Add LDAP Distinguished Name Helper and Credential Audit Context
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.
@@ -1,7 +0,0 @@
# Scheduler ImpactIndex Task Board (Sprint 16)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SCHED-IMPACT-16-303 | TODO | Scheduler ImpactIndex Guild | SCHED-IMPACT-16-301 | Snapshot/compaction + invalidation for removed images; persistence to RocksDB/Redis per architecture. | Snapshot routine implemented; invalidation tests pass; docs describe recovery. |
> Removal tracking note: see `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/REMOVAL_NOTE.md` for follow-up actions once the roaring bitmap implementation lands.
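Review bot: the commit message describes adding LdapDistinguishedNameHelper, the credential audit context classes and the CryptoPro signing classes, but this hunk deletes the Scheduler ImpactIndex task board outright, including the still-open SCHED-IMPACT-16-303 row (snapshot/compaction + invalidation, persistence to RocksDB/Redis) and the pointer to `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/REMOVAL_NOTE.md`. Either split the board removal into its own commit or add a line to the message saying where that open item and the removal-note follow-ups are now tracked.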
@@ -1,15 +0,0 @@
# Scheduler Models Task Board (Sprint 16)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
## Policy Engine v2 (Sprint 20)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
> 2025-10-29: Added lifecycle table, environment metadata section, and diff payload breakdown to `SCHED-MODELS-20-001-POLICY-RUNS.md`; compliance checklist extended to cover new documentation.
## Graph Explorer v1 (Sprint 21)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
@@ -1,6 +0,0 @@
# Scheduler Queue Task Board (Sprint 16)
> **Status note (2025-10-19):** Scheduler DTOs and sample payloads are now available (SCHED-MODELS-16-102). Queue tasks remain pending on this board.
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
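Review bot: the 2025-10-19 status note in this hunk says queue tasks remain pending on this board, yet the file is removed with only the header and separator rows left, so the pending queue work has no named successor location. Add a pointer in the commit message (or in whatever board supersedes this one) to where the Scheduler Queue tasks are now tracked; as it stands the note's "remain pending" is deleted together with the only place that recorded it.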
@@ -1,6 +0,0 @@
# Scheduler Storage Task Board (Sprint 16)
> **Status note (2025-10-19):** Scheduler models/samples delivered in SCHED-MODELS-16-102. Tasks below remain pending for the Storage guild.
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
@@ -1,71 +0,0 @@
# Scheduler Worker Task Board (Sprint 16)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SCHED-WORKER-20-301 | DOING (2025-11-07) | Scheduler Worker Guild | POLICY-ENGINE-20-001 | Schedule policy runs via API with idempotent job tracking (policy id + target digest set), retries/backoff, and persisted run metadata for Console/CLI consumption. | `/scheduler/policy/runs` returns deterministic job IDs, status endpoints reflect progress/cancellations, retries/backoff covered by integration tests, and docs capture the API/metadata contract. |
> 2025-11-07: DTOs finalized with Web guild; policy-run targeting service replay tests passing, wiring REST surface next.
| SCHED-SURFACE-01 | TODO | Scheduler Worker Guild | SURFACE-FS-02, SCANNER-SURFACE-02 | Evaluate Surface.FS pointers when planning delta scans to avoid redundant work and prioritise drift-triggered assets. | Planner reads Surface.FS manifests; regression tests cover cache hits/misses; documentation updated. |
| SCHED-SURFACE-02 | TODO | Scheduler Worker Guild, Surface FS Guild | SURFACE-FS-02, SCHED-SURFACE-01 | Integrate Surface manifest reader to prefetch CAS manifests before scheduling reruns and persist pointer metadata alongside run plans. See `docs/modules/scanner/design/surface-fs-consumers.md` §3 for checklist. | Prefetch pipeline prevents redundant scans; scheduler persists manifest URIs/digests; integration tests cover cache hit/miss fallbacks and telemetry wiring. |
> 2025-10-27: Impact targeting sanitizes selector-constrained results, dedupes digests, and documents shard planning in `docs/SCHED-WORKER-16-202-IMPACT-TARGETING.md`.
> 2025-10-27: Planner loop processes Planning runs via PlannerExecutionService; documented in docs/SCHED-WORKER-16-201-PLANNER.md.
> 2025-10-27: Runner dispatcher + execution service documented in docs/SCHED-WORKER-16-203-RUNNER.md; queue pipeline now drives scanner invocations, aggregates deltas back into run stats, and `AddSchedulerWorker` wires the background services into the host.
## Policy Engine v2 (Sprint 20)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
> 2025-10-26: Align worker serializers with `PolicyRunRequest/Status/DiffSummary` contracts from `src/Scheduler/__Libraries/StellaOps.Scheduler.Models`. Reference fixtures in `samples/api/scheduler/` for expected payload ordering.
> 2025-10-29: `PolicyRunTargetingService` translates change-stream metadata into SBOM sets, marks no-work jobs completed, and surfaces targeting options (`Policy.Targeting`). See `docs/SCHED-WORKER-20-302-POLICY-DELTA-TARGETING.md` for supported metadata keys and behaviour.
> 2025-10-29: Added `scheduler_policy_run_events_total` + latency histogram, instrumented policy dispatch success/retry/failure/cancel paths, and upgraded structured logs with tenant/policy/run identifiers. Docs updated in `docs/SCHED-WORKER-20-301-POLICY-RUNS.md` Observability section.
## Graph Explorer v1 (Sprint 21)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
> 2025-10-29: Graph build worker background service + execution pipeline added. Cartographer + Scheduler API options documented in `docs/SCHED-WORKER-21-201-GRAPH-BUILD.md`; unit tests cover success/retry/failure paths.
> 2025-10-29: Overlay worker now polls pending jobs, posts to Cartographer overlay endpoint, and reports completion via Scheduler webhook. Config + behaviour documented in `docs/SCHED-WORKER-21-202-GRAPH-OVERLAY.md`.
| SCHED-WORKER-21-203 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-21-201 | Export metrics (`graph_build_seconds`, `graph_jobs_inflight`, `overlay_lag_seconds`) and structured logs with tenant/graph identifiers. | Metrics/traces exposed; dashboards updated; integration tests verify metrics emission. |
## Policy Engine + Editor v1 (Sprint 23)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SCHED-WORKER-23-101 | TODO | Scheduler Worker Guild, Policy Guild | POLICY-ENGINE-50-004 | Implement policy re-evaluation worker that shards assets, honours rate limits, and updates progress for Console after policy activation events. | Worker processes staging workloads; metrics (`policy_reeval_seconds`) emitted; retries/backoff validated. |
| SCHED-WORKER-23-102 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-23-101 | Add reconciliation job ensuring re-eval completion within SLA, emitting alerts on backlog and persisting status to `policy_runs`. | Reconciliation job operational with alert thresholds; integration tests simulate failure recovery; dashboards updated. |
| SCHED-WORKER-CONSOLE-23-201 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-20-301, SCHED-WORKER-23-101 | Stream run progress events (stage status, tuples processed, SLA hints) to Redis/NATS for Console SSE, with heartbeat, dedupe, and retention policy. Publish metrics + structured logs for queue lag. | Event stream schema documented, latency <2s, console integration tests consume events, metrics/alerts in place. |
| SCHED-WORKER-CONSOLE-23-202 | TODO | Scheduler Worker Guild, Policy Guild | EXPORT-CONSOLE-23-001, SCHED-WORKER-20-301 | Coordinate evidence bundle jobs (enqueue, track status, cleanup) and expose job manifests to Web gateway; ensure idempotent reruns and cancellation support. | Job lifecycle implemented with idempotent identifiers, cancellation/resume tested, manifests persisted with retention policy, runbooks updated. |
## Policy Studio (Sprint 27)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SCHED-WORKER-27-301 | TODO | Scheduler Worker Guild, Policy Registry Guild | SCHED-WORKER-20-301, REGISTRY-API-27-005 | Implement policy batch simulation worker: shard SBOM inventories, invoke Policy Engine, emit partial results, handle retries/backoff, and publish progress events. | Worker processes seeded workloads, retries/backoff validated, metrics (`policy_simulation_shard_seconds`) emitted, integration tests cover failure recovery. |
> Docs dependency: `DOCS-POLICY-27-004` blocked until batch simulation worker shipping.
| SCHED-WORKER-27-302 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-27-301, REGISTRY-API-27-005 | Build reducer job aggregating shard outputs into final manifests (counts, deltas, samples) and writing to object storage with checksums; emit completion events. | Reducer produces deterministic manifests with checksums, events notify Registry/Web, dashboards updated with aggregate latency metrics. |
> Docs dependency: `DOCS-POLICY-27-004` requires reducer outputs for bundles.
| SCHED-WORKER-27-303 | TODO | Scheduler Worker Guild, Security Guild | SCHED-WORKER-27-301, AUTH-POLICY-27-002 | Enforce tenant isolation, scope checks, and attestation integration for simulation jobs; secret scanning pipeline for uploaded policy sources. | Jobs validate tenant scope before execution, attestation metadata attached to results, secret scan failures logged/blocked, security tests added. |
> Docs dependency: `DOCS-POLICY-27-009/012` need security/runbook details once delivered.
## Exceptions v1 (Sprint 25)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SCHED-WORKER-25-101 | TODO | Scheduler Worker Guild, Policy Guild | POLICY-ENGINE-70-005 | Implement exception lifecycle worker handling auto-activation/expiry and publishing `exception.*` events with retries/backoff. | Worker transitions exceptions correctly; events emitted with metrics; tests cover activation/expiry paths. |
| SCHED-WORKER-25-102 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-25-101 | Add expiring notification job generating digests, marking `expiring` state, updating metrics/alerts. | Notifications produced; metrics/alerts configured; documentation updated. |
## Reachability v1 (Sprint 26)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SCHED-WORKER-26-201 | TODO | Scheduler Worker Guild, Signals Guild | SIGNALS-24-004 | Build reachability joiner worker that combines SBOM snapshots with signals, writes cached facts, and schedules updates on new events. | Worker processes fixtures; cache updated; metrics emitted; tests cover event-triggered runs. |
| SCHED-WORKER-26-202 | TODO | Scheduler Worker Guild | SCHED-WORKER-26-201 | Implement staleness monitor + notifier for outdated reachability facts, publishing warnings and updating dashboards. | Monitor flags stale assets; notifications emitted; documentation updated. |
## Vulnerability Explorer (Sprint 29)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SCHED-WORKER-29-001 | TODO | Scheduler Worker Guild, Findings Ledger Guild | SBOM-VULN-29-001, CONCELIER-VULN-29-001, EXCITITOR-VULN-29-001 | Implement resolver worker generating candidate findings from inventory + advisory evidence, respecting ecosystem version semantics and path scope; emit jobs for policy evaluation. | Worker produces deterministic candidates; property tests cover version comparisons; metrics emitted (`resolver_candidates_total`). |
| SCHED-WORKER-29-002 | TODO | Scheduler Worker Guild, Policy Guild | SCHED-WORKER-29-001, POLICY-ENGINE-29-001 | Build evaluation orchestration worker invoking Policy Engine batch eval, writing results to Findings Ledger projector queue, and handling retries/backoff. | Evaluation worker meets SLA; retries documented; integration tests cover failure modes. |
| SCHED-WORKER-29-003 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-29-001..002 | Add monitoring for resolver/evaluation backlog, SLA breaches, and export job queue; expose metrics/alerts feeding DevOps dashboards. | Metrics/alerts live; runbooks updated; CI verifies metric emission. |
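Review bot: this hunk deletes a board that still carries live state: SCHED-WORKER-20-301 is marked DOING (2025-11-07) with a note that the REST surface is being wired next, and SCHED-WORKER-27-303 (tenant isolation, scope checks, attestation integration and secret scanning for uploaded policy sources) is TODO with the Security Guild as co-owner. Removing the file with no migration drops the exit criteria for those security controls (tenant scope validated before execution, secret scan failures logged/blocked, security tests added); please state in the commit message where they move. Note also that Docs CI / lint-and-preview was cancelled on this push, so the documentation change has not been linted.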