Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

.gitea/workflows/build-test-deploy.yml

@@ -21,6 +21,8 @@ on:
       - 'docs/**'
       - 'scripts/**'
       - '.gitea/workflows/**'
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch:
     inputs:
       force_deploy:
@@ -28,6 +30,11 @@ on:
         required: false
         default: 'false'
         type: boolean
+      excititor_batch:
+        description: 'Run Excititor batch-ingest validation suite'
+        required: false
+        default: 'false'
+        type: boolean
 
 env:
   DOTNET_VERSION: '10.0.100-rc.1.25451.107'
@@ -48,6 +55,18 @@ jobs:
           tar -xzf /tmp/helm.tgz -C /tmp
           sudo install -m 0755 /tmp/linux-amd64/helm /usr/local/bin/helm
 
+      - name: Validate Helm chart rendering
+        run: |
+          set -euo pipefail
+          CHART_PATH="deploy/helm/stellaops"
+          helm lint "$CHART_PATH"
+          for values in values.yaml values-dev.yaml values-stage.yaml values-prod.yaml values-airgap.yaml values-mirror.yaml; do
+            release="stellaops-${values%.*}"
+            echo "::group::Helm template ${release} (${values})"
+            helm template "$release" "$CHART_PATH" -f "$CHART_PATH/$values" >/dev/null
+            echo "::endgroup::"
+          done
+
       - name: Validate deployment profiles
         run: ./deploy/tools/validate-profiles.sh
 
@@ -442,6 +461,15 @@ PY
           if-no-files-found: error
           retention-days: 7
 
+      - name: Run console endpoint tests
+        run: |
+          mkdir -p "$TEST_RESULTS_DIR"
+          dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/StellaOps.Authority.Tests.csproj \
+            --configuration $BUILD_CONFIGURATION \
+            --logger "trx;LogFileName=console-endpoints.trx" \
+            --results-directory "$TEST_RESULTS_DIR" \
+            --filter ConsoleEndpointsTests
+
       - name: Upload test results
         if: always()
         uses: actions/upload-artifact@v4
@@ -451,6 +479,44 @@ PY
           if-no-files-found: ignore
           retention-days: 7
 
+  sealed-mode-ci:
+    runs-on: ubuntu-22.04
+    needs: build-test
+    permissions:
+      contents: read
+      packages: read
+    env:
+      COMPOSE_PROJECT_NAME: sealedmode
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Login to registry
+        if: ${{ secrets.REGISTRY_USERNAME != '' && secrets.REGISTRY_PASSWORD != '' }}
+        uses: docker/login-action@v3
+        with:
+          registry: registry.stella-ops.org
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Run sealed-mode CI harness
+        working-directory: ops/devops/sealed-mode-ci
+        env:
+          COMPOSE_PROJECT_NAME: sealedmode
+        run: |
+          set -euo pipefail
+          ./run-sealed-ci.sh
+
+      - name: Upload sealed-mode CI artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: sealed-mode-ci
+          path: ops/devops/sealed-mode-ci/artifacts/sealed-mode-ci
+          if-no-files-found: error
+          retention-days: 14
+
   authority-container:
     runs-on: ubuntu-22.04
     needs: build-test
@@ -464,6 +530,41 @@ PY
       - name: Build Authority container image
         run: docker build -f ops/authority/Dockerfile -t stellaops-authority:ci .
 
+  excititor-batch-validation:
+    needs: build-test
+    if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.excititor_batch == 'true')
+    runs-on: ubuntu-22.04
+    env:
+      BATCH_RESULTS_DIR: ${{ github.workspace }}/artifacts/test-results/excititor-batch
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: ${{ env.DOTNET_VERSION }}
+          include-prerelease: true
+
+      - name: Run Excititor batch ingest validation suite
+        env:
+          DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1
+        run: |
+          set -euo pipefail
+          mkdir -p "$BATCH_RESULTS_DIR"
+          dotnet test src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/StellaOps.Excititor.WebService.Tests.csproj \
+            --configuration $BUILD_CONFIGURATION \
+            --filter "Category=BatchIngestValidation" \
+            --logger "trx;LogFileName=excititor-batch.trx" \
+            --results-directory "$BATCH_RESULTS_DIR"
+
+      - name: Upload Excititor batch ingest results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: excititor-batch-ingest-results
+          path: ${{ env.BATCH_RESULTS_DIR }}
+
   docs:
     runs-on: ubuntu-22.04
     env: