stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Add call graph fixtures for various languages and scenarios
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Findings Ledger CI / build-test (push) Has been cancelled
Details
Findings Ledger CI / migration-validation (push) Has been cancelled
Details
Findings Ledger CI / generate-manifest (push) Has been cancelled
Details
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Details
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Reachability Corpus Validation / validate-corpus (push) Has been cancelled
Details
Reachability Corpus Validation / validate-ground-truths (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Reachability Corpus Validation / determinism-check (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details

Browse Source 
- Introduced `all-edge-reasons.json` to test edge resolution reasons in .NET.
- Added `all-visibility-levels.json` to validate method visibility levels in .NET.
- Created `dotnet-aspnetcore-minimal.json` for a minimal ASP.NET Core application.
- Included `go-gin-api.json` for a Go Gin API application structure.
- Added `java-spring-boot.json` for the Spring PetClinic application in Java.
- Introduced `legacy-no-schema.json` for legacy application structure without schema.
- Created `node-express-api.json` for an Express.js API application structure.
This commit is contained in:
master
2025-12-16 10:44:24 +02:00
parent 4391f35d8a
commit 5a480a3c2a
223 changed files with 19367 additions and 727 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
src/Cli/StellaOps.Cli/Commands/CommandFactory.cs
View File

@@ -80,6 +80,7 @@ internal static class CommandFactory
root.Add(BuildSdkCommand(services, verboseOption, cancellationToken));
root.Add(BuildMirrorCommand(services, verboseOption, cancellationToken));
root.Add(BuildAirgapCommand(services, verboseOption, cancellationToken));
root.Add(OfflineCommandGroup.BuildOfflineCommand(services, verboseOption, cancellationToken));
root.Add(BuildDevPortalCommand(services, verboseOption, cancellationToken));
root.Add(BuildSymbolsCommand(services, verboseOption, cancellationToken));
root.Add(SystemCommandBuilder.BuildSystemCommand(services, verboseOption, cancellationToken));
@@ -9338,6 +9339,53 @@ internal static class CommandFactory
start.Add(startAttestation);
export.Add(start);
var cache = new Command("cache", "Local evidence cache operations.");
var scanOutputPathOption = new Option<string>("--scan-output", new[] { "-p" })
{
Description = "Path to scan output directory containing a local evidence cache (.evidence).",
Required = true
};
var cacheStats = new Command("stats", "Show local evidence cache statistics.");
cacheStats.Add(scanOutputPathOption);
cacheStats.Add(jsonOption);
cacheStats.Add(verboseOption);
cacheStats.SetAction((parseResult, _) =>
{
var scanOutputPath = parseResult.GetValue(scanOutputPathOption) ?? string.Empty;
var json = parseResult.GetValue(jsonOption);
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleExportCacheStatsAsync(
services,
scanOutputPath,
json,
verbose,
cancellationToken);
});
var cacheProcessQueue = new Command("process-queue", "Process deferred enrichment queue for local evidence cache.");
cacheProcessQueue.Add(scanOutputPathOption);
cacheProcessQueue.Add(jsonOption);
cacheProcessQueue.Add(verboseOption);
cacheProcessQueue.SetAction((parseResult, _) =>
{
var scanOutputPath = parseResult.GetValue(scanOutputPathOption) ?? string.Empty;
var json = parseResult.GetValue(jsonOption);
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleExportCacheProcessQueueAsync(
services,
scanOutputPath,
json,
verbose,
cancellationToken);
});
cache.Add(cacheStats);
cache.Add(cacheProcessQueue);
export.Add(cache);
return export;
}

113
src/Cli/StellaOps.Cli/Commands/CommandHandlers.ExportCache.cs Normal file
View File

@@ -0,0 +1,113 @@
using System.Globalization;
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
using Spectre.Console;
using StellaOps.ExportCenter.Core.EvidenceCache;
namespace StellaOps.Cli.Commands;
internal static partial class CommandHandlers
{
internal static async Task<int> HandleExportCacheStatsAsync(
IServiceProvider services,
string scanOutputPath,
bool json,
bool verbose,
CancellationToken cancellationToken)
{
SetVerbosity(services, verbose);
if (string.IsNullOrWhiteSpace(scanOutputPath))
{
AnsiConsole.MarkupLine("[red]Scan output path is required.[/]");
return 1;
}
scanOutputPath = Path.GetFullPath(scanOutputPath);
if (!Directory.Exists(scanOutputPath))
{
AnsiConsole.MarkupLine($"[red]Scan output directory not found:[/] {Markup.Escape(scanOutputPath)}");
return 1;
}
var cache = services.GetRequiredService<IEvidenceCacheService>();
var statistics = await cache.GetStatisticsAsync(scanOutputPath, cancellationToken).ConfigureAwait(false);
if (json)
{
var payload = new
{
scanOutput = scanOutputPath,
statistics
};
AnsiConsole.WriteLine(JsonSerializer.Serialize(payload, JsonOptions));
return 0;
}
if (statistics.TotalBundles == 0)
{
AnsiConsole.MarkupLine("[yellow]No evidence cache entries found.[/]");
}
var table = new Table().AddColumns("Field", "Value");
table.AddRow("Scan output", Markup.Escape(scanOutputPath));
table.AddRow("Total bundles", statistics.TotalBundles.ToString(CultureInfo.InvariantCulture));
table.AddRow("Fully available", statistics.FullyAvailable.ToString(CultureInfo.InvariantCulture));
table.AddRow("Partially available", statistics.PartiallyAvailable.ToString(CultureInfo.InvariantCulture));
table.AddRow("Pending enrichment", statistics.PendingEnrichment.ToString(CultureInfo.InvariantCulture));
table.AddRow("Offline resolvable", FormattableString.Invariant($"{statistics.OfflineResolvablePercentage:0.##}%"));
table.AddRow("Total size", FormatBytes(statistics.TotalSizeBytes));
AnsiConsole.Write(table);
return 0;
}
internal static async Task<int> HandleExportCacheProcessQueueAsync(
IServiceProvider services,
string scanOutputPath,
bool json,
bool verbose,
CancellationToken cancellationToken)
{
SetVerbosity(services, verbose);
if (string.IsNullOrWhiteSpace(scanOutputPath))
{
AnsiConsole.MarkupLine("[red]Scan output path is required.[/]");
return 1;
}
scanOutputPath = Path.GetFullPath(scanOutputPath);
if (!Directory.Exists(scanOutputPath))
{
AnsiConsole.MarkupLine($"[red]Scan output directory not found:[/] {Markup.Escape(scanOutputPath)}");
return 1;
}
var cache = services.GetRequiredService<IEvidenceCacheService>();
var result = await cache.ProcessEnrichmentQueueAsync(scanOutputPath, cancellationToken).ConfigureAwait(false);
if (json)
{
var payload = new
{
scanOutput = scanOutputPath,
result
};
AnsiConsole.WriteLine(JsonSerializer.Serialize(payload, JsonOptions));
return 0;
}
var table = new Table().AddColumns("Field", "Value");
table.AddRow("Scan output", Markup.Escape(scanOutputPath));
table.AddRow("Processed", result.ProcessedCount.ToString(CultureInfo.InvariantCulture));
table.AddRow("Failed", result.FailedCount.ToString(CultureInfo.InvariantCulture));
table.AddRow("Remaining", result.RemainingCount.ToString(CultureInfo.InvariantCulture));
AnsiConsole.Write(table);
return 0;
}
}

1308
src/Cli/StellaOps.Cli/Commands/CommandHandlers.Offline.cs Normal file
View File

File diff suppressed because it is too large Load Diff

6
src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs
View File

@@ -49,10 +49,14 @@ using StellaOps.Scanner.Analyzers.Lang.Php;
using StellaOps.Scanner.Analyzers.Lang.Bun;
using StellaOps.Policy;
using StellaOps.PolicyDsl;
using StellaOps.AirGap.Importer.Contracts;
using StellaOps.AirGap.Importer.Quarantine;
using StellaOps.AirGap.Importer.Validation;
using StellaOps.AirGap.Importer.Versioning;
namespace StellaOps.Cli.Commands;
internal static class CommandHandlers
internal static partial class CommandHandlers
{
private const string KmsPassphraseEnvironmentVariable = "STELLAOPS_KMS_PASSPHRASE";
private static readonly JsonSerializerOptions KmsJsonOptions = new(JsonSerializerDefaults.Web)

164
src/Cli/StellaOps.Cli/Commands/OfflineCommandGroup.cs Normal file
View File

@@ -0,0 +1,164 @@
using System.CommandLine;
using StellaOps.Cli.Extensions;
namespace StellaOps.Cli.Commands;
internal static class OfflineCommandGroup
{
internal static Command BuildOfflineCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var offline = new Command("offline", "Air-gap and offline kit operations.");
offline.Add(BuildOfflineImportCommand(services, verboseOption, cancellationToken));
offline.Add(BuildOfflineStatusCommand(services, verboseOption, cancellationToken));
return offline;
}
private static Command BuildOfflineImportCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var tenantOption = new Option<string?>("--tenant")
{
Description = "Tenant context for the import (defaults to profile/ENV)."
};
var bundleOption = new Option<string>("--bundle", new[] { "-b" })
{
Description = "Path to the offline kit payload bundle (.tar.zst).",
Required = true
};
var manifestOption = new Option<string?>("--manifest", new[] { "-m" })
{
Description = "Path to offline manifest JSON (defaults to manifest.json next to the bundle)."
};
var verifyDsseOption = new Option<bool>("--verify-dsse")
{
Description = "Verify DSSE signature on the kit statement."
}.SetDefaultValue(true);
var verifyRekorOption = new Option<bool>("--verify-rekor")
{
Description = "Verify Rekor receipt (offline mode)."
}.SetDefaultValue(true);
var trustRootOption = new Option<string?>("--trust-root")
{
Description = "Path to trust root public key file for DSSE verification."
};
var forceActivateOption = new Option<bool>("--force-activate")
{
Description = "Override monotonicity check (requires justification)."
};
var forceReasonOption = new Option<string?>("--force-reason")
{
Description = "Justification for force activation (required with --force-activate)."
};
var dryRunOption = new Option<bool>("--dry-run")
{
Description = "Validate the kit without activating."
};
var outputOption = new Option<string?>("--output", new[] { "-o" })
{
Description = "Output format: table (default), json."
}.SetDefaultValue("table").FromAmong("table", "json");
var command = new Command("import", "Import an offline kit with verification.")
{
tenantOption,
bundleOption,
manifestOption,
verifyDsseOption,
verifyRekorOption,
trustRootOption,
forceActivateOption,
forceReasonOption,
dryRunOption,
outputOption,
verboseOption
};
command.SetAction(parseResult =>
{
var tenant = parseResult.GetValue(tenantOption);
var bundle = parseResult.GetValue(bundleOption) ?? string.Empty;
var manifest = parseResult.GetValue(manifestOption);
var verifyDsse = parseResult.GetValue(verifyDsseOption);
var verifyRekor = parseResult.GetValue(verifyRekorOption);
var trustRoot = parseResult.GetValue(trustRootOption);
var forceActivate = parseResult.GetValue(forceActivateOption);
var forceReason = parseResult.GetValue(forceReasonOption);
var dryRun = parseResult.GetValue(dryRunOption);
var output = parseResult.GetValue(outputOption) ?? "table";
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleOfflineImportAsync(
services,
tenant,
bundle,
manifest,
verifyDsse,
verifyRekor,
trustRoot,
forceActivate,
forceReason,
dryRun,
output,
verbose,
cancellationToken);
});
return command;
}
private static Command BuildOfflineStatusCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var tenantOption = new Option<string?>("--tenant")
{
Description = "Tenant context for the status (defaults to profile/ENV)."
};
var outputOption = new Option<string?>("--output", new[] { "-o" })
{
Description = "Output format: table (default), json."
}.SetDefaultValue("table").FromAmong("table", "json");
var command = new Command("status", "Display current offline kit status.")
{
tenantOption,
outputOption,
verboseOption
};
command.SetAction(parseResult =>
{
var tenant = parseResult.GetValue(tenantOption);
var output = parseResult.GetValue(outputOption) ?? "table";
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleOfflineStatusAsync(
services,
tenant,
output,
verbose,
cancellationToken);
});
return command;
}
}

25
src/Cli/StellaOps.Cli/Commands/OfflineExitCodes.cs Normal file
View File

@@ -0,0 +1,25 @@
namespace StellaOps.Cli.Commands;
/// <summary>
/// Exit codes for offline commands.
/// Per advisory A11.1-11.2.
/// </summary>
internal static class OfflineExitCodes
{
public const int Success = 0;
public const int FileNotFound = 1;
public const int ChecksumMismatch = 2; // HASH_MISMATCH
public const int SignatureFailure = 3; // SIG_FAIL_COSIGN, SIG_FAIL_MANIFEST
public const int FormatError = 4;
public const int DsseVerificationFailed = 5; // DSSE_VERIFY_FAIL
public const int RekorVerificationFailed = 6; // REKOR_VERIFY_FAIL
public const int ImportFailed = 7;
public const int VersionNonMonotonic = 8; // VERSION_NON_MONOTONIC
public const int PolicyDenied = 9; // POLICY_DENY
public const int SelftestFailed = 10; // SELFTEST_FAIL
public const int ValidationFailed = 11;
public const int VerificationFailed = 12;
public const int PolicyLoadFailed = 13;
public const int Cancelled = 130; // Standard SIGINT
}

14
src/Cli/StellaOps.Cli/Output/CliError.cs
View File

@@ -249,6 +249,20 @@ public static class CliErrorCodes
public const string ValidationFailed = "ERR_VALIDATION_FAILED";
public const string RateLimited = "ERR_RATE_LIMIT";
public const string AirGapBlocked = "ERR_AIRGAP_EGRESS_BLOCKED";
// CLI-AIRGAP-341-001: Offline Kit / AirGap error codes (exit code 7)
public const string OfflineKitImportFailed = "ERR_AIRGAP_OFFLINE_KIT_IMPORT_FAILED";
public const string OfflineKitStatusFailed = "ERR_AIRGAP_OFFLINE_KIT_STATUS_FAILED";
public const string OfflineKitVerifyFailed = "ERR_AIRGAP_OFFLINE_KIT_VERIFY_FAILED";
public const string OfflineKitHashMismatch = "ERR_AIRGAP_OFFLINE_KIT_HASH_MISMATCH";
public const string OfflineKitCosignSignatureInvalid = "ERR_AIRGAP_OFFLINE_KIT_SIG_FAIL_COSIGN";
public const string OfflineKitManifestSignatureInvalid = "ERR_AIRGAP_OFFLINE_KIT_SIG_FAIL_MANIFEST";
public const string OfflineKitDsseVerifyFailed = "ERR_AIRGAP_OFFLINE_KIT_DSSE_VERIFY_FAIL";
public const string OfflineKitRekorVerifyFailed = "ERR_AIRGAP_OFFLINE_KIT_REKOR_VERIFY_FAIL";
public const string OfflineKitSelfTestFailed = "ERR_AIRGAP_OFFLINE_KIT_SELFTEST_FAIL";
public const string OfflineKitVersionNonMonotonic = "ERR_AIRGAP_OFFLINE_KIT_VERSION_NON_MONOTONIC";
public const string OfflineKitPolicyDenied = "ERR_AIRGAP_OFFLINE_KIT_POLICY_DENY";
public const string AocViolation = "ERR_AOC_001";
public const string NetworkError = "ERR_NETWORK_FAILED";
public const string Timeout = "ERR_TIMEOUT";

41
src/Cli/StellaOps.Cli/Output/CliErrorRenderer.cs
View File

@@ -67,6 +67,11 @@ internal static class CliErrorRenderer
// Error code
AnsiConsole.MarkupLine($"[grey]Code:[/] {Markup.Escape(error.Code)}");
if (TryGetReasonCode(error, out var reasonCode))
{
AnsiConsole.MarkupLine($"[grey]Reason:[/] {Markup.Escape(reasonCode)}");
}
// Detail (if present)
if (!string.IsNullOrWhiteSpace(error.Detail))
{
@@ -207,5 +212,41 @@ internal static class CliErrorRenderer
RenderScopeGuidance(error);
RenderRateLimitGuidance(error);
RenderAuthGuidance(error);
RenderOfflineKitGuidance(error);
}
private static bool TryGetReasonCode(CliError error, out string reasonCode)
{
reasonCode = "";
if (error.Metadata is null || error.Metadata.Count == 0)
{
return false;
}
if ((!error.Metadata.TryGetValue("reason_code", out reasonCode) || string.IsNullOrWhiteSpace(reasonCode)) &&
(!error.Metadata.TryGetValue("reasonCode", out reasonCode) || string.IsNullOrWhiteSpace(reasonCode)))
{
return false;
}
reasonCode = OfflineKitReasonCodes.Normalize(reasonCode) ?? "";
return reasonCode.Length > 0;
}
private static void RenderOfflineKitGuidance(CliError error)
{
if (!TryGetReasonCode(error, out var reasonCode))
{
return;
}
var remediation = OfflineKitReasonCodes.GetRemediation(reasonCode);
if (string.IsNullOrWhiteSpace(remediation))
{
return;
}
AnsiConsole.WriteLine();
AnsiConsole.MarkupLine($"[yellow]Remediation:[/] {Markup.Escape(remediation)}");
}
}

63
src/Cli/StellaOps.Cli/Output/OfflineKitReasonCodes.cs Normal file
View File

@@ -0,0 +1,63 @@
using StellaOps.Cli.Commands;
namespace StellaOps.Cli.Output;
public static class OfflineKitReasonCodes
{
public const string HashMismatch = "HASH_MISMATCH";
public const string SigFailCosign = "SIG_FAIL_COSIGN";
public const string SigFailManifest = "SIG_FAIL_MANIFEST";
public const string DsseVerifyFail = "DSSE_VERIFY_FAIL";
public const string RekorVerifyFail = "REKOR_VERIFY_FAIL";
public const string SelfTestFail = "SELFTEST_FAIL";
public const string VersionNonMonotonic = "VERSION_NON_MONOTONIC";
public const string PolicyDeny = "POLICY_DENY";
public static string? Normalize(string? reasonCode)
=> string.IsNullOrWhiteSpace(reasonCode) ? null : reasonCode.Trim().ToUpperInvariant();
public static int GetExitCode(string? reasonCode)
{
reasonCode = Normalize(reasonCode);
return reasonCode switch
{
HashMismatch => OfflineExitCodes.ChecksumMismatch,
SigFailCosign => OfflineExitCodes.SignatureFailure,
SigFailManifest => OfflineExitCodes.SignatureFailure,
DsseVerifyFail => OfflineExitCodes.DsseVerificationFailed,
RekorVerifyFail => OfflineExitCodes.RekorVerificationFailed,
VersionNonMonotonic => OfflineExitCodes.VersionNonMonotonic,
PolicyDeny => OfflineExitCodes.PolicyDenied,
SelfTestFail => OfflineExitCodes.SelftestFailed,
null => OfflineExitCodes.ImportFailed,
_ => OfflineExitCodes.ImportFailed
};
}
public static string? GetRemediation(string? reasonCode)
{
reasonCode = Normalize(reasonCode);
return reasonCode switch
{
HashMismatch =>
"Re-download the bundle and re-run import. If using removable media, verify the device is healthy and that the bundle digest matches the manifest.",
SigFailCosign =>
"Verify the Cosign signature and trust roots. Ensure you imported the correct signing public keys and that the signature matches the bundle.",
SigFailManifest =>
"Verify the manifest signature and trust roots. Ensure the manifest and its detached signature belong to the same kit version.",
DsseVerifyFail =>
"Verify DSSE trust roots and that the envelope key ID matches an allowed signer. Re-export the kit if the envelope is missing or malformed.",
RekorVerifyFail =>
"Verify Rekor inclusion proof settings (offline snapshot, UUID/index) and re-run verification. Check for time skew and stale transparency data.",
VersionNonMonotonic =>
"The incoming kit version is older than the active version. Import a newer kit, or use --force-activate (with a reason) for emergency rollback testing only.",
PolicyDeny =>
"The current policy denies activation. Review policy gates, waivers, and VEX precedence; then re-run import after updating policy inputs.",
SelfTestFail =>
"Run the Offline Kit self-test and review its output. Confirm required binaries, permissions, and disk space are available in the air-gapped environment.",
null => null,
_ => null
};
}
}

3
src/Cli/StellaOps.Cli/Program.cs
View File

@@ -16,6 +16,7 @@ using StellaOps.AirGap.Policy;
using StellaOps.Configuration;
using StellaOps.Policy.Scoring.Engine;
using StellaOps.ExportCenter.Client;
using StellaOps.ExportCenter.Core.EvidenceCache;
namespace StellaOps.Cli;
@@ -155,6 +156,8 @@ internal static class Program
services.AddSingleton<IScannerExecutor, ScannerExecutor>();
services.AddSingleton<IScannerInstaller, ScannerInstaller>();
services.AddSingleton<MigrationCommandService>();
services.AddSingleton(TimeProvider.System);
services.AddSingleton<IEvidenceCacheService, LocalEvidenceCacheService>();
// CLI-FORENSICS-53-001: Forensic snapshot client
services.AddHttpClient<IForensicSnapshotClient, ForensicSnapshotClient>(client =>

54
src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs
View File

@@ -2320,6 +2320,37 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
return null;
}
private static string? ExtractProblemExtensionString(ProblemDocument? problem, params string[] keys)
{
if (problem?.Extensions is null || problem.Extensions.Count == 0 || keys.Length == 0)
{
return null;
}
foreach (var key in keys)
{
if (!problem.Extensions.TryGetValue(key, out var value) || value is null)
{
continue;
}
switch (value)
{
case string text when !string.IsNullOrWhiteSpace(text):
return text;
case JsonElement element when element.ValueKind == JsonValueKind.String:
var parsed = element.GetString();
if (!string.IsNullOrWhiteSpace(parsed))
{
return parsed;
}
break;
}
}
return null;
}
private static string BuildPolicyFindingsQueryString(PolicyFindingsQuery query)
{
var parameters = new List<string>();
@@ -2853,6 +2884,7 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
{
// Extract error code from problem type URI
errorCode = ExtractErrorCodeFromProblemType(problem.Type);
errorCode ??= ExtractProblemErrorCode(problem);
if (!string.IsNullOrWhiteSpace(problem.Title))
{
@@ -2868,21 +2900,23 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
// Check for trace_id in extensions
if (problem.Extensions is not null)
{
if (problem.Extensions.TryGetValue("trace_id", out var tid) && tid is string tidStr)
var extensionTraceId = ExtractProblemExtensionString(problem, "trace_id", "traceId");
if (!string.IsNullOrWhiteSpace(extensionTraceId))
{
traceId ??= tidStr;
traceId ??= extensionTraceId;
}
if (problem.Extensions.TryGetValue("traceId", out var tid2) && tid2 is string tid2Str)
var extensionErrorCode = ExtractProblemExtensionString(problem, "error_code", "errorCode");
if (!string.IsNullOrWhiteSpace(extensionErrorCode))
{
traceId ??= tid2Str;
errorCode ??= extensionErrorCode;
}
if (problem.Extensions.TryGetValue("error_code", out var ec) && ec is string ecStr)
var reasonCode = ExtractProblemExtensionString(problem, "reason_code", "reasonCode");
if (!string.IsNullOrWhiteSpace(reasonCode))
{
errorCode ??= ecStr;
}
if (problem.Extensions.TryGetValue("errorCode", out var ec2) && ec2 is string ec2Str)
{
errorCode ??= ec2Str;
metadata ??= new Dictionary<string, object?>(StringComparer.Ordinal);
metadata["reason_code"] = reasonCode;
}
}
}

120
src/Cli/StellaOps.Cli/Services/FileBundleVersionStore.cs Normal file
View File

@@ -0,0 +1,120 @@
using System.Text.Json;
using Microsoft.Extensions.Logging;
using StellaOps.AirGap.Importer.Versioning;
namespace StellaOps.Cli.Services;
internal sealed class FileBundleVersionStore : IBundleVersionStore
{
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
{
WriteIndented = true
};
private readonly string _stateDirectory;
private readonly ILogger<FileBundleVersionStore> _logger;
public FileBundleVersionStore(string stateDirectory, ILogger<FileBundleVersionStore> logger)
{
ArgumentException.ThrowIfNullOrWhiteSpace(stateDirectory);
_stateDirectory = stateDirectory;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<BundleVersionRecord?> GetCurrentAsync(
string tenantId,
string bundleType,
CancellationToken ct = default)
{
var history = await GetHistoryInternalAsync(tenantId, bundleType, ct).ConfigureAwait(false);
return history
.OrderByDescending(record => record.ActivatedAt)
.ThenByDescending(record => record.VersionString, StringComparer.Ordinal)
.FirstOrDefault();
}
public async Task UpsertAsync(BundleVersionRecord record, CancellationToken ct = default)
{
ArgumentNullException.ThrowIfNull(record);
Directory.CreateDirectory(_stateDirectory);
var path = GetStatePath(record.TenantId, record.BundleType);
var history = await GetHistoryInternalAsync(record.TenantId, record.BundleType, ct).ConfigureAwait(false);
history.Add(record);
var ordered = history
.OrderBy(r => r.ActivatedAt)
.ThenBy(r => r.VersionString, StringComparer.Ordinal)
.ToList();
var tempPath = path + ".tmp";
await using (var stream = File.Create(tempPath))
{
await JsonSerializer.SerializeAsync(stream, ordered, JsonOptions, ct).ConfigureAwait(false);
}
File.Copy(tempPath, path, overwrite: true);
File.Delete(tempPath);
}
public async Task<IReadOnlyList<BundleVersionRecord>> GetHistoryAsync(
string tenantId,
string bundleType,
int limit = 10,
CancellationToken ct = default)
{
var history = await GetHistoryInternalAsync(tenantId, bundleType, ct).ConfigureAwait(false);
return history
.OrderByDescending(r => r.ActivatedAt)
.ThenByDescending(r => r.VersionString, StringComparer.Ordinal)
.Take(Math.Max(0, limit))
.ToArray();
}
private async Task<List<BundleVersionRecord>> GetHistoryInternalAsync(
string tenantId,
string bundleType,
CancellationToken ct)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentException.ThrowIfNullOrWhiteSpace(bundleType);
var path = GetStatePath(tenantId, bundleType);
if (!File.Exists(path))
{
return new List<BundleVersionRecord>();
}
try
{
await using var stream = File.OpenRead(path);
var records = await JsonSerializer.DeserializeAsync<List<BundleVersionRecord>>(stream, JsonOptions, ct).ConfigureAwait(false);
return records ?? new List<BundleVersionRecord>();
}
catch (Exception ex) when (ex is IOException or JsonException)
{
_logger.LogWarning(ex, "Failed to read bundle version history from {Path}", path);
return new List<BundleVersionRecord>();
}
}
private string GetStatePath(string tenantId, string bundleType)
{
var safeTenant = SanitizePathSegment(tenantId);
var safeBundleType = SanitizePathSegment(bundleType);
return Path.Combine(_stateDirectory, $"bundle-versions__{safeTenant}__{safeBundleType}.json");
}
private static string SanitizePathSegment(string value)
{
var trimmed = value.Trim().ToLowerInvariant();
var invalid = Path.GetInvalidFileNameChars();
var chars = trimmed
.Select(c => invalid.Contains(c) || c == '/' || c == '\\' || char.IsWhiteSpace(c) ? '_' : c)
.ToArray();
return new string(chars);
}
}

2
src/Cli/StellaOps.Cli/Services/MirrorBundleImportService.cs
View File

@@ -23,7 +23,6 @@ public sealed class MirrorBundleImportService : IMirrorBundleImportService
{
private readonly IBundleCatalogRepository _catalogRepository;
private readonly IBundleItemRepository _itemRepository;
private readonly ImportValidator _validator;
private readonly ILogger<MirrorBundleImportService> _logger;
public MirrorBundleImportService(
@@ -34,7 +33,6 @@ public sealed class MirrorBundleImportService : IMirrorBundleImportService
_catalogRepository = catalogRepository ?? throw new ArgumentNullException(nameof(catalogRepository));
_itemRepository = itemRepository ?? throw new ArgumentNullException(nameof(itemRepository));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_validator = new ImportValidator();
}
public async Task<MirrorImportResult> ImportAsync(MirrorImportRequest request, CancellationToken cancellationToken)

92
src/Cli/StellaOps.Cli/Services/OfflineKitStateStore.cs Normal file
View File

@@ -0,0 +1,92 @@
using System.Text.Json;
using Microsoft.Extensions.Logging;
namespace StellaOps.Cli.Services;
internal sealed class OfflineKitStateStore
{
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
{
WriteIndented = true
};
private readonly string _stateDirectory;
private readonly ILogger<OfflineKitStateStore> _logger;
public OfflineKitStateStore(string stateDirectory, ILogger<OfflineKitStateStore> logger)
{
ArgumentException.ThrowIfNullOrWhiteSpace(stateDirectory);
_stateDirectory = stateDirectory;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task SaveActiveAsync(OfflineKitActiveState state, CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(state);
Directory.CreateDirectory(_stateDirectory);
var path = GetActiveStatePath(state.TenantId);
var temp = path + ".tmp";
await using (var stream = File.Create(temp))
{
await JsonSerializer.SerializeAsync(stream, state, JsonOptions, cancellationToken).ConfigureAwait(false);
}
File.Copy(temp, path, overwrite: true);
File.Delete(temp);
}
public async Task<OfflineKitActiveState?> LoadActiveAsync(string tenantId, CancellationToken cancellationToken)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
var path = GetActiveStatePath(tenantId);
if (!File.Exists(path))
{
return null;
}
try
{
await using var stream = File.OpenRead(path);
return await JsonSerializer.DeserializeAsync<OfflineKitActiveState>(stream, JsonOptions, cancellationToken).ConfigureAwait(false);
}
catch (Exception ex) when (ex is IOException or JsonException)
{
_logger.LogWarning(ex, "Failed to read offline kit state from {Path}", path);
return null;
}
}
private string GetActiveStatePath(string tenantId)
{
var safeTenant = SanitizePathSegment(tenantId);
return Path.Combine(_stateDirectory, $"offline-kit-active__{safeTenant}.json");
}
private static string SanitizePathSegment(string value)
{
var trimmed = value.Trim().ToLowerInvariant();
var invalid = Path.GetInvalidFileNameChars();
var chars = trimmed
.Select(c => invalid.Contains(c) || c == '/' || c == '\\' || char.IsWhiteSpace(c) ? '_' : c)
.ToArray();
return new string(chars);
}
}
internal sealed record OfflineKitActiveState(
string TenantId,
string BundlePath,
string ManifestPath,
string Version,
DateTimeOffset ManifestCreatedAt,
string PayloadSha256,
string BundleDigest,
DateTimeOffset ActivatedAt,
bool DsseVerified,
bool RekorVerified,
bool WasForceActivated,
string? ForceActivateReason);

80
src/Cli/StellaOps.Cli/Services/Transport/StellaOpsClientBase.cs
View File

@@ -237,10 +237,29 @@ public abstract class StellaOpsClientBase : IDisposable
var problem = JsonSerializer.Deserialize<ProblemDocument>(content, JsonOptions);
if (problem is not null)
{
var code = ExtractErrorCodeFromProblemType(problem.Type)
?? ExtractProblemExtensionString(problem, "error_code", "errorCode")
?? ExtractProblemExtensionString(problem, "code")
?? $"ERR_HTTP_{statusCode}";
var traceId = ExtractProblemExtensionString(problem, "trace_id", "traceId");
Dictionary<string, string>? metadata = null;
var reasonCode = ExtractProblemExtensionString(problem, "reason_code", "reasonCode");
if (!string.IsNullOrWhiteSpace(reasonCode))
{
metadata = new Dictionary<string, string>(StringComparer.Ordinal)
{
["reason_code"] = reasonCode
};
}
return new CliError(
Code: problem.Type ?? $"ERR_HTTP_{statusCode}",
Code: code,
Message: problem.Title ?? $"HTTP error {statusCode}",
Detail: problem.Detail);
TraceId: traceId,
Detail: problem.Detail,
Metadata: metadata);
}
}
catch (JsonException)
@@ -253,6 +272,63 @@ public abstract class StellaOpsClientBase : IDisposable
return CliError.FromHttpStatus(statusCode, content);
}
private static string? ExtractErrorCodeFromProblemType(string? type)
{
if (string.IsNullOrWhiteSpace(type))
{
return null;
}
if (type.StartsWith("urn:stellaops:error:", StringComparison.OrdinalIgnoreCase))
{
return type[20..];
}
if (type.Contains("/errors/", StringComparison.OrdinalIgnoreCase))
{
var idx = type.LastIndexOf("/errors/", StringComparison.OrdinalIgnoreCase);
return idx < 0 ? null : type[(idx + 8)..];
}
if (type.StartsWith("ERR_", StringComparison.OrdinalIgnoreCase))
{
return type;
}
return null;
}
private static string? ExtractProblemExtensionString(ProblemDocument? problem, params string[] keys)
{
if (problem?.Extensions is null || problem.Extensions.Count == 0 || keys.Length == 0)
{
return null;
}
foreach (var key in keys)
{
if (!problem.Extensions.TryGetValue(key, out var value) || value is null)
{
continue;
}
switch (value)
{
case string text when !string.IsNullOrWhiteSpace(text):
return text;
case JsonElement element when element.ValueKind == JsonValueKind.String:
var parsed = element.GetString();
if (!string.IsNullOrWhiteSpace(parsed))
{
return parsed;
}
break;
}
}
return null;
}
public void Dispose()
{
if (_disposed)

1
src/Cli/StellaOps.Cli/StellaOps.Cli.csproj
View File

@@ -71,6 +71,7 @@
<ProjectReference Include="../../Excititor/__Libraries/StellaOps.Excititor.Storage.Postgres/StellaOps.Excititor.Storage.Postgres.csproj" />
<ProjectReference Include="../../Policy/StellaOps.Policy.Scoring/StellaOps.Policy.Scoring.csproj" />
<ProjectReference Include="../../ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Client/StellaOps.ExportCenter.Client.csproj" />
<ProjectReference Include="../../ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/StellaOps.ExportCenter.Core.csproj" />
</ItemGroup>
<ItemGroup Condition="'$(StellaOpsEnableCryptoPro)' == 'true'">

2
src/Cli/StellaOps.Cli/TASKS.md
View File

@@ -7,3 +7,5 @@
| `CLI-AIAI-31-002` | DONE (2025-11-24) | `stella advise explain` (conflict narrative) command implemented and tested. |
| `CLI-AIAI-31-003` | DONE (2025-11-24) | `stella advise remediate` command implemented and tested. |
| `CLI-AIAI-31-004` | DONE (2025-11-24) | `stella advise batch` supports multi-key runs, per-key outputs, summary table, and tests (`HandleAdviseBatchAsync_RunsAllAdvisories`). |
| `CLI-AIRGAP-339-001` | DONE (2025-12-15) | Implemented `stella offline import/status` (DSSE verify, monotonicity + quarantine hooks, state storage), plus tests and docs; Rekor inclusion proof verification and `verify offline` policy remain blocked pending contracts. |
| `CLI-AIRGAP-341-001` | DONE (2025-12-15) | Sprint 0341: Offline Kit reason/error codes and ProblemDetails integration shipped; tests passing. |