stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Add call graph fixtures for various languages and scenarios
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Findings Ledger CI / build-test (push) Has been cancelled
Details
Findings Ledger CI / migration-validation (push) Has been cancelled
Details
Findings Ledger CI / generate-manifest (push) Has been cancelled
Details
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Details
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Reachability Corpus Validation / validate-corpus (push) Has been cancelled
Details
Reachability Corpus Validation / validate-ground-truths (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Reachability Corpus Validation / determinism-check (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details

Browse Source 
- Introduced `all-edge-reasons.json` to test edge resolution reasons in .NET.
- Added `all-visibility-levels.json` to validate method visibility levels in .NET.
- Created `dotnet-aspnetcore-minimal.json` for a minimal ASP.NET Core application.
- Included `go-gin-api.json` for a Go Gin API application structure.
- Added `java-spring-boot.json` for the Spring PetClinic application in Java.
- Introduced `legacy-no-schema.json` for legacy application structure without schema.
- Created `node-express-api.json` for an Express.js API application structure.
This commit is contained in:
master
2025-12-16 10:44:24 +02:00
parent 4391f35d8a
commit 5a480a3c2a
223 changed files with 19367 additions and 727 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
src/Cli/StellaOps.Cli/Commands/CommandFactory.cs
View File

@@ -80,6 +80,7 @@ internal static class CommandFactory
root.Add(BuildSdkCommand(services, verboseOption, cancellationToken));
root.Add(BuildMirrorCommand(services, verboseOption, cancellationToken));
root.Add(BuildAirgapCommand(services, verboseOption, cancellationToken));
root.Add(OfflineCommandGroup.BuildOfflineCommand(services, verboseOption, cancellationToken));
root.Add(BuildDevPortalCommand(services, verboseOption, cancellationToken));
root.Add(BuildSymbolsCommand(services, verboseOption, cancellationToken));
root.Add(SystemCommandBuilder.BuildSystemCommand(services, verboseOption, cancellationToken));
@@ -9338,6 +9339,53 @@ internal static class CommandFactory
start.Add(startAttestation);
export.Add(start);
var cache = new Command("cache", "Local evidence cache operations.");
var scanOutputPathOption = new Option<string>("--scan-output", new[] { "-p" })
{
Description = "Path to scan output directory containing a local evidence cache (.evidence).",
Required = true
};
var cacheStats = new Command("stats", "Show local evidence cache statistics.");
cacheStats.Add(scanOutputPathOption);
cacheStats.Add(jsonOption);
cacheStats.Add(verboseOption);
cacheStats.SetAction((parseResult, _) =>
{
var scanOutputPath = parseResult.GetValue(scanOutputPathOption) ?? string.Empty;
var json = parseResult.GetValue(jsonOption);
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleExportCacheStatsAsync(
services,
scanOutputPath,
json,
verbose,
cancellationToken);
});
var cacheProcessQueue = new Command("process-queue", "Process deferred enrichment queue for local evidence cache.");
cacheProcessQueue.Add(scanOutputPathOption);
cacheProcessQueue.Add(jsonOption);
cacheProcessQueue.Add(verboseOption);
cacheProcessQueue.SetAction((parseResult, _) =>
{
var scanOutputPath = parseResult.GetValue(scanOutputPathOption) ?? string.Empty;
var json = parseResult.GetValue(jsonOption);
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleExportCacheProcessQueueAsync(
services,
scanOutputPath,
json,
verbose,
cancellationToken);
});
cache.Add(cacheStats);
cache.Add(cacheProcessQueue);
export.Add(cache);
return export;
}

113
src/Cli/StellaOps.Cli/Commands/CommandHandlers.ExportCache.cs Normal file
View File

@@ -0,0 +1,113 @@
using System.Globalization;
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
using Spectre.Console;
using StellaOps.ExportCenter.Core.EvidenceCache;
namespace StellaOps.Cli.Commands;
internal static partial class CommandHandlers
{
internal static async Task<int> HandleExportCacheStatsAsync(
IServiceProvider services,
string scanOutputPath,
bool json,
bool verbose,
CancellationToken cancellationToken)
{
SetVerbosity(services, verbose);
if (string.IsNullOrWhiteSpace(scanOutputPath))
{
AnsiConsole.MarkupLine("[red]Scan output path is required.[/]");
return 1;
}
scanOutputPath = Path.GetFullPath(scanOutputPath);
if (!Directory.Exists(scanOutputPath))
{
AnsiConsole.MarkupLine($"[red]Scan output directory not found:[/] {Markup.Escape(scanOutputPath)}");
return 1;
}
var cache = services.GetRequiredService<IEvidenceCacheService>();
var statistics = await cache.GetStatisticsAsync(scanOutputPath, cancellationToken).ConfigureAwait(false);
if (json)
{
var payload = new
{
scanOutput = scanOutputPath,
statistics
};
AnsiConsole.WriteLine(JsonSerializer.Serialize(payload, JsonOptions));
return 0;
}
if (statistics.TotalBundles == 0)
{
AnsiConsole.MarkupLine("[yellow]No evidence cache entries found.[/]");
}
var table = new Table().AddColumns("Field", "Value");
table.AddRow("Scan output", Markup.Escape(scanOutputPath));
table.AddRow("Total bundles", statistics.TotalBundles.ToString(CultureInfo.InvariantCulture));
table.AddRow("Fully available", statistics.FullyAvailable.ToString(CultureInfo.InvariantCulture));
table.AddRow("Partially available", statistics.PartiallyAvailable.ToString(CultureInfo.InvariantCulture));
table.AddRow("Pending enrichment", statistics.PendingEnrichment.ToString(CultureInfo.InvariantCulture));
table.AddRow("Offline resolvable", FormattableString.Invariant($"{statistics.OfflineResolvablePercentage:0.##}%"));
table.AddRow("Total size", FormatBytes(statistics.TotalSizeBytes));
AnsiConsole.Write(table);
return 0;
}
internal static async Task<int> HandleExportCacheProcessQueueAsync(
IServiceProvider services,
string scanOutputPath,
bool json,
bool verbose,
CancellationToken cancellationToken)
{
SetVerbosity(services, verbose);
if (string.IsNullOrWhiteSpace(scanOutputPath))
{
AnsiConsole.MarkupLine("[red]Scan output path is required.[/]");
return 1;
}
scanOutputPath = Path.GetFullPath(scanOutputPath);
if (!Directory.Exists(scanOutputPath))
{
AnsiConsole.MarkupLine($"[red]Scan output directory not found:[/] {Markup.Escape(scanOutputPath)}");
return 1;
}
var cache = services.GetRequiredService<IEvidenceCacheService>();
var result = await cache.ProcessEnrichmentQueueAsync(scanOutputPath, cancellationToken).ConfigureAwait(false);
if (json)
{
var payload = new
{
scanOutput = scanOutputPath,
result
};
AnsiConsole.WriteLine(JsonSerializer.Serialize(payload, JsonOptions));
return 0;
}
var table = new Table().AddColumns("Field", "Value");
table.AddRow("Scan output", Markup.Escape(scanOutputPath));
table.AddRow("Processed", result.ProcessedCount.ToString(CultureInfo.InvariantCulture));
table.AddRow("Failed", result.FailedCount.ToString(CultureInfo.InvariantCulture));
table.AddRow("Remaining", result.RemainingCount.ToString(CultureInfo.InvariantCulture));
AnsiConsole.Write(table);
return 0;
}
}

1308
src/Cli/StellaOps.Cli/Commands/CommandHandlers.Offline.cs Normal file
View File

File diff suppressed because it is too large Load Diff

6
src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs
View File

@@ -49,10 +49,14 @@ using StellaOps.Scanner.Analyzers.Lang.Php;
using StellaOps.Scanner.Analyzers.Lang.Bun;
using StellaOps.Policy;
using StellaOps.PolicyDsl;
using StellaOps.AirGap.Importer.Contracts;
using StellaOps.AirGap.Importer.Quarantine;
using StellaOps.AirGap.Importer.Validation;
using StellaOps.AirGap.Importer.Versioning;
namespace StellaOps.Cli.Commands;
internal static class CommandHandlers
internal static partial class CommandHandlers
{
private const string KmsPassphraseEnvironmentVariable = "STELLAOPS_KMS_PASSPHRASE";
private static readonly JsonSerializerOptions KmsJsonOptions = new(JsonSerializerDefaults.Web)

164
src/Cli/StellaOps.Cli/Commands/OfflineCommandGroup.cs Normal file
View File

@@ -0,0 +1,164 @@
using System.CommandLine;
using StellaOps.Cli.Extensions;
namespace StellaOps.Cli.Commands;
internal static class OfflineCommandGroup
{
internal static Command BuildOfflineCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var offline = new Command("offline", "Air-gap and offline kit operations.");
offline.Add(BuildOfflineImportCommand(services, verboseOption, cancellationToken));
offline.Add(BuildOfflineStatusCommand(services, verboseOption, cancellationToken));
return offline;
}
private static Command BuildOfflineImportCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var tenantOption = new Option<string?>("--tenant")
{
Description = "Tenant context for the import (defaults to profile/ENV)."
};
var bundleOption = new Option<string>("--bundle", new[] { "-b" })
{
Description = "Path to the offline kit payload bundle (.tar.zst).",
Required = true
};
var manifestOption = new Option<string?>("--manifest", new[] { "-m" })
{
Description = "Path to offline manifest JSON (defaults to manifest.json next to the bundle)."
};
var verifyDsseOption = new Option<bool>("--verify-dsse")
{
Description = "Verify DSSE signature on the kit statement."
}.SetDefaultValue(true);
var verifyRekorOption = new Option<bool>("--verify-rekor")
{
Description = "Verify Rekor receipt (offline mode)."
}.SetDefaultValue(true);
var trustRootOption = new Option<string?>("--trust-root")
{
Description = "Path to trust root public key file for DSSE verification."
};
var forceActivateOption = new Option<bool>("--force-activate")
{
Description = "Override monotonicity check (requires justification)."
};
var forceReasonOption = new Option<string?>("--force-reason")
{
Description = "Justification for force activation (required with --force-activate)."
};
var dryRunOption = new Option<bool>("--dry-run")
{
Description = "Validate the kit without activating."
};
var outputOption = new Option<string?>("--output", new[] { "-o" })
{
Description = "Output format: table (default), json."
}.SetDefaultValue("table").FromAmong("table", "json");
var command = new Command("import", "Import an offline kit with verification.")
{
tenantOption,
bundleOption,
manifestOption,
verifyDsseOption,
verifyRekorOption,
trustRootOption,
forceActivateOption,
forceReasonOption,
dryRunOption,
outputOption,
verboseOption
};
command.SetAction(parseResult =>
{
var tenant = parseResult.GetValue(tenantOption);
var bundle = parseResult.GetValue(bundleOption) ?? string.Empty;
var manifest = parseResult.GetValue(manifestOption);
var verifyDsse = parseResult.GetValue(verifyDsseOption);
var verifyRekor = parseResult.GetValue(verifyRekorOption);
var trustRoot = parseResult.GetValue(trustRootOption);
var forceActivate = parseResult.GetValue(forceActivateOption);
var forceReason = parseResult.GetValue(forceReasonOption);
var dryRun = parseResult.GetValue(dryRunOption);
var output = parseResult.GetValue(outputOption) ?? "table";
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleOfflineImportAsync(
services,
tenant,
bundle,
manifest,
verifyDsse,
verifyRekor,
trustRoot,
forceActivate,
forceReason,
dryRun,
output,
verbose,
cancellationToken);
});
return command;
}
private static Command BuildOfflineStatusCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var tenantOption = new Option<string?>("--tenant")
{
Description = "Tenant context for the status (defaults to profile/ENV)."
};
var outputOption = new Option<string?>("--output", new[] { "-o" })
{
Description = "Output format: table (default), json."
}.SetDefaultValue("table").FromAmong("table", "json");
var command = new Command("status", "Display current offline kit status.")
{
tenantOption,
outputOption,
verboseOption
};
command.SetAction(parseResult =>
{
var tenant = parseResult.GetValue(tenantOption);
var output = parseResult.GetValue(outputOption) ?? "table";
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleOfflineStatusAsync(
services,
tenant,
output,
verbose,
cancellationToken);
});
return command;
}
}

25
src/Cli/StellaOps.Cli/Commands/OfflineExitCodes.cs Normal file
View File

@@ -0,0 +1,25 @@
namespace StellaOps.Cli.Commands;
/// <summary>
/// Exit codes for offline commands.
/// Per advisory A11.1-11.2.
/// </summary>
internal static class OfflineExitCodes
{
public const int Success = 0;
public const int FileNotFound = 1;
public const int ChecksumMismatch = 2; // HASH_MISMATCH
public const int SignatureFailure = 3; // SIG_FAIL_COSIGN, SIG_FAIL_MANIFEST
public const int FormatError = 4;
public const int DsseVerificationFailed = 5; // DSSE_VERIFY_FAIL
public const int RekorVerificationFailed = 6; // REKOR_VERIFY_FAIL
public const int ImportFailed = 7;
public const int VersionNonMonotonic = 8; // VERSION_NON_MONOTONIC
public const int PolicyDenied = 9; // POLICY_DENY
public const int SelftestFailed = 10; // SELFTEST_FAIL
public const int ValidationFailed = 11;
public const int VerificationFailed = 12;
public const int PolicyLoadFailed = 13;
public const int Cancelled = 130; // Standard SIGINT
}

14
src/Cli/StellaOps.Cli/Output/CliError.cs
View File

@@ -249,6 +249,20 @@ public static class CliErrorCodes
public const string ValidationFailed = "ERR_VALIDATION_FAILED";
public const string RateLimited = "ERR_RATE_LIMIT";
public const string AirGapBlocked = "ERR_AIRGAP_EGRESS_BLOCKED";
// CLI-AIRGAP-341-001: Offline Kit / AirGap error codes (exit code 7)
public const string OfflineKitImportFailed = "ERR_AIRGAP_OFFLINE_KIT_IMPORT_FAILED";
public const string OfflineKitStatusFailed = "ERR_AIRGAP_OFFLINE_KIT_STATUS_FAILED";
public const string OfflineKitVerifyFailed = "ERR_AIRGAP_OFFLINE_KIT_VERIFY_FAILED";
public const string OfflineKitHashMismatch = "ERR_AIRGAP_OFFLINE_KIT_HASH_MISMATCH";
public const string OfflineKitCosignSignatureInvalid = "ERR_AIRGAP_OFFLINE_KIT_SIG_FAIL_COSIGN";
public const string OfflineKitManifestSignatureInvalid = "ERR_AIRGAP_OFFLINE_KIT_SIG_FAIL_MANIFEST";
public const string OfflineKitDsseVerifyFailed = "ERR_AIRGAP_OFFLINE_KIT_DSSE_VERIFY_FAIL";
public const string OfflineKitRekorVerifyFailed = "ERR_AIRGAP_OFFLINE_KIT_REKOR_VERIFY_FAIL";
public const string OfflineKitSelfTestFailed = "ERR_AIRGAP_OFFLINE_KIT_SELFTEST_FAIL";
public const string OfflineKitVersionNonMonotonic = "ERR_AIRGAP_OFFLINE_KIT_VERSION_NON_MONOTONIC";
public const string OfflineKitPolicyDenied = "ERR_AIRGAP_OFFLINE_KIT_POLICY_DENY";
public const string AocViolation = "ERR_AOC_001";
public const string NetworkError = "ERR_NETWORK_FAILED";
public const string Timeout = "ERR_TIMEOUT";

41
src/Cli/StellaOps.Cli/Output/CliErrorRenderer.cs
View File

@@ -67,6 +67,11 @@ internal static class CliErrorRenderer
// Error code
AnsiConsole.MarkupLine($"[grey]Code:[/] {Markup.Escape(error.Code)}");
if (TryGetReasonCode(error, out var reasonCode))
{
AnsiConsole.MarkupLine($"[grey]Reason:[/] {Markup.Escape(reasonCode)}");
}
// Detail (if present)
if (!string.IsNullOrWhiteSpace(error.Detail))
{
@@ -207,5 +212,41 @@ internal static class CliErrorRenderer
RenderScopeGuidance(error);
RenderRateLimitGuidance(error);
RenderAuthGuidance(error);
RenderOfflineKitGuidance(error);
}
private static bool TryGetReasonCode(CliError error, out string reasonCode)
{
reasonCode = "";
if (error.Metadata is null || error.Metadata.Count == 0)
{
return false;
}
if ((!error.Metadata.TryGetValue("reason_code", out reasonCode) || string.IsNullOrWhiteSpace(reasonCode)) &&
(!error.Metadata.TryGetValue("reasonCode", out reasonCode) || string.IsNullOrWhiteSpace(reasonCode)))
{
return false;
}
reasonCode = OfflineKitReasonCodes.Normalize(reasonCode) ?? "";
return reasonCode.Length > 0;
}
private static void RenderOfflineKitGuidance(CliError error)
{
if (!TryGetReasonCode(error, out var reasonCode))
{
return;
}
var remediation = OfflineKitReasonCodes.GetRemediation(reasonCode);
if (string.IsNullOrWhiteSpace(remediation))
{
return;
}
AnsiConsole.WriteLine();
AnsiConsole.MarkupLine($"[yellow]Remediation:[/] {Markup.Escape(remediation)}");
}
}

63
src/Cli/StellaOps.Cli/Output/OfflineKitReasonCodes.cs Normal file
View File

@@ -0,0 +1,63 @@
using StellaOps.Cli.Commands;
namespace StellaOps.Cli.Output;
public static class OfflineKitReasonCodes
{
public const string HashMismatch = "HASH_MISMATCH";
public const string SigFailCosign = "SIG_FAIL_COSIGN";
public const string SigFailManifest = "SIG_FAIL_MANIFEST";
public const string DsseVerifyFail = "DSSE_VERIFY_FAIL";
public const string RekorVerifyFail = "REKOR_VERIFY_FAIL";
public const string SelfTestFail = "SELFTEST_FAIL";
public const string VersionNonMonotonic = "VERSION_NON_MONOTONIC";
public const string PolicyDeny = "POLICY_DENY";
public static string? Normalize(string? reasonCode)
=> string.IsNullOrWhiteSpace(reasonCode) ? null : reasonCode.Trim().ToUpperInvariant();
public static int GetExitCode(string? reasonCode)
{
reasonCode = Normalize(reasonCode);
return reasonCode switch
{
HashMismatch => OfflineExitCodes.ChecksumMismatch,
SigFailCosign => OfflineExitCodes.SignatureFailure,
SigFailManifest => OfflineExitCodes.SignatureFailure,
DsseVerifyFail => OfflineExitCodes.DsseVerificationFailed,
RekorVerifyFail => OfflineExitCodes.RekorVerificationFailed,
VersionNonMonotonic => OfflineExitCodes.VersionNonMonotonic,
PolicyDeny => OfflineExitCodes.PolicyDenied,
SelfTestFail => OfflineExitCodes.SelftestFailed,
null => OfflineExitCodes.ImportFailed,
_ => OfflineExitCodes.ImportFailed
};
}
public static string? GetRemediation(string? reasonCode)
{
reasonCode = Normalize(reasonCode);
return reasonCode switch
{
HashMismatch =>
"Re-download the bundle and re-run import. If using removable media, verify the device is healthy and that the bundle digest matches the manifest.",
SigFailCosign =>
"Verify the Cosign signature and trust roots. Ensure you imported the correct signing public keys and that the signature matches the bundle.",
SigFailManifest =>
"Verify the manifest signature and trust roots. Ensure the manifest and its detached signature belong to the same kit version.",
DsseVerifyFail =>
"Verify DSSE trust roots and that the envelope key ID matches an allowed signer. Re-export the kit if the envelope is missing or malformed.",
RekorVerifyFail =>
"Verify Rekor inclusion proof settings (offline snapshot, UUID/index) and re-run verification. Check for time skew and stale transparency data.",
VersionNonMonotonic =>
"The incoming kit version is older than the active version. Import a newer kit, or use --force-activate (with a reason) for emergency rollback testing only.",
PolicyDeny =>
"The current policy denies activation. Review policy gates, waivers, and VEX precedence; then re-run import after updating policy inputs.",
SelfTestFail =>
"Run the Offline Kit self-test and review its output. Confirm required binaries, permissions, and disk space are available in the air-gapped environment.",
null => null,
_ => null
};
}
}

3
src/Cli/StellaOps.Cli/Program.cs
View File

@@ -16,6 +16,7 @@ using StellaOps.AirGap.Policy;
using StellaOps.Configuration;
using StellaOps.Policy.Scoring.Engine;
using StellaOps.ExportCenter.Client;
using StellaOps.ExportCenter.Core.EvidenceCache;
namespace StellaOps.Cli;
@@ -155,6 +156,8 @@ internal static class Program
services.AddSingleton<IScannerExecutor, ScannerExecutor>();
services.AddSingleton<IScannerInstaller, ScannerInstaller>();
services.AddSingleton<MigrationCommandService>();
services.AddSingleton(TimeProvider.System);
services.AddSingleton<IEvidenceCacheService, LocalEvidenceCacheService>();
// CLI-FORENSICS-53-001: Forensic snapshot client
services.AddHttpClient<IForensicSnapshotClient, ForensicSnapshotClient>(client =>

54
src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs
View File

@@ -2320,6 +2320,37 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
return null;
}
private static string? ExtractProblemExtensionString(ProblemDocument? problem, params string[] keys)
{
if (problem?.Extensions is null || problem.Extensions.Count == 0 || keys.Length == 0)
{
return null;
}
foreach (var key in keys)
{
if (!problem.Extensions.TryGetValue(key, out var value) || value is null)
{
continue;
}
switch (value)
{
case string text when !string.IsNullOrWhiteSpace(text):
return text;
case JsonElement element when element.ValueKind == JsonValueKind.String:
var parsed = element.GetString();
if (!string.IsNullOrWhiteSpace(parsed))
{
return parsed;
}
break;
}
}
return null;
}
private static string BuildPolicyFindingsQueryString(PolicyFindingsQuery query)
{
var parameters = new List<string>();
@@ -2853,6 +2884,7 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
{
// Extract error code from problem type URI
errorCode = ExtractErrorCodeFromProblemType(problem.Type);
errorCode ??= ExtractProblemErrorCode(problem);
if (!string.IsNullOrWhiteSpace(problem.Title))
{
@@ -2868,21 +2900,23 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
// Check for trace_id in extensions
if (problem.Extensions is not null)
{
if (problem.Extensions.TryGetValue("trace_id", out var tid) && tid is string tidStr)
var extensionTraceId = ExtractProblemExtensionString(problem, "trace_id", "traceId");
if (!string.IsNullOrWhiteSpace(extensionTraceId))
{
traceId ??= tidStr;
traceId ??= extensionTraceId;
}
if (problem.Extensions.TryGetValue("traceId", out var tid2) && tid2 is string tid2Str)
var extensionErrorCode = ExtractProblemExtensionString(problem, "error_code", "errorCode");
if (!string.IsNullOrWhiteSpace(extensionErrorCode))
{
traceId ??= tid2Str;
errorCode ??= extensionErrorCode;
}
if (problem.Extensions.TryGetValue("error_code", out var ec) && ec is string ecStr)
var reasonCode = ExtractProblemExtensionString(problem, "reason_code", "reasonCode");
if (!string.IsNullOrWhiteSpace(reasonCode))
{
errorCode ??= ecStr;
}
if (problem.Extensions.TryGetValue("errorCode", out var ec2) && ec2 is string ec2Str)
{
errorCode ??= ec2Str;
metadata ??= new Dictionary<string, object?>(StringComparer.Ordinal);
metadata["reason_code"] = reasonCode;
}
}
}

120
src/Cli/StellaOps.Cli/Services/FileBundleVersionStore.cs Normal file
View File

@@ -0,0 +1,120 @@
using System.Text.Json;
using Microsoft.Extensions.Logging;
using StellaOps.AirGap.Importer.Versioning;
namespace StellaOps.Cli.Services;
internal sealed class FileBundleVersionStore : IBundleVersionStore
{
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
{
WriteIndented = true
};
private readonly string _stateDirectory;
private readonly ILogger<FileBundleVersionStore> _logger;
public FileBundleVersionStore(string stateDirectory, ILogger<FileBundleVersionStore> logger)
{
ArgumentException.ThrowIfNullOrWhiteSpace(stateDirectory);
_stateDirectory = stateDirectory;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<BundleVersionRecord?> GetCurrentAsync(
string tenantId,
string bundleType,
CancellationToken ct = default)
{
var history = await GetHistoryInternalAsync(tenantId, bundleType, ct).ConfigureAwait(false);
return history
.OrderByDescending(record => record.ActivatedAt)
.ThenByDescending(record => record.VersionString, StringComparer.Ordinal)
.FirstOrDefault();
}
public async Task UpsertAsync(BundleVersionRecord record, CancellationToken ct = default)
{
ArgumentNullException.ThrowIfNull(record);
Directory.CreateDirectory(_stateDirectory);
var path = GetStatePath(record.TenantId, record.BundleType);
var history = await GetHistoryInternalAsync(record.TenantId, record.BundleType, ct).ConfigureAwait(false);
history.Add(record);
var ordered = history
.OrderBy(r => r.ActivatedAt)
.ThenBy(r => r.VersionString, StringComparer.Ordinal)
.ToList();
var tempPath = path + ".tmp";
await using (var stream = File.Create(tempPath))
{
await JsonSerializer.SerializeAsync(stream, ordered, JsonOptions, ct).ConfigureAwait(false);
}
File.Copy(tempPath, path, overwrite: true);
File.Delete(tempPath);
}
public async Task<IReadOnlyList<BundleVersionRecord>> GetHistoryAsync(
string tenantId,
string bundleType,
int limit = 10,
CancellationToken ct = default)
{
var history = await GetHistoryInternalAsync(tenantId, bundleType, ct).ConfigureAwait(false);
return history
.OrderByDescending(r => r.ActivatedAt)
.ThenByDescending(r => r.VersionString, StringComparer.Ordinal)
.Take(Math.Max(0, limit))
.ToArray();
}
private async Task<List<BundleVersionRecord>> GetHistoryInternalAsync(
string tenantId,
string bundleType,
CancellationToken ct)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentException.ThrowIfNullOrWhiteSpace(bundleType);
var path = GetStatePath(tenantId, bundleType);
if (!File.Exists(path))
{
return new List<BundleVersionRecord>();
}
try
{
await using var stream = File.OpenRead(path);
var records = await JsonSerializer.DeserializeAsync<List<BundleVersionRecord>>(stream, JsonOptions, ct).ConfigureAwait(false);
return records ?? new List<BundleVersionRecord>();
}
catch (Exception ex) when (ex is IOException or JsonException)
{
_logger.LogWarning(ex, "Failed to read bundle version history from {Path}", path);
return new List<BundleVersionRecord>();
}
}
private string GetStatePath(string tenantId, string bundleType)
{
var safeTenant = SanitizePathSegment(tenantId);
var safeBundleType = SanitizePathSegment(bundleType);
return Path.Combine(_stateDirectory, $"bundle-versions__{safeTenant}__{safeBundleType}.json");
}
private static string SanitizePathSegment(string value)
{
var trimmed = value.Trim().ToLowerInvariant();
var invalid = Path.GetInvalidFileNameChars();
var chars = trimmed
.Select(c => invalid.Contains(c) || c == '/' || c == '\\' || char.IsWhiteSpace(c) ? '_' : c)
.ToArray();
return new string(chars);
}
}

2
src/Cli/StellaOps.Cli/Services/MirrorBundleImportService.cs
View File

@@ -23,7 +23,6 @@ public sealed class MirrorBundleImportService : IMirrorBundleImportService
{
private readonly IBundleCatalogRepository _catalogRepository;
private readonly IBundleItemRepository _itemRepository;
private readonly ImportValidator _validator;
private readonly ILogger<MirrorBundleImportService> _logger;
public MirrorBundleImportService(
@@ -34,7 +33,6 @@ public sealed class MirrorBundleImportService : IMirrorBundleImportService
_catalogRepository = catalogRepository ?? throw new ArgumentNullException(nameof(catalogRepository));
_itemRepository = itemRepository ?? throw new ArgumentNullException(nameof(itemRepository));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_validator = new ImportValidator();
}
public async Task<MirrorImportResult> ImportAsync(MirrorImportRequest request, CancellationToken cancellationToken)

92
src/Cli/StellaOps.Cli/Services/OfflineKitStateStore.cs Normal file
View File

@@ -0,0 +1,92 @@
using System.Text.Json;
using Microsoft.Extensions.Logging;
namespace StellaOps.Cli.Services;
internal sealed class OfflineKitStateStore
{
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
{
WriteIndented = true
};
private readonly string _stateDirectory;
private readonly ILogger<OfflineKitStateStore> _logger;
public OfflineKitStateStore(string stateDirectory, ILogger<OfflineKitStateStore> logger)
{
ArgumentException.ThrowIfNullOrWhiteSpace(stateDirectory);
_stateDirectory = stateDirectory;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task SaveActiveAsync(OfflineKitActiveState state, CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(state);
Directory.CreateDirectory(_stateDirectory);
var path = GetActiveStatePath(state.TenantId);
var temp = path + ".tmp";
await using (var stream = File.Create(temp))
{
await JsonSerializer.SerializeAsync(stream, state, JsonOptions, cancellationToken).ConfigureAwait(false);
}
File.Copy(temp, path, overwrite: true);
File.Delete(temp);
}
public async Task<OfflineKitActiveState?> LoadActiveAsync(string tenantId, CancellationToken cancellationToken)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
var path = GetActiveStatePath(tenantId);
if (!File.Exists(path))
{
return null;
}
try
{
await using var stream = File.OpenRead(path);
return await JsonSerializer.DeserializeAsync<OfflineKitActiveState>(stream, JsonOptions, cancellationToken).ConfigureAwait(false);
}
catch (Exception ex) when (ex is IOException or JsonException)
{
_logger.LogWarning(ex, "Failed to read offline kit state from {Path}", path);
return null;
}
}
private string GetActiveStatePath(string tenantId)
{
var safeTenant = SanitizePathSegment(tenantId);
return Path.Combine(_stateDirectory, $"offline-kit-active__{safeTenant}.json");
}
private static string SanitizePathSegment(string value)
{
var trimmed = value.Trim().ToLowerInvariant();
var invalid = Path.GetInvalidFileNameChars();
var chars = trimmed
.Select(c => invalid.Contains(c) || c == '/' || c == '\\' || char.IsWhiteSpace(c) ? '_' : c)
.ToArray();
return new string(chars);
}
}
internal sealed record OfflineKitActiveState(
string TenantId,
string BundlePath,
string ManifestPath,
string Version,
DateTimeOffset ManifestCreatedAt,
string PayloadSha256,
string BundleDigest,
DateTimeOffset ActivatedAt,
bool DsseVerified,
bool RekorVerified,
bool WasForceActivated,
string? ForceActivateReason);

80
src/Cli/StellaOps.Cli/Services/Transport/StellaOpsClientBase.cs
View File

@@ -237,10 +237,29 @@ public abstract class StellaOpsClientBase : IDisposable
var problem = JsonSerializer.Deserialize<ProblemDocument>(content, JsonOptions);
if (problem is not null)
{
var code = ExtractErrorCodeFromProblemType(problem.Type)
?? ExtractProblemExtensionString(problem, "error_code", "errorCode")
?? ExtractProblemExtensionString(problem, "code")
?? $"ERR_HTTP_{statusCode}";
var traceId = ExtractProblemExtensionString(problem, "trace_id", "traceId");
Dictionary<string, string>? metadata = null;
var reasonCode = ExtractProblemExtensionString(problem, "reason_code", "reasonCode");
if (!string.IsNullOrWhiteSpace(reasonCode))
{
metadata = new Dictionary<string, string>(StringComparer.Ordinal)
{
["reason_code"] = reasonCode
};
}
return new CliError(
Code: problem.Type ?? $"ERR_HTTP_{statusCode}",
Code: code,
Message: problem.Title ?? $"HTTP error {statusCode}",
Detail: problem.Detail);
TraceId: traceId,
Detail: problem.Detail,
Metadata: metadata);
}
}
catch (JsonException)
@@ -253,6 +272,63 @@ public abstract class StellaOpsClientBase : IDisposable
return CliError.FromHttpStatus(statusCode, content);
}
private static string? ExtractErrorCodeFromProblemType(string? type)
{
if (string.IsNullOrWhiteSpace(type))
{
return null;
}
if (type.StartsWith("urn:stellaops:error:", StringComparison.OrdinalIgnoreCase))
{
return type[20..];
}
if (type.Contains("/errors/", StringComparison.OrdinalIgnoreCase))
{
var idx = type.LastIndexOf("/errors/", StringComparison.OrdinalIgnoreCase);
return idx < 0 ? null : type[(idx + 8)..];
}
if (type.StartsWith("ERR_", StringComparison.OrdinalIgnoreCase))
{
return type;
}
return null;
}
private static string? ExtractProblemExtensionString(ProblemDocument? problem, params string[] keys)
{
if (problem?.Extensions is null || problem.Extensions.Count == 0 || keys.Length == 0)
{
return null;
}
foreach (var key in keys)
{
if (!problem.Extensions.TryGetValue(key, out var value) || value is null)
{
continue;
}
switch (value)
{
case string text when !string.IsNullOrWhiteSpace(text):
return text;
case JsonElement element when element.ValueKind == JsonValueKind.String:
var parsed = element.GetString();
if (!string.IsNullOrWhiteSpace(parsed))
{
return parsed;
}
break;
}
}
return null;
}
public void Dispose()
{
if (_disposed)

1
src/Cli/StellaOps.Cli/StellaOps.Cli.csproj
View File

@@ -71,6 +71,7 @@
<ProjectReference Include="../../Excititor/__Libraries/StellaOps.Excititor.Storage.Postgres/StellaOps.Excititor.Storage.Postgres.csproj" />
<ProjectReference Include="../../Policy/StellaOps.Policy.Scoring/StellaOps.Policy.Scoring.csproj" />
<ProjectReference Include="../../ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Client/StellaOps.ExportCenter.Client.csproj" />
<ProjectReference Include="../../ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/StellaOps.ExportCenter.Core.csproj" />
</ItemGroup>
<ItemGroup Condition="'$(StellaOpsEnableCryptoPro)' == 'true'">

2
src/Cli/StellaOps.Cli/TASKS.md
View File

@@ -7,3 +7,5 @@
| `CLI-AIAI-31-002` | DONE (2025-11-24) | `stella advise explain` (conflict narrative) command implemented and tested. |
| `CLI-AIAI-31-003` | DONE (2025-11-24) | `stella advise remediate` command implemented and tested. |
| `CLI-AIAI-31-004` | DONE (2025-11-24) | `stella advise batch` supports multi-key runs, per-key outputs, summary table, and tests (`HandleAdviseBatchAsync_RunsAllAdvisories`). |
| `CLI-AIRGAP-339-001` | DONE (2025-12-15) | Implemented `stella offline import/status` (DSSE verify, monotonicity + quarantine hooks, state storage), plus tests and docs; Rekor inclusion proof verification and `verify offline` policy remain blocked pending contracts. |
| `CLI-AIRGAP-341-001` | DONE (2025-12-15) | Sprint 0341: Offline Kit reason/error codes and ProblemDetails integration shipped; tests passing. |

25
src/Cli/__Tests/StellaOps.Cli.Tests/Commands/CommandFactoryTests.cs
View File

@@ -11,6 +11,31 @@ namespace StellaOps.Cli.Tests.Commands;
public sealed class CommandFactoryTests
{
[Fact]
public void Create_ExposesOfflineCommands()
{
using var loggerFactory = LoggerFactory.Create(builder => builder.SetMinimumLevel(LogLevel.None));
var services = new ServiceCollection().BuildServiceProvider();
var root = CommandFactory.Create(services, new StellaOpsCliOptions(), CancellationToken.None, loggerFactory);
var offline = Assert.Single(root.Subcommands, command => string.Equals(command.Name, "offline", StringComparison.Ordinal));
Assert.Contains(offline.Subcommands, command => string.Equals(command.Name, "import", StringComparison.Ordinal));
Assert.Contains(offline.Subcommands, command => string.Equals(command.Name, "status", StringComparison.Ordinal));
}
[Fact]
public void Create_ExposesExportCacheCommands()
{
using var loggerFactory = LoggerFactory.Create(builder => builder.SetMinimumLevel(LogLevel.None));
var services = new ServiceCollection().BuildServiceProvider();
var root = CommandFactory.Create(services, new StellaOpsCliOptions(), CancellationToken.None, loggerFactory);
var export = Assert.Single(root.Subcommands, command => string.Equals(command.Name, "export", StringComparison.Ordinal));
var cache = Assert.Single(export.Subcommands, command => string.Equals(command.Name, "cache", StringComparison.Ordinal));
Assert.Contains(cache.Subcommands, command => string.Equals(command.Name, "stats", StringComparison.Ordinal));
Assert.Contains(cache.Subcommands, command => string.Equals(command.Name, "process-queue", StringComparison.Ordinal));
}
[Fact]
public void Create_ExposesRubyInspectAndResolveCommands()
{

282
src/Cli/__Tests/StellaOps.Cli.Tests/Commands/CommandHandlersTests.cs
View File

@@ -134,21 +134,23 @@ public sealed class CommandHandlersTests
var console = new TestConsole();
var originalConsole = AnsiConsole.Console;
var bestPlan = new EntryTracePlan(
ImmutableArray.Create("/usr/bin/python", "app.py"),
ImmutableDictionary<string, string>.Empty,
"/workspace",
"appuser",
"/usr/bin/python",
EntryTraceTerminalType.Managed,
"python",
0.95,
ImmutableDictionary<string, string>.Empty);
var graph = new EntryTraceGraph(
EntryTraceOutcome.Resolved,
ImmutableArray<EntryTraceNode>.Empty,
ImmutableArray<EntryTraceEdge>.Empty,
ImmutableArray<EntryTraceDiagnostic>.Empty,
ImmutableArray.Create(new EntryTracePlan(
ImmutableArray.Create("/usr/bin/python", "app.py"),
ImmutableDictionary<string, string>.Empty,
"/workspace",
"appuser",
"/usr/bin/python",
EntryTraceTerminalType.Managed,
"python",
0.95,
ImmutableDictionary<string, string>.Empty)),
ImmutableArray.Create(bestPlan),
ImmutableArray.Create(new EntryTraceTerminal(
"/usr/bin/python",
EntryTraceTerminalType.Managed,
@@ -166,7 +168,8 @@ public sealed class CommandHandlersTests
"sha256:deadbeef",
DateTimeOffset.Parse("2025-11-02T12:00:00Z", CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal),
graph,
new[] { "{\"type\":\"terminal\"}" })
new[] { "{\"type\":\"terminal\"}" },
bestPlan)
};
var provider = BuildServiceProvider(backend);
@@ -178,6 +181,7 @@ public sealed class CommandHandlersTests
provider,
"scan-123",
includeNdjson: true,
includeSemantic: false,
verbose: false,
cancellationToken: CancellationToken.None);
@@ -211,6 +215,7 @@ public sealed class CommandHandlersTests
provider,
"scan-missing",
includeNdjson: false,
includeSemantic: false,
verbose: false,
cancellationToken: CancellationToken.None));
@@ -1342,104 +1347,6 @@ public sealed class CommandHandlersTests
}
}
[Fact]
public async Task HandleAdviseRunAsync_WritesMarkdownWithCitations_ForExplain()
{
var originalExit = Environment.ExitCode;
var originalConsole = AnsiConsole.Console;
var testConsole = new TestConsole();
try
{
Environment.ExitCode = 0;
AnsiConsole.Console = testConsole;
var planResponse = new AdvisoryPipelinePlanResponseModel
{
TaskType = "Conflict",
CacheKey = "plan-conflict",
PromptTemplate = "prompts/advisory/conflict.liquid",
Budget = new AdvisoryTaskBudgetModel
{
PromptTokens = 128,
CompletionTokens = 64
},
Chunks = Array.Empty<PipelineChunkSummaryModel>(),
Vectors = Array.Empty<PipelineVectorSummaryModel>(),
Metadata = new Dictionary<string, string>()
};
var outputResponse = new AdvisoryPipelineOutputModel
{
CacheKey = planResponse.CacheKey,
TaskType = planResponse.TaskType,
Profile = "default",
Prompt = "Sanitized prompt",
Response = "Rendered conflict body.",
Citations = new[]
{
new AdvisoryOutputCitationModel { Index = 1, DocumentId = "doc-42", ChunkId = "chunk-42" }
},
Metadata = new Dictionary<string, string>(),
Guardrail = new AdvisoryOutputGuardrailModel
{
Blocked = false,
SanitizedPrompt = "Sanitized prompt",
Violations = Array.Empty<AdvisoryOutputGuardrailViolationModel>(),
Metadata = new Dictionary<string, string>()
},
Provenance = new AdvisoryOutputProvenanceModel
{
InputDigest = "sha256:conflict-in",
OutputHash = "sha256:conflict-out",
Signatures = Array.Empty<string>()
},
GeneratedAtUtc = DateTimeOffset.Parse("2025-11-06T12:00:00Z", CultureInfo.InvariantCulture),
PlanFromCache = false
};
var backend = new StubBackendClient(new JobTriggerResult(true, "ok", null, null))
{
AdvisoryPlanResponse = planResponse,
AdvisoryOutputResponse = outputResponse
};
var provider = BuildServiceProvider(backend);
var outputPath = Path.GetTempFileName();
await CommandHandlers.HandleAdviseRunAsync(
provider,
AdvisoryAiTaskType.Conflict,
"ADV-42",
null,
null,
null,
"default",
Array.Empty<string>(),
forceRefresh: false,
timeoutSeconds: 0,
outputFormat: AdvisoryOutputFormat.Markdown,
outputPath: outputPath,
verbose: false,
cancellationToken: CancellationToken.None);
var markdown = await File.ReadAllTextAsync(outputPath);
Assert.Contains("Conflict", markdown, StringComparison.OrdinalIgnoreCase);
Assert.Contains("Rendered conflict body", markdown, StringComparison.OrdinalIgnoreCase);
Assert.Contains("doc-42", markdown, StringComparison.OrdinalIgnoreCase);
Assert.Contains("chunk-42", markdown, StringComparison.OrdinalIgnoreCase);
Assert.Contains("Citations", markdown, StringComparison.OrdinalIgnoreCase);
Assert.Equal(0, Environment.ExitCode);
Assert.Contains("Conflict", testConsole.Output, StringComparison.OrdinalIgnoreCase);
Assert.Equal(AdvisoryAiTaskType.Conflict, backend.AdvisoryPlanRequests.Last().TaskType);
}
finally
{
AnsiConsole.Console = originalConsole;
Environment.ExitCode = originalExit;
}
}
[Fact]
public async Task HandleAdviseRunAsync_WritesMarkdownWithCitations_ForRemediationTask()
{
@@ -2503,6 +2410,7 @@ public sealed class CommandHandlersTests
"sbom:S-42",
new[] { "CVE-2021-23337", "GHSA-xxxx-yyyy" },
new PolicyFindingVexMetadata("VendorX-123", "vendor-x", "not_affected"),
null,
4,
DateTimeOffset.Parse("2025-10-26T14:06:01Z", CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal),
"run:P-7:2025-10-26:auto")
@@ -2570,6 +2478,7 @@ public sealed class CommandHandlersTests
"sbom:S-99",
Array.Empty<string>(),
null,
null,
3,
DateTimeOffset.MinValue,
null)
@@ -2638,6 +2547,7 @@ public sealed class CommandHandlersTests
"sbom:S-1",
new[] { "CVE-1111" },
new PolicyFindingVexMetadata("VendorY-9", null, "affected"),
null,
7,
DateTimeOffset.Parse("2025-10-26T12:34:56Z", CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal),
"run:P-9:1234")
@@ -2787,6 +2697,14 @@ public sealed class CommandHandlersTests
outputPath: null,
explain: true,
failOnDiff: false,
withExceptions: Array.Empty<string>(),
withoutExceptions: Array.Empty<string>(),
mode: null,
sbomSelectors: Array.Empty<string>(),
includeHeatmap: false,
manifestDownload: false,
reachabilityStates: Array.Empty<string>(),
reachabilityScores: Array.Empty<string>(),
verbose: false,
cancellationToken: CancellationToken.None);
@@ -2849,6 +2767,14 @@ public sealed class CommandHandlersTests
outputPath: null,
explain: false,
failOnDiff: false,
withExceptions: Array.Empty<string>(),
withoutExceptions: Array.Empty<string>(),
mode: null,
sbomSelectors: Array.Empty<string>(),
includeHeatmap: false,
manifestDownload: false,
reachabilityStates: Array.Empty<string>(),
reachabilityScores: Array.Empty<string>(),
verbose: false,
cancellationToken: CancellationToken.None);
@@ -2898,6 +2824,14 @@ public sealed class CommandHandlersTests
outputPath: null,
explain: false,
failOnDiff: true,
withExceptions: Array.Empty<string>(),
withoutExceptions: Array.Empty<string>(),
mode: null,
sbomSelectors: Array.Empty<string>(),
includeHeatmap: false,
manifestDownload: false,
reachabilityStates: Array.Empty<string>(),
reachabilityScores: Array.Empty<string>(),
verbose: false,
cancellationToken: CancellationToken.None);
@@ -2937,6 +2871,14 @@ public sealed class CommandHandlersTests
outputPath: null,
explain: false,
failOnDiff: false,
withExceptions: Array.Empty<string>(),
withoutExceptions: Array.Empty<string>(),
mode: null,
sbomSelectors: Array.Empty<string>(),
includeHeatmap: false,
manifestDownload: false,
reachabilityStates: Array.Empty<string>(),
reachabilityScores: Array.Empty<string>(),
verbose: false,
cancellationToken: CancellationToken.None);
@@ -4454,6 +4396,7 @@ spec:
"sbom:default",
Array.Empty<string>(),
null,
null,
1,
DateTimeOffset.UtcNow,
null);
@@ -4472,7 +4415,7 @@ spec:
public List<(AdvisoryAiTaskType TaskType, AdvisoryPipelinePlanRequestModel Request)> AdvisoryPlanRequests { get; } = new();
public AdvisoryPipelinePlanResponseModel? AdvisoryPlanResponse { get; set; }
public Exception? AdvisoryPlanException { get; set; }
public Queue<AdvisoryPipelineOutputModel?> AdvisoryOutputQueue { get; } = new();
public Queue<AdvisoryPipelineOutputModel?> AdvisoryOutputQueue { get; set; } = new();
public AdvisoryPipelineOutputModel? AdvisoryOutputResponse { get; set; }
public Exception? AdvisoryOutputException { get; set; }
public List<(string CacheKey, AdvisoryAiTaskType TaskType, string Profile)> AdvisoryOutputRequests { get; } = new();
@@ -4704,6 +4647,119 @@ spec:
return Task.FromResult(AdvisoryOutputResponse);
}
public Task<RiskProfileListResponse> ListRiskProfilesAsync(RiskProfileListRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new RiskProfileListResponse());
public Task<RiskSimulateResult> SimulateRiskAsync(RiskSimulateRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new RiskSimulateResult());
public Task<RiskResultsResponse> GetRiskResultsAsync(RiskResultsRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new RiskResultsResponse());
public Task<RiskBundleVerifyResult> VerifyRiskBundleAsync(RiskBundleVerifyRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new RiskBundleVerifyResult());
public Task<ReachabilityUploadCallGraphResult> UploadCallGraphAsync(ReachabilityUploadCallGraphRequest request, Stream callGraphStream, CancellationToken cancellationToken)
=> Task.FromResult(new ReachabilityUploadCallGraphResult());
public Task<ReachabilityListResponse> ListReachabilityAnalysesAsync(ReachabilityListRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new ReachabilityListResponse());
public Task<ReachabilityExplainResult> ExplainReachabilityAsync(ReachabilityExplainRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new ReachabilityExplainResult());
public Task<GraphExplainResult> ExplainGraphAsync(GraphExplainRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new GraphExplainResult());
public Task<ApiSpecListResponse> ListApiSpecsAsync(string? tenant, CancellationToken cancellationToken)
=> Task.FromResult(new ApiSpecListResponse());
public Task<ApiSpecDownloadResult> DownloadApiSpecAsync(ApiSpecDownloadRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new ApiSpecDownloadResult());
public Task<SdkUpdateResponse> CheckSdkUpdatesAsync(SdkUpdateRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new SdkUpdateResponse());
public Task<SdkListResponse> ListInstalledSdksAsync(string? language, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult(new SdkListResponse());
public Task<PolicyHistoryResponse> GetPolicyHistoryAsync(PolicyHistoryRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicyHistoryResponse());
public Task<PolicyExplainResult> GetPolicyExplainAsync(PolicyExplainRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicyExplainResult());
public Task<PolicyVersionBumpResult> BumpPolicyVersionAsync(PolicyVersionBumpRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicyVersionBumpResult());
public Task<PolicySubmitResult> SubmitPolicyForReviewAsync(PolicySubmitRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicySubmitResult());
public Task<PolicyReviewCommentResult> AddPolicyReviewCommentAsync(PolicyReviewCommentRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicyReviewCommentResult());
public Task<PolicyApproveResult> ApprovePolicyReviewAsync(PolicyApproveRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicyApproveResult());
public Task<PolicyRejectResult> RejectPolicyReviewAsync(PolicyRejectRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicyRejectResult());
public Task<PolicyReviewSummary?> GetPolicyReviewStatusAsync(PolicyReviewStatusRequest request, CancellationToken cancellationToken)
=> Task.FromResult<PolicyReviewSummary?>(null);
public Task<PolicyPublishResult> PublishPolicyAsync(PolicyPublishRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicyPublishResult());
public Task<PolicyPromoteResult> PromotePolicyAsync(PolicyPromoteRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicyPromoteResult());
public Task<PolicyRollbackResult> RollbackPolicyAsync(PolicyRollbackRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicyRollbackResult());
public Task<PolicySignResult> SignPolicyAsync(PolicySignRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicySignResult());
public Task<PolicyVerifySignatureResult> VerifyPolicySignatureAsync(PolicyVerifySignatureRequest request, CancellationToken cancellationToken)
=> Task.FromResult(new PolicyVerifySignatureResult());
public Task<VexConsensusListResponse> ListVexConsensusAsync(VexConsensusListRequest request, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult(new VexConsensusListResponse(Array.Empty<VexConsensusItem>(), 0, 0, 0, false));
public Task<VexConsensusDetailResponse?> GetVexConsensusAsync(string vulnerabilityId, string productKey, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult<VexConsensusDetailResponse?>(null);
public Task<VexSimulationResponse> SimulateVexConsensusAsync(VexSimulationRequest request, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult(new VexSimulationResponse(
Array.Empty<VexSimulationResultItem>(),
new VexSimulationParameters(0.0, 0),
new VexSimulationSummary(0, 0, 0, 0, 0)));
public Task<VexExportResponse> ExportVexConsensusAsync(VexExportRequest request, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult(new VexExportResponse("export-0"));
public Task<Stream> DownloadVexExportAsync(string exportId, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult<Stream>(new MemoryStream(Encoding.UTF8.GetBytes("{}")));
public Task<VulnListResponse> ListVulnerabilitiesAsync(VulnListRequest request, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult(new VulnListResponse(Array.Empty<VulnItem>(), 0, 0, 0, false));
public Task<VulnDetailResponse?> GetVulnerabilityAsync(string vulnerabilityId, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult<VulnDetailResponse?>(null);
public Task<VulnWorkflowResponse> ExecuteVulnWorkflowAsync(VulnWorkflowRequest request, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult(new VulnWorkflowResponse(true, request.Action, 0, Array.Empty<string>()));
public Task<VulnSimulationResponse> SimulateVulnerabilitiesAsync(VulnSimulationRequest request, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult(new VulnSimulationResponse(
Array.Empty<VulnSimulationDelta>(),
new VulnSimulationSummary(0, 0, 0, 0, 0)));
public Task<VulnExportResponse> ExportVulnerabilitiesAsync(VulnExportRequest request, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult(new VulnExportResponse("export-0"));
public Task<Stream> DownloadVulnExportAsync(string exportId, string? tenant, CancellationToken cancellationToken)
=> Task.FromResult<Stream>(new MemoryStream(Encoding.UTF8.GetBytes("{}")));
}
private sealed class StubExecutor : IScannerExecutor
@@ -4832,6 +4888,12 @@ spec:
LastQuery = query;
return Task.FromResult(_response);
}
public Task<AdvisoryLinksetResponse> GetLinksetAsync(AdvisoryLinksetQuery query, CancellationToken cancellationToken)
=> Task.FromResult(new AdvisoryLinksetResponse());
public Task<AdvisoryLinksetObservation?> GetObservationByIdAsync(string tenant, string observationId, CancellationToken cancellationToken)
=> Task.FromResult<AdvisoryLinksetObservation?>(null);
}
[Fact]

126
src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ExportCacheCommandHandlersTests.cs Normal file
View File

@@ -0,0 +1,126 @@
using System;
using System.IO;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Spectre.Console;
using Spectre.Console.Testing;
using StellaOps.Cli.Commands;
using StellaOps.Cli.Tests.Testing;
using StellaOps.ExportCenter.Core.EvidenceCache;
namespace StellaOps.Cli.Tests.Commands;
public sealed class ExportCacheCommandHandlersTests
{
[Fact]
public async Task HandleExportCacheStatsAsync_Json_EmitsStatistics()
{
using var temp = new TempDirectory();
var scanOutputPath = temp.Path;
var cacheService = new LocalEvidenceCacheService(TimeProvider.System, NullLogger<LocalEvidenceCacheService>.Instance);
await cacheService.CacheEvidenceAsync(
scanOutputPath,
new CachedEvidenceBundle
{
AlertId = "alert-1",
ArtifactId = "scan-1",
ComputedAt = DateTimeOffset.Parse("2025-12-14T00:00:00Z"),
Reachability = new CachedEvidenceSection { Status = EvidenceStatus.Available },
CallStack = new CachedEvidenceSection { Status = EvidenceStatus.Available },
Provenance = new CachedEvidenceSection { Status = EvidenceStatus.Available },
VexStatus = new CachedEvidenceSection { Status = EvidenceStatus.Available }
},
CancellationToken.None);
using var services = BuildServices(cacheService);
var output = await CaptureTestConsoleAsync(console => CommandHandlers.HandleExportCacheStatsAsync(
services,
scanOutputPath,
json: true,
verbose: false,
CancellationToken.None));
Assert.Equal(0, output.ExitCode);
using var document = JsonDocument.Parse(output.Console.Trim());
Assert.Equal(Path.GetFullPath(scanOutputPath), document.RootElement.GetProperty("scanOutput").GetString());
Assert.Equal(1, document.RootElement.GetProperty("statistics").GetProperty("totalBundles").GetInt32());
}
[Fact]
public async Task HandleExportCacheProcessQueueAsync_Json_EmitsCounts()
{
using var temp = new TempDirectory();
var scanOutputPath = temp.Path;
var cacheService = new LocalEvidenceCacheService(TimeProvider.System, NullLogger<LocalEvidenceCacheService>.Instance);
await cacheService.CacheEvidenceAsync(
scanOutputPath,
new CachedEvidenceBundle
{
AlertId = "alert-1",
ArtifactId = "scan-1",
ComputedAt = DateTimeOffset.Parse("2025-12-14T00:00:00Z"),
Reachability = new CachedEvidenceSection { Status = EvidenceStatus.Available },
CallStack = new CachedEvidenceSection { Status = EvidenceStatus.Available },
Provenance = new CachedEvidenceSection { Status = EvidenceStatus.PendingEnrichment, UnavailableReason = "offline" },
VexStatus = new CachedEvidenceSection { Status = EvidenceStatus.Available }
},
CancellationToken.None);
using var services = BuildServices(cacheService);
var output = await CaptureTestConsoleAsync(console => CommandHandlers.HandleExportCacheProcessQueueAsync(
services,
scanOutputPath,
json: true,
verbose: false,
CancellationToken.None));
Assert.Equal(0, output.ExitCode);
using var document = JsonDocument.Parse(output.Console.Trim());
var result = document.RootElement.GetProperty("result");
Assert.Equal(0, result.GetProperty("processedCount").GetInt32());
Assert.Equal(1, result.GetProperty("failedCount").GetInt32());
Assert.Equal(1, result.GetProperty("remainingCount").GetInt32());
}
private static ServiceProvider BuildServices(IEvidenceCacheService cacheService)
{
var services = new ServiceCollection();
services.AddSingleton(TimeProvider.System);
services.AddSingleton(cacheService);
services.AddSingleton<ILoggerFactory>(_ => LoggerFactory.Create(builder => builder.SetMinimumLevel(LogLevel.None)));
return services.BuildServiceProvider();
}
private static async Task<CapturedConsoleOutput> CaptureTestConsoleAsync(Func<TestConsole, Task<int>> action)
{
var testConsole = new TestConsole();
testConsole.Width(4000);
var originalConsole = AnsiConsole.Console;
var originalOut = Console.Out;
using var writer = new StringWriter();
try
{
AnsiConsole.Console = testConsole;
Console.SetOut(writer);
var exitCode = await action(testConsole).ConfigureAwait(false);
return new CapturedConsoleOutput(exitCode, testConsole.Output.ToString(), writer.ToString());
}
finally
{
Console.SetOut(originalOut);
AnsiConsole.Console = originalConsole;
}
}
private sealed record CapturedConsoleOutput(int ExitCode, string Console, string Plain);
}

277
src/Cli/__Tests/StellaOps.Cli.Tests/Commands/OfflineCommandHandlersTests.cs Normal file
View File

@@ -0,0 +1,277 @@
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Spectre.Console;
using Spectre.Console.Testing;
using StellaOps.Cli.Commands;
using StellaOps.Cli.Configuration;
using StellaOps.Cli.Telemetry;
using StellaOps.Cli.Tests.Testing;
namespace StellaOps.Cli.Tests.Commands;
public sealed class OfflineCommandHandlersTests
{
[Fact]
public async Task HandleOfflineImportAsync_ForceActivateRequiresReason()
{
using var temp = new TempDirectory();
var bundlePath = Path.Combine(temp.Path, "bundle.tar.zst");
await File.WriteAllTextAsync(bundlePath, "payload", CancellationToken.None);
using var services = BuildServices(new StellaOpsCliOptions
{
Offline = new StellaOpsCliOfflineOptions
{
KitsDirectory = Path.Combine(temp.Path, "offline-kits")
}
});
var originalExitCode = Environment.ExitCode;
try
{
var output = await CaptureTestConsoleAsync(console => CommandHandlers.HandleOfflineImportAsync(
services,
tenant: null,
bundlePath: bundlePath,
manifestPath: null,
verifyDsse: false,
verifyRekor: false,
trustRootPath: null,
forceActivate: true,
forceReason: null,
dryRun: true,
outputFormat: "json",
verbose: false,
cancellationToken: CancellationToken.None));
Assert.Equal(OfflineExitCodes.ValidationFailed, Environment.ExitCode);
using var document = JsonDocument.Parse(output.Console.Trim());
Assert.Equal("error", document.RootElement.GetProperty("status").GetString());
Assert.Equal(OfflineExitCodes.ValidationFailed, document.RootElement.GetProperty("exitCode").GetInt32());
Assert.Contains("force-reason", document.RootElement.GetProperty("message").GetString() ?? string.Empty, StringComparison.OrdinalIgnoreCase);
}
finally
{
Environment.ExitCode = originalExitCode;
}
}
[Fact]
public async Task HandleOfflineImportAndStatusAsync_SavesActiveState()
{
using var temp = new TempDirectory();
var bundleDir = Path.Combine(temp.Path, "bundle");
Directory.CreateDirectory(bundleDir);
var bundlePath = Path.Combine(bundleDir, "bundle-1.0.0.tar.zst");
var bundleBytes = Encoding.UTF8.GetBytes("deterministic-offline-kit");
await File.WriteAllBytesAsync(bundlePath, bundleBytes, CancellationToken.None);
var bundleDigest = ComputeSha256Hex(bundleBytes);
var manifestPath = Path.Combine(bundleDir, "manifest.json");
var manifestJson = JsonSerializer.Serialize(new
{
version = "1.0.0",
created_at = "2025-12-14T00:00:00Z",
payload_sha256 = bundleDigest
}, new JsonSerializerOptions(JsonSerializerDefaults.Web) { WriteIndented = true });
await File.WriteAllTextAsync(manifestPath, manifestJson, CancellationToken.None);
using var rsa = RSA.Create(2048);
var publicKeyDer = rsa.ExportSubjectPublicKeyInfo();
var fingerprint = ComputeSha256Hex(publicKeyDer);
var trustRootPath = Path.Combine(bundleDir, "trust-root.pub");
await File.WriteAllTextAsync(trustRootPath, WrapPem("PUBLIC KEY", publicKeyDer), CancellationToken.None);
var payloadJson = JsonSerializer.Serialize(new
{
subject = new[]
{
new
{
digest = new
{
sha256 = bundleDigest
}
}
}
}, new JsonSerializerOptions(JsonSerializerDefaults.Web));
var payloadBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payloadJson));
var pae = BuildDssePae("application/vnd.in-toto+json", payloadBase64);
var signature = Convert.ToBase64String(rsa.SignData(pae, HashAlgorithmName.SHA256, RSASignaturePadding.Pss));
var dssePath = Path.Combine(bundleDir, "statement.dsse.json");
var dsseJson = JsonSerializer.Serialize(new
{
payloadType = "application/vnd.in-toto+json",
payload = payloadBase64,
signatures = new[]
{
new { keyid = fingerprint, sig = signature }
}
}, new JsonSerializerOptions(JsonSerializerDefaults.Web) { WriteIndented = true });
await File.WriteAllTextAsync(dssePath, dsseJson, CancellationToken.None);
var rootHash = "deadbeef";
var rekorPath = Path.Combine(bundleDir, "rekor-receipt.json");
var rekorJson = JsonSerializer.Serialize(new
{
uuid = "rekor-test",
logIndex = 42,
rootHash,
hashes = new[] { "hash-1" },
checkpoint = $"checkpoint {rootHash}"
}, new JsonSerializerOptions(JsonSerializerDefaults.Web) { WriteIndented = true });
await File.WriteAllTextAsync(rekorPath, rekorJson, CancellationToken.None);
var kitsDirectory = Path.Combine(temp.Path, "offline-kits");
using var services = BuildServices(new StellaOpsCliOptions
{
Offline = new StellaOpsCliOfflineOptions
{
KitsDirectory = kitsDirectory
}
});
var originalExitCode = Environment.ExitCode;
try
{
var importOutput = await CaptureTestConsoleAsync(console => CommandHandlers.HandleOfflineImportAsync(
services,
tenant: null,
bundlePath: bundlePath,
manifestPath: manifestPath,
verifyDsse: true,
verifyRekor: true,
trustRootPath: trustRootPath,
forceActivate: false,
forceReason: null,
dryRun: false,
outputFormat: "json",
verbose: false,
cancellationToken: CancellationToken.None));
Assert.Equal(OfflineExitCodes.Success, Environment.ExitCode);
using (var document = JsonDocument.Parse(importOutput.Console.Trim()))
{
Assert.Equal("imported", document.RootElement.GetProperty("status").GetString());
Assert.Equal(OfflineExitCodes.Success, document.RootElement.GetProperty("exitCode").GetInt32());
Assert.True(document.RootElement.GetProperty("dsseVerified").GetBoolean());
Assert.True(document.RootElement.GetProperty("rekorVerified").GetBoolean());
Assert.Equal("1.0.0", document.RootElement.GetProperty("version").GetString());
}
var statePath = Path.Combine(kitsDirectory, ".state", "offline-kit-active__default.json");
Assert.True(File.Exists(statePath));
var statusOutput = await CaptureTestConsoleAsync(console => CommandHandlers.HandleOfflineStatusAsync(
services,
tenant: null,
outputFormat: "json",
verbose: false,
cancellationToken: CancellationToken.None));
Assert.Equal(OfflineExitCodes.Success, Environment.ExitCode);
using (var document = JsonDocument.Parse(statusOutput.Console.Trim()))
{
Assert.Equal("default", document.RootElement.GetProperty("tenantId").GetString());
var active = document.RootElement.GetProperty("active");
Assert.Equal("bundle-1.0.0.tar.zst", active.GetProperty("kitId").GetString());
Assert.Equal("1.0.0", active.GetProperty("version").GetString());
Assert.Equal($"sha256:{bundleDigest}", active.GetProperty("digest").GetString());
}
}
finally
{
Environment.ExitCode = originalExitCode;
}
}
private static ServiceProvider BuildServices(StellaOpsCliOptions options)
{
var services = new ServiceCollection();
services.AddSingleton(options);
services.AddSingleton(new VerbosityState());
services.AddSingleton<ILoggerFactory>(_ => LoggerFactory.Create(builder => builder.SetMinimumLevel(LogLevel.None)));
return services.BuildServiceProvider();
}
private static async Task<CapturedConsoleOutput> CaptureTestConsoleAsync(Func<TestConsole, Task> action)
{
var testConsole = new TestConsole();
testConsole.Width(4000);
var originalConsole = AnsiConsole.Console;
var originalOut = Console.Out;
using var writer = new StringWriter();
try
{
AnsiConsole.Console = testConsole;
Console.SetOut(writer);
await action(testConsole).ConfigureAwait(false);
return new CapturedConsoleOutput(testConsole.Output.ToString(), writer.ToString());
}
finally
{
Console.SetOut(originalOut);
AnsiConsole.Console = originalConsole;
}
}
private static string ComputeSha256Hex(byte[] bytes)
{
var hash = SHA256.HashData(bytes);
return Convert.ToHexString(hash).ToLowerInvariant();
}
private static byte[] BuildDssePae(string payloadType, string payloadBase64)
{
var payloadBytes = Convert.FromBase64String(payloadBase64);
var payloadText = Encoding.UTF8.GetString(payloadBytes);
var parts = new[]
{
"DSSEv1",
payloadType,
payloadText
};
var builder = new StringBuilder();
builder.Append("PAE:");
builder.Append(parts.Length);
foreach (var part in parts)
{
builder.Append(' ');
builder.Append(part.Length);
builder.Append(' ');
builder.Append(part);
}
return Encoding.UTF8.GetBytes(builder.ToString());
}
private static string WrapPem(string label, byte[] derBytes)
{
var base64 = Convert.ToBase64String(derBytes);
var builder = new StringBuilder();
builder.Append("-----BEGIN ").Append(label).AppendLine("-----");
for (var offset = 0; offset < base64.Length; offset += 64)
{
builder.AppendLine(base64.Substring(offset, Math.Min(64, base64.Length - offset)));
}
builder.Append("-----END ").Append(label).AppendLine("-----");
return builder.ToString();
}
private sealed record CapturedConsoleOutput(string Console, string Plain);
}

3
src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ScannerDownloadVerifyTests.cs
View File

@@ -2,6 +2,7 @@ using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Cli.Commands;
using Xunit;
@@ -54,7 +55,7 @@ internal static class CommandHandlersTestShim
{
public static Task VerifyBundlePublicAsync(string path, ILogger logger, CancellationToken token)
=> typeof(CommandHandlers)
.GetMethod(\"VerifyBundleAsync\", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Static)!
.GetMethod("VerifyBundleAsync", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Static)!
.Invoke(null, new object[] { path, logger, token }) as Task
?? Task.CompletedTask;
}

19
src/Cli/__Tests/StellaOps.Cli.Tests/Contracts/CliSpecTests.cs
View File

@@ -7,7 +7,24 @@ namespace StellaOps.Cli.Tests.Contracts;
public sealed class CliSpecTests
{
private static readonly string SpecPath = Path.Combine("docs", "modules", "cli", "contracts", "cli-spec-v1.yaml");
private static readonly string SpecPath = ResolveSpecPath();
private static string ResolveSpecPath()
{
var relative = Path.Combine("docs", "modules", "cli", "contracts", "cli-spec-v1.yaml");
var baseDirectory = new DirectoryInfo(AppContext.BaseDirectory);
for (var directory = baseDirectory; directory is not null; directory = directory.Parent)
{
var candidate = Path.Combine(directory.FullName, relative);
if (File.Exists(candidate))
{
return candidate;
}
}
return relative;
}
[Fact]
public async Task Spec_Exists_And_Has_PrivacyDefaults()

3
src/Cli/__Tests/StellaOps.Cli.Tests/Services/BackendOperationsClientTests.cs
View File

@@ -292,7 +292,8 @@ public sealed class BackendOperationsClientTests
"sha256:test",
generatedAt,
graph,
EntryTraceNdjsonWriter.Serialize(graph, new EntryTraceNdjsonMetadata(scanId, "sha256:test", generatedAt)));
EntryTraceNdjsonWriter.Serialize(graph, new EntryTraceNdjsonMetadata(scanId, "sha256:test", generatedAt)),
plan);
var json = JsonSerializer.Serialize(responseModel, new JsonSerializerOptions(JsonSerializerDefaults.Web));
var handler = new StubHttpMessageHandler((request, _) =>