partly or unimplemented features - now implemented
48 docs/modules/authority/timestamping-ci-cd.md (Normal file)
@@ -0,0 +1,48 @@
# Authority CI/CD Timestamping

This document describes the CI/CD timestamping orchestration added in Sprint `SPRINT_20260208_025_Authority_rfc_3161_tsa_client_for_ci_cd_timestamping`.

## Scope
- Automatically request RFC-3161 timestamps for pipeline artifacts (SBOMs, attestations, logs, or other digest-addressed artifacts).
- Persist deterministic artifact-to-token mappings for replay, lookup, and audit.
- Support pipeline-scoped and environment-scoped timestamp policies without requiring network access in tests.

## Implementation
- Orchestration service:
- `src/Authority/__Libraries/StellaOps.Authority.Timestamping/CiCdTimestampingService.cs`
- `src/Authority/__Libraries/StellaOps.Authority.Timestamping/ICiCdTimestampingService.cs`
- Artifact timestamp registry:
- `src/Authority/__Libraries/StellaOps.Authority.Timestamping/IArtifactTimestampRegistry.cs`
- `src/Authority/__Libraries/StellaOps.Authority.Timestamping/InMemoryArtifactTimestampRegistry.cs`
- Policy models:
- `src/Authority/__Libraries/StellaOps.Authority.Timestamping/PipelineTimestampingPolicyOptions.cs`
- `src/Authority/__Libraries/StellaOps.Authority.Timestamping/CiCdTimestampingModels.cs`
- DI registration:
- `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TimestampingServiceCollectionExtensions.cs`

## Policy behavior
- `DefaultPolicy` applies when no pipeline override exists.
- `Pipelines[<pipelineId>]` overrides the default policy.
- `Pipelines[<pipelineId>].Environments[<environment>]` overrides the pipeline policy.
- Core controls:
- `Enabled`
- `RequiredSuccessCount`
- `MaxAttemptsPerArtifact`
- `RequireDistinctProviders`
- `IncludeNonce`
- `CertificateRequired`
- `HashAlgorithm`
- `PolicyOid`

## Determinism and offline posture
- Artifact processing is deterministic: artifacts are sorted by digest and type before orchestration.
- Digest normalization is deterministic (`algo:hex-lowercase`).
- Nonce generation is deterministic when `IncludeNonce=true` (derived from pipeline/artifact identity and attempt index).
- Tests use in-memory fakes only and run without network access.

## Test coverage
- `src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/CiCdTimestampingServiceTests.cs`
- `src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/InMemoryArtifactTimestampRegistryTests.cs`

Validation command used:
- `dotnet test src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/StellaOps.Authority.Timestamping.Tests.csproj --no-restore -p:BuildProjectReferences=false -v minimal`
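Review bot: the deterministic nonce documented under "Determinism and offline posture" (derived from pipeline/artifact identity and attempt index when `IncludeNonce=true`) defeats the purpose the nonce serves in RFC 3161: it is meant to be unpredictable so the requester can distinguish a fresh TSA response from a replayed one, and a value anyone can recompute from the artifact digest and attempt index gives a replayed or pre-computed token the same nonce as a genuine response. Suggest either stating plainly that `IncludeNonce` here provides request/response correlation only and is not replay protection, or sourcing the nonce from a CSPRNG in production and keeping the deterministic derivation confined to the test fakes. Two smaller points on the same file: the Scope section promises to "Persist deterministic artifact-to-token mappings for replay, lookup, and audit", yet the only registry implementation listed under Implementation is `InMemoryArtifactTimestampRegistry.cs`, so the doc should say whether a durable registry exists or that persistence is still outstanding; and the validation command passes `-p:BuildProjectReferences=false`, which runs the tests against previously built referenced assemblies rather than the sources in this change, so a run without that flag would be the stronger evidence to cite.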