linked for finding {FindingId} with digest {DsseDigest}",
input.FindingId, input.DsseDigest);
return new EvidenceSnapshotLinkResult(true, null, null);
}
// Create ledger event for the linkage
var chainId = LedgerChainIdGenerator.FromTenantSubject(input.TenantId, $"evidence::{input.FindingId}");
var chainHead = await _ledgerEventRepository.GetChainHeadAsync(input.TenantId, chainId, cancellationToken)
.ConfigureAwait(false);
var sequence = (chainHead?.SequenceNumber ?? 0) + 1;
var previousHash = chainHead?.EventHash ?? LedgerEventConstants.EmptyHash;
var eventId = Guid.NewGuid();
var payload = new JsonObject
{
["airgap"] = new JsonObject
{
["evidenceSnapshot"] = new JsonObject
{
["bundleUri"] = input.BundleUri,
["dsseDigest"] = input.DsseDigest,
["expiresAt"] = expiresAt?.ToString("O")
}
}
};
var envelope = new JsonObject
{
["event"] = new JsonObject
{
["id"] = eventId.ToString(),
["type"] = LedgerEventConstants.EventEvidenceSnapshotLinked,
["tenant"] = input.TenantId,
["chainId"] = chainId.ToString(),
["sequence"] = sequence,
["policyVersion"] = "evidence-snapshot",
["artifactId"] = input.FindingId,
["finding"] = new JsonObject
{
["id"] = input.FindingId,
["artifactId"] = input.FindingId,
["vulnId"] = "evidence-snapshot"
},
["actor"] = new JsonObject
{
["id"] = "evidence-linker",
["type"] = "system"
},
["occurredAt"] = FormatTimestamp(now),
["recordedAt"] = FormatTimestamp(now),
["payload"] = payload.DeepClone()
}
};
var draft = new LedgerEventDraft(
input.TenantId,
chainId,
sequence,
eventId,
LedgerEventConstants.EventEvidenceSnapshotLinked,
"evidence-snapshot",
input.FindingId,
input.FindingId,
SourceRunId: null,
ActorId: "evidence-linker",
ActorType: "system",
OccurredAt: now,
RecordedAt: now,
Payload: payload,
CanonicalEnvelope: envelope,
ProvidedPreviousHash: previousHash);
var writeResult = await _writeService.AppendAsync(draft, cancellationToken).ConfigureAwait(false);
if (writeResult.Status is not (LedgerWriteStatus.Success or LedgerWriteStatus.Idempotent))
{
var error = string.Join(";", writeResult.Errors);
return new EvidenceSnapshotLinkResult(false, null, error);
}
var ledgerEventId = writeResult.Record?.EventId;
var record = new EvidenceSnapshotRecord(
input.TenantId,
input.FindingId,
input.BundleUri,
input.DsseDigest,
now,
expiresAt,
ledgerEventId);
await _repository.InsertAsync(record, cancellationToken).ConfigureAwait(false);
LedgerTimeline.EmitEvidenceSnapshotLinked(_logger, input.TenantId, input.FindingId, input.BundleUri, input.DsseDigest);
return new EvidenceSnapshotLinkResult(true, ledgerEventId, null);
}
/// <summary>
/// Gets evidence snapshots for a finding.
/// </summary>
public async Task<IReadOnlyList<EvidenceSnapshotRecord>> GetSnapshotsAsync(
string tenantId,
string findingId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentException.ThrowIfNullOrWhiteSpace(findingId);
return await _repository.GetByFindingIdAsync(tenantId, findingId, cancellationToken)
.ConfigureAwait(false);
}
/// <summary>
/// Verifies that an evidence snapshot exists and is valid for cross-enclave verification.
/// </summary>
public async Task<bool> VerifyCrossEnclaveAsync(
string tenantId,
string findingId,
string expectedDsseDigest,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentException.ThrowIfNullOrWhiteSpace(findingId);
ArgumentException.ThrowIfNullOrWhiteSpace(expectedDsseDigest);
var snapshot = await _repository.GetLatestByFindingIdAsync(tenantId, findingId, cancellationToken)
.ConfigureAwait(false);
if (snapshot is null)
{
_logger.LogWarning(
"No evidence snapshot found for finding {FindingId}",
findingId);
return false;
}
// Check expiration
if (snapshot.ExpiresAt.HasValue && snapshot.ExpiresAt.Value < _timeProvider.GetUtcNow())
{
_logger.LogWarning(
"Evidence snapshot for finding {FindingId} has expired at {ExpiresAt}",
findingId, snapshot.ExpiresAt);
return false;
}
// Verify DSSE digest matches
if (!string.Equals(snapshot.DsseDigest, expectedDsseDigest, StringComparison.OrdinalIgnoreCase))
{
_logger.LogWarning(
"Evidence snapshot DSSE digest mismatch for finding {FindingId}: expected {Expected}, got {Actual}",
findingId, expectedDsseDigest, snapshot.DsseDigest);
return false;
}
return true;
}
private static string FormatTimestamp(DateTimeOffset value)
=> value.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'");
}

275
src/Findings/StellaOps.Findings.Ledger/Services/StalenessValidationService.cs Normal file
View File

@@ -0,0 +1,275 @@
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Findings.Ledger.Infrastructure.AirGap;
using StellaOps.Findings.Ledger.Observability;
using StellaOps.Findings.Ledger.Options;
namespace StellaOps.Findings.Ledger.Services;
/// <summary>
/// Service for validating staleness and enforcing freshness thresholds.
/// </summary>
public sealed class StalenessValidationService
{
private readonly IAirgapImportRepository _importRepository;
private readonly AirGapOptions _options;
private readonly TimeProvider _timeProvider;
private readonly ILogger<StalenessValidationService> _logger;
public StalenessValidationService(
IAirgapImportRepository importRepository,
IOptions<AirGapOptions> options,
TimeProvider timeProvider,
ILogger<StalenessValidationService> logger)
{
_importRepository = importRepository ?? throw new ArgumentNullException(nameof(importRepository));
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <summary>
/// Validates staleness for a specific domain before allowing an export.
/// </summary>
public async Task<StalenessValidationResult> ValidateForExportAsync(
string tenantId,
string domainId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentException.ThrowIfNullOrWhiteSpace(domainId);
// Check if domain is exempt
if (_options.AllowedDomains.Contains(domainId, StringComparer.OrdinalIgnoreCase))
{
return CreatePassedResult(domainId, 0);
}
var latestImport = await _importRepository.GetLatestByDomainAsync(tenantId, domainId, cancellationToken)
.ConfigureAwait(false);
if (latestImport is null)
{
return CreateNoBundleError(domainId);
}
var now = _timeProvider.GetUtcNow();
var stalenessSeconds = (long)(now - latestImport.TimeAnchor).TotalSeconds;
return Validate(domainId, stalenessSeconds, latestImport.TimeAnchor);
}
/// <summary>
/// Validates staleness using an explicit staleness value.
/// </summary>
public StalenessValidationResult Validate(
string? domainId,
long stalenessSeconds,
DateTimeOffset? timeAnchor = null)
{
var warnings = new List<StalenessWarning>();
var thresholdSeconds = _options.FreshnessThresholdSeconds;
var percentOfThreshold = (double)stalenessSeconds / thresholdSeconds * 100.0;
// Check notification thresholds for warnings
foreach (var threshold in _options.NotificationThresholds.OrderBy(t => t.PercentOfThreshold))
{
if (percentOfThreshold >= threshold.PercentOfThreshold && percentOfThreshold < 100)
{
var projectedStaleAt = timeAnchor?.AddSeconds(thresholdSeconds);
warnings.Add(new StalenessWarning(
StalenessWarningCode.WarnAirgapApproachingStale,
$"Data is {percentOfThreshold:F1}% of staleness threshold ({threshold.Severity})",
percentOfThreshold,
projectedStaleAt));
}
}
// Check if stale
if (stalenessSeconds > thresholdSeconds)
{
var actualThresholdWithGrace = thresholdSeconds + _options.GracePeriodSeconds;
var isInGracePeriod = stalenessSeconds <= actualThresholdWithGrace;
if (_options.EnforcementMode == StalenessEnforcementMode.Disabled)
{
return CreatePassedResult(domainId, stalenessSeconds, warnings);
}
if (_options.EnforcementMode == StalenessEnforcementMode.Warn || isInGracePeriod)
{
warnings.Add(new StalenessWarning(
StalenessWarningCode.WarnAirgapBundleOld,
$"Data is stale ({stalenessSeconds / 86400.0:F1} days old, threshold {thresholdSeconds / 86400.0:F0} days)",
percentOfThreshold,
null));
// Emit metric
if (_options.EmitMetrics)
{
LedgerMetrics.RecordAirgapStaleness(domainId, stalenessSeconds);
}
return CreatePassedResult(domainId, stalenessSeconds, warnings);
}
// Strict enforcement - block the export
var error = new StalenessError(
StalenessErrorCode.ErrAirgapStale,
$"Data is stale ({stalenessSeconds / 86400.0:F1} days old, threshold {thresholdSeconds / 86400.0:F0} days)",
domainId,
stalenessSeconds,
thresholdSeconds,
$"Import a fresh bundle from upstream using 'stella airgap import --domain {domainId}'");
_logger.LogWarning(
"Staleness validation failed for domain {DomainId}: {StalenessSeconds}s > {ThresholdSeconds}s",
domainId, stalenessSeconds, thresholdSeconds);
// Emit metric
if (_options.EmitMetrics)
{
LedgerMetrics.RecordAirgapStaleness(domainId, stalenessSeconds);
LedgerMetrics.RecordStalenessValidationFailure(domainId);
}
return new StalenessValidationResult(
false,
domainId,
stalenessSeconds,
thresholdSeconds,
_options.EnforcementMode,
error,
warnings);
}
// Emit metric for healthy staleness
if (_options.EmitMetrics)
{
LedgerMetrics.RecordAirgapStaleness(domainId, stalenessSeconds);
}
return CreatePassedResult(domainId, stalenessSeconds, warnings);
}
/// <summary>
/// Collects staleness metrics for all domains in a tenant.
/// </summary>
public async Task<StalenessMetricsSnapshot> CollectMetricsAsync(
string tenantId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
var now = _timeProvider.GetUtcNow();
var thresholdSeconds = _options.FreshnessThresholdSeconds;
var imports = await _importRepository.GetAllLatestByDomainAsync(tenantId, cancellationToken)
.ConfigureAwait(false);
var domainMetrics = new List<DomainStalenessMetric>();
var staleDomains = 0;
var warningDomains = 0;
var healthyDomains = 0;
var totalStaleness = 0L;
var maxStaleness = 0L;
DateTimeOffset? oldestBundle = null;
foreach (var import in imports)
{
var stalenessSeconds = (long)(now - import.TimeAnchor).TotalSeconds;
var percentOfThreshold = (double)stalenessSeconds / thresholdSeconds * 100.0;
var isStale = stalenessSeconds > thresholdSeconds;
var projectedStaleAt = import.TimeAnchor.AddSeconds(thresholdSeconds);
if (isStale)
{
staleDomains++;
}
else if (percentOfThreshold >= 75)
{
warningDomains++;
}
else
{
healthyDomains++;
}
totalStaleness += stalenessSeconds;
maxStaleness = Math.Max(maxStaleness, stalenessSeconds);
if (oldestBundle is null || import.TimeAnchor < oldestBundle)
{
oldestBundle = import.TimeAnchor;
}
var bundleCount = await _importRepository.GetBundleCountByDomainAsync(tenantId, import.BundleId, cancellationToken)
.ConfigureAwait(false);
domainMetrics.Add(new DomainStalenessMetric(
import.BundleId, // Using BundleId as domain since we don't have domain in the record
stalenessSeconds,
import.ImportedAt,
import.TimeAnchor,
bundleCount,
isStale,
percentOfThreshold,
isStale ? null : projectedStaleAt));
// Emit per-domain metric
if (_options.EmitMetrics)
{
LedgerMetrics.RecordAirgapStaleness(import.BundleId, stalenessSeconds);
}
}
var totalDomains = domainMetrics.Count;
var avgStaleness = totalDomains > 0 ? (double)totalStaleness / totalDomains : 0.0;
var aggregates = new AggregateStalenessMetrics(
totalDomains,
staleDomains,
warningDomains,
healthyDomains,
maxStaleness,
avgStaleness,
oldestBundle);
return new StalenessMetricsSnapshot(now, tenantId, domainMetrics, aggregates);
}
private StalenessValidationResult CreatePassedResult(
string? domainId,
long stalenessSeconds,
IReadOnlyList<StalenessWarning>? warnings = null)
{
return new StalenessValidationResult(
true,
domainId,
stalenessSeconds,
_options.FreshnessThresholdSeconds,
_options.EnforcementMode,
null,
warnings ?? Array.Empty<StalenessWarning>());
}
private StalenessValidationResult CreateNoBundleError(string domainId)
{
var error = new StalenessError(
StalenessErrorCode.ErrAirgapNoBundle,
$"No bundle found for domain '{domainId}'",
domainId,
0,
_options.FreshnessThresholdSeconds,
$"Import a bundle using 'stella airgap import --domain {domainId}'");
return new StalenessValidationResult(
false,
domainId,
0,
_options.FreshnessThresholdSeconds,
_options.EnforcementMode,
error,
Array.Empty<StalenessWarning>());
}
}

2
src/Findings/StellaOps.Findings.Ledger/TASKS.md
View File

@@ -6,7 +6,7 @@
| LEDGER-34-101 | DONE | Orchestrator export linkage | 2025-11-22 |
| LEDGER-AIRGAP-56-001 | DONE | Mirror bundle provenance recording | 2025-11-22 |
Status changes must be mirrored in `docs/implplan/SPRINT_0120_0000_0001_policy_reasoning.md`.
Status changes must be mirrored in `docs/implplan/SPRINT_0120_0001_0001_policy_reasoning.md`.
# Findings Ledger · Sprint 0121-0001-0001

2
src/Web/StellaOps.Web/TASKS.md
View File

@@ -19,7 +19,7 @@
| UI-POLICY-23-001 | DONE (2025-12-05) | Workspace route `/policy-studio/packs` with pack list + quick actions; cached pack store with offline fallback. |
| UI-POLICY-23-002 | DONE (2025-12-05) | YAML editor route `/policy-studio/packs/:packId/yaml` with canonical preview and lint diagnostics. |
| UI-POLICY-23-003 | DONE (2025-12-05) | Rule Builder route `/policy-studio/packs/:packId/rules` with guided inputs and deterministic preview JSON. |
| UI-POLICY-23-004 | DONE (2025-12-05) | Approval workflow UI updated with readiness checklist, schedule window card, comment thread, and two-person indicator; tests attempted but Angular CLI hit missing rxjs util module. |
| UI-POLICY-23-004 | DONE (2025-12-05) | Approval workflow UI updated with readiness checklist, schedule window card, comment thread, and two-person indicator; targeted Karma spec build succeeds, execution blocked by missing system lib (`libnss3.so`) for ChromeHeadless. |
| UI-POLICY-23-005 | DONE (2025-12-05) | Simulator updated with SBOM/advisory pickers and explain trace view; uses PolicyApiService simulate. |
| UI-POLICY-23-006 | DOING (2025-12-05) | Explain view route `/policy-studio/packs/:packId/explain/:runId` with trace + JSON export; PDF export pending backend. |
| UI-POLICY-23-001 | DONE (2025-12-05) | Workspace route `/policy-studio/packs` with pack list + quick actions; cached pack store with offline fallback. |

25
src/Web/StellaOps.Web/src/app/core/api/console-status.client.spec.ts
View File

@@ -11,13 +11,28 @@ class FakeAuthSessionStore {
}
}
class FakeEventSource {
class FakeEventSource implements EventSource {
static readonly CONNECTING = 0;
static readonly OPEN = 1;
static readonly CLOSED = 2;
readonly CONNECTING = FakeEventSource.CONNECTING;
readonly OPEN = FakeEventSource.OPEN;
readonly CLOSED = FakeEventSource.CLOSED;
public onopen: ((this: EventSource, ev: Event) => any) | null = null;
public onmessage: ((this: EventSource, ev: MessageEvent) => any) | null = null;
public onerror: ((this: EventSource, ev: Event) => any) | null = null;
readonly readyState = FakeEventSource.CONNECTING;
readonly withCredentials = false;
constructor(public readonly url: string) {}
close(): void {
// no-op for tests
}
addEventListener(): void {}
removeEventListener(): void {}
dispatchEvent(): boolean { return true; }
close(): void { /* no-op for tests */ }
}
describe('ConsoleStatusClient', () => {
@@ -83,7 +98,7 @@ describe('ConsoleStatusClient', () => {
// Simulate incoming message
const fakeSource = eventSourceFactory.calls.mostRecent().returnValue as unknown as FakeEventSource;
const message = { data: JSON.stringify({ runId: 'run-123', kind: 'progress', progressPercent: 50, updatedAt: '2025-12-01T00:00:00Z' }) } as MessageEvent;
fakeSource.onmessage?.(message);
fakeSource.onmessage?.call(fakeSource as unknown as EventSource, message);
expect(events.length).toBe(1);
expect(events[0].kind).toBe('progress');

2
src/Web/StellaOps.Web/src/app/core/api/risk-http.client.ts
View File

@@ -41,7 +41,7 @@ export class RiskHttpClient implements RiskApi {
...page,
page: page.page ?? 1,
pageSize: page.pageSize ?? 20,
}),
})),
catchError((err) => throwError(() => this.normalizeError(err)))
);
}

35
src/Web/StellaOps.Web/src/app/core/api/vulnerability.models.ts
View File

@@ -34,17 +34,24 @@ export interface VulnerabilityStats {
readonly criticalOpen: number;
}
export interface VulnerabilitiesQueryOptions {
readonly severity?: VulnerabilitySeverity | 'all';
readonly status?: VulnerabilityStatus | 'all';
readonly search?: string;
readonly hasException?: boolean;
readonly limit?: number;
readonly offset?: number;
}
export interface VulnerabilitiesResponse {
readonly items: readonly Vulnerability[];
readonly total: number;
readonly hasMore: boolean;
}
export interface VulnerabilitiesQueryOptions {
readonly severity?: VulnerabilitySeverity | 'all';
readonly status?: VulnerabilityStatus | 'all';
readonly search?: string;
readonly hasException?: boolean;
readonly limit?: number;
readonly offset?: number;
readonly page?: number;
readonly pageSize?: number;
readonly tenantId?: string;
readonly projectId?: string;
readonly traceId?: string;
}
export interface VulnerabilitiesResponse {
readonly items: readonly Vulnerability[];
readonly total: number;
readonly hasMore?: boolean;
readonly page?: number;
readonly pageSize?: number;
}

8
src/Web/StellaOps.Web/src/app/features/policy-studio/approvals/policy-approvals.component.spec.ts
View File

@@ -110,10 +110,10 @@ describe('PolicyApprovalsComponent', () => {
});
it('submits with schedule window attached', () => {
component.submitForm.patchValue({
(component as any).submitForm.patchValue({
message: 'Please review',
});
component.scheduleForm.patchValue({
(component as any).scheduleForm.patchValue({
start: '2025-12-10T00:00',
end: '2025-12-11T00:00',
});
@@ -132,7 +132,7 @@ describe('PolicyApprovalsComponent', () => {
});
it('persists schedule changes via updateApprovalSchedule', () => {
component.scheduleForm.patchValue({ start: '2025-12-12T00:00', end: '2025-12-13T00:00' });
(component as any).scheduleForm.patchValue({ start: '2025-12-12T00:00', end: '2025-12-13T00:00' });
component.onScheduleSave();
expect(api.updateApprovalSchedule).toHaveBeenCalledWith('pack-1', '1.0.0', {
start: '2025-12-12T00:00',
@@ -148,7 +148,7 @@ describe('PolicyApprovalsComponent', () => {
}));
it('posts a comment', fakeAsync(() => {
component.commentForm.setValue({ message: 'Looks good' });
(component as any).commentForm.setValue({ message: 'Looks good' });
component.onComment();
tick();
expect(api.addComment).toHaveBeenCalledWith('pack-1', '1.0.0', 'Looks good');

10
src/Web/StellaOps.Web/src/app/features/policy-studio/approvals/policy-approvals.component.ts
View File

@@ -462,6 +462,11 @@ import { PolicyApiService } from '../services/policy-api.service';
],
})
export class PolicyApprovalsComponent {
private readonly fb = inject(FormBuilder);
private readonly route = inject(ActivatedRoute);
private readonly policyApi = inject(PolicyApiService);
private readonly auth = inject(AUTH_SERVICE) as AuthService;
protected workflow?: ApprovalWorkflow;
protected checklist: ApprovalChecklistItem[] = [];
protected comments: ApprovalComment[] = [];
@@ -491,11 +496,6 @@ export class PolicyApprovalsComponent {
message: ['', [Validators.required, Validators.minLength(2)]],
});
private readonly fb = inject(FormBuilder);
private readonly route = inject(ActivatedRoute);
private readonly policyApi = inject(PolicyApiService);
private readonly auth = inject(AUTH_SERVICE) as AuthService;
get sortedReviews(): ApprovalReview[] {
if (!this.workflow?.reviews) return [];
return [...this.workflow.reviews].sort((a, b) =>

2
src/Web/StellaOps.Web/src/app/features/policy-studio/editor/monaco-loader.service.ts
View File

@@ -65,7 +65,7 @@ export class MonacoLoaderService {
// @ts-ignore - MonacoEnvironment lives on global scope
self.MonacoEnvironment = {
getWorker(_: unknown, label: string): Worker {
const factory = workerByLabel[label] ?? workerByLabel.default;
const factory = workerByLabel[label] ?? workerByLabel['default'];
return factory();
},
};

11
src/Web/StellaOps.Web/src/app/features/policy-studio/editor/policy-editor.component.ts
View File

@@ -633,12 +633,11 @@ export class PolicyEditorComponent implements OnInit, AfterViewInit, OnDestroy {
ariaLabel: 'Policy DSL editor',
});
this.subscriptions.add(
this.editor.onDidChangeModelContent(() => {
const value = this.model?.getValue() ?? '';
this.content$.next(value);
})
);
const contentDisposable = this.editor.onDidChangeModelContent(() => {
const value = this.model?.getValue() ?? '';
this.content$.next(value);
});
this.subscriptions.add(() => contentDisposable.dispose());
this.loadingEditor = false;
this.cdr.markForCheck();

14
src/Web/StellaOps.Web/src/app/features/policy-studio/editor/stella-dsl.completions.ts
View File

@@ -16,7 +16,7 @@ import { STELLA_DSL_LANGUAGE_ID } from './stella-dsl.language';
/**
* Completion items for stella-dsl keywords.
*/
const keywordCompletions: Monaco.languages.CompletionItem[] = [
const keywordCompletions: ReadonlyArray<Omit<Monaco.languages.CompletionItem, 'range'>> = [
{
label: 'policy',
kind: 14, // Keyword
@@ -110,7 +110,7 @@ const keywordCompletions: Monaco.languages.CompletionItem[] = [
/**
* Completion items for built-in functions.
*/
const functionCompletions: Monaco.languages.CompletionItem[] = [
const functionCompletions: ReadonlyArray<Omit<Monaco.languages.CompletionItem, 'range'>> = [
{
label: 'normalize_cvss',
kind: 1, // Function
@@ -196,7 +196,7 @@ const functionCompletions: Monaco.languages.CompletionItem[] = [
/**
* Completion items for VEX functions.
*/
const vexFunctionCompletions: Monaco.languages.CompletionItem[] = [
const vexFunctionCompletions: ReadonlyArray<Omit<Monaco.languages.CompletionItem, 'range'>> = [
{
label: 'vex.any',
kind: 1,
@@ -234,7 +234,7 @@ const vexFunctionCompletions: Monaco.languages.CompletionItem[] = [
/**
* Completion items for namespace fields.
*/
const namespaceCompletions: Monaco.languages.CompletionItem[] = [
const namespaceCompletions: ReadonlyArray<Omit<Monaco.languages.CompletionItem, 'range'>> = [
// SBOM fields
{ label: 'sbom.purl', kind: 5, insertText: 'sbom.purl', documentation: 'Package URL of the component.' },
{ label: 'sbom.name', kind: 5, insertText: 'sbom.name', documentation: 'Component name.' },
@@ -292,7 +292,7 @@ const namespaceCompletions: Monaco.languages.CompletionItem[] = [
/**
* Completion items for action keywords.
*/
const actionCompletions: Monaco.languages.CompletionItem[] = [
const actionCompletions: ReadonlyArray<Omit<Monaco.languages.CompletionItem, 'range'>> = [
{
label: 'status :=',
kind: 14,
@@ -362,7 +362,7 @@ const actionCompletions: Monaco.languages.CompletionItem[] = [
/**
* Completion items for VEX statuses.
*/
const vexStatusCompletions: Monaco.languages.CompletionItem[] = [
const vexStatusCompletions: ReadonlyArray<Omit<Monaco.languages.CompletionItem, 'range'>> = [
{ label: 'affected', kind: 21, insertText: '"affected"', documentation: 'Component is affected by the vulnerability.' },
{ label: 'not_affected', kind: 21, insertText: '"not_affected"', documentation: 'Component is not affected.' },
{ label: 'fixed', kind: 21, insertText: '"fixed"', documentation: 'Vulnerability has been fixed.' },
@@ -374,7 +374,7 @@ const vexStatusCompletions: Monaco.languages.CompletionItem[] = [
/**
* Completion items for VEX justifications.
*/
const vexJustificationCompletions: Monaco.languages.CompletionItem[] = [
const vexJustificationCompletions: ReadonlyArray<Omit<Monaco.languages.CompletionItem, 'range'>> = [
{ label: 'component_not_present', kind: 21, insertText: '"component_not_present"', documentation: 'Component is not present in the product.' },
{ label: 'vulnerable_code_not_present', kind: 21, insertText: '"vulnerable_code_not_present"', documentation: 'Vulnerable code is not present.' },
{ label: 'vulnerable_code_not_in_execute_path', kind: 21, insertText: '"vulnerable_code_not_in_execute_path"', documentation: 'Vulnerable code is not in execution path.' },

8
src/Web/StellaOps.Web/src/app/features/policy-studio/explain/jspdf.stub.ts Normal file
View File

@@ -0,0 +1,8 @@
// Minimal jsPDF shim for offline/testing builds.
export default class JsPdfStub {
constructor(..._args: any[]) {}
text(_text: string, _x: number, _y: number): this { return this; }
setFontSize(_size: number): this { return this; }
addPage(): this { return this; }
save(_filename: string): void { /* no-op */ }
}

2
src/Web/StellaOps.Web/src/app/features/policy-studio/explain/policy-explain.component.ts
View File

@@ -4,7 +4,7 @@ import { ActivatedRoute } from '@angular/router';
import { PolicyApiService } from '../services/policy-api.service';
import { SimulationResult } from '../models/policy.models';
import jsPDF from 'jspdf';
import jsPDF from './jspdf.stub';
@Component({
selector: 'app-policy-explain',

4
src/Web/StellaOps.Web/src/app/features/policy-studio/rule-builder/policy-rule-builder.component.spec.ts
View File

@@ -30,8 +30,8 @@ describe('PolicyRuleBuilderComponent', () => {
});
it('sorts exceptions deterministically in preview JSON', () => {
component.form.patchValue({ exceptions: 'b, a' });
const preview = component.previewJson();
(component as any).form.patchValue({ exceptions: 'b, a' });
const preview = (component as any).previewJson();
expect(preview).toContain('"exceptions": [\n "a",\n "b"');
});
});

6
src/Web/StellaOps.Web/src/app/features/policy-studio/rule-builder/policy-rule-builder.component.ts
View File

@@ -90,6 +90,9 @@ import { ActivatedRoute } from '@angular/router';
})
export class PolicyRuleBuilderComponent {
protected packId?: string;
private readonly fb = inject(FormBuilder);
private readonly route = inject(ActivatedRoute);
protected readonly form = this.fb.nonNullable.group({
source: 'nvd',
severityMin: 4,
@@ -98,9 +101,6 @@ export class PolicyRuleBuilderComponent {
quiet: 'none',
});
private readonly route = inject(ActivatedRoute);
private readonly fb = inject(FormBuilder);
constructor() {
this.packId = this.route.snapshot.paramMap.get('packId') || undefined;
}

10
src/Web/StellaOps.Web/src/app/features/policy-studio/simulation/policy-simulation.component.ts
View File

@@ -441,6 +441,10 @@ export class PolicySimulationComponent {
protected result?: SimulationResult;
protected explainTrace: ExplainEntry[] = [];
private readonly fb = inject(FormBuilder);
private readonly route = inject(ActivatedRoute);
private readonly policyApi = inject(PolicyApiService);
protected readonly form = this.fb.group({
components: [''],
advisories: [''],
@@ -453,10 +457,6 @@ export class PolicySimulationComponent {
protected readonly sboms = ['sbom-dev-001', 'sbom-prod-2024-11', 'sbom-preprod-05'];
protected readonly advisoryOptions = ['CVE-2025-0001', 'GHSA-1234', 'CVE-2024-9999'];
private readonly fb = inject(FormBuilder);
private readonly route = inject(ActivatedRoute);
private readonly policyApi = inject(PolicyApiService);
get severityBands() {
if (!this.result) return [];
const order: Array<{ key: string; label: string }> = [
@@ -516,7 +516,7 @@ export class PolicySimulationComponent {
.subscribe({
next: (res) => {
this.result = this.sortDiff(res);
this.explainTrace = res.explainTrace ?? [];
this.explainTrace = Array.from(res.explainTrace ?? []);
this.form.markAsPristine();
},
error: () => {

2
src/Web/StellaOps.Web/src/app/features/policy-studio/yaml/policy-yaml-editor.component.spec.ts
View File

@@ -59,6 +59,6 @@ describe('PolicyYamlEditorComponent', () => {
it('builds canonical YAML with sorted keys', fakeAsync(() => {
fixture.detectChanges();
tick(500);
expect(component.canonicalYaml).toContain('id');
expect((component as any).canonicalYaml).toContain('id');
}));
});

125
src/Web/StellaOps.Web/src/app/testing/policy-fixtures.ts
View File

@@ -1,23 +1,112 @@
import previewSample from '../../../../../samples/policy/policy-preview-unknown.json';
import reportSample from '../../../../../samples/policy/policy-report-unknown.json';
import {
PolicyPreviewSample,
PolicyReportSample,
} from '../core/api/policy-preview.models';
const previewFixture: PolicyPreviewSample =
previewSample as unknown as PolicyPreviewSample;
const reportFixture: PolicyReportSample =
reportSample as unknown as PolicyReportSample;
export function getPolicyPreviewFixture(): PolicyPreviewSample {
return clone(previewFixture);
}
import {
PolicyPreviewSample,
PolicyReportSample,
PolicyPreviewFindingDto,
PolicyPreviewVerdictDto,
PolicyReportDocumentDto,
DsseEnvelopeDto,
} from '../core/api/policy-preview.models';
// Deterministic inline fixtures (kept small for offline tests)
const previewFixture: PolicyPreviewSample = {
previewRequest: {
imageDigest: 'sha256:' + 'a'.repeat(64),
findings: [
{
id: 'finding-1',
severity: 'critical',
cve: 'CVE-2025-0001',
purl: 'pkg:npm/example@1.0.0',
source: 'scanner',
} as PolicyPreviewFindingDto,
],
baseline: [],
},
previewResponse: {
success: true,
policyDigest: 'b'.repeat(64),
changed: 1,
diffs: [
{
findingId: 'finding-1',
changed: true,
baseline: buildVerdict('unknown', 0.2, 'unknown'),
projected: buildVerdict('blocked', 0.8, 'reachable'),
},
],
issues: [],
},
};
const reportDocument: PolicyReportDocumentDto = {
reportId: 'report-1',
imageDigest: previewFixture.previewRequest.imageDigest,
generatedAt: '2025-12-05T00:00:00Z',
verdict: 'blocked',
policy: {
digest: previewFixture.previewResponse.policyDigest,
},
summary: {
total: 1,
blocked: 1,
warned: 0,
ignored: 0,
quieted: 0,
},
verdicts: [previewFixture.previewResponse.diffs[0].projected],
issues: [],
};
const reportEnvelope: DsseEnvelopeDto = {
payloadType: 'application/vnd.stellaops.report+json',
payload: 'eyJmb28iOiAiYmFyIn0=',
signatures: [
{
keyId: 'test-key',
algorithm: 'ed25519',
signature: 'deadbeef',
},
],
};
const reportFixture: PolicyReportSample = {
reportRequest: {
imageDigest: previewFixture.previewRequest.imageDigest,
findings: previewFixture.previewRequest.findings,
baseline: previewFixture.previewRequest.baseline,
},
reportResponse: {
report: reportDocument,
dsse: reportEnvelope,
},
};
export function getPolicyPreviewFixture(): PolicyPreviewSample {
return clone(previewFixture);
}
export function getPolicyReportFixture(): PolicyReportSample {
return clone(reportFixture);
}
function clone<T>(value: T): T {
return JSON.parse(JSON.stringify(value));
}
function clone<T>(value: T): T {
return JSON.parse(JSON.stringify(value));
}
function buildVerdict(status: string, confidence: number, reachability: string): PolicyPreviewVerdictDto {
return {
findingId: 'finding-1',
status,
ruleName: 'rule-1',
ruleAction: 'block',
score: confidence,
confidenceBand: 'high',
unknownConfidence: confidence,
reachability,
inputs: { entropy: 0.5 },
quiet: false,
quietedBy: null,
sourceTrust: 'trusted',
unknownAgeDays: 1,
};
}

9
src/Web/StellaOps.Web/src/types/jspdf.d.ts vendored Normal file
View File

@@ -0,0 +1,9 @@
declare module 'jspdf' {
export default class jsPDF {
constructor(...args: any[]);
text(text: string, x: number, y: number): this;
setFontSize(size: number): this;
addPage(): this;
save(filename: string): void;
}
}