fix tests. new product advisories enhancements

devops/compose/tile-proxy/README.md

@@ -0,0 +1,161 @@
+# Tile Proxy Docker Compose
+
+This directory contains the Docker Compose configuration for deploying the StellaOps Tile Proxy service.
+
+## Overview
+
+The Tile Proxy acts as a caching intermediary between StellaOps clients and upstream Rekor transparency logs. It provides:
+
+- **Tile Caching**: Caches tiles locally for faster subsequent requests
+- **Request Coalescing**: Deduplicates concurrent requests for the same tile
+- **Offline Support**: Serves from cache when upstream is unavailable
+- **TUF Integration**: Optional validation using TUF trust anchors
+
+## Quick Start
+
+```bash
+# Start with default configuration
+docker compose up -d
+
+# Check health
+curl http://localhost:8090/_admin/health
+
+# View cache statistics
+curl http://localhost:8090/_admin/cache/stats
+```
+
+## Configuration
+
+### Environment Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `REKOR_UPSTREAM_URL` | Upstream Rekor URL | `https://rekor.sigstore.dev` |
+| `REKOR_ORIGIN` | Log origin identifier | `rekor.sigstore.dev - 1985497715` |
+| `TUF_ENABLED` | Enable TUF integration | `false` |
+| `TUF_ROOT_URL` | TUF repository URL | - |
+| `TUF_VALIDATE_CHECKPOINT` | Validate checkpoint signatures | `true` |
+| `CACHE_MAX_SIZE_GB` | Maximum cache size | `10` |
+| `CHECKPOINT_TTL_MINUTES` | Checkpoint cache TTL | `5` |
+| `SYNC_ENABLED` | Enable scheduled sync | `true` |
+| `SYNC_SCHEDULE` | Sync cron schedule | `0 */6 * * *` |
+| `SYNC_DEPTH` | Entries to sync tiles for | `10000` |
+| `LOG_LEVEL` | Logging level | `Information` |
+
+### Using a .env file
+
+Create a `.env` file to customize configuration:
+
+```bash
+# .env
+REKOR_UPSTREAM_URL=https://rekor.sigstore.dev
+CACHE_MAX_SIZE_GB=20
+SYNC_ENABLED=true
+SYNC_SCHEDULE=0 */4 * * *
+LOG_LEVEL=Debug
+```
+
+## API Endpoints
+
+### Proxy Endpoints
+
+| Endpoint | Description |
+|----------|-------------|
+| `GET /tile/{level}/{index}` | Get a tile (cache-through) |
+| `GET /tile/{level}/{index}.p/{width}` | Get partial tile |
+| `GET /checkpoint` | Get current checkpoint |
+
+### Admin Endpoints
+
+| Endpoint | Description |
+|----------|-------------|
+| `GET /_admin/cache/stats` | Cache statistics |
+| `GET /_admin/metrics` | Proxy metrics |
+| `POST /_admin/cache/sync` | Trigger manual sync |
+| `DELETE /_admin/cache/prune` | Prune old tiles |
+| `GET /_admin/health` | Health check |
+| `GET /_admin/ready` | Readiness check |
+
+## Volumes
+
+| Volume | Path | Description |
+|--------|------|-------------|
+| `tile-cache` | `/var/cache/stellaops/tiles` | Cached tiles |
+| `tuf-cache` | `/var/cache/stellaops/tuf` | TUF metadata |
+
+## Integration with StellaOps
+
+Configure your StellaOps Attestor to use the tile proxy:
+
+```yaml
+attestor:
+  rekor:
+    url: http://tile-proxy:8080
+    # or if running standalone:
+    # url: http://localhost:8090
+```
+
+## Monitoring
+
+### Prometheus Metrics
+
+The tile proxy exposes metrics at `/_admin/metrics`:
+
+```bash
+curl http://localhost:8090/_admin/metrics
+```
+
+Example response:
+```json
+{
+  "cacheHits": 12450,
+  "cacheMisses": 234,
+  "hitRatePercent": 98.15,
+  "upstreamRequests": 234,
+  "upstreamErrors": 2,
+  "inflightRequests": 0
+}
+```
+
+### Health Checks
+
+```bash
+# Liveness (is the service running?)
+curl http://localhost:8090/_admin/health
+
+# Readiness (can it serve requests?)
+curl http://localhost:8090/_admin/ready
+```
+
+## Troubleshooting
+
+### Cache is not being used
+
+1. Check cache stats: `curl http://localhost:8090/_admin/cache/stats`
+2. Verify cache volume is mounted correctly
+3. Check logs for write errors
+
+### Upstream connection failures
+
+1. Check network connectivity to upstream
+2. Verify `REKOR_UPSTREAM_URL` is correct
+3. Check for firewall/proxy issues
+
+### High memory usage
+
+1. Reduce `CACHE_MAX_SIZE_GB`
+2. Trigger manual prune: `curl -X DELETE http://localhost:8090/_admin/cache/prune?targetSizeBytes=5368709120`
+
+## Development
+
+Build the image locally:
+
+```bash
+docker compose build
+```
+
+Run with local source:
+
+```bash
+docker compose -f docker-compose.yml -f docker-compose.dev.yml up
+```

devops/compose/tile-proxy/docker-compose.yml

@@ -0,0 +1,64 @@
+# -----------------------------------------------------------------------------
+# docker-compose.yml
+# Sprint: SPRINT_20260125_002_Attestor_trust_automation
+# Task: PROXY-008 - Docker Compose for tile-proxy stack
+# Description: Docker Compose configuration for tile-proxy deployment
+# -----------------------------------------------------------------------------
+
+services:
+  tile-proxy:
+    build:
+      context: ../../..
+      dockerfile: src/Attestor/StellaOps.Attestor.TileProxy/Dockerfile
+    image: stellaops/tile-proxy:latest
+    container_name: stellaops-tile-proxy
+    ports:
+      - "8090:8080"
+    volumes:
+      - tile-cache:/var/cache/stellaops/tiles
+      - tuf-cache:/var/cache/stellaops/tuf
+    environment:
+      # Upstream Rekor configuration
+      - TILE_PROXY__UPSTREAMURL=${REKOR_UPSTREAM_URL:-https://rekor.sigstore.dev}
+      - TILE_PROXY__ORIGIN=${REKOR_ORIGIN:-rekor.sigstore.dev - 1985497715}
+
+      # TUF configuration (optional)
+      - TILE_PROXY__TUF__ENABLED=${TUF_ENABLED:-false}
+      - TILE_PROXY__TUF__URL=${TUF_ROOT_URL:-}
+      - TILE_PROXY__TUF__VALIDATECHECKPOINTSIGNATURE=${TUF_VALIDATE_CHECKPOINT:-true}
+
+      # Cache configuration
+      - TILE_PROXY__CACHE__BASEPATH=/var/cache/stellaops/tiles
+      - TILE_PROXY__CACHE__MAXSIZEGB=${CACHE_MAX_SIZE_GB:-10}
+      - TILE_PROXY__CACHE__CHECKPOINTTTLMINUTES=${CHECKPOINT_TTL_MINUTES:-5}
+
+      # Sync job configuration
+      - TILE_PROXY__SYNC__ENABLED=${SYNC_ENABLED:-true}
+      - TILE_PROXY__SYNC__SCHEDULE=${SYNC_SCHEDULE:-0 */6 * * *}
+      - TILE_PROXY__SYNC__DEPTH=${SYNC_DEPTH:-10000}
+
+      # Request handling
+      - TILE_PROXY__REQUEST__COALESCINGENABLED=${COALESCING_ENABLED:-true}
+      - TILE_PROXY__REQUEST__TIMEOUTSECONDS=${REQUEST_TIMEOUT_SECONDS:-30}
+
+      # Logging
+      - Serilog__MinimumLevel__Default=${LOG_LEVEL:-Information}
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/_admin/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 5s
+    restart: unless-stopped
+    networks:
+      - stellaops
+
+volumes:
+  tile-cache:
+    driver: local
+  tuf-cache:
+    driver: local
+
+networks:
+  stellaops:
+    driver: bridge