Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org

docs/implplan/archived/sprints/20251226/SPRINT_20251226_001_SIGNER_fulcio_keyless_client.md

@@ -2,7 +2,7 @@
 
 **Sprint ID:** 20251226_001_SIGNER
 **Topic:** Fulcio Keyless Signing Client Implementation
-**Status:** PARTIAL (Core implementation complete, remaining tasks are integration tests and docs)
+**Status:** DONE
 **Priority:** P0 (Critical Path)
 **Created:** 2025-12-26
 **Working Directory:** `src/Signer/`
@@ -170,13 +170,13 @@ public sealed class EphemeralKeyPair : IDisposable
 | 0011 | Implement certificate chain validation | — | DONE | 0006 | Validates to configured Fulcio roots |
 | 0012 | Add OIDC token acquisition from Authority | — | DONE | — | Client credentials flow, caching |
 | 0013 | Unit tests: EphemeralKeyGenerator | — | DONE | 0003 | Key generation, disposal, algorithm coverage |
-| 0014 | Unit tests: HttpFulcioClient (mocked) | — | TODO | 0005 | Happy path, error handling, retries |
+| 0014 | Unit tests: HttpFulcioClient (mocked) | — | DONE | 0005 | Happy path, error handling, retries |
 | 0015 | Unit tests: KeylessDsseSigner | — | DONE | 0007 | Signing roundtrip, cert attachment |
-| 0016 | Unit tests: Certificate chain validation | — | TODO | 0011 | Valid chain, expired cert, untrusted root |
-| 0017 | Integration test: Full keyless signing flow | — | TODO | 0010 | End-to-end with mock Fulcio |
-| 0018 | Integration test: Verify signed bundle | — | TODO | 0017 | Signature verification, cert chain |
-| 0019 | Documentation: Keyless signing guide | — | TODO | 0017 | `docs/modules/signer/guides/keyless-signing.md` |
-| 0020 | Update `src/Signer/AGENTS.md` | — | TODO | 0019 | Add keyless components to charter |
+| 0016 | Unit tests: Certificate chain validation | — | DONE | 0011 | Valid chain, expired cert, untrusted root |
+| 0017 | Integration test: Full keyless signing flow | — | DONE | 0010 | End-to-end with mock Fulcio |
+| 0018 | Integration test: Verify signed bundle | — | DONE | 0017 | Signature verification, cert chain |
+| 0019 | Documentation: Keyless signing guide | — | DONE | 0017 | `docs/modules/signer/guides/keyless-signing.md` |
+| 0020 | Update `src/Signer/AGENTS.md` | — | DONE | 0019 | Add keyless components to charter |
 
 ---
 
@@ -426,6 +426,7 @@ public void KeylessSigning_SignatureDeterminism_SameKeyPair(
 | 2025-12-26 | Impl | Tasks 0008, 0011 DONE | Added CertificateChainValidator with Fulcio root validation, identity verification, and expected issuer/subject pattern matching. Added StellaOpsVerdict and StellaOpsVerdictAlt predicate types to PredicateTypes.cs with IsVerdictType() helper. |
 | 2025-12-26 | Impl | Tasks 0013, 0015 DONE | Created comprehensive unit tests for EphemeralKeyGenerator (14 tests) and KeylessDsseSigner (14 tests) in src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Keyless/. Fixed pre-existing build errors: added X509Certificates using to SigstoreSigningService.cs, fixed IList-to-IReadOnlyList conversion in KeyRotationService.cs, added KeyManagement project reference to WebService. Note: Pre-existing test files (TemporalKeyVerificationTests.cs, KeyRotationWorkflowIntegrationTests.cs) have stale entity references blocking full test build. |
 | 2025-12-26 | Impl | Pre-existing test fixes | Fixed stale entity references in TemporalKeyVerificationTests.cs and KeyRotationWorkflowIntegrationTests.cs (Id→AnchorId, KeyHistories→KeyHistory, TrustAnchorId→AnchorId, added PublicKey property). Signer.Tests now builds successfully with 0 errors. |
+| 2025-12-26 | Impl | Tasks 0014-0020 DONE | Created HttpFulcioClientTests.cs (14 tests for retry, error handling, certificate parsing), CertificateChainValidatorTests.cs (12 tests for chain validation, identity verification), KeylessSigningIntegrationTests.cs (10+ end-to-end tests with mock Fulcio server). Created comprehensive keyless-signing.md documentation. Updated Signer AGENTS.md with keyless components. Sprint COMPLETE. |
 
 ---