feat: Implement IsolatedReplayContext for deterministic audit replay

- Added IsolatedReplayContext class to provide an isolated environment for replaying audit bundles without external calls. - Introduced methods for initializing the context, verifying input digests, and extracting inputs for policy evaluation. - Created supporting interfaces and options for context configuration. feat: Create ReplayExecutor for executing policy re-evaluation and verdict comparison - Developed ReplayExecutor class to handle the execution of replay processes, including input verification and verdict comparison. - Implemented detailed drift detection and error handling during replay execution. - Added interfaces for policy evaluation and replay execution options. feat: Add ScanSnapshotFetcher for fetching scan data and snapshots - Introduced ScanSnapshotFetcher class to retrieve necessary scan data and snapshots for audit bundle creation. - Implemented methods to fetch scan metadata, advisory feeds, policy snapshots, and VEX statements. - Created supporting interfaces for scan data, feed snapshots, and policy snapshots.
2025-12-23 07:46:34 +02:00
parent e47627cfff
commit 7e384ab610
77 changed files with 153346 additions and 209 deletions
--- a/src/Policy/StellaOps.Policy.Gateway/Services/DeltaSnapshotServiceAdapter.cs
+++ b/src/Policy/StellaOps.Policy.Gateway/Services/DeltaSnapshotServiceAdapter.cs
@@ -0,0 +1,67 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+// Sprint: SPRINT_4100_0004_0001 - Security State Delta & Verdict
+// Task: T6 - Add Delta API endpoints
+
+using StellaOps.Policy.Deltas;
+using StellaOps.Policy.Snapshots;
+
+namespace StellaOps.Policy.Gateway.Services;
+
+/// <summary>
+/// Adapter that bridges between the KnowledgeSnapshotManifest-based snapshot store
+/// and the SnapshotData interface required by the DeltaComputer.
+/// </summary>
+public sealed class DeltaSnapshotServiceAdapter : StellaOps.Policy.Deltas.ISnapshotService
+{
+    private readonly ISnapshotStore _snapshotStore;
+    private readonly ILogger<DeltaSnapshotServiceAdapter> _logger;
+
+    public DeltaSnapshotServiceAdapter(
+        ISnapshotStore snapshotStore,
+        ILogger<DeltaSnapshotServiceAdapter> logger)
+    {
+        _snapshotStore = snapshotStore ?? throw new ArgumentNullException(nameof(snapshotStore));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    /// <summary>
+    /// Gets snapshot data by ID, converting from KnowledgeSnapshotManifest.
+    /// </summary>
+    public async Task<SnapshotData?> GetSnapshotAsync(string snapshotId, CancellationToken ct = default)
+    {
+        if (string.IsNullOrWhiteSpace(snapshotId))
+        {
+            return null;
+        }
+
+        var manifest = await _snapshotStore.GetAsync(snapshotId, ct).ConfigureAwait(false);
+        if (manifest is null)
+        {
+            _logger.LogDebug("Snapshot {SnapshotId} not found in store", snapshotId);
+            return null;
+        }
+
+        return ConvertToSnapshotData(manifest);
+    }
+
+    private static SnapshotData ConvertToSnapshotData(KnowledgeSnapshotManifest manifest)
+    {
+        // Get policy version from manifest sources
+        var policySource = manifest.Sources.FirstOrDefault(s => s.Type == KnowledgeSourceTypes.Policy);
+        var policyVersion = policySource?.Digest;
+
+        // Note: In a full implementation, we would fetch and parse the bundled content
+        // from each source to extract packages, reachability, VEX statements, etc.
+        // For now, we return the manifest metadata only.
+        return new SnapshotData
+        {
+            SnapshotId = manifest.SnapshotId,
+            Packages = [],
+            Reachability = [],
+            VexStatements = [],
+            PolicyViolations = [],
+            Unknowns = [],
+            PolicyVersion = policyVersion
+        };
+    }
+}