stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Complete Entrypoint Detection Re-Engineering Program (Sprints 0410-0415) and Sprint 3500.0002.0003 (Proof Replay + API)

Browse Source 
Entrypoint Detection Program (100% complete):
- Sprint 0411: Semantic Entrypoint Engine - all 25 tasks DONE
- Sprint 0412: Temporal & Mesh Entrypoint - all 19 tasks DONE
- Sprint 0413: Speculative Execution Engine - all 19 tasks DONE
- Sprint 0414: Binary Intelligence - all 19 tasks DONE
- Sprint 0415: Predictive Risk Scoring - all tasks DONE

Key deliverables:
- SemanticEntrypoint schema with ApplicationIntent/CapabilityClass
- TemporalEntrypointGraph and MeshEntrypointGraph
- ShellSymbolicExecutor with PathEnumerator and PathConfidenceScorer
- CodeFingerprint index with symbol recovery
- RiskScore with multi-dimensional risk assessment

Sprint 3500.0002.0003 (Proof Replay + API):
- ManifestEndpoints with DSSE content negotiation
- Proof bundle endpoints by root hash
- IdempotencyMiddleware with RFC 9530 Content-Digest
- Rate limiting (100 req/hr per tenant)
- OpenAPI documentation updates

Tests: 357 EntryTrace tests pass, WebService tests blocked by pre-existing infrastructure issue
This commit is contained in:
StellaOps Bot
2025-12-20 17:46:27 +02:00
parent ce8cdcd23d
commit 3698ebf4a8
46 changed files with 4156 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

313
src/Api/StellaOps.Api.OpenApi/scanner/openapi.yaml
View File

@@ -314,6 +314,108 @@ paths:
schema:
type: object
/scans/{scanId}/manifest:
get:
tags: [Scans]
operationId: getScanManifest
summary: Get scan manifest
description: |
Returns the scan manifest containing all input hashes and configuration.
Supports content negotiation for DSSE envelope format.
Rate limited: 200 requests/hour per tenant.
parameters:
- $ref: '#/components/parameters/ScanIdPath'
- name: Accept
in: header
description: Request format. Use application/dsse+json for signed envelope.
schema:
type: string
enum: [application/json, application/dsse+json]
default: application/json
responses:
'200':
description: Scan manifest
headers:
Content-Digest:
description: RFC 9530 content digest
schema:
type: string
X-RateLimit-Limit:
description: Rate limit ceiling
schema:
type: integer
X-RateLimit-Remaining:
description: Remaining requests
schema:
type: integer
content:
application/json:
schema:
$ref: '#/components/schemas/ScanManifestResponse'
application/dsse+json:
schema:
$ref: '#/components/schemas/DsseEnvelope'
'404':
$ref: '#/components/responses/NotFound'
'429':
$ref: '#/components/responses/TooManyRequests'
/scans/{scanId}/proofs:
get:
tags: [ProofSpines]
operationId: listProofBundles
summary: List proof bundles for a scan
description: |
Returns proof bundles with Merkle verification for deterministic replay.
Rate limited: 200 requests/hour per tenant.
parameters:
- $ref: '#/components/parameters/ScanIdPath'
responses:
'200':
description: List of proof bundles
content:
application/json:
schema:
$ref: '#/components/schemas/ProofBundleList'
'404':
$ref: '#/components/responses/NotFound'
'429':
$ref: '#/components/responses/TooManyRequests'
/scans/{scanId}/proofs/{rootHash}:
get:
tags: [ProofSpines]
operationId: getProofBundle
summary: Get proof bundle by root hash
description: |
Returns a specific proof bundle matching the root hash.
Includes Merkle verification status.
Rate limited: 200 requests/hour per tenant.
parameters:
- $ref: '#/components/parameters/ScanIdPath'
- name: rootHash
in: path
required: true
description: SHA-256 root hash of the proof bundle
schema:
type: string
pattern: '^sha256:[a-f0-9]{64}$'
example: 'sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
responses:
'200':
description: Proof bundle with verification
content:
application/json:
schema:
$ref: '#/components/schemas/ProofBundleResponse'
'404':
$ref: '#/components/responses/NotFound'
'429':
$ref: '#/components/responses/TooManyRequests'
/scans/{scanId}/spines:
get:
tags: [ProofSpines]
@@ -374,6 +476,25 @@ components:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
TooManyRequests:
description: Rate limit exceeded
headers:
Retry-After:
description: Seconds to wait before retrying
schema:
type: integer
X-RateLimit-Limit:
description: Rate limit ceiling
schema:
type: integer
X-RateLimit-Remaining:
description: Remaining requests (always 0)
schema:
type: integer
content:
application/json:
schema:
$ref: '#/components/schemas/RateLimitError'
schemas:
CreateScanRequest:
@@ -868,3 +989,195 @@ components:
type: string
details:
type: object
RateLimitError:
type: object
properties:
type:
type: string
example: 'https://stellaops.org/problems/rate-limit'
title:
type: string
example: 'Too Many Requests'
status:
type: integer
example: 429
detail:
type: string
example: 'Rate limit exceeded. Please retry after the specified time.'
retryAfterSeconds:
type: integer
example: 60
ScanManifestResponse:
type: object
required: [scanId, manifestHash, inputHashes, createdAt]
properties:
scanId:
type: string
format: uuid
manifestHash:
type: string
description: SHA-256 hash of the manifest
example: 'sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
inputHashes:
$ref: '#/components/schemas/ManifestInputHashes'
configuration:
$ref: '#/components/schemas/ManifestConfiguration'
createdAt:
type: string
format: date-time
signedAt:
type: string
format: date-time
ManifestInputHashes:
type: object
properties:
artifactDigest:
type: string
description: Image or artifact digest
sbomDigest:
type: string
description: SBOM content digest
concelierSnapshotHash:
type: string
description: Advisory database snapshot hash
excititorSnapshotHash:
type: string
description: VEX database snapshot hash
latticePolicyHash:
type: string
description: Policy profile hash
ManifestConfiguration:
type: object
properties:
scannerVersion:
type: string
workerVersion:
type: string
deterministic:
type: boolean
seed:
type: string
description: Base64-encoded determinism seed
knobs:
type: object
additionalProperties:
type: string
DsseEnvelope:
type: object
required: [payloadType, payload, signatures]
properties:
payloadType:
type: string
description: DSSE payload type URI
example: 'application/vnd.stellaops.scan-manifest.v1+json'
payload:
type: string
description: Base64-encoded payload
signatures:
type: array
items:
$ref: '#/components/schemas/DsseSignature'
DsseSignature:
type: object
required: [keyid, sig]
properties:
keyid:
type: string
description: Key identifier
sig:
type: string
description: Base64-encoded signature
algorithm:
type: string
description: Signature algorithm
example: 'ecdsa-p256-sha256'
ProofBundleList:
type: object
properties:
items:
type: array
items:
$ref: '#/components/schemas/ProofBundleSummary'
total:
type: integer
ProofBundleSummary:
type: object
properties:
rootHash:
type: string
description: SHA-256 root hash
scanId:
type: string
format: uuid
nodeCount:
type: integer
algorithm:
type: string
example: 'sha256'
createdAt:
type: string
format: date-time
ProofBundleResponse:
type: object
properties:
rootHash:
type: string
scanId:
type: string
format: uuid
manifestHash:
type: string
scoreProofHash:
type: string
algorithm:
type: string
nodeCount:
type: integer
nodes:
type: array
items:
$ref: '#/components/schemas/ProofNode'
verification:
$ref: '#/components/schemas/ProofVerification'
createdAt:
type: string
format: date-time
ProofNode:
type: object
properties:
nodeId:
type: string
nodeKind:
type: string
enum: [input, transform, delta, score]
nodeHash:
type: string
parentHash:
type: string
value:
type: number
timestamp:
type: string
format: date-time
ProofVerification:
type: object
properties:
isValid:
type: boolean
computedRootHash:
type: string
errors:
type: array
items:
type: string