more audit work

2026-01-08 10:21:51 +02:00
parent 43c02081ef
commit 51cf4bc16c
546 changed files with 36721 additions and 4003 deletions
--- a/src/Policy/StellaOps.Policy.Engine/Endpoints/ViolationEndpoints.cs
+++ b/src/Policy/StellaOps.Policy.Engine/Endpoints/ViolationEndpoints.cs
@@ -1,7 +1,7 @@
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 using StellaOps.Auth.Abstractions;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Policy.Engine.Services;
 using StellaOps.Policy.Persistence.Postgres.Models;
 using StellaOps.Policy.Persistence.Postgres.Repositories;
--- a/src/Policy/StellaOps.Policy.Engine/Services/VerdictLinkService.cs
+++ b/src/Policy/StellaOps.Policy.Engine/Services/VerdictLinkService.cs
@@ -5,7 +5,7 @@
 // -----------------------------------------------------------------------------

 using Microsoft.Extensions.Logging;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.SbomService.Repositories;

 namespace StellaOps.Policy.Engine.Services;
--- a/src/Policy/StellaOps.Policy.Engine/Storage/InMemory/InMemoryExceptionRepository.cs
+++ b/src/Policy/StellaOps.Policy.Engine/Storage/InMemory/InMemoryExceptionRepository.cs
@@ -1,7 +1,7 @@
 using System.Collections.Concurrent;
 using System.Collections.Immutable;
 using System.Text.RegularExpressions;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Policy.Persistence.Postgres.Models;
 using StellaOps.Policy.Persistence.Postgres.Repositories;

--- a/src/Policy/StellaOps.Policy.Gateway/Services/ExceptionService.cs
+++ b/src/Policy/StellaOps.Policy.Gateway/Services/ExceptionService.cs
@@ -5,7 +5,7 @@

 using System.Collections.Immutable;
 using Microsoft.Extensions.Logging;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Policy.Exceptions.Models;
 using StellaOps.Policy.Exceptions.Repositories;

--- a/src/Policy/StellaOps.Policy.Gateway/Services/PolicyGatewayDpopProofGenerator.cs
+++ b/src/Policy/StellaOps.Policy.Gateway/Services/PolicyGatewayDpopProofGenerator.cs
@@ -8,7 +8,7 @@ using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.Tokens;
 using System.IdentityModel.Tokens.Jwt;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Policy.Gateway.Options;

 namespace StellaOps.Policy.Gateway.Services;
--- a/src/Policy/StellaOps.Policy.Registry/Services/BatchSimulationOrchestrator.cs
+++ b/src/Policy/StellaOps.Policy.Registry/Services/BatchSimulationOrchestrator.cs
@@ -1,7 +1,7 @@
 using System.Collections.Concurrent;
 using System.Security.Cryptography;
 using System.Text;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Policy.Registry.Contracts;

 namespace StellaOps.Policy.Registry.Services;
--- a/src/Policy/StellaOps.Policy.Registry/Services/ReviewWorkflowService.cs
+++ b/src/Policy/StellaOps.Policy.Registry/Services/ReviewWorkflowService.cs
@@ -1,7 +1,7 @@
 using System.Collections.Concurrent;
 using System.Security.Cryptography;
 using System.Text;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Policy.Registry.Contracts;
 using StellaOps.Policy.Registry.Storage;

--- a/src/Policy/StellaOps.Policy.RiskProfile/Schema/RiskProfileSchemaProvider.cs
+++ b/src/Policy/StellaOps.Policy.RiskProfile/Schema/RiskProfileSchemaProvider.cs
@@ -12,11 +12,11 @@ public static class RiskProfileSchemaProvider

    private static string? _cachedSchemaText;
    private static string? _cachedETag;
+    private static readonly Lazy<JsonSchema> Schema = new(() => JsonSchema.FromText(GetSchemaText()));

    public static JsonSchema GetSchema()
    {
-        var schemaText = GetSchemaText();
-        return JsonSchema.FromText(schemaText);
+        return Schema.Value;
    }

    /// <summary>
--- a/src/Policy/StellaOps.Policy.RiskProfile/Validation/RiskProfileValidator.cs
+++ b/src/Policy/StellaOps.Policy.RiskProfile/Validation/RiskProfileValidator.cs
@@ -25,6 +25,10 @@ public sealed class RiskProfileValidator
        }

        using var document = JsonDocument.Parse(json);
-        return _schema.Evaluate(document.RootElement);
+        var options = new EvaluationOptions
+        {
+            OutputFormat = OutputFormat.List
+        };
+        return _schema.Evaluate(document.RootElement, options);
    }
 }
--- a/src/Policy/StellaOps.Policy.Scoring/Receipts/ReceiptBuilder.cs
+++ b/src/Policy/StellaOps.Policy.Scoring/Receipts/ReceiptBuilder.cs
@@ -5,7 +5,7 @@ using System.Text.Encodings.Web;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 using StellaOps.Attestor.Envelope;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Policy.Scoring.Engine;

 namespace StellaOps.Policy.Scoring.Receipts;
--- a/src/Policy/StellaOps.Policy.Scoring/Receipts/ReceiptHistoryService.cs
+++ b/src/Policy/StellaOps.Policy.Scoring/Receipts/ReceiptHistoryService.cs
@@ -1,6 +1,6 @@
 using System.Collections.Immutable;
 using StellaOps.Attestor.Envelope;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;

 namespace StellaOps.Policy.Scoring.Receipts;

--- a/src/Policy/StellaOps.Policy.Scoring/StellaOps.Policy.Scoring.csproj
+++ b/src/Policy/StellaOps.Policy.Scoring/StellaOps.Policy.Scoring.csproj
@@ -14,6 +14,7 @@

  <ItemGroup>
    <PackageReference Include="JsonSchema.Net" />
+    <ProjectReference Include="..\..\__Libraries\StellaOps.Determinism.Abstractions\StellaOps.Determinism.Abstractions.csproj" />
    <ProjectReference Include="..\..\Attestor\StellaOps.Attestor.Envelope\StellaOps.Attestor.Envelope.csproj" />
  </ItemGroup>

--- a/src/Policy/__Libraries/StellaOps.Policy.Exceptions/Repositories/PostgresExceptionRepository.cs
+++ b/src/Policy/__Libraries/StellaOps.Policy.Exceptions/Repositories/PostgresExceptionRepository.cs
@@ -7,7 +7,7 @@ using System.Collections.Immutable;
 using System.Text.Json;
 using Microsoft.Extensions.Logging;
 using Npgsql;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Policy.Exceptions.Models;

 namespace StellaOps.Policy.Exceptions.Repositories;
--- a/src/Policy/__Libraries/StellaOps.Policy.Exceptions/StellaOps.Policy.Exceptions.csproj
+++ b/src/Policy/__Libraries/StellaOps.Policy.Exceptions/StellaOps.Policy.Exceptions.csproj
@@ -19,4 +19,8 @@
    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
    <PackageReference Include="Npgsql" />
  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\..\__Libraries\StellaOps.Determinism.Abstractions\StellaOps.Determinism.Abstractions.csproj" />
+  </ItemGroup>
 </Project>
--- a/src/Policy/__Libraries/StellaOps.Policy.Persistence/Postgres/Migration/PolicyMigrator.cs
+++ b/src/Policy/__Libraries/StellaOps.Policy.Persistence/Postgres/Migration/PolicyMigrator.cs
@@ -1,5 +1,5 @@
 using Microsoft.Extensions.Logging;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Policy.Persistence.Postgres.Models;
 using StellaOps.Policy.Persistence.Postgres.Repositories;

--- a/src/Policy/__Libraries/StellaOps.Policy.Persistence/Postgres/Repositories/ExceptionApprovalRepository.cs
+++ b/src/Policy/__Libraries/StellaOps.Policy.Persistence/Postgres/Repositories/ExceptionApprovalRepository.cs
@@ -1,6 +1,6 @@
 using Microsoft.Extensions.Logging;
 using Npgsql;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Infrastructure.Postgres.Repositories;
 using StellaOps.Policy.Persistence.Postgres.Models;

--- a/src/Policy/__Libraries/StellaOps.Policy.Persistence/Postgres/Repositories/ExplanationRepository.cs
+++ b/src/Policy/__Libraries/StellaOps.Policy.Persistence/Postgres/Repositories/ExplanationRepository.cs
@@ -1,6 +1,6 @@
 using Microsoft.Extensions.Logging;
 using Npgsql;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Infrastructure.Postgres.Repositories;
 using StellaOps.Policy.Persistence.Postgres.Models;

--- a/src/Policy/__Libraries/StellaOps.Policy.Persistence/Postgres/Repositories/PostgresExceptionObjectRepository.cs
+++ b/src/Policy/__Libraries/StellaOps.Policy.Persistence/Postgres/Repositories/PostgresExceptionObjectRepository.cs
@@ -3,7 +3,7 @@ using System.Text;
 using System.Text.Json;
 using Microsoft.Extensions.Logging;
 using Npgsql;
-using StellaOps.Determinism.Abstractions;
+using StellaOps.Determinism;
 using StellaOps.Infrastructure.Postgres.Repositories;
 using StellaOps.Policy.Exceptions.Models;
 using StellaOps.Policy.Exceptions.Repositories;
--- a/src/Policy/__Libraries/StellaOps.Policy/TrustLattice/ProofBundle.cs
+++ b/src/Policy/__Libraries/StellaOps.Policy/TrustLattice/ProofBundle.cs
@@ -281,6 +281,7 @@ public sealed record ProofBundleStats
 /// </summary>
 public sealed class ProofBundleBuilder
 {
+    private readonly TimeProvider _timeProvider;
    private readonly List<ProofInput> _inputs = [];
    private readonly List<NormalizationTrace> _normalization = [];
    private readonly List<Claim> _claims = [];
@@ -289,6 +290,15 @@ public sealed class ProofBundleBuilder
    private string _policyBundleId = "unknown";
    private string? _policyBundleVersion;

+    /// <summary>
+    /// Initializes a new instance of the <see cref="ProofBundleBuilder"/> class.
+    /// </summary>
+    /// <param name="timeProvider">The time provider for deterministic timestamps.</param>
+    public ProofBundleBuilder(TimeProvider? timeProvider = null)
+    {
+        _timeProvider = timeProvider ?? TimeProvider.System;
+    }
+
    /// <summary>
    /// Sets the policy bundle.
    /// </summary>
@@ -381,6 +391,7 @@ public sealed class ProofBundleBuilder
        {
            PolicyBundleId = _policyBundleId,
            PolicyBundleVersion = _policyBundleVersion,
+            CreatedAt = _timeProvider.GetUtcNow(),
            Inputs = _inputs,
            Normalization = _normalization,
            Claims = _claims,
--- a/src/Policy/__Tests/StellaOps.Policy.Pack.Tests/PolicyPackSchemaTests.cs
+++ b/src/Policy/__Tests/StellaOps.Policy.Pack.Tests/PolicyPackSchemaTests.cs
@@ -14,6 +14,13 @@ namespace StellaOps.Policy.Pack.Tests;

 public class PolicyPackSchemaTests
 {
+    private static readonly Lazy<JsonSchema> Schema = new(() =>
+    {
+        var schemaPath = Path.Combine(AppContext.BaseDirectory, "TestData", "policy-pack.schema.json");
+        var schemaContent = File.ReadAllText(schemaPath);
+        return JsonSchema.FromText(schemaContent);
+    });
+
    private readonly string _testDataPath;
    private readonly JsonSchema _schema;
    private readonly IDeserializer _yamlDeserializer;
@@ -22,9 +29,7 @@ public class PolicyPackSchemaTests
    public PolicyPackSchemaTests()
    {
        _testDataPath = Path.Combine(AppContext.BaseDirectory, "TestData");
-        var schemaPath = Path.Combine(_testDataPath, "policy-pack.schema.json");
-        var schemaContent = File.ReadAllText(schemaPath);
-        _schema = JsonSchema.FromText(schemaContent);
+        _schema = Schema.Value;

        _yamlDeserializer = new DeserializerBuilder()
            .WithNamingConvention(CamelCaseNamingConvention.Instance)
--- a/src/Policy/__Tests/StellaOps.Policy.Pack.Tests/TASKS.md
+++ b/src/Policy/__Tests/StellaOps.Policy.Pack.Tests/TASKS.md
@@ -8,3 +8,5 @@ Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.
 | AUDIT-0447-M | DONE | Revalidated 2026-01-07; maintainability audit for StellaOps.Policy.Pack.Tests. |
 | AUDIT-0447-T | DONE | Revalidated 2026-01-07; test coverage audit for StellaOps.Policy.Pack.Tests. |
 | AUDIT-0447-A | DONE | Waived (test project; revalidated 2026-01-07). |
+| AUDIT-0563-T | DONE | Revalidated 2026-01-08 (starter policy pack schema + overrides). |
+| AUDIT-0563-A | DONE | Revalidated 2026-01-08 (starter policy pack schema + overrides). |
--- a/src/Policy/__Tests/StellaOps.Policy.RiskProfile.Tests/RiskProfileValidatorTests.cs
+++ b/src/Policy/__Tests/StellaOps.Policy.RiskProfile.Tests/RiskProfileValidatorTests.cs
@@ -1,4 +1,5 @@
 using System.Text.Json;
+using System.Linq;
 using StellaOps.Policy.RiskProfile.Validation;
 using Xunit;

@@ -56,7 +57,8 @@ public class RiskProfileValidatorTests
        var result = _validator.Validate(invalidProfile);

        Assert.False(result.IsValid);
-        Assert.NotEmpty(result.Errors!);
+        var hasErrors = result.Errors is { Count: > 0 } || (result.Details?.Any(detail => !detail.IsValid) ?? false);
+        Assert.True(hasErrors, "Expected schema validation errors");
    }

    [Trait("Category", TestCategories.Unit)]
--- a/src/Policy/__Tests/StellaOps.Policy.RiskProfile.Tests/TASKS.md
+++ b/src/Policy/__Tests/StellaOps.Policy.RiskProfile.Tests/TASKS.md
@@ -8,3 +8,5 @@ Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.
 | AUDIT-0452-M | DONE | Revalidated 2026-01-07; maintainability audit for StellaOps.Policy.RiskProfile.Tests. |
 | AUDIT-0452-T | DONE | Revalidated 2026-01-07; test coverage audit for StellaOps.Policy.RiskProfile.Tests. |
 | AUDIT-0452-A | DONE | Waived (test project; revalidated 2026-01-07). |
+| AUDIT-0565-T | DONE | Revalidated 2026-01-08 (risk profile schema caching + errors). |
+| AUDIT-0565-A | DONE | Revalidated 2026-01-08 (risk profile schema caching + errors). |