stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

Add LDAP Distinguished Name Helper and Credential Audit Context
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.
This commit is contained in:
master
2025-11-09 12:21:38 +02:00
parent ba4c935182
commit 75c2bcafce
385 changed files with 7354 additions and 7344 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md
View File

@@ -1,13 +0,0 @@
# Attestation Bundle Export Task Board — Epic 19: Attestor Console
## Sprint 74 Builder
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-ATTEST-74-001 | TODO | Attestation Bundle Guild, Attestor Service Guild | ATTESTOR-73-003 | Implement export job producing attestation bundles with manifest, checksums, DSSE signature, and optional transparency log segments. | Bundle built in staging; manifest recorded; signature verification tests pass. |
| EXPORT-ATTEST-74-002 | TODO | Attestation Bundle Guild, DevOps Guild | EXPORT-ATTEST-74-001 | Integrate bundle job into CI/offline kit packaging with checksum publication. | Pipeline publishes bundle artifact + checksums; documentation updated. |
## Sprint 75 Verification & Import
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-ATTEST-75-001 | TODO | Attestation Bundle Guild, CLI Attestor Guild | EXPORT-ATTEST-74-001 | Provide CLI command `stella attest bundle verify/import` for air-gap usage. | CLI verifies/signatures; import seeds attestor store; tests cover corrupted bundle. |
| EXPORT-ATTEST-75-002 | TODO | Attestation Bundle Guild, Docs Guild | EXPORT-ATTEST-75-001 | Document `/docs/modules/attestor/airgap.md` with bundle workflows and verification steps. | Doc merged with banner; examples verified. |

7
src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md
View File

@@ -1,7 +0,0 @@
# DevPortal Offline Export Task Board — Epic 17: SDKs & OpenAPI Docs
## Sprint 64 Bundle Implementation
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| DVOFF-64-001 | DONE (2025-11-05) | DevPortal Offline Guild, Exporter Guild | DEVPORT-64-001, SDKREL-64-002 | Implement Export Center job `devportal --offline` bundling portal HTML, specs, SDK artifacts, changelogs, and verification manifest. | Job executes in staging; manifest contains checksums + DSSE signatures; docs updated. |
| DVOFF-64-002 | TODO | DevPortal Offline Guild, AirGap Controller Guild | DVOFF-64-001 | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. | CLI command validates signatures; integration test covers corrupted bundle; runbook updated. |

13
src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md
View File

@@ -1,13 +0,0 @@
# Risk Bundle Export Task Board — Epic 18: Risk Scoring Profiles
## Sprint 69 Bundle Builder
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| RISK-BUNDLE-69-001 | TODO | Risk Bundle Export Guild, Risk Engine Guild | RISK-ENGINE-67-003 | Implement `stella export risk-bundle` job producing tarball with provider datasets, manifests, and DSSE signatures. | Bundle builds in staging; manifest lists datasets + TTL; signatures verified. |
| RISK-BUNDLE-69-002 | TODO | Risk Bundle Export Guild, DevOps Guild | RISK-BUNDLE-69-001 | Integrate bundle job into CI/offline kit pipelines with checksum publication. | CI produces bundle artifact; checksums in release metadata; docs updated. |
## Sprint 70 Verification & Docs
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| RISK-BUNDLE-70-001 | TODO | Risk Bundle Export Guild, CLI Guild | RISK-BUNDLE-69-001 | Provide CLI `stella risk bundle verify` command to validate bundles before import. | CLI verifies DSSE + checksums; integration tests cover tampered bundle. |
| RISK-BUNDLE-70-002 | TODO | Risk Bundle Export Guild, Docs Guild | RISK-BUNDLE-69-002 | Publish `/docs/airgap/risk-bundles.md` detailing build/import/verification workflows. | Doc merged with banner; examples validated. |

80
src/ExportCenter/StellaOps.ExportCenter/TASKS.md
View File

@@ -1,80 +0,0 @@
# Exporter Service Task Board — Epic 10: Export Center
> 2025-11-03: Link-Not-Merge migration playbook docs/migration/no-merge.md is live—coordinate export bundle staging with its rollout/backfill phases when planning advisory evidence updates.
## Sprint 35 Foundations (JSON + Mirror Full, Download Only)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-SVC-35-001 | BLOCKED (2025-10-29) | Exporter Service Guild | ORCH-SVC-35-101, LEDGER-EXPORT-35-001 | Bootstrap exporter service project, configuration, and Postgres migrations for `export_profiles`, `export_runs`, `export_inputs`, `export_distributions` with tenant scoping + tests. | Service builds/tests; migrations generated with scripts; baseline integration test seeds schema; compliance checklist recorded. |
> Blocked: waiting on Orchestrator export job contract (ORCH-SVC-35-101) and Findings Ledger export endpoints (LEDGER-EXPORT-35-001) before bootstrapping service schema.
| EXPORT-SVC-35-002 | TODO | Exporter Service Guild | EXPORT-SVC-35-001 | Implement planner + scope resolver translating filters into ledger iterators and orchestrator job payloads; include deterministic sampling and validation. | Planner passes unit/property tests; orchestrator contract documented; filter validation errors mapped. |
| EXPORT-SVC-35-003 | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Deliver JSON adapters (`json:raw`, `json:policy`) with canonical normalization, redaction allowlists, compression, and manifest counts. | JSONL outputs deterministic; redaction enforced; unit/integration tests cover advisories/VEX/SBOM/findings. |
| EXPORT-SVC-35-004 | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Build mirror (full) adapter producing filesystem layout, indexes, manifests, and README with download-only distribution. | Mirror bundle passes integration tests; indexes generated; manifest validated; docs cross-referenced. |
| EXPORT-SVC-35-005 | TODO | Exporter Service Guild | EXPORT-SVC-35-003 | Implement manifest/provenance writer and KMS signing/attestation (detached + embedded) for bundle outputs. | `export.json`/`provenance.json` generated with hashes; signatures produced via KMS; verification test passes. |
| EXPORT-SVC-35-006 | TODO | Exporter Service Guild | EXPORT-SVC-35-001..005 | Expose Export API (profiles, runs, download, SSE updates) with audit logging, concurrency controls, and viewer/operator RBAC integration. | OpenAPI published; SSE stream validated; audit logs captured; rate limits enforced in tests. |
| EXPORT-CRYPTO-90-001 `Crypto provider adoption` | TODO | Exporter Service Guild, Security Guild | SEC-CRYPTO-90-003, SEC-CRYPTO-90-004 | Ensure manifest hashing, signing, and bundle encryption flows route through `ICryptoProviderRegistry`/`ICryptoHash` (see `docs/security/crypto-routing-audit-2025-11-07.md`) so RootPack deployments can select CryptoPro/PKCS#11 providers. | Bundle manifests, DSSE signing, and encryption keys respect profile ordering; integration tests cover default + `ru-offline`; docs updated with sovereign config instructions. |
## Sprint 36 Trivy + Distribution
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-SVC-36-001 | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Implement Trivy DB adapter (core) with schema mappings, version flag gating, and validation harness. | Trivy bundle builds for fixtures; compatibility tests against reference Trivy; errors surfaced for unknown schema. |
| EXPORT-SVC-36-002 | TODO | Exporter Service Guild | EXPORT-SVC-36-001 | Add Trivy Java DB variant with shared manifest entries and adapter regression tests. | Java DB bundle produced when enabled; manifest annotated; integration tests cover optional config. |
| EXPORT-SVC-36-003 | TODO | Exporter Service Guild | EXPORT-SVC-35-006 | Build OCI distribution engine (manifests, descriptors, annotations) with registry auth support and retries. | OCI push works in integration tests; annotations present; retry/backoff validated. |
| EXPORT-SVC-36-004 | TODO | Exporter Service Guild | EXPORT-SVC-36-003 | Extend planner/run lifecycle for distribution targets (OCI/object storage) with idempotent metadata updates and retention timestamps. | Export runs track distribution state; object storage writer tested; retention metadata stored. |
## Sprint 37 Delta, Encryption, Scheduling, GA
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-SVC-37-001 | TODO | Exporter Service Guild | EXPORT-SVC-35-004 | Implement mirror delta adapter with base manifest comparison, change set generation, and content-addressed reuse. | Delta bundles generated with accurate adds/removes; manifest references base export; tests cover large datasets. |
| EXPORT-SVC-37-002 | TODO | Exporter Service Guild | EXPORT-SVC-35-005, AUTH-EXPORT-37-001 | Add bundle encryption (age/AES-GCM), key wrapping via KMS, and verification tooling for encrypted outputs. | Encrypted bundles produced; decrypt tool validated; key rotation tests pass. |
| EXPORT-SVC-37-003 | TODO | Exporter Service Guild | ORCH-SVC-37-101 | Implement export scheduling (cron/event), retention pruning, retry idempotency, and failure classification. | Schedules persisted; retention jobs prune data; retries clean; metrics/logs emitted. |
| EXPORT-SVC-37-004 | TODO | Exporter Service Guild | EXPORT-SVC-35-005 | Provide verification API to stream manifests/hashes, compute hash+signature checks, and return attest status for CLI/UI. | Verification endpoint live; integration tests cover success/failure; metrics track verify attempts. |
## CLI Parity & Task Packs Integration
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-SVC-43-001 | TODO | Exporter Service Guild | PACKS-REG-41-001, TASKRUN-41-001 | Integrate pack run manifests/artifacts into export bundles and CLI verification flows; expose provenance links. | Pack run exports available; manifests signed; CLI verify uses exports; tests cover workflow. |
## Authority-Backed Scopes & Tenancy (Epic 14)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-TEN-48-001 | TODO | Exporter Service Guild | WEB-TEN-48-001 | Prefix artifacts/manifests with tenant/project, enforce scope checks, and prevent cross-tenant exports unless explicitly whitelisted; update provenance. | Exports contain tenant id; cross-tenant attempt denied; tests cover scope enforcement. |
## Observability & Forensics (Epic 15)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-OBS-50-001 | TODO | Exporter Service Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Adopt telemetry core in exporter service + workers, ensuring spans/logs capture profile id, tenant, artifact counts, distribution type, and trace IDs. | Telemetry confirmed via integration tests; logging contract validated; CLI trace linking works. |
| EXPORT-OBS-51-001 | TODO | Exporter Service Guild, DevOps Guild | EXPORT-OBS-50-001, TELEMETRY-OBS-51-001 | Emit metrics for export planner latency, bundle build time, distribution success rate, bundle size, and define SLOs (bundle availability P95 <90s). Add Grafana dashboards + burn-rate alerts. | Metrics visible; alerts tested; documentation updated. |
| EXPORT-OBS-52-001 | TODO | Exporter Service Guild | EXPORT-OBS-50-001, TIMELINE-OBS-52-002 | Publish timeline events for export lifecycle (`export.requested`, `export.built`, `export.distributed`, `export.failed`) embedding manifest hashes and evidence refs. Provide dedupe + retry logic. | Timeline events verified; duplicates suppressed; docs record schema. |
| EXPORT-OBS-53-001 | TODO | Exporter Service Guild, Evidence Locker Guild | EXPORT-OBS-52-001, EVID-OBS-53-002 | Push export manifests + distribution transcripts to evidence locker bundles, ensuring Merkle root alignment and DSSE pre-sign data available. | Evidence bundles include export data; manifests deterministic; integration tests pass. |
| EXPORT-OBS-54-001 | TODO | Exporter Service Guild, Provenance Guild | EXPORT-OBS-53-001, PROV-OBS-53-002 | Produce DSSE attestations for each export artifact and distribution target, expose verification API `/exports/{id}/attestation`, and integrate with CLI verify path. | Attestations generated/verified; API live; CLI integration tests updated. |
| EXPORT-OBS-55-001 | TODO | Exporter Service Guild, DevOps Guild | EXPORT-OBS-51-001, DEVOPS-OBS-55-001 | Add incident mode enhancements (extra tracing for slow exports, additional debug logs, retention bump). Emit incident activation events to timeline + notifier. | Incident mode validated; extra telemetry captured; events observed. |
## Air-Gapped Mode (Epic 16)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-AIRGAP-56-001 | TODO | Exporter Service Guild, Mirror Creator Guild | MIRROR-CRT-56-001, AIRGAP-IMP-56-001 | Extend Export Center to build Mirror Bundles as export profiles, including advisories/VEX/policy packs manifesting DSSE/TUF metadata. | Export profile produces bundle matching mirror spec; verification succeeds; audit entry stored. |
| EXPORT-AIRGAP-56-002 | TODO | Exporter Service Guild, DevOps Guild | EXPORT-AIRGAP-56-001, DEVOPS-OBS-50-003 | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gapped deployment. | Bootstrap pack generated; digests recorded; documentation stubbed. |
| EXPORT-AIRGAP-57-001 | TODO | Exporter Service Guild, Evidence Locker Guild | EXPORT-AIRGAP-56-001, EVID-OBS-54-002 | Integrate portable evidence export mode producing sealed evidence bundles with DSSE signatures and chain-of-custody metadata. | Portable bundles generated and verified; CLI/Console flows consume exports; tests cover tampering. |
| EXPORT-AIRGAP-58-001 | TODO | Exporter Service Guild, Notifications Guild | EXPORT-AIRGAP-56-001, NOTIFY-OBS-51-001 | Emit notifications and timeline events when Mirror Bundles or Bootstrap packs are ready for transfer. | Notifications delivered with links; timeline events recorded; metrics updated. |
## SDKs & OpenAPI (Epic 17)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-OAS-61-001 | TODO | Exporter Service Guild, API Contracts Guild | OAS-61-001 | Update Exporter OAS covering profiles, runs, downloads, devportal exports with standard error envelope and examples. | Spec complete; lint passes; examples validated. |
| EXPORT-OAS-61-002 | TODO | Exporter Service Guild | EXPORT-OAS-61-001 | Provide `/.well-known/openapi` discovery endpoint with version metadata and ETag. | Endpoint deployed; contract tests cover discovery. |
| EXPORT-OAS-62-001 | TODO | Exporter Service Guild, SDK Generator Guild | EXPORT-OAS-61-001, SDKGEN-63-001 | Ensure SDKs include export profile/run clients with streaming download helpers; add smoke tests. | SDK tests download/export artifact; documentation includes snippets. |
| EXPORT-OAS-63-001 | TODO | Exporter Service Guild, API Governance Guild | APIGOV-63-001 | Implement deprecation headers and notifications for legacy export endpoints. | Headers emitted; notifications pipeline validated. |
## Risk Profiles (Epic 18)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-RISK-69-001 | TODO | Exporter Service Guild, Risk Bundle Export Guild | RISK-BUNDLE-69-001 | Add Export Center job handler `risk-bundle` with provider selection, manifest signing, and audit logging. | Job deploys; manifest stored; audit logs include actor and scope. |
| EXPORT-RISK-69-002 | TODO | Exporter Service Guild, Risk Engine Guild | EXPORT-RISK-69-001 | Enable simulation report exports pulling scored data + explainability snapshots. | Simulation exports available via API/CLI; tests ensure deterministic output. |
| EXPORT-RISK-70-001 | TODO | Exporter Service Guild, DevOps Guild | EXPORT-RISK-69-001 | Integrate risk bundle builds into offline kit packaging with checksum verification. | Offline kit includes risk bundle; verification pipeline passes; docs updated. |
## Attestor Console (Epic 19)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| EXPORT-ATTEST-74-001 | TODO | Exporter Service Guild, Attestation Bundle Guild | ATTESTOR-74-002 | Implement attestation bundle export job via Export Center. | Job builds bundle; manifest signed; tests pass. |
| EXPORT-ATTEST-75-001 | TODO | Exporter Service Guild | EXPORT-ATTEST-74-001 | Integrate attestation bundles into offline kit flows and CLI commands. | Offline kit updated; CLI `export attestation-bundle` operational; docs refreshed. |