save checkpoint. additional features and their state. check some of them

This commit is contained in:
master
2026-02-10 07:54:44 +02:00
parent 4bdc298ec1
commit 5593212b41
211 changed files with 10248 additions and 1208 deletions


@@ -1,40 +0,0 @@
# Additional Crypto Profiles (GOST, SM2, eIDAS, PQC)
## Status
IMPLEMENTED (PARTIALLY)
## Description
The advisory explicitly deferred GOST R 34.10-2012, SM2, eIDAS, and post-quantum crypto profiles to future work. Note: the broader repo does have crypto modules under src/Cryptography and src/SmRemote, but those are part of separate efforts.
## Why Marked as Dropped (Correction)
**FINDING: These crypto profiles ARE implemented as plugins.** The following plugin projects exist under `src/Cryptography/`:
- `StellaOps.Cryptography.Plugin.Gost` -- GOST R 34.10-2012 support via `GostPlugin.cs`
- `StellaOps.Cryptography.Plugin.Eidas` -- eIDAS support via `EidasPlugin.cs`, includes ETSI conformance test vectors
- `StellaOps.Cryptography.Plugin.Sm` -- SM2/SM3 support
- `StellaOps.Cryptography.Plugin.Fips` -- FIPS 140 compliance plugin
- `StellaOps.Cryptography.Plugin.Hsm` -- HSM integration plugin
Additional infrastructure: `StellaOps.Cryptography.Plugin` base class (`CryptoPluginBase.cs`), `MultiProfileSigner.cs`, `SignatureProfile.cs`, ECDSA and EdDSA profile libraries. PQC (post-quantum) is the only profile that does not appear to have a dedicated plugin yet.
## Implementation Details
- Plugin architecture: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs`
- GOST: `src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs`
- eIDAS: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs`
- SM2: `src/Cryptography/StellaOps.Cryptography.Plugin.Sm/`
- FIPS: `src/Cryptography/StellaOps.Cryptography.Plugin.Fips/`
- HSM: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/`
- Tests: `src/Cryptography/__Tests/`, plus tests in `src/__Libraries/__Tests/StellaOps.Cryptography.Tests/`
## E2E Test Plan
- Verify each crypto plugin can sign and verify payloads
- Validate ETSI conformance test vectors pass for eIDAS plugin
- Test multi-profile signing via MultiProfileSigner
- Confirm plugin discovery and loading via CryptoPluginBase
## Source
- Feature matrix scan
## Notes
- Module: Cryptography
- Modules referenced: `src/Cryptography/`, `src/SmRemote/`
- **Status should be reclassified from NOT_FOUND to IMPLEMENTED (PARTIALLY) -- only PQC remains unimplemented**
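Review bot: The Status line ("IMPLEMENTED (PARTIALLY)") and the closing Notes bullet ("Status should be reclassified from NOT_FOUND to IMPLEMENTED (PARTIALLY)") contradict each other within the same entry, so the correction was only half applied before the file was removed. The one actionable finding here, that PQC is the only profile without a dedicated plugin, is not visible in any other hunk shown; if this deletion consolidates catalog entries, carry that gap over into the surviving crypto entry rather than dropping it with the file.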


@@ -1,34 +0,0 @@
# Crypto Provider Plugin Architecture (GOST, SM, FIPS, eIDAS)
## Module
Cryptography
## Status
IMPLEMENTED
## Description
Full plugin-based crypto architecture with dedicated plugins for GOST, SM (Chinese), FIPS, and eIDAS regional crypto profiles. MultiProfileSigner supports runtime profile selection.
## Implementation Details
- **CryptoPluginBase**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` -- abstract base class for all crypto plugins implementing IPlugin + ICryptoCapability; provides lifecycle management, SignAsync/VerifyAsync/EncryptAsync/DecryptAsync/HashAsync abstract methods, CanHandle for algorithm routing
- **GostPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs` -- GOST R 34.10-2012 / GOST R 34.11-2012 (Streebog) crypto provider for Russian Federation compliance
- **SmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Sm/SmPlugin.cs` -- SM2/SM3/SM4 crypto provider for Chinese national standards compliance
- **FipsPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Fips/FipsPlugin.cs` -- FIPS 140-2/3 compliant crypto provider restricting operations to FIPS-approved algorithms
- **EidasPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs` -- EU eIDAS regulation crypto provider with qualified timestamping and CAdES signature support
- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- Hardware Security Module plugin with PKCS#11 integration
- **MultiProfileSigner**: `src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs` -- orchestrates concurrent signing with multiple IContentSigner profiles (e.g., EdDSA + GOST dual-stack); SignAllAsync runs all profiles via Task.WhenAll; returns MultiSignatureResult with all signatures + timestamp
- **IContentSigner**: `src/Cryptography/StellaOps.Cryptography/IContentSigner.cs` -- signer interface: SignAsync, Profile, Algorithm, KeyId; extends IDisposable
- **IContentVerifier**: `src/Cryptography/StellaOps.Cryptography/IContentVerifier.cs` -- verifier interface
- **SignatureProfile**: `src/Cryptography/StellaOps.Cryptography/SignatureProfile.cs` -- enum/model for crypto profiles
- **Models**: `src/Cryptography/StellaOps.Cryptography/Models/` -- MultiSignatureResult, SignatureResult, Signature, VerificationResult
- **Tests**: `src/Cryptography/__Tests/StellaOps.Cryptography.Tests/CryptographyModelTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify each crypto plugin (GOST, SM, FIPS, eIDAS, HSM) can be loaded and initialized through the plugin system
- [ ] Verify CryptoPluginBase lifecycle: initialization, health check, and disposal
- [ ] Test CanHandle routes signing requests to the correct plugin based on algorithm prefix
- [ ] Verify MultiProfileSigner signs with all configured profiles concurrently and returns combined result
- [ ] Test dual-stack signing (e.g., EdDSA + GOST) produces two independent signatures
- [ ] Verify plugin health checks report connected/disconnected status
- [ ] Verify FIPS plugin rejects non-FIPS-approved algorithms
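Review bot: This entry duplicates the later "Regional Crypto Profiles (FIPS, GOST, eIDAS, SM)" entry almost line for line (same CryptoPluginBase, plugin, MultiProfileSigner and IContentSigner paths), so removing one of the two is reasonable, but the test plans are not identical: only this one lists the CryptoPluginBase lifecycle test ("initialization, health check, and disposal"), the connected/disconnected health-status check, and CanHandle routing by algorithm prefix. Keep those three items in whichever entry survives.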


@@ -1,35 +0,0 @@
# eIDAS Qualified Timestamping
## Module
Cryptography
## Status
IMPLEMENTED
## Description
EU-qualified timestamp verification with TSA configuration, EU Trust List integration, and CAdES signature building for eIDAS compliance.
## Implementation Details
- **EidasPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs` -- eIDAS crypto provider plugin extending CryptoPluginBase
- **QualifiedTimestampVerifier**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/QualifiedTimestampVerifier.cs` -- verifies RFC 3161 timestamps from EU-qualified TSAs against the EU Trust List
- **IQualifiedTimestampVerifier**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/IQualifiedTimestampVerifier.cs` -- verification interface
- **EuTrustListService**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/EuTrustListService.cs` -- fetches and caches the EU Trusted List of TSA providers for validation
- **IEuTrustListService**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/IEuTrustListService.cs` -- trust list interface
- **TimestampModeSelector**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/TimestampModeSelector.cs` -- selects between qualified and standard timestamping based on configuration and TSA availability
- **ITimestampModeSelector**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/ITimestampModeSelector.cs` -- mode selection interface
- **CadesSignatureBuilder**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/CadesSignatureBuilder.cs` -- builds CAdES (CMS Advanced Electronic Signatures) signatures with embedded timestamps per EU regulation requirements
- **ICadesSignatureBuilder**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/ICadesSignatureBuilder.cs` -- CAdES builder interface
- **QualifiedTsaConfiguration**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/QualifiedTsaConfiguration.cs` -- TSA endpoint URL, authentication, certificate chain configuration
- **EidasTimestampingExtensions**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/EidasTimestampingExtensions.cs` -- DI registration extensions for eIDAS timestamping services
- **EtsiConformanceTestVectors**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Tests/EtsiConformanceTestVectors.cs` -- ETSI conformance test vectors
- **Tests**: `src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Eidas/QualifiedTsaProviderTests.cs`, `TimestampModeSelectorTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify qualified timestamp verification validates RFC 3161 timestamp against EU Trust List
- [ ] Test timestamp mode selector chooses qualified mode when TSA is available and standard mode as fallback
- [ ] Verify CAdES signature builder produces valid CMS Advanced Electronic Signatures with embedded timestamps
- [ ] Test EU Trust List service fetches and caches TSA provider list
- [ ] Verify QualifiedTsaConfiguration validates TSA endpoint URL and certificate chain
- [ ] Test ETSI conformance test vectors pass validation
- [ ] Verify timestamp verification fails for non-qualified TSA providers
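Review bot: The test plan covers fetching and caching the EU Trust List ("Test EU Trust List service fetches and caches TSA provider list") but not the failure side: what QualifiedTimestampVerifier does when the cached list has expired or the fetch fails. A verifier that keeps answering from a stale list weakens the last item, "Verify timestamp verification fails for non-qualified TSA providers", because a TSA withdrawn from the list would still validate until the cache is refreshed. Add an item for expired-cache and fetch-failure behaviour (fail closed, or a bounded staleness window) before this entry is retired.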


@@ -1,30 +0,0 @@
# Hardware-Backed Org Key / KMS Signing
## Module
Cryptography
## Status
IMPLEMENTED
## Description
HSM and KMS key support via pluggable cryptography module with dedicated plugins for hardware-backed signing.
## Implementation Details
- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- PKCS#11 HSM integration supporting RSA (SHA-256/384/512, PSS-SHA256), ECDSA (P-256, P-384), and AES-GCM (128/256) operations; ConnectAsync/DisconnectAsync for HSM session management; simulation mode for testing without hardware
- **Pkcs11HsmClientImpl**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/Pkcs11HsmClientImpl.cs` -- production PKCS#11 native library wrapper for hardware key operations
- **CryptoPluginBase**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` -- base class providing plugin lifecycle + ICryptoCapability interface with Sign/Verify/Encrypt/Decrypt/Hash operations
- **MultiProfileSigner**: `src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs` -- orchestrates concurrent signing with multiple profiles (e.g., HSM-backed + software EdDSA dual-stack)
- **IContentSigner**: `src/Cryptography/StellaOps.Cryptography/IContentSigner.cs` -- abstraction: SignAsync, Profile, Algorithm, KeyId
- **DefaultSigningKeyResolver**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/DefaultSigningKeyResolver.cs` -- resolves signing keys from trust anchors and key management
- **CryptoDsseSigner**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/CryptoDsseSigner.cs` -- DSSE signer using crypto plugin infrastructure
- **Tests**: `src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Hsm/Pkcs11HsmClientIntegrationTests.cs`, `src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Integration/CryptoDsseSignerIntegrationTests.cs`, `MultiPluginSignVerifyIntegrationTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify HSM-backed signing via PKCS#11 produces valid signatures verifiable with the corresponding public key
- [ ] Verify HSM key operations work through the CryptoPluginBase plugin interface
- [ ] Test multi-profile signing with HSM + software key profiles combined
- [ ] Verify signing key resolution from trust anchors routes to HSM plugin for HSM-prefixed algorithms
- [ ] Test CryptoDsseSigner produces valid DSSE envelopes when backed by HSM keys
- [ ] Verify HSM disconnect and reconnect behavior during key operations
- [ ] Test simulation mode provides functional signing for development/testing environments
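Review bot: The title promises "KMS Signing", but every Implementation Details bullet is HSM/PKCS#11 or software signing; no KMS client appears, so either the title overstates scope or a component is missing from the list. Separately, the last test item ("Test simulation mode provides functional signing for development/testing environments") only checks that simulation works; the matching guard, that simulation mode cannot be selected under a production configuration, is what needs a test, since simulation silently replaces hardware-held keys with in-process ones.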


@@ -1,31 +0,0 @@
# HSM Integration (PKCS#11)
## Module
Cryptography
## Status
IMPLEMENTED
## Description
PKCS#11 HSM client implementation for hardware security module integration, with integration tests.
## Implementation Details
- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- HSM crypto plugin extending CryptoPluginBase; supports algorithms: HSM-RSA-SHA256/384/512, HSM-RSA-PSS-SHA256, HSM-ECDSA-P256/P384, HSM-AES-128/256-GCM; initializes with PKCS#11 library path (or simulation mode when unconfigured); SignAsync/VerifyAsync/EncryptAsync/DecryptAsync delegate to IHsmClient; HashAsync (SHA-256/384/512) computed locally; health check reports connected/disconnected/degraded status with slot info
- **IHsmClient**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- HSM client interface: ConnectAsync (slotId, pin), DisconnectAsync, PingAsync, SignAsync, VerifyAsync, EncryptAsync, DecryptAsync
- **Pkcs11HsmClientImpl**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/Pkcs11HsmClientImpl.cs` -- production PKCS#11 client implementation wrapping native PKCS#11 library
- **Pkcs11HsmClient**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- adapter delegating to Pkcs11HsmClientImpl with connection management
- **SimulatedHsmClient**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- test double for HSM operations without hardware: generates RSA-2048 + AES-256 keys on connect; RSA sign/verify with PKCS1/PSS padding; AES-GCM encrypt/decrypt with IV + tag management
- **HsmOptions**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- configuration: LibraryPath (.so/.dll path, empty for simulation), SlotId, Pin, TokenLabel, ConnectionTimeoutSeconds (30), ReadOnlySession flag
- **HsmMechanism**: enum for signing/encryption mechanism mapping: RsaSha256/384/512, RsaPssSha256, EcdsaP256/P384, Aes128Gcm, Aes256Gcm
- **Tests**: `src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Hsm/Pkcs11HsmClientIntegrationTests.cs`, `SoftHsmTestFixture.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify HSM plugin initializes in simulation mode when no library path is configured
- [ ] Verify HSM plugin connects to PKCS#11 library when LibraryPath is set
- [ ] Test RSA signing and verification with SHA-256/384/512 and PKCS1/PSS padding
- [ ] Test ECDSA P-256 and P-384 signing and verification
- [ ] Test AES-128-GCM and AES-256-GCM encryption and decryption
- [ ] Verify health check returns Unhealthy when not connected, Degraded on slow response, Healthy with slot details
- [ ] Verify CanHandle only accepts algorithms with HSM- prefix
- [ ] Test plugin lifecycle: initialize -> active -> health check -> dispose (disconnect)
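Review bot: Per the HsmOptions bullet, an empty LibraryPath selects simulation mode, and the first test item treats that as expected behaviour. That means a lost or blank config value degrades to SimulatedHsmClient, which "generates RSA-2048 + AES-256 keys on connect", without any error. Suggest an explicit opt-in (a dedicated simulation flag) so that a missing library path fails initialization instead, plus a test item asserting it. Also, HsmOptions carries Pin and the health check "reports connected/disconnected/degraded status with slot info"; add a check that the PIN never appears in health-check output or logs.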


@@ -1,35 +0,0 @@
# Regional Crypto Profiles (FIPS, GOST, eIDAS, SM)
## Module
Cryptography
## Status
IMPLEMENTED
## Description
Full crypto profile system with plugins for FIPS, GOST, eIDAS (with qualified timestamping), SM (Chinese standards), and HSM (PKCS#11). Supports multi-profile signing and EdDSA/ECDSA-P256 profiles.
## Implementation Details
- **FipsPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Fips/FipsPlugin.cs` -- FIPS 140-2/3 compliant crypto provider restricting to approved algorithms (RSA, ECDSA, AES-GCM, SHA-2)
- **GostPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs` -- Russian Federation GOST R 34.10-2012 (digital signatures) and GOST R 34.11-2012 Streebog (hashing) provider
- **EidasPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs` -- EU eIDAS provider with qualified timestamping (QualifiedTimestampVerifier, EuTrustListService, TimestampModeSelector) and CAdES signature building (CadesSignatureBuilder)
- **SmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Sm/SmPlugin.cs` -- Chinese national standards: SM2 (elliptic curve), SM3 (hash), SM4 (block cipher) provider
- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- PKCS#11 HSM integration with RSA/ECDSA/AES-GCM support
- **CryptoPluginBase**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` -- abstract base for all crypto plugins; lifecycle management + ICryptoCapability interface
- **MultiProfileSigner**: `src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs` -- concurrent multi-profile signing via Task.WhenAll across IContentSigner profiles; returns MultiSignatureResult with all signatures
- **Ed25519Signer/Verifier**: `src/Cryptography/StellaOps.Cryptography.Profiles.EdDsa/Ed25519Signer.cs`, `Ed25519Verifier.cs` -- EdDSA Ed25519 profile implementation
- **EcdsaP256Signer**: `src/Cryptography/StellaOps.Cryptography.Profiles.Ecdsa/EcdsaP256Signer.cs` -- ECDSA P-256 profile implementation
- **IContentSigner/IContentVerifier**: `src/Cryptography/StellaOps.Cryptography/IContentSigner.cs`, `IContentVerifier.cs` -- signer/verifier abstractions with Profile, Algorithm, KeyId
- **SignatureProfile**: `src/Cryptography/StellaOps.Cryptography/SignatureProfile.cs` -- profile model
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify each regional plugin (FIPS, GOST, eIDAS, SM, HSM) loads and passes health check
- [ ] Verify FIPS plugin rejects non-FIPS algorithms and accepts approved ones
- [ ] Verify GOST plugin supports GOST R 34.10-2012 signing and GOST R 34.11-2012 hashing
- [ ] Verify eIDAS plugin integrates qualified timestamping with EU Trust List validation
- [ ] Verify SM plugin supports SM2 signing, SM3 hashing, SM4 encryption
- [ ] Test multi-profile signing with EdDSA + GOST dual-stack produces two independent signatures
- [ ] Verify Ed25519 signer/verifier round-trip (sign then verify)
- [ ] Verify ECDSA P-256 signer round-trip
- [ ] Test profile selection routes to correct plugin based on algorithm
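Review bot: This entry overlaps the "Crypto Provider Plugin Architecture" entry on all plugin and signer paths; what is unique here is the Ed25519Signer/Verifier and EcdsaP256Signer bullets, their round-trip test items, and the explicit list of FIPS-approved algorithms (RSA, ECDSA, AES-GCM, SHA-2). If the removal is a de-duplication, those are the parts to keep. The round-trip items also only cover sign-then-verify on unmodified data; a tampered-payload and wrong-key verification item would be the useful addition to the surviving entry.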


@@ -1,23 +0,0 @@
# Gateway Connection Lifecycle Management
## Module
Gateway
## Status
IMPLEMENTED
## Description
HELLO frame processing for microservice registration, connection lifecycle management with cleanup on disconnect, and `ConnectionManager` hosted service for monitoring active connections.
## Implementation Details
- **Gateway hosted service**: `src/Gateway/StellaOps.Gateway.WebService/Services/GatewayHostedService.cs` -- connection lifecycle management background service
- **Health monitoring**: `src/Gateway/StellaOps.Gateway.WebService/Services/GatewayHealthMonitorService.cs` -- monitors active connections, detects stale instances
- **Metrics**: `src/Gateway/StellaOps.Gateway.WebService/Services/GatewayMetrics.cs` -- connection metrics tracking
- **Configuration**: `src/Gateway/StellaOps.Gateway.WebService/Configuration/GatewayOptions.cs`, `GatewayOptionsValidator.cs`
- **Source**: batch_51/file_22.md
## E2E Test Plan
- [ ] Verify HELLO frame processing registers new microservice connections
- [ ] Test connection cleanup on client disconnect
- [ ] Verify GatewayHealthMonitorService detects stale connections
- [ ] Verify edge cases and error handling
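Review bot: The description names a `ConnectionManager` hosted service, but no file of that name appears in Implementation Details; the listed service is GatewayHostedService. Either correct the reference or add the missing path. The closing item "Verify edge cases and error handling" is not a testable statement; spell out the cases the description implies, for example a HELLO frame from an instance that is already registered and a disconnect arriving mid-registration.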


@@ -1,31 +0,0 @@
# Gateway HTTP Middleware Pipeline
## Module
Gateway
## Status
IMPLEMENTED
## Description
Full HTTP middleware pipeline for the Gateway WebService including endpoint resolution, authorization with claims propagation, routing decision, transport dispatch, correlation ID tracking, tenant isolation, health checks, and global error handling.
## Implementation Details
- **Authorization**: `src/Gateway/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs` -- endpoint authorization
- **Claims propagation**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/ClaimsPropagationMiddleware.cs` -- propagates authenticated claims to downstream services
- **Correlation ID**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/CorrelationIdMiddleware.cs` -- request correlation tracking
- **Routing**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/RequestRoutingMiddleware.cs` -- route resolution and dispatch
- **Routes**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/GatewayRoutes.cs` -- route definitions
- **Health checks**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/HealthCheckMiddleware.cs`
- **Identity header policy**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/IdentityHeaderPolicyMiddleware.cs` -- identity header enforcement
- **Sender constraints**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/SenderConstraintMiddleware.cs`
- **Tenant isolation**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/TenantMiddleware.cs`
- **Context keys**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/GatewayContextKeys.cs`
- **Security**: `src/Gateway/StellaOps.Gateway.WebService/Security/AllowAllAuthenticationHandler.cs`
- **Source**: batch_51/file_21.md
## E2E Test Plan
- [ ] Verify middleware pipeline executes in correct order
- [ ] Test authorization middleware blocks unauthorized requests
- [ ] Verify correlation IDs propagate through gateway to downstream services
- [ ] Test tenant isolation prevents cross-tenant access
- [ ] Verify edge cases and error handling
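Review bot: `Security/AllowAllAuthenticationHandler.cs` is listed under "Security" with no description of when it is used. An authentication handler that accepts everything is a legitimate test or local-development component, but the test item "authorization middleware blocks unauthorized requests" does not show that this handler is excluded from production registration. Add a sentence on where it is wired in and a test item confirming it is not the handler registered in production builds.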


@@ -1,24 +0,0 @@
# Gateway Identity Header Strip-and-Overwrite Policy Middleware
## Module
Gateway
## Status
IMPLEMENTED
## Description
Security middleware that enforces identity header integrity at the Gateway/Router level. Strips incoming identity headers from external requests and overwrites them with verified claims from the authenticated session, preventing header spoofing attacks in service-to-service communication.
## Implementation Details
- **Identity header middleware**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/IdentityHeaderPolicyMiddleware.cs` -- strips incoming identity headers and overwrites with verified claims
- **Claims store**: `src/Gateway/StellaOps.Gateway.WebService/Authorization/EffectiveClaimsStore.cs`, `IEffectiveClaimsStore.cs` -- manages effective claims after header processing
- **Authorization middleware**: `src/Gateway/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs` -- enforces authorization after identity header processing
- **Sender constraints**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/SenderConstraintMiddleware.cs` -- validates sender identity
- **Source**: SPRINT_8100_0011_0002_gateway_identity_header_hardening.md
## E2E Test Plan
- [ ] Verify incoming identity headers are stripped from external requests
- [ ] Test verified claims replace stripped headers correctly
- [ ] Verify header spoofing attempts are blocked
- [ ] Test service-to-service communication uses verified identity headers
- [ ] Verify edge cases and error handling
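Review bot: The entry never names which headers count as identity headers, so "Verify incoming identity headers are stripped from external requests" cannot be checked against a list. The test plan should also state that header-name matching is case-insensitive and that every repeated instance of a header is removed, since HTTP header names are case-insensitive and a request may carry the same header more than once; a strip step that removes only the first exact-case match leaves the overwrite incomplete.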


@@ -1,23 +0,0 @@
# Router Authority Claims Integration
## Module
Gateway
## Status
IMPLEMENTED
## Description
`IAuthorityClaimsProvider` integration enabling centralized Authority service to override endpoint claim requirements. Three-tier precedence: Code attributes < YAML config < Authority overrides. EffectiveClaimsStore caches resolved claims.
## Implementation Details
- **Effective claims store**: `src/Gateway/StellaOps.Gateway.WebService/Authorization/EffectiveClaimsStore.cs`, `IEffectiveClaimsStore.cs` -- caches resolved claims with three-tier precedence
- **Authorization middleware**: `src/Gateway/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs` -- enforces Authority-provided claim requirements
- **Claims propagation**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/ClaimsPropagationMiddleware.cs` -- propagates resolved claims downstream
- **Gateway value parser**: `src/Gateway/StellaOps.Gateway.WebService/Configuration/GatewayValueParser.cs` -- parses configuration values for claims
- **Source**: batch_52/file_09.md
## E2E Test Plan
- [ ] Verify three-tier precedence: code attributes < YAML config < Authority overrides
- [ ] Test EffectiveClaimsStore caching behaves correctly
- [ ] Verify Authority-provided claim overrides take highest priority
- [ ] Test claims propagation to downstream services
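Review bot: "Test EffectiveClaimsStore caching behaves correctly" is too vague for a store that caches authorization requirements. The case that matters is invalidation: when an Authority override changes (the highest tier in "Code attributes < YAML config < Authority overrides"), a cached entry must not keep serving the older, possibly weaker, requirement. Replace the item with one that changes an override and asserts the next resolution reflects it, and add one for the store's behaviour when the Authority provider is unreachable.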


@@ -1,37 +0,0 @@
# Router Back-Pressure Middleware (Dual-Window Rate Limiting + Circuit Breaker)
## Module
Gateway
## Status
IMPLEMENTED
## Description
Rate limiting is present in the Gateway and Graph API services. The advisory's highly detailed dual-window rate limiter with Redis/Valkey-backed environment limiter, ring counter, and custom circuit breaker pattern is not implemented as described. Standard ASP.NET rate limiting is used instead.
## What's Implemented
- Gateway middleware pipeline with request routing: `src/Gateway/StellaOps.Gateway.WebService/Middleware/RequestRoutingMiddleware.cs`
- Sender constraint middleware: `src/Gateway/StellaOps.Gateway.WebService/Middleware/SenderConstraintMiddleware.cs`
- Gateway options with configurable limits: `src/Gateway/StellaOps.Gateway.WebService/Configuration/GatewayOptions.cs`
- Gateway metrics: `src/Gateway/StellaOps.Gateway.WebService/Services/GatewayMetrics.cs`
- Standard ASP.NET rate limiting via middleware pipeline
- **Router module has advanced rate limiting** (separate from Gateway):
- `src/Router/__Libraries/StellaOps.Router.Gateway/RateLimit/EnvironmentRateLimiter.cs` -- Valkey-backed environment rate limiter with circuit breaker
- `src/Router/__Libraries/StellaOps.Router.Gateway/RateLimit/InstanceRateLimiter.cs` -- per-instance rate limiting
- `src/Router/__Libraries/StellaOps.Router.Gateway/RateLimit/RateLimitService.cs` -- rate limit service orchestrator
- `src/Router/__Libraries/StellaOps.Messaging.Transport.Valkey/ValkeyRateLimiter.cs` -- Valkey-backed distributed rate limiter
- Source: Feature matrix scan
## What's Missing
- **Gateway integration with Router rate limiting**: The Router module has Valkey-backed rate limiting and circuit breaker, but the Gateway module does not consume these services. The Gateway still uses standard ASP.NET rate limiting.
- Dual-window rate limiter with sliding window algorithm in the Gateway
- Ring counter implementation for rate tracking in the Gateway
- Unified rate limit configuration across Gateway and Router modules
## Implementation Plan
- Evaluate whether standard ASP.NET rate limiting is sufficient for current scale
- If needed, implement Redis/Valkey-backed rate limiting for distributed deployment
- Add circuit breaker pattern for downstream service protection
## Related Documentation
- Source: See feature catalog
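Review bot: Status says IMPLEMENTED, but the description states the dual-window limiter, ring counter and circuit breaker are "not implemented as described", and the entry carries a "What's Missing" section and an Implementation Plan; a partial marker fits the text, and as written the status will be read as done. The gap worth preserving is the first "What's Missing" bullet: the Router module has Valkey-backed limiting and a circuit breaker, but the Gateway does not consume them.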


@@ -1,24 +0,0 @@
# Router Heartbeat and Health Monitoring
## Module
Gateway
## Status
IMPLEMENTED
## Description
Heartbeat protocol with configurable intervals, `HealthMonitorService` for stale instance detection, ping latency tracking with exponential moving average, Draining health status for graceful shutdown, and automatic instance removal on missed heartbeats.
## Implementation Details
- **Health monitor service**: `src/Gateway/StellaOps.Gateway.WebService/Services/GatewayHealthMonitorService.cs` -- stale instance detection, heartbeat tracking
- **Health check middleware**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/HealthCheckMiddleware.cs` -- health endpoint processing
- **Gateway metrics**: `src/Gateway/StellaOps.Gateway.WebService/Services/GatewayMetrics.cs` -- latency tracking, connection metrics
- **Gateway hosted service**: `src/Gateway/StellaOps.Gateway.WebService/Services/GatewayHostedService.cs` -- connection lifecycle management
- **Options**: `src/Gateway/StellaOps.Gateway.WebService/Configuration/GatewayOptions.cs` -- configurable heartbeat intervals
- **Source**: batch_51/file_23.md
## E2E Test Plan
- [ ] Verify heartbeat protocol detects stale instances
- [ ] Test configurable heartbeat intervals
- [ ] Verify Draining status for graceful shutdown
- [ ] Test automatic instance removal on missed heartbeats
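Review bot: The description references `HealthMonitorService`, but the listed file is GatewayHealthMonitorService; align the name. The description also promises ping latency tracking with an exponential moving average, yet no test item covers it; add one that feeds a known latency sequence and checks the averaged value, and one that confirms an instance in Draining status is not counted as stale before its removal deadline.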


@@ -1,23 +0,0 @@
# Router Payload Size Enforcement
## Module
Gateway
## Status
IMPLEMENTED
## Description
PayloadLimitsMiddleware with per-request, per-connection, and aggregate byte limits using `ByteCountingStream`. Returns HTTP 413 (payload too large), 429 (rate limited), or 503 (service unavailable) with configurable thresholds.
## Implementation Details
- **Gateway options**: `src/Gateway/StellaOps.Gateway.WebService/Configuration/GatewayOptions.cs` -- configurable payload size thresholds
- **Options validator**: `src/Gateway/StellaOps.Gateway.WebService/Configuration/GatewayOptionsValidator.cs` -- validates payload limit configuration
- **Routing middleware**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/RequestRoutingMiddleware.cs` -- request routing with size checks
- **Sender constraints**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/SenderConstraintMiddleware.cs` -- sender-level enforcement
- **Source**: batch_52/file_02.md
## E2E Test Plan
- [ ] Verify HTTP 413 returned for oversized payloads
- [ ] Test per-request, per-connection, and aggregate limits independently
- [ ] Verify configurable thresholds are respected
- [ ] Test HTTP 429 and 503 responses for rate limiting and service unavailability
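Review bot: The description names PayloadLimitsMiddleware and `ByteCountingStream`, but neither appears in Implementation Details; the listed files are GatewayOptions, its validator, RequestRoutingMiddleware and SenderConstraintMiddleware. Either the middleware lives at a path not recorded here or the description restates the advisory rather than the code; the status should not read IMPLEMENTED until the path is confirmed. The test plan would also benefit from a release case for the per-connection and aggregate counters: bytes counted for a connection should be released when it closes, so that the aggregate limit does not accumulate across the gateway's lifetime.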


@@ -1,30 +0,0 @@
# StellaRouter Performance Testing Pipeline (k6 + Prometheus + Correlation IDs)
## Module
Gateway
## Status
IMPLEMENTED
## Description
The StellaRouter gateway service exists but the advisory's proposed k6 performance testing scenarios (A-G), correlation ID instrumentation, and Prometheus metric dashboards for performance curve modeling are not present as source code artifacts. These may exist as devops artifacts outside src/.
## What's Implemented
- Gateway service with full middleware pipeline: `src/Gateway/StellaOps.Gateway.WebService/`
- Correlation ID middleware: `src/Gateway/StellaOps.Gateway.WebService/Middleware/CorrelationIdMiddleware.cs`
- Gateway metrics: `src/Gateway/StellaOps.Gateway.WebService/Services/GatewayMetrics.cs` -- Prometheus-compatible metrics
- Health monitoring: `src/Gateway/StellaOps.Gateway.WebService/Services/GatewayHealthMonitorService.cs`
- Source: Feature matrix scan
## What's Missing
- k6 performance testing scripts (scenarios A-G)
- Prometheus metric dashboards for performance curve modeling
- These may exist under `devops/` rather than `src/` -- check `devops/` directory
## Implementation Plan
- Create k6 test scripts for Gateway performance scenarios
- Add Grafana/Prometheus dashboards for Gateway metrics visualization
- These are DevOps artifacts and may belong under `devops/perf/` or similar
## Related Documentation
- Source: See feature catalog
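Review bot: Status IMPLEMENTED conflicts with the description's "not present as source code artifacts"; the entry itself says to check `devops/` before concluding. Record the outcome of that check, found or not found, in whichever entry replaces this one rather than deleting the open question with the file.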


@@ -1,33 +0,0 @@
# Graph Analytics Engine
## Module
Graph
## Status
IMPLEMENTED
## Description
Graph analytics with engine, pipeline, DI extensions, and Postgres persistence for analytics results.
## Implementation Details
- **Analytics engine**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsEngine.cs` -- core graph analytics computation engine
- **Analytics pipeline**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsPipeline.cs` -- multi-stage analytics pipeline orchestration
- **Hosted service**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsHostedService.cs` -- background service running analytics on schedule
- **Analytics types**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsTypes.cs` -- clustering, centrality, and analytics result types
- **Metrics**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsMetrics.cs` -- Prometheus-compatible analytics execution metrics
- **Options**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsOptions.cs` -- configurable analytics parameters
- **Writer options**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsWriterOptions.cs` -- result persistence configuration
- **Overlay exporter**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphOverlayExporter.cs` -- exports analytics results as graph overlays
- **In-memory writer**: `src/Graph/StellaOps.Graph.Indexer/Analytics/InMemoryGraphAnalyticsWriter.cs` -- test analytics writer
- **In-memory snapshot**: `src/Graph/StellaOps.Graph.Indexer/Analytics/InMemoryGraphSnapshotProvider.cs` -- test snapshot provider
- **DI extensions**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsServiceCollectionExtensions.cs` -- DI registration
- **Postgres persistence**: `src/Graph/__Libraries/StellaOps.Graph.Indexer.Persistence/Postgres/Repositories/PostgresGraphAnalyticsWriter.cs` -- PostgreSQL analytics result storage
- **Tests**: `src/Graph/__Tests/StellaOps.Graph.Indexer.Tests/GraphAnalyticsEngineTests.cs`, `GraphAnalyticsPipelineTests.cs`, `GraphOverlayExporterTests.cs`, `GraphAnalyticsTestData.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify analytics engine computes clustering and centrality scores
- [ ] Test pipeline executes multi-stage analytics in correct order
- [ ] Verify hosted service runs analytics on configured schedule
- [ ] Test Postgres persistence stores analytics results correctly
- [ ] Verify overlay exporter generates valid overlay data from analytics
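Review bot: the component list in this Implementation Details section is a superset of the one in the "Graph Indexer Clustering and Centrality Background Jobs" record further down (both name GraphAnalyticsEngine.cs, GraphAnalyticsPipeline.cs, GraphAnalyticsHostedService.cs and PostgresGraphAnalyticsWriter.cs), but only this record lists GraphOverlayExporter.cs, GraphAnalyticsWriterOptions.cs and GraphAnalyticsServiceCollectionExtensions.cs. If the two records are being folded into one, keep those three entries and the overlay E2E item ("Verify overlay exporter generates valid overlay data from analytics") rather than letting the shorter list win, and carry the sprint reference over in place of "Feature matrix scan".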

View File

@@ -1,35 +0,0 @@
# Graph Edge Metadata with Reason/Evidence/Provenance
## Module
Graph
## Status
IMPLEMENTED
## Description
EdgeReason and CallgraphEdge models exist in Signals with persistence projection, and EdgeBundle exists in Scanner reachability. However, the Graph module itself (src/Graph) does not contain EdgeReason/EdgeVia/ExplanationPayload types -- the human-readable explanation layer described in the advisory is not present in the Graph API.
## What's Implemented
- **Graph API services**: `src/Graph/StellaOps.Graph.Api/Services/` -- query, search, path, diff, export, lineage, overlay services (all with in-memory implementations)
- **Graph snapshot documents**: `src/Graph/StellaOps.Graph.Indexer/Documents/GraphSnapshot.cs`, `GraphSnapshotBuilder.cs` -- graph document model (nodes/edges with metadata)
- **Graph document factory**: `src/Graph/StellaOps.Graph.Indexer/Schema/GraphDocumentFactory.cs` -- creates graph documents with identity
- **Graph identity**: `src/Graph/StellaOps.Graph.Indexer/Schema/GraphIdentity.cs` -- content-addressed graph identity
- **CVE observation nodes**: `src/Graph/__Libraries/StellaOps.Graph.Core/CveObservationNode.cs` -- CVE observation data on graph nodes
- **Advisory linkset**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Advisory/AdvisoryLinksetProcessor.cs`, `AdvisoryLinksetTransformer.cs` -- advisory evidence linking to graph edges
- **Inspector**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Inspector/GraphInspectorProcessor.cs`, `GraphInspectorTransformer.cs` -- inspection evidence on edges
- **Postgres persistence**: `src/Graph/__Libraries/StellaOps.Graph.Indexer.Persistence/Postgres/Repositories/PostgresGraphDocumentWriter.cs`, `PostgresGraphSnapshotProvider.cs`
- Source: Feature matrix scan
## What's Missing
- `EdgeReason`/`EdgeVia`/`ExplanationPayload` types in Graph API -- human-readable explanation layer for why edges exist
- Edge provenance metadata linking back to source evidence (SBOM provenance, scan evidence, attestation references)
- Graph API endpoints to query edge-level metadata (reason, evidence, provenance)
## Implementation Plan
- Add `EdgeReason`, `EdgeVia`, and `ExplanationPayload` types to `src/Graph/StellaOps.Graph.Api/`
- Expose edge metadata through graph query and path APIs
- Link edge metadata to Signals `EdgeReason` and Scanner `EdgeBundle` models
- Add tests for edge metadata query and provenance tracking
## Related Documentation
- Source: See feature catalog
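Review bot: the `## Status` value IMPLEMENTED contradicts the body of this file: the Description states the Graph module "does not contain EdgeReason/EdgeVia/ExplanationPayload types", and the record carries both a "## What's Missing" and an "## Implementation Plan" section. Mark the explanation layer (reason, evidence, provenance) as not implemented, or the record as partial, so a status roll-up does not count edge provenance as done. The Related Documentation entry "- Source: See feature catalog" should name the catalog file so it can be followed.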

View File

@@ -1,35 +0,0 @@
# Graph Explorer API with Streaming Tiles
## Module
Graph
## Status
IMPLEMENTED
## Description
Graph query and visualization API providing streaming tile-based graph rendering, path queries, diff computation between graph revisions, RBAC-enforced exports (SVG/PNG/GraphML), and overlay support for policy/VEX/reachability annotations.
## Implementation Details
- **API program**: `src/Graph/StellaOps.Graph.Api/Program.cs` -- minimal API endpoints for graph queries, diffs, exports, search, paths, lineage, overlays
- **Query service**: `src/Graph/StellaOps.Graph.Api/Services/IGraphQueryService.cs`, `InMemoryGraphQueryService.cs` -- graph node/edge query
- **Search service**: `src/Graph/StellaOps.Graph.Api/Services/IGraphSearchService.cs`, `InMemoryGraphSearchService.cs` -- full-text graph search
- **Path service**: `src/Graph/StellaOps.Graph.Api/Services/IGraphPathService.cs`, `InMemoryGraphPathService.cs` -- graph path traversal
- **Diff service**: `src/Graph/StellaOps.Graph.Api/Services/IGraphDiffService.cs`, `InMemoryGraphDiffService.cs` -- diff computation between graph revisions
- **Export service**: `src/Graph/StellaOps.Graph.Api/Services/IGraphExportService.cs`, `InMemoryGraphExportService.cs` -- RBAC-enforced export (SVG/PNG/GraphML)
- **Lineage service**: `src/Graph/StellaOps.Graph.Api/Services/IGraphLineageService.cs`, `InMemoryGraphLineageService.cs` -- lineage traversal
- **Overlay service**: `src/Graph/StellaOps.Graph.Api/Services/IOverlayService.cs`, `InMemoryOverlayService.cs` -- policy/VEX/reachability overlays
- **Reachability delta**: `src/Graph/StellaOps.Graph.Api/Services/IReachabilityDeltaService.cs`, `InMemoryReachabilityDeltaService.cs` -- reachability delta computation
- **Rate limiting**: `src/Graph/StellaOps.Graph.Api/Services/RateLimiterService.cs` -- API rate limiting
- **Metrics**: `src/Graph/StellaOps.Graph.Api/Services/GraphMetrics.cs` -- Prometheus-compatible API metrics
- **Audit**: `src/Graph/StellaOps.Graph.Api/Services/IAuditLogger.cs` -- audit logging for graph access
- **Contracts**: `src/Graph/StellaOps.Graph.Api/Contracts/SearchContracts.cs`, `LineageContracts.cs`, `ReachabilityContracts.cs`
- **Tests**: `src/Graph/__Tests/StellaOps.Graph.Api.Tests/` -- QueryServiceTests, SearchServiceTests, PathServiceTests, DiffServiceTests, ExportServiceTests, LineageServiceTests, LoadTests, MetricsTests, RateLimiterServiceTests, GraphApiContractTests
- **Source**: SPRINT_0207_0001_0001_graph.md
## E2E Test Plan
- [ ] Verify graph query API returns nodes and edges for given criteria
- [ ] Test streaming tile rendering for large graphs
- [ ] Verify diff computation between two graph revisions
- [ ] Test RBAC-enforced export in SVG/PNG/GraphML formats
- [ ] Verify overlay annotations for policy/VEX/reachability layers
- [ ] Test search API returns relevant results with ranking
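Review bot: nothing in Implementation Details backs the "streaming tile-based graph rendering" in the Description or the E2E item "Test streaming tile rendering for large graphs": every listed service is an InMemory* implementation and no tile, streaming or SVG/PNG rasterization component appears. Either list the tile endpoint in Program.cs and the export renderer, or mark tiles and PNG export as planned. Since the export is described as RBAC-enforced, the E2E plan should also carry a negative case (a caller lacking the export permission is refused) next to "Test RBAC-enforced export in SVG/PNG/GraphML formats"; the positive case alone does not show the check exists.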

View File

@@ -1,29 +0,0 @@
# Graph Indexer Clustering and Centrality Background Jobs
## Module
Graph
## Status
IMPLEMENTED
## Description
Background hosted service that runs graph analytics (Louvain community detection, betweenness/closeness centrality) on the dependency graph, producing cluster assignments and centrality scores for risk prioritization.
## Implementation Details
- **Hosted service**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsHostedService.cs` -- background service that schedules clustering and centrality jobs
- **Analytics engine**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsEngine.cs` -- Louvain community detection and betweenness/closeness centrality algorithms
- **Analytics pipeline**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsPipeline.cs` -- orchestrates multi-stage analytics (clustering -> centrality -> export)
- **Analytics types**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsTypes.cs` -- `ClusterAssignment`, centrality score models
- **Metrics**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsMetrics.cs` -- job execution metrics (duration, cluster count, centrality stats)
- **Options**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphAnalyticsOptions.cs` -- configurable job intervals and algorithm parameters
- **Snapshot provider**: `src/Graph/StellaOps.Graph.Indexer/Analytics/InMemoryGraphSnapshotProvider.cs` -- provides graph snapshot for analytics input
- **Postgres writer**: `src/Graph/__Libraries/StellaOps.Graph.Indexer.Persistence/Postgres/Repositories/PostgresGraphAnalyticsWriter.cs` -- persists cluster and centrality results
- **Tests**: `src/Graph/__Tests/StellaOps.Graph.Indexer.Tests/GraphAnalyticsEngineTests.cs`, `GraphAnalyticsPipelineTests.cs`
- **Source**: SPRINT_0141_0001_0001_graph_indexer.md
## E2E Test Plan
- [ ] Verify Louvain community detection produces stable cluster assignments
- [ ] Test betweenness and closeness centrality score computation
- [ ] Verify background service runs on configured schedule
- [ ] Test analytics results are persisted to PostgreSQL
- [ ] Verify metrics are emitted for job duration and cluster counts
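Review bot: the E2E item "Verify Louvain community detection produces stable cluster assignments" needs a definition of stable. Louvain output depends on node visit order and tie-breaking, so the test should fix the node ordering (and a seed, if GraphAnalyticsOptions.cs exposes one) and compare against a golden assignment; otherwise it will be flaky by construction. Separately, this record repeats the component list of the Graph Analytics record above with a different "- **Source**" line (SPRINT_0141_0001_0001_graph_indexer.md versus "Feature matrix scan"); keep a single record with the sprint reference.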

View File

@@ -1,31 +0,0 @@
# Graph Indexer Incremental Update Pipeline
## Module
Graph
## Status
IMPLEMENTED
## Description
Change-stream processor for incremental graph updates, consuming SBOM/scan events and applying delta mutations to the indexed graph with idempotency tracking and backfill metrics.
## Implementation Details
- **Change stream processor**: `src/Graph/StellaOps.Graph.Indexer/Incremental/GraphChangeStreamProcessor.cs` -- consumes SBOM/scan events and applies delta mutations to indexed graph
- **Change event model**: `src/Graph/StellaOps.Graph.Indexer/Incremental/GraphChangeEvent.cs` -- event model for graph mutations
- **Stream options**: `src/Graph/StellaOps.Graph.Indexer/Incremental/GraphChangeStreamOptions.cs` -- configurable stream processing parameters
- **Idempotency store**: `src/Graph/StellaOps.Graph.Indexer/Incremental/InMemoryIdempotencyStore.cs` -- in-memory deduplication for event processing
- **Postgres idempotency**: `src/Graph/__Libraries/StellaOps.Graph.Indexer.Persistence/Postgres/Repositories/PostgresIdempotencyStore.cs` -- PostgreSQL-backed idempotency tracking
- **No-op event source**: `src/Graph/StellaOps.Graph.Indexer/Incremental/NoOpGraphChangeEventSource.cs` -- stub event source for testing
- **Backfill metrics**: `src/Graph/StellaOps.Graph.Indexer/Incremental/GraphBackfillMetrics.cs` -- metrics for backfill operations
- **DI extensions**: `src/Graph/StellaOps.Graph.Indexer/Incremental/GraphChangeStreamServiceCollectionExtensions.cs` -- DI registration
- **SBOM ingestion**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Sbom/SbomIngestProcessor.cs`, `SbomIngestTransformer.cs` -- SBOM event processing and graph transformation
- **Tests**: `src/Graph/__Tests/StellaOps.Graph.Indexer.Tests/GraphChangeStreamProcessorTests.cs`, `GraphIndexerEndToEndTests.cs`
- **Persistence tests**: `src/Graph/__Tests/StellaOps.Graph.Indexer.Persistence.Tests/PostgresIdempotencyStoreTests.cs`
- **Source**: SPRINT_0141_0001_0001_graph_indexer.md
## E2E Test Plan
- [ ] Verify change stream processor applies delta mutations correctly
- [ ] Test idempotency ensures duplicate events are not processed
- [ ] Verify backfill metrics track progress accurately
- [ ] Test SBOM ingestion transforms events into graph updates
- [ ] Verify PostgreSQL idempotency store persists across restarts
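Review bot: the only event source listed is NoOpGraphChangeEventSource.cs, described as a "stub event source for testing", so the Description's claim that the processor is "consuming SBOM/scan events" has no producer-side component behind it in this list. Name the production event source (the queue or change-stream subscriber) or note it as pending. The E2E plan should also add a crash-between-steps case: an event replayed after the graph mutation was applied but before the idempotency record was written must not be applied twice, since "Verify PostgreSQL idempotency store persists across restarts" covers the store and not the processor's ordering of mutate versus mark-processed.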

View File

@@ -1,30 +0,0 @@
# Graph Overlay System (Policy, VEX, Reachability)
## Module
Graph
## Status
IMPLEMENTED
## Description
Overlay system with exporter, in-memory overlay service, and tests for layering policy/VEX/reachability data onto dependency graphs.
## Implementation Details
- **Overlay service interface**: `src/Graph/StellaOps.Graph.Api/Services/IOverlayService.cs` -- overlay query contract
- **In-memory overlay service**: `src/Graph/StellaOps.Graph.Api/Services/InMemoryOverlayService.cs` -- in-memory overlay implementation for testing
- **Overlay exporter**: `src/Graph/StellaOps.Graph.Indexer/Analytics/GraphOverlayExporter.cs` -- exports analytics results as overlay layers
- **Policy overlay processor**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Policy/PolicyOverlayProcessor.cs` -- ingests policy decisions as graph overlays
- **Policy overlay transformer**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Policy/PolicyOverlayTransformer.cs` -- transforms policy data for graph overlay
- **Policy overlay snapshot**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Policy/PolicyOverlaySnapshot.cs` -- policy overlay state
- **Policy overlay metrics**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Policy/PolicyOverlayMetrics.cs`, `IPolicyOverlayMetrics.cs` -- overlay processing metrics
- **VEX overlay**: `src/Graph/StellaOps.Graph.Indexer/Ingestion/Vex/VexOverlayTransformer.cs`, `VexOverlaySnapshot.cs` -- VEX verdict overlays on graph
- **Reachability delta**: `src/Graph/StellaOps.Graph.Api/Services/IReachabilityDeltaService.cs`, `InMemoryReachabilityDeltaService.cs` -- reachability annotation overlays
- **Tests**: `src/Graph/__Tests/StellaOps.Graph.Indexer.Tests/GraphOverlayExporterTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify policy overlay renders policy decisions on graph nodes
- [ ] Test VEX overlay annotates graph with VEX verdict data
- [ ] Verify reachability overlay shows reachability status per edge
- [ ] Test overlay exporter generates valid overlay from analytics results
- [ ] Verify overlay stacking (multiple overlays on same graph)
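Review bot: the only test listed is GraphOverlayExporterTests.cs, while PolicyOverlayProcessor.cs, PolicyOverlayTransformer.cs, VexOverlayTransformer.cs and VexOverlaySnapshot.cs appear with no tests; add their test paths or mark the policy and VEX overlays as untested. The E2E item "Verify overlay stacking (multiple overlays on same graph)" also has no stacking or precedence component listed; state which overlay wins when a policy decision and a VEX verdict disagree on the same node, because that precedence is what the stacked view will present to an analyst.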

View File

@@ -1,29 +0,0 @@
# Graph Query and Search API
## Module
Graph
## Status
IMPLEMENTED
## Description
Graph API with query, search, and path services for traversing and querying dependency graphs.
## Implementation Details
- **Query service**: `src/Graph/StellaOps.Graph.Api/Services/IGraphQueryService.cs`, `InMemoryGraphQueryService.cs` -- graph node/edge query with filtering
- **Search service**: `src/Graph/StellaOps.Graph.Api/Services/IGraphSearchService.cs`, `InMemoryGraphSearchService.cs` -- full-text search across graph entities
- **Path service**: `src/Graph/StellaOps.Graph.Api/Services/IGraphPathService.cs`, `InMemoryGraphPathService.cs` -- shortest-path and reachability path queries
- **Repository**: `src/Graph/StellaOps.Graph.Api/Services/InMemoryGraphRepository.cs` -- in-memory graph data store
- **Search contracts**: `src/Graph/StellaOps.Graph.Api/Contracts/SearchContracts.cs` -- search request/response DTOs
- **Lineage contracts**: `src/Graph/StellaOps.Graph.Api/Contracts/LineageContracts.cs` -- lineage query contracts
- **Reachability contracts**: `src/Graph/StellaOps.Graph.Api/Contracts/ReachabilityContracts.cs` -- reachability query contracts
- **Rate limiting**: `src/Graph/StellaOps.Graph.Api/Services/RateLimiterService.cs` -- query rate limiting
- **Tests**: `src/Graph/__Tests/StellaOps.Graph.Api.Tests/QueryServiceTests.cs`, `SearchServiceTests.cs`, `PathServiceTests.cs`, `RateLimiterServiceTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify query API returns nodes and edges matching filter criteria
- [ ] Test full-text search returns ranked results across graph entities
- [ ] Verify path queries find shortest paths between nodes
- [ ] Test rate limiting prevents query abuse
- [ ] Verify search contracts handle empty results and pagination
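Review bot: this record duplicates the query, search, path and rate-limiter entries of the "Graph Explorer API with Streaming Tiles" record above, and both list only InMemory* services with InMemoryGraphRepository.cs as the data store, so none of the E2E items here can run against an indexed graph as written. Merge this into the Explorer API record, and document the page-size bound that "Verify search contracts handle empty results and pagination" relies on next to the rate-limiting entry, since both limits guard the same query surface.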

View File

@@ -1,25 +0,0 @@
# Plugin Configuration and Context
## Module
Plugin
## Status
IMPLEMENTED
## Description
Plugin configuration loading and context injection for runtime plugin behavior customization.
## Implementation Details
- **IPluginContext**: `src/Plugin/StellaOps.Plugin.Abstractions/Context/IPluginContext.cs` -- provides configuration, logging, and service access to plugins during initialization
- **PluginContext**: `src/Plugin/StellaOps.Plugin.Host/Context/PluginContext.cs` -- implementation of IPluginContext with runtime services
- **PluginConfiguration**: `src/Plugin/StellaOps.Plugin.Host/Context/PluginConfiguration.cs` -- loads plugin-specific configuration from host settings
- **PluginLogger**: `src/Plugin/StellaOps.Plugin.Host/Context/PluginLogger.cs` -- IPluginLogger implementation wrapping host logging
- **PluginServices**: `src/Plugin/StellaOps.Plugin.Host/Context/PluginServices.cs` -- service locator for plugin runtime dependencies
- **PluginContextFactory**: creates PluginContext instances per plugin with trust level and shutdown token
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify plugin context provides correct configuration values for plugin-specific settings
- [ ] Test plugin logger routes messages through host logging infrastructure
- [ ] Verify plugin services resolve registered dependencies correctly
- [ ] Test context creation includes trust level and cancellation token propagation
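Review bot: PluginContextFactory is the only entry without a file path; add one. More importantly, PluginServices.cs is described as a "service locator for plugin runtime dependencies" and the factory passes a trust level into the context, yet neither entry nor the E2E plan says whether the trust level restricts what an Untrusted plugin can resolve. Add an E2E item that an Untrusted context cannot resolve host-internal services (only the capability-facing ones); without it the locator hands every plugin the same surface regardless of trust.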

View File

@@ -1,23 +0,0 @@
# Plugin Dependency Resolution
## Module
Plugin
## Status
IMPLEMENTED
## Description
Plugin dependency resolution with resolver service, interface, and comprehensive tests.
## Implementation Details
- **PluginDependencyResolver**: `src/Plugin/StellaOps.Plugin.Host/Dependencies/PluginDependencyResolver.cs` -- topological sorting of plugin manifests for load order; cycle detection via DFS with CircularDependencyError reporting; version constraint parsing (>=, >, <=, <, =, ~pessimistic, ^compatible); AreDependenciesSatisfied/GetMissingDependencies for optional dependency support; reverse load order for unload sequence
- **IPluginDependencyResolver**: `src/Plugin/StellaOps.Plugin.Host/Dependencies/IPluginDependencyResolver.cs` -- interface: ResolveLoadOrder, ResolveUnloadOrder, AreDependenciesSatisfied, GetMissingDependencies, ValidateDependencyGraph
- **DependencyGraph**: `src/Plugin/StellaOps.Plugin.Host/Dependencies/DependencyGraph.cs` -- graph data structure with AddNode, AddEdge, HasNode, GetDependents
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify topological sort produces correct load order for a dependency chain
- [ ] Test circular dependency detection reports correct cycle paths
- [ ] Verify version constraint matching for all operators (>=, >, <=, <, =, ~, ^)
- [ ] Test unload order is reverse of load order
- [ ] Verify optional dependencies do not block loading when missing
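Review bot: the Description promises "comprehensive tests" but no test file is listed under Implementation Details, unlike the other Plugin records; add the path. The E2E item "Verify version constraint matching for all operators" should also spell out the intended semantics of "~" and "^" (which version components may move) and how pre-release versions are compared, since the resolver entry only names the operators.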

View File

@@ -1,25 +0,0 @@
# Plugin Discovery (FileSystem and Embedded)
## Module
Plugin
## Status
IMPLEMENTED
## Description
Multi-strategy plugin discovery with filesystem scanning, embedded plugins, and composite discovery that combines both approaches.
## Implementation Details
- **CompositePluginDiscovery**: `src/Plugin/StellaOps.Plugin.Host/Discovery/CompositePluginDiscovery.cs` -- combines multiple IPluginDiscovery sources; deduplicates by plugin ID (first-wins); supports DiscoverAsync (bulk) and DiscoverSingleAsync (by PluginSource); routes FileSystem/Embedded source types to appropriate discoverer
- **FileSystemPluginDiscovery**: `src/Plugin/StellaOps.Plugin.Host/Discovery/FileSystemPluginDiscovery.cs` -- scans filesystem directories for plugin assemblies and manifests
- **EmbeddedPluginDiscovery**: `src/Plugin/StellaOps.Plugin.Host/Discovery/EmbeddedPluginDiscovery.cs` -- discovers plugins embedded in host assemblies
- **IPluginDiscovery**: `src/Plugin/StellaOps.Plugin.Host/Discovery/IPluginDiscovery.cs` -- interface: DiscoverAsync, DiscoverSingleAsync
- **PluginManifest**: `src/Plugin/StellaOps.Plugin.Abstractions/Manifest/PluginManifest.cs` -- manifest model with Info, Dependencies, Capabilities
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify filesystem discovery scans configured paths and finds plugin assemblies
- [ ] Test embedded discovery locates plugins within host assemblies
- [ ] Verify composite discovery deduplicates plugins by ID across sources
- [ ] Test single plugin discovery routes to correct discoverer by source type
- [ ] Verify error in one discoverer does not block others
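Review bot: "deduplicates by plugin ID (first-wins)" makes the order in which CompositePluginDiscovery consults its sources security-relevant: if a filesystem directory is consulted before the embedded set, a plugin on disk carrying an embedded plugin's ID is the one kept. Document the fixed ordering (embedded before filesystem) and add an E2E item asserting that a filesystem plugin whose ID collides with an embedded one is ignored and logged. The item "Verify error in one discoverer does not block others" also has no corresponding behaviour described for CompositePluginDiscovery; state how a failing discoverer's error is surfaced rather than swallowed.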

View File

@@ -1,25 +0,0 @@
# Plugin Host with Assembly Isolation
## Module
Plugin
## Status
IMPLEMENTED
## Description
Plugin host with assembly-based loading, isolated AssemblyLoadContext, and configurable host options.
## Implementation Details
- **PluginHost**: `src/Plugin/StellaOps.Plugin.Host/PluginHost.cs` -- central coordinator implementing IPluginHost + IAsyncDisposable; manages discovery -> dependency validation -> load order -> assembly loading -> initialization -> health monitoring lifecycle; ConcurrentDictionary<string, LoadedPlugin> registry; events for state changes and health changes; auto-recovery of unhealthy plugins via reload; configurable initialization/shutdown timeouts
- **PluginAssemblyLoadContext**: `src/Plugin/StellaOps.Plugin.Host/Loading/PluginAssemblyLoadContext.cs` -- collectible AssemblyLoadContext for plugin isolation; uses AssemblyDependencyResolver for plugin-local dependency resolution; WeakReference for GC tracking; supports unmanaged DLL loading; PluginLoadContextReference wrapper with IsCollected/Unload
- **AssemblyPluginLoader**: `src/Plugin/StellaOps.Plugin.Host/Loading/AssemblyPluginLoader.cs` -- IHostPluginLoader implementation for assembly-based loading
- **PluginHostOptions**: `src/Plugin/StellaOps.Plugin.Host/PluginHostOptions.cs` -- configures PluginPaths, BuiltInPluginIds, TrustedPluginIds, TrustedVendors, FailOnPluginLoadError, AutoRecoverUnhealthyPlugins, InitializationTimeout, ShutdownTimeout
- **IPluginHost**: `src/Plugin/StellaOps.Plugin.Host/IPluginHost.cs` -- interface: StartAsync, StopAsync, LoadPluginAsync, UnloadPluginAsync, ReloadPluginAsync, GetPluginsWithCapability<T>, GetPlugin, GetCapability<T>
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify plugin host loads plugins in dependency order and transitions through lifecycle states
- [ ] Test assembly isolation prevents plugin assemblies from conflicting with host assemblies
- [ ] Verify collectible AssemblyLoadContext allows plugin unloading and GC collection
- [ ] Test auto-recovery reloads unhealthy plugins when enabled
- [ ] Verify trust level determination routes BuiltIn/Trusted/Untrusted correctly
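Review bot: TrustedVendors in PluginHostOptions.cs grants trust on a vendor match, but nothing listed says how the vendor claim is authenticated; if it is only the vendor string from the plugin's own metadata, any assembly can name itself as a trusted vendor. Bind TrustedVendors to a signature or certificate check (or drop it in favour of TrustedPluginIds plus assembly signing) and add an E2E item in which an unsigned assembly claiming a trusted vendor is treated as Untrusted. The item "Test assembly isolation prevents plugin assemblies from conflicting" should also say what it asserts: a collectible AssemblyLoadContext isolates dependency versions, not privileges, so it must not be read as the security boundary for Untrusted plugins.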

View File

@@ -1,25 +0,0 @@
# Plugin Sandbox (Process Isolation)
## Module
Plugin
## Status
IMPLEMENTED
## Description
Process-level plugin sandboxing with gRPC communication bridge for secure out-of-process plugin execution.
## Implementation Details
- **PluginTrustLevel**: `src/Plugin/StellaOps.Plugin.Abstractions/PluginTrustLevel.cs` -- enum: BuiltIn (in-process full access), Trusted (isolated monitored), Untrusted (sandboxed restricted)
- **PluginHost trust routing**: `src/Plugin/StellaOps.Plugin.Host/PluginHost.cs` -- DetermineTrustLevel routes plugins to BuiltIn (matching BuiltInPluginIds), Trusted (matching TrustedPluginIds/TrustedVendors), or Untrusted (default); trust level passed to loader and context factory for execution environment selection
- **PluginLifecycleManager**: `src/Plugin/StellaOps.Plugin.Host/Lifecycle/PluginLifecycleManager.cs` -- manages state transitions with PluginStateMachine
- **PluginStateMachine**: `src/Plugin/StellaOps.Plugin.Host/Lifecycle/PluginStateMachine.cs` -- enforces valid lifecycle state transitions
- **PluginHealthMonitor**: `src/Plugin/StellaOps.Plugin.Host/Health/PluginHealthMonitor.cs` -- periodic health checks with HealthChanged events
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify untrusted plugins execute in sandboxed process with restricted capabilities
- [ ] Test trusted plugins run isolated but with monitoring
- [ ] Verify built-in plugins run in-process with full access
- [ ] Test health monitoring detects unhealthy sandboxed plugins
- [ ] Verify process isolation prevents sandbox escape
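Review bot: the Description and the E2E items ("execute in sandboxed process", "process isolation prevents sandbox escape") describe a process-level sandbox with a gRPC bridge, but none of the five listed components is a sandbox process host, a bridge, or a resource-limit implementation; trust routing, the state machine and the health monitor are all in-process. Either add the sandbox host and bridge paths, or change Status from IMPLEMENTED to reflect that no out-of-process execution path is recorded for Untrusted plugins, which is the statement a security reviewer needs to see.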

View File

@@ -1,30 +0,0 @@
# Unified Plugin Architecture with Trust-Based Execution Model
## Module
Plugin
## Status
IMPLEMENTED
## Description
Complete unified plugin system reworking seven disparate plugin patterns (Crypto, Auth, LLM, SCM, Scanner, Router, Concelier) into a single IPlugin interface with trust-based execution (Built-in=in-process, Untrusted=sandboxed), capability composition (11 capability interfaces including ICryptoCapability, IAuthCapability, ILlmCapability, IScmCapability), database-backed PostgreSQL registry with health tracking, process-based sandbox with gRPC bridge/resource limits/filesystem isolation/secret pr
## Implementation Details
- **IPlugin**: `src/Plugin/StellaOps.Plugin.Abstractions/IPlugin.cs` -- core interface: Info (PluginInfo), TrustLevel (BuiltIn/Trusted/Untrusted), Capabilities (PluginCapabilities), State (PluginLifecycleState), InitializeAsync(IPluginContext), HealthCheckAsync; extends IAsyncDisposable
- **Capability interfaces**: `src/Plugin/StellaOps.Plugin.Abstractions/Capabilities/` -- IAnalysisCapability, IAuthCapability, IConnectorCapability, ICryptoCapability, IFeedCapability, ILlmCapability, IScmCapability, ITransportCapability
- **PluginAttribute**: `src/Plugin/StellaOps.Plugin.Abstractions/Attributes/PluginAttribute.cs` -- assembly attribute for plugin discovery
- **PluginCapabilities**: `src/Plugin/StellaOps.Plugin.Abstractions/PluginCapabilities.cs` -- flags enum for capability composition
- **PluginInfo**: `src/Plugin/StellaOps.Plugin.Abstractions/PluginInfo.cs` -- ID, version, vendor metadata
- **PluginHost**: `src/Plugin/StellaOps.Plugin.Host/PluginHost.cs` -- full lifecycle coordinator with discovery, dependency validation, assembly isolation, initialization, health monitoring, auto-recovery
- **HelloWorldPlugin**: `src/Plugin/Samples/StellaOps.Plugin.Samples.HelloWorld/HelloWorldPlugin.cs` -- sample plugin implementation
- **Tests**: `src/Plugin/Samples/StellaOps.Plugin.Samples.HelloWorld.Tests/HelloWorldPluginTests.cs`
- **ServiceCollectionExtensions**: `src/Plugin/StellaOps.Plugin.Host/Extensions/ServiceCollectionExtensions.cs` -- DI registration for plugin host services
- **Source**: SPRINT_20260110_100_000_INDEX_plugin_unification.md
## E2E Test Plan
- [ ] Verify IPlugin lifecycle transitions: Discovered -> Loading -> Initializing -> Active -> Stopping -> Stopped
- [ ] Test trust-based execution: BuiltIn=in-process, Trusted=monitored, Untrusted=sandboxed
- [ ] Verify capability composition allows multiple capabilities per plugin
- [ ] Test GetPluginsWithCapability<T> returns only active plugins with matching capability
- [ ] Verify plugin unload disposes and unloads AssemblyLoadContext
- [ ] Test plugin reload preserves configuration after restart
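Review bot: the Description line is truncated ("secret pr" with no continuation) and claims "11 capability interfaces", while the Capability interfaces entry lists eight (IAnalysisCapability through ITransportCapability); restore the sentence and either list the remaining three or correct the count. The E2E plan also lacks a negative test for the trust model: IPlugin exposes its own TrustLevel, while the PluginHost entry describes DetermineTrustLevel assigning one from host options. Record that the host's value is authoritative and add an item that a plugin reporting BuiltIn but absent from BuiltInPluginIds runs as Untrusted.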

View File

@@ -1,33 +0,0 @@
# CVSS + KEV Risk Signal Combination
## Module
RiskEngine
## Status
IMPLEMENTED
## Description
Risk engine combining CVSS scores with KEV (Known Exploited Vulnerabilities) data and EPSS scores for prioritization. Deterministic formula tested via integration tests.
## Implementation Details
- **CVSS+KEV Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/CvssKevProvider.cs` (implements `IRiskScoreProvider`) -- combines CVSS base scores with CISA KEV catalog data; KEV-listed vulnerabilities receive a risk boost reflecting active exploitation.
- **Risk Score Provider Interface**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/IRiskScoreProvider.cs` -- contract for risk score computation providers.
- **CVSS+KEV Sources Interface**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/ICvssKevSources.cs` -- data source contract for CVSS scores and KEV catalog.
- **VEX Gate Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/VexGateProvider.cs` -- applies VEX status as a risk gate, reducing or zeroing risk scores for findings with "not_affected" or "fixed" status.
- **Fix Exposure Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixExposureProvider.cs` -- adjusts risk based on fix availability and exposure window.
- **Fix Chain Risk Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainRiskProvider.cs` -- computes risk from fix chain analysis including attestation verification.
- **Fix Chain Attestation Client**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainAttestationClient.cs` (implements `IFixChainAttestationClient`) -- fetches fix chain attestation data for risk computation.
- **Fix Chain Risk Metrics/Display**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/FixChain/FixChainRiskMetrics.cs`, `FixChainRiskDisplay.cs` -- metrics and display models for fix chain risk.
- **Default Transforms Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/DefaultTransformsProvider.cs` -- default risk score transformation rules.
- **Score Request/Result**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Contracts/ScoreRequest.cs`, `RiskScoreResult.cs` -- request/response models for risk score computation.
- **Risk Score Worker**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Services/RiskScoreWorker.cs` -- background worker processing risk score computation queue.
- **Risk Score Queue**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Services/RiskScoreQueue.cs` -- queue for asynchronous risk score computation requests.
- **Tests**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/RiskEngineApiTests.cs`, `FixChainRiskProviderTests.cs`, `FixChainRiskIntegrationTests.cs`
## E2E Test Plan
- [ ] Submit a score request for a CVE with a CVSS score of 7.5 that is listed in the KEV catalog and verify the combined risk score is higher than the CVSS score alone
- [ ] Submit a score request for the same CVSS score but without KEV listing and verify the risk score equals the CVSS base score (no KEV boost)
- [ ] Verify VEX gate: submit a score request for a KEV-listed CVE with VEX status "not_affected" and confirm the `VexGateProvider` reduces the risk score
- [ ] Verify fix chain risk: submit a score request for a CVE with a verified fix attestation and confirm `FixChainRiskProvider` reduces the risk score based on fix verification
- [ ] Verify determinism: compute the same risk score 10 times with identical inputs and confirm all results are bit-for-bit identical
- [ ] Verify the risk score worker processes queued requests and stores results in `IRiskScoreResultStore`
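Review bot: the second E2E item ("verify the risk score equals the CVSS base score") assumes KEV is the only extra signal, yet the Description says EPSS scores are combined too, and no EPSS provider appears in this file's Implementation Details. State whether that test runs with EPSS disabled or with an EPSS input that maps to zero adjustment; otherwise the equality assertion fails by construction. For the determinism item, "bit-for-bit identical" should also pin provider ordering, because the listed providers (CvssKev, VexGate, FixExposure, FixChain, DefaultTransforms) compose and a different order may change the result.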

View File

@@ -1,27 +0,0 @@
# EPSS Risk Band Mapping
## Module
RiskEngine
## Status
IMPLEMENTED
## Description
EPSS provider with bundle loading, fetching, and risk band mapping that converts EPSS probabilities into actionable risk categorizations.
## Implementation Details
- **EPSS Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssProvider.cs` (implements `IRiskScoreProvider`) -- converts EPSS probability scores into risk band categorizations (Critical, High, Medium, Low) using configurable thresholds.
- **EPSS Bundle Loader**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssBundleLoader.cs` -- loads EPSS score bundles from local files or cached downloads for offline operation.
- **EPSS Fetcher**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssFetcher.cs` -- fetches EPSS score data from the FIRST.org EPSS API for periodic updates.
- **EPSS Sources Interface**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/IEpssSources.cs` -- data source contract for EPSS score lookups.
- **In-Memory Result Store**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/Stores/InMemoryRiskScoreResultStore.cs` (implements `IRiskScoreResultStore`) -- in-memory store for computed risk scores with EPSS band mappings.
- **Risk Score Result Store Interface**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Services/IRiskScoreResultStore.cs` -- persistence contract for risk score results.
- **Tests**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/EpssBundleTests.cs`, `RiskEngineApiTests.cs`
## E2E Test Plan
- [ ] Load an EPSS bundle via `EpssBundleLoader` and query the score for a known CVE; verify the returned probability matches the bundle data
- [ ] Map an EPSS probability of 0.95 and verify it is categorized as "Critical" risk band
- [ ] Map an EPSS probability of 0.01 and verify it is categorized as "Low" risk band
- [ ] Verify bundle loading from file: place an EPSS CSV bundle in the expected path and confirm `EpssBundleLoader` loads it without network access
- [ ] Verify the EPSS fetcher downloads fresh data and the bundle loader caches it for subsequent offline lookups
- [ ] Combine EPSS with CVSS: compute a risk score using both EPSS and CVSS providers and verify the combined score reflects both signals
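Review bot: the band E2E items (0.95 to "Critical", 0.01 to "Low") depend on the "configurable thresholds" in EpssProvider.cs but do not state the thresholds under test; pin them in the item text or the test. The fetch and load path also lists no integrity check: EpssFetcher.cs downloads from FIRST.org and EpssBundleLoader.cs loads "local files or cached downloads", so a corrupted or substituted bundle would silently shift every band. Record a checksum at fetch time, verify it on load, and add an E2E item that a bundle failing the check is rejected rather than applied.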

View File

@@ -1,33 +0,0 @@
# Exploit Maturity Mapping
## Status
IMPLEMENTED
## Description
No dedicated exploit maturity mapping service found. The EPSS provider in RiskEngine may partially cover this.
## Module
RiskEngine
## What's Implemented
- **EPSS provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssProvider.cs` (implements `IRiskScoreProvider`)
- **Combined CVSS+KEV+EPSS**: `CvssKevEpssProvider` in same file
- **Scanner EPSS**: `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssProvider.cs`
- **EPSS API endpoints**: `src/Scanner/StellaOps.Scanner.WebService/Endpoints/EpssEndpoints.cs`
- **Golden benchmark corpus**: `src/__Tests/__Benchmarks/golden-corpus/` (includes EPSS/KEV scoring)
- **SBOM vulnerability assessment**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Models/SbomVulnerabilityAssessmentType.cs`
- **Policy-level exploit scoring**: `UnknownRanker` uses `EpssScore` for prioritization
- **Tests**: `src/Scanner/__Tests/StellaOps.Scanner.Storage.Tests/EpssProviderTests.cs`
## What's Missing
- Dedicated "exploit maturity mapping" service consolidating all maturity signals (EPSS, KEV, in-the-wild reports) into a unified maturity level (e.g., POC/Active/Weaponized)
- Exploit maturity lifecycle tracking over time
- Integration of in-the-wild exploitation reports beyond KEV
## Implementation Plan
- Create unified exploit maturity service that combines EPSS, KEV, and in-the-wild signals
- Define maturity level taxonomy (POC/Active/Weaponized)
- Expose maturity level in finding detail UI
## Source
- Feature matrix scan
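Review bot: the Status line says IMPLEMENTED, but the Description opens with "No dedicated exploit maturity mapping service found" and the What's Missing section lists the unified maturity service, the POC/Active/Weaponized taxonomy and lifecycle tracking as absent, so the status contradicts the body. Suggest a partial status that reflects that only the EPSS and KEV inputs exist today, and resolving the Source line ("Feature matrix scan") to the specific matrix entry so the claim can be re-checked.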


@@ -1,28 +0,0 @@
# CI/CD Keyless Signing Workflow Templates (GitHub/GitLab/Gitea)
## Module
Signer
## Status
IMPLEMENTED
## Description
Production-ready reusable CI/CD workflow templates for keyless signing integration across GitHub Actions (stellaops-sign.yml, stellaops-verify.yml), GitLab CI (.gitlab-ci-stellaops.yml), and Gitea. Enables zero-configuration OIDC-based keyless signing with identity verification gates and cross-platform signature verification.
## Implementation Details
- **SigstoreSigningService**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreSigningService.cs` -- orchestrates complete Sigstore keyless signing: (1) generate ephemeral ECDSA P-256 key pair, (2) compute SHA-256 artifact hash, (3) create proof-of-possession by signing OIDC token, (4) request certificate from Fulcio, (5) sign artifact with ephemeral key, (6) upload to Rekor transparency log; VerifyKeylessAsync validates signature, certificate, and Rekor entry timestamp
- **SigstoreServiceCollectionExtensions**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreServiceCollectionExtensions.cs` -- DI registration for Sigstore services
- **SigstoreOptions**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreOptions.cs` -- configurable Fulcio URL, Rekor URL, RequireRekorEntry flag, retry/backoff settings
- **SignerEndpoints**: `src/Signer/StellaOps.Signer/StellaOps.Signer.WebService/Endpoints/SignerEndpoints.cs` -- signing API endpoints consumed by CI/CD workflow templates
- **AmbientOidcTokenProvider**: `src/Signer/__Libraries/StellaOps.Signer.Keyless/AmbientOidcTokenProvider.cs` -- detects OIDC tokens from CI runner environment (GitHub Actions, GitLab CI, Gitea)
- **KeylessDsseSigner**: `src/Signer/__Libraries/StellaOps.Signer.Keyless/KeylessDsseSigner.cs` -- DSSE signer used by workflow templates for in-toto statement signing
- **Source**: SPRINT_20251226_004_BE_cicd_signing_templates.md
## E2E Test Plan
- [ ] Verify signing endpoint accepts OIDC identity token and returns signed DSSE envelope with certificate chain
- [ ] Verify verification endpoint validates signature, certificate chain, and Rekor entry
- [ ] Test ambient OIDC token detection for GitHub Actions, GitLab CI, and Gitea CI environments
- [ ] Verify Rekor transparency log entry is created when RequireRekorEntry is enabled
- [ ] Verify signing fails gracefully when Fulcio is unavailable (proper error response)
- [ ] Test cross-platform signature verification: sign on GitHub Actions, verify on GitLab CI
- [ ] Verify signed artifacts include proper in-toto statement format with subject digests
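Review bot: the Description names concrete template files (stellaops-sign.yml, stellaops-verify.yml, .gitlab-ci-stellaops.yml) plus a Gitea template, but Implementation Details lists only Signer service classes, gives no repository path for any template, and names no Gitea file at all, so the IMPLEMENTED status for the templates themselves is unsupported by this file; add the template paths or note the Gitea gap. Separately, the Description promises "identity verification gates" but neither the details nor the E2E plan say which OIDC claims (issuer, subject or workflow reference) the verify template pins; a gate that accepts any Fulcio-issued identity checks nothing, so the pinned claims should be documented and tested, including a negative case for a certificate issued to a different identity.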


@@ -1,32 +0,0 @@
# Dual-Control Signing Ceremonies (M-of-N Threshold)
## Module
Signer
## Status
IMPLEMENTED
## Description
Orchestrator for M-of-N threshold signing ceremonies requiring multiple authorized participants to approve key operations, with API endpoints for ceremony initiation, participant enrollment, share submission, and ceremony completion.
## Implementation Details
- **CeremonyOrchestrator**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOrchestrator.cs` -- full M-of-N orchestration: CreateCeremonyAsync (configurable threshold/expiration per operation type), ApproveCeremonyAsync (duplicate detection, approver validation via ICeremonyApproverValidator, signature verification), ExecuteCeremonyAsync (only from Approved state), CancelCeremonyAsync, ProcessExpiredCeremoniesAsync (batch expiry); ICeremonyAuditSink for all lifecycle events
- **CeremonyStateMachine**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyStateMachine.cs` -- enforces valid state transitions: Pending -> PartiallyApproved -> Approved -> Executed; terminal states (Executed/Expired/Cancelled); CanAcceptApproval, CanExecute, CanCancel guards; ComputeStateAfterApproval for threshold-based transitions
- **CeremonyModels**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyModels.cs` -- Ceremony, CeremonyApproval, CeremonyResult, CeremonyFilter, CeremonyState enum (Pending/PartiallyApproved/Approved/Executed/Expired/Cancelled), CeremonyOperationType enum (KeyGeneration/KeyRotation/KeyRevocation/KeyExport/KeyImport/KeyRecovery), CeremonyErrorCode enum
- **CeremonyOptions**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOptions.cs` -- configurable thresholds and expiration per operation type
- **CeremonyAuditEvents**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyAuditEvents.cs` -- Initiated, Approved, ApprovalRejected, ThresholdReached, Executed, Cancelled, Expired audit event types
- **ICeremonyOrchestrator**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyOrchestrator.cs` -- interface contract
- **ICeremonyRepository**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyRepository.cs` -- persistence interface: CreateAsync, GetByIdAsync, HasApprovedAsync, AddApprovalAsync, UpdateStateAsync, ListAsync, GetExpiredCeremoniesAsync, MarkExpiredAsync
- **CeremonyEndpoints**: `src/Signer/StellaOps.Signer/StellaOps.Signer.WebService/Endpoints/CeremonyEndpoints.cs` -- REST API at `/api/v1/ceremonies`: POST / (create, ceremony:create), GET / (list with state/operationType/initiatedBy/tenantId/limit/offset filters), GET /{ceremonyId} (get by ID), POST /{ceremonyId}/approve (ceremony:approve, base64 signature required), POST /{ceremonyId}/execute (ceremony:execute), DELETE /{ceremonyId} (ceremony:cancel); all require ceremony:read authorization
- **Tests**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Ceremonies/CeremonyOrchestratorIntegrationTests.cs`, `CeremonyStateMachineTests.cs`
- **Source**: SPRINT_20260112_018_SIGNER_dual_control_ceremonies.md
## E2E Test Plan
- [ ] POST /api/v1/ceremonies creates a new ceremony with threshold, expiration, and operation type; verify 201 response with ceremonyId
- [ ] POST /{ceremonyId}/approve accepts approval with base64 signature; verify duplicate approval returns 409, unauthorized approver returns 403
- [ ] Verify state transitions: Pending -> PartiallyApproved (after first approval) -> Approved (when threshold reached) -> Executed (after execution)
- [ ] POST /{ceremonyId}/execute succeeds only when state is Approved; verify 409 for non-approved states
- [ ] DELETE /{ceremonyId} cancels ceremony; verify only non-terminal ceremonies can be cancelled
- [ ] Verify expired ceremonies cannot accept approvals or be executed (409)
- [ ] GET / returns filtered list with pagination (limit/offset) and state/operationType filters
- [ ] Verify audit events are recorded for all lifecycle transitions (Initiated, Approved, Executed, Cancelled, Expired)
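Review bot: the Description lists "share submission" among the API operations, but the CeremonyEndpoints entry exposes only create, list, get, approve, execute and cancel routes, and an approval carries a base64 signature rather than a share; either the description is stale or share handling lives elsewhere and should be referenced. Also, the approve route requires a signature but the file never says what message is signed (ceremonyId plus operation type? a server-issued nonce?) or which key ICeremonyApproverValidator checks it against; without the signed payload bound to this ceremony, an approval could be reused on another ceremony. Document the signed payload and add an E2E item asserting that a valid signature from a different ceremony is rejected with 403.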


@@ -1,36 +0,0 @@
# Fulcio/Sigstore Keyless Signing Client
## Module
Signer
## Status
IMPLEMENTED
## Description
Fulcio-based keyless signing using OIDC tokens from CI runners, ephemeral key pairs, short-lived X.509 certificates, DSSE signing, and certificate chain validation. Tests exist for all components.
## Implementation Details
- **KeylessDsseSigner**: `src/Signer/__Libraries/StellaOps.Signer.Keyless/KeylessDsseSigner.cs` -- DSSE signer implementing Sigstore keyless workflow: (1) acquire OIDC token via IOidcTokenProvider, (2) generate ephemeral key pair via IEphemeralKeyGenerator, (3) serialize in-toto statement, (4) create proof-of-possession (SHA-256 hash signed with ephemeral key), (5) request short-lived certificate from Fulcio, (6) create DSSE signature using ephemeral key; returns SigningBundle with DsseEnvelope + certificate chain + signing identity metadata
- **EphemeralKeyGenerator**: `src/Signer/__Libraries/StellaOps.Signer.Keyless/EphemeralKeyGenerator.cs` -- generates ECDSA P-256 key pairs using .NET crypto APIs; supports EcdsaP256 algorithm; Ed25519 placeholder for future .NET 9+ support
- **HttpFulcioClient**: `src/Signer/__Libraries/StellaOps.Signer.Keyless/HttpFulcioClient.cs` -- HTTP client for Fulcio v2 API (`/api/v2/signingCert`): sends OIDC token + public key + proof-of-possession; parses PEM certificate chain from response; extracts OIDC issuer from Fulcio extension OID 1.3.6.1.4.1.57264.1.1; retry logic with exponential backoff; non-retryable errors (400/401/403) vs retryable (5xx)
- **SigstoreSigningService**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreSigningService.cs` -- orchestrates full Sigstore keyless flow: ephemeral ECDSA P-256 key generation, Fulcio certificate request, artifact signing, Rekor transparency log upload; VerifyKeylessAsync validates signature, certificate validity, and Rekor entry timestamp within certificate window
- **IOidcTokenProvider**: `src/Signer/__Libraries/StellaOps.Signer.Keyless/IOidcTokenProvider.cs` -- interface for OIDC token acquisition
- **AmbientOidcTokenProvider**: `src/Signer/__Libraries/StellaOps.Signer.Keyless/AmbientOidcTokenProvider.cs` -- CI runner ambient OIDC token detection
- **EphemeralKeyPair**: `src/Signer/__Libraries/StellaOps.Signer.Keyless/EphemeralKeyPair.cs` -- disposable key pair model with Sign method
- **ICertificateChainValidator**: `src/Signer/__Libraries/StellaOps.Signer.Keyless/ICertificateChainValidator.cs` -- certificate chain validation interface
- **FulcioHttpClient**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/FulcioHttpClient.cs` -- infrastructure-level Fulcio client
- **RekorHttpClient**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/RekorHttpClient.cs` -- Rekor transparency log HTTP client
- **ISigstoreClients**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/ISigstoreClients.cs` -- IFulcioClient and IRekorClient interfaces
- **SigstoreOptions**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreOptions.cs` -- Fulcio URL, Rekor URL, RequireRekorEntry, retry/backoff config
- **Tests**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Keyless/KeylessDsseSignerTests.cs`, `EphemeralKeyGeneratorTests.cs`, `HttpFulcioClientTests.cs`, `CertificateChainValidatorTests.cs`, `KeylessSigningIntegrationTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify keyless signing produces a valid DSSE envelope with base64-encoded payload and signature
- [ ] Verify certificate chain includes leaf certificate from Fulcio and intermediate/root certificates
- [ ] Verify proof-of-possession is computed as SHA-256 hash of statement signed with ephemeral key
- [ ] Test Fulcio client retry logic with exponential backoff on 5xx errors
- [ ] Verify non-retryable Fulcio errors (400/401/403) fail immediately
- [ ] Test keyless verification validates signature, certificate chain, and Rekor timestamp
- [ ] Verify signing identity metadata includes OIDC issuer, subject, and certificate expiry
- [ ] Test ephemeral key disposal after signing completes
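Review bot: the proof-of-possession step is described inconsistently: KeylessDsseSigner step (4) and the third E2E item say it is the SHA-256 hash of the statement signed with the ephemeral key, while the CI/CD templates file above describes the same SigstoreSigningService as creating proof-of-possession "by signing OIDC token". Fulcio's proof of possession is a signature over the OIDC token's subject claim, so the doc should state exactly which bytes are signed and the test should assert on that rather than on a hash of the statement. Two Fulcio clients are also listed (HttpFulcioClient under StellaOps.Signer.Keyless and FulcioHttpClient under Signer.Infrastructure/Sigstore) with no note on which is canonical or whether one wraps the other; say so, or the retry and 4xx/5xx classification rules will drift. Finally, the chain item only checks that intermediate and root certificates are present; add a check that the chain validates against a pinned Fulcio root and that a leaf outside its validity window is refused.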


@@ -1,34 +0,0 @@
# Key Rotation Service with Temporal Validity
## Module
Signer
## Status
IMPLEMENTED
## Description
Automated key rotation service with temporal key validity windows, key history tracking (key_history and key_audit_log tables), trust anchor management with PURL pattern matching, and CLI commands for key lifecycle operations. Ensures proof verification uses the correct key for the attestation timestamp.
## Implementation Details
- **KeyRotationService**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/KeyRotationService.cs` -- implements advisory section 8.2: AddKeyAsync (validates algorithm against AllowedAlgorithms, creates KeyHistoryEntity + KeyAuditLogEntity, updates anchor AllowedKeyIds), RevokeKeyAsync (sets RevokedAt + RevokeReason, moves key from AllowedKeyIds to RevokedKeyIds), CheckKeyValidityAsync (temporal validation: NotYetValid if signedAt < AddedAt, Revoked if signedAt >= RevokedAt, Expired if signedAt >= ExpiresAt), GetRotationWarningsAsync (ExpiryApproaching within ExpiryWarningDays, LongLived exceeding MaxKeyAgeDays, AlgorithmDeprecating for deprecated algorithms), GetKeyHistoryAsync; EF Core transactions with InMemory provider detection
- **TrustAnchorManager**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/TrustAnchorManager.cs` -- implements advisory section 8.3: GetAnchorAsync, FindAnchorForPurlAsync (glob-style PURL pattern matching with specificity scoring, most-specific-match-wins), CreateAnchorAsync (validates PURL pattern), UpdateAnchorAsync (AllowedPredicateTypes/PolicyRef/PolicyVersion), DeactivateAnchorAsync, VerifySignatureAuthorizationAsync (combines temporal key validity + predicate type authorization), GetActiveAnchorsAsync
- **PurlPatternMatcher**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/TrustAnchorManager.cs` -- glob-to-regex pattern matching for PURLs (e.g., pkg:npm/*, pkg:maven/org.apache/*); specificity scoring (segments * 10 - wildcards * 5)
- **KeyRotationOptions**: configurable AllowedAlgorithms (ES256, ES384, ES512, RS256, EdDSA, SM2, GOST12-256, DILITHIUM3, FALCON512, etc.), ExpiryWarningDays (60), MaxKeyAgeDays (365), DeprecatedAlgorithms (RSA-2048, SHA1-RSA)
- **KeyManagementDbContext**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/KeyManagementDbContext.cs` -- EF Core context with TrustAnchors, KeyHistory, KeyAuditLog DbSets
- **KeyEntities**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/Entities/KeyEntities.cs` -- KeyHistoryEntity (HistoryId, AnchorId, KeyId, PublicKey, Algorithm, AddedAt, ExpiresAt, RevokedAt, RevokeReason), KeyAuditLogEntity (LogId, Operation enum: Add/Revoke/Rotate, Actor, Reason)
- **TrustAnchorEntity**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/Entities/TrustAnchorEntity.cs` -- AnchorId, PurlPattern, AllowedKeyIds, RevokedKeyIds, AllowedPredicateTypes, PolicyRef, PolicyVersion, IsActive
- **KeyRotationEndpoints**: `src/Signer/StellaOps.Signer/StellaOps.Signer.WebService/Endpoints/KeyRotationEndpoints.cs` -- REST API at `/api/v1/anchors`: POST /{anchorId}/keys (add key), POST /{anchorId}/keys/{keyId}/revoke, GET /{anchorId}/keys/{keyId}/validity?signedAt=, GET /{anchorId}/keys/history, GET /{anchorId}/keys/warnings; all require KeyManagement authorization
- **IKeyRotationService**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/IKeyRotationService.cs` -- interface contract
- **ITrustAnchorManager**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/ITrustAnchorManager.cs` -- interface contract
- **Tests**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/KeyManagement/KeyRotationServiceTests.cs`, `TemporalKeyVerificationTests.cs`, `TrustAnchorManagerTests.cs`, `Integration/KeyRotationWorkflowIntegrationTests.cs`
- **Source**: SPRINT_0501_0008_0001_proof_chain_key_rotation.md
## E2E Test Plan
- [ ] POST /api/v1/anchors/{anchorId}/keys adds a key and returns updated AllowedKeyIds with audit log ID
- [ ] POST /{anchorId}/keys/{keyId}/revoke sets RevokedAt and moves key from allowed to revoked list
- [ ] GET /{anchorId}/keys/{keyId}/validity returns correct temporal validity (Active, NotYetValid, Revoked, Expired) for a given signedAt timestamp
- [ ] Verify temporal key validation: key added at T1 is invalid for signatures before T1, valid between T1 and revocation/expiry
- [ ] GET /{anchorId}/keys/warnings returns ExpiryApproaching, LongLived, and AlgorithmDeprecating warnings
- [ ] Verify PURL pattern matching finds most-specific anchor for a given PURL
- [ ] Verify VerifySignatureAuthorizationAsync combines key validity + predicate type check
- [ ] Verify algorithm validation rejects keys with unsupported algorithms
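Review bot: CheckKeyValidityAsync and the validity endpoint take signedAt from the caller (it is a query parameter), but the file does not say which timestamp source is trusted when an attestation is verified. If signedAt is read from the attestation itself, a signature made with a since-revoked key can be presented with an earlier time and pass, which defeats the revocation; the doc should require signedAt to come from an independently trusted time (for example the transparency log's inclusion time), and the E2E plan should include a case where the asserted time predates AddedAt and one where it falls after RevokedAt. The boundary semantics are also worth stating explicitly: signedAt equal to AddedAt counts as valid while signedAt equal to RevokedAt or ExpiresAt counts as revoked or expired. Minor: the PurlPatternMatcher entry points at TrustAnchorManager.cs, so the entry should say it is defined in that file rather than reading like a separate class file.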


@@ -1,32 +0,0 @@
# Shamir Secret Sharing Key Escrow
## Module
Signer
## Status
IMPLEMENTED
## Description
Key escrow system using Shamir's Secret Sharing over GF(256) to split signing keys into M-of-N shares distributed to escrow agents, with ceremony-authorized recovery requiring quorum approval.
## Implementation Details
- **ShamirSecretSharing**: `src/Cryptography/StellaOps.Cryptography/KeyEscrow/ShamirSecretSharing.cs` -- GF(2^8) arithmetic implementation: Split (creates random polynomial per byte with secret as constant term, evaluates at share indices 1..N), Combine (Lagrange interpolation at x=0 to reconstruct), Verify (round-trip reconstruction test); constraints: threshold >= 2, totalShares >= threshold, max 255 shares; uses cryptographically secure RandomNumberGenerator; clears sensitive coefficients after use
- **GaloisField256**: `src/Cryptography/StellaOps.Cryptography/KeyEscrow/GaloisField256.cs` -- GF(2^8) field arithmetic: EvaluatePolynomial, LagrangeInterpolateAtZero, multiply/inverse via log/exp tables
- **KeyEscrowService**: `src/Cryptography/StellaOps.Cryptography/KeyEscrow/KeyEscrowService.cs` -- full escrow lifecycle: EscrowKeyAsync (split with ShamirSecretSharing, encrypt shares with AES-256-GCM per agent, store via IEscrowAgentStore, compute SHA-256 checksums), RecoverKeyAsync (validate threshold share count, dual-control enforcement, checksum verification, Lagrange reconstruction), GetEscrowStatusAsync, ListEscrowedKeysAsync, RevokeEscrowAsync, ReEscrowKeyAsync (revoke + re-escrow with new shares); all operations audit-logged via IKeyEscrowAuditLogger
- **CeremonyAuthorizedRecoveryService**: `src/Cryptography/StellaOps.Cryptography/KeyEscrow/CeremonyAuthorizedRecoveryService.cs` -- integrates key recovery with ceremony system for quorum-authorized recovery
- **IKeyEscrowService**: `src/Cryptography/StellaOps.Cryptography/KeyEscrow/IKeyEscrowService.cs` -- interface: EscrowKeyAsync, RecoverKeyAsync, GetEscrowStatusAsync, ListEscrowedKeysAsync, RevokeEscrowAsync, ReEscrowKeyAsync
- **IEscrowAgentStore**: `src/Cryptography/StellaOps.Cryptography/KeyEscrow/IEscrowAgentStore.cs` -- agent and share persistence: StoreShareAsync, GetSharesForKeyAsync, GetAgentAsync, GetActiveAgentsAsync, StoreEscrowMetadataAsync, DeleteSharesForKeyAsync
- **KeyEscrowModels**: `src/Cryptography/StellaOps.Cryptography/KeyEscrow/KeyEscrowModels.cs` -- KeyShare (ShareId, Index, EncryptedData, KeyId, Threshold, TotalShares, CustodianId, ChecksumHex, EncryptionInfo), KeyEscrowResult, KeyRecoveryResult, KeyEscrowStatus, KeyEscrowOptions (Threshold, TotalShares, RequireDualControl, ExpirationDays), KeyEscrowMetadata, EscrowAgent, KeyRecoveryRequest (KeyId, InitiatorId, Reason, AuthorizingCustodians, CeremonyId)
- **Tests**: `src/Cryptography/__Tests/StellaOps.Cryptography.Tests/ShamirSecretSharingTests.cs`, `KeyEscrow/KeyEscrowRecoveryIntegrationTests.cs`, `KeyEscrow/KeyEscrowRecoveryIntegrationTests.Fixed.cs`
- **Source**: SPRINT_20260112_018_CRYPTO_key_escrow_shamir.md
## E2E Test Plan
- [ ] Verify M-of-N split produces N shares and any M shares can reconstruct the original secret
- [ ] Verify fewer than M shares cannot reconstruct the secret (information-theoretic security)
- [ ] Verify duplicate share indices are rejected during reconstruction
- [ ] Test key escrow flow: escrow key -> retrieve status -> recover with threshold shares
- [ ] Verify dual-control enforcement requires at least 2 authorizing custodians when enabled
- [ ] Verify share checksums (SHA-256) are validated during recovery
- [ ] Verify escrow revocation deletes all shares and audit-logs the action
- [ ] Test re-escrow preserves original parameters when no new options provided
- [ ] Verify maximum 255 shares constraint from GF(2^8) field
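Review bot: the E2E item "fewer than M shares cannot reconstruct the secret (information-theoretic security)" is not testable as written: Lagrange interpolation over M-1 points still returns a value, and the information-theoretic property is a proof, not a test outcome. Rephrase it to "Combine rejects fewer than threshold shares", which matches the share-count check RecoverKeyAsync is already described as performing. The constraints list for Split gives threshold >= 2, totalShares >= threshold and max 255 shares, but should also state that share index 0 is never issued and is rejected on Combine (evaluating the polynomial at 0 returns the secret byte directly) and that duplicate indices are rejected, rather than leaving both only in the test plan. The per-agent AES-256-GCM share encryption entry should also say how nonces are chosen, since GCM nonce reuse under one key is fatal and the file is silent on it.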


@@ -1,30 +0,0 @@
# TUF Client for Trust Root Management
## Module
Signer
## Status
IMPLEMENTED
## Description
Full TUF (The Update Framework) client implementation for secure trust root management, including root rotation, timestamp verification, target hash validation, cached state management, and offline mode support. Provides the foundation for Sigstore trust root bootstrapping.
## Implementation Details
- **TrustAnchorManager**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/TrustAnchorManager.cs` -- trust anchor CRUD with PURL pattern matching: CreateAnchorAsync (validates PURL pattern format), FindAnchorForPurlAsync (glob-style matching with specificity scoring: segments*10 - wildcards*5, most-specific-match-wins), GetActiveAnchorsAsync, DeactivateAnchorAsync; VerifySignatureAuthorizationAsync combines temporal key validity check with predicate type authorization; each anchor has AllowedKeyIds, RevokedKeyIds, AllowedPredicateTypes, PolicyRef, PolicyVersion
- **PurlPatternMatcher**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/TrustAnchorManager.cs` -- validates PURL patterns (must start with pkg:), converts glob patterns to regex (*/? wildcards), computes specificity scores for best-match resolution
- **KeyRotationService**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/KeyRotationService.cs` -- trust anchor key lifecycle: AddKeyAsync, RevokeKeyAsync, CheckKeyValidityAsync (temporal validation), GetRotationWarningsAsync (expiry/age/algorithm warnings), GetKeyHistoryAsync; supports key rotation while preserving historical key validity for signature verification at signing time
- **KeyRotationAuditRepository**: `src/Signer/__Libraries/StellaOps.Signer.KeyManagement/KeyRotationAuditRepository.cs` -- audit trail for all key operations
- **SigstoreModels**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreModels.cs` -- Sigstore trust root data models
- **DefaultSigningKeyResolver**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/DefaultSigningKeyResolver.cs` -- resolves signing keys from trust anchors
- **Tests**: `src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/KeyManagement/TrustAnchorManagerTests.cs`
- **Source**: batch_38/file_08.md
## E2E Test Plan
- [ ] Verify trust anchor creation with valid PURL pattern succeeds
- [ ] Verify trust anchor creation with invalid PURL pattern (missing pkg: prefix) is rejected
- [ ] Test PURL pattern matching: exact match, wildcard match (pkg:npm/*), namespace wildcard (pkg:maven/org.apache/*)
- [ ] Verify most-specific pattern wins when multiple patterns match a PURL
- [ ] Verify VerifySignatureAuthorizationAsync returns IsAuthorized=false when key is not valid at signing time
- [ ] Verify predicate type authorization restricts signing to allowed predicate types
- [ ] Test trust anchor deactivation prevents matching
- [ ] Verify key rotation updates AllowedKeyIds on the anchor while preserving historical validity
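Review bot: the title and Description promise a TUF client (root rotation, timestamp verification, target hash validation, cached state, offline mode), but every Implementation Details entry is the same PURL-pattern trust anchor and key rotation code documented in the key rotation file above, plus SigstoreModels and a key resolver; nothing listed parses TUF root, targets, snapshot or timestamp metadata, checks role thresholds, or rejects expired metadata, and the E2E plan exercises only anchor CRUD and pattern matching. IMPLEMENTED is therefore not supported by this file: either point at the actual TUF metadata code and add plan items for a root rotation chain and for rejecting an expired timestamp role, or mark the feature as not implemented. The Source ("batch_38/file_08.md") should also be resolved to a sprint or matrix reference.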


@@ -1,30 +0,0 @@
# Hybrid Logical Clock (HLC) Audit-Safe Job Queue Ordering
## Module
Timeline
## Status
IMPLEMENTED
## Description
HLC-based global job ordering for distributed deployments, replacing wall-clock timestamps. Includes HLC core library (PhysicalTime+NodeId+LogicalCounter), Scheduler queue chain integration with chain-linked audit logs, offline merge protocol for air-gapped job synchronization with deterministic merge and conflict resolution, and cross-module integration tests.
## Implementation Details
- **TimelineQueryService**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/TimelineQueryService.cs` -- queries events by correlation ID with HLC range filtering (FromHlc/ToHlc); GetByCorrelationIdAsync supports limit/offset pagination, service/kind filtering; HLC-based cursor pagination via ToSortableString(); CountByCorrelationIdAsync for total counts
- **ITimelineQueryService**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/ITimelineQueryService.cs` -- interface: GetByCorrelationIdAsync, GetCriticalPathAsync, GetByServiceAsync
- **TimelineEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/TimelineEndpoints.cs` -- REST API at `/api/v1/timeline`: GET /{correlationId} (query with limit, offset, fromHlc, toHlc, services, kinds filters; returns TimelineResponse with events, totalCount, hasMore, nextCursor), GET /{correlationId}/critical-path (returns stages sorted by duration descending)
- **HlcTimestamp**: referenced from `StellaOps.HybridLogicalClock` namespace -- Parse, TryParse, ToSortableString for HLC values
- **TimelineEvent**: referenced from `StellaOps.Eventing.Models` -- EventId, THlc (HlcTimestamp), TsWall (wall-clock), Service, Kind, Payload, PayloadDigest, EngineVersion (EngineName/Version/SourceDigest), CorrelationId, SchemaVersion
- **ITimelineEventStore**: referenced from `StellaOps.Eventing.Storage` -- persistence: GetByCorrelationIdAsync, GetByHlcRangeAsync, GetByServiceAsync, CountByCorrelationIdAsync
- **TimelineMetrics**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Telemetry/TimelineMetrics.cs` -- OpenTelemetry metrics for timeline operations
- **Tests**: `src/Timeline/__Tests/StellaOps.Timeline.Core.Tests/TimelineQueryServiceTests.cs`, `src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests/TimelineApiIntegrationTests.cs`
- **Source**: SPRINT_20260105_002_000_INDEX_hlc_audit_safe_ordering.md
## E2E Test Plan
- [ ] GET /api/v1/timeline/{correlationId} returns HLC-ordered events with correct pagination
- [ ] Verify HLC range filtering (fromHlc/toHlc) returns only events within the specified range
- [ ] Test service and kind filters narrow results correctly
- [ ] Verify cursor-based pagination using nextCursor (HLC sortable string)
- [ ] Verify events are ordered by HLC timestamp, not wall-clock time
- [ ] Test critical path analysis returns stages sorted by duration descending with percentage
- [ ] Verify deterministic event IDs are consistent across queries
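Review bot: the Description covers the HLC core library, Scheduler queue-chain integration with chain-linked audit logs, and an offline merge protocol, but Implementation Details lists only the Timeline query service and its endpoints; HlcTimestamp is "referenced from" another namespace with no path, and no Scheduler or merge-protocol component appears at all. The E2E plan has no test for the chain linkage (each audit entry referencing its predecessor's digest), for HLC generation under clock skew, or for a deterministic merge of two air-gapped queues producing the same order on both sides. Either add those components and plan items or narrow the title to the Timeline query part that is actually documented here.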


@@ -1,30 +0,0 @@
# Immutable Audit Log (Timeline)
## Module
Timeline
## Status
IMPLEMENTED
## Description
Immutable timeline audit log with a dedicated web service and indexer for recording all scan, attestation, and verdict events.
## Implementation Details
- **TimelineQueryService**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/TimelineQueryService.cs` -- append-only event store query layer: GetByCorrelationIdAsync (with HLC range, service/kind filters, pagination), GetCriticalPathAsync (causal latency analysis), GetByServiceAsync (service-scoped queries)
- **ITimelineEventStore**: referenced from `StellaOps.Eventing.Storage` -- append-only persistence interface: events stored with deterministic EventId (SHA-256 of correlation_id+t_hlc+service+kind), HLC timestamps, payload digests, engine version fingerprints
- **TimelineEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/TimelineEndpoints.cs` -- REST API at `/api/v1/timeline`: GET /{correlationId} returns immutable event chain, GET /{correlationId}/critical-path for latency analysis
- **ExportEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/ExportEndpoints.cs` -- forensic export at `/api/v1/timeline/{correlationId}/export`: NDJSON/JSON bundle with optional DSSE signing for evidence preservation
- **TimelineBundleBuilder**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Export/TimelineBundleBuilder.cs` -- builds NDJSON/JSON export bundles with event metadata (event_id, t_hlc, ts_wall, service, kind, payload_digest, engine_version); optional DSSE signing via IEventSigner
- **HealthEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/HealthEndpoints.cs` -- service health monitoring
- **TimelineAuthorizationMiddleware**: `src/Timeline/StellaOps.Timeline.WebService/Authorization/TimelineAuthorizationMiddleware.cs` -- authorization for timeline access
- **Tests**: `src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests/TimelineApiIntegrationTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify events stored are immutable (no update/delete operations exposed)
- [ ] Verify event IDs are deterministic based on correlation_id + t_hlc + service + kind
- [ ] Test export endpoint produces valid NDJSON bundle with all event metadata
- [ ] Verify DSSE-signed export bundles can be verified with the signing key
- [ ] Test JSON export format includes event metadata section with count and export timestamp
- [ ] Verify payload digests in exported events match original payloads
- [ ] Test authorization middleware restricts timeline access to authorized users
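Review bot: the first E2E item equates immutability with "no update/delete operations exposed", which covers only the HTTP surface; anyone with database access can still rewrite rows. Since event IDs are already deterministic (SHA-256 over correlation_id + t_hlc + service + kind) and payload digests are stored, add a check that recomputing the ID and payload digest for every stored event matches the stored values, and a storage-level check that the service's database role holds no UPDATE or DELETE grant on the events table. The DSSE export item should also include the negative case: a signed bundle must fail verification after any exported event is altered.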


@@ -1,32 +0,0 @@
# Timeline Indexer Service
## Module
Timeline
## Status
IMPLEMENTED
## Description
Dedicated service for ingesting, indexing, and querying timeline events across all platform modules, with Postgres-backed storage (RLS), REST APIs for event retrieval, and evidence linkage to correlate events with attestation artifacts.
## Implementation Details
- **TimelineQueryService**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/TimelineQueryService.cs` -- central query service: GetByCorrelationIdAsync (HLC range, service/kind filters, limit/offset pagination, cursor-based paging via HLC sortable strings), GetCriticalPathAsync (builds stage list from consecutive event pairs, sorts by duration descending), GetByServiceAsync (service-scoped queries with HLC cursor)
- **ITimelineQueryService**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/ITimelineQueryService.cs` -- query interface
- **ITimelineEventStore**: referenced from `StellaOps.Eventing.Storage` -- PostgreSQL-backed event store: GetByCorrelationIdAsync, GetByHlcRangeAsync, GetByServiceAsync, CountByCorrelationIdAsync; append-only with RLS for tenant isolation
- **TimelineEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/TimelineEndpoints.cs` -- REST API: GET /api/v1/timeline/{correlationId} (with fromHlc, toHlc, services, kinds, limit, offset query parameters; returns events, totalCount, hasMore, nextCursor), GET /{correlationId}/critical-path
- **ExportEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/ExportEndpoints.cs` -- export API: POST /{correlationId}/export (NDJSON/JSON format, optional DSSE signing), GET /export/{exportId} (status), GET /export/{exportId}/download (bundle download)
- **TimelineBundleBuilder**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Export/TimelineBundleBuilder.cs` -- asynchronous bundle building with progress tracking, NDJSON/JSON serialization, optional DSSE signing via IEventSigner
- **ServiceCollectionExtensions**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/ServiceCollectionExtensions.cs` -- DI registration for timeline services
- **TimelineMetrics**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Telemetry/TimelineMetrics.cs` -- OpenTelemetry metrics: replay and export operation tracking
- **Tests**: `src/Timeline/__Tests/StellaOps.Timeline.Core.Tests/TimelineQueryServiceTests.cs`, `src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests/TimelineApiIntegrationTests.cs`
- **Source**: SPRINT_0165_0001_0001_timelineindexer.md
## E2E Test Plan
- [ ] Verify GET /api/v1/timeline/{correlationId} returns indexed events with correct HLC ordering
- [ ] Test service and kind filters narrow indexed results
- [ ] Verify HLC range queries (fromHlc/toHlc) return correct event subsets
- [ ] Test cursor-based pagination produces consistent results across pages
- [ ] Verify critical path endpoint computes stage durations and percentages correctly
- [ ] Test export API: initiate -> check status -> download bundle
- [ ] Verify NDJSON export includes all event fields (event_id, t_hlc, ts_wall, service, kind, payload_digest, engine_version)
- [ ] Test evidence linkage: events with attestation references are queryable by correlation
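Review bot: Every item in the deleted E2E Test Plan (the eight unchecked boxes ending this hunk) is still open, and the hunk gives no pointer to where that tracking moves; before dropping the file, record the replacement location or fold the items into the test projects named under **Tests**. The same hunk is also the only place that states the event store is append-only with RLS for tenant isolation (the **ITimelineEventStore** bullet); that is a security property worth preserving in whatever document replaces this one, since the listed tests do not exercise it.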


@@ -1,31 +0,0 @@
# Timeline Replay API
## Module
Timeline
## Status
IMPLEMENTED
## Description
REST API endpoints for querying and replaying HLC-ordered events: GET /timeline/{correlationId} with service/kind/HLC-range/pagination filters, critical path analysis endpoint, and integration with StellaOps.Replay.Core for deterministic replay at a specific HLC timestamp.
## Implementation Details
- **ReplayEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/ReplayEndpoints.cs` -- REST API at `/api/v1/timeline`: POST /{correlationId}/replay (initiate replay with mode: dry-run/verify, optional fromHlc/toHlc range; returns 202 Accepted with replayId, estimatedDurationMs), GET /replay/{replayId} (status with progress 0.0-1.0, eventsProcessed/totalEvents, originalDigest, replayDigest, deterministicMatch), POST /replay/{replayId}/cancel, DELETE /replay/{replayId}
- **TimelineReplayOrchestrator**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Replay/TimelineReplayOrchestrator.cs` -- InitiateReplayAsync (ConcurrentDictionary<string, ReplayOperation> for in-memory state, spawns background Task for execution), ExecuteReplayAsync (FakeTimeProvider for deterministic replay, IncrementalHash SHA-256 chain digest computation, progress tracking, deterministic match verification by comparing original chain digest vs replayed payload digest), GetReplayStatusAsync, CancelReplayAsync
- **ITimelineReplayOrchestrator**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Replay/ITimelineReplayOrchestrator.cs` -- interface: InitiateReplayAsync, GetReplayStatusAsync, CancelReplayAsync
- **ReplayOperation**: record with ReplayId, CorrelationId, Mode, Status (Initiated/InProgress/Completed/Failed/Cancelled), Progress, EventsProcessed, TotalEvents, StartedAt, CompletedAt, OriginalDigest, ReplayDigest, DeterministicMatch, Error
- **ReplayStatus**: enum: Initiated, InProgress, Completed, Failed, Cancelled
- **TimelineMetrics**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Telemetry/TimelineMetrics.cs` -- RecordReplay(mode, outcome, eventCount, durationSeconds)
- **Tests**: `src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests/ReplayOrchestratorIntegrationTests.cs`
- **Source**: SPRINT_20260107_003_002_BE_timeline_replay_api.md
## E2E Test Plan
- [ ] POST /api/v1/timeline/{correlationId}/replay returns 202 Accepted with replayId and estimatedDurationMs
- [ ] GET /replay/{replayId} returns progress from 0.0 to 1.0 with eventsProcessed and totalEvents
- [ ] Verify completed replay includes originalDigest and replayDigest (SHA-256 chain hashes)
- [ ] Verify deterministicMatch is true when replayed output matches original event chain
- [ ] Test dry-run mode processes all events without side effects
- [ ] POST /replay/{replayId}/cancel stops an in-progress replay
- [ ] Verify cancelled replay cannot be restarted
- [ ] Test replay with HLC range (fromHlc/toHlc) replays only events within the range
- [ ] Verify replay of non-existent correlationId returns appropriate error
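Review bot: Deleting this file removes the only visible record that **TimelineReplayOrchestrator** keeps replay state in an in-memory `ConcurrentDictionary<string, ReplayOperation>` and runs execution on a background `Task`; that detail is what makes the E2E items "cancelled replay cannot be restarted" and "GET /replay/{replayId} returns progress" instance-local (state does not survive a process restart or span multiple instances), and nothing in the hunk says a replacement document keeps that caveat. Suggest carrying the orchestrator bullet, or at least the in-memory-state note, into wherever the replay API is documented after this change.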


@@ -1,34 +0,0 @@
# Unified Event Timeline Service
## Module
Timeline
## Status
IMPLEMENTED
## Description
Cross-service event timeline with HLC-ordered events, deterministic event IDs (SHA-256 of correlation_id+t_hlc+service+kind), W3C Trace Context integration, PostgreSQL append-only storage with materialized critical-path views. Provides event SDK for Scheduler/AirGap/Attestor/Policy/VexLens integration, timeline query API with HLC range filtering, causal latency measurement, and forensic event export with DSSE attestation.
## Implementation Details
- **TimelineQueryService**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/TimelineQueryService.cs` -- central query engine: GetByCorrelationIdAsync (HLC range, service/kind filters, limit/offset, cursor paging), GetCriticalPathAsync (stage duration analysis: consecutive event pairs with percentage of total, sorted by duration descending), GetByServiceAsync (cross-correlation service queries)
- **TimelineEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/TimelineEndpoints.cs` -- `/api/v1/timeline`: GET /{correlationId} returns TimelineResponse (events with EventId, THlc, TsWall, Service, Kind, Payload, EngineVersion; totalCount, hasMore, nextCursor); GET /{correlationId}/critical-path returns CriticalPathResponse (totalDurationMs, stages with durationMs/percentage/fromHlc/toHlc)
- **ReplayEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/ReplayEndpoints.cs` -- deterministic replay: POST /{correlationId}/replay (dry-run/verify modes, HLC range), GET /replay/{replayId} (progress, deterministic match verification via SHA-256 chain digest comparison)
- **ExportEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/ExportEndpoints.cs` -- forensic export: POST /{correlationId}/export (NDJSON/JSON, optional DSSE signing), GET /export/{exportId}, GET /export/{exportId}/download
- **TimelineReplayOrchestrator**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Replay/TimelineReplayOrchestrator.cs` -- background replay execution with FakeTimeProvider for determinism, IncrementalHash chain digest, progress tracking, cancellation support
- **TimelineBundleBuilder**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Export/TimelineBundleBuilder.cs` -- NDJSON/JSON bundle building with IEventSigner integration for DSSE-attested exports; includes event_id, t_hlc, ts_wall, correlation_id, service, kind, payload_digest, engine_version, schema_version
- **ServiceCollectionExtensions**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/ServiceCollectionExtensions.cs` -- DI registration for all timeline services
- **TimelineMetrics**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Telemetry/TimelineMetrics.cs` -- OpenTelemetry metrics: RecordReplay, RecordExport
- **Program.cs**: `src/Timeline/StellaOps.Timeline.WebService/Program.cs` -- maps TimelineEndpoints, ReplayEndpoints, ExportEndpoints, HealthEndpoints
- **Tests**: `src/Timeline/__Tests/StellaOps.Timeline.Core.Tests/TimelineQueryServiceTests.cs`, `src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests/TimelineApiIntegrationTests.cs`, `ReplayOrchestratorIntegrationTests.cs`
- **Source**: SPRINT_20260107_003_000_INDEX_unified_event_timeline.md
## E2E Test Plan
- [ ] GET /api/v1/timeline/{correlationId} returns cross-service events ordered by HLC timestamp
- [ ] Verify deterministic event IDs are SHA-256 hashes of correlation_id+t_hlc+service+kind
- [ ] Test HLC range filtering returns only events within the specified window
- [ ] Verify critical path analysis computes correct stage durations and percentages
- [ ] Test deterministic replay: initiate -> poll status -> verify deterministicMatch=true
- [ ] Verify forensic export produces NDJSON bundle with all event fields
- [ ] Test DSSE-signed export bundles include valid signature attestation
- [ ] Verify service and kind filters work correctly across multiple source services
- [ ] Test pagination with cursor returns consistent ordered results
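Review bot: This hunk deletes the index document (its **Source** is the `_000_INDEX_` sprint file) while the two preceding hunks delete the per-feature documents it indexes, so after this change no file describes the deterministic event-ID derivation (SHA-256 of correlation_id+t_hlc+service+kind, in the **Description** and second E2E item) or the DSSE-signed forensic export (the **TimelineBundleBuilder** bullet and the seventh E2E item). Both are integrity guarantees that tests and operators rely on; if the three files are being consolidated, the replacement should be named in the same change rather than left implicit.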


@@ -1,25 +0,0 @@
# CI/CD Workflow Generator (Multi-Platform Pipeline Templates)
## Module
Tools
## Status
IMPLEMENTED
## Description
Generates CI/CD pipeline templates for GitHub Actions, GitLab CI, and Azure DevOps that integrate StellaOps scanning with automatic SARIF upload to code scanning platforms. Supports configurable triggers, scan options, and upload configurations.
## Implementation Details
- **Workflow Generator Factory**: `src/Tools/StellaOps.Tools.WorkflowGenerator/WorkflowGeneratorFactory.cs` -- factory that selects the appropriate generator implementation based on target CI/CD platform (GitHub Actions, GitLab CI, Azure DevOps).
- **IWorkflowGenerator Interface**: `src/Tools/StellaOps.Tools.WorkflowGenerator/IWorkflowGenerator.cs` -- common interface for all workflow generators defining `Generate(config)` method that produces platform-specific pipeline YAML/JSON.
- **GitHub Actions Generator**: `src/Tools/StellaOps.Tools.WorkflowGenerator/GitHubActionsGenerator.cs` -- generates `.github/workflows/*.yml` files with StellaOps scan steps, SARIF upload to GitHub Code Scanning, and configurable triggers (push, PR, schedule).
- **GitLab CI Generator**: `src/Tools/StellaOps.Tools.WorkflowGenerator/GitLabCiGenerator.cs` -- generates `.gitlab-ci.yml` pipeline definitions with StellaOps scan jobs, artifact reporting, and GitLab SAST integration.
- **Azure DevOps Generator**: `src/Tools/StellaOps.Tools.WorkflowGenerator/AzureDevOpsGenerator.cs` -- generates `azure-pipelines.yml` with StellaOps scan tasks, SARIF publish to Azure DevOps Code Analysis, and configurable pool/agent specifications.
## E2E Test Plan
- [ ] Generate a GitHub Actions workflow using `WorkflowGeneratorFactory`, parse the output YAML, and verify it contains the scan step, SARIF upload step, and correct trigger configuration
- [ ] Generate a GitLab CI pipeline, parse the output YAML, and verify it contains the scan job with correct stage, artifacts, and runner tags
- [ ] Generate an Azure DevOps pipeline, parse the output YAML, and verify it contains the scan task with correct pool specification and SARIF publish step
- [ ] Generate workflows for all three platforms with the same scan configuration and verify scan arguments (image reference, policy file, output format) are consistent across all outputs
- [ ] Generate a workflow with custom triggers (e.g., schedule-only) and verify the output reflects the custom trigger configuration, not the defaults
- [ ] Verify the generated GitHub Actions workflow is valid YAML and passes `actionlint` or equivalent schema validation
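Review bot: Unlike the Timeline documents, this deleted file lists no **Tests** or **Source** bullet under **Implementation Details**, so the hunk gives no evidence that any of the six E2E items (in particular the `actionlint`/schema-validation check on the generated GitHub Actions workflow) exists as an automated test; removing the plan leaves the generators' SARIF-upload and trigger configuration effectively untested on paper. Suggest either adding the test-project reference before deleting, or moving the plan items into the generator test suite in the same change.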


@@ -1,22 +0,0 @@
# Fixture Harvester Tool
## Module
Tools
## Status
IMPLEMENTED
## Description
CLI tool (harvest/validate/regen commands) for deterministic test fixture management. Supports tiered fixtures (Synthetic, Spec Examples, Real Samples, Regression), SHA-256 hash pinning, YAML manifests with schema versioning, and configurable refresh policies.
## Implementation Details
- **Fixture Updater App**: `src/Tools/FixtureUpdater/StellaOps.Tools.FixtureUpdater/FixtureUpdaterApp.cs` -- CLI entry point that parses commands (harvest, validate, regen) and dispatches to the runner; manages fixture tier selection and output directory configuration.
- **Fixture Updater Runner**: `src/Tools/FixtureUpdater/StellaOps.Tools.FixtureUpdater/FixtureUpdaterRunner.cs` -- core execution engine that walks fixture manifests, computes SHA-256 hashes, compares against pinned baselines, and regenerates stale fixtures according to refresh policies.
## E2E Test Plan
- [ ] Run the `harvest` command against a known fixture source directory and verify it produces a YAML manifest with SHA-256 hashes for each harvested artifact
- [ ] Run the `validate` command against an existing manifest and verify it reports all fixtures as valid when hashes match, and flags mismatches when a fixture file is modified
- [ ] Run the `regen` command for a single fixture tier (e.g., Synthetic) and verify only fixtures in that tier are regenerated while other tiers remain untouched
- [ ] Modify a fixture file's content, run `validate`, and verify the tool reports the specific file and expected vs. actual hash
- [ ] Verify the YAML manifest includes schema version metadata and that the tool rejects manifests with an unsupported schema version
- [ ] Run the tool with a configurable refresh policy (e.g., "refresh if older than 7 days") and verify it only regenerates fixtures that exceed the staleness threshold
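Review bot: The deleted plan's items on hash-mismatch reporting and on rejecting manifests with an unsupported schema version are the checks that make SHA-256 pinning meaningful (a `validate` that silently accepts a stale or foreign manifest defeats the pinning), yet the **Implementation Details** list only `FixtureUpdaterApp.cs` and `FixtureUpdaterRunner.cs` with no test file, so there is no visible evidence these checks are covered elsewhere. Suggest keeping these two items, with a reference to the test that implements them, wherever the fixture tooling is documented after this change.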


@@ -1,28 +0,0 @@
# Golden Pairs Mirror and Diff Pipeline
## Module
Tools
## Status
IMPLEMENTED
## Description
Package mirror service to download pre/post-patch binary pairs from distro repos, and a diff pipeline service that runs section-hash diffing to produce golden diff reports for backport detection validation.
## Implementation Details
- **Golden Pairs App**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/GoldenPairsApp.cs` -- CLI entry point for the golden pairs toolchain; orchestrates mirror downloads and diff pipeline execution.
- **Package Mirror Service**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/PackageMirrorService.cs` -- downloads pre-patch and post-patch binary packages from distribution repositories (Debian, RPM, Alpine) for known CVE fixes.
- **Diff Pipeline Service**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/DiffPipelineService.cs` -- runs section-hash diffing between pre/post-patch binaries, producing structured diff reports that serve as ground truth for backport detection validation.
- **Section Hash Provider**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/SectionHashProvider.cs` -- computes per-section hashes (e.g., .text, .rodata) for ELF/PE binaries to enable fine-grained diff comparison.
- **Golden Pair Loader**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/GoldenPairLoader.cs` -- loads golden pair metadata from the local store for comparison against new diff results.
- **Golden Pairs Schema Provider**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Schema/GoldenPairsSchemaProvider.cs` -- provides JSON schema definitions for golden pair metadata and diff report validation.
- **Golden Pairs Models**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Models/` -- data models for golden pair records, diff reports, section hashes, and mirror source definitions.
- **Serialization**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Serialization/` -- JSON serialization for golden pair data with canonical formatting for deterministic output.
## E2E Test Plan
- [ ] Run `PackageMirrorService` to download a known CVE fix pair (e.g., a Debian openssl patch), and verify both pre-patch and post-patch binaries are downloaded and stored with correct metadata
- [ ] Run `DiffPipelineService` on a downloaded pair and verify the diff report identifies the changed sections (e.g., .text section modified, .rodata unchanged)
- [ ] Run `SectionHashProvider` on a known binary and verify section hashes are deterministic across multiple runs
- [ ] Load a golden pair via `GoldenPairLoader`, re-run the diff pipeline, and verify the new diff report matches the stored golden diff
- [ ] Validate a diff report against the JSON schema from `GoldenPairsSchemaProvider` and verify it passes schema validation
- [ ] Mirror a package pair, intentionally corrupt the post-patch binary, run the diff pipeline, and verify the diff report reflects the unexpected changes
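Review bot: Neither the **Package Mirror Service** bullet nor the E2E plan mentions verifying the downloaded packages against the distribution's own signatures or checksums before they are used as ground truth; the last item only checks that a corrupted post-patch binary changes the diff report, which does not tell a corrupted or substituted pre-patch binary apart from a genuine one. Since the golden diffs feed backport-detection validation, suggest that the document replacing this one records where repository signature or checksum verification happens in `PackageMirrorService`, and that the plan gets an item asserting an unverifiable download is rejected rather than mirrored.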


@@ -1,25 +0,0 @@
# Golden Pairs Validation Infrastructure
## Module
Tools
## Status
IMPLEMENTED
## Description
Data model for golden pair metadata, binary artifacts, and diff reports used to validate binary diff detection against known-good CVE fix pairs.
## Implementation Details
- **Golden Pairs Models**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Models/` -- data models defining golden pair records (CVE ID, package name, distro, pre/post versions), binary artifact metadata (section hashes, file sizes, architectures), and diff report structures (changed sections, confidence scores).
- **Golden Pairs Schema Provider**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Schema/GoldenPairsSchemaProvider.cs` -- provides JSON schema definitions for validating golden pair metadata files, diff reports, and mirror source configurations.
- **Golden Pair Loader**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/GoldenPairLoader.cs` -- loads and validates golden pair records from the local file store, resolving binary artifact paths and associated diff reports.
- **Serialization**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Serialization/` -- canonical JSON serialization for golden pair data ensuring deterministic output for hash comparison and attestation purposes.
- **Section Hash Provider**: `src/Tools/GoldenPairs/StellaOps.Tools.GoldenPairs/Services/SectionHashProvider.cs` -- computes deterministic per-section hashes for binary artifacts, enabling reproducible diff comparisons across environments.
## E2E Test Plan
- [ ] Load a golden pair record via `GoldenPairLoader` and verify all required fields (CVE ID, package name, pre/post versions, distro) are populated and valid
- [ ] Validate a golden pair metadata file against the schema from `GoldenPairsSchemaProvider` and verify it passes; then corrupt a required field and verify validation fails
- [ ] Serialize a golden pair record via the canonical serializer, deserialize it back, and verify round-trip fidelity (all fields match, no data loss)
- [ ] Compute section hashes for a binary artifact using `SectionHashProvider` on two separate runs and verify the hashes are identical (determinism check)
- [ ] Load a diff report for a known CVE fix pair and verify it correctly identifies which binary sections changed between pre-patch and post-patch versions
- [ ] Verify the schema provider covers all model types: golden pair records, diff reports, and mirror source configurations
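Review bot: This file and the preceding Golden Pairs hunk describe the same five components (Models, Schema Provider, Golden Pair Loader, Serialization, Section Hash Provider), so deleting both together is reasonable only if one consolidated document takes over; note that the diff-report "confidence scores" field and the statement that the loader validates records are recorded only here (the **Golden Pairs Models** and **Golden Pair Loader** bullets), as is the "mirror source configurations" schema named in the last E2E item. Suggest confirming those three details are carried into the replacement rather than lost with the duplicate.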