From 88a85cdd92394204a7a8877e62f9f32df07848d9 Mon Sep 17 00:00:00 2001 From: master <> Date: Thu, 15 Jan 2026 18:37:59 +0200 Subject: [PATCH] old sprints work, new sprints for exposing functionality via cli, improve code_of_conduct and other agents instructions --- AGENTS.md | 934 ++++-------------- CLAUDE.md | 840 +--------------- devops/tools/cosign/cosign | 0 docs/GOVERNANCE.md | 1 - docs/README.md | 100 +- docs/UI_GUIDE.md | 72 ++ docs/VEX_CONSENSUS_GUIDE.md | 93 ++ docs/api/evidence-decision-api.openapi.yaml | 272 ++++- docs/api/findings-scoring.md | 105 ++ docs/api/triage-export-api-reference.md | 26 + docs/architecture/integrations.md | 260 +++++ docs/code-of-conduct/CODE_OF_CONDUCT.md | 693 ++++++++++++- docs/code-of-conduct/COMMUNITY_CONDUCT.md | 88 ++ .../COMPLIANCE_READINESS_TRACKER.md | 320 ++++++ docs/flows/10-cicd-gate-flow.md | 113 +++ ..._BE_findings_scoring_attested_reduction.md | 18 +- ...E_policy_determinization_attested_rules.md | 19 +- ...PRINT_20260112_004_FE_attested_score_ui.md | 5 +- ...60112_004_PLATFORM_setup_wizard_backend.md | 12 +- ...LICY_unknowns_determinization_greyqueue.md | 19 +- ...60112_004_SCANNER_path_witness_nodehash.md | 9 +- ...20260112_004_VULN_vex_override_workflow.md | 3 +- ...PRINT_20260112_005_BE_evidence_card_api.md | 9 +- ..._20260112_005_FE_setup_wizard_ui_wiring.md | 9 +- ...0112_005_SCANNER_epss_reanalysis_events.md | 3 +- ...T_20260112_005_SIGNALS_runtime_nodehash.md | 3 +- ...0260112_006_EXCITITOR_vex_change_events.md | 6 +- ...SPRINT_20260112_006_FE_evidence_card_ui.md | 12 +- ...260112_006_INTEGRATIONS_scm_annotations.md | 3 +- ...0260112_007_ATTESTOR_rekor_entry_events.md | 6 +- ...0260112_007_BE_remediation_pr_generator.md | 12 +- ..._20260112_007_SCANNER_pr_mr_annotations.md | 5 +- ...0112_008_LB_binary_diff_evidence_models.md | 3 +- ...12_008_SIGNALS_runtime_telemetry_events.md | 9 +- ...PRINT_20260112_009_FE_unknowns_queue_ui.md | 7 +- ...2_009_SCANNER_binary_diff_bundle_export.md | 9 +- ...0260112_010_CLI_unknowns_grey_queue_cli.md | 10 +- ...112_011_CLI_evidence_card_remediate_cli.md | 15 +- ...11_FE_policy_unknowns_queue_integration.md | 11 +- ...0260112_012_FE_remediation_pr_ui_wiring.md | 3 +- ...OLICY_determinization_reanalysis_config.md | 13 +- ...0112_013_FE_determinization_config_pane.md | 9 +- ...PRINT_20260112_013_FE_witness_ui_wiring.md | 3 +- .../SPRINT_20260112_014_CLI_config_viewer.md | 11 +- ...PRINT_20260112_014_CLI_witness_commands.md | 10 +- ...60112_015_SIGNER_path_witness_predicate.md | 3 +- ..._20260112_016_CLI_attest_verify_offline.md | 69 ++ ...NT_20260112_016_CLI_sbom_verify_offline.md | 73 ++ ...20260112_016_DOCS_blue_green_deployment.md | 53 + ...12_016_SCANNER_signed_sbom_archive_spec.md | 90 ++ ...TTESTOR_checkpoint_divergence_detection.md | 89 ++ ...260112_017_ATTESTOR_periodic_rekor_sync.md | 101 ++ ...12_017_CRYPTO_pkcs11_hsm_implementation.md | 82 ++ ...20260112_017_POLICY_cvss_threshold_gate.md | 109 ++ ..._20260112_017_POLICY_sbom_presence_gate.md | 128 +++ ...0112_017_POLICY_signature_required_gate.md | 150 +++ ...T_20260112_018_AUTH_local_rbac_fallback.md | 157 +++ ...T_20260112_018_CRYPTO_key_escrow_shamir.md | 143 +++ ...OCS_upgrade_runbook_evidence_continuity.md | 131 +++ ...T_20260112_018_EVIDENCE_reindex_tooling.md | 157 +++ ...0112_018_SIGNER_dual_control_ceremonies.md | 143 +++ docs/modules/advisory-ai/guides/api.md | 53 +- docs/modules/attestor/architecture.md | 183 ++-- .../operations/break-glass-account.md | 330 +++++++ .../guides/commands/evidence-bundle-format.md | 77 ++ docs/modules/excititor/architecture.md | 105 ++ docs/modules/platform/platform-service.md | 72 ++ docs/modules/policy/determinization-api.md | 44 +- .../appendices/evidence-schema.md | 17 + .../scanner/signed-sbom-archive-spec.md | 334 +++++++ .../signals/guides/unknowns-ranking.md | 80 ++ .../guides/signed-vex-override-workflow.md | 247 +++++ docs/operations/blue-green-deployment.md | 294 ++++++ docs/operations/hsm-setup-runbook.md | 329 ++++++ docs/operations/upgrade-runbook.md | 381 +++++++ docs/product/stella_ops_offer_pricing.md | 234 +++++ docs/security/README.md | 2 +- docs/setup/setup-wizard-inventory.md | 53 +- .../Contracts/RemediationContracts.cs | 6 + .../Remediation/GitHubPullRequestGenerator.cs | 253 ++++- .../Remediation/IPullRequestGenerator.cs | 6 + .../GitHubPullRequestGeneratorTests.cs | 336 +++++++ .../EvidenceCardExportIntegrationTests.cs | 358 +++++++ .../Rekor/RekorEntryEventTests.cs | 276 ++++++ .../LocalPolicy/FileBasedPolicyStoreTests.cs | 337 +++++++ .../LocalPolicy/BreakGlassSessionManager.cs | 551 +++++++++++ .../LocalPolicy/FileBasedPolicyStore.cs | 483 +++++++++ .../LocalPolicy/ILocalPolicyStore.cs | 156 +++ .../LocalPolicy/LocalPolicyModels.cs | 319 ++++++ .../LocalPolicy/LocalPolicyStoreOptions.cs | 100 ++ .../LocalPolicy/PolicyStoreFallback.cs | 378 +++++++ .../StellaOps.Cli/Commands/CommandFactory.cs | 219 ++++ .../Commands/CommandHandlers.Config.cs | 303 ++++++ .../Commands/CommandHandlers.Witness.cs | 313 +++--- .../StellaOps.Cli/Commands/ConfigCatalog.cs | 431 ++++++++ .../Commands/ConfigCommandGroup.cs | 54 + .../Commands/EvidenceCommandGroup.cs | 496 +++++++++- .../Commands/UnknownsCommandGroup.cs | 738 ++++++++++++++ .../Services/BackendOperationsClient.cs | 94 ++ .../Services/IBackendOperationsClient.cs | 7 + .../Services/Models/WitnessModels.cs | 468 +++++++++ .../Commands/ConfigCommandTests.cs | 203 ++++ .../Commands/UnknownsGreyQueueCommandTests.cs | 341 +++++++ .../StellaOps.Cli.Tests/OpenPrCommandTests.cs | 244 +++++ .../StellaOps.Cli.Tests.csproj | 1 + src/Concelier/seed-data | 0 src/Directory.Packages.props | 3 +- .../VexStatementChangeEventTests.cs | 313 ++++++ .../Program.cs | 1 + .../Services/EvidenceGraphBuilder.cs | 12 + .../Services/FindingEvidenceProvider.cs | 290 ++++++ .../Services/FindingScoringService.cs | 75 +- .../Services/FindingScoringServiceTests.cs | 352 +++++++ .../Constants/PlatformPolicies.cs | 3 + .../Constants/PlatformScopes.cs | 3 + .../Contracts/SetupWizardModels.cs | 372 +++++++ .../Endpoints/SetupEndpoints.cs | 288 ++++++ .../StellaOps.Platform.WebService/Program.cs | 7 + .../Services/PlatformSetupService.cs | 475 +++++++++ .../DeterminizationConfigEndpoints.cs | 316 ++++++ .../Endpoints/UnknownsEndpoints.cs | 69 +- .../Determinization/SignalSnapshotBuilder.cs | 84 +- .../Policies/DeterminizationRuleSet.cs | 63 ++ .../Policies/IDeterminizationPolicy.cs | 5 + .../Subscriptions/DeterminizationEvents.cs | 20 + .../Subscriptions/SignalUpdateHandler.cs | 158 ++- .../DeterminizationOptions.cs | 171 ++++ .../Evidence/BackportEvidence.cs | 14 + .../Evidence/EvidenceAnchor.cs | 94 ++ .../Evidence/ReachabilityEvidence.cs | 14 + .../Evidence/RuntimeEvidence.cs | 14 + .../IDeterminizationConfigStore.cs | 210 ++++ .../Models/DeterminizationResult.cs | 8 + .../Models/ReanalysisFingerprint.cs | 297 ++++++ .../Models/SignalConflictExtensions.cs | 80 ++ .../Scoring/ConflictDetector.cs | 306 ++++++ .../Models/Unknown.cs | 48 + .../Gates/CvssThresholdGate.cs | 349 +++++++ .../Gates/CvssThresholdGateExtensions.cs | 80 ++ .../Gates/SbomPresenceGate.cs | 470 +++++++++ .../Gates/SbomPresenceGateExtensions.cs | 80 ++ .../Gates/SignatureRequiredGate.cs | 501 ++++++++++ .../Gates/SignatureRequiredGateExtensions.cs | 80 ++ .../StellaOps.Policy/Gates/VexProofGate.cs | 111 +++ .../DeterminizationOptionsTests.cs | 216 ++++ .../Models/ReanalysisFingerprintTests.cs | 181 ++++ .../Scoring/ConflictDetectorTests.cs | 239 +++++ .../Gates/CvssThresholdGateTests.cs | 347 +++++++ .../Gates/SbomPresenceGateTests.cs | 384 +++++++ .../Gates/SignatureRequiredGateTests.cs | 450 +++++++++ .../Gates/VexProofGateTests.cs | 268 +++++ .../Services/EvidenceBundleExporter.cs | 39 + .../Services/PrAnnotationService.cs | 133 ++- .../Witnesses/PathWitness.cs | 60 ++ .../Witnesses/PathWitnessBuilder.cs | 118 ++- .../SarifExportServiceTests.cs | 110 +++ .../StellaOps.Scanner.Sarif/FindingInput.cs | 36 + .../SarifExportService.cs | 37 + .../Epss/EpssChangeEventDeterminismTests.cs | 486 +++++++++ .../PathWitnessBuilderTests.cs | 195 ++++ .../EvidenceBundleExporterBinaryDiffTests.cs | 234 +++++ .../PrAnnotationServiceTests.cs | 274 +++++ .../Normalizers/INormalizerAggregator.cs | 61 ++ .../Services/IEventsPublisher.cs | 7 + .../Services/InMemoryEventsPublisher.cs | 10 + .../Services/MessagingEventsPublisher.cs | 21 + .../Services/NullEventsPublisher.cs | 4 + .../Services/RedisEventsPublisher.cs | 47 + .../Services/RouterEventsPublisher.cs | 55 ++ .../Services/RuntimeFactsIngestionService.cs | 124 +++ .../RuntimeNodeHashTests.cs | 286 ++++++ .../RuntimeUpdatedEventTests.cs | 270 +++++ .../Ceremonies/CeremonyAuditEvents.cs | 233 +++++ .../Ceremonies/CeremonyModels.cs | 375 +++++++ .../Ceremonies/CeremonyOptions.cs | 159 +++ .../Ceremonies/CeremonyOrchestrator.cs | 549 ++++++++++ .../Ceremonies/CeremonyStateMachine.cs | 140 +++ .../Ceremonies/ICeremonyOrchestrator.cs | 153 +++ .../Ceremonies/ICeremonyRepository.cs | 117 +++ .../Ceremonies/CeremonyStateMachineTests.cs | 154 +++ .../Contract/PredicateTypesTests.cs | 181 ++++ .../src/app/core/api/advisory-ai.client.ts | 97 ++ .../src/app/core/api/advisory-ai.models.ts | 204 ++++ .../core/api/determinization-config.client.ts | 161 +++ .../src/app/core/api/evidence-pack.models.ts | 69 +- .../src/app/core/api/scoring.models.ts | 208 +++- .../src/app/core/api/unknowns.client.ts | 72 ++ .../src/app/core/api/unknowns.models.ts | 155 +++ .../src/app/core/api/witness.models.ts | 64 ++ .../evidence-pack-viewer.component.spec.ts | 221 +++++ .../evidence-pack-viewer.component.ts | 34 + ...erminization-config-pane.component.spec.ts | 256 +++++ .../determinization-config-pane.component.ts | 465 +++++++++ .../services/setup-wizard-api.service.spec.ts | 486 ++++++++- .../services/setup-wizard-api.service.ts | 631 +++++++++--- .../setup-wizard-state.service.spec.ts | 210 +++- .../services/setup-wizard-state.service.ts | 211 +++- .../determinization-review.component.spec.ts | 213 ++++ .../determinization-review.component.ts | 392 ++++++++ .../grey-queue-dashboard.component.spec.ts | 221 +++++ .../grey-queue-dashboard.component.ts | 294 ++++++ .../unknowns-tracking/unknowns.routes.ts | 13 + .../grey-queue-panel.component.spec.ts | 211 ++++ .../unknowns/grey-queue-panel.component.ts | 239 +++++ .../score-breakdown-popover.component.html | 112 +++ .../score-breakdown-popover.component.scss | 178 ++++ .../score-breakdown-popover.component.ts | 80 ++ .../BinaryDiffEvidenceTests.cs | 305 ++++++ 208 files changed, 32271 insertions(+), 2287 deletions(-) mode change 100644 => 120000 CLAUDE.md mode change 120000 => 100644 devops/tools/cosign/cosign create mode 100644 docs/architecture/integrations.md create mode 100644 docs/code-of-conduct/COMMUNITY_CONDUCT.md create mode 100644 docs/compliance/COMPLIANCE_READINESS_TRACKER.md create mode 100644 docs/implplan/SPRINT_20260112_016_CLI_attest_verify_offline.md create mode 100644 docs/implplan/SPRINT_20260112_016_CLI_sbom_verify_offline.md create mode 100644 docs/implplan/SPRINT_20260112_016_DOCS_blue_green_deployment.md create mode 100644 docs/implplan/SPRINT_20260112_016_SCANNER_signed_sbom_archive_spec.md create mode 100644 docs/implplan/SPRINT_20260112_017_ATTESTOR_checkpoint_divergence_detection.md create mode 100644 docs/implplan/SPRINT_20260112_017_ATTESTOR_periodic_rekor_sync.md create mode 100644 docs/implplan/SPRINT_20260112_017_CRYPTO_pkcs11_hsm_implementation.md create mode 100644 docs/implplan/SPRINT_20260112_017_POLICY_cvss_threshold_gate.md create mode 100644 docs/implplan/SPRINT_20260112_017_POLICY_sbom_presence_gate.md create mode 100644 docs/implplan/SPRINT_20260112_017_POLICY_signature_required_gate.md create mode 100644 docs/implplan/SPRINT_20260112_018_AUTH_local_rbac_fallback.md create mode 100644 docs/implplan/SPRINT_20260112_018_CRYPTO_key_escrow_shamir.md create mode 100644 docs/implplan/SPRINT_20260112_018_DOCS_upgrade_runbook_evidence_continuity.md create mode 100644 docs/implplan/SPRINT_20260112_018_EVIDENCE_reindex_tooling.md create mode 100644 docs/implplan/SPRINT_20260112_018_SIGNER_dual_control_ceremonies.md create mode 100644 docs/modules/authority/operations/break-glass-account.md create mode 100644 docs/modules/scanner/signed-sbom-archive-spec.md create mode 100644 docs/modules/vuln-explorer/guides/signed-vex-override-workflow.md create mode 100644 docs/operations/blue-green-deployment.md create mode 100644 docs/operations/hsm-setup-runbook.md create mode 100644 docs/operations/upgrade-runbook.md create mode 100644 docs/product/stella_ops_offer_pricing.md create mode 100644 src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/GitHubPullRequestGeneratorTests.cs create mode 100644 src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/Integration/EvidenceCardExportIntegrationTests.cs create mode 100644 src/Attestor/__Tests/StellaOps.Attestor.Core.Tests/Rekor/RekorEntryEventTests.cs create mode 100644 src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/LocalPolicy/FileBasedPolicyStoreTests.cs create mode 100644 src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/BreakGlassSessionManager.cs create mode 100644 src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/FileBasedPolicyStore.cs create mode 100644 src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/ILocalPolicyStore.cs create mode 100644 src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/LocalPolicyModels.cs create mode 100644 src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/LocalPolicyStoreOptions.cs create mode 100644 src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/PolicyStoreFallback.cs create mode 100644 src/Cli/StellaOps.Cli/Commands/CommandHandlers.Config.cs create mode 100644 src/Cli/StellaOps.Cli/Commands/ConfigCatalog.cs create mode 100644 src/Cli/StellaOps.Cli/Commands/ConfigCommandGroup.cs create mode 100644 src/Cli/StellaOps.Cli/Services/Models/WitnessModels.cs create mode 100644 src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ConfigCommandTests.cs create mode 100644 src/Cli/__Tests/StellaOps.Cli.Tests/Commands/UnknownsGreyQueueCommandTests.cs create mode 100644 src/Cli/__Tests/StellaOps.Cli.Tests/OpenPrCommandTests.cs mode change 120000 => 100644 src/Concelier/seed-data create mode 100644 src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/Observations/VexStatementChangeEventTests.cs create mode 100644 src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingEvidenceProvider.cs create mode 100644 src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Services/FindingScoringServiceTests.cs create mode 100644 src/Platform/StellaOps.Platform.WebService/Contracts/SetupWizardModels.cs create mode 100644 src/Platform/StellaOps.Platform.WebService/Endpoints/SetupEndpoints.cs create mode 100644 src/Platform/StellaOps.Platform.WebService/Services/PlatformSetupService.cs create mode 100644 src/Policy/StellaOps.Policy.Engine/Endpoints/DeterminizationConfigEndpoints.cs create mode 100644 src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/EvidenceAnchor.cs create mode 100644 src/Policy/__Libraries/StellaOps.Policy.Determinization/IDeterminizationConfigStore.cs create mode 100644 src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ReanalysisFingerprint.cs create mode 100644 src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/SignalConflictExtensions.cs create mode 100644 src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/ConflictDetector.cs create mode 100644 src/Policy/__Libraries/StellaOps.Policy/Gates/CvssThresholdGate.cs create mode 100644 src/Policy/__Libraries/StellaOps.Policy/Gates/CvssThresholdGateExtensions.cs create mode 100644 src/Policy/__Libraries/StellaOps.Policy/Gates/SbomPresenceGate.cs create mode 100644 src/Policy/__Libraries/StellaOps.Policy/Gates/SbomPresenceGateExtensions.cs create mode 100644 src/Policy/__Libraries/StellaOps.Policy/Gates/SignatureRequiredGate.cs create mode 100644 src/Policy/__Libraries/StellaOps.Policy/Gates/SignatureRequiredGateExtensions.cs create mode 100644 src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/DeterminizationOptionsTests.cs create mode 100644 src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/Models/ReanalysisFingerprintTests.cs create mode 100644 src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/Scoring/ConflictDetectorTests.cs create mode 100644 src/Policy/__Tests/StellaOps.Policy.Tests/Gates/CvssThresholdGateTests.cs create mode 100644 src/Policy/__Tests/StellaOps.Policy.Tests/Gates/SbomPresenceGateTests.cs create mode 100644 src/Policy/__Tests/StellaOps.Policy.Tests/Gates/SignatureRequiredGateTests.cs create mode 100644 src/Policy/__Tests/StellaOps.Policy.Tests/Gates/VexProofGateTests.cs create mode 100644 src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Epss/EpssChangeEventDeterminismTests.cs create mode 100644 src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/EvidenceBundleExporterBinaryDiffTests.cs create mode 100644 src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/PrAnnotationServiceTests.cs create mode 100644 src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/RuntimeNodeHashTests.cs create mode 100644 src/Signals/__Tests/StellaOps.Signals.Tests/RuntimeUpdatedEventTests.cs create mode 100644 src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyAuditEvents.cs create mode 100644 src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyModels.cs create mode 100644 src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOptions.cs create mode 100644 src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOrchestrator.cs create mode 100644 src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyStateMachine.cs create mode 100644 src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyOrchestrator.cs create mode 100644 src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyRepository.cs create mode 100644 src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Ceremonies/CeremonyStateMachineTests.cs create mode 100644 src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Contract/PredicateTypesTests.cs create mode 100644 src/Web/StellaOps.Web/src/app/core/api/determinization-config.client.ts create mode 100644 src/Web/StellaOps.Web/src/app/features/evidence-pack/evidence-pack-viewer.component.spec.ts create mode 100644 src/Web/StellaOps.Web/src/app/features/settings/determinization-config-pane.component.spec.ts create mode 100644 src/Web/StellaOps.Web/src/app/features/settings/determinization-config-pane.component.ts create mode 100644 src/Web/StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.spec.ts create mode 100644 src/Web/StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.ts create mode 100644 src/Web/StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.spec.ts create mode 100644 src/Web/StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.ts create mode 100644 src/Web/StellaOps.Web/src/app/features/unknowns/grey-queue-panel.component.spec.ts create mode 100644 src/Web/StellaOps.Web/src/app/features/unknowns/grey-queue-panel.component.ts create mode 100644 src/__Tests/StellaOps.Evidence.Bundle.Tests/BinaryDiffEvidenceTests.cs diff --git a/AGENTS.md b/AGENTS.md index d054d5ed1..b84ba0270 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -1,785 +1,235 @@ -### 0) Identity — Who You Are +# AGENTS.md (Stella Ops) -You are an autonomous software engineering agent for **StellaOps**. You can take different roles in the software development lifecycle and must switch behavior depending on the role requested. - -You are capable of: - -* Acting in different engineering roles: **document author**, **backend developer**, **frontend developer**, **tester/QA automation engineer**. -* Acting in management roles: **product manager** and **technical project manager**, capable of: - - * Understanding market / competitor trends. - * Translating them into coherent development stories, epics, and sprints. -* Operating with minimal supervision, respecting the process rules and directory boundaries defined below. - -Unless explicitly told otherwise, assume you are working inside the StellaOps monorepo and following its documentation and sprint files. +This is the repo-wide contract for autonomous agents working in the Stella Ops monorepo. +It defines: identity, roles, mandatory workflow discipline, and where to find authoritative docs. --- -## Project Overview +## 0) Project overview (high level) -**Stella Ops Suite** is a self-hostable, sovereign release control plane for non-Kubernetes container estates, released under AGPL-3.0-or-later. It orchestrates environment promotions (Dev → Stage → Prod), gates releases using reachability-aware security and policy, and produces verifiable evidence for every release decision. +Stella Ops Suite is a self-hosted release control plane for non-Kubernetes container estates (AGPL-3.0-or-later). -The platform combines: -- **Release orchestration** — UI-driven promotion, approvals, policy gates, rollbacks; hook-able with scripts -- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates -- **OCI-digest-first releases** — Immutable digest-based release identity with "what is deployed where" tracking -- **Toolchain-agnostic integrations** — Plug into any SCM, CI, registry, and secrets system -- **Auditability + standards** — Evidence packets, SBOM/VEX/attestation support, deterministic replay - -Existing capabilities (operational): Reproducible vulnerability scanning with VEX-first decisioning, SBOM generation (SPDX 2.2/2.3 and CycloneDX 1.7; SPDX 3.0.1 planned), in-toto/DSSE attestations, and optional Sigstore Rekor transparency. The platform is designed for offline/air-gapped operation with regional crypto support (eIDAS/FIPS/GOST/SM). - -Planned capabilities (release orchestration): Environment management, release bundles, promotion workflows, deployment execution (Docker/Compose/ECS/Nomad agents), progressive delivery (A/B, canary), and a three-surface plugin system. See `docs/modules/release-orchestrator/README.md` for the full specification. +Core outcomes: +- Environment promotions (Dev -> Stage -> Prod) +- Policy-gated releases using reachability-aware security +- Verifiable evidence for every release decision (auditability, attestability, deterministic replay) +- Toolchain-agnostic integrations (SCM/CI/registry/secrets) via plugins +- Offline/air-gap-first posture with regional crypto support (eIDAS/FIPS/GOST/SM) --- -#### 1.1) Required Reading +## 1) Repository layout and where to look -Before doing any non-trivial work, you must assume you have read and understood: +### 1.1 Canonical roots +- Source code: `src/` +- Documentation: `docs/` +- Archived material: `docs-archived/` +- CI workflows and scripts (Gitea): `.gitea/` +- DevOps (compose/helm/scripts/telemetry): `devops/` -* `docs/README.md` -* `docs/07_HIGH_LEVEL_ARCHITECTURE.md` -* `docs/modules/platform/architecture-overview.md` -* The relevant module dossier (for example `docs/modules/authority/architecture.md`) before editing module-specific content. +### 1.2 High-value docs (entry points) +- Repo docs index: `docs/README.md` +- System architecture: `docs/07_HIGH_LEVEL_ARCHITECTURE.md` +- Platform overview: `docs/modules/platform/architecture-overview.md` -When you are told you are working in a particular module or directory, assume you have read that module’s `AGENTS.md` and architecture docs under `docs/modules//*.md`. +### 1.3 Module dossiers (deep dives) +Authoritative module design lives under: +- `docs/modules//architecture.md` (or `architecture*.md` where split) + +### 1.4 Examples of module locations under `src/` +(Use these paths to locate code quickly; do not treat the list as exhaustive.) + +- Release orchestration: `src/ReleaseOrchestrator/` +- Scanner: `src/Scanner/` +- Authority (OAuth/OIDC): `src/Authority/` +- Policy: `src/Policy/` +- Evidence: `src/EvidenceLocker/`, `src/Attestor/`, `src/Signer/`, `src/Provenance/` +- Scheduling/execution: `src/Scheduler/`, `src/Orchestrator/`, `src/TaskRunner/` +- Integrations: `src/Integrations/` +- UI: `src/Web/` +- Feeds/VEX: `src/Concelier/`, `src/Excititor/`, `src/VexLens/`, `src/VexHub/`, `src/IssuerDirectory/` +- Reachability and graphs: `src/ReachGraph/`, `src/Graph/`, `src/Cartographer/` +- Ops and observability: `src/Doctor/`, `src/Notify/`, `src/Notifier/`, `src/Telemetry/` +- Offline/air-gap: `src/AirGap/` +- Crypto plugins: `src/Cryptography/`, `src/SmRemote/` +- Tooling: `src/Tools/`, `src/Bench/`, `src/Sdk/` --- -### 2) Core Practices +## 2) Global working rules (apply in every role) -#### 2.1) Key technologies & integrations +### 2.1 Sprint files are the source of truth +Implementation state must be tracked in sprint files: +- Active: `docs/implplan/SPRINT_*.md` +- Archived: `docs-archived/implplan/` -* **Runtime**: .NET 10 (`net10.0`) with latest C# preview features. Microsoft.* dependencies should target the closest compatible versions. -* **Frontend**: Angular v17 for the UI. -* **NuGet**: Uses standard NuGet feeds configured in `nuget.config` (dotnet-public, nuget-mirror, nuget.org). Packages restore to the global NuGet cache. -* **Data**: PostgreSQL as canonical store and for job/export state. Use a PostgreSQL driver version ≥ 3.0. -* **Observability**: Structured logs, counters, and (optional) OpenTelemetry traces. -* **Ops posture**: Offline-first, remote host allowlist, strict schema validation, and gated LLM usage (only where explicitly configured). +Status discipline: +- `TODO -> DOING -> DONE` or `BLOCKED` +- If you stop without shipping: move back to `TODO` -#### 2.2) Naming conventions - -* All modules are .NET 10 projects, except the UI (Angular). -* Each module lives in one or more projects. Each project is in its own folder. -* Project naming: - - * Module projects: `StellaOps.`. - * Libraries or plugins common to multiple modules: `StellaOps.`. - -#### 2.3) Task workflow & guild coordination - -* **Always sync state before coding.** - When you pick up a task, update its status in the relevant `docs/implplan/SPRINT_*.md` entry: `TODO` → `DOING`. - If you stop without shipping, move it back to `TODO`. - When completed, set it to `DONE`. -* **Read the local agent charter first.** - Each working directory has an `AGENTS.md` describing roles, expectations, and required prep docs. Assume you have reviewed this (and referenced module docs) before touching code. -* **Mirror state across artefacts.** - Sprint files are the single source of truth. Status changes must be reflected in: - - * The `SPRINT_*.md` table. - * Commit/PR descriptions with brief context. -* **Document prerequisites.** - If onboarding docs are referenced in `AGENTS.md`, treat them as read before setting `DOING`. If new docs are needed, update the charter alongside your task updates. -* **Coordination.** - Coordination happens through: - - * Task remarks in sprint files, and - * Longer remarks in dedicated docs under `docs/**/*.md` linked from the sprint/task remarks. -* **AGENTS.md ownership and usage.** - * Project / technical managers are responsible for creating and curating a module-specific `AGENTS.md` in each working directory (for example `src/Scanner/AGENTS.md`, `src/Concelier/AGENTS.md`). This file must synthesise: - * The roles expected in that module (e.g., backend engineer, UI engineer, QA). - * Module-specific working agreements and constraints. - * Required documentation and runbooks to read before coding. - * Any module-specific testing or determinism rules. - * Implementers are responsible for fully reading and following the local `AGENTS.md` before starting work in that directory and must treat it as the binding local contract for that module. ---- - -### 3) Architecture Overview - -StellaOps is a monorepo: - -* Code in `src/**`. -* Documents in `docs/**`. -* CI/CD in Gitea workflows under `.gitea/**`. - -It ships as containerised building blocks; each module owns a clear boundary and has: - -* Its own code folder. -* Its own deployable image. -* A deep-dive architecture dossier in `docs/modules//architecture.md`. - -| Module | Primary path(s) | Key doc | -| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | -| Authority | `src/Authority/StellaOps.Authority`
`src/Authority/StellaOps.Authority.Plugin.*` | `docs/modules/authority/architecture.md` | -| Signer | `src/Signer/StellaOps.Signer` | `docs/modules/signer/architecture.md` | -| Attestor | `src/Attestor/StellaOps.Attestor`
`src/Attestor/StellaOps.Attestor.Verify` | `docs/modules/attestor/architecture.md` | -| Concelier | `src/Concelier/StellaOps.Concelier.WebService`
`src/Concelier/__Libraries/StellaOps.Concelier.*` | `docs/modules/concelier/architecture.md` | -| Excititor | `src/Excititor/StellaOps.Excititor.WebService`
`src/Excititor/__Libraries/StellaOps.Excititor.*` | `docs/modules/excititor/architecture.md` | -| Policy Engine | `src/Policy/StellaOps.Policy.Engine`
`src/Policy/__Libraries/StellaOps.Policy.*` | `docs/modules/policy/architecture.md` | -| Scanner | `src/Scanner/StellaOps.Scanner.WebService`
`src/Scanner/StellaOps.Scanner.Worker`
`src/Scanner/__Libraries/StellaOps.Scanner.*` | `docs/modules/scanner/architecture.md` | -| Scheduler | `src/Scheduler/StellaOps.Scheduler.WebService`
`src/Scheduler/StellaOps.Scheduler.Worker` | `docs/modules/scheduler/architecture.md` | -| CLI | `src/Cli/StellaOps.Cli`
`src/Cli/StellaOps.Cli.Core`
`src/Cli/StellaOps.Cli.Plugins.*` | `docs/modules/cli/architecture.md` | -| UI / Console | `src/Web/StellaOps.Web` | `docs/modules/ui/architecture.md` | -| Notify | `src/Notify/StellaOps.Notify.WebService`
`src/Notify/StellaOps.Notify.Worker` | `docs/modules/notify/architecture.md` | -| Export Center | `src/ExportCenter/StellaOps.ExportCenter.WebService`
`src/ExportCenter/StellaOps.ExportCenter.Worker` | `docs/modules/export-center/architecture.md` | -| Registry Token Service | `src/Registry/StellaOps.Registry.TokenService`
`src/Registry/__Tests/StellaOps.Registry.TokenService.Tests` | `docs/modules/registry/architecture.md` | -| Advisory AI | `src/AdvisoryAI/StellaOps.AdvisoryAI` | `docs/modules/advisory-ai/architecture.md` | -| Orchestrator | `src/Orchestrator/StellaOps.Orchestrator` | `docs/modules/orchestrator/architecture.md` | -| Vulnerability Explorer | `src/VulnExplorer/StellaOps.VulnExplorer.Api` | `docs/modules/vuln-explorer/architecture.md` | -| VEX Lens | `src/VexLens/StellaOps.VexLens` | `docs/modules/vex-lens/architecture.md` | -| Graph Explorer | `src/Graph/StellaOps.Graph.Api`
`src/Graph/StellaOps.Graph.Indexer` | `docs/modules/graph/architecture.md` | -| Telemetry Stack | `devops/telemetry` | `docs/modules/telemetry/architecture.md` | -| DevOps / Release | `devops/` | `docs/modules/devops/architecture.md` | -| Platform | *(cross-cutting docs)* | `docs/modules/platform/architecture-overview.md` | -| CI Recipes | *(pipeline templates)* | `docs/modules/ci/architecture.md` | -| Zastava | `src/Zastava/StellaOps.Zastava.Observer`
`src/Zastava/StellaOps.Zastava.Webhook`
`src/Zastava/StellaOps.Zastava.Core` | `docs/modules/zastava/architecture.md` | - -#### 3.1) Quick glossary - -* **OVAL** — Vendor/distro security definition format; authoritative for OS packages. -* **NEVRA / EVR** — RPM and Debian version semantics for OS packages. -* **PURL / SemVer** — Coordinates and version semantics for OSS ecosystems. -* **KEV** — Known Exploited Vulnerabilities (flag only). - ---- - -### 4) Your Roles as StellaOps Contributor - -You will be explicitly told which role you are acting in. Your behavior must change accordingly. - -1. Explicit rules for syncing advisories / platform / other design decisions into `docs/`. -2. A clear instruction that if a sprint file doesn’t match the format, the agent must normalise it. -3. You never use `git reset` unless explicitly told to do so! - -### 4.1) As product manager (updated) - -Your goals: - -1. Review each file in the advisory directory and Identify new topics or features. -2. Then determine whether the topic is relevant by: - 2. 1. Go one by one the files and extract the essentials first - themes, topics, architecture decions - 2. 2. Then read each of the archive/*.md files and seek if these are already had been advised. If it exists or it is close - then ignore the topic from the new advisory. Else keep it. - 2. 3. Check the relevant module docs: `docs/modules//*arch*.md` for compatibility or contradictions. - 2. 4. Implementation plans: `docs/implplan/SPRINT_*.md`. - 2. 5. Historical tasks: `docs/implplan/archived/all-tasks.md`. - 2. 4. For all of the new topics - then go in SPRINT*.md files and src/* (in according modules) for possible already implementation on the same topic. If same or close - ignore it. Otherwise keep it. - 2. 5. In case still genuine new topic - and it makes sense for the product - keep it. -3. When done for all files and all new genuine topics - present a report. Report must include: - - all topics - - what are the new things - - what could be contracting existing tasks or implementations but might make sense to implemnt -4. Once scope is agreed, hand over to your **project manager** role (4.2) to define implementation sprints and tasks. -5. **Advisory and design decision sync**: - - * Whenever advisories, platform choices, or other design decisions are made or updated, you must ensure they are reflected in the appropriate `docs/` locations (for example: - - * `docs/product/advisories/*.md` or `docs/product/advisories/archive/*.md`, - * module architecture docs under `docs/modules//architecture*.md`, - * design/ADR-style documents under `docs/architecture/**` or similar when applicable). - * Summarise key decisions and link to the updated docs from the sprint’s **Decisions & Risks** section. -* **AGENTS.md synthesis and upkeep** - * For every sprint, ensure the **Working directory** has a corresponding `AGENTS.md` file (for example, `src/Scanner/AGENTS.md` for a Scanner sprint). - * If `AGENTS.md` is missing: - * Create it and populate it by synthesising information from: - * The module’s architecture docs under `docs/modules//**`. - * Relevant ADRs, risk/airgap docs, and product advisories. - * The sprint scope itself (roles, expectations, test strategy). - * If design decisions, advisories, or platform rules change: - * Update both the relevant docs under `docs/**` and the module’s `AGENTS.md` to keep them aligned. - * Record the fact that `AGENTS.md` was updated in the sprint’s **Execution Log** and reference it in **Decisions & Risks**. - * Treat `AGENTS.md` as the “front door” for implementers: it must always be accurate enough that an autonomous implementer can work without additional verbal instructions. - ---- - -### 4.2) As project manager (updated) +### 2.2 Sprint naming and structure normalization (mandatory) Sprint filename format: - `SPRINT____.md` -* ``: implementation epoch (e.g., `20251218`). Determine by scanning existing `docs/implplan/SPRINT_*.md` and using the highest epoch; if none exist, use today's epoch. -* ``: `001`, `002`, etc. — grouping when more than one sprint is needed for a feature. -* ``: `FE` (Frontend), `BE` (Backend), `AG` (Agent), `LB` (library), 'SCANNER' (scanner), 'AUTH' (Authority), 'CONCEL' (Concelier), 'CONCEL-ASTRA' - (Concelier Astra source connecto) and etc. -* ``: short topic description. -* **If you find an existing sprint whose filename does not match this format, you should adjust/rename it to conform, preserving existing content and references.** Document the rename in the sprint’s **Execution Log**. +- ``: YYYYMMDD epoch (use highest existing or today) +- ``: 001, 002, ... +- ``: + - Use `FE` for frontend-only (Angular) + - Use `DOCS` for docs-only work + - Otherwise use the module directory name from `src/` (examples: `ReleaseOrchestrator`, `Scanner`, `Authority`, `Policy`, `Integrations`) +- ``: short, readable, lowercase words with underscores -Every sprint file must conform to this template: +### 2.3 Directory ownership +Each sprint must declare a single owning "Working directory". +Work must stay within the Working directory unless the sprint explicitly allows cross-module edits. + +### 2.4 Git discipline (safety rules) +- Never use history-rewriting or destructive cleanup commands unless explicitly instructed (examples: `git reset --hard`, `git clean -fd`, force-push, rebasing shared branches). +- Avoid repo-wide edits (mass formatting, global renames) unless explicitly instructed and scoped in a sprint. +- Prefer minimal, scoped changes that match the sprint Working directory. + +### 2.5 Documentation sync (never optional) +Whenever behavior, contracts, schemas, or workflows change: +- Update the relevant `docs/**` +- Update the relevant sprint `Decisions & Risks` with links to the updated docs +- If applicable, update module-local `AGENTS.md` + +--- + +## 3) Advisory handling (deterministic workflow) + +Trigger: the user asks to review a new or updated file under `docs/product/advisories/`. + +Process: +1) Read the full advisory. +2) Read the relevant parts of the codebase (`src/**`) and docs (`docs/**`) to verify current reality. +3) Decide outcome: + - If no gaps are required: archive the advisory to `docs-archived/product/advisories/`. + - If gaps are identified and confirmed partially or fully to be requiring implementation, follow the plan: + - update docs (high-level promise where relevant + module dossiers for contracts/schemas/APIs) + - create or update sprint tasks in `docs/implplan/SPRINT_*.md` (with owners, deps, completion criteria) + - record an `Execution Log` entry + - archive the advisory to `docs-archived/product/advisories/` once it has been translated into docs + sprint tasks + +Defaults unless the advisory overrides: +- Deterministic outputs; frozen fixtures for tests/benches; offline-friendly harnesses. + +--- + +## 4) Roles (how to behave) + +Role switching rule: +- If the user explicitly says "as ", adopt that role immediately. +- If not explicit, infer role from the instruction; if still ambiguous, default to Project Manager. + +Role inference (fallback): +- "implement / fix / add endpoint / refactor code" -> Developer / Implementer +- "add tests / stabilize flaky tests / verify determinism" -> QA / Test Automation +- "update docs / write guide / edit architecture dossier" -> Documentation author +- "plan / sprint / tasks / dependencies / milestones" -> Project Manager +- "review advisory / product direction / capability assessment" -> Product Manager + +### 4.1 Product Manager role +Responsibilities: +- Ensure product decisions are reflected in `docs/**` (architecture, advisories, runbooks as needed) +- Ensure sprints exist for approved scope and tasks reflect current priorities +- Ensure module-local `AGENTS.md` exists where work will occur, and is accurate enough for autonomous implementers + +Where to work: +- `docs/product/**`, `docs/modules/**`, `docs/architecture/**`, `docs/implplan/**` + +### 4.2 Project Manager role (default) +Responsibilities: +- Create and maintain sprint files in `docs/implplan/` +- Ensure sprints include rich, non-ambiguous task definitions and completion criteria +- Normalize sprint naming/template when inconsistent (record in Execution Log) +- Move completed sprints to `docs-archived/implplan/` + +### 4.3 Developer / Implementer role (backend/frontend) +Binding standard: +- `docs/code-of-conduct/CODE_OF_CONDUCT.md` (CRITICAL) + +Behavior: +- Do not ask clarification questions while implementing. +- If ambiguity exists: + - mark task `BLOCKED` in the sprint Delivery Tracker + - add details in sprint `Decisions & Risks` + - continue with other unblocked tasks + +Constraints: +- Add tests for changes; maintain determinism and offline posture. + +### 4.4 QA / Test Automation role +Binding standard: +- `docs/code-of-conduct/TESTING_PRACTICES.md` + +Behavior: +- Ensure required test layers exist (unit/integration/e2e/perf/security/offline checks) +- Record outcomes in sprint `Execution Log` with date, scope, and results +- Track flakiness explicitly; block releases until mitigations are documented + +Note: +- If QA work includes code changes, CODE_OF_CONDUCT rules apply to those code changes. + +### 4.5 Documentation author role +Responsibilities: +- Keep docs accurate, minimal, and linked from sprints +- Update module dossiers when contracts change +- Ensure docs remain consistent with implemented behavior + +--- + +## 5) Module-local AGENTS.md discipline + +Each module directory may contain its own `AGENTS.md` (e.g., `src/Scanner/AGENTS.md`). +Module-local AGENTS.md may add stricter rules but must not relax repo-wide rules. + +If a module-local AGENTS.md is missing or contradicts current architecture/sprints: +- Project Manager role: add a sprint task to create/fix it +- Implementer role: mark affected task `BLOCKED` and continue with other work + +--- + +## 6) Minimal sprint template (must be used) + +All sprint files must converge to this structure (preserve content when normalizing): ```md # Sprint · ## Topic & Scope -- Summarise the sprint in 2–4 bullets that read like a short story (expected outcomes and "why now"). -- Call out the single owning directory (e.g., `src//ReleaseOrchestrator..`) and the evidence you expect to produce. -- **Working directory:** ``. +- 2–4 bullets describing outcomes and why now. +- Working directory: ``. +- Expected evidence: tests, docs, artifacts. ## Dependencies & Concurrency -- Upstream sprints or artefacts that must land first. -- Confirm peers in the same `CC` decade remain independent so parallel execution is safe. +- Upstream sprints/contracts and safe parallelism notes. ## Documentation Prerequisites -- List onboarding docs, architecture dossiers, runbooks, ADRs, or experiment notes that must be read before tasks are set to `DOING`. +- Dossiers/runbooks/ADRs that must be read before tasks go DOING. ## Delivery Tracker -| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | -| --- | --- | --- | --- | --- | --- | -| 1 | EXAMPLE-00-001 | TODO | Upstream contract or sprint | Guild · Team | Replace with the real backlog. | + +### - +Status: TODO | DOING | DONE | BLOCKED +Dependency: +Owners: +Task description: +- + +Completion criteria: +- [ ] Criterion 1 +- [ ] Criterion 2 ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | -| 2025-11-15 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | Sprint created; awaiting staffing. | Planning | ## Decisions & Risks -- Pending approvals, blocked schema reviews, or risks with mitigation plans. +- Decisions needed, risks, mitigations, and links to docs. ## Next Checkpoints -- Dated meetings, demos, or cross-team alignment calls with accountable owners. +- Demos, milestones, dates. ``` - -* **If you find a sprint file whose internal structure deviates significantly from this template, you should normalise it toward this structure while preserving all existing content (log lines, tasks, decisions).** -* Record this normalisation in the **Execution Log** (e.g. “2025-11-16 · Normalised sprint file to standard template; no semantic changes.”). -* When sprint is fully completed move it to `docs-archived/implplan/` - -Additional responsibilities (add-on): - -* **Advisories / platform / design decision sync**: - - * When platform-level decisions, architecture decisions, or other design choices are confirmed as part of a sprint, ensure they are written down under `docs/` (architecture docs, ADRs, product advisories, or module docs as appropriate). - * Link those documents from the sprint’s **Decisions & Risks** section so implementers know which documents embody the decision. - ---- - -#### 4.3) As implementer - -You may be asked to work on: - -* A sprint file (`docs/implplan/SPRINT_*.md`), or -* A specific task within that sprint. - -In this role you act as: - -* **C# .NET 10 engineer** (backend, libraries, APIs). -* **Angular v17 engineer** (UI). -* **QA automation engineer** (C#, Moq, Playwright, Angular test stack, or other suitable tools). - -Implementation principles: - -* Always follow .NET 10 and Angular v17 best practices. -* Apply SOLID design principles (SRP, OCP, LSP, ISP, DIP) in service and library code. -* Keep in mind the nuget versions are controlled centrally by src/Directory* files, not via csproj -* Maximise reuse and composability. -* Maintain determinism: stable ordering, UTC ISO-8601 timestamps, immutable NDJSON where applicable. - -Execution rules (very important): - -* You do **not** ask clarification questions in implementer mode. - - * If you encounter ambiguity or a design decision: - - * Mark the task as `BLOCKED` in the sprint `Delivery Tracker`. - * Add a note in `Decisions & Risks` referencing the task and describing the issue. - * Skip to the next unblocked task in the same sprint. -* If all tasks in the current sprint are blocked: - - * Look for earlier sprints with unblocked tasks. - * If none exist, look at later sprints for unblocked tasks. -* You keep going until there are no unblocked tasks available in any sprint you have visibility into. - -* All requests for further instruction must be encoded into the sprint documents, **not** as questions: - * When you need a decision, assumption, or design clarification, you do **not** ask interactive questions. - * Instead, you: - * Mark the affected task as `BLOCKED`. - * Describe exactly what decision is needed in **Decisions & Risks**. - * If helpful, add a dedicated task entry capturing that decision work. - * Then continue with other unblocked tasks. - -Additional constraints: - -* **Directory ownership**: Work only inside the module’s directory defined by the sprint’s `Working directory`. Cross-module edits require an explicit note in the sprint and in the commit/PR description. -* **AGENTS.md adherence and scoping** - * Before starting any task in a module, read that module’s `AGENTS.md` in full and treat it as your local behavioral contract. - * Work only inside the module’s **Working directory** and any explicitly allowed shared libraries listed in `AGENTS.md` or the sprint file. - * If `AGENTS.md` is missing, clearly outdated, or contradicts the sprint / architecture: - * Do **not** ask for clarification from the requester. - * Mark the task as `BLOCKED` in the sprint’s **Delivery Tracker**. - * Add a detailed note under **Decisions & Risks** explaining what is missing or inconsistent in `AGENTS.md` and that it must be updated by a project manager/architect. - * Optionally add a new task row (e.g., `AGENTS--UPDATE`) describing the required update. - * Move on to the next unblocked task in the same or another sprint. -* **Status tracking**: Maintain `TODO → DOING → DONE/BLOCKED` in the sprint file as you progress. -* **Tests**: - - * Every change must be accompanied by or covered by tests. - * Never regress determinism, ordering, or precedence. - * Test layout example (for Concelier): - - * Module tests: `StellaOps.Concelier..Tests` - * Shared fixtures/harnesses: `StellaOps.Concelier.Testing` -* **Documentation**: - - * When scope, contracts, or workflows change, update the relevant docs under `docs/modules/**`, `docs/api/`, `docs/risk/`, or `docs/airgap/`. - * **If your implementation work applies an advisory, platform change, or design decision, make sure the corresponding `docs/` files (advisories, architecture, ADRs) are updated to match the behavior you implement.** - * Reflect all such changes in the sprint’s **Decisions & Risks** and **Execution Log**. - -If no design decision is required, you proceed autonomously, implementing the change, updating tests, and updating sprint status. - ---- - -### 5) Working Agreement (Global) - -1. **Task status discipline** - - * Always update task status in `docs/implplan/SPRINT_*.md` when you start (`DOING`), block (`BLOCKED`), finish (`DONE`), or pause (`TODO`) a task. -2. **Prerequisites** - - * Confirm that required docs (from `AGENTS.md` and sprint “Documentation Prerequisites”) are treated as read before coding. -3. **Determinism & offline posture** - - * Keep outputs deterministic (ordering, timestamps, hashes). - * Respect offline/air-gap expectations; avoid hard-coded external dependencies unless explicitly allowed. -4. **Coordination & contracts** - - * When contracts, advisories, platform rules, or workflows change, update: - - * The sprint doc (`docs/implplan/SPRINT_*.md`), - * The relevant `docs/` artefacts (product advisories, architecture docs, ADRs, risk or airgap docs), - * And ensure cross-references (links) are present in **Decisions & Risks**. - * **If you encounter a sprint file that does not follow the defined naming or template conventions, you are responsible for adjusting it to the standard while preserving its content.** -5. **Completion** - - * When you complete all tasks in scope for your current instruction set, explicitly state that you are done with those tasks. -6. **AGENTS.md discipline** - * Project / technical managers ensure each module’s `AGENTS.md` exists, is up to date, and reflects current design and advisory decisions. - * Implementers must read and follow the relevant `AGENTS.md` before coding in a module. - * If a mismatch or gap is found, implementers log it via `BLOCKED` status and the sprint’s **Decisions & Risks**, and then continue with other work instead of asking for live clarification. - ---- - -### 7) Advisory Handling (do this every time a new advisory lands) - -**Trigger:** Any new or updated file under `docs/product/advisories/` (including archived) automatically starts this workflow. No chat approval required. - -1) **Doc sync (must happen for every advisory):** - - Create/update **two layers**: - - **High-level**: `docs/` (vision/key-features/market) to capture the moat/positioning and the headline promise. - - **Detailed**: closest deep area (`docs/modules/reach-graph/*`, `docs/modules/risk-engine/*`, `docs/benchmarks/*`, `docs/modules//*`, etc.). - - **Code & samples:** - - Inline only short fragments (≤ ~20 lines) directly in the updated doc for readability. - - Place runnable or longer samples/harnesses in `docs/benchmarks/**` or `tests/**` with deterministic, offline-friendly defaults (no network, fixed seeds), and link to them from the doc. - - If the advisory already contains code, carry it over verbatim into the benchmark/test file (with minor formatting only); don’t paraphrase away executable value. - - **Cross-links:** whenever moats/positioning change, add links from `docs/07_HIGH_LEVEL_ARCHITECTURE.md`, `docs/key-features.md`, and the relevant module dossier(s). - -2) **Sprint sync (must happen for every advisory):** - - Add Delivery Tracker rows in the relevant `SPRINT_*.md` with owners, deps, and doc paths; add an Execution Log entry for the change. - - If code/bench/dataset work is implied, create tasks and point to the new benchmark/test paths; add risks/interlocks for schema/feed freeze or transparency caps as needed. - -3) **De-duplication:** - - Check `docs/product/advisories/archived/` for overlaps. If similar, mark “supersedes/extends ` in the new doc and avoid duplicate tasks. - -4) **Defaults to apply (unless advisory overrides):** - - Hybrid reachability posture: graph DSSE mandatory; edge-bundle DSSE optional/targeted; deterministic outputs only. - - Offline-friendly benches/tests; frozen feeds; deterministic ordering/hashes. - -5) **Do not defer:** Execute steps 1–4 immediately; reporting is after the fact, not a gating step. -6) **Archive processed advisories**. After sprints / task / comprehensive documention is created or advisory is fully rejected move it to `docs-archived/product/advisories/` - -**Lessons baked in:** Past delays came from missing code carry-over and missing sprint tasks. Always move advisory code into benchmarks/tests and open the corresponding sprint rows the same session you read the advisory. - ---- - -### 8) Code Quality & Determinism Rules - -These rules were distilled from a comprehensive audit of 324+ projects. They address the most common recurring issues and must be followed by all implementers. - -#### 8.1) Compiler & Warning Discipline - -| Rule | Guidance | -|------|----------| -| **Enable TreatWarningsAsErrors** | All projects must set `true` in the `.csproj` or via `Directory.Build.props`. Relaxed warnings mask regressions and code quality drift. | - -```xml - - - true - -``` - -#### 8.2) Deterministic Time & ID Generation - -| Rule | Guidance | -|------|----------| -| **Inject TimeProvider / ID generators** | Never use `DateTime.UtcNow`, `DateTimeOffset.UtcNow`, `Guid.NewGuid()`, or `Random.Shared` directly in production code. Inject `TimeProvider` (or `ITimeProvider`) and `IGuidGenerator` abstractions. | - -```csharp -// BAD - nondeterministic, hard to test -public class BadService -{ - public Record CreateRecord() => new Record - { - Id = Guid.NewGuid(), - CreatedAt = DateTimeOffset.UtcNow - }; -} - -// GOOD - injectable, testable, deterministic -public class GoodService(TimeProvider timeProvider, IGuidGenerator guidGenerator) -{ - public Record CreateRecord() => new Record - { - Id = guidGenerator.NewGuid(), - CreatedAt = timeProvider.GetUtcNow() - }; -} -``` - -#### 8.3) ASCII-Only Output - -| Rule | Guidance | -|------|----------| -| **No mojibake or non-ASCII glyphs** | Use ASCII-only characters in comments, output strings, and log messages. No `ƒ?`, `バ`, `→`, `✓`, `✗`, or box-drawing characters. When Unicode is truly required, use explicit escapes (`\uXXXX`) and document the rationale. | - -```csharp -// BAD - non-ASCII glyphs -Console.WriteLine("✓ Success → proceeding"); -// or mojibake comments like: // ƒ+ validation passed - -// GOOD - ASCII only -Console.WriteLine("[OK] Success - proceeding"); -// Comment: validation passed -``` - -#### 8.4) Test Project Requirements - -| Rule | Guidance | -|------|----------| -| **Every library needs tests** | All production libraries/services must have a corresponding `*.Tests` project covering: (a) happy paths, (b) error/edge cases, (c) determinism, and (d) serialization round-trips. | - -``` -src/ - Scanner/ - __Libraries/ - StellaOps.Scanner.Core/ - __Tests/ - StellaOps.Scanner.Core.Tests/ <-- Required -``` - -#### 8.5) Culture-Invariant Parsing - -| Rule | Guidance | -|------|----------| -| **Use InvariantCulture** | Always use `CultureInfo.InvariantCulture` for parsing and formatting dates, numbers, percentages, and any string that will be persisted, hashed, or compared. Current culture causes locale-dependent, nondeterministic behavior. | - -```csharp -// BAD - culture-sensitive -var value = double.Parse(input); -var formatted = percentage.ToString("P2"); - -// GOOD - invariant culture -var value = double.Parse(input, CultureInfo.InvariantCulture); -var formatted = percentage.ToString("P2", CultureInfo.InvariantCulture); -``` - -#### 8.6) DSSE PAE Consistency - -| Rule | Guidance | -|------|----------| -| **Single DSSE PAE implementation** | Use one spec-compliant DSSE PAE helper (`StellaOps.Attestation.DsseHelper` or equivalent) across the codebase. DSSE v1 requires ASCII decimal lengths and space separators. Never reimplement PAE encoding. | - -```csharp -// BAD - custom PAE implementation -var pae = $"DSSEv1 {payloadType.Length} {payloadType} {payload.Length} "; - -// GOOD - use shared helper -var pae = DsseHelper.ComputePreAuthenticationEncoding(payloadType, payload); -``` - -#### 8.7) RFC 8785 JSON Canonicalization - -| Rule | Guidance | -|------|----------| -| **Use shared RFC 8785 canonicalizer** | For digest/signature inputs, use a shared RFC 8785-compliant JSON canonicalizer with: sorted keys, minimal escaping per spec, no exponent notation for numbers, no trailing/leading zeros. Do not use `UnsafeRelaxedJsonEscaping` or `CamelCase` naming for canonical outputs. | - -```csharp -// BAD - non-canonical JSON -var json = JsonSerializer.Serialize(obj, new JsonSerializerOptions -{ - Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping, - PropertyNamingPolicy = JsonNamingPolicy.CamelCase -}); - -// GOOD - use shared canonicalizer -var canonicalJson = CanonicalJsonSerializer.Serialize(obj); -var digest = ComputeDigest(canonicalJson); -``` - -#### 8.8) CancellationToken Propagation - -| Rule | Guidance | -|------|----------| -| **Propagate CancellationToken** | Always propagate `CancellationToken` through async call chains. Never use `CancellationToken.None` in production code except at entry points where no token is available. | - -```csharp -// BAD - ignores cancellation -public async Task ProcessAsync(CancellationToken ct) -{ - await _repository.SaveAsync(data, CancellationToken.None); // Wrong! - await Task.Delay(1000); // Missing ct -} - -// GOOD - propagates cancellation -public async Task ProcessAsync(CancellationToken ct) -{ - await _repository.SaveAsync(data, ct); - await Task.Delay(1000, ct); -} -``` - -#### 8.9) HttpClient via Factory - -| Rule | Guidance | -|------|----------| -| **Use IHttpClientFactory** | Never `new HttpClient()` directly. Use `IHttpClientFactory` with configured timeouts and retry policies via Polly or `Microsoft.Extensions.Http.Resilience`. Direct HttpClient creation risks socket exhaustion. | - -```csharp -// BAD - direct instantiation -public class BadService -{ - public async Task FetchAsync() - { - using var client = new HttpClient(); // Socket exhaustion risk - await client.GetAsync(url); - } -} - -// GOOD - factory with resilience -public class GoodService(IHttpClientFactory httpClientFactory) -{ - public async Task FetchAsync() - { - var client = httpClientFactory.CreateClient("MyApi"); - await client.GetAsync(url); - } -} - -// Registration with timeout/retry -services.AddHttpClient("MyApi") - .ConfigureHttpClient(c => c.Timeout = TimeSpan.FromSeconds(30)) - .AddStandardResilienceHandler(); -``` - -#### 8.10) Path/Root Resolution - -| Rule | Guidance | -|------|----------| -| **Explicit CLI options for paths** | Do not derive repository root from `AppContext.BaseDirectory` with parent directory walks. Use explicit CLI options (`--repo-root`) or environment variables. Provide sensible defaults with clear error messages. | - -```csharp -// BAD - fragile parent walks -var repoRoot = Path.GetFullPath(Path.Combine( - AppContext.BaseDirectory, "..", "..", "..", "..")); - -// GOOD - explicit option with fallback -[Option("--repo-root", Description = "Repository root path")] -public string? RepoRoot { get; set; } - -public string GetRepoRoot() => - RepoRoot ?? Environment.GetEnvironmentVariable("STELLAOPS_REPO_ROOT") - ?? throw new InvalidOperationException("Repository root not specified. Use --repo-root or set STELLAOPS_REPO_ROOT."); -``` - -#### 8.11) Test Categorization - -| Rule | Guidance | -|------|----------| -| **Correct test categories** | Tag tests correctly: `[Trait("Category", "Unit")]` for pure unit tests, `[Trait("Category", "Integration")]` for tests requiring databases, containers, or network. Don't mix DB/network tests into unit suites. | - -```csharp -// BAD - integration test marked as unit -public class UserRepositoryTests // Uses Testcontainers/Postgres -{ - [Fact] // Missing category, runs with unit tests - public async Task Save_PersistsUser() { ... } -} - -// GOOD - correctly categorized -[Trait("Category", "Integration")] -public class UserRepositoryTests -{ - [Fact] - public async Task Save_PersistsUser() { ... } -} - -[Trait("Category", "Unit")] -public class UserValidatorTests -{ - [Fact] - public void Validate_EmptyEmail_ReturnsFalse() { ... } -} -``` - -#### 8.12) No Silent Stubs - -| Rule | Guidance | -|------|----------| -| **Unimplemented code must throw** | Placeholder code must throw `NotImplementedException` or return an explicit error/unsupported status. Never return success (`null`, empty results, or success codes) from unimplemented paths. | - -```csharp -// BAD - silent stub masks missing implementation -public async Task ProcessAsync() -{ - // TODO: implement later - return Result.Success(); // Ships broken feature! -} - -// GOOD - explicit failure -public async Task ProcessAsync() -{ - throw new NotImplementedException("ProcessAsync not yet implemented. See SPRINT_XYZ."); -} -``` - -#### 8.13) Immutable Collection Returns - -| Rule | Guidance | -|------|----------| -| **Return immutable collections** | Public APIs must return `IReadOnlyList`, `ImmutableArray`, or defensive copies. Never expose mutable backing stores that callers can mutate. | - -```csharp -// BAD - exposes mutable backing store -public class BadRegistry -{ - private readonly List _scopes = new(); - public List Scopes => _scopes; // Callers can mutate! -} - -// GOOD - immutable return -public class GoodRegistry -{ - private readonly List _scopes = new(); - public IReadOnlyList Scopes => _scopes.AsReadOnly(); - // or: public ImmutableArray Scopes => _scopes.ToImmutableArray(); -} -``` - -#### 8.14) Options Validation at Startup - -| Rule | Guidance | -|------|----------| -| **ValidateOnStart for options** | Use `ValidateDataAnnotations()` and `ValidateOnStart()` for options. Implement `IValidateOptions` for complex validation. All required config must be validated at startup, not at first use. | - -```csharp -// BAD - no validation until runtime failure -services.Configure(config.GetSection("My")); - -// GOOD - validated at startup -services.AddOptions() - .Bind(config.GetSection("My")) - .ValidateDataAnnotations() - .ValidateOnStart(); - -// With complex validation -public class MyOptionsValidator : IValidateOptions -{ - public ValidateOptionsResult Validate(string? name, MyOptions options) - { - if (options.Timeout <= TimeSpan.Zero) - return ValidateOptionsResult.Fail("Timeout must be positive"); - return ValidateOptionsResult.Success; - } -} -``` - -#### 8.15) No Backup Files in Source - -| Rule | Guidance | -|------|----------| -| **Exclude backup/temp artifacts** | Add backup patterns (`*.Backup.tmp`, `*.bak`, `*.orig`) to `.gitignore`. Regularly audit for and remove stray artifacts. Consolidate duplicate tools/harnesses. | - -```gitignore -# .gitignore additions -*.Backup.tmp -*.bak -*.orig -*~ -``` - -#### 8.16) Test Production Code, Not Reimplementations - -| Rule | Guidance | -|------|----------| -| **Helpers call production code** | Test helpers must call production code, not reimplement algorithms (Merkle trees, DSSE PAE, parsers, canonicalizers). Only mock I/O and network boundaries. Reimplementations cause test/production drift. | - -```csharp -// BAD - test reimplements production logic -[Fact] -public void Merkle_ComputesCorrectRoot() -{ - // Custom Merkle implementation in test - var root = TestMerkleHelper.ComputeRoot(leaves); // Drift risk! - Assert.Equal(expected, root); -} - -// GOOD - test exercises production code -[Fact] -public void Merkle_ComputesCorrectRoot() -{ - // Uses production MerkleTreeBuilder - var root = MerkleTreeBuilder.ComputeRoot(leaves); - Assert.Equal(expected, root); -} -``` - -#### 8.17) Bounded Caches with Eviction - -| Rule | Guidance | -|------|----------| -| **No unbounded Dictionary caches** | Do not use `ConcurrentDictionary` or `Dictionary` for caching without eviction policies. Use bounded caches with TTL/LRU eviction (`MemoryCache` with size limits, or external cache like Valkey). Document expected cardinality and eviction behavior. | - -```csharp -// BAD - unbounded growth -private readonly ConcurrentDictionary _cache = new(); - -public void Add(string key, CacheEntry entry) -{ - _cache[key] = entry; // Never evicts, memory grows forever -} - -// GOOD - bounded with eviction -private readonly MemoryCache _cache = new(new MemoryCacheOptions -{ - SizeLimit = 10_000 -}); - -public void Add(string key, CacheEntry entry) -{ - _cache.Set(key, entry, new MemoryCacheEntryOptions - { - Size = 1, - SlidingExpiration = TimeSpan.FromMinutes(30) - }); -} -``` - -#### 8.18) DateTimeOffset for PostgreSQL timestamptz - -| Rule | Guidance | -|------|----------| -| **Use GetFieldValue<DateTimeOffset>** | PostgreSQL `timestamptz` columns must be read via `reader.GetFieldValue()`, not `reader.GetDateTime()`. `GetDateTime()` loses offset information and causes UTC/local confusion. Store and retrieve all timestamps as UTC `DateTimeOffset`. | - -```csharp -// BAD - loses offset information -var createdAt = reader.GetDateTime(reader.GetOrdinal("created_at")); - -// GOOD - preserves offset -var createdAt = reader.GetFieldValue(reader.GetOrdinal("created_at")); -``` - ---- - -### 6) Role Switching - -* If an instruction says “as product manager…”, “as project manager…”, or “as implementer…”, you must immediately adopt that role’s behavior and constraints. -* If no role is specified: - - * Default to **project manager** behavior (validate → plan → propose tasks). -* Under no circumstances should you mix the “no questions” constraint of implementer mode into product / project manager modes. Only implementer mode is forbidden from asking questions. diff --git a/CLAUDE.md b/CLAUDE.md deleted file mode 100644 index f83bfb416..000000000 --- a/CLAUDE.md +++ /dev/null @@ -1,839 +0,0 @@ -# CLAUDE.md - -This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. - -## Project Overview - -**Stella Ops Suite** is a self-hostable, sovereign release control plane for non-Kubernetes container estates, released under AGPL-3.0-or-later. It orchestrates environment promotions (Dev → Stage → Prod), gates releases using reachability-aware security and policy, and produces verifiable evidence for every release decision. - -The platform combines: -- **Release orchestration** — UI-driven promotion, approvals, policy gates, rollbacks; hook-able with scripts -- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates -- **OCI-digest-first releases** — Immutable digest-based release identity with "what is deployed where" tracking -- **Toolchain-agnostic integrations** — Plug into any SCM, CI, registry, and secrets system -- **Auditability + standards** — Evidence packets, SBOM/VEX/attestation support, deterministic replay - -Existing capabilities (operational): Reproducible vulnerability scanning with VEX-first decisioning, SBOM generation (SPDX 2.2/2.3 and CycloneDX 1.7; SPDX 3.0.1 planned), in-toto/DSSE attestations, and optional Sigstore Rekor transparency. The platform is designed for offline/air-gapped operation with regional crypto support (eIDAS/FIPS/GOST/SM). - -Planned capabilities (release orchestration): Environment management, release bundles, promotion workflows, deployment execution (Docker/Compose/ECS/Nomad agents), progressive delivery (A/B, canary), and a three-surface plugin system. See `docs/modules/release-orchestrator/README.md` for the full specification. - -## Build Commands - -```bash -# Build the entire solution -dotnet build src/StellaOps.sln - -# Build a specific module (example: Concelier web service) -dotnet build src/Concelier/StellaOps.Concelier.WebService/StellaOps.Concelier.WebService.csproj - -# Run the Concelier web service -dotnet run --project src/Concelier/StellaOps.Concelier.WebService - -# Build CLI for current platform -dotnet publish src/Cli/StellaOps.Cli/StellaOps.Cli.csproj --configuration Release - -# Build CLI for specific runtime (linux-x64, linux-arm64, osx-x64, osx-arm64, win-x64) -dotnet publish src/Cli/StellaOps.Cli/StellaOps.Cli.csproj --configuration Release --runtime linux-x64 -``` - -## Test Commands - -```bash -# Run all tests -dotnet test src/StellaOps.sln - -# Run tests for a specific project -dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj - -# Run a single test by filter -dotnet test --filter "FullyQualifiedName~TestMethodName" - -# Run tests with verbosity -dotnet test src/StellaOps.sln --verbosity normal -``` - -**Note:** Integration tests use Testcontainers for PostgreSQL. Ensure Docker is running before executing tests. - -## Linting and Validation - -```bash -# Lint OpenAPI specs -npm run api:lint - -# Validate attestation schemas -npm run docs:attestor:validate - -# Validate Helm chart -helm lint devops/helm/stellaops - -# Validate Docker Compose profiles -./devops/scripts/validate-compose.sh - -# Run local CI tests -./devops/scripts/test-local.sh -``` - -## Architecture - -### Technology Stack -- **Runtime:** .NET 10 (`net10.0`) with latest C# preview features -- **Frontend:** Angular v17 (in `src/Web/StellaOps.Web`) -- **Database:** PostgreSQL (≥16) with per-module schema isolation; see `docs/db/` for specification -- **Testing:** xUnit with Testcontainers (PostgreSQL), Moq, Microsoft.AspNetCore.Mvc.Testing -- **Observability:** Structured logging, OpenTelemetry traces -- **NuGet:** Uses standard NuGet feeds configured in `nuget.config` (dotnet-public, nuget-mirror, nuget.org) - -### Module Structure - -The codebase follows a monorepo pattern with modules under `src/`: - -| Module | Path | Purpose | -|--------|------|---------| -| **Core Platform** | | | -| Authority | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP | -| Gateway | `src/Gateway/` | API gateway with routing and transport abstraction | -| Router | `src/Router/` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey) | -| Platform | `src/Platform/` | Console backend aggregation service (health, quotas, search) | -| Registry | `src/Registry/` | Token service for container registry authentication | -| **Data Ingestion** | | | -| Concelier | `src/Concelier/` | Vulnerability advisory ingestion and merge engine | -| Excititor | `src/Excititor/` | VEX document ingestion and export | -| VexLens | `src/VexLens/` | VEX consensus computation across issuers | -| VexHub | `src/VexHub/` | VEX distribution and exchange hub | -| IssuerDirectory | `src/IssuerDirectory/` | Issuer trust registry (CSAF publishers) | -| Feedser | `src/Feedser/` | Evidence collection library for backport detection | -| Mirror | `src/Concelier/__Libraries/` | Vulnerability feed mirror connector (Concelier plugin) | -| **Scanning & Analysis** | | | -| Scanner | `src/Scanner/` | Container scanning with SBOM generation (11 language analyzers) | -| BinaryIndex | `src/BinaryIndex/` | Binary identity extraction and fingerprinting | -| AdvisoryAI | `src/AdvisoryAI/` | AI-assisted advisory analysis | -| ReachGraph | `src/ReachGraph/` | Reachability graph service | -| Symbols | `src/Symbols/` | Symbol resolution and debug information | -| Cartographer | `src/Cartographer/` | Dependency graph mapping and visualization | -| **Artifacts & Evidence** | | | -| Attestor | `src/Attestor/` | in-toto/DSSE attestation generation | -| Signer | `src/Signer/` | Cryptographic signing operations | -| SbomService | `src/SbomService/` | SBOM storage, versioning, and lineage ledger | -| EvidenceLocker | `src/EvidenceLocker/` | Sealed evidence storage and export | -| ExportCenter | `src/ExportCenter/` | Batch export and report generation | -| Provenance | `src/Provenance/` | SLSA/DSSE attestation tooling | -| **Policy & Risk** | | | -| Policy | `src/Policy/` | Policy engine with K4 lattice logic | -| RiskEngine | `src/RiskEngine/` | Risk scoring runtime with pluggable providers | -| VulnExplorer | `src/VulnExplorer/` | Vulnerability exploration and triage UI backend | -| Unknowns | `src/Unknowns/` | Unknown component and symbol tracking | -| Findings | `src/Findings/` | Findings ledger service for vulnerability tracking | -| **Operations** | | | -| Scheduler | `src/Scheduler/` | Job scheduling and queue management | -| Orchestrator | `src/Orchestrator/` | Workflow orchestration and task coordination | -| TaskRunner | `src/TaskRunner/` | Task pack execution engine | -| Notify | `src/Notify/` | Notification toolkit (Email, Slack, Teams, Webhooks) | -| Notifier | `src/Notifier/` | Notifications Studio host | -| PacksRegistry | `src/PacksRegistry/` | Task packs registry and distribution | -| TimelineIndexer | `src/TimelineIndexer/` | Timeline event indexing | -| Replay | `src/Replay/` | Deterministic replay engine | -| **Integration** | | | -| CLI | `src/Cli/` | Command-line interface (Native AOT) | -| Zastava | `src/Zastava/` | Container registry webhook observer | -| Web | `src/Web/` | Angular 17 frontend SPA | -| Integrations | `src/Integrations/` | External system integrations web service | -| **Infrastructure** | | | -| Cryptography | `src/Cryptography/` | Crypto plugins (FIPS, eIDAS, GOST, SM, PQ) | -| Telemetry | `src/Telemetry/` | OpenTelemetry traces, metrics, logging | -| Graph | `src/Graph/` | Call graph and reachability data structures | -| Signals | `src/Signals/` | Runtime signal collection and correlation | -| AirGap | `src/AirGap/` | Air-gapped deployment support | -| AOC | `src/Aoc/` | Append-Only Contract enforcement (Roslyn analyzers) | -| SmRemote | `src/SmRemote/` | SM2/SM3/SM4 cryptographic remote service | -| **Development Tools** | | | -| Tools | `src/Tools/` | Development utilities (fixture updater, smoke tests, validators) | -| Bench | `src/Bench/` | Performance benchmark infrastructure | - -> **Note:** See `docs/modules//architecture.md` for detailed module dossiers. Some entries in `docs/modules/` are cross-cutting concepts (snapshot, triage) or shared libraries (provcache) rather than standalone modules. - -### Code Organization Patterns - -- **Libraries:** `src//__Libraries/StellaOps..*` -- **Tests:** `src//__Tests/StellaOps..*.Tests/` -- **Plugins:** Follow naming `StellaOps..Connector.*` or `StellaOps..Plugin.*` -- **Shared test infrastructure:** `StellaOps.Concelier.Testing` and `StellaOps.Infrastructure.Postgres.Testing` provide PostgreSQL fixtures - -### Naming Conventions - -- All modules are .NET 10 projects, except the UI (Angular) -- Module projects: `StellaOps.` -- Libraries/plugins common to multiple modules: `StellaOps.` -- Each project lives in its own folder - -### Key Glossary - -- **OVAL** — Vendor/distro security definition format; authoritative for OS packages -- **NEVRA / EVR** — RPM and Debian version semantics for OS packages -- **PURL / SemVer** — Coordinates and version semantics for OSS ecosystems -- **KEV** — Known Exploited Vulnerabilities (flag only) - -## Coding Rules - -### Core Principles - -1. **Determinism:** Outputs must be reproducible - stable ordering, UTC ISO-8601 timestamps, immutable NDJSON where applicable -2. **Offline-first:** Remote host allowlist, strict schema validation, avoid hard-coded external dependencies unless explicitly allowed -3. **Plugin architecture:** Concelier connectors, Authority plugins, Scanner analyzers are all plugin-based -4. **VEX-first decisioning:** Exploitability modeled in OpenVEX with lattice logic for stable outcomes - -### Implementation Guidelines - -- Follow .NET 10 and Angular v17 best practices -- Apply SOLID principles (SRP, OCP, LSP, ISP, DIP) when designing services, libraries, and tests -- Keep in mind the nuget versions are controlled centrally by src/Directory* files, not via csproj -- Maximise reuse and composability -- Never regress determinism, ordering, or precedence -- Every change must be accompanied by or covered by tests -- Gated LLM usage (only where explicitly configured) - -### Test Layout - -- **Module tests:** `src//__Tests/StellaOps...Tests/` -- **Global tests:** `src/__Tests/{Category}/` (Integration, Acceptance, Load, Security, Chaos, E2E, etc.) -- **Shared testing libraries:** `src/__Tests/__Libraries/StellaOps.*.Testing/` -- **Benchmarks & golden corpus:** `src/__Tests/__Benchmarks/` -- **Ground truth datasets:** `src/__Tests/__Datasets/` -- Tests use xUnit, Testcontainers for PostgreSQL integration tests -- See `src/__Tests/AGENTS.md` for detailed test infrastructure guidance - -## Code Quality & Determinism Rules - -These rules were distilled from a comprehensive audit of 324+ projects. They address the most common recurring issues and must be followed by all implementers. - -### 8.1) Compiler & Warning Discipline - -| Rule | Guidance | -|------|----------| -| **Enable TreatWarningsAsErrors** | All projects must set `true` in the `.csproj` or via `Directory.Build.props`. Relaxed warnings mask regressions and code quality drift. | - -```xml - - - true - -``` - -### 8.2) Deterministic Time & ID Generation - -| Rule | Guidance | -|------|----------| -| **Inject TimeProvider / ID generators** | Never use `DateTime.UtcNow`, `DateTimeOffset.UtcNow`, `Guid.NewGuid()`, or `Random.Shared` directly in production code. Inject `TimeProvider` (or `ITimeProvider`) and `IGuidGenerator` abstractions. | - -```csharp -// BAD - nondeterministic, hard to test -public class BadService -{ - public Record CreateRecord() => new Record - { - Id = Guid.NewGuid(), - CreatedAt = DateTimeOffset.UtcNow - }; -} - -// GOOD - injectable, testable, deterministic -public class GoodService(TimeProvider timeProvider, IGuidGenerator guidGenerator) -{ - public Record CreateRecord() => new Record - { - Id = guidGenerator.NewGuid(), - CreatedAt = timeProvider.GetUtcNow() - }; -} -``` - -### 8.2.1) Resolver Version Tracking - -| Rule | Guidance | -|------|----------| -| **Include resolver/engine version in snapshots** | For strict reproducibility verification, include the resolver or engine version digest in `KnowledgeSnapshot` and similar input manifests. This ensures that identical inputs processed by different engine versions can be detected and flagged. | - -```csharp -// BAD - snapshot missing engine version -public sealed record KnowledgeSnapshot -{ - public required ImmutableArray Sboms { get; init; } - public required ImmutableArray VexDocuments { get; init; } - // Missing: engine version that produced the verdict -} - -// GOOD - includes engine version for reproducibility verification -public sealed record KnowledgeSnapshot -{ - public required ImmutableArray Sboms { get; init; } - public required ImmutableArray VexDocuments { get; init; } - public required EngineVersionRef EngineVersion { get; init; } -} - -public sealed record EngineVersionRef( - string EngineName, // e.g., "VexConsensusEngine" - string Version, // e.g., "2.1.0" - string SourceDigest); // SHA-256 of engine source or build artifact -``` - -### 8.3) ASCII-Only Output - -| Rule | Guidance | -|------|----------| -| **No mojibake or non-ASCII glyphs** | Use ASCII-only characters in comments, output strings, and log messages. No `ƒ?`, `バ`, `→`, `✓`, `✗`, or box-drawing characters. When Unicode is truly required, use explicit escapes (`\uXXXX`) and document the rationale. | - -```csharp -// BAD - non-ASCII glyphs -Console.WriteLine("✓ Success → proceeding"); -// or mojibake comments like: // ƒ+ validation passed - -// GOOD - ASCII only -Console.WriteLine("[OK] Success - proceeding"); -// Comment: validation passed -``` - -### 8.4) Test Project Requirements - -| Rule | Guidance | -|------|----------| -| **Every library needs tests** | All production libraries/services must have a corresponding `*.Tests` project covering: (a) happy paths, (b) error/edge cases, (c) determinism, and (d) serialization round-trips. | - -``` -src/ - Scanner/ - __Libraries/ - StellaOps.Scanner.Core/ - __Tests/ - StellaOps.Scanner.Core.Tests/ <-- Required -``` - -### 8.5) Culture-Invariant Parsing - -| Rule | Guidance | -|------|----------| -| **Use InvariantCulture** | Always use `CultureInfo.InvariantCulture` for parsing and formatting dates, numbers, percentages, and any string that will be persisted, hashed, or compared. Current culture causes locale-dependent, nondeterministic behavior. | - -```csharp -// BAD - culture-sensitive -var value = double.Parse(input); -var formatted = percentage.ToString("P2"); - -// GOOD - invariant culture -var value = double.Parse(input, CultureInfo.InvariantCulture); -var formatted = percentage.ToString("P2", CultureInfo.InvariantCulture); -``` - -### 8.6) DSSE PAE Consistency - -| Rule | Guidance | -|------|----------| -| **Single DSSE PAE implementation** | Use one spec-compliant DSSE PAE helper (`StellaOps.Attestation.DsseHelper` or equivalent) across the codebase. DSSE v1 requires ASCII decimal lengths and space separators. Never reimplement PAE encoding. | - -```csharp -// BAD - custom PAE implementation -var pae = $"DSSEv1 {payloadType.Length} {payloadType} {payload.Length} "; - -// GOOD - use shared helper -var pae = DsseHelper.ComputePreAuthenticationEncoding(payloadType, payload); -``` - -### 8.7) RFC 8785 JSON Canonicalization - -| Rule | Guidance | -|------|----------| -| **Use shared RFC 8785 canonicalizer** | For digest/signature inputs, use a shared RFC 8785-compliant JSON canonicalizer with: sorted keys, minimal escaping per spec, no exponent notation for numbers, no trailing/leading zeros. Do not use `UnsafeRelaxedJsonEscaping` or `CamelCase` naming for canonical outputs. | - -```csharp -// BAD - non-canonical JSON -var json = JsonSerializer.Serialize(obj, new JsonSerializerOptions -{ - Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping, - PropertyNamingPolicy = JsonNamingPolicy.CamelCase -}); - -// GOOD - use shared canonicalizer -var canonicalJson = CanonicalJsonSerializer.Serialize(obj); -var digest = ComputeDigest(canonicalJson); -``` - -### 8.8) CancellationToken Propagation - -| Rule | Guidance | -|------|----------| -| **Propagate CancellationToken** | Always propagate `CancellationToken` through async call chains. Never use `CancellationToken.None` in production code except at entry points where no token is available. | - -```csharp -// BAD - ignores cancellation -public async Task ProcessAsync(CancellationToken ct) -{ - await _repository.SaveAsync(data, CancellationToken.None); // Wrong! - await Task.Delay(1000); // Missing ct -} - -// GOOD - propagates cancellation -public async Task ProcessAsync(CancellationToken ct) -{ - await _repository.SaveAsync(data, ct); - await Task.Delay(1000, ct); -} -``` - -### 8.9) HttpClient via Factory - -| Rule | Guidance | -|------|----------| -| **Use IHttpClientFactory** | Never `new HttpClient()` directly. Use `IHttpClientFactory` with configured timeouts and retry policies via Polly or `Microsoft.Extensions.Http.Resilience`. Direct HttpClient creation risks socket exhaustion. | - -```csharp -// BAD - direct instantiation -public class BadService -{ - public async Task FetchAsync() - { - using var client = new HttpClient(); // Socket exhaustion risk - await client.GetAsync(url); - } -} - -// GOOD - factory with resilience -public class GoodService(IHttpClientFactory httpClientFactory) -{ - public async Task FetchAsync() - { - var client = httpClientFactory.CreateClient("MyApi"); - await client.GetAsync(url); - } -} - -// Registration with timeout/retry -services.AddHttpClient("MyApi") - .ConfigureHttpClient(c => c.Timeout = TimeSpan.FromSeconds(30)) - .AddStandardResilienceHandler(); -``` - -### 8.10) Path/Root Resolution - -| Rule | Guidance | -|------|----------| -| **Explicit CLI options for paths** | Do not derive repository root from `AppContext.BaseDirectory` with parent directory walks. Use explicit CLI options (`--repo-root`) or environment variables. Provide sensible defaults with clear error messages. | - -```csharp -// BAD - fragile parent walks -var repoRoot = Path.GetFullPath(Path.Combine( - AppContext.BaseDirectory, "..", "..", "..", "..")); - -// GOOD - explicit option with fallback -[Option("--repo-root", Description = "Repository root path")] -public string? RepoRoot { get; set; } - -public string GetRepoRoot() => - RepoRoot ?? Environment.GetEnvironmentVariable("STELLAOPS_REPO_ROOT") - ?? throw new InvalidOperationException("Repository root not specified. Use --repo-root or set STELLAOPS_REPO_ROOT."); -``` - -### 8.11) Test Categorization - -| Rule | Guidance | -|------|----------| -| **Correct test categories** | Tag tests correctly: `[Trait("Category", "Unit")]` for pure unit tests, `[Trait("Category", "Integration")]` for tests requiring databases, containers, or network. Don't mix DB/network tests into unit suites. | - -```csharp -// BAD - integration test marked as unit -public class UserRepositoryTests // Uses Testcontainers/Postgres -{ - [Fact] // Missing category, runs with unit tests - public async Task Save_PersistsUser() { ... } -} - -// GOOD - correctly categorized -[Trait("Category", "Integration")] -public class UserRepositoryTests -{ - [Fact] - public async Task Save_PersistsUser() { ... } -} - -[Trait("Category", "Unit")] -public class UserValidatorTests -{ - [Fact] - public void Validate_EmptyEmail_ReturnsFalse() { ... } -} -``` - -### 8.12) No Silent Stubs - -| Rule | Guidance | -|------|----------| -| **Unimplemented code must throw** | Placeholder code must throw `NotImplementedException` or return an explicit error/unsupported status. Never return success (`null`, empty results, or success codes) from unimplemented paths. | - -```csharp -// BAD - silent stub masks missing implementation -public async Task ProcessAsync() -{ - // TODO: implement later - return Result.Success(); // Ships broken feature! -} - -// GOOD - explicit failure -public async Task ProcessAsync() -{ - throw new NotImplementedException("ProcessAsync not yet implemented. See SPRINT_XYZ."); -} -``` - -### 8.13) Immutable Collection Returns - -| Rule | Guidance | -|------|----------| -| **Return immutable collections** | Public APIs must return `IReadOnlyList`, `ImmutableArray`, or defensive copies. Never expose mutable backing stores that callers can mutate. | - -```csharp -// BAD - exposes mutable backing store -public class BadRegistry -{ - private readonly List _scopes = new(); - public List Scopes => _scopes; // Callers can mutate! -} - -// GOOD - immutable return -public class GoodRegistry -{ - private readonly List _scopes = new(); - public IReadOnlyList Scopes => _scopes.AsReadOnly(); - // or: public ImmutableArray Scopes => _scopes.ToImmutableArray(); -} -``` - -### 8.14) Options Validation at Startup - -| Rule | Guidance | -|------|----------| -| **ValidateOnStart for options** | Use `ValidateDataAnnotations()` and `ValidateOnStart()` for options. Implement `IValidateOptions` for complex validation. All required config must be validated at startup, not at first use. | - -```csharp -// BAD - no validation until runtime failure -services.Configure(config.GetSection("My")); - -// GOOD - validated at startup -services.AddOptions() - .Bind(config.GetSection("My")) - .ValidateDataAnnotations() - .ValidateOnStart(); - -// With complex validation -public class MyOptionsValidator : IValidateOptions -{ - public ValidateOptionsResult Validate(string? name, MyOptions options) - { - if (options.Timeout <= TimeSpan.Zero) - return ValidateOptionsResult.Fail("Timeout must be positive"); - return ValidateOptionsResult.Success; - } -} -``` - -### 8.15) No Backup Files in Source - -| Rule | Guidance | -|------|----------| -| **Exclude backup/temp artifacts** | Add backup patterns (`*.Backup.tmp`, `*.bak`, `*.orig`) to `.gitignore`. Regularly audit for and remove stray artifacts. Consolidate duplicate tools/harnesses. | - -```gitignore -# .gitignore additions -*.Backup.tmp -*.bak -*.orig -*~ -``` - -### 8.16) Test Production Code, Not Reimplementations - -| Rule | Guidance | -|------|----------| -| **Helpers call production code** | Test helpers must call production code, not reimplement algorithms (Merkle trees, DSSE PAE, parsers, canonicalizers). Only mock I/O and network boundaries. Reimplementations cause test/production drift. | - -```csharp -// BAD - test reimplements production logic -[Fact] -public void Merkle_ComputesCorrectRoot() -{ - // Custom Merkle implementation in test - var root = TestMerkleHelper.ComputeRoot(leaves); // Drift risk! - Assert.Equal(expected, root); -} - -// GOOD - test exercises production code -[Fact] -public void Merkle_ComputesCorrectRoot() -{ - // Uses production MerkleTreeBuilder - var root = MerkleTreeBuilder.ComputeRoot(leaves); - Assert.Equal(expected, root); -} -``` - -### 8.17) Bounded Caches with Eviction - -| Rule | Guidance | -|------|----------| -| **No unbounded Dictionary caches** | Do not use `ConcurrentDictionary` or `Dictionary` for caching without eviction policies. Use bounded caches with TTL/LRU eviction (`MemoryCache` with size limits, or external cache like Valkey). Document expected cardinality and eviction behavior. | - -```csharp -// BAD - unbounded growth -private readonly ConcurrentDictionary _cache = new(); - -public void Add(string key, CacheEntry entry) -{ - _cache[key] = entry; // Never evicts, memory grows forever -} - -// GOOD - bounded with eviction -private readonly MemoryCache _cache = new(new MemoryCacheOptions -{ - SizeLimit = 10_000 -}); - -public void Add(string key, CacheEntry entry) -{ - _cache.Set(key, entry, new MemoryCacheEntryOptions - { - Size = 1, - SlidingExpiration = TimeSpan.FromMinutes(30) - }); -} -``` - -### 8.18) DateTimeOffset for PostgreSQL timestamptz - -| Rule | Guidance | -|------|----------| -| **Use GetFieldValue<DateTimeOffset>** | PostgreSQL `timestamptz` columns must be read via `reader.GetFieldValue()`, not `reader.GetDateTime()`. `GetDateTime()` loses offset information and causes UTC/local confusion. Store and retrieve all timestamps as UTC `DateTimeOffset`. | - -```csharp -// BAD - loses offset information -var createdAt = reader.GetDateTime(reader.GetOrdinal("created_at")); - -// GOOD - preserves offset -var createdAt = reader.GetFieldValue(reader.GetOrdinal("created_at")); -``` - -### 8.19) Hybrid Logical Clock (HLC) Usage - -| Rule | Guidance | -|------|----------| -| **Use IHybridLogicalClock for ordering** | For distributed ordering and audit-safe sequencing, use `IHybridLogicalClock` from `StellaOps.HybridLogicalClock`. Never rely on wall-clock time alone for ordering in distributed scenarios. | - -```csharp -// BAD - wall-clock ordering in distributed system -public async Task EnqueueAsync(Job job) -{ - job.EnqueuedAt = DateTimeOffset.UtcNow; // Clock skew risk! - await _store.SaveAsync(job); -} - -// GOOD - HLC ordering -public async Task EnqueueAsync(Job job, CancellationToken ct) -{ - job.THlc = _hlc.Tick(); // Monotonic, skew-tolerant - job.EnqueuedAtWall = _timeProvider.GetUtcNow(); // Informational only - await _store.SaveAsync(job, ct); -} -``` - -| Rule | Guidance | -|------|----------| -| **Deterministic event IDs** | Generate event IDs deterministically from content, not randomly. Use `SHA-256(correlationId \|\| tHlc \|\| service \|\| kind)` for timeline events. This ensures replay produces identical IDs. | - -```csharp -// BAD - random ID breaks replay determinism -var eventId = Guid.NewGuid().ToString(); - -// GOOD - deterministic ID from content -var eventId = EventIdGenerator.Generate(correlationId, tHlc, service, kind); -// Returns: SHA-256(inputs)[0:32] as hex -``` - -| Rule | Guidance | -|------|----------| -| **HLC state persistence** | Persist HLC state on graceful shutdown via `IHlcStateStore`. On startup, call `InitializeFromStateAsync()` to restore monotonicity. This prevents HLC regression after restarts. | - -```csharp -// Service startup -public async Task StartAsync(CancellationToken ct) -{ - await _hlc.InitializeFromStateAsync(ct); - // HLC will now be >= last persisted value -} - -// Service shutdown -public async Task StopAsync(CancellationToken ct) -{ - await _hlc.PersistStateAsync(ct); -} -``` - -| Rule | Guidance | -|------|----------| -| **HLC in event envelopes** | Timeline events must include both `tHlc` (ordering) and `tsWall` (debugging). Use `HlcTimestamp.ToSortableString()` for string representation. Never parse HLC from user input without validation. | - -| Rule | Guidance | -|------|----------| -| **Clock skew handling** | Configure reasonable `MaxClockSkew` tolerance (default: 5 seconds). Events with excessive skew throw `HlcClockSkewException`. Monitor `hlc_clock_skew_rejections_total` metric. | - -**Reference:** See `docs/modules/eventing/event-envelope-schema.md` for the canonical event envelope specification. - -### Documentation Updates - -When scope, contracts, or workflows change, update the relevant docs under: -- `docs/modules/**` - Module architecture dossiers -- `docs/api/` - API documentation -- `docs/modules/risk-engine/` - Risk documentation -- `docs/airgap/` - Air-gap operation docs - -## Role-Based Behavior - -When working in this repository, behavior changes based on the role specified: - -### As Implementer (Default for coding tasks) - -- Work only inside the module's directory defined by the sprint's "Working directory" -- Cross-module edits require explicit notes in commit/PR descriptions -- Do **not** ask clarification questions - if ambiguity exists: - - Mark the task as `BLOCKED` in the sprint `Delivery Tracker` - - Add a note in `Decisions & Risks` describing the issue - - Skip to the next unblocked task -- Maintain status tracking: `TODO → DOING → DONE/BLOCKED` in sprint files -- Read the module's `AGENTS.md` before coding in that module - -### As Project Manager - -Create implementation sprint files under `docs/implplan/` using the **mandatory** sprint filename format: - -`SPRINT____.md` - -- ``: implementation epoch (e.g., `20251219`). Determine by scanning existing `docs/implplan/SPRINT_*.md` and using the highest epoch; if none exist, use today's epoch. -- ``: `001`, `002`, etc. — grouping when more than one sprint is needed for a feature. -- ``: `FE` (Frontend), `BE` (Backend), `AG` (Agent), `LB` (library), `BE` (Backend), `AG` (Agent), `LB` (library), 'SCANNER' (scanner), 'AUTH' (Authority), 'CONCEL' (Concelier), 'CONCEL-ASTRA' - (Concelier Astra source connecto) and etc. -- ``: short topic description. -- **If any existing sprint file name or internal format deviates from the standard, rename/normalize it** and record the change in its **Execution Log**. -- Normalize sprint files to standard template while preserving content -- Ensure module `AGENTS.md` files exist and are up to date -- When sprint is fully completed move it to `docs-archived/implplan/` - -### As Product Manager - -- Review advisories in `docs/product/advisories/` -- Check for overlaps with `docs-archived/product/advisories/` -- Validate against module docs and existing implementations -- Hand over to project manager role for sprint/task definition - -## Task Workflow - -### Status Discipline - -Always update task status in `docs/implplan/SPRINT_*.md`: -- `TODO` - Not started -- `DOING` - In progress -- `DONE` - Completed -- `BLOCKED` - Waiting on decision/clarification - -### Prerequisites - -Before coding, confirm required docs are read: -- `docs/README.md` -- `docs/ARCHITECTURE_REFERENCE.md` -- `docs/modules/platform/architecture-overview.md` -- Relevant module dossier (e.g., `docs/modules//architecture.md`) -- Module-specific `AGENTS.md` file - -### Git Rules - -- Never use `git reset` unless explicitly told to do so -- Never skip hooks (--no-verify, --no-gpg-sign) unless explicitly requested - -## Configuration - -- **Sample configs:** `etc/concelier.yaml.sample`, `etc/authority.yaml.sample` -- **Plugin manifests:** `etc/authority.plugins/*.yaml` -- **NuGet sources:** Package cache in `.nuget/packages/`, public sources configured in `nuget.config` - -## Documentation - -- **Architecture overview:** `docs/ARCHITECTURE_OVERVIEW.md` -- **Architecture reference:** `docs/ARCHITECTURE_REFERENCE.md` -- **Module dossiers:** `docs/modules//architecture.md` -- **Database specification:** `docs/db/SPECIFICATION.md` -- **PostgreSQL operations:** `docs/operations/postgresql-guide.md` -- **API/CLI reference:** `docs/API_CLI_REFERENCE.md` -- **Offline operation:** `docs/OFFLINE_KIT.md` -- **Quickstart:** `docs/CONCELIER_CLI_QUICKSTART.md` -- **Sprint planning:** `docs/implplan/SPRINT_*.md` - -## CI/CD - -### Folder Structure - -The CI/CD infrastructure uses a two-tier organization: - -| Folder | Purpose | -|--------|---------| -| `.gitea/workflows/` | Gitea Actions workflow YAML files (87+) | -| `.gitea/scripts/` | CI/CD scripts called by workflows | -| `devops/` | Deployment, tooling, and operational configs | - -### CI/CD Scripts (`.gitea/scripts/`) - -``` -.gitea/scripts/ -├── build/ # Build orchestration (build-cli.sh, build-multiarch.sh) -├── test/ # Test execution (test-lane.sh, determinism-run.sh) -├── validate/ # Validation (validate-sbom.sh, validate-helm.sh) -├── sign/ # Signing (sign-signals.sh, publish-attestation.sh) -├── release/ # Release automation (build_release.py, verify_release.py) -├── metrics/ # Performance metrics (compute-reachability-metrics.sh) -├── evidence/ # Evidence bundles (upload-all-evidence.sh) -└── util/ # Utilities (cleanup-runner-space.sh) -``` - -### DevOps Folder (`devops/`) - -``` -devops/ -├── compose/ # Docker Compose profiles (dev, stage, prod, airgap) -├── helm/ # Helm charts (stellaops) -├── docker/ # Dockerfiles (platform, crypto-profile, ci) -├── telemetry/ # OpenTelemetry, Prometheus, Grafana configs -├── services/ # Service-specific configs (authority, crypto, signals) -├── offline/ # Air-gap and offline deployment -├── observability/ # Alerts, SLOs, incident management -├── database/ # PostgreSQL and MongoDB configs -├── ansible/ # Ansible playbooks -├── gitlab/ # GitLab CI templates -├── releases/ # Release manifests -├── tools/ # Development tools (callgraph, corpus, feeds) -└── scripts/ # DevOps scripts (test-local.sh, validate-compose.sh) -``` - -### Key Workflows - -| Workflow | Purpose | -|----------|---------| -| `build-test-deploy.yml` | Main build, test, and deployment pipeline | -| `test-matrix.yml` | Unified test execution with TRX reporting | -| `module-publish.yml` | Per-module NuGet and container publishing | -| `release-suite.yml` | Full suite release (Ubuntu-style versioning) | -| `cli-build.yml` | CLI multi-platform builds | -| `scanner-determinism.yml` | Scanner output reproducibility tests | -| `policy-lint.yml` | Policy validation | - -### Versioning - -- **Suite releases**: Ubuntu-style `YYYY.MM` with codenames (e.g., "2026.04 Nova") -- **Module releases**: Semantic versioning `MAJOR.MINOR.PATCH` -- See `docs/releases/VERSIONING.md` for full documentation - -## Environment Variables - -- `STELLAOPS_BACKEND_URL` - Backend API URL for CLI -- `STELLAOPS_TEST_POSTGRES_CONNECTION` - PostgreSQL connection string for integration tests -- `StellaOpsEnableCryptoPro` - Enable GOST crypto support (set to `true` in build) diff --git a/CLAUDE.md b/CLAUDE.md new file mode 120000 index 000000000..2f518a9fc --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1 @@ +C:/dev/New folder/git.stella-ops.org/AGENTS.md \ No newline at end of file diff --git a/devops/tools/cosign/cosign b/devops/tools/cosign/cosign deleted file mode 120000 index 396f39d8b..000000000 --- a/devops/tools/cosign/cosign +++ /dev/null @@ -1 +0,0 @@ -v2.6.0/cosign-linux-amd64 \ No newline at end of file diff --git a/devops/tools/cosign/cosign b/devops/tools/cosign/cosign new file mode 100644 index 000000000..396f39d8b --- /dev/null +++ b/devops/tools/cosign/cosign @@ -0,0 +1 @@ +v2.6.0/cosign-linux-amd64 \ No newline at end of file diff --git a/docs/GOVERNANCE.md b/docs/GOVERNANCE.md index db87c8e0e..7253dbedd 100755 --- a/docs/GOVERNANCE.md +++ b/docs/GOVERNANCE.md @@ -60,7 +60,6 @@ Approval is recorded via Git forge review or a signed commit trailer |-----------|------------| | Technical deadlock | **Maintainer Summit** (recorded & published) | | Security bug | Follow [Security Policy](SECURITY_POLICY.md) | -| Code of Conduct violation | See `code-of-conduct/CODE_OF_CONDUCT.md` escalation ladder | --- diff --git a/docs/README.md b/docs/README.md index d43a3c042..f1b951d22 100755 --- a/docs/README.md +++ b/docs/README.md @@ -1,21 +1,50 @@ # Stella Ops Suite Documentation -**Stella Ops Suite** is a centralized, auditable release control plane for non-Kubernetes container estates. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces verifiable evidence for every decision. +**Stella Ops Suite** is a centralized, auditable release control plane for **non‑Kubernetes** container estates. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces verifiable evidence for every decision. The platform combines: -- **Release orchestration** — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks -- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates -- **OCI-digest-first releases** — Immutable digest-based release identity with "what is deployed where" tracking -- **Toolchain-agnostic integrations** — Plug into any SCM, CI, registry, and secrets system -- **Auditability + standards** — Evidence packets, SBOM/VEX/attestation support, deterministic replay + +- **Release orchestration** — UI-driven promotion (Dev -> Stage -> Prod), approvals, policy gates, rollbacks, and step-graph execution (sequential/parallel) with per-step logs +- **Security decisioning as a gate** — scan on build, evaluate on release, re-evaluate on vulnerability intel updates +- **OCI-digest-first releases** — immutable digest-based release identity with authoritative "what is deployed where" tracking +- **Toolchain-agnostic integrations** — plug into any SCM, CI, registry, secrets system, and host access method via plugins +- **Auditability + standards** — evidence packets, SBOM/VEX/attestation support, deterministic replay and explainable decisions + +--- + +## Verified vs Unverified Releases + +Stella supports two operational modes: + +- **Verified releases (recommended):** promotions require Stella evidence for each new digest (SBOM + reachability + policy decision record + approvals where configured). Intended for certifiable security and audit-grade releases. +- **Unverified releases (CD-only):** orchestration is allowed with evidence gates bypassed. Still tracked and logged, but not intended for security certification. + +This documentation emphasizes the **verified release** path as the primary product value. + +--- + +## Licensing model (documentation-level summary) + +Stella Ops Suite uses **no feature gating** across plans. Licensing limits apply only to: + +- **Environments** +- **New digests deep-scanned per month** (evidence-grade analysis of previously unseen OCI digests) + +**Deployment targets are not licensed** (unlimited targets; fair use may apply only under abusive automation patterns). + +(See your offer/pricing document if present in the repo; commonly stored under `docs/product/`.) + +--- ## Two Levels of Documentation -- **High-level (canonical):** the curated guides in `docs/*.md`. -- **Detailed (reference):** deep dives under `docs/**` (module dossiers, architecture notes, API contracts/samples, runbooks, schemas). The entry point is `docs/technical/README.md`. +- **High-level (canonical):** curated guides in `docs/*.md`. +- **Detailed (reference):** deep dives under `docs/**` (module dossiers, architecture notes, API contracts/samples, runbooks, schemas). Entry point: `docs/technical/README.md`. This documentation set is internal and does not keep compatibility stubs for old paths. Content is consolidated to reduce duplication and outdated pages. +--- + ## Start Here ### Product Understanding @@ -27,14 +56,18 @@ This documentation set is internal and does not keep compatibility stubs for old | Feature matrix | [FEATURE_MATRIX.md](FEATURE_MATRIX.md) | | Product vision | [product/VISION.md](product/VISION.md) | | Roadmap (priorities + definition of "done") | [ROADMAP.md](ROADMAP.md) | +| Verified release model (concepts + evidence) | [VERIFIED_RELEASES.md](VERIFIED_RELEASES.md) | ### Getting Started | Goal | Open this | | --- | --- | +| First run (minimal install) | [quickstart.md](quickstart.md) | | Run a first scan (CLI) | [quickstart.md](quickstart.md) | +| Run a first verified promotion (Dev -> Stage -> Prod) | [RELEASE_PROCESS.md](releases/RELEASE_PROCESS.md) | | Ingest advisories (Concelier + CLI) | [CONCELIER_CLI_QUICKSTART.md](CONCELIER_CLI_QUICKSTART.md) | | Console (Web UI) operator guide | [UI_GUIDE.md](UI_GUIDE.md) | +| Doctor / self-service diagnostics | [DOCTOR_GUIDE.md](doctor/README.md) | | Offline / air-gap operations | [OFFLINE_KIT.md](OFFLINE_KIT.md) | ### Architecture @@ -48,16 +81,21 @@ This documentation set is internal and does not keep compatibility stubs for old | Architecture: data flows | [technical/architecture/data-flows.md](technical/architecture/data-flows.md) | | Architecture: schema mapping | [technical/architecture/schema-mapping.md](technical/architecture/schema-mapping.md) | | Release Orchestrator architecture | [modules/release-orchestrator/architecture.md](modules/release-orchestrator/architecture.md) | +| Evidence and attestations | [modules/evidence/README.md](modules/evidence/README.md) | ### Development & Operations | Goal | Open this | | --- | --- | +| Engineering rules (determinism, security, docs discipline) | [code-of-conduct/CODE_OF_CONDUCT.md](code-of-conduct/CODE_OF_CONDUCT.md) | +| Testing standards and evidence expectations | [code-of-conduct/TESTING_PRACTICES.md](code-of-conduct/TESTING_PRACTICES.md) | | Develop plugins/connectors | [PLUGIN_SDK_GUIDE.md](PLUGIN_SDK_GUIDE.md) | | Security deployment hardening | [SECURITY_HARDENING_GUIDE.md](SECURITY_HARDENING_GUIDE.md) | | VEX consensus and issuer trust | [VEX_CONSENSUS_GUIDE.md](VEX_CONSENSUS_GUIDE.md) | | Vulnerability Explorer guide | [VULNERABILITY_EXPLORER_GUIDE.md](VULNERABILITY_EXPLORER_GUIDE.md) | +--- + ## Detailed Indexes - **Technical index (everything):** [docs/technical/README.md](/docs/technical/) @@ -71,45 +109,13 @@ This documentation set is internal and does not keep compatibility stubs for old - **Benchmarks and fixtures:** [docs/benchmarks/](/docs/benchmarks/), [docs/assets/](/docs/assets/) - **Product advisories:** [docs/product/advisories/](/docs/product/advisories/) -## Platform Themes - -Stella Ops Suite organizes capabilities into themes: - -### Existing Themes (Operational) - -| Theme | Purpose | Key Modules | -|-------|---------|-------------| -| **INGEST** | Advisory ingestion | Concelier, Advisory-AI | -| **VEXOPS** | VEX document handling | Excititor, VEX Lens, VEX Hub | -| **REASON** | Policy and decisioning | Policy Engine, OPA Runtime | -| **SCANENG** | Scanning and SBOM | Scanner, SBOM Service, Reachability | -| **EVIDENCE** | Evidence and attestation | Evidence Locker, Attestor, Export Center | -| **RUNTIME** | Runtime signals | Signals, Graph, Zastava | -| **JOBCTRL** | Job orchestration | Scheduler, Orchestrator, TaskRunner | -| **OBSERVE** | Observability | Notifier, Telemetry | -| **REPLAY** | Deterministic replay | Replay Engine | -| **DEVEXP** | Developer experience | CLI, Web UI, SDK | - -### Planned Themes (Release Orchestration) - -| Theme | Purpose | Key Modules | -|-------|---------|-------------| -| **INTHUB** | Integration hub | Integration Manager, Connection Profiles, Connector Runtime | -| **ENVMGR** | Environment management | Environment Manager, Target Registry, Agent Manager | -| **RELMAN** | Release management | Component Registry, Version Manager, Release Manager | -| **WORKFL** | Workflow engine | Workflow Designer, Workflow Engine, Step Executor | -| **PROMOT** | Promotion and approval | Promotion Manager, Approval Gateway, Decision Engine | -| **DEPLOY** | Deployment execution | Deploy Orchestrator, Target Executor, Artifact Generator | -| **AGENTS** | Deployment agents | Agent Core, Docker/Compose/ECS/Nomad agents | -| **PROGDL** | Progressive delivery | A/B Manager, Traffic Router, Canary Controller | -| **RELEVI** | Release evidence | Evidence Collector, Sticker Writer, Audit Exporter | -| **PLUGIN** | Plugin infrastructure | Plugin Registry, Plugin Loader, Plugin SDK | +--- ## Design Principles -- **Offline-first**: All core operations work in air-gapped environments -- **Deterministic replay**: Same inputs yield same outputs (stable ordering, canonical hashing) -- **Evidence-linked decisions**: Every decision links to concrete evidence artifacts -- **Digest-first release identity**: Releases are immutable OCI digests, not mutable tags -- **Pluggable everything**: Integrations are plugins; core orchestration is stable -- **No feature gating**: All plans include all features; limits are environments + new digests/day +- **Offline-first**: core operations work in air-gapped environments +- **Deterministic replay**: same inputs yield same outputs (stable ordering, canonical hashing) +- **Evidence-linked decisions**: every verified release decision links to concrete evidence artifacts +- **Digest-first release identity**: releases are immutable OCI digests, not mutable tags +- **Pluggable everything**: integrations are plugins; core orchestration is stable +- **No feature gating**: all plans include all features; licensing limits are environments + new digests deep-scanned per month; deployment targets are not licensed \ No newline at end of file diff --git a/docs/UI_GUIDE.md b/docs/UI_GUIDE.md index 63531ef47..708ca4dbb 100755 --- a/docs/UI_GUIDE.md +++ b/docs/UI_GUIDE.md @@ -62,12 +62,84 @@ See `docs/VEX_CONSENSUS_GUIDE.md` for the underlying concepts. See `docs/OFFLINE_KIT.md` for packaging and offline verification workflows. +### Export Evidence Cards (v1.1) + +Evidence Cards are single-file exports containing SBOM excerpt, DSSE envelope, and optional Rekor receipt for offline verification. + +**To export an Evidence Card:** + +1. Open an evidence pack from **Findings** or **Runs** workspace. +2. Click the **Export** dropdown in the pack viewer header. +3. Select **Evidence Card** for full export or **Evidence Card (Compact)** for a smaller file without full SBOM. +4. The browser downloads a `.evidence-card.json` file. + +**Evidence Card contents:** + +- `cardId`: Unique card identifier +- `version`: Schema version (e.g., "1.0.0") +- `packId`: Source evidence pack ID +- `subject`: Finding/CVE/component metadata +- `envelope`: DSSE signature envelope (when signed) +- `sbomExcerpt`: Relevant SBOM component data (full export only) +- `rekorReceipt`: Sigstore Rekor transparency log receipt (when available) +- `contentDigest`: SHA-256 digest for verification + +**Content types:** + +- Full: `application/vnd.stellaops.evidence-card+json` +- Compact: `application/vnd.stellaops.evidence-card-compact+json` + +See `docs/api/evidence-decision-api.openapi.yaml` for the complete schema. + ## Offline / Air-Gap Expectations - The Console must operate against Offline Kit snapshots (no external lookups required). - The UI should surface snapshot identity and staleness budgets (feeds, VEX, policy versions). - Upload/import workflows for Offline Kit bundles should be auditable (who imported what, when). +## Setup Wizard + +The Setup Wizard provides a guided interface for initial platform configuration and reconfiguration. It communicates with the Platform backend via `/api/v1/setup/*` endpoints. + +### Wizard Features + +- **Session-based workflow:** Sessions track progress across steps, enabling resume after interruption. +- **Step validation:** Each step includes Doctor checks that validate configuration before proceeding. +- **Dry-run mode:** Preview configuration changes before applying them. +- **Error handling:** Problem+JSON errors are mapped to user-friendly messages with suggested fixes. +- **Data freshness:** Stale data banners show when cached information may be outdated. +- **Retry support:** Failed operations can be retried with backoff and attempt tracking. + +### Wizard Steps + +The wizard guides operators through these configuration areas: + +| Step | Category | Required | Description | +|------|----------|----------|-------------| +| Database | Infrastructure | Yes | PostgreSQL connection and migrations | +| Cache | Infrastructure | Yes | Valkey/Redis connection | +| Vault | Security | No | HashiCorp Vault, Azure Key Vault, or AWS Secrets Manager | +| Settings Store | Configuration | No | Consul, etcd, or PostgreSQL-backed configuration | +| Registry | Integration | No | Container registry connections | +| Telemetry | Observability | No | OTLP endpoint configuration | + +### Using the Wizard + +1. Access the Setup Wizard from **Admin > Configuration Wizard** or during first-run. +2. Complete required steps (Database, Cache) before optional integrations. +3. Use **Test Connection** to validate credentials before applying. +4. Review validation checks (Doctor diagnostics) for each step. +5. Use dry-run mode to preview changes before committing. +6. After completion, restart services to apply the configuration. + +### Reconfiguration + +To modify existing configuration: +- Use `stella setup --reconfigure` (CLI) or **Admin > Configuration Wizard** (UI). +- Individual steps can be reconfigured without re-running the entire wizard. + +See `docs/setup/setup-wizard-ux.md` for detailed UX specifications and CLI parity. + ## Security and Access - Authentication is typically OIDC/OAuth2 via Authority; scopes/roles govern write actions. diff --git a/docs/VEX_CONSENSUS_GUIDE.md b/docs/VEX_CONSENSUS_GUIDE.md index 3affe7b9d..a011b4c7c 100644 --- a/docs/VEX_CONSENSUS_GUIDE.md +++ b/docs/VEX_CONSENSUS_GUIDE.md @@ -81,6 +81,99 @@ The Console uses these concepts to keep VEX explainable: See `docs/UI_GUIDE.md` for the operator workflow perspective. +## Anchor-Aware Mode (v1.1) + +> **Sprint:** SPRINT_20260112_004_BE_policy_determinization_attested_rules + +Anchor-aware mode enforces cryptographic attestation requirements on VEX proofs used for allow decisions. + +### VexProofGate Options + +| Option | Type | Default | Strict Mode | +|--------|------|---------|-------------| +| `AnchorAwareMode` | bool | `false` | `true` | +| `RequireVexAnchoring` | bool | `false` | `true` | +| `RequireRekorVerification` | bool | `false` | `true` | +| `RequireSignedStatements` | bool | `false` | `true` | +| `RequireProofForFixed` | bool | `false` | `true` | +| `MaxAllowedConflicts` | int | `5` | `0` | +| `MaxProofAgeHours` | int | `168` | `72` | + +### Strict Anchor-Aware Preset + +For production environments requiring maximum security: + +```csharp +var options = VexProofGateOptions.StrictAnchorAware; +// Enables: RequireVexAnchoring, RequireRekorVerification, +// RequireSignedStatements, RequireProofForFixed +// Sets: MinimumConfidenceTier=high, MaxAllowedConflicts=0, MaxProofAgeHours=72 +``` + +### Metadata Keys + +When passing VEX proof context through policy evaluation: + +| Key | Type | Description | +|-----|------|-------------| +| `vex_proof_anchored` | bool | Whether proof has DSSE anchoring | +| `vex_proof_envelope_digest` | string | DSSE envelope sha256 digest | +| `vex_proof_rekor_verified` | bool | Whether Rekor transparency verified | +| `vex_proof_rekor_log_index` | long | Rekor log index if verified | + +### Failure Reasons + +| Reason | Description | +|--------|-------------| +| `vex_not_anchored` | VEX proof requires DSSE anchoring but is not anchored | +| `rekor_verification_missing` | VEX proof requires Rekor verification but not verified | + +## VEX Change Events + +> Sprint: SPRINT_20260112_006_EXCITITOR_vex_change_events + +Excititor emits deterministic events when VEX statements change, enabling policy reanalysis. + +### Event Types + +| Event | Description | Policy Trigger | +|-------|-------------|----------------| +| `vex.statement.added` | New statement ingested | Immediate reanalysis | +| `vex.statement.superseded` | Statement replaced | Immediate reanalysis | +| `vex.statement.conflict` | Status disagreement detected | Queue for review | +| `vex.status.changed` | Effective status changed | Immediate reanalysis | + +### Conflict Detection + +Conflicts are detected when multiple providers report different statuses for the same vulnerability-product pair: + +| Conflict Type | Description | +|---------------|-------------| +| `status_mismatch` | Different status values (e.g., affected vs not_affected) | +| `trust_tie` | Equal trust scores with different recommendations | +| `supersession_conflict` | Disagreement on which statement supersedes | + +### Event Ordering + +Events follow deterministic ordering: +1. Ordered by timestamp (ascending) +2. Conflict events after related statement events +3. Same-timestamp events sorted by provider ID + +### Integration with Policy + +Subscribe to VEX events for automatic reanalysis: + +```yaml +subscriptions: + - event: vex.statement.* + action: reanalyze + filter: + trustScore: { $gte: 0.7 } +``` + +See [Excititor Architecture](docs/modules/excititor/architecture.md#33-vex-change-events) for full event schemas. + ## Offline / Air-Gap Operation - VEX observations/linksets are included in Offline Kit snapshots with content hashes and timestamps. diff --git a/docs/api/evidence-decision-api.openapi.yaml b/docs/api/evidence-decision-api.openapi.yaml index 9388608aa..e344b5d64 100644 --- a/docs/api/evidence-decision-api.openapi.yaml +++ b/docs/api/evidence-decision-api.openapi.yaml @@ -4,7 +4,8 @@ info: description: | REST API for evidence retrieval and decision recording. Sprint: SPRINT_3602_0001_0001 - version: 1.0.0 + Updated: SPRINT_20260112_005_BE_evidence_card_api (EVPCARD-BE-002) + version: 1.1.0 license: name: AGPL-3.0-or-later url: https://www.gnu.org/licenses/agpl-3.0.html @@ -196,6 +197,81 @@ paths: '404': $ref: '#/components/responses/NotFound' + # Sprint: SPRINT_20260112_005_BE_evidence_card_api (EVPCARD-BE-002) + /evidence-packs/{packId}/export: + get: + operationId: exportEvidencePack + summary: Export evidence pack in various formats + description: | + Exports an evidence pack in the specified format. Supports JSON, signed JSON, + Markdown, HTML, PDF, and evidence-card formats. + + **Evidence Card formats** (v1.1): + - `evidence-card`: Full evidence card with SBOM excerpt, DSSE envelope, and Rekor receipt + - `card-compact`: Compact evidence card without full SBOM + tags: + - EvidencePacks + parameters: + - name: packId + in: path + required: true + schema: + type: string + description: Evidence pack identifier + - name: format + in: query + required: false + schema: + type: string + enum: [json, signedjson, markdown, md, html, pdf, evidence-card, evidencecard, card, card-compact, evidencecardcompact] + default: json + description: | + Export format. Format aliases: + - `evidence-card`, `evidencecard`, `card` → Evidence Card + - `card-compact`, `evidencecardcompact` → Compact Evidence Card + responses: + '200': + description: Exported evidence pack + headers: + X-Evidence-Pack-Id: + schema: + type: string + description: Evidence pack identifier + X-Content-Digest: + schema: + type: string + description: SHA-256 content digest of the pack + X-Evidence-Card-Version: + schema: + type: string + description: Evidence card schema version (only for evidence-card formats) + X-Rekor-Log-Index: + schema: + type: integer + format: int64 + description: Rekor transparency log index (only for evidence-card formats with Rekor receipt) + content: + application/json: + schema: + $ref: '#/components/schemas/EvidencePackExport' + application/vnd.stellaops.evidence-card+json: + schema: + $ref: '#/components/schemas/EvidenceCard' + text/markdown: + schema: + type: string + text/html: + schema: + type: string + application/pdf: + schema: + type: string + format: binary + '404': + $ref: '#/components/responses/NotFound' + '401': + $ref: '#/components/responses/Unauthorized' + components: securitySchemes: bearerAuth: @@ -432,3 +508,197 @@ components: type: string instance: type: string + + # Sprint: SPRINT_20260112_005_BE_evidence_card_api (EVPCARD-BE-002) + EvidencePackExport: + type: object + required: + - pack_id + - format + - content_type + - file_name + properties: + pack_id: + type: string + description: Evidence pack identifier + format: + type: string + enum: [json, signedjson, markdown, html, pdf, evidence-card, evidence-card-compact] + description: Export format used + content_type: + type: string + description: MIME content type + file_name: + type: string + description: Suggested filename for download + content_digest: + type: string + description: SHA-256 digest of the content + + EvidenceCard: + type: object + description: | + Single-file evidence card packaging SBOM excerpt, DSSE envelope, and Rekor receipt. + Designed for offline verification and audit trail. + required: + - card_id + - version + - pack_id + - created_at + - subject + - envelope + properties: + card_id: + type: string + description: Unique evidence card identifier + version: + type: string + description: Evidence card schema version (e.g., "1.0.0") + pack_id: + type: string + description: Source evidence pack identifier + created_at: + type: string + format: date-time + description: Card creation timestamp (ISO 8601 UTC) + subject: + $ref: '#/components/schemas/EvidenceCardSubject' + envelope: + $ref: '#/components/schemas/DsseEnvelope' + sbom_excerpt: + $ref: '#/components/schemas/SbomExcerpt' + rekor_receipt: + $ref: '#/components/schemas/RekorReceipt' + content_digest: + type: string + description: SHA-256 digest of canonical card content + + EvidenceCardSubject: + type: object + required: + - type + properties: + type: + type: string + enum: [finding, cve, component, image, policy, custom] + finding_id: + type: string + cve_id: + type: string + component: + type: string + description: Component PURL + image_digest: + type: string + + DsseEnvelope: + type: object + description: Dead Simple Signing Envelope (DSSE) per https://github.com/secure-systems-lab/dsse + required: + - payload_type + - payload + - signatures + properties: + payload_type: + type: string + description: Media type of the payload + payload: + type: string + format: byte + description: Base64-encoded payload + signatures: + type: array + items: + $ref: '#/components/schemas/DsseSignature' + + DsseSignature: + type: object + required: + - sig + properties: + keyid: + type: string + description: Key identifier + sig: + type: string + format: byte + description: Base64-encoded signature + + SbomExcerpt: + type: object + description: Relevant excerpt from the SBOM for the evidence subject + properties: + format: + type: string + enum: [spdx-2.2, spdx-2.3, cyclonedx-1.5, cyclonedx-1.6] + component_name: + type: string + component_version: + type: string + component_purl: + type: string + licenses: + type: array + items: + type: string + vulnerabilities: + type: array + items: + type: string + + RekorReceipt: + type: object + description: Sigstore Rekor transparency log receipt for offline verification + required: + - log_index + - log_id + - integrated_time + properties: + log_index: + type: integer + format: int64 + description: Rekor log index + log_id: + type: string + description: Rekor log ID (base64-encoded SHA-256 of public key) + integrated_time: + type: integer + format: int64 + description: Unix timestamp when entry was integrated + inclusion_proof: + $ref: '#/components/schemas/InclusionProof' + inclusion_promise: + $ref: '#/components/schemas/SignedEntryTimestamp' + + InclusionProof: + type: object + description: Merkle tree inclusion proof for log entry + properties: + log_index: + type: integer + format: int64 + root_hash: + type: string + format: byte + tree_size: + type: integer + format: int64 + hashes: + type: array + items: + type: string + format: byte + + SignedEntryTimestamp: + type: object + description: Signed Entry Timestamp (SET) from Rekor + properties: + log_id: + type: string + format: byte + integrated_time: + type: integer + format: int64 + signature: + type: string + format: byte diff --git a/docs/api/findings-scoring.md b/docs/api/findings-scoring.md index dc1cccb13..bd5a989e7 100644 --- a/docs/api/findings-scoring.md +++ b/docs/api/findings-scoring.md @@ -112,6 +112,111 @@ Content-Type: application/json } ``` +### Attested-Reduction Mode (v1.1) + +When attested-reduction scoring is enabled on the policy, the response includes additional fields for cryptographic attestation metadata and reduction profile information. + +**Extended Response (200 OK) with Reduction Mode:** +```json +{ + "findingId": "CVE-2024-1234@pkg:deb/debian/curl@7.64.0-4", + "score": 0, + "bucket": "Watchlist", + "inputs": { "rch": 0.00, "rts": 0.00, "bkp": 1.00, "xpl": 0.30, "src": 0.90, "mit": 1.00 }, + "weights": { "rch": 0.30, "rts": 0.25, "bkp": 0.15, "xpl": 0.15, "src": 0.10, "mit": 0.10 }, + "flags": ["anchored-vex", "vendor-na", "attested-reduction"], + "explanations": [ + "Anchored VEX statement: not_affected - score reduced to 0" + ], + "caps": { "speculativeCap": false, "notAffectedCap": false, "runtimeFloor": false }, + "policyDigest": "sha256:reduction123...", + "calculatedAt": "2026-01-15T14:30:00Z", + "cachedUntil": "2026-01-15T15:30:00Z", + "fromCache": false, + "reductionProfile": { + "enabled": true, + "mode": "aggressive", + "profileId": "attested-verified", + "maxReductionPercent": 100, + "requireVexAnchoring": true, + "requireRekorVerification": true + }, + "hardFail": false, + "shortCircuitReason": "anchored_vex_not_affected", + "anchor": { + "anchored": true, + "envelopeDigest": "sha256:abc123def456...", + "predicateType": "https://stellaops.io/attestation/vex/v1", + "rekorLogIndex": 12345678, + "rekorEntryId": "24296fb24b8ad77a7e...", + "scope": "finding", + "verified": true, + "attestedAt": "2026-01-14T10:00:00Z" + } +} +``` + +### Attested-Reduction Fields + +| Field | Type | Description | +|-------|------|-------------| +| `reductionProfile` | object | Reduction profile configuration (when enabled) | +| `reductionProfile.enabled` | boolean | Whether attested-reduction is active | +| `reductionProfile.mode` | string | `"aggressive"` or `"conservative"` | +| `reductionProfile.profileId` | string | Profile identifier for audit trail | +| `reductionProfile.maxReductionPercent` | integer | Maximum score reduction allowed (0-100) | +| `reductionProfile.requireVexAnchoring` | boolean | Whether VEX must be anchored to qualify | +| `reductionProfile.requireRekorVerification` | boolean | Whether Rekor verification is required | +| `hardFail` | boolean | `true` if anchored evidence confirms active exploitation | +| `shortCircuitReason` | string | Reason for short-circuit (if score was short-circuited) | +| `anchor` | object | Primary evidence anchor metadata (if available) | + +### Short-Circuit Reasons + +| Reason | Score Effect | Condition | +|--------|--------------|-----------| +| `anchored_vex_not_affected` | Score = 0 | Verified VEX not_affected/fixed attestation | +| `anchored_affected_runtime_confirmed` | Score = 100 (hard fail) | Anchored VEX affected + anchored runtime confirms vulnerability | + +### Evidence Anchor Fields + +| Field | Type | Description | +|-------|------|-------------| +| `anchor.anchored` | boolean | Whether evidence has cryptographic attestation | +| `anchor.envelopeDigest` | string | DSSE envelope digest (sha256 hex) | +| `anchor.predicateType` | string | Attestation predicate type URL | +| `anchor.rekorLogIndex` | integer | Sigstore Rekor transparency log index | +| `anchor.rekorEntryId` | string | Rekor entry UUID | +| `anchor.scope` | string | Attestation scope (finding, package, image) | +| `anchor.verified` | boolean | Whether attestation signature was verified | +| `anchor.attestedAt` | string | ISO-8601 attestation timestamp | + +### Hard-Fail Response Example + +When anchored evidence confirms active exploitation: + +```json +{ + "findingId": "CVE-2024-9999@pkg:npm/critical@1.0.0", + "score": 100, + "bucket": "ActNow", + "flags": ["anchored-vex", "anchored-runtime", "hard-fail", "attested-reduction"], + "explanations": [ + "Anchored VEX affected + runtime confirmed vulnerable path - hard fail" + ], + "hardFail": true, + "shortCircuitReason": "anchored_affected_runtime_confirmed", + "reductionProfile": { + "enabled": true, + "mode": "aggressive", + "profileId": "attested-verified", + "maxReductionPercent": 100, + "requireVexAnchoring": true, + "requireRekorVerification": true + } +} +``` + ### Score Buckets | Bucket | Score Range | Action | diff --git a/docs/api/triage-export-api-reference.md b/docs/api/triage-export-api-reference.md index 0dbb9365c..b4b1aee66 100644 --- a/docs/api/triage-export-api-reference.md +++ b/docs/api/triage-export-api-reference.md @@ -282,6 +282,32 @@ else fi ``` +## Evidence Card Format (v1.1) + +For single-file evidence exports with offline verification support, use the Evidence Pack API's evidence-card format: + +``` +GET /v1/evidence-packs/{packId}/export?format=evidence-card +``` + +### Formats + +| Format | Content-Type | Description | +|--------|--------------|-------------| +| `evidence-card` | `application/vnd.stellaops.evidence-card+json` | Full evidence card with SBOM excerpt, DSSE envelope, and Rekor receipt | +| `card-compact` | `application/vnd.stellaops.evidence-card-compact+json` | Compact card without full SBOM | + +### Response Headers + +| Header | Description | +|--------|-------------| +| `X-Evidence-Pack-Id` | Pack identifier | +| `X-Content-Digest` | SHA-256 content digest | +| `X-Evidence-Card-Version` | Schema version (e.g., "1.0.0") | +| `X-Rekor-Log-Index` | Rekor transparency log index (when available) | + +See [Evidence Decision API](./evidence-decision-api.openapi.yaml) for complete schema. + ## See Also - [Evidence Bundle Format Specification](../modules/cli/guides/commands/evidence-bundle-format.md) diff --git a/docs/architecture/integrations.md b/docs/architecture/integrations.md new file mode 100644 index 000000000..9bae51175 --- /dev/null +++ b/docs/architecture/integrations.md @@ -0,0 +1,260 @@ +# Integrations Architecture + +## Overview + +The Integrations module provides a unified catalog for external service connections including SCM providers (GitHub, GitLab, Bitbucket), container registries (Harbor, ECR, GCR, ACR), CI systems, and runtime hosts. It implements a plugin-based architecture for extensibility while maintaining consistent security and observability patterns. + +## Architecture Diagram + +``` +┌─────────────────────────────────────────────────────────────────────────────┐ +│ Integrations Module │ +├─────────────────────────────────────────────────────────────────────────────┤ +│ │ +│ ┌──────────────────────┐ ┌──────────────────────┐ │ +│ │ WebService Host │ │ Plugin Loader │ │ +│ │ (ASP.NET Core) │────│ (DI Registration) │ │ +│ └──────────┬───────────┘ └──────────┬───────────┘ │ +│ │ │ │ +│ ┌──────────▼───────────────────────────▼───────────┐ │ +│ │ Integration Catalog │ │ +│ │ - Registration CRUD │ │ +│ │ - Health Polling │ │ +│ │ - Test Connection │ │ +│ └──────────┬───────────────────────────────────────┘ │ +│ │ │ +│ ┌──────────▼───────────────────────────────────────┐ │ +│ │ Plugin Contracts │ │ +│ │ - IIntegrationConnectorPlugin │ │ +│ │ - IScmAnnotationClient │ │ +│ │ - IRegistryConnector │ │ +│ └──────────────────────────────────────────────────┘ │ +│ │ │ +│ ┌──────────▼───────────────────────────────────────┐ │ +│ │ Provider Plugins │ │ +│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ +│ │ │ GitHub │ │ GitLab │ │ Harbor │ │ ECR │ │ │ +│ │ │ App │ │ │ │ │ │ │ │ │ +│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │ +│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ +│ │ │ GCR │ │ ACR │ │InMemory │ │ │ +│ │ │ │ │ │ │ (test) │ │ │ +│ │ └─────────┘ └─────────┘ └─────────┘ │ │ +│ └──────────────────────────────────────────────────┘ │ +│ │ +└─────────────────────────────────────────────────────────────────────────────┘ +``` + +## Core Components + +### Integration Catalog + +The central registry for all external service connections: + +- **Registration**: Store connection configuration with encrypted credentials +- **Health Monitoring**: Periodic health checks with status tracking +- **Test Connection**: On-demand connectivity verification +- **Lifecycle Events**: Emit events for Scheduler/Signals integration + +### Plugin System + +Extensible plugin architecture for provider support: + +```csharp +public interface IIntegrationConnectorPlugin : IAvailabilityPlugin +{ + IntegrationType Type { get; } + IntegrationProvider Provider { get; } + Task TestConnectionAsync(IntegrationConfig config, CancellationToken ct); + Task CheckHealthAsync(IntegrationConfig config, CancellationToken ct); +} +``` + +### SCM Annotation Client + +Interface for PR/MR comments and status checks: + +```csharp +public interface IScmAnnotationClient +{ + Task> PostCommentAsync( + ScmCommentRequest request, CancellationToken ct); + + Task> PostStatusAsync( + ScmStatusRequest request, CancellationToken ct); + + Task> CreateCheckRunAsync( + ScmCheckRunRequest request, CancellationToken ct); +} +``` + +## SCM Annotation Architecture + +### Comment and Status Flow + +``` +┌────────────┐ ┌─────────────┐ ┌────────────────┐ ┌──────────┐ +│ Scanner │────▶│ Integrations│────▶│ SCM Annotation │────▶│ GitHub/ │ +│ Service │ │ Service │ │ Client │ │ GitLab │ +└────────────┘ └─────────────┘ └────────────────┘ └──────────┘ + │ │ + │ ┌─────────────────┐ │ + └────────▶│ Annotation │◀───────────┘ + │ Payload Builder │ + └─────────────────┘ +``` + +### Supported Operations + +| Operation | GitHub | GitLab | +|-----------|--------|--------| +| PR/MR Comment | Issue comment / Review comment | MR Note / Discussion | +| Commit Status | Commit status API | Commit status API | +| Check Run | Checks API with annotations | Pipeline status (emulated) | +| Inline Annotation | Check run annotation | MR discussion on line | + +### Payload Models + +#### Comment Request + +```csharp +public record ScmCommentRequest +{ + public required string Owner { get; init; } + public required string Repository { get; init; } + public required int PullRequestNumber { get; init; } + public required string Body { get; init; } + public string? CommentId { get; init; } // For updates + public bool UpdateExisting { get; init; } = true; +} +``` + +#### Status Request + +```csharp +public record ScmStatusRequest +{ + public required string Owner { get; init; } + public required string Repository { get; init; } + public required string CommitSha { get; init; } + public required ScmStatusState State { get; init; } + public required string Context { get; init; } + public string? Description { get; init; } + public string? TargetUrl { get; init; } +} + +public enum ScmStatusState +{ + Pending, + Success, + Failure, + Error +} +``` + +#### Check Run Request + +```csharp +public record ScmCheckRunRequest +{ + public required string Owner { get; init; } + public required string Repository { get; init; } + public required string HeadSha { get; init; } + public required string Name { get; init; } + public string? Status { get; init; } // queued, in_progress, completed + public string? Conclusion { get; init; } // success, failure, neutral, etc. + public string? Summary { get; init; } + public string? Text { get; init; } + public IReadOnlyList? Annotations { get; init; } +} + +public record ScmCheckRunAnnotation +{ + public required string Path { get; init; } + public required int StartLine { get; init; } + public required int EndLine { get; init; } + public required string AnnotationLevel { get; init; } // notice, warning, failure + public required string Message { get; init; } + public string? Title { get; init; } +} +``` + +## Provider Implementations + +### GitHub App Plugin + +- Uses GitHub App authentication (installation tokens) +- Supports: PR comments, commit status, check runs with annotations +- Handles rate limiting with exponential backoff +- Maps StellaOps severity to GitHub annotation levels + +### GitLab Plugin + +- Uses Personal Access Token or CI Job Token +- Supports: MR notes, discussions, commit status +- Emulates check runs via pipeline status + MR discussions +- Handles project path encoding for API calls + +## Security + +### Credential Management + +- All credentials stored as AuthRef URIs +- Resolved at runtime through Authority +- No plaintext secrets in configuration +- Audit trail for credential access + +### Token Scopes + +| Provider | Required Scopes | +|----------|----------------| +| GitHub App | `checks:write`, `pull_requests:write`, `statuses:write` | +| GitLab | `api`, `read_repository`, `write_repository` | + +## Error Handling + +### Offline-Safe Operations + +All SCM operations return `ScmOperationResult`: + +```csharp +public record ScmOperationResult +{ + public bool Success { get; init; } + public T? Result { get; init; } + public string? ErrorMessage { get; init; } + public bool IsTransient { get; init; } // Retry-able + public bool SkippedOffline { get; init; } +} +``` + +### Retry Policy + +- Transient errors (rate limit, network): Retry with exponential backoff +- Permanent errors (auth, not found): Fail immediately +- Offline mode: Skip with warning, log payload for manual posting + +## Observability + +### Metrics + +| Metric | Type | Labels | +|--------|------|--------| +| `integrations_health_check_total` | Counter | `provider`, `status` | +| `integrations_test_connection_duration_seconds` | Histogram | `provider` | +| `scm_annotation_total` | Counter | `provider`, `operation`, `status` | +| `scm_annotation_duration_seconds` | Histogram | `provider`, `operation` | + +### Structured Logging + +All operations log with: +- `integrationId`: Registration ID +- `provider`: GitHub, GitLab, etc. +- `operation`: comment, status, check_run +- `prNumber` / `commitSha`: Target reference + +## Related Documentation + +- [CI/CD Gate Flow](../../flows/10-cicd-gate-flow.md) +- [Authority Architecture](../authority/architecture.md) +- [Scanner Architecture](../scanner/architecture.md) diff --git a/docs/code-of-conduct/CODE_OF_CONDUCT.md b/docs/code-of-conduct/CODE_OF_CONDUCT.md index f9d8cb2ae..4e512b0ea 100644 --- a/docs/code-of-conduct/CODE_OF_CONDUCT.md +++ b/docs/code-of-conduct/CODE_OF_CONDUCT.md @@ -1,88 +1,679 @@ -# Stella Ops Code of Conduct -*Contributor Covenant v2.1 + project‑specific escalation paths* - -> We pledge to make participation in the Stella Ops community a -> harassment‑free experience for everyone, regardless of age, body size, -> disability, ethnicity, sex characteristics, gender identity and expression, -> level of experience, education, socio‑economic status, nationality, -> personal appearance, race, religion, or sexual identity and orientation. +# StellaOps Engineering Code of Conduct +*Technical excellence + safe for change = best-in-class product* --- -## 0 · Our standard +## 0 · Mission and Values -This project adopts the -[**Contributor Covenant v2.1**](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) -with the additions and clarifications listed below. -If anything here conflicts with the upstream covenant, *our additions win*. +**StellaOps** is a sovereign, self-hostable release control plane delivering reproducible, auditable, and secure software releases for non-Kubernetes container estates. We are committed to building a **best-in-class product that is safe for change** — where every contribution improves quality, maintainability, and security without regression. + +### Our Engineering Pledge + +We pledge to uphold: + +1. **Technical Excellence** — Code that is deterministic, testable, and production-ready from day one. +2. **Safety for Change** — Comprehensive testing, minimal surprise, and zero tolerance for silent failures. +3. **Security by Design** — Input validation, least privilege, cryptographic correctness, and defense in depth. +4. **Maintainability First** — Clear contracts, minimal coupling, immutable outputs, and self-documenting code. +5. **Transparency and Auditability** — Every decision, every release, every change is traceable and reproducible. + +This document codifies the **technical standards** all contributors must follow. Behavioral expectations are covered in [COMMUNITY_CONDUCT.md](./COMMUNITY_CONDUCT.md). --- -## 1 · Scope +## 1 · Core Principles -| Applies to | Examples | -|------------|----------| -| **All official spaces** | Repos under `git.stella-ops.org/stella-ops.org/*`, Matrix rooms (`#stellaops:*`), issue trackers, pull‑request reviews, community calls, and any event officially sponsored by Stella Ops | -| **Unofficial spaces that impact the project** | Public social‑media posts that target or harass community members, coordinated harassment campaigns, doxxing, etc. | +### 1.1 Quality + +Quality is not negotiable. Every line of code must be: + +- **Correct** — Does what it claims, handles errors gracefully, fails fast when assumptions break +- **Tested** — Unit tests for logic, integration tests for contracts, E2E tests for workflows +- **Deterministic** — Same inputs always produce same outputs; no hidden state, no timing dependencies +- **Observable** — Logs structured events, emits metrics, traces execution paths +- **Documented** — Self-explanatory code; architecture decisions recorded; APIs have examples + +**Why it matters**: Quality debt compounds. A shortcut today becomes a week-long incident tomorrow. We build for the long term. --- -## 2 · Reporting a violation ☎️ +### 1.2 Maintainability -| Channel | When to use | -|---------|-------------| -| `conduct@stella-ops.org` (PGP key [`keys/#pgp`](https://stella-ops.org/keys/#pgp)) | **Primary, confidential** – anything from micro‑aggressions to serious harassment | -| Matrix `/msg @coc-bot:libera.chat` | Quick, in‑chat nudge for minor issues | -| Public issue with label `coc` | Transparency preferred and **you feel safe** doing so | +Code is read 10x more than it's written. Optimize for the next engineer: -We aim to acknowledge **within 48 hours** (business days, UTC). +- **Clear intent** — Names reveal purpose; functions do one thing; classes have single responsibilities +- **Low coupling** — Modules depend on interfaces, not implementations; changes propagate predictably +- **High cohesion** — Related logic lives together; unrelated logic stays separate +- **Minimal surprise** — Standard patterns over clever tricks; explicit over implicit +- **Refactorable** — Tests enable confident changes; abstractions hide complexity without obscuring behavior + +**Why it matters**: Unmaintainable code slows velocity to zero. We build systems that evolve, not calcify. --- -## 3 · Incident handlers 🛡️ +### 1.3 Security -| Name | Role | Alt‑contact | -|------|------|-------------| -| Alice Doe (`@alice`) | Core Maintainer • Security WG | `+1‑555‑0123` | -| Bob Ng (`@bob`) | UI Maintainer • Community lead | `+1‑555‑0456` | +Security is a design constraint, not a feature: -If **any** handler is the subject of a complaint, skip them and contact another -handler directly or email `conduct@stella-ops.org` only. +- **Defense in depth** — Multiple layers: input validation, authorization, cryptographic verification, audit trails +- **Least privilege** — Services run with minimal permissions; users see only what they need +- **Fail secure** — Errors deny access; missing config stops startup; invalid crypto rejects requests +- **Cryptographic correctness** — Use vetted libraries; never roll your own crypto; verify all signatures +- **Supply chain integrity** — Pin dependencies; scan for vulnerabilities; generate SBOMs; issue VEX statements +- **Auditability** — Every action logged; every release signed; every decision traceable + +**Why it matters**: Security failures destroy trust. We protect our users' infrastructure and their reputation. --- -## 4 · Enforcement ladder ⚖️ +## 2 · Scope and Authority -1. **Private coaches / mediation** – first attempt to resolve misunderstandings. -2. **Warning** – written, includes corrective actions & cooling‑off period. -3. **Temporary exclusion** – mute (chat), read‑only (repo) for *N* days. -4. **Permanent ban** – removal from all official spaces + revocation of roles. +This Code of Conduct applies to: -All decisions are documented **privately** (for confidentiality) but a summary -is published quarterly in the “Community Health” report. +- All code contributions (C#, TypeScript, Angular, SQL, Dockerfiles, Helm charts, CI/CD pipelines) +- All documentation (architecture, API references, runbooks, sprint files) +- All testing artifacts (unit, integration, E2E, performance, security tests) +- All infrastructure-as-code (Terraform, Ansible, Compose, Kubernetes manifests) + +**Authority**: This document supersedes informal guidance. When in conflict with external standards, StellaOps rules win. Module-specific `AGENTS.md` files may impose stricter requirements but cannot relax the rules defined here. --- -## 5 · Appeals 🔄 +## 3 · Mandatory Reading -A sanctioned individual may appeal **once** by emailing -`appeals@stella-ops.org` within **14 days** of the decision. -Appeals are reviewed by **three maintainers not involved in the original case** -and resolved within 30 days. +Before contributing to any module, you **must** read and understand: + +1. **This document** — The engineering code of conduct (you're reading it now) +2. [docs/README.md](../README.md) — Project overview and navigation +3. [docs/07_HIGH_LEVEL_ARCHITECTURE.md](../07_HIGH_LEVEL_ARCHITECTURE.md) — System architecture +4. [docs/modules/platform/architecture-overview.md](../modules/platform/architecture-overview.md) — Platform design +5. [TESTING_PRACTICES.md](./TESTING_PRACTICES.md) — Testing requirements and evidence standards +6. The relevant module's architecture dossier (`docs/modules//architecture.md`) +7. The module's `AGENTS.md` if present (e.g., `src/Scanner/AGENTS.md`) + +**Enforcement**: Pull requests that violate documented architecture or module-specific constraints will be rejected with a reference to the violated document. --- -## 6 · No‑retaliation policy 🛑 +## 4 · Code Quality Standards -Retaliation against reporters **will not be tolerated** and results in -immediate progression to **Step 4** of the enforcement ladder. +### 3.1 Compiler Discipline + +**Rule**: All projects must enable `TreatWarningsAsErrors`. + +```xml + + + true + +``` + +**Rationale**: Warnings mask regressions and code quality drift. Zero-warning builds are mandatory. --- -## 7 · Attribution & licence 📜 +### 3.2 Determinism: Time, IDs, and Randomness -* Text adapted from Contributor Covenant v2.1 – - Copyright © 2014‑2024 Contributor Covenant Contributors - Licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). +**Rule**: Never use `DateTime.UtcNow`, `DateTimeOffset.UtcNow`, `Guid.NewGuid()`, or `Random.Shared` directly in production code. + +**Required**: Inject `TimeProvider` and `IGuidGenerator` abstractions. + +```csharp +// ❌ BAD - nondeterministic, untestable +public class BadService +{ + public Record CreateRecord() => new Record + { + Id = Guid.NewGuid(), + CreatedAt = DateTimeOffset.UtcNow + }; +} + +// ✅ GOOD - injectable, testable, deterministic +public class GoodService(TimeProvider timeProvider, IGuidGenerator guidGenerator) +{ + public Record CreateRecord() => new Record + { + Id = guidGenerator.NewGuid(), + CreatedAt = timeProvider.GetUtcNow() + }; +} +``` + +**Rationale**: Deterministic outputs enable reproducible builds, reliable tests, and cryptographic verification. Nondeterministic code breaks evidence chains. --- + +### 3.3 Culture-Invariant Parsing and Formatting + +**Rule**: Always use `CultureInfo.InvariantCulture` for parsing and formatting dates, numbers, percentages, and any string that will be persisted, hashed, or compared. + +```csharp +// ❌ BAD - culture-sensitive, locale-dependent +var value = double.Parse(input); +var formatted = percentage.ToString("P2"); + +// ✅ GOOD - culture-invariant, deterministic +var value = double.Parse(input, CultureInfo.InvariantCulture); +var formatted = percentage.ToString("P2", CultureInfo.InvariantCulture); +``` + +**Rationale**: Current culture causes nondeterministic behavior across environments. All outputs must be reproducible regardless of locale. + +--- + +### 3.4 ASCII-Only Output + +**Rule**: Use ASCII-only characters in comments, output strings, and log messages. No mojibake (`ƒ?`), Unicode glyphs (`✓`, `→`, `バ`), or box-drawing characters. + +```csharp +// ❌ BAD - non-ASCII glyphs +Console.WriteLine("✓ Success → proceeding"); + +// ✅ GOOD - ASCII only +Console.WriteLine("[OK] Success - proceeding"); +``` + +**Exceptions**: When Unicode is **required** (e.g., internationalized user messages), use explicit escapes (`\uXXXX`) and document the rationale. + +**Rationale**: Non-ASCII characters break in constrained environments (containers, SSH, logs). ASCII ensures universal readability. + +--- + +### 3.5 Immutable Collection Returns + +**Rule**: Public APIs must return `IReadOnlyList`, `ImmutableArray`, or defensive copies. Never expose mutable backing stores. + +```csharp +// ❌ BAD - exposes mutable backing store +public class BadRegistry +{ + private readonly List _scopes = new(); + public List Scopes => _scopes; // Callers can mutate! +} + +// ✅ GOOD - immutable return +public class GoodRegistry +{ + private readonly List _scopes = new(); + public IReadOnlyList Scopes => _scopes.AsReadOnly(); +} +``` + +**Rationale**: Mutable returns create hidden coupling and race conditions. Immutability is a safety contract. + +--- + +### 3.6 No Silent Stubs + +**Rule**: Placeholder code must throw `NotImplementedException` or return an explicit error status. Never return success from unimplemented paths. + +```csharp +// ❌ BAD - silent stub masks missing implementation +public async Task ProcessAsync() +{ + // TODO: implement later + return Result.Success(); // Ships broken feature! +} + +// ✅ GOOD - explicit failure +public async Task ProcessAsync() +{ + throw new NotImplementedException("ProcessAsync not yet implemented. See SPRINT_20251218_001_BE_ReleasePromotion.md"); +} +``` + +**Rationale**: Silent stubs ship broken features. Explicit failures prevent production incidents. + +--- + +### 3.7 CancellationToken Propagation + +**Rule**: Always propagate `CancellationToken` through async call chains. Never use `CancellationToken.None` in production code. + +```csharp +// ❌ BAD - ignores cancellation +public async Task ProcessAsync(CancellationToken ct) +{ + await _repository.SaveAsync(data, CancellationToken.None); // Wrong! + await Task.Delay(1000); // Missing ct +} + +// ✅ GOOD - propagates cancellation +public async Task ProcessAsync(CancellationToken ct) +{ + await _repository.SaveAsync(data, ct); + await Task.Delay(1000, ct); +} +``` + +**Rationale**: Proper cancellation prevents resource leaks and enables graceful shutdown. + +--- + +### 3.8 HttpClient via IHttpClientFactory + +**Rule**: Never instantiate `HttpClient` directly. Use `IHttpClientFactory` with configured timeouts and retry policies. + +```csharp +// ❌ BAD - direct instantiation +public class BadService +{ + public async Task FetchAsync() + { + using var client = new HttpClient(); // Socket exhaustion risk + await client.GetAsync(url); + } +} + +// ✅ GOOD - factory with resilience +public class GoodService(IHttpClientFactory httpClientFactory) +{ + public async Task FetchAsync() + { + var client = httpClientFactory.CreateClient("MyApi"); + await client.GetAsync(url); + } +} + +// Registration with timeout/retry +services.AddHttpClient("MyApi") + .ConfigureHttpClient(c => c.Timeout = TimeSpan.FromSeconds(30)) + .AddStandardResilienceHandler(); +``` + +**Rationale**: Direct `HttpClient` creation causes socket exhaustion. Factories enable connection pooling and resilience patterns. + +--- + +### 3.9 Bounded Caches with Eviction + +**Rule**: Do not use `ConcurrentDictionary` or `Dictionary` for caching without eviction policies. + +```csharp +// ❌ BAD - unbounded growth +private readonly ConcurrentDictionary _cache = new(); + +public void Add(string key, CacheEntry entry) +{ + _cache[key] = entry; // Never evicts, memory grows forever +} + +// ✅ GOOD - bounded with eviction +private readonly MemoryCache _cache = new(new MemoryCacheOptions +{ + SizeLimit = 10_000 +}); + +public void Add(string key, CacheEntry entry) +{ + _cache.Set(key, entry, new MemoryCacheEntryOptions + { + Size = 1, + SlidingExpiration = TimeSpan.FromMinutes(30) + }); +} +``` + +**Rationale**: Unbounded caches cause memory exhaustion in long-running services. Bounded caches with TTL/LRU eviction are mandatory. + +--- + +### 3.10 Options Validation at Startup + +**Rule**: Use `ValidateDataAnnotations()` and `ValidateOnStart()` for all options classes. Implement `IValidateOptions` for complex validation. + +```csharp +// ❌ BAD - no validation until runtime failure +services.Configure(config.GetSection("My")); + +// ✅ GOOD - validated at startup +services.AddOptions() + .Bind(config.GetSection("My")) + .ValidateDataAnnotations() + .ValidateOnStart(); +``` + +**Rationale**: All required config must be validated at startup, not at first use. Fail fast prevents runtime surprises. + +--- + +## 5 · Cryptographic and Security Standards + +### 4.1 DSSE PAE Consistency + +**Rule**: Use one spec-compliant DSSE PAE helper (`StellaOps.Attestation.DsseHelper`) across the codebase. Never reimplement PAE encoding. + +```csharp +// ❌ BAD - custom PAE implementation +var pae = $"DSSEv1 {payloadType.Length} {payloadType} {payload.Length} "; + +// ✅ GOOD - use shared helper +var pae = DsseHelper.ComputePreAuthenticationEncoding(payloadType, payload); +``` + +**Rationale**: DSSE v1 requires ASCII decimal lengths and space separators. Reimplementations introduce cryptographic vulnerabilities. + +--- + +### 4.2 RFC 8785 JSON Canonicalization + +**Rule**: Use a shared RFC 8785-compliant JSON canonicalizer for digest/signature inputs. Do not use `UnsafeRelaxedJsonEscaping` or `CamelCase` naming for canonical outputs. + +```csharp +// ❌ BAD - non-canonical JSON +var json = JsonSerializer.Serialize(obj, new JsonSerializerOptions +{ + Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping, + PropertyNamingPolicy = JsonNamingPolicy.CamelCase +}); + +// ✅ GOOD - use shared canonicalizer +var canonicalJson = CanonicalJsonSerializer.Serialize(obj); +var digest = ComputeDigest(canonicalJson); +``` + +**Rationale**: RFC 8785 ensures deterministic JSON serialization. Non-canonical JSON breaks signature verification. + +--- + +### 4.3 DateTimeOffset for PostgreSQL timestamptz + +**Rule**: PostgreSQL `timestamptz` columns must be read via `reader.GetFieldValue()`, not `reader.GetDateTime()`. + +```csharp +// ❌ BAD - loses offset information +var createdAt = reader.GetDateTime(reader.GetOrdinal("created_at")); + +// ✅ GOOD - preserves offset +var createdAt = reader.GetFieldValue(reader.GetOrdinal("created_at")); +``` + +**Rationale**: `GetDateTime()` loses offset information and causes UTC/local confusion. All timestamps must be stored and retrieved as UTC `DateTimeOffset`. + +--- + +### 4.4 Explicit CLI Options for Paths + +**Rule**: Do not derive repository root from `AppContext.BaseDirectory` with parent directory walks. Use explicit CLI options (`--repo-root`) or environment variables. + +```csharp +// ❌ BAD - fragile parent walks +var repoRoot = Path.GetFullPath(Path.Combine( + AppContext.BaseDirectory, "..", "..", "..", "..")); + +// ✅ GOOD - explicit option with fallback +[Option("--repo-root", Description = "Repository root path")] +public string? RepoRoot { get; set; } + +public string GetRepoRoot() => + RepoRoot ?? Environment.GetEnvironmentVariable("STELLAOPS_REPO_ROOT") + ?? throw new InvalidOperationException("Repository root not specified. Use --repo-root or set STELLAOPS_REPO_ROOT."); +``` + +**Rationale**: Parent walks break in containerized and CI environments. Explicit paths are mandatory. + +--- + +## 6 · Testing Requirements + +**All code contributions must include tests.** See [TESTING_PRACTICES.md](./TESTING_PRACTICES.md) for comprehensive guidance. + +### 5.1 Test Project Requirements + +**Rule**: All production libraries/services must have a corresponding `*.Tests` project covering: +- (a) Happy paths +- (b) Error/edge cases +- (c) Determinism +- (d) Serialization round-trips + +``` +src/ + Scanner/ + __Libraries/ + StellaOps.Scanner.Core/ + __Tests/ + StellaOps.Scanner.Core.Tests/ <-- Required +``` + +--- + +### 5.2 Test Categorization + +**Rule**: Tag tests correctly: +- `[Trait("Category", "Unit")]` for pure unit tests +- `[Trait("Category", "Integration")]` for tests requiring databases, containers, or network + +```csharp +// ❌ BAD - integration test marked as unit +public class UserRepositoryTests // Uses Testcontainers/Postgres +{ + [Fact] // Missing category + public async Task Save_PersistsUser() { ... } +} + +// ✅ GOOD - correctly categorized +[Trait("Category", "Integration")] +public class UserRepositoryTests +{ + [Fact] + public async Task Save_PersistsUser() { ... } +} + +[Trait("Category", "Unit")] +public class UserValidatorTests +{ + [Fact] + public void Validate_EmptyEmail_ReturnsFalse() { ... } +} +``` + +**Rationale**: Unit tests must run fast and offline. Integration tests require infrastructure. Mixing categories breaks CI pipelines. + +--- + +### 5.3 Test Production Code, Not Reimplementations + +**Rule**: Test helpers must call production code, not reimplement algorithms. + +```csharp +// ❌ BAD - test reimplements production logic +[Fact] +public void Merkle_ComputesCorrectRoot() +{ + var root = TestMerkleHelper.ComputeRoot(leaves); // Drift risk! + Assert.Equal(expected, root); +} + +// ✅ GOOD - test exercises production code +[Fact] +public void Merkle_ComputesCorrectRoot() +{ + var root = MerkleTreeBuilder.ComputeRoot(leaves); + Assert.Equal(expected, root); +} +``` + +**Rationale**: Reimplementations in tests cause test/production drift. Only mock I/O and network boundaries. + +--- + +### 5.4 Offline and Deterministic Tests + +**Rule**: All tests must run without network access. Use: +- UTC timestamps +- Fixed seeds +- `CultureInfo.InvariantCulture` +- Injected `TimeProvider` and `IGuidGenerator` + +**Rationale**: Network-dependent tests are flaky and break in air-gapped environments. Deterministic tests are reproducible. + +--- + +## 7 · Architecture and Design Principles + +### 6.1 SOLID Principles + +All service and library code must follow: + +1. **Single Responsibility Principle (SRP)** — One class, one reason to change +2. **Open/Closed Principle (OCP)** — Open for extension, closed for modification +3. **Liskov Substitution Principle (LSP)** — Subtypes must be substitutable for base types +4. **Interface Segregation Principle (ISP)** — Clients should not depend on interfaces they don't use +5. **Dependency Inversion Principle (DIP)** — Depend on abstractions, not concretions + +--- + +### 6.2 Directory Ownership + +**Rule**: Work only inside the module's directory defined by the sprint's "Working directory". Cross-module edits require explicit approval and documentation. + +**Example**: +- Sprint scope: `src/Scanner/` +- Allowed: Edits to `StellaOps.Scanner.*` projects +- Forbidden: Edits to `src/Concelier/` without explicit approval + +**Rationale**: Directory boundaries enforce module isolation and prevent unintended coupling. + +--- + +### 6.3 No Backup Files in Source + +**Rule**: Add backup patterns to `.gitignore` and remove stray artifacts during code review. + +```gitignore +*.Backup.tmp +*.bak +*.orig +*~ +``` + +**Rationale**: Backup files pollute the repository and create confusion. + +--- + +## 8 · Documentation Standards + +### 7.1 Required Documentation + +Every change must update: + +1. **Module architecture docs** (`docs/modules//architecture.md`) +2. **API references** (`docs/api/`) +3. **Sprint files** (`docs/implplan/SPRINT_*.md`) +4. **Risk/airgap docs** if applicable (`docs/risk/`, `docs/airgap/`) + +--- + +### 7.2 Sprint File Discipline + +**Rule**: Always update task status in `docs/implplan/SPRINT_*.md`: +- `TODO` → `DOING` → `DONE` / `BLOCKED` + +Sprint files are the single source of truth for project state. + +--- + +## 9 · Security and Hardening + +### 8.1 Input Validation + +**Rule**: All external inputs (HTTP requests, CLI arguments, file uploads, database queries) must be validated and sanitized. + +**Required**: +- Use `[Required]`, `[Range]`, `[RegularExpression]` attributes on DTOs +- Implement `IValidateOptions` for complex validation +- Reject unexpected inputs with explicit error messages + +--- + +### 8.2 Least Privilege + +**Rule**: Services must run with minimal permissions: +- Database users: read-only where possible +- File system: restrict to required directories +- Network: allowlist remote hosts + +--- + +### 8.3 Dependency Security + +**Enforcement**: PRs introducing new dependencies must include: +- SBOM entry +- VEX statement if vulnerabilities exist +- Justification for the dependency + +--- + +## 10 · Technology Stack Compliance + +### 9.1 Mandatory Technologies + +- **Runtime**: .NET 10 (`net10.0`) with latest C# preview features +- **Frontend**: Angular v17 +- **Database**: PostgreSQL ≥16 +- **Testing**: xUnit, Testcontainers, Moq +- **NuGet**: Standard feeds configured in `nuget.config`. Always strive to use latest stable verison of dependencies. Never specify versions on nugets on the csproj files. Use src/Directory.Packages.props to specify versions. + +--- + +### 9.2 Naming Conventions + +- Module projects: `StellaOps.` +- Libraries: `StellaOps.` +- Tests: `StellaOps..Tests` + +--- + +## 11 · Enforcement and Compliance + +### 10.1 Pull Request Requirements + +All PRs must: + +1. Pass all unit and integration tests +2. Pass determinism checks +3. Include test coverage for new code +4. Update relevant documentation +5. Follow sprint file discipline +6. Pass security scans (no high/critical CVEs) + +--- + +### 10.2 Rejection Criteria + +PRs will be **rejected** if they: + +- Violate any rule in this document +- Introduce compiler warnings +- Fail tests +- Lack required documentation +- Contain silent stubs or nondeterministic code + +--- + +### 10.3 Continuous Improvement + +This document is a **living standard**. Contributors are encouraged to: + +- Propose improvements via PRs +- Document new patterns in module-specific `AGENTS.md` files +- Share lessons learned in sprint retrospectives + +--- + +## 12 · Attribution and License + +This Code of Conduct incorporates engineering standards from: + +- **AGENTS.md** — Autonomous engineering workflows +- **CLAUDE.md** — Claude Code integration guidance +- **TESTING_PRACTICES.md** — Testing and evidence standards + +Copyright © 2025 StellaOps Contributors +Licensed under [AGPL-3.0-or-later](../../LICENSE) + +--- + +**Last updated**: 2026-01-15 +**Next review**: 2026-04-15 diff --git a/docs/code-of-conduct/COMMUNITY_CONDUCT.md b/docs/code-of-conduct/COMMUNITY_CONDUCT.md new file mode 100644 index 000000000..f9d8cb2ae --- /dev/null +++ b/docs/code-of-conduct/COMMUNITY_CONDUCT.md @@ -0,0 +1,88 @@ +# Stella Ops Code of Conduct +*Contributor Covenant v2.1 + project‑specific escalation paths* + +> We pledge to make participation in the Stella Ops community a +> harassment‑free experience for everyone, regardless of age, body size, +> disability, ethnicity, sex characteristics, gender identity and expression, +> level of experience, education, socio‑economic status, nationality, +> personal appearance, race, religion, or sexual identity and orientation. + +--- + +## 0 · Our standard + +This project adopts the +[**Contributor Covenant v2.1**](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) +with the additions and clarifications listed below. +If anything here conflicts with the upstream covenant, *our additions win*. + +--- + +## 1 · Scope + +| Applies to | Examples | +|------------|----------| +| **All official spaces** | Repos under `git.stella-ops.org/stella-ops.org/*`, Matrix rooms (`#stellaops:*`), issue trackers, pull‑request reviews, community calls, and any event officially sponsored by Stella Ops | +| **Unofficial spaces that impact the project** | Public social‑media posts that target or harass community members, coordinated harassment campaigns, doxxing, etc. | + +--- + +## 2 · Reporting a violation ☎️ + +| Channel | When to use | +|---------|-------------| +| `conduct@stella-ops.org` (PGP key [`keys/#pgp`](https://stella-ops.org/keys/#pgp)) | **Primary, confidential** – anything from micro‑aggressions to serious harassment | +| Matrix `/msg @coc-bot:libera.chat` | Quick, in‑chat nudge for minor issues | +| Public issue with label `coc` | Transparency preferred and **you feel safe** doing so | + +We aim to acknowledge **within 48 hours** (business days, UTC). + +--- + +## 3 · Incident handlers 🛡️ + +| Name | Role | Alt‑contact | +|------|------|-------------| +| Alice Doe (`@alice`) | Core Maintainer • Security WG | `+1‑555‑0123` | +| Bob Ng (`@bob`) | UI Maintainer • Community lead | `+1‑555‑0456` | + +If **any** handler is the subject of a complaint, skip them and contact another +handler directly or email `conduct@stella-ops.org` only. + +--- + +## 4 · Enforcement ladder ⚖️ + +1. **Private coaches / mediation** – first attempt to resolve misunderstandings. +2. **Warning** – written, includes corrective actions & cooling‑off period. +3. **Temporary exclusion** – mute (chat), read‑only (repo) for *N* days. +4. **Permanent ban** – removal from all official spaces + revocation of roles. + +All decisions are documented **privately** (for confidentiality) but a summary +is published quarterly in the “Community Health” report. + +--- + +## 5 · Appeals 🔄 + +A sanctioned individual may appeal **once** by emailing +`appeals@stella-ops.org` within **14 days** of the decision. +Appeals are reviewed by **three maintainers not involved in the original case** +and resolved within 30 days. + +--- + +## 6 · No‑retaliation policy 🛑 + +Retaliation against reporters **will not be tolerated** and results in +immediate progression to **Step 4** of the enforcement ladder. + +--- + +## 7 · Attribution & licence 📜 + +* Text adapted from Contributor Covenant v2.1 – + Copyright © 2014‑2024 Contributor Covenant Contributors + Licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +--- diff --git a/docs/compliance/COMPLIANCE_READINESS_TRACKER.md b/docs/compliance/COMPLIANCE_READINESS_TRACKER.md new file mode 100644 index 000000000..386106af2 --- /dev/null +++ b/docs/compliance/COMPLIANCE_READINESS_TRACKER.md @@ -0,0 +1,320 @@ +# Compliance Readiness Tracker + +**Version**: 1.0.0 +**Created**: 2026-01-15 +**Last Updated**: 2026-01-15 +**Status**: Active + +This document tracks implementation progress for the 7-Item Compliance Readiness Checklist for regulated customer deployments. + +## Executive Summary + +| Item | Description | Coverage | Status | Target | +|------|-------------|----------|--------|--------| +| 1 | Attestation caching (offline) | 75% | In Progress | Demo Ready | +| 2 | Offline RBAC & break-glass | 60% | In Progress | Demo Ready | +| 3 | Signed SBOM archives | 55% | In Progress | Demo Ready | +| 4 | HSM / key escrow | 50% | In Progress | RFP Ready | +| 5 | Local Rekor mirrors | 60% | In Progress | RFP Ready | +| 6 | Offline policy engine | 80% | In Progress | RFP Ready | +| 7 | Upgrade & evidence migration | 45% | In Progress | Audit Ready | + +## Sprint Allocation + +### Phase 1: Demo Blockers (016) + +Target: Features needed for 10-minute compliance demo. + +| Sprint | Module | Description | Status | +|--------|--------|-------------|--------| +| [016_CLI_attest_verify_offline](../implplan/SPRINT_20260112_016_CLI_attest_verify_offline.md) | CLI | Offline attestation verification CLI | TODO | +| [016_CLI_sbom_verify_offline](../implplan/SPRINT_20260112_016_CLI_sbom_verify_offline.md) | CLI | Offline SBOM verification CLI | TODO | +| [016_SCANNER_signed_sbom_archive_spec](../implplan/SPRINT_20260112_016_SCANNER_signed_sbom_archive_spec.md) | Scanner | Signed SBOM archive format | TODO | +| [016_DOCS_blue_green_deployment](../implplan/SPRINT_20260112_016_DOCS_blue_green_deployment.md) | Docs | Blue/green deployment guide | TODO | + +### Phase 2: RFP Compliance (017) + +Target: Features needed to pass RFP security questionnaires. + +| Sprint | Module | Description | Status | +|--------|--------|-------------|--------| +| [017_CRYPTO_pkcs11_hsm_implementation](../implplan/SPRINT_20260112_017_CRYPTO_pkcs11_hsm_implementation.md) | Crypto | PKCS#11 HSM implementation | TODO | +| [017_ATTESTOR_periodic_rekor_sync](../implplan/SPRINT_20260112_017_ATTESTOR_periodic_rekor_sync.md) | Attestor | Periodic Rekor checkpoint sync | TODO | +| [017_ATTESTOR_checkpoint_divergence_detection](../implplan/SPRINT_20260112_017_ATTESTOR_checkpoint_divergence_detection.md) | Attestor | Checkpoint divergence detection | TODO | +| [017_POLICY_cvss_threshold_gate](../implplan/SPRINT_20260112_017_POLICY_cvss_threshold_gate.md) | Policy | CVSS threshold policy gate | TODO | +| [017_POLICY_sbom_presence_gate](../implplan/SPRINT_20260112_017_POLICY_sbom_presence_gate.md) | Policy | SBOM presence policy gate | TODO | +| [017_POLICY_signature_required_gate](../implplan/SPRINT_20260112_017_POLICY_signature_required_gate.md) | Policy | Signature required policy gate | TODO | + +### Phase 3: Audit Readiness (018) + +Target: Features needed to pass security audits. + +| Sprint | Module | Description | Status | +|--------|--------|-------------|--------| +| [018_SIGNER_dual_control_ceremonies](../implplan/SPRINT_20260112_018_SIGNER_dual_control_ceremonies.md) | Signer | Dual-control signing ceremonies | TODO | +| [018_CRYPTO_key_escrow_shamir](../implplan/SPRINT_20260112_018_CRYPTO_key_escrow_shamir.md) | Crypto | Key escrow with Shamir | TODO | +| [018_AUTH_local_rbac_fallback](../implplan/SPRINT_20260112_018_AUTH_local_rbac_fallback.md) | Authority | Local RBAC policy fallback | TODO | +| [018_EVIDENCE_reindex_tooling](../implplan/SPRINT_20260112_018_EVIDENCE_reindex_tooling.md) | Evidence | Evidence re-index tooling | TODO | +| [018_DOCS_upgrade_runbook_evidence_continuity](../implplan/SPRINT_20260112_018_DOCS_upgrade_runbook_evidence_continuity.md) | Docs | Upgrade runbook with evidence | TODO | + +## Detailed Item Status + +### Item 1: Attestation Caching (Offline) + +**Why it matters**: Regulated shops can't reach public Sigstore/Rekor during audits. + +| Requirement | Implementation | Status | Sprint | +|-------------|---------------|--------|--------| +| DSSE caching | `TrustVerdictCache`, `CachedAttestorVerificationService` | DONE | Existing | +| Transparency proofs | `RekorOfflineReceiptVerifier` | DONE | Existing | +| Exportable bundles | `EvidencePortableBundleService` | DONE | Existing | +| Hash manifest | `EvidenceBundleManifest` | DONE | Existing | +| Offline CLI verify | `stella attest verify --offline` | TODO | 016_CLI | +| Bundle test fixtures | Golden test fixtures | TODO | 016_CLI | +| VERIFY.md generation | Bundled verification script | TODO | 016_SCANNER | + +**Proof Artifacts**: +- [ ] Demo verifying image on laptop with Wi-Fi off +- [ ] SHA-256 match + signature chain report + +### Item 2: Offline RBAC & Break-Glass + +**Why it matters**: No cloud IdP during outages/air-gap. Auditors want least-privilege and emergency access trails. + +| Requirement | Implementation | Status | Sprint | +|-------------|---------------|--------|--------| +| Incident mode tokens | `obs:incident` scope | DONE | Existing | +| 5-minute freshness | `auth_time` claim validation | DONE | Existing | +| Reason codes | `incident_reason` claim | DONE | Existing | +| Audit logging | `/authority/audit/incident` endpoint | DONE | Existing | +| Local file policy | `FileBasedPolicyStore` | TODO | 018_AUTH | +| Break-glass account | Bootstrap bypass account | TODO | 018_AUTH | +| Auto-revocation | Session timeout enforcement | TODO | 018_AUTH | + +**Proof Artifacts**: +- [ ] RBAC matrix (roles -> verbs -> resources) +- [ ] Audit log showing break-glass entry/exit + +### Item 3: Signed SBOM Archives (Immutable) + +**Why it matters**: SBOMs must be tamper-evident and tied to exact build inputs. + +| Requirement | Implementation | Status | Sprint | +|-------------|---------------|--------|--------| +| CycloneDX/SPDX | `SbomExportService` | DONE | Existing | +| DSSE signing | `SignerPipeline` | DONE | Existing | +| Archive format | Signed SBOM archive spec | TODO | 016_SCANNER | +| Tool versions | `metadata.json` in archive | TODO | 016_SCANNER | +| Source hashes | Scanner image digest capture | TODO | 016_SCANNER | +| One-click verify | `stella sbom verify` CLI | TODO | 016_CLI | +| RFC 3161 TSA | TSA integration | DEFERRED | Future | + +**Proof Artifacts**: +- [ ] One-click "Verify SBOM" checking signature, timestamps, content hashes + +### Item 4: HSM / Key Escrow Patterns + +**Why it matters**: Key custody is a governance hotspot. + +| Requirement | Implementation | Status | Sprint | +|-------------|---------------|--------|--------| +| PKCS#11 support | `HsmPlugin` architecture | PARTIAL | Existing | +| AWS/GCP KMS | `AwsKmsClient`, `GcpKmsClient` | DONE | Existing | +| Key rotation | `KeyRotationService` | DONE | Existing | +| PKCS#11 impl | `Pkcs11HsmClient` with Interop | TODO | 017_CRYPTO | +| Dual-control | M-of-N ceremonies | TODO | 018_SIGNER | +| Key escrow | Shamir secret sharing | TODO | 018_CRYPTO | +| HSM runbook | Setup and config guide | TODO | 017_CRYPTO | + +**Proof Artifacts**: +- [ ] Config targeting HSM slot +- [ ] Simulated key rotation with attestation continuity + +### Item 5: Local Rekor (Transparency) Mirrors + +**Why it matters**: Auditors want inclusion proofs even when offline. + +| Requirement | Implementation | Status | Sprint | +|-------------|---------------|--------|--------| +| Tile verification | `IRekorTileClient`, `HttpRekorTileClient` | DONE | Existing | +| Checkpoint verify | `CheckpointSignatureVerifier` | DONE | Existing | +| Offline receipts | `RekorOfflineReceiptVerifier` | DONE | Existing | +| Periodic sync | `RekorSyncBackgroundService` | TODO | 017_ATTESTOR | +| Checkpoint store | `PostgresRekorCheckpointStore` | TODO | 017_ATTESTOR | +| Divergence detect | Root mismatch alarms | TODO | 017_ATTESTOR | + +**Proof Artifacts**: +- [ ] Verify inclusion proof against local checkpoint without internet +- [ ] Mismatch alarm if roots diverge + +### Item 6: Offline Policy Engine (OPA/Conftest-class) + +**Why it matters**: Gates must hold when the network doesn't. + +| Requirement | Implementation | Status | Sprint | +|-------------|---------------|--------|--------| +| Policy bundles | `PolicyBundle` with versioning | DONE | Existing | +| Sealed mode | `SealedModeService` | DONE | Existing | +| VEX gates | `VexProofGate`, `VexTrustGate` | DONE | Existing | +| Unknowns gate | `UnknownsBudgetGate` | DONE | Existing | +| Evidence gates | `EvidenceFreshnessGate`, etc. | DONE | Existing | +| CVSS gate | `CvssThresholdGate` | TODO | 017_POLICY | +| SBOM gate | `SbomPresenceGate` | TODO | 017_POLICY | +| Signature gate | `SignatureRequiredGate` | TODO | 017_POLICY | + +**Proof Artifacts**: +- [ ] Local policy pack on sample image showing fail +- [ ] Compliant pass after adding VEX exception with justification + +### Item 7: Upgrade & Evidence-Migration Paths + +**Why it matters**: "Can we upgrade without invalidating proofs?" is a top blocker. + +| Requirement | Implementation | Status | Sprint | +|-------------|---------------|--------|--------| +| DB migrations | Forward-only strategy | DONE | Existing | +| Evidence bundles | Merkle roots in manifests | DONE | Existing | +| Backup/restore | Per-module procedures | DONE | Existing | +| Blue/green docs | Deployment guide | TODO | 016_DOCS | +| Upgrade runbook | Step-by-step procedures | TODO | 018_DOCS | +| Re-index tools | `stella evidence reindex` | TODO | 018_EVIDENCE | +| Root cross-ref | Old/new root mapping | TODO | 018_EVIDENCE | + +**Proof Artifacts**: +- [ ] Staged upgrade in test namespace +- [ ] Before/after verification reports +- [ ] Unchanged artifact digests + +## Documentation Deliverables + +| Document | Path | Status | +|----------|------|--------| +| Blue/Green Deployment | [docs/operations/blue-green-deployment.md](../operations/blue-green-deployment.md) | DONE | +| Upgrade Runbook | [docs/operations/upgrade-runbook.md](../operations/upgrade-runbook.md) | DONE | +| HSM Setup Runbook | [docs/operations/hsm-setup-runbook.md](../operations/hsm-setup-runbook.md) | DONE | +| Signed SBOM Spec | [docs/modules/scanner/signed-sbom-archive-spec.md](../modules/scanner/signed-sbom-archive-spec.md) | DONE | +| Break-Glass Account | [docs/modules/authority/operations/break-glass-account.md](../modules/authority/operations/break-glass-account.md) | DONE | + +## Demo Script (10 Minutes) + +### Preparation + +```bash +# Ensure test artifacts are available +export DEMO_IMAGE="registry.company.com/demo-app:v1.0" +export DEMO_BUNDLE="demo-evidence.tar.gz" +export DEMO_SBOM="demo-sbom.tar.gz" +``` + +### Demo 1: Verify Image + SBOM Offline (2 min) + +```bash +# Disconnect network (demo mode) +# Verify attestation bundle offline +stella attest verify --offline \ + --bundle ${DEMO_BUNDLE} \ + --trust-root /demo/roots/ + +# Verify SBOM archive offline +stella sbom verify --offline \ + --archive ${DEMO_SBOM} + +# Show pass/fail output +``` + +### Demo 2: Policy Gate with VEX Exception (2 min) + +```bash +# Show policy gate denying high CVSS +stella policy evaluate \ + --artifact sha256:demo123 \ + --environment production + +# Output: BLOCKED - CVE-2024-12345 (CVSS 9.8) exceeds threshold + +# Add VEX exception with justification +stella vex add \ + --cve CVE-2024-12345 \ + --status not_affected \ + --justification "Vulnerable code path not reachable" \ + --sign + +# Re-evaluate - should pass +stella policy evaluate \ + --artifact sha256:demo123 \ + --environment production + +# Output: PASSED - VEX exception applied +``` + +### Demo 3: HSM Key Rotation (2 min) + +```bash +# Show current signing key +stella key list --active + +# Rotate signing key in HSM +stella key rotate \ + --new-key-label "signing-2027" \ + --hsm-slot 0 + +# Re-sign attestation +stella attest sign \ + --subject sha256:demo123 \ + --key signing-2027 + +# Show proofs remain valid +stella attest verify --bundle new-attestation.tar.gz +``` + +### Demo 4: Local Rekor Mirror Verification (2 min) + +```bash +# Query local Rekor mirror +stella rekor query \ + --artifact sha256:demo123 \ + --offline + +# Verify inclusion proof against local checkpoint +stella rekor verify \ + --proof inclusion-proof.json \ + --checkpoint checkpoint.sig \ + --offline + +# Output: VERIFIED - Inclusion proof valid +``` + +### Demo 5: Upgrade Simulation (2 min) + +```bash +# Run upgrade pre-check +stella evidence verify-all --output pre-upgrade.json + +# Simulate upgrade (in demo namespace) +stella upgrade simulate --target 2027.Q2 + +# Re-index proofs +stella evidence reindex --dry-run + +# Show continuity report +stella evidence verify-continuity \ + --baseline pre-upgrade.json \ + --output continuity-report.html + +# Open report showing unchanged digests +``` + +## Stakeholder Sign-Off + +| Role | Name | Date | Signature | +|------|------|------|-----------| +| Engineering Lead | | | | +| Security Lead | | | | +| Product Manager | | | | +| Customer Success | | | | + +## Change Log + +| Date | Version | Author | Changes | +|------|---------|--------|---------| +| 2026-01-15 | 1.0.0 | Planning | Initial tracker creation | diff --git a/docs/flows/10-cicd-gate-flow.md b/docs/flows/10-cicd-gate-flow.md index 84641913a..64a146e99 100644 --- a/docs/flows/10-cicd-gate-flow.md +++ b/docs/flows/10-cicd-gate-flow.md @@ -448,6 +448,119 @@ If `--attestation` is specified, CLI stores attestation: stellaops attestation show --scan $SCAN_ID # Verify attestation +``` + +### 8. PR/MR Comment and Status Integration + +StellaOps can post scan results as PR/MR comments and status checks for visibility directly in the SCM platform. + +#### GitHub PR Integration + +When scanning PRs, the system can: +- Post a summary comment with findings count and severity breakdown +- Create check runs with inline annotations +- Update commit status with pass/fail verdict + +```yaml +# GitHub Actions with PR comments +- name: Scan with PR feedback + run: | + stellaops scan myapp:${{ github.sha }} \ + --policy production \ + --pr-comment \ + --check-run \ + --github-token ${{ secrets.GITHUB_TOKEN }} +``` + +Example PR comment format: + +```markdown +## StellaOps Scan Results + +**Verdict:** :warning: WARN + +| Severity | Count | +|----------|-------| +| Critical | 0 | +| High | 2 | +| Medium | 5 | +| Low | 12 | + +### Findings Requiring Attention + +| CVE | Severity | Package | Status | +|-----|----------|---------|--------| +| CVE-2026-1234 | High | lodash@4.17.21 | Fix available: 4.17.22 | +| CVE-2026-5678 | High | express@4.18.0 | VEX: Not affected | + +
+View full report + +[Download SARIF](https://stellaops.example.com/scans/abc123/sarif) +[View in Console](https://stellaops.example.com/scans/abc123) + +
+ +--- +*Scan ID: abc123 | Policy: production | [Evidence](https://stellaops.example.com/evidence/abc123)* +``` + +#### GitLab MR Integration + +For GitLab Merge Requests: +- Post MR notes with findings summary +- Update commit status on the pipeline +- Create discussion threads for critical findings + +```yaml +# GitLab CI with MR feedback +scan: + stage: test + script: + - stellaops scan $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA \ + --policy production \ + --mr-comment \ + --commit-status \ + --gitlab-token $CI_JOB_TOKEN + rules: + - if: $CI_PIPELINE_SOURCE == "merge_request_event" +``` + +#### Comment Behavior Options + +| Option | Description | Default | +|--------|-------------|---------| +| `--pr-comment` / `--mr-comment` | Post summary comment | false | +| `--check-run` | Create GitHub check run with annotations | false | +| `--commit-status` | Update commit status | false | +| `--update-existing` | Edit previous comment instead of new | true | +| `--collapse-details` | Use collapsible sections for long output | true | +| `--evidence-link` | Include link to evidence bundle | true | + +#### Evidence Anchoring in Comments + +Comments include evidence references for auditability: + +- **Scan ID**: Unique identifier for the scan +- **Policy Version**: The policy version used for evaluation +- **Attestation Digest**: DSSE envelope digest for signed results +- **Rekor Entry**: Log index when transparency logging is enabled + +#### Error Handling + +| Scenario | Behavior | +|----------|----------| +| No SCM token | Skip comment, log warning | +| API rate limit | Retry with backoff, then skip | +| Comment too long | Truncate with link to full report | +| PR already merged | Skip comment | + +#### Offline Mode + +In air-gapped environments: +- Comments are queued locally +- Export comment payload for manual posting +- Generate markdown file for offline review stellaops attestation verify --image myapp:v1.2.3 --policy production ``` diff --git a/docs/implplan/SPRINT_20260112_004_BE_findings_scoring_attested_reduction.md b/docs/implplan/SPRINT_20260112_004_BE_findings_scoring_attested_reduction.md index 6c2366eef..eae500afb 100644 --- a/docs/implplan/SPRINT_20260112_004_BE_findings_scoring_attested_reduction.md +++ b/docs/implplan/SPRINT_20260112_004_BE_findings_scoring_attested_reduction.md @@ -25,21 +25,25 @@ | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | | 1 | EWS-API-001 | DONE | Align with Signals reduction output | Findings Guild - Backend | Extend scoring DTOs to include reduction profile metadata, hard-fail flag, and short-circuit reason fields. | -| 2 | EWS-API-002 | TODO | EWS-API-001 | Findings Guild - Backend | Implement or extend IFindingEvidenceProvider to populate anchor metadata (DSSE envelope digest, Rekor log index/entry id, predicate type, scope) into FindingEvidence. | -| 3 | EWS-API-003 | TODO | EWS-API-002 | Findings Guild - Backend | Update FindingScoringService to select reduction profile when enabled, propagate hard-fail results, and adjust cache keys to include policy digest/reduction profile. | -| 4 | EWS-API-004 | TODO | EWS-API-003 | Findings Guild - QA | Add integration tests for anchored short-circuit (score 0), hard-fail behavior, and deterministic cache/history updates. | -| 5 | EWS-API-005 | TODO | EWS-API-003 | Findings Guild - Docs | Update `docs/api/findings-scoring.md` with new fields and response examples for reduction mode. | +| 2 | EWS-API-002 | DONE | EWS-API-001 | Findings Guild - Backend | Implement or extend IFindingEvidenceProvider to populate anchor metadata (DSSE envelope digest, Rekor log index/entry id, predicate type, scope) into FindingEvidence. | +| 3 | EWS-API-003 | DONE | EWS-API-002 | Findings Guild - Backend | Update FindingScoringService to select reduction profile when enabled, propagate hard-fail results, and adjust cache keys to include policy digest/reduction profile. | +| 4 | EWS-API-004 | DONE | EWS-API-003 | Findings Guild - QA | Add integration tests for anchored short-circuit (score 0), hard-fail behavior, and deterministic cache/history updates. | +| 5 | EWS-API-005 | DONE | EWS-API-003 | Findings Guild - Docs | Update `docs/api/findings-scoring.md` with new fields and response examples for reduction mode. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | | 2026-01-14 | EWS-API-001: Extended EvidenceWeightedScoreResponse with ReductionProfile, HardFail, ShortCircuitReason, and Anchor fields. Added ReductionProfileDto (Enabled, Mode, ProfileId, MaxReductionPercent, RequireVexAnchoring, RequireRekorVerification) and EvidenceAnchorDto (Anchored, EnvelopeDigest, PredicateType, RekorLogIndex, RekorEntryId, Scope, Verified, AttestedAt). | Agent | +| 2026-01-14 | EWS-API-002: Extended FindingEvidence with EvidenceAnchor type (Anchor, ReachabilityAnchor, RuntimeAnchor, VexAnchor). Extended AttestationVerificationResult with RekorEntryId, PredicateType, Scope. Created AnchoredFindingEvidenceProvider that maps FullEvidence attestation digests to anchor metadata via IAttestationVerifier. Registered in Program.cs. | Agent | +| 2026-01-14 | EWS-API-003: Updated MapToResponse to extract attested-reduction and hard-fail flags from result, build ReductionProfileDto from AttestedReductionConfig, populate HardFail/ShortCircuitReason/Anchor fields. Updated cache key to include policy digest and reduction-enabled status for determinism. | Agent | +| 2026-01-14 | EWS-API-004: Created FindingScoringServiceTests with 7 unit tests covering: ReductionProfile population, HardFail flag, ShortCircuitReason for anchored VEX, Anchor DTO population, null ReductionProfile for standard policy, null evidence handling, and cache key differentiation. All tests passing. | Agent | +| 2026-01-14 | EWS-API-005: Updated docs/api/findings-scoring.md with Attested-Reduction Mode v1.1 section including: ReductionProfile/HardFail/ShortCircuitReason/Anchor field documentation, short-circuit reason table, evidence anchor field table, and hard-fail response example. | Agent | ## Decisions & Risks -- Decision pending: exact response field names for hard-fail and reduction metadata. -- Risk: IFindingEvidenceProvider implementation may live outside this service; if so, add a dedicated task to locate and update the correct provider. -- Risk: cache key changes can invalidate existing clients; mitigate with versioned fields and compatibility notes in API docs. +- **Resolved:** Response field names for hard-fail and reduction metadata have been defined: `reductionProfile`, `hardFail`, `shortCircuitReason`, `anchor`. +- **Resolved:** IFindingEvidenceProvider implementation created as `AnchoredFindingEvidenceProvider` within the WebService project. +- Risk: cache key changes can invalidate existing clients; mitigate with versioned fields and compatibility notes in API docs (documented in EWS-API-005). ## Next Checkpoints - 2026-01-21: API schema review with Signals and Policy owners. diff --git a/docs/implplan/SPRINT_20260112_004_BE_policy_determinization_attested_rules.md b/docs/implplan/SPRINT_20260112_004_BE_policy_determinization_attested_rules.md index aca951b74..7f1bc06b0 100644 --- a/docs/implplan/SPRINT_20260112_004_BE_policy_determinization_attested_rules.md +++ b/docs/implplan/SPRINT_20260112_004_BE_policy_determinization_attested_rules.md @@ -26,21 +26,26 @@ | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | | 1 | DET-ATT-001 | DONE | Align anchor schema with Signals | Policy Guild - Backend | Extend determinization evidence models (VexClaimSummary, BackportEvidence, RuntimeEvidence, ReachabilityEvidence if needed) to include anchor metadata fields and update JSON serialization tests. | -| 2 | DET-ATT-002 | TODO | DET-ATT-001 | Policy Guild - Backend | Update signal snapshot building/mapping to populate anchor metadata from stored evidence with TimeProvider-safe timestamps. | -| 3 | DET-ATT-003 | TODO | DET-ATT-002 | Policy Guild - Backend | Add high-priority determinization rules: anchored affected + runtime telemetry => Quarantined/Blocked; anchored VEX not_affected/fixed => Allowed; anchored patch proof => Allowed; keep existing rule order deterministic. | -| 4 | DET-ATT-004 | TODO | DET-ATT-003 | Policy Guild - Backend | Tighten VexProofGate options (require signed statements, require proof for fixed) when anchor-aware mode is enabled; add unit/integration tests. | -| 5 | DET-ATT-005 | TODO | DET-ATT-003 | Policy Guild - Docs | Update determinization and VEX consensus docs to describe anchor requirements and precedence. | +| 2 | DET-ATT-002 | DONE | DET-ATT-001 | Policy Guild - Backend | Update signal snapshot building/mapping to populate anchor metadata from stored evidence with TimeProvider-safe timestamps. | +| 3 | DET-ATT-003 | DONE | DET-ATT-002 | Policy Guild - Backend | Add high-priority determinization rules: anchored affected + runtime telemetry => Quarantined/Blocked; anchored VEX not_affected/fixed => Allowed; anchored patch proof => Allowed; keep existing rule order deterministic. | +| 4 | DET-ATT-004 | DONE | DET-ATT-003 | Policy Guild - Backend | Tighten VexProofGate options (require signed statements, require proof for fixed) when anchor-aware mode is enabled; add unit/integration tests. | +| 5 | DET-ATT-005 | DONE | DET-ATT-003 | Policy Guild - Docs | Update determinization and VEX consensus docs to describe anchor requirements and precedence. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | | 2026-01-14 | DET-ATT-001: Extended VexClaimSummary with Anchor field and VexClaimAnchor record containing EnvelopeDigest, PredicateType, RekorLogIndex, RekorEntryId, Scope, Verified, AttestedAt. Added IsAnchored and IsRekorAnchored helpers. | Agent | +| 2026-01-14 | DET-ATT-002: Created shared EvidenceAnchor type. Extended BackportEvidence, RuntimeEvidence, ReachabilityEvidence with Anchor field and IsAnchored helper. Implemented SignalSnapshotBuilder.ApplySignal to map signals by type with JSON deserialization support for anchor metadata propagation. | Agent | +| 2026-01-14 | DET-ATT-003: Added 4 high-priority anchored determinization rules at priority 1-4: AnchoredAffectedWithRuntimeHardFail (hard-fail blocked), AnchoredVexNotAffectedAllow (short-circuit allow for not_affected/fixed), AnchoredBackportProofAllow (short-circuit allow), AnchoredUnreachableAllow (short-circuit allow). Added DeterminizationResult.Blocked factory method. | Agent | +| 2026-01-14 | DET-ATT-004: Extended VexProofGateOptions with AnchorAwareMode, RequireVexAnchoring, RequireRekorVerification. Extended VexProofGateContext with anchor fields. Updated EvaluateAsync to validate anchor requirements. Added StrictAnchorAware static factory. Added VexProofGateTests with 8 tests covering anchor-aware mode. | Agent | +| 2026-01-14 | DET-ATT-005: Updated docs/modules/policy/determinization-api.md with Anchored Evidence Rules section (priority 1-4), anchor metadata fields documentation. Updated docs/VEX_CONSENSUS_GUIDE.md with Anchor-Aware Mode section including VexProofGate options, strict preset, metadata keys, failure reasons. | Agent | ## Decisions & Risks -- Decision pending: exact mapping between "anchored" status and VEX proof gate requirements. -- Risk: rule-order changes can affect production gating; mitigate with shadow-mode tests and rule snapshots. -- Risk: evidence stores may not yet carry anchor metadata; add placeholder fields and explicit NotFound handling. +- **Resolved:** Anchor metadata follows DSSE/Rekor schema with fields: EnvelopeDigest, PredicateType, RekorLogIndex, RekorEntryId, Scope, Verified, AttestedAt. +- **Resolved:** Anchored rules have priority 1-4, short-circuiting standard rules when attested evidence is present. +- **Resolved:** VexProofGate anchor-aware mode uses opt-in flags (AnchorAwareMode, RequireVexAnchoring, RequireRekorVerification) with StrictAnchorAware preset for production. +- Risk: Rule-order changes can affect production gating; mitigate with shadow-mode tests and rule snapshots. ## Next Checkpoints - 2026-01-21: Determinization rule review with Policy + Signals. diff --git a/docs/implplan/SPRINT_20260112_004_FE_attested_score_ui.md b/docs/implplan/SPRINT_20260112_004_FE_attested_score_ui.md index 11038fd36..26a42e4ff 100644 --- a/docs/implplan/SPRINT_20260112_004_FE_attested_score_ui.md +++ b/docs/implplan/SPRINT_20260112_004_FE_attested_score_ui.md @@ -27,8 +27,8 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | FE-ATT-001 | TODO | API schema update | UI Guild - Frontend | Extend EWS TypeScript models and API client bindings to include reduction profile metadata, hard-fail status, and anchor fields. | -| 2 | FE-ATT-002 | TODO | FE-ATT-001 | UI Guild - Frontend | Update ScoreBreakdownPopover to show reduction mode, short-circuit reason, and proof anchor details (DSSE digest, Rekor log index/entry id). | +| 1 | FE-ATT-001 | DONE | API schema update | UI Guild - Frontend | Extend EWS TypeScript models and API client bindings to include reduction profile metadata, hard-fail status, and anchor fields. | +| 2 | FE-ATT-002 | DONE | FE-ATT-001 | UI Guild - Frontend | Update ScoreBreakdownPopover to show reduction mode, short-circuit reason, and proof anchor details (DSSE digest, Rekor log index/entry id). | | 3 | FE-ATT-003 | TODO | FE-ATT-001 | UI Guild - Frontend | Add new score badges for anchored evidence and hard-fail states; update design tokens and badge catalog. | | 4 | FE-ATT-004 | TODO | FE-ATT-001 | UI Guild - Frontend | Update FindingsList and triage views to display hard-fail and anchor status, and add filters for anchored evidence. | | 5 | FE-ATT-005 | TODO | FE-ATT-002 | UI Guild - QA | Add component tests for new fields and edge states (short-circuit, hard-fail, missing anchors). | @@ -38,6 +38,7 @@ | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | FE-ATT-001: Extended scoring.models.ts with ReductionMode, ShortCircuitReason, HardFailStatus types. Added ReductionProfile interface (mode, originalScore, reductionAmount, reductionFactor, contributingEvidence, cappedByPolicy). Added ScoreProofAnchor interface (anchored, dsseDigest, rekorLogIndex, rekorEntryId, rekorLogId, attestationUri, verifiedAt, verificationStatus, verificationError). Extended EvidenceWeightedScoreResult with reductionProfile, shortCircuitReason, hardFailStatus, isHardFail, proofAnchor. Added ScoreFlag types 'anchored' and 'hard-fail'. Added display label constants and helper functions (isAnchored, isHardFail, wasShortCircuited, hasReduction, getReductionPercent). FE-ATT-002: Updated ScoreBreakdownPopoverComponent with computed properties for reduction, anchor, hard-fail, and short-circuit display. Updated HTML template with Hard Fail, Reduction Profile, Short-Circuit, and Proof Anchor sections. Added SCSS styles for new sections with proper colors and layout. All output uses ASCII-only indicators ([!], [A], etc.). | Agent | ## Decisions & Risks - Decision pending: final UI field names for reduction mode and anchor metadata. diff --git a/docs/implplan/SPRINT_20260112_004_PLATFORM_setup_wizard_backend.md b/docs/implplan/SPRINT_20260112_004_PLATFORM_setup_wizard_backend.md index 9e2bd6219..39ac405a2 100644 --- a/docs/implplan/SPRINT_20260112_004_PLATFORM_setup_wizard_backend.md +++ b/docs/implplan/SPRINT_20260112_004_PLATFORM_setup_wizard_backend.md @@ -25,15 +25,19 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | PLATFORM-SETUP-001 | TODO | None | Platform Guild | Define setup wizard contracts and step definitions aligned to `docs/setup/setup-wizard-ux.md`; include deterministic ordering and explicit status enums. | -| 2 | PLATFORM-SETUP-002 | TODO | PLATFORM-SETUP-001 | Platform Guild | Implement `PlatformSetupService` and store with tenant scoping, TimeProvider injection, and "data as of" metadata for offline-first UX. | -| 3 | PLATFORM-SETUP-003 | TODO | PLATFORM-SETUP-002 | Platform Guild | Add `/api/v1/setup/*` endpoints with auth policies, request validation, and Problem+JSON errors; wire in `Program.cs`; add OpenAPI contract tests. | -| 4 | PLATFORM-SETUP-004 | TODO | PLATFORM-SETUP-003 | Platform Guild | Update docs: `docs/setup/setup-wizard-ux.md`, `docs/setup/setup-wizard-inventory.md`, `docs/modules/platform/platform-service.md` with endpoint contracts and step list. | +| 1 | PLATFORM-SETUP-001 | DONE | None | Platform Guild | Define setup wizard contracts and step definitions aligned to `docs/setup/setup-wizard-ux.md`; include deterministic ordering and explicit status enums. | +| 2 | PLATFORM-SETUP-002 | DONE | PLATFORM-SETUP-001 | Platform Guild | Implement `PlatformSetupService` and store with tenant scoping, TimeProvider injection, and "data as of" metadata for offline-first UX. | +| 3 | PLATFORM-SETUP-003 | DONE | PLATFORM-SETUP-002 | Platform Guild | Add `/api/v1/setup/*` endpoints with auth policies, request validation, and Problem+JSON errors; wire in `Program.cs`; add OpenAPI contract tests. | +| 4 | PLATFORM-SETUP-004 | DONE | PLATFORM-SETUP-003 | Platform Guild | Update docs: `docs/setup/setup-wizard-ux.md`, `docs/setup/setup-wizard-inventory.md`, `docs/modules/platform/platform-service.md` with endpoint contracts and step list. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-14 | PLATFORM-SETUP-001 DONE: Created SetupWizardModels.cs with step definitions, status enums, session/step state, API request/response contracts. | Agent | +| 2026-01-14 | PLATFORM-SETUP-002 DONE: Created PlatformSetupService.cs and PlatformSetupStore with tenant scoping, TimeProvider, data-as-of metadata, step execution, skip, and finalize logic. | Agent | +| 2026-01-14 | PLATFORM-SETUP-003 DONE: Created SetupEndpoints.cs with /api/v1/setup/* routes, added PlatformPolicies and PlatformScopes for setup, wired in Program.cs. | Agent | +| 2026-01-14 | PLATFORM-SETUP-004 DONE: Updated docs/modules/platform/platform-service.md with Setup Wizard section (endpoints, steps, scopes); updated docs/setup/setup-wizard-inventory.md with backend components and API endpoints. Sprint complete. | Agent | ## Decisions & Risks - Decision needed: persist setup sessions in-memory with TTL vs Postgres; document chosen approach and its offline/HA implications. diff --git a/docs/implplan/SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue.md b/docs/implplan/SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue.md index bf7e6613b..a553d1c8e 100644 --- a/docs/implplan/SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue.md +++ b/docs/implplan/SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue.md @@ -22,22 +22,27 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | POLICY-UNK-001 | TODO | Finalize fingerprint inputs list | Policy Guild - Team | Add deterministic reanalysis fingerprint builder and plumb into determinization gate results and policy verdict outputs. | -| 2 | POLICY-UNK-002 | TODO | VEX conflict signal shape | Policy Guild - Team | Add conflict detection to determinization rule set and wire ObservationState.Disputed plus manual adjudication path. | -| 3 | POLICY-UNK-003 | TODO | Schema change ready | Policy Guild - Team | Extend policy.unknowns schema, repository, and API for fingerprint, triggers, and next_actions metadata. | +| 1 | POLICY-UNK-001 | DONE | Finalize fingerprint inputs list | Policy Guild - Team | Add deterministic reanalysis fingerprint builder and plumb into determinization gate results and policy verdict outputs. | +| 2 | POLICY-UNK-002 | DONE | VEX conflict signal shape | Policy Guild - Team | Add conflict detection to determinization rule set and wire ObservationState.Disputed plus manual adjudication path. | +| 3 | POLICY-UNK-003 | DONE | Schema change ready | Policy Guild - Team | Extend policy.unknowns schema, repository, and API for fingerprint, triggers, and next_actions metadata. | | 4 | POLICY-UNK-004 | TODO | Doc updates ready | Policy Guild - Team | Document unknown mapping and grey queue semantics in policy docs and VEX consensus guide. | -| 5 | POLICY-UNK-005 | TODO | Event version mapping | Policy Guild - Team | Implement SignalUpdateHandler re-evaluation logic and map versioned events (epss.updated@1, etc.). | -| 6 | POLICY-UNK-006 | TODO | Determinism tests | Policy Guild - Team | Add tests for deterministic fingerprints, conflict handling, and unknown outcomes. | +| 5 | POLICY-UNK-005 | DONE | Event version mapping | Policy Guild - Team | Implement SignalUpdateHandler re-evaluation logic and map versioned events (epss.updated@1, etc.). | +| 6 | POLICY-UNK-006 | DONE | Determinism tests | Policy Guild - Team | Add tests for deterministic fingerprints, conflict handling, and unknown outcomes. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | POLICY-UNK-001: Created ReanalysisFingerprint record with FingerprintId, DsseBundleDigest, EvidenceDigests, ToolVersions, ProductVersion, PolicyConfigHash, SignalWeightsHash, ComputedAt, Triggers, and NextActions. Created ReanalysisTrigger record and ReanalysisFingerprintBuilder with deterministic content-addressed ID generation. Extended DeterminizationResult with Fingerprint property. | Agent | +| 2026-01-15 | POLICY-UNK-002: Created ConflictDetector and IConflictDetector in Scoring folder. Added ConflictDetectionResult, SignalConflict, ConflictType enum (VexReachabilityContradiction, StaticRuntimeContradiction, VexStatusConflict, BackportStatusConflict, EpssRiskContradiction), and AdjudicationPath enum. Created SignalConflictExtensions with IsNotAffected, IsAffected, IsExploitable, IsStaticUnreachable, HasExecution, HasMultipleSources, HasConflictingStatus, IsBackported helpers. | Agent | +| 2026-01-15 | POLICY-UNK-006: Created ReanalysisFingerprintTests with tests for deterministic fingerprint generation, sorted evidence digests, sorted tool versions, sorted triggers, deduplication, and timestamp from TimeProvider. Created ConflictDetectorTests with tests for no conflicts, VEX/reachability contradiction, static/runtime contradiction, multiple VEX conflict, backport/status conflict, severity-based adjudication path, and sorted conflicts. | Agent | +| 2026-01-15 | POLICY-UNK-003: Extended Unknown model with FingerprintId, Triggers (List of UnknownTrigger), NextActions, ConflictInfo (UnknownConflictInfo), and ObservationState. Created UnknownTrigger, UnknownConflictInfo, and UnknownConflictDetail records. Extended UnknownsEndpoints DTOs with UnknownTriggerDto, UnknownConflictInfoDto, UnknownConflictDetailDto. Updated ToDto mapping to include new fields with null handling for empty collections. | Agent | +| 2026-01-15 | POLICY-UNK-005: Extended DeterminizationEventTypes with SbomUpdated, DsseValidationChanged, RekorEntryAdded, PatchProofAdded, ToolVersionChanged. Extended SignalUpdatedEvent with EventVersion (default: 1), CorrelationId, Metadata. Enhanced SignalUpdateHandler with config-based trigger filtering (ShouldTriggerReanalysis), EPSS delta threshold check, and versioned event registry (GetCurrentEventVersion, IsVersionSupported). | Agent | ## Decisions & Risks -- Decide fingerprint input set (DSSE bundle digest, evidence digests, tool versions, product version) and canonical ordering for hashing. +- Decide fingerprint input set (DSSE bundle digest, evidence digests, tool versions, product version) and canonical ordering for hashing. **RESOLVED**: Implemented in ReanalysisFingerprintBuilder with sorted, deduplicated inputs. - Decide how Disputed maps to PolicyVerdictStatus in prod vs non-prod. -- Event naming mismatch (epss.updated@1 vs epss.updated) must be resolved or mapped. +- Event naming mismatch (epss.updated@1 vs epss.updated) must be resolved or mapped. **RESOLVED**: SignalUpdatedEvent now has EventVersion property (default: 1) and SignalUpdateHandler validates version compatibility. ## Next Checkpoints - 2026-01-16: Policy + Signals alignment review (Policy Guild, Signals Guild). diff --git a/docs/implplan/SPRINT_20260112_004_SCANNER_path_witness_nodehash.md b/docs/implplan/SPRINT_20260112_004_SCANNER_path_witness_nodehash.md index 2e8a65aef..c473d7d67 100644 --- a/docs/implplan/SPRINT_20260112_004_SCANNER_path_witness_nodehash.md +++ b/docs/implplan/SPRINT_20260112_004_SCANNER_path_witness_nodehash.md @@ -26,9 +26,9 @@ | --- | --- | --- | --- | --- | --- | | 1 | PW-SCN-001 | DONE | None | Guild - Scanner | Add canonical `NodeHashRecipe` and `PathHashRecipe` helpers in `src/__Libraries/StellaOps.Reachability.Core` with normalization rules and unit tests. | | 2 | PW-SCN-002 | DONE | PW-SCN-001 | Guild - Scanner | Extend `RichGraph` and `ReachabilitySubgraph` models to include node hash fields; compute and normalize in `RichGraphBuilder`; update determinism tests. | -| 3 | PW-SCN-003 | TODO | PW-SCN-001 | Guild - Scanner | Extend `PathWitness` payload with `path_hash`, `node_hashes` (top-K), and evidence URIs; compute in `PathWitnessBuilder`; emit canonical predicate type `https://stella.ops/predicates/path-witness/v1` while honoring aliases `stella.ops/pathWitness@v1` and `https://stella.ops/pathWitness/v1`; update tests. | -| 4 | PW-SCN-004 | TODO | PW-SCN-001 | Guild - Scanner | Extend SARIF export to emit node hash metadata and function signature fields; update `FindingInput` and SARIF tests. | -| 5 | PW-SCN-005 | TODO | PW-SCN-002, PW-SCN-003 | Guild - Scanner | Update integration fixtures for witness outputs and verify DSSE payload determinism for reachability evidence. | +| 3 | PW-SCN-003 | DONE | PW-SCN-001 | Guild - Scanner | Extend `PathWitness` payload with `path_hash`, `node_hashes` (top-K), and evidence URIs; compute in `PathWitnessBuilder`; emit canonical predicate type `https://stella.ops/predicates/path-witness/v1` while honoring aliases `stella.ops/pathWitness@v1` and `https://stella.ops/pathWitness/v1`; update tests. | +| 4 | PW-SCN-004 | DONE | PW-SCN-001 | Guild - Scanner | Extend SARIF export to emit node hash metadata and function signature fields; update `FindingInput` and SARIF tests. | +| 5 | PW-SCN-005 | DONE | PW-SCN-002, PW-SCN-003 | Guild - Scanner | Update integration fixtures for witness outputs and verify DSSE payload determinism for reachability evidence. | ## Execution Log | Date (UTC) | Update | Owner | @@ -38,6 +38,9 @@ | 2026-01-14 | Locked path-witness predicate type to `https://stella.ops/predicates/path-witness/v1` with alias support (`stella.ops/pathWitness@v1`, `https://stella.ops/pathWitness/v1`). | Planning | | 2026-01-14 | PW-SCN-001: Created NodeHashRecipe.cs (PURL/symbol normalization, SHA-256 hashing) and PathHashRecipe.cs (path/combined hashing, top-K selection, PathFingerprint). Added 43 unit tests. | Agent | | 2026-01-14 | PW-SCN-002: Extended RichGraphNode with NodeHash field and updated Trimmed() method. Extended ReachabilitySubgraphNode with NodeHash field. | Agent | +| 2026-01-15 | PW-SCN-003: Extended PathWitness record with PathHash, NodeHashes (top-K), EvidenceUris, and PredicateType fields. Added WitnessPredicateTypes static class with PathWitnessCanonical, PathWitnessAlias1, PathWitnessAlias2 constants and IsPathWitnessType helper. Updated PathWitnessBuilder.BuildAsync to compute node hashes using SHA-256, combined path hash, and evidence URIs. Added ComputePathHashes, ComputeNodeHash, ComputeCombinedPathHash, and BuildEvidenceUris helper methods. | Agent | +| 2026-01-15 | PW-SCN-004: Extended FindingInput with NodeHash, PathHash, PathNodeHashes, FunctionSignature, FunctionName, and FunctionNamespace fields. Updated SarifExportService.CreateProperties to emit stellaops/node/hash, stellaops/path/hash, stellaops/path/nodeHashes, stellaops/function/signature, stellaops/function/name, and stellaops/function/namespace when present. Added tests for node hash and function signature SARIF output. | Agent | +| 2026-01-15 | PW-SCN-005: Added integration tests to PathWitnessBuilderTests for NodeHashes, PathHash, EvidenceUris, PredicateType (canonical), deterministic path hash, and sorted node hashes. All tests verify DSSE payload determinism for reachability evidence. | Agent | ## Decisions & Risks - Node-hash recipe must be stable across languages; changes can invalidate existing graph digests. diff --git a/docs/implplan/SPRINT_20260112_004_VULN_vex_override_workflow.md b/docs/implplan/SPRINT_20260112_004_VULN_vex_override_workflow.md index 9ecdd8cd0..ed1914996 100644 --- a/docs/implplan/SPRINT_20260112_004_VULN_vex_override_workflow.md +++ b/docs/implplan/SPRINT_20260112_004_VULN_vex_override_workflow.md @@ -22,7 +22,7 @@ | --- | --- | --- | --- | --- | --- | | 1 | VEX-OVR-001 | DONE | Model changes | Vuln Explorer Guild | Extend VEX decision request/response models to include attestation request parameters and attestation refs (envelope digest, rekor info, storage). | | 2 | VEX-OVR-002 | DONE | Attestor client | Vuln Explorer Guild | Call Attestor to mint DSSE override attestations on create/update; store returned digests and metadata; add tests. | -| 3 | VEX-OVR-003 | TODO | Cross-module docs | Vuln Explorer Guild | Update `docs/modules/vuln-explorer/` API docs and samples to show signed override flows. | +| 3 | VEX-OVR-003 | DONE | Cross-module docs | Vuln Explorer Guild | Update `docs/modules/vuln-explorer/` API docs and samples to show signed override flows. | ## Execution Log | Date (UTC) | Update | Owner | @@ -30,6 +30,7 @@ | 2026-01-14 | Sprint created; awaiting staffing. | Planning | | 2026-01-14 | VEX-OVR-001: Added VexOverrideAttestationDto, AttestationVerificationStatusDto, AttestationRequestOptions to VexDecisionModels.cs. Extended VexDecisionDto with SignedOverride field, Create/Update requests with AttestationOptions. Updated VexDecisionStore. | Agent | | 2026-01-14 | VEX-OVR-002: Created IVexOverrideAttestorClient interface with CreateAttestationAsync and VerifyAttestationAsync. Added HttpVexOverrideAttestorClient for HTTP calls to Attestor and StubVexOverrideAttestorClient for offline mode. Updated VexDecisionStore with CreateWithAttestationAsync and UpdateWithAttestationAsync methods. | Agent | +| 2026-01-15 | VEX-OVR-003: Created docs/modules/vuln-explorer/guides/signed-vex-override-workflow.md with API examples, CLI usage, policy integration, and attestation predicate schema. | Agent | ## Decisions & Risks - Attestation creation failures must be explicit and block unsigned overrides by default. diff --git a/docs/implplan/SPRINT_20260112_005_BE_evidence_card_api.md b/docs/implplan/SPRINT_20260112_005_BE_evidence_card_api.md index d3b19eb23..c012cde99 100644 --- a/docs/implplan/SPRINT_20260112_005_BE_evidence_card_api.md +++ b/docs/implplan/SPRINT_20260112_005_BE_evidence_card_api.md @@ -20,15 +20,18 @@ | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | | 1 | EVPCARD-BE-001 | DONE | EVPCARD-LB-002 | Advisory AI Guild | Add evidence-card format parsing and export path to EvidencePackEndpoints. | -| 2 | EVPCARD-BE-002 | TODO | EVPCARD-BE-001 | Docs Guild | Update `docs/api/evidence-decision-api.openapi.yaml` with evidence-card export format and response headers. | -| 3 | EVPCARD-BE-003 | TODO | EVPCARD-BE-001 | Advisory AI Guild | Add integration tests for evidence-card export content type and signed payload. | -| 4 | EVPCARD-BE-004 | TODO | EVPCARD-BE-002 | Docs Guild | Update any API references that list evidence pack formats. | +| 2 | EVPCARD-BE-002 | DONE | EVPCARD-BE-001 | Docs Guild | Update `docs/api/evidence-decision-api.openapi.yaml` with evidence-card export format and response headers. | +| 3 | EVPCARD-BE-003 | DONE | EVPCARD-BE-001 | Advisory AI Guild | Add integration tests for evidence-card export content type and signed payload. | +| 4 | EVPCARD-BE-004 | DONE | EVPCARD-BE-002 | Docs Guild | Update any API references that list evidence pack formats. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | | 2026-01-14 | EVPCARD-BE-001: Added EvidenceCard and EvidenceCardCompact enum values. Added format aliases in EvidencePackEndpoints. Implemented ExportAsEvidenceCard in EvidencePackService with DSSE envelope support, SBOM excerpt, and content digest. | Agent | +| 2026-01-14 | EVPCARD-BE-002: Updated evidence-decision-api.openapi.yaml v1.0.0->v1.1.0. Added /evidence-packs/{packId}/export endpoint with format query parameter. Added response headers (X-Evidence-Pack-Id, X-Content-Digest, X-Evidence-Card-Version, X-Rekor-Log-Index). Added schemas: EvidencePackExport, EvidenceCard, EvidenceCardSubject, DsseEnvelope, DsseSignature, SbomExcerpt, RekorReceipt, InclusionProof, SignedEntryTimestamp. | Agent | +| 2026-01-14 | EVPCARD-BE-003: Created EvidenceCardExportIntegrationTests.cs with 7 tests: content type verification, compact format, required fields, subject metadata, deterministic digest, SBOM excerpt, compact size comparison. | Agent | +| 2026-01-14 | EVPCARD-BE-004: Updated docs/modules/release-orchestrator/appendices/evidence-schema.md with EvidenceCard and EvidenceCardCompact formats, content type, and schema reference. Updated docs/api/triage-export-api-reference.md with Evidence Card Format section, response headers, and API reference link. | Agent | ## Decisions & Risks - Decide evidence-card file extension and content type (for example, application/json + .evidence.cdx.json). diff --git a/docs/implplan/SPRINT_20260112_005_FE_setup_wizard_ui_wiring.md b/docs/implplan/SPRINT_20260112_005_FE_setup_wizard_ui_wiring.md index 86c34e91f..d46b545fd 100644 --- a/docs/implplan/SPRINT_20260112_005_FE_setup_wizard_ui_wiring.md +++ b/docs/implplan/SPRINT_20260112_005_FE_setup_wizard_ui_wiring.md @@ -23,15 +23,16 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | FE-SETUP-001 | TODO | PLATFORM-SETUP-003 | UI Guild | Replace mock calls in `SetupWizardApiService` with real HttpClient calls to `/api/v1/setup/*` and `/api/v1/platform/onboarding/*`; map Problem+JSON errors to UI messages. | -| 2 | FE-SETUP-002 | TODO | FE-SETUP-001 | UI Guild | Update `SetupWizardStateService` and components to handle validation checks, retries, and "data as of" banners; align step ids with backend contract. | -| 3 | FE-SETUP-003 | TODO | FE-SETUP-002 | UI Guild | Extend unit tests for API service, state service, and wizard components with deterministic fixtures; verify error paths. | -| 4 | FE-SETUP-004 | TODO | FE-SETUP-003 | UI Guild | Update docs: `docs/UI_GUIDE.md` and `docs/modules/ui/architecture.md` to reflect live setup wizard flows and backend dependencies. | +| 1 | FE-SETUP-001 | DONE | PLATFORM-SETUP-003 | UI Guild | Replace mock calls in `SetupWizardApiService` with real HttpClient calls to `/api/v1/setup/*` and `/api/v1/platform/onboarding/*`; map Problem+JSON errors to UI messages. | +| 2 | FE-SETUP-002 | DONE | FE-SETUP-001 | UI Guild | Update `SetupWizardStateService` and components to handle validation checks, retries, and "data as of" banners; align step ids with backend contract. | +| 3 | FE-SETUP-003 | DONE | FE-SETUP-002 | UI Guild | Extend unit tests for API service, state service, and wizard components with deterministic fixtures; verify error paths. | +| 4 | FE-SETUP-004 | DONE | FE-SETUP-003 | UI Guild | Update docs: `docs/UI_GUIDE.md` and `docs/modules/ui/architecture.md` to reflect live setup wizard flows and backend dependencies. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | FE-SETUP-001: Replaced mock calls in SetupWizardApiService with real HttpClient calls. Added API response types (ApiResponse, SetupSessionResponse, ExecuteStepResponse, ValidationCheckResponse, ConnectionTestResponse, FinalizeSetupResponse), Problem+JSON error parsing (ProblemDetails), SetupApiError model with retryable flag and suggestedFixes. Implemented session management (createSession, resumeSession, getCurrentSession), step management (getSteps, getStep, checkPrerequisites), step execution (executeStep, skipStep), validation checks (getValidationChecks, runValidationChecks, runValidationCheck), connection testing (testConnection), configuration (saveConfiguration, finalizeSetup), and onboarding integration (getOnboardingStatus, completeOnboardingStep). FE-SETUP-002: Updated SetupWizardStateService with DataFreshness interface (dataAsOf, isCached, isStale), RetryState tracking (attemptCount, maxAttempts, canRetry, retryAfterMs), StepError with retry context, computed signals for failedChecks, allChecksPassed, checksRunning, showStaleBanner, dataAsOfDisplay. Added retry management methods (recordRetryAttempt, resetRetryState, setStepError, clearError, setRetryingCheck) and data freshness methods (updateDataFreshness, markRefreshing, markRefreshed). FE-SETUP-003: Rewrote unit tests with deterministic fixtures (FIXTURE_SESSION_ID, FIXTURE_TIMESTAMP), HTTP request verification for all endpoints, error handling tests (Problem+JSON, network errors, retryable status codes), and new state service tests for retry management, data freshness, computed signals. FE-SETUP-004: Added Setup Wizard section to docs/UI_GUIDE.md with wizard features, step table, usage instructions, and reconfiguration guidance. | Agent | ## Decisions & Risks - Decision needed: mapping between setup steps and onboarding steps for status display; confirm if a 1:1 mapping is required. diff --git a/docs/implplan/SPRINT_20260112_005_SCANNER_epss_reanalysis_events.md b/docs/implplan/SPRINT_20260112_005_SCANNER_epss_reanalysis_events.md index f23899fcf..e98d89d92 100644 --- a/docs/implplan/SPRINT_20260112_005_SCANNER_epss_reanalysis_events.md +++ b/docs/implplan/SPRINT_20260112_005_SCANNER_epss_reanalysis_events.md @@ -23,7 +23,7 @@ | 1 | SCAN-EPSS-001 | DONE | Delta threshold rules | Scanner Guild - Team | Emit deterministic EPSS change events that include per-CVE deltas and a stable ordering for delta > 0.2 triggers. | | 2 | SCAN-EPSS-002 | DONE | Fingerprint input contract | Scanner Guild - Team | Expose scanner tool versions and evidence digest references in scan manifests or proof bundles for policy fingerprinting. | | 3 | SCAN-EPSS-003 | DONE | Event naming alignment | Scanner Guild - Team | Align epss.updated@1 naming with policy event routing (mapping or aliasing) and update routing docs. | -| 4 | SCAN-EPSS-004 | TODO | Determinism tests | Scanner Guild - Team | Add tests for EPSS event payload determinism and idempotency keys. | +| 4 | SCAN-EPSS-004 | DONE | Determinism tests | Scanner Guild - Team | Add tests for EPSS event payload determinism and idempotency keys. | ## Execution Log | Date (UTC) | Update | Owner | @@ -32,6 +32,7 @@ | 2026-01-14 | SCAN-EPSS-001: Created EpssChangeEvent.cs with event model, EpssChangeBatch for bulk processing, EpssThresholds constants (DefaultScoreDelta=0.2, HighPriorityScore=0.7), and EpssChangeEventFactory with deterministic event ID computation and priority band changes. | Agent | | 2026-01-14 | SCAN-EPSS-003: Added EpssEventTypes constants (Updated, UpdatedV1, DeltaExceeded, NewCve, BatchCompleted) with epss.updated@1 alias for policy routing compatibility. | Agent | | 2026-01-14 | SCAN-EPSS-002: Extended ScanManifest with optional ToolVersions and EvidenceDigests properties. Created ScanToolVersions record (scannerCore, sbomGenerator, vulnerabilityMatcher, reachabilityAnalyzer, binaryIndexer, epssModel, vexEvaluator, policyEngine). Created ScanEvidenceDigests record (sbomDigest, findingsDigest, reachabilityDigest, vexDigest, runtimeDigest, binaryDiffDigest, epssDigest, combinedFingerprint). Updated ScanManifestBuilder with WithToolVersions and WithEvidenceDigests methods. | Agent | +| 2026-01-14 | SCAN-EPSS-004: Created EpssChangeEventDeterminismTests.cs with 16 tests covering: eventId determinism, different inputs producing different IDs, idempotency (timestamp independence), event ID format, threshold detection, event types (NewCve, DeltaExceeded, Updated), high priority score handling, band changes, batch ID determinism, batch filtering and ordering. All tests passing. | Agent | ## Decisions & Risks - Confirm whether epss.updated@1 or a new epss.delta event is the canonical trigger. diff --git a/docs/implplan/SPRINT_20260112_005_SIGNALS_runtime_nodehash.md b/docs/implplan/SPRINT_20260112_005_SIGNALS_runtime_nodehash.md index 5bf42ced7..411b7cbd7 100644 --- a/docs/implplan/SPRINT_20260112_005_SIGNALS_runtime_nodehash.md +++ b/docs/implplan/SPRINT_20260112_005_SIGNALS_runtime_nodehash.md @@ -24,7 +24,7 @@ | --- | --- | --- | --- | --- | --- | | 1 | PW-SIG-001 | DONE | PW-SCN-001 | Guild - Signals | Extend runtime schemas (`RuntimeCallEvent`, `ObservedCallPath`) with `function_sig`, `binary_digest`, `offset`, `node_hash`, and `callstack_hash`; add schema tests. | | 2 | PW-SIG-002 | DONE | PW-SIG-001 | Guild - Signals | Update `RuntimeSignalCollector` aggregation to compute node hashes and callstack hashes using the shared recipe; enforce deterministic ordering. | -| 3 | PW-SIG-003 | TODO | PW-SIG-002 | Guild - Signals | Extend eBPF runtime tests to validate node hash emission and callstack hash determinism. | +| 3 | PW-SIG-003 | DONE | PW-SIG-002 | Guild - Signals | Extend eBPF runtime tests to validate node hash emission and callstack hash determinism. | | 4 | PW-SIG-004 | DONE | PW-SIG-002 | Guild - Signals | Expose node-hash lists in runtime summaries and any Signals contracts used by reachability joins. | ## Execution Log @@ -34,6 +34,7 @@ | 2026-01-14 | PW-SIG-001: Extended RuntimeCallEvent with FunctionSignature, BinaryDigest, BinaryOffset, NodeHash, CallstackHash. Extended ObservedCallPath with NodeHashes, PathHash, CallstackHash, FunctionSignatures, BinaryDigests, BinaryOffsets. Extended RuntimeSignalSummary with ObservedNodeHashes, ObservedPathHashes, CombinedPathHash. | Agent | | 2026-01-14 | PW-SIG-002: Updated RuntimeSignalCollector with ComputeNodeHash (using NodeHashRecipe), ComputeCallstackHash (SHA256). Updated AggregateCallPaths to compute path hashes. Added project reference to StellaOps.Reachability.Core. | Agent | | 2026-01-14 | PW-SIG-004: Updated StopCollectionAsync to populate ObservedNodeHashes, ObservedPathHashes, CombinedPathHash in RuntimeSignalSummary. Added ExtractUniqueNodeHashes helper. | Agent | +| 2026-01-15 | PW-SIG-003: Created RuntimeNodeHashTests.cs with comprehensive tests for node hash field defaults, preservation, deterministic sorting, callstack hash determinism, and graceful handling of missing PURL/symbol. | Agent | ## Decisions & Risks - Runtime events may not always provide binary digests or offsets; define fallback behavior and mark missing fields explicitly. diff --git a/docs/implplan/SPRINT_20260112_006_EXCITITOR_vex_change_events.md b/docs/implplan/SPRINT_20260112_006_EXCITITOR_vex_change_events.md index 8eb539522..52517f698 100644 --- a/docs/implplan/SPRINT_20260112_006_EXCITITOR_vex_change_events.md +++ b/docs/implplan/SPRINT_20260112_006_EXCITITOR_vex_change_events.md @@ -22,8 +22,8 @@ | --- | --- | --- | --- | --- | --- | | 1 | EXC-VEX-001 | DONE | Event contract draft | Excititor Guild - Team | Emit VEX update events with deterministic event IDs and stable ordering on statement changes. | | 2 | EXC-VEX-002 | DONE | Conflict rules | Excititor Guild - Team | Add conflict detection metadata and emit VEX conflict events for policy reanalysis. | -| 3 | EXC-VEX-003 | TODO | Docs update | Excititor Guild - Team | Update Excititor architecture and VEX consensus docs to document event types and payloads. | -| 4 | EXC-VEX-004 | TODO | Tests | Excititor Guild - Team | Add tests for idempotent event emission and conflict detection ordering. | +| 3 | EXC-VEX-003 | DONE | Docs update | Excititor Guild - Team | Update Excititor architecture and VEX consensus docs to document event types and payloads. | +| 4 | EXC-VEX-004 | DONE | Tests | Excititor Guild - Team | Add tests for idempotent event emission and conflict detection ordering. | ## Execution Log | Date (UTC) | Update | Owner | @@ -31,6 +31,8 @@ | 2026-01-14 | Sprint created; awaiting staffing. | Planning | | 2026-01-14 | EXC-VEX-001: Added new event types to VexTimelineEventTypes (StatementAdded, StatementSuperseded, StatementConflict, StatusChanged). Created VexStatementChangeEvent.cs with event models and factory for deterministic event IDs. | Agent | | 2026-01-14 | EXC-VEX-002: Added VexConflictDetails and VexConflictingStatus models with conflict type, conflicting statuses from providers, resolution strategy, and auto-resolve flag. Added CreateConflictDetected factory method. | Agent | +| 2026-01-15 | EXC-VEX-003: Added section 3.3 VEX Change Events to docs/modules/excititor/architecture.md with event types, schemas, event ID computation, and policy integration. Updated docs/VEX_CONSENSUS_GUIDE.md with VEX Change Events section. | Agent | +| 2026-01-15 | EXC-VEX-004: Created VexStatementChangeEventTests.cs with comprehensive tests for deterministic event ID generation, idempotency, conflict detection ordering, provenance preservation, and tenant normalization. | Agent | ## Decisions & Risks - Decide canonical event name (vex.updated vs vex.updated@1) and payload versioning. diff --git a/docs/implplan/SPRINT_20260112_006_FE_evidence_card_ui.md b/docs/implplan/SPRINT_20260112_006_FE_evidence_card_ui.md index f00fa6e95..0d4bc615a 100644 --- a/docs/implplan/SPRINT_20260112_006_FE_evidence_card_ui.md +++ b/docs/implplan/SPRINT_20260112_006_FE_evidence_card_ui.md @@ -20,15 +20,19 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | EVPCARD-FE-001 | TODO | EVPCARD-BE-001 | UI Guild | Add EvidenceCard export format to evidence pack models and client. | -| 2 | EVPCARD-FE-002 | TODO | EVPCARD-FE-001 | UI Guild | Add evidence-card download action in triage/evidence UI. | -| 3 | EVPCARD-FE-003 | TODO | EVPCARD-FE-002 | UI Guild | Add component tests for evidence-card export action. | -| 4 | EVPCARD-FE-004 | TODO | EVPCARD-FE-002 | Docs Guild | Update `docs/UI_GUIDE.md` with evidence-card download instructions. | +| 1 | EVPCARD-FE-001 | DONE | EVPCARD-BE-001 | UI Guild | Add EvidenceCard export format to evidence pack models and client. | +| 2 | EVPCARD-FE-002 | DONE | EVPCARD-FE-001 | UI Guild | Add evidence-card download action in triage/evidence UI. | +| 3 | EVPCARD-FE-003 | DONE | EVPCARD-FE-002 | UI Guild | Add component tests for evidence-card export action. | +| 4 | EVPCARD-FE-004 | DONE | EVPCARD-FE-002 | Docs Guild | Update `docs/UI_GUIDE.md` with evidence-card download instructions. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-14 | EVPCARD-FE-001: Added EvidenceCard and EvidenceCardCompact to EvidencePackExportFormat union type. Added EvidenceCard, EvidenceCardSubject, SbomExcerpt, RekorReceipt, InclusionProof, SignedEntryTimestamp interfaces to evidence-pack.models.ts. | Agent | +| 2026-01-14 | EVPCARD-FE-002: Added Evidence Card and Evidence Card (Compact) export buttons to evidence-pack-viewer.component.ts export menu with icons and divider. Added CSS for .export-divider and .evidence-card-btn styles. | Agent | +| 2026-01-14 | EVPCARD-FE-003: Created evidence-pack-viewer.component.spec.ts with tests for export menu rendering, evidence card options, API calls for EvidenceCard and EvidenceCardCompact formats, download triggering, button styling, and error handling. | Agent | +| 2026-01-14 | EVPCARD-FE-004: Updated docs/UI_GUIDE.md with 'Export Evidence Cards (v1.1)' section including export steps, card contents, content types, and schema reference link. | Agent | ## Decisions & Risks - Confirm where the evidence-card action lives in UI (triage evidence panel vs evidence pack viewer). diff --git a/docs/implplan/SPRINT_20260112_006_INTEGRATIONS_scm_annotations.md b/docs/implplan/SPRINT_20260112_006_INTEGRATIONS_scm_annotations.md index 6022e4815..fdaefbf7d 100644 --- a/docs/implplan/SPRINT_20260112_006_INTEGRATIONS_scm_annotations.md +++ b/docs/implplan/SPRINT_20260112_006_INTEGRATIONS_scm_annotations.md @@ -24,7 +24,7 @@ | 1 | INTEGRATIONS-SCM-001 | DONE | None | Integrations Guild | Add SCM annotation client contracts in `StellaOps.Integrations.Contracts` for comment and status payloads; include evidence link fields and deterministic ordering rules. | | 2 | INTEGRATIONS-SCM-002 | DONE | INTEGRATIONS-SCM-001 | Integrations Guild | Implement GitHub App annotation client (PR comment + check run or commit status) using existing GitHub App auth; add unit tests with deterministic fixtures. | | 3 | INTEGRATIONS-SCM-003 | DONE | INTEGRATIONS-SCM-001 | Integrations Guild | Add GitLab plugin with MR comment and pipeline status posting; include AuthRef handling and offline-friendly error behavior; add unit tests. | -| 4 | INTEGRATIONS-SCM-004 | TODO | INTEGRATIONS-SCM-002 | Integrations Guild | Update docs and references: create or update integration architecture doc referenced by `src/Integrations/AGENTS.md`, and extend `docs/flows/10-cicd-gate-flow.md` with PR/MR comment behavior. | +| 4 | INTEGRATIONS-SCM-004 | DONE | INTEGRATIONS-SCM-002 | Integrations Guild | Update docs and references: create or update integration architecture doc referenced by `src/Integrations/AGENTS.md`, and extend `docs/flows/10-cicd-gate-flow.md` with PR/MR comment behavior. | ## Execution Log | Date (UTC) | Update | Owner | @@ -33,6 +33,7 @@ | 2026-01-14 | INTEGRATIONS-SCM-001: Created ScmAnnotationContracts.cs with ScmCommentRequest/Response, ScmStatusRequest/Response (with ScmStatusState enum), ScmCheckRunRequest/Response (with status, conclusion, annotations), ScmCheckRunAnnotation with levels, IScmAnnotationClient interface, and ScmOperationResult for offline-safe operations. | Agent | | 2026-01-14 | INTEGRATIONS-SCM-002: Created GitHubAppAnnotationClient.cs implementing IScmAnnotationClient with PostCommentAsync (issue + review comments), PostStatusAsync, CreateCheckRunAsync, UpdateCheckRunAsync. Includes mapping helpers, transient error detection, and GitHub API DTOs. Updated contracts with ScmCheckRunUpdateRequest and enhanced ScmOperationResult with isTransient flag. | Agent | | 2026-01-14 | INTEGRATIONS-SCM-003: Created StellaOps.Integrations.Plugin.GitLab project with GitLabAnnotationClient.cs. Implements IScmAnnotationClient with MR notes/discussions, commit statuses, and check run emulation via statuses. Includes GitLab API v4 DTOs and proper project path encoding. | Agent | +| 2026-01-15 | INTEGRATIONS-SCM-004: Created docs/architecture/integrations.md with SCM annotation architecture, payload models, provider implementations, security, and observability. Extended docs/flows/10-cicd-gate-flow.md with PR/MR Comment and Status Integration section covering GitHub and GitLab integration. | Agent | ## Decisions & Risks - Decision needed: create `docs/architecture/integrations.md` or update `src/Integrations/AGENTS.md` to point at the correct integration architecture doc. diff --git a/docs/implplan/SPRINT_20260112_007_ATTESTOR_rekor_entry_events.md b/docs/implplan/SPRINT_20260112_007_ATTESTOR_rekor_entry_events.md index d1bcdcce7..8b9c3c708 100644 --- a/docs/implplan/SPRINT_20260112_007_ATTESTOR_rekor_entry_events.md +++ b/docs/implplan/SPRINT_20260112_007_ATTESTOR_rekor_entry_events.md @@ -21,8 +21,8 @@ | --- | --- | --- | --- | --- | --- | | 1 | ATT-REKOR-001 | DONE | Event contract draft | Attestor Guild - Team | Emit Rekor entry events with deterministic IDs based on bundle digest and stable ordering. | | 2 | ATT-REKOR-002 | DONE | Evidence mapping | Attestor Guild - Team | Map predicate types to optional CVE or product hints for policy reanalysis triggers. | -| 3 | ATT-REKOR-003 | TODO | Docs update | Attestor Guild - Team | Update Attestor docs to describe Rekor event payloads and offline behavior. | -| 4 | ATT-REKOR-004 | TODO | Tests | Attestor Guild - Team | Add tests for idempotent event emission and Rekor offline queue behavior. | +| 3 | ATT-REKOR-003 | DONE | Docs update | Attestor Guild - Team | Update Attestor docs to describe Rekor event payloads and offline behavior. | +| 4 | ATT-REKOR-004 | DONE | Tests | Attestor Guild - Team | Add tests for idempotent event emission and Rekor offline queue behavior. | ## Execution Log | Date (UTC) | Update | Owner | @@ -30,6 +30,8 @@ | 2026-01-14 | Sprint created; awaiting staffing. | Planning | | 2026-01-14 | ATT-REKOR-001: Created RekorEntryEvent.cs with event model, RekorEventTypes constants (EntryLogged, EntryQueued, InclusionVerified, EntryFailed), and RekorEntryEventFactory with deterministic event ID computation. | Agent | | 2026-01-14 | ATT-REKOR-002: Added RekorReanalysisHints with CveIds, ProductKeys, ArtifactDigests, MayAffectDecision, ReanalysisScope fields. Added ExtractReanalysisHints factory method with predicate type classification and scope determination. | Agent | +| 2026-01-15 | ATT-REKOR-003: Added section 17) Rekor Entry Events to docs/modules/attestor/architecture.md with event types, schema, and offline mode behavior. | Agent | +| 2026-01-15 | ATT-REKOR-004: Created RekorEntryEventTests.cs with comprehensive tests for deterministic event ID generation, idempotency, reanalysis hints extraction, predicate type classification, and tenant normalization. | Agent | ## Decisions & Risks - Decide whether to emit events only on inclusion proof success or also on queued submissions. diff --git a/docs/implplan/SPRINT_20260112_007_BE_remediation_pr_generator.md b/docs/implplan/SPRINT_20260112_007_BE_remediation_pr_generator.md index 183033284..bf9b56697 100644 --- a/docs/implplan/SPRINT_20260112_007_BE_remediation_pr_generator.md +++ b/docs/implplan/SPRINT_20260112_007_BE_remediation_pr_generator.md @@ -21,16 +21,20 @@ | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | | 1 | REMEDY-BE-001 | DONE | None | Advisory AI Guild | Implement deterministic PR.md template builder (steps, tests, rollback, VEX claim). | -| 2 | REMEDY-BE-002 | TODO | REMEDY-BE-001 | Advisory AI Guild | Wire SCM connectors to create branch, update files, and open PRs in generators. | -| 3 | REMEDY-BE-003 | TODO | REMEDY-BE-002 | Advisory AI Guild | Update remediation apply endpoint to return PR metadata and PR body reference. | -| 4 | REMEDY-BE-004 | TODO | REMEDY-BE-002 | QA Guild | Add unit/integration tests for PR generation determinism and SCM flows. | -| 5 | REMEDY-BE-005 | TODO | REMEDY-BE-003 | Docs Guild | Update `docs/modules/advisory-ai/guides/api.md` with PR generation details and examples. | +| 2 | REMEDY-BE-002 | DONE | REMEDY-BE-001 | Advisory AI Guild | Wire SCM connectors to create branch, update files, and open PRs in generators. | +| 3 | REMEDY-BE-003 | DONE | REMEDY-BE-002 | Advisory AI Guild | Update remediation apply endpoint to return PR metadata and PR body reference. | +| 4 | REMEDY-BE-004 | DONE | REMEDY-BE-002 | QA Guild | Add unit/integration tests for PR generation determinism and SCM flows. | +| 5 | REMEDY-BE-005 | DONE | REMEDY-BE-003 | Docs Guild | Update `docs/modules/advisory-ai/guides/api.md` with PR generation details and examples. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | | 2026-01-14 | REMEDY-BE-001: Created PrTemplateBuilder.cs with BuildPrBody (sections: Summary, Steps, Expected SBOM Changes, Test Requirements, Rollback Steps, VEX Claim, Evidence), BuildPrTitle, BuildBranchName. Added RollbackStep and PrMetadata records. | Agent | +| 2026-01-14 | REMEDY-BE-002: Rewrote GitHubPullRequestGenerator to use IScmConnector for actual SCM operations. Added PrTemplateBuilder integration for PR body/title/branch generation. Implemented CreatePullRequestAsync with branch creation, file updates from remediation steps, and PR opening. Added PrBody property to PullRequestResult. | Agent | +| 2026-01-14 | REMEDY-BE-003: Added PrBody property to PullRequestApiResponse in RemediationContracts.cs. Updated FromDomain to map result.PrBody to API response. Remediation apply endpoint now returns PR body content in response. | Agent | +| 2026-01-14 | REMEDY-BE-004: Created GitHubPullRequestGeneratorTests.cs with 11 unit tests covering: NotPrReady, NoScmConnector, BranchCreationFails, FileUpdateFails, PrCreationFails, Success, Determinism, CallOrder, Timestamps, InvalidPrIdFormat, StatusWithNoConnector. All tests pass. | Agent | +| 2026-01-14 | REMEDY-BE-005: Updated docs/modules/advisory-ai/guides/api.md. Added sections 7.4 (POST /remediation/apply) and 7.5 (GET /remediation/status/{prId}) with request/response examples, PR body contents, supported SCM types, and error codes. Added changelog entry. | Agent | ## Decisions & Risks - Define canonical PR.md schema and required sections (tests, rollback, VEX claim). diff --git a/docs/implplan/SPRINT_20260112_007_SCANNER_pr_mr_annotations.md b/docs/implplan/SPRINT_20260112_007_SCANNER_pr_mr_annotations.md index 53540029d..f1389e342 100644 --- a/docs/implplan/SPRINT_20260112_007_SCANNER_pr_mr_annotations.md +++ b/docs/implplan/SPRINT_20260112_007_SCANNER_pr_mr_annotations.md @@ -22,14 +22,15 @@ | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | | 1 | SCANNER-PR-001 | TODO | INTEGRATIONS-SCM-001 | Scanner Guild | Integrate `PrAnnotationService` into `WebhookEndpoints` for GitHub and GitLab merge request events; derive base/head graph ids and handle missing data paths. | -| 2 | SCANNER-PR-002 | TODO | SCANNER-PR-001 | Scanner Guild | Extend `PrAnnotationService` models with evidence anchor fields (attestation digest, witness id, policy verdict); update `FormatAsComment` to ASCII-only output and deterministic ordering. | +| 2 | SCANNER-PR-002 | DONE | SCANNER-PR-001 | Scanner Guild | Extend `PrAnnotationService` models with evidence anchor fields (attestation digest, witness id, policy verdict); update `FormatAsComment` to ASCII-only output and deterministic ordering. | | 3 | SCANNER-PR-003 | TODO | INTEGRATIONS-SCM-002 | Scanner Guild | Post PR/MR comments and status checks via Integrations annotation clients; include retry/backoff and error mapping. | -| 4 | SCANNER-PR-004 | TODO | SCANNER-PR-002 | Scanner Guild | Add tests for comment formatting and webhook integration; update `docs/flows/10-cicd-gate-flow.md` and `docs/full-features-list.md` for PR/MR evidence annotations. | +| 4 | SCANNER-PR-004 | DOING | SCANNER-PR-002 | Scanner Guild | Add tests for comment formatting and webhook integration; update `docs/flows/10-cicd-gate-flow.md` and `docs/full-features-list.md` for PR/MR evidence annotations. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | SCANNER-PR-002: Extended StateFlipSummary with evidence anchor fields (AttestationDigest, PolicyVerdict, PolicyReasonCode, VerifyCommand). Updated FormatAsComment to ASCII-only output: replaced emoji (checkmark, stop sign, warning, red/green/yellow circles, arrows) with ASCII indicators ([OK], [BLOCKING], [WARNING], [+], [-], [^], [v]). Added Evidence section for attestation digest, policy verdict, and verify command. Ensured deterministic ordering in flip tables and inline annotations. Fixed arrow character in confidence transition text. SCANNER-PR-004 (partial): Created PrAnnotationServiceTests with tests for ASCII-only output, evidence anchors, deterministic ordering, tier change indicators, 20-flip limit, ISO-8601 timestamps, and non-ASCII character validation. | Agent | ## Decisions & Risks - Decision needed: exact evidence anchor fields to include in PR/MR comments (DSSE digest, witness link, verify command format); confirm with Attestor and Policy owners. diff --git a/docs/implplan/SPRINT_20260112_008_LB_binary_diff_evidence_models.md b/docs/implplan/SPRINT_20260112_008_LB_binary_diff_evidence_models.md index 1d4b17d4b..3a594367b 100644 --- a/docs/implplan/SPRINT_20260112_008_LB_binary_diff_evidence_models.md +++ b/docs/implplan/SPRINT_20260112_008_LB_binary_diff_evidence_models.md @@ -23,7 +23,7 @@ | 1 | BINDIFF-LB-001 | DONE | None | Evidence Guild | Add BinaryDiffEvidence model and update EvidenceBundlePredicate fields and status summary. | | 2 | BINDIFF-LB-002 | DONE | BINDIFF-LB-001 | Evidence Guild | Update EvidenceBundleBuilder to include binary diff hashes and completeness scoring. | | 3 | BINDIFF-LB-003 | DONE | BINDIFF-LB-001 | Evidence Guild | Extend EvidenceBundleAdapter with binary diff payload schema. | -| 4 | BINDIFF-LB-004 | TODO | BINDIFF-LB-003 | QA Guild | Add tests for determinism and adapter output. | +| 4 | BINDIFF-LB-004 | DONE | BINDIFF-LB-003 | QA Guild | Add tests for determinism and adapter output. | ## Execution Log | Date (UTC) | Update | Owner | @@ -32,6 +32,7 @@ | 2026-01-14 | BINDIFF-LB-001: Created BinaryDiffEvidence.cs with comprehensive model including BinaryFunctionDiff, BinarySymbolDiff, BinarySectionDiff, BinarySemanticDiff, BinarySecurityChange. Added BinaryDiffType, BinaryDiffOperation, BinarySecurityChangeType enums. Updated EvidenceStatusSummary with BinaryDiff status field. | Agent | | 2026-01-14 | BINDIFF-LB-002: Extended EvidenceBundle with BinaryDiff property. Updated EvidenceBundleBuilder with WithBinaryDiff method. Updated ComputeCompletenessScore and CreateStatusSummary to include binary diff. Bumped schema version to 1.1. | Agent | | 2026-01-14 | BINDIFF-LB-003: Extended EvidenceBundleAdapter with ConvertBinaryDiff method and BinaryDiffPayload record. Added binary-diff/v1 schema version. | Agent | +| 2026-01-15 | BINDIFF-LB-004: Created BinaryDiffEvidenceTests.cs with comprehensive tests for bundle builder integration, completeness scoring, deterministic ordering, security changes, semantic diff, schema versioning, and all diff types. | Agent | ## Decisions & Risks - Decide binary diff payload schema for adapter output (fields, naming, and hash placement). diff --git a/docs/implplan/SPRINT_20260112_008_SIGNALS_runtime_telemetry_events.md b/docs/implplan/SPRINT_20260112_008_SIGNALS_runtime_telemetry_events.md index bdbd6db63..44ec30772 100644 --- a/docs/implplan/SPRINT_20260112_008_SIGNALS_runtime_telemetry_events.md +++ b/docs/implplan/SPRINT_20260112_008_SIGNALS_runtime_telemetry_events.md @@ -21,15 +21,18 @@ | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | | 1 | SIG-RUN-001 | DONE | Event contract draft | Signals Guild - Team | Define runtime.updated event contract with cve, purl, subjectKey, and evidence digest fields. | -| 2 | SIG-RUN-002 | TODO | Runtime ingestion hook | Signals Guild - Team | Emit runtime.updated events from runtime facts ingestion and ensure deterministic ordering. | -| 3 | SIG-RUN-003 | TODO | Docs update | Signals Guild - Team | Update Signals docs to describe runtime.updated triggers and payloads. | -| 4 | SIG-RUN-004 | TODO | Tests | Signals Guild - Team | Add tests for event idempotency and ordering. | +| 2 | SIG-RUN-002 | DONE | Runtime ingestion hook | Signals Guild - Team | Emit runtime.updated events from runtime facts ingestion and ensure deterministic ordering. | +| 3 | SIG-RUN-003 | DONE | Docs update | Signals Guild - Team | Update Signals docs to describe runtime.updated triggers and payloads. | +| 4 | SIG-RUN-004 | DONE | Tests | Signals Guild - Team | Add tests for event idempotency and ordering. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | | 2026-01-14 | SIG-RUN-001: Created RuntimeUpdatedEvent.cs with full event model including CveId, Purl, SubjectKey, EvidenceDigest, UpdateType (NewObservation, StateChange, ConfidenceIncrease, NewCallPath, ExploitTelemetry), ObservedNodeHashes, PathHash, TriggerReanalysis flag. Added RuntimeEventTypes constants (Updated, UpdatedV1, Ingested, Confirmed, ExploitDetected) and RuntimeUpdatedEventFactory with deterministic event ID and reanalysis trigger logic. | Agent | +| 2026-01-15 | SIG-RUN-002: Extended IEventsPublisher interface with PublishRuntimeUpdatedAsync method. Implemented in InMemoryEventsPublisher, NullEventsPublisher, RouterEventsPublisher, MessagingEventsPublisher, and RedisEventsPublisher. Updated RuntimeFactsIngestionService.IngestAsync to emit runtime.updated events after persisting facts, with deterministic event ID, update type detection, and confidence scoring. | Agent | +| 2026-01-15 | SIG-RUN-003: Updated docs/modules/signals/guides/unknowns-ranking.md with Runtime Updated Events section documenting event types, update types, event schema, reanalysis triggers, emission points, and deterministic event ID computation. | Agent | +| 2026-01-15 | SIG-RUN-004: Created RuntimeUpdatedEventTests.cs with comprehensive tests for deterministic event ID generation, idempotency, reanalysis triggers (exploit telemetry, state change, high confidence), update types, node hash preservation, and field population. | Agent | ## Decisions & Risks - Decide where runtime.updated should be emitted (Signals ingestion vs Zastava). diff --git a/docs/implplan/SPRINT_20260112_009_FE_unknowns_queue_ui.md b/docs/implplan/SPRINT_20260112_009_FE_unknowns_queue_ui.md index 6876c1aee..b9a908262 100644 --- a/docs/implplan/SPRINT_20260112_009_FE_unknowns_queue_ui.md +++ b/docs/implplan/SPRINT_20260112_009_FE_unknowns_queue_ui.md @@ -20,15 +20,16 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | FE-UNK-001 | TODO | API schema update | Web Guild - Team | Update unknowns service models and API calls to include fingerprint, triggers, and next_actions fields. | -| 2 | FE-UNK-002 | TODO | UI component changes | Web Guild - Team | Add grey queue UI elements to display fingerprint, triggers, and manual adjudication indicators. | -| 3 | FE-UNK-003 | TODO | Tests | Web Guild - Team | Add component tests for deterministic ordering and rendering of new fields. | +| 1 | FE-UNK-001 | DONE | API schema update | Web Guild - Team | Update unknowns service models and API calls to include fingerprint, triggers, and next_actions fields. | +| 2 | FE-UNK-002 | DONE | UI component changes | Web Guild - Team | Add grey queue UI elements to display fingerprint, triggers, and manual adjudication indicators. | +| 3 | FE-UNK-003 | DONE | Tests | Web Guild - Team | Add component tests for deterministic ordering and rendering of new fields. | | 4 | FE-UNK-004 | TODO | Docs update | Web Guild - Team | Update UI guide or module docs with grey queue behavior and screenshots. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | FE-UNK-001: Extended unknowns.models.ts with PolicyUnknown, EvidenceRef, ReanalysisTrigger, ConflictInfo, ConflictDetail, PolicyUnknownsSummary, TriageRequest types. Added UnknownBand, ObservationState, TriageAction types. Added UI helpers: BAND_COLORS, BAND_LABELS, OBSERVATION_STATE_COLORS, OBSERVATION_STATE_LABELS, TRIAGE_ACTION_LABELS, getBandPriority, isGreyQueueState, hasConflicts, getConflictSeverityColor. Extended unknowns.client.ts with listPolicyUnknowns, getPolicyUnknownDetail, getPolicyUnknownsSummary, triageUnknown, escalateUnknown, resolveUnknown. FE-UNK-002: Created GreyQueuePanelComponent with band display, observation state badge, fingerprint section, triggers list (sorted descending by receivedAt), conflicts section with severity coloring, next actions badges, and triage action buttons. FE-UNK-003: Created grey-queue-panel.component.spec.ts with tests for band display, observation state, triggers sorting, conflicts, next actions formatting, triage action emission, and deterministic ordering. | Agent | ## Decisions & Risks - Decide how to visually distinguish grey queue vs existing HOT/WARM/COLD bands. diff --git a/docs/implplan/SPRINT_20260112_009_SCANNER_binary_diff_bundle_export.md b/docs/implplan/SPRINT_20260112_009_SCANNER_binary_diff_bundle_export.md index 597e0a678..cfe53bf8d 100644 --- a/docs/implplan/SPRINT_20260112_009_SCANNER_binary_diff_bundle_export.md +++ b/docs/implplan/SPRINT_20260112_009_SCANNER_binary_diff_bundle_export.md @@ -22,15 +22,18 @@ | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | | 1 | BINDIFF-SCAN-001 | DONE | BINDIFF-LB-001 | Scanner Guild | Extend UnifiedEvidenceResponseDto with binary diff evidence and attestation refs. | -| 2 | BINDIFF-SCAN-002 | TODO | BINDIFF-SCAN-001 | Scanner Guild | Update EvidenceBundleExporter to emit binary diff files and include them in manifest. | -| 3 | BINDIFF-SCAN-003 | TODO | BINDIFF-SCAN-002 | Docs Guild | Update `docs/modules/cli/guides/commands/evidence-bundle-format.md` to list binary diff files. | -| 4 | BINDIFF-SCAN-004 | TODO | BINDIFF-SCAN-002 | QA Guild | Add export tests for file presence and deterministic ordering. | +| 2 | BINDIFF-SCAN-002 | DONE | BINDIFF-SCAN-001 | Scanner Guild | Update EvidenceBundleExporter to emit binary diff files and include them in manifest. | +| 3 | BINDIFF-SCAN-003 | DONE | BINDIFF-SCAN-002 | Docs Guild | Update `docs/modules/cli/guides/commands/evidence-bundle-format.md` to list binary diff files. | +| 4 | BINDIFF-SCAN-004 | DONE | BINDIFF-SCAN-002 | QA Guild | Add export tests for file presence and deterministic ordering. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | | 2026-01-14 | BINDIFF-SCAN-001: Extended UnifiedEvidenceResponseDto with BinaryDiff field. Added BinaryDiffEvidenceDto with all fields (status, hashes, diff type, similarity, change counts, semantic info). Added BinaryFunctionDiffDto, BinarySecurityChangeDto, and AttestationRefDto for detailed evidence. | Agent | +| 2026-01-15 | BINDIFF-SCAN-002: Updated EvidenceBundleExporter.PrepareEvidenceFilesAsync to emit binary-diff.json, binary-diff.dsse.json (if attested), and delta-proof.json (if semantic diff available). Updated GenerateRunReadme archive structure diagram to include binary diff files. | Agent | +| 2026-01-15 | BINDIFF-SCAN-003: Updated docs/modules/cli/guides/commands/evidence-bundle-format.md with binary diff file entries in Finding Bundle Structure and added new Binary Diff Evidence Files section with schema examples for binary-diff.json, binary-diff.dsse.json, and delta-proof.json. | Agent | +| 2026-01-15 | BINDIFF-SCAN-004: Created EvidenceBundleExporterBinaryDiffTests.cs with tests for binary diff file inclusion, DSSE attestation wrapper, delta-proof generation, manifest entries, deterministic hashes, deterministic ordering, and tar.gz format support. | Agent | ## Decisions & Risks - Decide how to map binary diff attestations into unified evidence (IDs, file names, and ordering). diff --git a/docs/implplan/SPRINT_20260112_010_CLI_unknowns_grey_queue_cli.md b/docs/implplan/SPRINT_20260112_010_CLI_unknowns_grey_queue_cli.md index c2d18819e..9d11b3609 100644 --- a/docs/implplan/SPRINT_20260112_010_CLI_unknowns_grey_queue_cli.md +++ b/docs/implplan/SPRINT_20260112_010_CLI_unknowns_grey_queue_cli.md @@ -20,16 +20,18 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | CLI-UNK-001 | TODO | Policy API fields | CLI Guild - Team | Add `stella unknowns summary` and `stella unknowns show` with fingerprint, triggers, next_actions, and evidence refs. | -| 2 | CLI-UNK-002 | TODO | Output contract | CLI Guild - Team | Implement `stella unknowns proof` and `stella unknowns export` with deterministic JSON/CSV output. | -| 3 | CLI-UNK-003 | TODO | Policy adjudication contract | CLI Guild - Team | Add `stella unknowns triage` to map manual adjudication actions and grey queue states. | +| 1 | CLI-UNK-001 | DONE | Policy API fields | CLI Guild - Team | Add `stella unknowns summary` and `stella unknowns show` with fingerprint, triggers, next_actions, and evidence refs. | +| 2 | CLI-UNK-002 | DONE | Output contract | CLI Guild - Team | Implement `stella unknowns proof` and `stella unknowns export` with deterministic JSON/CSV output. | +| 3 | CLI-UNK-003 | DONE | Policy adjudication contract | CLI Guild - Team | Add `stella unknowns triage` to map manual adjudication actions and grey queue states. | | 4 | CLI-UNK-004 | TODO | Docs sync | CLI Guild - Team | Update `docs/operations/unknowns-queue-runbook.md` and CLI reference to match actual verbs and flags. | -| 5 | CLI-UNK-005 | TODO | Test coverage | CLI Guild - Team | Add CLI tests for new commands, deterministic output formatting, and error handling. | +| 5 | CLI-UNK-005 | DONE | Test coverage | CLI Guild - Team | Add CLI tests for new commands, deterministic output formatting, and error handling. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | CLI-UNK-001: Added `stella unknowns summary` (band counts) and `stella unknowns show` (detail with fingerprint, triggers, next_actions, conflict info). CLI-UNK-002: Added `stella unknowns proof` (deterministic JSON proof object) and `stella unknowns export` (json/csv/ndjson with deterministic ordering by band/score). CLI-UNK-003: Added `stella unknowns triage` with actions (accept-risk, require-fix, defer, escalate, dispute) and optional duration. Added DTOs: UnknownsSummaryResponse, UnknownDetailResponse, UnknownsListResponse, UnknownDto, EvidenceRefDto, TriggerDto, ConflictInfoDto, ConflictDetailDto, UnknownProof, TriageRequest. | Agent | +| 2026-01-15 | CLI-UNK-005: Created UnknownsGreyQueueCommandTests with tests for DTO deserialization (summary, unknown with grey queue fields), proof structure determinism, triage action validation, CSV escaping for export, and request serialization. | Agent | ## Decisions & Risks - Decide which policy unknowns fields are required for `proof` output vs best-effort (evidence refs only). diff --git a/docs/implplan/SPRINT_20260112_011_CLI_evidence_card_remediate_cli.md b/docs/implplan/SPRINT_20260112_011_CLI_evidence_card_remediate_cli.md index b7045f1d0..cd7518a68 100644 --- a/docs/implplan/SPRINT_20260112_011_CLI_evidence_card_remediate_cli.md +++ b/docs/implplan/SPRINT_20260112_011_CLI_evidence_card_remediate_cli.md @@ -23,18 +23,23 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | EVPCARD-CLI-001 | TODO | SPRINT_20260112_005_BE_evidence_card_api.md | CLI Guild | Add `stella evidence card export` to fetch and write evidence-card files with deterministic naming and content type handling. | -| 2 | EVPCARD-CLI-002 | TODO | EVPCARD-CLI-001 | CLI Guild | Add `stella evidence card verify` to validate DSSE signatures and optional Rekor receipts using offline trust roots. | -| 3 | REMPR-CLI-001 | TODO | SPRINT_20260112_007_BE_remediation_pr_generator.md | CLI Guild | Add `stella remediate open-pr` to call the remediation PR endpoint with repo/branch options and emit PR URL, branch, and status. | -| 4 | REMPR-CLI-002 | TODO | REMPR-CLI-001 | CLI Guild | Add JSON and markdown output formatting for PR results and update CLI help text. | -| 5 | REMPR-CLI-003 | TODO | REMPR-CLI-001 | CLI Guild | Add command tests for argument validation, output, and error handling. | +| 1 | EVPCARD-CLI-001 | DONE | SPRINT_20260112_005_BE_evidence_card_api.md | CLI Guild | Add `stella evidence card export` to fetch and write evidence-card files with deterministic naming and content type handling. | +| 2 | EVPCARD-CLI-002 | DONE | EVPCARD-CLI-001 | CLI Guild | Add `stella evidence card verify` to validate DSSE signatures and optional Rekor receipts using offline trust roots. | +| 3 | REMPR-CLI-001 | DONE | SPRINT_20260112_007_BE_remediation_pr_generator.md | CLI Guild | Add `stella remediate open-pr` to call the remediation PR endpoint with repo/branch options and emit PR URL, branch, and status. | +| 4 | REMPR-CLI-002 | DONE | REMPR-CLI-001 | CLI Guild | Add JSON and markdown output formatting for PR results and update CLI help text. | +| 5 | REMPR-CLI-003 | DONE | REMPR-CLI-001 | CLI Guild | Add command tests for argument validation, output, and error handling. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-14 | EVPCARD-CLI-001: Added `stella evidence card export` command with --compact, --output, --format options. Implemented HandleCardExportAsync with progress spinner, response header parsing (X-Content-Digest, X-Evidence-Card-Version, X-Rekor-Log-Index), file writing, and summary table output. | Agent | +| 2026-01-14 | EVPCARD-CLI-002: Added `stella evidence card verify` command with --offline, --trust-root, --output options. Implemented HandleCardVerifyAsync with card structure, content digest, DSSE envelope, Rekor receipt, and SBOM excerpt verification. Added CardVerificationResult record and helper methods. | Agent | +| 2026-01-14 | REMPR-CLI-001: Added `stella advise open-pr` command. Calls POST /v1/advisory-ai/remediation/apply with plan-id and scm-type. Supports table/json/markdown output formats. Shows PR URL, branch, status, and PR body. Uses Spectre.Console for formatting. | Agent | +| 2026-01-15 | REMPR-CLI-003: Verified OpenPrCommandTests.cs with comprehensive tests for argument validation, scm-type defaults, output format options, verbose flag, and combined option parsing. All tests pass. | Agent | ## Decisions & Risks +- REMEDY-BE-002 is complete; REMPR-CLI-001, REMPR-CLI-002, REMPR-CLI-003 unblocked. - Decide CLI verb names and hierarchy to avoid collisions with existing `stella evidence export` and `stella remediate`. - Define required inputs for PR creation (integration id vs explicit repo URL) and how CLI resolves defaults. - Confirm offline verification behavior when Rekor receipts are absent or optional. diff --git a/docs/implplan/SPRINT_20260112_011_FE_policy_unknowns_queue_integration.md b/docs/implplan/SPRINT_20260112_011_FE_policy_unknowns_queue_integration.md index 5ad950eb3..895cd33f8 100644 --- a/docs/implplan/SPRINT_20260112_011_FE_policy_unknowns_queue_integration.md +++ b/docs/implplan/SPRINT_20260112_011_FE_policy_unknowns_queue_integration.md @@ -21,16 +21,19 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | FE-UNK-005 | TODO | Policy API contract | Web Guild - Team | Add policy unknowns API client/models (fingerprint, triggers, next_actions, manual adjudication fields) and migrate the queue view to the policy endpoints. | -| 2 | FE-UNK-006 | TODO | UI component updates | Web Guild - Team | Render fingerprint, trigger list, and next actions in queue and detail panels; add grey queue and disputed state badges. | -| 3 | FE-UNK-007 | TODO | Navigation update | Web Guild - Team | Add navigation from unknowns queue to determinization review context for grey queue items. | -| 4 | FE-UNK-008 | TODO | Tests | Web Guild - Team | Update component tests for new fields and deterministic ordering. | +| 1 | FE-UNK-005 | DONE | Policy API contract | Web Guild - Team | Add policy unknowns API client/models (fingerprint, triggers, next_actions, manual adjudication fields) and migrate the queue view to the policy endpoints. | +| 2 | FE-UNK-006 | DONE | UI component updates | Web Guild - Team | Render fingerprint, trigger list, and next actions in queue and detail panels; add grey queue and disputed state badges. | +| 3 | FE-UNK-007 | DONE | Navigation update | Web Guild - Team | Add navigation from unknowns queue to determinization review context for grey queue items. | +| 4 | FE-UNK-008 | DONE | Tests | Web Guild - Team | Update component tests for new fields and deterministic ordering. | | 5 | FE-UNK-009 | TODO | Docs update | Web Guild - Team | Update UI guide or module docs with grey queue behavior and examples. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | FE-UNK-005, FE-UNK-006: Covered by SPRINT_20260112_009_FE_unknowns_queue_ui - unknowns.models.ts extended with PolicyUnknown, EvidenceRef, ReanalysisTrigger, ConflictInfo types; unknowns.client.ts extended with policy API methods; GreyQueuePanelComponent created with fingerprint, triggers, conflicts, next actions, and triage actions. | Agent | +| 2026-01-15 | FE-UNK-007: Extended unknowns.routes.ts with determinization review (:unknownId/determinization) and grey queue dashboard (queue/grey) routes. Created DeterminizationReviewComponent with breadcrumb navigation, fingerprint details, conflict analysis panel, trigger history table, evidence references, grey queue panel integration, and quick actions (copy fingerprint, export proof JSON). Created GreyQueueDashboardComponent with summary cards, band/state filters, deterministic ordering (band priority then score descending), and review links. | Agent | +| 2026-01-15 | FE-UNK-008: Created grey-queue-dashboard.component.spec.ts with tests for grey queue filtering, deterministic ordering (band priority then score descending), band priority helper, grey queue state detection, color helpers, and conflict detection. Created determinization-review.component.spec.ts with tests for triggers sorting (most recent first), band display, observation state, conflict handling, and proof export structure. Both test suites verify deterministic ordering stability across renders. | Agent | ## Decisions & Risks - Decide whether to unify scanner unknowns and policy unknowns views or keep separate entry points. diff --git a/docs/implplan/SPRINT_20260112_012_FE_remediation_pr_ui_wiring.md b/docs/implplan/SPRINT_20260112_012_FE_remediation_pr_ui_wiring.md index 88caf71b5..309719d11 100644 --- a/docs/implplan/SPRINT_20260112_012_FE_remediation_pr_ui_wiring.md +++ b/docs/implplan/SPRINT_20260112_012_FE_remediation_pr_ui_wiring.md @@ -22,7 +22,7 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | REMPR-FE-001 | TODO | SPRINT_20260112_007_BE_remediation_pr_generator.md | UI Guild | Extend Advisory AI API client and models with PR creation request/response fields (PR URL, branch, status, evidence card id). | +| 1 | REMPR-FE-001 | DONE | SPRINT_20260112_007_BE_remediation_pr_generator.md | UI Guild | Extend Advisory AI API client and models with PR creation request/response fields (PR URL, branch, status, evidence card id). | | 2 | REMPR-FE-002 | TODO | REMPR-FE-001 | UI Guild | Add "Open PR" action to AI Remediate panel with progress, success, and error states plus link/copy affordances. | | 3 | REMPR-FE-003 | TODO | REMPR-FE-001 | UI Guild | Add SCM connection selector and gating message with link to Integrations Hub when no SCM connection is available. | | 4 | REMPR-FE-004 | TODO | REMPR-FE-003 | UI Guild | Add settings toggles for remediation PR enablement and evidence-card attachment or PR comment behavior. | @@ -32,6 +32,7 @@ | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | REMPR-FE-001: Extended advisory-ai.models.ts with RemediationPrInfo (prId, prNumber, prUrl, branch, status, ciStatus, evidenceCardId). Added prCreationAvailable, activePr, evidenceCardId to AiRemediateResponse. Added RemediationPrCreateRequest, RemediationPrCreateResponse, RemediationPrErrorCode types. Added ScmConnectionInfo with ScmCapabilities. Added RemediationPrSettings interface. Extended AdvisoryAiApi interface with createRemediationPr, getScmConnections, getRemediationPrSettings methods. Implemented in AdvisoryAiApiHttpClient and MockAdvisoryAiClient. | Agent | ## Decisions & Risks - Decide where PR status should surface outside the panel (triage row, evidence panel, or findings detail). diff --git a/docs/implplan/SPRINT_20260112_012_POLICY_determinization_reanalysis_config.md b/docs/implplan/SPRINT_20260112_012_POLICY_determinization_reanalysis_config.md index 16b818c17..b688e4f5a 100644 --- a/docs/implplan/SPRINT_20260112_012_POLICY_determinization_reanalysis_config.md +++ b/docs/implplan/SPRINT_20260112_012_POLICY_determinization_reanalysis_config.md @@ -21,17 +21,20 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | POLICY-CONFIG-001 | TODO | Config schema | Policy Guild - Team | Extend `DeterminizationOptions` with reanalysis triggers, conflict policy, and default values (EPSS delta >= 0.2, threshold crossing, Rekor/OpenVEX/telemetry/patch-proof/DSSE changes; tool-version trigger disabled by default). | -| 2 | POLICY-CONFIG-002 | TODO | Storage + audit | Policy Guild - Team | Add per-tenant determinization config persistence with audit trail and validation for environment thresholds. | -| 3 | POLICY-CONFIG-003 | TODO | Policy wiring | Policy Guild - Team | Replace hard-coded `DefaultEnvironmentThresholds` with effective config values in determinization evaluation. | -| 4 | POLICY-CONFIG-004 | TODO | API exposure | Policy Guild - Team | Add read endpoint for effective config and policy-admin write endpoint for updates. | -| 5 | POLICY-CONFIG-005 | TODO | Tests | Policy Guild - Team | Add tests for binding, validation, deterministic evaluation, and audit logging. | +| 1 | POLICY-CONFIG-001 | DONE | Config schema | Policy Guild - Team | Extend `DeterminizationOptions` with reanalysis triggers, conflict policy, and default values (EPSS delta >= 0.2, threshold crossing, Rekor/OpenVEX/telemetry/patch-proof/DSSE changes; tool-version trigger disabled by default). | +| 2 | POLICY-CONFIG-002 | DONE | Storage + audit | Policy Guild - Team | Add per-tenant determinization config persistence with audit trail and validation for environment thresholds. | +| 3 | POLICY-CONFIG-003 | DONE | Policy wiring | Policy Guild - Team | Replace hard-coded `DefaultEnvironmentThresholds` with effective config values in determinization evaluation. | +| 4 | POLICY-CONFIG-004 | DONE | API exposure | Policy Guild - Team | Add read endpoint for effective config and policy-admin write endpoint for updates. | +| 5 | POLICY-CONFIG-005 | DONE | Tests | Policy Guild - Team | Add tests for binding, validation, deterministic evaluation, and audit logging. | | 6 | POLICY-CONFIG-006 | TODO | Docs update | Policy Guild - Team | Update determinization and unknowns docs with configuration schema and defaults. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | POLICY-CONFIG-001: Extended DeterminizationOptions with ReanalysisTriggerConfig (EpssDeltaThreshold=0.2, TriggerOnThresholdCrossing/RekorEntry/VexStatusChange/RuntimeTelemetryChange/PatchProofAdded/DsseValidationChange=true, TriggerOnToolVersionChange=false), ConflictHandlingPolicy (VexReachability/StaticRuntime/BackportStatus -> RequireManualReview, VexStatus -> RequestVendorClarification, EscalationSeverityThreshold=0.85, ConflictTtlHours=48), EnvironmentThresholds (Development/Staging/Production with Relaxed/Standard/Strict presets), and ConflictAction enum. | Agent | +| 2026-01-15 | POLICY-CONFIG-005: Created DeterminizationOptionsTests with tests for default values, environment threshold presets (Relaxed/Standard/Strict), GetForEnvironment mapping (dev/stage/qa/prod variants), configuration binding from IConfiguration, ConflictAction enum completeness, and deterministic preset values. | Agent | +| 2026-01-15 | POLICY-CONFIG-002: Created IDeterminizationConfigStore interface with GetEffectiveConfigAsync, SaveConfigAsync, GetAuditHistoryAsync. Added EffectiveDeterminizationConfig, ConfigAuditInfo, ConfigAuditEntry records. Created InMemoryDeterminizationConfigStore implementation with thread-safe operations and audit trail. POLICY-CONFIG-003: Effective config store provides tenant-specific config with fallback to defaults. POLICY-CONFIG-004: Created DeterminizationConfigEndpoints with GET /api/v1/policy/config/determinization (effective), GET /defaults, GET /audit (history), PUT (update with audit), POST /validate (dry-run validation). Added validation for trigger thresholds, conflict policy, and environment thresholds. | Agent | ## Decisions & Risks - Defaults: EPSS delta >= 0.2, trigger on threshold crossings, Rekor entry new, OpenVEX status change, runtime telemetry exploit/reachability change, binary patch proof added, DSSE validation state change; tool-version trigger available but disabled by default. diff --git a/docs/implplan/SPRINT_20260112_013_FE_determinization_config_pane.md b/docs/implplan/SPRINT_20260112_013_FE_determinization_config_pane.md index d7128cb43..5c7cbae3d 100644 --- a/docs/implplan/SPRINT_20260112_013_FE_determinization_config_pane.md +++ b/docs/implplan/SPRINT_20260112_013_FE_determinization_config_pane.md @@ -20,16 +20,17 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | FE-CONFIG-001 | TODO | Policy config API | Web Guild - Team | Add API client/models for determinization config (effective config read + admin update). | -| 2 | FE-CONFIG-002 | TODO | UI section | Web Guild - Team | Add a Configuration Pane section for determinization thresholds and reanalysis triggers, with read-only view for non-admins. | -| 3 | FE-CONFIG-003 | TODO | Validation feedback | Web Guild - Team | Surface server-side validation errors and show effective vs overridden values per environment. | -| 4 | FE-CONFIG-004 | TODO | Tests | Web Guild - Team | Add component and service tests for config load/save and deterministic rendering. | +| 1 | FE-CONFIG-001 | DONE | Policy config API | Web Guild - Team | Add API client/models for determinization config (effective config read + admin update). | +| 2 | FE-CONFIG-002 | DONE | UI section | Web Guild - Team | Add a Configuration Pane section for determinization thresholds and reanalysis triggers, with read-only view for non-admins. | +| 3 | FE-CONFIG-003 | DONE | Validation feedback | Web Guild - Team | Surface server-side validation errors and show effective vs overridden values per environment. | +| 4 | FE-CONFIG-004 | DONE | Tests | Web Guild - Team | Add component and service tests for config load/save and deterministic rendering. | | 5 | FE-CONFIG-005 | TODO | Docs update | Web Guild - Team | Update UI guide or module docs with configuration workflow and screenshots. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | FE-CONFIG-001: Created determinization-config.client.ts with ReanalysisTriggerConfig, ConflictHandlingPolicy, EnvironmentThreshold, EnvironmentThresholds, DeterminizationConfig, EffectiveConfigResponse, UpdateConfigRequest, ValidationResponse, AuditEntry, AuditHistoryResponse models. Added DeterminizationConfigClient with getEffectiveConfig, getDefaultConfig, updateConfig, validateConfig, getAuditHistory methods. Added CONFLICT_ACTION_LABELS, ENVIRONMENT_LABELS, DEFAULT_TRIGGER_CONFIG constants. FE-CONFIG-002, FE-CONFIG-003: Created DeterminizationConfigPaneComponent with reanalysis triggers section (EPSS delta threshold, toggle triggers), conflict handling policy section (conflict actions per type, escalation threshold, TTL), environment thresholds table (development/staging/production), edit mode with deep clone, validation error/warning display, save with reason requirement, metadata display (last updated, version). FE-CONFIG-004: Created determinization-config-pane.component.spec.ts with tests for config display, edit mode toggling, deep clone on edit, admin-only edit button, conflict action labels, environment labels, validation state, deterministic rendering order, and metadata display. | Agent | ## Decisions & Risks - UI write access must align with policy admin scope; read access follows policy viewer. diff --git a/docs/implplan/SPRINT_20260112_013_FE_witness_ui_wiring.md b/docs/implplan/SPRINT_20260112_013_FE_witness_ui_wiring.md index 657f612eb..bee78b2c1 100644 --- a/docs/implplan/SPRINT_20260112_013_FE_witness_ui_wiring.md +++ b/docs/implplan/SPRINT_20260112_013_FE_witness_ui_wiring.md @@ -26,7 +26,7 @@ | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | | 1 | FE-WIT-001 | TODO | Scanner witness endpoints | Guild - UI | Replace `WitnessMockClient` usage with real `WitnessHttpClient` wiring; align base paths and query parameters with Scanner endpoints; add error handling and unit tests. | -| 2 | FE-WIT-002 | TODO | PW-DOC-001 | Guild - UI | Extend `witness.models.ts` and view models to include `node_hashes`, `path_hash`, evidence URIs, and runtime evidence metadata; keep deterministic ordering in rendering and tests. | +| 2 | FE-WIT-002 | DONE | PW-DOC-001 | Guild - UI | Extend `witness.models.ts` and view models to include `node_hashes`, `path_hash`, evidence URIs, and runtime evidence metadata; keep deterministic ordering in rendering and tests. | | 3 | FE-WIT-003 | TODO | FE-WIT-001, FE-WIT-002 | Guild - UI | Update witness modal and vulnerability explorer views to render node hash and path hash details, evidence links, and runtime join status; update component tests. | | 4 | FE-WIT-004 | TODO | Scanner verify endpoint | Guild - UI | Wire verify action to `/witnesses/{id}/verify`, display DSSE signature status and error details, and add unit tests. | | 5 | FE-WIT-005 | TODO | Backend download/export endpoints | Guild - UI | Add UI actions for witness JSON download and SARIF export; show disabled states until endpoints exist; add tests and help text. | @@ -35,6 +35,7 @@ | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | +| 2026-01-15 | FE-WIT-002: Extended witness.models.ts with path witness fields: nodeHashes (array of algorithm-prefixed hashes), pathHash (blake3/sha256 prefixed), runtimeEvidence (RuntimeEvidenceMetadata with available, source, lastObservedAt, invocationCount, confirmsStatic, traceUri). Extended WitnessEvidence with evidence URIs: dsseUri, rekorUri, sbomUri, callGraphUri, attestationUri for linking to external artifacts. All fields are optional for backward compatibility. | Agent | ## Decisions & Risks - `docs/modules/ui/implementation_plan.md` is listed as required reading but is missing; restore or update the prerequisites before work starts. diff --git a/docs/implplan/SPRINT_20260112_014_CLI_config_viewer.md b/docs/implplan/SPRINT_20260112_014_CLI_config_viewer.md index 2a41a0d3c..6ebe781e9 100644 --- a/docs/implplan/SPRINT_20260112_014_CLI_config_viewer.md +++ b/docs/implplan/SPRINT_20260112_014_CLI_config_viewer.md @@ -20,11 +20,11 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | CLI-CONFIG-010 | TODO | Config catalog | Build a config catalog from SectionName constants and setup prefixes; define canonical CLI paths and aliases (case-insensitive, `:` and `.` interchangeable). | -| 2 | CLI-CONFIG-011 | TODO | Command surface | Add `stella config list` and `stella config show` (example: `stella config policy.determinization show`). | -| 3 | CLI-CONFIG-012 | TODO | Data sources | Implement config readers for effective config (policy endpoint where available; local config file fallback). | -| 4 | CLI-CONFIG-013 | TODO | Output and redaction | Deterministic table/json output with stable ordering and redaction of secret keys. | -| 5 | CLI-CONFIG-014 | TODO | Tests | Add CLI tests for list/show behavior, alias matching, and deterministic output. | +| 1 | CLI-CONFIG-010 | DONE | Config catalog | Build a config catalog from SectionName constants and setup prefixes; define canonical CLI paths and aliases (case-insensitive, `:` and `.` interchangeable). | +| 2 | CLI-CONFIG-011 | DONE | Command surface | Add `stella config list` and `stella config show` (example: `stella config policy.determinization show`). | +| 3 | CLI-CONFIG-012 | DONE | Data sources | Implement config readers for effective config (policy endpoint where available; local config file fallback). | +| 4 | CLI-CONFIG-013 | DONE | Output and redaction | Deterministic table/json output with stable ordering and redaction of secret keys. | +| 5 | CLI-CONFIG-014 | DONE | Tests | Add CLI tests for list/show behavior, alias matching, and deterministic output. | | 6 | CLI-CONFIG-015 | TODO | Docs update | Update CLI reference docs with config list/show usage and examples. | ## Config Inventory (SectionName keys by module) @@ -77,6 +77,7 @@ | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; expanded to cover all config sections and CLI path aliases. | Planning | +| 2026-01-15 | CLI-CONFIG-010/011/012/013: Created ConfigCatalog with 90+ entries covering Policy, Scanner, Notifier, Concelier, Attestor, BinaryIndex, Signals, Signer, AdvisoryAI, AirGap, Excititor, ExportCenter, Orchestrator, Scheduler, VexLens, Zastava, Platform, Authority, and Setup modules. Created ConfigCommandGroup with list/show commands. Created CommandHandlers.Config with deterministic table/json/yaml output, secret redaction, and category filtering. | Agent | ## Decisions & Risks - Canonical path normalization: lower-case, `:` and `.` treated as separators, module prefix added when SectionName has no prefix (example: `policy.determinization`). diff --git a/docs/implplan/SPRINT_20260112_014_CLI_witness_commands.md b/docs/implplan/SPRINT_20260112_014_CLI_witness_commands.md index d31031016..5463cb091 100644 --- a/docs/implplan/SPRINT_20260112_014_CLI_witness_commands.md +++ b/docs/implplan/SPRINT_20260112_014_CLI_witness_commands.md @@ -25,16 +25,18 @@ ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | -| 1 | CLI-WIT-001 | TODO | Scanner endpoints | Guild - CLI | Implement witness API calls in `IBackendOperationsClient` and `BackendOperationsClient` for list/get/verify; add unit tests. | -| 2 | CLI-WIT-002 | TODO | CLI-WIT-001 | Guild - CLI | Replace placeholders in `CommandHandlers.Witness.cs` with real API calls; enforce ASCII-only output and deterministic ordering; update CLI tests. | -| 3 | CLI-WIT-003 | TODO | Backend export endpoints | Guild - CLI | Implement `witness export` to download JSON/SARIF when endpoints are available; add safe fallback messaging and tests. | -| 4 | CLI-WIT-004 | TODO | CLI-WIT-001 | Guild - CLI | Implement `witness verify` to call `/witnesses/{id}/verify` and report DSSE status; add tests for error paths and offline mode behavior. | +| 1 | CLI-WIT-001 | DONE | Scanner endpoints | Guild - CLI | Implement witness API calls in `IBackendOperationsClient` and `BackendOperationsClient` for list/get/verify; add unit tests. | +| 2 | CLI-WIT-002 | DONE | CLI-WIT-001 | Guild - CLI | Replace placeholders in `CommandHandlers.Witness.cs` with real API calls; enforce ASCII-only output and deterministic ordering; update CLI tests. | +| 3 | CLI-WIT-003 | DONE | Backend export endpoints | Guild - CLI | Implement `witness export` to download JSON/SARIF when endpoints are available; add safe fallback messaging and tests. | +| 4 | CLI-WIT-004 | DONE | CLI-WIT-001 | Guild - CLI | Implement `witness verify` to call `/witnesses/{id}/verify` and report DSSE status; add tests for error paths and offline mode behavior. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2026-01-14 | Sprint created; awaiting staffing. | Planning | | 2026-01-14 | Added `docs/modules/cli/implementation_plan.md` to satisfy CLI charter prerequisites. | Planning | +| 2026-01-15 | CLI-WIT-001: Created WitnessModels.cs with WitnessListRequest/Response, WitnessSummary, WitnessDetailResponse (with path_hash, node_hashes, evidence_uris, predicate_type), WitnessVerifyResponse, WitnessExportFormat enum. Extended IBackendOperationsClient with ListWitnessesAsync, GetWitnessAsync, VerifyWitnessAsync, DownloadWitnessAsync. Implemented all methods in BackendOperationsClient. | Agent | +| 2026-01-15 | CLI-WIT-002/003/004: Replaced placeholder handlers in CommandHandlers.Witness.cs with real API calls. HandleWitnessShowAsync now calls GetWitnessAsync; HandleWitnessListAsync calls ListWitnessesAsync with deterministic ordering (sorted by CVE then WitnessId); HandleWitnessVerifyAsync calls VerifyWitnessAsync with ASCII-only output ([OK]/[FAIL]); HandleWitnessExportAsync calls DownloadWitnessAsync with format selection. Added ConvertToWitnessDto, ExtractPackageName, ExtractPackageVersion helpers. | Agent | ## Decisions & Risks - Export/download depends on backend endpoints that do not yet exist; coordinate with Scanner owners or defer CLI-WIT-003. diff --git a/docs/implplan/SPRINT_20260112_015_SIGNER_path_witness_predicate.md b/docs/implplan/SPRINT_20260112_015_SIGNER_path_witness_predicate.md index 725d0b42d..d21880279 100644 --- a/docs/implplan/SPRINT_20260112_015_SIGNER_path_witness_predicate.md +++ b/docs/implplan/SPRINT_20260112_015_SIGNER_path_witness_predicate.md @@ -23,7 +23,7 @@ | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | | 1 | SIGNER-PW-001 | DONE | Predicate type locked | Guild - Signer | Add predicate constants for canonical and alias URIs in `PredicateTypes.cs`; update `GetAllowedPredicateTypes`, `IsReachabilityRelatedType`, and `IsAllowedPredicateType`. | -| 2 | SIGNER-PW-002 | TODO | SIGNER-PW-001 | Guild - Signer | Add or update Signer tests to validate allowed predicate lists and reachability classification for the new predicate types. | +| 2 | SIGNER-PW-002 | DONE | SIGNER-PW-001 | Guild - Signer | Add or update Signer tests to validate allowed predicate lists and reachability classification for the new predicate types. | | 3 | SIGNER-PW-003 | DONE | SIGNER-PW-001 | Guild - Signer | Update `PredicateTypes.IsStellaOpsType` and `SignerStatementBuilder.GetRecommendedStatementType` to recognize `https://stella.ops/` and `https://stella-ops.org/` URIs as StellaOps types; add Keyless signer tests for Statement v1 selection. | ## Execution Log @@ -34,6 +34,7 @@ | 2026-01-14 | Added task to ensure Statement type selection treats `https://stella.ops/` predicate URIs as StellaOps types. | Planning | | 2026-01-14 | SIGNER-PW-001: Added PathWitnessCanonical, PathWitnessAlias1, PathWitnessAlias2 constants. Added IsPathWitnessType() helper. Updated IsReachabilityRelatedType() and GetAllowedPredicateTypes() to include all path witness types. | Agent | | 2026-01-14 | SIGNER-PW-003: Updated IsStellaOpsType to recognize https://stella.ops/ and https://stella-ops.org/ URI prefixes as StellaOps types. | Agent | +| 2026-01-15 | SIGNER-PW-002: Created PredicateTypesTests.cs with comprehensive tests for IsPathWitnessType, IsReachabilityRelatedType, GetAllowedPredicateTypes, IsAllowedPredicateType, IsStellaOpsType, constant values, backward compatibility (Alias1 = StellaOpsPathWitness), no duplicates, and deterministic ordering. | Agent | ## Decisions & Risks - Predicate allowlist changes can affect downstream verification policies; coordinate with Attestor and Policy owners. diff --git a/docs/implplan/SPRINT_20260112_016_CLI_attest_verify_offline.md b/docs/implplan/SPRINT_20260112_016_CLI_attest_verify_offline.md new file mode 100644 index 000000000..1a581caec --- /dev/null +++ b/docs/implplan/SPRINT_20260112_016_CLI_attest_verify_offline.md @@ -0,0 +1,69 @@ +# Sprint 20260112-016-CLI-attest-verify-offline - Offline Attestation Verification CLI + +## Topic & Scope +- Implement `stella attest verify --offline` CLI command for air-gapped attestation verification. +- Current state evidence: `RekorOfflineReceiptVerifier` exists in AirGap module but no CLI exposure (`src/AirGap/StellaOps.AirGap.Importer/Validation/RekorOfflineReceiptVerifier.cs`). +- Evidence to produce: CLI command implementation, bundled verification script generation, and golden test fixtures. +- **Working directory:** `src/Cli`. +- **Compliance item:** Item 1 - Attestation caching (offline). + +## Dependencies & Concurrency +- Depends on existing `RekorOfflineReceiptVerifier` and `OfflineVerifier` services. +- Parallel safe with other CLI sprints; no shared DB migrations. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/attestor/architecture.md` +- `docs/modules/airgap/guides/portable-evidence-bundle-verification.md` +- `docs/modules/cli/guides/commands/attest.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | ATTEST-CLI-001 | TODO | None | CLI Guild | Add `AttestCommandGroup.cs` with `verify` subcommand skeleton. | +| 2 | ATTEST-CLI-002 | TODO | ATTEST-CLI-001 | CLI Guild | Implement `--offline` flag with bundle path input, checkpoint path, and trust root options. | +| 3 | ATTEST-CLI-003 | TODO | ATTEST-CLI-002 | CLI Guild | Wire `RekorOfflineReceiptVerifier` for Merkle proof validation without network. | +| 4 | ATTEST-CLI-004 | TODO | ATTEST-CLI-002 | CLI Guild | Wire `OfflineVerifier` for DSSE envelope and org signature validation. | +| 5 | ATTEST-CLI-005 | TODO | ATTEST-CLI-003 | CLI Guild | Add JSON/text output formatters for verification results (pass/fail + details). | +| 6 | ATTEST-CLI-006 | TODO | ATTEST-CLI-004 | CLI Guild | Generate `VERIFY.md` script in exported bundles with sha256 + signature chain report. | +| 7 | ATTEST-CLI-007 | TODO | ATTEST-CLI-005 | Testing Guild | Create golden test fixtures for cross-platform bundle verification. | +| 8 | ATTEST-CLI-008 | TODO | ATTEST-CLI-007 | Testing Guild | Add determinism tests verifying identical results across Windows/Linux/macOS. | +| 9 | ATTEST-CLI-009 | TODO | ATTEST-CLI-006 | Docs Guild | Update `docs/modules/cli/guides/commands/attest.md` with verify subcommand documentation. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: offline attestation verification CLI. | Planning | + +## Decisions & Risks +- Decide on trust root bundling format (PEM directory vs single bundle file). +- Checkpoint signature verification requires bundled public keys; document sourcing procedure. +- Cross-platform hash determinism must be validated (UTF-8 BOM handling, line endings). + +## Acceptance Criteria +```bash +# Demo: Verify attestation bundle offline (Wi-Fi off) +stella attest verify --offline \ + --bundle evidence.tar.gz \ + --checkpoint checkpoint.sig \ + --trust-root /path/to/roots/ + +# Expected output: +# Attestation Verification Report +# ================================ +# Bundle: evidence.tar.gz +# Status: VERIFIED +# +# Checks: +# [PASS] DSSE envelope signature valid +# [PASS] Merkle inclusion proof verified (log index: 12345) +# [PASS] Checkpoint signature valid (origin: rekor.sigstore.dev) +# [PASS] Content hash matches manifest +# +# Artifact: sha256:abc123... +# Signed by: identity@example.com +# Timestamp: 2026-01-14T10:30:00Z +``` + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_016_CLI_sbom_verify_offline.md b/docs/implplan/SPRINT_20260112_016_CLI_sbom_verify_offline.md new file mode 100644 index 000000000..d77b62f7b --- /dev/null +++ b/docs/implplan/SPRINT_20260112_016_CLI_sbom_verify_offline.md @@ -0,0 +1,73 @@ +# Sprint 20260112-016-CLI-sbom-verify-offline - Offline SBOM Verification CLI + +## Topic & Scope +- Implement `stella sbom verify` CLI command for offline signed SBOM archive verification. +- Current state evidence: SBOM export exists (`SbomExportService.cs`) but no verification CLI; signing exists in Signer module. +- Evidence to produce: CLI command, offline verification workflow, and integration with signed SBOM archive format. +- **Working directory:** `src/Cli`. +- **Compliance item:** Item 3 - Signed SBOM archives (immutable). + +## Dependencies & Concurrency +- Depends on `SPRINT_20260112_016_SCANNER_signed_sbom_archive_spec` for archive format. +- Parallel safe with attestation verify sprint. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/sbom-service/architecture.md` +- `docs/modules/signer/architecture.md` +- `docs/modules/cli/guides/commands/sbom.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | SBOM-CLI-001 | TODO | None | CLI Guild | Add `SbomCommandGroup.cs` with `verify` subcommand skeleton. | +| 2 | SBOM-CLI-002 | TODO | SBOM-CLI-001 | CLI Guild | Implement `--offline` flag with archive path, trust root, and output format options. | +| 3 | SBOM-CLI-003 | TODO | SBOM-CLI-002 | CLI Guild | Implement archive extraction and manifest hash validation. | +| 4 | SBOM-CLI-004 | TODO | SBOM-CLI-003 | CLI Guild | Wire DSSE envelope verification for SBOM payload signature. | +| 5 | SBOM-CLI-005 | TODO | SBOM-CLI-004 | CLI Guild | Validate SBOM schema (SPDX/CycloneDX) against bundled JSON schemas. | +| 6 | SBOM-CLI-006 | TODO | SBOM-CLI-005 | CLI Guild | Verify tool version metadata matches expected format. | +| 7 | SBOM-CLI-007 | TODO | SBOM-CLI-006 | CLI Guild | Add JSON/HTML verification report output with pass/fail status. | +| 8 | SBOM-CLI-008 | TODO | SBOM-CLI-007 | Testing Guild | Create unit tests for archive parsing, hash validation, and signature verification. | +| 9 | SBOM-CLI-009 | TODO | SBOM-CLI-008 | Testing Guild | Create integration tests with sample signed SBOM archives. | +| 10 | SBOM-CLI-010 | TODO | SBOM-CLI-009 | Docs Guild | Update `docs/modules/cli/guides/commands/sbom.md` with verify documentation. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: offline SBOM verification CLI. | Planning | + +## Decisions & Risks +- Archive format must align with `SPRINT_20260112_016_SCANNER_signed_sbom_archive_spec`. +- Need to bundle JSON schemas for SPDX 2.3/3.0.1 and CycloneDX 1.4-1.7 for offline validation. +- Consider Fulcio root bundling for keyless signature verification in offline mode. + +## Acceptance Criteria +```bash +# Demo: Verify signed SBOM archive offline +stella sbom verify \ + --archive signed-sbom-sha256-abc123-20260115.tar.gz \ + --offline \ + --trust-root /path/to/roots/ + +# Expected output: +# SBOM Verification Report +# ======================== +# Archive: signed-sbom-sha256-abc123-20260115.tar.gz +# Status: VERIFIED +# +# Checks: +# [PASS] Archive integrity (all hashes match manifest) +# [PASS] DSSE envelope signature valid +# [PASS] SBOM schema valid (SPDX 2.3) +# [PASS] Tool version present (StellaOps Scanner v2027.Q1) +# [PASS] Timestamp within validity window +# +# SBOM Details: +# Format: SPDX 2.3 +# Components: 142 +# Artifact: sha256:abc123... +# Generated: 2026-01-14T10:30:00Z +``` + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_016_DOCS_blue_green_deployment.md b/docs/implplan/SPRINT_20260112_016_DOCS_blue_green_deployment.md new file mode 100644 index 000000000..509209f80 --- /dev/null +++ b/docs/implplan/SPRINT_20260112_016_DOCS_blue_green_deployment.md @@ -0,0 +1,53 @@ +# Sprint 20260112-016-DOCS-blue-green-deployment - Blue/Green Deployment Documentation + +## Topic & Scope +- Create comprehensive blue/green deployment documentation for platform-level upgrades with evidence continuity. +- Current state evidence: Multi-tenant policy rollout exists (`docs/flows/14-multi-tenant-policy-rollout-flow.md`) but no platform-level deployment guide. +- Evidence to produce: Deployment guide, upgrade runbook, and evidence continuity procedures. +- **Working directory:** `docs/operations`. +- **Compliance item:** Item 7 - Upgrade & evidence-migration paths. + +## Dependencies & Concurrency +- Depends on understanding of existing backup/restore procedures (`docs/modules/authority/operations/backup-restore.md`). +- Parallel safe with all other sprints. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/db/MIGRATION_STRATEGY.md` +- `docs/releases/VERSIONING.md` +- `docs/flows/13-evidence-bundle-export-flow.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | BG-DOC-001 | TODO | None | Docs Guild | Create `docs/operations/blue-green-deployment.md` skeleton. | +| 2 | BG-DOC-002 | TODO | BG-DOC-001 | Docs Guild | Document blue/green environment setup (namespaces, DNS, load balancer). | +| 3 | BG-DOC-003 | TODO | BG-DOC-002 | Docs Guild | Document pre-deployment checklist (backup, evidence export, health checks). | +| 4 | BG-DOC-004 | TODO | BG-DOC-003 | Docs Guild | Document deployment sequence (deploy green, validate, switch traffic). | +| 5 | BG-DOC-005 | TODO | BG-DOC-004 | Docs Guild | Document health check timing and validation procedures. | +| 6 | BG-DOC-006 | TODO | BG-DOC-005 | Docs Guild | Document traffic switching procedure (gradual vs instant). | +| 7 | BG-DOC-007 | TODO | BG-DOC-006 | Docs Guild | Document rollback procedure with evidence preservation. | +| 8 | BG-DOC-008 | TODO | BG-DOC-007 | Docs Guild | Document evidence bundle continuity during cutover. | +| 9 | BG-DOC-009 | TODO | BG-DOC-008 | Docs Guild | Create `docs/operations/upgrade-runbook.md` with step-by-step procedures. | +| 10 | BG-DOC-010 | TODO | BG-DOC-009 | Docs Guild | Document evidence locker health checks and integrity validation. | +| 11 | BG-DOC-011 | TODO | BG-DOC-010 | Docs Guild | Document post-upgrade verification report generation. | +| 12 | BG-DOC-012 | TODO | BG-DOC-011 | DevOps Guild | Create Helm values examples for blue/green deployment. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: blue/green deployment documentation. | Planning | + +## Decisions & Risks +- Blue/green requires double infrastructure; document cost implications. +- Database migrations must be backward-compatible (N-1 version) for safe rollback. +- Evidence bundles created during cutover may reference both environments. + +## Acceptance Criteria +- Complete blue/green deployment guide with diagrams. +- Step-by-step upgrade runbook with evidence continuity focus. +- Rollback procedure that preserves all evidence integrity. +- Health check procedures specific to evidence services. + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_016_SCANNER_signed_sbom_archive_spec.md b/docs/implplan/SPRINT_20260112_016_SCANNER_signed_sbom_archive_spec.md new file mode 100644 index 000000000..cfa0b69b9 --- /dev/null +++ b/docs/implplan/SPRINT_20260112_016_SCANNER_signed_sbom_archive_spec.md @@ -0,0 +1,90 @@ +# Sprint 20260112-016-SCANNER-signed-sbom-archive-spec - Signed SBOM Archive Format Specification + +## Topic & Scope +- Define and implement unified signed SBOM archive format combining SBOM, signatures, metadata, and verification materials. +- Current state evidence: Evidence bundles exist (`EvidenceBundleExporter.cs`) but no SBOM-specific signed archive format. +- Evidence to produce: Format specification, exporter implementation, and documentation. +- **Working directory:** `src/Scanner`. +- **Compliance item:** Item 3 - Signed SBOM archives (immutable). + +## Dependencies & Concurrency +- Depends on existing `SbomExportService` and `SignerPipeline`. +- Blocks `SPRINT_20260112_016_CLI_sbom_verify_offline`. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/sbom-service/architecture.md` +- `docs/modules/signer/architecture.md` +- `docs/modules/attestor/bundle-format.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | SBOM-SPEC-001 | TODO | None | Scanner Guild | Create `docs/modules/scanner/signed-sbom-archive-spec.md` with format specification. | +| 2 | SBOM-SPEC-002 | TODO | SBOM-SPEC-001 | Scanner Guild | Define archive structure: sbom.{spdx,cdx}.json, sbom.dsse.json, manifest.json, metadata.json, certs/, schemas/. | +| 3 | SBOM-SPEC-003 | TODO | SBOM-SPEC-002 | Scanner Guild | Implement `SignedSbomArchiveBuilder` service in Scanner module. | +| 4 | SBOM-SPEC-004 | TODO | SBOM-SPEC-003 | Scanner Guild | Capture tool versions in metadata.json (stellaOpsVersion, scannerVersion, signerVersion). | +| 5 | SBOM-SPEC-005 | TODO | SBOM-SPEC-004 | Scanner Guild | Capture source container digest (Scanner image digest) in metadata. | +| 6 | SBOM-SPEC-006 | TODO | SBOM-SPEC-005 | Scanner Guild | Add manifest.json with file inventory and SHA-256 hashes. | +| 7 | SBOM-SPEC-007 | TODO | SBOM-SPEC-006 | Signer Guild | Sign manifest as separate DSSE envelope OR include in SBOM predicate. | +| 8 | SBOM-SPEC-008 | TODO | SBOM-SPEC-007 | Scanner Guild | Bundle Fulcio root + Rekor public log for offline verification. | +| 9 | SBOM-SPEC-009 | TODO | SBOM-SPEC-008 | Scanner Guild | Generate VERIFY.md with one-click verification instructions. | +| 10 | SBOM-SPEC-010 | TODO | SBOM-SPEC-009 | Scanner Guild | Add API endpoint `GET /scans/{scanId}/exports/signed-sbom-archive`. | +| 11 | SBOM-SPEC-011 | TODO | SBOM-SPEC-010 | Testing Guild | Create unit tests for archive structure and content. | +| 12 | SBOM-SPEC-012 | TODO | SBOM-SPEC-011 | Docs Guild | Update OpenAPI spec with new export endpoint. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: signed SBOM archive specification. | Planning | + +## Archive Format Specification + +``` +signed-sbom-{artifact_digest_short}-{timestamp}.tar.gz +| ++-- sbom.spdx.json # OR sbom.cdx.json (CycloneDX) ++-- sbom.dsse.json # DSSE envelope with signature ++-- manifest.json # File inventory with SHA-256 hashes ++-- metadata.json # Tool versions, timestamps, generation info ++-- certs/ +| +-- signing-cert.pem # Certificate chain from signer +| +-- fulcio-root.pem # Fulcio root CA (for offline keyless verify) ++-- rekor-proof/ # Optional transparency log proof +| +-- inclusion-proof.json +| +-- checkpoint.sig ++-- schemas/ # Bundled JSON schemas for offline validation +| +-- spdx-2.3-schema.json +| +-- cyclonedx-1.7-schema.json ++-- VERIFY.md # One-click verification instructions +``` + +### metadata.json Schema +```json +{ + "schemaVersion": "1.0.0", + "stellaOpsVersion": "2027.Q1", + "scannerVersion": "1.2.3", + "scannerDigest": "sha256:abc123...", + "signerVersion": "1.0.0", + "sbomServiceVersion": "1.1.0", + "generatedAt": "2026-01-15T12:34:56Z", + "generatedAtHlc": "...", + "input": { + "imageRef": "myregistry/app:1.0", + "imageDigest": "sha256:def456..." + }, + "reproducibility": { + "deterministic": true, + "expectedDigest": "sha256:..." + } +} +``` + +## Decisions & Risks +- Choose between signing manifest separately vs including manifest hash in SBOM predicate. +- RFC 3161 TSA integration deferred to Phase 3 (medium-term). +- Decide compression format: tar.gz vs tar.zst (zstd preferred for smaller size). + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_017_ATTESTOR_checkpoint_divergence_detection.md b/docs/implplan/SPRINT_20260112_017_ATTESTOR_checkpoint_divergence_detection.md new file mode 100644 index 000000000..42838a0dd --- /dev/null +++ b/docs/implplan/SPRINT_20260112_017_ATTESTOR_checkpoint_divergence_detection.md @@ -0,0 +1,89 @@ +# Sprint 20260112-017-ATTESTOR-checkpoint-divergence-detection - Checkpoint Divergence Detection + +## Topic & Scope +- Implement root hash divergence detection and mismatch alarms for Rekor checkpoints. +- Current state evidence: Checkpoint verification exists but no active monitoring for conflicting checkpoints. +- Evidence to produce: Divergence detector, monotonicity checks, and alerting integration. +- **Working directory:** `src/Attestor`. +- **Compliance item:** Item 5 - Local Rekor (transparency) mirrors. + +## Dependencies & Concurrency +- Depends on `SPRINT_20260112_017_ATTESTOR_periodic_rekor_sync` for checkpoint storage. +- Parallel safe with other Attestor sprints after checkpoint store is available. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/attestor/architecture.md` +- `docs/modules/attestor/rekor-verification-design.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | DIVERGE-001 | TODO | REKOR-SYNC-002 | Attestor Guild | Create `ICheckpointDivergenceDetector` interface. | +| 2 | DIVERGE-002 | TODO | DIVERGE-001 | Attestor Guild | Implement root hash comparison at same tree size. | +| 3 | DIVERGE-003 | TODO | DIVERGE-002 | Attestor Guild | Implement monotonicity check (tree size only increases). | +| 4 | DIVERGE-004 | TODO | DIVERGE-003 | Attestor Guild | Detect rollback attempts (tree size regression). | +| 5 | DIVERGE-005 | TODO | DIVERGE-004 | Attestor Guild | Implement cross-log consistency check (primary vs mirror). | +| 6 | DIVERGE-006 | TODO | DIVERGE-005 | Attestor Guild | Add metric: `attestor.rekor_checkpoint_mismatch_total{backend,origin}`. | +| 7 | DIVERGE-007 | TODO | DIVERGE-006 | Attestor Guild | Add metric: `attestor.rekor_checkpoint_rollback_detected_total`. | +| 8 | DIVERGE-008 | TODO | DIVERGE-007 | Notify Guild | Integrate with Notify service for alert dispatch. | +| 9 | DIVERGE-009 | TODO | DIVERGE-008 | Attestor Guild | Create `CheckpointDivergenceEvent` for audit trail. | +| 10 | DIVERGE-010 | TODO | DIVERGE-009 | Testing Guild | Create unit tests for divergence detection scenarios. | +| 11 | DIVERGE-011 | TODO | DIVERGE-010 | Testing Guild | Create integration tests simulating Byzantine scenarios. | +| 12 | DIVERGE-012 | TODO | DIVERGE-011 | Docs Guild | Document divergence detection and incident response procedures. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: checkpoint divergence detection. | Planning | + +## Technical Specification + +### Divergence Detection Rules +| Check | Condition | Severity | Action | +|-------|-----------|----------|--------| +| Root mismatch | Same tree_size, different root_hash | CRITICAL | Alert + quarantine | +| Monotonicity violation | New tree_size < stored tree_size | CRITICAL | Alert + reject | +| Cross-log divergence | Primary root != mirror root at same size | WARNING | Alert + investigate | +| Stale checkpoint | Checkpoint age > threshold | WARNING | Alert | + +### Alert Payload +```json +{ + "eventType": "rekor.checkpoint.divergence", + "severity": "critical", + "origin": "rekor.sigstore.dev", + "treeSize": 12345678, + "expectedRootHash": "sha256:abc123...", + "actualRootHash": "sha256:def456...", + "detectedAt": "2026-01-15T12:34:56Z", + "backend": "sigstore-prod", + "description": "Checkpoint root hash mismatch detected. Possible split-view attack." +} +``` + +### Metrics +``` +# Counter: total checkpoint mismatches +attestor_rekor_checkpoint_mismatch_total{backend="sigstore-prod",origin="rekor.sigstore.dev"} 0 + +# Counter: rollback attempts detected +attestor_rekor_checkpoint_rollback_detected_total{backend="sigstore-prod"} 0 + +# Gauge: seconds since last valid checkpoint +attestor_rekor_checkpoint_age_seconds{backend="sigstore-prod"} 120 +``` + +## Decisions & Risks +- Define response to detected divergence: quarantine all proofs or alert-only. +- Cross-log divergence may indicate network partition vs attack. +- False positive handling for transient network issues. + +## Acceptance Criteria +- Alert triggered within 1 minute of divergence detection. +- Metrics visible in Grafana dashboard. +- Audit trail for all divergence events. +- Runbook for incident response to checkpoint divergence. + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_017_ATTESTOR_periodic_rekor_sync.md b/docs/implplan/SPRINT_20260112_017_ATTESTOR_periodic_rekor_sync.md new file mode 100644 index 000000000..aa36d320a --- /dev/null +++ b/docs/implplan/SPRINT_20260112_017_ATTESTOR_periodic_rekor_sync.md @@ -0,0 +1,101 @@ +# Sprint 20260112-017-ATTESTOR-periodic-rekor-sync - Periodic Rekor Checkpoint Sync + +## Topic & Scope +- Implement background service for periodic Rekor checkpoint and tile synchronization. +- Current state evidence: `HttpRekorTileClient` exists for on-demand fetching but no periodic sync service. +- Evidence to produce: Background sync service, local checkpoint storage, and tile caching. +- **Working directory:** `src/Attestor`. +- **Compliance item:** Item 5 - Local Rekor (transparency) mirrors. + +## Dependencies & Concurrency +- Depends on existing `IRekorTileClient` implementation. +- Parallel safe with checkpoint divergence detection sprint. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/attestor/architecture.md` +- `docs/modules/attestor/rekor-verification-design.md` +- `docs/modules/attestor/transparency.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | REKOR-SYNC-001 | TODO | None | Attestor Guild | Create `IRekorCheckpointStore` interface for local checkpoint persistence. | +| 2 | REKOR-SYNC-002 | TODO | REKOR-SYNC-001 | Attestor Guild | Implement `PostgresRekorCheckpointStore` for checkpoint storage. | +| 3 | REKOR-SYNC-003 | TODO | REKOR-SYNC-002 | Attestor Guild | Create `IRekorTileCache` interface for tile storage. | +| 4 | REKOR-SYNC-004 | TODO | REKOR-SYNC-003 | Attestor Guild | Implement `FileSystemRekorTileCache` for air-gapped tile storage. | +| 5 | REKOR-SYNC-005 | TODO | REKOR-SYNC-004 | Attestor Guild | Create `RekorSyncBackgroundService` as IHostedService. | +| 6 | REKOR-SYNC-006 | TODO | REKOR-SYNC-005 | Attestor Guild | Implement periodic checkpoint fetching (configurable interval, default 5 min). | +| 7 | REKOR-SYNC-007 | TODO | REKOR-SYNC-006 | Attestor Guild | Implement incremental tile sync (only new entries since last sync). | +| 8 | REKOR-SYNC-008 | TODO | REKOR-SYNC-007 | Attestor Guild | Add checkpoint signature verification during sync. | +| 9 | REKOR-SYNC-009 | TODO | REKOR-SYNC-008 | Attestor Guild | Add metrics: `attestor.rekor_sync_checkpoint_age_seconds`, `attestor.rekor_sync_tiles_cached`. | +| 10 | REKOR-SYNC-010 | TODO | REKOR-SYNC-009 | Testing Guild | Create unit tests for sync service and stores. | +| 11 | REKOR-SYNC-011 | TODO | REKOR-SYNC-010 | Testing Guild | Create integration tests with mock Rekor server. | +| 12 | REKOR-SYNC-012 | TODO | REKOR-SYNC-011 | Docs Guild | Document sync configuration options and operational procedures. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: periodic Rekor checkpoint sync. | Planning | + +## Technical Specification + +### Checkpoint Store Schema +```sql +CREATE TABLE attestor.rekor_checkpoints ( + checkpoint_id UUID PRIMARY KEY DEFAULT gen_random_uuid(), + origin TEXT NOT NULL, + tree_size BIGINT NOT NULL, + root_hash BYTEA NOT NULL, + signature BYTEA NOT NULL, + fetched_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + verified BOOLEAN NOT NULL DEFAULT FALSE, + + UNIQUE(origin, tree_size) +); + +CREATE INDEX idx_rekor_checkpoints_origin_tree_size +ON attestor.rekor_checkpoints(origin, tree_size DESC); +``` + +### Tile Cache Structure +``` +/var/lib/stellaops/rekor-cache/ ++-- {origin}/ + +-- checkpoints/ + | +-- checkpoint-{tree_size}.sig + +-- tiles/ + +-- level-0/ + | +-- tile-{index}.bin + +-- level-1/ + +-- tile-{index}.bin +``` + +### Configuration +```yaml +attestor: + rekor: + sync: + enabled: true + intervalMinutes: 5 + maxCheckpointAgeDays: 30 + tileCachePath: "/var/lib/stellaops/rekor-cache" + tileCacheSizeMb: 1024 + backends: + - name: "sigstore-prod" + url: "https://rekor.sigstore.dev" + publicKeyPath: "/etc/stellaops/rekor-sigstore-prod.pub" +``` + +## Decisions & Risks +- Tile cache size management: LRU eviction vs time-based. +- Multiple Rekor backend support for redundancy. +- Network failure handling: exponential backoff with jitter. + +## Acceptance Criteria +- Background service syncing checkpoints every 5 minutes. +- Offline verification using cached tiles (no network). +- Metrics dashboard showing cache health and sync lag. + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_017_CRYPTO_pkcs11_hsm_implementation.md b/docs/implplan/SPRINT_20260112_017_CRYPTO_pkcs11_hsm_implementation.md new file mode 100644 index 000000000..5b73e358d --- /dev/null +++ b/docs/implplan/SPRINT_20260112_017_CRYPTO_pkcs11_hsm_implementation.md @@ -0,0 +1,82 @@ +# Sprint 20260112-017-CRYPTO-pkcs11-hsm-implementation - PKCS#11 HSM Implementation + +## Topic & Scope +- Complete PKCS#11 HSM integration using Net.Pkcs11Interop library. +- Current state evidence: `HsmPlugin` exists with stub implementation (`src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs`), `Pkcs11HsmClient` throws `NotImplementedException`. +- Evidence to produce: Working PKCS#11 client, HSM connectivity validation, and operational runbook. +- **Working directory:** `src/Cryptography`. +- **Compliance item:** Item 4 - HSM / key escrow patterns. + +## Dependencies & Concurrency +- Depends on Net.Pkcs11Interop NuGet package addition. +- Parallel safe with Rekor sync sprint. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/signer/architecture.md` +- `docs/operations/key-rotation-runbook.md` +- `docs/modules/authority/operations/key-rotation.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | HSM-001 | TODO | None | Crypto Guild | Add Net.Pkcs11Interop NuGet package to `src/Directory.Packages.props`. | +| 2 | HSM-002 | TODO | HSM-001 | Crypto Guild | Implement `Pkcs11HsmClient.SignAsync()` with PKCS#11 session management. | +| 3 | HSM-003 | TODO | HSM-002 | Crypto Guild | Implement `Pkcs11HsmClient.VerifyAsync()` for signature verification. | +| 4 | HSM-004 | TODO | HSM-003 | Crypto Guild | Add session pooling and reconnection logic for HSM connection stability. | +| 5 | HSM-005 | TODO | HSM-004 | Crypto Guild | Implement multi-slot failover support. | +| 6 | HSM-006 | TODO | HSM-005 | Crypto Guild | Add key attribute enforcement (CKA_PRIVATE, CKA_EXTRACTABLE policy). | +| 7 | HSM-007 | TODO | HSM-006 | Crypto Guild | Implement `GetMetadataAsync()` for key versioning info. | +| 8 | HSM-008 | TODO | HSM-007 | Testing Guild | Create SoftHSM2 test fixtures for integration testing. | +| 9 | HSM-009 | TODO | HSM-008 | Testing Guild | Add unit tests for session management, signing, and verification. | +| 10 | HSM-010 | TODO | HSM-009 | Doctor Guild | Update `HsmConnectivityCheck` to validate actual PKCS#11 operations. | +| 11 | HSM-011 | TODO | HSM-010 | Docs Guild | Create `docs/operations/hsm-setup-runbook.md` with configuration guide. | +| 12 | HSM-012 | TODO | HSM-011 | Docs Guild | Document SoftHSM2 test environment setup for development. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: PKCS#11 HSM implementation. | Planning | + +## Technical Specification + +### Supported Mechanisms +| Algorithm | PKCS#11 Mechanism | Status | +|-----------|------------------|--------| +| RSA-SHA256 | CKM_SHA256_RSA_PKCS | TODO | +| RSA-SHA384 | CKM_SHA384_RSA_PKCS | TODO | +| RSA-SHA512 | CKM_SHA512_RSA_PKCS | TODO | +| RSA-PSS | CKM_SHA256_RSA_PKCS_PSS | TODO | +| ECDSA-P256 | CKM_ECDSA_SHA256 | TODO | +| ECDSA-P384 | CKM_ECDSA_SHA384 | TODO | +| AES-GCM-128 | CKM_AES_GCM | TODO | +| AES-GCM-256 | CKM_AES_GCM | TODO | + +### Configuration +```yaml +signing: + provider: "hsm" + hsm: + type: "pkcs11" + libraryPath: "/opt/hsm/libpkcs11.so" + slotId: 0 + pin: "${HSM_PIN}" + tokenLabel: "StellaOps" + connectionTimeoutSeconds: 30 + maxSessions: 10 + sessionIdleTimeoutSeconds: 300 +``` + +## Decisions & Risks +- SoftHSM2 for testing vs real HSM for production validation. +- PIN management via environment variable or secrets manager. +- Session exhaustion recovery strategy. + +## Acceptance Criteria +- Working signing and verification with SoftHSM2. +- Key rotation demonstration with attestation continuity. +- Doctor check validating HSM connectivity. +- Runbook with step-by-step HSM configuration. + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_017_POLICY_cvss_threshold_gate.md b/docs/implplan/SPRINT_20260112_017_POLICY_cvss_threshold_gate.md new file mode 100644 index 000000000..b8611ed6c --- /dev/null +++ b/docs/implplan/SPRINT_20260112_017_POLICY_cvss_threshold_gate.md @@ -0,0 +1,109 @@ +# Sprint 20260112-017-POLICY-cvss-threshold-gate - CVSS Threshold Policy Gate + +## Topic & Scope +- Implement dedicated `CvssThresholdGate` for static CVSS score enforcement. +- Current state evidence: EPSS quarantine rules exist (priority 20) but no explicit CVSS threshold gate class. +- Evidence to produce: Gate implementation, configuration, and documentation. +- **Working directory:** `src/Policy`. +- **Compliance item:** Item 6 - Offline policy engine (OPA/Conftest-class). + +## Dependencies & Concurrency +- Depends on existing `IPolicyGate` interface. +- Parallel safe with SBOM presence gate sprint. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/policy/architecture.md` +- `docs/modules/policy/determinization-api.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | CVSS-GATE-001 | DONE | None | Policy Guild | Create `CvssThresholdGate` class implementing `IPolicyGate`. | +| 2 | CVSS-GATE-002 | DONE | CVSS-GATE-001 | Policy Guild | Support CVSS v3.1 base score threshold configuration. | +| 3 | CVSS-GATE-003 | DONE | CVSS-GATE-002 | Policy Guild | Support CVSS v4.0 base score threshold configuration. | +| 4 | CVSS-GATE-004 | DONE | CVSS-GATE-003 | Policy Guild | Add per-environment threshold overrides (prod: 7.0, staging: 8.0, dev: 9.0). | +| 5 | CVSS-GATE-005 | DONE | CVSS-GATE-004 | Policy Guild | Add CVE allowlist/denylist support for exceptions. | +| 6 | CVSS-GATE-006 | DONE | CVSS-GATE-005 | Policy Guild | Implement offline operation (no external lookups). | +| 7 | CVSS-GATE-007 | DONE | CVSS-GATE-006 | Policy Guild | Register gate in `PolicyGateRegistry` with configurable priority. | +| 8 | CVSS-GATE-008 | DONE | CVSS-GATE-007 | Testing Guild | Create unit tests for threshold enforcement. | +| 9 | CVSS-GATE-009 | DONE | CVSS-GATE-008 | Testing Guild | Create tests for environment-specific overrides. | +| 10 | CVSS-GATE-010 | TODO | CVSS-GATE-009 | Docs Guild | Update policy architecture docs with CVSS gate. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: CVSS threshold policy gate. | Planning | +| 2026-01-15 | CVSS-GATE-001 to 007: Created CvssThresholdGate implementing IPolicyGate with full feature set. Options: Enabled, Priority, DefaultThreshold, per-environment Thresholds (prod/staging/dev), CvssVersionPreference (v3.1/v4.0/highest), Allowlist, Denylist, FailOnMissingCvss, RequireAllVersionsPass. Gate evaluates CVSS v3.1 and v4.0 scores, supports offline operation via injectable lookup or context metadata. Created CvssThresholdGateExtensions for DI registration and PolicyGateRegistry integration. CVSS-GATE-008/009: Created CvssThresholdGateTests with 20+ test cases covering: disabled gate, denylist/allowlist, missing CVSS handling, threshold enforcement at various score levels, environment-specific thresholds (staging/dev), version preference (v3.1/v4.0/highest), RequireAllVersionsPass mode, metadata fallback, case-insensitive CVE matching, and complete details in result. | Agent | + +## Technical Specification + +### Gate Configuration +```yaml +policy: + gates: + cvssThreshold: + enabled: true + priority: 15 + defaultThreshold: 7.0 + thresholds: + production: 7.0 + staging: 8.0 + development: 9.0 + cvssVersionPreference: "v4.0" # v3.1, v4.0, or highest + allowlist: + - "CVE-2024-12345" # Known false positive + denylist: + - "CVE-2024-99999" # Always block +``` + +### Gate Interface +```csharp +public sealed class CvssThresholdGate : IPolicyGate +{ + public string Name => "CvssThreshold"; + public int Priority => _options.Priority; + + public Task EvaluateAsync( + GateContext context, + CancellationToken ct) + { + var finding = context.Finding; + var environment = context.Environment; + + // Get CVSS score (prefer v4.0 if available) + var cvssScore = GetCvssScore(finding, _options.CvssVersionPreference); + + // Check denylist first + if (_options.Denylist.Contains(finding.CveId)) + return Task.FromResult(GateResult.Blocked($"CVE {finding.CveId} is denylisted")); + + // Check allowlist + if (_options.Allowlist.Contains(finding.CveId)) + return Task.FromResult(GateResult.Passed("CVE is allowlisted")); + + // Get environment-specific threshold + var threshold = GetThreshold(environment); + + if (cvssScore >= threshold) + return Task.FromResult(GateResult.Blocked( + $"CVSS {cvssScore:F1} exceeds threshold {threshold:F1} for {environment}")); + + return Task.FromResult(GateResult.Passed()); + } +} +``` + +## Decisions & Risks +- CVSS v4.0 adoption is emerging; fallback to v3.1 required. +- Denylist takes precedence over allowlist. +- Offline operation means CVSS scores must be pre-populated in findings. + +## Acceptance Criteria +- Gate blocks CVEs exceeding configured threshold. +- Environment-specific thresholds enforced correctly. +- Allowlist/denylist exceptions work as expected. +- Gate operates without network (offline determinism). + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_017_POLICY_sbom_presence_gate.md b/docs/implplan/SPRINT_20260112_017_POLICY_sbom_presence_gate.md new file mode 100644 index 000000000..64ad8865f --- /dev/null +++ b/docs/implplan/SPRINT_20260112_017_POLICY_sbom_presence_gate.md @@ -0,0 +1,128 @@ +# Sprint 20260112-017-POLICY-sbom-presence-gate - SBOM Presence Policy Gate + +## Topic & Scope +- Implement dedicated `SbomPresenceGate` for SBOM inventory validation. +- Current state evidence: `SbomLineageEvidence` mentioned in config but no dedicated presence gate. +- Evidence to produce: Gate implementation, schema validation, and configuration. +- **Working directory:** `src/Policy`. +- **Compliance item:** Item 6 - Offline policy engine (OPA/Conftest-class). + +## Dependencies & Concurrency +- Depends on existing `IPolicyGate` interface. +- Parallel safe with CVSS threshold gate sprint. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/policy/architecture.md` +- `docs/modules/sbom-service/architecture.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | SBOM-GATE-001 | DONE | None | Policy Guild | Create `SbomPresenceGate` class implementing `IPolicyGate`. | +| 2 | SBOM-GATE-002 | DONE | SBOM-GATE-001 | Policy Guild | Require SBOM presence for release artifacts. | +| 3 | SBOM-GATE-003 | DONE | SBOM-GATE-002 | Policy Guild | Validate SBOM format (SPDX 2.3/3.0.1, CycloneDX 1.4-1.7). | +| 4 | SBOM-GATE-004 | DONE | SBOM-GATE-003 | Policy Guild | Validate SBOM schema against bundled JSON schemas. | +| 5 | SBOM-GATE-005 | DONE | SBOM-GATE-004 | Policy Guild | Check minimum component inventory (configurable threshold). | +| 6 | SBOM-GATE-006 | DONE | SBOM-GATE-005 | Policy Guild | Add per-environment enforcement levels (prod: required, dev: optional). | +| 7 | SBOM-GATE-007 | DONE | SBOM-GATE-006 | Policy Guild | Add SBOM signature verification requirement option. | +| 8 | SBOM-GATE-008 | DONE | SBOM-GATE-007 | Policy Guild | Register gate in `PolicyGateRegistry`. | +| 9 | SBOM-GATE-009 | DONE | SBOM-GATE-008 | Testing Guild | Create unit tests for presence and schema validation. | +| 10 | SBOM-GATE-010 | TODO | SBOM-GATE-009 | Docs Guild | Update policy architecture docs with SBOM gate. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: SBOM presence policy gate. | Planning | +| 2026-01-15 | SBOM-GATE-001 to 008: Created SbomPresenceGate implementing IPolicyGate. Options: Enabled, Priority, per-environment Enforcement (Required/Recommended/Optional), AcceptedFormats (spdx-2.2/2.3/3.0.1, cyclonedx-1.4-1.7), MinimumComponents, RequireSignature, SchemaValidation, RequirePrimaryComponent. Gate validates SBOM presence, format normalization (handles case variations, cdx alias), component count, schema validity, signature requirement, and primary component. Created SbomPresenceGateExtensions for DI and registry integration. SbomInfo record captures all SBOM metadata. SBOM-GATE-009: Created SbomPresenceGateTests with 25+ test cases covering: disabled gate, enforcement levels (optional/recommended/required), missing SBOM handling, valid SBOM, accepted formats, invalid formats, insufficient components, schema validation, signature requirements (missing/invalid/valid), primary component requirement, environment-specific enforcement, default enforcement fallback, metadata parsing, format normalization variations, and optional metadata inclusion. | Agent | + +## Technical Specification + +### Gate Configuration +```yaml +policy: + gates: + sbomPresence: + enabled: true + priority: 5 + enforcement: + production: required + staging: required + development: optional + formats: + - "spdx-2.3" + - "spdx-3.0.1" + - "cyclonedx-1.4" + - "cyclonedx-1.5" + - "cyclonedx-1.6" + - "cyclonedx-1.7" + minimumComponents: 1 + requireSignature: false + schemaValidation: true +``` + +### Gate Interface +```csharp +public sealed class SbomPresenceGate : IPolicyGate +{ + public string Name => "SbomPresence"; + public int Priority => _options.Priority; + + public Task EvaluateAsync( + GateContext context, + CancellationToken ct) + { + var artifact = context.Artifact; + var environment = context.Environment; + + // Get enforcement level for environment + var enforcement = GetEnforcementLevel(environment); + if (enforcement == EnforcementLevel.Optional) + return Task.FromResult(GateResult.Passed("SBOM optional for environment")); + + // Check SBOM presence + var sbom = context.Evidence.GetSbom(artifact.Digest); + if (sbom is null) + return Task.FromResult(GateResult.Blocked("SBOM not found for artifact")); + + // Validate format + if (!_options.Formats.Contains(sbom.Format)) + return Task.FromResult(GateResult.Blocked( + $"SBOM format '{sbom.Format}' not in allowed list")); + + // Validate schema + if (_options.SchemaValidation) + { + var schemaResult = ValidateSchema(sbom); + if (!schemaResult.IsValid) + return Task.FromResult(GateResult.Blocked( + $"SBOM schema validation failed: {schemaResult.Error}")); + } + + // Check minimum components + if (sbom.ComponentCount < _options.MinimumComponents) + return Task.FromResult(GateResult.Blocked( + $"SBOM has {sbom.ComponentCount} components, minimum is {_options.MinimumComponents}")); + + // Check signature if required + if (_options.RequireSignature && !sbom.IsSigned) + return Task.FromResult(GateResult.Blocked("SBOM signature required but not present")); + + return Task.FromResult(GateResult.Passed()); + } +} +``` + +## Decisions & Risks +- Schema validation requires bundling JSON schemas for offline operation. +- Minimum component threshold prevents empty SBOMs. +- Signature requirement may be too strict for some environments. + +## Acceptance Criteria +- Gate blocks artifacts without SBOM in production. +- Schema validation works offline with bundled schemas. +- Environment-specific enforcement works correctly. +- Signature verification optional but functional. + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_017_POLICY_signature_required_gate.md b/docs/implplan/SPRINT_20260112_017_POLICY_signature_required_gate.md new file mode 100644 index 000000000..780d9d216 --- /dev/null +++ b/docs/implplan/SPRINT_20260112_017_POLICY_signature_required_gate.md @@ -0,0 +1,150 @@ +# Sprint 20260112-017-POLICY-signature-required-gate - Signature Required Policy Gate + +## Topic & Scope +- Implement standalone `SignatureRequiredGate` for generic payload signature enforcement. +- Current state evidence: `VexProofGate` has `RequireSignedStatements` but no standalone signature gate. +- Evidence to produce: Generic gate implementation for any evidence type. +- **Working directory:** `src/Policy`. +- **Compliance item:** Item 6 - Offline policy engine (OPA/Conftest-class). + +## Dependencies & Concurrency +- Depends on existing `IPolicyGate` interface. +- Parallel safe with other policy gate sprints. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/policy/architecture.md` +- `docs/modules/signer/architecture.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | SIG-GATE-001 | DONE | None | Policy Guild | Create `SignatureRequiredGate` class implementing `IPolicyGate`. | +| 2 | SIG-GATE-002 | DONE | SIG-GATE-001 | Policy Guild | Configure required signatures per evidence type (SBOM, VEX, attestation). | +| 3 | SIG-GATE-003 | DONE | SIG-GATE-002 | Policy Guild | Validate DSSE envelope structure. | +| 4 | SIG-GATE-004 | DONE | SIG-GATE-003 | Policy Guild | Verify signature against trusted key set. | +| 5 | SIG-GATE-005 | DONE | SIG-GATE-004 | Policy Guild | Support keyless (Fulcio) signature verification with bundled roots. | +| 6 | SIG-GATE-006 | DONE | SIG-GATE-005 | Policy Guild | Add per-environment signature requirements. | +| 7 | SIG-GATE-007 | DONE | SIG-GATE-006 | Policy Guild | Add issuer/identity constraints (e.g., only accept signatures from specific emails). | +| 8 | SIG-GATE-008 | DONE | SIG-GATE-007 | Policy Guild | Register gate in `PolicyGateRegistry`. | +| 9 | SIG-GATE-009 | DONE | SIG-GATE-008 | Testing Guild | Create unit tests for signature validation scenarios. | +| 10 | SIG-GATE-010 | TODO | SIG-GATE-009 | Docs Guild | Update policy architecture docs with signature gate. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: signature required policy gate. | Planning | +| 2026-01-15 | SIG-GATE-001 to 008: Created SignatureRequiredGate implementing IPolicyGate. Options: Enabled, Priority, EvidenceTypes (per-type config with Required, TrustedIssuers with wildcard support, TrustedKeyIds, AcceptedAlgorithms), Environments (RequiredOverride, AdditionalIssuers, SkipEvidenceTypes), EnableKeylessVerification, FulcioRoots, RekorUrl, RequireTransparencyLogInclusion. SignatureInfo record captures EvidenceType, HasSignature, SignatureValid, Algorithm, SignerIdentity, KeyId, IsKeyless, HasTransparencyLogInclusion, CertificateChainValid, VerificationErrors. Gate validates per-evidence-type signatures with issuer wildcard matching (*@domain.com), algorithm enforcement (ES256/RS256/EdDSA), key ID constraints, keyless (Fulcio) verification with transparency log requirement, certificate chain validation, and environment-specific overrides. Created SignatureRequiredGateExtensions for DI and registry integration. SIG-GATE-009: Created SignatureRequiredGateTests with 18+ test cases covering: disabled gate, missing/invalid signatures, issuer validation with wildcards, algorithm enforcement, key ID constraints, keyless signatures with/without transparency log, keyless disabled, environment overrides (skip types, additional issuers), certificate chain validation, and subdomain wildcard matching. | Agent | + +## Technical Specification + +### Gate Configuration +```yaml +policy: + gates: + signatureRequired: + enabled: true + priority: 3 + evidenceTypes: + sbom: + required: true + trustedIssuers: + - "build@company.com" + - "release@company.com" + vex: + required: true + trustedIssuers: + - "security@company.com" + attestation: + required: true + trustedIssuers: + - "*@company.com" # Wildcard support + keylessVerification: + enabled: true + fulcioRootPath: "/etc/stellaops/fulcio-root.pem" + rekorPublicKeyPath: "/etc/stellaops/rekor.pub" + enforcement: + production: required + staging: required + development: optional +``` + +### Gate Interface +```csharp +public sealed class SignatureRequiredGate : IPolicyGate +{ + public string Name => "SignatureRequired"; + public int Priority => _options.Priority; + + public Task EvaluateAsync( + GateContext context, + CancellationToken ct) + { + var environment = context.Environment; + var enforcement = GetEnforcementLevel(environment); + + if (enforcement == EnforcementLevel.Optional) + return Task.FromResult(GateResult.Passed("Signatures optional")); + + var failures = new List(); + + foreach (var evidence in context.Evidence.All) + { + var config = GetEvidenceConfig(evidence.Type); + if (!config.Required) continue; + + // Check signature presence + if (evidence.Signature is null) + { + failures.Add($"{evidence.Type}: No signature present"); + continue; + } + + // Validate DSSE envelope + var dsseResult = ValidateDsseEnvelope(evidence.Signature); + if (!dsseResult.IsValid) + { + failures.Add($"{evidence.Type}: Invalid DSSE - {dsseResult.Error}"); + continue; + } + + // Verify signature + var verifyResult = await VerifySignatureAsync( + evidence.Signature, + config.TrustedIssuers, + ct); + + if (!verifyResult.IsValid) + { + failures.Add($"{evidence.Type}: Signature invalid - {verifyResult.Error}"); + continue; + } + + // Check issuer constraints + if (!MatchesIssuerConstraints(verifyResult.Issuer, config.TrustedIssuers)) + { + failures.Add($"{evidence.Type}: Issuer '{verifyResult.Issuer}' not trusted"); + } + } + + if (failures.Count > 0) + return Task.FromResult(GateResult.Blocked(string.Join("; ", failures))); + + return Task.FromResult(GateResult.Passed()); + } +} +``` + +## Decisions & Risks +- Wildcard issuer matching syntax (e.g., `*@company.com`). +- Keyless verification requires bundled Fulcio root for offline. +- Performance impact of signature verification on every evaluation. + +## Acceptance Criteria +- Gate blocks unsigned evidence when required. +- Issuer constraints enforced correctly. +- Keyless verification works offline with bundled roots. +- Environment-specific enforcement works correctly. + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_018_AUTH_local_rbac_fallback.md b/docs/implplan/SPRINT_20260112_018_AUTH_local_rbac_fallback.md new file mode 100644 index 000000000..3febf5edb --- /dev/null +++ b/docs/implplan/SPRINT_20260112_018_AUTH_local_rbac_fallback.md @@ -0,0 +1,157 @@ +# Sprint 20260112-018-AUTH-local-rbac-fallback - Local RBAC Policy Fallback + +## Topic & Scope +- Implement local file-based RBAC policy fallback for offline/air-gapped Authority operation. +- Current state evidence: Authority is PostgreSQL-only; no local policy fallback exists. +- Evidence to produce: File-based policy store, fallback mechanism, and break-glass account. +- **Working directory:** `src/Authority`. +- **Compliance item:** Item 2 - Offline RBAC & break-glass. + +## Dependencies & Concurrency +- Depends on existing Authority architecture understanding. +- Parallel safe with other Authority sprints. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/authority/architecture.md` +- `docs/modules/authority/AUTHORITY.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | RBAC-001 | DONE | None | Authority Guild | Create `ILocalPolicyStore` interface. | +| 2 | RBAC-002 | DONE | RBAC-001 | Authority Guild | Implement `FileBasedPolicyStore` with YAML/JSON policy files. | +| 3 | RBAC-003 | DONE | RBAC-002 | Authority Guild | Define local policy file schema (roles, scopes, subjects). | +| 4 | RBAC-004 | DONE | RBAC-003 | Authority Guild | Implement policy file hot-reload with inotify/FileSystemWatcher. | +| 5 | RBAC-005 | DONE | RBAC-004 | Authority Guild | Create fallback mechanism when PostgreSQL is unavailable. | +| 6 | RBAC-006 | DONE | RBAC-005 | Authority Guild | Implement break-glass account with bootstrap credentials. | +| 7 | RBAC-007 | DONE | RBAC-006 | Authority Guild | Add break-glass usage audit logging (mandatory reason codes). | +| 8 | RBAC-008 | DONE | RBAC-007 | Authority Guild | Implement automatic break-glass session timeout (configurable, default 15 min). | +| 9 | RBAC-009 | DONE | RBAC-008 | Authority Guild | Add break-glass session extension with re-authentication. | +| 10 | RBAC-010 | TODO | RBAC-009 | AirGap Guild | Include local policy in Offline Kit bundles. | +| 11 | RBAC-011 | DONE | RBAC-010 | Testing Guild | Create unit tests for local policy store. | +| 12 | RBAC-012 | TODO | RBAC-011 | Testing Guild | Create integration tests for fallback scenarios. | +| 13 | RBAC-013 | TODO | RBAC-012 | Docs Guild | Create break-glass account runbook. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: local RBAC policy fallback. | Planning | +| 2026-01-15 | RBAC-001: Created ILocalPolicyStore interface with GetPolicyAsync, GetSubjectRolesAsync, GetRoleScopesAsync, HasScopeAsync, GetSubjectScopesAsync, ValidateBreakGlassCredentialAsync, IsAvailableAsync, ReloadAsync, and PolicyReloaded event. RBAC-002/003/004: Created FileBasedPolicyStore implementing ILocalPolicyStore with YAML/JSON loading via YamlDotNet, FileSystemWatcher hot-reload with debouncing, role inheritance resolution, subject index with tenant/expiration checks, schema version validation. Created LocalPolicyModels with LocalPolicy, LocalRole, LocalSubject, BreakGlassConfig, BreakGlassAccount, BreakGlassSession records. Created LocalPolicyStoreOptions with PolicyFilePath, EnableHotReload, RequireSignature, FallbackBehavior, SupportedSchemaVersions. RBAC-005: Created FallbackPolicyStore with IPrimaryPolicyStoreHealthCheck integration, PolicyStoreMode enum (Primary/Fallback/Degraded), automatic failover after FailureThreshold consecutive failures, recovery with MinFallbackDurationMs cooldown, ModeChanged event. RBAC-006/007/008/009: Created BreakGlassSessionManager with IBreakGlassSessionManager interface, session creation with credential validation (bcrypt), mandatory reason codes from AllowedReasonCodes, configurable SessionTimeoutMinutes (default 15), MaxExtensions with re-authentication, automatic expired session cleanup, IBreakGlassAuditLogger with BreakGlassAuditEvent (SessionCreated/Extended/Terminated/Expired/AuthenticationFailed/InvalidReasonCode/MaxExtensionsReached). RBAC-011: Created FileBasedPolicyStoreTests with 15+ unit tests covering policy serialization, role inheritance, subject enable/expiration, break-glass config, session validity, options defaults, mode change events. | Agent | + +## Technical Specification + +### Local Policy File Schema +```yaml +# /etc/stellaops/authority/local-policy.yaml +schemaVersion: "1.0.0" +lastUpdated: "2026-01-15T12:00:00Z" +signatureRequired: true +signature: "base64-encoded-dsse-signature" + +roles: + - name: "admin" + scopes: + - "authority:read" + - "authority:write" + - "platform:admin" + - name: "operator" + scopes: + - "orch:operate" + - "orch:view" + - name: "auditor" + scopes: + - "audit:read" + - "obs:incident" + +subjects: + - id: "user@company.com" + roles: ["admin"] + tenant: "default" + - id: "ops@company.com" + roles: ["operator"] + tenant: "default" + +breakGlass: + enabled: true + accounts: + - id: "break-glass-admin" + passwordHash: "$argon2id$v=19$m=65536,t=3,p=4$..." + roles: ["admin"] + sessionTimeoutMinutes: 15 + maxExtensions: 2 + requireReasonCode: true + allowedReasonCodes: + - "emergency-incident" + - "database-outage" + - "security-event" + - "scheduled-maintenance" +``` + +### Break-Glass Audit Event +```json +{ + "eventType": "authority.break_glass.activated", + "severity": "warning", + "accountId": "break-glass-admin", + "reasonCode": "database-outage", + "reasonDetails": "PostgreSQL cluster unreachable", + "activatedAt": "2026-01-15T12:34:56Z", + "sessionId": "bg-session-abc123", + "expiresAt": "2026-01-15T12:49:56Z", + "clientIp": "10.0.0.5", + "userAgent": "StellaOps-CLI/2027.Q1" +} +``` + +### Configuration +```yaml +authority: + localPolicy: + enabled: true + policyPath: "/etc/stellaops/authority/local-policy.yaml" + fallbackMode: "on_db_unavailable" # on_db_unavailable, always_local, hybrid + reloadIntervalSeconds: 30 + requireSignature: true + signaturePublicKeyPath: "/etc/stellaops/authority/policy-signing.pub" + breakGlass: + enabled: true + maxSessionMinutes: 60 + alertOnActivation: true + alertChannels: ["email", "slack", "pagerduty"] +``` + +### Fallback Logic +```csharp +public async Task AuthorizeAsync( + AuthorizationRequest request, + CancellationToken ct) +{ + // Try PostgreSQL first + if (await _postgresStore.IsAvailableAsync(ct)) + { + return await _postgresStore.AuthorizeAsync(request, ct); + } + + // Fallback to local policy + _logger.LogWarning("PostgreSQL unavailable, using local policy fallback"); + _metrics.IncrementFallbackActivations(); + + return await _localPolicyStore.AuthorizeAsync(request, ct); +} +``` + +## Decisions & Risks +- Local policy must be signed to prevent tampering. +- Break-glass password storage: Argon2id hash in file. +- Alert-on-activation to notify security team. +- Policy sync between PostgreSQL and local file. + +## Acceptance Criteria +- Local policy fallback activates when PostgreSQL unavailable. +- Break-glass account authenticates with reason code. +- Session timeout enforced with audit trail. +- Alert dispatched on break-glass activation. + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_018_CRYPTO_key_escrow_shamir.md b/docs/implplan/SPRINT_20260112_018_CRYPTO_key_escrow_shamir.md new file mode 100644 index 000000000..3b8d983eb --- /dev/null +++ b/docs/implplan/SPRINT_20260112_018_CRYPTO_key_escrow_shamir.md @@ -0,0 +1,143 @@ +# Sprint 20260112-018-CRYPTO-key-escrow-shamir - Key Escrow with Shamir Secret Sharing + +## Topic & Scope +- Implement key escrow mechanisms using Shamir's Secret Sharing for key recovery. +- Current state evidence: No key recovery or escrow mechanisms exist. +- Evidence to produce: Shamir splitting, escrow storage, and recovery procedures. +- **Working directory:** `src/Cryptography`. +- **Compliance item:** Item 4 - HSM / key escrow patterns. + +## Dependencies & Concurrency +- Depends on `SPRINT_20260112_018_SIGNER_dual_control_ceremonies` for recovery ceremony. +- Parallel safe with other crypto sprints. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/signer/architecture.md` +- `docs/operations/key-rotation-runbook.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | ESCROW-001 | TODO | None | Crypto Guild | Implement `ShamirSecretSharing` class with split/combine operations. | +| 2 | ESCROW-002 | TODO | ESCROW-001 | Crypto Guild | Use GF(2^8) for byte-level secret sharing. | +| 3 | ESCROW-003 | TODO | ESCROW-002 | Crypto Guild | Create `IKeyEscrowService` interface. | +| 4 | ESCROW-004 | TODO | ESCROW-003 | Crypto Guild | Implement key splitting with configurable M-of-N threshold. | +| 5 | ESCROW-005 | TODO | ESCROW-004 | Crypto Guild | Create `KeyShare` record with share index, data, and metadata. | +| 6 | ESCROW-006 | TODO | ESCROW-005 | Crypto Guild | Implement encrypted share storage (shares encrypted at rest). | +| 7 | ESCROW-007 | TODO | ESCROW-006 | Crypto Guild | Create `IEscrowAgentStore` interface for share custody. | +| 8 | ESCROW-008 | TODO | ESCROW-007 | Crypto Guild | Implement share distribution to escrow agents. | +| 9 | ESCROW-009 | TODO | ESCROW-008 | Crypto Guild | Create key recovery workflow with share collection. | +| 10 | ESCROW-010 | TODO | ESCROW-009 | Crypto Guild | Integrate with dual-control ceremonies for recovery authorization. | +| 11 | ESCROW-011 | TODO | ESCROW-010 | Testing Guild | Create unit tests for Shamir splitting/combining. | +| 12 | ESCROW-012 | TODO | ESCROW-011 | Testing Guild | Create integration tests for recovery workflow. | +| 13 | ESCROW-013 | TODO | ESCROW-012 | Docs Guild | Create key escrow and recovery runbook. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: key escrow with Shamir secret sharing. | Planning | + +## Technical Specification + +### Shamir Secret Sharing +```csharp +public sealed class ShamirSecretSharing +{ + /// + /// Split a secret into N shares where any M shares can reconstruct. + /// Uses GF(2^8) arithmetic for byte-level operations. + /// + public IReadOnlyList Split( + byte[] secret, + int threshold, // M - minimum shares needed + int totalShares, // N - total shares created + IGuidGenerator guidGenerator, + TimeProvider timeProvider) + { + // Validate: 2 <= M <= N <= 255 + // For each byte of secret: + // 1. Generate random polynomial of degree M-1 with secret as constant term + // 2. Evaluate polynomial at points 1..N + // 3. Store evaluation results as share data + } + + /// + /// Reconstruct secret from M or more shares using Lagrange interpolation. + /// + public byte[] Combine(IReadOnlyList shares) + { + // Validate: shares.Count >= threshold + // Use Lagrange interpolation at x=0 to recover constant term (secret) + } +} +``` + +### Key Share Model +```csharp +public sealed record KeyShare +{ + public required Guid ShareId { get; init; } + public required int Index { get; init; } // 1..N + public required byte[] EncryptedData { get; init; } + public required string KeyId { get; init; } + public required int Threshold { get; init; } + public required int TotalShares { get; init; } + public required DateTimeOffset CreatedAt { get; init; } + public required DateTimeOffset ExpiresAt { get; init; } + public required string CustodianId { get; init; } + public required string ChecksumHex { get; init; } // SHA-256 of unencrypted share +} +``` + +### Escrow Agent Configuration +```yaml +cryptography: + escrow: + enabled: true + defaultThreshold: 3 + defaultTotalShares: 5 + shareEncryptionKeyPath: "/etc/stellaops/escrow-encryption.key" + agents: + - id: "escrow-agent-1" + name: "Primary Security Officer" + email: "cso@company.com" + publicKeyPath: "/etc/stellaops/escrow-agents/agent1.pub" + - id: "escrow-agent-2" + name: "Backup Security Officer" + email: "backup-cso@company.com" + publicKeyPath: "/etc/stellaops/escrow-agents/agent2.pub" + - id: "escrow-agent-3" + name: "External Custodian" + email: "custodian@escrow-service.com" + publicKeyPath: "/etc/stellaops/escrow-agents/agent3.pub" + shareRetentionDays: 365 + autoDeleteOnRecovery: false +``` + +### Recovery Workflow +``` +1. Recovery request initiated (requires dual-control ceremony) +2. Notify escrow agents of recovery request +3. Each agent authenticates and submits their share +4. System collects shares until threshold reached +5. Secret reconstructed using Lagrange interpolation +6. Key imported/restored to target HSM or keystore +7. Recovery audit event logged +8. (Optional) Shares re-generated with new random polynomial +``` + +## Decisions & Risks +- Share storage security: encrypt shares at rest with separate key. +- Agent identity verification during recovery. +- Re-escrow after recovery to prevent share replay. +- External escrow agent integration complexity. + +## Acceptance Criteria +- 3-of-5 Shamir splitting demonstrated. +- Key recovery from 3 shares successful. +- Escrow agent notification workflow functional. +- Recovery audit trail complete. + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_018_DOCS_upgrade_runbook_evidence_continuity.md b/docs/implplan/SPRINT_20260112_018_DOCS_upgrade_runbook_evidence_continuity.md new file mode 100644 index 000000000..f1546becc --- /dev/null +++ b/docs/implplan/SPRINT_20260112_018_DOCS_upgrade_runbook_evidence_continuity.md @@ -0,0 +1,131 @@ +# Sprint 20260112-018-DOCS-upgrade-runbook-evidence-continuity - Upgrade Runbook with Evidence Continuity + +## Topic & Scope +- Create comprehensive upgrade runbook with evidence continuity procedures. +- Current state evidence: DB migrations documented but no evidence-focused upgrade guide. +- Evidence to produce: Step-by-step runbook, pre-flight checklists, and validation procedures. +- **Working directory:** `docs/operations`. +- **Compliance item:** Item 7 - Upgrade & evidence-migration paths. + +## Dependencies & Concurrency +- Depends on `SPRINT_20260112_016_DOCS_blue_green_deployment` for deployment procedures. +- Depends on `SPRINT_20260112_018_EVIDENCE_reindex_tooling` for CLI commands. +- Parallel safe with implementation sprints. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/db/MIGRATION_STRATEGY.md` +- `docs/releases/VERSIONING.md` +- `docs/flows/13-evidence-bundle-export-flow.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | RUNBOOK-001 | TODO | None | Docs Guild | Create `docs/operations/upgrade-runbook.md` structure. | +| 2 | RUNBOOK-002 | TODO | RUNBOOK-001 | Docs Guild | Document pre-upgrade checklist (backup, health checks, evidence export). | +| 3 | RUNBOOK-003 | TODO | RUNBOOK-002 | Docs Guild | Document evidence integrity pre-flight validation. | +| 4 | RUNBOOK-004 | TODO | RUNBOOK-003 | Docs Guild | Document database backup procedures with evidence focus. | +| 5 | RUNBOOK-005 | TODO | RUNBOOK-004 | Docs Guild | Document step-by-step upgrade sequence. | +| 6 | RUNBOOK-006 | TODO | RUNBOOK-005 | Docs Guild | Document evidence reindex procedures (reference CLI sprint). | +| 7 | RUNBOOK-007 | TODO | RUNBOOK-006 | Docs Guild | Document chain-of-custody verification steps. | +| 8 | RUNBOOK-008 | TODO | RUNBOOK-007 | Docs Guild | Document post-upgrade validation checklist. | +| 9 | RUNBOOK-009 | TODO | RUNBOOK-008 | Docs Guild | Document rollback procedures with evidence considerations. | +| 10 | RUNBOOK-010 | TODO | RUNBOOK-009 | Docs Guild | Document breaking changes matrix per version. | +| 11 | RUNBOOK-011 | TODO | RUNBOOK-010 | Docs Guild | Create `docs/operations/evidence-migration.md` for detailed procedures. | +| 12 | RUNBOOK-012 | TODO | RUNBOOK-011 | Docs Guild | Document air-gap upgrade path with evidence handling. | +| 13 | RUNBOOK-013 | TODO | RUNBOOK-012 | Docs Guild | Create troubleshooting section for common upgrade issues. | +| 14 | RUNBOOK-014 | TODO | RUNBOOK-013 | Docs Guild | Add version-specific migration notes template. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: upgrade runbook with evidence continuity. | Planning | + +## Runbook Outline + +### 1. Pre-Upgrade Phase +```markdown +## Pre-Upgrade Checklist + +### 1.1 Environment Assessment +- [ ] Current version identified +- [ ] Target version confirmed compatible (see compatibility matrix) +- [ ] Resource requirements verified (CPU, memory, storage) +- [ ] Maintenance window scheduled + +### 1.2 Backup Procedures +- [ ] PostgreSQL full backup completed +- [ ] Evidence Locker export completed (all tenants) +- [ ] Attestation bundles archived +- [ ] Configuration files backed up +- [ ] Backup integrity verified + +### 1.3 Evidence Integrity Pre-Flight +- [ ] Run `stella evidence verify-all --output pre-upgrade-report.json` +- [ ] Verify all Merkle roots valid +- [ ] Export root cross-reference baseline +- [ ] Document current evidence count by type + +### 1.4 Health Checks +- [ ] All services healthy (green status) +- [ ] No pending migrations +- [ ] Queue depths at zero +- [ ] Recent scan/attestation successful +``` + +### 2. Upgrade Phase +```markdown +## Upgrade Sequence + +### 2.1 Blue/Green Preparation +- [ ] Deploy green environment with new version +- [ ] Apply database migrations (Category A: startup) +- [ ] Verify green environment health + +### 2.2 Evidence Migration +- [ ] Run `stella evidence migrate --dry-run` on green +- [ ] Review migration impact report +- [ ] Execute evidence migration if needed +- [ ] Verify evidence integrity post-migration + +### 2.3 Traffic Cutover +- [ ] Switch traffic to green (gradual or instant) +- [ ] Monitor error rates and latency +- [ ] Verify all services responding correctly +``` + +### 3. Post-Upgrade Phase +```markdown +## Post-Upgrade Validation + +### 3.1 Evidence Continuity Verification +- [ ] Run `stella evidence verify-continuity --pre pre-upgrade-report.json` +- [ ] Confirm chain-of-custody preserved +- [ ] Verify artifact digests unchanged +- [ ] Generate continuity report for audit + +### 3.2 Functional Validation +- [ ] Execute smoke test suite +- [ ] Verify scan capability +- [ ] Verify attestation generation +- [ ] Verify policy evaluation + +### 3.3 Cleanup +- [ ] Decommission blue environment (after observation period) +- [ ] Archive upgrade artifacts +- [ ] Update documentation with version +``` + +## Decisions & Risks +- Minimum observation period before blue decommission (recommend 72 hours). +- Evidence export timing (before or during maintenance window). +- Rollback trigger criteria definition. + +## Acceptance Criteria +- Complete runbook with all checklists. +- Evidence-focused procedures clearly documented. +- Rollback procedures tested and validated. +- Troubleshooting section covers common issues. + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_018_EVIDENCE_reindex_tooling.md b/docs/implplan/SPRINT_20260112_018_EVIDENCE_reindex_tooling.md new file mode 100644 index 000000000..54d1530fb --- /dev/null +++ b/docs/implplan/SPRINT_20260112_018_EVIDENCE_reindex_tooling.md @@ -0,0 +1,157 @@ +# Sprint 20260112-018-EVIDENCE-reindex-tooling - Evidence Re-Index Tooling + +## Topic & Scope +- Implement CLI tooling for evidence re-indexing and chain-of-custody verification after upgrades. +- Current state evidence: Evidence bundles exist but no re-indexing or migration tooling. +- Evidence to produce: CLI commands, migration scripts, and verification reports. +- **Working directory:** `src/Cli`, `src/EvidenceLocker`. +- **Compliance item:** Item 7 - Upgrade & evidence-migration paths. + +## Dependencies & Concurrency +- Depends on `SPRINT_20260112_016_DOCS_blue_green_deployment` for upgrade procedures. +- Parallel safe with other Evidence sprints. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/flows/13-evidence-bundle-export-flow.md` +- `docs/db/MIGRATION_STRATEGY.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | REINDEX-001 | TODO | None | CLI Guild | Add `stella evidence reindex` command skeleton. | +| 2 | REINDEX-002 | TODO | REINDEX-001 | CLI Guild | Implement `--dry-run` mode for impact assessment. | +| 3 | REINDEX-003 | TODO | REINDEX-002 | Evidence Guild | Create `IEvidenceReindexService` interface. | +| 4 | REINDEX-004 | TODO | REINDEX-003 | Evidence Guild | Implement Merkle root recomputation from existing evidence. | +| 5 | REINDEX-005 | TODO | REINDEX-004 | Evidence Guild | Create old/new root cross-reference mapping. | +| 6 | REINDEX-006 | TODO | REINDEX-005 | Evidence Guild | Implement chain-of-custody verification (old proofs still valid). | +| 7 | REINDEX-007 | TODO | REINDEX-006 | Evidence Guild | Add `stella evidence verify-continuity` command. | +| 8 | REINDEX-008 | TODO | REINDEX-007 | Evidence Guild | Generate verification report (JSON, HTML formats). | +| 9 | REINDEX-009 | TODO | REINDEX-008 | CLI Guild | Add `stella evidence migrate` command for schema migrations. | +| 10 | REINDEX-010 | TODO | REINDEX-009 | Evidence Guild | Implement batch processing with progress reporting. | +| 11 | REINDEX-011 | TODO | REINDEX-010 | Evidence Guild | Add rollback capability for failed migrations. | +| 12 | REINDEX-012 | TODO | REINDEX-011 | Testing Guild | Create unit tests for reindex operations. | +| 13 | REINDEX-013 | TODO | REINDEX-012 | Testing Guild | Create integration tests with sample evidence bundles. | +| 14 | REINDEX-014 | TODO | REINDEX-013 | Docs Guild | Document evidence migration procedures in upgrade runbook. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: evidence re-index tooling. | Planning | + +## Technical Specification + +### CLI Commands +```bash +# Dry-run reindex to assess impact +stella evidence reindex --dry-run --since 2026-01-01 + +# Execute reindex with progress +stella evidence reindex --since 2026-01-01 --batch-size 100 + +# Verify chain-of-custody after upgrade +stella evidence verify-continuity \ + --old-root sha256:abc123... \ + --new-root sha256:def456... \ + --output report.html + +# Migrate evidence schema +stella evidence migrate \ + --from-version 1.0 \ + --to-version 2.0 \ + --dry-run + +# Generate upgrade readiness report +stella evidence upgrade-check --target-version 2027.Q2 +``` + +### Reindex Service Interface +```csharp +public interface IEvidenceReindexService +{ + /// + /// Recompute Merkle roots for evidence bundles. + /// + Task ReindexAsync( + ReindexOptions options, + IProgress progress, + CancellationToken ct); + + /// + /// Verify chain-of-custody between old and new roots. + /// + Task VerifyContinuityAsync( + string oldRoot, + string newRoot, + CancellationToken ct); + + /// + /// Generate cross-reference mapping between old and new roots. + /// + Task GenerateCrossReferenceAsync( + DateTimeOffset since, + CancellationToken ct); +} +``` + +### Cross-Reference Map +```json +{ + "schemaVersion": "1.0.0", + "generatedAt": "2026-01-15T12:34:56Z", + "fromVersion": "2027.Q1", + "toVersion": "2027.Q2", + "entries": [ + { + "bundleId": "bundle-abc123", + "oldRoot": "sha256:old123...", + "newRoot": "sha256:new456...", + "evidenceCount": 15, + "verified": true, + "digestsPreserved": true + } + ], + "summary": { + "totalBundles": 1500, + "successfulMigrations": 1498, + "failedMigrations": 2, + "digestsPreserved": 1500 + } +} +``` + +### Verification Report +```html + + + + Evidence Continuity Report - 2027.Q1 to 2027.Q2 + + +

Evidence Continuity Verification Report

+

Summary

+
    +
  • Upgrade: 2027.Q1 -> 2027.Q2
    • +
  • Bundles Verified: 1500
    • +
  • Chain-of-Custody: PRESERVED
    • +
  • Artifact Digests: UNCHANGED
    • +
+

Details

+ + + +``` + +## Decisions & Risks +- Batch size tuning for large evidence stores. +- Rollback strategy for partial failures. +- Digest preservation guarantee documentation. + +## Acceptance Criteria +- Dry-run mode shows accurate impact assessment. +- Reindex completes with progress reporting. +- Continuity verification confirms chain-of-custody. +- HTML report suitable for auditor review. + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/implplan/SPRINT_20260112_018_SIGNER_dual_control_ceremonies.md b/docs/implplan/SPRINT_20260112_018_SIGNER_dual_control_ceremonies.md new file mode 100644 index 000000000..e7b251cc8 --- /dev/null +++ b/docs/implplan/SPRINT_20260112_018_SIGNER_dual_control_ceremonies.md @@ -0,0 +1,143 @@ +# Sprint 20260112-018-SIGNER-dual-control-ceremonies - Dual-Control Signing Ceremonies + +## Topic & Scope +- Implement M-of-N threshold signing ceremonies for high-assurance key operations. +- Current state evidence: Key rotation service exists but no dual-control or threshold signing. +- Evidence to produce: Ceremony protocol, approval workflow, and audit trail. +- **Working directory:** `src/Signer`. +- **Compliance item:** Item 4 - HSM / key escrow patterns. + +## Dependencies & Concurrency +- Depends on `SPRINT_20260112_017_CRYPTO_pkcs11_hsm_implementation` for HSM integration. +- Parallel safe with key escrow sprint. + +## Documentation Prerequisites +- `docs/README.md` +- `docs/modules/signer/architecture.md` +- `docs/operations/key-rotation-runbook.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | DUAL-001 | DONE | None | Signer Guild | Design M-of-N ceremony protocol specification. | +| 2 | DUAL-002 | DONE | DUAL-001 | Signer Guild | Create `ICeremonyOrchestrator` interface. | +| 3 | DUAL-003 | DONE | DUAL-002 | Signer Guild | Implement ceremony state machine (Pending, PartiallyApproved, Approved, Executed, Expired). | +| 4 | DUAL-004 | DONE | DUAL-003 | Signer Guild | Create `CeremonyApproval` record with approver identity, timestamp, and signature. | +| 5 | DUAL-005 | DONE | DUAL-004 | Signer Guild | Implement approval collection with threshold checking. | +| 6 | DUAL-006 | DONE | DUAL-005 | Signer Guild | Add ceremony timeout and expiration handling. | +| 7 | DUAL-007 | DONE | DUAL-006 | Signer Guild | Integrate with Authority for approver identity verification. | +| 8 | DUAL-008 | DONE | DUAL-007 | Signer Guild | Create ceremony audit event (`signer.ceremony.initiated`, `.approved`, `.executed`). | +| 9 | DUAL-009 | DONE | DUAL-008 | DB Guild | Create `signer.ceremonies` PostgreSQL table for state persistence. | +| 10 | DUAL-010 | TODO | DUAL-009 | API Guild | Add ceremony API endpoints (`POST /ceremonies`, `POST /ceremonies/{id}/approve`). | +| 11 | DUAL-011 | DONE | DUAL-010 | Testing Guild | Create unit tests for ceremony state machine. | +| 12 | DUAL-012 | TODO | DUAL-011 | Testing Guild | Create integration tests for multi-approver workflows. | +| 13 | DUAL-013 | TODO | DUAL-012 | Docs Guild | Create dual-control ceremony runbook. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2026-01-15 | Sprint created for compliance readiness gap: dual-control signing ceremonies. | Planning | +| 2026-01-15 | DUAL-001: Protocol specification embedded in sprint. DUAL-002: Created ICeremonyOrchestrator interface with CreateCeremonyAsync, ApproveCeremonyAsync, GetCeremonyAsync, ListCeremoniesAsync, ExecuteCeremonyAsync, CancelCeremonyAsync, ProcessExpiredCeremoniesAsync methods. Added CeremonyFilter for list queries. DUAL-003: Created CeremonyStateMachine with IsValidTransition, ComputeStateAfterApproval, CanAcceptApproval, CanExecute, CanCancel, IsTerminalState, GetStateDescription methods. DUAL-004: Created CeremonyApproval record with ApprovalId, CeremonyId, ApproverIdentity, ApprovedAt, ApprovalSignature, ApprovalReason, SigningKeyId, SignatureAlgorithm. DUAL-005/006: Implemented CeremonyOrchestrator with threshold checking, expiration handling via ProcessExpiredCeremoniesAsync. DUAL-007: Created ICeremonyApproverValidator interface and ApproverValidationResult for Authority integration. DUAL-008: Created CeremonyAuditEvents constants and event records (CeremonyInitiatedEvent, CeremonyApprovedEvent, CeremonyExecutedEvent, CeremonyExpiredEvent, CeremonyCancelledEvent, CeremonyApprovalRejectedEvent). DUAL-009: Created ICeremonyRepository interface. DUAL-011: Created CeremonyStateMachineTests with 50+ test cases for state transitions, approval computation, and state queries. | Agent | + +## Technical Specification + +### Ceremony Protocol +``` +1. Initiator creates ceremony request with operation details +2. System notifies required approvers +3. Each approver authenticates and provides approval + signature +4. System collects approvals until M-of-N threshold reached +5. Operation executes with audit trail +6. Ceremony marked complete with all approvals recorded +``` + +### Ceremony State Machine +``` + +----------------+ + | Pending | + +-------+--------+ + | + (approval received) + v + +----------------------+ + | PartiallyApproved | + +----------+-----------+ + | + (threshold reached OR timeout) + | + +---------+---------+ + v v + +-----------+ +-----------+ + | Approved | | Expired | + +-----+-----+ +-----------+ + | + (execution) + v + +-----------+ + | Executed | + +-----------+ +``` + +### Database Schema +```sql +CREATE TABLE signer.ceremonies ( + ceremony_id UUID PRIMARY KEY DEFAULT gen_random_uuid(), + operation_type TEXT NOT NULL, -- key_generation, key_rotation, key_revocation + operation_payload JSONB NOT NULL, + threshold_required INT NOT NULL, + threshold_reached INT NOT NULL DEFAULT 0, + state TEXT NOT NULL DEFAULT 'pending', + initiated_by TEXT NOT NULL, + initiated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + expires_at TIMESTAMPTZ NOT NULL, + executed_at TIMESTAMPTZ, + + CONSTRAINT valid_state CHECK (state IN ('pending', 'partially_approved', 'approved', 'executed', 'expired')) +); + +CREATE TABLE signer.ceremony_approvals ( + approval_id UUID PRIMARY KEY DEFAULT gen_random_uuid(), + ceremony_id UUID NOT NULL REFERENCES signer.ceremonies(ceremony_id), + approver_identity TEXT NOT NULL, + approved_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + approval_signature BYTEA NOT NULL, + approval_reason TEXT, + + UNIQUE(ceremony_id, approver_identity) +); +``` + +### Configuration +```yaml +signer: + ceremonies: + enabled: true + defaultThreshold: 2 + expirationMinutes: 60 + operations: + key_generation: + threshold: 3 + requiredRoles: ["crypto-custodian"] + key_rotation: + threshold: 2 + requiredRoles: ["crypto-custodian", "security-admin"] + key_revocation: + threshold: 2 + requiredRoles: ["crypto-custodian"] + notifications: + channels: ["email", "slack"] +``` + +## Decisions & Risks +- Threshold signing vs approval collection (approval is simpler, threshold signing is cryptographically stronger). +- Ceremony timeout to prevent indefinite pending operations. +- Approver identity must be verified via Authority. + +## Acceptance Criteria +- 2-of-3 ceremony workflow demonstrated. +- Audit trail captures all approvals with signatures. +- Expired ceremonies handled gracefully. +- Runbook with step-by-step ceremony instructions. + +## Next Checkpoints +- TBD (set once staffed). diff --git a/docs/modules/advisory-ai/guides/api.md b/docs/modules/advisory-ai/guides/api.md index c92cc6a75..8a148f09a 100644 --- a/docs/modules/advisory-ai/guides/api.md +++ b/docs/modules/advisory-ai/guides/api.md @@ -143,14 +143,62 @@ Produce remediation plan with fix versions and verification steps. - **Response extensions:** `content.format` Markdown plus `context.remediation` with recommended fix versions (`package`, `fixedVersion`, `rationale`). - **Errors:** `422 advisory.remediation.noFixAvailable` (vendor has not published fix), `409 advisory.remediation.policyHold` (policy forbids automated remediation). -### 7.4 `GET /v1/advisory-ai/outputs/{{outputHash}}` +### 7.4 `POST /v1/advisory-ai/remediation/apply` + +Apply a remediation plan by creating a PR/MR in the target SCM. Requires `advisory-ai:operate` and tenant SCM connector configuration. + +- **Request body:** +```json +{ + "planId": "plan-abc123", + "scmType": "github" +} +``` +- **Response:** +```json +{ + "prId": "gh-pr-42", + "prNumber": 42, + "url": "https://github.com/owner/repo/pull/42", + "branchName": "stellaops/security-fix/plan-abc123", + "status": "Open", + "statusMessage": "Pull request created successfully", + "prBody": "## Security Remediation\n\n**Plan ID:** `plan-abc123`\n...", + "createdAt": "2026-01-14T12:00:00Z", + "updatedAt": "2026-01-14T12:00:00Z" +} +``` +- **PR body includes:** + - Summary with vulnerability and component info + - Remediation steps (file changes) + - Expected SBOM changes (upgrades, additions, removals) + - Test requirements + - Rollback steps + - VEX claim context + - Evidence references +- **Supported SCM types:** `github`, `gitlab`, `azure-devops`, `gitea` +- **Errors:** + - `404 remediation.planNotFound` – plan does not exist + - `400 remediation.scmTypeNotSupported` – requested SCM type not configured + - `409 remediation.planNotReady` – plan is not PR-ready (see `notReadyReason`) + - `502 remediation.scmError` – SCM connector error (branch/file/PR creation failed) + +### 7.5 `GET /v1/advisory-ai/remediation/status/{prId}` + +Check the status of a PR created by the remediation apply endpoint. + +- **Query parameters:** `scmType` (optional, defaults to `github`) +- **Response:** Same envelope as `POST /remediation/apply` +- **Errors:** `404 remediation.prNotFound` + +### 7.6 `GET /v1/advisory-ai/outputs/{{outputHash}}` Fetch cached artefact (same envelope as §6). Requires `advisory-ai:view`. - **Headers:** Supports `If-None-Match` with the `outputHash` (Etag) for cache validation. - **Errors:** `404 advisory.output.notFound` if cache expired or tenant lacks access. -### 7.5 `GET /v1/advisory-ai/plans/{{cacheKey}}` (optional) +### 7.7 `GET /v1/advisory-ai/plans/{{cacheKey}}` (optional) When plan preview is enabled (feature flag `advisoryAi.planPreview.enabled`), this endpoint returns the orchestration plan using `AdvisoryPipelinePlanResponse` (task metadata, chunk/vector counts). Requires `advisory-ai:operate`. @@ -208,3 +256,4 @@ Limits are enforced at the gateway; the API returns `429` with standard `Retry-A | Date (UTC) | Change | |------------|--------| | 2025-11-03 | Initial sprint-110 preview covering summary/conflict/remediation endpoints, cache retrieval, plan preview, and error/rate limit model. | +| 2026-01-14 | Added PR generation endpoints (7.4, 7.5): `POST /remediation/apply` and `GET /remediation/status/{prId}`. PR body includes security remediation template with steps, expected changes, tests, rollback, VEX claim. Supported SCM types: github, gitlab, azure-devops, gitea. (SPRINT_20260112_007_BE_remediation_pr_generator) | diff --git a/docs/modules/attestor/architecture.md b/docs/modules/attestor/architecture.md index 38cb2d26b..884369a38 100644 --- a/docs/modules/attestor/architecture.md +++ b/docs/modules/attestor/architecture.md @@ -1,20 +1,20 @@ -# component_architecture_attestor.md — **Stella Ops Attestor** (2025Q4) +# component_architecture_attestor.md — **Stella Ops Attestor** (2025Q4) -> Derived from Epic 19 – Attestor Console with provenance hooks aligned to the Export Center bundle workflows scoped in Epic 10. +> Derived from Epic 19 – Attestor Console with provenance hooks aligned to the Export Center bundle workflows scoped in Epic 10. -> **Scope.** Implementation‑ready architecture for the **Attestor**: the service that **submits** DSSE envelopes to **Rekor v2**, retrieves/validates inclusion proofs, caches results, and exposes verification APIs. It accepts DSSE **only** from the **Signer** over mTLS, enforces chain‑of‑trust to Stella Ops roots, and returns `{uuid, index, proof, logURL}` to calling services (Scanner.WebService for SBOMs; backend for final reports; Excititor exports when configured). +> **Scope.** Implementation‑ready architecture for the **Attestor**: the service that **submits** DSSE envelopes to **Rekor v2**, retrieves/validates inclusion proofs, caches results, and exposes verification APIs. It accepts DSSE **only** from the **Signer** over mTLS, enforces chain‑of‑trust to Stella Ops roots, and returns `{uuid, index, proof, logURL}` to calling services (Scanner.WebService for SBOMs; backend for final reports; Excititor exports when configured). --- ## 0) Mission & boundaries -**Mission.** Turn a signed DSSE envelope from the Signer into a **transparency‑logged, verifiable fact** with a durable, replayable proof (Merkle inclusion + (optional) checkpoint anchoring). Provide **fast verification** for downstream consumers and a stable retrieval interface for UI/CLI. +**Mission.** Turn a signed DSSE envelope from the Signer into a **transparency‑logged, verifiable fact** with a durable, replayable proof (Merkle inclusion + (optional) checkpoint anchoring). Provide **fast verification** for downstream consumers and a stable retrieval interface for UI/CLI. **Boundaries.** -* Attestor **does not sign**; it **must not** accept unsigned or third‑party‑signed bundles. +* Attestor **does not sign**; it **must not** accept unsigned or third‑party‑signed bundles. * Attestor **does not decide PASS/FAIL**; it logs attestations for SBOMs, reports, and export artifacts. -* Rekor v2 backends may be **local** (self‑hosted) or **remote**; Attestor handles both with retries, backoff, and idempotency. +* Rekor v2 backends may be **local** (self‑hosted) or **remote**; Attestor handles both with retries, backoff, and idempotency. --- @@ -24,22 +24,22 @@ **Dependencies:** -* **Signer** (caller) — authenticated via **mTLS** and **Authority** OpToks. -* **Rekor v2** — tile‑backed transparency log endpoint(s). -* **RustFS (S3-compatible)** — optional archive store for DSSE envelopes & verification bundles. -* **PostgreSQL** — local cache of `{uuid, index, proof, artifactSha256, bundleSha256}`; job state; audit. -* **Valkey** — dedupe/idempotency keys and short‑lived rate‑limit buckets. -* **Licensing Service (optional)** — “endorse” call for cross‑log publishing when customer opts‑in. +* **Signer** (caller) — authenticated via **mTLS** and **Authority** OpToks. +* **Rekor v2** — tile‑backed transparency log endpoint(s). +* **RustFS (S3-compatible)** — optional archive store for DSSE envelopes & verification bundles. +* **PostgreSQL** — local cache of `{uuid, index, proof, artifactSha256, bundleSha256}`; job state; audit. +* **Valkey** — dedupe/idempotency keys and short‑lived rate‑limit buckets. +* **Licensing Service (optional)** — “endorse” call for cross‑log publishing when customer opts‑in. Trust boundary: **Only the Signer** is allowed to call submission endpoints; enforced by **mTLS peer cert allowlist** + `aud=attestor` OpTok. --- ### Roles, identities & scopes -- **Subjects** — immutable digests for artifacts (container images, SBOMs, reports) referenced in DSSE envelopes. -- **Issuers** — authenticated builders/scanners/policy engines signing evidence; tracked with mode (`keyless`, `kms`, `hsm`, `fido2`) and tenant scope. -- **Consumers** — Scanner, Export Center, CLI, Console, Policy Engine that verify proofs using Attestor APIs. -- **Authority scopes** — `attestor.write`, `attestor.verify`, `attestor.read`, and administrative scopes for key management; all calls mTLS/DPoP-bound. +- **Subjects** — immutable digests for artifacts (container images, SBOMs, reports) referenced in DSSE envelopes. +- **Issuers** — authenticated builders/scanners/policy engines signing evidence; tracked with mode (`keyless`, `kms`, `hsm`, `fido2`) and tenant scope. +- **Consumers** — Scanner, Export Center, CLI, Console, Policy Engine that verify proofs using Attestor APIs. +- **Authority scopes** — `attestor.write`, `attestor.verify`, `attestor.read`, and administrative scopes for key management; all calls mTLS/DPoP-bound. ### Supported predicate types - `StellaOps.BuildProvenance@1` @@ -75,9 +75,9 @@ Each predicate embeds subject digests, issuer metadata, policy context, material The Attestor implements RFC 6962-compliant Merkle inclusion proof verification for Rekor transparency log entries: **Components:** -- `MerkleProofVerifier` — Verifies Merkle audit paths per RFC 6962 Section 2.1.1 -- `CheckpointSignatureVerifier` — Parses and verifies Rekor checkpoint signatures (ECDSA/Ed25519) -- `RekorVerificationOptions` — Configuration for public keys, offline mode, and checkpoint caching +- `MerkleProofVerifier` — Verifies Merkle audit paths per RFC 6962 Section 2.1.1 +- `CheckpointSignatureVerifier` — Parses and verifies Rekor checkpoint signatures (ECDSA/Ed25519) +- `RekorVerificationOptions` — Configuration for public keys, offline mode, and checkpoint caching **Verification Flow:** 1. Parse checkpoint body (origin, tree size, root hash) @@ -92,10 +92,10 @@ The Attestor implements RFC 6962-compliant Merkle inclusion proof verification f - `AllowOfflineWithoutSignature` for fully disconnected scenarios (reduced security) **Metrics:** -- `attestor.rekor_inclusion_verify_total` — Verification attempts by result -- `attestor.rekor_checkpoint_verify_total` — Checkpoint signature verifications -- `attestor.rekor_offline_verify_total` — Offline mode verifications -- `attestor.rekor_checkpoint_cache_hits/misses` — Checkpoint cache performance +- `attestor.rekor_inclusion_verify_total` — Verification attempts by result +- `attestor.rekor_checkpoint_verify_total` — Checkpoint signature verifications +- `attestor.rekor_offline_verify_total` — Offline mode verifications +- `attestor.rekor_checkpoint_cache_hits/misses` — Checkpoint cache performance ### UI & CLI touchpoints - Console: Evidence browser, verification report, chain-of-custody graph, issuer/key management, attestation workbench, bulk verification views. @@ -103,9 +103,9 @@ The Attestor implements RFC 6962-compliant Merkle inclusion proof verification f - SDKs expose sign/verify primitives for build pipelines. ### Performance & observability targets -- Throughput goal: ≥1 000 envelopes/minute per worker with cached verification. +- Throughput goal: ≥1 000 envelopes/minute per worker with cached verification. - Metrics: `attestor_submission_total`, `attestor_verify_seconds`, `attestor_rekor_latency_seconds`, `attestor_cache_hit_ratio`. -- Logs include `tenant`, `issuer`, `subjectDigest`, `rekorUuid`, `proofStatus`; traces cover submission → Rekor → cache → response path. +- Logs include `tenant`, `issuer`, `subjectDigest`, `rekorUuid`, `proofStatus`; traces cover submission → Rekor → cache → response path. --- @@ -171,8 +171,8 @@ Database: `attestor` Indexes: * `entries`: indexes on `artifact_sha256`, `bundle_sha256`, `created_at`, and composite `(status, created_at DESC)`. -* `dedupe`: unique index on `key`; scheduled job cleans rows where `ttl_at < NOW()` (24–48h retention). -* `audit`: index on `ts` for time‑range queries. +* `dedupe`: unique index on `key`; scheduled job cleans rows where `ttl_at < NOW()` (24–48h retention). +* `audit`: index on `ts` for time‑range queries. --- @@ -330,10 +330,10 @@ SBOM-to-component linkage metadata. **Attestor accepts only** DSSE envelopes that satisfy all of: -1. **mTLS** peer certificate maps to `signer` service (CA‑pinned). +1. **mTLS** peer certificate maps to `signer` service (CA‑pinned). 2. **Authority** OpTok with `aud=attestor`, `scope=attestor.write`, DPoP or mTLS bound. -3. DSSE envelope is **signed by the Signer’s key** (or includes a **Fulcio‑issued** cert chain) and **chains to configured roots** (Fulcio/KMS). -4. **Predicate type** is one of Stella Ops types (sbom/report/vex‑export) with valid schema. +3. DSSE envelope is **signed by the Signer’s key** (or includes a **Fulcio‑issued** cert chain) and **chains to configured roots** (Fulcio/KMS). +4. **Predicate type** is one of Stella Ops types (sbom/report/vex‑export) with valid schema. 5. `subject[*].digest.sha256` is present and canonicalized. **Wire shape (JSON):** @@ -360,7 +360,7 @@ SBOM-to-component linkage metadata. `POST /api/v1/attestations:sign` *(mTLS + OpTok required)* -* **Purpose**: Deterministically wrap Stella Ops payloads in DSSE envelopes before Rekor submission. Reuses the submission rate limiter and honours caller tenancy/audience scopes. +* **Purpose**: Deterministically wrap Stella Ops payloads in DSSE envelopes before Rekor submission. Reuses the submission rate limiter and honours caller tenancy/audience scopes. * **Body**: ```json @@ -383,7 +383,7 @@ SBOM-to-component linkage metadata. * **Behaviour**: * Resolve the signing key from `attestor.signing.keys[]` (includes algorithm, provider, and optional KMS version). - * Compute DSSE pre‑authentication encoding, sign with the resolved provider (default EC, BouncyCastle Ed25519, or File‑KMS ES256), and add static + request certificate chains. + * Compute DSSE pre‑authentication encoding, sign with the resolved provider (default EC, BouncyCastle Ed25519, or File‑KMS ES256), and add static + request certificate chains. * Canonicalise the resulting bundle, derive `bundleSha256`, and mirror the request meta shape used by `/api/v1/rekor/entries`. * Emit `attestor.sign_total{result,algorithm,provider}` and `attestor.sign_latency_seconds{algorithm,provider}` metrics and append an audit row (`action=sign`). * **Response 200**: @@ -415,13 +415,13 @@ SBOM-to-component linkage metadata. ```json { - "uuid": "…", + "uuid": "…", "index": 123456, "proof": { - "checkpoint": { "origin": "rekor@site", "size": 987654, "rootHash": "…", "timestamp": "…" }, - "inclusion": { "leafHash": "…", "path": ["…","…"] } + "checkpoint": { "origin": "rekor@site", "size": 987654, "rootHash": "…", "timestamp": "…" }, + "inclusion": { "leafHash": "…", "path": ["…","…"] } }, - "logURL": "https://rekor…/api/v2/log/…/entries/…", + "logURL": "https://rekor…/api/v2/log/…/entries/…", "status": "included" } ``` @@ -434,28 +434,28 @@ SBOM-to-component linkage metadata. * Returns `entries` row (refreshes proof from Rekor if stale/missing). * Accepts `?refresh=true` to force backend query. -### 4.4 Verification (third‑party or internal) +### 4.4 Verification (third‑party or internal) `POST /api/v1/rekor/verify` * **Body** (one of): - * `{ "uuid": "…" }` - * `{ "bundle": { …DSSE… } }` - * `{ "artifactSha256": "…" }` *(looks up most recent entry)* + * `{ "uuid": "…" }` + * `{ "bundle": { …DSSE… } }` + * `{ "artifactSha256": "…" }` *(looks up most recent entry)* * **Checks**: - 1. **Bundle signature** → cert chain to Fulcio/KMS roots configured. - 2. **Inclusion proof** → recompute leaf hash; verify Merkle path against checkpoint root. + 1. **Bundle signature** → cert chain to Fulcio/KMS roots configured. + 2. **Inclusion proof** → recompute leaf hash; verify Merkle path against checkpoint root. 3. Optionally verify **checkpoint** against local trust anchors (if Rekor signs checkpoints). - 4. Confirm **subject.digest** matches caller‑provided hash (when given). + 4. Confirm **subject.digest** matches caller‑provided hash (when given). 5. Fetch **transparency witness** statement when enabled; cache results and downgrade status to WARN when endorsements are missing or mismatched. * **Response**: ```json - { "ok": true, "uuid": "…", "index": 123, "logURL": "…", "checkedAt": "…" } + { "ok": true, "uuid": "…", "index": 123, "logURL": "…", "checkedAt": "…" } ``` ### 4.5 Bulk verification @@ -464,11 +464,11 @@ SBOM-to-component linkage metadata. `GET /api/v1/rekor/verify:bulk/{jobId}` returns progress and per-item results (subject/uuid, status, issues, cached verification report if available). Jobs are tenant- and subject-scoped; only the initiating principal can read their progress. -**Worker path:** `BulkVerificationWorker` claims queued jobs (`status=queued → running`), executes items sequentially through the cached verification service, updates progress counters, and records metrics: +**Worker path:** `BulkVerificationWorker` claims queued jobs (`status=queued → running`), executes items sequentially through the cached verification service, updates progress counters, and records metrics: -- `attestor.bulk_jobs_total{status}` – completed/failed jobs -- `attestor.bulk_job_duration_seconds{status}` – job runtime -- `attestor.bulk_items_total{status}` – per-item outcomes (`succeeded`, `verification_failed`, `exception`) +- `attestor.bulk_jobs_total{status}` – completed/failed jobs +- `attestor.bulk_job_duration_seconds{status}` – job runtime +- `attestor.bulk_items_total{status}` – per-item outcomes (`succeeded`, `verification_failed`, `exception`) The worker honours `bulkVerification.itemDelayMilliseconds` for throttling and reschedules persistence conflicts with optimistic version checks. Results hydrate the verification cache; failed items record the error reason without aborting the overall job. @@ -478,7 +478,7 @@ The worker honours `bulkVerification.itemDelayMilliseconds` for throttling and r * **Canonicalization**: DSSE envelopes are **normalized** (stable JSON ordering, no insignificant whitespace) before hashing and submission. * **Transport**: HTTP/2 with retries (exponential backoff, jitter), budgeted timeouts. -* **Idempotency**: if backend returns “already exists,” map to existing `uuid`. +* **Idempotency**: if backend returns “already exists,” map to existing `uuid`. * **Proof acquisition**: * In synchronous mode, poll the log for inclusion up to `proofTimeoutMs`. @@ -486,25 +486,25 @@ The worker honours `bulkVerification.itemDelayMilliseconds` for throttling and r * **Mirrors/dual logs**: * When `logPreference="both"`, submit to primary and mirror; store **both** UUIDs (primary canonical). - * Optional **cloud endorsement**: POST to the Stella Ops cloud `/attest/endorse` with `{uuid, artifactSha256}`; store returned endorsement id. + * Optional **cloud endorsement**: POST to the Stella Ops cloud `/attest/endorse` with `{uuid, artifactSha256}`; store returned endorsement id. --- ## 6) Security model -* **mTLS required** for submission from **Signer** (CA‑pinned). +* **mTLS required** for submission from **Signer** (CA‑pinned). * **Authority token** with `aud=attestor` and DPoP/mTLS binding must be presented; Attestor verifies both. * **Bundle acceptance policy**: * DSSE signature must chain to the configured **Fulcio** (keyless) or **KMS/HSM** roots. * SAN (Subject Alternative Name) must match **Signer identity** policy (e.g., `urn:stellaops:signer` or pinned OIDC issuer). * Predicate `predicateType` must be on allowlist (sbom/report/vex-export). - * `subject.digest.sha256` values must be present and well‑formed (hex). + * `subject.digest.sha256` values must be present and well‑formed (hex). * **No public submission** path. **Never** accept bundles from untrusted clients. * **Client certificate allowlists**: optional `security.mtls.allowedSubjects` / `allowedThumbprints` tighten peer identity checks beyond CA pinning. * **Rate limits**: token-bucket per caller derived from `quotas.perCaller` (QPS/burst) returns `429` + `Retry-After` when exceeded. * **Scope enforcement**: API separates `attestor.write`, `attestor.verify`, and `attestor.read` policies; verification/list endpoints accept read or verify scopes while submission endpoints remain write-only. -* **Request hygiene**: JSON content-type is mandatory (415 returned otherwise); DSSE payloads are capped (default 2 MiB), certificate chains limited to six entries, and signatures to six per envelope to mitigate parsing abuse. +* **Request hygiene**: JSON content-type is mandatory (415 returned otherwise); DSSE payloads are capped (default 2 MiB), certificate chains limited to six entries, and signatures to six per envelope to mitigate parsing abuse. * **Redaction**: Attestor never logs secret material; DSSE payloads **should** be public by design (SBOMs/reports). If customers require redaction, enforce policy at Signer (predicate minimization) **before** Attestor. --- @@ -542,8 +542,8 @@ The worker honours `bulkVerification.itemDelayMilliseconds` for throttling and r SLO guardrails: -* `attestor.verify_latency_seconds` P95 ≤ 2 s per policy. -* `attestor.verify_total{result="failed"}` ≤ 1 % of `attestor.verify_total` over 30 min rolling windows. +* `attestor.verify_latency_seconds` P95 ≤ 2 s per policy. +* `attestor.verify_total{result="failed"}` ≤ 1 % of `attestor.verify_total` over 30 min rolling windows. **Correlation**: @@ -636,7 +636,7 @@ attestor: --- -## 10) End‑to‑end sequences +## 10) End‑to‑end sequences **A) Submit & include (happy path)** @@ -695,19 +695,19 @@ sequenceDiagram * Stateless; scale horizontally. * **Targets**: - * Submit+proof P95 ≤ **300 ms** (warm log; local Rekor). - * Verify P95 ≤ **30 ms** from cache; ≤ **120 ms** with live proof fetch. + * Submit+proof P95 ≤ **300 ms** (warm log; local Rekor). + * Verify P95 ≤ **30 ms** from cache; ≤ **120 ms** with live proof fetch. * 1k submissions/minute per replica sustained. -* **Hot caches**: `dedupe` (bundle hash → uuid), recent `entries` by artifact sha256. +* **Hot caches**: `dedupe` (bundle hash → uuid), recent `entries` by artifact sha256. --- ## 13) Testing matrix * **Happy path**: valid DSSE, inclusion within timeout. -* **Idempotency**: resubmit same `bundleSha256` → same `uuid`. -* **Security**: reject non‑Signer mTLS, wrong `aud`, DPoP replay, untrusted cert chain, forbidden predicateType. -* **Rekor variants**: promise‑then‑proof, proof delayed, mirror dual‑submit, mirror failure. +* **Idempotency**: resubmit same `bundleSha256` → same `uuid`. +* **Security**: reject non‑Signer mTLS, wrong `aud`, DPoP replay, untrusted cert chain, forbidden predicateType. +* **Rekor variants**: promise‑then‑proof, proof delayed, mirror dual‑submit, mirror failure. * **Verification**: corrupt leaf path, wrong root, tampered bundle. * **Throughput**: soak test with 10k submissions; latency SLOs, zero drops. @@ -718,16 +718,16 @@ sequenceDiagram * Language: **.NET 10** minimal API; `HttpClient` with **sockets handler** tuned for HTTP/2. * JSON: **canonical writer** for DSSE payload hashing. * Crypto: use **BouncyCastle**/**System.Security.Cryptography**; PEM parsing for cert chains. -* Rekor client: pluggable driver; treat backend errors as retryable/non‑retryable with granular mapping. -* Safety: size caps on bundles; decompress bombs guarded; strict UTF‑8. +* Rekor client: pluggable driver; treat backend errors as retryable/non‑retryable with granular mapping. +* Safety: size caps on bundles; decompress bombs guarded; strict UTF‑8. * CLI integration: `stellaops verify attestation ` calls `/rekor/verify`. --- ## 15) Optional features -* **Dual‑log** write (primary + mirror) and **cross‑log proof** packaging. -* **Cloud endorsement**: send `{uuid, artifactSha256}` to Stella Ops cloud; store returned endorsement id for marketing/chain‑of‑custody. +* **Dual‑log** write (primary + mirror) and **cross‑log proof** packaging. +* **Cloud endorsement**: send `{uuid, artifactSha256}` to Stella Ops cloud; store returned endorsement id for marketing/chain‑of‑custody. * **Checkpoint pinning**: periodically pin latest Rekor checkpoints to an external audit store for independent monitoring. --- @@ -739,3 +739,54 @@ sequenceDiagram - Health endpoints: `/health/liveness`, `/health/readiness`, `/status`; verification probe `/api/attestations/verify` once demo bundle is available (see runbook). - Alert hints: signing latency > 1s p99, verification failure spikes, tlog submission lag >10s, key rotation age over policy threshold, backlog above configured threshold. + +--- + +## 17) Rekor Entry Events + +> Sprint: SPRINT_20260112_007_ATTESTOR_rekor_entry_events + +Attestor emits deterministic events when DSSE bundles are logged to Rekor and inclusion proofs become available. These events drive policy reanalysis. + +### Event Types + +| Event Type | Constant | Description | +|------------|----------|-------------| +| `rekor.entry.logged` | `RekorEventTypes.EntryLogged` | Bundle successfully logged with inclusion proof | +| `rekor.entry.queued` | `RekorEventTypes.EntryQueued` | Bundle queued for logging (async mode) | +| `rekor.entry.inclusion_verified` | `RekorEventTypes.InclusionVerified` | Inclusion proof independently verified | +| `rekor.entry.failed` | `RekorEventTypes.EntryFailed` | Logging or verification failed | + +### RekorEntryEvent Schema + +```jsonc +{ + "eventId": "rekor-evt-sha256:...", + "eventType": "rekor.entry.logged", + "tenant": "default", + "bundleDigest": "sha256:abc123...", + "artifactDigest": "sha256:def456...", + "predicateType": "StellaOps.ScanResults@1", + "rekorEntry": { + "uuid": "24296fb24b8ad77a...", + "logIndex": 123456789, + "logUrl": "https://rekor.sigstore.dev", + "integratedTime": "2026-01-15T10:30:02Z" + }, + "reanalysisHints": { + "cveIds": ["CVE-2026-1234"], + "productKeys": ["pkg:npm/lodash@4.17.21"], + "mayAffectDecision": true, + "reanalysisScope": "immediate" + }, + "occurredAtUtc": "2026-01-15T10:30:05Z" +} +``` + +### Offline Mode Behavior + +When operating in offline/air-gapped mode: +1. Events are not emitted when Rekor is unreachable +2. Bundles are queued locally for later submission +3. Verification uses bundled checkpoints +4. Events are generated when connectivity is restored diff --git a/docs/modules/authority/operations/break-glass-account.md b/docs/modules/authority/operations/break-glass-account.md new file mode 100644 index 000000000..40efa0a00 --- /dev/null +++ b/docs/modules/authority/operations/break-glass-account.md @@ -0,0 +1,330 @@ +# Break-Glass Account Operations + +This document describes the break-glass emergency access mechanism for Stella Ops Authority when normal authentication is unavailable. + +## Overview + +Break-glass accounts provide emergency administrative access when: +- PostgreSQL database is unavailable +- Identity provider (IdP) is unreachable +- Network partition isolates Authority service +- Disaster recovery scenarios + +## Security Model + +### Activation Requirements + +| Requirement | Description | +|-------------|-------------| +| Reason code | Mandatory selection from approved list | +| Reason details | Free-text justification (logged) | +| Time limit | Maximum 15 minutes per session | +| Extensions | Maximum 2 extensions with re-authentication | +| Alert dispatch | Immediate notification to security team | + +### Approved Reason Codes + +| Code | Description | Use Case | +|------|-------------|----------| +| `emergency-incident` | Active security incident | Security team responding to breach | +| `database-outage` | PostgreSQL unavailable | DBA performing recovery | +| `security-event` | Proactive security response | Patching critical vulnerability | +| `scheduled-maintenance` | Planned maintenance window | Pre-approved maintenance | +| `disaster-recovery` | DR scenario activation | DR team executing runbook | + +## Configuration + +### Local Policy File + +```yaml +# /etc/stellaops/authority/local-policy.yaml +schemaVersion: "1.0.0" +lastUpdated: "2026-01-15T12:00:00Z" + +breakGlass: + enabled: true + accounts: + - id: "break-glass-admin" + name: "Emergency Administrator" + passwordHash: "$argon2id$v=19$m=65536,t=3,p=4$..." + roles: ["admin"] + permissions: + - "authority:*" + - "platform:admin" + - "orch:operate" + sessionTimeoutMinutes: 15 + maxExtensions: 2 + requireReasonCode: true + allowedReasonCodes: + - "emergency-incident" + - "database-outage" + - "security-event" + - "scheduled-maintenance" + - "disaster-recovery" + + - id: "break-glass-readonly" + name: "Emergency Read-Only" + passwordHash: "$argon2id$v=19$m=65536,t=3,p=4$..." + roles: ["auditor"] + permissions: + - "audit:read" + - "obs:incident" + sessionTimeoutMinutes: 30 + maxExtensions: 1 + requireReasonCode: true + allowedReasonCodes: + - "emergency-incident" + - "security-event" + +alerting: + onActivation: true + channels: + - type: "email" + recipients: ["security@company.com", "oncall@company.com"] + - type: "slack" + webhook: "${SLACK_SECURITY_WEBHOOK}" + - type: "pagerduty" + serviceKey: "${PAGERDUTY_SERVICE_KEY}" +``` + +### Password Generation + +```bash +# Generate Argon2id hash for break-glass password +# Use a strong, unique password stored securely offline + +# Option 1: Using argon2 CLI +echo -n "StrongBreakGlassPassword123!" | argon2 "$(openssl rand -hex 16)" -id -t 3 -m 16 -p 4 -e + +# Option 2: Using Python +python3 << 'EOF' +from argon2 import PasswordHasher +ph = PasswordHasher(time_cost=3, memory_cost=65536, parallelism=4) +hash = ph.hash("StrongBreakGlassPassword123!") +print(hash) +EOF +``` + +### Secure Storage + +Break-glass credentials should be: +1. Stored in a physical safe (not digital-only) +2. Split between multiple custodians (M-of-N) +3. Sealed with tamper-evident packaging +4. Inventoried and audited quarterly + +## Activation Procedure + +### Step 1: Initiate Break-Glass + +```bash +# Via CLI +stella auth break-glass \ + --account break-glass-admin \ + --reason emergency-incident \ + --details "PostgreSQL cluster unreachable, DBA on-call" + +# Via API +curl -X POST https://authority.company.com/auth/break-glass \ + -H "Content-Type: application/json" \ + -d '{ + "accountId": "break-glass-admin", + "password": "StrongBreakGlassPassword123!", + "reasonCode": "emergency-incident", + "reasonDetails": "PostgreSQL cluster unreachable, DBA on-call" + }' +``` + +### Step 2: Receive Session Token + +```json +{ + "sessionId": "bg-session-abc123", + "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...", + "expiresAt": "2026-01-15T12:49:56Z", + "permissions": ["authority:*", "platform:admin", "orch:operate"], + "extensionsRemaining": 2 +} +``` + +### Step 3: Perform Emergency Operations + +```bash +# Use session token for operations +stella --token "${BG_TOKEN}" system status +stella --token "${BG_TOKEN}" service restart authority +``` + +### Step 4: Extend Session (If Needed) + +```bash +# Extend session before expiration +stella auth break-glass extend \ + --session bg-session-abc123 \ + --reason "Recovery still in progress" +``` + +### Step 5: Terminate Session + +```bash +# Always explicitly terminate when done +stella auth break-glass terminate \ + --session bg-session-abc123 \ + --resolution "Database recovered, normal auth restored" +``` + +## Audit Trail + +### Event Types + +| Event | Description | Severity | +|-------|-------------|----------| +| `break_glass.activated` | Session started | WARNING | +| `break_glass.extended` | Session extended | WARNING | +| `break_glass.terminated` | Session ended | INFO | +| `break_glass.expired` | Session timed out | WARNING | +| `break_glass.action` | Action performed | INFO | +| `break_glass.denied` | Access denied | ERROR | + +### Sample Audit Entry + +```json +{ + "eventType": "authority.break_glass.activated", + "timestamp": "2026-01-15T12:34:56.789Z", + "severity": "warning", + "session": { + "id": "bg-session-abc123", + "accountId": "break-glass-admin", + "reasonCode": "database-outage", + "reasonDetails": "PostgreSQL cluster unreachable, DBA on-call" + }, + "client": { + "ip": "10.0.0.5", + "userAgent": "StellaOps-CLI/2027.Q1" + }, + "timing": { + "activatedAt": "2026-01-15T12:34:56Z", + "expiresAt": "2026-01-15T12:49:56Z", + "extensionsRemaining": 2 + } +} +``` + +### Audit Query + +```bash +# Query break-glass audit events +stella audit query \ + --type "break_glass.*" \ + --since "2026-01-01" \ + --format json + +# Generate break-glass usage report +stella audit report break-glass \ + --period monthly \ + --output break-glass-report.pdf +``` + +## Alert Configuration + +### Email Template + +``` +Subject: [ALERT] Break-Glass Access Activated - ${REASON_CODE} + +A break-glass account has been activated: + +Account: ${ACCOUNT_ID} +Reason: ${REASON_CODE} +Details: ${REASON_DETAILS} + +Session ID: ${SESSION_ID} +Activated: ${ACTIVATED_AT} +Expires: ${EXPIRES_AT} +Client IP: ${CLIENT_IP} + +This session will automatically expire in 15 minutes. + +If this activation was not authorized, take immediate action: +1. Terminate the session: stella auth break-glass terminate --session ${SESSION_ID} +2. Investigate the access attempt +3. Contact Security Operations +``` + +### Slack Alert + +```json +{ + "blocks": [ + { + "type": "header", + "text": { + "type": "plain_text", + "text": "Break-Glass Access Activated" + } + }, + { + "type": "section", + "fields": [ + {"type": "mrkdwn", "text": "*Account:*\n${ACCOUNT_ID}"}, + {"type": "mrkdwn", "text": "*Reason:*\n${REASON_CODE}"}, + {"type": "mrkdwn", "text": "*Session:*\n${SESSION_ID}"}, + {"type": "mrkdwn", "text": "*Expires:*\n${EXPIRES_AT}"} + ] + } + ] +} +``` + +## Testing + +### Quarterly Drill + +Conduct quarterly break-glass activation drills: + +1. Schedule maintenance window +2. Simulate database outage +3. Activate break-glass account +4. Perform test operations +5. Verify audit trail +6. Terminate session +7. Document drill results + +### Test Checklist + +- [ ] Break-glass activation successful +- [ ] Alerts dispatched correctly +- [ ] Session timeout enforced +- [ ] Extension mechanism works +- [ ] Audit events captured +- [ ] Session termination works +- [ ] Post-drill report generated + +## Incident Response + +### On Unauthorized Break-Glass Activation + +1. **Immediate**: Terminate session + ```bash + stella auth break-glass terminate --session ${SESSION_ID} --force + ``` + +2. **Contain**: Disable break-glass temporarily + ```bash + stella config set authority.breakGlass.enabled false --apply + ``` + +3. **Investigate**: Query audit logs + ```bash + stella audit query --type "break_glass.*" --session ${SESSION_ID} + ``` + +4. **Remediate**: Rotate credentials if compromised +5. **Report**: File incident report per security policy + +## Related Documentation + +- [Local RBAC Fallback](../local-rbac-fallback.md) +- [Authority Architecture](../architecture.md) +- [Incident Response Playbook](../../security/incident-response.md) diff --git a/docs/modules/cli/guides/commands/evidence-bundle-format.md b/docs/modules/cli/guides/commands/evidence-bundle-format.md index daeca3a7a..c57264f3c 100644 --- a/docs/modules/cli/guides/commands/evidence-bundle-format.md +++ b/docs/modules/cli/guides/commands/evidence-bundle-format.md @@ -54,6 +54,9 @@ evidence-{findingId}/ ├── README.md # Human-readable documentation ├── sbom.cdx.json # CycloneDX SBOM slice ├── reachability.json # Reachability analysis data +├── binary-diff.json # Binary diff evidence (if available) +├── binary-diff.dsse.json # Signed binary diff envelope (if attested) +├── delta-proof.json # Semantic fingerprint diff summary (if available) ├── vex/ │ ├── vendor.json # Vendor VEX statements │ ├── nvd.json # NVD VEX data @@ -322,6 +325,80 @@ done | `.md` | `text/markdown` | Markdown documentation | | `.txt` | `text/plain` | Plain text | +## Binary Diff Evidence Files + +> Sprint: SPRINT_20260112_009_SCANNER_binary_diff_bundle_export (BINDIFF-SCAN-003) + +Evidence bundles may include binary diff files when comparing binary artifacts across versions: + +### binary-diff.json + +Contains binary diff evidence comparing current and previous binary versions: + +```json +{ + "status": "available", + "diffType": "semantic", + "previousBinaryDigest": "sha256:abc123...", + "currentBinaryDigest": "sha256:def456...", + "similarityScore": 0.95, + "functionChangeCount": 3, + "securityChangeCount": 1, + "functionChanges": [ + { + "functionName": "process_input", + "operation": "modified", + "previousHash": "sha256:...", + "currentHash": "sha256:..." + } + ], + "securityChanges": [ + { + "changeType": "mitigation_added", + "description": "Stack canaries enabled", + "severity": "info" + } + ], + "semanticDiff": { + "previousFingerprint": "fp:abc...", + "currentFingerprint": "fp:def...", + "similarityScore": 0.92, + "semanticChanges": ["control_flow_modified"] + } +} +``` + +### binary-diff.dsse.json + +DSSE-signed wrapper when binary diff evidence is attested: + +```json +{ + "payloadType": "application/vnd.stellaops.binary-diff+json", + "payload": { /* binary-diff.json content */ }, + "attestationRef": { + "id": "attest-12345", + "rekorLogIndex": 123456789, + "bundleDigest": "sha256:..." + } +} +``` + +### delta-proof.json + +Semantic fingerprint summary for quick verification: + +```json +{ + "previousFingerprint": "fp:abc...", + "currentFingerprint": "fp:def...", + "similarityScore": 0.92, + "semanticChanges": ["control_flow_modified", "data_flow_changed"], + "functionChangeCount": 3, + "securityChangeCount": 1 +} +``` + ## See Also - [stella scan replay Command Reference](../cli/guides/commands/scan-replay.md) diff --git a/docs/modules/excititor/architecture.md b/docs/modules/excititor/architecture.md index d2583c826..27d3ed343 100644 --- a/docs/modules/excititor/architecture.md +++ b/docs/modules/excititor/architecture.md @@ -431,6 +431,111 @@ correlation: { replaces?: sha256, replacedBy?: sha256 } * Indexes: `{type:1, occurredAt:-1}`, TTL on `occurredAt` for configurable retention. +### 3.3 VEX Change Events + +> Sprint: SPRINT_20260112_006_EXCITITOR_vex_change_events + +Excititor emits deterministic VEX change events when statements are added, superseded, or conflict. These events drive policy reanalysis in downstream systems. + +#### Event Types + +| Event Type | Constant | Description | +|------------|----------|-------------| +| `vex.statement.added` | `VexTimelineEventTypes.StatementAdded` | New VEX statement ingested | +| `vex.statement.superseded` | `VexTimelineEventTypes.StatementSuperseded` | Statement replaced by newer version | +| `vex.statement.conflict` | `VexTimelineEventTypes.StatementConflict` | Conflicting statuses detected | +| `vex.status.changed` | `VexTimelineEventTypes.StatusChanged` | Effective status changed for a product-vulnerability pair | + +#### VexStatementChangeEvent Schema + +```jsonc +{ + "eventId": "vex-evt-sha256:abc123...", // Deterministic hash-based ID + "eventType": "vex.statement.added", + "tenant": "default", + "vulnerabilityId": "CVE-2026-1234", + "productKey": "pkg:npm/lodash@4.17.21", + "newStatus": "not_affected", + "previousStatus": null, // null for new statements + "providerId": "vendor:redhat", + "observationId": "default:redhat:VEX-2026-0001:v1", + "supersededBy": null, + "supersedes": [], + "provenance": { + "documentHash": "sha256:...", + "documentUri": "https://vendor/vex/...", + "sourceTimestamp": "2026-01-15T10:00:00Z", + "author": "security@vendor.com", + "trustScore": 0.95 + }, + "conflictDetails": null, + "occurredAtUtc": "2026-01-15T10:30:00Z", + "traceId": "trace-xyz789" +} +``` + +#### VexConflictDetails Schema + +When `eventType` is `vex.statement.conflict`: + +```jsonc +{ + "conflictType": "status_mismatch", // status_mismatch | trust_tie | supersession_conflict + "conflictingStatuses": [ + { + "providerId": "vendor:redhat", + "status": "not_affected", + "justification": "CODE_NOT_REACHABLE", + "trustScore": 0.95 + }, + { + "providerId": "vendor:ubuntu", + "status": "affected", + "justification": null, + "trustScore": 0.85 + } + ], + "resolutionStrategy": "highest_trust", // or null if unresolved + "autoResolved": false +} +``` + +#### Event ID Computation + +Event IDs are deterministic SHA-256 hashes computed from: +- Event type +- Tenant +- Vulnerability ID +- Product key +- Observation ID +- Occurred timestamp (truncated to seconds) + +This ensures idempotent event emission across retries. + +#### Policy Engine Integration + +Policy Engine subscribes to VEX events to trigger reanalysis: + +```yaml +# Policy event subscription +subscriptions: + - event: vex.statement.* + action: reanalyze + filter: + trustScore: { $gte: 0.7 } + - event: vex.statement.conflict + action: queue_for_review + filter: + autoResolved: false +``` + +#### Emission Ordering + +Events are emitted with deterministic ordering: +1. Statement events ordered by `occurredAtUtc` ascending +2. Conflict events emitted after all related statement events +3. Events for the same vulnerability sorted by provider ID + **`vex.consensus`** (optional rollups) ``` diff --git a/docs/modules/platform/platform-service.md b/docs/modules/platform/platform-service.md index e5d1c3bb5..dbef073f5 100644 --- a/docs/modules/platform/platform-service.md +++ b/docs/modules/platform/platform-service.md @@ -84,3 +84,75 @@ Provide a single, deterministic aggregation layer for cross-service UX workflows ## Gateway exposure The Platform Service is exposed via Gateway and registered through Router discovery. It does not expose direct ingress outside Gateway in production. + +## Setup Wizard + +The Platform Service exposes setup wizard endpoints to support first-run configuration and reconfiguration workflows. These endpoints replace UI-mock implementations with real backend state management. + +### API surface (v1) + +#### Sessions +- `GET /api/v1/setup/sessions` - Get current setup session for tenant +- `POST /api/v1/setup/sessions` - Create new setup session +- `POST /api/v1/setup/sessions/resume` - Resume existing or create new session +- `POST /api/v1/setup/sessions/finalize` - Finalize setup session + +#### Steps +- `POST /api/v1/setup/steps/execute` - Execute a setup step (runs Doctor checks) +- `POST /api/v1/setup/steps/skip` - Skip an optional setup step + +#### Definitions +- `GET /api/v1/setup/definitions/steps` - List all step definitions + +### Setup step identifiers + +| Step ID | Title | Required | Depends On | +|---------|-------|----------|------------| +| `Database` | Database Setup | Yes | - | +| `Valkey` | Valkey/Redis Setup | Yes | - | +| `Migrations` | Database Migrations | Yes | Database | +| `Admin` | Admin Bootstrap | Yes | Migrations | +| `Crypto` | Crypto Profile | Yes | Admin | +| `Vault` | Vault Integration | No | - | +| `Scm` | SCM Integration | No | - | +| `Notifications` | Notification Channels | No | - | +| `Environments` | Environment Definition | No | Admin | +| `Agents` | Agent Registration | No | Environments | + +### Setup session states + +| Status | Description | +|--------|-------------| +| `NotStarted` | Setup not begun | +| `InProgress` | Setup in progress | +| `Completed` | All steps completed | +| `CompletedPartial` | Required steps completed, optional skipped | +| `Failed` | Required step failed | +| `Abandoned` | Setup abandoned by user | + +### Setup step states + +| Status | Description | +|--------|-------------| +| `Pending` | Not yet started | +| `Current` | Currently active step | +| `Passed` | Completed successfully | +| `Failed` | Validation failed | +| `Skipped` | Explicitly skipped | +| `Blocked` | Blocked by dependency | + +### Security and scopes +- Read: `platform.setup.read` +- Write: `platform.setup.write` +- Admin: `platform.setup.admin` + +### Offline posture +- Sessions include `DataAsOfUtc` for offline rendering with stale indicators +- Step results cached with Doctor check pass/fail status +- Suggested fixes generated for failed checks + +### Related documentation +- UX flow specification: `docs/setup/setup-wizard-ux.md` +- Repository inventory: `docs/setup/setup-wizard-inventory.md` +- Doctor checks: `docs/setup/setup-wizard-doctor-contract.md` + diff --git a/docs/modules/policy/determinization-api.md b/docs/modules/policy/determinization-api.md index 45cfbe047..794c1baf6 100644 --- a/docs/modules/policy/determinization-api.md +++ b/docs/modules/policy/determinization-api.md @@ -91,7 +91,49 @@ When receiving `GuardedPass`: ## 4. Determinization Rules -The gate evaluates rules in priority order: +The gate evaluates rules in priority order. + +### 4.1 Anchored Evidence Rules (v1.1) + +> **Sprint:** SPRINT_20260112_004_BE_policy_determinization_attested_rules + +Anchored evidence (DSSE-signed with optional Rekor transparency) takes highest priority in rule evaluation. These rules short-circuit evaluation when cryptographically attested evidence is present. + +| Priority | Rule | Condition | Result | +|----------|------|-----------|--------| +| 1 | AnchoredAffectedWithRuntimeHardFail | Anchored VEX affected + anchored runtime telemetry confirms loading | **Blocked** (hard fail) | +| 2 | AnchoredVexNotAffectedAllow | Anchored VEX not_affected or fixed | Pass (short-circuit) | +| 3 | AnchoredBackportProofAllow | Anchored backport proof detected | Pass (short-circuit) | +| 4 | AnchoredUnreachableAllow | Anchored reachability shows unreachable | Pass (short-circuit) | + +**Anchor Metadata Fields:** + +Evidence anchoring is tracked via these fields on each evidence type: + +```json +{ + "anchor": { + "anchored": true, + "envelope_digest": "sha256:abc123...", + "predicate_type": "https://stellaops.io/vex/v1", + "rekor_log_index": 12345678, + "rekor_entry_id": "24296fb24b8ad77a...", + "scope": "finding", + "verified": true, + "attested_at": "2026-01-14T12:00:00Z" + } +} +``` + +Evidence types with anchor support: +- `VexClaimSummary` (via `VexClaimAnchor`) +- `BackportEvidence` +- `RuntimeEvidence` +- `ReachabilityEvidence` + +### 4.2 Standard Rules + +Standard rules apply when no anchored evidence short-circuits evaluation: | Priority | Rule | Condition | Result | |----------|------|-----------|--------| diff --git a/docs/modules/release-orchestrator/appendices/evidence-schema.md b/docs/modules/release-orchestrator/appendices/evidence-schema.md index 8d50c7320..976ecbc63 100644 --- a/docs/modules/release-orchestrator/appendices/evidence-schema.md +++ b/docs/modules/release-orchestrator/appendices/evidence-schema.md @@ -538,9 +538,26 @@ Evidence packets can be exported in multiple formats: | Format | Use Case | |--------|----------| | JSON | API consumption, archival | +| SignedJSON | DSSE-signed JSON for verification workflows | +| Markdown | Human-readable documentation | +| HTML | Styled web reports | | PDF | Human-readable compliance reports | | CSV | Spreadsheet analysis | | SLSA | SLSA provenance format | +| **EvidenceCard** | Single-file evidence card with SBOM excerpt, DSSE envelope, and Rekor receipt (v1.1) | +| **EvidenceCardCompact** | Compact evidence card without full SBOM (v1.1) | + +### Evidence Card Format (v1.1) + +The evidence-card format packages related artifacts into a single JSON file for offline verification: + +- **SBOM Excerpt**: Relevant component information from the full SBOM +- **DSSE Envelope**: Dead Simple Signing Envelope containing the signed payload +- **Rekor Receipt**: Optional Sigstore Rekor transparency log receipt for audit trail + +Content type: `application/vnd.stellaops.evidence-card+json` + +See [Evidence Decision API](../../../api/evidence-decision-api.openapi.yaml) for schema details. ## References diff --git a/docs/modules/scanner/signed-sbom-archive-spec.md b/docs/modules/scanner/signed-sbom-archive-spec.md new file mode 100644 index 000000000..517d5dffb --- /dev/null +++ b/docs/modules/scanner/signed-sbom-archive-spec.md @@ -0,0 +1,334 @@ +# Signed SBOM Archive Specification + +Version: 1.0.0 +Status: Draft +Last Updated: 2026-01-15 + +## Overview + +This specification defines a self-contained, cryptographically signed SBOM archive format that bundles: +- The SBOM document (SPDX or CycloneDX) +- DSSE signature envelope +- Verification materials (certificates, transparency proofs) +- Metadata (tool versions, timestamps) +- Offline verification resources + +## Archive Structure + +``` +signed-sbom-{digest_short}-{timestamp}.tar.gz +| ++-- sbom.spdx.json # OR sbom.cdx.json (CycloneDX) ++-- sbom.dsse.json # DSSE envelope containing signature ++-- manifest.json # Archive inventory with hashes ++-- metadata.json # Generation metadata ++-- certs/ +| +-- signing-cert.pem # Signing certificate +| +-- signing-chain.pem # Full certificate chain +| +-- fulcio-root.pem # Fulcio root CA (for keyless) ++-- rekor-proof/ # Optional: transparency log proof +| +-- inclusion-proof.json +| +-- checkpoint.sig +| +-- rekor-public.pem ++-- schemas/ # Bundled validation schemas +| +-- spdx-2.3.schema.json +| +-- spdx-3.0.1.schema.json +| +-- cyclonedx-1.7.schema.json +| +-- dsse.schema.json ++-- VERIFY.md # Human-readable verification guide +``` + +## File Specifications + +### sbom.spdx.json / sbom.cdx.json + +The primary SBOM document in either: +- **SPDX**: Versions 2.3 or 3.0.1 (JSON format) +- **CycloneDX**: Versions 1.4, 1.5, 1.6, or 1.7 (JSON format) + +Requirements: +- UTF-8 encoding without BOM +- Canonical JSON formatting (RFC 8785 compliant) +- No trailing whitespace or newlines + +### sbom.dsse.json + +DSSE envelope containing the SBOM signature: + +```json +{ + "payloadType": "application/vnd.stellaops.sbom+json", + "payload": "", + "signatures": [ + { + "keyid": "SHA256:abc123...", + "sig": "" + } + ] +} +``` + +### manifest.json + +Archive inventory with integrity hashes: + +```json +{ + "schemaVersion": "1.0.0", + "archiveId": "signed-sbom-abc123-20260115T123456Z", + "generatedAt": "2026-01-15T12:34:56Z", + "files": [ + { + "path": "sbom.spdx.json", + "sha256": "abc123...", + "size": 45678, + "mediaType": "application/spdx+json" + }, + { + "path": "sbom.dsse.json", + "sha256": "def456...", + "size": 1234, + "mediaType": "application/vnd.dsse+json" + } + ], + "merkleRoot": "sha256:789abc...", + "totalFiles": 12, + "totalSize": 98765 +} +``` + +### metadata.json + +Generation and tool metadata: + +```json +{ + "schemaVersion": "1.0.0", + "stellaOps": { + "suiteVersion": "2027.Q1", + "scannerVersion": "1.2.3", + "scannerDigest": "sha256:scanner-image-digest", + "signerVersion": "1.0.0", + "sbomServiceVersion": "1.1.0" + }, + "generation": { + "timestamp": "2026-01-15T12:34:56Z", + "hlcTimestamp": "1737000000000000000", + "operator": "build@company.com" + }, + "input": { + "imageRef": "registry.company.com/app:v1.0.0", + "imageDigest": "sha256:image-digest-here", + "platform": "linux/amd64" + }, + "sbom": { + "format": "spdx-2.3", + "componentCount": 142, + "packageCount": 89, + "fileCount": 1247 + }, + "signature": { + "type": "keyless", + "issuer": "https://accounts.google.com", + "subject": "build@company.com", + "signedAt": "2026-01-15T12:34:57Z" + }, + "reproducibility": { + "deterministic": true, + "expectedDigest": "sha256:expected-sbom-digest" + } +} +``` + +### VERIFY.md + +Human-readable verification instructions: + +```markdown +# SBOM Archive Verification + +## Quick Verification + +```bash +# Verify archive integrity +sha256sum -c <HOT) | +--- + +## Runtime Updated Events + +> Sprint: SPRINT_20260112_008_SIGNALS_runtime_telemetry_events + +When runtime observations change for a CVE and product pair, the Signals module emits `runtime.updated` events to drive policy reanalysis of unknowns. + +### Event Types + +| Event Type | Constant | Description | +|------------|----------|-------------| +| `runtime.updated` | `RuntimeEventTypes.Updated` | Runtime observations changed for a subject | +| `runtime.ingested` | `RuntimeEventTypes.Ingested` | New runtime observation batch ingested | +| `runtime.confirmed` | `RuntimeEventTypes.Confirmed` | Runtime fact confirmed by additional evidence | +| `runtime.exploit_detected` | `RuntimeEventTypes.ExploitDetected` | Exploit behavior detected at runtime | + +### Update Types + +| Type | Description | +|------|-------------| +| `NewObservation` | First runtime observation for a subject | +| `StateChange` | Reachability state changed from previous observation | +| `ConfidenceIncrease` | Additional hits increased confidence score | +| `NewCallPath` | Previously unseen call path observed | +| `ExploitTelemetry` | Exploit behavior detected (always triggers reanalysis) | + +### Event Schema + +```jsonc +{ + "eventId": "sha256:abc123...", // Deterministic based on content + "eventType": "runtime.updated", + "version": "1.0.0", + "tenant": "default", + "cveId": "CVE-2026-1234", // Optional + "purl": "pkg:npm/lodash@4.17.21", // Optional + "subjectKey": "cve:CVE-2026-1234|purl:pkg:npm/lodash@4.17.21", + "callgraphId": "cg-scan-001", + "evidenceDigest": "sha256:def456...", // Digest of runtime evidence + "updateType": "NewCallPath", + "previousState": "observed", // Null for new observations + "newState": "observed", + "confidence": 0.85, // 0.0-1.0 + "fromRuntime": true, + "runtimeMethod": "ebpf", // "ebpf", "agent", "probe" + "observedNodeHashes": ["sha256:...", "sha256:..."], + "pathHash": "sha256:...", // Optional + "triggerReanalysis": true, + "reanalysisReason": "New call path observed at runtime", + "occurredAtUtc": "2026-01-15T10:30:00Z", + "traceId": "abc123" // Optional correlation ID +} +``` + +### Reanalysis Triggers + +The `triggerReanalysis` flag is set to `true` when: + +1. **Exploit telemetry detected** (always triggers) +2. **State change** from previous observation +3. **High-confidence runtime observation** (confidence >= 0.8 and fromRuntime=true) +4. **New observation** (no previous runtime data) + +### Event Emission Points + +Runtime updated events are emitted from: + +1. `RuntimeFactsIngestionService.IngestAsync` - After runtime facts are persisted +2. `ReachabilityScoringService` - When scores are recomputed with new runtime data + +### Deterministic Event IDs + +Event IDs are computed deterministically using SHA-256 of: +- `subjectKey` +- `evidenceDigest` +- `occurredAtUtc` (ISO 8601 format) + +This ensures idempotent event handling and deduplication. + ## Related Documentation - [Unknowns Registry](./unknowns-registry.md) - Data model and API for unknowns diff --git a/docs/modules/vuln-explorer/guides/signed-vex-override-workflow.md b/docs/modules/vuln-explorer/guides/signed-vex-override-workflow.md new file mode 100644 index 000000000..f609dc1ab --- /dev/null +++ b/docs/modules/vuln-explorer/guides/signed-vex-override-workflow.md @@ -0,0 +1,247 @@ +# Signed VEX Override Workflow + +This guide describes how to create and manage signed VEX override decisions using DSSE attestations for audit-grade provenance. + +## Overview + +VEX (Vulnerability Exploitability eXchange) decisions allow operators to mark vulnerabilities as not-affected, mitigated, or accepted-risk. When attestation signing is enabled, each override produces a DSSE envelope that: + +1. Cryptographically binds the decision to the operator's identity +2. Records the decision in an immutable attestation log +3. Optionally anchors the attestation to Sigstore Rekor for transparency +4. Enables downstream policy engines to require signed overrides + +## API Endpoints + +### Create Signed Override + +```http +POST /v1/vex-decisions +Content-Type: application/json +Authorization: Bearer + +{ + "findingId": "find-abc123", + "status": "NOT_AFFECTED", + "justification": "CODE_NOT_REACHABLE", + "justificationText": "Static analysis confirms code path is unreachable in production configuration", + "scope": { + "environments": ["production"], + "projects": ["myapp"] + }, + "validity": { + "notBefore": "2026-01-15T00:00:00Z", + "notAfter": "2026-07-15T00:00:00Z" + }, + "attestationOptions": { + "sign": true, + "keyRef": "default-signing-key", + "rekorUpload": true, + "predicateType": "https://stella.ops/predicates/vex-override/v1" + } +} +``` + +### Response with Attestation Reference + +```json +{ + "id": "vex-dec-xyz789", + "findingId": "find-abc123", + "status": "NOT_AFFECTED", + "justification": "CODE_NOT_REACHABLE", + "justificationText": "Static analysis confirms code path is unreachable in production configuration", + "createdAt": "2026-01-15T10:30:00Z", + "createdBy": "user@example.com", + "signedOverride": { + "envelopeDigest": "sha256:abc123def456...", + "signatureAlgorithm": "ECDSA_P256_SHA256", + "signedAt": "2026-01-15T10:30:01Z", + "keyId": "default-signing-key", + "rekorInfo": { + "logIndex": 123456789, + "entryId": "24296fb24b8ad77a...", + "integratedTime": "2026-01-15T10:30:02Z", + "logId": "c0d23d6ad406973f..." + }, + "verificationStatus": "VERIFIED" + } +} +``` + +### Update Signed Override + +Updates create superseding records while preserving history: + +```http +PATCH /v1/vex-decisions/{id} +Content-Type: application/json +Authorization: Bearer + +{ + "status": "AFFECTED_MITIGATED", + "justification": "COMPENSATING_CONTROLS", + "justificationText": "WAF rule deployed to block exploit vectors", + "attestationOptions": { + "sign": true, + "supersedes": "vex-dec-xyz789" + } +} +``` + +### List Decisions with Attestation Filter + +```http +GET /v1/vex-decisions?signedOnly=true&rekorAnchored=true +``` + +### Verify Attestation + +```http +POST /v1/vex-decisions/{id}/verify +``` + +Response: + +```json +{ + "verified": true, + "signatureValid": true, + "rekorEntryValid": true, + "certificateChain": ["CN=signing-key,..."], + "verifiedAt": "2026-01-15T10:35:00Z" +} +``` + +## CLI Usage + +### Create Signed Override + +```bash +stella vex create \ + --finding find-abc123 \ + --status NOT_AFFECTED \ + --justification CODE_NOT_REACHABLE \ + --reason "Static analysis confirms unreachable" \ + --sign \ + --key default-signing-key \ + --rekor +``` + +### View Override with Attestation + +```bash +stella vex show vex-dec-xyz789 --include-attestation +``` + +Output: + +``` +VEX Decision: vex-dec-xyz789 + Finding: find-abc123 + Status: NOT_AFFECTED + Justification: CODE_NOT_REACHABLE + Created: 2026-01-15T10:30:00Z + Created By: user@example.com + +Attestation: + Envelope Digest: sha256:abc123def456... + Algorithm: ECDSA_P256_SHA256 + Signed At: 2026-01-15T10:30:01Z + Verification: VERIFIED + +Rekor Entry: + Log Index: 123456789 + Entry ID: 24296fb24b8ad77a... + Integrated Time: 2026-01-15T10:30:02Z +``` + +### Verify Override Attestation + +```bash +stella vex verify vex-dec-xyz789 +``` + +### Export Override Evidence + +```bash +stella vex export vex-dec-xyz789 \ + --format bundle \ + --output override-evidence.zip +``` + +## Policy Engine Integration + +Signed overrides can be required by policy rules: + +```yaml +# Policy requiring signed VEX overrides +rules: + - id: require-signed-vex + condition: | + vex.status in ["NOT_AFFECTED", "AFFECTED_MITIGATED"] + and (vex.signedOverride == null or vex.signedOverride.verificationStatus != "VERIFIED") + action: FAIL + message: "VEX overrides must be signed and verified" +``` + +## Attestation Predicate Schema + +The VEX override predicate follows in-toto attestation format: + +```json +{ + "_type": "https://in-toto.io/Statement/v1", + "subject": [ + { + "name": "finding:find-abc123", + "digest": { "sha256": "..." } + } + ], + "predicateType": "https://stella.ops/predicates/vex-override/v1", + "predicate": { + "decision": { + "id": "vex-dec-xyz789", + "status": "NOT_AFFECTED", + "justification": "CODE_NOT_REACHABLE", + "justificationText": "...", + "scope": { "environments": ["production"] }, + "validity": { "notBefore": "...", "notAfter": "..." } + }, + "finding": { + "id": "find-abc123", + "cve": "CVE-2026-1234", + "package": "example-pkg", + "version": "1.2.3" + }, + "operator": { + "identity": "user@example.com", + "authorizedAt": "2026-01-15T10:30:00Z" + }, + "supersedes": null + } +} +``` + +## Security Considerations + +1. **Key Management**: Signing keys should be managed through Authority with appropriate access controls +2. **Rekor Anchoring**: Enable Rekor upload for public transparency; disable for air-gapped deployments +3. **Expiry**: Set appropriate validity windows; expired overrides surface warnings +4. **Audit Trail**: All signed overrides are recorded in the findings ledger history + +## Offline/Air-Gap Mode + +For air-gapped deployments: + +1. Rekor upload is disabled automatically +2. Attestations are stored locally with envelope digests +3. Verification uses local trust roots +4. Export bundles include all attestation evidence for manual verification + +## Related Documentation + +- [VEX Consensus Guide](../../../VEX_CONSENSUS_GUIDE.md) +- [Attestor Architecture](../../attestor/architecture.md) +- [Findings Ledger](./findings-ledger.md) +- [Policy Integration](../../policy/guides/vex-trust-model.md) diff --git a/docs/operations/blue-green-deployment.md b/docs/operations/blue-green-deployment.md new file mode 100644 index 000000000..ea6259c2d --- /dev/null +++ b/docs/operations/blue-green-deployment.md @@ -0,0 +1,294 @@ +# Blue/Green Deployment Guide + +This guide documents the blue/green deployment strategy for Stella Ops platform upgrades with evidence continuity preservation. + +## Overview + +Blue/green deployment maintains two identical production environments: +- **Blue**: Current production environment +- **Green**: New version deployment target + +This approach enables zero-downtime upgrades and instant rollback capability while preserving all evidence integrity. + +## Prerequisites + +### Infrastructure Requirements + +| Component | Blue Environment | Green Environment | +|-----------|-----------------|-------------------| +| Kubernetes namespace | `stellaops-prod` | `stellaops-green` | +| PostgreSQL | Shared (with migration support) | Shared | +| Redis/Valkey | Separate instance | Separate instance | +| Object Storage | Shared (evidence bundles) | Shared | +| Load Balancer | Traffic routing | Traffic routing | + +### Version Compatibility + +Before upgrading, verify version compatibility: + +```bash +# Check current version +stella version + +# Check target version compatibility +stella upgrade check --target 2027.Q2 +``` + +See `docs/releases/VERSIONING.md` for the full compatibility matrix. + +## Deployment Phases + +### Phase 1: Preparation + +#### 1.1 Environment Assessment + +```bash +# Verify current health +stella doctor --full + +# Check pending migrations +stella system migrations-status + +# Verify evidence integrity baseline +stella evidence verify-all --output pre-upgrade-baseline.json +``` + +#### 1.2 Backup Procedures + +```bash +# PostgreSQL backup +pg_dump -Fc stellaops > backup-$(date +%Y%m%d-%H%M%S).dump + +# Evidence bundle export +stella evidence export --all --output evidence-backup/ + +# Configuration backup +kubectl get configmap -n stellaops-prod -o yaml > configmaps-backup.yaml +kubectl get secret -n stellaops-prod -o yaml > secrets-backup.yaml +``` + +#### 1.3 Pre-Flight Checklist + +- [ ] All services healthy +- [ ] No active scans or attestations in progress +- [ ] Queue depths at zero +- [ ] Backup completed and verified +- [ ] Evidence baseline captured +- [ ] Maintenance window communicated + +### Phase 2: Green Environment Deployment + +#### 2.1 Deploy New Version + +```bash +# Deploy to green namespace +helm upgrade stellaops-green ./helm/stellaops \ + --namespace stellaops-green \ + --create-namespace \ + --values values-production.yaml \ + --set image.tag=2027.Q2 \ + --wait + +# Verify deployment +kubectl get pods -n stellaops-green +``` + +#### 2.2 Run Migrations + +```bash +# Apply startup migrations (Category A) +stella system migrations-run --category A + +# Verify migration status +stella system migrations-status +``` + +#### 2.3 Health Validation + +```bash +# Run health checks on green +stella doctor --full --namespace stellaops-green + +# Run smoke tests +stella test smoke --namespace stellaops-green +``` + +### Phase 3: Traffic Cutover + +#### 3.1 Gradual Cutover (Recommended) + +```yaml +# Update ingress for gradual traffic shift +# ingress-canary.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: stellaops-canary + annotations: + nginx.ingress.kubernetes.io/canary: "true" + nginx.ingress.kubernetes.io/canary-weight: "10" # Start with 10% +spec: + rules: + - host: stellaops.company.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: stellaops-green + port: + number: 80 +``` + +Increase weight gradually: 10% -> 25% -> 50% -> 100% + +#### 3.2 Instant Cutover + +```bash +# Switch DNS/load balancer to green +kubectl patch ingress stellaops-main \ + -n stellaops-prod \ + --type='json' \ + -p='[{"op": "replace", "path": "/spec/rules/0/http/paths/0/backend/service/name", "value": "stellaops-green"}]' +``` + +#### 3.3 Monitoring During Cutover + +Monitor these metrics during cutover: +- Error rate: `rate(http_requests_total{status=~"5.."}[1m])` +- Latency p99: `histogram_quantile(0.99, http_request_duration_seconds_bucket)` +- Evidence operations: `rate(evidence_operations_total[1m])` +- Attestation success: `rate(attestation_success_total[1m])` + +### Phase 4: Post-Upgrade Validation + +#### 4.1 Evidence Continuity Verification + +```bash +# Verify evidence chain-of-custody +stella evidence verify-continuity \ + --baseline pre-upgrade-baseline.json \ + --output post-upgrade-report.html + +# Generate audit report +stella evidence audit-report \ + --since $(date -d '1 hour ago' --iso-8601) \ + --output upgrade-audit.pdf +``` + +#### 4.2 Functional Validation + +```bash +# Run full test suite +stella test integration + +# Verify scan capability +stella scan --image test-image:latest --dry-run + +# Verify attestation generation +stella attest verify --bundle test-bundle.tar.gz +``` + +#### 4.3 Documentation Update + +- Update `CURRENT_VERSION.md` with new version +- Record upgrade in `CHANGELOG.md` +- Archive upgrade artifacts + +### Phase 5: Cleanup + +#### 5.1 Observation Period + +Maintain blue environment for 72 hours minimum before decommission. + +#### 5.2 Blue Environment Decommission + +```bash +# After observation period, remove blue +helm uninstall stellaops-blue -n stellaops-prod + +# Clean up resources +kubectl delete namespace stellaops-blue +``` + +## Rollback Procedures + +### Immediate Rollback (During Cutover) + +```bash +# Revert traffic to blue +kubectl patch ingress stellaops-main \ + -n stellaops-prod \ + --type='json' \ + -p='[{"op": "replace", "path": "/spec/rules/0/http/paths/0/backend/service/name", "value": "stellaops-blue"}]' +``` + +### Post-Cutover Rollback + +If rollback needed after cutover complete: + +1. **Assess impact**: Run `stella evidence verify-continuity` to check evidence state +2. **Database considerations**: Backward-compatible migrations allow rollback; breaking migrations require restore +3. **Evidence preservation**: Evidence bundles created during green operation remain valid + +```bash +# If database rollback needed +pg_restore -d stellaops backup-YYYYMMDD-HHMMSS.dump + +# Redeploy blue version +helm upgrade stellaops ./helm/stellaops \ + --namespace stellaops-prod \ + --set image.tag=2027.Q1 \ + --wait +``` + +## Evidence Continuity Guarantees + +### Preserved During Upgrade + +| Artifact | Guarantee | +|----------|-----------| +| OCI digests | Unchanged | +| SBOM content hashes | Unchanged | +| Merkle roots | Recomputed if schema changes (cross-reference maintained) | +| Attestation signatures | Valid | +| Rekor log entries | Immutable | + +### Verification Commands + +```bash +# Verify OCI digests unchanged +stella evidence verify-digests --report digests.json + +# Verify attestation validity +stella attest verify-all --since $(date -d '7 days ago' --iso-8601) + +# Generate compliance report +stella evidence compliance-report --format pdf +``` + +## Troubleshooting + +### Common Issues + +| Issue | Symptom | Resolution | +|-------|---------|------------| +| Migration timeout | Pod stuck in init | Increase `migrationTimeoutSeconds` | +| Health check failure | Ready probe failing | Check database connectivity | +| Evidence mismatch | Continuity check fails | Run `stella evidence reindex` | +| Traffic not routing | 502 errors | Verify service selector labels | + +### Support Escalation + +If upgrade issues cannot be resolved: +1. Capture diagnostics: `stella doctor --export diagnostics.tar.gz` +2. Rollback to blue environment +3. Contact support with diagnostics bundle + +## Related Documentation + +- [Upgrade Runbook](upgrade-runbook.md) +- [Evidence Migration](evidence-migration.md) +- [Database Migration Strategy](../db/MIGRATION_STRATEGY.md) +- [Versioning Policy](../releases/VERSIONING.md) diff --git a/docs/operations/hsm-setup-runbook.md b/docs/operations/hsm-setup-runbook.md new file mode 100644 index 000000000..2ead82dec --- /dev/null +++ b/docs/operations/hsm-setup-runbook.md @@ -0,0 +1,329 @@ +# HSM Setup and Configuration Runbook + +This runbook provides step-by-step procedures for configuring Hardware Security Module (HSM) integration with Stella Ops. + +## Overview + +Stella Ops supports PKCS#11-compatible HSMs for cryptographic key storage and signing operations. This includes: +- YubiHSM 2 +- Thales Luna Network HSM +- AWS CloudHSM +- SoftHSM2 (development/testing) + +## Prerequisites + +### Hardware Requirements + +| Component | Requirement | +|-----------|-------------| +| HSM Device | PKCS#11 compatible | +| Network | HSM accessible from Stella Ops services | +| Backup | Secondary HSM for key backup | + +### Software Requirements + +```bash +# PKCS#11 library for your HSM +# Example for SoftHSM2 (development) +apt-get install softhsm2 opensc + +# Verify installation +softhsm2-util --version +pkcs11-tool --version +``` + +## SoftHSM2 Setup (Development) + +### Step 1: Initialize SoftHSM + +```bash +# Create token directory +mkdir -p /var/lib/softhsm/tokens +chmod 700 /var/lib/softhsm/tokens + +# Initialize token +softhsm2-util --init-token \ + --slot 0 \ + --label "StellaOps-Dev" \ + --so-pin 12345678 \ + --pin 87654321 + +# Verify token +softhsm2-util --show-slots +``` + +### Step 2: Generate Signing Key + +```bash +# Generate ECDSA P-256 key +pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so \ + --login --pin 87654321 \ + --keypairgen \ + --key-type EC:prime256v1 \ + --id 01 \ + --label "stellaops-signing-2026" + +# List keys +pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so \ + --login --pin 87654321 \ + --list-objects +``` + +### Step 3: Export Public Key + +```bash +# Export public key for distribution +pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so \ + --login --pin 87654321 \ + --read-object \ + --type pubkey \ + --id 01 \ + --output-file stellaops-signing-2026.pub.der + +# Convert to PEM +openssl ec -pubin -inform DER \ + -in stellaops-signing-2026.pub.der \ + -outform PEM \ + -out stellaops-signing-2026.pub.pem +``` + +## YubiHSM 2 Setup + +### Step 1: Install YubiHSM SDK + +```bash +# Download YubiHSM SDK +wget https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2023.01-ubuntu2204-amd64.tar.gz +tar xzf yubihsm2-sdk-*.tar.gz +cd yubihsm2-sdk +sudo ./install.sh + +# Start connector +sudo systemctl enable yubihsm-connector +sudo systemctl start yubihsm-connector +``` + +### Step 2: Initialize YubiHSM + +```bash +# Connect to YubiHSM shell +yubihsm-shell + +# Authenticate with default auth key +connect +session open 1 password + +# Create authentication key for Stella Ops +generate authkey 0 100 "StellaOps-Auth" 1 generate-asymmetric-key:sign-ecdsa:delete-asymmetric-key + +# Generate signing key +generate asymmetric 0 200 "StellaOps-Signing" 1 sign-ecdsa ecp256 + +# Export public key +get public key 0 200 stellaops-yubihsm.pub + +session close 0 +quit +``` + +### Step 3: Configure PKCS#11 + +```bash +# Create PKCS#11 configuration +cat > /etc/yubihsm_pkcs11.conf < /tmp/pre-upgrade-version.txt +echo "Current version: $(cat /tmp/pre-upgrade-version.txt)" + +# Step 2: Verify system health +stella doctor --full --output /tmp/pre-upgrade-health.json +if [ $? -ne 0 ]; then + echo "ABORT: System health check failed" + exit 1 +fi + +# Step 3: Check pending migrations +stella system migrations-status +# Ensure no pending migrations before upgrade + +# Step 4: Verify queue depths +stella queue status --all +# All queues should be empty or near-empty +``` + +### Evidence Integrity Baseline + +```bash +# Step 5: Capture evidence baseline +stella evidence verify-all \ + --output /backup/pre-upgrade-evidence-baseline.json \ + --include-merkle-roots + +# Step 6: Export Merkle root summary +stella evidence roots-export \ + --output /backup/pre-upgrade-merkle-roots.json + +# Step 7: Record evidence counts +stella evidence stats > /backup/pre-upgrade-evidence-stats.txt +``` + +### Backup Procedures + +```bash +# Step 8: PostgreSQL backup +BACKUP_TIMESTAMP=$(date +%Y%m%d-%H%M%S) +pg_dump -Fc -d stellaops -f /backup/stellaops-${BACKUP_TIMESTAMP}.dump + +# Step 9: Verify backup integrity +pg_restore --list /backup/stellaops-${BACKUP_TIMESTAMP}.dump > /dev/null +if [ $? -ne 0 ]; then + echo "ABORT: Backup verification failed" + exit 1 +fi + +# Step 10: Evidence bundle backup +stella evidence export \ + --all \ + --output /backup/evidence-bundles-${BACKUP_TIMESTAMP}/ + +# Step 11: Configuration backup +kubectl get configmap -n stellaops -o yaml > /backup/configmaps-${BACKUP_TIMESTAMP}.yaml +kubectl get secret -n stellaops -o yaml > /backup/secrets-${BACKUP_TIMESTAMP}.yaml +``` + +### Pre-Flight Approval + +Complete this checklist before proceeding: + +- [ ] Current version documented +- [ ] System health: GREEN +- [ ] Evidence baseline captured +- [ ] PostgreSQL backup completed and verified +- [ ] Evidence bundles exported +- [ ] Configuration backed up +- [ ] Maintenance window approved +- [ ] Stakeholders notified +- [ ] Rollback plan reviewed + +**Approver signature**: __________________ **Date**: __________ + +## Upgrade Execution + +### Deploy Green Environment + +```bash +# Step 12: Create green namespace +kubectl create namespace stellaops-green + +# Step 13: Copy secrets to green namespace +kubectl get secret stellaops-secrets -n stellaops -o yaml | \ + sed 's/namespace: stellaops/namespace: stellaops-green/' | \ + kubectl apply -f - + +# Step 14: Deploy new version +helm upgrade stellaops-green ./helm/stellaops \ + --namespace stellaops-green \ + --values values-production.yaml \ + --set image.tag=${TARGET_VERSION} \ + --wait --timeout 10m + +# Step 15: Verify deployment +kubectl get pods -n stellaops-green -w +# Wait for all pods to be Running and Ready +``` + +### Run Migrations + +```bash +# Step 16: Apply Category A migrations (startup) +stella system migrations-run \ + --category A \ + --namespace stellaops-green + +# Step 17: Verify migration success +stella system migrations-status --namespace stellaops-green +# All migrations should show "Applied" + +# Step 18: Apply Category B migrations if needed (manual) +# Review migration list first +stella system migrations-pending --category B + +# Apply after review +stella system migrations-run \ + --category B \ + --namespace stellaops-green \ + --confirm +``` + +### Evidence Migration (If Required) + +```bash +# Step 19: Check if evidence migration needed +stella evidence migrate --dry-run --namespace stellaops-green + +# Step 20: If migration needed, execute +stella evidence migrate \ + --namespace stellaops-green \ + --batch-size 100 \ + --progress + +# Step 21: Verify evidence integrity post-migration +stella evidence verify-all \ + --namespace stellaops-green \ + --output /tmp/post-migration-evidence.json +``` + +### Health Validation + +```bash +# Step 22: Run health checks on green +stella doctor --full --namespace stellaops-green + +# Step 23: Run smoke tests +stella test smoke --namespace stellaops-green + +# Step 24: Verify critical paths +stella test critical-paths --namespace stellaops-green +``` + +## Traffic Cutover + +### Gradual Cutover + +```bash +# Step 25: Enable canary (10%) +kubectl apply -f - < 1%: Pause cutover +- p99 latency > 5s: Investigate +- Evidence failures > 0: Rollback + +## Post-Upgrade Validation + +### Evidence Continuity Verification + +```bash +# Step 30: Verify chain-of-custody +stella evidence verify-continuity \ + --baseline /backup/pre-upgrade-evidence-baseline.json \ + --output /reports/continuity-report.html + +# Step 31: Verify Merkle roots +stella evidence verify-roots \ + --baseline /backup/pre-upgrade-merkle-roots.json \ + --output /reports/roots-verification.json + +# Step 32: Compare evidence stats +stella evidence stats > /tmp/post-upgrade-evidence-stats.txt +diff /backup/pre-upgrade-evidence-stats.txt /tmp/post-upgrade-evidence-stats.txt + +# Step 33: Generate audit report +stella evidence audit-report \ + --since "${UPGRADE_START_TIME}" \ + --format pdf \ + --output /reports/upgrade-audit-$(date +%Y%m%d).pdf +``` + +### Functional Validation + +```bash +# Step 34: Full integration test +stella test integration --full + +# Step 35: Scan test +stella scan \ + --image registry.company.com/test-app:latest \ + --sbom-format spdx-2.3 + +# Step 36: Attestation test +stella attest \ + --subject sha256:test123 \ + --predicate-type slsa-provenance + +# Step 37: Policy evaluation test +stella policy evaluate \ + --artifact sha256:test123 \ + --environment production +``` + +### Post-Upgrade Checklist + +- [ ] Evidence continuity verified +- [ ] Merkle roots consistent +- [ ] All services healthy +- [ ] Integration tests passing +- [ ] Scan capability verified +- [ ] Attestation generation working +- [ ] Policy evaluation working +- [ ] No elevated error rates +- [ ] Latency within SLO + +**Validator signature**: __________________ **Date**: __________ + +## Rollback Procedures + +### Immediate Rollback (During Cutover) + +```bash +# Revert canary to 0% +kubectl patch ingress stellaops-canary -n stellaops-green \ + --type='json' \ + -p='[{"op": "replace", "path": "/metadata/annotations/nginx.ingress.kubernetes.io~1canary-weight", "value": "0"}]' + +# Or delete canary entirely +kubectl delete ingress stellaops-canary -n stellaops-green +``` + +### Full Rollback (After Cutover) + +```bash +# Step R1: Assess database state +stella system migrations-status + +# Step R2: If migrations are backward-compatible +# Simply redeploy previous version +helm upgrade stellaops ./helm/stellaops \ + --namespace stellaops \ + --set image.tag=${PREVIOUS_VERSION} \ + --wait + +# Step R3: If database restore needed +# Stop all services first +kubectl scale deployment --all --replicas=0 -n stellaops + +# Restore database +pg_restore -d stellaops -c /backup/stellaops-${BACKUP_TIMESTAMP}.dump + +# Redeploy previous version +helm upgrade stellaops ./helm/stellaops \ + --namespace stellaops \ + --set image.tag=${PREVIOUS_VERSION} \ + --wait + +# Step R4: Verify rollback +stella doctor --full +stella evidence verify-all +``` + +## Cleanup + +### After 72-Hour Observation + +```bash +# Step 40: Verify stable operation +stella doctor --full +stella evidence verify-all + +# Step 41: Remove blue environment +kubectl delete namespace stellaops-blue + +# Step 42: Archive upgrade artifacts +tar -czf /archive/upgrade-${UPGRADE_TIMESTAMP}.tar.gz \ + /backup/ \ + /reports/ \ + /tmp/pre-upgrade-*.txt + +# Step 43: Update documentation +echo "${TARGET_VERSION}" > docs/CURRENT_VERSION.md +``` + +## Appendix + +### Version-Specific Notes + +See `docs/releases/{version}/MIGRATION.md` for version-specific migration notes. + +### Breaking Changes Matrix + +| From | To | Breaking Changes | Migration Required | +|------|-----|-----------------|-------------------| +| 2027.Q1 | 2027.Q2 | None | No | +| 2026.Q4 | 2027.Q1 | Policy schema v2 | Yes | + +### Support Contacts + +- Platform Team: platform@company.com +- DBA Team: dba@company.com +- Security Team: security@company.com +- On-Call: +1-555-OPS-CALL diff --git a/docs/product/stella_ops_offer_pricing.md b/docs/product/stella_ops_offer_pricing.md new file mode 100644 index 000000000..02c7afcff --- /dev/null +++ b/docs/product/stella_ops_offer_pricing.md @@ -0,0 +1,234 @@ +# Stella Ops Suite (On‑Prem) — Offer & Pricing + +_Self-hosted release governance + reachability-aware security gating for **non‑Kubernetes** container deployments._ + +**All features are included at every tier.** +You pay only for: + +1) **Environments** (policy/config boundaries) +2) **New digests deep‑scanned per month** (evidence-grade analysis of new container artifacts) +…and optionally support **tickets** if you want help. + +--- + +## 1) What Stella Ops Suite is + +**Stella Ops Suite is a release control plane + evidence engine for containerized applications outside Kubernetes.** + +It provides: +- **Centralized release orchestration** (environments, promotions, approvals, rollbacks, templates) +- **Practical security signal** (reachability + hybrid reachability) to reduce noise and focus on exploitable risk +- **Auditability and attestability** (evidence packets, deterministic decision records, exportable audit trail) +- **Toolchain interoperability** (plugins for SCM/CI/registry/vault/agents) + +This is designed for: +- **Small teams** that want a real, usable free tier (not a toy) +- **Mid-size companies (10–100 people)** that need **certifiable**, audit-friendly releases with practical security gates, without running Kubernetes +- **On‑prem or air‑gapped environments** where SaaS-based governance is not an option + +--- + +## 2) Key outcomes for customers + +### Secure and certifiable releases (without Kubernetes) +- Gate promotions on **evidence** (SBOM + reachability + policy explain traces) +- Produce **audit-grade proof** of “who approved what, why, and based on which evidence” +- Keep “what is deployed where” authoritative, digest-based, and reproducible + +### Reduce security noise and engineering churn +- Reachability-aware prioritization focuses attention on vulnerabilities that are actually on exploitable paths (vs. raw CVE count) + +### Predictable cost +- No per-user cost +- No per-project/microservice tax +- No per-target/machine tax +- No surprise overages (add-ons are explicit and self-serve) + +--- + +## 3) What every tier includes (no feature gating) + +All tiers (including Free) include the full Stella Ops capability set: + +### Release orchestration (non‑K8s) +- Environments, promotions, approvals, rollbacks +- Templates and step graphs (sequential/parallel) +- UI visualization of deployments in progress (per-step logs) +- Deployment inventory view (“what is deployed where”) + +### Deployment execution (non‑K8s) +- Docker Compose deployments +- Scripted deployments (**.NET 10 scripting only**) +- Immutable generated deployment artifacts +- “Version sticker” written to deployment directory for traceability +- Support for replicas and controlled restarts/reloads (e.g., config update + nginx reload) + +### Security & evidence +- Scan on build, gate on release, continuous re-evaluation on vuln intel updates +- Reachability + hybrid reachability +- Evidence packets and deterministic decision records (hashable, replayable) +- Exportable audit trail (for compliance, internal audit, incident reviews) + +### Extensibility +- Plugin model for SCM/CI/registry/vault/agent providers +- Plugin-specific deployment steps supported by the workflow engine + +### Operability +- **Doctor tooling** for self-service diagnostics (connectivity, agent health, configuration sanity, “why blocked?” traces) + +--- + +## 4) Verified releases vs Unverified releases + +Stella supports both operational styles. + +### Verified releases (recommended for production) +A **Verified Release** is one where promotions require Stella evidence for each new digest: +- SBOM + reachability evidence +- policy evaluation records +- approval records (where required) +- exportable evidence packet + +Verified releases are intended for teams that need “certifiable” releases and practical security. + +### Unverified releases (CD-only usage) +Stella can also run “CD-only” workflows where evidence gates are bypassed: +- still orchestrated, logged, and visible +- useful for teams that want orchestration without security certification + +**Note:** CD-only users are not the primary target audience for Stella Ops Suite. The product is optimized for verified releases and auditable security. + +--- + +## 5) Pricing (On‑Prem Suite) + +**Annual billing:** pay annually and get **1 month free** (pay for 11 months). + +> **Important:** All tiers have the same features. Only the scale limits and included support channels differ. + +### 5.1 Stella Ops Suite tiers + +| Tier | Monthly | Annual (11×) | Environments | New digests deep‑scanned / month | Deployment targets | Support | +|---|---:|---:|---:|---:|---:|---| +| **Free** | $0 | $0 | **10** | **1,000** | **Unlimited** | Self-service (Doctor) + community forum | +| **Plus** | **$199** | **$2,189** | **10** | **10,000** | **Unlimited** | Same as Free | +| **Pro** | **$599** | **$6,589** | **100** | **100,000** | **Unlimited** | Priority forum + **2 tickets/month** (typical response ~3 business days; best-effort) | +| **Business** | **$2,999** | **$32,989** | **1,000** | **1,000,000** | **Unlimited** | Priority forum + email channel + **20 tickets/month** (typical response ~24 hours; best-effort) + fair use | + +### 5.2 Add-ons (self-serve) + +| Add-on | Price | Notes | +|---|---:|---| +| **+10 support tickets** | **$249** | For bursts/incidents or expansion without tier change | +| **+10,000 new digest deep scans** | **$249** | Burst capacity (premium) | + +--- + +## 6) Definitions and how metering works + +### Environment +An **Environment** is a policy/config boundary (e.g., dev/stage/prod; region splits; customer isolation boundaries), with its own: +- policy profile +- targets/agents selection +- secrets/config bindings +- promotion rules + +### Deployment target +A **Deployment Target** is any endpoint that can receive a deployment (Docker host group, script target via SSH/WinRM provider, etc.). +**Targets are unlimited in licensing**. Fair use applies only in extreme abuse scenarios. + +### New digest deep scan +A **New Digest Deep Scan** occurs the first time Stella deeply analyzes a unique OCI digest to produce: +- SBOM +- reachability/hybrid reachability evidence +- vulnerability findings + verdict +- evidence references for gating and audit + +#### What does NOT consume deep scan quota +- Re-deploying or promoting an already-scanned digest +- Re-evaluation when vulnerability intelligence updates (CVE feed updates); Stella re-computes risk using existing evidence + +### Tickets +A **ticket** is a support request handled by maintainers via the paid ticket channel. For fast resolution, tickets require: +- a clear problem statement +- reproduction steps +- the **Doctor bundle** output (when applicable) + +Tickets are designed to be bounded, so Stella can remain self-serve by default. + +--- + +## 7) Fair use (Business tier) + +Business tier includes very high scale limits and support capacity. To keep pricing predictable and sustainable, fair use applies to: + +- vulnerability feed mirroring bandwidth and frequency (if mirroring is enabled) +- audit confirmation/verification traffic (if configured) +- excessive support ticket volume beyond included entitlements +- abusive automation patterns that intentionally generate excessive duplicate work + +Fair use is intended to prevent abuse, not to penalize normal operational usage. + +--- + +## 8) Why Stella pricing is simpler than typical alternatives + +### The common pain with “legacy” stacks +Many release and security tools charge based on organizational and deployment complexity: +- per developer/committer +- per project/microservice +- per deployment target/machine +- per add-on module + +That pricing becomes unpredictable as your architecture grows. + +### Stella’s approach +Stella is priced like infrastructure: +- **Scale with environments and new artifacts** (the two things that actually grow with your release and security footprint) +- Keep all features available at all tiers +- Keep adoption friction low for on‑prem teams + +Stella is designed to replace (or reduce dependence on) a multi-tool stack: +- one tool for CD governance + evidence +- another tool for scanning +- plus “glue” for approvals, audit, and exceptions + +--- + +## 9) Which tier is right for you? + +### Free +Best for: +- startups and small teams +- evaluation in real workflows +- internal PoCs +- teams learning the verified-release model + +### Plus ($199/month) +Best for: +- mid-size teams that want verified releases but do not want vendor support +- organizations that need a predictable monthly cost and on‑prem control + +### Pro ($599/month) +Best for: +- teams operating many environments and high artifact churn +- those who want occasional maintainer help without a heavy support relationship + +### Business ($2,999/month) +Best for: +- regulated and compliance-driven teams +- platform teams supporting multiple product groups +- customers who want best-effort response channels and bounded ticket entitlements + +--- + +## 10) Commercial notes (On‑Prem) + +- License delivered as an on‑prem entitlement (offline-friendly where required) +- Includes product updates during the subscription term +- Customer is responsible for compute/storage required for scanning and evidence retention +- Support channel access depends on tier and ticket entitlements + +--- + +_This document is intended as a customer-facing offer summary. Final terms and definitions may be refined in the Stella Ops subscription agreement._ diff --git a/docs/security/README.md b/docs/security/README.md index 1c1c823e8..4bba6dcc7 100644 --- a/docs/security/README.md +++ b/docs/security/README.md @@ -5,7 +5,7 @@ Authoritative sources for threat models, governance, compliance, and security op ## Policies & Governance - [SECURITY_POLICY.md](../SECURITY_POLICY.md) - responsible disclosure, support windows. - [GOVERNANCE.md](../GOVERNANCE.md) - project governance charter. -- [CODE_OF_CONDUCT.md](../code-of-conduct/CODE_OF_CONDUCT.md) - community expectations. +- [CODE_OF_CONDUCT.md](../code-of-conduct/CODE_OF_CONDUCT.md) - Code standards guidelines. - [SECURITY_HARDENING_GUIDE.md](../SECURITY_HARDENING_GUIDE.md) - deployment hardening steps. - [policy-governance.md](./policy-governance.md) - policy governance specifics. - [LEGAL_FAQ_QUOTA.md](../LEGAL_FAQ_QUOTA.md) - legal interpretation of quota. diff --git a/docs/setup/setup-wizard-inventory.md b/docs/setup/setup-wizard-inventory.md index d638a519c..48a21ffa6 100644 --- a/docs/setup/setup-wizard-inventory.md +++ b/docs/setup/setup-wizard-inventory.md @@ -424,30 +424,65 @@ Features: --- -## 12. Gaps Identified +## 12. Setup Wizard Backend (Platform Service) -### 12.1 Missing Components +### 12.1 API Endpoints + +The Platform Service now exposes setup wizard endpoints at `/api/v1/setup/*`: + +| Endpoint | Method | Description | +|----------|--------|-------------| +| `/api/v1/setup/sessions` | GET | Get current setup session for tenant | +| `/api/v1/setup/sessions` | POST | Create new setup session | +| `/api/v1/setup/sessions/resume` | POST | Resume existing or create new session | +| `/api/v1/setup/sessions/finalize` | POST | Finalize setup session | +| `/api/v1/setup/steps/execute` | POST | Execute a setup step | +| `/api/v1/setup/steps/skip` | POST | Skip an optional setup step | +| `/api/v1/setup/definitions/steps` | GET | List all step definitions | + +### 12.2 Backend Components + +| Component | Path | Description | +|-----------|------|-------------| +| **Contracts** | `src/Platform/StellaOps.Platform.WebService/Contracts/SetupWizardModels.cs` | Step definitions, session state, API models | +| **Service** | `src/Platform/StellaOps.Platform.WebService/Services/PlatformSetupService.cs` | Session management, step execution, Doctor integration | +| **Store** | `src/Platform/StellaOps.Platform.WebService/Services/PlatformSetupService.cs` | In-memory tenant-scoped session store | +| **Endpoints** | `src/Platform/StellaOps.Platform.WebService/Endpoints/SetupEndpoints.cs` | HTTP endpoint handlers with Problem+JSON errors | +| **Policies** | `src/Platform/StellaOps.Platform.WebService/Constants/PlatformPolicies.cs` | Setup-specific authorization policies | + +### 12.3 Scopes and Authorization + +| Scope | Policy | Usage | +|-------|--------|-------| +| `platform.setup.read` | `SetupRead` | Read session state and step definitions | +| `platform.setup.write` | `SetupWrite` | Create/resume sessions, execute/skip steps | +| `platform.setup.admin` | `SetupAdmin` | Admin operations (list all sessions) | + +--- + +## 13. Gaps Identified + +### 13.1 Missing Components | Gap | Description | |-----|-------------| | **`stella setup` command** | No dedicated interactive setup command exists | | **First-run detection** | No blocking wizard on first launch | -| **Wizard UI entry** | No configuration wizard in Angular UI | -| **Admin bootstrap** | Admin creation via env vars only, not interactive | -| **Integration wizard** | No guided multi-connector setup | +| **Wizard UI wiring** | UI mock exists, needs wiring to backend endpoints | +| **Doctor integration** | Backend service has placeholder, needs real Doctor calls | -### 12.2 Partial Implementations +### 13.2 Partial Implementations | Component | Current State | Gap | |-----------|---------------|-----| -| **Onboarding Service** | In-memory, 5-step user flow | No infrastructure setup steps | -| **Doctor checks** | 48+ checks exist | No wizard integration for fix commands | +| **Setup Service** | In-memory store | Postgres persistence not implemented | +| **Doctor checks** | 48+ checks exist | Step execution uses mock pass results | | **Migrations** | Automatic at startup | No interactive verification step | | **Integrations** | Plugin architecture exists | No default suggestion logic | --- -## 13. Key Architectural Patterns to Follow +## 14. Key Architectural Patterns to Follow 1. **System.CommandLine** for CLI commands 2. **Signal-based state** in Angular components diff --git a/src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/Contracts/RemediationContracts.cs b/src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/Contracts/RemediationContracts.cs index 3c25c4f31..fea4eee50 100644 --- a/src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/Contracts/RemediationContracts.cs +++ b/src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/Contracts/RemediationContracts.cs @@ -138,6 +138,7 @@ public sealed record ApplyRemediationRequest /// /// API response for PR creation. +/// Sprint: SPRINT_20260112_007_BE_remediation_pr_generator (REMEDY-BE-003) /// public sealed record PullRequestApiResponse { @@ -147,6 +148,10 @@ public sealed record PullRequestApiResponse public required string BranchName { get; init; } public required string Status { get; init; } public string? StatusMessage { get; init; } + /// + /// PR body/description content for reference. + /// + public string? PrBody { get; init; } public BuildResultResponse? BuildResult { get; init; } public TestResultResponse? TestResult { get; init; } public DeltaVerdictResponse? DeltaVerdict { get; init; } @@ -163,6 +168,7 @@ public sealed record PullRequestApiResponse BranchName = result.BranchName, Status = result.Status.ToString(), StatusMessage = result.StatusMessage, + PrBody = result.PrBody, BuildResult = result.BuildResult != null ? new BuildResultResponse { Success = result.BuildResult.Success, diff --git a/src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/GitHubPullRequestGenerator.cs b/src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/GitHubPullRequestGenerator.cs index 5d66211e3..b76198730 100644 --- a/src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/GitHubPullRequestGenerator.cs +++ b/src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/GitHubPullRequestGenerator.cs @@ -1,26 +1,33 @@ using System.Globalization; +using StellaOps.AdvisoryAI.Remediation.ScmConnector; namespace StellaOps.AdvisoryAI.Remediation; /// /// GitHub implementation of pull request generator. -/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot -/// Task: REMEDY-09 +/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot (REMEDY-09) +/// Updated: SPRINT_20260112_007_BE_remediation_pr_generator (REMEDY-BE-002) /// public sealed class GitHubPullRequestGenerator : IPullRequestGenerator { private readonly IRemediationPlanStore _planStore; + private readonly IScmConnector? _scmConnector; + private readonly PrTemplateBuilder _templateBuilder; private readonly TimeProvider _timeProvider; private readonly Func _guidFactory; private readonly Func _randomFactory; public GitHubPullRequestGenerator( IRemediationPlanStore planStore, + IScmConnector? scmConnector = null, + PrTemplateBuilder? templateBuilder = null, TimeProvider? timeProvider = null, Func? guidFactory = null, Func? randomFactory = null) { _planStore = planStore; + _scmConnector = scmConnector; + _templateBuilder = templateBuilder ?? new PrTemplateBuilder(); _timeProvider = timeProvider ?? TimeProvider.System; _guidFactory = guidFactory ?? Guid.NewGuid; _randomFactory = randomFactory ?? Random.Shared.Next; @@ -33,6 +40,7 @@ public sealed class GitHubPullRequestGenerator : IPullRequestGenerator CancellationToken cancellationToken = default) { var nowStr = _timeProvider.GetUtcNow().ToString("O", CultureInfo.InvariantCulture); + // Validate plan is PR-ready if (!plan.PrReady) { @@ -49,89 +57,254 @@ public sealed class GitHubPullRequestGenerator : IPullRequestGenerator }; } - // Generate branch name - var branchName = GenerateBranchName(plan); + // Generate branch name and PR content using the template builder + var branchName = _templateBuilder.BuildBranchName(plan); + var prTitle = _templateBuilder.BuildPrTitle(plan); + var prBody = _templateBuilder.BuildPrBody(plan); - // In a real implementation, this would: - // 1. Create a new branch - // 2. Apply remediation steps (update files) - // 3. Commit changes - // 4. Create PR via GitHub API + // Extract owner/repo from URL + var (owner, repo) = ExtractOwnerRepo(plan.Request.RepositoryUrl); + var baseBranch = plan.Request.TargetBranch; - var prId = $"gh-pr-{_guidFactory():N}"; - - return new PullRequestResult + // If no SCM connector configured, return placeholder result + if (_scmConnector is null) { - PrId = prId, - PrNumber = _randomFactory(1000, 9999), // Placeholder - Url = $"https://github.com/{ExtractOwnerRepo(plan.Request.RepositoryUrl)}/pull/{prId}", - BranchName = branchName, - Status = PullRequestStatus.Creating, - StatusMessage = "Pull request is being created", - CreatedAt = nowStr, - UpdatedAt = nowStr - }; + var prId = $"gh-pr-{_guidFactory():N}"; + return new PullRequestResult + { + PrId = prId, + PrNumber = 0, + Url = string.Empty, + BranchName = branchName, + Status = PullRequestStatus.Failed, + StatusMessage = "SCM connector not configured", + PrBody = prBody, + CreatedAt = nowStr, + UpdatedAt = nowStr + }; + } + + try + { + // Step 1: Create branch + var branchResult = await _scmConnector.CreateBranchAsync( + owner, repo, branchName, baseBranch, cancellationToken); + + if (!branchResult.Success) + { + return new PullRequestResult + { + PrId = $"pr-{_guidFactory():N}", + PrNumber = 0, + Url = string.Empty, + BranchName = branchName, + Status = PullRequestStatus.Failed, + StatusMessage = branchResult.ErrorMessage ?? "Failed to create branch", + CreatedAt = nowStr, + UpdatedAt = nowStr + }; + } + + // Step 2: Apply remediation steps (update files) + foreach (var step in plan.Steps.OrderBy(s => s.Order)) + { + if (string.IsNullOrEmpty(step.FilePath) || string.IsNullOrEmpty(step.NewValue)) + continue; + + var commitMessage = $"fix({plan.Request.VulnerabilityId}): {step.Description}"; + var fileResult = await _scmConnector.UpdateFileAsync( + owner, repo, branchName, step.FilePath, step.NewValue, commitMessage, cancellationToken); + + if (!fileResult.Success) + { + return new PullRequestResult + { + PrId = $"pr-{_guidFactory():N}", + PrNumber = 0, + Url = string.Empty, + BranchName = branchName, + Status = PullRequestStatus.Failed, + StatusMessage = $"Failed to update file {step.FilePath}: {fileResult.ErrorMessage}", + CreatedAt = nowStr, + UpdatedAt = nowStr + }; + } + } + + // Step 3: Create pull request + var prResult = await _scmConnector.CreatePullRequestAsync( + owner, repo, branchName, baseBranch, prTitle, prBody, cancellationToken); + + if (!prResult.Success) + { + return new PullRequestResult + { + PrId = $"pr-{_guidFactory():N}", + PrNumber = 0, + Url = string.Empty, + BranchName = branchName, + Status = PullRequestStatus.Failed, + StatusMessage = prResult.ErrorMessage ?? "Failed to create PR", + PrBody = prBody, + CreatedAt = nowStr, + UpdatedAt = nowStr + }; + } + + // Success + var prId = $"gh-pr-{prResult.PrNumber}"; + return new PullRequestResult + { + PrId = prId, + PrNumber = prResult.PrNumber, + Url = prResult.PrUrl ?? $"https://github.com/{owner}/{repo}/pull/{prResult.PrNumber}", + BranchName = branchName, + Status = PullRequestStatus.Open, + StatusMessage = "Pull request created successfully", + PrBody = prBody, + CreatedAt = nowStr, + UpdatedAt = nowStr + }; + } + catch (Exception ex) + { + return new PullRequestResult + { + PrId = $"pr-{_guidFactory():N}", + PrNumber = 0, + Url = string.Empty, + BranchName = branchName, + Status = PullRequestStatus.Failed, + StatusMessage = $"Unexpected error: {ex.Message}", + CreatedAt = nowStr, + UpdatedAt = nowStr + }; + } } - public Task GetStatusAsync( + public async Task GetStatusAsync( string prId, CancellationToken cancellationToken = default) { - // In a real implementation, this would query GitHub API var now = _timeProvider.GetUtcNow().ToString("O", CultureInfo.InvariantCulture); - return Task.FromResult(new PullRequestResult + // Extract PR number from prId (format: gh-pr-1234) + if (!int.TryParse(prId.Replace("gh-pr-", ""), out var prNumber)) + { + return new PullRequestResult + { + PrId = prId, + PrNumber = 0, + Url = string.Empty, + BranchName = string.Empty, + Status = PullRequestStatus.Failed, + StatusMessage = $"Invalid PR ID format: {prId}", + CreatedAt = now, + UpdatedAt = now + }; + } + + if (_scmConnector is null) + { + return new PullRequestResult + { + PrId = prId, + PrNumber = prNumber, + Url = string.Empty, + BranchName = string.Empty, + Status = PullRequestStatus.Open, + StatusMessage = "Status check not available (no SCM connector)", + CreatedAt = now, + UpdatedAt = now + }; + } + + // Note: We would need the owner/repo from context to make the actual API call + // For now, return a placeholder + return new PullRequestResult { PrId = prId, - PrNumber = 0, + PrNumber = prNumber, Url = string.Empty, BranchName = string.Empty, Status = PullRequestStatus.Open, StatusMessage = "Waiting for CI", CreatedAt = now, UpdatedAt = now - }); + }; } - public Task UpdateWithDeltaVerdictAsync( + public async Task UpdateWithDeltaVerdictAsync( string prId, DeltaVerdictResult deltaVerdict, CancellationToken cancellationToken = default) { - // In a real implementation, this would update PR description via GitHub API - return Task.CompletedTask; + if (_scmConnector is null) + return; + + // Extract PR number from prId + if (!int.TryParse(prId.Replace("gh-pr-", ""), out var prNumber)) + return; + + // Build a comment with the delta verdict + var comment = BuildDeltaVerdictComment(deltaVerdict); + + // Note: We would need owner/repo from context. Storing for later enhancement. + // For now, this is a placeholder for when context is available. + await Task.CompletedTask; } - public Task ClosePullRequestAsync( + public async Task ClosePullRequestAsync( string prId, string reason, CancellationToken cancellationToken = default) { - // In a real implementation, this would close PR via GitHub API - return Task.CompletedTask; + if (_scmConnector is null) + return; + + // Extract PR number from prId + if (!int.TryParse(prId.Replace("gh-pr-", ""), out var prNumber)) + return; + + // Note: We would need owner/repo from context to close the PR + await Task.CompletedTask; } - private string GenerateBranchName(RemediationPlan plan) + private static string BuildDeltaVerdictComment(DeltaVerdictResult verdict) { - var vulnId = plan.Request.VulnerabilityId.Replace(":", "-").ToLowerInvariant(); - var timestamp = _timeProvider.GetUtcNow().ToString("yyyyMMdd", CultureInfo.InvariantCulture); - return $"stellaops/fix-{vulnId}-{timestamp}"; + var lines = new System.Text.StringBuilder(); + lines.AppendLine("## StellaOps Delta Verdict"); + lines.AppendLine(); + lines.AppendLine($"**Improved:** {verdict.Improved}"); + lines.AppendLine($"**Vulnerabilities Fixed:** {verdict.VulnerabilitiesFixed}"); + lines.AppendLine($"**Vulnerabilities Introduced:** {verdict.VulnerabilitiesIntroduced}"); + lines.AppendLine($"**Verdict ID:** {verdict.VerdictId}"); + lines.AppendLine($"**Computed At:** {verdict.ComputedAt}"); + + return lines.ToString(); } - private static string ExtractOwnerRepo(string? repositoryUrl) + private static (string owner, string repo) ExtractOwnerRepo(string? repositoryUrl) { if (string.IsNullOrEmpty(repositoryUrl)) { - return "owner/repo"; + return ("owner", "repo"); } // Extract owner/repo from GitHub URL var uri = new Uri(repositoryUrl); var path = uri.AbsolutePath.Trim('/'); - if (path.EndsWith(".git")) + if (path.EndsWith(".git", StringComparison.OrdinalIgnoreCase)) { path = path[..^4]; } - return path; + + var parts = path.Split('/'); + if (parts.Length >= 2) + { + return (parts[0], parts[1]); + } + + return ("owner", "repo"); } } diff --git a/src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/IPullRequestGenerator.cs b/src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/IPullRequestGenerator.cs index aa2bfe867..4a4551305 100644 --- a/src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/IPullRequestGenerator.cs +++ b/src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/IPullRequestGenerator.cs @@ -96,6 +96,12 @@ public sealed record PullRequestResult /// public string? StatusMessage { get; init; } + /// + /// PR body/description content. + /// Sprint: SPRINT_20260112_007_BE_remediation_pr_generator (REMEDY-BE-002) + /// + public string? PrBody { get; init; } + /// /// Build result if available. /// diff --git a/src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/GitHubPullRequestGeneratorTests.cs b/src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/GitHubPullRequestGeneratorTests.cs new file mode 100644 index 000000000..bb0af0487 --- /dev/null +++ b/src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/GitHubPullRequestGeneratorTests.cs @@ -0,0 +1,336 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_007_BE_remediation_pr_generator (REMEDY-BE-004) +// + +using System.Globalization; +using Moq; +using StellaOps.AdvisoryAI.Remediation; +using StellaOps.AdvisoryAI.Remediation.ScmConnector; +using Xunit; + +namespace StellaOps.AdvisoryAI.Tests; + +/// +/// Tests for covering SCM connector wiring and determinism. +/// +[Trait("Category", "Unit")] +public sealed class GitHubPullRequestGeneratorTests +{ + private readonly Mock _mockPlanStore; + private readonly Mock _mockScmConnector; + private readonly FakeTimeProvider _timeProvider; + private readonly Func _guidFactory; + private int _guidCounter; + + public GitHubPullRequestGeneratorTests() + { + _mockPlanStore = new Mock(); + _mockScmConnector = new Mock(); + _timeProvider = new FakeTimeProvider(new DateTimeOffset(2026, 1, 14, 12, 0, 0, TimeSpan.Zero)); + _guidCounter = 0; + _guidFactory = () => new Guid(++_guidCounter, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); + } + + [Fact] + public async Task CreatePullRequestAsync_NotPrReady_ReturnsFailed() + { + // Arrange + var plan = CreateTestPlan(prReady: false, notReadyReason: "Missing repo URL"); + var generator = CreateGenerator(withScmConnector: false); + + // Act + var result = await generator.CreatePullRequestAsync(plan); + + // Assert + Assert.Equal(PullRequestStatus.Failed, result.Status); + Assert.Equal("Missing repo URL", result.StatusMessage); + } + + [Fact] + public async Task CreatePullRequestAsync_NoScmConnector_ReturnsFailedWithBody() + { + // Arrange + var plan = CreateTestPlan(prReady: true); + var generator = CreateGenerator(withScmConnector: false); + + // Act + var result = await generator.CreatePullRequestAsync(plan); + + // Assert + Assert.Equal(PullRequestStatus.Failed, result.Status); + Assert.Equal("SCM connector not configured", result.StatusMessage); + Assert.NotNull(result.PrBody); + Assert.Contains("Security Remediation", result.PrBody); + } + + [Fact] + public async Task CreatePullRequestAsync_BranchCreationFails_ReturnsFailed() + { + // Arrange + var plan = CreateTestPlan(prReady: true); + _mockScmConnector.Setup(c => c.CreateBranchAsync( + It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny())) + .ReturnsAsync(new BranchResult { Success = false, BranchName = "test", ErrorMessage = "Branch exists" }); + + var generator = CreateGenerator(withScmConnector: true); + + // Act + var result = await generator.CreatePullRequestAsync(plan); + + // Assert + Assert.Equal(PullRequestStatus.Failed, result.Status); + Assert.Equal("Branch exists", result.StatusMessage); + } + + [Fact] + public async Task CreatePullRequestAsync_FileUpdateFails_ReturnsFailed() + { + // Arrange + var plan = CreateTestPlan(prReady: true, withSteps: true); + _mockScmConnector.Setup(c => c.CreateBranchAsync( + It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny())) + .ReturnsAsync(new BranchResult { Success = true, BranchName = "test", CommitSha = "abc123" }); + _mockScmConnector.Setup(c => c.UpdateFileAsync( + It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny())) + .ReturnsAsync(new FileUpdateResult { Success = false, FilePath = "package.json", ErrorMessage = "Permission denied" }); + + var generator = CreateGenerator(withScmConnector: true); + + // Act + var result = await generator.CreatePullRequestAsync(plan); + + // Assert + Assert.Equal(PullRequestStatus.Failed, result.Status); + Assert.Contains("package.json", result.StatusMessage); + Assert.Contains("Permission denied", result.StatusMessage); + } + + [Fact] + public async Task CreatePullRequestAsync_PrCreationFails_ReturnsFailed() + { + // Arrange + var plan = CreateTestPlan(prReady: true); + SetupSuccessfulBranchAndFile(); + _mockScmConnector.Setup(c => c.CreatePullRequestAsync( + It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny())) + .ReturnsAsync(new PrCreateResult { Success = false, PrNumber = 0, PrUrl = string.Empty, ErrorMessage = "Rate limited" }); + + var generator = CreateGenerator(withScmConnector: true); + + // Act + var result = await generator.CreatePullRequestAsync(plan); + + // Assert + Assert.Equal(PullRequestStatus.Failed, result.Status); + Assert.Equal("Rate limited", result.StatusMessage); + } + + [Fact] + public async Task CreatePullRequestAsync_Success_ReturnsOpenWithPrBody() + { + // Arrange + var plan = CreateTestPlan(prReady: true); + SetupSuccessfulBranchAndFile(); + _mockScmConnector.Setup(c => c.CreatePullRequestAsync( + It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny())) + .ReturnsAsync(new PrCreateResult { Success = true, PrNumber = 42, PrUrl = "https://github.com/owner/repo/pull/42" }); + + var generator = CreateGenerator(withScmConnector: true); + + // Act + var result = await generator.CreatePullRequestAsync(plan); + + // Assert + Assert.Equal(PullRequestStatus.Open, result.Status); + Assert.Equal("Pull request created successfully", result.StatusMessage); + Assert.Equal(42, result.PrNumber); + Assert.Equal("gh-pr-42", result.PrId); + Assert.Equal("https://github.com/owner/repo/pull/42", result.Url); + Assert.NotNull(result.PrBody); + } + + [Fact] + public async Task CreatePullRequestAsync_UsesPrTemplateBuilder_Deterministically() + { + // Arrange + var plan = CreateTestPlan(prReady: true); + SetupSuccessfulBranchAndFile(); + _mockScmConnector.Setup(c => c.CreatePullRequestAsync( + It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny())) + .ReturnsAsync(new PrCreateResult { Success = true, PrNumber = 1, PrUrl = "https://github.com/o/r/pull/1" }); + + var generator = CreateGenerator(withScmConnector: true); + + // Act + var result1 = await generator.CreatePullRequestAsync(plan); + var result2 = await generator.CreatePullRequestAsync(plan); + + // Assert - PR bodies should be identical for the same plan + Assert.Equal(result1.PrBody, result2.PrBody); + } + + [Fact] + public async Task CreatePullRequestAsync_CallsScmConnectorInOrder() + { + // Arrange + var plan = CreateTestPlan(prReady: true, withSteps: true); + var callOrder = new List(); + + _mockScmConnector.Setup(c => c.CreateBranchAsync( + It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny())) + .Callback(() => callOrder.Add("CreateBranch")) + .ReturnsAsync(new BranchResult { Success = true, BranchName = "test", CommitSha = "abc" }); + _mockScmConnector.Setup(c => c.UpdateFileAsync( + It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny())) + .Callback(() => callOrder.Add("UpdateFile")) + .ReturnsAsync(new FileUpdateResult { Success = true, FilePath = "test", CommitSha = "def" }); + _mockScmConnector.Setup(c => c.CreatePullRequestAsync( + It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny())) + .Callback(() => callOrder.Add("CreatePR")) + .ReturnsAsync(new PrCreateResult { Success = true, PrNumber = 1, PrUrl = "" }); + + var generator = CreateGenerator(withScmConnector: true); + + // Act + await generator.CreatePullRequestAsync(plan); + + // Assert + Assert.Equal(["CreateBranch", "UpdateFile", "CreatePR"], callOrder); + } + + [Fact] + public async Task CreatePullRequestAsync_TimestampsAreDeterministic() + { + // Arrange + var plan = CreateTestPlan(prReady: true); + var generator = CreateGenerator(withScmConnector: false); + + // Act + var result = await generator.CreatePullRequestAsync(plan); + + // Assert + Assert.Equal("2026-01-14T12:00:00.0000000+00:00", result.CreatedAt); + Assert.Equal("2026-01-14T12:00:00.0000000+00:00", result.UpdatedAt); + } + + [Fact] + public async Task GetStatusAsync_InvalidPrIdFormat_ReturnsFailed() + { + // Arrange + var generator = CreateGenerator(withScmConnector: false); + + // Act + var result = await generator.GetStatusAsync("invalid-pr-id"); + + // Assert + Assert.Equal(PullRequestStatus.Failed, result.Status); + Assert.Contains("Invalid PR ID format", result.StatusMessage); + } + + [Fact] + public async Task GetStatusAsync_NoScmConnector_ReturnsOpenWithPlaceholder() + { + // Arrange + var generator = CreateGenerator(withScmConnector: false); + + // Act + var result = await generator.GetStatusAsync("gh-pr-123"); + + // Assert + Assert.Equal(PullRequestStatus.Open, result.Status); + Assert.Equal(123, result.PrNumber); + Assert.Contains("no SCM connector", result.StatusMessage); + } + + private GitHubPullRequestGenerator CreateGenerator(bool withScmConnector) + { + return new GitHubPullRequestGenerator( + _mockPlanStore.Object, + withScmConnector ? _mockScmConnector.Object : null, + new PrTemplateBuilder(), + _timeProvider, + _guidFactory); + } + + private void SetupSuccessfulBranchAndFile() + { + _mockScmConnector.Setup(c => c.CreateBranchAsync( + It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny())) + .ReturnsAsync(new BranchResult { Success = true, BranchName = "test", CommitSha = "abc123" }); + _mockScmConnector.Setup(c => c.UpdateFileAsync( + It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny(), It.IsAny())) + .ReturnsAsync(new FileUpdateResult { Success = true, FilePath = "test", CommitSha = "def456" }); + } + + private static RemediationPlan CreateTestPlan( + bool prReady = true, + string? notReadyReason = null, + bool withSteps = false) + { + var steps = new List(); + if (withSteps) + { + steps.Add(new RemediationStep + { + Order = 1, + ActionType = "update_package", + FilePath = "package.json", + Description = "Update lodash to 4.17.21", + NewValue = "{ \"dependencies\": { \"lodash\": \"4.17.21\" } }" + }); + } + + return new RemediationPlan + { + PlanId = "plan-test-001", + GeneratedAt = "2026-01-14T10:00:00Z", + Authority = RemediationAuthority.Suggestion, + RiskAssessment = RemediationRisk.Low, + ConfidenceScore = 0.85, + PrReady = prReady, + NotReadyReason = notReadyReason, + ModelId = "test-model-v1", + Steps = steps, + InputHashes = ["sha256:input1", "sha256:input2"], + EvidenceRefs = ["evidence:ref1"], + TestRequirements = new RemediationTestRequirements + { + TestSuites = ["unit", "integration"], + MinCoverage = 0.80, + RequireAllPass = true + }, + ExpectedDelta = new ExpectedSbomDelta + { + Added = Array.Empty(), + Removed = Array.Empty(), + Upgraded = new Dictionary + { + ["pkg:npm/lodash@4.17.20"] = "pkg:npm/lodash@4.17.21" + }, + NetVulnerabilityChange = -1 + }, + Request = new RemediationPlanRequest + { + FindingId = "FIND-001", + ArtifactDigest = "sha256:abc", + VulnerabilityId = "CVE-2024-1234", + ComponentPurl = "pkg:npm/lodash@4.17.20", + RepositoryUrl = "https://github.com/owner/repo", + TargetBranch = "main" + } + }; + } + + private sealed class FakeTimeProvider : TimeProvider + { + private readonly DateTimeOffset _fixedTime; + + public FakeTimeProvider(DateTimeOffset fixedTime) + { + _fixedTime = fixedTime; + } + + public override DateTimeOffset GetUtcNow() => _fixedTime; + } +} diff --git a/src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/Integration/EvidenceCardExportIntegrationTests.cs b/src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/Integration/EvidenceCardExportIntegrationTests.cs new file mode 100644 index 000000000..6a0c343b4 --- /dev/null +++ b/src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/Integration/EvidenceCardExportIntegrationTests.cs @@ -0,0 +1,358 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later +// Copyright (c) 2025 StellaOps +// Sprint: SPRINT_20260112_005_BE_evidence_card_api (EVPCARD-BE-003) +// Task: Integration tests for evidence-card export content type and signed payload + +using System.Collections.Immutable; +using System.Text.Json; +using Microsoft.Extensions.DependencyInjection; +using Moq; +using StellaOps.Determinism; +using StellaOps.Evidence.Pack; +using StellaOps.Evidence.Pack.Models; +using StellaOps.Evidence.Pack.Storage; +using Xunit; + +namespace StellaOps.AdvisoryAI.Tests.Integration; + +/// +/// Integration tests for evidence-card export functionality. +/// +[Trait("Category", "Integration")] +public class EvidenceCardExportIntegrationTests +{ + private static readonly DateTimeOffset FixedTime = new(2026, 1, 14, 12, 0, 0, TimeSpan.Zero); + private static readonly Guid FixedGuid = Guid.Parse("12345678-1234-1234-1234-123456789abc"); + + [Fact] + public async Task ExportAsync_EvidenceCard_ReturnsCorrectContentType() + { + // Arrange + var services = CreateServiceProvider(); + var packService = services.GetRequiredService(); + + var pack = await CreateTestEvidencePack(packService); + + // Act + var export = await packService.ExportAsync( + pack.PackId, + EvidencePackExportFormat.EvidenceCard, + CancellationToken.None); + + // Assert + Assert.Equal("application/vnd.stellaops.evidence-card+json", export.ContentType); + Assert.EndsWith(".evidence-card.json", export.FileName); + } + + [Fact] + public async Task ExportAsync_EvidenceCardCompact_ReturnsCompactContentType() + { + // Arrange + var services = CreateServiceProvider(); + var packService = services.GetRequiredService(); + + var pack = await CreateTestEvidencePack(packService); + + // Act + var export = await packService.ExportAsync( + pack.PackId, + EvidencePackExportFormat.EvidenceCardCompact, + CancellationToken.None); + + // Assert + Assert.Equal("application/vnd.stellaops.evidence-card-compact+json", export.ContentType); + Assert.EndsWith(".evidence-card-compact.json", export.FileName); + } + + [Fact] + public async Task ExportAsync_EvidenceCard_ContainsRequiredFields() + { + // Arrange + var services = CreateServiceProvider(); + var packService = services.GetRequiredService(); + + var pack = await CreateTestEvidencePack(packService); + + // Act + var export = await packService.ExportAsync( + pack.PackId, + EvidencePackExportFormat.EvidenceCard, + CancellationToken.None); + + // Assert + var json = System.Text.Encoding.UTF8.GetString(export.Content); + using var doc = JsonDocument.Parse(json); + var root = doc.RootElement; + + Assert.True(root.TryGetProperty("cardId", out _), "Missing cardId"); + Assert.True(root.TryGetProperty("version", out _), "Missing version"); + Assert.True(root.TryGetProperty("packId", out _), "Missing packId"); + Assert.True(root.TryGetProperty("createdAt", out _), "Missing createdAt"); + Assert.True(root.TryGetProperty("subject", out _), "Missing subject"); + Assert.True(root.TryGetProperty("contentDigest", out _), "Missing contentDigest"); + } + + [Fact] + public async Task ExportAsync_EvidenceCard_ContainsSubjectMetadata() + { + // Arrange + var services = CreateServiceProvider(); + var packService = services.GetRequiredService(); + + var pack = await CreateTestEvidencePack(packService); + + // Act + var export = await packService.ExportAsync( + pack.PackId, + EvidencePackExportFormat.EvidenceCard, + CancellationToken.None); + + // Assert + var json = System.Text.Encoding.UTF8.GetString(export.Content); + using var doc = JsonDocument.Parse(json); + var subject = doc.RootElement.GetProperty("subject"); + + Assert.True(subject.TryGetProperty("type", out var typeElement)); + Assert.Equal("finding", typeElement.GetString()); + Assert.True(subject.TryGetProperty("findingId", out var findingIdElement)); + Assert.Equal("FIND-001", findingIdElement.GetString()); + Assert.True(subject.TryGetProperty("cveId", out var cveIdElement)); + Assert.Equal("CVE-2024-1234", cveIdElement.GetString()); + } + + [Fact] + public async Task ExportAsync_EvidenceCard_ContentDigestIsDeterministic() + { + // Arrange + var services = CreateServiceProvider(); + var packService = services.GetRequiredService(); + + var pack = await CreateTestEvidencePack(packService); + + // Act + var export1 = await packService.ExportAsync( + pack.PackId, + EvidencePackExportFormat.EvidenceCard, + CancellationToken.None); + + var export2 = await packService.ExportAsync( + pack.PackId, + EvidencePackExportFormat.EvidenceCard, + CancellationToken.None); + + // Assert - same input should produce same digest + var json1 = System.Text.Encoding.UTF8.GetString(export1.Content); + var json2 = System.Text.Encoding.UTF8.GetString(export2.Content); + + using var doc1 = JsonDocument.Parse(json1); + using var doc2 = JsonDocument.Parse(json2); + + var digest1 = doc1.RootElement.GetProperty("contentDigest").GetString(); + var digest2 = doc2.RootElement.GetProperty("contentDigest").GetString(); + + Assert.Equal(digest1, digest2); + Assert.StartsWith("sha256:", digest1); + } + + [Fact] + public async Task ExportAsync_EvidenceCard_IncludesSbomExcerptWhenAvailable() + { + // Arrange + var services = CreateServiceProvider(); + var packService = services.GetRequiredService(); + + var pack = await CreateTestEvidencePackWithSbom(packService); + + // Act + var export = await packService.ExportAsync( + pack.PackId, + EvidencePackExportFormat.EvidenceCard, + CancellationToken.None); + + // Assert + var json = System.Text.Encoding.UTF8.GetString(export.Content); + using var doc = JsonDocument.Parse(json); + + if (doc.RootElement.TryGetProperty("sbomExcerpt", out var sbomExcerpt)) + { + Assert.True(sbomExcerpt.TryGetProperty("componentPurl", out _)); + } + // Note: sbomExcerpt may be null if not available + } + + [Fact] + public async Task ExportAsync_EvidenceCardCompact_ExcludesFullSbom() + { + // Arrange + var services = CreateServiceProvider(); + var packService = services.GetRequiredService(); + + var pack = await CreateTestEvidencePackWithSbom(packService); + + // Act + var fullExport = await packService.ExportAsync( + pack.PackId, + EvidencePackExportFormat.EvidenceCard, + CancellationToken.None); + + var compactExport = await packService.ExportAsync( + pack.PackId, + EvidencePackExportFormat.EvidenceCardCompact, + CancellationToken.None); + + // Assert - compact should be smaller or equal + Assert.True(compactExport.Content.Length <= fullExport.Content.Length, + "Compact export should be smaller or equal to full export"); + } + + private static ServiceProvider CreateServiceProvider() + { + var services = new ServiceCollection(); + + // Add deterministic time and guid providers + var timeProvider = new FakeTimeProvider(FixedTime); + var guidProvider = new FakeGuidProvider(FixedGuid); + + services.AddSingleton(timeProvider); + services.AddSingleton(guidProvider); + + // Add evidence pack services + services.AddSingleton(); + services.AddEvidencePack(); + + // Mock signer + var signerMock = new Mock(); + signerMock.Setup(s => s.SignAsync(It.IsAny(), It.IsAny())) + .ReturnsAsync(new DsseEnvelope + { + PayloadType = "application/vnd.stellaops.evidence-pack+json", + Payload = "e30=", // Base64 for "{}" + PayloadDigest = "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + Signatures = ImmutableArray.Empty + }); + services.AddSingleton(signerMock.Object); + + return services.BuildServiceProvider(); + } + + private static async Task CreateTestEvidencePack(IEvidencePackService packService) + { + var subject = new EvidenceSubject + { + Type = EvidenceSubjectType.Finding, + FindingId = "FIND-001", + CveId = "CVE-2024-1234", + Component = "pkg:npm/lodash@4.17.20" + }; + + var claims = new[] + { + new EvidenceClaim + { + ClaimId = "claim-001", + Text = "Vulnerability is not reachable in this deployment", + Type = ClaimType.Reachability, + Status = "not_affected", + Confidence = 0.85, + EvidenceIds = ImmutableArray.Create("ev-001"), + Source = "system" + } + }; + + var evidence = new[] + { + new EvidenceItem + { + EvidenceId = "ev-001", + Type = EvidenceType.Reachability, + Uri = "stellaops://reachability/FIND-001", + Digest = "sha256:abc123", + CollectedAt = FixedTime.AddHours(-1), + Snapshot = EvidenceSnapshot.Reachability("Unreachable", confidence: 0.85) + } + }; + + var context = new EvidencePackContext + { + TenantId = "test-tenant", + GeneratedBy = "EvidenceCardExportIntegrationTests" + }; + + return await packService.CreateAsync(claims, evidence, subject, context, CancellationToken.None); + } + + private static async Task CreateTestEvidencePackWithSbom(IEvidencePackService packService) + { + var subject = new EvidenceSubject + { + Type = EvidenceSubjectType.Finding, + FindingId = "FIND-002", + CveId = "CVE-2024-5678", + Component = "pkg:npm/express@4.18.2" + }; + + var claims = new[] + { + new EvidenceClaim + { + ClaimId = "claim-002", + Text = "Fixed version available", + Type = ClaimType.FixAvailability, + Status = "fixed", + Confidence = 0.95, + EvidenceIds = ImmutableArray.Create("ev-sbom-001"), + Source = "system" + } + }; + + var evidence = new[] + { + new EvidenceItem + { + EvidenceId = "ev-sbom-001", + Type = EvidenceType.Sbom, + Uri = "stellaops://sbom/image-abc123", + Digest = "sha256:def456", + CollectedAt = FixedTime.AddHours(-2), + Snapshot = EvidenceSnapshot.Sbom( + "spdx", + "2.3", + componentCount: 150, + imageDigest: "sha256:abc123") + } + }; + + var context = new EvidencePackContext + { + TenantId = "test-tenant", + GeneratedBy = "EvidenceCardExportIntegrationTests" + }; + + return await packService.CreateAsync(claims, evidence, subject, context, CancellationToken.None); + } + + private sealed class FakeTimeProvider : TimeProvider + { + private readonly DateTimeOffset _fixedTime; + + public FakeTimeProvider(DateTimeOffset fixedTime) => _fixedTime = fixedTime; + + public override DateTimeOffset GetUtcNow() => _fixedTime; + } + + private sealed class FakeGuidProvider : IGuidProvider + { + private readonly Guid _fixedGuid; + private int _counter; + + public FakeGuidProvider(Guid fixedGuid) => _fixedGuid = fixedGuid; + + public Guid NewGuid() + { + // Return deterministic GUIDs for each call + var bytes = _fixedGuid.ToByteArray(); + bytes[^1] = (byte)Interlocked.Increment(ref _counter); + return new Guid(bytes); + } + } +} diff --git a/src/Attestor/__Tests/StellaOps.Attestor.Core.Tests/Rekor/RekorEntryEventTests.cs b/src/Attestor/__Tests/StellaOps.Attestor.Core.Tests/Rekor/RekorEntryEventTests.cs new file mode 100644 index 000000000..19d6cae82 --- /dev/null +++ b/src/Attestor/__Tests/StellaOps.Attestor.Core.Tests/Rekor/RekorEntryEventTests.cs @@ -0,0 +1,276 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_007_ATTESTOR_rekor_entry_events (ATT-REKOR-004) +// + +using System; +using System.Collections.Immutable; +using StellaOps.Attestor.Core.Rekor; +using Xunit; + +namespace StellaOps.Attestor.Core.Tests.Rekor; + +[Trait("Category", "Unit")] +public sealed class RekorEntryEventTests +{ + private static readonly DateTimeOffset FixedTimestamp = new(2026, 1, 15, 10, 30, 0, TimeSpan.Zero); + + [Fact] + public void CreateEntryLogged_GeneratesDeterministicEventId() + { + // Arrange & Act + var event1 = RekorEntryEventFactory.CreateEntryLogged( + tenant: "default", + bundleDigest: "sha256:abc123def456", + predicateType: "StellaOps.ScanResults@1", + logIndex: 123456789, + logId: "c0d23d6ad406973f", + entryUuid: "24296fb24b8ad77a", + integratedTime: 1736937002, + createdAtUtc: FixedTimestamp); + + var event2 = RekorEntryEventFactory.CreateEntryLogged( + tenant: "default", + bundleDigest: "sha256:abc123def456", + predicateType: "StellaOps.ScanResults@1", + logIndex: 123456789, + logId: "c0d23d6ad406973f", + entryUuid: "24296fb24b8ad77a", + integratedTime: 1736937002, + createdAtUtc: FixedTimestamp); + + // Assert - Same inputs should produce same event ID + Assert.Equal(event1.EventId, event2.EventId); + Assert.StartsWith("rekor-evt-", event1.EventId); + Assert.Equal(RekorEventTypes.EntryLogged, event1.EventType); + } + + [Fact] + public void CreateEntryLogged_DifferentLogIndexProducesDifferentEventId() + { + // Arrange & Act + var event1 = RekorEntryEventFactory.CreateEntryLogged( + tenant: "default", + bundleDigest: "sha256:abc123def456", + predicateType: "StellaOps.ScanResults@1", + logIndex: 123456789, + logId: "c0d23d6ad406973f", + entryUuid: "24296fb24b8ad77a", + integratedTime: 1736937002, + createdAtUtc: FixedTimestamp); + + var event2 = RekorEntryEventFactory.CreateEntryLogged( + tenant: "default", + bundleDigest: "sha256:abc123def456", + predicateType: "StellaOps.ScanResults@1", + logIndex: 987654321, // Different log index + logId: "c0d23d6ad406973f", + entryUuid: "different-uuid", + integratedTime: 1736937002, + createdAtUtc: FixedTimestamp); + + // Assert + Assert.NotEqual(event1.EventId, event2.EventId); + } + + [Fact] + public void CreateEntryQueued_HasCorrectEventType() + { + // Arrange & Act + var evt = RekorEntryEventFactory.CreateEntryQueued( + tenant: "default", + bundleDigest: "sha256:abc123def456", + predicateType: "StellaOps.VEXAttestation@1", + queuedAtUtc: FixedTimestamp); + + // Assert + Assert.Equal(RekorEventTypes.EntryQueued, evt.EventType); + Assert.Equal(0, evt.LogIndex); + Assert.False(evt.InclusionVerified); + } + + [Fact] + public void CreateInclusionVerified_HasCorrectEventType() + { + // Arrange & Act + var evt = RekorEntryEventFactory.CreateInclusionVerified( + tenant: "default", + bundleDigest: "sha256:abc123def456", + predicateType: "StellaOps.ScanResults@1", + logIndex: 123456789, + logId: "c0d23d6ad406973f", + entryUuid: "24296fb24b8ad77a", + integratedTime: 1736937002, + verifiedAtUtc: FixedTimestamp); + + // Assert + Assert.Equal(RekorEventTypes.InclusionVerified, evt.EventType); + Assert.True(evt.InclusionVerified); + } + + [Fact] + public void CreateEntryFailed_HasCorrectEventType() + { + // Arrange & Act + var evt = RekorEntryEventFactory.CreateEntryFailed( + tenant: "default", + bundleDigest: "sha256:abc123def456", + predicateType: "StellaOps.ScanResults@1", + reason: "rekor_unavailable", + failedAtUtc: FixedTimestamp); + + // Assert + Assert.Equal(RekorEventTypes.EntryFailed, evt.EventType); + Assert.False(evt.InclusionVerified); + } + + [Fact] + public void EventIdIsIdempotentAcrossMultipleInvocations() + { + // Arrange & Act - Create same event multiple times + var events = new RekorEntryEvent[5]; + for (int i = 0; i < 5; i++) + { + events[i] = RekorEntryEventFactory.CreateEntryLogged( + tenant: "default", + bundleDigest: "sha256:abc123def456", + predicateType: "StellaOps.ScanResults@1", + logIndex: 123456789, + logId: "c0d23d6ad406973f", + entryUuid: "24296fb24b8ad77a", + integratedTime: 1736937002, + createdAtUtc: FixedTimestamp); + } + + // Assert - All event IDs should be identical + var firstEventId = events[0].EventId; + foreach (var evt in events) + { + Assert.Equal(firstEventId, evt.EventId); + } + } + + [Fact] + public void ExtractReanalysisHints_ScanResults_ReturnsImmediateScope() + { + // Arrange + var cveIds = ImmutableArray.Create("CVE-2026-1234", "CVE-2026-5678"); + var productKeys = ImmutableArray.Create("pkg:npm/lodash@4.17.21"); + + // Act + var hints = RekorReanalysisHintsFactory.Create( + predicateType: "StellaOps.ScanResults@1", + cveIds: cveIds, + productKeys: productKeys, + artifactDigests: ImmutableArray.Empty); + + // Assert + Assert.Equal(ReanalysisScope.Immediate, hints.ReanalysisScope); + Assert.True(hints.MayAffectDecision); + Assert.Equal(2, hints.CveIds.Length); + Assert.Single(hints.ProductKeys); + } + + [Fact] + public void ExtractReanalysisHints_VEXAttestation_ReturnsImmediateScope() + { + // Arrange & Act + var hints = RekorReanalysisHintsFactory.Create( + predicateType: "StellaOps.VEXAttestation@1", + cveIds: ImmutableArray.Create("CVE-2026-1234"), + productKeys: ImmutableArray.Create("pkg:npm/express@4.18.0"), + artifactDigests: ImmutableArray.Empty); + + // Assert + Assert.Equal(ReanalysisScope.Immediate, hints.ReanalysisScope); + Assert.True(hints.MayAffectDecision); + } + + [Fact] + public void ExtractReanalysisHints_SBOMAttestation_ReturnsScheduledScope() + { + // Arrange & Act + var hints = RekorReanalysisHintsFactory.Create( + predicateType: "StellaOps.SBOMAttestation@1", + cveIds: ImmutableArray.Empty, + productKeys: ImmutableArray.Create("pkg:npm/myapp@1.0.0"), + artifactDigests: ImmutableArray.Empty); + + // Assert + Assert.Equal(ReanalysisScope.Scheduled, hints.ReanalysisScope); + } + + [Fact] + public void ExtractReanalysisHints_BuildProvenance_ReturnsNoneScope() + { + // Arrange & Act + var hints = RekorReanalysisHintsFactory.Create( + predicateType: "StellaOps.BuildProvenance@1", + cveIds: ImmutableArray.Empty, + productKeys: ImmutableArray.Empty, + artifactDigests: ImmutableArray.Empty); + + // Assert + Assert.Equal(ReanalysisScope.None, hints.ReanalysisScope); + Assert.False(hints.MayAffectDecision); + } + + [Fact] + public void TenantNormalization_LowerCasesAndTrims() + { + // Arrange & Act + var evt = RekorEntryEventFactory.CreateEntryLogged( + tenant: " DEFAULT ", + bundleDigest: "sha256:abc123def456", + predicateType: "StellaOps.ScanResults@1", + logIndex: 123456789, + logId: "c0d23d6ad406973f", + entryUuid: "24296fb24b8ad77a", + integratedTime: 1736937002, + createdAtUtc: FixedTimestamp); + + // Assert + Assert.Equal("default", evt.Tenant); + } + + [Fact] + public void IntegratedTimeRfc3339_FormattedCorrectly() + { + // Arrange & Act + var evt = RekorEntryEventFactory.CreateEntryLogged( + tenant: "default", + bundleDigest: "sha256:abc123def456", + predicateType: "StellaOps.ScanResults@1", + logIndex: 123456789, + logId: "c0d23d6ad406973f", + entryUuid: "24296fb24b8ad77a", + integratedTime: 1736937002, // 2025-01-15T10:30:02Z + createdAtUtc: FixedTimestamp); + + // Assert - Should be RFC3339 formatted + Assert.Contains("2025-01-15", evt.IntegratedTimeRfc3339); + Assert.EndsWith("Z", evt.IntegratedTimeRfc3339); + } + + [Fact] + public void ReanalysisHints_SortsCveIdsAndProductKeys() + { + // Arrange - CVEs and products in unsorted order + var cveIds = ImmutableArray.Create("CVE-2026-9999", "CVE-2026-0001", "CVE-2026-5000"); + var productKeys = ImmutableArray.Create("pkg:npm/zod@3.0.0", "pkg:npm/axios@1.0.0"); + + // Act + var hints = RekorReanalysisHintsFactory.Create( + predicateType: "StellaOps.ScanResults@1", + cveIds: cveIds, + productKeys: productKeys, + artifactDigests: ImmutableArray.Empty); + + // Assert - Should be sorted for determinism + Assert.Equal("CVE-2026-0001", hints.CveIds[0]); + Assert.Equal("CVE-2026-5000", hints.CveIds[1]); + Assert.Equal("CVE-2026-9999", hints.CveIds[2]); + Assert.Equal("pkg:npm/axios@1.0.0", hints.ProductKeys[0]); + Assert.Equal("pkg:npm/zod@3.0.0", hints.ProductKeys[1]); + } +} diff --git a/src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/LocalPolicy/FileBasedPolicyStoreTests.cs b/src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/LocalPolicy/FileBasedPolicyStoreTests.cs new file mode 100644 index 000000000..786b7bead --- /dev/null +++ b/src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/LocalPolicy/FileBasedPolicyStoreTests.cs @@ -0,0 +1,337 @@ +// ----------------------------------------------------------------------------- +// FileBasedPolicyStoreTests.cs +// Sprint: SPRINT_20260112_018_AUTH_local_rbac_fallback +// Tasks: RBAC-011 +// Description: Unit tests for file-based local policy store. +// ----------------------------------------------------------------------------- + +using System.Collections.Immutable; +using Microsoft.Extensions.Logging.Abstractions; +using Microsoft.Extensions.Options; +using StellaOps.Authority.LocalPolicy; +using Xunit; + +namespace StellaOps.Authority.Tests.LocalPolicy; + +[Trait("Category", "Unit")] +public sealed class FileBasedPolicyStoreTests +{ + private static LocalPolicy CreateTestPolicy() => new() + { + SchemaVersion = "1.0.0", + LastUpdated = DateTimeOffset.UtcNow, + Roles = ImmutableArray.Create( + new LocalRole + { + Name = "admin", + Scopes = ImmutableArray.Create("authority:read", "authority:write", "platform:admin") + }, + new LocalRole + { + Name = "operator", + Scopes = ImmutableArray.Create("orch:operate", "orch:view") + }, + new LocalRole + { + Name = "auditor", + Scopes = ImmutableArray.Create("audit:read"), + Inherits = ImmutableArray.Create("operator") + } + ), + Subjects = ImmutableArray.Create( + new LocalSubject + { + Id = "admin@company.com", + Roles = ImmutableArray.Create("admin"), + Tenant = "default" + }, + new LocalSubject + { + Id = "ops@company.com", + Roles = ImmutableArray.Create("operator"), + Tenant = "default" + }, + new LocalSubject + { + Id = "audit@company.com", + Roles = ImmutableArray.Create("auditor"), + Tenant = "default" + }, + new LocalSubject + { + Id = "disabled@company.com", + Roles = ImmutableArray.Create("admin"), + Enabled = false + }, + new LocalSubject + { + Id = "expired@company.com", + Roles = ImmutableArray.Create("admin"), + ExpiresAt = DateTimeOffset.UtcNow.AddDays(-1) + } + ), + BreakGlass = new BreakGlassConfig + { + Enabled = true, + Accounts = ImmutableArray.Create( + new BreakGlassAccount + { + Id = "emergency-admin", + // bcrypt hash of "emergency-password" + CredentialHash = "$2a$11$K5r3kJ1bQ0K5r3kJ1bQ0KerIuPrXKP3kHnJyKjIuPrXKP3kHnJyKj", + HashAlgorithm = "bcrypt", + Roles = ImmutableArray.Create("admin") + } + ), + SessionTimeoutMinutes = 15, + MaxExtensions = 2, + RequireReasonCode = true, + AllowedReasonCodes = ImmutableArray.Create("EMERGENCY", "INCIDENT") + } + }; + + [Fact] + public void LocalPolicy_SerializesCorrectly() + { + var policy = CreateTestPolicy(); + + Assert.Equal("1.0.0", policy.SchemaVersion); + Assert.Equal(3, policy.Roles.Length); + Assert.Equal(5, policy.Subjects.Length); + Assert.NotNull(policy.BreakGlass); + } + + [Fact] + public void LocalRole_InheritanceWorks() + { + var policy = CreateTestPolicy(); + + var auditorRole = policy.Roles.First(r => r.Name == "auditor"); + Assert.Contains("operator", auditorRole.Inherits); + } + + [Fact] + public void LocalSubject_DisabledWorks() + { + var policy = CreateTestPolicy(); + + var disabledSubject = policy.Subjects.First(s => s.Id == "disabled@company.com"); + Assert.False(disabledSubject.Enabled); + } + + [Fact] + public void LocalSubject_ExpirationWorks() + { + var policy = CreateTestPolicy(); + + var expiredSubject = policy.Subjects.First(s => s.Id == "expired@company.com"); + Assert.NotNull(expiredSubject.ExpiresAt); + Assert.True(expiredSubject.ExpiresAt < DateTimeOffset.UtcNow); + } + + [Fact] + public void BreakGlassConfig_AccountsConfigured() + { + var policy = CreateTestPolicy(); + + Assert.NotNull(policy.BreakGlass); + Assert.True(policy.BreakGlass.Enabled); + Assert.Single(policy.BreakGlass.Accounts); + Assert.Equal("emergency-admin", policy.BreakGlass.Accounts[0].Id); + } + + [Fact] + public void BreakGlassConfig_ReasonCodesConfigured() + { + var policy = CreateTestPolicy(); + + Assert.NotNull(policy.BreakGlass); + Assert.True(policy.BreakGlass.RequireReasonCode); + Assert.Contains("EMERGENCY", policy.BreakGlass.AllowedReasonCodes); + Assert.Contains("INCIDENT", policy.BreakGlass.AllowedReasonCodes); + } + + [Fact] + public void BreakGlassSession_IsValidChecksExpiration() + { + var timeProvider = TimeProvider.System; + var now = timeProvider.GetUtcNow(); + + var validSession = new BreakGlassSession + { + SessionId = "valid", + AccountId = "admin", + StartedAt = now, + ExpiresAt = now.AddMinutes(15), + ReasonCode = "EMERGENCY", + Roles = ImmutableArray.Create("admin") + }; + + var expiredSession = new BreakGlassSession + { + SessionId = "expired", + AccountId = "admin", + StartedAt = now.AddMinutes(-30), + ExpiresAt = now.AddMinutes(-15), + ReasonCode = "EMERGENCY", + Roles = ImmutableArray.Create("admin") + }; + + Assert.True(validSession.IsValid(timeProvider)); + Assert.False(expiredSession.IsValid(timeProvider)); + } +} + +[Trait("Category", "Unit")] +public sealed class LocalPolicyStoreOptionsTests +{ + [Fact] + public void DefaultOptions_HaveCorrectValues() + { + var options = new LocalPolicyStoreOptions(); + + Assert.True(options.Enabled); + Assert.Equal("/etc/stellaops/authority/local-policy.yaml", options.PolicyFilePath); + Assert.True(options.EnableHotReload); + Assert.Equal(500, options.HotReloadDebounceMs); + Assert.False(options.RequireSignature); + Assert.True(options.AllowBreakGlass); + Assert.Contains("1.0.0", options.SupportedSchemaVersions); + } + + [Fact] + public void FallbackBehavior_DefaultIsEmptyPolicy() + { + var options = new LocalPolicyStoreOptions(); + + Assert.Equal(PolicyFallbackBehavior.EmptyPolicy, options.FallbackBehavior); + } +} + +[Trait("Category", "Unit")] +public sealed class PolicyStoreFallbackOptionsTests +{ + [Fact] + public void DefaultOptions_HaveCorrectValues() + { + var options = new PolicyStoreFallbackOptions(); + + Assert.True(options.Enabled); + Assert.Equal(5000, options.HealthCheckIntervalMs); + Assert.Equal(3, options.FailureThreshold); + Assert.Equal(30000, options.MinFallbackDurationMs); + Assert.True(options.LogFallbackLookups); + } +} + +[Trait("Category", "Unit")] +public sealed class BreakGlassSessionManagerTests +{ + [Fact] + public void BreakGlassSessionRequest_HasRequiredProperties() + { + var request = new BreakGlassSessionRequest + { + Credential = "test-credential", + ReasonCode = "EMERGENCY", + ReasonText = "Production incident", + ClientIp = "192.168.1.1", + UserAgent = "TestAgent/1.0" + }; + + Assert.Equal("test-credential", request.Credential); + Assert.Equal("EMERGENCY", request.ReasonCode); + Assert.Equal("Production incident", request.ReasonText); + } + + [Fact] + public void BreakGlassSessionResult_SuccessCase() + { + var session = new BreakGlassSession + { + SessionId = "test-session", + AccountId = "admin", + StartedAt = DateTimeOffset.UtcNow, + ExpiresAt = DateTimeOffset.UtcNow.AddMinutes(15), + ReasonCode = "EMERGENCY", + Roles = ImmutableArray.Create("admin") + }; + + var result = new BreakGlassSessionResult + { + Success = true, + Session = session + }; + + Assert.True(result.Success); + Assert.NotNull(result.Session); + Assert.Null(result.Error); + } + + [Fact] + public void BreakGlassSessionResult_FailureCase() + { + var result = new BreakGlassSessionResult + { + Success = false, + Error = "Invalid credential", + ErrorCode = "AUTHENTICATION_FAILED" + }; + + Assert.False(result.Success); + Assert.Null(result.Session); + Assert.Equal("Invalid credential", result.Error); + Assert.Equal("AUTHENTICATION_FAILED", result.ErrorCode); + } + + [Fact] + public void BreakGlassAuditEvent_HasAllProperties() + { + var auditEvent = new BreakGlassAuditEvent + { + EventId = "evt-123", + EventType = BreakGlassAuditEventType.SessionCreated, + Timestamp = DateTimeOffset.UtcNow, + SessionId = "session-456", + AccountId = "emergency-admin", + ReasonCode = "INCIDENT", + ReasonText = "Production outage", + ClientIp = "10.0.0.1", + UserAgent = "StellaOps-CLI/1.0", + Details = ImmutableDictionary.Empty.Add("key", "value") + }; + + Assert.Equal("evt-123", auditEvent.EventId); + Assert.Equal(BreakGlassAuditEventType.SessionCreated, auditEvent.EventType); + Assert.Equal("session-456", auditEvent.SessionId); + } +} + +[Trait("Category", "Unit")] +public sealed class PolicyStoreModeTests +{ + [Fact] + public void PolicyStoreModeChangedEventArgs_HasAllProperties() + { + var args = new PolicyStoreModeChangedEventArgs + { + PreviousMode = PolicyStoreMode.Primary, + NewMode = PolicyStoreMode.Fallback, + ChangedAt = DateTimeOffset.UtcNow, + Reason = "Primary store unavailable" + }; + + Assert.Equal(PolicyStoreMode.Primary, args.PreviousMode); + Assert.Equal(PolicyStoreMode.Fallback, args.NewMode); + Assert.NotNull(args.Reason); + } + + [Theory] + [InlineData(PolicyStoreMode.Primary)] + [InlineData(PolicyStoreMode.Fallback)] + [InlineData(PolicyStoreMode.Degraded)] + public void PolicyStoreMode_AllValuesExist(PolicyStoreMode mode) + { + Assert.True(Enum.IsDefined(mode)); + } +} diff --git a/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/BreakGlassSessionManager.cs b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/BreakGlassSessionManager.cs new file mode 100644 index 000000000..a161cbf4f --- /dev/null +++ b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/BreakGlassSessionManager.cs @@ -0,0 +1,551 @@ +// ----------------------------------------------------------------------------- +// BreakGlassSessionManager.cs +// Sprint: SPRINT_20260112_018_AUTH_local_rbac_fallback +// Tasks: RBAC-007, RBAC-008, RBAC-009 +// Description: Break-glass session management with timeout and audit. +// ----------------------------------------------------------------------------- + +using System.Collections.Concurrent; +using System.Collections.Immutable; +using System.Security.Cryptography; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; + +namespace StellaOps.Authority.LocalPolicy; + +/// +/// Interface for break-glass session management. +/// +public interface IBreakGlassSessionManager +{ + /// + /// Creates a new break-glass session. + /// + /// Session creation request. + /// Cancellation token. + /// Created session or failure result. + Task CreateSessionAsync( + BreakGlassSessionRequest request, + CancellationToken cancellationToken = default); + + /// + /// Validates an existing session. + /// + /// Session ID to validate. + /// Cancellation token. + /// Session if valid, null otherwise. + Task ValidateSessionAsync( + string sessionId, + CancellationToken cancellationToken = default); + + /// + /// Extends a session with re-authentication. + /// + /// Session ID to extend. + /// Re-authentication credential. + /// Cancellation token. + /// Extended session or failure result. + Task ExtendSessionAsync( + string sessionId, + string credential, + CancellationToken cancellationToken = default); + + /// + /// Terminates a session. + /// + /// Session ID to terminate. + /// Termination reason. + /// Cancellation token. + Task TerminateSessionAsync( + string sessionId, + string reason, + CancellationToken cancellationToken = default); + + /// + /// Gets all active sessions. + /// + /// Cancellation token. + /// List of active sessions. + Task> GetActiveSessionsAsync( + CancellationToken cancellationToken = default); +} + +/// +/// Request to create a break-glass session. +/// +public sealed record BreakGlassSessionRequest +{ + /// + /// Break-glass credential. + /// + public required string Credential { get; init; } + + /// + /// Reason code for break-glass usage. + /// + public required string ReasonCode { get; init; } + + /// + /// Additional reason text. + /// + public string? ReasonText { get; init; } + + /// + /// Client IP address. + /// + public string? ClientIp { get; init; } + + /// + /// User agent string. + /// + public string? UserAgent { get; init; } +} + +/// +/// Result of break-glass session operation. +/// +public sealed record BreakGlassSessionResult +{ + /// + /// Whether the operation succeeded. + /// + public required bool Success { get; init; } + + /// + /// Session if successful. + /// + public BreakGlassSession? Session { get; init; } + + /// + /// Error message if failed. + /// + public string? Error { get; init; } + + /// + /// Error code for programmatic handling. + /// + public string? ErrorCode { get; init; } +} + +/// +/// Break-glass audit event types. +/// +public enum BreakGlassAuditEventType +{ + SessionCreated, + SessionExtended, + SessionTerminated, + SessionExpired, + AuthenticationFailed, + InvalidReasonCode, + MaxExtensionsReached +} + +/// +/// Break-glass audit event. +/// +public sealed record BreakGlassAuditEvent +{ + /// + /// Event ID. + /// + public required string EventId { get; init; } + + /// + /// Event type. + /// + public required BreakGlassAuditEventType EventType { get; init; } + + /// + /// Timestamp (UTC). + /// + public required DateTimeOffset Timestamp { get; init; } + + /// + /// Session ID (if applicable). + /// + public string? SessionId { get; init; } + + /// + /// Account ID (if applicable). + /// + public string? AccountId { get; init; } + + /// + /// Reason code. + /// + public string? ReasonCode { get; init; } + + /// + /// Additional reason text. + /// + public string? ReasonText { get; init; } + + /// + /// Client IP address. + /// + public string? ClientIp { get; init; } + + /// + /// User agent. + /// + public string? UserAgent { get; init; } + + /// + /// Additional details. + /// + public ImmutableDictionary? Details { get; init; } +} + +/// +/// Interface for break-glass audit logging. +/// +public interface IBreakGlassAuditLogger +{ + /// + /// Logs an audit event. + /// + /// Event to log. + /// Cancellation token. + Task LogAsync(BreakGlassAuditEvent auditEvent, CancellationToken cancellationToken = default); +} + +/// +/// In-memory implementation of break-glass session manager. +/// +public sealed class BreakGlassSessionManager : IBreakGlassSessionManager, IDisposable +{ + private readonly ILocalPolicyStore _policyStore; + private readonly IBreakGlassAuditLogger _auditLogger; + private readonly IOptionsMonitor _options; + private readonly TimeProvider _timeProvider; + private readonly ILogger _logger; + private readonly ConcurrentDictionary _activeSessions = new(StringComparer.Ordinal); + private readonly Timer _cleanupTimer; + private bool _disposed; + + public BreakGlassSessionManager( + ILocalPolicyStore policyStore, + IBreakGlassAuditLogger auditLogger, + IOptionsMonitor options, + TimeProvider timeProvider, + ILogger logger) + { + _policyStore = policyStore ?? throw new ArgumentNullException(nameof(policyStore)); + _auditLogger = auditLogger ?? throw new ArgumentNullException(nameof(auditLogger)); + _options = options ?? throw new ArgumentNullException(nameof(options)); + _timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider)); + _logger = logger ?? throw new ArgumentNullException(nameof(logger)); + + // Cleanup expired sessions every minute + _cleanupTimer = new Timer(CleanupExpiredSessions, null, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(1)); + } + + /// + public async Task CreateSessionAsync( + BreakGlassSessionRequest request, + CancellationToken cancellationToken = default) + { + ArgumentNullException.ThrowIfNull(request); + + var policy = await _policyStore.GetPolicyAsync(cancellationToken).ConfigureAwait(false); + var breakGlassConfig = policy?.BreakGlass; + + if (breakGlassConfig is null || !breakGlassConfig.Enabled) + { + return new BreakGlassSessionResult + { + Success = false, + Error = "Break-glass is disabled", + ErrorCode = "BREAK_GLASS_DISABLED" + }; + } + + // Validate reason code + if (breakGlassConfig.RequireReasonCode) + { + if (string.IsNullOrEmpty(request.ReasonCode)) + { + await LogAuditEventAsync(BreakGlassAuditEventType.InvalidReasonCode, null, null, request, "Missing reason code").ConfigureAwait(false); + return new BreakGlassSessionResult + { + Success = false, + Error = "Reason code is required", + ErrorCode = "REASON_CODE_REQUIRED" + }; + } + + if (!breakGlassConfig.AllowedReasonCodes.Contains(request.ReasonCode, StringComparer.OrdinalIgnoreCase)) + { + await LogAuditEventAsync(BreakGlassAuditEventType.InvalidReasonCode, null, null, request, $"Invalid reason code: {request.ReasonCode}").ConfigureAwait(false); + return new BreakGlassSessionResult + { + Success = false, + Error = $"Invalid reason code: {request.ReasonCode}", + ErrorCode = "INVALID_REASON_CODE" + }; + } + } + + // Validate credential + var validationResult = await _policyStore.ValidateBreakGlassCredentialAsync(request.Credential, cancellationToken).ConfigureAwait(false); + if (!validationResult.IsValid || validationResult.Account is null) + { + await LogAuditEventAsync(BreakGlassAuditEventType.AuthenticationFailed, null, null, request, validationResult.Error).ConfigureAwait(false); + return new BreakGlassSessionResult + { + Success = false, + Error = validationResult.Error ?? "Authentication failed", + ErrorCode = "AUTHENTICATION_FAILED" + }; + } + + // Create session + var now = _timeProvider.GetUtcNow(); + var session = new BreakGlassSession + { + SessionId = GenerateSessionId(), + AccountId = validationResult.Account.Id, + StartedAt = now, + ExpiresAt = now.AddMinutes(breakGlassConfig.SessionTimeoutMinutes), + ReasonCode = request.ReasonCode, + ReasonText = request.ReasonText, + ClientIp = request.ClientIp, + UserAgent = request.UserAgent, + Roles = validationResult.Account.Roles, + ExtensionCount = 0 + }; + + _activeSessions[session.SessionId] = session; + + await LogAuditEventAsync(BreakGlassAuditEventType.SessionCreated, session.SessionId, validationResult.Account.Id, request).ConfigureAwait(false); + + _logger.LogWarning( + "Break-glass session created: SessionId={SessionId}, AccountId={AccountId}, ReasonCode={ReasonCode}, ExpiresAt={ExpiresAt}", + session.SessionId, session.AccountId, session.ReasonCode, session.ExpiresAt); + + return new BreakGlassSessionResult + { + Success = true, + Session = session + }; + } + + /// + public Task ValidateSessionAsync( + string sessionId, + CancellationToken cancellationToken = default) + { + ArgumentException.ThrowIfNullOrEmpty(sessionId); + + if (!_activeSessions.TryGetValue(sessionId, out var session)) + { + return Task.FromResult(null); + } + + if (!session.IsValid(_timeProvider)) + { + _activeSessions.TryRemove(sessionId, out _); + return Task.FromResult(null); + } + + return Task.FromResult(session); + } + + /// + public async Task ExtendSessionAsync( + string sessionId, + string credential, + CancellationToken cancellationToken = default) + { + ArgumentException.ThrowIfNullOrEmpty(sessionId); + ArgumentException.ThrowIfNullOrEmpty(credential); + + if (!_activeSessions.TryGetValue(sessionId, out var session)) + { + return new BreakGlassSessionResult + { + Success = false, + Error = "Session not found", + ErrorCode = "SESSION_NOT_FOUND" + }; + } + + var policy = await _policyStore.GetPolicyAsync(cancellationToken).ConfigureAwait(false); + var breakGlassConfig = policy?.BreakGlass; + + if (breakGlassConfig is null) + { + return new BreakGlassSessionResult + { + Success = false, + Error = "Break-glass configuration not available", + ErrorCode = "CONFIG_NOT_AVAILABLE" + }; + } + + // Check max extensions + if (session.ExtensionCount >= breakGlassConfig.MaxExtensions) + { + await LogAuditEventAsync(BreakGlassAuditEventType.MaxExtensionsReached, sessionId, session.AccountId, null, $"Max extensions ({breakGlassConfig.MaxExtensions}) reached").ConfigureAwait(false); + return new BreakGlassSessionResult + { + Success = false, + Error = "Maximum session extensions reached", + ErrorCode = "MAX_EXTENSIONS_REACHED" + }; + } + + // Re-validate credential + var validationResult = await _policyStore.ValidateBreakGlassCredentialAsync(credential, cancellationToken).ConfigureAwait(false); + if (!validationResult.IsValid) + { + await LogAuditEventAsync(BreakGlassAuditEventType.AuthenticationFailed, sessionId, session.AccountId, null, "Re-authentication failed").ConfigureAwait(false); + return new BreakGlassSessionResult + { + Success = false, + Error = "Re-authentication failed", + ErrorCode = "REAUTHENTICATION_FAILED" + }; + } + + // Extend session + var now = _timeProvider.GetUtcNow(); + var extendedSession = session with + { + ExpiresAt = now.AddMinutes(breakGlassConfig.SessionTimeoutMinutes), + ExtensionCount = session.ExtensionCount + 1 + }; + + _activeSessions[sessionId] = extendedSession; + + await LogAuditEventAsync(BreakGlassAuditEventType.SessionExtended, sessionId, session.AccountId, null, $"Extension {extendedSession.ExtensionCount} of {breakGlassConfig.MaxExtensions}").ConfigureAwait(false); + + _logger.LogWarning( + "Break-glass session extended: SessionId={SessionId}, ExtensionCount={ExtensionCount}, NewExpiresAt={ExpiresAt}", + sessionId, extendedSession.ExtensionCount, extendedSession.ExpiresAt); + + return new BreakGlassSessionResult + { + Success = true, + Session = extendedSession + }; + } + + /// + public async Task TerminateSessionAsync( + string sessionId, + string reason, + CancellationToken cancellationToken = default) + { + ArgumentException.ThrowIfNullOrEmpty(sessionId); + + if (_activeSessions.TryRemove(sessionId, out var session)) + { + await LogAuditEventAsync(BreakGlassAuditEventType.SessionTerminated, sessionId, session.AccountId, null, reason).ConfigureAwait(false); + + _logger.LogWarning( + "Break-glass session terminated: SessionId={SessionId}, Reason={Reason}", + sessionId, reason); + } + } + + /// + public Task> GetActiveSessionsAsync( + CancellationToken cancellationToken = default) + { + var now = _timeProvider.GetUtcNow(); + var activeSessions = _activeSessions.Values + .Where(s => s.ExpiresAt > now) + .ToList(); + + return Task.FromResult>(activeSessions); + } + + private void CleanupExpiredSessions(object? state) + { + var now = _timeProvider.GetUtcNow(); + var expiredSessionIds = _activeSessions + .Where(kvp => kvp.Value.ExpiresAt <= now) + .Select(kvp => kvp.Key) + .ToList(); + + foreach (var sessionId in expiredSessionIds) + { + if (_activeSessions.TryRemove(sessionId, out var session)) + { + _ = LogAuditEventAsync(BreakGlassAuditEventType.SessionExpired, sessionId, session.AccountId, null, "Session expired"); + + _logger.LogInformation( + "Break-glass session expired: SessionId={SessionId}, AccountId={AccountId}", + sessionId, session.AccountId); + } + } + } + + private async Task LogAuditEventAsync( + BreakGlassAuditEventType eventType, + string? sessionId, + string? accountId, + BreakGlassSessionRequest? request, + string? details = null) + { + var auditEvent = new BreakGlassAuditEvent + { + EventId = Guid.NewGuid().ToString("N"), + EventType = eventType, + Timestamp = _timeProvider.GetUtcNow(), + SessionId = sessionId, + AccountId = accountId, + ReasonCode = request?.ReasonCode, + ReasonText = request?.ReasonText, + ClientIp = request?.ClientIp, + UserAgent = request?.UserAgent, + Details = details is not null + ? ImmutableDictionary.Empty.Add("message", details) + : null + }; + + await _auditLogger.LogAsync(auditEvent, CancellationToken.None).ConfigureAwait(false); + } + + private static string GenerateSessionId() + { + var bytes = RandomNumberGenerator.GetBytes(32); + return Convert.ToBase64String(bytes).Replace("+", "-").Replace("/", "_").TrimEnd('='); + } + + public void Dispose() + { + if (_disposed) return; + _disposed = true; + _cleanupTimer.Dispose(); + } +} + +/// +/// Console-based break-glass audit logger (for development/fallback). +/// +public sealed class ConsoleBreakGlassAuditLogger : IBreakGlassAuditLogger +{ + private readonly ILogger _logger; + + public ConsoleBreakGlassAuditLogger(ILogger logger) + { + _logger = logger ?? throw new ArgumentNullException(nameof(logger)); + } + + public Task LogAsync(BreakGlassAuditEvent auditEvent, CancellationToken cancellationToken = default) + { + _logger.LogWarning( + "[BREAK-GLASS-AUDIT] EventType={EventType}, SessionId={SessionId}, AccountId={AccountId}, ReasonCode={ReasonCode}, ClientIp={ClientIp}, Details={Details}", + auditEvent.EventType, + auditEvent.SessionId, + auditEvent.AccountId, + auditEvent.ReasonCode, + auditEvent.ClientIp, + auditEvent.Details is not null ? string.Join("; ", auditEvent.Details.Select(kvp => $"{kvp.Key}={kvp.Value}")) : null); + + return Task.CompletedTask; + } +} diff --git a/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/FileBasedPolicyStore.cs b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/FileBasedPolicyStore.cs new file mode 100644 index 000000000..c41186e80 --- /dev/null +++ b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/FileBasedPolicyStore.cs @@ -0,0 +1,483 @@ +// ----------------------------------------------------------------------------- +// FileBasedPolicyStore.cs +// Sprint: SPRINT_20260112_018_AUTH_local_rbac_fallback +// Tasks: RBAC-002, RBAC-004, RBAC-006 +// Description: File-based implementation of ILocalPolicyStore. +// ----------------------------------------------------------------------------- + +using System.Collections.Immutable; +using System.Globalization; +using System.Security.Cryptography; +using System.Text; +using System.Text.Json; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; +using YamlDotNet.Serialization; +using YamlDotNet.Serialization.NamingConventions; + +namespace StellaOps.Authority.LocalPolicy; + +/// +/// File-based implementation of . +/// Supports YAML and JSON policy files with hot-reload. +/// +public sealed class FileBasedPolicyStore : ILocalPolicyStore, IDisposable +{ + private readonly IOptionsMonitor _options; + private readonly TimeProvider _timeProvider; + private readonly ILogger _logger; + private readonly SemaphoreSlim _loadLock = new(1, 1); + private readonly IDeserializer _yamlDeserializer; + + private FileSystemWatcher? _fileWatcher; + private Timer? _debounceTimer; + private LocalPolicy? _currentPolicy; + private ImmutableDictionary _roleIndex = ImmutableDictionary.Empty; + private ImmutableDictionary _subjectIndex = ImmutableDictionary.Empty; + private ImmutableDictionary> _roleScopes = ImmutableDictionary>.Empty; + private bool _disposed; + + public event EventHandler? PolicyReloaded; + + public FileBasedPolicyStore( + IOptionsMonitor options, + TimeProvider timeProvider, + ILogger logger) + { + _options = options ?? throw new ArgumentNullException(nameof(options)); + _timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider)); + _logger = logger ?? throw new ArgumentNullException(nameof(logger)); + + _yamlDeserializer = new DeserializerBuilder() + .WithNamingConvention(CamelCaseNamingConvention.Instance) + .IgnoreUnmatchedProperties() + .Build(); + + // Initial load + _ = ReloadAsync(CancellationToken.None); + + // Setup hot-reload if enabled + if (_options.CurrentValue.EnableHotReload) + { + SetupFileWatcher(); + } + } + + /// + public Task GetPolicyAsync(CancellationToken cancellationToken = default) + { + return Task.FromResult(_currentPolicy); + } + + /// + public Task> GetSubjectRolesAsync( + string subjectId, + string? tenantId = null, + CancellationToken cancellationToken = default) + { + ArgumentException.ThrowIfNullOrEmpty(subjectId); + + if (!_subjectIndex.TryGetValue(subjectId, out var subject)) + { + return Task.FromResult>(Array.Empty()); + } + + // Check tenant match + if (tenantId is not null && subject.Tenant is not null && + !string.Equals(subject.Tenant, tenantId, StringComparison.OrdinalIgnoreCase)) + { + return Task.FromResult>(Array.Empty()); + } + + // Check expiration + if (subject.ExpiresAt.HasValue && subject.ExpiresAt.Value <= _timeProvider.GetUtcNow()) + { + return Task.FromResult>(Array.Empty()); + } + + if (!subject.Enabled) + { + return Task.FromResult>(Array.Empty()); + } + + return Task.FromResult>(subject.Roles.ToArray()); + } + + /// + public Task> GetRoleScopesAsync( + string roleName, + CancellationToken cancellationToken = default) + { + ArgumentException.ThrowIfNullOrEmpty(roleName); + + if (!_roleScopes.TryGetValue(roleName, out var scopes)) + { + return Task.FromResult>(Array.Empty()); + } + + return Task.FromResult>(scopes.ToArray()); + } + + /// + public async Task HasScopeAsync( + string subjectId, + string scope, + string? tenantId = null, + CancellationToken cancellationToken = default) + { + var scopes = await GetSubjectScopesAsync(subjectId, tenantId, cancellationToken).ConfigureAwait(false); + return scopes.Contains(scope); + } + + /// + public async Task> GetSubjectScopesAsync( + string subjectId, + string? tenantId = null, + CancellationToken cancellationToken = default) + { + var roles = await GetSubjectRolesAsync(subjectId, tenantId, cancellationToken).ConfigureAwait(false); + if (roles.Count == 0) + { + return ImmutableHashSet.Empty; + } + + var allScopes = new HashSet(StringComparer.OrdinalIgnoreCase); + foreach (var role in roles) + { + if (_roleScopes.TryGetValue(role, out var scopes)) + { + allScopes.UnionWith(scopes); + } + } + + return allScopes.ToImmutableHashSet(StringComparer.OrdinalIgnoreCase); + } + + /// + public Task ValidateBreakGlassCredentialAsync( + string credential, + CancellationToken cancellationToken = default) + { + ArgumentException.ThrowIfNullOrEmpty(credential); + + if (!_options.CurrentValue.AllowBreakGlass) + { + return Task.FromResult(new BreakGlassValidationResult + { + IsValid = false, + Error = "Break-glass is disabled" + }); + } + + var breakGlass = _currentPolicy?.BreakGlass; + if (breakGlass is null || !breakGlass.Enabled || breakGlass.Accounts.Length == 0) + { + return Task.FromResult(new BreakGlassValidationResult + { + IsValid = false, + Error = "No break-glass accounts configured" + }); + } + + foreach (var account in breakGlass.Accounts) + { + if (!account.Enabled) + { + continue; + } + + // Check expiration + if (account.ExpiresAt.HasValue && account.ExpiresAt.Value <= _timeProvider.GetUtcNow()) + { + continue; + } + + // Verify credential hash + if (VerifyCredentialHash(credential, account.CredentialHash, account.HashAlgorithm)) + { + return Task.FromResult(new BreakGlassValidationResult + { + IsValid = true, + Account = account + }); + } + } + + return Task.FromResult(new BreakGlassValidationResult + { + IsValid = false, + Error = "Invalid break-glass credential" + }); + } + + /// + public Task IsAvailableAsync(CancellationToken cancellationToken = default) + { + return Task.FromResult(_currentPolicy is not null); + } + + /// + public async Task ReloadAsync(CancellationToken cancellationToken = default) + { + await _loadLock.WaitAsync(cancellationToken).ConfigureAwait(false); + try + { + var options = _options.CurrentValue; + var policyPath = options.PolicyFilePath; + + if (!File.Exists(policyPath)) + { + return HandleMissingFile(options); + } + + var policy = await LoadPolicyFileAsync(policyPath, cancellationToken).ConfigureAwait(false); + if (policy is null) + { + return false; + } + + // Validate schema version + if (!options.SupportedSchemaVersions.Contains(policy.SchemaVersion)) + { + _logger.LogError("Unsupported policy schema version: {Version}", policy.SchemaVersion); + RaisePolicyReloaded(false, $"Unsupported schema version: {policy.SchemaVersion}"); + return false; + } + + // Validate signature if required + if (options.RequireSignature || policy.SignatureRequired) + { + if (!ValidatePolicySignature(policy, policyPath)) + { + _logger.LogError("Policy signature validation failed"); + RaisePolicyReloaded(false, "Signature validation failed"); + return false; + } + } + + // Build indexes + BuildIndexes(policy, options); + _currentPolicy = policy; + + _logger.LogInformation( + "Loaded local policy: {RoleCount} roles, {SubjectCount} subjects, schema {SchemaVersion}", + policy.Roles.Length, + policy.Subjects.Length, + policy.SchemaVersion); + + RaisePolicyReloaded(true, null, policy.SchemaVersion, policy.Roles.Length, policy.Subjects.Length); + return true; + } + catch (Exception ex) + { + _logger.LogError(ex, "Failed to reload local policy"); + RaisePolicyReloaded(false, ex.Message); + return false; + } + finally + { + _loadLock.Release(); + } + } + + private async Task LoadPolicyFileAsync(string path, CancellationToken cancellationToken) + { + var content = await File.ReadAllTextAsync(path, Encoding.UTF8, cancellationToken).ConfigureAwait(false); + + var extension = Path.GetExtension(path).ToLowerInvariant(); + return extension switch + { + ".yaml" or ".yml" => DeserializeYaml(content), + ".json" => JsonSerializer.Deserialize(content, new JsonSerializerOptions + { + PropertyNameCaseInsensitive = true + }), + _ => throw new InvalidOperationException($"Unsupported policy file format: {extension}") + }; + } + + private LocalPolicy? DeserializeYaml(string content) + { + // YamlDotNet to dynamic, then serialize to JSON, then deserialize to LocalPolicy + // This is a workaround for YamlDotNet's lack of direct ImmutableArray support + var yamlObject = _yamlDeserializer.Deserialize>(content); + var json = JsonSerializer.Serialize(yamlObject); + return JsonSerializer.Deserialize(json, new JsonSerializerOptions + { + PropertyNameCaseInsensitive = true + }); + } + + private void BuildIndexes(LocalPolicy policy, LocalPolicyStoreOptions options) + { + // Build role index + var roleBuilder = ImmutableDictionary.CreateBuilder(StringComparer.OrdinalIgnoreCase); + foreach (var role in policy.Roles.Where(r => r.Enabled)) + { + roleBuilder[role.Name] = role; + } + _roleIndex = roleBuilder.ToImmutable(); + + // Build subject index + var subjectBuilder = ImmutableDictionary.CreateBuilder(StringComparer.OrdinalIgnoreCase); + foreach (var subject in policy.Subjects.Where(s => s.Enabled)) + { + subjectBuilder[subject.Id] = subject; + } + _subjectIndex = subjectBuilder.ToImmutable(); + + // Build role -> scopes index (with inheritance resolution) + var roleScopesBuilder = ImmutableDictionary.CreateBuilder>(StringComparer.OrdinalIgnoreCase); + foreach (var role in _roleIndex.Values) + { + var scopes = ResolveRoleScopes(role.Name, new HashSet(StringComparer.OrdinalIgnoreCase), 0, options.MaxInheritanceDepth); + roleScopesBuilder[role.Name] = scopes.ToImmutableHashSet(StringComparer.OrdinalIgnoreCase); + } + _roleScopes = roleScopesBuilder.ToImmutable(); + } + + private HashSet ResolveRoleScopes(string roleName, HashSet visited, int depth, int maxDepth) + { + if (depth > maxDepth || visited.Contains(roleName)) + { + return new HashSet(StringComparer.OrdinalIgnoreCase); + } + + visited.Add(roleName); + + if (!_roleIndex.TryGetValue(roleName, out var role)) + { + return new HashSet(StringComparer.OrdinalIgnoreCase); + } + + var scopes = new HashSet(role.Scopes, StringComparer.OrdinalIgnoreCase); + + // Resolve inherited scopes + foreach (var inheritedRole in role.Inherits) + { + var inheritedScopes = ResolveRoleScopes(inheritedRole, visited, depth + 1, maxDepth); + scopes.UnionWith(inheritedScopes); + } + + return scopes; + } + + private bool HandleMissingFile(LocalPolicyStoreOptions options) + { + switch (options.FallbackBehavior) + { + case PolicyFallbackBehavior.EmptyPolicy: + _currentPolicy = new LocalPolicy + { + SchemaVersion = "1.0.0", + LastUpdated = _timeProvider.GetUtcNow(), + Roles = ImmutableArray.Empty, + Subjects = ImmutableArray.Empty + }; + _roleIndex = ImmutableDictionary.Empty; + _subjectIndex = ImmutableDictionary.Empty; + _roleScopes = ImmutableDictionary>.Empty; + _logger.LogWarning("Policy file not found, using empty policy: {Path}", options.PolicyFilePath); + return true; + + case PolicyFallbackBehavior.FailOnMissing: + _logger.LogError("Policy file not found and fallback is disabled: {Path}", options.PolicyFilePath); + return false; + + case PolicyFallbackBehavior.UseDefaults: + // Could load embedded default policy here + _logger.LogWarning("Policy file not found, using default policy: {Path}", options.PolicyFilePath); + return true; + + default: + return false; + } + } + + private bool ValidatePolicySignature(LocalPolicy policy, string policyPath) + { + if (string.IsNullOrEmpty(policy.Signature)) + { + return false; + } + + // TODO: Implement DSSE signature verification + // For now, return true if signature is present and trusted keys are not configured + if (_options.CurrentValue.TrustedPublicKeys.Count == 0) + { + _logger.LogWarning("Policy signature present but no trusted public keys configured"); + return true; + } + + // Actual signature verification would go here + return true; + } + + private static bool VerifyCredentialHash(string credential, string hash, string algorithm) + { + return algorithm.ToLowerInvariant() switch + { + "bcrypt" => BCrypt.Net.BCrypt.Verify(credential, hash), + // "argon2id" => VerifyArgon2(credential, hash), + _ => false + }; + } + + private void SetupFileWatcher() + { + var options = _options.CurrentValue; + var directory = Path.GetDirectoryName(options.PolicyFilePath); + var fileName = Path.GetFileName(options.PolicyFilePath); + + if (string.IsNullOrEmpty(directory) || !Directory.Exists(directory)) + { + _logger.LogWarning("Cannot setup file watcher - directory does not exist: {Directory}", directory); + return; + } + + _fileWatcher = new FileSystemWatcher(directory, fileName) + { + NotifyFilter = NotifyFilters.LastWrite | NotifyFilters.CreationTime | NotifyFilters.Size, + EnableRaisingEvents = true + }; + + _fileWatcher.Changed += OnFileChanged; + _fileWatcher.Created += OnFileChanged; + + _logger.LogInformation("File watcher enabled for policy file: {Path}", options.PolicyFilePath); + } + + private void OnFileChanged(object sender, FileSystemEventArgs e) + { + // Debounce multiple rapid change events + _debounceTimer?.Dispose(); + _debounceTimer = new Timer( + _ => _ = ReloadAsync(CancellationToken.None), + null, + _options.CurrentValue.HotReloadDebounceMs, + Timeout.Infinite); + } + + private void RaisePolicyReloaded(bool success, string? error, string? schemaVersion = null, int roleCount = 0, int subjectCount = 0) + { + PolicyReloaded?.Invoke(this, new PolicyReloadedEventArgs + { + ReloadedAt = _timeProvider.GetUtcNow(), + Success = success, + Error = error, + SchemaVersion = schemaVersion, + RoleCount = roleCount, + SubjectCount = subjectCount + }); + } + + public void Dispose() + { + if (_disposed) return; + _disposed = true; + + _fileWatcher?.Dispose(); + _debounceTimer?.Dispose(); + _loadLock.Dispose(); + } +} diff --git a/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/ILocalPolicyStore.cs b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/ILocalPolicyStore.cs new file mode 100644 index 000000000..86ec6ce11 --- /dev/null +++ b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/ILocalPolicyStore.cs @@ -0,0 +1,156 @@ +// ----------------------------------------------------------------------------- +// ILocalPolicyStore.cs +// Sprint: SPRINT_20260112_018_AUTH_local_rbac_fallback +// Tasks: RBAC-001 +// Description: Interface for local file-based RBAC policy storage. +// ----------------------------------------------------------------------------- + +namespace StellaOps.Authority.LocalPolicy; + +/// +/// Interface for local RBAC policy storage. +/// Provides file-based policy management for offline/air-gapped operation. +/// +public interface ILocalPolicyStore +{ + /// + /// Gets the current local policy. + /// + /// Cancellation token. + /// The current local policy or null if not loaded. + Task GetPolicyAsync(CancellationToken cancellationToken = default); + + /// + /// Gets roles assigned to a subject. + /// + /// Subject identifier (user email, service account ID). + /// Tenant identifier. + /// Cancellation token. + /// List of role names assigned to the subject. + Task> GetSubjectRolesAsync( + string subjectId, + string? tenantId = null, + CancellationToken cancellationToken = default); + + /// + /// Gets scopes for a role. + /// + /// Role name. + /// Cancellation token. + /// List of scopes granted by the role. + Task> GetRoleScopesAsync( + string roleName, + CancellationToken cancellationToken = default); + + /// + /// Checks if a subject has a specific scope. + /// + /// Subject identifier. + /// Scope to check. + /// Tenant identifier. + /// Cancellation token. + /// True if the subject has the scope. + Task HasScopeAsync( + string subjectId, + string scope, + string? tenantId = null, + CancellationToken cancellationToken = default); + + /// + /// Gets all scopes for a subject (from all assigned roles). + /// + /// Subject identifier. + /// Tenant identifier. + /// Cancellation token. + /// Set of all scopes the subject has. + Task> GetSubjectScopesAsync( + string subjectId, + string? tenantId = null, + CancellationToken cancellationToken = default); + + /// + /// Validates the break-glass credentials. + /// + /// Break-glass credential (password or token). + /// Cancellation token. + /// Validation result with break-glass account info. + Task ValidateBreakGlassCredentialAsync( + string credential, + CancellationToken cancellationToken = default); + + /// + /// Checks if the local policy store is available and valid. + /// + /// Cancellation token. + /// True if the store is ready for use. + Task IsAvailableAsync(CancellationToken cancellationToken = default); + + /// + /// Reloads the policy from disk. + /// + /// Cancellation token. + /// True if reload was successful. + Task ReloadAsync(CancellationToken cancellationToken = default); + + /// + /// Event raised when the policy is reloaded. + /// + event EventHandler? PolicyReloaded; +} + +/// +/// Event arguments for policy reload events. +/// +public sealed class PolicyReloadedEventArgs : EventArgs +{ + /// + /// Timestamp of the reload (UTC). + /// + public required DateTimeOffset ReloadedAt { get; init; } + + /// + /// Whether the reload was successful. + /// + public required bool Success { get; init; } + + /// + /// Error message if reload failed. + /// + public string? Error { get; init; } + + /// + /// Schema version of the loaded policy. + /// + public string? SchemaVersion { get; init; } + + /// + /// Number of roles in the policy. + /// + public int RoleCount { get; init; } + + /// + /// Number of subjects in the policy. + /// + public int SubjectCount { get; init; } +} + +/// +/// Result of break-glass credential validation. +/// +public sealed record BreakGlassValidationResult +{ + /// + /// Whether the credential is valid. + /// + public required bool IsValid { get; init; } + + /// + /// Break-glass account info if valid. + /// + public BreakGlassAccount? Account { get; init; } + + /// + /// Error message if invalid. + /// + public string? Error { get; init; } +} diff --git a/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/LocalPolicyModels.cs b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/LocalPolicyModels.cs new file mode 100644 index 000000000..65761cc4e --- /dev/null +++ b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/LocalPolicyModels.cs @@ -0,0 +1,319 @@ +// ----------------------------------------------------------------------------- +// LocalPolicyModels.cs +// Sprint: SPRINT_20260112_018_AUTH_local_rbac_fallback +// Tasks: RBAC-003 +// Description: Models for local RBAC policy file schema. +// ----------------------------------------------------------------------------- + +using System.Collections.Immutable; +using System.Text.Json.Serialization; + +namespace StellaOps.Authority.LocalPolicy; + +/// +/// Root local policy document. +/// +public sealed record LocalPolicy +{ + /// + /// Schema version for compatibility checking. + /// + [JsonPropertyName("schemaVersion")] + public required string SchemaVersion { get; init; } + + /// + /// Last update timestamp (UTC ISO-8601). + /// + [JsonPropertyName("lastUpdated")] + public required DateTimeOffset LastUpdated { get; init; } + + /// + /// Whether a signature is required to load this policy. + /// + [JsonPropertyName("signatureRequired")] + public bool SignatureRequired { get; init; } = false; + + /// + /// DSSE signature envelope (base64-encoded). + /// + [JsonPropertyName("signature")] + public string? Signature { get; init; } + + /// + /// Role definitions. + /// + [JsonPropertyName("roles")] + public ImmutableArray Roles { get; init; } = ImmutableArray.Empty; + + /// + /// Subject-to-role mappings. + /// + [JsonPropertyName("subjects")] + public ImmutableArray Subjects { get; init; } = ImmutableArray.Empty; + + /// + /// Break-glass account configuration. + /// + [JsonPropertyName("breakGlass")] + public BreakGlassConfig? BreakGlass { get; init; } + + /// + /// Policy metadata. + /// + [JsonPropertyName("metadata")] + public ImmutableDictionary? Metadata { get; init; } +} + +/// +/// Role definition in local policy. +/// +public sealed record LocalRole +{ + /// + /// Role name (unique identifier). + /// + [JsonPropertyName("name")] + public required string Name { get; init; } + + /// + /// Human-readable description. + /// + [JsonPropertyName("description")] + public string? Description { get; init; } + + /// + /// Scopes granted by this role. + /// + [JsonPropertyName("scopes")] + public ImmutableArray Scopes { get; init; } = ImmutableArray.Empty; + + /// + /// Roles this role inherits from. + /// + [JsonPropertyName("inherits")] + public ImmutableArray Inherits { get; init; } = ImmutableArray.Empty; + + /// + /// Whether this role is active. + /// + [JsonPropertyName("enabled")] + public bool Enabled { get; init; } = true; + + /// + /// Priority for conflict resolution (higher = more priority). + /// + [JsonPropertyName("priority")] + public int Priority { get; init; } = 0; +} + +/// +/// Subject (user/service account) definition in local policy. +/// +public sealed record LocalSubject +{ + /// + /// Subject identifier (email, service account ID, etc.). + /// + [JsonPropertyName("id")] + public required string Id { get; init; } + + /// + /// Display name. + /// + [JsonPropertyName("displayName")] + public string? DisplayName { get; init; } + + /// + /// Roles assigned to this subject. + /// + [JsonPropertyName("roles")] + public ImmutableArray Roles { get; init; } = ImmutableArray.Empty; + + /// + /// Tenant this subject belongs to. + /// + [JsonPropertyName("tenant")] + public string? Tenant { get; init; } + + /// + /// Whether this subject is active. + /// + [JsonPropertyName("enabled")] + public bool Enabled { get; init; } = true; + + /// + /// Subject expiration timestamp. + /// + [JsonPropertyName("expiresAt")] + public DateTimeOffset? ExpiresAt { get; init; } + + /// + /// Additional attributes/claims. + /// + [JsonPropertyName("attributes")] + public ImmutableDictionary? Attributes { get; init; } +} + +/// +/// Break-glass account configuration. +/// +public sealed record BreakGlassConfig +{ + /// + /// Whether break-glass is enabled. + /// + [JsonPropertyName("enabled")] + public bool Enabled { get; init; } = true; + + /// + /// Break-glass accounts. + /// + [JsonPropertyName("accounts")] + public ImmutableArray Accounts { get; init; } = ImmutableArray.Empty; + + /// + /// Session timeout in minutes (default 15). + /// + [JsonPropertyName("sessionTimeoutMinutes")] + public int SessionTimeoutMinutes { get; init; } = 15; + + /// + /// Maximum session extensions allowed. + /// + [JsonPropertyName("maxExtensions")] + public int MaxExtensions { get; init; } = 2; + + /// + /// Require reason code for break-glass usage. + /// + [JsonPropertyName("requireReasonCode")] + public bool RequireReasonCode { get; init; } = true; + + /// + /// Allowed reason codes. + /// + [JsonPropertyName("allowedReasonCodes")] + public ImmutableArray AllowedReasonCodes { get; init; } = ImmutableArray.Create( + "EMERGENCY", + "INCIDENT", + "DISASTER_RECOVERY", + "SECURITY_EVENT", + "MAINTENANCE" + ); +} + +/// +/// Break-glass account definition. +/// +public sealed record BreakGlassAccount +{ + /// + /// Account identifier. + /// + [JsonPropertyName("id")] + public required string Id { get; init; } + + /// + /// Display name. + /// + [JsonPropertyName("displayName")] + public string? DisplayName { get; init; } + + /// + /// Hashed credential (bcrypt or argon2id). + /// + [JsonPropertyName("credentialHash")] + public required string CredentialHash { get; init; } + + /// + /// Hash algorithm used (bcrypt, argon2id). + /// + [JsonPropertyName("hashAlgorithm")] + public string HashAlgorithm { get; init; } = "bcrypt"; + + /// + /// Roles granted when using this break-glass account. + /// + [JsonPropertyName("roles")] + public ImmutableArray Roles { get; init; } = ImmutableArray.Empty; + + /// + /// Whether this account is active. + /// + [JsonPropertyName("enabled")] + public bool Enabled { get; init; } = true; + + /// + /// Last usage timestamp. + /// + [JsonPropertyName("lastUsedAt")] + public DateTimeOffset? LastUsedAt { get; init; } + + /// + /// Account expiration (for time-limited break-glass). + /// + [JsonPropertyName("expiresAt")] + public DateTimeOffset? ExpiresAt { get; init; } +} + +/// +/// Active break-glass session. +/// +public sealed record BreakGlassSession +{ + /// + /// Session ID. + /// + public required string SessionId { get; init; } + + /// + /// Account ID used for this session. + /// + public required string AccountId { get; init; } + + /// + /// Session start time (UTC). + /// + public required DateTimeOffset StartedAt { get; init; } + + /// + /// Session expiration time (UTC). + /// + public required DateTimeOffset ExpiresAt { get; init; } + + /// + /// Reason code provided. + /// + public required string ReasonCode { get; init; } + + /// + /// Additional reason text. + /// + public string? ReasonText { get; init; } + + /// + /// Number of extensions used. + /// + public int ExtensionCount { get; init; } + + /// + /// Client IP address. + /// + public string? ClientIp { get; init; } + + /// + /// User agent string. + /// + public string? UserAgent { get; init; } + + /// + /// Roles granted in this session. + /// + public ImmutableArray Roles { get; init; } = ImmutableArray.Empty; + + /// + /// Whether the session is still valid. + /// + public bool IsValid(TimeProvider timeProvider) => + ExpiresAt > timeProvider.GetUtcNow(); +} diff --git a/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/LocalPolicyStoreOptions.cs b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/LocalPolicyStoreOptions.cs new file mode 100644 index 000000000..9a406ba64 --- /dev/null +++ b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/LocalPolicyStoreOptions.cs @@ -0,0 +1,100 @@ +// ----------------------------------------------------------------------------- +// LocalPolicyStoreOptions.cs +// Sprint: SPRINT_20260112_018_AUTH_local_rbac_fallback +// Tasks: RBAC-002, RBAC-004 +// Description: Configuration options for local policy store. +// ----------------------------------------------------------------------------- + +namespace StellaOps.Authority.LocalPolicy; + +/// +/// Configuration options for local policy store. +/// +public sealed class LocalPolicyStoreOptions +{ + /// + /// Configuration section name. + /// + public const string SectionName = "Authority:LocalPolicy"; + + /// + /// Whether local policy store is enabled. + /// + public bool Enabled { get; set; } = true; + + /// + /// Path to the policy file. + /// + public string PolicyFilePath { get; set; } = "/etc/stellaops/authority/local-policy.yaml"; + + /// + /// Whether to enable file watching for hot-reload. + /// + public bool EnableHotReload { get; set; } = true; + + /// + /// Debounce interval for file change events (milliseconds). + /// + public int HotReloadDebounceMs { get; set; } = 500; + + /// + /// Whether to require policy file signature. + /// + public bool RequireSignature { get; set; } = false; + + /// + /// Public keys for policy signature verification. + /// + public IReadOnlyList TrustedPublicKeys { get; set; } = Array.Empty(); + + /// + /// Fallback behavior when policy file is missing. + /// + public PolicyFallbackBehavior FallbackBehavior { get; set; } = PolicyFallbackBehavior.EmptyPolicy; + + /// + /// Whether to allow break-glass accounts from local policy. + /// + public bool AllowBreakGlass { get; set; } = true; + + /// + /// Supported schema versions. + /// + public IReadOnlySet SupportedSchemaVersions { get; set; } = new HashSet(StringComparer.Ordinal) + { + "1.0.0", + "1.0.1", + "1.1.0" + }; + + /// + /// Whether to validate role inheritance cycles. + /// + public bool ValidateInheritanceCycles { get; set; } = true; + + /// + /// Maximum role inheritance depth. + /// + public int MaxInheritanceDepth { get; set; } = 10; +} + +/// +/// Fallback behavior when policy file is missing. +/// +public enum PolicyFallbackBehavior +{ + /// + /// Use empty policy (deny all). + /// + EmptyPolicy, + + /// + /// Fail startup if policy file is missing. + /// + FailOnMissing, + + /// + /// Use embedded default policy. + /// + UseDefaults +} diff --git a/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/PolicyStoreFallback.cs b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/PolicyStoreFallback.cs new file mode 100644 index 000000000..997df0e0f --- /dev/null +++ b/src/Authority/StellaOps.Authority/StellaOps.Authority/LocalPolicy/PolicyStoreFallback.cs @@ -0,0 +1,378 @@ +// ----------------------------------------------------------------------------- +// PolicyStoreFallback.cs +// Sprint: SPRINT_20260112_018_AUTH_local_rbac_fallback +// Tasks: RBAC-005 +// Description: Fallback mechanism for RBAC when PostgreSQL is unavailable. +// ----------------------------------------------------------------------------- + +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; + +namespace StellaOps.Authority.LocalPolicy; + +/// +/// Configuration for policy store fallback. +/// +public sealed class PolicyStoreFallbackOptions +{ + /// + /// Configuration section name. + /// + public const string SectionName = "Authority:PolicyFallback"; + + /// + /// Whether fallback is enabled. + /// + public bool Enabled { get; set; } = true; + + /// + /// Health check interval for primary store (milliseconds). + /// + public int HealthCheckIntervalMs { get; set; } = 5000; + + /// + /// Number of consecutive failures before switching to fallback. + /// + public int FailureThreshold { get; set; } = 3; + + /// + /// Minimum time to stay in fallback mode (milliseconds). + /// + public int MinFallbackDurationMs { get; set; } = 30000; + + /// + /// Whether to log scope lookups in fallback mode. + /// + public bool LogFallbackLookups { get; set; } = true; +} + +/// +/// Policy store mode. +/// +public enum PolicyStoreMode +{ + /// + /// Using primary (PostgreSQL) store. + /// + Primary, + + /// + /// Using fallback (local file) store. + /// + Fallback, + + /// + /// Both stores unavailable. + /// + Degraded +} + +/// +/// Event arguments for policy store mode changes. +/// +public sealed class PolicyStoreModeChangedEventArgs : EventArgs +{ + /// + /// Previous mode. + /// + public required PolicyStoreMode PreviousMode { get; init; } + + /// + /// New mode. + /// + public required PolicyStoreMode NewMode { get; init; } + + /// + /// Change timestamp (UTC). + /// + public required DateTimeOffset ChangedAt { get; init; } + + /// + /// Reason for the change. + /// + public string? Reason { get; init; } +} + +/// +/// Interface for checking primary policy store health. +/// +public interface IPrimaryPolicyStoreHealthCheck +{ + /// + /// Checks if the primary store is healthy. + /// + /// Cancellation token. + /// True if healthy. + Task IsHealthyAsync(CancellationToken cancellationToken = default); +} + +/// +/// Composite policy store that falls back to local store when primary is unavailable. +/// +public sealed class FallbackPolicyStore : ILocalPolicyStore, IDisposable +{ + private readonly ILocalPolicyStore _localStore; + private readonly IPrimaryPolicyStoreHealthCheck _healthCheck; + private readonly IOptionsMonitor _options; + private readonly TimeProvider _timeProvider; + private readonly ILogger _logger; + private readonly Timer _healthCheckTimer; + private readonly object _stateLock = new(); + + private PolicyStoreMode _currentMode = PolicyStoreMode.Primary; + private int _consecutiveFailures; + private DateTimeOffset? _fallbackStartedAt; + private bool _disposed; + + public event EventHandler? PolicyReloaded; + public event EventHandler? ModeChanged; + + /// + /// Current policy store mode. + /// + public PolicyStoreMode CurrentMode => _currentMode; + + public FallbackPolicyStore( + ILocalPolicyStore localStore, + IPrimaryPolicyStoreHealthCheck healthCheck, + IOptionsMonitor options, + TimeProvider timeProvider, + ILogger logger) + { + _localStore = localStore ?? throw new ArgumentNullException(nameof(localStore)); + _healthCheck = healthCheck ?? throw new ArgumentNullException(nameof(healthCheck)); + _options = options ?? throw new ArgumentNullException(nameof(options)); + _timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider)); + _logger = logger ?? throw new ArgumentNullException(nameof(logger)); + + // Forward reload events from local store + _localStore.PolicyReloaded += (s, e) => PolicyReloaded?.Invoke(this, e); + + // Start health check timer + var interval = TimeSpan.FromMilliseconds(_options.CurrentValue.HealthCheckIntervalMs); + _healthCheckTimer = new Timer(OnHealthCheck, null, interval, interval); + } + + /// + public async Task GetPolicyAsync(CancellationToken cancellationToken = default) + { + await EnsureCorrectModeAsync(cancellationToken).ConfigureAwait(false); + return await _localStore.GetPolicyAsync(cancellationToken).ConfigureAwait(false); + } + + /// + public async Task> GetSubjectRolesAsync( + string subjectId, + string? tenantId = null, + CancellationToken cancellationToken = default) + { + await EnsureCorrectModeAsync(cancellationToken).ConfigureAwait(false); + + if (_currentMode == PolicyStoreMode.Primary) + { + // In primary mode, delegate to primary store + // This would be the actual PostgreSQL-backed implementation + // For now, fallback to local + } + + var roles = await _localStore.GetSubjectRolesAsync(subjectId, tenantId, cancellationToken).ConfigureAwait(false); + + if (_options.CurrentValue.LogFallbackLookups && _currentMode == PolicyStoreMode.Fallback) + { + _logger.LogDebug( + "[FALLBACK] GetSubjectRoles: SubjectId={SubjectId}, TenantId={TenantId}, Roles={Roles}", + subjectId, tenantId, string.Join(",", roles)); + } + + return roles; + } + + /// + public async Task> GetRoleScopesAsync( + string roleName, + CancellationToken cancellationToken = default) + { + await EnsureCorrectModeAsync(cancellationToken).ConfigureAwait(false); + return await _localStore.GetRoleScopesAsync(roleName, cancellationToken).ConfigureAwait(false); + } + + /// + public async Task HasScopeAsync( + string subjectId, + string scope, + string? tenantId = null, + CancellationToken cancellationToken = default) + { + await EnsureCorrectModeAsync(cancellationToken).ConfigureAwait(false); + return await _localStore.HasScopeAsync(subjectId, scope, tenantId, cancellationToken).ConfigureAwait(false); + } + + /// + public async Task> GetSubjectScopesAsync( + string subjectId, + string? tenantId = null, + CancellationToken cancellationToken = default) + { + await EnsureCorrectModeAsync(cancellationToken).ConfigureAwait(false); + return await _localStore.GetSubjectScopesAsync(subjectId, tenantId, cancellationToken).ConfigureAwait(false); + } + + /// + public Task ValidateBreakGlassCredentialAsync( + string credential, + CancellationToken cancellationToken = default) + { + // Break-glass is always via local store + return _localStore.ValidateBreakGlassCredentialAsync(credential, cancellationToken); + } + + /// + public Task IsAvailableAsync(CancellationToken cancellationToken = default) + { + return _localStore.IsAvailableAsync(cancellationToken); + } + + /// + public Task ReloadAsync(CancellationToken cancellationToken = default) + { + return _localStore.ReloadAsync(cancellationToken); + } + + private async Task EnsureCorrectModeAsync(CancellationToken cancellationToken) + { + if (!_options.CurrentValue.Enabled) + { + return; + } + + // Quick check without health probe + if (_currentMode == PolicyStoreMode.Primary) + { + return; + } + + // In fallback mode, check if we can return to primary + if (_currentMode == PolicyStoreMode.Fallback && CanAttemptPrimaryRecovery()) + { + try + { + if (await _healthCheck.IsHealthyAsync(cancellationToken).ConfigureAwait(false)) + { + SwitchToPrimary("Primary store recovered"); + } + } + catch + { + // Stay in fallback + } + } + } + + private void OnHealthCheck(object? state) + { + if (_disposed) return; + + _ = Task.Run(async () => + { + try + { + var healthy = await _healthCheck.IsHealthyAsync(CancellationToken.None).ConfigureAwait(false); + + lock (_stateLock) + { + if (healthy) + { + _consecutiveFailures = 0; + + if (_currentMode == PolicyStoreMode.Fallback && CanAttemptPrimaryRecovery()) + { + SwitchToPrimary("Primary store healthy"); + } + } + else + { + _consecutiveFailures++; + + if (_currentMode == PolicyStoreMode.Primary && + _consecutiveFailures >= _options.CurrentValue.FailureThreshold) + { + SwitchToFallback($"Primary store unhealthy ({_consecutiveFailures} consecutive failures)"); + } + } + } + } + catch (Exception ex) + { + _logger.LogWarning(ex, "Health check failed"); + + lock (_stateLock) + { + _consecutiveFailures++; + + if (_currentMode == PolicyStoreMode.Primary && + _consecutiveFailures >= _options.CurrentValue.FailureThreshold) + { + SwitchToFallback($"Health check exception ({_consecutiveFailures} consecutive failures)"); + } + } + } + }); + } + + private bool CanAttemptPrimaryRecovery() + { + if (_fallbackStartedAt is null) + { + return true; + } + + var minDuration = TimeSpan.FromMilliseconds(_options.CurrentValue.MinFallbackDurationMs); + return _timeProvider.GetUtcNow() - _fallbackStartedAt.Value >= minDuration; + } + + private void SwitchToFallback(string reason) + { + var previousMode = _currentMode; + _currentMode = PolicyStoreMode.Fallback; + _fallbackStartedAt = _timeProvider.GetUtcNow(); + + _logger.LogWarning( + "Switching to fallback policy store: {Reason}", + reason); + + ModeChanged?.Invoke(this, new PolicyStoreModeChangedEventArgs + { + PreviousMode = previousMode, + NewMode = PolicyStoreMode.Fallback, + ChangedAt = _fallbackStartedAt.Value, + Reason = reason + }); + } + + private void SwitchToPrimary(string reason) + { + var previousMode = _currentMode; + _currentMode = PolicyStoreMode.Primary; + _fallbackStartedAt = null; + _consecutiveFailures = 0; + + _logger.LogInformation( + "Returning to primary policy store: {Reason}", + reason); + + ModeChanged?.Invoke(this, new PolicyStoreModeChangedEventArgs + { + PreviousMode = previousMode, + NewMode = PolicyStoreMode.Primary, + ChangedAt = _timeProvider.GetUtcNow(), + Reason = reason + }); + } + + public void Dispose() + { + if (_disposed) return; + _disposed = true; + _healthCheckTimer.Dispose(); + } +} diff --git a/src/Cli/StellaOps.Cli/Commands/CommandFactory.cs b/src/Cli/StellaOps.Cli/Commands/CommandFactory.cs index 45b04fe59..319eed50a 100644 --- a/src/Cli/StellaOps.Cli/Commands/CommandFactory.cs +++ b/src/Cli/StellaOps.Cli/Commands/CommandFactory.cs @@ -1,8 +1,15 @@ using System; using System.CommandLine; +using System.Globalization; +using System.Net.Http; +using System.Net.Http.Json; using System.Threading; using System.Threading.Tasks; +using System.Text.Json; +using System.Text.Json.Serialization; +using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; +using Spectre.Console; using StellaOps.Cli.Commands.Admin; using StellaOps.Cli.Commands.Budget; using StellaOps.Cli.Commands.Chain; @@ -3324,6 +3331,7 @@ internal static class CommandFactory advise.Add(explain); advise.Add(remediate); advise.Add(batch); + advise.Add(BuildOpenPrCommand(services, options, verboseOption, cancellationToken)); // Sprint: SPRINT_20260113_005_CLI_advise_chat - Chat commands advise.Add(AdviseChatCommandGroup.BuildAskCommand(services, options, verboseOption, cancellationToken)); @@ -3333,6 +3341,217 @@ internal static class CommandFactory return advise; } + /// + /// Build the open-pr command for remediation PR generation. + /// Sprint: SPRINT_20260112_011_CLI_evidence_card_remediate_cli (REMPR-CLI-001) + /// + private static Command BuildOpenPrCommand( + IServiceProvider services, + StellaOpsCliOptions options, + Option verboseOption, + CancellationToken cancellationToken) + { + var planIdArg = new Argument("plan-id") + { + Description = "Remediation plan ID to apply" + }; + + var scmTypeOption = new Option("--scm-type", ["-s"]) + { + Description = "SCM type (github, gitlab, azure-devops, gitea)" + }; + scmTypeOption.SetDefaultValue("github"); + + var outputOption = new Option("--output", ["-o"]) + { + Description = "Output format: table (default), json, markdown" + }; + outputOption.SetDefaultValue("table"); + + var openPr = new Command("open-pr", "Apply a remediation plan by creating a PR/MR in the target SCM") + { + planIdArg, + scmTypeOption, + outputOption, + verboseOption + }; + + openPr.SetAction(async (parseResult, _) => + { + var planId = parseResult.GetValue(planIdArg) ?? string.Empty; + var scmType = parseResult.GetValue(scmTypeOption) ?? "github"; + var outputFormat = parseResult.GetValue(outputOption) ?? "table"; + var verbose = parseResult.GetValue(verboseOption); + + return await HandleOpenPrAsync(services, options, planId, scmType, outputFormat, verbose, cancellationToken); + }); + + return openPr; + } + + /// + /// Handle the open-pr command execution. + /// + private static async Task HandleOpenPrAsync( + IServiceProvider services, + StellaOpsCliOptions options, + string planId, + string scmType, + string outputFormat, + bool verbose, + CancellationToken cancellationToken) + { + if (string.IsNullOrEmpty(planId)) + { + AnsiConsole.MarkupLine("[red]Error:[/] Plan ID is required"); + return 1; + } + + var httpClientFactory = services.GetRequiredService(); + var client = httpClientFactory.CreateClient("AdvisoryAI"); + + var backendUrl = options.BackendUrl + ?? Environment.GetEnvironmentVariable("STELLAOPS_ADVISORY_URL") + ?? Environment.GetEnvironmentVariable("STELLAOPS_BACKEND_URL") + ?? "http://localhost:5000"; + + if (verbose) + { + AnsiConsole.MarkupLine($"[dim]Backend URL: {backendUrl}[/]"); + } + + try + { + PrResultDto? prResult = null; + + await AnsiConsole.Status() + .Spinner(Spinner.Known.Dots) + .SpinnerStyle(Style.Parse("yellow")) + .StartAsync("Creating pull request...", async ctx => + { + var requestUrl = $"{backendUrl}/v1/advisory-ai/remediation/apply"; + var payload = new { planId, scmType }; + + if (verbose) + { + AnsiConsole.MarkupLine($"[dim]Request: POST {requestUrl}[/]"); + } + + var response = await client.PostAsJsonAsync(requestUrl, payload, cancellationToken); + + if (!response.IsSuccessStatusCode) + { + var error = await response.Content.ReadAsStringAsync(cancellationToken); + throw new InvalidOperationException($"API error: {response.StatusCode} - {error}"); + } + + prResult = await response.Content.ReadFromJsonAsync(cancellationToken); + }); + + if (prResult is null) + { + AnsiConsole.MarkupLine("[red]Error:[/] Failed to parse response"); + return 1; + } + + // Output results based on format + if (outputFormat == "json") + { + var jsonOptions = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase }; + AnsiConsole.WriteLine(JsonSerializer.Serialize(prResult, jsonOptions)); + } + else if (outputFormat == "markdown") + { + OutputPrResultMarkdown(prResult); + } + else + { + OutputPrResultTable(prResult); + } + + return prResult.Status == "Open" || prResult.Status == "Creating" ? 0 : 1; + } + catch (Exception ex) + { + AnsiConsole.MarkupLine($"[red]Error:[/] {ex.Message}"); + return 1; + } + } + + private static void OutputPrResultTable(PrResultDto result) + { + var table = new Table(); + table.AddColumn("Property"); + table.AddColumn("Value"); + table.Border(TableBorder.Rounded); + + table.AddRow("PR ID", result.PrId ?? "(unknown)"); + table.AddRow("PR Number", result.PrNumber.ToString(CultureInfo.InvariantCulture)); + table.AddRow("URL", result.Url ?? "(not created)"); + table.AddRow("Branch", result.BranchName ?? "(unknown)"); + table.AddRow("Status", result.Status ?? "unknown"); + if (!string.IsNullOrEmpty(result.StatusMessage)) + table.AddRow("Message", result.StatusMessage); + table.AddRow("Created At", result.CreatedAt ?? "(unknown)"); + + AnsiConsole.Write(table); + } + + private static void OutputPrResultMarkdown(PrResultDto result) + { + var status = result.Status == "Open" ? "[green]Open[/]" : + result.Status == "Failed" ? "[red]Failed[/]" : result.Status; + + AnsiConsole.MarkupLine($"# PR Result"); + AnsiConsole.MarkupLine($""); + AnsiConsole.MarkupLine($"- **PR ID:** {result.PrId}"); + AnsiConsole.MarkupLine($"- **PR Number:** {result.PrNumber}"); + AnsiConsole.MarkupLine($"- **URL:** {result.Url}"); + AnsiConsole.MarkupLine($"- **Branch:** {result.BranchName}"); + AnsiConsole.MarkupLine($"- **Status:** {status}"); + if (!string.IsNullOrEmpty(result.StatusMessage)) + AnsiConsole.MarkupLine($"- **Message:** {result.StatusMessage}"); + AnsiConsole.MarkupLine($"- **Created:** {result.CreatedAt}"); + + if (!string.IsNullOrEmpty(result.PrBody)) + { + AnsiConsole.MarkupLine($""); + AnsiConsole.MarkupLine($"## PR Body"); + AnsiConsole.MarkupLine($""); + AnsiConsole.WriteLine(result.PrBody); + } + } + + private sealed record PrResultDto + { + [JsonPropertyName("prId")] + public string? PrId { get; init; } + + [JsonPropertyName("prNumber")] + public int PrNumber { get; init; } + + [JsonPropertyName("url")] + public string? Url { get; init; } + + [JsonPropertyName("branchName")] + public string? BranchName { get; init; } + + [JsonPropertyName("status")] + public string? Status { get; init; } + + [JsonPropertyName("statusMessage")] + public string? StatusMessage { get; init; } + + [JsonPropertyName("prBody")] + public string? PrBody { get; init; } + + [JsonPropertyName("createdAt")] + public string? CreatedAt { get; init; } + + [JsonPropertyName("updatedAt")] + public string? UpdatedAt { get; init; } + } + private static AdvisoryCommandOptions CreateAdvisoryOptions() { var advisoryKey = new Option("--advisory-key") diff --git a/src/Cli/StellaOps.Cli/Commands/CommandHandlers.Config.cs b/src/Cli/StellaOps.Cli/Commands/CommandHandlers.Config.cs new file mode 100644 index 000000000..5dd619bd1 --- /dev/null +++ b/src/Cli/StellaOps.Cli/Commands/CommandHandlers.Config.cs @@ -0,0 +1,303 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_014_CLI_config_viewer (CLI-CONFIG-010, CLI-CONFIG-011, CLI-CONFIG-012, CLI-CONFIG-013) +// + +using System.Globalization; +using System.Text.Json; +using StellaOps.Cli.Services; + +namespace StellaOps.Cli.Commands; + +public static partial class CommandHandlers +{ + public static class Config + { + /// + /// Lists all available configuration paths. + /// + public static Task ListAsync(string? category) + { + var catalog = ConfigCatalog.GetAll(); + + if (!string.IsNullOrWhiteSpace(category)) + { + catalog = catalog + .Where(c => c.Category.Equals(category, StringComparison.OrdinalIgnoreCase)) + .ToList(); + } + + // Deterministic ordering: category, then path + var sorted = catalog + .OrderBy(c => c.Category, StringComparer.OrdinalIgnoreCase) + .ThenBy(c => c.Path, StringComparer.OrdinalIgnoreCase) + .ToList(); + + if (sorted.Count == 0) + { + Console.WriteLine(category is null + ? "No configuration paths found." + : $"No configuration paths found for category '{category}'."); + return Task.FromResult(0); + } + + // Calculate column widths for deterministic table output + var pathWidth = Math.Max(sorted.Max(c => c.Path.Length), 4); + var categoryWidth = Math.Max(sorted.Max(c => c.Category.Length), 8); + var aliasWidth = Math.Max(sorted.Max(c => string.Join(", ", c.Aliases).Length), 7); + + // Header + Console.WriteLine(string.Format( + CultureInfo.InvariantCulture, + "{0,-" + pathWidth + "} {1,-" + categoryWidth + "} {2,-" + aliasWidth + "} {3}", + "PATH", "CATEGORY", "ALIASES", "DESCRIPTION")); + Console.WriteLine(new string('-', pathWidth + categoryWidth + aliasWidth + 40)); + + // Rows + foreach (var entry in sorted) + { + var aliases = entry.Aliases.Count > 0 ? string.Join(", ", entry.Aliases) : "-"; + Console.WriteLine(string.Format( + CultureInfo.InvariantCulture, + "{0,-" + pathWidth + "} {1,-" + categoryWidth + "} {2,-" + aliasWidth + "} {3}", + entry.Path, + entry.Category, + aliases, + entry.Description)); + } + + Console.WriteLine(); + Console.WriteLine($"Total: {sorted.Count} configuration paths"); + + return Task.FromResult(0); + } + + /// + /// Shows configuration for a specific path. + /// + public static async Task ShowAsync( + IBackendOperationsClient client, + string path, + string format, + bool showSecrets) + { + // Normalize path (. and : interchangeable, case-insensitive) + var normalizedPath = NormalizePath(path); + + // Look up in catalog + var entry = ConfigCatalog.Find(normalizedPath); + if (entry is null) + { + Console.Error.WriteLine($"Unknown configuration path: {path}"); + Console.Error.WriteLine("Run 'stella config list' to see available paths."); + return 1; + } + + // Fetch config (try API first, fall back to local) + Dictionary config; + string source; + try + { + if (entry.ApiEndpoint is not null) + { + config = await FetchFromApiAsync(client, entry.ApiEndpoint); + source = "api"; + } + else + { + config = FetchFromLocal(entry.SectionName); + source = "local"; + } + } + catch (Exception ex) + { + Console.Error.WriteLine($"Failed to fetch configuration: {ex.Message}"); + return 1; + } + + // Redact secrets unless --show-secrets + if (!showSecrets) + { + config = RedactSecrets(config); + } + + // Output with deterministic ordering + switch (format.ToLowerInvariant()) + { + case "json": + OutputJson(config, entry); + break; + case "yaml": + OutputYaml(config, entry); + break; + case "table": + default: + OutputTable(config, entry, source); + break; + } + + return 0; + } + + private static string NormalizePath(string path) + { + // . and : are interchangeable, case-insensitive + return path.Replace(':', '.').ToLowerInvariant(); + } + + private static async Task> FetchFromApiAsync( + IBackendOperationsClient client, + string endpoint) + { + // TODO: Implement actual API call when endpoints are available + // For now, return placeholder + await Task.CompletedTask; + return new Dictionary + { + ["_source"] = "api", + ["_endpoint"] = endpoint, + ["_note"] = "API config fetch not yet implemented" + }; + } + + private static Dictionary FetchFromLocal(string sectionName) + { + // TODO: Read from local appsettings.yaml/json + return new Dictionary + { + ["_source"] = "local", + ["_section"] = sectionName, + ["_note"] = "Local config fetch not yet implemented" + }; + } + + private static Dictionary RedactSecrets(Dictionary config) + { + var redacted = new Dictionary(StringComparer.OrdinalIgnoreCase); + + foreach (var (key, value) in config) + { + if (IsSecretKey(key)) + { + redacted[key] = "[REDACTED]"; + } + else if (value is Dictionary nested) + { + redacted[key] = RedactSecrets(nested); + } + else + { + redacted[key] = value; + } + } + + return redacted; + } + + private static bool IsSecretKey(string key) + { + var lowerKey = key.ToLowerInvariant(); + return lowerKey.Contains("secret") || + lowerKey.Contains("password") || + lowerKey.Contains("apikey") || + lowerKey.Contains("api_key") || + lowerKey.Contains("token") || + lowerKey.Contains("credential") || + lowerKey.Contains("connectionstring") || + lowerKey.Contains("connection_string") || + lowerKey.Contains("privatekey") || + lowerKey.Contains("private_key"); + } + + private static void OutputTable( + Dictionary config, + ConfigCatalogEntry entry, + string source) + { + Console.WriteLine($"Configuration: {entry.Path}"); + Console.WriteLine($"Category: {entry.Category}"); + Console.WriteLine($"Source: {source}"); + Console.WriteLine($"Section: {entry.SectionName}"); + Console.WriteLine(); + + // Deterministic key ordering + var sortedKeys = config.Keys.OrderBy(k => k, StringComparer.OrdinalIgnoreCase).ToList(); + var keyWidth = Math.Max(sortedKeys.Max(k => k.Length), 3); + + Console.WriteLine(string.Format( + CultureInfo.InvariantCulture, + "{0,-" + keyWidth + "} {1}", + "KEY", "VALUE")); + Console.WriteLine(new string('-', keyWidth + 40)); + + foreach (var key in sortedKeys) + { + var value = config[key]; + var valueStr = value switch + { + null => "(null)", + string s => s, + _ => JsonSerializer.Serialize(value) + }; + Console.WriteLine(string.Format( + CultureInfo.InvariantCulture, + "{0,-" + keyWidth + "} {1}", + key, + valueStr)); + } + } + + private static void OutputJson(Dictionary config, ConfigCatalogEntry entry) + { + var output = new Dictionary(StringComparer.Ordinal) + { + ["path"] = entry.Path, + ["category"] = entry.Category, + ["section"] = entry.SectionName, + ["config"] = SortDictionary(config) + }; + + var json = JsonSerializer.Serialize(output, new JsonSerializerOptions + { + WriteIndented = true, + PropertyNamingPolicy = JsonNamingPolicy.SnakeCaseLower + }); + Console.WriteLine(json); + } + + private static void OutputYaml(Dictionary config, ConfigCatalogEntry entry) + { + // Simple YAML output (no external dependency) + Console.WriteLine($"path: {entry.Path}"); + Console.WriteLine($"category: {entry.Category}"); + Console.WriteLine($"section: {entry.SectionName}"); + Console.WriteLine("config:"); + + var sortedKeys = config.Keys.OrderBy(k => k, StringComparer.OrdinalIgnoreCase); + foreach (var key in sortedKeys) + { + var value = config[key]; + var valueStr = value switch + { + null => "null", + string s => s.Contains(' ') ? $"\"{s}\"" : s, + bool b => b.ToString().ToLowerInvariant(), + _ => JsonSerializer.Serialize(value) + }; + Console.WriteLine($" {key}: {valueStr}"); + } + } + + private static Dictionary SortDictionary(Dictionary dict) + { + var sorted = new Dictionary(StringComparer.Ordinal); + foreach (var key in dict.Keys.OrderBy(k => k, StringComparer.OrdinalIgnoreCase)) + { + sorted[key] = dict[key] is Dictionary nested + ? SortDictionary(nested) + : dict[key]; + } + return sorted; + } + } +} diff --git a/src/Cli/StellaOps.Cli/Commands/CommandHandlers.Witness.cs b/src/Cli/StellaOps.Cli/Commands/CommandHandlers.Witness.cs index 331556e44..49065c0ae 100644 --- a/src/Cli/StellaOps.Cli/Commands/CommandHandlers.Witness.cs +++ b/src/Cli/StellaOps.Cli/Commands/CommandHandlers.Witness.cs @@ -2,12 +2,16 @@ // CommandHandlers.Witness.cs // Sprint: SPRINT_3700_0005_0001_witness_ui_cli // Tasks: CLI-001, CLI-002, CLI-003, CLI-004 +// Sprint: SPRINT_20260112_014_CLI_witness_commands (CLI-WIT-002) // Description: Command handlers for reachability witness CLI. // ----------------------------------------------------------------------------- using System.Globalization; using System.Text.Json; +using Microsoft.Extensions.DependencyInjection; using Spectre.Console; +using StellaOps.Cli.Services; +using StellaOps.Cli.Services.Models; namespace StellaOps.Cli.Commands; @@ -21,6 +25,7 @@ internal static partial class CommandHandlers /// /// Handler for `witness show` command. + /// Sprint: SPRINT_20260112_014_CLI_witness_commands (CLI-WIT-002) /// internal static async Task HandleWitnessShowAsync( IServiceProvider services, @@ -38,52 +43,25 @@ internal static partial class CommandHandlers console.MarkupLine($"[dim]Fetching witness: {witnessId}[/]"); } - // TODO: Replace with actual service call when witness API is available - var witness = new WitnessDto + using var scope = services.CreateScope(); + var client = scope.ServiceProvider.GetRequiredService(); + + var response = await client.GetWitnessAsync(witnessId, cancellationToken).ConfigureAwait(false); + + if (response is null) { - WitnessId = witnessId, - WitnessSchema = "stellaops.witness.v1", - CveId = "CVE-2024-12345", - PackageName = "Newtonsoft.Json", - PackageVersion = "12.0.3", - ConfidenceTier = "confirmed", - ObservedAt = DateTimeOffset.UtcNow.AddHours(-2).ToString("O", CultureInfo.InvariantCulture), - Entrypoint = new WitnessEntrypointDto - { - Type = "http", - Route = "GET /api/users/{id}", - Symbol = "UserController.GetUser()", - File = "src/Controllers/UserController.cs", - Line = 42 - }, - Sink = new WitnessSinkDto - { - Symbol = "JsonConvert.DeserializeObject()", - Package = "Newtonsoft.Json", - IsTrigger = true - }, - Path = new[] - { - new PathStepDto { Symbol = "UserController.GetUser()", File = "src/Controllers/UserController.cs", Line = 42 }, - new PathStepDto { Symbol = "UserService.GetUserById()", File = "src/Services/UserService.cs", Line = 88 }, - new PathStepDto { Symbol = "JsonConvert.DeserializeObject()", Package = "Newtonsoft.Json" } - }, - Gates = new[] - { - new GateDto { Type = "authRequired", Detail = "[Authorize] attribute", Confidence = 0.95m } - }, - Evidence = new WitnessEvidenceDto - { - CallgraphDigest = "blake3:a1b2c3d4e5f6...", - SurfaceDigest = "sha256:9f8e7d6c5b4a...", - SignedBy = "attestor-stellaops-ed25519" - } - }; + console.MarkupLine($"[red]Witness not found: {witnessId}[/]"); + Environment.ExitCode = 1; + return; + } + + // Convert API response to internal DTO for display + var witness = ConvertToWitnessDto(response); switch (format) { case "json": - var json = JsonSerializer.Serialize(witness, WitnessJsonOptions); + var json = JsonSerializer.Serialize(response, WitnessJsonOptions); console.WriteLine(json); break; case "yaml": @@ -93,12 +71,11 @@ internal static partial class CommandHandlers WriteWitnessText(console, witness, pathOnly, noColor); break; } - - await Task.CompletedTask; } /// /// Handler for `witness verify` command. + /// Sprint: SPRINT_20260112_014_CLI_witness_commands (CLI-WIT-004) /// internal static async Task HandleWitnessVerifyAsync( IServiceProvider services, @@ -119,30 +96,49 @@ internal static partial class CommandHandlers } } - // TODO: Replace with actual verification when DSSE verification is wired up - await Task.Delay(100, cancellationToken); // Simulate verification - - // Placeholder result - var valid = true; - var keyId = "attestor-stellaops-ed25519"; - var algorithm = "Ed25519"; - - if (valid) + if (offline && publicKeyPath == null) { - console.MarkupLine("[green]✓ Signature VALID[/]"); - console.MarkupLine($" Key ID: {keyId}"); - console.MarkupLine($" Algorithm: {algorithm}"); + console.MarkupLine("[yellow]Warning: Offline mode requires --public-key to verify signatures locally.[/]"); + console.MarkupLine("[dim]Skipping signature verification.[/]"); + return; + } + + using var scope = services.CreateScope(); + var client = scope.ServiceProvider.GetRequiredService(); + + var response = await client.VerifyWitnessAsync(witnessId, cancellationToken).ConfigureAwait(false); + + if (response.Verified) + { + // ASCII-only output per AGENTS.md rules + console.MarkupLine("[green][OK] Signature VALID[/]"); + if (response.Dsse?.SignerIdentities?.Count > 0) + { + console.MarkupLine($" Signers: {string.Join(", ", response.Dsse.SignerIdentities)}"); + } + if (response.Dsse?.PredicateType != null) + { + console.MarkupLine($" Predicate Type: {response.Dsse.PredicateType}"); + } + if (response.ContentHash?.Match == true) + { + console.MarkupLine(" Content Hash: [green]MATCH[/]"); + } } else { - console.MarkupLine("[red]✗ Signature INVALID[/]"); - console.MarkupLine(" Error: Signature verification failed"); + console.MarkupLine("[red][FAIL] Signature INVALID[/]"); + if (response.Message != null) + { + console.MarkupLine($" Error: {response.Message}"); + } Environment.ExitCode = 1; } } /// /// Handler for `witness list` command. + /// Sprint: SPRINT_20260112_014_CLI_witness_commands (CLI-WIT-002) /// internal static async Task HandleWitnessListAsync( IServiceProvider services, @@ -165,45 +161,48 @@ internal static partial class CommandHandlers if (reachableOnly) console.MarkupLine("[dim]Showing reachable witnesses only[/]"); } - // TODO: Replace with actual service call - var witnesses = new[] + using var scope = services.CreateScope(); + var client = scope.ServiceProvider.GetRequiredService(); + + var request = new WitnessListRequest { - new WitnessListItemDto - { - WitnessId = "wit:sha256:abc123", - CveId = "CVE-2024-12345", - PackageName = "Newtonsoft.Json", - ConfidenceTier = "confirmed", - Entrypoint = "GET /api/users/{id}", - Sink = "JsonConvert.DeserializeObject()" - }, - new WitnessListItemDto - { - WitnessId = "wit:sha256:def456", - CveId = "CVE-2024-12346", - PackageName = "lodash", - ConfidenceTier = "likely", - Entrypoint = "POST /api/data", - Sink = "_.template()" - } + ScanId = scanId, + VulnerabilityId = vuln, + Limit = limit }; + var response = await client.ListWitnessesAsync(request, cancellationToken).ConfigureAwait(false); + + // Convert to internal DTOs and apply deterministic ordering + var witnesses = response.Witnesses + .Select(w => new WitnessListItemDto + { + WitnessId = w.WitnessId, + CveId = w.VulnerabilityId ?? "N/A", + PackageName = ExtractPackageName(w.ComponentPurl), + ConfidenceTier = tier ?? "N/A", + Entrypoint = w.Entrypoint ?? "N/A", + Sink = w.Sink ?? "N/A" + }) + .OrderBy(w => w.CveId, StringComparer.Ordinal) + .ThenBy(w => w.WitnessId, StringComparer.Ordinal) + .ToArray(); + switch (format) { case "json": - var json = JsonSerializer.Serialize(new { witnesses, total = witnesses.Length }, WitnessJsonOptions); + var json = JsonSerializer.Serialize(new { witnesses, total = response.TotalCount }, WitnessJsonOptions); console.WriteLine(json); break; default: WriteWitnessListTable(console, witnesses); break; } - - await Task.CompletedTask; } /// /// Handler for `witness export` command. + /// Sprint: SPRINT_20260112_014_CLI_witness_commands (CLI-WIT-003) /// internal static async Task HandleWitnessExportAsync( IServiceProvider services, @@ -222,24 +221,108 @@ internal static partial class CommandHandlers if (outputPath != null) console.MarkupLine($"[dim]Output: {outputPath}[/]"); } - // TODO: Replace with actual witness fetch and export - var exportContent = format switch + using var scope = services.CreateScope(); + var client = scope.ServiceProvider.GetRequiredService(); + + var exportFormat = format switch { - "sarif" => GenerateWitnessSarif(witnessId), - _ => GenerateWitnessJson(witnessId, includeDsse) + "sarif" => WitnessExportFormat.Sarif, + "dsse" => WitnessExportFormat.Dsse, + _ => includeDsse ? WitnessExportFormat.Dsse : WitnessExportFormat.Json }; - if (outputPath != null) + try { - await File.WriteAllTextAsync(outputPath, exportContent, cancellationToken); - console.MarkupLine($"[green]Exported to {outputPath}[/]"); + await using var stream = await client.DownloadWitnessAsync(witnessId, exportFormat, cancellationToken).ConfigureAwait(false); + + if (outputPath != null) + { + await using var fileStream = File.Create(outputPath); + await stream.CopyToAsync(fileStream, cancellationToken).ConfigureAwait(false); + console.MarkupLine($"[green]Exported to {outputPath}[/]"); + } + else + { + using var reader = new StreamReader(stream); + var content = await reader.ReadToEndAsync(cancellationToken).ConfigureAwait(false); + console.WriteLine(content); + } } - else + catch (HttpRequestException ex) { - console.WriteLine(exportContent); + console.MarkupLine($"[red]Export failed: {ex.Message}[/]"); + Environment.ExitCode = 1; } } + private static string ExtractPackageName(string? purl) + { + if (string.IsNullOrEmpty(purl)) return "N/A"; + // Extract name from PURL like pkg:nuget/Newtonsoft.Json@12.0.3 + var parts = purl.Split('/'); + if (parts.Length < 2) return purl; + var nameVersion = parts[^1].Split('@'); + return nameVersion[0]; + } + + private static WitnessDto ConvertToWitnessDto(WitnessDetailResponse response) + { + return new WitnessDto + { + WitnessId = response.WitnessId, + WitnessSchema = response.WitnessSchema ?? "stellaops.witness.v1", + CveId = response.Vuln?.Id ?? "N/A", + PackageName = ExtractPackageName(response.Artifact?.ComponentPurl), + PackageVersion = ExtractPackageVersion(response.Artifact?.ComponentPurl), + ConfidenceTier = "confirmed", // TODO: map from response + ObservedAt = response.ObservedAt.ToString("O", CultureInfo.InvariantCulture), + Entrypoint = new WitnessEntrypointDto + { + Type = response.Entrypoint?.Kind ?? "unknown", + Route = response.Entrypoint?.Name ?? "N/A", + Symbol = response.Entrypoint?.SymbolId ?? "N/A", + File = null, + Line = 0 + }, + Sink = new WitnessSinkDto + { + Symbol = response.Sink?.Symbol ?? "N/A", + Package = ExtractPackageName(response.Artifact?.ComponentPurl), + IsTrigger = true + }, + Path = (response.Path ?? []) + .Select(p => new PathStepDto + { + Symbol = p.Symbol ?? p.SymbolId ?? "N/A", + File = p.File, + Line = p.Line ?? 0, + Package = null + }) + .ToArray(), + Gates = (response.Gates ?? []) + .Select(g => new GateDto + { + Type = g.Type ?? "unknown", + Detail = g.Detail ?? "", + Confidence = (decimal)g.Confidence + }) + .ToArray(), + Evidence = new WitnessEvidenceDto + { + CallgraphDigest = response.Evidence?.CallgraphDigest ?? "N/A", + SurfaceDigest = response.Evidence?.SurfaceDigest ?? "N/A", + SignedBy = response.DsseEnvelope?.Signatures?.FirstOrDefault()?.KeyId ?? "unsigned" + } + }; + } + + private static string ExtractPackageVersion(string? purl) + { + if (string.IsNullOrEmpty(purl)) return "N/A"; + var parts = purl.Split('@'); + return parts.Length > 1 ? parts[^1] : "N/A"; + } + private static void WriteWitnessText(IAnsiConsole console, WitnessDto witness, bool pathOnly, bool noColor) { if (!pathOnly) @@ -381,58 +464,6 @@ internal static partial class CommandHandlers console.Write(table); } - private static string GenerateWitnessJson(string witnessId, bool includeDsse) - { - var witness = new - { - witness_schema = "stellaops.witness.v1", - witness_id = witnessId, - artifact = new { sbom_digest = "sha256:...", component_purl = "pkg:nuget/Newtonsoft.Json@12.0.3" }, - vuln = new { id = "CVE-2024-12345", source = "NVD" }, - entrypoint = new { type = "http", route = "GET /api/users/{id}" }, - path = new[] { new { symbol = "UserController.GetUser" }, new { symbol = "JsonConvert.DeserializeObject" } }, - evidence = new { callgraph_digest = "blake3:...", surface_digest = "sha256:..." } - }; - - return JsonSerializer.Serialize(witness, WitnessJsonOptions); - } - - private static string GenerateWitnessSarif(string witnessId) - { - var sarif = new - { - version = "2.1.0", - schema = "https://json.schemastore.org/sarif-2.1.0.json", - runs = new[] - { - new - { - tool = new - { - driver = new - { - name = "StellaOps Reachability", - version = "1.0.0", - informationUri = "https://stellaops.dev" - } - }, - results = new[] - { - new - { - ruleId = "REACH001", - level = "warning", - message = new { text = "Reachable vulnerability: CVE-2024-12345" }, - properties = new { witnessId } - } - } - } - } - }; - - return JsonSerializer.Serialize(sarif, WitnessJsonOptions); - } - // DTO classes for witness commands private sealed record WitnessDto { diff --git a/src/Cli/StellaOps.Cli/Commands/ConfigCatalog.cs b/src/Cli/StellaOps.Cli/Commands/ConfigCatalog.cs new file mode 100644 index 000000000..c007e1eb2 --- /dev/null +++ b/src/Cli/StellaOps.Cli/Commands/ConfigCatalog.cs @@ -0,0 +1,431 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_014_CLI_config_viewer (CLI-CONFIG-010) +// + +namespace StellaOps.Cli.Commands; + +/// +/// Configuration path catalog entry. +/// +public sealed record ConfigCatalogEntry( + string Path, + string SectionName, + string Category, + string Description, + IReadOnlyList Aliases, + string? ApiEndpoint = null); + +/// +/// Catalog of all StellaOps configuration paths. +/// Derived from SectionName constants across all modules. +/// +public static class ConfigCatalog +{ + private static readonly List Entries = + [ + // Policy module + new("policy.determinization", "Determinization", "Policy", + "Determinization options (entropy thresholds, signal weights, reanalysis triggers)", + ["pol.det", "determinization"], + "/api/policy/config/determinization"), + new("policy.exceptions", "Policy:Exceptions:Approval", "Policy", + "Exception approval settings", + ["pol.exc", "exceptions"]), + new("policy.exceptions.expiry", "Policy:Exceptions:Expiry", "Policy", + "Exception expiry configuration", + ["pol.exc.exp"]), + new("policy.gates", "PolicyGates", "Policy", + "Policy gate configuration", + ["pol.gates", "gates"]), + new("policy.engine", "PolicyEngine", "Policy", + "Policy engine core settings", + ["pol.engine"]), + new("policy.engine.evidenceweighted", "PolicyEngine:EvidenceWeightedScore", "Policy", + "Evidence-weighted score configuration", + ["pol.ews"]), + new("policy.engine.tenancy", "PolicyEngine:Tenancy", "Policy", + "Policy engine tenancy settings", + ["pol.tenancy"]), + new("policy.attestation", "PolicyDecisionAttestation", "Policy", + "Policy decision attestation settings", + ["pol.attest"]), + new("policy.confidenceweights", "ConfidenceWeights", "Policy", + "Confidence weight configuration", + ["pol.cw"]), + new("policy.reachability", "ReachabilitySignals", "Policy", + "Reachability signal settings", + ["pol.reach"]), + new("policy.smartdiff", "SmartDiff:Gates", "Policy", + "SmartDiff gate configuration", + ["pol.smartdiff"]), + new("policy.toollattice", "ToolLattice", "Policy", + "Tool lattice configuration", + ["pol.lattice"]), + new("policy.unknownbudgets", "UnknownBudgets", "Policy", + "Unknown budgets configuration", + ["pol.budgets"]), + new("policy.vexsigning", "VexSigning", "Policy", + "VEX signing configuration", + ["pol.vexsign"]), + new("policy.gatebypass", "Policy:GateBypassAudit", "Policy", + "Gate bypass audit settings", + ["pol.bypass"]), + new("policy.ratelimiting", "RateLimiting", "Policy", + "Rate limiting configuration", + ["pol.rate"]), + + // Scanner module + new("scanner", "scanner", "Scanner", + "Scanner core configuration", + ["scan"]), + new("scanner.epss", "Epss", "Scanner", + "EPSS scoring configuration", + ["scan.epss"]), + new("scanner.epss.enrichment", "Epss:Enrichment", "Scanner", + "EPSS enrichment settings", + ["scan.epss.enrich"]), + new("scanner.epss.ingest", "Epss:Ingest", "Scanner", + "EPSS ingest configuration", + ["scan.epss.ing"]), + new("scanner.epss.signal", "Epss:Signal", "Scanner", + "EPSS signal configuration", + ["scan.epss.sig"]), + new("scanner.reachability", "Scanner:ReachabilitySubgraph", "Scanner", + "Reachability subgraph settings", + ["scan.reach"]), + new("scanner.reachability.witness", "Scanner:ReachabilityWitness", "Scanner", + "Reachability witness configuration", + ["scan.reach.wit"]), + new("scanner.reachability.prgate", "Scanner:Reachability:PrGate", "Scanner", + "PR gate reachability settings", + ["scan.reach.pr"]), + new("scanner.analyzers.native", "Scanner:Analyzers:Native", "Scanner", + "Native analyzer configuration", + ["scan.native"]), + new("scanner.analyzers.secrets", "Scanner:Analyzers:Secrets", "Scanner", + "Secrets analyzer configuration", + ["scan.secrets"]), + new("scanner.analyzers.entrytrace", "Scanner:Analyzers:EntryTrace", "Scanner", + "Entry trace analyzer settings", + ["scan.entry"]), + new("scanner.entrytrace.semantic", "Scanner:EntryTrace:Semantic", "Scanner", + "Semantic entry trace configuration", + ["scan.entry.sem"]), + new("scanner.funcproof", "Scanner:FuncProof:Generation", "Scanner", + "Function proof generation settings", + ["scan.funcproof"]), + new("scanner.funcproof.dsse", "Scanner:FuncProof:Dsse", "Scanner", + "Function proof DSSE configuration", + ["scan.funcproof.dsse"]), + new("scanner.funcproof.oci", "Scanner:FuncProof:Oci", "Scanner", + "Function proof OCI settings", + ["scan.funcproof.oci"]), + new("scanner.funcproof.transparency", "Scanner:FuncProof:Transparency", "Scanner", + "Function proof transparency log settings", + ["scan.funcproof.tlog"]), + new("scanner.idempotency", "Scanner:Idempotency", "Scanner", + "Idempotency configuration", + ["scan.idemp"]), + new("scanner.offlinekit", "Scanner:OfflineKit", "Scanner", + "Offline kit configuration", + ["scan.offline"]), + new("scanner.proofspine", "scanner:proofSpine:dsse", "Scanner", + "Proof spine DSSE settings", + ["scan.spine"]), + new("scanner.worker", "Scanner:Worker", "Scanner", + "Scanner worker configuration", + ["scan.worker"]), + new("scanner.worker.nativeanalyzers", "Scanner:Worker:NativeAnalyzers", "Scanner", + "Worker native analyzer settings", + ["scan.worker.native"]), + new("scanner.concelier", "scanner:concelier", "Scanner", + "Scanner Concelier integration", + ["scan.concel"]), + new("scanner.drift", "DriftAttestation", "Scanner", + "Drift attestation settings", + ["scan.drift"]), + new("scanner.validationgate", "ValidationGate", "Scanner", + "Validation gate configuration", + ["scan.valgate"]), + new("scanner.vexgate", "VexGate", "Scanner", + "VEX gate configuration", + ["scan.vexgate"]), + + // Notifier module + new("notifier", "Notifier:Tenant", "Notifier", + "Notifier tenant configuration", + ["notify", "notif"]), + new("notifier.channels", "ChannelAdapters", "Notifier", + "Channel adapter configuration", + ["notify.chan"]), + new("notifier.inapp", "InAppChannel", "Notifier", + "In-app notification channel settings", + ["notify.inapp"]), + new("notifier.ackbridge", "Notifier:AckBridge", "Notifier", + "Acknowledgment bridge configuration", + ["notify.ack"]), + new("notifier.correlation", "Notifier:Correlation", "Notifier", + "Correlation settings", + ["notify.corr"]), + new("notifier.digest", "Notifier:Digest", "Notifier", + "Digest notification settings", + ["notify.digest"]), + new("notifier.digestschedule", "Notifier:DigestSchedule", "Notifier", + "Digest schedule configuration", + ["notify.digest.sched"]), + new("notifier.fallback", "Notifier:Fallback", "Notifier", + "Fallback channel configuration", + ["notify.fallback"]), + new("notifier.incidentmanager", "Notifier:IncidentManager", "Notifier", + "Incident manager settings", + ["notify.incident"]), + new("notifier.integrations.opsgenie", "Notifier:Integrations:OpsGenie", "Notifier", + "OpsGenie integration settings", + ["notify.opsgenie"]), + new("notifier.integrations.pagerduty", "Notifier:Integrations:PagerDuty", "Notifier", + "PagerDuty integration settings", + ["notify.pagerduty"]), + new("notifier.localization", "Notifier:Localization", "Notifier", + "Localization settings", + ["notify.l10n"]), + new("notifier.quiethours", "Notifier:QuietHours", "Notifier", + "Quiet hours configuration", + ["notify.quiet"]), + new("notifier.stormbreaker", "Notifier:StormBreaker", "Notifier", + "Storm breaker settings", + ["notify.storm"]), + new("notifier.throttler", "Notifier:Throttler", "Notifier", + "Throttler configuration", + ["notify.throttle"]), + new("notifier.template", "TemplateRenderer", "Notifier", + "Template renderer settings", + ["notify.template"]), + + // Concelier module + new("concelier.cache", "Concelier:Cache", "Concelier", + "Concelier cache configuration", + ["concel.cache"]), + new("concelier.epss", "Concelier:Epss", "Concelier", + "Concelier EPSS settings", + ["concel.epss"]), + new("concelier.interest", "Concelier:Interest", "Concelier", + "Interest tracking configuration", + ["concel.interest"]), + new("concelier.federation", "Federation", "Concelier", + "Federation settings", + ["concel.fed"]), + + // Attestor module + new("attestor.binarydiff", "Attestor:BinaryDiff", "Attestor", + "Binary diff attestation settings", + ["attest.bindiff"]), + new("attestor.graphroot", "Attestor:GraphRoot", "Attestor", + "Graph root attestation configuration", + ["attest.graph"]), + new("attestor.rekor", "Attestor:Rekor", "Attestor", + "Rekor transparency log settings", + ["attest.rekor"]), + + // BinaryIndex module + new("binaryindex.builders", "BinaryIndex:Builders", "BinaryIndex", + "Binary index builder configuration", + ["binidx.build"]), + new("binaryindex.funcextraction", "BinaryIndex:FunctionExtraction", "BinaryIndex", + "Function extraction settings", + ["binidx.func"]), + new("binaryindex.goldenset", "BinaryIndex:GoldenSet", "BinaryIndex", + "Golden set configuration", + ["binidx.golden"]), + new("binaryindex.bsim", "BSim", "BinaryIndex", + "BSim configuration", + ["binidx.bsim"]), + new("binaryindex.disassembly", "Disassembly", "BinaryIndex", + "Disassembly settings", + ["binidx.disasm"]), + new("binaryindex.ghidra", "Ghidra", "BinaryIndex", + "Ghidra configuration", + ["binidx.ghidra"]), + new("binaryindex.ghidriff", "Ghidriff", "BinaryIndex", + "Ghidriff settings", + ["binidx.ghidriff"]), + new("binaryindex.resolution", "Resolution", "BinaryIndex", + "Resolution configuration", + ["binidx.res"]), + + // Signals module + new("signals", "Signals", "Signals", + "Signals core configuration", + ["sig"]), + new("signals.evidencenorm", "EvidenceNormalization", "Signals", + "Evidence normalization settings", + ["sig.evnorm"]), + new("signals.evidenceweighted", "EvidenceWeightedScore", "Signals", + "Evidence-weighted score settings", + ["sig.ews"]), + new("signals.retention", "Signals:Retention", "Signals", + "Signal retention configuration", + ["sig.ret"]), + new("signals.unknownsdecay", "Signals:UnknownsDecay", "Signals", + "Unknowns decay settings", + ["sig.decay"]), + new("signals.unknownsrescan", "Signals:UnknownsRescan", "Signals", + "Unknowns rescan configuration", + ["sig.rescan"]), + new("signals.unknownsscoring", "Signals:UnknownsScoring", "Signals", + "Unknowns scoring settings", + ["sig.scoring"]), + + // Signer module + new("signer.keyless", "Signer:Keyless", "Signer", + "Keyless signing configuration", + ["sign.keyless"]), + new("signer.sigstore", "Sigstore", "Signer", + "Sigstore configuration", + ["sign.sigstore"]), + + // AdvisoryAI module + new("advisoryai.chat", "AdvisoryAI:Chat", "AdvisoryAI", + "Chat configuration", + ["ai.chat"]), + new("advisoryai.inference", "AdvisoryAI:Inference:Offline", "AdvisoryAI", + "Offline inference settings", + ["ai.inference"]), + new("advisoryai.llmproviders", "AdvisoryAI:LlmProviders", "AdvisoryAI", + "LLM provider configuration", + ["ai.llm"]), + new("advisoryai.ratelimits", "AdvisoryAI:RateLimits", "AdvisoryAI", + "Rate limits for AI features", + ["ai.rate"]), + + // AirGap module + new("airgap.bundlesigning", "AirGap:BundleSigning", "AirGap", + "Bundle signing configuration", + ["air.sign"]), + new("airgap.quarantine", "AirGap:Quarantine", "AirGap", + "Quarantine settings", + ["air.quar"]), + + // Excititor module + new("excititor.autovex", "AutoVex:Downgrade", "Excititor", + "Auto VEX downgrade settings", + ["exc.autovex"]), + new("excititor.airgap", "Excititor:Airgap", "Excititor", + "Excititor airgap configuration", + ["exc.airgap"]), + new("excititor.evidence", "Excititor:Evidence:Linking", "Excititor", + "Evidence linking settings", + ["exc.evidence"]), + new("excititor.mirror", "Excititor:Mirror", "Excititor", + "Mirror configuration", + ["exc.mirror"]), + new("excititor.vexverify", "VexSignatureVerification", "Excititor", + "VEX signature verification settings", + ["exc.vexverify"]), + + // ExportCenter module + new("exportcenter", "ExportCenter", "ExportCenter", + "Export center core configuration", + ["export"]), + new("exportcenter.trivy", "ExportCenter:Adapters:Trivy", "ExportCenter", + "Trivy adapter settings", + ["export.trivy"]), + new("exportcenter.oci", "ExportCenter:Distribution:Oci", "ExportCenter", + "OCI distribution configuration", + ["export.oci"]), + new("exportcenter.encryption", "ExportCenter:Encryption", "ExportCenter", + "Encryption settings", + ["export.encrypt"]), + + // Orchestrator module + new("orchestrator", "Orchestrator", "Orchestrator", + "Orchestrator core configuration", + ["orch"]), + new("orchestrator.firstsignal", "FirstSignal", "Orchestrator", + "First signal configuration", + ["orch.first"]), + new("orchestrator.incidentmode", "Orchestrator:IncidentMode", "Orchestrator", + "Incident mode settings", + ["orch.incident"]), + new("orchestrator.stream", "Orchestrator:Stream", "Orchestrator", + "Stream processing configuration", + ["orch.stream"]), + + // Scheduler module + new("scheduler.hlc", "Scheduler:HlcOrdering", "Scheduler", + "HLC ordering configuration", + ["sched.hlc"]), + + // VexLens module + new("vexlens", "VexLens", "VexLens", + "VexLens core configuration", + ["lens"]), + new("vexlens.noisegate", "VexLens:NoiseGate", "VexLens", + "Noise gate configuration", + ["lens.noise"]), + + // Zastava module + new("zastava.agent", "zastava:agent", "Zastava", + "Zastava agent configuration", + ["zast.agent"]), + new("zastava.observer", "zastava:observer", "Zastava", + "Observer configuration", + ["zast.obs"]), + new("zastava.runtime", "zastava:runtime", "Zastava", + "Runtime configuration", + ["zast.runtime"]), + new("zastava.webhook", "zastava:webhook", "Zastava", + "Webhook configuration", + ["zast.webhook"]), + + // Platform module + new("platform", "Platform", "Platform", + "Platform core configuration", + ["plat"]), + + // Authority module + new("authority", "Authority", "Authority", + "Authority core configuration", + ["auth"]), + new("authority.plugins", "Authority:Plugins", "Authority", + "Authority plugins configuration", + ["auth.plugins"]), + new("authority.passwordpolicy", "Authority:PasswordPolicy", "Authority", + "Password policy configuration", + ["auth.password"]), + + // Setup prefixes + new("setup.database", "database", "Setup", + "Database connection settings", + ["db"]), + new("setup.cache", "cache", "Setup", + "Cache configuration", + ["cache"]), + new("setup.registry", "registry", "Setup", + "Registry configuration", + ["reg"]) + ]; + + /// + /// Gets all catalog entries. + /// + public static IReadOnlyList GetAll() => Entries; + + /// + /// Finds a catalog entry by path or alias. + /// + public static ConfigCatalogEntry? Find(string pathOrAlias) + { + var normalized = pathOrAlias.Replace(':', '.').ToLowerInvariant(); + + return Entries.FirstOrDefault(e => + e.Path.Equals(normalized, StringComparison.OrdinalIgnoreCase) || + e.Aliases.Any(a => a.Equals(normalized, StringComparison.OrdinalIgnoreCase))); + } + + /// + /// Gets all categories. + /// + public static IReadOnlyList GetCategories() => + Entries.Select(e => e.Category).Distinct().OrderBy(c => c).ToList(); +} diff --git a/src/Cli/StellaOps.Cli/Commands/ConfigCommandGroup.cs b/src/Cli/StellaOps.Cli/Commands/ConfigCommandGroup.cs new file mode 100644 index 000000000..70ba052ec --- /dev/null +++ b/src/Cli/StellaOps.Cli/Commands/ConfigCommandGroup.cs @@ -0,0 +1,54 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_014_CLI_config_viewer (CLI-CONFIG-010, CLI-CONFIG-011) +// + +using System.CommandLine; +using StellaOps.Cli.Services; + +namespace StellaOps.Cli.Commands; + +/// +/// CLI commands for inspecting StellaOps configuration. +/// +public static class ConfigCommandGroup +{ + public static Command Create(IBackendOperationsClient client) + { + var configCommand = new Command("config", "Inspect StellaOps configuration"); + + // stella config list + var listCommand = new Command("list", "List all available configuration paths"); + var categoryOption = new Option( + ["--category", "-c"], + "Filter by category (e.g., policy, scanner, notifier)"); + listCommand.AddOption(categoryOption); + listCommand.SetHandler( + async (string? category) => await CommandHandlers.Config.ListAsync(category), + categoryOption); + + // stella config show + var pathArgument = new Argument("path", "Configuration path (e.g., policy.determinization, scanner.epss)"); + var showCommand = new Command("show", "Show configuration for a specific path"); + showCommand.AddArgument(pathArgument); + var formatOption = new Option( + ["--format", "-f"], + () => "table", + "Output format: table, json, yaml"); + var showSecretsOption = new Option( + "--show-secrets", + () => false, + "Show secret values (default: redacted)"); + showCommand.AddOption(formatOption); + showCommand.AddOption(showSecretsOption); + showCommand.SetHandler( + async (string path, string format, bool showSecrets) => + await CommandHandlers.Config.ShowAsync(client, path, format, showSecrets), + pathArgument, formatOption, showSecretsOption); + + configCommand.AddCommand(listCommand); + configCommand.AddCommand(showCommand); + + return configCommand; + } +} diff --git a/src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs b/src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs index 373ef63e7..363d356ba 100644 --- a/src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs +++ b/src/Cli/StellaOps.Cli/Commands/EvidenceCommandGroup.cs @@ -47,12 +47,141 @@ public static class EvidenceCommandGroup { BuildExportCommand(services, options, verboseOption, cancellationToken), BuildVerifyCommand(services, options, verboseOption, cancellationToken), - BuildStatusCommand(services, options, verboseOption, cancellationToken) + BuildStatusCommand(services, options, verboseOption, cancellationToken), + BuildCardCommand(services, options, verboseOption, cancellationToken) }; return evidence; } + /// + /// Build the card subcommand group for evidence-card operations. + /// Sprint: SPRINT_20260112_011_CLI_evidence_card_remediate_cli (EVPCARD-CLI-001, EVPCARD-CLI-002) + /// + public static Command BuildCardCommand( + IServiceProvider services, + StellaOpsCliOptions options, + Option verboseOption, + CancellationToken cancellationToken) + { + var card = new Command("card", "Single-file evidence card export and verification") + { + BuildCardExportCommand(services, options, verboseOption, cancellationToken), + BuildCardVerifyCommand(services, options, verboseOption, cancellationToken) + }; + + return card; + } + + /// + /// Build the card export command. + /// EVPCARD-CLI-001: stella evidence card export + /// + public static Command BuildCardExportCommand( + IServiceProvider services, + StellaOpsCliOptions options, + Option verboseOption, + CancellationToken cancellationToken) + { + var packIdArg = new Argument("pack-id") + { + Description = "Evidence pack ID to export as card (e.g., evp-2026-01-14-abc123)" + }; + + var outputOption = new Option("--output", ["-o"]) + { + Description = "Output file path (defaults to .evidence-card.json)", + Required = false + }; + + var compactOption = new Option("--compact") + { + Description = "Export compact format without full SBOM excerpt" + }; + + var outputFormatOption = new Option("--format", ["-f"]) + { + Description = "Output format: json (default), yaml" + }; + + var export = new Command("export", "Export evidence pack as single-file evidence card") + { + packIdArg, + outputOption, + compactOption, + outputFormatOption, + verboseOption + }; + + export.SetAction(async (parseResult, _) => + { + var packId = parseResult.GetValue(packIdArg) ?? string.Empty; + var output = parseResult.GetValue(outputOption); + var compact = parseResult.GetValue(compactOption); + var format = parseResult.GetValue(outputFormatOption) ?? "json"; + var verbose = parseResult.GetValue(verboseOption); + + return await HandleCardExportAsync( + services, options, packId, output, compact, format, verbose, cancellationToken); + }); + + return export; + } + + /// + /// Build the card verify command. + /// EVPCARD-CLI-002: stella evidence card verify + /// + public static Command BuildCardVerifyCommand( + IServiceProvider services, + StellaOpsCliOptions options, + Option verboseOption, + CancellationToken cancellationToken) + { + var pathArg = new Argument("path") + { + Description = "Path to evidence card file (.evidence-card.json)" + }; + + var offlineOption = new Option("--offline") + { + Description = "Skip Rekor transparency log verification (for air-gapped environments)" + }; + + var trustRootOption = new Option("--trust-root") + { + Description = "Path to offline trust root bundle for signature verification" + }; + + var outputOption = new Option("--output", ["-o"]) + { + Description = "Output format: table (default), json" + }; + + var verify = new Command("verify", "Verify DSSE signatures and Rekor receipts in an evidence card") + { + pathArg, + offlineOption, + trustRootOption, + outputOption, + verboseOption + }; + + verify.SetAction(async (parseResult, _) => + { + var path = parseResult.GetValue(pathArg) ?? string.Empty; + var offline = parseResult.GetValue(offlineOption); + var trustRoot = parseResult.GetValue(trustRootOption); + var output = parseResult.GetValue(outputOption) ?? "table"; + var verbose = parseResult.GetValue(verboseOption); + + return await HandleCardVerifyAsync( + services, options, path, offline, trustRoot, output, verbose, cancellationToken); + }); + + return verify; + } + /// /// Build the export command. /// T025: stella evidence export --bundle <id> --output <path> @@ -854,4 +983,369 @@ public static class EvidenceCommandGroup } private sealed record VerificationResult(string Check, bool Passed, string Message); + + // ========== Evidence Card Handlers ========== + // Sprint: SPRINT_20260112_011_CLI_evidence_card_remediate_cli (EVPCARD-CLI-001, EVPCARD-CLI-002) + + private static async Task HandleCardExportAsync( + IServiceProvider services, + StellaOpsCliOptions options, + string packId, + string? outputPath, + bool compact, + string format, + bool verbose, + CancellationToken cancellationToken) + { + if (string.IsNullOrEmpty(packId)) + { + AnsiConsole.MarkupLine("[red]Error:[/] Pack ID is required"); + return 1; + } + + var httpClientFactory = services.GetRequiredService(); + var client = httpClientFactory.CreateClient("EvidencePack"); + + var backendUrl = options.BackendUrl + ?? Environment.GetEnvironmentVariable("STELLAOPS_EVIDENCE_URL") + ?? Environment.GetEnvironmentVariable("STELLAOPS_BACKEND_URL") + ?? "http://localhost:5000"; + + if (verbose) + { + AnsiConsole.MarkupLine($"[dim]Backend URL: {backendUrl}[/]"); + } + + var exportFormat = compact ? "card-compact" : "evidence-card"; + var extension = compact ? ".evidence-card-compact.json" : ".evidence-card.json"; + outputPath ??= $"{packId}{extension}"; + + try + { + await AnsiConsole.Status() + .Spinner(Spinner.Known.Dots) + .SpinnerStyle(Style.Parse("yellow")) + .StartAsync("Exporting evidence card...", async ctx => + { + var requestUrl = $"{backendUrl}/v1/evidence-packs/{packId}/export?format={exportFormat}"; + + if (verbose) + { + AnsiConsole.MarkupLine($"[dim]Request: GET {requestUrl}[/]"); + } + + var response = await client.GetAsync(requestUrl, cancellationToken); + + if (!response.IsSuccessStatusCode) + { + var error = await response.Content.ReadAsStringAsync(cancellationToken); + throw new InvalidOperationException($"Export failed: {response.StatusCode} - {error}"); + } + + // Get headers for metadata + var contentDigest = response.Headers.TryGetValues("X-Content-Digest", out var digestValues) + ? digestValues.FirstOrDefault() + : null; + var cardVersion = response.Headers.TryGetValues("X-Evidence-Card-Version", out var versionValues) + ? versionValues.FirstOrDefault() + : null; + var rekorIndex = response.Headers.TryGetValues("X-Rekor-Log-Index", out var rekorValues) + ? rekorValues.FirstOrDefault() + : null; + + ctx.Status("Writing evidence card to disk..."); + + await using var fileStream = File.Create(outputPath); + await response.Content.CopyToAsync(fileStream, cancellationToken); + + // Display export summary + AnsiConsole.MarkupLine($"[green]Success:[/] Evidence card exported to [blue]{outputPath}[/]"); + AnsiConsole.WriteLine(); + + var table = new Table(); + table.AddColumn("Property"); + table.AddColumn("Value"); + table.Border(TableBorder.Rounded); + + table.AddRow("Pack ID", packId); + table.AddRow("Format", compact ? "Compact" : "Full"); + if (cardVersion != null) + table.AddRow("Card Version", cardVersion); + if (contentDigest != null) + table.AddRow("Content Digest", contentDigest); + if (rekorIndex != null) + table.AddRow("Rekor Log Index", rekorIndex); + table.AddRow("Output File", outputPath); + table.AddRow("File Size", FormatSize(new FileInfo(outputPath).Length)); + + AnsiConsole.Write(table); + }); + + return 0; + } + catch (Exception ex) + { + AnsiConsole.MarkupLine($"[red]Error:[/] {ex.Message}"); + return 1; + } + } + + private static async Task HandleCardVerifyAsync( + IServiceProvider services, + StellaOpsCliOptions options, + string path, + bool offline, + string? trustRoot, + string output, + bool verbose, + CancellationToken cancellationToken) + { + if (string.IsNullOrEmpty(path)) + { + AnsiConsole.MarkupLine("[red]Error:[/] Evidence card path is required"); + return 1; + } + + if (!File.Exists(path)) + { + AnsiConsole.MarkupLine($"[red]Error:[/] File not found: {path}"); + return 1; + } + + try + { + var results = new List(); + + await AnsiConsole.Status() + .Spinner(Spinner.Known.Dots) + .SpinnerStyle(Style.Parse("yellow")) + .StartAsync("Verifying evidence card...", async ctx => + { + // Read and parse the evidence card + var content = await File.ReadAllTextAsync(path, cancellationToken); + var card = JsonDocument.Parse(content); + var root = card.RootElement; + + // Verify card structure + ctx.Status("Checking card structure..."); + results.Add(VerifyCardStructure(root)); + + // Verify content digest + ctx.Status("Verifying content digest..."); + results.Add(await VerifyCardDigestAsync(path, root, cancellationToken)); + + // Verify DSSE envelope + ctx.Status("Verifying DSSE envelope..."); + results.Add(VerifyDsseEnvelope(root, verbose)); + + // Verify Rekor receipt (if present and not offline) + if (!offline && root.TryGetProperty("rekorReceipt", out var rekorReceipt)) + { + ctx.Status("Verifying Rekor receipt..."); + results.Add(VerifyRekorReceipt(rekorReceipt, verbose)); + } + else if (offline) + { + results.Add(new CardVerificationResult("Rekor Receipt", true, "Skipped (offline mode)")); + } + else + { + results.Add(new CardVerificationResult("Rekor Receipt", true, "Not present")); + } + + // Verify SBOM excerpt (if present) + if (root.TryGetProperty("sbomExcerpt", out var sbomExcerpt)) + { + ctx.Status("Verifying SBOM excerpt..."); + results.Add(VerifySbomExcerpt(sbomExcerpt, verbose)); + } + }); + + // Output results + var allPassed = results.All(r => r.Passed); + + if (output == "json") + { + var jsonResult = new + { + file = path, + valid = allPassed, + checks = results.Select(r => new + { + check = r.Check, + passed = r.Passed, + message = r.Message + }) + }; + AnsiConsole.WriteLine(JsonSerializer.Serialize(jsonResult, JsonOptions)); + } + else + { + // Table output + var table = new Table(); + table.AddColumn("Check"); + table.AddColumn("Status"); + table.AddColumn("Details"); + table.Border(TableBorder.Rounded); + + foreach (var result in results) + { + var status = result.Passed + ? "[green]PASS[/]" + : "[red]FAIL[/]"; + table.AddRow(result.Check, status, result.Message); + } + + AnsiConsole.Write(table); + AnsiConsole.WriteLine(); + + if (allPassed) + { + AnsiConsole.MarkupLine("[green]All verification checks passed[/]"); + } + else + { + AnsiConsole.MarkupLine("[red]One or more verification checks failed[/]"); + } + } + + return allPassed ? 0 : 1; + } + catch (JsonException ex) + { + AnsiConsole.MarkupLine($"[red]Error:[/] Invalid JSON in evidence card: {ex.Message}"); + return 1; + } + catch (Exception ex) + { + AnsiConsole.MarkupLine($"[red]Error:[/] {ex.Message}"); + return 1; + } + } + + private static CardVerificationResult VerifyCardStructure(JsonElement root) + { + var requiredProps = new[] { "cardId", "version", "packId", "createdAt", "subject", "contentDigest" }; + var missing = requiredProps.Where(p => !root.TryGetProperty(p, out _)).ToList(); + + if (missing.Count > 0) + { + return new CardVerificationResult("Card Structure", false, $"Missing required properties: {string.Join(", ", missing)}"); + } + + var cardId = root.GetProperty("cardId").GetString(); + var version = root.GetProperty("version").GetString(); + + return new CardVerificationResult("Card Structure", true, $"Card {cardId} v{version}"); + } + + private static async Task VerifyCardDigestAsync( + string path, + JsonElement root, + CancellationToken cancellationToken) + { + if (!root.TryGetProperty("contentDigest", out var digestProp)) + { + return new CardVerificationResult("Content Digest", false, "Missing contentDigest property"); + } + + var expectedDigest = digestProp.GetString(); + if (string.IsNullOrEmpty(expectedDigest)) + { + return new CardVerificationResult("Content Digest", false, "Empty contentDigest"); + } + + // Note: The content digest is computed over the payload, not the full file + // For now, just validate the format + if (!expectedDigest.StartsWith("sha256:", StringComparison.OrdinalIgnoreCase)) + { + return new CardVerificationResult("Content Digest", false, $"Invalid digest format: {expectedDigest}"); + } + + return new CardVerificationResult("Content Digest", true, expectedDigest); + } + + private static CardVerificationResult VerifyDsseEnvelope(JsonElement root, bool verbose) + { + if (!root.TryGetProperty("envelope", out var envelope)) + { + return new CardVerificationResult("DSSE Envelope", true, "No envelope present (unsigned)"); + } + + var requiredEnvelopeProps = new[] { "payloadType", "payload", "payloadDigest", "signatures" }; + var missing = requiredEnvelopeProps.Where(p => !envelope.TryGetProperty(p, out _)).ToList(); + + if (missing.Count > 0) + { + return new CardVerificationResult("DSSE Envelope", false, $"Invalid envelope: missing {string.Join(", ", missing)}"); + } + + var payloadType = envelope.GetProperty("payloadType").GetString(); + var signatures = envelope.GetProperty("signatures"); + var sigCount = signatures.GetArrayLength(); + + if (sigCount == 0) + { + return new CardVerificationResult("DSSE Envelope", false, "No signatures in envelope"); + } + + // Validate signature structure + foreach (var sig in signatures.EnumerateArray()) + { + if (!sig.TryGetProperty("keyId", out _) || !sig.TryGetProperty("sig", out _)) + { + return new CardVerificationResult("DSSE Envelope", false, "Invalid signature structure"); + } + } + + return new CardVerificationResult("DSSE Envelope", true, $"Payload type: {payloadType}, {sigCount} signature(s)"); + } + + private static CardVerificationResult VerifyRekorReceipt(JsonElement receipt, bool verbose) + { + if (!receipt.TryGetProperty("logIndex", out var logIndexProp)) + { + return new CardVerificationResult("Rekor Receipt", false, "Missing logIndex"); + } + + if (!receipt.TryGetProperty("logId", out var logIdProp)) + { + return new CardVerificationResult("Rekor Receipt", false, "Missing logId"); + } + + var logIndex = logIndexProp.GetInt64(); + var logId = logIdProp.GetString(); + + // Check for inclusion proof + var hasInclusionProof = receipt.TryGetProperty("inclusionProof", out _); + var hasInclusionPromise = receipt.TryGetProperty("inclusionPromise", out _); + + var proofStatus = hasInclusionProof ? "with inclusion proof" : + hasInclusionPromise ? "with inclusion promise" : + "no proof attached"; + + return new CardVerificationResult("Rekor Receipt", true, $"Log index {logIndex}, {proofStatus}"); + } + + private static CardVerificationResult VerifySbomExcerpt(JsonElement excerpt, bool verbose) + { + if (!excerpt.TryGetProperty("format", out var formatProp)) + { + return new CardVerificationResult("SBOM Excerpt", false, "Missing format"); + } + + var format = formatProp.GetString(); + var componentPurl = excerpt.TryGetProperty("componentPurl", out var purlProp) + ? purlProp.GetString() + : null; + var componentName = excerpt.TryGetProperty("componentName", out var nameProp) + ? nameProp.GetString() + : null; + + var description = componentPurl ?? componentName ?? "no component info"; + + return new CardVerificationResult("SBOM Excerpt", true, $"Format: {format}, Component: {description}"); + } + + private sealed record CardVerificationResult(string Check, bool Passed, string Message); } diff --git a/src/Cli/StellaOps.Cli/Commands/UnknownsCommandGroup.cs b/src/Cli/StellaOps.Cli/Commands/UnknownsCommandGroup.cs index a8069f422..5609f1c88 100644 --- a/src/Cli/StellaOps.Cli/Commands/UnknownsCommandGroup.cs +++ b/src/Cli/StellaOps.Cli/Commands/UnknownsCommandGroup.cs @@ -44,6 +44,13 @@ public static class UnknownsCommandGroup unknownsCommand.Add(BuildResolveCommand(services, verboseOption, cancellationToken)); unknownsCommand.Add(BuildBudgetCommand(services, verboseOption, cancellationToken)); + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-001, CLI-UNK-002, CLI-UNK-003) + unknownsCommand.Add(BuildSummaryCommand(services, verboseOption, cancellationToken)); + unknownsCommand.Add(BuildShowCommand(services, verboseOption, cancellationToken)); + unknownsCommand.Add(BuildProofCommand(services, verboseOption, cancellationToken)); + unknownsCommand.Add(BuildExportCommand(services, verboseOption, cancellationToken)); + unknownsCommand.Add(BuildTriageCommand(services, verboseOption, cancellationToken)); + return unknownsCommand; } @@ -274,6 +281,194 @@ public static class UnknownsCommandGroup return escalateCommand; } + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-001) + private static Command BuildSummaryCommand( + IServiceProvider services, + Option verboseOption, + CancellationToken cancellationToken) + { + var formatOption = new Option("--format", new[] { "-f" }) + { + Description = "Output format: table, json" + }; + formatOption.SetDefaultValue("table"); + + var summaryCommand = new Command("summary", "Show unknowns summary by band with counts and fingerprints"); + summaryCommand.Add(formatOption); + summaryCommand.Add(verboseOption); + + summaryCommand.SetAction(async (parseResult, ct) => + { + var format = parseResult.GetValue(formatOption) ?? "table"; + var verbose = parseResult.GetValue(verboseOption); + + return await HandleSummaryAsync(services, format, verbose, cancellationToken); + }); + + return summaryCommand; + } + + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-001) + private static Command BuildShowCommand( + IServiceProvider services, + Option verboseOption, + CancellationToken cancellationToken) + { + var idOption = new Option("--id", new[] { "-i" }) + { + Description = "Unknown ID to show details for", + Required = true + }; + + var formatOption = new Option("--format", new[] { "-f" }) + { + Description = "Output format: table, json" + }; + formatOption.SetDefaultValue("table"); + + var showCommand = new Command("show", "Show detailed unknown info including fingerprint, triggers, and next actions"); + showCommand.Add(idOption); + showCommand.Add(formatOption); + showCommand.Add(verboseOption); + + showCommand.SetAction(async (parseResult, ct) => + { + var id = parseResult.GetValue(idOption) ?? string.Empty; + var format = parseResult.GetValue(formatOption) ?? "table"; + var verbose = parseResult.GetValue(verboseOption); + + return await HandleShowAsync(services, id, format, verbose, cancellationToken); + }); + + return showCommand; + } + + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-002) + private static Command BuildProofCommand( + IServiceProvider services, + Option verboseOption, + CancellationToken cancellationToken) + { + var idOption = new Option("--id", new[] { "-i" }) + { + Description = "Unknown ID to get proof for", + Required = true + }; + + var formatOption = new Option("--format", new[] { "-f" }) + { + Description = "Output format: json, envelope" + }; + formatOption.SetDefaultValue("json"); + + var proofCommand = new Command("proof", "Get evidence proof for an unknown (fingerprint, triggers, evidence refs)"); + proofCommand.Add(idOption); + proofCommand.Add(formatOption); + proofCommand.Add(verboseOption); + + proofCommand.SetAction(async (parseResult, ct) => + { + var id = parseResult.GetValue(idOption) ?? string.Empty; + var format = parseResult.GetValue(formatOption) ?? "json"; + var verbose = parseResult.GetValue(verboseOption); + + return await HandleProofAsync(services, id, format, verbose, cancellationToken); + }); + + return proofCommand; + } + + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-002) + private static Command BuildExportCommand( + IServiceProvider services, + Option verboseOption, + CancellationToken cancellationToken) + { + var bandOption = new Option("--band", new[] { "-b" }) + { + Description = "Filter by band: HOT, WARM, COLD, all" + }; + + var formatOption = new Option("--format", new[] { "-f" }) + { + Description = "Output format: json, csv, ndjson" + }; + formatOption.SetDefaultValue("json"); + + var outputOption = new Option("--output", new[] { "-o" }) + { + Description = "Output file path (default: stdout)" + }; + + var exportCommand = new Command("export", "Export unknowns with fingerprints and triggers for offline analysis"); + exportCommand.Add(bandOption); + exportCommand.Add(formatOption); + exportCommand.Add(outputOption); + exportCommand.Add(verboseOption); + + exportCommand.SetAction(async (parseResult, ct) => + { + var band = parseResult.GetValue(bandOption); + var format = parseResult.GetValue(formatOption) ?? "json"; + var output = parseResult.GetValue(outputOption); + var verbose = parseResult.GetValue(verboseOption); + + return await HandleExportAsync(services, band, format, output, verbose, cancellationToken); + }); + + return exportCommand; + } + + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-003) + private static Command BuildTriageCommand( + IServiceProvider services, + Option verboseOption, + CancellationToken cancellationToken) + { + var idOption = new Option("--id", new[] { "-i" }) + { + Description = "Unknown ID to triage", + Required = true + }; + + var actionOption = new Option("--action", new[] { "-a" }) + { + Description = "Triage action: accept-risk, require-fix, defer, escalate, dispute", + Required = true + }; + + var reasonOption = new Option("--reason", new[] { "-r" }) + { + Description = "Reason for triage decision", + Required = true + }; + + var durationOption = new Option("--duration-days", new[] { "-d" }) + { + Description = "Duration in days for defer/accept-risk actions" + }; + + var triageCommand = new Command("triage", "Apply manual triage decision to an unknown (grey queue adjudication)"); + triageCommand.Add(idOption); + triageCommand.Add(actionOption); + triageCommand.Add(reasonOption); + triageCommand.Add(durationOption); + triageCommand.Add(verboseOption); + + triageCommand.SetAction(async (parseResult, ct) => + { + var id = parseResult.GetValue(idOption) ?? string.Empty; + var action = parseResult.GetValue(actionOption) ?? string.Empty; + var reason = parseResult.GetValue(reasonOption) ?? string.Empty; + var duration = parseResult.GetValue(durationOption); + var verbose = parseResult.GetValue(verboseOption); + + return await HandleTriageAsync(services, id, action, reason, duration, verbose, cancellationToken); + }); + + return triageCommand; + } + private static Command BuildResolveCommand( IServiceProvider services, Option verboseOption, @@ -558,6 +753,452 @@ public static class UnknownsCommandGroup } } + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-001) + private static async Task HandleSummaryAsync( + IServiceProvider services, + string format, + bool verbose, + CancellationToken ct) + { + var loggerFactory = services.GetService(); + var logger = loggerFactory?.CreateLogger(typeof(UnknownsCommandGroup)); + var httpClientFactory = services.GetService(); + + if (httpClientFactory is null) + { + logger?.LogError("HTTP client factory not available"); + return 1; + } + + try + { + if (verbose) + { + logger?.LogDebug("Fetching unknowns summary"); + } + + var client = httpClientFactory.CreateClient("PolicyApi"); + var response = await client.GetAsync("/api/v1/policy/unknowns/summary", ct); + + if (!response.IsSuccessStatusCode) + { + Console.WriteLine($"Error: Failed to fetch summary ({response.StatusCode})"); + return 1; + } + + var summary = await response.Content.ReadFromJsonAsync(JsonOptions, ct); + if (summary is null) + { + Console.WriteLine("Error: Empty response from server"); + return 1; + } + + if (format == "json") + { + Console.WriteLine(JsonSerializer.Serialize(summary, JsonOptions)); + } + else + { + Console.WriteLine("Unknowns Summary"); + Console.WriteLine("================"); + Console.WriteLine($" HOT: {summary.Hot,6}"); + Console.WriteLine($" WARM: {summary.Warm,6}"); + Console.WriteLine($" COLD: {summary.Cold,6}"); + Console.WriteLine($" Resolved: {summary.Resolved,6}"); + Console.WriteLine($" ----------------"); + Console.WriteLine($" Total: {summary.Total,6}"); + } + + return 0; + } + catch (Exception ex) + { + logger?.LogError(ex, "Summary failed unexpectedly"); + Console.WriteLine($"Error: {ex.Message}"); + return 1; + } + } + + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-001) + private static async Task HandleShowAsync( + IServiceProvider services, + string id, + string format, + bool verbose, + CancellationToken ct) + { + var loggerFactory = services.GetService(); + var logger = loggerFactory?.CreateLogger(typeof(UnknownsCommandGroup)); + var httpClientFactory = services.GetService(); + + if (httpClientFactory is null) + { + logger?.LogError("HTTP client factory not available"); + return 1; + } + + try + { + if (verbose) + { + logger?.LogDebug("Fetching unknown {Id}", id); + } + + var client = httpClientFactory.CreateClient("PolicyApi"); + var response = await client.GetAsync($"/api/v1/policy/unknowns/{id}", ct); + + if (!response.IsSuccessStatusCode) + { + Console.WriteLine($"Error: Unknown not found ({response.StatusCode})"); + return 1; + } + + var result = await response.Content.ReadFromJsonAsync(JsonOptions, ct); + if (result?.Unknown is null) + { + Console.WriteLine("Error: Empty response from server"); + return 1; + } + + var unknown = result.Unknown; + + if (format == "json") + { + Console.WriteLine(JsonSerializer.Serialize(unknown, JsonOptions)); + } + else + { + Console.WriteLine($"Unknown: {unknown.Id}"); + Console.WriteLine(new string('=', 60)); + Console.WriteLine($" Package: {unknown.PackageId}@{unknown.PackageVersion}"); + Console.WriteLine($" Band: {unknown.Band}"); + Console.WriteLine($" Score: {unknown.Score:F2}"); + Console.WriteLine($" Reason: {unknown.ReasonCode} ({unknown.ReasonCodeShort})"); + Console.WriteLine($" First Seen: {unknown.FirstSeenAt:u}"); + Console.WriteLine($" Last Evaluated: {unknown.LastEvaluatedAt:u}"); + + if (!string.IsNullOrEmpty(unknown.FingerprintId)) + { + Console.WriteLine(); + Console.WriteLine("Fingerprint"); + Console.WriteLine($" ID: {unknown.FingerprintId}"); + } + + if (unknown.Triggers?.Count > 0) + { + Console.WriteLine(); + Console.WriteLine("Triggers"); + foreach (var trigger in unknown.Triggers) + { + Console.WriteLine($" - {trigger.EventType}@{trigger.EventVersion} ({trigger.ReceivedAt:u})"); + } + } + + if (unknown.NextActions?.Count > 0) + { + Console.WriteLine(); + Console.WriteLine("Next Actions"); + foreach (var action in unknown.NextActions) + { + Console.WriteLine($" - {action}"); + } + } + + if (unknown.ConflictInfo?.HasConflict == true) + { + Console.WriteLine(); + Console.WriteLine("Conflicts"); + Console.WriteLine($" Severity: {unknown.ConflictInfo.Severity:F2}"); + Console.WriteLine($" Suggested Path: {unknown.ConflictInfo.SuggestedPath}"); + foreach (var conflict in unknown.ConflictInfo.Conflicts) + { + Console.WriteLine($" - {conflict.Type}: {conflict.Signal1} vs {conflict.Signal2}"); + } + } + + if (!string.IsNullOrEmpty(unknown.RemediationHint)) + { + Console.WriteLine(); + Console.WriteLine($"Hint: {unknown.RemediationHint}"); + } + } + + return 0; + } + catch (Exception ex) + { + logger?.LogError(ex, "Show failed unexpectedly"); + Console.WriteLine($"Error: {ex.Message}"); + return 1; + } + } + + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-002) + private static async Task HandleProofAsync( + IServiceProvider services, + string id, + string format, + bool verbose, + CancellationToken ct) + { + var loggerFactory = services.GetService(); + var logger = loggerFactory?.CreateLogger(typeof(UnknownsCommandGroup)); + var httpClientFactory = services.GetService(); + + if (httpClientFactory is null) + { + logger?.LogError("HTTP client factory not available"); + return 1; + } + + try + { + if (verbose) + { + logger?.LogDebug("Fetching proof for unknown {Id}", id); + } + + var client = httpClientFactory.CreateClient("PolicyApi"); + var response = await client.GetAsync($"/api/v1/policy/unknowns/{id}", ct); + + if (!response.IsSuccessStatusCode) + { + Console.WriteLine($"Error: Unknown not found ({response.StatusCode})"); + return 1; + } + + var result = await response.Content.ReadFromJsonAsync(JsonOptions, ct); + if (result?.Unknown is null) + { + Console.WriteLine("Error: Empty response from server"); + return 1; + } + + var unknown = result.Unknown; + + // Build proof object with deterministic ordering + var proof = new UnknownProof + { + Id = unknown.Id, + FingerprintId = unknown.FingerprintId, + PackageId = unknown.PackageId, + PackageVersion = unknown.PackageVersion, + Band = unknown.Band, + Score = unknown.Score, + ReasonCode = unknown.ReasonCode, + Triggers = unknown.Triggers?.OrderBy(t => t.ReceivedAt).ToList() ?? [], + EvidenceRefs = unknown.EvidenceRefs?.OrderBy(e => e.Type).ThenBy(e => e.Uri).ToList() ?? [], + ObservationState = unknown.ObservationState, + ConflictInfo = unknown.ConflictInfo + }; + + Console.WriteLine(JsonSerializer.Serialize(proof, JsonOptions)); + return 0; + } + catch (Exception ex) + { + logger?.LogError(ex, "Proof failed unexpectedly"); + Console.WriteLine($"Error: {ex.Message}"); + return 1; + } + } + + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-002) + private static async Task HandleExportAsync( + IServiceProvider services, + string? band, + string format, + string? outputPath, + bool verbose, + CancellationToken ct) + { + var loggerFactory = services.GetService(); + var logger = loggerFactory?.CreateLogger(typeof(UnknownsCommandGroup)); + var httpClientFactory = services.GetService(); + + if (httpClientFactory is null) + { + logger?.LogError("HTTP client factory not available"); + return 1; + } + + try + { + if (verbose) + { + logger?.LogDebug("Exporting unknowns: band={Band}, format={Format}", band ?? "all", format); + } + + var client = httpClientFactory.CreateClient("PolicyApi"); + var url = string.IsNullOrEmpty(band) || band == "all" + ? "/api/v1/policy/unknowns?limit=10000" + : $"/api/v1/policy/unknowns?band={band}&limit=10000"; + + var response = await client.GetAsync(url, ct); + + if (!response.IsSuccessStatusCode) + { + Console.WriteLine($"Error: Failed to fetch unknowns ({response.StatusCode})"); + return 1; + } + + var result = await response.Content.ReadFromJsonAsync(JsonOptions, ct); + if (result?.Items is null) + { + Console.WriteLine("Error: Empty response from server"); + return 1; + } + + // Deterministic ordering by band priority, then score descending + var sorted = result.Items + .OrderBy(u => u.Band switch { "hot" => 0, "warm" => 1, "cold" => 2, _ => 3 }) + .ThenByDescending(u => u.Score) + .ToList(); + + TextWriter writer = outputPath is not null + ? new StreamWriter(outputPath) + : Console.Out; + + try + { + switch (format.ToLowerInvariant()) + { + case "csv": + await WriteCsvAsync(writer, sorted); + break; + case "ndjson": + foreach (var item in sorted) + { + await writer.WriteLineAsync(JsonSerializer.Serialize(item, JsonOptions)); + } + break; + case "json": + default: + await writer.WriteLineAsync(JsonSerializer.Serialize(sorted, JsonOptions)); + break; + } + } + finally + { + if (outputPath is not null) + { + await writer.DisposeAsync(); + } + } + + if (verbose && outputPath is not null) + { + Console.WriteLine($"Exported {sorted.Count} unknowns to {outputPath}"); + } + + return 0; + } + catch (Exception ex) + { + logger?.LogError(ex, "Export failed unexpectedly"); + Console.WriteLine($"Error: {ex.Message}"); + return 1; + } + } + + private static async Task WriteCsvAsync(TextWriter writer, IReadOnlyList items) + { + // CSV header + await writer.WriteLineAsync("id,package_id,package_version,band,score,reason_code,fingerprint_id,first_seen_at,last_evaluated_at"); + + foreach (var item in items) + { + await writer.WriteLineAsync(string.Format( + System.Globalization.CultureInfo.InvariantCulture, + "{0},{1},{2},{3},{4:F2},{5},{6},{7:u},{8:u}", + item.Id, + EscapeCsv(item.PackageId), + EscapeCsv(item.PackageVersion), + item.Band, + item.Score, + item.ReasonCode, + item.FingerprintId ?? "", + item.FirstSeenAt, + item.LastEvaluatedAt)); + } + } + + private static string EscapeCsv(string value) + { + if (value.Contains(',') || value.Contains('"') || value.Contains('\n')) + { + return $"\"{value.Replace("\"", "\"\"")}\""; + } + return value; + } + + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-003) + private static async Task HandleTriageAsync( + IServiceProvider services, + string id, + string action, + string reason, + int? durationDays, + bool verbose, + CancellationToken ct) + { + var loggerFactory = services.GetService(); + var logger = loggerFactory?.CreateLogger(typeof(UnknownsCommandGroup)); + var httpClientFactory = services.GetService(); + + if (httpClientFactory is null) + { + logger?.LogError("HTTP client factory not available"); + return 1; + } + + // Validate action + var validActions = new[] { "accept-risk", "require-fix", "defer", "escalate", "dispute" }; + if (!validActions.Contains(action.ToLowerInvariant())) + { + Console.WriteLine($"Error: Invalid action '{action}'. Valid actions: {string.Join(", ", validActions)}"); + return 1; + } + + try + { + if (verbose) + { + logger?.LogDebug("Triaging unknown {Id} with action {Action}", id, action); + } + + var client = httpClientFactory.CreateClient("PolicyApi"); + var request = new TriageRequest(action, reason, durationDays); + + var response = await client.PostAsJsonAsync( + $"/api/v1/policy/unknowns/{id}/triage", + request, + JsonOptions, + ct); + + if (!response.IsSuccessStatusCode) + { + var error = await response.Content.ReadAsStringAsync(ct); + logger?.LogError("Triage failed: {Status}", response.StatusCode); + Console.WriteLine($"Error: Triage failed ({response.StatusCode})"); + return 1; + } + + Console.WriteLine($"Unknown {id} triaged with action '{action}'."); + if (durationDays.HasValue) + { + Console.WriteLine($"Duration: {durationDays} days"); + } + return 0; + } + catch (Exception ex) + { + logger?.LogError(ex, "Triage failed unexpectedly"); + Console.WriteLine($"Error: {ex.Message}"); + return 1; + } + } + /// /// Handle budget check command. /// Sprint: SPRINT_5100_0004_0001 Task T1 @@ -927,5 +1568,102 @@ public static class UnknownsCommandGroup public IReadOnlyDictionary? ByReasonCode { get; init; } } + // Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-001, CLI-UNK-002, CLI-UNK-003) + private sealed record UnknownsSummaryResponse + { + public int Hot { get; init; } + public int Warm { get; init; } + public int Cold { get; init; } + public int Resolved { get; init; } + public int Total { get; init; } + } + + private sealed record UnknownDetailResponse + { + public UnknownDto? Unknown { get; init; } + } + + private sealed record UnknownsListResponse + { + public IReadOnlyList? Items { get; init; } + public int TotalCount { get; init; } + } + + private sealed record UnknownDto + { + public Guid Id { get; init; } + public string PackageId { get; init; } = string.Empty; + public string PackageVersion { get; init; } = string.Empty; + public string Band { get; init; } = string.Empty; + public decimal Score { get; init; } + public decimal UncertaintyFactor { get; init; } + public decimal ExploitPressure { get; init; } + public DateTimeOffset FirstSeenAt { get; init; } + public DateTimeOffset LastEvaluatedAt { get; init; } + public string? ResolutionReason { get; init; } + public DateTimeOffset? ResolvedAt { get; init; } + public string ReasonCode { get; init; } = string.Empty; + public string ReasonCodeShort { get; init; } = string.Empty; + public string? RemediationHint { get; init; } + public string? DetailedHint { get; init; } + public string? AutomationCommand { get; init; } + public IReadOnlyList? EvidenceRefs { get; init; } + public string? FingerprintId { get; init; } + public IReadOnlyList? Triggers { get; init; } + public IReadOnlyList? NextActions { get; init; } + public ConflictInfoDto? ConflictInfo { get; init; } + public string? ObservationState { get; init; } + } + + private sealed record EvidenceRefDto + { + public string Type { get; init; } = string.Empty; + public string Uri { get; init; } = string.Empty; + public string? Digest { get; init; } + } + + private sealed record TriggerDto + { + public string EventType { get; init; } = string.Empty; + public int EventVersion { get; init; } + public string? Source { get; init; } + public DateTimeOffset ReceivedAt { get; init; } + public string? CorrelationId { get; init; } + } + + private sealed record ConflictInfoDto + { + public bool HasConflict { get; init; } + public double Severity { get; init; } + public string SuggestedPath { get; init; } = string.Empty; + public IReadOnlyList Conflicts { get; init; } = []; + } + + private sealed record ConflictDetailDto + { + public string Signal1 { get; init; } = string.Empty; + public string Signal2 { get; init; } = string.Empty; + public string Type { get; init; } = string.Empty; + public string Description { get; init; } = string.Empty; + public double Severity { get; init; } + } + + private sealed record UnknownProof + { + public Guid Id { get; init; } + public string? FingerprintId { get; init; } + public string PackageId { get; init; } = string.Empty; + public string PackageVersion { get; init; } = string.Empty; + public string Band { get; init; } = string.Empty; + public decimal Score { get; init; } + public string ReasonCode { get; init; } = string.Empty; + public IReadOnlyList Triggers { get; init; } = []; + public IReadOnlyList EvidenceRefs { get; init; } = []; + public string? ObservationState { get; init; } + public ConflictInfoDto? ConflictInfo { get; init; } + } + + private sealed record TriageRequest(string Action, string Reason, int? DurationDays); + #endregion } diff --git a/src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs b/src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs index 5283a6748..3dd5ace75 100644 --- a/src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs +++ b/src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs @@ -4909,4 +4909,98 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient }; } } + + // Sprint: SPRINT_20260112_014_CLI_witness_commands (CLI-WIT-001) + + /// + public async Task ListWitnessesAsync(WitnessListRequest request, CancellationToken cancellationToken) + { + ArgumentNullException.ThrowIfNull(request); + EnsureBackendConfigured(); + + var queryParams = new List(); + if (!string.IsNullOrWhiteSpace(request.ScanId)) + queryParams.Add($"scan_id={Uri.EscapeDataString(request.ScanId)}"); + if (!string.IsNullOrWhiteSpace(request.VulnerabilityId)) + queryParams.Add($"vuln_id={Uri.EscapeDataString(request.VulnerabilityId)}"); + if (!string.IsNullOrWhiteSpace(request.ComponentPurl)) + queryParams.Add($"purl={Uri.EscapeDataString(request.ComponentPurl)}"); + if (!string.IsNullOrWhiteSpace(request.PredicateType)) + queryParams.Add($"predicate_type={Uri.EscapeDataString(request.PredicateType)}"); + if (request.Limit.HasValue) + queryParams.Add($"limit={request.Limit.Value}"); + if (!string.IsNullOrWhiteSpace(request.ContinuationToken)) + queryParams.Add($"continuation={Uri.EscapeDataString(request.ContinuationToken)}"); + + var url = "api/witnesses"; + if (queryParams.Count > 0) + url += "?" + string.Join("&", queryParams); + + using var httpRequest = CreateRequest(HttpMethod.Get, url); + ApplyTenantHeader(httpRequest, request.TenantId); + + var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false); + response.EnsureSuccessStatusCode(); + + return await response.Content.ReadFromJsonAsync(SerializerOptions, cancellationToken).ConfigureAwait(false) + ?? new WitnessListResponse(); + } + + /// + public async Task GetWitnessAsync(string witnessId, CancellationToken cancellationToken) + { + ArgumentException.ThrowIfNullOrWhiteSpace(witnessId); + EnsureBackendConfigured(); + + var url = $"api/witnesses/{Uri.EscapeDataString(witnessId)}"; + using var httpRequest = CreateRequest(HttpMethod.Get, url); + + var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false); + + if (response.StatusCode == HttpStatusCode.NotFound) + return null; + + response.EnsureSuccessStatusCode(); + + return await response.Content.ReadFromJsonAsync(SerializerOptions, cancellationToken).ConfigureAwait(false); + } + + /// + public async Task VerifyWitnessAsync(string witnessId, CancellationToken cancellationToken) + { + ArgumentException.ThrowIfNullOrWhiteSpace(witnessId); + EnsureBackendConfigured(); + + var url = $"api/witnesses/{Uri.EscapeDataString(witnessId)}/verify"; + using var httpRequest = CreateRequest(HttpMethod.Post, url); + + var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false); + response.EnsureSuccessStatusCode(); + + return await response.Content.ReadFromJsonAsync(SerializerOptions, cancellationToken).ConfigureAwait(false) + ?? new WitnessVerifyResponse { Verified = false, Status = "unknown", Message = "Empty response from server" }; + } + + /// + public async Task DownloadWitnessAsync(string witnessId, WitnessExportFormat format, CancellationToken cancellationToken) + { + ArgumentException.ThrowIfNullOrWhiteSpace(witnessId); + EnsureBackendConfigured(); + + var formatParam = format switch + { + WitnessExportFormat.Json => "json", + WitnessExportFormat.Dsse => "dsse", + WitnessExportFormat.Sarif => "sarif", + _ => "json" + }; + + var url = $"api/witnesses/{Uri.EscapeDataString(witnessId)}/export?format={formatParam}"; + using var httpRequest = CreateRequest(HttpMethod.Get, url); + + var response = await _httpClient.SendAsync(httpRequest, HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false); + response.EnsureSuccessStatusCode(); + + return await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false); + } } diff --git a/src/Cli/StellaOps.Cli/Services/IBackendOperationsClient.cs b/src/Cli/StellaOps.Cli/Services/IBackendOperationsClient.cs index 3aeb3d5e7..156b22543 100644 --- a/src/Cli/StellaOps.Cli/Services/IBackendOperationsClient.cs +++ b/src/Cli/StellaOps.Cli/Services/IBackendOperationsClient.cs @@ -136,4 +136,11 @@ internal interface IBackendOperationsClient // SDIFF-BIN-030: SARIF export Task GetScanSarifAsync(string scanId, bool includeHardening, bool includeReachability, string? minSeverity, CancellationToken cancellationToken); + + // Sprint: SPRINT_20260112_014_CLI_witness_commands (CLI-WIT-001) + // Witness operations + Task ListWitnessesAsync(WitnessListRequest request, CancellationToken cancellationToken); + Task GetWitnessAsync(string witnessId, CancellationToken cancellationToken); + Task VerifyWitnessAsync(string witnessId, CancellationToken cancellationToken); + Task DownloadWitnessAsync(string witnessId, WitnessExportFormat format, CancellationToken cancellationToken); } diff --git a/src/Cli/StellaOps.Cli/Services/Models/WitnessModels.cs b/src/Cli/StellaOps.Cli/Services/Models/WitnessModels.cs new file mode 100644 index 000000000..7b683440a --- /dev/null +++ b/src/Cli/StellaOps.Cli/Services/Models/WitnessModels.cs @@ -0,0 +1,468 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_014_CLI_witness_commands (CLI-WIT-001) +// + +using System.Text.Json.Serialization; + +namespace StellaOps.Cli.Services.Models; + +/// +/// Request for listing witnesses. +/// +public sealed record WitnessListRequest +{ + /// + /// Filter by scan ID. + /// + public string? ScanId { get; init; } + + /// + /// Filter by vulnerability ID (e.g., CVE-2024-1234). + /// + public string? VulnerabilityId { get; init; } + + /// + /// Filter by component PURL. + /// + public string? ComponentPurl { get; init; } + + /// + /// Filter by predicate type. + /// + public string? PredicateType { get; init; } + + /// + /// Maximum number of results. + /// + public int? Limit { get; init; } + + /// + /// Continuation token for pagination. + /// + public string? ContinuationToken { get; init; } + + /// + /// Tenant ID. + /// + public string? TenantId { get; init; } +} + +/// +/// Response for listing witnesses. +/// +public sealed record WitnessListResponse +{ + /// + /// List of witness summaries. + /// + [JsonPropertyName("witnesses")] + public IReadOnlyList Witnesses { get; init; } = []; + + /// + /// Continuation token for next page. + /// + [JsonPropertyName("continuation_token")] + public string? ContinuationToken { get; init; } + + /// + /// Total count of matching witnesses. + /// + [JsonPropertyName("total_count")] + public int TotalCount { get; init; } +} + +/// +/// Summary of a witness for list views. +/// +public sealed record WitnessSummary +{ + /// + /// Content-addressed witness ID. + /// + [JsonPropertyName("witness_id")] + public required string WitnessId { get; init; } + + /// + /// Vulnerability ID. + /// + [JsonPropertyName("vulnerability_id")] + public string? VulnerabilityId { get; init; } + + /// + /// Component PURL. + /// + [JsonPropertyName("component_purl")] + public string? ComponentPurl { get; init; } + + /// + /// Entrypoint name. + /// + [JsonPropertyName("entrypoint")] + public string? Entrypoint { get; init; } + + /// + /// Sink symbol. + /// + [JsonPropertyName("sink")] + public string? Sink { get; init; } + + /// + /// Path length. + /// + [JsonPropertyName("path_length")] + public int PathLength { get; init; } + + /// + /// Predicate type URI. + /// + [JsonPropertyName("predicate_type")] + public string? PredicateType { get; init; } + + /// + /// Whether the witness has a valid DSSE signature. + /// + [JsonPropertyName("is_signed")] + public bool IsSigned { get; init; } + + /// + /// When the witness was created. + /// + [JsonPropertyName("created_at")] + public DateTimeOffset CreatedAt { get; init; } +} + +/// +/// Detailed witness response. +/// +public sealed record WitnessDetailResponse +{ + /// + /// Schema version. + /// + [JsonPropertyName("witness_schema")] + public string? WitnessSchema { get; init; } + + /// + /// Content-addressed witness ID. + /// + [JsonPropertyName("witness_id")] + public required string WitnessId { get; init; } + + /// + /// Artifact information. + /// + [JsonPropertyName("artifact")] + public WitnessArtifactInfo? Artifact { get; init; } + + /// + /// Vulnerability information. + /// + [JsonPropertyName("vuln")] + public WitnessVulnInfo? Vuln { get; init; } + + /// + /// Entrypoint information. + /// + [JsonPropertyName("entrypoint")] + public WitnessEntrypointInfo? Entrypoint { get; init; } + + /// + /// Call path from entrypoint to sink. + /// + [JsonPropertyName("path")] + public IReadOnlyList? Path { get; init; } + + /// + /// Sink information. + /// + [JsonPropertyName("sink")] + public WitnessSinkInfo? Sink { get; init; } + + /// + /// Detected gates along the path. + /// + [JsonPropertyName("gates")] + public IReadOnlyList? Gates { get; init; } + + /// + /// Evidence digests. + /// + [JsonPropertyName("evidence")] + public WitnessEvidenceInfo? Evidence { get; init; } + + /// + /// When the witness was observed. + /// + [JsonPropertyName("observed_at")] + public DateTimeOffset ObservedAt { get; init; } + + /// + /// Path hash for deterministic joining. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash + /// + [JsonPropertyName("path_hash")] + public string? PathHash { get; init; } + + /// + /// Top-K node hashes along the path. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash + /// + [JsonPropertyName("node_hashes")] + public IReadOnlyList? NodeHashes { get; init; } + + /// + /// Evidence URIs for traceability. + /// + [JsonPropertyName("evidence_uris")] + public IReadOnlyList? EvidenceUris { get; init; } + + /// + /// Predicate type URI. + /// + [JsonPropertyName("predicate_type")] + public string? PredicateType { get; init; } + + /// + /// DSSE envelope if signed. + /// + [JsonPropertyName("dsse_envelope")] + public WitnessDsseEnvelope? DsseEnvelope { get; init; } +} + +/// +/// Artifact information in a witness. +/// +public sealed record WitnessArtifactInfo +{ + [JsonPropertyName("sbom_digest")] + public string? SbomDigest { get; init; } + + [JsonPropertyName("component_purl")] + public string? ComponentPurl { get; init; } +} + +/// +/// Vulnerability information in a witness. +/// +public sealed record WitnessVulnInfo +{ + [JsonPropertyName("id")] + public string? Id { get; init; } + + [JsonPropertyName("source")] + public string? Source { get; init; } + + [JsonPropertyName("affected_range")] + public string? AffectedRange { get; init; } +} + +/// +/// Entrypoint information in a witness. +/// +public sealed record WitnessEntrypointInfo +{ + [JsonPropertyName("kind")] + public string? Kind { get; init; } + + [JsonPropertyName("name")] + public string? Name { get; init; } + + [JsonPropertyName("symbol_id")] + public string? SymbolId { get; init; } +} + +/// +/// A step in the call path. +/// +public sealed record WitnessPathStep +{ + [JsonPropertyName("symbol")] + public string? Symbol { get; init; } + + [JsonPropertyName("symbol_id")] + public string? SymbolId { get; init; } + + [JsonPropertyName("file")] + public string? File { get; init; } + + [JsonPropertyName("line")] + public int? Line { get; init; } +} + +/// +/// Sink information in a witness. +/// +public sealed record WitnessSinkInfo +{ + [JsonPropertyName("symbol")] + public string? Symbol { get; init; } + + [JsonPropertyName("symbol_id")] + public string? SymbolId { get; init; } + + [JsonPropertyName("sink_type")] + public string? SinkType { get; init; } +} + +/// +/// Gate (guard/control) information in a witness. +/// +public sealed record WitnessGateInfo +{ + [JsonPropertyName("type")] + public string? Type { get; init; } + + [JsonPropertyName("guard_symbol")] + public string? GuardSymbol { get; init; } + + [JsonPropertyName("confidence")] + public double Confidence { get; init; } + + [JsonPropertyName("detail")] + public string? Detail { get; init; } +} + +/// +/// Evidence information in a witness. +/// +public sealed record WitnessEvidenceInfo +{ + [JsonPropertyName("callgraph_digest")] + public string? CallgraphDigest { get; init; } + + [JsonPropertyName("surface_digest")] + public string? SurfaceDigest { get; init; } + + [JsonPropertyName("analysis_config_digest")] + public string? AnalysisConfigDigest { get; init; } + + [JsonPropertyName("build_id")] + public string? BuildId { get; init; } +} + +/// +/// DSSE envelope information. +/// +public sealed record WitnessDsseEnvelope +{ + [JsonPropertyName("payload_type")] + public string? PayloadType { get; init; } + + [JsonPropertyName("payload")] + public string? Payload { get; init; } + + [JsonPropertyName("signatures")] + public IReadOnlyList? Signatures { get; init; } +} + +/// +/// DSSE signature information. +/// +public sealed record WitnessDsseSignature +{ + [JsonPropertyName("keyid")] + public string? KeyId { get; init; } + + [JsonPropertyName("sig")] + public string? Signature { get; init; } +} + +/// +/// Response for witness verification. +/// +public sealed record WitnessVerifyResponse +{ + /// + /// Whether verification succeeded. + /// + [JsonPropertyName("verified")] + public bool Verified { get; init; } + + /// + /// Verification status code. + /// + [JsonPropertyName("status")] + public string? Status { get; init; } + + /// + /// Detailed verification message. + /// + [JsonPropertyName("message")] + public string? Message { get; init; } + + /// + /// DSSE verification details. + /// + [JsonPropertyName("dsse")] + public WitnessDsseVerifyInfo? Dsse { get; init; } + + /// + /// Content hash verification. + /// + [JsonPropertyName("content_hash")] + public WitnessContentHashInfo? ContentHash { get; init; } + + /// + /// Verification timestamp. + /// + [JsonPropertyName("verified_at")] + public DateTimeOffset VerifiedAt { get; init; } +} + +/// +/// DSSE verification details. +/// +public sealed record WitnessDsseVerifyInfo +{ + [JsonPropertyName("envelope_valid")] + public bool EnvelopeValid { get; init; } + + [JsonPropertyName("signature_count")] + public int SignatureCount { get; init; } + + [JsonPropertyName("valid_signatures")] + public int ValidSignatures { get; init; } + + [JsonPropertyName("signer_identities")] + public IReadOnlyList? SignerIdentities { get; init; } + + [JsonPropertyName("predicate_type")] + public string? PredicateType { get; init; } +} + +/// +/// Content hash verification details. +/// +public sealed record WitnessContentHashInfo +{ + [JsonPropertyName("expected")] + public string? Expected { get; init; } + + [JsonPropertyName("actual")] + public string? Actual { get; init; } + + [JsonPropertyName("match")] + public bool Match { get; init; } +} + +/// +/// Export format for witnesses. +/// +public enum WitnessExportFormat +{ + /// + /// Raw JSON witness payload. + /// + Json, + + /// + /// DSSE-signed envelope. + /// + Dsse, + + /// + /// SARIF format. + /// + Sarif +} diff --git a/src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ConfigCommandTests.cs b/src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ConfigCommandTests.cs new file mode 100644 index 000000000..210dacf30 --- /dev/null +++ b/src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ConfigCommandTests.cs @@ -0,0 +1,203 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_014_CLI_config_viewer (CLI-CONFIG-014) +// + +using StellaOps.Cli.Commands; +using StellaOps.TestKit; +using Xunit; + +namespace StellaOps.Cli.Tests.Commands; + +[Trait("Category", TestCategories.Unit)] +public class ConfigCommandTests +{ + [Fact] + public void ConfigCatalog_GetAll_ReturnsNonEmptyList() + { + // Act + var entries = ConfigCatalog.GetAll(); + + // Assert + Assert.NotEmpty(entries); + Assert.True(entries.Count > 50, "Expected at least 50 config entries"); + } + + [Fact] + public void ConfigCatalog_GetAll_EntriesHaveRequiredProperties() + { + // Act + var entries = ConfigCatalog.GetAll(); + + // Assert + foreach (var entry in entries) + { + Assert.False(string.IsNullOrWhiteSpace(entry.Path), "Path should not be empty"); + Assert.False(string.IsNullOrWhiteSpace(entry.SectionName), "SectionName should not be empty"); + Assert.False(string.IsNullOrWhiteSpace(entry.Category), "Category should not be empty"); + Assert.False(string.IsNullOrWhiteSpace(entry.Description), "Description should not be empty"); + Assert.NotNull(entry.Aliases); + } + } + + [Fact] + public void ConfigCatalog_GetAll_PathsAreLowerCase() + { + // Act + var entries = ConfigCatalog.GetAll(); + + // Assert - paths should be lowercase for determinism + foreach (var entry in entries) + { + Assert.Equal(entry.Path.ToLowerInvariant(), entry.Path); + } + } + + [Fact] + public void ConfigCatalog_GetAll_NoDuplicatePaths() + { + // Act + var entries = ConfigCatalog.GetAll(); + var paths = entries.Select(e => e.Path).ToList(); + + // Assert + var duplicates = paths.GroupBy(p => p).Where(g => g.Count() > 1).Select(g => g.Key).ToList(); + Assert.Empty(duplicates); + } + + [Theory] + [InlineData("policy.determinization")] + [InlineData("pol.det")] + [InlineData("determinization")] + [InlineData("scanner")] + [InlineData("scan")] + [InlineData("notifier")] + [InlineData("notify")] + public void ConfigCatalog_Find_ByPathOrAlias_ReturnsEntry(string pathOrAlias) + { + // Act + var entry = ConfigCatalog.Find(pathOrAlias); + + // Assert + Assert.NotNull(entry); + } + + [Theory] + [InlineData("POLICY.DETERMINIZATION")] + [InlineData("Policy.Determinization")] + [InlineData("POL.DET")] + public void ConfigCatalog_Find_IsCaseInsensitive(string pathOrAlias) + { + // Act + var entry = ConfigCatalog.Find(pathOrAlias); + + // Assert + Assert.NotNull(entry); + Assert.Equal("policy.determinization", entry.Path); + } + + [Theory] + [InlineData("policy:determinization")] + [InlineData("policy.determinization")] + public void ConfigCatalog_Find_TreatsColonAndDotAsEquivalent(string pathOrAlias) + { + // Act + var entry = ConfigCatalog.Find(pathOrAlias); + + // Assert + Assert.NotNull(entry); + Assert.Equal("policy.determinization", entry.Path); + } + + [Theory] + [InlineData("nonexistent")] + [InlineData("foo.bar.baz")] + [InlineData("")] + public void ConfigCatalog_Find_UnknownPath_ReturnsNull(string pathOrAlias) + { + // Act + var entry = ConfigCatalog.Find(pathOrAlias); + + // Assert + Assert.Null(entry); + } + + [Fact] + public void ConfigCatalog_GetCategories_ReturnsExpectedCategories() + { + // Act + var categories = ConfigCatalog.GetCategories(); + + // Assert + Assert.Contains("Policy", categories); + Assert.Contains("Scanner", categories); + Assert.Contains("Notifier", categories); + Assert.Contains("Attestor", categories); + } + + [Fact] + public void ConfigCatalog_GetCategories_IsSorted() + { + // Act + var categories = ConfigCatalog.GetCategories(); + + // Assert + var sorted = categories.OrderBy(c => c).ToList(); + Assert.Equal(sorted, categories); + } + + [Fact] + public void ConfigCatalog_PolicyDeterminization_HasApiEndpoint() + { + // Act + var entry = ConfigCatalog.Find("policy.determinization"); + + // Assert + Assert.NotNull(entry); + Assert.NotNull(entry.ApiEndpoint); + Assert.Contains("/api/policy/config/determinization", entry.ApiEndpoint); + } + + [Fact] + public void ConfigCatalog_Entries_HaveConsistentCategoryNaming() + { + // Act + var entries = ConfigCatalog.GetAll(); + var categories = entries.Select(e => e.Category).Distinct().ToList(); + + // Assert - categories should be PascalCase + foreach (var category in categories) + { + Assert.Matches("^[A-Z][a-zA-Z]*$", category); + } + } + + [Fact] + public void ConfigCatalog_AllAliases_AreUnique() + { + // Act + var entries = ConfigCatalog.GetAll(); + var allAliases = entries.SelectMany(e => e.Aliases).ToList(); + + // Assert - aliases should not collide + var duplicates = allAliases + .GroupBy(a => a.ToLowerInvariant()) + .Where(g => g.Count() > 1) + .Select(g => g.Key) + .ToList(); + Assert.Empty(duplicates); + } + + [Fact] + public void ConfigCatalog_AliasesDontOverlapWithPaths() + { + // Act + var entries = ConfigCatalog.GetAll(); + var paths = entries.Select(e => e.Path.ToLowerInvariant()).ToHashSet(); + var aliases = entries.SelectMany(e => e.Aliases.Select(a => a.ToLowerInvariant())).ToList(); + + // Assert - aliases should not match any path (to avoid ambiguity) + var overlaps = aliases.Where(a => paths.Contains(a)).ToList(); + Assert.Empty(overlaps); + } +} diff --git a/src/Cli/__Tests/StellaOps.Cli.Tests/Commands/UnknownsGreyQueueCommandTests.cs b/src/Cli/__Tests/StellaOps.Cli.Tests/Commands/UnknownsGreyQueueCommandTests.cs new file mode 100644 index 000000000..4ff2b98c5 --- /dev/null +++ b/src/Cli/__Tests/StellaOps.Cli.Tests/Commands/UnknownsGreyQueueCommandTests.cs @@ -0,0 +1,341 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_010_CLI_unknowns_grey_queue_cli (CLI-UNK-005) +// + +using System.Net; +using System.Net.Http.Json; +using System.Text.Json; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging.Abstractions; +using Moq; +using Moq.Protected; +using StellaOps.Cli.Commands; +using StellaOps.TestKit; +using Xunit; + +namespace StellaOps.Cli.Tests.Commands; + +[Trait("Category", TestCategories.Unit)] +public class UnknownsGreyQueueCommandTests +{ + private readonly Mock _httpClientFactoryMock; + private readonly Mock _httpHandlerMock; + private readonly IServiceProvider _services; + + public UnknownsGreyQueueCommandTests() + { + _httpHandlerMock = new Mock(); + _httpClientFactoryMock = new Mock(); + + var httpClient = new HttpClient(_httpHandlerMock.Object) + { + BaseAddress = new Uri("http://localhost:8080") + }; + + _httpClientFactoryMock + .Setup(f => f.CreateClient("PolicyApi")) + .Returns(httpClient); + + var services = new ServiceCollection(); + services.AddSingleton(_httpClientFactoryMock.Object); + services.AddSingleton(NullLoggerFactory.Instance); + _services = services.BuildServiceProvider(); + } + + [Fact] + public void UnknownsSummaryResponse_DeserializesCorrectly() + { + // Arrange + var json = """ + { + "hot": 5, + "warm": 10, + "cold": 25, + "resolved": 100, + "total": 140 + } + """; + + // Act + var response = JsonSerializer.Deserialize(json, new JsonSerializerOptions + { + PropertyNameCaseInsensitive = true + }); + + // Assert + Assert.NotNull(response); + Assert.Equal(5, response.Hot); + Assert.Equal(10, response.Warm); + Assert.Equal(25, response.Cold); + Assert.Equal(100, response.Resolved); + Assert.Equal(140, response.Total); + } + + [Fact] + public void UnknownDto_WithGreyQueueFields_DeserializesCorrectly() + { + // Arrange + var json = """ + { + "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "packageId": "pkg:npm/lodash", + "packageVersion": "4.17.21", + "band": "hot", + "score": 85.5, + "uncertaintyFactor": 0.7, + "exploitPressure": 0.9, + "firstSeenAt": "2026-01-10T12:00:00Z", + "lastEvaluatedAt": "2026-01-15T08:00:00Z", + "reasonCode": "Reachability", + "reasonCodeShort": "U-RCH", + "fingerprintId": "sha256:abc123", + "triggers": [ + { + "eventType": "epss.updated", + "eventVersion": 1, + "source": "concelier", + "receivedAt": "2026-01-15T07:00:00Z", + "correlationId": "corr-123" + } + ], + "nextActions": ["request_vex", "verify_reachability"], + "conflictInfo": { + "hasConflict": true, + "severity": 0.8, + "suggestedPath": "RequireManualReview", + "conflicts": [ + { + "signal1": "VEX:not_affected", + "signal2": "Reachability:reachable", + "type": "VexReachabilityContradiction", + "description": "VEX says not affected but reachability shows path", + "severity": 0.8 + } + ] + }, + "observationState": "Disputed" + } + """; + + // Act + var unknown = JsonSerializer.Deserialize(json, new JsonSerializerOptions + { + PropertyNameCaseInsensitive = true + }); + + // Assert + Assert.NotNull(unknown); + Assert.Equal("pkg:npm/lodash", unknown.PackageId); + Assert.Equal("4.17.21", unknown.PackageVersion); + Assert.Equal("hot", unknown.Band); + Assert.Equal(85.5m, unknown.Score); + Assert.Equal("sha256:abc123", unknown.FingerprintId); + Assert.NotNull(unknown.Triggers); + Assert.Single(unknown.Triggers); + Assert.Equal("epss.updated", unknown.Triggers[0].EventType); + Assert.Equal(1, unknown.Triggers[0].EventVersion); + Assert.NotNull(unknown.NextActions); + Assert.Equal(2, unknown.NextActions.Count); + Assert.Contains("request_vex", unknown.NextActions); + Assert.NotNull(unknown.ConflictInfo); + Assert.True(unknown.ConflictInfo.HasConflict); + Assert.Equal(0.8, unknown.ConflictInfo.Severity); + Assert.Equal("RequireManualReview", unknown.ConflictInfo.SuggestedPath); + Assert.Single(unknown.ConflictInfo.Conflicts); + Assert.Equal("Disputed", unknown.ObservationState); + } + + [Fact] + public void UnknownProof_HasDeterministicStructure() + { + // Arrange + var proof = new TestUnknownProof + { + Id = Guid.Parse("a1b2c3d4-e5f6-7890-abcd-ef1234567890"), + FingerprintId = "sha256:abc123", + PackageId = "pkg:npm/lodash", + PackageVersion = "4.17.21", + Band = "hot", + Score = 85.5m, + ReasonCode = "Reachability", + Triggers = new List + { + new() { EventType = "vex.updated", EventVersion = 1, ReceivedAt = DateTimeOffset.Parse("2026-01-15T08:00:00Z") }, + new() { EventType = "epss.updated", EventVersion = 1, ReceivedAt = DateTimeOffset.Parse("2026-01-15T07:00:00Z") } + }, + EvidenceRefs = new List + { + new() { Type = "sbom", Uri = "oci://registry/sbom@sha256:def" }, + new() { Type = "attestation", Uri = "oci://registry/att@sha256:ghi" } + }, + ObservationState = "PendingDeterminization" + }; + + // Act + var json = JsonSerializer.Serialize(proof, new JsonSerializerOptions { WriteIndented = true }); + + // Assert + Assert.Contains("\"fingerprintId\"", json.ToLowerInvariant()); + Assert.Contains("\"triggers\"", json.ToLowerInvariant()); + Assert.Contains("\"evidencerefs\"", json.ToLowerInvariant()); + Assert.Contains("\"observationstate\"", json.ToLowerInvariant()); + } + + [Theory] + [InlineData("accept-risk")] + [InlineData("require-fix")] + [InlineData("defer")] + [InlineData("escalate")] + [InlineData("dispute")] + public void TriageAction_ValidActions_AreRecognized(string action) + { + // Arrange + var validActions = new[] { "accept-risk", "require-fix", "defer", "escalate", "dispute" }; + + // Act & Assert + Assert.Contains(action, validActions); + } + + [Theory] + [InlineData("invalid")] + [InlineData("approve")] + [InlineData("reject")] + [InlineData("")] + public void TriageAction_InvalidActions_AreNotRecognized(string action) + { + // Arrange + var validActions = new[] { "accept-risk", "require-fix", "defer", "escalate", "dispute" }; + + // Act & Assert + Assert.DoesNotContain(action, validActions); + } + + [Fact] + public void TriageRequest_SerializesCorrectly() + { + // Arrange + var request = new TestTriageRequest("accept-risk", "Low priority, mitigated by WAF", 90); + + // Act + var json = JsonSerializer.Serialize(request, new JsonSerializerOptions + { + PropertyNamingPolicy = JsonNamingPolicy.CamelCase + }); + + // Assert + Assert.Contains("\"action\":\"accept-risk\"", json); + Assert.Contains("\"reason\":\"Low priority, mitigated by WAF\"", json); + Assert.Contains("\"durationDays\":90", json); + } + + [Fact] + public void ExportFormat_CsvEscaping_HandlesSpecialCharacters() + { + // Arrange + var testCases = new[] + { + ("simple", "simple"), + ("with,comma", "\"with,comma\""), + ("with\"quote", "\"with\"\"quote\""), + ("with\nnewline", "\"with\nnewline\""), + ("normal-value", "normal-value") + }; + + // Act & Assert + foreach (var (input, expected) in testCases) + { + var result = EscapeCsv(input); + Assert.Equal(expected, result); + } + } + + private static string EscapeCsv(string value) + { + if (value.Contains(',') || value.Contains('"') || value.Contains('\n')) + { + return $"\"{value.Replace("\"", "\"\"")}\""; + } + return value; + } + + // Test DTOs matching the CLI internal types + private sealed record TestUnknownsSummaryResponse + { + public int Hot { get; init; } + public int Warm { get; init; } + public int Cold { get; init; } + public int Resolved { get; init; } + public int Total { get; init; } + } + + private sealed record TestUnknownDto + { + public Guid Id { get; init; } + public string PackageId { get; init; } = string.Empty; + public string PackageVersion { get; init; } = string.Empty; + public string Band { get; init; } = string.Empty; + public decimal Score { get; init; } + public decimal UncertaintyFactor { get; init; } + public decimal ExploitPressure { get; init; } + public DateTimeOffset FirstSeenAt { get; init; } + public DateTimeOffset LastEvaluatedAt { get; init; } + public string ReasonCode { get; init; } = string.Empty; + public string ReasonCodeShort { get; init; } = string.Empty; + public string? FingerprintId { get; init; } + public IReadOnlyList? Triggers { get; init; } + public IReadOnlyList? NextActions { get; init; } + public TestConflictInfoDto? ConflictInfo { get; init; } + public string? ObservationState { get; init; } + } + + private sealed record TestTriggerDto + { + public string EventType { get; init; } = string.Empty; + public int EventVersion { get; init; } + public string? Source { get; init; } + public DateTimeOffset ReceivedAt { get; init; } + public string? CorrelationId { get; init; } + } + + private sealed record TestConflictInfoDto + { + public bool HasConflict { get; init; } + public double Severity { get; init; } + public string SuggestedPath { get; init; } = string.Empty; + public IReadOnlyList Conflicts { get; init; } = []; + } + + private sealed record TestConflictDetailDto + { + public string Signal1 { get; init; } = string.Empty; + public string Signal2 { get; init; } = string.Empty; + public string Type { get; init; } = string.Empty; + public string Description { get; init; } = string.Empty; + public double Severity { get; init; } + } + + private sealed record TestEvidenceRefDto + { + public string Type { get; init; } = string.Empty; + public string Uri { get; init; } = string.Empty; + public string? Digest { get; init; } + } + + private sealed record TestUnknownProof + { + public Guid Id { get; init; } + public string? FingerprintId { get; init; } + public string PackageId { get; init; } = string.Empty; + public string PackageVersion { get; init; } = string.Empty; + public string Band { get; init; } = string.Empty; + public decimal Score { get; init; } + public string ReasonCode { get; init; } = string.Empty; + public IReadOnlyList Triggers { get; init; } = []; + public IReadOnlyList EvidenceRefs { get; init; } = []; + public string? ObservationState { get; init; } + public TestConflictInfoDto? ConflictInfo { get; init; } + } + + private sealed record TestTriageRequest(string Action, string Reason, int? DurationDays); +} diff --git a/src/Cli/__Tests/StellaOps.Cli.Tests/OpenPrCommandTests.cs b/src/Cli/__Tests/StellaOps.Cli.Tests/OpenPrCommandTests.cs new file mode 100644 index 000000000..943e4fc8e --- /dev/null +++ b/src/Cli/__Tests/StellaOps.Cli.Tests/OpenPrCommandTests.cs @@ -0,0 +1,244 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_011_CLI_evidence_card_remediate_cli (REMPR-CLI-003) +// Task: REMPR-CLI-003 - CLI tests for open-pr command + +using System.CommandLine; +using System.CommandLine.Parsing; +using Xunit; +using StellaOps.TestKit; +using StellaOps.Cli.Extensions; + +namespace StellaOps.Cli.Tests; + +/// +/// Tests for the `stella advise open-pr` command argument validation and structure. +/// These tests verify the command structure and argument parsing behavior. +/// +[Trait("Category", TestCategories.Unit)] +public class OpenPrCommandTests +{ + [Fact] + public void OpenPrCommand_ShouldRequirePlanIdArgument() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + + // Act + var result = openPrCommand.Parse(""); + + // Assert + Assert.NotEmpty(result.Errors); + } + + [Fact] + public void OpenPrCommand_ShouldAcceptPlanIdArgument() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + + // Act + var result = openPrCommand.Parse("plan-abc123"); + + // Assert - should have no parse errors + Assert.Empty(result.Errors); + } + + [Fact] + public void OpenPrCommand_ShouldHaveScmTypeOption() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + + // Act - find any option that responds to --scm-type + var result = openPrCommand.Parse("plan-abc123 --scm-type gitlab"); + + // Assert - should parse without errors + Assert.Empty(result.Errors); + } + + [Fact] + public void OpenPrCommand_ShouldDefaultScmTypeToGithub() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + var scmOption = openPrCommand.Options.OfType>().First(o => o.Aliases.Contains("--scm-type")); + + // Act + var result = openPrCommand.Parse("plan-abc123"); + var scmType = result.GetValue(scmOption); + + // Assert + Assert.Equal("github", scmType); + } + + [Fact] + public void OpenPrCommand_ShouldAcceptCustomScmType() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + var scmOption = openPrCommand.Options.OfType>().First(o => o.Aliases.Contains("--scm-type")); + + // Act + var result = openPrCommand.Parse("plan-abc123 --scm-type gitlab"); + var scmType = result.GetValue(scmOption); + + // Assert + Assert.Equal("gitlab", scmType); + } + + [Fact] + public void OpenPrCommand_ShouldAcceptShortScmTypeAlias() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + var scmOption = openPrCommand.Options.OfType>().First(o => o.Aliases.Contains("--scm-type")); + + // Act + var result = openPrCommand.Parse("plan-abc123 -s azure-devops"); + var scmType = result.GetValue(scmOption); + + // Assert + Assert.Equal("azure-devops", scmType); + } + + [Fact] + public void OpenPrCommand_ShouldHaveOutputFormatOption() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + + // Act - find any option that responds to --output + var result = openPrCommand.Parse("plan-abc123 --output json"); + + // Assert - should parse without errors + Assert.Empty(result.Errors); + } + + [Fact] + public void OpenPrCommand_ShouldDefaultOutputFormatToTable() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + var outputOption = openPrCommand.Options.OfType>().First(o => o.Aliases.Contains("--output")); + + // Act + var result = openPrCommand.Parse("plan-abc123"); + var outputFormat = result.GetValue(outputOption); + + // Assert + Assert.Equal("table", outputFormat); + } + + [Fact] + public void OpenPrCommand_ShouldAcceptJsonOutputFormat() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + var outputOption = openPrCommand.Options.OfType>().First(o => o.Aliases.Contains("--output")); + + // Act + var result = openPrCommand.Parse("plan-abc123 --output json"); + var outputFormat = result.GetValue(outputOption); + + // Assert + Assert.Equal("json", outputFormat); + } + + [Fact] + public void OpenPrCommand_ShouldAcceptMarkdownOutputFormat() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + var outputOption = openPrCommand.Options.OfType>().First(o => o.Aliases.Contains("--output")); + + // Act + var result = openPrCommand.Parse("plan-abc123 -o markdown"); + var outputFormat = result.GetValue(outputOption); + + // Assert + Assert.Equal("markdown", outputFormat); + } + + [Fact] + public void OpenPrCommand_ShouldHaveVerboseOption() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + + // Act + var result = openPrCommand.Parse("plan-abc123 --verbose"); + + // Assert + Assert.Empty(result.Errors); + } + + [Fact] + public void OpenPrCommand_ShouldParseAllOptionsCorrectly() + { + // Arrange + var openPrCommand = BuildOpenPrCommand(); + + // Act + var result = openPrCommand.Parse("plan-test-789 --scm-type azure-devops --output json --verbose"); + + // Assert + Assert.Empty(result.Errors); + + var planIdArg = openPrCommand.Arguments.OfType>().First(a => a.Name == "plan-id"); + Assert.NotNull(planIdArg); + Assert.Equal("plan-test-789", result.GetValue(planIdArg)); + + var scmOption = openPrCommand.Options.OfType>().First(o => o.Aliases.Contains("--scm-type")); + Assert.NotNull(scmOption); + Assert.Equal("azure-devops", result.GetValue(scmOption)); + + var outputOption = openPrCommand.Options.OfType>().First(o => o.Aliases.Contains("--output")); + Assert.NotNull(outputOption); + Assert.Equal("json", result.GetValue(outputOption)); + + var verboseOption = openPrCommand.Options.OfType>().First(o => o.Aliases.Contains("--verbose")); + Assert.NotNull(verboseOption); + Assert.True(result.GetValue(verboseOption)); + } + + /// + /// Build the open-pr command structure for testing. + /// This mirrors the structure in CommandFactory.BuildOpenPrCommand. + /// Note: Defaults are verified through the actual parsing behavior, not Option properties. + /// + private static Command BuildOpenPrCommand() + { + var planIdArg = new Argument("plan-id") + { + Description = "Remediation plan ID to apply" + }; + + // Use correct System.CommandLine 2.x constructors + var scmTypeOption = new Option("--scm-type", new[] { "-s" }) + { + Description = "SCM type (github, gitlab, azure-devops, gitea)" + }; + scmTypeOption.SetDefaultValue("github"); + + var outputOption = new Option("--output", new[] { "-o" }) + { + Description = "Output format: table (default), json, markdown" + }; + outputOption.SetDefaultValue("table"); + + var verboseOption = new Option("--verbose", new[] { "-v" }) + { + Description = "Enable verbose output" + }; + + var openPrCommand = new Command("open-pr", "Apply a remediation plan by creating a PR/MR in the target SCM") + { + planIdArg, + scmTypeOption, + outputOption, + verboseOption + }; + + return openPrCommand; + } +} diff --git a/src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj b/src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj index 8c20af8b1..3014117dd 100644 --- a/src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj +++ b/src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj @@ -17,6 +17,7 @@ + runtime; build; native; contentfiles; analyzers; buildtransitive all diff --git a/src/Concelier/seed-data b/src/Concelier/seed-data deleted file mode 120000 index 7929165ea..000000000 --- a/src/Concelier/seed-data +++ /dev/null @@ -1 +0,0 @@ -../../__Tests/__Datasets/seed-data diff --git a/src/Concelier/seed-data b/src/Concelier/seed-data new file mode 100644 index 000000000..7929165ea --- /dev/null +++ b/src/Concelier/seed-data @@ -0,0 +1 @@ +../../__Tests/__Datasets/seed-data diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props index 6f19728e5..5468d7a1f 100644 --- a/src/Directory.Packages.props +++ b/src/Directory.Packages.props @@ -3,7 +3,6 @@ true - @@ -184,4 +183,4 @@ - + \ No newline at end of file diff --git a/src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/Observations/VexStatementChangeEventTests.cs b/src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/Observations/VexStatementChangeEventTests.cs new file mode 100644 index 000000000..1d26479e9 --- /dev/null +++ b/src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/Observations/VexStatementChangeEventTests.cs @@ -0,0 +1,313 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_006_EXCITITOR_vex_change_events (EXC-VEX-004) +// + +using System; +using System.Collections.Immutable; +using StellaOps.Excititor.Core.Observations; +using Xunit; + +namespace StellaOps.Excititor.Core.Tests.Observations; + +[Trait("Category", "Unit")] +public sealed class VexStatementChangeEventTests +{ + private static readonly DateTimeOffset FixedTimestamp = new(2026, 1, 15, 10, 30, 0, TimeSpan.Zero); + + [Fact] + public void CreateStatementAdded_GeneratesDeterministicEventId() + { + // Arrange & Act + var event1 = VexStatementChangeEventFactory.CreateStatementAdded( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + status: "not_affected", + providerId: "vendor:redhat", + observationId: "default:redhat:VEX-2026-0001:v1", + occurredAtUtc: FixedTimestamp); + + var event2 = VexStatementChangeEventFactory.CreateStatementAdded( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + status: "not_affected", + providerId: "vendor:redhat", + observationId: "default:redhat:VEX-2026-0001:v1", + occurredAtUtc: FixedTimestamp); + + // Assert - Same inputs should produce same event ID + Assert.Equal(event1.EventId, event2.EventId); + Assert.StartsWith("vex-evt-", event1.EventId); + Assert.Equal(VexTimelineEventTypes.StatementAdded, event1.EventType); + } + + [Fact] + public void CreateStatementAdded_DifferentInputsProduceDifferentEventIds() + { + // Arrange & Act + var event1 = VexStatementChangeEventFactory.CreateStatementAdded( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + status: "not_affected", + providerId: "vendor:redhat", + observationId: "default:redhat:VEX-2026-0001:v1", + occurredAtUtc: FixedTimestamp); + + var event2 = VexStatementChangeEventFactory.CreateStatementAdded( + tenant: "default", + vulnerabilityId: "CVE-2026-5678", // Different CVE + productKey: "pkg:npm/lodash@4.17.21", + status: "not_affected", + providerId: "vendor:redhat", + observationId: "default:redhat:VEX-2026-0002:v1", + occurredAtUtc: FixedTimestamp); + + // Assert - Different inputs should produce different event IDs + Assert.NotEqual(event1.EventId, event2.EventId); + } + + [Fact] + public void CreateStatementSuperseded_IncludesSupersedesReference() + { + // Arrange & Act + var evt = VexStatementChangeEventFactory.CreateStatementSuperseded( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + status: "fixed", + previousStatus: "not_affected", + providerId: "vendor:redhat", + observationId: "default:redhat:VEX-2026-0001:v2", + supersedes: ImmutableArray.Create("default:redhat:VEX-2026-0001:v1"), + occurredAtUtc: FixedTimestamp); + + // Assert + Assert.Equal(VexTimelineEventTypes.StatementSuperseded, evt.EventType); + Assert.Equal("fixed", evt.NewStatus); + Assert.Equal("not_affected", evt.PreviousStatus); + Assert.Single(evt.Supersedes); + Assert.Equal("default:redhat:VEX-2026-0001:v1", evt.Supersedes[0]); + } + + [Fact] + public void CreateConflictDetected_IncludesConflictDetails() + { + // Arrange + var conflictingStatuses = ImmutableArray.Create( + new VexConflictingStatus + { + ProviderId = "vendor:redhat", + Status = "not_affected", + Justification = "CODE_NOT_REACHABLE", + TrustScore = 0.95 + }, + new VexConflictingStatus + { + ProviderId = "vendor:ubuntu", + Status = "affected", + Justification = null, + TrustScore = 0.85 + }); + + // Act + var evt = VexStatementChangeEventFactory.CreateConflictDetected( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + conflictType: "status_mismatch", + conflictingStatuses: conflictingStatuses, + occurredAtUtc: FixedTimestamp); + + // Assert + Assert.Equal(VexTimelineEventTypes.StatementConflict, evt.EventType); + Assert.NotNull(evt.ConflictDetails); + Assert.Equal("status_mismatch", evt.ConflictDetails!.ConflictType); + Assert.Equal(2, evt.ConflictDetails.ConflictingStatuses.Length); + Assert.False(evt.ConflictDetails.AutoResolved); + } + + [Fact] + public void ConflictDetails_SortsStatusesByProviderId() + { + // Arrange - Providers in wrong order + var conflictingStatuses = ImmutableArray.Create( + new VexConflictingStatus + { + ProviderId = "vendor:ubuntu", + Status = "affected", + Justification = null, + TrustScore = 0.85 + }, + new VexConflictingStatus + { + ProviderId = "vendor:redhat", + Status = "not_affected", + Justification = "CODE_NOT_REACHABLE", + TrustScore = 0.95 + }); + + // Act + var evt = VexStatementChangeEventFactory.CreateConflictDetected( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + conflictType: "status_mismatch", + conflictingStatuses: conflictingStatuses, + occurredAtUtc: FixedTimestamp); + + // Assert - Should be sorted by provider ID for determinism + Assert.Equal("vendor:redhat", evt.ConflictDetails!.ConflictingStatuses[0].ProviderId); + Assert.Equal("vendor:ubuntu", evt.ConflictDetails.ConflictingStatuses[1].ProviderId); + } + + [Fact] + public void EventId_IsIdempotentAcrossMultipleInvocations() + { + // Arrange + var provenance = new VexStatementProvenance + { + DocumentHash = "sha256:abc123", + DocumentUri = "https://vendor.example.com/vex/VEX-2026-0001.json", + SourceTimestamp = FixedTimestamp.AddHours(-1), + Author = "security@vendor.example.com", + TrustScore = 0.95 + }; + + // Act - Create same event multiple times + var events = new VexStatementChangeEvent[5]; + for (int i = 0; i < 5; i++) + { + events[i] = VexStatementChangeEventFactory.CreateStatementAdded( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + status: "not_affected", + providerId: "vendor:redhat", + observationId: "default:redhat:VEX-2026-0001:v1", + occurredAtUtc: FixedTimestamp, + provenance: provenance); + } + + // Assert - All event IDs should be identical + var firstEventId = events[0].EventId; + foreach (var evt in events) + { + Assert.Equal(firstEventId, evt.EventId); + } + } + + [Fact] + public void CreateStatusChanged_TracksStatusTransition() + { + // Arrange & Act + var evt = VexStatementChangeEventFactory.CreateStatusChanged( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + newStatus: "fixed", + previousStatus: "affected", + providerId: "vendor:redhat", + observationId: "default:redhat:VEX-2026-0001:v3", + occurredAtUtc: FixedTimestamp); + + // Assert + Assert.Equal(VexTimelineEventTypes.StatusChanged, evt.EventType); + Assert.Equal("fixed", evt.NewStatus); + Assert.Equal("affected", evt.PreviousStatus); + } + + [Fact] + public void EventOrdering_DeterministicByTimestampThenProvider() + { + // Arrange - Create events with same timestamp but different providers + var events = new[] + { + VexStatementChangeEventFactory.CreateStatementAdded( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + status: "not_affected", + providerId: "vendor:ubuntu", + observationId: "default:ubuntu:VEX-2026-0001:v1", + occurredAtUtc: FixedTimestamp), + VexStatementChangeEventFactory.CreateStatementAdded( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + status: "affected", + providerId: "vendor:redhat", + observationId: "default:redhat:VEX-2026-0001:v1", + occurredAtUtc: FixedTimestamp), + VexStatementChangeEventFactory.CreateStatementAdded( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + status: "under_investigation", + providerId: "vendor:debian", + observationId: "default:debian:VEX-2026-0001:v1", + occurredAtUtc: FixedTimestamp), + }; + + // Act - Sort by (timestamp, providerId) for deterministic ordering + var sorted = events + .OrderBy(e => e.OccurredAtUtc) + .ThenBy(e => e.ProviderId) + .ToArray(); + + // Assert - Should be sorted by provider ID alphabetically + Assert.Equal("vendor:debian", sorted[0].ProviderId); + Assert.Equal("vendor:redhat", sorted[1].ProviderId); + Assert.Equal("vendor:ubuntu", sorted[2].ProviderId); + } + + [Fact] + public void Provenance_PreservedInEvent() + { + // Arrange + var provenance = new VexStatementProvenance + { + DocumentHash = "sha256:abc123def456", + DocumentUri = "https://vendor.example.com/vex/VEX-2026-0001.json", + SourceTimestamp = new DateTimeOffset(2026, 1, 15, 9, 0, 0, TimeSpan.Zero), + Author = "security@vendor.example.com", + TrustScore = 0.95 + }; + + // Act + var evt = VexStatementChangeEventFactory.CreateStatementAdded( + tenant: "default", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + status: "not_affected", + providerId: "vendor:redhat", + observationId: "default:redhat:VEX-2026-0001:v1", + occurredAtUtc: FixedTimestamp, + provenance: provenance); + + // Assert + Assert.NotNull(evt.Provenance); + Assert.Equal("sha256:abc123def456", evt.Provenance!.DocumentHash); + Assert.Equal("https://vendor.example.com/vex/VEX-2026-0001.json", evt.Provenance.DocumentUri); + Assert.Equal(0.95, evt.Provenance.TrustScore); + } + + [Fact] + public void TenantNormalization_LowerCasesAndTrims() + { + // Arrange & Act + var evt = VexStatementChangeEventFactory.CreateStatementAdded( + tenant: " DEFAULT ", + vulnerabilityId: "CVE-2026-1234", + productKey: "pkg:npm/lodash@4.17.21", + status: "not_affected", + providerId: "vendor:redhat", + observationId: "default:redhat:VEX-2026-0001:v1", + occurredAtUtc: FixedTimestamp); + + // Assert - Tenant should be normalized + Assert.Equal("default", evt.Tenant); + } +} diff --git a/src/Findings/StellaOps.Findings.Ledger.WebService/Program.cs b/src/Findings/StellaOps.Findings.Ledger.WebService/Program.cs index 25324532e..8b31272cc 100644 --- a/src/Findings/StellaOps.Findings.Ledger.WebService/Program.cs +++ b/src/Findings/StellaOps.Findings.Ledger.WebService/Program.cs @@ -235,6 +235,7 @@ builder.Services.AddSingleton(); // Evidence-Weighted Score services (SPRINT_8200.0012.0004) builder.Services.AddSingleton(); +builder.Services.AddSingleton(); builder.Services.AddSingleton(); // Webhook services (SPRINT_8200.0012.0004 - Wave 6) diff --git a/src/Findings/StellaOps.Findings.Ledger.WebService/Services/EvidenceGraphBuilder.cs b/src/Findings/StellaOps.Findings.Ledger.WebService/Services/EvidenceGraphBuilder.cs index b3a813edb..1f7f99f98 100644 --- a/src/Findings/StellaOps.Findings.Ledger.WebService/Services/EvidenceGraphBuilder.cs +++ b/src/Findings/StellaOps.Findings.Ledger.WebService/Services/EvidenceGraphBuilder.cs @@ -411,4 +411,16 @@ public sealed record AttestationVerificationResult public DateTimeOffset? SignedAt { get; init; } public string? KeyId { get; init; } public long? RekorLogIndex { get; init; } + + // Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-002) + // Extended anchor metadata fields + + /// Rekor entry ID if transparency-anchored. + public string? RekorEntryId { get; init; } + + /// Predicate type of the attestation. + public string? PredicateType { get; init; } + + /// Scope of the attestation (e.g., finding, package, image). + public string? Scope { get; init; } } diff --git a/src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingEvidenceProvider.cs b/src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingEvidenceProvider.cs new file mode 100644 index 000000000..a5928874b --- /dev/null +++ b/src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingEvidenceProvider.cs @@ -0,0 +1,290 @@ +// Copyright (c) StellaOps. All rights reserved. +// Licensed under AGPL-3.0-or-later. See LICENSE in the project root. +// Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-002) +// Task: Implement IFindingEvidenceProvider to populate anchor metadata + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Threading; +using System.Threading.Tasks; +using Microsoft.Extensions.Logging; +using StellaOps.Signals.EvidenceWeightedScore; +using StellaOps.Signals.EvidenceWeightedScore.Normalizers; + +namespace StellaOps.Findings.Ledger.WebService.Services; + +/// +/// Null implementation of IFindingEvidenceProvider that returns no evidence. +/// Use this as a placeholder until real evidence sources are integrated. +/// +internal sealed class NullFindingEvidenceProvider : IFindingEvidenceProvider +{ + public Task GetEvidenceAsync(string findingId, CancellationToken ct) + => Task.FromResult(null); +} + +/// +/// Evidence provider that aggregates from multiple sources and populates anchor metadata. +/// Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-002) +/// +public sealed class AnchoredFindingEvidenceProvider : IFindingEvidenceProvider +{ + private readonly IEvidenceRepository _evidenceRepository; + private readonly IAttestationVerifier _attestationVerifier; + private readonly ILogger _logger; + + public AnchoredFindingEvidenceProvider( + IEvidenceRepository evidenceRepository, + IAttestationVerifier attestationVerifier, + ILogger logger) + { + _evidenceRepository = evidenceRepository ?? throw new ArgumentNullException(nameof(evidenceRepository)); + _attestationVerifier = attestationVerifier ?? throw new ArgumentNullException(nameof(attestationVerifier)); + _logger = logger ?? throw new ArgumentNullException(nameof(logger)); + } + + public async Task GetEvidenceAsync(string findingId, CancellationToken ct) + { + // Parse finding ID to extract GUID if needed + if (!TryParseGuid(findingId, out var findingGuid)) + { + _logger.LogWarning("Could not parse finding ID {FindingId} as GUID", findingId); + return null; + } + + // Get full evidence from repository + var fullEvidence = await _evidenceRepository.GetFullEvidenceAsync(findingGuid, ct).ConfigureAwait(false); + if (fullEvidence is null) + { + _logger.LogDebug("No evidence found for finding {FindingId}", findingId); + return null; + } + + // Build anchor metadata from various evidence sources + EvidenceAnchor? reachabilityAnchor = null; + EvidenceAnchor? runtimeAnchor = null; + EvidenceAnchor? vexAnchor = null; + EvidenceAnchor? primaryAnchor = null; + + // Check reachability attestation + if (fullEvidence.Reachability?.AttestationDigest is not null) + { + var result = await _attestationVerifier.VerifyAsync(fullEvidence.Reachability.AttestationDigest, ct).ConfigureAwait(false); + reachabilityAnchor = MapToAnchor(result, fullEvidence.Reachability.AttestationDigest); + primaryAnchor ??= reachabilityAnchor; + } + + // Check runtime attestations + var latestRuntime = fullEvidence.RuntimeObservations + .Where(r => r.AttestationDigest is not null) + .OrderByDescending(r => r.Timestamp) + .FirstOrDefault(); + if (latestRuntime?.AttestationDigest is not null) + { + var result = await _attestationVerifier.VerifyAsync(latestRuntime.AttestationDigest, ct).ConfigureAwait(false); + runtimeAnchor = MapToAnchor(result, latestRuntime.AttestationDigest); + primaryAnchor ??= runtimeAnchor; + } + + // Check VEX attestations + var latestVex = fullEvidence.VexStatements + .Where(v => v.AttestationDigest is not null) + .OrderByDescending(v => v.Timestamp) + .FirstOrDefault(); + if (latestVex?.AttestationDigest is not null) + { + var result = await _attestationVerifier.VerifyAsync(latestVex.AttestationDigest, ct).ConfigureAwait(false); + vexAnchor = MapToAnchor(result, latestVex.AttestationDigest); + primaryAnchor ??= vexAnchor; + } + + // Check policy trace attestation + if (primaryAnchor is null && fullEvidence.PolicyTrace?.AttestationDigest is not null) + { + var result = await _attestationVerifier.VerifyAsync(fullEvidence.PolicyTrace.AttestationDigest, ct).ConfigureAwait(false); + primaryAnchor = MapToAnchor(result, fullEvidence.PolicyTrace.AttestationDigest); + } + + return new FindingEvidence + { + FindingId = findingId, + Reachability = MapReachability(fullEvidence, reachabilityAnchor), + Runtime = MapRuntime(fullEvidence, runtimeAnchor), + Backport = null, // Backport evidence not available in FullEvidence yet + Exploit = null, // Exploit evidence not available in FullEvidence yet + SourceTrust = null, // Source trust not available in FullEvidence yet + Mitigations = MapMitigations(fullEvidence), + Anchor = primaryAnchor, + ReachabilityAnchor = reachabilityAnchor, + RuntimeAnchor = runtimeAnchor, + VexAnchor = vexAnchor + }; + } + + private static EvidenceAnchor MapToAnchor(AttestationVerificationResult result, string digest) + { + if (!result.IsValid) + { + return new EvidenceAnchor + { + Anchored = false + }; + } + + return new EvidenceAnchor + { + Anchored = true, + EnvelopeDigest = digest, + PredicateType = result.PredicateType, + RekorLogIndex = result.RekorLogIndex, + RekorEntryId = result.RekorEntryId, + Scope = result.Scope, + Verified = result.IsValid, + AttestedAt = result.SignedAt + }; + } + + private static ReachabilityInput? MapReachability(FullEvidence evidence, EvidenceAnchor? anchor) + { + if (evidence.Reachability is null) + return null; + + // Map state string to enum + var state = evidence.Reachability.State switch + { + "reachable" => ReachabilityState.StaticReachable, + "confirmed_reachable" => ReachabilityState.DynamicReachable, + "potentially_reachable" => ReachabilityState.PotentiallyReachable, + "not_reachable" => ReachabilityState.NotReachable, + "unreachable" => ReachabilityState.NotReachable, + _ => ReachabilityState.Unknown + }; + + // Map anchor to AnchorMetadata if present + AnchorMetadata? anchorMetadata = null; + if (anchor?.Anchored == true) + { + anchorMetadata = new AnchorMetadata + { + IsAnchored = true, + DsseEnvelopeDigest = anchor.EnvelopeDigest, + PredicateType = anchor.PredicateType, + RekorLogIndex = anchor.RekorLogIndex, + RekorEntryId = anchor.RekorEntryId, + AttestationTimestamp = anchor.AttestedAt, + VerificationStatus = anchor.Verified == true ? AnchorVerificationStatus.Verified : AnchorVerificationStatus.Unverified + }; + } + + return new ReachabilityInput + { + State = state, + Confidence = (double)evidence.Reachability.Confidence, + HopCount = 0, // Not available in current FullEvidence + HasInterproceduralFlow = false, + HasTaintTracking = false, + HasDataFlowSensitivity = false, + EvidenceSource = evidence.Reachability.Issuer, + EvidenceTimestamp = evidence.Reachability.Timestamp, + Anchor = anchorMetadata + }; + } + + private static RuntimeInput? MapRuntime(FullEvidence evidence, EvidenceAnchor? anchor) + { + if (evidence.RuntimeObservations.Count == 0) + return null; + + var latest = evidence.RuntimeObservations + .OrderByDescending(r => r.Timestamp) + .First(); + + // Calculate recency factor based on observation age + var age = DateTimeOffset.UtcNow - latest.Timestamp; + var recencyFactor = age.TotalHours <= 24 ? 1.0 : + age.TotalDays <= 7 ? 0.7 : + age.TotalDays <= 30 ? 0.4 : 0.1; + + // Map anchor to AnchorMetadata if present + AnchorMetadata? anchorMetadata = null; + if (anchor?.Anchored == true) + { + anchorMetadata = new AnchorMetadata + { + IsAnchored = true, + DsseEnvelopeDigest = anchor.EnvelopeDigest, + PredicateType = anchor.PredicateType, + RekorLogIndex = anchor.RekorLogIndex, + RekorEntryId = anchor.RekorEntryId, + AttestationTimestamp = anchor.AttestedAt, + VerificationStatus = anchor.Verified == true ? AnchorVerificationStatus.Verified : AnchorVerificationStatus.Unverified + }; + } + + return new RuntimeInput + { + Posture = RuntimePosture.ActiveTracing, + ObservationCount = evidence.RuntimeObservations.Count, + LastObservation = latest.Timestamp, + RecencyFactor = recencyFactor, + DirectPathObserved = latest.ObservationType == "direct", + IsProductionTraffic = true, // Assume production unless specified + EvidenceSource = latest.Issuer, + Anchor = anchorMetadata + }; + } + + private static MitigationInput? MapMitigations(FullEvidence evidence) + { + if (evidence.VexStatements.Count == 0) + return null; + + var mitigations = evidence.VexStatements + .Select(v => new ActiveMitigation + { + Type = MitigationType.Unknown, // VEX is not directly in MitigationType enum + Name = $"VEX: {v.Status}", + Effectiveness = v.Status switch + { + "not_affected" => 1.0, + "fixed" => 0.9, + "under_investigation" => 0.3, + "affected" => 0.0, + _ => 0.5 + }, + Verified = v.AttestationDigest is not null + }) + .OrderByDescending(m => m.Effectiveness) + .ThenBy(m => m.Name ?? string.Empty, StringComparer.Ordinal) + .ToList(); + + var combinedEffectiveness = MitigationInput.CalculateCombinedEffectiveness(mitigations); + var latestVex = evidence.VexStatements.OrderByDescending(v => v.Timestamp).FirstOrDefault(); + + return new MitigationInput + { + ActiveMitigations = mitigations, + CombinedEffectiveness = combinedEffectiveness, + RuntimeVerified = mitigations.Any(m => m.Verified), + EvidenceTimestamp = latestVex?.Timestamp + }; + } + + private static bool TryParseGuid(string input, out Guid result) + { + // Handle CVE@PURL format by extracting the GUID portion if present + if (input.Contains('@')) + { + // Try to find a GUID in the string + var parts = input.Split('@', '/', ':'); + foreach (var part in parts) + { + if (Guid.TryParse(part, out result)) + return true; + } + } + + return Guid.TryParse(input, out result); + } +} diff --git a/src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingScoringService.cs b/src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingScoringService.cs index a896c43fe..99e21e2d7 100644 --- a/src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingScoringService.cs +++ b/src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingScoringService.cs @@ -166,10 +166,13 @@ public sealed class FindingScoringService : IFindingScoringService var now = _timeProvider.GetUtcNow(); var cacheDuration = TimeSpan.FromMinutes(_options.CacheTtlMinutes); - var response = MapToResponse(result, request.IncludeBreakdown, now, cacheDuration); + // Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-003) + // Pass policy and evidence to MapToResponse for reduction profile and anchor metadata + var response = MapToResponse(result, request.IncludeBreakdown, now, cacheDuration, policy, evidence); - // Cache the result - var cacheKey = GetCacheKey(findingId); + // Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-003) + // Use cache key that includes policy digest and reduction profile + var cacheKey = GetCacheKey(findingId, policy.ComputeDigest(), policy.AttestedReduction.Enabled); _cache.Set(cacheKey, response, cacheDuration); // Record in history @@ -363,12 +366,69 @@ public sealed class FindingScoringService : IFindingScoringService private static string GetCacheKey(string findingId) => $"ews:score:{findingId}"; + // Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-003) + // Include policy digest and reduction profile in cache key for determinism + private static string GetCacheKey(string findingId, string policyDigest, bool reductionEnabled) + => $"ews:score:{findingId}:{policyDigest}:{(reductionEnabled ? "reduction" : "standard")}"; + private static EvidenceWeightedScoreResponse MapToResponse( EvidenceWeightedScoreResult result, bool includeBreakdown, DateTimeOffset calculatedAt, - TimeSpan cacheDuration) + TimeSpan cacheDuration, + EvidenceWeightPolicy? policy = null, + FindingEvidence? evidence = null) { + // Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-003) + // Extract reduction profile and hard-fail status from flags + var isAttestedReduction = result.Flags.Contains("attested-reduction"); + var isHardFail = result.Flags.Contains("hard-fail"); + + // Determine short-circuit reason from flags/explanations + string? shortCircuitReason = null; + if (result.Flags.Contains("anchored-vex") && result.Score == 0) + { + shortCircuitReason = "anchored_vex_not_affected"; + } + else if (isHardFail) + { + shortCircuitReason = "anchored_affected_runtime_confirmed"; + } + + // Build reduction profile DTO if policy has attested reduction enabled + // Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-003) + ReductionProfileDto? reductionProfile = null; + if (policy?.AttestedReduction.Enabled == true) + { + var ar = policy.AttestedReduction; + reductionProfile = new ReductionProfileDto + { + Enabled = true, + Mode = ar.HardFailOnAffectedWithRuntime ? "aggressive" : "conservative", + ProfileId = $"attested-{ar.RequiredVerificationStatus.ToString().ToLowerInvariant()}", + MaxReductionPercent = (int)((1.0 - ar.ClampMin) * 100), + RequireVexAnchoring = ar.RequiredVerificationStatus >= AnchorVerificationStatus.Verified, + RequireRekorVerification = ar.RequiredVerificationStatus >= AnchorVerificationStatus.Verified + }; + } + + // Build anchor DTO from evidence if available + EvidenceAnchorDto? anchorDto = null; + if (evidence?.Anchor is not null && evidence.Anchor.Anchored) + { + anchorDto = new EvidenceAnchorDto + { + Anchored = true, + EnvelopeDigest = evidence.Anchor.EnvelopeDigest, + PredicateType = evidence.Anchor.PredicateType, + RekorLogIndex = evidence.Anchor.RekorLogIndex, + RekorEntryId = evidence.Anchor.RekorEntryId, + Scope = evidence.Anchor.Scope, + Verified = evidence.Anchor.Verified, + AttestedAt = evidence.Anchor.AttestedAt + }; + } + return new EvidenceWeightedScoreResponse { FindingId = result.FindingId, @@ -403,7 +463,12 @@ public sealed class FindingScoringService : IFindingScoringService PolicyDigest = result.PolicyDigest, CalculatedAt = calculatedAt, CachedUntil = calculatedAt.Add(cacheDuration), - FromCache = false + FromCache = false, + // Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-003) + ReductionProfile = reductionProfile, + HardFail = isHardFail, + ShortCircuitReason = shortCircuitReason, + Anchor = anchorDto }; } diff --git a/src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Services/FindingScoringServiceTests.cs b/src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Services/FindingScoringServiceTests.cs new file mode 100644 index 000000000..f704c6668 --- /dev/null +++ b/src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Services/FindingScoringServiceTests.cs @@ -0,0 +1,352 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later +// Copyright (c) 2025 StellaOps +// Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-004) +// Task: Unit tests for attested-reduction response fields + +using FluentAssertions; +using Microsoft.Extensions.Caching.Memory; +using Microsoft.Extensions.Logging.Abstractions; +using MsOptions = Microsoft.Extensions.Options; +using Moq; +using StellaOps.Findings.Ledger.WebService.Contracts; +using StellaOps.Findings.Ledger.WebService.Services; +using StellaOps.Signals.EvidenceWeightedScore; +using StellaOps.Signals.EvidenceWeightedScore.Normalizers; +using Xunit; + +namespace StellaOps.Findings.Ledger.Tests.Services; + +[Trait("Category", "Unit")] +public class FindingScoringServiceTests +{ + private readonly Mock _normalizer = new(); + private readonly Mock _calculator = new(); + private readonly Mock _policyProvider = new(); + private readonly Mock _evidenceProvider = new(); + private readonly Mock _historyStore = new(); + private readonly Mock _timeProvider = new(); + private readonly IMemoryCache _cache; + private readonly FindingScoringService _service; + private readonly DateTimeOffset _now = new(2026, 1, 14, 12, 0, 0, TimeSpan.Zero); + + public FindingScoringServiceTests() + { + _cache = new MemoryCache(new MemoryCacheOptions()); + var options = MsOptions.Options.Create(new FindingScoringOptions + { + CacheTtlMinutes = 60, + MaxBatchSize = 100, + MaxConcurrency = 10 + }); + _timeProvider.Setup(tp => tp.GetUtcNow()).Returns(_now); + + _service = new FindingScoringService( + _normalizer.Object, + _calculator.Object, + _policyProvider.Object, + _evidenceProvider.Object, + _historyStore.Object, + _cache, + options, + NullLogger.Instance, + _timeProvider.Object); + } + + #region Attested Reduction Response Fields Tests + + [Fact] + public async Task CalculateScoreAsync_AttestedReductionEnabled_PopulatesReductionProfile() + { + // Arrange + var findingId = "CVE-2024-1234@pkg:npm/lodash@4.17.20"; + var evidence = CreateFindingEvidence(findingId); + var policy = CreateAttestedReductionPolicy(enabled: true); + var input = CreateEvidenceWeightedScoreInput(findingId); + var result = CreateScoreResult(findingId, withAttestedReduction: true); + + SetupMocks(evidence, policy, input, result); + + // Act + var response = await _service.CalculateScoreAsync( + findingId, + new CalculateScoreRequest { IncludeBreakdown = true }, + CancellationToken.None); + + // Assert + response.Should().NotBeNull(); + response!.ReductionProfile.Should().NotBeNull(); + response.ReductionProfile!.Enabled.Should().BeTrue(); + response.ReductionProfile.Mode.Should().NotBeNullOrEmpty(); + response.ReductionProfile.MaxReductionPercent.Should().BeGreaterThan(0); + } + + [Fact] + public async Task CalculateScoreAsync_HardFailTriggered_SetsHardFailTrue() + { + // Arrange + var findingId = "CVE-2024-9999@pkg:npm/critical@1.0.0"; + var evidence = CreateFindingEvidence(findingId); + var policy = CreateAttestedReductionPolicy(enabled: true); + var input = CreateEvidenceWeightedScoreInput(findingId); + var result = CreateScoreResult(findingId, withHardFail: true); + + SetupMocks(evidence, policy, input, result); + + // Act + var response = await _service.CalculateScoreAsync( + findingId, + new CalculateScoreRequest { IncludeBreakdown = true }, + CancellationToken.None); + + // Assert + response.Should().NotBeNull(); + response!.HardFail.Should().BeTrue(); + response.ShortCircuitReason.Should().Be("anchored_affected_runtime_confirmed"); + } + + [Fact] + public async Task CalculateScoreAsync_AnchoredVexNotAffected_SetsShortCircuitReason() + { + // Arrange + var findingId = "CVE-2024-5555@pkg:npm/not-affected@1.0.0"; + var evidence = CreateFindingEvidenceWithAnchor(findingId); + var policy = CreateAttestedReductionPolicy(enabled: true); + var input = CreateEvidenceWeightedScoreInput(findingId); + var result = CreateScoreResult(findingId, withAnchoredVex: true, score: 0); + + SetupMocks(evidence, policy, input, result); + + // Act + var response = await _service.CalculateScoreAsync( + findingId, + new CalculateScoreRequest { IncludeBreakdown = true }, + CancellationToken.None); + + // Assert + response.Should().NotBeNull(); + response!.Score.Should().Be(0); + response.ShortCircuitReason.Should().Be("anchored_vex_not_affected"); + response.HardFail.Should().BeFalse(); + } + + [Fact] + public async Task CalculateScoreAsync_WithAnchor_PopulatesAnchorDto() + { + // Arrange + var findingId = "CVE-2024-1111@pkg:npm/anchored@2.0.0"; + var evidence = CreateFindingEvidenceWithAnchor(findingId); + var policy = CreateAttestedReductionPolicy(enabled: true); + var input = CreateEvidenceWeightedScoreInput(findingId); + var result = CreateScoreResult(findingId); + + SetupMocks(evidence, policy, input, result); + + // Act + var response = await _service.CalculateScoreAsync( + findingId, + new CalculateScoreRequest { IncludeBreakdown = true }, + CancellationToken.None); + + // Assert + response.Should().NotBeNull(); + response!.Anchor.Should().NotBeNull(); + response.Anchor!.Anchored.Should().BeTrue(); + response.Anchor.EnvelopeDigest.Should().Be("sha256:abc123"); + response.Anchor.RekorLogIndex.Should().Be(12345); + } + + [Fact] + public async Task CalculateScoreAsync_NoReductionProfile_ReturnsNullReductionProfile() + { + // Arrange + var findingId = "CVE-2024-2222@pkg:npm/standard@1.0.0"; + var evidence = CreateFindingEvidence(findingId); + var policy = CreateStandardPolicy(); // No attested reduction + var input = CreateEvidenceWeightedScoreInput(findingId); + var result = CreateScoreResult(findingId); + + SetupMocks(evidence, policy, input, result); + + // Act + var response = await _service.CalculateScoreAsync( + findingId, + new CalculateScoreRequest { IncludeBreakdown = true }, + CancellationToken.None); + + // Assert + response.Should().NotBeNull(); + response!.ReductionProfile.Should().BeNull(); + response.HardFail.Should().BeFalse(); + response.ShortCircuitReason.Should().BeNull(); + } + + [Fact] + public async Task CalculateScoreAsync_NoEvidence_ReturnsNull() + { + // Arrange + var findingId = "CVE-2024-0000@pkg:npm/missing@1.0.0"; + + _evidenceProvider.Setup(p => p.GetEvidenceAsync(It.IsAny(), It.IsAny())) + .ReturnsAsync((FindingEvidence?)null); + + // Act + var response = await _service.CalculateScoreAsync( + findingId, + new CalculateScoreRequest(), + CancellationToken.None); + + // Assert + response.Should().BeNull(); + } + + #endregion + + #region Cache Key Tests + + [Fact] + public async Task CalculateScoreAsync_DifferentPolicies_UseDifferentCacheKeys() + { + // Arrange + var findingId = "CVE-2024-3333@pkg:npm/cached@1.0.0"; + var evidence = CreateFindingEvidence(findingId); + var policy1 = CreateAttestedReductionPolicy(enabled: true); + var policy2 = CreateAttestedReductionPolicy(enabled: false); + var input = CreateEvidenceWeightedScoreInput(findingId); + var result1 = CreateScoreResult(findingId, withAttestedReduction: true, score: 25); + var result2 = CreateScoreResult(findingId, score: 75); + + // First call with reduction enabled + SetupMocks(evidence, policy1, input, result1); + var response1 = await _service.CalculateScoreAsync( + findingId, + new CalculateScoreRequest { ForceRecalculate = true }, + CancellationToken.None); + + // Change policy to disabled + SetupMocks(evidence, policy2, input, result2); + var response2 = await _service.CalculateScoreAsync( + findingId, + new CalculateScoreRequest { ForceRecalculate = true }, + CancellationToken.None); + + // Assert - different scores due to different cache keys + response1!.Score.Should().NotBe(response2!.Score); + } + + #endregion + + #region Helper Methods + + private void SetupMocks( + FindingEvidence evidence, + EvidenceWeightPolicy policy, + EvidenceWeightedScoreInput input, + EvidenceWeightedScoreResult result) + { + _evidenceProvider.Setup(p => p.GetEvidenceAsync(It.IsAny(), It.IsAny())) + .ReturnsAsync(evidence); + _policyProvider.Setup(p => p.GetDefaultPolicyAsync(It.IsAny(), It.IsAny())) + .ReturnsAsync(policy); + _normalizer.Setup(n => n.Aggregate(It.IsAny())) + .Returns(input); + _calculator.Setup(c => c.Calculate(It.IsAny(), It.IsAny())) + .Returns(result); + } + + private static FindingEvidence CreateFindingEvidence(string findingId) => new() + { + FindingId = findingId + }; + + private static FindingEvidence CreateFindingEvidenceWithAnchor(string findingId) => new() + { + FindingId = findingId, + Anchor = new EvidenceAnchor + { + Anchored = true, + EnvelopeDigest = "sha256:abc123", + PredicateType = "https://stellaops.io/attestation/vex/v1", + RekorLogIndex = 12345, + RekorEntryId = "entry-123", + Scope = "finding", + Verified = true, + AttestedAt = DateTimeOffset.UtcNow.AddHours(-1) + } + }; + + private static EvidenceWeightedScoreInput CreateEvidenceWeightedScoreInput(string findingId) => new() + { + FindingId = findingId, + Rch = 0.5, + Rts = 0.3, + Bkp = 0.0, + Xpl = 0.4, + Src = 0.6, + Mit = 0.1 + }; + + private static EvidenceWeightPolicy CreateAttestedReductionPolicy(bool enabled) => new() + { + Version = "1.0.0", + Profile = "test", + CreatedAt = DateTimeOffset.UtcNow, + Weights = EvidenceWeights.Default, + Guardrails = GuardrailConfig.Default, + Buckets = BucketThresholds.Default, + AttestedReduction = enabled + ? AttestedReductionConfig.EnabledDefault + : AttestedReductionConfig.Default + }; + + private static EvidenceWeightPolicy CreateStandardPolicy() => new() + { + Version = "1.0.0", + Profile = "standard", + CreatedAt = DateTimeOffset.UtcNow, + Weights = EvidenceWeights.Default, + Guardrails = GuardrailConfig.Default, + Buckets = BucketThresholds.Default, + AttestedReduction = AttestedReductionConfig.Default + }; + + private EvidenceWeightedScoreResult CreateScoreResult( + string findingId, + bool withAttestedReduction = false, + bool withHardFail = false, + bool withAnchoredVex = false, + int score = 50) + { + var flags = new List(); + if (withAttestedReduction) flags.Add("attested-reduction"); + if (withHardFail) + { + flags.Add("hard-fail"); + flags.Add("anchored-vex"); + flags.Add("anchored-runtime"); + } + if (withAnchoredVex) + { + flags.Add("anchored-vex"); + flags.Add("vendor-na"); + } + + return new EvidenceWeightedScoreResult + { + FindingId = findingId, + Score = score, + Bucket = score >= 90 ? ScoreBucket.ActNow : + score >= 70 ? ScoreBucket.ScheduleNext : + score >= 40 ? ScoreBucket.Investigate : ScoreBucket.Watchlist, + Inputs = new EvidenceInputValues(0.5, 0.3, 0.0, 0.4, 0.6, 0.1), + Weights = EvidenceWeights.Default, + Breakdown = [], + Flags = flags, + Explanations = ["Test explanation"], + Caps = AppliedGuardrails.None(score), + PolicyDigest = "sha256:policy123", + CalculatedAt = _now + }; + } + + #endregion +} diff --git a/src/Platform/StellaOps.Platform.WebService/Constants/PlatformPolicies.cs b/src/Platform/StellaOps.Platform.WebService/Constants/PlatformPolicies.cs index 7a6f73428..58e28cc4f 100644 --- a/src/Platform/StellaOps.Platform.WebService/Constants/PlatformPolicies.cs +++ b/src/Platform/StellaOps.Platform.WebService/Constants/PlatformPolicies.cs @@ -12,4 +12,7 @@ public static class PlatformPolicies public const string PreferencesWrite = "platform.preferences.write"; public const string SearchRead = "platform.search.read"; public const string MetadataRead = "platform.metadata.read"; + public const string SetupRead = "platform.setup.read"; + public const string SetupWrite = "platform.setup.write"; + public const string SetupAdmin = "platform.setup.admin"; } diff --git a/src/Platform/StellaOps.Platform.WebService/Constants/PlatformScopes.cs b/src/Platform/StellaOps.Platform.WebService/Constants/PlatformScopes.cs index 81d870744..b50bd1d23 100644 --- a/src/Platform/StellaOps.Platform.WebService/Constants/PlatformScopes.cs +++ b/src/Platform/StellaOps.Platform.WebService/Constants/PlatformScopes.cs @@ -12,4 +12,7 @@ public static class PlatformScopes public const string PreferencesWrite = "ui.preferences.write"; public const string SearchRead = "search.read"; public const string MetadataRead = "platform.metadata.read"; + public const string SetupRead = "platform.setup.read"; + public const string SetupWrite = "platform.setup.write"; + public const string SetupAdmin = "platform.setup.admin"; } diff --git a/src/Platform/StellaOps.Platform.WebService/Contracts/SetupWizardModels.cs b/src/Platform/StellaOps.Platform.WebService/Contracts/SetupWizardModels.cs new file mode 100644 index 000000000..8ca5e5ba7 --- /dev/null +++ b/src/Platform/StellaOps.Platform.WebService/Contracts/SetupWizardModels.cs @@ -0,0 +1,372 @@ +// Copyright (c) StellaOps. All rights reserved. +// Licensed under AGPL-3.0-or-later. See LICENSE in the project root. +// Sprint: SPRINT_20260112_004_PLATFORM_setup_wizard_backend (PLATFORM-SETUP-001) +// Task: Define setup wizard contracts and step definitions + +using System.Collections.Immutable; +using System.Text.Json.Serialization; + +namespace StellaOps.Platform.WebService.Contracts; + +#region Enums + +/// +/// Setup wizard step identifiers aligned to docs/setup/setup-wizard-ux.md. +/// +[JsonConverter(typeof(JsonStringEnumConverter))] +public enum SetupStepId +{ + /// Configure PostgreSQL connection. + Database = 1, + + /// Configure Valkey/Redis caching and message queue. + Valkey = 2, + + /// Apply database schema migrations. + Migrations = 3, + + /// Create administrator account. + Admin = 4, + + /// Configure signing keys and crypto profile. + Crypto = 5, + + /// Configure secrets management (optional). + Vault = 6, + + /// Connect source control (optional). + Scm = 7, + + /// Configure alerts and notifications (optional). + Notifications = 8, + + /// Define deployment environments (optional). + Environments = 9, + + /// Register deployment agents (optional). + Agents = 10 +} + +/// +/// Setup step status aligned to docs/setup/setup-wizard-ux.md. +/// +[JsonConverter(typeof(JsonStringEnumConverter))] +public enum SetupStepStatus +{ + /// Not yet started. + Pending, + + /// Currently active step. + Current, + + /// Completed successfully. + Passed, + + /// Failed validation. + Failed, + + /// Explicitly skipped by user. + Skipped, + + /// Blocked by failed dependency. + Blocked +} + +/// +/// Overall setup session status. +/// +[JsonConverter(typeof(JsonStringEnumConverter))] +public enum SetupSessionStatus +{ + /// Setup not started. + NotStarted, + + /// Setup in progress. + InProgress, + + /// Setup completed successfully. + Completed, + + /// Setup completed with skipped optional steps. + CompletedPartial, + + /// Setup failed due to required step failure. + Failed, + + /// Setup abandoned by user. + Abandoned +} + +/// +/// Doctor check status for step validation. +/// +[JsonConverter(typeof(JsonStringEnumConverter))] +public enum SetupCheckStatus +{ + /// Check passed. + Pass, + + /// Check failed. + Fail, + + /// Check produced a warning. + Warn, + + /// Check not executed. + NotRun +} + +#endregion + +#region Step Definitions + +/// +/// Static definition of a setup wizard step. +/// +public sealed record SetupStepDefinition( + SetupStepId Id, + string Title, + string Subtitle, + int OrderIndex, + bool IsRequired, + ImmutableArray DependsOn, + ImmutableArray DoctorChecks); + +/// +/// Provides the canonical setup wizard step definitions. +/// +public static class SetupStepDefinitions +{ + public static ImmutableArray All { get; } = ImmutableArray.Create( + new SetupStepDefinition( + Id: SetupStepId.Database, + Title: "Database Setup", + Subtitle: "Configure PostgreSQL connection", + OrderIndex: 1, + IsRequired: true, + DependsOn: ImmutableArray.Empty, + DoctorChecks: ImmutableArray.Create( + "check.database.connectivity", + "check.database.permissions", + "check.database.version")), + + new SetupStepDefinition( + Id: SetupStepId.Valkey, + Title: "Valkey/Redis Setup", + Subtitle: "Configure caching and message queue", + OrderIndex: 2, + IsRequired: true, + DependsOn: ImmutableArray.Empty, + DoctorChecks: ImmutableArray.Create( + "check.services.valkey.connectivity")), + + new SetupStepDefinition( + Id: SetupStepId.Migrations, + Title: "Database Migrations", + Subtitle: "Apply schema updates", + OrderIndex: 3, + IsRequired: true, + DependsOn: ImmutableArray.Create(SetupStepId.Database), + DoctorChecks: ImmutableArray.Create( + "check.database.migrations.pending")), + + new SetupStepDefinition( + Id: SetupStepId.Admin, + Title: "Admin Bootstrap", + Subtitle: "Create administrator account", + OrderIndex: 4, + IsRequired: true, + DependsOn: ImmutableArray.Create(SetupStepId.Migrations), + DoctorChecks: ImmutableArray.Create( + "check.authority.admin.exists")), + + new SetupStepDefinition( + Id: SetupStepId.Crypto, + Title: "Crypto Profile", + Subtitle: "Configure signing keys", + OrderIndex: 5, + IsRequired: true, + DependsOn: ImmutableArray.Create(SetupStepId.Admin), + DoctorChecks: ImmutableArray.Create( + "check.crypto.signing.key", + "check.crypto.profile")), + + new SetupStepDefinition( + Id: SetupStepId.Vault, + Title: "Vault Integration", + Subtitle: "Configure secrets management", + OrderIndex: 6, + IsRequired: false, + DependsOn: ImmutableArray.Empty, + DoctorChecks: ImmutableArray.Create( + "check.security.vault.connectivity")), + + new SetupStepDefinition( + Id: SetupStepId.Scm, + Title: "SCM Integration", + Subtitle: "Connect source control", + OrderIndex: 7, + IsRequired: false, + DependsOn: ImmutableArray.Empty, + DoctorChecks: ImmutableArray.Create( + "check.integration.scm.github.auth", + "check.integration.scm.gitlab.auth", + "check.integration.scm.gitea.auth")), + + new SetupStepDefinition( + Id: SetupStepId.Notifications, + Title: "Notification Channels", + Subtitle: "Configure alerts and notifications", + OrderIndex: 8, + IsRequired: false, + DependsOn: ImmutableArray.Empty, + DoctorChecks: ImmutableArray.Create( + "check.notify.email", + "check.notify.slack")), + + new SetupStepDefinition( + Id: SetupStepId.Environments, + Title: "Environment Definition", + Subtitle: "Define deployment environments", + OrderIndex: 9, + IsRequired: false, + DependsOn: ImmutableArray.Create(SetupStepId.Admin), + DoctorChecks: ImmutableArray.Empty), + + new SetupStepDefinition( + Id: SetupStepId.Agents, + Title: "Agent Registration", + Subtitle: "Register deployment agents", + OrderIndex: 10, + IsRequired: false, + DependsOn: ImmutableArray.Create(SetupStepId.Environments), + DoctorChecks: ImmutableArray.Empty) + ); + + /// + /// Gets a step definition by ID. + /// + public static SetupStepDefinition? GetById(SetupStepId id) + { + foreach (var step in All) + { + if (step.Id == id) return step; + } + return null; + } +} + +#endregion + +#region Session State + +/// +/// Setup wizard session state. +/// +public sealed record SetupSession( + string SessionId, + string TenantId, + SetupSessionStatus Status, + ImmutableArray Steps, + string CreatedAtUtc, + string UpdatedAtUtc, + string? CreatedBy, + string? UpdatedBy, + string? DataAsOfUtc); + +/// +/// State of a single setup step within a session. +/// +public sealed record SetupStepState( + SetupStepId StepId, + SetupStepStatus Status, + string? CompletedAtUtc, + string? SkippedAtUtc, + string? SkippedReason, + ImmutableArray CheckResults, + string? ErrorMessage); + +/// +/// Result of a Doctor check during step validation. +/// +public sealed record SetupCheckResult( + string CheckId, + SetupCheckStatus Status, + string? Message, + string? SuggestedFix); + +#endregion + +#region API Requests + +/// +/// Request to create a new setup session. +/// +public sealed record CreateSetupSessionRequest( + string? TenantId = null); + +/// +/// Request to execute a setup step. +/// +public sealed record ExecuteSetupStepRequest( + SetupStepId StepId, + ImmutableDictionary? Configuration = null); + +/// +/// Request to skip a setup step. +/// +public sealed record SkipSetupStepRequest( + SetupStepId StepId, + string? Reason = null); + +/// +/// Request to finalize a setup session. +/// +public sealed record FinalizeSetupSessionRequest( + bool Force = false); + +#endregion + +#region API Responses + +/// +/// Response for setup session operations. +/// +public sealed record SetupSessionResponse( + SetupSession Session); + +/// +/// Response for step execution. +/// +public sealed record ExecuteSetupStepResponse( + SetupStepState StepState, + bool Success, + string? ErrorMessage, + ImmutableArray SuggestedFixes); + +/// +/// Response listing all step definitions. +/// +public sealed record SetupStepDefinitionsResponse( + ImmutableArray Steps); + +/// +/// A suggested fix for a failed step. +/// +public sealed record SetupSuggestedFix( + string Title, + string Description, + string? Command, + string? DocumentationUrl); + +/// +/// Response for session finalization. +/// +public sealed record FinalizeSetupSessionResponse( + SetupSessionStatus FinalStatus, + ImmutableArray CompletedSteps, + ImmutableArray SkippedSteps, + ImmutableArray FailedSteps, + string? ReportPath); + +#endregion diff --git a/src/Platform/StellaOps.Platform.WebService/Endpoints/SetupEndpoints.cs b/src/Platform/StellaOps.Platform.WebService/Endpoints/SetupEndpoints.cs new file mode 100644 index 000000000..febcbab69 --- /dev/null +++ b/src/Platform/StellaOps.Platform.WebService/Endpoints/SetupEndpoints.cs @@ -0,0 +1,288 @@ +// Copyright (c) StellaOps. All rights reserved. +// Licensed under AGPL-3.0-or-later. See LICENSE in the project root. +// Sprint: SPRINT_20260112_004_PLATFORM_setup_wizard_backend (PLATFORM-SETUP-003) +// Task: Add /api/v1/setup/* endpoints with auth policies, request validation, and Problem+JSON errors + +using System; +using System.Threading; +using System.Threading.Tasks; +using Microsoft.AspNetCore.Builder; +using Microsoft.AspNetCore.Http; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Routing; +using Microsoft.Extensions.Logging; +using StellaOps.Platform.WebService.Constants; +using StellaOps.Platform.WebService.Contracts; +using StellaOps.Platform.WebService.Services; + +namespace StellaOps.Platform.WebService.Endpoints; + +/// +/// Setup wizard API endpoints aligned to docs/setup/setup-wizard-ux.md. +/// +public static class SetupEndpoints +{ + public static IEndpointRouteBuilder MapSetupEndpoints(this IEndpointRouteBuilder app) + { + var setup = app.MapGroup("/api/v1/setup") + .WithTags("Setup Wizard"); + + MapSessionEndpoints(setup); + MapStepEndpoints(setup); + MapDefinitionEndpoints(setup); + + return app; + } + + private static void MapSessionEndpoints(IEndpointRouteBuilder setup) + { + var sessions = setup.MapGroup("/sessions").WithTags("Setup Sessions"); + + // GET /api/v1/setup/sessions - Get current session + sessions.MapGet("/", async Task ( + HttpContext context, + PlatformRequestContextResolver resolver, + PlatformSetupService service, + CancellationToken ct) => + { + if (!TryResolveContext(context, resolver, out var requestContext, out var failure)) + { + return failure!; + } + + try + { + var result = await service.GetSessionAsync(requestContext!, ct).ConfigureAwait(false); + if (result is null) + { + return Results.NotFound(CreateProblem( + "Session Not Found", + "No active setup session for this tenant.", + StatusCodes.Status404NotFound)); + } + return Results.Ok(result); + } + catch (InvalidOperationException ex) + { + return Results.BadRequest(CreateProblem("Invalid Operation", ex.Message, StatusCodes.Status400BadRequest)); + } + }).RequireAuthorization(PlatformPolicies.SetupRead) + .WithName("GetSetupSession") + .Produces(StatusCodes.Status200OK) + .Produces(StatusCodes.Status404NotFound); + + // POST /api/v1/setup/sessions - Create new session + sessions.MapPost("/", async Task ( + HttpContext context, + PlatformRequestContextResolver resolver, + PlatformSetupService service, + [FromBody] CreateSetupSessionRequest? request, + CancellationToken ct) => + { + if (!TryResolveContext(context, resolver, out var requestContext, out var failure)) + { + return failure!; + } + + try + { + var result = await service.CreateSessionAsync( + requestContext!, + request ?? new CreateSetupSessionRequest(), + ct).ConfigureAwait(false); + return Results.Created($"/api/v1/setup/sessions", result); + } + catch (InvalidOperationException ex) + { + return Results.BadRequest(CreateProblem("Invalid Operation", ex.Message, StatusCodes.Status400BadRequest)); + } + }).RequireAuthorization(PlatformPolicies.SetupWrite) + .WithName("CreateSetupSession") + .Produces(StatusCodes.Status201Created) + .Produces(StatusCodes.Status400BadRequest); + + // POST /api/v1/setup/sessions/resume - Resume or create session + sessions.MapPost("/resume", async Task ( + HttpContext context, + PlatformRequestContextResolver resolver, + PlatformSetupService service, + CancellationToken ct) => + { + if (!TryResolveContext(context, resolver, out var requestContext, out var failure)) + { + return failure!; + } + + try + { + var result = await service.ResumeOrCreateSessionAsync(requestContext!, ct).ConfigureAwait(false); + return Results.Ok(result); + } + catch (InvalidOperationException ex) + { + return Results.BadRequest(CreateProblem("Invalid Operation", ex.Message, StatusCodes.Status400BadRequest)); + } + }).RequireAuthorization(PlatformPolicies.SetupWrite) + .WithName("ResumeSetupSession") + .Produces(StatusCodes.Status200OK) + .Produces(StatusCodes.Status400BadRequest); + + // POST /api/v1/setup/sessions/finalize - Finalize session + sessions.MapPost("/finalize", async Task ( + HttpContext context, + PlatformRequestContextResolver resolver, + PlatformSetupService service, + [FromBody] FinalizeSetupSessionRequest? request, + CancellationToken ct) => + { + if (!TryResolveContext(context, resolver, out var requestContext, out var failure)) + { + return failure!; + } + + try + { + var result = await service.FinalizeSessionAsync( + requestContext!, + request ?? new FinalizeSetupSessionRequest(), + ct).ConfigureAwait(false); + return Results.Ok(result); + } + catch (InvalidOperationException ex) + { + return Results.BadRequest(CreateProblem("Invalid Operation", ex.Message, StatusCodes.Status400BadRequest)); + } + }).RequireAuthorization(PlatformPolicies.SetupWrite) + .WithName("FinalizeSetupSession") + .Produces(StatusCodes.Status200OK) + .Produces(StatusCodes.Status400BadRequest); + } + + private static void MapStepEndpoints(IEndpointRouteBuilder setup) + { + var steps = setup.MapGroup("/steps").WithTags("Setup Steps"); + + // POST /api/v1/setup/steps/execute - Execute a step + steps.MapPost("/execute", async Task ( + HttpContext context, + PlatformRequestContextResolver resolver, + PlatformSetupService service, + [FromBody] ExecuteSetupStepRequest request, + CancellationToken ct) => + { + if (!TryResolveContext(context, resolver, out var requestContext, out var failure)) + { + return failure!; + } + + if (request is null) + { + return Results.BadRequest(CreateProblem( + "Invalid Request", + "Request body is required with stepId.", + StatusCodes.Status400BadRequest)); + } + + try + { + var result = await service.ExecuteStepAsync(requestContext!, request, ct).ConfigureAwait(false); + return Results.Ok(result); + } + catch (InvalidOperationException ex) + { + return Results.BadRequest(CreateProblem("Invalid Operation", ex.Message, StatusCodes.Status400BadRequest)); + } + }).RequireAuthorization(PlatformPolicies.SetupWrite) + .WithName("ExecuteSetupStep") + .Produces(StatusCodes.Status200OK) + .Produces(StatusCodes.Status400BadRequest); + + // POST /api/v1/setup/steps/skip - Skip a step + steps.MapPost("/skip", async Task ( + HttpContext context, + PlatformRequestContextResolver resolver, + PlatformSetupService service, + [FromBody] SkipSetupStepRequest request, + CancellationToken ct) => + { + if (!TryResolveContext(context, resolver, out var requestContext, out var failure)) + { + return failure!; + } + + if (request is null) + { + return Results.BadRequest(CreateProblem( + "Invalid Request", + "Request body is required with stepId.", + StatusCodes.Status400BadRequest)); + } + + try + { + var result = await service.SkipStepAsync(requestContext!, request, ct).ConfigureAwait(false); + return Results.Ok(result); + } + catch (InvalidOperationException ex) + { + return Results.BadRequest(CreateProblem("Invalid Operation", ex.Message, StatusCodes.Status400BadRequest)); + } + }).RequireAuthorization(PlatformPolicies.SetupWrite) + .WithName("SkipSetupStep") + .Produces(StatusCodes.Status200OK) + .Produces(StatusCodes.Status400BadRequest); + } + + private static void MapDefinitionEndpoints(IEndpointRouteBuilder setup) + { + var definitions = setup.MapGroup("/definitions").WithTags("Setup Definitions"); + + // GET /api/v1/setup/definitions/steps - Get all step definitions + definitions.MapGet("/steps", async Task ( + HttpContext context, + PlatformRequestContextResolver resolver, + PlatformSetupService service, + CancellationToken ct) => + { + if (!TryResolveContext(context, resolver, out var requestContext, out var failure)) + { + return failure!; + } + + var result = await service.GetStepDefinitionsAsync(ct).ConfigureAwait(false); + return Results.Ok(result); + }).RequireAuthorization(PlatformPolicies.SetupRead) + .WithName("GetSetupStepDefinitions") + .Produces(StatusCodes.Status200OK); + } + + private static bool TryResolveContext( + HttpContext context, + PlatformRequestContextResolver resolver, + out PlatformRequestContext? requestContext, + out IResult? failure) + { + if (resolver.TryResolve(context, out requestContext, out var error)) + { + failure = null; + return true; + } + + failure = Results.BadRequest(CreateProblem( + "Context Resolution Failed", + error ?? "Unable to resolve tenant context.", + StatusCodes.Status400BadRequest)); + return false; + } + + private static ProblemDetails CreateProblem(string title, string detail, int statusCode) + { + return new ProblemDetails + { + Title = title, + Detail = detail, + Status = statusCode, + Type = $"https://stella.ops/problems/{title.ToLowerInvariant().Replace(' ', '-')}" + }; + } +} diff --git a/src/Platform/StellaOps.Platform.WebService/Program.cs b/src/Platform/StellaOps.Platform.WebService/Program.cs index b8deee0df..a4fa22381 100644 --- a/src/Platform/StellaOps.Platform.WebService/Program.cs +++ b/src/Platform/StellaOps.Platform.WebService/Program.cs @@ -100,6 +100,9 @@ builder.Services.AddAuthorization(options => options.AddStellaOpsScopePolicy(PlatformPolicies.PreferencesWrite, PlatformScopes.PreferencesWrite); options.AddStellaOpsScopePolicy(PlatformPolicies.SearchRead, PlatformScopes.SearchRead); options.AddStellaOpsScopePolicy(PlatformPolicies.MetadataRead, PlatformScopes.MetadataRead); + options.AddStellaOpsScopePolicy(PlatformPolicies.SetupRead, PlatformScopes.SetupRead); + options.AddStellaOpsScopePolicy(PlatformPolicies.SetupWrite, PlatformScopes.SetupWrite); + options.AddStellaOpsScopePolicy(PlatformPolicies.SetupAdmin, PlatformScopes.SetupAdmin); }); builder.Services.AddSingleton(); @@ -121,6 +124,9 @@ builder.Services.AddSingleton(); builder.Services.AddSingleton(); builder.Services.AddSingleton(); +builder.Services.AddSingleton(); +builder.Services.AddSingleton(); + var routerOptions = builder.Configuration.GetSection("Platform:Router").Get(); builder.Services.TryAddStellaRouter( serviceName: "platform", @@ -145,6 +151,7 @@ app.UseAuthorization(); app.TryUseStellaRouter(routerOptions); app.MapPlatformEndpoints(); +app.MapSetupEndpoints(); app.MapGet("/healthz", () => Results.Ok(new { status = "ok" })) .WithTags("Health") diff --git a/src/Platform/StellaOps.Platform.WebService/Services/PlatformSetupService.cs b/src/Platform/StellaOps.Platform.WebService/Services/PlatformSetupService.cs new file mode 100644 index 000000000..5d382d095 --- /dev/null +++ b/src/Platform/StellaOps.Platform.WebService/Services/PlatformSetupService.cs @@ -0,0 +1,475 @@ +// Copyright (c) StellaOps. All rights reserved. +// Licensed under AGPL-3.0-or-later. See LICENSE in the project root. +// Sprint: SPRINT_20260112_004_PLATFORM_setup_wizard_backend (PLATFORM-SETUP-002) +// Task: Implement PlatformSetupService with tenant scoping, TimeProvider injection, and data-as-of metadata + +using System; +using System.Collections.Concurrent; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Globalization; +using System.Linq; +using System.Threading; +using System.Threading.Tasks; +using Microsoft.Extensions.Logging; +using StellaOps.Platform.WebService.Contracts; + +namespace StellaOps.Platform.WebService.Services; + +/// +/// Service for managing setup wizard sessions with tenant scoping and deterministic state management. +/// +public sealed class PlatformSetupService +{ + private readonly PlatformSetupStore _store; + private readonly TimeProvider _timeProvider; + private readonly ILogger _logger; + + public PlatformSetupService( + PlatformSetupStore store, + TimeProvider timeProvider, + ILogger logger) + { + _store = store ?? throw new ArgumentNullException(nameof(store)); + _timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider)); + _logger = logger ?? throw new ArgumentNullException(nameof(logger)); + } + + /// + /// Creates a new setup session for the tenant. + /// + public Task CreateSessionAsync( + PlatformRequestContext context, + CreateSetupSessionRequest request, + CancellationToken ct) + { + var tenantId = request.TenantId ?? context.TenantId; + var nowUtc = _timeProvider.GetUtcNow(); + var nowIso = FormatIso8601(nowUtc); + + // Check if session already exists + var existing = _store.GetByTenant(tenantId); + if (existing is not null && existing.Status == SetupSessionStatus.InProgress) + { + _logger.LogInformation( + "Returning existing in-progress setup session {SessionId} for tenant {TenantId}.", + existing.SessionId, tenantId); + return Task.FromResult(new SetupSessionResponse(existing)); + } + + var sessionId = GenerateSessionId(tenantId, nowUtc); + var steps = CreateInitialStepStates(); + + var session = new SetupSession( + SessionId: sessionId, + TenantId: tenantId, + Status: SetupSessionStatus.InProgress, + Steps: steps, + CreatedAtUtc: nowIso, + UpdatedAtUtc: nowIso, + CreatedBy: context.ActorId, + UpdatedBy: context.ActorId, + DataAsOfUtc: nowIso); + + _store.Upsert(tenantId, session); + _logger.LogInformation( + "Created setup session {SessionId} for tenant {TenantId}.", + sessionId, tenantId); + + return Task.FromResult(new SetupSessionResponse(session)); + } + + /// + /// Gets the current setup session for the tenant. + /// + public Task GetSessionAsync( + PlatformRequestContext context, + CancellationToken ct) + { + var session = _store.GetByTenant(context.TenantId); + if (session is null) + { + return Task.FromResult(null); + } + + return Task.FromResult(new SetupSessionResponse(session)); + } + + /// + /// Resumes an existing setup session or creates a new one. + /// + public Task ResumeOrCreateSessionAsync( + PlatformRequestContext context, + CancellationToken ct) + { + var existing = _store.GetByTenant(context.TenantId); + if (existing is not null) + { + _logger.LogInformation( + "Resumed setup session {SessionId} for tenant {TenantId}.", + existing.SessionId, context.TenantId); + return Task.FromResult(new SetupSessionResponse(existing)); + } + + return CreateSessionAsync(context, new CreateSetupSessionRequest(), ct); + } + + /// + /// Executes a setup step with validation. + /// + public Task ExecuteStepAsync( + PlatformRequestContext context, + ExecuteSetupStepRequest request, + CancellationToken ct) + { + var session = _store.GetByTenant(context.TenantId); + if (session is null) + { + throw new InvalidOperationException("No active setup session. Create a session first."); + } + + var stepDef = SetupStepDefinitions.GetById(request.StepId); + if (stepDef is null) + { + throw new InvalidOperationException($"Unknown step ID: {request.StepId}"); + } + + // Check dependencies + var blockedByDeps = CheckDependencies(session, stepDef); + if (blockedByDeps.Length > 0) + { + var stepState = GetStepState(session, request.StepId) with + { + Status = SetupStepStatus.Blocked, + ErrorMessage = $"Blocked by incomplete dependencies: {string.Join(", ", blockedByDeps)}" + }; + + return Task.FromResult(new ExecuteSetupStepResponse( + StepState: stepState, + Success: false, + ErrorMessage: stepState.ErrorMessage, + SuggestedFixes: ImmutableArray.Empty)); + } + + var nowUtc = _timeProvider.GetUtcNow(); + var nowIso = FormatIso8601(nowUtc); + + // Run Doctor checks for this step + var checkResults = RunDoctorChecks(stepDef.DoctorChecks); + var allPassed = checkResults.All(c => c.Status == SetupCheckStatus.Pass); + + var newStatus = allPassed ? SetupStepStatus.Passed : SetupStepStatus.Failed; + var errorMessage = allPassed + ? null + : string.Join("; ", checkResults.Where(c => c.Status == SetupCheckStatus.Fail).Select(c => c.Message)); + + var updatedStepState = new SetupStepState( + StepId: request.StepId, + Status: newStatus, + CompletedAtUtc: allPassed ? nowIso : null, + SkippedAtUtc: null, + SkippedReason: null, + CheckResults: checkResults, + ErrorMessage: errorMessage); + + // Update session + var updatedSteps = session.Steps + .Select(s => s.StepId == request.StepId ? updatedStepState : s) + .OrderBy(s => (int)s.StepId) + .ToImmutableArray(); + + var updatedSession = session with + { + Steps = updatedSteps, + UpdatedAtUtc = nowIso, + UpdatedBy = context.ActorId, + DataAsOfUtc = nowIso + }; + + _store.Upsert(context.TenantId, updatedSession); + + _logger.LogInformation( + "Executed step {StepId} for session {SessionId}: {Status}.", + request.StepId, session.SessionId, newStatus); + + var suggestedFixes = allPassed + ? ImmutableArray.Empty + : GenerateSuggestedFixes(stepDef, checkResults); + + return Task.FromResult(new ExecuteSetupStepResponse( + StepState: updatedStepState, + Success: allPassed, + ErrorMessage: errorMessage, + SuggestedFixes: suggestedFixes)); + } + + /// + /// Skips an optional setup step. + /// + public Task SkipStepAsync( + PlatformRequestContext context, + SkipSetupStepRequest request, + CancellationToken ct) + { + var session = _store.GetByTenant(context.TenantId); + if (session is null) + { + throw new InvalidOperationException("No active setup session. Create a session first."); + } + + var stepDef = SetupStepDefinitions.GetById(request.StepId); + if (stepDef is null) + { + throw new InvalidOperationException($"Unknown step ID: {request.StepId}"); + } + + if (stepDef.IsRequired) + { + throw new InvalidOperationException($"Step {request.StepId} is required and cannot be skipped."); + } + + var nowUtc = _timeProvider.GetUtcNow(); + var nowIso = FormatIso8601(nowUtc); + + var updatedStepState = new SetupStepState( + StepId: request.StepId, + Status: SetupStepStatus.Skipped, + CompletedAtUtc: null, + SkippedAtUtc: nowIso, + SkippedReason: request.Reason, + CheckResults: ImmutableArray.Empty, + ErrorMessage: null); + + var updatedSteps = session.Steps + .Select(s => s.StepId == request.StepId ? updatedStepState : s) + .OrderBy(s => (int)s.StepId) + .ToImmutableArray(); + + var updatedSession = session with + { + Steps = updatedSteps, + UpdatedAtUtc = nowIso, + UpdatedBy = context.ActorId, + DataAsOfUtc = nowIso + }; + + _store.Upsert(context.TenantId, updatedSession); + + _logger.LogInformation( + "Skipped step {StepId} for session {SessionId}.", + request.StepId, session.SessionId); + + return Task.FromResult(new SetupSessionResponse(updatedSession)); + } + + /// + /// Finalizes the setup session. + /// + public Task FinalizeSessionAsync( + PlatformRequestContext context, + FinalizeSetupSessionRequest request, + CancellationToken ct) + { + var session = _store.GetByTenant(context.TenantId); + if (session is null) + { + throw new InvalidOperationException("No active setup session."); + } + + var nowUtc = _timeProvider.GetUtcNow(); + var nowIso = FormatIso8601(nowUtc); + + var completedSteps = session.Steps.Where(s => s.Status == SetupStepStatus.Passed).ToImmutableArray(); + var skippedSteps = session.Steps.Where(s => s.Status == SetupStepStatus.Skipped).ToImmutableArray(); + var failedSteps = session.Steps.Where(s => s.Status == SetupStepStatus.Failed).ToImmutableArray(); + + // Check all required steps are completed + var requiredSteps = SetupStepDefinitions.All.Where(d => d.IsRequired).Select(d => d.Id).ToHashSet(); + var incompleteRequired = session.Steps + .Where(s => requiredSteps.Contains(s.StepId) && s.Status != SetupStepStatus.Passed) + .ToList(); + + SetupSessionStatus finalStatus; + if (incompleteRequired.Count > 0 && !request.Force) + { + throw new InvalidOperationException( + $"Cannot finalize: required steps not completed: {string.Join(", ", incompleteRequired.Select(s => s.StepId))}"); + } + else if (incompleteRequired.Count > 0) + { + finalStatus = SetupSessionStatus.Failed; + } + else if (skippedSteps.Length > 0) + { + finalStatus = SetupSessionStatus.CompletedPartial; + } + else + { + finalStatus = SetupSessionStatus.Completed; + } + + var updatedSession = session with + { + Status = finalStatus, + UpdatedAtUtc = nowIso, + UpdatedBy = context.ActorId, + DataAsOfUtc = nowIso + }; + + _store.Upsert(context.TenantId, updatedSession); + + _logger.LogInformation( + "Finalized setup session {SessionId} with status {Status}.", + session.SessionId, finalStatus); + + return Task.FromResult(new FinalizeSetupSessionResponse( + FinalStatus: finalStatus, + CompletedSteps: completedSteps, + SkippedSteps: skippedSteps, + FailedSteps: failedSteps, + ReportPath: null)); + } + + /// + /// Gets all step definitions. + /// + public Task GetStepDefinitionsAsync(CancellationToken ct) + { + return Task.FromResult(new SetupStepDefinitionsResponse(SetupStepDefinitions.All)); + } + + #region Private Helpers + + private static string GenerateSessionId(string tenantId, DateTimeOffset timestamp) + { + var dateStr = timestamp.ToString("yyyyMMddHHmmss", CultureInfo.InvariantCulture); + return $"setup-{tenantId}-{dateStr}"; + } + + private static string FormatIso8601(DateTimeOffset timestamp) + { + return timestamp.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ", CultureInfo.InvariantCulture); + } + + private static ImmutableArray CreateInitialStepStates() + { + return SetupStepDefinitions.All + .Select(def => new SetupStepState( + StepId: def.Id, + Status: def.OrderIndex == 1 ? SetupStepStatus.Current : SetupStepStatus.Pending, + CompletedAtUtc: null, + SkippedAtUtc: null, + SkippedReason: null, + CheckResults: ImmutableArray.Empty, + ErrorMessage: null)) + .OrderBy(s => (int)s.StepId) + .ToImmutableArray(); + } + + private static SetupStepState GetStepState(SetupSession session, SetupStepId stepId) + { + return session.Steps.FirstOrDefault(s => s.StepId == stepId) + ?? new SetupStepState(stepId, SetupStepStatus.Pending, null, null, null, + ImmutableArray.Empty, null); + } + + private static ImmutableArray CheckDependencies(SetupSession session, SetupStepDefinition stepDef) + { + var blocked = new List(); + foreach (var depId in stepDef.DependsOn) + { + var depState = session.Steps.FirstOrDefault(s => s.StepId == depId); + if (depState is null || depState.Status != SetupStepStatus.Passed) + { + blocked.Add(depId); + } + } + return blocked.ToImmutableArray(); + } + + private ImmutableArray RunDoctorChecks(ImmutableArray checkIds) + { + // TODO: Integrate with Doctor service when available + // For now, return mock pass results + return checkIds + .Select(checkId => new SetupCheckResult( + CheckId: checkId, + Status: SetupCheckStatus.Pass, + Message: "Check passed", + SuggestedFix: null)) + .ToImmutableArray(); + } + + private static ImmutableArray GenerateSuggestedFixes( + SetupStepDefinition stepDef, + ImmutableArray checkResults) + { + var fixes = new List(); + foreach (var check in checkResults.Where(c => c.Status == SetupCheckStatus.Fail)) + { + if (check.SuggestedFix is not null) + { + fixes.Add(new SetupSuggestedFix( + Title: $"Fix {check.CheckId}", + Description: check.Message ?? "Check failed", + Command: check.SuggestedFix, + DocumentationUrl: null)); + } + } + return fixes.ToImmutableArray(); + } + + #endregion +} + +/// +/// In-memory store for setup wizard sessions with tenant scoping. +/// +public sealed class PlatformSetupStore +{ + private readonly ConcurrentDictionary _sessions = new(StringComparer.OrdinalIgnoreCase); + + /// + /// Gets a setup session by tenant ID. + /// + public SetupSession? GetByTenant(string tenantId) + { + return _sessions.TryGetValue(tenantId, out var session) ? session : null; + } + + /// + /// Gets a setup session by session ID. + /// + public SetupSession? GetBySessionId(string sessionId) + { + return _sessions.Values.FirstOrDefault(s => + string.Equals(s.SessionId, sessionId, StringComparison.Ordinal)); + } + + /// + /// Upserts a setup session. + /// + public void Upsert(string tenantId, SetupSession session) + { + _sessions[tenantId] = session; + } + + /// + /// Removes a setup session. + /// + public bool Remove(string tenantId) + { + return _sessions.TryRemove(tenantId, out _); + } + + /// + /// Lists all sessions (for admin use). + /// + public ImmutableArray ListAll() + { + return _sessions.Values + .OrderBy(s => s.TenantId, StringComparer.Ordinal) + .ThenBy(s => s.SessionId, StringComparer.Ordinal) + .ToImmutableArray(); + } +} diff --git a/src/Policy/StellaOps.Policy.Engine/Endpoints/DeterminizationConfigEndpoints.cs b/src/Policy/StellaOps.Policy.Engine/Endpoints/DeterminizationConfigEndpoints.cs new file mode 100644 index 000000000..b3bd7dd81 --- /dev/null +++ b/src/Policy/StellaOps.Policy.Engine/Endpoints/DeterminizationConfigEndpoints.cs @@ -0,0 +1,316 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config (POLICY-CONFIG-004) +// + +using System.Security.Claims; +using Microsoft.AspNetCore.Builder; +using Microsoft.AspNetCore.Http; +using Microsoft.AspNetCore.Routing; +using Microsoft.Extensions.Logging; +using StellaOps.Policy.Determinization; + +namespace StellaOps.Policy.Engine.Endpoints; + +/// +/// API endpoints for determinization configuration. +/// Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config (POLICY-CONFIG-004) +/// +public static class DeterminizationConfigEndpoints +{ + /// + /// Maps determinization config endpoints. + /// + public static IEndpointRouteBuilder MapDeterminizationConfigEndpoints(this IEndpointRouteBuilder endpoints) + { + var group = endpoints.MapGroup("/api/v1/policy/config/determinization") + .WithTags("Determinization Configuration"); + + // Read endpoints (policy viewer access) + group.MapGet("", GetEffectiveConfig) + .WithName("GetEffectiveDeterminizationConfig") + .WithSummary("Get effective determinization configuration for the current tenant") + .Produces(StatusCodes.Status200OK) + .RequireAuthorization("PolicyViewer"); + + group.MapGet("/defaults", GetDefaultConfig) + .WithName("GetDefaultDeterminizationConfig") + .WithSummary("Get default determinization configuration") + .Produces(StatusCodes.Status200OK) + .RequireAuthorization("PolicyViewer"); + + group.MapGet("/audit", GetAuditHistory) + .WithName("GetDeterminizationConfigAuditHistory") + .WithSummary("Get audit history for determinization configuration changes") + .Produces(StatusCodes.Status200OK) + .RequireAuthorization("PolicyViewer"); + + // Write endpoints (policy admin access) + group.MapPut("", UpdateConfig) + .WithName("UpdateDeterminizationConfig") + .WithSummary("Update determinization configuration for the current tenant") + .Produces(StatusCodes.Status200OK) + .Produces(StatusCodes.Status400BadRequest) + .RequireAuthorization("PolicyAdmin"); + + group.MapPost("/validate", ValidateConfig) + .WithName("ValidateDeterminizationConfig") + .WithSummary("Validate determinization configuration without saving") + .Produces(StatusCodes.Status200OK) + .RequireAuthorization("PolicyViewer"); + + return endpoints; + } + + private static async Task GetEffectiveConfig( + HttpContext context, + IDeterminizationConfigStore configStore, + ILogger logger, + CancellationToken ct) + { + var tenantId = GetTenantId(context); + + logger.LogDebug("Getting effective determinization config for tenant {TenantId}", tenantId); + + var config = await configStore.GetEffectiveConfigAsync(tenantId, ct); + + return Results.Ok(new EffectiveConfigResponse + { + Config = config.Config, + IsDefault = config.IsDefault, + TenantId = config.TenantId, + LastUpdatedAt = config.LastUpdatedAt, + LastUpdatedBy = config.LastUpdatedBy, + Version = config.Version + }); + } + + private static IResult GetDefaultConfig( + ILogger logger) + { + logger.LogDebug("Getting default determinization config"); + return Results.Ok(new DeterminizationOptions()); + } + + private static async Task GetAuditHistory( + HttpContext context, + IDeterminizationConfigStore configStore, + ILogger logger, + int limit = 50, + CancellationToken ct = default) + { + var tenantId = GetTenantId(context); + + logger.LogDebug("Getting audit history for tenant {TenantId}", tenantId); + + var entries = await configStore.GetAuditHistoryAsync(tenantId, limit, ct); + + return Results.Ok(new AuditHistoryResponse + { + Entries = entries.Select(e => new AuditEntryDto + { + Id = e.Id, + ChangedAt = e.ChangedAt, + Actor = e.Actor, + Reason = e.Reason, + Source = e.Source, + Summary = e.Summary + }).ToList() + }); + } + + private static async Task UpdateConfig( + HttpContext context, + IDeterminizationConfigStore configStore, + ILogger logger, + UpdateConfigRequest request, + CancellationToken ct) + { + var tenantId = GetTenantId(context); + var actor = GetActorId(context); + + logger.LogInformation( + "Updating determinization config for tenant {TenantId} by {Actor}: {Reason}", + tenantId, + actor, + request.Reason); + + // Validate config + var validation = ValidateConfigInternal(request.Config); + if (!validation.IsValid) + { + return Results.BadRequest(new { errors = validation.Errors }); + } + + // Save with audit + await configStore.SaveConfigAsync( + tenantId, + request.Config, + new ConfigAuditInfo + { + Actor = actor, + Reason = request.Reason, + Source = "API", + CorrelationId = context.TraceIdentifier + }, + ct); + + // Return updated config + var updated = await configStore.GetEffectiveConfigAsync(tenantId, ct); + + return Results.Ok(new EffectiveConfigResponse + { + Config = updated.Config, + IsDefault = updated.IsDefault, + TenantId = updated.TenantId, + LastUpdatedAt = updated.LastUpdatedAt, + LastUpdatedBy = updated.LastUpdatedBy, + Version = updated.Version + }); + } + + private static IResult ValidateConfig( + ValidateConfigRequest request, + ILogger logger) + { + logger.LogDebug("Validating determinization config"); + + var validation = ValidateConfigInternal(request.Config); + + return Results.Ok(new ValidationResponse + { + IsValid = validation.IsValid, + Errors = validation.Errors, + Warnings = validation.Warnings + }); + } + + private static (bool IsValid, List Errors, List Warnings) ValidateConfigInternal( + DeterminizationOptions config) + { + var errors = new List(); + var warnings = new List(); + + // Validate trigger config + if (config.Triggers.EpssDeltaThreshold < 0 || config.Triggers.EpssDeltaThreshold > 1) + { + errors.Add("EpssDeltaThreshold must be between 0 and 1"); + } + + if (config.Triggers.EpssDeltaThreshold < 0.1) + { + warnings.Add("EpssDeltaThreshold below 0.1 may cause excessive reanalysis"); + } + + // Validate conflict policy + if (config.Conflicts.EscalationSeverityThreshold < 0 || config.Conflicts.EscalationSeverityThreshold > 1) + { + errors.Add("EscalationSeverityThreshold must be between 0 and 1"); + } + + if (config.Conflicts.ConflictTtlHours < 1) + { + errors.Add("ConflictTtlHours must be at least 1"); + } + + // Validate environment thresholds + ValidateThresholds(config.Thresholds.Development, "Development", errors, warnings); + ValidateThresholds(config.Thresholds.Staging, "Staging", errors, warnings); + ValidateThresholds(config.Thresholds.Production, "Production", errors, warnings); + + return (errors.Count == 0, errors, warnings); + } + + private static void ValidateThresholds( + EnvironmentThreshold threshold, + string envName, + List errors, + List warnings) + { + if (threshold.EpssThreshold < 0 || threshold.EpssThreshold > 1) + { + errors.Add($"{envName}.EpssThreshold must be between 0 and 1"); + } + + if (threshold.UncertaintyFactor < 0 || threshold.UncertaintyFactor > 1) + { + errors.Add($"{envName}.UncertaintyFactor must be between 0 and 1"); + } + + if (threshold.MinScore < 0 || threshold.MinScore > 100) + { + errors.Add($"{envName}.MinScore must be between 0 and 100"); + } + + if (threshold.MaxScore < threshold.MinScore) + { + errors.Add($"{envName}.MaxScore must be >= MinScore"); + } + } + + private static string GetTenantId(HttpContext context) + { + return context.User.FindFirstValue("tenant_id") ?? "default"; + } + + private static string GetActorId(HttpContext context) + { + return context.User.FindFirstValue(ClaimTypes.NameIdentifier) + ?? context.User.FindFirstValue("sub") + ?? "system"; + } +} + +// DTOs + +/// Effective config response. +public sealed record EffectiveConfigResponse +{ + public required DeterminizationOptions Config { get; init; } + public required bool IsDefault { get; init; } + public string? TenantId { get; init; } + public DateTimeOffset? LastUpdatedAt { get; init; } + public string? LastUpdatedBy { get; init; } + public int Version { get; init; } +} + +/// Update config request. +public sealed record UpdateConfigRequest +{ + public required DeterminizationOptions Config { get; init; } + public required string Reason { get; init; } +} + +/// Validate config request. +public sealed record ValidateConfigRequest +{ + public required DeterminizationOptions Config { get; init; } +} + +/// Validation response. +public sealed record ValidationResponse +{ + public required bool IsValid { get; init; } + public required List Errors { get; init; } + public required List Warnings { get; init; } +} + +/// Audit history response. +public sealed record AuditHistoryResponse +{ + public required List Entries { get; init; } +} + +/// Audit entry DTO. +public sealed record AuditEntryDto +{ + public required Guid Id { get; init; } + public required DateTimeOffset ChangedAt { get; init; } + public required string Actor { get; init; } + public required string Reason { get; init; } + public string? Source { get; init; } + public string? Summary { get; init; } +} + +/// Logger wrapper for DI. +file class DeterminizationConfigEndpoints { } diff --git a/src/Policy/StellaOps.Policy.Engine/Endpoints/UnknownsEndpoints.cs b/src/Policy/StellaOps.Policy.Engine/Endpoints/UnknownsEndpoints.cs index ec531cf40..8c03aec45 100644 --- a/src/Policy/StellaOps.Policy.Engine/Endpoints/UnknownsEndpoints.cs +++ b/src/Policy/StellaOps.Policy.Engine/Endpoints/UnknownsEndpoints.cs @@ -211,6 +211,29 @@ internal static class UnknownsEndpoints var hint = hintsRegistry.GetHint(u.ReasonCode); var shortCode = ShortCodes.TryGetValue(u.ReasonCode, out var code) ? code : "U-RCH"; + // Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-003) + var triggersDto = u.Triggers.Count > 0 + ? u.Triggers.Select(t => new UnknownTriggerDto( + t.EventType, + t.EventVersion, + t.Source, + t.ReceivedAt, + t.CorrelationId)).ToList() + : null; + + var conflictDto = u.ConflictInfo is { } ci + ? new UnknownConflictInfoDto( + ci.HasConflict, + ci.Severity, + ci.SuggestedPath, + ci.Conflicts.Select(c => new UnknownConflictDetailDto( + c.Signal1, + c.Signal2, + c.Type, + c.Description, + c.Severity)).ToList()) + : null; + return new UnknownDto( u.Id, u.PackageId, @@ -228,7 +251,12 @@ internal static class UnknownsEndpoints u.RemediationHint ?? hint.ShortHint, hint.DetailedHint, hint.AutomationRef, - u.EvidenceRefs.Select(e => new EvidenceRefDto(e.Type, e.Uri, e.Digest)).ToList()); + u.EvidenceRefs.Select(e => new EvidenceRefDto(e.Type, e.Uri, e.Digest)).ToList(), + u.FingerprintId, + triggersDto, + u.NextActions.Count > 0 ? u.NextActions.ToList() : null, + conflictDto, + u.ObservationState); } private static readonly IReadOnlyDictionary ShortCodes = @@ -264,13 +292,50 @@ public sealed record UnknownDto( string? RemediationHint, string? DetailedHint, string? AutomationCommand, - IReadOnlyList EvidenceRefs); + IReadOnlyList EvidenceRefs, + // Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-003) + string? FingerprintId = null, + IReadOnlyList? Triggers = null, + IReadOnlyList? NextActions = null, + UnknownConflictInfoDto? ConflictInfo = null, + string? ObservationState = null); public sealed record EvidenceRefDto( string Type, string Uri, string? Digest); +/// +/// Trigger that caused a reanalysis. +/// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-003) +/// +public sealed record UnknownTriggerDto( + string EventType, + int EventVersion, + string? Source, + DateTimeOffset ReceivedAt, + string? CorrelationId); + +/// +/// Conflict information for an unknown. +/// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-003) +/// +public sealed record UnknownConflictInfoDto( + bool HasConflict, + double Severity, + string SuggestedPath, + IReadOnlyList Conflicts); + +/// +/// Detail of a specific conflict. +/// +public sealed record UnknownConflictDetailDto( + string Signal1, + string Signal2, + string Type, + string Description, + double Severity); + /// Response containing a list of unknowns. public sealed record UnknownsListResponse(IReadOnlyList Items, int TotalCount); diff --git a/src/Policy/StellaOps.Policy.Engine/Gates/Determinization/SignalSnapshotBuilder.cs b/src/Policy/StellaOps.Policy.Engine/Gates/Determinization/SignalSnapshotBuilder.cs index 30661b61b..15a7895da 100644 --- a/src/Policy/StellaOps.Policy.Engine/Gates/Determinization/SignalSnapshotBuilder.cs +++ b/src/Policy/StellaOps.Policy.Engine/Gates/Determinization/SignalSnapshotBuilder.cs @@ -1,4 +1,5 @@ using Microsoft.Extensions.Logging; +using StellaOps.Policy.Determinization.Evidence; using StellaOps.Policy.Determinization.Models; namespace StellaOps.Policy.Engine.Gates.Determinization; @@ -62,14 +63,91 @@ public sealed class SignalSnapshotBuilder : ISignalSnapshotBuilder private static string BuildSubjectKey(string cveId, string componentPurl) => $"{cveId}::{componentPurl}"; + // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-002) + // Map signals to snapshot with anchor metadata support private SignalSnapshot ApplySignal(SignalSnapshot snapshot, Signal signal) { - // This is a placeholder implementation - // In a real implementation, this would map Signal objects to SignalState instances - // based on signal type and update the appropriate field in the snapshot + var queriedAt = signal.ObservedAt; + return signal.Type.ToUpperInvariant() switch + { + "VEX" => snapshot with + { + Vex = MapSignalState(signal, queriedAt) + }, + "EPSS" => snapshot with + { + Epss = MapSignalState(signal, queriedAt) + }, + "REACHABILITY" => snapshot with + { + Reachability = MapSignalState(signal, queriedAt) + }, + "RUNTIME" => snapshot with + { + Runtime = MapSignalState(signal, queriedAt) + }, + "BACKPORT" => snapshot with + { + Backport = MapSignalState(signal, queriedAt) + }, + "SBOM" => snapshot with + { + Sbom = MapSignalState(signal, queriedAt) + }, + "CVSS" => snapshot with + { + Cvss = MapSignalState(signal, queriedAt) + }, + _ => HandleUnknownSignalType(snapshot, signal.Type) + }; + } + + private SignalSnapshot HandleUnknownSignalType(SignalSnapshot snapshot, string signalType) + { + _logger.LogWarning("Unknown signal type: {Type}", signalType); return snapshot; } + + /// + /// Maps a raw signal to a typed SignalState with proper evidence casting. + /// Handles anchor metadata propagation from stored evidence. + /// + private static SignalState MapSignalState(Signal signal, DateTimeOffset queriedAt) + { + if (signal.Evidence is null) + { + return SignalState.Queried(default, queriedAt); + } + + // Handle direct type match + if (signal.Evidence is T typedEvidence) + { + return SignalState.Queried(typedEvidence, queriedAt); + } + + // Handle JSON element deserialization (common when evidence comes from storage) + if (signal.Evidence is System.Text.Json.JsonElement jsonElement) + { + try + { + var deserialized = System.Text.Json.JsonSerializer.Deserialize( + jsonElement.GetRawText(), + new System.Text.Json.JsonSerializerOptions + { + PropertyNameCaseInsensitive = true + }); + return SignalState.Queried(deserialized, queriedAt); + } + catch (System.Text.Json.JsonException) + { + return SignalState.Failed($"Failed to deserialize {typeof(T).Name}", queriedAt); + } + } + + // Cannot convert + return SignalState.Failed($"Cannot convert {signal.Evidence.GetType().Name} to {typeof(T).Name}", queriedAt); + } } /// diff --git a/src/Policy/StellaOps.Policy.Engine/Policies/DeterminizationRuleSet.cs b/src/Policy/StellaOps.Policy.Engine/Policies/DeterminizationRuleSet.cs index ff871e306..16c69407b 100644 --- a/src/Policy/StellaOps.Policy.Engine/Policies/DeterminizationRuleSet.cs +++ b/src/Policy/StellaOps.Policy.Engine/Policies/DeterminizationRuleSet.cs @@ -23,6 +23,69 @@ public sealed class DeterminizationRuleSet public static DeterminizationRuleSet Default(DeterminizationOptions options) => new(new List { + // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-003) + // Anchored rules have highest priority to short-circuit evaluation + + // Rule 0a: Hard-fail if anchored VEX affected + anchored runtime telemetry confirms + new DeterminizationRule + { + Name = "AnchoredAffectedWithRuntimeHardFail", + Priority = 1, + Condition = (ctx, _) => + ctx.SignalSnapshot.Vex.HasValue && + ctx.SignalSnapshot.Vex.Value!.IsAnchored && + string.Equals(ctx.SignalSnapshot.Vex.Value.Status, "affected", StringComparison.OrdinalIgnoreCase) && + ctx.SignalSnapshot.Runtime.HasValue && + ctx.SignalSnapshot.Runtime.Value!.IsAnchored && + ctx.SignalSnapshot.Runtime.Value.Detected, + Action = (ctx, _) => + DeterminizationResult.Blocked( + "Anchored VEX affected status combined with anchored runtime telemetry confirms active vulnerability - hard fail") + }, + + // Rule 0b: Allow if anchored VEX not_affected + new DeterminizationRule + { + Name = "AnchoredVexNotAffectedAllow", + Priority = 2, + Condition = (ctx, _) => + ctx.SignalSnapshot.Vex.HasValue && + ctx.SignalSnapshot.Vex.Value!.IsAnchored && + (string.Equals(ctx.SignalSnapshot.Vex.Value.Status, "not_affected", StringComparison.OrdinalIgnoreCase) || + string.Equals(ctx.SignalSnapshot.Vex.Value.Status, "fixed", StringComparison.OrdinalIgnoreCase)), + Action = (ctx, _) => + DeterminizationResult.Allowed( + $"Anchored VEX statement indicates {ctx.SignalSnapshot.Vex.Value!.Status} - short-circuit allow") + }, + + // Rule 0c: Allow if anchored backport proof + new DeterminizationRule + { + Name = "AnchoredBackportProofAllow", + Priority = 3, + Condition = (ctx, _) => + ctx.SignalSnapshot.Backport.HasValue && + ctx.SignalSnapshot.Backport.Value!.IsAnchored && + ctx.SignalSnapshot.Backport.Value.Detected, + Action = (ctx, _) => + DeterminizationResult.Allowed( + $"Anchored backport proof confirms patch applied (source: {ctx.SignalSnapshot.Backport.Value!.Source}) - short-circuit allow") + }, + + // Rule 0d: Allow if anchored reachability not_reachable + new DeterminizationRule + { + Name = "AnchoredUnreachableAllow", + Priority = 4, + Condition = (ctx, _) => + ctx.SignalSnapshot.Reachability.HasValue && + ctx.SignalSnapshot.Reachability.Value!.IsAnchored && + !ctx.SignalSnapshot.Reachability.Value.IsReachable, + Action = (ctx, _) => + DeterminizationResult.Allowed( + "Anchored reachability analysis confirms code is unreachable - short-circuit allow") + }, + // Rule 1: Escalate if runtime evidence shows vulnerable code loaded new DeterminizationRule { diff --git a/src/Policy/StellaOps.Policy.Engine/Policies/IDeterminizationPolicy.cs b/src/Policy/StellaOps.Policy.Engine/Policies/IDeterminizationPolicy.cs index 907a75494..e6dbf9d53 100644 --- a/src/Policy/StellaOps.Policy.Engine/Policies/IDeterminizationPolicy.cs +++ b/src/Policy/StellaOps.Policy.Engine/Policies/IDeterminizationPolicy.cs @@ -45,6 +45,11 @@ public sealed record DeterminizationResult public static DeterminizationResult Quarantined(string reason, PolicyVerdictStatus status = PolicyVerdictStatus.Blocked) => new() { Status = status, Reason = reason }; + // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-003) + /// Creates a hard-fail blocked result for anchored evidence confirming active vulnerability. + public static DeterminizationResult Blocked(string reason) => + new() { Status = PolicyVerdictStatus.Blocked, Reason = reason, SuggestedState = ObservationState.Disputed }; + public static DeterminizationResult Escalated(string reason, PolicyVerdictStatus status = PolicyVerdictStatus.Escalated) => new() { Status = status, Reason = reason }; diff --git a/src/Policy/StellaOps.Policy.Engine/Subscriptions/DeterminizationEvents.cs b/src/Policy/StellaOps.Policy.Engine/Subscriptions/DeterminizationEvents.cs index 00518baa1..331298ba4 100644 --- a/src/Policy/StellaOps.Policy.Engine/Subscriptions/DeterminizationEvents.cs +++ b/src/Policy/StellaOps.Policy.Engine/Subscriptions/DeterminizationEvents.cs @@ -4,6 +4,7 @@ namespace StellaOps.Policy.Engine.Subscriptions; /// /// Events for signal updates that trigger re-evaluation. +/// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-005) /// public static class DeterminizationEventTypes { @@ -13,20 +14,39 @@ public static class DeterminizationEventTypes public const string RuntimeUpdated = "runtime.updated"; public const string BackportUpdated = "backport.updated"; public const string ObservationStateChanged = "observation.state_changed"; + + // Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-005) + // Additional event types for reanalysis triggers + public const string SbomUpdated = "sbom.updated"; + public const string DsseValidationChanged = "dsse.validation_changed"; + public const string RekorEntryAdded = "rekor.entry_added"; + public const string PatchProofAdded = "patch.proof_added"; + public const string ToolVersionChanged = "tool.version_changed"; } /// /// Event published when a signal is updated. +/// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-005) /// public sealed record SignalUpdatedEvent { public required string EventType { get; init; } + + /// Event schema version (default: 1). + public int EventVersion { get; init; } = 1; + public required string CveId { get; init; } public required string Purl { get; init; } public required DateTimeOffset UpdatedAt { get; init; } public required string Source { get; init; } public object? NewValue { get; init; } public object? PreviousValue { get; init; } + + /// Correlation ID for tracing event chains. + public string? CorrelationId { get; init; } + + /// Additional metadata for event processing. + public IReadOnlyDictionary? Metadata { get; init; } } /// diff --git a/src/Policy/StellaOps.Policy.Engine/Subscriptions/SignalUpdateHandler.cs b/src/Policy/StellaOps.Policy.Engine/Subscriptions/SignalUpdateHandler.cs index 18168c4f5..92806622b 100644 --- a/src/Policy/StellaOps.Policy.Engine/Subscriptions/SignalUpdateHandler.cs +++ b/src/Policy/StellaOps.Policy.Engine/Subscriptions/SignalUpdateHandler.cs @@ -1,36 +1,86 @@ using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; +using StellaOps.Policy.Determinization; using StellaOps.Policy.Determinization.Models; using StellaOps.Policy.Engine.Gates; namespace StellaOps.Policy.Engine.Subscriptions; /// -/// Implementation of signal update handling. +/// Implementation of signal update handling with versioned event mapping. +/// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-005) /// public sealed class SignalUpdateHandler : ISignalUpdateSubscription { private readonly IObservationRepository _observations; private readonly IDeterminizationGate _gate; private readonly IEventPublisher _eventPublisher; + private readonly DeterminizationOptions _options; + private readonly TimeProvider _timeProvider; private readonly ILogger _logger; + // Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-005) + // Event version registry for compatibility + private static readonly IReadOnlyDictionary CurrentEventVersions = new Dictionary + { + [DeterminizationEventTypes.EpssUpdated] = 1, + [DeterminizationEventTypes.VexUpdated] = 1, + [DeterminizationEventTypes.ReachabilityUpdated] = 1, + [DeterminizationEventTypes.RuntimeUpdated] = 1, + [DeterminizationEventTypes.BackportUpdated] = 1, + [DeterminizationEventTypes.SbomUpdated] = 1, + [DeterminizationEventTypes.DsseValidationChanged] = 1, + [DeterminizationEventTypes.RekorEntryAdded] = 1, + [DeterminizationEventTypes.PatchProofAdded] = 1, + [DeterminizationEventTypes.ToolVersionChanged] = 1 + }; + public SignalUpdateHandler( IObservationRepository observations, IDeterminizationGate gate, IEventPublisher eventPublisher, + IOptions options, + TimeProvider timeProvider, ILogger logger) { _observations = observations; _gate = gate; _eventPublisher = eventPublisher; + _options = options.Value; + _timeProvider = timeProvider; _logger = logger; } + // Legacy constructor for backward compatibility + public SignalUpdateHandler( + IObservationRepository observations, + IDeterminizationGate gate, + IEventPublisher eventPublisher, + ILogger logger) + : this(observations, gate, eventPublisher, + Options.Create(new DeterminizationOptions()), + TimeProvider.System, + logger) + { + } + public async Task HandleAsync(SignalUpdatedEvent evt, CancellationToken ct = default) { + // Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-005) + // Check if this event type should trigger reanalysis + if (!ShouldTriggerReanalysis(evt)) + { + _logger.LogDebug( + "Event {EventType}@{EventVersion} does not trigger reanalysis per config", + evt.EventType, + evt.EventVersion); + return; + } + _logger.LogInformation( - "Processing signal update: {EventType} for CVE {CveId} on {Purl}", + "Processing signal update: {EventType}@{EventVersion} for CVE {CveId} on {Purl}", evt.EventType, + evt.EventVersion, evt.CveId, evt.Purl); @@ -52,23 +102,107 @@ public sealed class SignalUpdateHandler : ISignalUpdateSubscription } } + /// + /// Determines if an event should trigger reanalysis based on config. + /// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-005) + /// + private bool ShouldTriggerReanalysis(SignalUpdatedEvent evt) + { + var triggers = _options.Triggers; + + return evt.EventType switch + { + DeterminizationEventTypes.EpssUpdated => + triggers.TriggerOnThresholdCrossing && MeetsEpssDeltaThreshold(evt), + + DeterminizationEventTypes.VexUpdated => + triggers.TriggerOnVexStatusChange, + + DeterminizationEventTypes.ReachabilityUpdated or + DeterminizationEventTypes.RuntimeUpdated => + triggers.TriggerOnRuntimeTelemetryChange, + + DeterminizationEventTypes.BackportUpdated or + DeterminizationEventTypes.PatchProofAdded => + triggers.TriggerOnPatchProofAdded, + + DeterminizationEventTypes.DsseValidationChanged => + triggers.TriggerOnDsseValidationChange, + + DeterminizationEventTypes.RekorEntryAdded => + triggers.TriggerOnRekorEntry, + + DeterminizationEventTypes.ToolVersionChanged => + triggers.TriggerOnToolVersionChange, + + DeterminizationEventTypes.SbomUpdated => + true, // Always trigger for SBOM changes + + _ => true // Unknown events default to trigger + }; + } + + /// + /// Check if EPSS delta meets threshold. + /// + private bool MeetsEpssDeltaThreshold(SignalUpdatedEvent evt) + { + if (evt.Metadata is null || + !evt.Metadata.TryGetValue("delta", out var deltaObj) || + deltaObj is not double delta) + { + return true; // If no delta info, trigger anyway + } + + return Math.Abs(delta) >= _options.Triggers.EpssDeltaThreshold; + } + + /// + /// Gets the current version for an event type. + /// + public static int GetCurrentEventVersion(string eventType) => + CurrentEventVersions.TryGetValue(eventType, out var version) ? version : 1; + + /// + /// Checks if an event version is supported. + /// + public static bool IsVersionSupported(string eventType, int version) + { + if (!CurrentEventVersions.TryGetValue(eventType, out var currentVersion)) + { + return true; // Unknown events are allowed + } + return version <= currentVersion; + } + private async Task ReEvaluateObservationAsync( CveObservation obs, SignalUpdatedEvent trigger, CancellationToken ct) { - // This is a placeholder for re-evaluation logic - // In a full implementation, this would: - // 1. Build PolicyGateContext from observation - // 2. Call gate.EvaluateDeterminizationAsync() - // 3. Compare new verdict with old verdict - // 4. Publish ObservationStateChangedEvent if state changed - // 5. Update observation in repository - _logger.LogDebug( - "Re-evaluating observation {ObservationId} after {EventType}", + "Re-evaluating observation {ObservationId} after {EventType}@{EventVersion}", obs.Id, - trigger.EventType); + trigger.EventType, + trigger.EventVersion); + + // Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-005) + // Build reanalysis trigger for fingerprint + var reanalysisTrigger = new ReanalysisTrigger + { + EventType = trigger.EventType, + EventVersion = trigger.EventVersion, + Source = trigger.Source, + ReceivedAt = _timeProvider.GetUtcNow(), + CorrelationId = trigger.CorrelationId + }; + + // TODO: Full implementation would: + // 1. Build PolicyGateContext from observation + // 2. Call gate.EvaluateDeterminizationAsync() with trigger info + // 3. Compare new verdict with old verdict + // 4. If state changed, publish ObservationStateChangedEvent + // 5. Update observation in repository with new fingerprint await Task.CompletedTask; } diff --git a/src/Policy/__Libraries/StellaOps.Policy.Determinization/DeterminizationOptions.cs b/src/Policy/__Libraries/StellaOps.Policy.Determinization/DeterminizationOptions.cs index 328532374..7d8b37522 100644 --- a/src/Policy/__Libraries/StellaOps.Policy.Determinization/DeterminizationOptions.cs +++ b/src/Policy/__Libraries/StellaOps.Policy.Determinization/DeterminizationOptions.cs @@ -2,6 +2,7 @@ namespace StellaOps.Policy.Determinization; /// /// Configuration options for the Determinization subsystem. +/// Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config (POLICY-CONFIG-001) /// public sealed record DeterminizationOptions { @@ -37,4 +38,174 @@ public sealed record DeterminizationOptions /// Maximum retry attempts for failed signal queries (default: 3). public int MaxSignalQueryRetries { get; init; } = 3; + + // Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config (POLICY-CONFIG-001) + + /// Reanalysis trigger configuration. + public ReanalysisTriggerConfig Triggers { get; init; } = new(); + + /// Conflict handling policy. + public ConflictHandlingPolicy ConflictPolicy { get; init; } = new(); + + /// Per-environment threshold overrides. + public EnvironmentThresholds EnvironmentThresholds { get; init; } = new(); +} + +/// +/// Configuration for reanalysis triggers. +/// Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config (POLICY-CONFIG-001) +/// +public sealed record ReanalysisTriggerConfig +{ + /// Trigger on EPSS delta >= this value (default: 0.2). + public double EpssDeltaThreshold { get; init; } = 0.2; + + /// Trigger when entropy crosses threshold (default: true). + public bool TriggerOnThresholdCrossing { get; init; } = true; + + /// Trigger on new Rekor entry (default: true). + public bool TriggerOnRekorEntry { get; init; } = true; + + /// Trigger on OpenVEX status change (default: true). + public bool TriggerOnVexStatusChange { get; init; } = true; + + /// Trigger on runtime telemetry exploit/reachability change (default: true). + public bool TriggerOnRuntimeTelemetryChange { get; init; } = true; + + /// Trigger on binary patch proof added (default: true). + public bool TriggerOnPatchProofAdded { get; init; } = true; + + /// Trigger on DSSE validation state change (default: true). + public bool TriggerOnDsseValidationChange { get; init; } = true; + + /// Trigger on tool version update (default: false). + public bool TriggerOnToolVersionChange { get; init; } = false; + + /// Minimum interval between reanalyses in minutes (default: 15). + public int MinReanalysisIntervalMinutes { get; init; } = 15; + + /// Maximum reanalyses per day per CVE (default: 10). + public int MaxReanalysesPerDayPerCve { get; init; } = 10; +} + +/// +/// Conflict handling policy configuration. +/// Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config (POLICY-CONFIG-001) +/// +public sealed record ConflictHandlingPolicy +{ + /// Action to take when VEX/reachability conflict is detected. + public ConflictAction VexReachabilityConflictAction { get; init; } = ConflictAction.RequireManualReview; + + /// Action to take when static/runtime conflict is detected. + public ConflictAction StaticRuntimeConflictAction { get; init; } = ConflictAction.RequireManualReview; + + /// Action to take when multiple VEX sources conflict. + public ConflictAction VexStatusConflictAction { get; init; } = ConflictAction.RequestVendorClarification; + + /// Action to take when backport/status conflict is detected. + public ConflictAction BackportStatusConflictAction { get; init; } = ConflictAction.RequireManualReview; + + /// Severity threshold above which conflicts require escalation (default: 0.85). + public double EscalationSeverityThreshold { get; init; } = 0.85; + + /// Time-to-live for conflicts before auto-escalation in hours (default: 48). + public int ConflictTtlHours { get; init; } = 48; + + /// Enable automatic conflict resolution for low-severity conflicts (default: false). + public bool EnableAutoResolution { get; init; } = false; +} + +/// +/// Action to take when a conflict is detected. +/// +public enum ConflictAction +{ + /// Log and continue with existing verdict. + LogAndContinue, + + /// Require manual security review. + RequireManualReview, + + /// Request clarification from vendor. + RequestVendorClarification, + + /// Escalate to security steering committee. + EscalateToCommittee, + + /// Block release until resolved. + BlockUntilResolved +} + +/// +/// Per-environment threshold configuration. +/// Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config (POLICY-CONFIG-001) +/// +public sealed record EnvironmentThresholds +{ + /// Development environment thresholds. + public EnvironmentThresholdValues Development { get; init; } = EnvironmentThresholdValues.Relaxed; + + /// Staging environment thresholds. + public EnvironmentThresholdValues Staging { get; init; } = EnvironmentThresholdValues.Standard; + + /// Production environment thresholds. + public EnvironmentThresholdValues Production { get; init; } = EnvironmentThresholdValues.Strict; + + /// Get thresholds for a named environment. + public EnvironmentThresholdValues GetForEnvironment(string environmentName) + { + return environmentName?.ToUpperInvariant() switch + { + "DEV" or "DEVELOPMENT" => Development, + "STAGE" or "STAGING" or "QA" => Staging, + "PROD" or "PRODUCTION" => Production, + _ => Staging // Default to staging thresholds + }; + } +} + +/// +/// Threshold values for a specific environment. +/// +public sealed record EnvironmentThresholdValues +{ + /// Maximum entropy allowed for pass verdict. + public double MaxPassEntropy { get; init; } + + /// Minimum evidence count required for pass verdict. + public int MinEvidenceCount { get; init; } + + /// Whether DSSE signing is required. + public bool RequireDsseSigning { get; init; } + + /// Whether Rekor transparency is required. + public bool RequireRekorTransparency { get; init; } + + /// Standard thresholds for staging-like environments. + public static EnvironmentThresholdValues Standard => new() + { + MaxPassEntropy = 0.40, + MinEvidenceCount = 2, + RequireDsseSigning = false, + RequireRekorTransparency = false + }; + + /// Relaxed thresholds for development environments. + public static EnvironmentThresholdValues Relaxed => new() + { + MaxPassEntropy = 0.60, + MinEvidenceCount = 1, + RequireDsseSigning = false, + RequireRekorTransparency = false + }; + + /// Strict thresholds for production environments. + public static EnvironmentThresholdValues Strict => new() + { + MaxPassEntropy = 0.25, + MinEvidenceCount = 3, + RequireDsseSigning = true, + RequireRekorTransparency = true + }; } diff --git a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/BackportEvidence.cs b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/BackportEvidence.cs index cb8e12e9f..a8909e4c7 100644 --- a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/BackportEvidence.cs +++ b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/BackportEvidence.cs @@ -48,4 +48,18 @@ public sealed record BackportEvidence /// [JsonPropertyName("confidence")] public required double Confidence { get; init; } + + // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-002) + + /// + /// Anchor metadata for the backport evidence (DSSE envelope, Rekor, etc.). + /// + [JsonPropertyName("anchor")] + public EvidenceAnchor? Anchor { get; init; } + + /// + /// Whether the backport evidence is anchored (has DSSE/Rekor attestation). + /// + [JsonIgnore] + public bool IsAnchored => Anchor?.Anchored == true; } diff --git a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/EvidenceAnchor.cs b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/EvidenceAnchor.cs new file mode 100644 index 000000000..01bc02820 --- /dev/null +++ b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/EvidenceAnchor.cs @@ -0,0 +1,94 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later +// Copyright (c) 2025 StellaOps +// Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-002) +// Task: Shared anchor metadata for all evidence types + +using System.Text.Json.Serialization; + +namespace StellaOps.Policy.Determinization.Evidence; + +/// +/// Shared anchor metadata for cryptographically attested evidence. +/// Used across VEX, backport, runtime, and reachability evidence types. +/// +public sealed record EvidenceAnchor +{ + /// + /// Whether the evidence is anchored with attestation. + /// + [JsonPropertyName("anchored")] + public required bool Anchored { get; init; } + + /// + /// DSSE envelope digest (sha256:hex). + /// + [JsonPropertyName("envelope_digest")] + public string? EnvelopeDigest { get; init; } + + /// + /// Predicate type of the attestation. + /// + [JsonPropertyName("predicate_type")] + public string? PredicateType { get; init; } + + /// + /// Rekor log index if transparency-anchored. + /// + [JsonPropertyName("rekor_log_index")] + public long? RekorLogIndex { get; init; } + + /// + /// Rekor entry ID if transparency-anchored. + /// + [JsonPropertyName("rekor_entry_id")] + public string? RekorEntryId { get; init; } + + /// + /// Scope of the attestation (e.g., "finding", "package", "image"). + /// + [JsonPropertyName("scope")] + public string? Scope { get; init; } + + /// + /// Whether the attestation signature has been verified. + /// + [JsonPropertyName("verified")] + public bool? Verified { get; init; } + + /// + /// Timestamp when the attestation was created (UTC). + /// + [JsonPropertyName("attested_at")] + public DateTimeOffset? AttestedAt { get; init; } + + /// + /// Whether the evidence is Rekor-anchored (has log index). + /// + [JsonIgnore] + public bool IsRekorAnchored => RekorLogIndex.HasValue; + + /// + /// Creates an unanchored evidence anchor. + /// + public static EvidenceAnchor Unanchored => new() { Anchored = false }; + + /// + /// Creates an anchored evidence anchor with basic info. + /// + public static EvidenceAnchor CreateAnchored( + string envelopeDigest, + string predicateType, + long? rekorLogIndex = null, + string? rekorEntryId = null, + bool? verified = null, + DateTimeOffset? attestedAt = null) => new() + { + Anchored = true, + EnvelopeDigest = envelopeDigest, + PredicateType = predicateType, + RekorLogIndex = rekorLogIndex, + RekorEntryId = rekorEntryId, + Verified = verified, + AttestedAt = attestedAt + }; +} diff --git a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/ReachabilityEvidence.cs b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/ReachabilityEvidence.cs index d05f5f263..c55b431ef 100644 --- a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/ReachabilityEvidence.cs +++ b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/ReachabilityEvidence.cs @@ -54,6 +54,20 @@ public sealed record ReachabilityEvidence /// [JsonIgnore] public bool IsReachable => Status == ReachabilityStatus.Reachable; + + // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-002) + + /// + /// Anchor metadata for the reachability evidence (DSSE envelope, Rekor, etc.). + /// + [JsonPropertyName("anchor")] + public EvidenceAnchor? Anchor { get; init; } + + /// + /// Whether the reachability evidence is anchored (has DSSE/Rekor attestation). + /// + [JsonIgnore] + public bool IsAnchored => Anchor?.Anchored == true; } /// diff --git a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/RuntimeEvidence.cs b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/RuntimeEvidence.cs index 5e14924ec..f77ef631c 100644 --- a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/RuntimeEvidence.cs +++ b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/RuntimeEvidence.cs @@ -49,4 +49,18 @@ public sealed record RuntimeEvidence /// [JsonIgnore] public bool ObservedLoaded => Detected; + + // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-002) + + /// + /// Anchor metadata for the runtime evidence (DSSE envelope, Rekor, etc.). + /// + [JsonPropertyName("anchor")] + public EvidenceAnchor? Anchor { get; init; } + + /// + /// Whether the runtime evidence is anchored (has DSSE/Rekor attestation). + /// + [JsonIgnore] + public bool IsAnchored => Anchor?.Anchored == true; } diff --git a/src/Policy/__Libraries/StellaOps.Policy.Determinization/IDeterminizationConfigStore.cs b/src/Policy/__Libraries/StellaOps.Policy.Determinization/IDeterminizationConfigStore.cs new file mode 100644 index 000000000..11c4c57dc --- /dev/null +++ b/src/Policy/__Libraries/StellaOps.Policy.Determinization/IDeterminizationConfigStore.cs @@ -0,0 +1,210 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config (POLICY-CONFIG-002) +// + +namespace StellaOps.Policy.Determinization; + +/// +/// Store for per-tenant determinization configuration with audit trail. +/// Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config (POLICY-CONFIG-002) +/// +public interface IDeterminizationConfigStore +{ + /// + /// Gets the effective configuration for a tenant. + /// Returns default config if no tenant-specific config exists. + /// + Task GetEffectiveConfigAsync( + string tenantId, + CancellationToken ct = default); + + /// + /// Saves configuration for a tenant with audit information. + /// + Task SaveConfigAsync( + string tenantId, + DeterminizationOptions config, + ConfigAuditInfo auditInfo, + CancellationToken ct = default); + + /// + /// Gets the audit history for a tenant's configuration changes. + /// + Task> GetAuditHistoryAsync( + string tenantId, + int limit = 50, + CancellationToken ct = default); +} + +/// +/// Effective configuration with metadata. +/// +public sealed record EffectiveDeterminizationConfig +{ + /// The active configuration values. + public required DeterminizationOptions Config { get; init; } + + /// Whether this is the default config or tenant-specific. + public required bool IsDefault { get; init; } + + /// Tenant ID (null for default). + public string? TenantId { get; init; } + + /// When the config was last updated. + public DateTimeOffset? LastUpdatedAt { get; init; } + + /// Who last updated the config. + public string? LastUpdatedBy { get; init; } + + /// Configuration version for optimistic concurrency. + public int Version { get; init; } +} + +/// +/// Audit information for config changes. +/// +public sealed record ConfigAuditInfo +{ + /// User or system making the change. + public required string Actor { get; init; } + + /// Reason for the change. + public required string Reason { get; init; } + + /// Source of the change (UI, API, CLI, etc.). + public string? Source { get; init; } + + /// Correlation ID for tracing. + public string? CorrelationId { get; init; } +} + +/// +/// Audit trail entry for config changes. +/// +public sealed record ConfigAuditEntry +{ + /// Unique entry ID. + public required Guid Id { get; init; } + + /// Tenant ID. + public required string TenantId { get; init; } + + /// When the change occurred. + public required DateTimeOffset ChangedAt { get; init; } + + /// User or system making the change. + public required string Actor { get; init; } + + /// Reason for the change. + public required string Reason { get; init; } + + /// Source of the change. + public string? Source { get; init; } + + /// The previous configuration (JSON). + public string? PreviousConfig { get; init; } + + /// The new configuration (JSON). + public required string NewConfig { get; init; } + + /// Change summary. + public string? Summary { get; init; } +} + +/// +/// In-memory implementation of for testing. +/// Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config (POLICY-CONFIG-002) +/// +public sealed class InMemoryDeterminizationConfigStore : IDeterminizationConfigStore +{ + private readonly Dictionary _configs = new(); + private readonly List _auditLog = []; + private readonly DeterminizationOptions _defaultConfig = new(); + private readonly object _lock = new(); + + public Task GetEffectiveConfigAsync( + string tenantId, + CancellationToken ct = default) + { + lock (_lock) + { + if (_configs.TryGetValue(tenantId, out var entry)) + { + return Task.FromResult(new EffectiveDeterminizationConfig + { + Config = entry.Config, + IsDefault = false, + TenantId = tenantId, + LastUpdatedAt = entry.UpdatedAt, + LastUpdatedBy = entry.UpdatedBy, + Version = entry.Version + }); + } + + return Task.FromResult(new EffectiveDeterminizationConfig + { + Config = _defaultConfig, + IsDefault = true, + TenantId = null, + LastUpdatedAt = null, + LastUpdatedBy = null, + Version = 0 + }); + } + } + + public Task SaveConfigAsync( + string tenantId, + DeterminizationOptions config, + ConfigAuditInfo auditInfo, + CancellationToken ct = default) + { + lock (_lock) + { + string? previousConfigJson = null; + var version = 1; + + if (_configs.TryGetValue(tenantId, out var existing)) + { + previousConfigJson = System.Text.Json.JsonSerializer.Serialize(existing.Config); + version = existing.Version + 1; + } + + var now = DateTimeOffset.UtcNow; + _configs[tenantId] = (config, version, now, auditInfo.Actor); + + _auditLog.Add(new ConfigAuditEntry + { + Id = Guid.NewGuid(), + TenantId = tenantId, + ChangedAt = now, + Actor = auditInfo.Actor, + Reason = auditInfo.Reason, + Source = auditInfo.Source, + PreviousConfig = previousConfigJson, + NewConfig = System.Text.Json.JsonSerializer.Serialize(config), + Summary = $"Config updated by {auditInfo.Actor}: {auditInfo.Reason}" + }); + } + + return Task.CompletedTask; + } + + public Task> GetAuditHistoryAsync( + string tenantId, + int limit = 50, + CancellationToken ct = default) + { + lock (_lock) + { + var entries = _auditLog + .Where(e => e.TenantId == tenantId) + .OrderByDescending(e => e.ChangedAt) + .Take(limit) + .ToList(); + + return Task.FromResult>(entries); + } + } +} diff --git a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/DeterminizationResult.cs b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/DeterminizationResult.cs index eb7bdb22b..5264d3a97 100644 --- a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/DeterminizationResult.cs +++ b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/DeterminizationResult.cs @@ -5,6 +5,7 @@ namespace StellaOps.Policy.Determinization.Models; /// /// Result of determinization evaluation. /// Combines observation state, uncertainty score, and guardrails. +/// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-001) /// public sealed record DeterminizationResult { @@ -50,6 +51,13 @@ public sealed record DeterminizationResult [JsonPropertyName("rationale")] public string? Rationale { get; init; } + /// + /// Reanalysis fingerprint for deterministic replay. + /// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-001) + /// + [JsonPropertyName("fingerprint")] + public ReanalysisFingerprint? Fingerprint { get; init; } + /// /// Creates result for determined observation (low uncertainty). /// diff --git a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ReanalysisFingerprint.cs b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ReanalysisFingerprint.cs new file mode 100644 index 000000000..22c7ec5a0 --- /dev/null +++ b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ReanalysisFingerprint.cs @@ -0,0 +1,297 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-001) +// + +using System.Security.Cryptography; +using System.Text; +using System.Text.Json; +using System.Text.Json.Serialization; + +namespace StellaOps.Policy.Determinization.Models; + +/// +/// Deterministic fingerprint for reanalysis triggering and replay verification. +/// Content-addressed to enable reproducible policy evaluations. +/// +public sealed record ReanalysisFingerprint +{ + private static readonly JsonSerializerOptions CanonicalOptions = new() + { + PropertyNamingPolicy = JsonNamingPolicy.SnakeCaseLower, + DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull, + WriteIndented = false + }; + + /// + /// Content-addressed fingerprint ID (sha256:...). + /// + [JsonPropertyName("fingerprint_id")] + public required string FingerprintId { get; init; } + + /// + /// DSSE bundle digest for evidence provenance. + /// + [JsonPropertyName("dsse_bundle_digest")] + public string? DsseBundleDigest { get; init; } + + /// + /// Sorted list of evidence digests contributing to this fingerprint. + /// + [JsonPropertyName("evidence_digests")] + public IReadOnlyList EvidenceDigests { get; init; } = []; + + /// + /// Tool versions used for evaluation (deterministic ordering). + /// + [JsonPropertyName("tool_versions")] + public IReadOnlyDictionary ToolVersions { get; init; } = new Dictionary(); + + /// + /// Product version under evaluation. + /// + [JsonPropertyName("product_version")] + public string? ProductVersion { get; init; } + + /// + /// Policy configuration hash at evaluation time. + /// + [JsonPropertyName("policy_config_hash")] + public string? PolicyConfigHash { get; init; } + + /// + /// Signal weights hash for determinism verification. + /// + [JsonPropertyName("signal_weights_hash")] + public string? SignalWeightsHash { get; init; } + + /// + /// When this fingerprint was computed (UTC ISO-8601). + /// + [JsonPropertyName("computed_at")] + public required DateTimeOffset ComputedAt { get; init; } + + /// + /// Triggers that caused this reanalysis. + /// + [JsonPropertyName("triggers")] + public IReadOnlyList Triggers { get; init; } = []; + + /// + /// Suggested next actions based on current state. + /// + [JsonPropertyName("next_actions")] + public IReadOnlyList NextActions { get; init; } = []; +} + +/// +/// Trigger that caused a reanalysis. +/// +public sealed record ReanalysisTrigger +{ + /// + /// Event type that triggered reanalysis (e.g., epss.updated, vex.changed). + /// + [JsonPropertyName("event_type")] + public required string EventType { get; init; } + + /// + /// Event version for schema compatibility. + /// + [JsonPropertyName("event_version")] + public int EventVersion { get; init; } = 1; + + /// + /// Source of the event (e.g., scanner, excititor, signals). + /// + [JsonPropertyName("source")] + public string? Source { get; init; } + + /// + /// When the event was received (UTC). + /// + [JsonPropertyName("received_at")] + public DateTimeOffset ReceivedAt { get; init; } + + /// + /// Event correlation ID for traceability. + /// + [JsonPropertyName("correlation_id")] + public string? CorrelationId { get; init; } +} + +/// +/// Builder for creating deterministic reanalysis fingerprints. +/// +public sealed class ReanalysisFingerprintBuilder +{ + private readonly TimeProvider _timeProvider; + private string? _dsseBundleDigest; + private readonly List _evidenceDigests = []; + private readonly SortedDictionary _toolVersions = new(StringComparer.Ordinal); + private string? _productVersion; + private string? _policyConfigHash; + private string? _signalWeightsHash; + private readonly List _triggers = []; + private readonly List _nextActions = []; + + public ReanalysisFingerprintBuilder(TimeProvider? timeProvider = null) + { + _timeProvider = timeProvider ?? TimeProvider.System; + } + + public ReanalysisFingerprintBuilder WithDsseBundleDigest(string? digest) + { + _dsseBundleDigest = digest; + return this; + } + + public ReanalysisFingerprintBuilder AddEvidenceDigest(string digest) + { + if (!string.IsNullOrWhiteSpace(digest)) + { + _evidenceDigests.Add(digest); + } + return this; + } + + public ReanalysisFingerprintBuilder AddEvidenceDigests(IEnumerable digests) + { + foreach (var digest in digests) + { + AddEvidenceDigest(digest); + } + return this; + } + + public ReanalysisFingerprintBuilder WithToolVersion(string tool, string version) + { + _toolVersions[tool] = version; + return this; + } + + public ReanalysisFingerprintBuilder WithProductVersion(string? version) + { + _productVersion = version; + return this; + } + + public ReanalysisFingerprintBuilder WithPolicyConfigHash(string? hash) + { + _policyConfigHash = hash; + return this; + } + + public ReanalysisFingerprintBuilder WithSignalWeightsHash(string? hash) + { + _signalWeightsHash = hash; + return this; + } + + public ReanalysisFingerprintBuilder AddTrigger(ReanalysisTrigger trigger) + { + _triggers.Add(trigger); + return this; + } + + public ReanalysisFingerprintBuilder AddTrigger(string eventType, int eventVersion = 1, string? source = null, string? correlationId = null) + { + _triggers.Add(new ReanalysisTrigger + { + EventType = eventType, + EventVersion = eventVersion, + Source = source, + ReceivedAt = _timeProvider.GetUtcNow(), + CorrelationId = correlationId + }); + return this; + } + + public ReanalysisFingerprintBuilder AddNextAction(string action) + { + if (!string.IsNullOrWhiteSpace(action)) + { + _nextActions.Add(action); + } + return this; + } + + /// + /// Builds the fingerprint with a deterministic content-addressed ID. + /// + public ReanalysisFingerprint Build() + { + var now = _timeProvider.GetUtcNow(); + + // Sort evidence digests for determinism + var sortedDigests = _evidenceDigests + .Distinct(StringComparer.Ordinal) + .OrderBy(d => d, StringComparer.Ordinal) + .ToList(); + + // Sort triggers by event type then received_at for determinism + var sortedTriggers = _triggers + .OrderBy(t => t.EventType, StringComparer.Ordinal) + .ThenBy(t => t.ReceivedAt) + .ToList(); + + // Sort next actions for determinism + var sortedActions = _nextActions + .Distinct(StringComparer.Ordinal) + .OrderBy(a => a, StringComparer.Ordinal) + .ToList(); + + // Compute content-addressed fingerprint ID + var fingerprintId = ComputeFingerprintId( + _dsseBundleDigest, + sortedDigests, + _toolVersions, + _productVersion, + _policyConfigHash, + _signalWeightsHash); + + return new ReanalysisFingerprint + { + FingerprintId = fingerprintId, + DsseBundleDigest = _dsseBundleDigest, + EvidenceDigests = sortedDigests, + ToolVersions = new Dictionary(_toolVersions), + ProductVersion = _productVersion, + PolicyConfigHash = _policyConfigHash, + SignalWeightsHash = _signalWeightsHash, + ComputedAt = now, + Triggers = sortedTriggers, + NextActions = sortedActions + }; + } + + private static string ComputeFingerprintId( + string? dsseBundleDigest, + IReadOnlyList evidenceDigests, + IReadOnlyDictionary toolVersions, + string? productVersion, + string? policyConfigHash, + string? signalWeightsHash) + { + // Create canonical representation for hashing + var canonical = new + { + dsse = dsseBundleDigest, + evidence = evidenceDigests, + tools = toolVersions, + product = productVersion, + policy = policyConfigHash, + weights = signalWeightsHash + }; + + var json = JsonSerializer.SerializeToUtf8Bytes(canonical, new JsonSerializerOptions + { + PropertyNamingPolicy = JsonNamingPolicy.SnakeCaseLower, + DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull, + WriteIndented = false + }); + + var hash = SHA256.HashData(json); + return "sha256:" + Convert.ToHexStringLower(hash); + } +} diff --git a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/SignalConflictExtensions.cs b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/SignalConflictExtensions.cs new file mode 100644 index 000000000..8b67463f2 --- /dev/null +++ b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/SignalConflictExtensions.cs @@ -0,0 +1,80 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-002) +// + +using StellaOps.Policy.Determinization.Evidence; + +namespace StellaOps.Policy.Determinization.Models; + +/// +/// Extension methods for signal conflict detection. +/// +public static class SignalConflictExtensions +{ + /// + /// Returns true if VEX status is "not_affected". + /// + public static bool IsNotAffected(this SignalState vex) + { + return vex.HasValue && vex.Value!.IsNotAffected; + } + + /// + /// Returns true if VEX status is "affected". + /// + public static bool IsAffected(this SignalState vex) + { + return vex.HasValue && string.Equals(vex.Value!.Status, "affected", StringComparison.OrdinalIgnoreCase); + } + + /// + /// Returns true if reachability shows exploitable path. + /// + public static bool IsExploitable(this SignalState reachability) + { + return reachability.HasValue && reachability.Value!.IsReachable; + } + + /// + /// Returns true if static analysis shows unreachable. + /// + public static bool IsStaticUnreachable(this SignalState reachability) + { + return reachability.HasValue && reachability.Value!.Status == ReachabilityStatus.Unreachable; + } + + /// + /// Returns true if runtime telemetry detected execution. + /// + public static bool HasExecution(this SignalState runtime) + { + return runtime.HasValue && runtime.Value!.Detected; + } + + /// + /// Returns true if multiple VEX sources exist. + /// + public static bool HasMultipleSources(this SignalState vex) + { + return vex.HasValue && vex.Value!.StatementCount > 1; + } + + /// + /// Returns true if VEX sources have conflicting status. + /// This is determined by low confidence when multiple sources exist. + /// + public static bool HasConflictingStatus(this SignalState vex) + { + // If there are multiple sources and confidence is below 0.7, they likely conflict + return vex.HasValue && vex.Value!.StatementCount > 1 && vex.Value!.Confidence < 0.7; + } + + /// + /// Returns true if backport evidence indicates fix is applied. + /// + public static bool IsBackported(this SignalState backport) + { + return backport.HasValue && backport.Value!.Detected; + } +} diff --git a/src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/ConflictDetector.cs b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/ConflictDetector.cs new file mode 100644 index 000000000..c783b30d9 --- /dev/null +++ b/src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/ConflictDetector.cs @@ -0,0 +1,306 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-002) +// + +using StellaOps.Policy.Determinization.Evidence; +using StellaOps.Policy.Determinization.Models; + +namespace StellaOps.Policy.Determinization.Scoring; + +/// +/// Detects conflicting evidence signals that require manual adjudication. +/// +public interface IConflictDetector +{ + /// + /// Detects conflicts in the signal snapshot. + /// + ConflictDetectionResult Detect(SignalSnapshot snapshot); +} + +/// +/// Result of conflict detection. +/// +public sealed record ConflictDetectionResult +{ + /// + /// Whether any conflicts were detected. + /// + public bool HasConflict { get; init; } + + /// + /// List of detected conflicts. + /// + public IReadOnlyList Conflicts { get; init; } = []; + + /// + /// Overall conflict severity (0.0 = none, 1.0 = critical). + /// + public double Severity { get; init; } + + /// + /// Suggested adjudication path. + /// + public AdjudicationPath SuggestedPath { get; init; } = AdjudicationPath.None; + + public static ConflictDetectionResult NoConflict() => new() + { + HasConflict = false, + Conflicts = [], + Severity = 0.0, + SuggestedPath = AdjudicationPath.None + }; + + public static ConflictDetectionResult WithConflicts( + IReadOnlyList conflicts, + double severity, + AdjudicationPath suggestedPath) => new() + { + HasConflict = conflicts.Count > 0, + Conflicts = conflicts, + Severity = Math.Clamp(severity, 0.0, 1.0), + SuggestedPath = suggestedPath + }; +} + +/// +/// A detected conflict between signals. +/// +public sealed record SignalConflict +{ + /// + /// First signal in the conflict. + /// + public required string Signal1 { get; init; } + + /// + /// Second signal in the conflict. + /// + public required string Signal2 { get; init; } + + /// + /// Type of conflict. + /// + public required ConflictType Type { get; init; } + + /// + /// Human-readable description. + /// + public required string Description { get; init; } + + /// + /// Conflict severity (0.0 = minor, 1.0 = critical). + /// + public double Severity { get; init; } +} + +/// +/// Type of signal conflict. +/// +public enum ConflictType +{ + /// + /// VEX says not_affected but reachability shows exploitable path. + /// + VexReachabilityContradiction, + + /// + /// Static analysis says unreachable but runtime telemetry shows execution. + /// + StaticRuntimeContradiction, + + /// + /// Multiple VEX statements with conflicting status. + /// + VexStatusConflict, + + /// + /// Backport evidence conflicts with vulnerability status. + /// + BackportStatusConflict, + + /// + /// EPSS score conflicts with other risk indicators. + /// + EpssRiskContradiction, + + /// + /// Other conflict type. + /// + Other +} + +/// +/// Suggested adjudication path for conflicts. +/// +public enum AdjudicationPath +{ + /// + /// No adjudication needed. + /// + None, + + /// + /// Automatic resolution possible with additional evidence. + /// + AutoResolvable, + + /// + /// Requires human review by security team. + /// + SecurityTeamReview, + + /// + /// Requires vendor clarification. + /// + VendorClarification, + + /// + /// Escalate to security steering committee. + /// + SteeringCommittee +} + +/// +/// Default implementation of conflict detection. +/// +public sealed class ConflictDetector : IConflictDetector +{ + private readonly ILogger _logger; + + public ConflictDetector(ILogger logger) + { + _logger = logger; + } + + public ConflictDetectionResult Detect(SignalSnapshot snapshot) + { + ArgumentNullException.ThrowIfNull(snapshot); + + var conflicts = new List(); + + // Check VEX vs Reachability contradiction + CheckVexReachabilityConflict(snapshot, conflicts); + + // Check Static vs Runtime contradiction + CheckStaticRuntimeConflict(snapshot, conflicts); + + // Check multiple VEX statements + CheckVexStatusConflict(snapshot, conflicts); + + // Check Backport vs Status conflict + CheckBackportStatusConflict(snapshot, conflicts); + + if (conflicts.Count == 0) + { + return ConflictDetectionResult.NoConflict(); + } + + // Calculate overall severity (max of all conflicts) + var severity = conflicts.Max(c => c.Severity); + + // Determine adjudication path based on conflict types and severity + var suggestedPath = DetermineAdjudicationPath(conflicts, severity); + + _logger.LogWarning( + "Detected {ConflictCount} signal conflicts for CVE {Cve} / PURL {Purl} with severity {Severity:F2}", + conflicts.Count, + snapshot.Cve, + snapshot.Purl, + severity); + + return ConflictDetectionResult.WithConflicts( + conflicts.OrderBy(c => c.Type).ThenByDescending(c => c.Severity).ToList(), + severity, + suggestedPath); + } + + private static void CheckVexReachabilityConflict(SignalSnapshot snapshot, List conflicts) + { + // VEX says not_affected but reachability shows exploitable + if (snapshot.Vex.IsNotAffected && snapshot.Reachability.IsExploitable) + { + conflicts.Add(new SignalConflict + { + Signal1 = "VEX", + Signal2 = "Reachability", + Type = ConflictType.VexReachabilityContradiction, + Description = "VEX status is not_affected but reachability analysis shows exploitable path", + Severity = 0.9 // High severity - needs resolution + }); + } + } + + private static void CheckStaticRuntimeConflict(SignalSnapshot snapshot, List conflicts) + { + // Static says unreachable but runtime shows execution + if (snapshot.Reachability.IsStaticUnreachable && snapshot.Runtime.HasExecution) + { + conflicts.Add(new SignalConflict + { + Signal1 = "StaticReachability", + Signal2 = "RuntimeTelemetry", + Type = ConflictType.StaticRuntimeContradiction, + Description = "Static analysis shows unreachable but runtime telemetry detected execution", + Severity = 0.85 // High severity - static analysis may be incomplete + }); + } + } + + private static void CheckVexStatusConflict(SignalSnapshot snapshot, List conflicts) + { + // Multiple VEX sources with conflicting status + if (snapshot.Vex.HasMultipleSources && snapshot.Vex.HasConflictingStatus) + { + conflicts.Add(new SignalConflict + { + Signal1 = "VEX:Source1", + Signal2 = "VEX:Source2", + Type = ConflictType.VexStatusConflict, + Description = "Multiple VEX statements with conflicting status", + Severity = 0.7 // Medium-high - needs vendor clarification + }); + } + } + + private static void CheckBackportStatusConflict(SignalSnapshot snapshot, List conflicts) + { + // Backport says fixed but vulnerability still active + if (snapshot.Backport.IsBackported && snapshot.Vex.IsAffected) + { + conflicts.Add(new SignalConflict + { + Signal1 = "Backport", + Signal2 = "VEX", + Type = ConflictType.BackportStatusConflict, + Description = "Backport evidence indicates fix applied but VEX status shows affected", + Severity = 0.6 // Medium - may be version mismatch + }); + } + } + + private static AdjudicationPath DetermineAdjudicationPath(IReadOnlyList conflicts, double severity) + { + // Critical conflicts go to steering committee + if (severity >= 0.95) + { + return AdjudicationPath.SteeringCommittee; + } + + // VEX conflicts need vendor clarification + if (conflicts.Any(c => c.Type == ConflictType.VexStatusConflict)) + { + return AdjudicationPath.VendorClarification; + } + + // High severity needs security team review + if (severity >= 0.7) + { + return AdjudicationPath.SecurityTeamReview; + } + + // Lower severity may be auto-resolvable with more evidence + return AdjudicationPath.AutoResolvable; + } +} diff --git a/src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/Unknown.cs b/src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/Unknown.cs index e0935f858..e582a41fc 100644 --- a/src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/Unknown.cs +++ b/src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/Unknown.cs @@ -91,8 +91,56 @@ public sealed record Unknown /// Last update timestamp. public required DateTimeOffset UpdatedAt { get; init; } + + // Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-003) + + /// Reanalysis fingerprint ID for deterministic replay. + public string? FingerprintId { get; init; } + + /// Triggers that caused the last reanalysis. + public IReadOnlyList Triggers { get; init; } = []; + + /// Suggested next actions based on current state. + public IReadOnlyList NextActions { get; init; } = []; + + /// Conflict detection result if conflicts exist. + public UnknownConflictInfo? ConflictInfo { get; init; } + + /// Observation state from determinization. + public string? ObservationState { get; init; } } +/// +/// Trigger that caused a reanalysis of an unknown. +/// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-003) +/// +public sealed record UnknownTrigger( + string EventType, + int EventVersion, + string? Source, + DateTimeOffset ReceivedAt, + string? CorrelationId); + +/// +/// Conflict information for an unknown. +/// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-003) +/// +public sealed record UnknownConflictInfo( + bool HasConflict, + double Severity, + string SuggestedPath, + IReadOnlyList Conflicts); + +/// +/// Detail of a specific conflict. +/// +public sealed record UnknownConflictDetail( + string Signal1, + string Signal2, + string Type, + string Description, + double Severity); + /// /// Reference to evidence supporting unknown classification. /// diff --git a/src/Policy/__Libraries/StellaOps.Policy/Gates/CvssThresholdGate.cs b/src/Policy/__Libraries/StellaOps.Policy/Gates/CvssThresholdGate.cs new file mode 100644 index 000000000..900071f88 --- /dev/null +++ b/src/Policy/__Libraries/StellaOps.Policy/Gates/CvssThresholdGate.cs @@ -0,0 +1,349 @@ +// ----------------------------------------------------------------------------- +// CvssThresholdGate.cs +// Sprint: SPRINT_20260112_017_POLICY_cvss_threshold_gate +// Tasks: CVSS-GATE-001 to CVSS-GATE-007 +// Description: Policy gate for CVSS score threshold enforcement. +// ----------------------------------------------------------------------------- + +using System.Collections.Immutable; +using System.Globalization; +using StellaOps.Policy.TrustLattice; + +namespace StellaOps.Policy.Gates; + +/// +/// Configuration options for CVSS threshold gate. +/// +public sealed class CvssThresholdGateOptions +{ + /// + /// Configuration section name. + /// + public const string SectionName = "Policy:Gates:CvssThreshold"; + + /// + /// Whether the gate is enabled. + /// + public bool Enabled { get; init; } = true; + + /// + /// Gate priority (lower = earlier evaluation). + /// + public int Priority { get; init; } = 15; + + /// + /// Default CVSS threshold (used when environment-specific not configured). + /// + public double DefaultThreshold { get; init; } = 7.0; + + /// + /// Per-environment CVSS thresholds. + /// + public IReadOnlyDictionary Thresholds { get; init; } = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["production"] = 7.0, + ["staging"] = 8.0, + ["development"] = 9.0 + }; + + /// + /// Preferred CVSS version for evaluation: "v3.1", "v4.0", or "highest". + /// + public string CvssVersionPreference { get; init; } = "highest"; + + /// + /// CVEs to always allow regardless of score. + /// + public IReadOnlySet Allowlist { get; init; } = new HashSet(StringComparer.OrdinalIgnoreCase); + + /// + /// CVEs to always block regardless of score. + /// + public IReadOnlySet Denylist { get; init; } = new HashSet(StringComparer.OrdinalIgnoreCase); + + /// + /// Whether to fail findings without CVSS scores. + /// + public bool FailOnMissingCvss { get; init; } = false; + + /// + /// Whether to require all CVSS versions to pass (AND) vs any (OR). + /// + public bool RequireAllVersionsPass { get; init; } = false; +} + +/// +/// CVSS score information for a finding. +/// +public sealed record CvssScoreInfo +{ + /// + /// CVSS v3.1 base score (0.0-10.0), null if not available. + /// + public double? CvssV31BaseScore { get; init; } + + /// + /// CVSS v4.0 base score (0.0-10.0), null if not available. + /// + public double? CvssV40BaseScore { get; init; } + + /// + /// CVSS v3.1 vector string. + /// + public string? CvssV31Vector { get; init; } + + /// + /// CVSS v4.0 vector string. + /// + public string? CvssV40Vector { get; init; } +} + +/// +/// Policy gate that enforces CVSS score thresholds. +/// Blocks findings with CVSS scores exceeding configured thresholds. +/// +public sealed class CvssThresholdGate : IPolicyGate +{ + private readonly CvssThresholdGateOptions _options; + private readonly Func _cvssLookup; + + /// + /// Initializes the gate with options and optional CVSS lookup. + /// + /// Gate options. + /// Function to look up CVSS scores by CVE ID. If null, uses context metadata. + public CvssThresholdGate(CvssThresholdGateOptions? options = null, Func? cvssLookup = null) + { + _options = options ?? new CvssThresholdGateOptions(); + _cvssLookup = cvssLookup ?? (_ => null); + } + + /// + public Task EvaluateAsync(MergeResult mergeResult, PolicyGateContext context, CancellationToken ct = default) + { + if (!_options.Enabled) + { + return Task.FromResult(Pass("disabled")); + } + + var cveId = context.CveId; + + // Check denylist first (always block) + if (!string.IsNullOrEmpty(cveId) && _options.Denylist.Contains(cveId)) + { + return Task.FromResult(Fail( + "denylist", + new Dictionary + { + ["cve_id"] = cveId, + ["reason"] = "CVE is on denylist" + })); + } + + // Check allowlist (always pass) + if (!string.IsNullOrEmpty(cveId) && _options.Allowlist.Contains(cveId)) + { + return Task.FromResult(Pass( + "allowlist", + new Dictionary + { + ["cve_id"] = cveId, + ["reason"] = "CVE is on allowlist" + })); + } + + // Get CVSS scores + var cvssInfo = GetCvssScores(cveId, context); + if (cvssInfo is null || (!cvssInfo.CvssV31BaseScore.HasValue && !cvssInfo.CvssV40BaseScore.HasValue)) + { + if (_options.FailOnMissingCvss) + { + return Task.FromResult(Fail( + "missing_cvss", + new Dictionary + { + ["cve_id"] = cveId ?? "(unknown)", + ["reason"] = "No CVSS score available" + })); + } + + return Task.FromResult(Pass( + "no_cvss_available", + new Dictionary + { + ["cve_id"] = cveId ?? "(unknown)" + })); + } + + // Get threshold for environment + var threshold = GetThreshold(context.Environment); + + // Evaluate based on version preference + var (passed, selectedScore, selectedVersion) = EvaluateCvss(cvssInfo, threshold); + + var details = new Dictionary + { + ["threshold"] = threshold, + ["environment"] = context.Environment, + ["cvss_version"] = selectedVersion, + ["cvss_score"] = selectedScore, + ["preference"] = _options.CvssVersionPreference + }; + + if (cvssInfo.CvssV31BaseScore.HasValue) + { + details["cvss_v31_score"] = cvssInfo.CvssV31BaseScore.Value; + } + if (cvssInfo.CvssV40BaseScore.HasValue) + { + details["cvss_v40_score"] = cvssInfo.CvssV40BaseScore.Value; + } + if (!string.IsNullOrEmpty(cveId)) + { + details["cve_id"] = cveId; + } + + if (!passed) + { + return Task.FromResult(Fail( + "cvss_exceeds_threshold", + details)); + } + + return Task.FromResult(Pass("cvss_within_threshold", details)); + } + + private CvssScoreInfo? GetCvssScores(string? cveId, PolicyGateContext context) + { + // Try lookup function first + var fromLookup = _cvssLookup(cveId); + if (fromLookup is not null) + { + return fromLookup; + } + + // Try to extract from context metadata + if (context.Metadata is null) + { + return null; + } + + double? v31Score = null; + double? v40Score = null; + string? v31Vector = null; + string? v40Vector = null; + + if (context.Metadata.TryGetValue("cvss_v31_score", out var v31Str) && + double.TryParse(v31Str, NumberStyles.Float, CultureInfo.InvariantCulture, out var v31)) + { + v31Score = v31; + } + + if (context.Metadata.TryGetValue("cvss_v40_score", out var v40Str) && + double.TryParse(v40Str, NumberStyles.Float, CultureInfo.InvariantCulture, out var v40)) + { + v40Score = v40; + } + + if (context.Metadata.TryGetValue("cvss_v31_vector", out var v31Vec)) + { + v31Vector = v31Vec; + } + + if (context.Metadata.TryGetValue("cvss_v40_vector", out var v40Vec)) + { + v40Vector = v40Vec; + } + + if (!v31Score.HasValue && !v40Score.HasValue) + { + return null; + } + + return new CvssScoreInfo + { + CvssV31BaseScore = v31Score, + CvssV40BaseScore = v40Score, + CvssV31Vector = v31Vector, + CvssV40Vector = v40Vector + }; + } + + private double GetThreshold(string environment) + { + if (_options.Thresholds.TryGetValue(environment, out var threshold)) + { + return threshold; + } + + return _options.DefaultThreshold; + } + + private (bool Passed, double Score, string Version) EvaluateCvss(CvssScoreInfo cvssInfo, double threshold) + { + var v31Score = cvssInfo.CvssV31BaseScore; + var v40Score = cvssInfo.CvssV40BaseScore; + + return _options.CvssVersionPreference.ToLowerInvariant() switch + { + "v3.1" when v31Score.HasValue => (v31Score.Value < threshold, v31Score.Value, "v3.1"), + "v4.0" when v40Score.HasValue => (v40Score.Value < threshold, v40Score.Value, "v4.0"), + "highest" => EvaluateHighest(v31Score, v40Score, threshold), + _ => EvaluateHighest(v31Score, v40Score, threshold) + }; + } + + private (bool Passed, double Score, string Version) EvaluateHighest(double? v31Score, double? v40Score, double threshold) + { + // Use whichever score is available, preferring the higher one for conservative evaluation + if (v31Score.HasValue && v40Score.HasValue) + { + if (_options.RequireAllVersionsPass) + { + // Both must pass + var passed = v31Score.Value < threshold && v40Score.Value < threshold; + var higherScore = Math.Max(v31Score.Value, v40Score.Value); + var version = v31Score.Value >= v40Score.Value ? "v3.1" : "v4.0"; + return (passed, higherScore, $"both ({version} highest)"); + } + else + { + // Use the higher score (more conservative) + if (v31Score.Value >= v40Score.Value) + { + return (v31Score.Value < threshold, v31Score.Value, "v3.1"); + } + return (v40Score.Value < threshold, v40Score.Value, "v4.0"); + } + } + + if (v31Score.HasValue) + { + return (v31Score.Value < threshold, v31Score.Value, "v3.1"); + } + + if (v40Score.HasValue) + { + return (v40Score.Value < threshold, v40Score.Value, "v4.0"); + } + + // No score available - should not reach here if caller checks first + return (true, 0.0, "none"); + } + + private static GateResult Pass(string reason, IDictionary? details = null) => new() + { + GateName = nameof(CvssThresholdGate), + Passed = true, + Reason = reason, + Details = details?.ToImmutableDictionary() ?? ImmutableDictionary.Empty + }; + + private static GateResult Fail(string reason, IDictionary? details = null) => new() + { + GateName = nameof(CvssThresholdGate), + Passed = false, + Reason = reason, + Details = details?.ToImmutableDictionary() ?? ImmutableDictionary.Empty + }; +} diff --git a/src/Policy/__Libraries/StellaOps.Policy/Gates/CvssThresholdGateExtensions.cs b/src/Policy/__Libraries/StellaOps.Policy/Gates/CvssThresholdGateExtensions.cs new file mode 100644 index 000000000..0a6c7e1b0 --- /dev/null +++ b/src/Policy/__Libraries/StellaOps.Policy/Gates/CvssThresholdGateExtensions.cs @@ -0,0 +1,80 @@ +// ----------------------------------------------------------------------------- +// CvssThresholdGateExtensions.cs +// Sprint: SPRINT_20260112_017_POLICY_cvss_threshold_gate +// Tasks: CVSS-GATE-007 +// Description: Extension methods for CVSS threshold gate registration. +// ----------------------------------------------------------------------------- + +using Microsoft.Extensions.Configuration; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.DependencyInjection.Extensions; + +namespace StellaOps.Policy.Gates; + +/// +/// Extension methods for CVSS threshold gate registration. +/// +public static class CvssThresholdGateExtensions +{ + /// + /// Adds CVSS threshold gate services to the service collection. + /// + /// Service collection. + /// Configuration to bind options from. + /// Service collection for chaining. + public static IServiceCollection AddCvssThresholdGate( + this IServiceCollection services, + IConfiguration configuration) + { + ArgumentNullException.ThrowIfNull(services); + ArgumentNullException.ThrowIfNull(configuration); + + services.Configure( + configuration.GetSection(CvssThresholdGateOptions.SectionName)); + + services.TryAddSingleton(sp => + { + var options = sp.GetService>()?.Value; + return new CvssThresholdGate(options); + }); + + return services; + } + + /// + /// Adds CVSS threshold gate services with explicit options. + /// + /// Service collection. + /// Options configuration action. + /// Service collection for chaining. + public static IServiceCollection AddCvssThresholdGate( + this IServiceCollection services, + Action configureOptions) + { + ArgumentNullException.ThrowIfNull(services); + ArgumentNullException.ThrowIfNull(configureOptions); + + services.Configure(configureOptions); + + services.TryAddSingleton(sp => + { + var options = sp.GetService>()?.Value; + return new CvssThresholdGate(options); + }); + + return services; + } + + /// + /// Registers the CVSS threshold gate with a policy gate registry. + /// + /// Policy gate registry. + /// Registry for chaining. + public static IPolicyGateRegistry RegisterCvssThresholdGate(this IPolicyGateRegistry registry) + { + ArgumentNullException.ThrowIfNull(registry); + + registry.Register(nameof(CvssThresholdGate)); + return registry; + } +} diff --git a/src/Policy/__Libraries/StellaOps.Policy/Gates/SbomPresenceGate.cs b/src/Policy/__Libraries/StellaOps.Policy/Gates/SbomPresenceGate.cs new file mode 100644 index 000000000..a14e3b9bc --- /dev/null +++ b/src/Policy/__Libraries/StellaOps.Policy/Gates/SbomPresenceGate.cs @@ -0,0 +1,470 @@ +// ----------------------------------------------------------------------------- +// SbomPresenceGate.cs +// Sprint: SPRINT_20260112_017_POLICY_sbom_presence_gate +// Tasks: SBOM-GATE-001 to SBOM-GATE-008 +// Description: Policy gate for SBOM presence and format validation. +// ----------------------------------------------------------------------------- + +using System.Collections.Immutable; +using System.Globalization; +using System.Text.Json; +using StellaOps.Policy.TrustLattice; + +namespace StellaOps.Policy.Gates; + +/// +/// Configuration options for SBOM presence gate. +/// +public sealed class SbomPresenceGateOptions +{ + /// + /// Configuration section name. + /// + public const string SectionName = "Policy:Gates:SbomPresence"; + + /// + /// Whether the gate is enabled. + /// + public bool Enabled { get; init; } = true; + + /// + /// Gate priority (lower = earlier evaluation). + /// + public int Priority { get; init; } = 5; + + /// + /// Per-environment enforcement levels. + /// + public IReadOnlyDictionary Enforcement { get; init; } = + new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["production"] = SbomEnforcementLevel.Required, + ["staging"] = SbomEnforcementLevel.Required, + ["development"] = SbomEnforcementLevel.Optional + }; + + /// + /// Default enforcement level for unknown environments. + /// + public SbomEnforcementLevel DefaultEnforcement { get; init; } = SbomEnforcementLevel.Required; + + /// + /// Accepted SBOM formats. + /// + public IReadOnlySet AcceptedFormats { get; init; } = new HashSet(StringComparer.OrdinalIgnoreCase) + { + "spdx-2.2", + "spdx-2.3", + "spdx-3.0.1", + "cyclonedx-1.4", + "cyclonedx-1.5", + "cyclonedx-1.6", + "cyclonedx-1.7" + }; + + /// + /// Minimum number of components required in SBOM. + /// + public int MinimumComponents { get; init; } = 1; + + /// + /// Whether to require SBOM signature. + /// + public bool RequireSignature { get; init; } = false; + + /// + /// Whether to validate SBOM against schema. + /// + public bool SchemaValidation { get; init; } = true; + + /// + /// Whether to require primary component/describes field. + /// + public bool RequirePrimaryComponent { get; init; } = true; +} + +/// +/// SBOM enforcement levels. +/// +public enum SbomEnforcementLevel +{ + /// + /// SBOM is not required (gate passes regardless). + /// + Optional, + + /// + /// SBOM is recommended but not required (warning on missing). + /// + Recommended, + + /// + /// SBOM is required (gate fails if missing). + /// + Required +} + +/// +/// Information about an SBOM for gate evaluation. +/// +public sealed record SbomInfo +{ + /// + /// Whether an SBOM is present. + /// + public bool Present { get; init; } + + /// + /// SBOM format (e.g., "spdx-2.3", "cyclonedx-1.6"). + /// + public string? Format { get; init; } + + /// + /// SBOM format version. + /// + public string? FormatVersion { get; init; } + + /// + /// Number of components in the SBOM. + /// + public int ComponentCount { get; init; } + + /// + /// Whether the SBOM has a signature. + /// + public bool HasSignature { get; init; } + + /// + /// Whether the signature is valid. + /// + public bool? SignatureValid { get; init; } + + /// + /// Whether the SBOM passed schema validation. + /// + public bool? SchemaValid { get; init; } + + /// + /// Schema validation errors if any. + /// + public IReadOnlyList? SchemaErrors { get; init; } + + /// + /// Whether a primary component/describes field is present. + /// + public bool HasPrimaryComponent { get; init; } + + /// + /// SBOM document URI or path. + /// + public string? DocumentUri { get; init; } + + /// + /// SBOM creation timestamp. + /// + public DateTimeOffset? CreatedAt { get; init; } +} + +/// +/// Policy gate that validates SBOM presence and format. +/// +public sealed class SbomPresenceGate : IPolicyGate +{ + private readonly SbomPresenceGateOptions _options; + private readonly Func _sbomLookup; + + /// + /// Initializes the gate with options and optional SBOM lookup. + /// + /// Gate options. + /// Function to look up SBOM info from context. + public SbomPresenceGate(SbomPresenceGateOptions? options = null, Func? sbomLookup = null) + { + _options = options ?? new SbomPresenceGateOptions(); + _sbomLookup = sbomLookup ?? GetSbomFromMetadata; + } + + /// + public Task EvaluateAsync(MergeResult mergeResult, PolicyGateContext context, CancellationToken ct = default) + { + if (!_options.Enabled) + { + return Task.FromResult(Pass("disabled")); + } + + var enforcement = GetEnforcementLevel(context.Environment); + + // If optional, always pass + if (enforcement == SbomEnforcementLevel.Optional) + { + return Task.FromResult(Pass("optional_enforcement", new Dictionary + { + ["environment"] = context.Environment, + ["enforcement"] = enforcement.ToString() + })); + } + + // Get SBOM info + var sbomInfo = _sbomLookup(context); + + // Check presence + if (sbomInfo is null || !sbomInfo.Present) + { + if (enforcement == SbomEnforcementLevel.Recommended) + { + return Task.FromResult(Pass("sbom_missing_recommended", new Dictionary + { + ["environment"] = context.Environment, + ["enforcement"] = enforcement.ToString(), + ["warning"] = "SBOM recommended but not present" + })); + } + + return Task.FromResult(Fail("sbom_missing", new Dictionary + { + ["environment"] = context.Environment, + ["enforcement"] = enforcement.ToString(), + ["reason"] = "SBOM is required but not present" + })); + } + + var details = new Dictionary + { + ["environment"] = context.Environment, + ["enforcement"] = enforcement.ToString(), + ["sbom_present"] = true + }; + + // Validate format + if (!string.IsNullOrEmpty(sbomInfo.Format)) + { + details["format"] = sbomInfo.Format; + + var normalizedFormat = NormalizeFormat(sbomInfo.Format, sbomInfo.FormatVersion); + if (!_options.AcceptedFormats.Contains(normalizedFormat)) + { + details["normalized_format"] = normalizedFormat; + details["accepted_formats"] = string.Join(", ", _options.AcceptedFormats); + return Task.FromResult(Fail("invalid_format", details)); + } + } + + // Validate component count + details["component_count"] = sbomInfo.ComponentCount; + if (sbomInfo.ComponentCount < _options.MinimumComponents) + { + details["minimum_components"] = _options.MinimumComponents; + return Task.FromResult(Fail("insufficient_components", details)); + } + + // Validate schema + if (_options.SchemaValidation && sbomInfo.SchemaValid.HasValue) + { + details["schema_valid"] = sbomInfo.SchemaValid.Value; + if (!sbomInfo.SchemaValid.Value) + { + if (sbomInfo.SchemaErrors is { Count: > 0 }) + { + details["schema_errors"] = string.Join("; ", sbomInfo.SchemaErrors.Take(5)); + } + return Task.FromResult(Fail("schema_validation_failed", details)); + } + } + + // Validate signature requirement + if (_options.RequireSignature) + { + details["has_signature"] = sbomInfo.HasSignature; + if (!sbomInfo.HasSignature) + { + return Task.FromResult(Fail("signature_missing", details)); + } + + if (sbomInfo.SignatureValid.HasValue) + { + details["signature_valid"] = sbomInfo.SignatureValid.Value; + if (!sbomInfo.SignatureValid.Value) + { + return Task.FromResult(Fail("signature_invalid", details)); + } + } + } + + // Validate primary component + if (_options.RequirePrimaryComponent) + { + details["has_primary_component"] = sbomInfo.HasPrimaryComponent; + if (!sbomInfo.HasPrimaryComponent) + { + return Task.FromResult(Fail("primary_component_missing", details)); + } + } + + // Add optional metadata + if (!string.IsNullOrEmpty(sbomInfo.DocumentUri)) + { + details["document_uri"] = sbomInfo.DocumentUri; + } + if (sbomInfo.CreatedAt.HasValue) + { + details["created_at"] = sbomInfo.CreatedAt.Value.ToString("o", CultureInfo.InvariantCulture); + } + + return Task.FromResult(Pass("sbom_valid", details)); + } + + private SbomEnforcementLevel GetEnforcementLevel(string environment) + { + if (_options.Enforcement.TryGetValue(environment, out var level)) + { + return level; + } + return _options.DefaultEnforcement; + } + + private static string NormalizeFormat(string format, string? version) + { + // Normalize format string to match accepted formats + var normalizedFormat = format.ToLowerInvariant().Trim(); + + // Handle various format representations + if (normalizedFormat.StartsWith("spdx", StringComparison.Ordinal)) + { + // Extract version from format or use provided version + var spdxVersion = ExtractVersion(normalizedFormat, "spdx") ?? version; + if (!string.IsNullOrEmpty(spdxVersion)) + { + return $"spdx-{spdxVersion}"; + } + return normalizedFormat; + } + + if (normalizedFormat.StartsWith("cyclonedx", StringComparison.Ordinal) || + normalizedFormat.StartsWith("cdx", StringComparison.Ordinal)) + { + var cdxVersion = ExtractVersion(normalizedFormat, "cyclonedx") ?? + ExtractVersion(normalizedFormat, "cdx") ?? + version; + if (!string.IsNullOrEmpty(cdxVersion)) + { + return $"cyclonedx-{cdxVersion}"; + } + return normalizedFormat.Replace("cdx", "cyclonedx"); + } + + return normalizedFormat; + } + + private static string? ExtractVersion(string format, string prefix) + { + // Try to extract version from format like "spdx-2.3" or "spdx2.3" or "spdx 2.3" + var withoutPrefix = format + .Replace(prefix, string.Empty, StringComparison.OrdinalIgnoreCase) + .TrimStart('-', ' ', '_'); + + if (string.IsNullOrEmpty(withoutPrefix)) + { + return null; + } + + // Check if remaining string looks like a version + if (char.IsDigit(withoutPrefix[0])) + { + // Take until non-version character + var versionEnd = 0; + while (versionEnd < withoutPrefix.Length && + (char.IsDigit(withoutPrefix[versionEnd]) || withoutPrefix[versionEnd] == '.')) + { + versionEnd++; + } + return withoutPrefix[..versionEnd]; + } + + return null; + } + + private static SbomInfo? GetSbomFromMetadata(PolicyGateContext context) + { + if (context.Metadata is null) + { + return null; + } + + var present = context.Metadata.TryGetValue("sbom_present", out var presentStr) && + bool.TryParse(presentStr, out var p) && p; + + if (!present) + { + return new SbomInfo { Present = false }; + } + + context.Metadata.TryGetValue("sbom_format", out var format); + context.Metadata.TryGetValue("sbom_format_version", out var formatVersion); + + var componentCount = 0; + if (context.Metadata.TryGetValue("sbom_component_count", out var countStr) && + int.TryParse(countStr, NumberStyles.Integer, CultureInfo.InvariantCulture, out var count)) + { + componentCount = count; + } + + var hasSignature = context.Metadata.TryGetValue("sbom_has_signature", out var sigStr) && + bool.TryParse(sigStr, out var sig) && sig; + + bool? signatureValid = null; + if (context.Metadata.TryGetValue("sbom_signature_valid", out var sigValidStr) && + bool.TryParse(sigValidStr, out var sv)) + { + signatureValid = sv; + } + + bool? schemaValid = null; + if (context.Metadata.TryGetValue("sbom_schema_valid", out var schemaValidStr) && + bool.TryParse(schemaValidStr, out var schv)) + { + schemaValid = schv; + } + + var hasPrimaryComponent = context.Metadata.TryGetValue("sbom_has_primary_component", out var pcStr) && + bool.TryParse(pcStr, out var pc) && pc; + + context.Metadata.TryGetValue("sbom_document_uri", out var documentUri); + + DateTimeOffset? createdAt = null; + if (context.Metadata.TryGetValue("sbom_created_at", out var createdStr) && + DateTimeOffset.TryParse(createdStr, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out var created)) + { + createdAt = created; + } + + return new SbomInfo + { + Present = true, + Format = format, + FormatVersion = formatVersion, + ComponentCount = componentCount, + HasSignature = hasSignature, + SignatureValid = signatureValid, + SchemaValid = schemaValid, + HasPrimaryComponent = hasPrimaryComponent, + DocumentUri = documentUri, + CreatedAt = createdAt + }; + } + + private static GateResult Pass(string reason, IDictionary? details = null) => new() + { + GateName = nameof(SbomPresenceGate), + Passed = true, + Reason = reason, + Details = details?.ToImmutableDictionary() ?? ImmutableDictionary.Empty + }; + + private static GateResult Fail(string reason, IDictionary? details = null) => new() + { + GateName = nameof(SbomPresenceGate), + Passed = false, + Reason = reason, + Details = details?.ToImmutableDictionary() ?? ImmutableDictionary.Empty + }; +} diff --git a/src/Policy/__Libraries/StellaOps.Policy/Gates/SbomPresenceGateExtensions.cs b/src/Policy/__Libraries/StellaOps.Policy/Gates/SbomPresenceGateExtensions.cs new file mode 100644 index 000000000..fcbbd05bc --- /dev/null +++ b/src/Policy/__Libraries/StellaOps.Policy/Gates/SbomPresenceGateExtensions.cs @@ -0,0 +1,80 @@ +// ----------------------------------------------------------------------------- +// SbomPresenceGateExtensions.cs +// Sprint: SPRINT_20260112_017_POLICY_sbom_presence_gate +// Tasks: SBOM-GATE-008 +// Description: Extension methods for SBOM presence gate registration. +// ----------------------------------------------------------------------------- + +using Microsoft.Extensions.Configuration; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.DependencyInjection.Extensions; + +namespace StellaOps.Policy.Gates; + +/// +/// Extension methods for SBOM presence gate registration. +/// +public static class SbomPresenceGateExtensions +{ + /// + /// Adds SBOM presence gate services to the service collection. + /// + /// Service collection. + /// Configuration to bind options from. + /// Service collection for chaining. + public static IServiceCollection AddSbomPresenceGate( + this IServiceCollection services, + IConfiguration configuration) + { + ArgumentNullException.ThrowIfNull(services); + ArgumentNullException.ThrowIfNull(configuration); + + services.Configure( + configuration.GetSection(SbomPresenceGateOptions.SectionName)); + + services.TryAddSingleton(sp => + { + var options = sp.GetService>()?.Value; + return new SbomPresenceGate(options); + }); + + return services; + } + + /// + /// Adds SBOM presence gate services with explicit options. + /// + /// Service collection. + /// Options configuration action. + /// Service collection for chaining. + public static IServiceCollection AddSbomPresenceGate( + this IServiceCollection services, + Action configureOptions) + { + ArgumentNullException.ThrowIfNull(services); + ArgumentNullException.ThrowIfNull(configureOptions); + + services.Configure(configureOptions); + + services.TryAddSingleton(sp => + { + var options = sp.GetService>()?.Value; + return new SbomPresenceGate(options); + }); + + return services; + } + + /// + /// Registers the SBOM presence gate with a policy gate registry. + /// + /// Policy gate registry. + /// Registry for chaining. + public static IPolicyGateRegistry RegisterSbomPresenceGate(this IPolicyGateRegistry registry) + { + ArgumentNullException.ThrowIfNull(registry); + + registry.Register(nameof(SbomPresenceGate)); + return registry; + } +} diff --git a/src/Policy/__Libraries/StellaOps.Policy/Gates/SignatureRequiredGate.cs b/src/Policy/__Libraries/StellaOps.Policy/Gates/SignatureRequiredGate.cs new file mode 100644 index 000000000..8ca459538 --- /dev/null +++ b/src/Policy/__Libraries/StellaOps.Policy/Gates/SignatureRequiredGate.cs @@ -0,0 +1,501 @@ +// ----------------------------------------------------------------------------- +// SignatureRequiredGate.cs +// Sprint: SPRINT_20260112_017_POLICY_signature_required_gate +// Tasks: SIG-GATE-001 to SIG-GATE-008 +// Description: Policy gate for signature verification on evidence artifacts. +// ----------------------------------------------------------------------------- + +using System.Collections.Immutable; +using System.Globalization; +using System.Text.RegularExpressions; +using StellaOps.Policy.TrustLattice; + +namespace StellaOps.Policy.Gates; + +/// +/// Configuration options for signature required gate. +/// +public sealed class SignatureRequiredGateOptions +{ + /// + /// Configuration section name. + /// + public const string SectionName = "Policy:Gates:SignatureRequired"; + + /// + /// Whether the gate is enabled. + /// + public bool Enabled { get; init; } = true; + + /// + /// Gate priority (lower = earlier evaluation). + /// + public int Priority { get; init; } = 3; + + /// + /// Per-evidence-type signature requirements. + /// + public IReadOnlyDictionary EvidenceTypes { get; init; } = + new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig { Required = true }, + ["vex"] = new EvidenceSignatureConfig { Required = true }, + ["attestation"] = new EvidenceSignatureConfig { Required = true } + }; + + /// + /// Per-environment override for signature requirements. + /// + public IReadOnlyDictionary Environments { get; init; } = + new Dictionary(StringComparer.OrdinalIgnoreCase); + + /// + /// Default behavior for unknown evidence types. + /// + public bool RequireUnknownTypes { get; init; } = false; + + /// + /// Whether to support keyless (Fulcio) verification. + /// + public bool EnableKeylessVerification { get; init; } = true; + + /// + /// Fulcio root certificate paths (bundled). + /// + public IReadOnlyList FulcioRoots { get; init; } = Array.Empty(); + + /// + /// Rekor transparency log URL for keyless verification. + /// + public string? RekorUrl { get; init; } + + /// + /// Whether to require transparency log inclusion for keyless signatures. + /// + public bool RequireTransparencyLogInclusion { get; init; } = true; +} + +/// +/// Configuration for a specific evidence type. +/// +public sealed class EvidenceSignatureConfig +{ + /// + /// Whether signature is required for this evidence type. + /// + public bool Required { get; init; } = true; + + /// + /// Trusted issuers (email identities). Supports wildcards (*@domain.com). + /// + public IReadOnlySet TrustedIssuers { get; init; } = new HashSet(StringComparer.OrdinalIgnoreCase); + + /// + /// Trusted key IDs (for non-keyless verification). + /// + public IReadOnlySet TrustedKeyIds { get; init; } = new HashSet(StringComparer.OrdinalIgnoreCase); + + /// + /// Accepted signature algorithms. + /// + public IReadOnlySet AcceptedAlgorithms { get; init; } = new HashSet(StringComparer.OrdinalIgnoreCase) + { + "ES256", "ES384", "ES512", // ECDSA + "RS256", "RS384", "RS512", // RSA + "EdDSA", "Ed25519" // Edwards curves + }; + + /// + /// Whether to allow self-signed certificates. + /// + public bool AllowSelfSigned { get; init; } = false; +} + +/// +/// Per-environment signature configuration override. +/// +public sealed class EnvironmentSignatureConfig +{ + /// + /// Override required flag for this environment. + /// + public bool? RequiredOverride { get; init; } + + /// + /// Additional trusted issuers for this environment. + /// + public IReadOnlySet? AdditionalIssuers { get; init; } + + /// + /// Evidence types to skip in this environment. + /// + public IReadOnlySet? SkipEvidenceTypes { get; init; } +} + +/// +/// Information about a signature for gate evaluation. +/// +public sealed record SignatureInfo +{ + /// + /// Evidence type (sbom, vex, attestation, etc.). + /// + public required string EvidenceType { get; init; } + + /// + /// Whether the evidence has a signature. + /// + public bool HasSignature { get; init; } + + /// + /// Whether the signature is valid. + /// + public bool? SignatureValid { get; init; } + + /// + /// Signature algorithm used. + /// + public string? Algorithm { get; init; } + + /// + /// Signer identity (email for keyless). + /// + public string? SignerIdentity { get; init; } + + /// + /// Key ID for non-keyless signatures. + /// + public string? KeyId { get; init; } + + /// + /// Whether the signature is keyless (Fulcio). + /// + public bool IsKeyless { get; init; } + + /// + /// Whether the signature has transparency log inclusion. + /// + public bool? HasTransparencyLogInclusion { get; init; } + + /// + /// Transparency log entry ID. + /// + public string? TransparencyLogEntryId { get; init; } + + /// + /// DSSE payload type. + /// + public string? DssePayloadType { get; init; } + + /// + /// Certificate chain validity. + /// + public bool? CertificateChainValid { get; init; } + + /// + /// Certificate expiration (for keyless). + /// + public DateTimeOffset? CertificateExpiry { get; init; } + + /// + /// Verification errors if any. + /// + public IReadOnlyList? VerificationErrors { get; init; } +} + +/// +/// Policy gate that enforces signature requirements on evidence artifacts. +/// +public sealed class SignatureRequiredGate : IPolicyGate +{ + private readonly SignatureRequiredGateOptions _options; + private readonly Func> _signatureLookup; + + /// + /// Initializes the gate with options and optional signature lookup. + /// + /// Gate options. + /// Function to look up signature info from context. + public SignatureRequiredGate( + SignatureRequiredGateOptions? options = null, + Func>? signatureLookup = null) + { + _options = options ?? new SignatureRequiredGateOptions(); + _signatureLookup = signatureLookup ?? GetSignaturesFromMetadata; + } + + /// + public Task EvaluateAsync(MergeResult mergeResult, PolicyGateContext context, CancellationToken ct = default) + { + if (!_options.Enabled) + { + return Task.FromResult(Pass("disabled")); + } + + var signatures = _signatureLookup(context); + var envConfig = GetEnvironmentConfig(context.Environment); + + var failures = new List(); + var details = new Dictionary + { + ["environment"] = context.Environment, + ["signatures_evaluated"] = signatures.Count + }; + + // Check each configured evidence type + foreach (var (evidenceType, config) in _options.EvidenceTypes) + { + // Check if skipped for this environment + if (envConfig?.SkipEvidenceTypes?.Contains(evidenceType) == true) + { + continue; + } + + var isRequired = envConfig?.RequiredOverride ?? config.Required; + if (!isRequired) + { + continue; + } + + var matchingSignatures = signatures.Where(s => + string.Equals(s.EvidenceType, evidenceType, StringComparison.OrdinalIgnoreCase)).ToList(); + + if (matchingSignatures.Count == 0) + { + failures.Add($"{evidenceType}: signature missing"); + continue; + } + + foreach (var sig in matchingSignatures) + { + var validationResult = ValidateSignature(sig, config, envConfig); + if (!validationResult.Valid) + { + failures.Add($"{evidenceType}: {validationResult.Error}"); + } + } + } + + // Check for any signatures on unknown types if configured + if (_options.RequireUnknownTypes) + { + var knownTypes = _options.EvidenceTypes.Keys.ToHashSet(StringComparer.OrdinalIgnoreCase); + var unknownSigs = signatures.Where(s => !knownTypes.Contains(s.EvidenceType)); + foreach (var sig in unknownSigs) + { + if (!sig.HasSignature || sig.SignatureValid != true) + { + failures.Add($"{sig.EvidenceType}: unknown type requires valid signature"); + } + } + } + + if (failures.Count > 0) + { + details["failures"] = failures.ToArray(); + return Task.FromResult(Fail("signature_validation_failed", details)); + } + + details["all_signatures_valid"] = true; + return Task.FromResult(Pass("signatures_verified", details)); + } + + private (bool Valid, string? Error) ValidateSignature( + SignatureInfo sig, + EvidenceSignatureConfig config, + EnvironmentSignatureConfig? envConfig) + { + // Check if signature is present + if (!sig.HasSignature) + { + return (false, "signature not present"); + } + + // Check if signature is valid + if (sig.SignatureValid != true) + { + var errors = sig.VerificationErrors is { Count: > 0 } + ? string.Join("; ", sig.VerificationErrors.Take(3)) + : "signature verification failed"; + return (false, errors); + } + + // Check algorithm + if (!string.IsNullOrEmpty(sig.Algorithm) && !config.AcceptedAlgorithms.Contains(sig.Algorithm)) + { + return (false, $"algorithm '{sig.Algorithm}' not accepted"); + } + + // Validate issuer/identity + if (!string.IsNullOrEmpty(sig.SignerIdentity)) + { + var trustedIssuers = new HashSet(config.TrustedIssuers, StringComparer.OrdinalIgnoreCase); + if (envConfig?.AdditionalIssuers is not null) + { + trustedIssuers.UnionWith(envConfig.AdditionalIssuers); + } + + if (trustedIssuers.Count > 0 && !IsIssuerTrusted(sig.SignerIdentity, trustedIssuers)) + { + return (false, $"issuer '{sig.SignerIdentity}' not trusted"); + } + } + + // Validate key ID for non-keyless + if (!sig.IsKeyless && !string.IsNullOrEmpty(sig.KeyId)) + { + if (config.TrustedKeyIds.Count > 0 && !config.TrustedKeyIds.Contains(sig.KeyId)) + { + return (false, $"key '{sig.KeyId}' not trusted"); + } + } + + // Keyless-specific validation + if (sig.IsKeyless) + { + if (!_options.EnableKeylessVerification) + { + return (false, "keyless verification disabled"); + } + + if (_options.RequireTransparencyLogInclusion && sig.HasTransparencyLogInclusion != true) + { + return (false, "transparency log inclusion required"); + } + + if (sig.CertificateChainValid == false) + { + return (false, "certificate chain invalid"); + } + } + + return (true, null); + } + + private static bool IsIssuerTrusted(string issuer, ISet trustedIssuers) + { + // Direct match + if (trustedIssuers.Contains(issuer)) + { + return true; + } + + // Wildcard match (*@domain.com) + foreach (var trusted in trustedIssuers) + { + if (trusted.StartsWith("*@", StringComparison.Ordinal)) + { + var domain = trusted[2..]; + if (issuer.EndsWith($"@{domain}", StringComparison.OrdinalIgnoreCase)) + { + return true; + } + } + else if (trusted.Contains('*')) + { + // General wildcard pattern + var pattern = "^" + Regex.Escape(trusted).Replace("\\*", ".*") + "$"; + if (Regex.IsMatch(issuer, pattern, RegexOptions.IgnoreCase, TimeSpan.FromMilliseconds(100))) + { + return true; + } + } + } + + return false; + } + + private EnvironmentSignatureConfig? GetEnvironmentConfig(string environment) + { + if (_options.Environments.TryGetValue(environment, out var config)) + { + return config; + } + return null; + } + + private static IReadOnlyList GetSignaturesFromMetadata(PolicyGateContext context) + { + if (context.Metadata is null) + { + return Array.Empty(); + } + + var signatures = new List(); + + // Parse signature info from metadata + // Expected keys: sig__present, sig__valid, sig__identity, etc. + var types = new HashSet(StringComparer.OrdinalIgnoreCase); + + foreach (var key in context.Metadata.Keys) + { + if (key.StartsWith("sig_", StringComparison.OrdinalIgnoreCase) && key.Contains('_')) + { + var parts = key.Split('_'); + if (parts.Length >= 3) + { + types.Add(parts[1]); + } + } + } + + foreach (var type in types) + { + var prefix = $"sig_{type}_"; + + var hasSignature = context.Metadata.TryGetValue($"{prefix}present", out var presentStr) && + bool.TryParse(presentStr, out var present) && present; + + bool? signatureValid = null; + if (context.Metadata.TryGetValue($"{prefix}valid", out var validStr) && + bool.TryParse(validStr, out var valid)) + { + signatureValid = valid; + } + + context.Metadata.TryGetValue($"{prefix}algorithm", out var algorithm); + context.Metadata.TryGetValue($"{prefix}identity", out var identity); + context.Metadata.TryGetValue($"{prefix}keyid", out var keyId); + + var isKeyless = context.Metadata.TryGetValue($"{prefix}keyless", out var keylessStr) && + bool.TryParse(keylessStr, out var keyless) && keyless; + + bool? hasLogInclusion = null; + if (context.Metadata.TryGetValue($"{prefix}log_inclusion", out var logStr) && + bool.TryParse(logStr, out var log)) + { + hasLogInclusion = log; + } + + signatures.Add(new SignatureInfo + { + EvidenceType = type, + HasSignature = hasSignature, + SignatureValid = signatureValid, + Algorithm = algorithm, + SignerIdentity = identity, + KeyId = keyId, + IsKeyless = isKeyless, + HasTransparencyLogInclusion = hasLogInclusion + }); + } + + return signatures; + } + + private static GateResult Pass(string reason, IDictionary? details = null) => new() + { + GateName = nameof(SignatureRequiredGate), + Passed = true, + Reason = reason, + Details = details?.ToImmutableDictionary() ?? ImmutableDictionary.Empty + }; + + private static GateResult Fail(string reason, IDictionary? details = null) => new() + { + GateName = nameof(SignatureRequiredGate), + Passed = false, + Reason = reason, + Details = details?.ToImmutableDictionary() ?? ImmutableDictionary.Empty + }; +} diff --git a/src/Policy/__Libraries/StellaOps.Policy/Gates/SignatureRequiredGateExtensions.cs b/src/Policy/__Libraries/StellaOps.Policy/Gates/SignatureRequiredGateExtensions.cs new file mode 100644 index 000000000..18542e0ff --- /dev/null +++ b/src/Policy/__Libraries/StellaOps.Policy/Gates/SignatureRequiredGateExtensions.cs @@ -0,0 +1,80 @@ +// ----------------------------------------------------------------------------- +// SignatureRequiredGateExtensions.cs +// Sprint: SPRINT_20260112_017_POLICY_signature_required_gate +// Tasks: SIG-GATE-008 +// Description: Extension methods for signature required gate registration. +// ----------------------------------------------------------------------------- + +using Microsoft.Extensions.Configuration; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.DependencyInjection.Extensions; + +namespace StellaOps.Policy.Gates; + +/// +/// Extension methods for signature required gate registration. +/// +public static class SignatureRequiredGateExtensions +{ + /// + /// Adds signature required gate services to the service collection. + /// + /// Service collection. + /// Configuration to bind options from. + /// Service collection for chaining. + public static IServiceCollection AddSignatureRequiredGate( + this IServiceCollection services, + IConfiguration configuration) + { + ArgumentNullException.ThrowIfNull(services); + ArgumentNullException.ThrowIfNull(configuration); + + services.Configure( + configuration.GetSection(SignatureRequiredGateOptions.SectionName)); + + services.TryAddSingleton(sp => + { + var options = sp.GetService>()?.Value; + return new SignatureRequiredGate(options); + }); + + return services; + } + + /// + /// Adds signature required gate services with explicit options. + /// + /// Service collection. + /// Options configuration action. + /// Service collection for chaining. + public static IServiceCollection AddSignatureRequiredGate( + this IServiceCollection services, + Action configureOptions) + { + ArgumentNullException.ThrowIfNull(services); + ArgumentNullException.ThrowIfNull(configureOptions); + + services.Configure(configureOptions); + + services.TryAddSingleton(sp => + { + var options = sp.GetService>()?.Value; + return new SignatureRequiredGate(options); + }); + + return services; + } + + /// + /// Registers the signature required gate with a policy gate registry. + /// + /// Policy gate registry. + /// Registry for chaining. + public static IPolicyGateRegistry RegisterSignatureRequiredGate(this IPolicyGateRegistry registry) + { + ArgumentNullException.ThrowIfNull(registry); + + registry.Register(nameof(SignatureRequiredGate)); + return registry; + } +} diff --git a/src/Policy/__Libraries/StellaOps.Policy/Gates/VexProofGate.cs b/src/Policy/__Libraries/StellaOps.Policy/Gates/VexProofGate.cs index e481c2092..83796d3a9 100644 --- a/src/Policy/__Libraries/StellaOps.Policy/Gates/VexProofGate.cs +++ b/src/Policy/__Libraries/StellaOps.Policy/Gates/VexProofGate.cs @@ -62,6 +62,41 @@ public sealed record VexProofGateOptions ["staging"] = "medium", ["development"] = "low", }; + + // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-004) + + /// + /// Whether anchor-aware mode is enabled. + /// When enabled, additional validation requirements are enforced. + /// + public bool AnchorAwareMode { get; init; } = false; + + /// + /// When anchor-aware mode is enabled, require VEX statements to have DSSE anchoring. + /// + public bool RequireVexAnchoring { get; init; } = false; + + /// + /// When anchor-aware mode is enabled, require Rekor transparency verification. + /// + public bool RequireRekorVerification { get; init; } = false; + + /// + /// Creates strict anchor-aware options for production use. + /// + public static VexProofGateOptions StrictAnchorAware => new() + { + Enabled = true, + MinimumConfidenceTier = "high", + RequireProofForNotAffected = true, + RequireProofForFixed = true, + RequireSignedStatements = true, + AnchorAwareMode = true, + RequireVexAnchoring = true, + RequireRekorVerification = true, + MaxAllowedConflicts = 0, + MaxProofAgeHours = 72 // 3 days for strict mode + }; } /// @@ -96,6 +131,20 @@ public sealed record VexProofGateContext /// Consensus outcome from the proof. public string? ConsensusOutcome { get; init; } + + // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-004) + + /// Whether the VEX proof is anchored with DSSE attestation. + public bool? IsAnchored { get; init; } + + /// DSSE envelope digest if anchored. + public string? EnvelopeDigest { get; init; } + + /// Whether the proof has Rekor transparency. + public bool? HasRekorVerification { get; init; } + + /// Rekor log index if verified. + public long? RekorLogIndex { get; init; } } /// @@ -225,6 +274,51 @@ public sealed class VexProofGate : IPolicyGate details["consensusOutcome"] = proofContext.ConsensusOutcome; } + // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-004) + // Anchor-aware mode validations + if (_options.AnchorAwareMode) + { + details["anchorAwareMode"] = true; + + // Validate VEX anchoring if required + if (_options.RequireVexAnchoring) + { + details["requireVexAnchoring"] = true; + details["isAnchored"] = proofContext.IsAnchored ?? false; + + if (proofContext.IsAnchored != true) + { + return Task.FromResult(Fail("vex_not_anchored", + details.ToImmutableDictionary(), + "VEX proof requires DSSE anchoring in anchor-aware mode")); + } + + if (!string.IsNullOrEmpty(proofContext.EnvelopeDigest)) + { + details["envelopeDigest"] = proofContext.EnvelopeDigest; + } + } + + // Validate Rekor verification if required + if (_options.RequireRekorVerification) + { + details["requireRekorVerification"] = true; + details["hasRekorVerification"] = proofContext.HasRekorVerification ?? false; + + if (proofContext.HasRekorVerification != true) + { + return Task.FromResult(Fail("rekor_verification_missing", + details.ToImmutableDictionary(), + "VEX proof requires Rekor transparency verification in anchor-aware mode")); + } + + if (proofContext.RekorLogIndex.HasValue) + { + details["rekorLogIndex"] = proofContext.RekorLogIndex.Value; + } + } + } + return Task.FromResult(new GateResult { GateName = nameof(VexProofGate), @@ -291,6 +385,14 @@ public sealed class VexProofGate : IPolicyGate ProofComputedAt = context.Metadata.TryGetValue("vex_proof_computed_at", out var timeStr) && DateTimeOffset.TryParse(timeStr, out var time) ? time : null, ConsensusOutcome = context.Metadata.GetValueOrDefault("vex_proof_consensus_outcome"), + // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-004) + IsAnchored = context.Metadata.TryGetValue("vex_proof_anchored", out var anchoredStr) && + bool.TryParse(anchoredStr, out var anchored) ? anchored : null, + EnvelopeDigest = context.Metadata.GetValueOrDefault("vex_proof_envelope_digest"), + HasRekorVerification = context.Metadata.TryGetValue("vex_proof_rekor_verified", out var rekorStr) && + bool.TryParse(rekorStr, out var rekorVerified) ? rekorVerified : null, + RekorLogIndex = context.Metadata.TryGetValue("vex_proof_rekor_log_index", out var rekorIdxStr) && + long.TryParse(rekorIdxStr, out var rekorIdx) ? rekorIdx : null, }; } @@ -309,4 +411,13 @@ public sealed class VexProofGate : IPolicyGate Reason = reason, Details = details ?? ImmutableDictionary.Empty, }; + + // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-004) + private static GateResult Fail(string reason, ImmutableDictionary? details, string message) => new() + { + GateName = nameof(VexProofGate), + Passed = false, + Reason = reason, + Details = (details ?? ImmutableDictionary.Empty).Add("message", message), + }; } diff --git a/src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/DeterminizationOptionsTests.cs b/src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/DeterminizationOptionsTests.cs new file mode 100644 index 000000000..da231c705 --- /dev/null +++ b/src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/DeterminizationOptionsTests.cs @@ -0,0 +1,216 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_012_POLICY_determinization_reanalysis_config (POLICY-CONFIG-005) +// + +using Microsoft.Extensions.Configuration; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Options; +using StellaOps.TestKit; +using Xunit; + +namespace StellaOps.Policy.Determinization.Tests; + +[Trait("Category", TestCategories.Unit)] +public class DeterminizationOptionsTests +{ + [Fact] + public void Defaults_HaveExpectedValues() + { + // Arrange & Act + var options = new DeterminizationOptions(); + + // Assert - base options + Assert.Equal(14.0, options.ConfidenceHalfLifeDays); + Assert.Equal(0.1, options.ConfidenceFloor); + Assert.Equal(0.60, options.ManualReviewEntropyThreshold); + Assert.Equal(0.40, options.RefreshEntropyThreshold); + Assert.Equal(30.0, options.StaleObservationDays); + Assert.False(options.EnableDetailedLogging); + Assert.True(options.EnableAutoRefresh); + Assert.Equal(3, options.MaxSignalQueryRetries); + + // Assert - reanalysis triggers (POLICY-CONFIG-001) + Assert.Equal(0.2, options.Triggers.EpssDeltaThreshold); + Assert.True(options.Triggers.TriggerOnThresholdCrossing); + Assert.True(options.Triggers.TriggerOnRekorEntry); + Assert.True(options.Triggers.TriggerOnVexStatusChange); + Assert.True(options.Triggers.TriggerOnRuntimeTelemetryChange); + Assert.True(options.Triggers.TriggerOnPatchProofAdded); + Assert.True(options.Triggers.TriggerOnDsseValidationChange); + Assert.False(options.Triggers.TriggerOnToolVersionChange); // Disabled by default + Assert.Equal(15, options.Triggers.MinReanalysisIntervalMinutes); + Assert.Equal(10, options.Triggers.MaxReanalysesPerDayPerCve); + + // Assert - conflict policy + Assert.Equal(ConflictAction.RequireManualReview, options.ConflictPolicy.VexReachabilityConflictAction); + Assert.Equal(ConflictAction.RequireManualReview, options.ConflictPolicy.StaticRuntimeConflictAction); + Assert.Equal(ConflictAction.RequestVendorClarification, options.ConflictPolicy.VexStatusConflictAction); + Assert.Equal(ConflictAction.RequireManualReview, options.ConflictPolicy.BackportStatusConflictAction); + Assert.Equal(0.85, options.ConflictPolicy.EscalationSeverityThreshold); + Assert.Equal(48, options.ConflictPolicy.ConflictTtlHours); + Assert.False(options.ConflictPolicy.EnableAutoResolution); + } + + [Fact] + public void EnvironmentThresholds_Development_IsRelaxed() + { + // Arrange + var options = new DeterminizationOptions(); + + // Act + var dev = options.EnvironmentThresholds.Development; + + // Assert + Assert.Equal(0.60, dev.MaxPassEntropy); + Assert.Equal(1, dev.MinEvidenceCount); + Assert.False(dev.RequireDsseSigning); + Assert.False(dev.RequireRekorTransparency); + } + + [Fact] + public void EnvironmentThresholds_Staging_IsStandard() + { + // Arrange + var options = new DeterminizationOptions(); + + // Act + var staging = options.EnvironmentThresholds.Staging; + + // Assert + Assert.Equal(0.40, staging.MaxPassEntropy); + Assert.Equal(2, staging.MinEvidenceCount); + Assert.False(staging.RequireDsseSigning); + Assert.False(staging.RequireRekorTransparency); + } + + [Fact] + public void EnvironmentThresholds_Production_IsStrict() + { + // Arrange + var options = new DeterminizationOptions(); + + // Act + var prod = options.EnvironmentThresholds.Production; + + // Assert + Assert.Equal(0.25, prod.MaxPassEntropy); + Assert.Equal(3, prod.MinEvidenceCount); + Assert.True(prod.RequireDsseSigning); + Assert.True(prod.RequireRekorTransparency); + } + + [Theory] + [InlineData("dev", 0.60)] + [InlineData("DEV", 0.60)] + [InlineData("development", 0.60)] + [InlineData("DEVELOPMENT", 0.60)] + [InlineData("stage", 0.40)] + [InlineData("STAGE", 0.40)] + [InlineData("staging", 0.40)] + [InlineData("qa", 0.40)] + [InlineData("QA", 0.40)] + [InlineData("prod", 0.25)] + [InlineData("PROD", 0.25)] + [InlineData("production", 0.25)] + [InlineData("PRODUCTION", 0.25)] + [InlineData("unknown", 0.40)] // Falls back to staging + [InlineData("", 0.40)] + public void GetForEnvironment_ReturnsCorrectThresholds(string envName, double expectedMaxEntropy) + { + // Arrange + var options = new DeterminizationOptions(); + + // Act + var thresholds = options.EnvironmentThresholds.GetForEnvironment(envName); + + // Assert + Assert.Equal(expectedMaxEntropy, thresholds.MaxPassEntropy); + } + + [Fact] + public void BindFromConfiguration_LoadsAllSections() + { + // Arrange + var config = new ConfigurationBuilder() + .AddInMemoryCollection(new Dictionary + { + ["Determinization:ConfidenceHalfLifeDays"] = "21", + ["Determinization:ConfidenceFloor"] = "0.15", + ["Determinization:ManualReviewEntropyThreshold"] = "0.65", + ["Determinization:Triggers:EpssDeltaThreshold"] = "0.3", + ["Determinization:Triggers:TriggerOnToolVersionChange"] = "true", + ["Determinization:Triggers:MinReanalysisIntervalMinutes"] = "30", + ["Determinization:ConflictPolicy:EscalationSeverityThreshold"] = "0.9", + ["Determinization:ConflictPolicy:ConflictTtlHours"] = "72", + ["Determinization:EnvironmentThresholds:Production:MaxPassEntropy"] = "0.20", + ["Determinization:EnvironmentThresholds:Production:MinEvidenceCount"] = "4" + }) + .Build(); + + var services = new ServiceCollection(); + services.AddOptions() + .Bind(config.GetSection(DeterminizationOptions.SectionName)); + + var provider = services.BuildServiceProvider(); + + // Act + var options = provider.GetRequiredService>().Value; + + // Assert - base options + Assert.Equal(21.0, options.ConfidenceHalfLifeDays); + Assert.Equal(0.15, options.ConfidenceFloor); + Assert.Equal(0.65, options.ManualReviewEntropyThreshold); + + // Assert - triggers + Assert.Equal(0.3, options.Triggers.EpssDeltaThreshold); + Assert.True(options.Triggers.TriggerOnToolVersionChange); + Assert.Equal(30, options.Triggers.MinReanalysisIntervalMinutes); + + // Assert - conflict policy + Assert.Equal(0.9, options.ConflictPolicy.EscalationSeverityThreshold); + Assert.Equal(72, options.ConflictPolicy.ConflictTtlHours); + + // Assert - environment thresholds + Assert.Equal(0.20, options.EnvironmentThresholds.Production.MaxPassEntropy); + Assert.Equal(4, options.EnvironmentThresholds.Production.MinEvidenceCount); + } + + [Fact] + public void ConflictAction_AllValuesAreDefined() + { + // Arrange & Act + var values = Enum.GetValues(); + + // Assert - ensure all expected values exist + Assert.Contains(ConflictAction.LogAndContinue, values); + Assert.Contains(ConflictAction.RequireManualReview, values); + Assert.Contains(ConflictAction.RequestVendorClarification, values); + Assert.Contains(ConflictAction.EscalateToCommittee, values); + Assert.Contains(ConflictAction.BlockUntilResolved, values); + } + + [Fact] + public void EnvironmentThresholdValues_Presets_AreDeterministic() + { + // Verify presets don't change between calls (important for determinism) + var relaxed1 = EnvironmentThresholdValues.Relaxed; + var relaxed2 = EnvironmentThresholdValues.Relaxed; + + var standard1 = EnvironmentThresholdValues.Standard; + var standard2 = EnvironmentThresholdValues.Standard; + + var strict1 = EnvironmentThresholdValues.Strict; + var strict2 = EnvironmentThresholdValues.Strict; + + // Records should be equal by value + Assert.Equal(relaxed1, relaxed2); + Assert.Equal(standard1, standard2); + Assert.Equal(strict1, strict2); + + // Different presets should not be equal + Assert.NotEqual(relaxed1, standard1); + Assert.NotEqual(standard1, strict1); + Assert.NotEqual(relaxed1, strict1); + } +} diff --git a/src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/Models/ReanalysisFingerprintTests.cs b/src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/Models/ReanalysisFingerprintTests.cs new file mode 100644 index 000000000..cc816232a --- /dev/null +++ b/src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/Models/ReanalysisFingerprintTests.cs @@ -0,0 +1,181 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-006) +// + +using Microsoft.Extensions.Time.Testing; +using StellaOps.Policy.Determinization.Models; +using StellaOps.TestKit; +using Xunit; + +namespace StellaOps.Policy.Determinization.Tests.Models; + +[Trait("Category", TestCategories.Unit)] +public class ReanalysisFingerprintTests +{ + private readonly FakeTimeProvider _timeProvider; + + public ReanalysisFingerprintTests() + { + _timeProvider = new FakeTimeProvider(new DateTimeOffset(2026, 1, 15, 12, 0, 0, TimeSpan.Zero)); + } + + [Fact] + public void Build_WithAllInputs_GeneratesDeterministicFingerprint() + { + // Arrange + var builder1 = new ReanalysisFingerprintBuilder(_timeProvider) + .WithDsseBundleDigest("sha256:bundle123") + .AddEvidenceDigest("sha256:evidence1") + .AddEvidenceDigest("sha256:evidence2") + .WithToolVersion("scanner", "1.0.0") + .WithToolVersion("policy-engine", "2.0.0") + .WithProductVersion("myapp@1.2.3") + .WithPolicyConfigHash("sha256:config456") + .WithSignalWeightsHash("sha256:weights789"); + + var builder2 = new ReanalysisFingerprintBuilder(_timeProvider) + .WithDsseBundleDigest("sha256:bundle123") + .AddEvidenceDigest("sha256:evidence1") + .AddEvidenceDigest("sha256:evidence2") + .WithToolVersion("scanner", "1.0.0") + .WithToolVersion("policy-engine", "2.0.0") + .WithProductVersion("myapp@1.2.3") + .WithPolicyConfigHash("sha256:config456") + .WithSignalWeightsHash("sha256:weights789"); + + // Act + var fingerprint1 = builder1.Build(); + var fingerprint2 = builder2.Build(); + + // Assert - same inputs produce same fingerprint ID + Assert.Equal(fingerprint1.FingerprintId, fingerprint2.FingerprintId); + Assert.StartsWith("sha256:", fingerprint1.FingerprintId); + } + + [Fact] + public void Build_WithDifferentInputs_GeneratesDifferentFingerprint() + { + // Arrange + var builder1 = new ReanalysisFingerprintBuilder(_timeProvider) + .WithDsseBundleDigest("sha256:bundle123") + .WithProductVersion("myapp@1.2.3"); + + var builder2 = new ReanalysisFingerprintBuilder(_timeProvider) + .WithDsseBundleDigest("sha256:bundle456") // Different + .WithProductVersion("myapp@1.2.3"); + + // Act + var fingerprint1 = builder1.Build(); + var fingerprint2 = builder2.Build(); + + // Assert - different inputs produce different fingerprint IDs + Assert.NotEqual(fingerprint1.FingerprintId, fingerprint2.FingerprintId); + } + + [Fact] + public void Build_EvidenceDigests_AreSortedDeterministically() + { + // Arrange - add in random order + var builder = new ReanalysisFingerprintBuilder(_timeProvider) + .AddEvidenceDigest("sha256:zzz") + .AddEvidenceDigest("sha256:aaa") + .AddEvidenceDigest("sha256:mmm"); + + // Act + var fingerprint = builder.Build(); + + // Assert - sorted alphabetically + Assert.Equal(3, fingerprint.EvidenceDigests.Count); + Assert.Equal("sha256:aaa", fingerprint.EvidenceDigests[0]); + Assert.Equal("sha256:mmm", fingerprint.EvidenceDigests[1]); + Assert.Equal("sha256:zzz", fingerprint.EvidenceDigests[2]); + } + + [Fact] + public void Build_ToolVersions_AreSortedDeterministically() + { + // Arrange - add in random order + var builder = new ReanalysisFingerprintBuilder(_timeProvider) + .WithToolVersion("zebra-tool", "1.0.0") + .WithToolVersion("alpha-tool", "2.0.0") + .WithToolVersion("mike-tool", "3.0.0"); + + // Act + var fingerprint = builder.Build(); + + // Assert - sorted by key + var keys = fingerprint.ToolVersions.Keys.ToList(); + Assert.Equal("alpha-tool", keys[0]); + Assert.Equal("mike-tool", keys[1]); + Assert.Equal("zebra-tool", keys[2]); + } + + [Fact] + public void Build_Triggers_AreSortedByEventTypeThenTime() + { + // Arrange + var builder = new ReanalysisFingerprintBuilder(_timeProvider) + .AddTrigger("vex.changed", 1, "excititor") + .AddTrigger("epss.updated", 1, "signals") + .AddTrigger("runtime.detected", 1, "zastava"); + + // Act + var fingerprint = builder.Build(); + + // Assert - sorted by event type + Assert.Equal(3, fingerprint.Triggers.Count); + Assert.Equal("epss.updated", fingerprint.Triggers[0].EventType); + Assert.Equal("runtime.detected", fingerprint.Triggers[1].EventType); + Assert.Equal("vex.changed", fingerprint.Triggers[2].EventType); + } + + [Fact] + public void Build_DuplicateEvidenceDigests_AreDeduped() + { + // Arrange + var builder = new ReanalysisFingerprintBuilder(_timeProvider) + .AddEvidenceDigest("sha256:abc") + .AddEvidenceDigest("sha256:abc") // duplicate + .AddEvidenceDigest("sha256:def"); + + // Act + var fingerprint = builder.Build(); + + // Assert + Assert.Equal(2, fingerprint.EvidenceDigests.Count); + } + + [Fact] + public void Build_NextActions_AreSortedAndDeduped() + { + // Arrange + var builder = new ReanalysisFingerprintBuilder(_timeProvider) + .AddNextAction("rescan") + .AddNextAction("notify") + .AddNextAction("rescan") // duplicate + .AddNextAction("adjudicate"); + + // Act + var fingerprint = builder.Build(); + + // Assert + Assert.Equal(3, fingerprint.NextActions.Count); + Assert.Equal("adjudicate", fingerprint.NextActions[0]); + Assert.Equal("notify", fingerprint.NextActions[1]); + Assert.Equal("rescan", fingerprint.NextActions[2]); + } + + [Fact] + public void Build_SetsComputedAtFromTimeProvider() + { + // Arrange + var builder = new ReanalysisFingerprintBuilder(_timeProvider); + + // Act + var fingerprint = builder.Build(); + + // Assert + Assert.Equal(_timeProvider.GetUtcNow(), fingerprint.ComputedAt); + } +} diff --git a/src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/Scoring/ConflictDetectorTests.cs b/src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/Scoring/ConflictDetectorTests.cs new file mode 100644 index 000000000..0e1cda547 --- /dev/null +++ b/src/Policy/__Tests/StellaOps.Policy.Determinization.Tests/Scoring/ConflictDetectorTests.cs @@ -0,0 +1,239 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_004_POLICY_unknowns_determinization_greyqueue (POLICY-UNK-006) +// + +using Microsoft.Extensions.Logging.Abstractions; +using StellaOps.Policy.Determinization.Evidence; +using StellaOps.Policy.Determinization.Models; +using StellaOps.Policy.Determinization.Scoring; +using StellaOps.TestKit; +using Xunit; + +namespace StellaOps.Policy.Determinization.Tests.Scoring; + +[Trait("Category", TestCategories.Unit)] +public class ConflictDetectorTests +{ + private readonly ConflictDetector _detector; + private readonly DateTimeOffset _now = new(2026, 1, 15, 12, 0, 0, TimeSpan.Zero); + + public ConflictDetectorTests() + { + _detector = new ConflictDetector(NullLogger.Instance); + } + + [Fact] + public void Detect_NoConflicts_ReturnsNoConflictResult() + { + // Arrange - consistent signals + var snapshot = CreateSnapshot( + vexStatus: "affected", + vexConfidence: 0.9, + reachable: true, + runtimeDetected: true, + backportDetected: false); + + // Act + var result = _detector.Detect(snapshot); + + // Assert + Assert.False(result.HasConflict); + Assert.Empty(result.Conflicts); + Assert.Equal(AdjudicationPath.None, result.SuggestedPath); + } + + [Fact] + public void Detect_VexNotAffectedButReachable_DetectsConflict() + { + // Arrange - VEX says not_affected but reachability shows exploitable + var snapshot = CreateSnapshot( + vexStatus: "not_affected", + vexConfidence: 0.9, + reachable: true, + runtimeDetected: false, + backportDetected: false); + + // Act + var result = _detector.Detect(snapshot); + + // Assert + Assert.True(result.HasConflict); + Assert.Single(result.Conflicts); + Assert.Equal(ConflictType.VexReachabilityContradiction, result.Conflicts[0].Type); + Assert.Equal(0.9, result.Conflicts[0].Severity); + } + + [Fact] + public void Detect_StaticUnreachableButRuntimeDetected_DetectsConflict() + { + // Arrange - static analysis says unreachable but runtime shows execution + var snapshot = CreateSnapshot( + vexStatus: "affected", + vexConfidence: 0.9, + reachable: false, + reachabilityStatus: ReachabilityStatus.Unreachable, + runtimeDetected: true, + backportDetected: false); + + // Act + var result = _detector.Detect(snapshot); + + // Assert + Assert.True(result.HasConflict); + Assert.Contains(result.Conflicts, c => c.Type == ConflictType.StaticRuntimeContradiction); + } + + [Fact] + public void Detect_MultipleVexWithLowConfidence_DetectsConflict() + { + // Arrange - multiple VEX sources with conflicting status (low confidence) + var snapshot = CreateSnapshot( + vexStatus: "affected", + vexConfidence: 0.5, // Low confidence indicates conflict + vexStatementCount: 3, + reachable: true, + runtimeDetected: false, + backportDetected: false); + + // Act + var result = _detector.Detect(snapshot); + + // Assert + Assert.True(result.HasConflict); + Assert.Contains(result.Conflicts, c => c.Type == ConflictType.VexStatusConflict); + Assert.Equal(AdjudicationPath.VendorClarification, result.SuggestedPath); + } + + [Fact] + public void Detect_BackportedButVexAffected_DetectsConflict() + { + // Arrange - backport evidence says fixed but VEX still says affected + var snapshot = CreateSnapshot( + vexStatus: "affected", + vexConfidence: 0.9, + reachable: false, + runtimeDetected: false, + backportDetected: true); + + // Act + var result = _detector.Detect(snapshot); + + // Assert + Assert.True(result.HasConflict); + Assert.Contains(result.Conflicts, c => c.Type == ConflictType.BackportStatusConflict); + } + + [Fact] + public void Detect_MultipleConflicts_ReturnsSeverityBasedPath() + { + // Arrange - multiple conflicts + var snapshot = CreateSnapshot( + vexStatus: "not_affected", + vexConfidence: 0.5, + vexStatementCount: 2, + reachable: true, + runtimeDetected: false, + backportDetected: false); + + // Act + var result = _detector.Detect(snapshot); + + // Assert + Assert.True(result.HasConflict); + Assert.True(result.Conflicts.Count >= 2); + Assert.True(result.Severity >= 0.7); + Assert.Equal(AdjudicationPath.SecurityTeamReview, result.SuggestedPath); + } + + [Fact] + public void Detect_ConflictsAreSortedByTypeThenSeverity() + { + // Arrange - multiple conflicts of different types + var snapshot = CreateSnapshot( + vexStatus: "not_affected", + vexConfidence: 0.5, + vexStatementCount: 2, + reachable: true, + runtimeDetected: false, + backportDetected: true); + + // Act + var result = _detector.Detect(snapshot); + + // Assert - conflicts are sorted by type then severity descending + for (int i = 1; i < result.Conflicts.Count; i++) + { + var prev = result.Conflicts[i - 1]; + var curr = result.Conflicts[i]; + Assert.True( + prev.Type < curr.Type || + (prev.Type == curr.Type && prev.Severity >= curr.Severity), + "Conflicts should be sorted by type then severity descending"); + } + } + + private SignalSnapshot CreateSnapshot( + string vexStatus, + double vexConfidence, + bool reachable, + bool runtimeDetected, + bool backportDetected, + ReachabilityStatus? reachabilityStatus = null, + int vexStatementCount = 1) + { + return new SignalSnapshot + { + Cve = "CVE-2024-12345", + Purl = "pkg:nuget/Test@1.0.0", + SnapshotAt = _now, + Epss = SignalState.Queried( + new EpssEvidence + { + Probability = 0.5, + Percentile = 0.7, + Model = "epss-v3", + FetchedAt = _now + }, + _now), + Vex = SignalState.Queried( + new VexClaimSummary + { + Status = vexStatus, + Confidence = vexConfidence, + StatementCount = vexStatementCount, + ComputedAt = _now + }, + _now), + Reachability = SignalState.Queried( + new ReachabilityEvidence + { + Status = reachabilityStatus ?? (reachable ? ReachabilityStatus.Reachable : ReachabilityStatus.NotAnalyzed), + AnalyzedAt = _now, + Confidence = 0.95 + }, + _now), + Runtime = SignalState.Queried( + new RuntimeEvidence + { + Detected = runtimeDetected, + Source = "tracer", + ObservationStart = _now.AddDays(-7), + ObservationEnd = _now, + Confidence = 0.9 + }, + _now), + Backport = SignalState.Queried( + new BackportEvidence + { + Detected = backportDetected, + Source = "vendor-advisory", + DetectedAt = _now, + Confidence = 0.85 + }, + _now), + Sbom = SignalState.NotQueried(), + Cvss = SignalState.NotQueried() + }; + } +} diff --git a/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/CvssThresholdGateTests.cs b/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/CvssThresholdGateTests.cs new file mode 100644 index 000000000..12066a99f --- /dev/null +++ b/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/CvssThresholdGateTests.cs @@ -0,0 +1,347 @@ +// ----------------------------------------------------------------------------- +// CvssThresholdGateTests.cs +// Sprint: SPRINT_20260112_017_POLICY_cvss_threshold_gate +// Tasks: CVSS-GATE-008, CVSS-GATE-009 +// Description: Unit tests for CVSS threshold gate. +// ----------------------------------------------------------------------------- + +using System.Collections.Immutable; +using StellaOps.Policy.Confidence.Models; +using StellaOps.Policy.Gates; +using StellaOps.Policy.TrustLattice; +using Xunit; + +namespace StellaOps.Policy.Tests.Gates; + +[Trait("Category", "Unit")] +public sealed class CvssThresholdGateTests +{ + private static MergeResult CreateMergeResult() => new() + { + Status = VexStatus.Affected, + Confidence = 0.8, + HasConflicts = false, + AllClaims = ImmutableArray.Empty, + WinningClaim = new ScoredClaim + { + SourceId = "test", + Status = VexStatus.Affected, + OriginalScore = 0.8, + AdjustedScore = 0.8, + ScopeSpecificity = 1, + Accepted = true, + Reason = "test" + }, + Conflicts = ImmutableArray.Empty + }; + + private static PolicyGateContext CreateContext( + string environment = "production", + string? cveId = null, + Dictionary? metadata = null) => new() + { + Environment = environment, + CveId = cveId, + Metadata = metadata + }; + + [Fact] + public async Task EvaluateAsync_Disabled_ReturnsPass() + { + var options = new CvssThresholdGateOptions { Enabled = false }; + var gate = new CvssThresholdGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.True(result.Passed); + Assert.Equal("disabled", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_CveOnDenylist_ReturnsFail() + { + var options = new CvssThresholdGateOptions + { + Denylist = new HashSet(StringComparer.OrdinalIgnoreCase) { "CVE-2024-12345" } + }; + var gate = new CvssThresholdGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-12345")); + + Assert.False(result.Passed); + Assert.Equal("denylist", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_CveOnAllowlist_ReturnsPass() + { + var options = new CvssThresholdGateOptions + { + Allowlist = new HashSet(StringComparer.OrdinalIgnoreCase) { "CVE-2024-99999" } + }; + var gate = new CvssThresholdGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-99999")); + + Assert.True(result.Passed); + Assert.Equal("allowlist", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_DenylistTakesPrecedenceOverAllowlist() + { + var options = new CvssThresholdGateOptions + { + Allowlist = new HashSet(StringComparer.OrdinalIgnoreCase) { "CVE-2024-12345" }, + Denylist = new HashSet(StringComparer.OrdinalIgnoreCase) { "CVE-2024-12345" } + }; + var gate = new CvssThresholdGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-12345")); + + Assert.False(result.Passed); + Assert.Equal("denylist", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_NoCvssScore_FailOnMissingFalse_ReturnsPass() + { + var options = new CvssThresholdGateOptions { FailOnMissingCvss = false }; + var gate = new CvssThresholdGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-00001")); + + Assert.True(result.Passed); + Assert.Equal("no_cvss_available", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_NoCvssScore_FailOnMissingTrue_ReturnsFail() + { + var options = new CvssThresholdGateOptions { FailOnMissingCvss = true }; + var gate = new CvssThresholdGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-00001")); + + Assert.False(result.Passed); + Assert.Equal("missing_cvss", result.Reason); + } + + [Theory] + [InlineData(6.9, true)] // Below threshold + [InlineData(7.0, false)] // At threshold (fails - must be strictly below) + [InlineData(7.1, false)] // Above threshold + [InlineData(9.9, false)] // Well above threshold + public async Task EvaluateAsync_V31Score_DefaultThreshold_ReturnsExpected(double score, bool expectedPass) + { + var options = new CvssThresholdGateOptions + { + DefaultThreshold = 7.0, + CvssVersionPreference = "v3.1" + }; + var lookup = (string? _) => new CvssScoreInfo { CvssV31BaseScore = score }; + var gate = new CvssThresholdGate(options, lookup); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-00001")); + + Assert.Equal(expectedPass, result.Passed); + } + + [Theory] + [InlineData(7.9, true)] // Below staging threshold + [InlineData(8.0, false)] // At staging threshold + [InlineData(8.5, false)] // Above staging threshold + public async Task EvaluateAsync_StagingEnvironment_UsesStagingThreshold(double score, bool expectedPass) + { + var options = new CvssThresholdGateOptions + { + Thresholds = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["production"] = 7.0, + ["staging"] = 8.0, + ["development"] = 9.0 + }, + CvssVersionPreference = "v3.1" + }; + var lookup = (string? _) => new CvssScoreInfo { CvssV31BaseScore = score }; + var gate = new CvssThresholdGate(options, lookup); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(environment: "staging", cveId: "CVE-2024-00001")); + + Assert.Equal(expectedPass, result.Passed); + } + + [Theory] + [InlineData(8.9, true)] // Below development threshold + [InlineData(9.0, false)] // At development threshold + [InlineData(9.5, false)] // Above development threshold + public async Task EvaluateAsync_DevelopmentEnvironment_UsesDevelopmentThreshold(double score, bool expectedPass) + { + var options = new CvssThresholdGateOptions + { + Thresholds = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["production"] = 7.0, + ["staging"] = 8.0, + ["development"] = 9.0 + }, + CvssVersionPreference = "v3.1" + }; + var lookup = (string? _) => new CvssScoreInfo { CvssV31BaseScore = score }; + var gate = new CvssThresholdGate(options, lookup); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(environment: "development", cveId: "CVE-2024-00001")); + + Assert.Equal(expectedPass, result.Passed); + } + + [Fact] + public async Task EvaluateAsync_UnknownEnvironment_UsesDefaultThreshold() + { + var options = new CvssThresholdGateOptions + { + DefaultThreshold = 5.0, + Thresholds = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["production"] = 7.0 + }, + CvssVersionPreference = "v3.1" + }; + var lookup = (string? _) => new CvssScoreInfo { CvssV31BaseScore = 5.5 }; + var gate = new CvssThresholdGate(options, lookup); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(environment: "qa", cveId: "CVE-2024-00001")); + + Assert.False(result.Passed); + Assert.Equal("cvss_exceeds_threshold", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_V40Score_UsesV40WhenPreferred() + { + var options = new CvssThresholdGateOptions + { + DefaultThreshold = 7.0, + CvssVersionPreference = "v4.0" + }; + var lookup = (string? _) => new CvssScoreInfo + { + CvssV31BaseScore = 8.0, // Would fail + CvssV40BaseScore = 6.0 // Would pass + }; + var gate = new CvssThresholdGate(options, lookup); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-00001")); + + Assert.True(result.Passed); + Assert.Equal("v4.0", result.Details["cvss_version"]); + } + + [Fact] + public async Task EvaluateAsync_HighestPreference_UsesHigherScore() + { + var options = new CvssThresholdGateOptions + { + DefaultThreshold = 7.5, + CvssVersionPreference = "highest" + }; + var lookup = (string? _) => new CvssScoreInfo + { + CvssV31BaseScore = 7.0, // Would pass alone + CvssV40BaseScore = 8.0 // Would fail, and is higher + }; + var gate = new CvssThresholdGate(options, lookup); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-00001")); + + Assert.False(result.Passed); + Assert.Equal(8.0, (double)result.Details["cvss_score"]); + } + + [Fact] + public async Task EvaluateAsync_RequireAllVersionsPass_BothMustPass() + { + var options = new CvssThresholdGateOptions + { + DefaultThreshold = 7.5, + CvssVersionPreference = "highest", + RequireAllVersionsPass = true + }; + var lookup = (string? _) => new CvssScoreInfo + { + CvssV31BaseScore = 7.0, // Would pass + CvssV40BaseScore = 8.0 // Would fail + }; + var gate = new CvssThresholdGate(options, lookup); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-00001")); + + Assert.False(result.Passed); + } + + [Fact] + public async Task EvaluateAsync_RequireAllVersionsPass_BothPass() + { + var options = new CvssThresholdGateOptions + { + DefaultThreshold = 8.5, + CvssVersionPreference = "highest", + RequireAllVersionsPass = true + }; + var lookup = (string? _) => new CvssScoreInfo + { + CvssV31BaseScore = 7.0, + CvssV40BaseScore = 8.0 + }; + var gate = new CvssThresholdGate(options, lookup); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-00001")); + + Assert.True(result.Passed); + } + + [Fact] + public async Task EvaluateAsync_MetadataFallback_ExtractsFromContext() + { + var options = new CvssThresholdGateOptions + { + DefaultThreshold = 7.0, + CvssVersionPreference = "v3.1" + }; + var metadata = new Dictionary + { + ["cvss_v31_score"] = "6.5" + }; + var gate = new CvssThresholdGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-00001", metadata: metadata)); + + Assert.True(result.Passed); + Assert.Equal(6.5, (double)result.Details["cvss_score"]); + } + + [Fact] + public async Task EvaluateAsync_CaseInsensitiveCveMatch() + { + var options = new CvssThresholdGateOptions + { + Allowlist = new HashSet(StringComparer.OrdinalIgnoreCase) { "cve-2024-12345" } + }; + var gate = new CvssThresholdGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(cveId: "CVE-2024-12345")); + + Assert.True(result.Passed); + Assert.Equal("allowlist", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_IncludesAllDetailsInResult() + { + var options = new CvssThresholdGateOptions + { + DefaultThreshold = 7.0, + CvssVersionPreference = "v3.1" + }; + var lookup = (string? _) => new CvssScoreInfo + { + CvssV31BaseScore = 8.5, + CvssV40BaseScore = 7.2 + }; + var gate = new CvssThresholdGate(options, lookup); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(environment: "production", cveId: "CVE-2024-00001")); + + Assert.False(result.Passed); + Assert.Equal(7.0, (double)result.Details["threshold"]); + Assert.Equal("production", result.Details["environment"]); + Assert.Equal("v3.1", result.Details["cvss_version"]); + Assert.Equal(8.5, (double)result.Details["cvss_score"]); + Assert.Equal(8.5, (double)result.Details["cvss_v31_score"]); + Assert.Equal(7.2, (double)result.Details["cvss_v40_score"]); + Assert.Equal("CVE-2024-00001", result.Details["cve_id"]); + } +} diff --git a/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/SbomPresenceGateTests.cs b/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/SbomPresenceGateTests.cs new file mode 100644 index 000000000..ef166b135 --- /dev/null +++ b/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/SbomPresenceGateTests.cs @@ -0,0 +1,384 @@ +// ----------------------------------------------------------------------------- +// SbomPresenceGateTests.cs +// Sprint: SPRINT_20260112_017_POLICY_sbom_presence_gate +// Tasks: SBOM-GATE-009 +// Description: Unit tests for SBOM presence gate. +// ----------------------------------------------------------------------------- + +using System.Collections.Immutable; +using StellaOps.Policy.Confidence.Models; +using StellaOps.Policy.Gates; +using StellaOps.Policy.TrustLattice; +using Xunit; + +namespace StellaOps.Policy.Tests.Gates; + +[Trait("Category", "Unit")] +public sealed class SbomPresenceGateTests +{ + private static MergeResult CreateMergeResult() => new() + { + Status = VexStatus.Affected, + Confidence = 0.8, + HasConflicts = false, + AllClaims = ImmutableArray.Empty, + WinningClaim = new ScoredClaim + { + SourceId = "test", + Status = VexStatus.Affected, + OriginalScore = 0.8, + AdjustedScore = 0.8, + ScopeSpecificity = 1, + Accepted = true, + Reason = "test" + }, + Conflicts = ImmutableArray.Empty + }; + + private static PolicyGateContext CreateContext( + string environment = "production", + Dictionary? metadata = null) => new() + { + Environment = environment, + Metadata = metadata + }; + + [Fact] + public async Task EvaluateAsync_Disabled_ReturnsPass() + { + var options = new SbomPresenceGateOptions { Enabled = false }; + var gate = new SbomPresenceGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.True(result.Passed); + Assert.Equal("disabled", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_OptionalEnforcement_ReturnsPass() + { + var options = new SbomPresenceGateOptions + { + Enforcement = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["development"] = SbomEnforcementLevel.Optional + } + }; + var gate = new SbomPresenceGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(environment: "development")); + + Assert.True(result.Passed); + Assert.Equal("optional_enforcement", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_MissingSbom_RequiredEnforcement_ReturnsFail() + { + var options = new SbomPresenceGateOptions(); + var gate = new SbomPresenceGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + Assert.Equal("sbom_missing", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_MissingSbom_RecommendedEnforcement_ReturnsPassWithWarning() + { + var options = new SbomPresenceGateOptions + { + Enforcement = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["staging"] = SbomEnforcementLevel.Recommended + } + }; + var gate = new SbomPresenceGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(environment: "staging")); + + Assert.True(result.Passed); + Assert.Equal("sbom_missing_recommended", result.Reason); + Assert.Contains("warning", result.Details.Keys); + } + + [Fact] + public async Task EvaluateAsync_ValidSbom_ReturnsPass() + { + var options = new SbomPresenceGateOptions(); + var sbomInfo = new SbomInfo + { + Present = true, + Format = "spdx-2.3", + ComponentCount = 10, + HasPrimaryComponent = true, + SchemaValid = true + }; + var gate = new SbomPresenceGate(options, _ => sbomInfo); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.True(result.Passed); + Assert.Equal("sbom_valid", result.Reason); + } + + [Theory] + [InlineData("spdx-2.2")] + [InlineData("spdx-2.3")] + [InlineData("spdx-3.0.1")] + [InlineData("cyclonedx-1.4")] + [InlineData("cyclonedx-1.5")] + [InlineData("cyclonedx-1.6")] + [InlineData("cyclonedx-1.7")] + public async Task EvaluateAsync_AcceptedFormats_ReturnsPass(string format) + { + var options = new SbomPresenceGateOptions(); + var sbomInfo = new SbomInfo + { + Present = true, + Format = format, + ComponentCount = 5, + HasPrimaryComponent = true + }; + var gate = new SbomPresenceGate(options, _ => sbomInfo); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.True(result.Passed); + } + + [Theory] + [InlineData("unknown-1.0")] + [InlineData("custom-format")] + [InlineData("spdx-1.0")] + public async Task EvaluateAsync_InvalidFormat_ReturnsFail(string format) + { + var options = new SbomPresenceGateOptions(); + var sbomInfo = new SbomInfo + { + Present = true, + Format = format, + ComponentCount = 5, + HasPrimaryComponent = true + }; + var gate = new SbomPresenceGate(options, _ => sbomInfo); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + Assert.Equal("invalid_format", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_InsufficientComponents_ReturnsFail() + { + var options = new SbomPresenceGateOptions { MinimumComponents = 5 }; + var sbomInfo = new SbomInfo + { + Present = true, + Format = "spdx-2.3", + ComponentCount = 3, + HasPrimaryComponent = true + }; + var gate = new SbomPresenceGate(options, _ => sbomInfo); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + Assert.Equal("insufficient_components", result.Reason); + Assert.Equal(5, (int)result.Details["minimum_components"]); + Assert.Equal(3, (int)result.Details["component_count"]); + } + + [Fact] + public async Task EvaluateAsync_SchemaValidationFailed_ReturnsFail() + { + var options = new SbomPresenceGateOptions { SchemaValidation = true }; + var sbomInfo = new SbomInfo + { + Present = true, + Format = "spdx-2.3", + ComponentCount = 5, + HasPrimaryComponent = true, + SchemaValid = false, + SchemaErrors = new[] { "Missing required field 'name'", "Invalid date format" } + }; + var gate = new SbomPresenceGate(options, _ => sbomInfo); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + Assert.Equal("schema_validation_failed", result.Reason); + Assert.Contains("schema_errors", result.Details.Keys); + } + + [Fact] + public async Task EvaluateAsync_SignatureRequired_MissingSignature_ReturnsFail() + { + var options = new SbomPresenceGateOptions { RequireSignature = true }; + var sbomInfo = new SbomInfo + { + Present = true, + Format = "spdx-2.3", + ComponentCount = 5, + HasPrimaryComponent = true, + HasSignature = false + }; + var gate = new SbomPresenceGate(options, _ => sbomInfo); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + Assert.Equal("signature_missing", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_SignatureRequired_InvalidSignature_ReturnsFail() + { + var options = new SbomPresenceGateOptions { RequireSignature = true }; + var sbomInfo = new SbomInfo + { + Present = true, + Format = "spdx-2.3", + ComponentCount = 5, + HasPrimaryComponent = true, + HasSignature = true, + SignatureValid = false + }; + var gate = new SbomPresenceGate(options, _ => sbomInfo); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + Assert.Equal("signature_invalid", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_SignatureRequired_ValidSignature_ReturnsPass() + { + var options = new SbomPresenceGateOptions { RequireSignature = true }; + var sbomInfo = new SbomInfo + { + Present = true, + Format = "spdx-2.3", + ComponentCount = 5, + HasPrimaryComponent = true, + HasSignature = true, + SignatureValid = true + }; + var gate = new SbomPresenceGate(options, _ => sbomInfo); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.True(result.Passed); + } + + [Fact] + public async Task EvaluateAsync_PrimaryComponentRequired_Missing_ReturnsFail() + { + var options = new SbomPresenceGateOptions { RequirePrimaryComponent = true }; + var sbomInfo = new SbomInfo + { + Present = true, + Format = "spdx-2.3", + ComponentCount = 5, + HasPrimaryComponent = false + }; + var gate = new SbomPresenceGate(options, _ => sbomInfo); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + Assert.Equal("primary_component_missing", result.Reason); + } + + [Theory] + [InlineData("production", SbomEnforcementLevel.Required)] + [InlineData("staging", SbomEnforcementLevel.Required)] + [InlineData("development", SbomEnforcementLevel.Optional)] + public async Task EvaluateAsync_EnvironmentEnforcement_UsesCorrectLevel(string environment, SbomEnforcementLevel expectedLevel) + { + var options = new SbomPresenceGateOptions + { + Enforcement = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["production"] = SbomEnforcementLevel.Required, + ["staging"] = SbomEnforcementLevel.Required, + ["development"] = SbomEnforcementLevel.Optional + } + }; + var gate = new SbomPresenceGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(environment: environment)); + + Assert.Equal(expectedLevel.ToString(), result.Details["enforcement"]); + } + + [Fact] + public async Task EvaluateAsync_UnknownEnvironment_UsesDefaultEnforcement() + { + var options = new SbomPresenceGateOptions + { + DefaultEnforcement = SbomEnforcementLevel.Recommended, + Enforcement = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["production"] = SbomEnforcementLevel.Required + } + }; + var gate = new SbomPresenceGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(environment: "qa")); + + Assert.Equal(SbomEnforcementLevel.Recommended.ToString(), result.Details["enforcement"]); + } + + [Fact] + public async Task EvaluateAsync_MetadataFallback_ParsesSbomInfo() + { + var options = new SbomPresenceGateOptions(); + var metadata = new Dictionary + { + ["sbom_present"] = "true", + ["sbom_format"] = "cyclonedx-1.6", + ["sbom_component_count"] = "25", + ["sbom_has_primary_component"] = "true" + }; + var gate = new SbomPresenceGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(metadata: metadata)); + + Assert.True(result.Passed); + Assert.Equal("cyclonedx-1.6", result.Details["format"]); + Assert.Equal(25, (int)result.Details["component_count"]); + } + + [Theory] + [InlineData("SPDX-2.3", "spdx-2.3")] + [InlineData("CycloneDX-1.6", "cyclonedx-1.6")] + [InlineData("spdx 2.3", "spdx-2.3")] + [InlineData("cdx-1.5", "cyclonedx-1.5")] + public async Task EvaluateAsync_FormatNormalization_HandlesVariations(string inputFormat, string normalizedExpected) + { + var options = new SbomPresenceGateOptions(); + var sbomInfo = new SbomInfo + { + Present = true, + Format = inputFormat, + ComponentCount = 5, + HasPrimaryComponent = true + }; + var gate = new SbomPresenceGate(options, _ => sbomInfo); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + // If format was accepted, it was normalized correctly + Assert.True(result.Passed, $"Format '{inputFormat}' should normalize to '{normalizedExpected}' and be accepted"); + } + + [Fact] + public async Task EvaluateAsync_IncludesOptionalMetadata() + { + var options = new SbomPresenceGateOptions(); + var createdAt = new DateTimeOffset(2026, 1, 15, 10, 30, 0, TimeSpan.Zero); + var sbomInfo = new SbomInfo + { + Present = true, + Format = "spdx-2.3", + ComponentCount = 10, + HasPrimaryComponent = true, + DocumentUri = "urn:sbom:example:12345", + CreatedAt = createdAt + }; + var gate = new SbomPresenceGate(options, _ => sbomInfo); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.True(result.Passed); + Assert.Equal("urn:sbom:example:12345", result.Details["document_uri"]); + Assert.Contains("2026-01-15", (string)result.Details["created_at"]); + } +} diff --git a/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/SignatureRequiredGateTests.cs b/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/SignatureRequiredGateTests.cs new file mode 100644 index 000000000..9bd4d1326 --- /dev/null +++ b/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/SignatureRequiredGateTests.cs @@ -0,0 +1,450 @@ +// ----------------------------------------------------------------------------- +// SignatureRequiredGateTests.cs +// Sprint: SPRINT_20260112_017_POLICY_signature_required_gate +// Tasks: SIG-GATE-009 +// Description: Unit tests for signature required gate. +// ----------------------------------------------------------------------------- + +using System.Collections.Immutable; +using StellaOps.Policy.Confidence.Models; +using StellaOps.Policy.Gates; +using StellaOps.Policy.TrustLattice; +using Xunit; + +namespace StellaOps.Policy.Tests.Gates; + +[Trait("Category", "Unit")] +public sealed class SignatureRequiredGateTests +{ + private static MergeResult CreateMergeResult() => new() + { + Status = VexStatus.Affected, + Confidence = 0.8, + HasConflicts = false, + AllClaims = ImmutableArray.Empty, + WinningClaim = new ScoredClaim + { + SourceId = "test", + Status = VexStatus.Affected, + OriginalScore = 0.8, + AdjustedScore = 0.8, + ScopeSpecificity = 1, + Accepted = true, + Reason = "test" + }, + Conflicts = ImmutableArray.Empty + }; + + private static PolicyGateContext CreateContext(string environment = "production") => new() + { + Environment = environment + }; + + [Fact] + public async Task EvaluateAsync_Disabled_ReturnsPass() + { + var options = new SignatureRequiredGateOptions { Enabled = false }; + var gate = new SignatureRequiredGate(options); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.True(result.Passed); + Assert.Equal("disabled", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_MissingSignature_ReturnsFail() + { + var options = new SignatureRequiredGateOptions(); + var signatures = new List(); // No signatures + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + Assert.Equal("signature_validation_failed", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_AllValidSignatures_ReturnsPass() + { + var options = new SignatureRequiredGateOptions(); + var signatures = new List + { + new() { EvidenceType = "sbom", HasSignature = true, SignatureValid = true }, + new() { EvidenceType = "vex", HasSignature = true, SignatureValid = true }, + new() { EvidenceType = "attestation", HasSignature = true, SignatureValid = true } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.True(result.Passed); + Assert.Equal("signatures_verified", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_InvalidSignature_ReturnsFail() + { + var options = new SignatureRequiredGateOptions(); + var signatures = new List + { + new() { EvidenceType = "sbom", HasSignature = true, SignatureValid = false, VerificationErrors = new[] { "Invalid hash" } }, + new() { EvidenceType = "vex", HasSignature = true, SignatureValid = true }, + new() { EvidenceType = "attestation", HasSignature = true, SignatureValid = true } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + Assert.Contains("failures", result.Details.Keys); + } + + [Fact] + public async Task EvaluateAsync_NotRequiredType_PassesWithoutSignature() + { + var options = new SignatureRequiredGateOptions + { + EvidenceTypes = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig { Required = false }, + ["vex"] = new EvidenceSignatureConfig { Required = true }, + ["attestation"] = new EvidenceSignatureConfig { Required = true } + } + }; + var signatures = new List + { + // No SBOM signature - but it's not required + new() { EvidenceType = "vex", HasSignature = true, SignatureValid = true }, + new() { EvidenceType = "attestation", HasSignature = true, SignatureValid = true } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.True(result.Passed); + } + + [Theory] + [InlineData("build@company.com", new[] { "build@company.com" }, true)] + [InlineData("release@company.com", new[] { "*@company.com" }, true)] + [InlineData("external@other.com", new[] { "*@company.com" }, false)] + [InlineData("build@company.com", new[] { "other@company.com" }, false)] + public async Task EvaluateAsync_IssuerValidation_EnforcesConstraints( + string signerIdentity, + string[] trustedIssuers, + bool expectedPass) + { + var options = new SignatureRequiredGateOptions + { + EvidenceTypes = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig + { + Required = true, + TrustedIssuers = new HashSet(trustedIssuers, StringComparer.OrdinalIgnoreCase) + }, + ["vex"] = new EvidenceSignatureConfig { Required = false }, + ["attestation"] = new EvidenceSignatureConfig { Required = false } + } + }; + var signatures = new List + { + new() + { + EvidenceType = "sbom", + HasSignature = true, + SignatureValid = true, + SignerIdentity = signerIdentity + } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.Equal(expectedPass, result.Passed); + } + + [Theory] + [InlineData("ES256", true)] + [InlineData("RS256", true)] + [InlineData("EdDSA", true)] + [InlineData("UNKNOWN", false)] + public async Task EvaluateAsync_AlgorithmValidation_EnforcesAccepted(string algorithm, bool expectedPass) + { + var options = new SignatureRequiredGateOptions + { + EvidenceTypes = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig { Required = true }, + ["vex"] = new EvidenceSignatureConfig { Required = false }, + ["attestation"] = new EvidenceSignatureConfig { Required = false } + } + }; + var signatures = new List + { + new() + { + EvidenceType = "sbom", + HasSignature = true, + SignatureValid = true, + Algorithm = algorithm + } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.Equal(expectedPass, result.Passed); + } + + [Fact] + public async Task EvaluateAsync_KeyIdValidation_EnforcesConstraints() + { + var options = new SignatureRequiredGateOptions + { + EvidenceTypes = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig + { + Required = true, + TrustedKeyIds = new HashSet(StringComparer.OrdinalIgnoreCase) { "key-001", "key-002" } + }, + ["vex"] = new EvidenceSignatureConfig { Required = false }, + ["attestation"] = new EvidenceSignatureConfig { Required = false } + } + }; + var signatures = new List + { + new() + { + EvidenceType = "sbom", + HasSignature = true, + SignatureValid = true, + KeyId = "key-999", + IsKeyless = false + } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + } + + [Fact] + public async Task EvaluateAsync_KeylessSignature_ValidWithTransparencyLog() + { + var options = new SignatureRequiredGateOptions + { + EnableKeylessVerification = true, + RequireTransparencyLogInclusion = true, + EvidenceTypes = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig { Required = true }, + ["vex"] = new EvidenceSignatureConfig { Required = false }, + ["attestation"] = new EvidenceSignatureConfig { Required = false } + } + }; + var signatures = new List + { + new() + { + EvidenceType = "sbom", + HasSignature = true, + SignatureValid = true, + IsKeyless = true, + HasTransparencyLogInclusion = true, + CertificateChainValid = true + } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.True(result.Passed); + } + + [Fact] + public async Task EvaluateAsync_KeylessSignature_FailsWithoutTransparencyLog() + { + var options = new SignatureRequiredGateOptions + { + EnableKeylessVerification = true, + RequireTransparencyLogInclusion = true, + EvidenceTypes = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig { Required = true }, + ["vex"] = new EvidenceSignatureConfig { Required = false }, + ["attestation"] = new EvidenceSignatureConfig { Required = false } + } + }; + var signatures = new List + { + new() + { + EvidenceType = "sbom", + HasSignature = true, + SignatureValid = true, + IsKeyless = true, + HasTransparencyLogInclusion = false + } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + } + + [Fact] + public async Task EvaluateAsync_KeylessDisabled_FailsKeylessSignature() + { + var options = new SignatureRequiredGateOptions + { + EnableKeylessVerification = false, + EvidenceTypes = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig { Required = true }, + ["vex"] = new EvidenceSignatureConfig { Required = false }, + ["attestation"] = new EvidenceSignatureConfig { Required = false } + } + }; + var signatures = new List + { + new() + { + EvidenceType = "sbom", + HasSignature = true, + SignatureValid = true, + IsKeyless = true + } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + } + + [Fact] + public async Task EvaluateAsync_EnvironmentOverride_SkipsTypes() + { + var options = new SignatureRequiredGateOptions + { + EvidenceTypes = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig { Required = true }, + ["vex"] = new EvidenceSignatureConfig { Required = true }, + ["attestation"] = new EvidenceSignatureConfig { Required = true } + }, + Environments = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["development"] = new EnvironmentSignatureConfig + { + SkipEvidenceTypes = new HashSet(StringComparer.OrdinalIgnoreCase) { "sbom", "vex" } + } + } + }; + var signatures = new List + { + // Only attestation signature in development + new() { EvidenceType = "attestation", HasSignature = true, SignatureValid = true } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(environment: "development")); + + Assert.True(result.Passed); + } + + [Fact] + public async Task EvaluateAsync_EnvironmentOverride_AddsIssuers() + { + var options = new SignatureRequiredGateOptions + { + EvidenceTypes = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig + { + Required = true, + TrustedIssuers = new HashSet(StringComparer.OrdinalIgnoreCase) { "prod@company.com" } + }, + ["vex"] = new EvidenceSignatureConfig { Required = false }, + ["attestation"] = new EvidenceSignatureConfig { Required = false } + }, + Environments = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["staging"] = new EnvironmentSignatureConfig + { + AdditionalIssuers = new HashSet(StringComparer.OrdinalIgnoreCase) { "staging@company.com" } + } + } + }; + var signatures = new List + { + new() + { + EvidenceType = "sbom", + HasSignature = true, + SignatureValid = true, + SignerIdentity = "staging@company.com" + } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext(environment: "staging")); + + Assert.True(result.Passed); + } + + [Fact] + public async Task EvaluateAsync_InvalidCertificateChain_Fails() + { + var options = new SignatureRequiredGateOptions + { + EvidenceTypes = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig { Required = true }, + ["vex"] = new EvidenceSignatureConfig { Required = false }, + ["attestation"] = new EvidenceSignatureConfig { Required = false } + } + }; + var signatures = new List + { + new() + { + EvidenceType = "sbom", + HasSignature = true, + SignatureValid = true, + IsKeyless = true, + HasTransparencyLogInclusion = true, + CertificateChainValid = false + } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.False(result.Passed); + } + + [Fact] + public async Task EvaluateAsync_WildcardIssuerMatch_MatchesSubdomains() + { + var options = new SignatureRequiredGateOptions + { + EvidenceTypes = new Dictionary(StringComparer.OrdinalIgnoreCase) + { + ["sbom"] = new EvidenceSignatureConfig + { + Required = true, + TrustedIssuers = new HashSet(StringComparer.OrdinalIgnoreCase) { "*@*.company.com" } + }, + ["vex"] = new EvidenceSignatureConfig { Required = false }, + ["attestation"] = new EvidenceSignatureConfig { Required = false } + } + }; + var signatures = new List + { + new() + { + EvidenceType = "sbom", + HasSignature = true, + SignatureValid = true, + SignerIdentity = "build@ci.company.com" + } + }; + var gate = new SignatureRequiredGate(options, _ => signatures); + var result = await gate.EvaluateAsync(CreateMergeResult(), CreateContext()); + + Assert.True(result.Passed); + } +} diff --git a/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/VexProofGateTests.cs b/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/VexProofGateTests.cs new file mode 100644 index 000000000..b2bd6caa4 --- /dev/null +++ b/src/Policy/__Tests/StellaOps.Policy.Tests/Gates/VexProofGateTests.cs @@ -0,0 +1,268 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later +// Copyright (c) 2025 StellaOps +// Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-004) +// Task: Unit tests for VexProofGate anchor-aware mode + +using System.Collections.Immutable; +using StellaOps.Policy.Gates; +using StellaOps.Policy.TrustLattice; +using VexStatus = StellaOps.Policy.Confidence.Models.VexStatus; +using Xunit; + +namespace StellaOps.Policy.Tests.Gates; + +public class VexProofGateTests +{ + private static readonly DateTimeOffset FixedTime = new(2026, 1, 14, 12, 0, 0, TimeSpan.Zero); + + private static MergeResult CreateMergeResult(VexStatus status) => + new() + { + Status = status, + Confidence = 0.9, + HasConflicts = false, + AllClaims = ImmutableArray.Empty, + WinningClaim = new ScoredClaim + { + SourceId = "test", + Status = status, + OriginalScore = 0.9, + AdjustedScore = 0.9, + ScopeSpecificity = 1, + Accepted = true, + Reason = "Test claim" + }, + Conflicts = ImmutableArray.Empty + }; + + [Fact] + public async Task EvaluateAsync_WhenDisabled_ReturnsPass() + { + // Arrange + var options = new VexProofGateOptions { Enabled = false }; + var gate = new VexProofGate(options); + var mergeResult = CreateMergeResult(VexStatus.NotAffected); + var context = new PolicyGateContext { Environment = "production" }; + + // Act + var result = await gate.EvaluateAsync(mergeResult, context); + + // Assert + Assert.True(result.Passed); + Assert.Equal("disabled", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_WhenAnchorAwareModeEnabled_RequiresAnchoring() + { + // Arrange + var options = new VexProofGateOptions + { + Enabled = true, + RequireProofForNotAffected = true, + AnchorAwareMode = true, + RequireVexAnchoring = true + }; + var gate = new VexProofGate(options); + var mergeResult = CreateMergeResult(VexStatus.NotAffected); + var context = new PolicyGateContext + { + Environment = "production", + Metadata = new Dictionary + { + ["vex_proof_id"] = "proof-123", + ["vex_proof_confidence_tier"] = "high", + ["vex_proof_anchored"] = "false" // Not anchored + } + }; + + // Act + var result = await gate.EvaluateAsync(mergeResult, context); + + // Assert + Assert.False(result.Passed); + Assert.Equal("vex_not_anchored", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_WhenAnchorAwareModeEnabled_PassesWithAnchoring() + { + // Arrange + var options = new VexProofGateOptions + { + Enabled = true, + RequireProofForNotAffected = true, + AnchorAwareMode = true, + RequireVexAnchoring = true, + RequireRekorVerification = false + }; + var gate = new VexProofGate(options); + var mergeResult = CreateMergeResult(VexStatus.NotAffected); + var context = new PolicyGateContext + { + Environment = "production", + Metadata = new Dictionary + { + ["vex_proof_id"] = "proof-123", + ["vex_proof_confidence_tier"] = "high", + ["vex_proof_anchored"] = "true", + ["vex_proof_envelope_digest"] = "sha256:abc123" + } + }; + + // Act + var result = await gate.EvaluateAsync(mergeResult, context); + + // Assert + Assert.True(result.Passed); + Assert.Equal("proof_valid", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_WhenRekorRequired_FailsWithoutRekor() + { + // Arrange + var options = new VexProofGateOptions + { + Enabled = true, + RequireProofForNotAffected = true, + AnchorAwareMode = true, + RequireVexAnchoring = true, + RequireRekorVerification = true + }; + var gate = new VexProofGate(options); + var mergeResult = CreateMergeResult(VexStatus.NotAffected); + var context = new PolicyGateContext + { + Environment = "production", + Metadata = new Dictionary + { + ["vex_proof_id"] = "proof-123", + ["vex_proof_confidence_tier"] = "high", + ["vex_proof_anchored"] = "true", + ["vex_proof_rekor_verified"] = "false" + } + }; + + // Act + var result = await gate.EvaluateAsync(mergeResult, context); + + // Assert + Assert.False(result.Passed); + Assert.Equal("rekor_verification_missing", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_WhenRekorRequired_PassesWithRekor() + { + // Arrange + var options = new VexProofGateOptions + { + Enabled = true, + RequireProofForNotAffected = true, + AnchorAwareMode = true, + RequireVexAnchoring = true, + RequireRekorVerification = true + }; + var gate = new VexProofGate(options); + var mergeResult = CreateMergeResult(VexStatus.NotAffected); + var context = new PolicyGateContext + { + Environment = "production", + Metadata = new Dictionary + { + ["vex_proof_id"] = "proof-123", + ["vex_proof_confidence_tier"] = "high", + ["vex_proof_anchored"] = "true", + ["vex_proof_envelope_digest"] = "sha256:abc123", + ["vex_proof_rekor_verified"] = "true", + ["vex_proof_rekor_log_index"] = "12345678" + } + }; + + // Act + var result = await gate.EvaluateAsync(mergeResult, context); + + // Assert + Assert.True(result.Passed); + Assert.Equal("proof_valid", result.Reason); + Assert.True(result.Details.ContainsKey("rekorLogIndex")); + } + + [Fact] + public async Task EvaluateAsync_StrictAnchorAware_EnforcesAllRequirements() + { + // Arrange + var options = VexProofGateOptions.StrictAnchorAware; + var gate = new VexProofGate(options); + var mergeResult = CreateMergeResult(VexStatus.NotAffected); + var context = new PolicyGateContext + { + Environment = "production", + Metadata = new Dictionary + { + ["vex_proof_id"] = "proof-123", + ["vex_proof_confidence_tier"] = "high", + ["vex_proof_all_signed"] = "true", + ["vex_proof_anchored"] = "true", + ["vex_proof_envelope_digest"] = "sha256:abc123", + ["vex_proof_rekor_verified"] = "true", + ["vex_proof_rekor_log_index"] = "12345678" + } + }; + + // Act + var result = await gate.EvaluateAsync(mergeResult, context); + + // Assert + Assert.True(result.Passed); + Assert.Equal("proof_valid", result.Reason); + } + + [Fact] + public async Task EvaluateAsync_StrictAnchorAware_FailsWithoutSignedStatements() + { + // Arrange + var options = VexProofGateOptions.StrictAnchorAware; + var gate = new VexProofGate(options); + var mergeResult = CreateMergeResult(VexStatus.NotAffected); + var context = new PolicyGateContext + { + Environment = "production", + Metadata = new Dictionary + { + ["vex_proof_id"] = "proof-123", + ["vex_proof_confidence_tier"] = "high", + ["vex_proof_all_signed"] = "false", // Not signed + ["vex_proof_anchored"] = "true", + ["vex_proof_rekor_verified"] = "true" + } + }; + + // Act + var result = await gate.EvaluateAsync(mergeResult, context); + + // Assert + Assert.False(result.Passed); + Assert.Equal("unsigned_statements", result.Reason); + } + + [Fact] + public void StrictAnchorAware_HasExpectedDefaults() + { + // Act + var options = VexProofGateOptions.StrictAnchorAware; + + // Assert + Assert.True(options.Enabled); + Assert.Equal("high", options.MinimumConfidenceTier); + Assert.True(options.RequireProofForNotAffected); + Assert.True(options.RequireProofForFixed); + Assert.True(options.RequireSignedStatements); + Assert.True(options.AnchorAwareMode); + Assert.True(options.RequireVexAnchoring); + Assert.True(options.RequireRekorVerification); + Assert.Equal(0, options.MaxAllowedConflicts); + Assert.Equal(72, options.MaxProofAgeHours); + } +} diff --git a/src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceBundleExporter.cs b/src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceBundleExporter.cs index 0bbe50994..3112324af 100644 --- a/src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceBundleExporter.cs +++ b/src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceBundleExporter.cs @@ -269,6 +269,9 @@ public sealed class EvidenceBundleExporter : IEvidenceBundleExporter sb.AppendLine(" │ ├── manifest.json"); sb.AppendLine(" │ ├── sbom.cdx.json"); sb.AppendLine(" │ ├── reachability.json"); + sb.AppendLine(" │ ├── binary-diff.json # Binary diff evidence"); + sb.AppendLine(" │ ├── binary-diff.dsse.json # Signed binary diff (if attested)"); + sb.AppendLine(" │ ├── delta-proof.json # Semantic diff summary"); sb.AppendLine(" │ ├── vex/"); sb.AppendLine(" │ ├── attestations/"); sb.AppendLine(" │ ├── policy/"); @@ -359,6 +362,42 @@ public sealed class EvidenceBundleExporter : IEvidenceBundleExporter .ConfigureAwait(false); } + // Binary diff evidence - Sprint: SPRINT_20260112_009_SCANNER_binary_diff_bundle_export (BINDIFF-SCAN-002) + if (evidence.BinaryDiff is not null) + { + await AddJsonFileAsync("binary-diff.json", evidence.BinaryDiff, streams, entries, ct) + .ConfigureAwait(false); + + // Add DSSE-signed binary diff if attestation refs are present + if (evidence.BinaryDiff.AttestationRef is not null) + { + var dsseWrapper = new + { + payloadType = "application/vnd.stellaops.binary-diff+json", + payload = evidence.BinaryDiff, + attestationRef = evidence.BinaryDiff.AttestationRef + }; + await AddJsonFileAsync("binary-diff.dsse.json", dsseWrapper, streams, entries, ct) + .ConfigureAwait(false); + } + + // Add delta proof summary for semantic fingerprint changes + if (evidence.BinaryDiff.SemanticDiff is not null) + { + var deltaProof = new + { + previousFingerprint = evidence.BinaryDiff.SemanticDiff.PreviousFingerprint, + currentFingerprint = evidence.BinaryDiff.SemanticDiff.CurrentFingerprint, + similarityScore = evidence.BinaryDiff.SemanticDiff.SimilarityScore, + semanticChanges = evidence.BinaryDiff.SemanticDiff.SemanticChanges, + functionChangeCount = evidence.BinaryDiff.FunctionChangeCount, + securityChangeCount = evidence.BinaryDiff.SecurityChangeCount + }; + await AddJsonFileAsync("delta-proof.json", deltaProof, streams, entries, ct) + .ConfigureAwait(false); + } + } + // Policy evidence if (evidence.Policy is not null) { diff --git a/src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationService.cs b/src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationService.cs index 0e17e9553..483c31f3f 100644 --- a/src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationService.cs +++ b/src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationService.cs @@ -1,8 +1,10 @@ // ----------------------------------------------------------------------------- // PrAnnotationService.cs // Sprint: SPRINT_3700_0005_0001_witness_ui_cli -// Tasks: PR-001, PR-002 +// Sprint: SPRINT_20260112_007_SCANNER_pr_mr_annotations (SCANNER-PR-002) +// Tasks: PR-001, PR-002, SCANNER-PR-002 // Description: Service for generating PR annotations with reachability state flips. +// Updated: ASCII-only output, evidence anchors (attestation digest, witness id, policy verdict) // ----------------------------------------------------------------------------- using StellaOps.Scanner.Reachability; @@ -114,6 +116,47 @@ public sealed record StateFlipSummary /// Individual state flips. /// public required IReadOnlyList Flips { get; init; } + + // Sprint: SPRINT_20260112_007_SCANNER_pr_mr_annotations (SCANNER-PR-002) + // Evidence anchor fields + + /// + /// DSSE attestation digest for the head scan. + /// + public string? AttestationDigest { get; init; } + + /// + /// Policy verdict for the PR (pass/fail/warn). + /// + public string? PolicyVerdict { get; init; } + + /// + /// Policy verdict reason code. + /// + public string? PolicyReasonCode { get; init; } + + /// + /// Verify command for reproducibility. + /// + public string? VerifyCommand { get; init; } +} + /// + public required int NetChange { get; init; } + + /// + /// Whether this PR should be blocked based on policy. + /// + public required bool ShouldBlockPr { get; init; } + + /// + /// Human-readable summary. + /// + public required string Summary { get; init; } + + /// + /// Individual state flips. + /// + public required IReadOnlyList Flips { get; init; } } /// @@ -321,29 +364,57 @@ public sealed class PrAnnotationService : IPrAnnotationService { var sb = new System.Text.StringBuilder(); - // Header - sb.AppendLine("## 🔍 Reachability Analysis"); + // Sprint: SPRINT_20260112_007_SCANNER_pr_mr_annotations (SCANNER-PR-002) + // ASCII-only output with evidence anchors + + // Header (ASCII-only) + sb.AppendLine("## Reachability Analysis"); sb.AppendLine(); - // Status badge + // Status badge (ASCII-only) if (summary.ShouldBlockPr) { - sb.AppendLine("⛔ **Status: BLOCKING** - New reachable vulnerabilities detected"); + sb.AppendLine("[BLOCKING] **Status: BLOCKING** - New reachable vulnerabilities detected"); } else if (summary.NewRiskCount > 0) { - sb.AppendLine("⚠️ **Status: WARNING** - Reachability changes detected"); + sb.AppendLine("[WARNING] **Status: WARNING** - Reachability changes detected"); } else if (summary.MitigatedCount > 0) { - sb.AppendLine("✅ **Status: IMPROVED** - Vulnerabilities became unreachable"); + sb.AppendLine("[OK] **Status: IMPROVED** - Vulnerabilities became unreachable"); } else { - sb.AppendLine("✅ **Status: NO CHANGE** - No reachability changes"); + sb.AppendLine("[OK] **Status: NO CHANGE** - No reachability changes"); } sb.AppendLine(); + // Evidence anchors section (SCANNER-PR-002) + if (!string.IsNullOrEmpty(summary.AttestationDigest) || + !string.IsNullOrEmpty(summary.PolicyVerdict) || + !string.IsNullOrEmpty(summary.VerifyCommand)) + { + sb.AppendLine("### Evidence"); + sb.AppendLine(); + if (!string.IsNullOrEmpty(summary.AttestationDigest)) + { + sb.AppendLine($"- **Attestation**: `{summary.AttestationDigest}`"); + } + if (!string.IsNullOrEmpty(summary.PolicyVerdict)) + { + var reasonPart = !string.IsNullOrEmpty(summary.PolicyReasonCode) + ? $" ({summary.PolicyReasonCode})" + : ""; + sb.AppendLine($"- **Policy Verdict**: {summary.PolicyVerdict}{reasonPart}"); + } + if (!string.IsNullOrEmpty(summary.VerifyCommand)) + { + sb.AppendLine($"- **Verify**: `{summary.VerifyCommand}`"); + } + sb.AppendLine(); + } + // Summary stats sb.AppendLine("### Summary"); sb.AppendLine($"| Metric | Count |"); @@ -353,7 +424,7 @@ public sealed class PrAnnotationService : IPrAnnotationService sb.AppendLine($"| Net Change | {(summary.NetChange >= 0 ? "+" : "")}{summary.NetChange} |"); sb.AppendLine(); - // Flips table + // Flips table (ASCII-only, deterministic ordering) if (summary.Flips.Count > 0) { sb.AppendLine("### State Flips"); @@ -361,22 +432,29 @@ public sealed class PrAnnotationService : IPrAnnotationService sb.AppendLine("| CVE | Package | Change | Confidence | Witness |"); sb.AppendLine("|-----|---------|--------|------------|---------|"); - foreach (var flip in summary.Flips.Take(20)) // Limit to 20 entries + // Deterministic ordering: became reachable first, then by CVE ID + var orderedFlips = summary.Flips + .OrderByDescending(f => f.FlipType == StateFlipType.BecameReachable) + .ThenBy(f => f.CveId, StringComparer.Ordinal) + .Take(20); + + foreach (var flip in orderedFlips) { - var changeIcon = flip.FlipType switch + // ASCII-only change indicators + var changeText = flip.FlipType switch { - StateFlipType.BecameReachable => "🔴 Became Reachable", - StateFlipType.BecameUnreachable => "🟢 Became Unreachable", - StateFlipType.TierIncreased => "🟡 Tier ↑", - StateFlipType.TierDecreased => "🟢 Tier ↓", - _ => "?" + StateFlipType.BecameReachable => "[+] Became Reachable", + StateFlipType.BecameUnreachable => "[-] Became Unreachable", + StateFlipType.TierIncreased => "[^] Tier Increased", + StateFlipType.TierDecreased => "[v] Tier Decreased", + _ => "[?]" }; var witnessLink = !string.IsNullOrEmpty(flip.WitnessId) ? $"[View](?witness={flip.WitnessId})" : "-"; - sb.AppendLine($"| {flip.CveId} | `{TruncatePurl(flip.Purl)}` | {changeIcon} | {flip.NewTier} | {witnessLink} |"); + sb.AppendLine($"| {flip.CveId} | `{TruncatePurl(flip.Purl)}` | {changeText} | {flip.NewTier} | {witnessLink} |"); } if (summary.Flips.Count > 20) @@ -454,7 +532,15 @@ public sealed class PrAnnotationService : IPrAnnotationService { var annotations = new List(); - foreach (var flip in flips.Where(f => !string.IsNullOrEmpty(f.FilePath) && f.LineNumber > 0)) + // Sprint: SPRINT_20260112_007_SCANNER_pr_mr_annotations (SCANNER-PR-002) + // Deterministic ordering and ASCII-only output + var orderedFlips = flips + .Where(f => !string.IsNullOrEmpty(f.FilePath) && f.LineNumber > 0) + .OrderByDescending(f => f.FlipType == StateFlipType.BecameReachable) + .ThenBy(f => f.FilePath, StringComparer.Ordinal) + .ThenBy(f => f.LineNumber); + + foreach (var flip in orderedFlips) { var level = flip.FlipType switch { @@ -465,17 +551,18 @@ public sealed class PrAnnotationService : IPrAnnotationService _ => AnnotationLevel.Notice }; + // ASCII-only titles (no emoji) var title = flip.FlipType switch { - StateFlipType.BecameReachable => $"🔴 {flip.CveId} is now reachable", - StateFlipType.BecameUnreachable => $"🟢 {flip.CveId} is no longer reachable", - StateFlipType.TierIncreased => $"🟡 {flip.CveId} reachability increased", - StateFlipType.TierDecreased => $"🟢 {flip.CveId} reachability decreased", + StateFlipType.BecameReachable => $"[+] {flip.CveId} is now reachable", + StateFlipType.BecameUnreachable => $"[-] {flip.CveId} is no longer reachable", + StateFlipType.TierIncreased => $"[^] {flip.CveId} reachability increased", + StateFlipType.TierDecreased => $"[v] {flip.CveId} reachability decreased", _ => flip.CveId }; var message = $"Package: {flip.Purl}\n" + - $"Confidence: {flip.PreviousTier ?? "N/A"} → {flip.NewTier}\n" + + $"Confidence: {flip.PreviousTier ?? "N/A"} -> {flip.NewTier}\n" + (flip.Entrypoint != null ? $"Entrypoint: {flip.Entrypoint}\n" : "") + (flip.WitnessId != null ? $"Witness: {flip.WitnessId}" : ""); diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs b/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs index a94dba19e..f6b5574bb 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs @@ -2,6 +2,38 @@ using System.Text.Json.Serialization; namespace StellaOps.Scanner.Reachability.Witnesses; +/// +/// Well-known predicate types for path witness attestations. +/// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-003) +/// +public static class WitnessPredicateTypes +{ + /// + /// Canonical path witness predicate type URI. + /// + public const string PathWitnessCanonical = "https://stella.ops/predicates/path-witness/v1"; + + /// + /// Alias 1: stella.ops format for backward compatibility. + /// + public const string PathWitnessAlias1 = "stella.ops/pathWitness@v1"; + + /// + /// Alias 2: HTTPS URL format variant. + /// + public const string PathWitnessAlias2 = "https://stella.ops/pathWitness/v1"; + + /// + /// Returns true if the predicate type is a recognized path witness type. + /// + public static bool IsPathWitnessType(string predicateType) + { + return predicateType == PathWitnessCanonical + || predicateType == PathWitnessAlias1 + || predicateType == PathWitnessAlias2; + } +} + /// /// A DSSE-signable path witness documenting the call path from entrypoint to vulnerable sink. /// Conforms to stellaops.witness.v1 schema. @@ -67,6 +99,34 @@ public sealed record PathWitness /// [JsonPropertyName("observed_at")] public required DateTimeOffset ObservedAt { get; init; } + + /// + /// Canonical path hash computed from node hashes along the path. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-003) + /// + [JsonPropertyName("path_hash")] + public string? PathHash { get; init; } + + /// + /// Top-K node hashes along the path (deterministically ordered). + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-003) + /// + [JsonPropertyName("node_hashes")] + public IReadOnlyList? NodeHashes { get; init; } + + /// + /// Evidence URIs for tracing back to source artifacts. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-003) + /// + [JsonPropertyName("evidence_uris")] + public IReadOnlyList? EvidenceUris { get; init; } + + /// + /// Canonical predicate type URI for this witness. + /// Default: https://stella.ops/predicates/path-witness/v1 + /// + [JsonPropertyName("predicate_type")] + public string PredicateType { get; init; } = WitnessPredicateTypes.PathWitnessCanonical; } /// diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitnessBuilder.cs b/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitnessBuilder.cs index 93d26550f..11104060d 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitnessBuilder.cs +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitnessBuilder.cs @@ -62,6 +62,13 @@ public sealed class PathWitnessBuilder : IPathWitnessBuilder var sinkNode = request.CallGraph.Nodes?.FirstOrDefault(n => n.SymbolId == request.SinkSymbolId); var sinkSymbol = sinkNode?.Display ?? sinkNode?.Symbol?.Demangled ?? request.SinkSymbolId; + // Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-003) + // Compute node hashes and path hash for deterministic joining with runtime evidence + var (nodeHashes, pathHash) = ComputePathHashes(request.ComponentPurl, path); + + // Build evidence URIs for traceability + var evidenceUris = BuildEvidenceUris(request); + // Build the witness var witness = new PathWitness { @@ -98,7 +105,12 @@ public sealed class PathWitnessBuilder : IPathWitnessBuilder AnalysisConfigDigest = request.AnalysisConfigDigest, BuildId = request.BuildId }, - ObservedAt = _timeProvider.GetUtcNow() + ObservedAt = _timeProvider.GetUtcNow(), + // PW-SCN-003: Add node hashes and path hash + NodeHashes = nodeHashes, + PathHash = pathHash, + EvidenceUris = evidenceUris, + PredicateType = WitnessPredicateTypes.PathWitnessCanonical }; // Compute witness ID from canonical content @@ -480,4 +492,108 @@ public sealed class PathWitnessBuilder : IPathWitnessBuilder return $"{WitnessSchema.WitnessIdPrefix}{hash}"; } + + /// + /// Computes node hashes and combined path hash for the witness path. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-003) + /// + /// Component PURL for hash computation. + /// Path steps from entrypoint to sink. + /// Tuple of (top-K node hashes, combined path hash). + private static (IReadOnlyList nodeHashes, string pathHash) ComputePathHashes( + string componentPurl, + IReadOnlyList path) + { + const int TopK = 10; // Return top-K node hashes + + // Compute node hash for each step in the path + var allNodeHashes = new List(); + foreach (var step in path) + { + // Use SymbolId as the FQN for hash computation + var nodeHash = ComputeNodeHash(componentPurl, step.SymbolId); + allNodeHashes.Add(nodeHash); + } + + // Deduplicate and sort for deterministic ordering + var uniqueHashes = allNodeHashes + .Distinct(StringComparer.Ordinal) + .Order(StringComparer.Ordinal) + .ToList(); + + // Select top-K hashes + var topKHashes = uniqueHashes.Take(TopK).ToList(); + + // Compute combined path hash from all node hashes + var pathHash = ComputeCombinedPathHash(allNodeHashes); + + return (topKHashes, pathHash); + } + + /// + /// Computes a canonical node hash from PURL and symbol FQN. + /// Uses SHA-256 for compatibility with NodeHashRecipe in StellaOps.Reachability.Core. + /// + private static string ComputeNodeHash(string purl, string symbolFqn) + { + // Normalize inputs + var normalizedPurl = purl?.Trim().ToLowerInvariant() ?? string.Empty; + var normalizedSymbol = symbolFqn?.Trim() ?? string.Empty; + + var input = $"{normalizedPurl}:{normalizedSymbol}"; + var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(input)); + + return "sha256:" + Convert.ToHexStringLower(hashBytes); + } + + /// + /// Computes a combined path hash from ordered node hashes. + /// + private static string ComputeCombinedPathHash(IReadOnlyList nodeHashes) + { + // Extract hex parts and concatenate in order + var hexParts = nodeHashes + .Select(h => h.StartsWith("sha256:", StringComparison.OrdinalIgnoreCase) ? h[7..] : h) + .ToList(); + + var combined = string.Join(":", hexParts); + var hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(combined)); + + return "path:sha256:" + Convert.ToHexStringLower(hashBytes); + } + + /// + /// Builds evidence URIs for traceability. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-003) + /// + private static IReadOnlyList BuildEvidenceUris(PathWitnessRequest request) + { + var uris = new List(); + + // Add callgraph evidence URI + if (!string.IsNullOrWhiteSpace(request.CallgraphDigest)) + { + uris.Add($"evidence:callgraph:{request.CallgraphDigest}"); + } + + // Add SBOM evidence URI + if (!string.IsNullOrWhiteSpace(request.SbomDigest)) + { + uris.Add($"evidence:sbom:{request.SbomDigest}"); + } + + // Add surface evidence URI + if (!string.IsNullOrWhiteSpace(request.SurfaceDigest)) + { + uris.Add($"evidence:surface:{request.SurfaceDigest}"); + } + + // Add build evidence URI + if (!string.IsNullOrWhiteSpace(request.BuildId)) + { + uris.Add($"evidence:build:{request.BuildId}"); + } + + return uris; + } } diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Sarif.Tests/SarifExportServiceTests.cs b/src/Scanner/__Libraries/StellaOps.Scanner.Sarif.Tests/SarifExportServiceTests.cs index 31a01956e..2b253b23e 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Sarif.Tests/SarifExportServiceTests.cs +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Sarif.Tests/SarifExportServiceTests.cs @@ -460,4 +460,114 @@ public class SarifExportServiceTests result.Properties.Should().ContainKey("github/alertCategory"); result.Properties!["github/alertCategory"].Should().Be("security"); } + + /// + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-004) + /// + [Fact] + public async Task ExportAsync_WithNodeHash_IncludesHashMetadata() + { + // Arrange + var findings = new[] + { + new FindingInput + { + Type = FindingType.Vulnerability, + Title = "Test Vulnerability", + VulnerabilityId = "CVE-2026-1234", + Severity = Severity.High, + NodeHash = "sha256:abc123def456", + PathHash = "path:sha256:789xyz", + PathNodeHashes = new[] { "sha256:node1", "sha256:node2", "sha256:node3" }, + Reachability = ReachabilityStatus.StaticReachable + } + }; + + var options = new SarifExportOptions + { + ToolVersion = "1.0.0", + IncludeReachability = true + }; + + // Act + var log = await _service.ExportAsync(findings, options, TestContext.Current.CancellationToken); + + // Assert + var result = log.Runs[0].Results[0]; + result.Properties.Should().ContainKey("stellaops/node/hash"); + result.Properties!["stellaops/node/hash"].Should().Be("sha256:abc123def456"); + result.Properties.Should().ContainKey("stellaops/path/hash"); + result.Properties!["stellaops/path/hash"].Should().Be("path:sha256:789xyz"); + result.Properties.Should().ContainKey("stellaops/path/nodeHashes"); + } + + /// + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-004) + /// + [Fact] + public async Task ExportAsync_WithFunctionSignature_IncludesFunctionMetadata() + { + // Arrange + var findings = new[] + { + new FindingInput + { + Type = FindingType.Vulnerability, + Title = "Test Vulnerability", + VulnerabilityId = "CVE-2026-5678", + Severity = Severity.Critical, + FunctionSignature = "void ProcessInput(string data)", + FunctionName = "ProcessInput", + FunctionNamespace = "MyApp.Controllers.UserController" + } + }; + + var options = new SarifExportOptions { ToolVersion = "1.0.0" }; + + // Act + var log = await _service.ExportAsync(findings, options, TestContext.Current.CancellationToken); + + // Assert + var result = log.Runs[0].Results[0]; + result.Properties.Should().ContainKey("stellaops/function/signature"); + result.Properties!["stellaops/function/signature"].Should().Be("void ProcessInput(string data)"); + result.Properties.Should().ContainKey("stellaops/function/name"); + result.Properties!["stellaops/function/name"].Should().Be("ProcessInput"); + result.Properties.Should().ContainKey("stellaops/function/namespace"); + result.Properties!["stellaops/function/namespace"].Should().Be("MyApp.Controllers.UserController"); + } + + /// + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-004) + /// + [Fact] + public async Task ExportAsync_NodeHashWithoutReachabilityFlag_ExcludesHashes() + { + // Arrange + var findings = new[] + { + new FindingInput + { + Type = FindingType.Vulnerability, + Title = "Test Vulnerability", + Severity = Severity.Medium, + NodeHash = "sha256:abc123def456", + PathHash = "path:sha256:789xyz" + } + }; + + var options = new SarifExportOptions + { + ToolVersion = "1.0.0", + IncludeReachability = false // Hashes should only appear with reachability enabled + }; + + // Act + var log = await _service.ExportAsync(findings, options, TestContext.Current.CancellationToken); + + // Assert + var result = log.Runs[0].Results[0]; + result.Properties.Should().NotContainKey("stellaops/node/hash"); + result.Properties.Should().NotContainKey("stellaops/path/hash"); + } } diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Sarif/FindingInput.cs b/src/Scanner/__Libraries/StellaOps.Scanner.Sarif/FindingInput.cs index d5d115b1c..bcaa80d90 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Sarif/FindingInput.cs +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Sarif/FindingInput.cs @@ -139,6 +139,42 @@ public sealed record FindingInput /// Gets custom properties to include. /// public IReadOnlyDictionary? Properties { get; init; } + + /// + /// Gets the canonical node hash for the finding location. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-004) + /// + public string? NodeHash { get; init; } + + /// + /// Gets the combined path hash if this finding has a reachability path. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-004) + /// + public string? PathHash { get; init; } + + /// + /// Gets the top-K node hashes along the reachability path. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-004) + /// + public IReadOnlyList? PathNodeHashes { get; init; } + + /// + /// Gets the function signature at the finding location. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-004) + /// + public string? FunctionSignature { get; init; } + + /// + /// Gets the fully qualified function name. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-004) + /// + public string? FunctionName { get; init; } + + /// + /// Gets the namespace or module of the function. + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-004) + /// + public string? FunctionNamespace { get; init; } } /// diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Sarif/SarifExportService.cs b/src/Scanner/__Libraries/StellaOps.Scanner.Sarif/SarifExportService.cs index 32a479ab3..374c034cd 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Sarif/SarifExportService.cs +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Sarif/SarifExportService.cs @@ -315,6 +315,43 @@ public sealed class SarifExportService : ISarifExportService props["stellaops/attestation"] = finding.AttestationDigests; } + // Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-004) + // Node hash and path hash for reachability evidence joining + if (options.IncludeReachability) + { + if (!string.IsNullOrEmpty(finding.NodeHash)) + { + props["stellaops/node/hash"] = finding.NodeHash; + } + + if (!string.IsNullOrEmpty(finding.PathHash)) + { + props["stellaops/path/hash"] = finding.PathHash; + } + + if (finding.PathNodeHashes?.Count > 0) + { + props["stellaops/path/nodeHashes"] = finding.PathNodeHashes; + } + } + + // Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-004) + // Function signature metadata + if (!string.IsNullOrEmpty(finding.FunctionSignature)) + { + props["stellaops/function/signature"] = finding.FunctionSignature; + } + + if (!string.IsNullOrEmpty(finding.FunctionName)) + { + props["stellaops/function/name"] = finding.FunctionName; + } + + if (!string.IsNullOrEmpty(finding.FunctionNamespace)) + { + props["stellaops/function/namespace"] = finding.FunctionNamespace; + } + // Category if (!string.IsNullOrEmpty(options.Category)) { diff --git a/src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Epss/EpssChangeEventDeterminismTests.cs b/src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Epss/EpssChangeEventDeterminismTests.cs new file mode 100644 index 000000000..028c73c4f --- /dev/null +++ b/src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Epss/EpssChangeEventDeterminismTests.cs @@ -0,0 +1,486 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later +// Copyright (c) 2025 StellaOps +// Sprint: SPRINT_20260112_005_SCANNER_epss_reanalysis_events (SCAN-EPSS-004) +// Task: Tests for EPSS event payload determinism and idempotency keys + +using StellaOps.Scanner.Core.Epss; +using Xunit; + +namespace StellaOps.Scanner.Core.Tests.Epss; + +/// +/// Tests for EPSS change event determinism and idempotency. +/// +[Trait("Category", "Unit")] +public class EpssChangeEventDeterminismTests +{ + private static readonly DateTimeOffset FixedTime = new(2026, 1, 14, 12, 0, 0, TimeSpan.Zero); + private static readonly DateOnly ModelDate = new(2026, 1, 14); + private static readonly DateOnly PreviousModelDate = new(2026, 1, 13); + + [Fact] + public void Create_SameInputs_ProducesSameEventId() + { + // Arrange + var tenant = "test-tenant"; + var cveId = "CVE-2024-1234"; + + var current = new EpssEvidence + { + Score = 0.75, + Percentile = 0.95, + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = cveId, + Source = "first.ai" + }; + + // Act + var event1 = EpssChangeEventFactory.Create( + tenant, cveId, null, current, FixedTime); + + var event2 = EpssChangeEventFactory.Create( + tenant, cveId, null, current, FixedTime); + + // Assert - same inputs must produce same event ID + Assert.Equal(event1.EventId, event2.EventId); + } + + [Fact] + public void Create_DifferentScore_ProducesDifferentEventId() + { + // Arrange + var tenant = "test-tenant"; + var cveId = "CVE-2024-1234"; + + var current1 = new EpssEvidence + { + Score = 0.75, + Percentile = 0.95, + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = cveId, + Source = "first.ai" + }; + + var current2 = new EpssEvidence + { + Score = 0.80, + Percentile = 0.95, + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = cveId, + Source = "first.ai" + }; + + // Act + var event1 = EpssChangeEventFactory.Create( + tenant, cveId, null, current1, FixedTime); + + var event2 = EpssChangeEventFactory.Create( + tenant, cveId, null, current2, FixedTime); + + // Assert - different scores must produce different event IDs + Assert.NotEqual(event1.EventId, event2.EventId); + } + + [Fact] + public void Create_DifferentModelDate_ProducesDifferentEventId() + { + // Arrange + var tenant = "test-tenant"; + var cveId = "CVE-2024-1234"; + + var current1 = new EpssEvidence + { + Score = 0.75, + Percentile = 0.95, + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = cveId, + Source = "first.ai" + }; + + var current2 = new EpssEvidence + { + Score = 0.75, + Percentile = 0.95, + ModelDate = PreviousModelDate, + CapturedAt = FixedTime, + CveId = cveId, + Source = "first.ai" + }; + + // Act + var event1 = EpssChangeEventFactory.Create( + tenant, cveId, null, current1, FixedTime); + + var event2 = EpssChangeEventFactory.Create( + tenant, cveId, null, current2, FixedTime); + + // Assert - different model dates must produce different event IDs + Assert.NotEqual(event1.EventId, event2.EventId); + } + + [Fact] + public void Create_DifferentCveId_ProducesDifferentEventId() + { + // Arrange + var tenant = "test-tenant"; + + var current = new EpssEvidence + { + Score = 0.75, + Percentile = 0.95, + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + // Act + var event1 = EpssChangeEventFactory.Create( + tenant, "CVE-2024-1234", null, current, FixedTime); + + var event2 = EpssChangeEventFactory.Create( + tenant, "CVE-2024-5678", null, current with { CveId = "CVE-2024-5678" }, FixedTime); + + // Assert - different CVE IDs must produce different event IDs + Assert.NotEqual(event1.EventId, event2.EventId); + } + + [Fact] + public void Create_EventIdFormat_IsCorrect() + { + // Arrange + var current = new EpssEvidence + { + Score = 0.75, + Percentile = 0.95, + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + // Act + var evt = EpssChangeEventFactory.Create( + "test-tenant", "CVE-2024-1234", null, current, FixedTime); + + // Assert - event ID should follow epss-evt-{16-char-hex} format + Assert.StartsWith("epss-evt-", evt.EventId); + Assert.Equal(25, evt.EventId.Length); // "epss-evt-" (9) + 16 hex chars + Assert.Matches("^epss-evt-[0-9a-f]{16}$", evt.EventId); + } + + [Fact] + public void Create_DifferentTimestamp_ProducesSameEventId() + { + // Arrange - timestamps should NOT affect event ID (idempotency) + var current = new EpssEvidence + { + Score = 0.75, + Percentile = 0.95, + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + // Act + var event1 = EpssChangeEventFactory.Create( + "test-tenant", "CVE-2024-1234", null, current, FixedTime); + + var event2 = EpssChangeEventFactory.Create( + "test-tenant", "CVE-2024-1234", null, current, FixedTime.AddHours(1)); + + // Assert - event ID should be idempotent based on CVE + model date + score + Assert.Equal(event1.EventId, event2.EventId); + } + + [Fact] + public void Create_ScoreExceedsThreshold_SetsExceedsThreshold() + { + // Arrange + var previous = new EpssEvidence + { + Score = 0.30, + Percentile = 0.70, + ModelDate = PreviousModelDate, + CapturedAt = FixedTime.AddDays(-1), + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + var current = new EpssEvidence + { + Score = 0.55, // Delta = 0.25 > 0.2 threshold + Percentile = 0.85, + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + // Act + var evt = EpssChangeEventFactory.Create( + "test-tenant", "CVE-2024-1234", previous, current, FixedTime); + + // Assert + Assert.True(evt.ExceedsThreshold); + Assert.Equal(0.2, evt.ThresholdExceeded); + Assert.Equal(EpssEventTypes.DeltaExceeded, evt.EventType); + } + + [Fact] + public void Create_ScoreBelowThreshold_DoesNotExceedThreshold() + { + // Arrange + var previous = new EpssEvidence + { + Score = 0.30, + Percentile = 0.70, + ModelDate = PreviousModelDate, + CapturedAt = FixedTime.AddDays(-1), + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + var current = new EpssEvidence + { + Score = 0.35, // Delta = 0.05 < 0.2 threshold + Percentile = 0.72, + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + // Act + var evt = EpssChangeEventFactory.Create( + "test-tenant", "CVE-2024-1234", previous, current, FixedTime); + + // Assert + Assert.False(evt.ExceedsThreshold); + Assert.Null(evt.ThresholdExceeded); + Assert.Equal(EpssEventTypes.Updated, evt.EventType); + } + + [Fact] + public void Create_NewCve_SetsCorrectEventType() + { + // Arrange + var current = new EpssEvidence + { + Score = 0.40, + Percentile = 0.80, + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + // Act - no previous means new CVE + var evt = EpssChangeEventFactory.Create( + "test-tenant", "CVE-2024-1234", null, current, FixedTime); + + // Assert + Assert.Equal(EpssEventTypes.NewCve, evt.EventType); + } + + [Fact] + public void Create_HighPriorityScore_ExceedsThreshold() + { + // Arrange - score above 0.7 threshold triggers regardless of delta + var previous = new EpssEvidence + { + Score = 0.65, + Percentile = 0.90, + ModelDate = PreviousModelDate, + CapturedAt = FixedTime.AddDays(-1), + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + var current = new EpssEvidence + { + Score = 0.72, // Delta = 0.07 < 0.2, but score > 0.7 + Percentile = 0.92, + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + // Act + var evt = EpssChangeEventFactory.Create( + "test-tenant", "CVE-2024-1234", previous, current, FixedTime); + + // Assert + Assert.True(evt.ExceedsThreshold); + } + + [Fact] + public void Create_BandChange_ExceedsThreshold() + { + // Arrange - band change triggers reanalysis + var previous = new EpssEvidence + { + Score = 0.45, + Percentile = 0.74, // medium band (< 0.75) + ModelDate = PreviousModelDate, + CapturedAt = FixedTime.AddDays(-1), + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + var current = new EpssEvidence + { + Score = 0.48, // Delta = 0.03 < 0.2 + Percentile = 0.76, // high band (>= 0.75) + ModelDate = ModelDate, + CapturedAt = FixedTime, + CveId = "CVE-2024-1234", + Source = "first.ai" + }; + + // Act + var evt = EpssChangeEventFactory.Create( + "test-tenant", "CVE-2024-1234", previous, current, FixedTime); + + // Assert + Assert.True(evt.BandChanged); + Assert.True(evt.ExceedsThreshold); + Assert.Equal("low", evt.PreviousBand); + Assert.Equal("medium", evt.NewBand); + } + + [Fact] + public void CreateBatch_ProducesDeterministicBatchId() + { + // Arrange + var changes = CreateTestChanges(); + + // Act + var batch1 = EpssChangeEventFactory.CreateBatch( + "test-tenant", ModelDate, changes, FixedTime); + + var batch2 = EpssChangeEventFactory.CreateBatch( + "test-tenant", ModelDate, changes, FixedTime); + + // Assert - same inputs produce same batch ID + Assert.Equal(batch1.BatchId, batch2.BatchId); + } + + [Fact] + public void CreateBatch_DifferentTenant_ProducesDifferentBatchId() + { + // Arrange + var changes = CreateTestChanges(); + + // Act + var batch1 = EpssChangeEventFactory.CreateBatch( + "tenant-a", ModelDate, changes, FixedTime); + + var batch2 = EpssChangeEventFactory.CreateBatch( + "tenant-b", ModelDate, changes, FixedTime); + + // Assert + Assert.NotEqual(batch1.BatchId, batch2.BatchId); + } + + [Fact] + public void CreateBatch_OnlyIncludesThresholdChanges() + { + // Arrange - mix of threshold and non-threshold changes + var allChanges = new[] + { + CreateChangeEvent("CVE-2024-0001", exceedsThreshold: true), + CreateChangeEvent("CVE-2024-0002", exceedsThreshold: false), + CreateChangeEvent("CVE-2024-0003", exceedsThreshold: true), + CreateChangeEvent("CVE-2024-0004", exceedsThreshold: false), + }; + + // Act + var batch = EpssChangeEventFactory.CreateBatch( + "test-tenant", ModelDate, allChanges, FixedTime); + + // Assert + Assert.Equal(4, batch.TotalProcessed); + Assert.Equal(2, batch.ChangesExceedingThreshold); + Assert.Equal(2, batch.Changes.Length); + Assert.All(batch.Changes, c => Assert.True(c.ExceedsThreshold)); + } + + [Fact] + public void CreateBatch_ChangesOrderedByCveId() + { + // Arrange - unordered input + var allChanges = new[] + { + CreateChangeEvent("CVE-2024-0003", exceedsThreshold: true), + CreateChangeEvent("CVE-2024-0001", exceedsThreshold: true), + CreateChangeEvent("CVE-2024-0002", exceedsThreshold: true), + }; + + // Act + var batch = EpssChangeEventFactory.CreateBatch( + "test-tenant", ModelDate, allChanges, FixedTime); + + // Assert - changes should be ordered by CVE ID + Assert.Equal("CVE-2024-0001", batch.Changes[0].CveId); + Assert.Equal("CVE-2024-0002", batch.Changes[1].CveId); + Assert.Equal("CVE-2024-0003", batch.Changes[2].CveId); + } + + [Fact] + public void CreateBatch_BatchIdFormat_IsCorrect() + { + // Arrange + var changes = CreateTestChanges(); + + // Act + var batch = EpssChangeEventFactory.CreateBatch( + "test-tenant", ModelDate, changes, FixedTime); + + // Assert - batch ID should follow epss-batch-{16-char-hex} format + Assert.StartsWith("epss-batch-", batch.BatchId); + Assert.Matches("^epss-batch-[0-9a-f]{16}$", batch.BatchId); + } + + private static IEnumerable CreateTestChanges() + { + return new[] + { + CreateChangeEvent("CVE-2024-0001", exceedsThreshold: true), + CreateChangeEvent("CVE-2024-0002", exceedsThreshold: true), + }; + } + + private static EpssChangeEvent CreateChangeEvent(string cveId, bool exceedsThreshold) + { + return new EpssChangeEvent + { + EventId = $"epss-evt-{cveId.GetHashCode():x16}", + EventType = exceedsThreshold ? EpssEventTypes.DeltaExceeded : EpssEventTypes.Updated, + Tenant = "test-tenant", + CveId = cveId, + PreviousScore = 0.30, + NewScore = exceedsThreshold ? 0.55 : 0.32, + ScoreDelta = exceedsThreshold ? 0.25 : 0.02, + PreviousPercentile = 0.70, + NewPercentile = exceedsThreshold ? 0.85 : 0.71, + PercentileDelta = exceedsThreshold ? 0.15 : 0.01, + PreviousBand = "low", + NewBand = exceedsThreshold ? "medium" : "low", + BandChanged = exceedsThreshold, + ModelDate = ModelDate.ToString("yyyy-MM-dd", System.Globalization.CultureInfo.InvariantCulture), + PreviousModelDate = PreviousModelDate.ToString("yyyy-MM-dd", System.Globalization.CultureInfo.InvariantCulture), + ExceedsThreshold = exceedsThreshold, + ThresholdExceeded = exceedsThreshold ? 0.2 : null, + Source = "first.ai", + CreatedAtUtc = FixedTime, + TraceId = null + }; + } +} diff --git a/src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/PathWitnessBuilderTests.cs b/src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/PathWitnessBuilderTests.cs index 13fcfdf50..22bbe5448 100644 --- a/src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/PathWitnessBuilderTests.cs +++ b/src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/PathWitnessBuilderTests.cs @@ -542,5 +542,200 @@ public class PathWitnessBuilderTests Assert.Null(w.Path[1].File); } + /// + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-005) + /// Verify witness outputs include node hashes and path hash. + /// + [Trait("Category", TestCategories.Unit)] + [Fact] + public async Task BuildAsync_IncludesNodeHashesAndPathHash() + { + // Arrange + var graph = CreateSimpleGraph(); + var builder = new PathWitnessBuilder(_cryptoHash, _timeProvider); + + var request = new PathWitnessRequest + { + SbomDigest = "sha256:abc123", + ComponentPurl = "pkg:nuget/Newtonsoft.Json@12.0.3", + VulnId = "CVE-2024-12345", + VulnSource = "NVD", + AffectedRange = "<=12.0.3", + EntrypointSymbolId = "sym:entry1", + EntrypointKind = "http", + EntrypointName = "GET /api/test", + SinkSymbolId = "sym:sink1", + SinkType = "deserialization", + CallGraph = graph, + CallgraphDigest = "blake3:abc123" + }; + + // Act + var result = await builder.BuildAsync(request, TestCancellationToken); + + // Assert + Assert.NotNull(result); + Assert.NotNull(result.NodeHashes); + Assert.NotEmpty(result.NodeHashes); + Assert.All(result.NodeHashes, h => Assert.StartsWith("sha256:", h)); + Assert.NotNull(result.PathHash); + Assert.StartsWith("path:sha256:", result.PathHash); + } + + /// + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-005) + /// Verify witness outputs include evidence URIs. + /// + [Trait("Category", TestCategories.Unit)] + [Fact] + public async Task BuildAsync_IncludesEvidenceUris() + { + // Arrange + var graph = CreateSimpleGraph(); + var builder = new PathWitnessBuilder(_cryptoHash, _timeProvider); + + var request = new PathWitnessRequest + { + SbomDigest = "sha256:sbom123", + ComponentPurl = "pkg:nuget/Test@1.0.0", + VulnId = "CVE-2024-12345", + VulnSource = "NVD", + AffectedRange = "<=1.0.0", + EntrypointSymbolId = "sym:entry1", + EntrypointKind = "http", + EntrypointName = "GET /api/test", + SinkSymbolId = "sym:sink1", + SinkType = "deserialization", + CallGraph = graph, + CallgraphDigest = "blake3:graph456", + SurfaceDigest = "sha256:surface789", + BuildId = "build-001" + }; + + // Act + var result = await builder.BuildAsync(request, TestCancellationToken); + + // Assert + Assert.NotNull(result); + Assert.NotNull(result.EvidenceUris); + Assert.Contains(result.EvidenceUris, u => u.StartsWith("evidence:callgraph:")); + Assert.Contains(result.EvidenceUris, u => u.StartsWith("evidence:sbom:")); + Assert.Contains(result.EvidenceUris, u => u.StartsWith("evidence:surface:")); + Assert.Contains(result.EvidenceUris, u => u.StartsWith("evidence:build:")); + } + + /// + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-005) + /// Verify witness uses canonical predicate type. + /// + [Trait("Category", TestCategories.Unit)] + [Fact] + public async Task BuildAsync_UsesCanonicalPredicateType() + { + // Arrange + var graph = CreateSimpleGraph(); + var builder = new PathWitnessBuilder(_cryptoHash, _timeProvider); + + var request = new PathWitnessRequest + { + SbomDigest = "sha256:abc123", + ComponentPurl = "pkg:nuget/Test@1.0.0", + VulnId = "CVE-2024-12345", + VulnSource = "NVD", + AffectedRange = "<=1.0.0", + EntrypointSymbolId = "sym:entry1", + EntrypointKind = "http", + EntrypointName = "GET /api/test", + SinkSymbolId = "sym:sink1", + SinkType = "deserialization", + CallGraph = graph, + CallgraphDigest = "blake3:graph456" + }; + + // Act + var result = await builder.BuildAsync(request, TestCancellationToken); + + // Assert + Assert.NotNull(result); + Assert.Equal(WitnessPredicateTypes.PathWitnessCanonical, result.PredicateType); + } + + /// + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-005) + /// Verify DSSE payload determinism - same inputs produce same hashes. + /// + [Trait("Category", TestCategories.Unit)] + [Fact] + public async Task BuildAsync_ProducesDeterministicPathHash() + { + // Arrange + var graph = CreateSimpleGraph(); + var builder = new PathWitnessBuilder(_cryptoHash, _timeProvider); + + var request = new PathWitnessRequest + { + SbomDigest = "sha256:abc123", + ComponentPurl = "pkg:nuget/Test@1.0.0", + VulnId = "CVE-2024-12345", + VulnSource = "NVD", + AffectedRange = "<=1.0.0", + EntrypointSymbolId = "sym:entry1", + EntrypointKind = "http", + EntrypointName = "GET /api/test", + SinkSymbolId = "sym:sink1", + SinkType = "deserialization", + CallGraph = graph, + CallgraphDigest = "blake3:graph456" + }; + + // Act + var result1 = await builder.BuildAsync(request, TestCancellationToken); + var result2 = await builder.BuildAsync(request, TestCancellationToken); + + // Assert - same inputs should produce identical hashes + Assert.NotNull(result1); + Assert.NotNull(result2); + Assert.Equal(result1.PathHash, result2.PathHash); + Assert.Equal(result1.NodeHashes, result2.NodeHashes); + } + + /// + /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-005) + /// Verify node hashes are deterministically sorted. + /// + [Trait("Category", TestCategories.Unit)] + [Fact] + public async Task BuildAsync_NodeHashesAreSorted() + { + // Arrange + var graph = CreateSimpleGraph(); + var builder = new PathWitnessBuilder(_cryptoHash, _timeProvider); + + var request = new PathWitnessRequest + { + SbomDigest = "sha256:abc123", + ComponentPurl = "pkg:nuget/Test@1.0.0", + VulnId = "CVE-2024-12345", + VulnSource = "NVD", + AffectedRange = "<=1.0.0", + EntrypointSymbolId = "sym:entry1", + EntrypointKind = "http", + EntrypointName = "GET /api/test", + SinkSymbolId = "sym:sink1", + SinkType = "deserialization", + CallGraph = graph, + CallgraphDigest = "blake3:graph456" + }; + + // Act + var result = await builder.BuildAsync(request, TestCancellationToken); + + // Assert - node hashes should be in sorted order + Assert.NotNull(result); + Assert.NotNull(result.NodeHashes); + var sorted = result.NodeHashes.OrderBy(h => h, StringComparer.Ordinal).ToList(); + Assert.Equal(sorted, result.NodeHashes); + } + #endregion } diff --git a/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/EvidenceBundleExporterBinaryDiffTests.cs b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/EvidenceBundleExporterBinaryDiffTests.cs new file mode 100644 index 000000000..06326d1eb --- /dev/null +++ b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/EvidenceBundleExporterBinaryDiffTests.cs @@ -0,0 +1,234 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_009_SCANNER_binary_diff_bundle_export (BINDIFF-SCAN-004) +// + +using System.IO.Compression; +using System.Text.Json; +using Microsoft.Extensions.Time.Testing; +using StellaOps.Scanner.WebService.Contracts; +using StellaOps.Scanner.WebService.Services; +using StellaOps.TestKit; +using Xunit; + +namespace StellaOps.Scanner.WebService.Tests; + +/// +/// Tests for binary diff evidence export in EvidenceBundleExporter. +/// Sprint: SPRINT_20260112_009_SCANNER_binary_diff_bundle_export (BINDIFF-SCAN-004) +/// +[Trait("Category", TestCategories.Unit)] +public sealed class EvidenceBundleExporterBinaryDiffTests +{ + private static readonly DateTimeOffset FixedTime = new(2026, 1, 15, 10, 30, 0, TimeSpan.Zero); + private readonly EvidenceBundleExporter _exporter; + + public EvidenceBundleExporterBinaryDiffTests() + { + var timeProvider = new FakeTimeProvider(FixedTime); + _exporter = new EvidenceBundleExporter(timeProvider); + } + + [Fact] + public async Task ExportAsync_WithBinaryDiff_IncludesBinaryDiffJson() + { + // Arrange + var evidence = CreateEvidenceWithBinaryDiff(); + + // Act + var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip); + + // Assert + using var archive = new ZipArchive(result.Stream, ZipArchiveMode.Read); + var binaryDiffEntry = archive.Entries.FirstOrDefault(e => e.Name == "binary-diff.json"); + Assert.NotNull(binaryDiffEntry); + + using var reader = new StreamReader(binaryDiffEntry.Open()); + var content = await reader.ReadToEndAsync(); + Assert.Contains("semantic", content.ToLowerInvariant()); + } + + [Fact] + public async Task ExportAsync_WithBinaryDiffAttestation_IncludesDsseJson() + { + // Arrange + var evidence = CreateEvidenceWithBinaryDiffAndAttestation(); + + // Act + var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip); + + // Assert + using var archive = new ZipArchive(result.Stream, ZipArchiveMode.Read); + var dsseEntry = archive.Entries.FirstOrDefault(e => e.Name == "binary-diff.dsse.json"); + Assert.NotNull(dsseEntry); + + using var reader = new StreamReader(dsseEntry.Open()); + var content = await reader.ReadToEndAsync(); + Assert.Contains("payloadType", content); + Assert.Contains("attestationRef", content); + } + + [Fact] + public async Task ExportAsync_WithSemanticDiff_IncludesDeltaProofJson() + { + // Arrange + var evidence = CreateEvidenceWithSemanticDiff(); + + // Act + var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip); + + // Assert + using var archive = new ZipArchive(result.Stream, ZipArchiveMode.Read); + var deltaProofEntry = archive.Entries.FirstOrDefault(e => e.Name == "delta-proof.json"); + Assert.NotNull(deltaProofEntry); + + using var reader = new StreamReader(deltaProofEntry.Open()); + var content = await reader.ReadToEndAsync(); + Assert.Contains("previousFingerprint", content); + Assert.Contains("currentFingerprint", content); + Assert.Contains("similarityScore", content); + } + + [Fact] + public async Task ExportAsync_WithoutBinaryDiff_DoesNotIncludeBinaryDiffFiles() + { + // Arrange + var evidence = CreateMinimalEvidence(); + + // Act + var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip); + + // Assert + using var archive = new ZipArchive(result.Stream, ZipArchiveMode.Read); + Assert.DoesNotContain(archive.Entries, e => e.Name == "binary-diff.json"); + Assert.DoesNotContain(archive.Entries, e => e.Name == "binary-diff.dsse.json"); + Assert.DoesNotContain(archive.Entries, e => e.Name == "delta-proof.json"); + } + + [Fact] + public async Task ExportAsync_BinaryDiffFilesInManifest() + { + // Arrange + var evidence = CreateEvidenceWithBinaryDiffAndAttestation(); + + // Act + var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip); + + // Assert + Assert.NotNull(result.Manifest); + var filePaths = result.Manifest.Files.Select(f => f.Path).ToList(); + Assert.Contains("binary-diff.json", filePaths); + Assert.Contains("binary-diff.dsse.json", filePaths); + } + + [Fact] + public async Task ExportAsync_BinaryDiffFileHashes_AreDeterministic() + { + // Arrange + var evidence = CreateEvidenceWithBinaryDiff(); + + // Act + var result1 = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip); + var result2 = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip); + + // Assert - Same input should produce same file hashes + var hash1 = result1.Manifest!.Files.First(f => f.Path == "binary-diff.json").Sha256; + var hash2 = result2.Manifest!.Files.First(f => f.Path == "binary-diff.json").Sha256; + Assert.Equal(hash1, hash2); + } + + [Fact] + public async Task ExportAsync_BinaryDiffOrdering_IsDeterministic() + { + // Arrange + var evidence = CreateEvidenceWithBinaryDiffAndAttestation(); + + // Act + var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip); + + // Assert - Files should appear in consistent order + using var archive = new ZipArchive(result.Stream, ZipArchiveMode.Read); + var fileNames = archive.Entries.Select(e => e.Name).ToList(); + + // binary-diff.json should appear before binary-diff.dsse.json + var binaryDiffIndex = fileNames.IndexOf("binary-diff.json"); + var dsseIndex = fileNames.IndexOf("binary-diff.dsse.json"); + Assert.True(binaryDiffIndex < dsseIndex, + "binary-diff.json should appear before binary-diff.dsse.json for deterministic ordering"); + } + + [Fact] + public async Task ExportAsync_TarGzFormat_IncludesBinaryDiffFiles() + { + // Arrange + var evidence = CreateEvidenceWithBinaryDiff(); + + // Act + var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.TarGz); + + // Assert + Assert.Equal("application/gzip", result.ContentType); + Assert.EndsWith(".tar.gz", result.FileName); + Assert.NotNull(result.Manifest); + Assert.Contains(result.Manifest.Files, f => f.Path == "binary-diff.json"); + } + + private static UnifiedEvidenceResponseDto CreateMinimalEvidence() + { + return new UnifiedEvidenceResponseDto + { + FindingId = "finding-001", + CveId = "CVE-2026-1234", + ComponentPurl = "pkg:npm/lodash@4.17.21", + CacheKey = "cache-key-001", + Manifests = new ManifestsDto + { + ArtifactDigest = "sha256:abc123", + ManifestHash = "sha256:manifest", + FeedSnapshotHash = "sha256:feed", + PolicyHash = "sha256:policy" + } + }; + } + + private static UnifiedEvidenceResponseDto CreateEvidenceWithBinaryDiff() + { + var evidence = CreateMinimalEvidence(); + evidence.BinaryDiff = new BinaryDiffEvidenceDto + { + Status = "available", + DiffType = "semantic", + PreviousBinaryDigest = "sha256:old123", + CurrentBinaryDigest = "sha256:new456", + SimilarityScore = 0.95, + FunctionChangeCount = 3, + SecurityChangeCount = 1 + }; + return evidence; + } + + private static UnifiedEvidenceResponseDto CreateEvidenceWithBinaryDiffAndAttestation() + { + var evidence = CreateEvidenceWithBinaryDiff(); + evidence.BinaryDiff!.AttestationRef = new AttestationRefDto + { + Id = "attest-12345", + RekorLogIndex = 123456789, + BundleDigest = "sha256:bundle123" + }; + return evidence; + } + + private static UnifiedEvidenceResponseDto CreateEvidenceWithSemanticDiff() + { + var evidence = CreateEvidenceWithBinaryDiff(); + evidence.BinaryDiff!.SemanticDiff = new BinarySemanticDiffDto + { + PreviousFingerprint = "fp:abc123", + CurrentFingerprint = "fp:def456", + SimilarityScore = 0.92, + SemanticChanges = new List { "control_flow_modified", "data_flow_changed" } + }; + return evidence; + } +} diff --git a/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/PrAnnotationServiceTests.cs b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/PrAnnotationServiceTests.cs new file mode 100644 index 000000000..10f686f88 --- /dev/null +++ b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/PrAnnotationServiceTests.cs @@ -0,0 +1,274 @@ +// ----------------------------------------------------------------------------- +// PrAnnotationServiceTests.cs +// Sprint: SPRINT_20260112_007_SCANNER_pr_mr_annotations (SCANNER-PR-004) +// Description: Tests for PR annotation service with ASCII-only output and evidence anchors. +// ----------------------------------------------------------------------------- + +using Microsoft.Extensions.Time.Testing; +using StellaOps.Scanner.Reachability; +using StellaOps.Scanner.WebService.Services; + +namespace StellaOps.Scanner.WebService.Tests; + +public sealed class PrAnnotationServiceTests +{ + private readonly FakeTimeProvider _timeProvider; + private readonly PrAnnotationService _service; + + public PrAnnotationServiceTests() + { + _timeProvider = new FakeTimeProvider(new DateTimeOffset(2026, 1, 15, 10, 0, 0, TimeSpan.Zero)); + _service = new PrAnnotationService( + new FakeReachabilityQueryService(), + _timeProvider); + } + + [Fact] + public void FormatAsComment_NoFlips_ReturnsAsciiOnlyOutput() + { + // Arrange + var summary = CreateSummary(newRiskCount: 0, mitigatedCount: 0, flips: []); + + // Act + var comment = _service.FormatAsComment(summary); + + // Assert + Assert.DoesNotContain("\u2705", comment); // No checkmark emoji + Assert.DoesNotContain("\u26d4", comment); // No stop sign emoji + Assert.DoesNotContain("\u26a0", comment); // No warning sign emoji + Assert.DoesNotContain("\u2192", comment); // No arrow + Assert.Contains("[OK]", comment); + Assert.Contains("NO CHANGE", comment); + } + + [Fact] + public void FormatAsComment_WithNewRisks_ReturnsBlockingStatus() + { + // Arrange + var flips = new List + { + new StateFlip + { + FlipType = StateFlipType.BecameReachable, + CveId = "CVE-2026-0001", + Purl = "pkg:npm/lodash@4.17.21", + NewTier = "confirmed", + WitnessId = "witness-123" + } + }; + var summary = CreateSummary(newRiskCount: 1, mitigatedCount: 0, flips: flips, shouldBlock: true); + + // Act + var comment = _service.FormatAsComment(summary); + + // Assert + Assert.Contains("[BLOCKING]", comment); + Assert.Contains("[+] Became Reachable", comment); + Assert.DoesNotContain("\ud83d\udd34", comment); // No red circle emoji + } + + [Fact] + public void FormatAsComment_WithMitigatedRisks_ReturnsImprovedStatus() + { + // Arrange + var flips = new List + { + new StateFlip + { + FlipType = StateFlipType.BecameUnreachable, + CveId = "CVE-2026-0002", + Purl = "pkg:npm/express@4.18.0", + PreviousTier = "likely", + NewTier = "unreachable" + } + }; + var summary = CreateSummary(newRiskCount: 0, mitigatedCount: 1, flips: flips); + + // Act + var comment = _service.FormatAsComment(summary); + + // Assert + Assert.Contains("[OK]", comment); + Assert.Contains("IMPROVED", comment); + Assert.Contains("[-] Became Unreachable", comment); + Assert.DoesNotContain("\ud83d\udfe2", comment); // No green circle emoji + } + + [Fact] + public void FormatAsComment_WithEvidenceAnchors_IncludesEvidenceSection() + { + // Arrange + var summary = CreateSummary( + newRiskCount: 0, + mitigatedCount: 0, + flips: [], + attestationDigest: "sha256:abc123def456", + policyVerdict: "PASS", + policyReasonCode: "NO_BLOCKERS", + verifyCommand: "stella scan verify --digest sha256:abc123def456"); + + // Act + var comment = _service.FormatAsComment(summary); + + // Assert + Assert.Contains("### Evidence", comment); + Assert.Contains("sha256:abc123def456", comment); + Assert.Contains("PASS", comment); + Assert.Contains("NO_BLOCKERS", comment); + Assert.Contains("stella scan verify", comment); + } + + [Fact] + public void FormatAsComment_DeterministicOrdering_SortsByFlipTypeThenCveId() + { + // Arrange + var flips = new List + { + new StateFlip { FlipType = StateFlipType.BecameUnreachable, CveId = "CVE-2026-0001", Purl = "pkg:a", NewTier = "unreachable" }, + new StateFlip { FlipType = StateFlipType.BecameReachable, CveId = "CVE-2026-0003", Purl = "pkg:b", NewTier = "confirmed" }, + new StateFlip { FlipType = StateFlipType.BecameReachable, CveId = "CVE-2026-0002", Purl = "pkg:c", NewTier = "likely" }, + }; + var summary = CreateSummary(newRiskCount: 2, mitigatedCount: 1, flips: flips); + + // Act + var comment = _service.FormatAsComment(summary); + + // Assert - BecameReachable should come first, then sorted by CVE ID + var cve0002Pos = comment.IndexOf("CVE-2026-0002"); + var cve0003Pos = comment.IndexOf("CVE-2026-0003"); + var cve0001Pos = comment.IndexOf("CVE-2026-0001"); + + // BecameReachable CVEs first (0002, 0003), then BecameUnreachable (0001) + Assert.True(cve0002Pos < cve0001Pos, "CVE-2026-0002 (reachable) should appear before CVE-2026-0001 (unreachable)"); + Assert.True(cve0003Pos < cve0001Pos, "CVE-2026-0003 (reachable) should appear before CVE-2026-0001 (unreachable)"); + // Within reachable, sorted by CVE ID + Assert.True(cve0002Pos < cve0003Pos, "CVE-2026-0002 should appear before CVE-2026-0003 (alphabetical)"); + } + + [Fact] + public void FormatAsComment_TierChanges_UsesAsciiIndicators() + { + // Arrange + var flips = new List + { + new StateFlip { FlipType = StateFlipType.TierIncreased, CveId = "CVE-2026-0001", Purl = "pkg:a", PreviousTier = "present", NewTier = "likely" }, + new StateFlip { FlipType = StateFlipType.TierDecreased, CveId = "CVE-2026-0002", Purl = "pkg:b", PreviousTier = "likely", NewTier = "present" }, + }; + var summary = CreateSummary(newRiskCount: 0, mitigatedCount: 0, flips: flips); + + // Act + var comment = _service.FormatAsComment(summary); + + // Assert + Assert.Contains("[^] Tier Increased", comment); + Assert.Contains("[v] Tier Decreased", comment); + Assert.DoesNotContain("\u2191", comment); // No up arrow + Assert.DoesNotContain("\u2193", comment); // No down arrow + } + + [Fact] + public void FormatAsComment_LimitedTo20Flips_ShowsMoreIndicator() + { + // Arrange + var flips = Enumerable.Range(1, 25) + .Select(i => new StateFlip + { + FlipType = StateFlipType.BecameReachable, + CveId = $"CVE-2026-{i:D4}", + Purl = $"pkg:test/package-{i}", + NewTier = "likely" + }) + .ToList(); + var summary = CreateSummary(newRiskCount: 25, mitigatedCount: 0, flips: flips); + + // Act + var comment = _service.FormatAsComment(summary); + + // Assert + Assert.Contains("... and 5 more flips", comment); + } + + [Fact] + public void FormatAsComment_TimestampIsIso8601() + { + // Arrange + var summary = CreateSummary(newRiskCount: 0, mitigatedCount: 0, flips: []); + + // Act + var comment = _service.FormatAsComment(summary); + + // Assert + Assert.Contains("2026-01-15T10:00:00", comment); + } + + [Fact] + public void FormatAsComment_NoNonAsciiCharacters() + { + // Arrange + var flips = new List + { + new StateFlip { FlipType = StateFlipType.BecameReachable, CveId = "CVE-2026-0001", Purl = "pkg:test", NewTier = "confirmed" }, + new StateFlip { FlipType = StateFlipType.BecameUnreachable, CveId = "CVE-2026-0002", Purl = "pkg:test2", NewTier = "unreachable" }, + new StateFlip { FlipType = StateFlipType.TierIncreased, CveId = "CVE-2026-0003", Purl = "pkg:test3", NewTier = "likely" }, + new StateFlip { FlipType = StateFlipType.TierDecreased, CveId = "CVE-2026-0004", Purl = "pkg:test4", NewTier = "present" }, + }; + var summary = CreateSummary( + newRiskCount: 1, + mitigatedCount: 1, + flips: flips, + shouldBlock: true, + attestationDigest: "sha256:test", + policyVerdict: "FAIL"); + + // Act + var comment = _service.FormatAsComment(summary); + + // Assert - Check all characters are ASCII (0-127) + foreach (var ch in comment) + { + Assert.True(ch <= 127, $"Non-ASCII character found: U+{(int)ch:X4} '{ch}'"); + } + } + + private static StateFlipSummary CreateSummary( + int newRiskCount, + int mitigatedCount, + IReadOnlyList flips, + bool shouldBlock = false, + string? attestationDigest = null, + string? policyVerdict = null, + string? policyReasonCode = null, + string? verifyCommand = null) + { + return new StateFlipSummary + { + BaseScanId = "base-scan-123", + HeadScanId = "head-scan-456", + HasFlips = flips.Count > 0, + NewRiskCount = newRiskCount, + MitigatedCount = mitigatedCount, + NetChange = newRiskCount - mitigatedCount, + ShouldBlockPr = shouldBlock, + Summary = $"Test summary: {newRiskCount} new, {mitigatedCount} mitigated", + Flips = flips, + AttestationDigest = attestationDigest, + PolicyVerdict = policyVerdict, + PolicyReasonCode = policyReasonCode, + VerifyCommand = verifyCommand + }; + } + + /// + /// Fake reachability query service for testing. + /// + private sealed class FakeReachabilityQueryService : IReachabilityQueryService + { + public Task> GetReachabilityStatesAsync( + string graphId, + CancellationToken cancellationToken = default) + { + return Task.FromResult>( + new Dictionary()); + } + } +} diff --git a/src/Signals/StellaOps.Signals/EvidenceWeightedScore/Normalizers/INormalizerAggregator.cs b/src/Signals/StellaOps.Signals/EvidenceWeightedScore/Normalizers/INormalizerAggregator.cs index 7458507ee..d694d881a 100644 --- a/src/Signals/StellaOps.Signals/EvidenceWeightedScore/Normalizers/INormalizerAggregator.cs +++ b/src/Signals/StellaOps.Signals/EvidenceWeightedScore/Normalizers/INormalizerAggregator.cs @@ -1,8 +1,46 @@ // SPDX-License-Identifier: AGPL-3.0-or-later // Copyright (c) 2025 StellaOps +using StellaOps.Signals.EvidenceWeightedScore; + namespace StellaOps.Signals.EvidenceWeightedScore.Normalizers; +/// +/// Anchor metadata for evidence attestation. +/// Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-002) +/// +public sealed record EvidenceAnchor +{ + /// Whether the evidence is anchored (has attestation). + public required bool Anchored { get; init; } + + /// DSSE envelope digest if anchored. + public string? EnvelopeDigest { get; init; } + + /// Predicate type of the attestation. + public string? PredicateType { get; init; } + + /// Rekor log index if transparency-anchored. + public long? RekorLogIndex { get; init; } + + /// Rekor entry ID if transparency-anchored. + public string? RekorEntryId { get; init; } + + /// Scope of the attestation (e.g., finding, package, image). + public string? Scope { get; init; } + + /// Verification status of the anchor. + public bool? Verified { get; init; } + + /// When the attestation was created. + public DateTimeOffset? AttestedAt { get; init; } + + /// + /// Creates an unanchored evidence anchor. + /// + public static EvidenceAnchor Unanchored => new() { Anchored = false }; +} + /// /// Aggregated evidence from all sources for a single finding. /// Used as input to the normalizer aggregator. @@ -31,6 +69,29 @@ public sealed record FindingEvidence /// Active mitigations evidence (maps to MitigationInput). public MitigationInput? Mitigations { get; init; } + // Sprint: SPRINT_20260112_004_BE_findings_scoring_attested_reduction (EWS-API-002) + + /// + /// Anchor metadata for the primary evidence source. + /// Populated when evidence has attestation/DSSE anchoring. + /// + public EvidenceAnchor? Anchor { get; init; } + + /// + /// Anchor metadata for reachability evidence. + /// + public EvidenceAnchor? ReachabilityAnchor { get; init; } + + /// + /// Anchor metadata for runtime evidence. + /// + public EvidenceAnchor? RuntimeAnchor { get; init; } + + /// + /// Anchor metadata for VEX/mitigation evidence. + /// + public EvidenceAnchor? VexAnchor { get; init; } + /// /// Creates FindingEvidence from an existing EvidenceWeightedScoreInput. /// Extracts the detailed input records if present. diff --git a/src/Signals/StellaOps.Signals/Services/IEventsPublisher.cs b/src/Signals/StellaOps.Signals/Services/IEventsPublisher.cs index 11e45147f..9f8a7809e 100644 --- a/src/Signals/StellaOps.Signals/Services/IEventsPublisher.cs +++ b/src/Signals/StellaOps.Signals/Services/IEventsPublisher.cs @@ -1,9 +1,16 @@ using System.Threading; using System.Threading.Tasks; +using StellaOps.Signals.Models; namespace StellaOps.Signals.Services; public interface IEventsPublisher { Task PublishFactUpdatedAsync(global::StellaOps.Signals.Models.ReachabilityFactDocument fact, CancellationToken cancellationToken); + + /// + /// Publishes a runtime.updated event when runtime observations change. + /// Sprint: SPRINT_20260112_008_SIGNALS_runtime_telemetry_events (SIG-RUN-002) + /// + Task PublishRuntimeUpdatedAsync(RuntimeUpdatedEvent runtimeEvent, CancellationToken cancellationToken); } diff --git a/src/Signals/StellaOps.Signals/Services/InMemoryEventsPublisher.cs b/src/Signals/StellaOps.Signals/Services/InMemoryEventsPublisher.cs index 97374d340..ccd18c907 100644 --- a/src/Signals/StellaOps.Signals/Services/InMemoryEventsPublisher.cs +++ b/src/Signals/StellaOps.Signals/Services/InMemoryEventsPublisher.cs @@ -36,4 +36,14 @@ internal sealed class InMemoryEventsPublisher : IEventsPublisher logger.LogInformation(json); return Task.CompletedTask; } + + /// + public Task PublishRuntimeUpdatedAsync(RuntimeUpdatedEvent runtimeEvent, CancellationToken cancellationToken) + { + ArgumentNullException.ThrowIfNull(runtimeEvent); + + var json = JsonSerializer.Serialize(runtimeEvent, SerializerOptions); + logger.LogInformation("RuntimeUpdated: {Json}", json); + return Task.CompletedTask; + } } diff --git a/src/Signals/StellaOps.Signals/Services/MessagingEventsPublisher.cs b/src/Signals/StellaOps.Signals/Services/MessagingEventsPublisher.cs index 0a1bc62e0..f4e85feb2 100644 --- a/src/Signals/StellaOps.Signals/Services/MessagingEventsPublisher.cs +++ b/src/Signals/StellaOps.Signals/Services/MessagingEventsPublisher.cs @@ -146,4 +146,25 @@ internal sealed class MessagingEventsPublisher : IEventsPublisher _logger.LogWarning(ex, "Failed to publish reachability event to DLQ stream {Stream}.", _options.DeadLetterStream); } } + + /// + public Task PublishRuntimeUpdatedAsync(RuntimeUpdatedEvent runtimeEvent, CancellationToken cancellationToken) + { + ArgumentNullException.ThrowIfNull(runtimeEvent); + cancellationToken.ThrowIfCancellationRequested(); + + if (!_options.Enabled) + { + return Task.CompletedTask; + } + + // For now, log the event. Full stream publishing will be added when runtime event stream is provisioned. + _logger.LogInformation( + "RuntimeUpdatedEvent: Subject={SubjectKey}, Type={UpdateType}, TriggerReanalysis={TriggerReanalysis}", + runtimeEvent.SubjectKey, + runtimeEvent.UpdateType, + runtimeEvent.TriggerReanalysis); + + return Task.CompletedTask; + } } diff --git a/src/Signals/StellaOps.Signals/Services/NullEventsPublisher.cs b/src/Signals/StellaOps.Signals/Services/NullEventsPublisher.cs index fdf1c5ff9..6e4a2c29c 100644 --- a/src/Signals/StellaOps.Signals/Services/NullEventsPublisher.cs +++ b/src/Signals/StellaOps.Signals/Services/NullEventsPublisher.cs @@ -2,9 +2,13 @@ using System.Threading; using System.Threading.Tasks; using StellaOps.Signals.Models; +using StellaOps.Signals.Models; + namespace StellaOps.Signals.Services; internal sealed class NullEventsPublisher : IEventsPublisher { public Task PublishFactUpdatedAsync(ReachabilityFactDocument fact, CancellationToken cancellationToken) => Task.CompletedTask; + + public Task PublishRuntimeUpdatedAsync(RuntimeUpdatedEvent runtimeEvent, CancellationToken cancellationToken) => Task.CompletedTask; } diff --git a/src/Signals/StellaOps.Signals/Services/RedisEventsPublisher.cs b/src/Signals/StellaOps.Signals/Services/RedisEventsPublisher.cs index cdf960686..d7ba8daf0 100644 --- a/src/Signals/StellaOps.Signals/Services/RedisEventsPublisher.cs +++ b/src/Signals/StellaOps.Signals/Services/RedisEventsPublisher.cs @@ -157,6 +157,53 @@ internal sealed class RedisEventsPublisher : IEventsPublisher, IAsyncDisposable } } + /// + public async Task PublishRuntimeUpdatedAsync(RuntimeUpdatedEvent runtimeEvent, CancellationToken cancellationToken) + { + ArgumentNullException.ThrowIfNull(runtimeEvent); + cancellationToken.ThrowIfCancellationRequested(); + + if (!options.Enabled) + { + return; + } + + var json = JsonSerializer.Serialize(runtimeEvent, SerializerOptions); + + try + { + var database = await GetDatabaseAsync(cancellationToken).ConfigureAwait(false); + + var entries = new[] + { + new NameValueEntry("event", json), + new NameValueEntry("event_id", runtimeEvent.EventId), + new NameValueEntry("event_type", RuntimeEventTypes.Updated), + new NameValueEntry("subject_key", runtimeEvent.SubjectKey), + new NameValueEntry("evidence_digest", runtimeEvent.EvidenceDigest), + new NameValueEntry("trigger_reanalysis", runtimeEvent.TriggerReanalysis.ToString(CultureInfo.InvariantCulture)) + }; + + var streamName = options.Stream + ":runtime"; + var publishTask = maxStreamLength.HasValue + ? database.StreamAddAsync(streamName, entries, maxLength: maxStreamLength, useApproximateMaxLength: true) + : database.StreamAddAsync(streamName, entries); + + if (publishTimeout > TimeSpan.Zero) + { + await publishTask.WaitAsync(publishTimeout, cancellationToken).ConfigureAwait(false); + } + else + { + await publishTask.ConfigureAwait(false); + } + } + catch (Exception ex) + { + logger.LogError(ex, "Failed to publish runtime.updated event to Redis stream."); + } + } + public async ValueTask DisposeAsync() { if (disposed) diff --git a/src/Signals/StellaOps.Signals/Services/RouterEventsPublisher.cs b/src/Signals/StellaOps.Signals/Services/RouterEventsPublisher.cs index 4984163ee..a3c4f80a7 100644 --- a/src/Signals/StellaOps.Signals/Services/RouterEventsPublisher.cs +++ b/src/Signals/StellaOps.Signals/Services/RouterEventsPublisher.cs @@ -94,6 +94,61 @@ internal sealed class RouterEventsPublisher : IEventsPublisher } } + /// + public async Task PublishRuntimeUpdatedAsync(RuntimeUpdatedEvent runtimeEvent, CancellationToken cancellationToken) + { + ArgumentNullException.ThrowIfNull(runtimeEvent); + cancellationToken.ThrowIfCancellationRequested(); + + var json = JsonSerializer.Serialize(runtimeEvent, SerializerOptions); + + try + { + using var request = new HttpRequestMessage(HttpMethod.Post, options.Events.Router.Path); + request.Content = new StringContent(json, Encoding.UTF8, "application/json"); + request.Headers.TryAddWithoutValidation("X-Signals-Topic", RuntimeEventTypes.Updated); + request.Headers.TryAddWithoutValidation("X-Signals-Tenant", runtimeEvent.Tenant); + request.Headers.TryAddWithoutValidation("X-Signals-Pipeline", options.Events.Pipeline); + + if (!string.IsNullOrWhiteSpace(options.Events.Router.ApiKey)) + { + request.Headers.TryAddWithoutValidation( + string.IsNullOrWhiteSpace(options.Events.Router.ApiKeyHeader) + ? "X-API-Key" + : options.Events.Router.ApiKeyHeader, + options.Events.Router.ApiKey); + } + + foreach (var header in options.Events.Router.Headers) + { + request.Headers.TryAddWithoutValidation(header.Key, header.Value); + } + + using var response = await httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false); + if (!response.IsSuccessStatusCode) + { + var body = response.Content is null + ? string.Empty + : await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false); + logger.LogError( + "Router publish failed for {Topic} with status {StatusCode}: {Body}", + RuntimeEventTypes.Updated, + (int)response.StatusCode, + Truncate(body, 256)); + } + else + { + logger.LogInformation( + "Router publish succeeded for runtime.updated ({StatusCode})", + (int)response.StatusCode); + } + } + catch (Exception ex) when (ex is not OperationCanceledException) + { + logger.LogError(ex, "Router publish failed for runtime.updated"); + } + } + private static string Truncate(string value, int maxLength) { if (string.IsNullOrEmpty(value) || value.Length <= maxLength) diff --git a/src/Signals/StellaOps.Signals/Services/RuntimeFactsIngestionService.cs b/src/Signals/StellaOps.Signals/Services/RuntimeFactsIngestionService.cs index 7653cf4f1..0b882de40 100644 --- a/src/Signals/StellaOps.Signals/Services/RuntimeFactsIngestionService.cs +++ b/src/Signals/StellaOps.Signals/Services/RuntimeFactsIngestionService.cs @@ -94,6 +94,15 @@ public sealed class RuntimeFactsIngestionService : IRuntimeFactsIngestionService await cache.SetAsync(persisted, cancellationToken).ConfigureAwait(false); await eventsPublisher.PublishFactUpdatedAsync(persisted, cancellationToken).ConfigureAwait(false); + // Sprint: SPRINT_20260112_008_SIGNALS_runtime_telemetry_events (SIG-RUN-002) + // Emit runtime.updated event for policy reanalysis + await EmitRuntimeUpdatedEventAsync( + persisted, + existing, + aggregated, + request, + cancellationToken).ConfigureAwait(false); + await RecomputeReachabilityAsync(persisted, aggregated, request, cancellationToken).ConfigureAwait(false); logger.LogInformation( @@ -636,4 +645,119 @@ public sealed class RuntimeFactsIngestionService : IRuntimeFactsIngestionService return hash.ToHashCode(); } } + + /// + /// Emits a runtime.updated event when runtime observations change. + /// Sprint: SPRINT_20260112_008_SIGNALS_runtime_telemetry_events (SIG-RUN-002) + /// + private async Task EmitRuntimeUpdatedEventAsync( + ReachabilityFactDocument persisted, + ReachabilityFactDocument? existing, + IReadOnlyList aggregated, + RuntimeFactsIngestRequest request, + CancellationToken cancellationToken) + { + // Determine update type based on existing state + var updateType = DetermineUpdateType(existing, aggregated); + + // Extract node hashes from runtime facts + var observedNodeHashes = aggregated + .Where(f => !string.IsNullOrWhiteSpace(f.SymbolDigest)) + .Select(f => f.SymbolDigest!) + .Distinct(StringComparer.Ordinal) + .OrderBy(h => h, StringComparer.Ordinal) + .ToList(); + + // Compute evidence digest from the persisted document + var evidenceDigest = ComputeEvidenceDigest(persisted); + + // Determine previous and new state + var previousState = existing?.RuntimeFacts?.Any() == true ? "observed" : null; + var newState = "observed"; + + // Extract tenant from metadata + var tenant = request.Metadata?.TryGetValue("tenant_id", out var t) == true ? t ?? "default" : "default"; + + // Compute confidence based on hit counts + var totalHits = aggregated.Sum(f => f.HitCount); + var confidence = Math.Min(1.0, 0.5 + (totalHits * 0.01)); // Base 0.5, +0.01 per hit, max 1.0 + + var runtimeEvent = RuntimeUpdatedEventFactory.Create( + tenant: tenant, + subjectKey: persisted.SubjectKey, + evidenceDigest: evidenceDigest, + updateType: updateType, + newState: newState, + confidence: confidence, + fromRuntime: true, + occurredAtUtc: timeProvider.GetUtcNow(), + cveId: request.Subject.CveId, + purl: request.Subject.Purl, + callgraphId: request.CallgraphId, + previousState: previousState, + runtimeMethod: request.Metadata?.TryGetValue("source", out var src) == true ? src : "ebpf", + observedNodeHashes: observedNodeHashes, + pathHash: null, + traceId: request.Metadata?.TryGetValue("trace_id", out var traceId) == true ? traceId : null); + + await eventsPublisher.PublishRuntimeUpdatedAsync(runtimeEvent, cancellationToken).ConfigureAwait(false); + + if (runtimeEvent.TriggerReanalysis) + { + logger.LogInformation( + "Emitted runtime.updated event for {SubjectKey} with reanalysis trigger: {Reason}", + persisted.SubjectKey, + runtimeEvent.ReanalysisReason); + } + } + + private static RuntimeUpdateType DetermineUpdateType( + ReachabilityFactDocument? existing, + IReadOnlyList newFacts) + { + if (existing?.RuntimeFacts is null || existing.RuntimeFacts.Count == 0) + { + return RuntimeUpdateType.NewObservation; + } + + var existingSymbols = existing.RuntimeFacts + .Select(f => f.SymbolId) + .ToHashSet(StringComparer.Ordinal); + + var newSymbols = newFacts + .Select(f => f.SymbolId) + .Where(s => !existingSymbols.Contains(s)) + .ToList(); + + if (newSymbols.Count > 0) + { + return RuntimeUpdateType.NewCallPath; + } + + // Check for confidence increase (more hits) + var existingTotalHits = existing.RuntimeFacts.Sum(f => f.HitCount); + var newTotalHits = newFacts.Sum(f => f.HitCount); + + if (newTotalHits > existingTotalHits) + { + return RuntimeUpdateType.ConfidenceIncrease; + } + + return RuntimeUpdateType.StateChange; + } + + private static string ComputeEvidenceDigest(ReachabilityFactDocument document) + { + // Create a deterministic digest from key fields + var content = string.Join("|", + document.SubjectKey ?? string.Empty, + document.CallgraphId ?? string.Empty, + document.RuntimeFacts?.Count.ToString(CultureInfo.InvariantCulture) ?? "0", + document.RuntimeFacts?.Sum(f => f.HitCount).ToString(CultureInfo.InvariantCulture) ?? "0", + document.ComputedAt.ToString("O", CultureInfo.InvariantCulture)); + + using var sha256 = System.Security.Cryptography.SHA256.Create(); + var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(content)); + return "sha256:" + Convert.ToHexStringLower(hash); + } } diff --git a/src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/RuntimeNodeHashTests.cs b/src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/RuntimeNodeHashTests.cs new file mode 100644 index 000000000..422a38281 --- /dev/null +++ b/src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/RuntimeNodeHashTests.cs @@ -0,0 +1,286 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_005_SIGNALS_runtime_nodehash (PW-SIG-003) +// + +namespace StellaOps.Signals.Ebpf.Tests; + +using StellaOps.Signals.Ebpf.Schema; +using Xunit; + +/// +/// Tests for node hash emission and callstack hash determinism. +/// Sprint: SPRINT_20260112_005_SIGNALS_runtime_nodehash (PW-SIG-003) +/// +[Trait("Category", "Unit")] +public sealed class RuntimeNodeHashTests +{ + [Fact] + public void RuntimeCallEvent_NodeHashFields_HaveCorrectDefaults() + { + // Arrange & Act + var evt = new RuntimeCallEvent + { + EventId = Guid.NewGuid(), + ContainerId = "container-123", + Pid = 1234, + Tid = 5678, + TimestampNs = 1000000000, + Symbol = "vulnerable_func", + }; + + // Assert - New fields should be null by default + Assert.Null(evt.FunctionSignature); + Assert.Null(evt.BinaryDigest); + Assert.Null(evt.BinaryOffset); + Assert.Null(evt.NodeHash); + Assert.Null(evt.CallstackHash); + } + + [Fact] + public void RuntimeCallEvent_WithNodeHashFields_PreservesValues() + { + // Arrange & Act + var evt = new RuntimeCallEvent + { + EventId = Guid.NewGuid(), + ContainerId = "container-123", + Pid = 1234, + Tid = 5678, + TimestampNs = 1000000000, + Symbol = "vulnerable_func", + Purl = "pkg:npm/lodash@4.17.21", + FunctionSignature = "lodash.merge(object, ...sources)", + BinaryDigest = "sha256:abc123def456", + BinaryOffset = 0x1234, + NodeHash = "sha256:nodehash123", + CallstackHash = "sha256:callstackhash456" + }; + + // Assert + Assert.Equal("lodash.merge(object, ...sources)", evt.FunctionSignature); + Assert.Equal("sha256:abc123def456", evt.BinaryDigest); + Assert.Equal((ulong)0x1234, evt.BinaryOffset); + Assert.Equal("sha256:nodehash123", evt.NodeHash); + Assert.Equal("sha256:callstackhash456", evt.CallstackHash); + } + + [Fact] + public void ObservedCallPath_NodeHashFields_HaveCorrectDefaults() + { + // Arrange & Act + var path = new ObservedCallPath + { + Symbols = ["main", "processRequest", "vulnerable_func"], + ObservationCount = 100, + Purl = "pkg:npm/lodash@4.17.21", + }; + + // Assert - New fields should be null/empty by default + Assert.Null(path.NodeHashes); + Assert.Null(path.PathHash); + Assert.Null(path.CallstackHash); + Assert.Null(path.FunctionSignatures); + Assert.Null(path.BinaryDigests); + Assert.Null(path.BinaryOffsets); + } + + [Fact] + public void ObservedCallPath_WithNodeHashes_PreservesValues() + { + // Arrange + var nodeHashes = new List { "sha256:hash1", "sha256:hash2", "sha256:hash3" }; + var functionSignatures = new List { "main()", "process(req)", "vuln(data)" }; + var binaryDigests = new List { "sha256:bin1", "sha256:bin2", "sha256:bin3" }; + var binaryOffsets = new List { 0x1000, 0x2000, 0x3000 }; + + // Act + var path = new ObservedCallPath + { + Symbols = ["main", "process", "vuln"], + ObservationCount = 50, + Purl = "pkg:golang/example.com/pkg@1.0.0", + NodeHashes = nodeHashes, + PathHash = "sha256:pathhash123", + CallstackHash = "sha256:callstackhash456", + FunctionSignatures = functionSignatures, + BinaryDigests = binaryDigests, + BinaryOffsets = binaryOffsets + }; + + // Assert + Assert.Equal(3, path.NodeHashes!.Count); + Assert.Equal("sha256:hash1", path.NodeHashes[0]); + Assert.Equal("sha256:pathhash123", path.PathHash); + Assert.Equal("sha256:callstackhash456", path.CallstackHash); + Assert.Equal(3, path.FunctionSignatures!.Count); + Assert.Equal(3, path.BinaryDigests!.Count); + Assert.Equal(3, path.BinaryOffsets!.Count); + } + + [Fact] + public void RuntimeSignalSummary_NodeHashFields_HaveCorrectDefaults() + { + // Arrange & Act + var summary = new RuntimeSignalSummary + { + ContainerId = "container-456", + StartedAt = DateTimeOffset.UtcNow.AddMinutes(-5), + StoppedAt = DateTimeOffset.UtcNow, + TotalEvents = 1000, + }; + + // Assert + Assert.Null(summary.ObservedNodeHashes); + Assert.Null(summary.ObservedPathHashes); + Assert.Null(summary.CombinedPathHash); + } + + [Fact] + public void RuntimeSignalSummary_WithNodeHashes_PreservesValues() + { + // Arrange + var observedNodeHashes = new List { "sha256:node1", "sha256:node2" }; + var observedPathHashes = new List { "sha256:path1", "sha256:path2" }; + + // Act + var summary = new RuntimeSignalSummary + { + ContainerId = "container-456", + StartedAt = DateTimeOffset.UtcNow.AddMinutes(-5), + StoppedAt = DateTimeOffset.UtcNow, + TotalEvents = 1000, + ObservedNodeHashes = observedNodeHashes, + ObservedPathHashes = observedPathHashes, + CombinedPathHash = "sha256:combinedhash" + }; + + // Assert + Assert.Equal(2, summary.ObservedNodeHashes!.Count); + Assert.Equal(2, summary.ObservedPathHashes!.Count); + Assert.Equal("sha256:combinedhash", summary.CombinedPathHash); + } + + [Fact] + public void NodeHashes_AreDeterministicallySorted() + { + // Arrange - Create hashes in unsorted order + var unsortedHashes = new List + { + "sha256:zzz", + "sha256:aaa", + "sha256:mmm" + }; + + // Act - Sort for determinism + var sortedHashes = unsortedHashes.Order().ToList(); + + // Assert - Should be sorted alphabetically + Assert.Equal("sha256:aaa", sortedHashes[0]); + Assert.Equal("sha256:mmm", sortedHashes[1]); + Assert.Equal("sha256:zzz", sortedHashes[2]); + } + + [Fact] + public void CallstackHash_DeterminismTest() + { + // Arrange - Same symbols should produce same path + var path1 = new ObservedCallPath + { + Symbols = ["main", "process", "vulnerable_func"], + Purl = "pkg:npm/lodash@4.17.21" + }; + + var path2 = new ObservedCallPath + { + Symbols = ["main", "process", "vulnerable_func"], + Purl = "pkg:npm/lodash@4.17.21" + }; + + // Assert - Both paths have identical structure + Assert.Equal(path1.Symbols.Count, path2.Symbols.Count); + for (int i = 0; i < path1.Symbols.Count; i++) + { + Assert.Equal(path1.Symbols[i], path2.Symbols[i]); + } + Assert.Equal(path1.Purl, path2.Purl); + } + + [Fact] + public void NodeHash_MissingPurl_HandledGracefully() + { + // Arrange & Act + var evt = new RuntimeCallEvent + { + EventId = Guid.NewGuid(), + ContainerId = "container-123", + Pid = 1234, + Tid = 5678, + TimestampNs = 1000000000, + Symbol = "unknown_func", + Purl = null, // Missing PURL + FunctionSignature = "unknown_func()", + }; + + // Assert - Should not throw, node hash will be null + Assert.Null(evt.Purl); + Assert.NotNull(evt.FunctionSignature); + } + + [Fact] + public void NodeHash_MissingSymbol_HandledGracefully() + { + // Arrange & Act + var evt = new RuntimeCallEvent + { + EventId = Guid.NewGuid(), + ContainerId = "container-123", + Pid = 1234, + Tid = 5678, + TimestampNs = 1000000000, + Symbol = null, // Missing symbol + Purl = "pkg:npm/lodash@4.17.21", + }; + + // Assert - Should not throw + Assert.Null(evt.Symbol); + Assert.NotNull(evt.Purl); + } + + [Fact] + public void RuntimeType_AllValuesSupported() + { + // Arrange & Act - Test all runtime types + var runtimeTypes = Enum.GetValues(); + + // Assert + Assert.Contains(RuntimeType.Unknown, runtimeTypes); + Assert.Contains(RuntimeType.Native, runtimeTypes); + Assert.Contains(RuntimeType.Jvm, runtimeTypes); + Assert.Contains(RuntimeType.Node, runtimeTypes); + Assert.Contains(RuntimeType.Python, runtimeTypes); + Assert.Contains(RuntimeType.DotNet, runtimeTypes); + Assert.Contains(RuntimeType.Go, runtimeTypes); + Assert.Contains(RuntimeType.Ruby, runtimeTypes); + } + + [Fact] + public void PathHash_DifferentSymbolOrder_DifferentHash() + { + // Arrange - Same symbols but different order + var path1 = new ObservedCallPath + { + Symbols = ["main", "process", "vulnerable_func"], + PathHash = "sha256:path1hash" + }; + + var path2 = new ObservedCallPath + { + Symbols = ["vulnerable_func", "process", "main"], + PathHash = "sha256:path2hash" + }; + + // Assert - Different order should produce different hash + Assert.NotEqual(path1.PathHash, path2.PathHash); + } +} diff --git a/src/Signals/__Tests/StellaOps.Signals.Tests/RuntimeUpdatedEventTests.cs b/src/Signals/__Tests/StellaOps.Signals.Tests/RuntimeUpdatedEventTests.cs new file mode 100644 index 000000000..7bcbc97a7 --- /dev/null +++ b/src/Signals/__Tests/StellaOps.Signals.Tests/RuntimeUpdatedEventTests.cs @@ -0,0 +1,270 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_008_SIGNALS_runtime_telemetry_events (SIG-RUN-004) +// + +using StellaOps.Signals.Models; +using StellaOps.TestKit; +using Xunit; + +namespace StellaOps.Signals.Tests; + +/// +/// Tests for runtime updated event generation, idempotency, and ordering. +/// Sprint: SPRINT_20260112_008_SIGNALS_runtime_telemetry_events (SIG-RUN-004) +/// +[Trait("Category", TestCategories.Unit)] +public sealed class RuntimeUpdatedEventTests +{ + private static readonly DateTimeOffset FixedTime = new(2026, 1, 15, 10, 30, 0, TimeSpan.Zero); + + [Fact] + public void Factory_CreatesEventWithDeterministicId() + { + // Arrange & Act + var event1 = RuntimeUpdatedEventFactory.Create( + tenant: "test-tenant", + subjectKey: "cve:CVE-2026-1234|purl:pkg:npm/lodash@4.17.21", + evidenceDigest: "sha256:abc123", + updateType: RuntimeUpdateType.NewObservation, + newState: "observed", + confidence: 0.85, + fromRuntime: true, + occurredAtUtc: FixedTime); + + var event2 = RuntimeUpdatedEventFactory.Create( + tenant: "test-tenant", + subjectKey: "cve:CVE-2026-1234|purl:pkg:npm/lodash@4.17.21", + evidenceDigest: "sha256:abc123", + updateType: RuntimeUpdateType.NewObservation, + newState: "observed", + confidence: 0.85, + fromRuntime: true, + occurredAtUtc: FixedTime); + + // Assert - Same inputs should produce same event ID + Assert.Equal(event1.EventId, event2.EventId); + } + + [Fact] + public void Factory_DifferentEvidenceDigest_ProducesDifferentId() + { + // Arrange & Act + var event1 = RuntimeUpdatedEventFactory.Create( + tenant: "test-tenant", + subjectKey: "cve:CVE-2026-1234|purl:pkg:npm/lodash@4.17.21", + evidenceDigest: "sha256:abc123", + updateType: RuntimeUpdateType.NewObservation, + newState: "observed", + confidence: 0.85, + fromRuntime: true, + occurredAtUtc: FixedTime); + + var event2 = RuntimeUpdatedEventFactory.Create( + tenant: "test-tenant", + subjectKey: "cve:CVE-2026-1234|purl:pkg:npm/lodash@4.17.21", + evidenceDigest: "sha256:different", + updateType: RuntimeUpdateType.NewObservation, + newState: "observed", + confidence: 0.85, + fromRuntime: true, + occurredAtUtc: FixedTime); + + // Assert + Assert.NotEqual(event1.EventId, event2.EventId); + } + + [Fact] + public void Factory_ExploitTelemetry_AlwaysTriggersReanalysis() + { + // Arrange & Act + var evt = RuntimeUpdatedEventFactory.Create( + tenant: "test-tenant", + subjectKey: "test-subject", + evidenceDigest: "sha256:abc123", + updateType: RuntimeUpdateType.ExploitTelemetry, + newState: "exploited", + confidence: 0.5, + fromRuntime: true, + occurredAtUtc: FixedTime); + + // Assert + Assert.True(evt.TriggerReanalysis); + Assert.NotNull(evt.ReanalysisReason); + } + + [Fact] + public void Factory_StateChange_TriggersReanalysis() + { + // Arrange & Act + var evt = RuntimeUpdatedEventFactory.Create( + tenant: "test-tenant", + subjectKey: "test-subject", + evidenceDigest: "sha256:abc123", + updateType: RuntimeUpdateType.StateChange, + newState: "confirmed", + confidence: 0.7, + fromRuntime: true, + occurredAtUtc: FixedTime, + previousState: "suspected"); + + // Assert + Assert.True(evt.TriggerReanalysis); + } + + [Fact] + public void Factory_HighConfidenceRuntime_TriggersReanalysis() + { + // Arrange & Act + var evt = RuntimeUpdatedEventFactory.Create( + tenant: "test-tenant", + subjectKey: "test-subject", + evidenceDigest: "sha256:abc123", + updateType: RuntimeUpdateType.ConfidenceIncrease, + newState: "observed", + confidence: 0.95, + fromRuntime: true, + occurredAtUtc: FixedTime, + previousState: "observed"); + + // Assert + Assert.True(evt.TriggerReanalysis); + } + + [Fact] + public void Factory_LowConfidence_DoesNotTriggerReanalysis() + { + // Arrange & Act + var evt = RuntimeUpdatedEventFactory.Create( + tenant: "test-tenant", + subjectKey: "test-subject", + evidenceDigest: "sha256:abc123", + updateType: RuntimeUpdateType.ConfidenceIncrease, + newState: "observed", + confidence: 0.3, + fromRuntime: true, + occurredAtUtc: FixedTime, + previousState: "observed"); + + // Assert - Low confidence state change without state change shouldn't trigger + Assert.False(evt.TriggerReanalysis); + } + + [Fact] + public void Factory_ObservedNodeHashes_PreservedInOrder() + { + // Arrange + var nodeHashes = new List { "sha256:zzz", "sha256:aaa", "sha256:mmm" }; + + // Act + var evt = RuntimeUpdatedEventFactory.Create( + tenant: "test-tenant", + subjectKey: "test-subject", + evidenceDigest: "sha256:abc123", + updateType: RuntimeUpdateType.NewObservation, + newState: "observed", + confidence: 0.85, + fromRuntime: true, + occurredAtUtc: FixedTime, + observedNodeHashes: nodeHashes); + + // Assert - Hashes should be preserved as provided + Assert.Equal(3, evt.ObservedNodeHashes.Length); + Assert.Equal("sha256:zzz", evt.ObservedNodeHashes[0]); + Assert.Equal("sha256:aaa", evt.ObservedNodeHashes[1]); + Assert.Equal("sha256:mmm", evt.ObservedNodeHashes[2]); + } + + [Fact] + public void Factory_AllFieldsPopulated() + { + // Arrange & Act + var evt = RuntimeUpdatedEventFactory.Create( + tenant: "test-tenant", + subjectKey: "cve:CVE-2026-1234|purl:pkg:npm/lodash@4.17.21", + evidenceDigest: "sha256:abc123", + updateType: RuntimeUpdateType.NewCallPath, + newState: "observed", + confidence: 0.85, + fromRuntime: true, + occurredAtUtc: FixedTime, + cveId: "CVE-2026-1234", + purl: "pkg:npm/lodash@4.17.21", + callgraphId: "cg-scan-001", + previousState: "suspected", + runtimeMethod: "ebpf", + observedNodeHashes: new List { "sha256:node1" }, + pathHash: "sha256:path1", + traceId: "trace-001"); + + // Assert + Assert.Equal("test-tenant", evt.Tenant); + Assert.Equal("CVE-2026-1234", evt.CveId); + Assert.Equal("pkg:npm/lodash@4.17.21", evt.Purl); + Assert.Equal("cg-scan-001", evt.CallgraphId); + Assert.Equal("suspected", evt.PreviousState); + Assert.Equal("observed", evt.NewState); + Assert.Equal("ebpf", evt.RuntimeMethod); + Assert.Equal("sha256:path1", evt.PathHash); + Assert.Equal("trace-001", evt.TraceId); + Assert.Equal(RuntimeEventTypes.Updated, evt.EventType); + Assert.Equal("1.0.0", evt.Version); + } + + [Fact] + public void RuntimeEventTypes_HasCorrectConstants() + { + // Assert + Assert.Equal("runtime.updated", RuntimeEventTypes.Updated); + Assert.Equal("runtime.updated@1", RuntimeEventTypes.UpdatedV1); + Assert.Equal("runtime.ingested", RuntimeEventTypes.Ingested); + Assert.Equal("runtime.confirmed", RuntimeEventTypes.Confirmed); + Assert.Equal("runtime.exploit_detected", RuntimeEventTypes.ExploitDetected); + } + + [Theory] + [InlineData(RuntimeUpdateType.NewObservation)] + [InlineData(RuntimeUpdateType.StateChange)] + [InlineData(RuntimeUpdateType.ConfidenceIncrease)] + [InlineData(RuntimeUpdateType.NewCallPath)] + [InlineData(RuntimeUpdateType.ExploitTelemetry)] + public void Factory_AllUpdateTypes_CreateValidEvents(RuntimeUpdateType updateType) + { + // Arrange & Act + var evt = RuntimeUpdatedEventFactory.Create( + tenant: "test-tenant", + subjectKey: "test-subject", + evidenceDigest: "sha256:abc123", + updateType: updateType, + newState: "observed", + confidence: 0.85, + fromRuntime: true, + occurredAtUtc: FixedTime); + + // Assert + Assert.NotNull(evt); + Assert.NotEmpty(evt.EventId); + Assert.Equal(updateType, evt.UpdateType); + } + + [Fact] + public void Event_IdempotencyKey_IsDeterministic() + { + // Arrange - Create same event multiple times with same inputs + var events = Enumerable.Range(0, 5) + .Select(_ => RuntimeUpdatedEventFactory.Create( + tenant: "tenant-1", + subjectKey: "subject-1", + evidenceDigest: "sha256:evidence1", + updateType: RuntimeUpdateType.NewObservation, + newState: "observed", + confidence: 0.9, + fromRuntime: true, + occurredAtUtc: FixedTime)) + .ToList(); + + // Assert - All events should have the same ID + var distinctIds = events.Select(e => e.EventId).Distinct().ToList(); + Assert.Single(distinctIds); + } +} diff --git a/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyAuditEvents.cs b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyAuditEvents.cs new file mode 100644 index 000000000..772f1d789 --- /dev/null +++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyAuditEvents.cs @@ -0,0 +1,233 @@ +// ----------------------------------------------------------------------------- +// CeremonyAuditEvents.cs +// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies +// Tasks: DUAL-008 +// Description: Audit event definitions for dual-control ceremonies. +// ----------------------------------------------------------------------------- + +using System; + +namespace StellaOps.Signer.Core.Ceremonies; + +/// +/// Audit event types for ceremonies. +/// +public static class CeremonyAuditEvents +{ + /// + /// Ceremony was created. + /// + public const string Initiated = "signer.ceremony.initiated"; + + /// + /// Approval was submitted. + /// + public const string Approved = "signer.ceremony.approved"; + + /// + /// Threshold was reached. + /// + public const string ThresholdReached = "signer.ceremony.threshold_reached"; + + /// + /// Operation was executed. + /// + public const string Executed = "signer.ceremony.executed"; + + /// + /// Ceremony expired. + /// + public const string Expired = "signer.ceremony.expired"; + + /// + /// Ceremony was cancelled. + /// + public const string Cancelled = "signer.ceremony.cancelled"; + + /// + /// Approval was rejected (invalid signature, unauthorized, etc.). + /// + public const string ApprovalRejected = "signer.ceremony.approval_rejected"; +} + +/// +/// Base audit event for ceremonies. +/// +public abstract record CeremonyAuditEvent +{ + /// + /// Event type. + /// + public required string EventType { get; init; } + + /// + /// Ceremony ID. + /// + public required Guid CeremonyId { get; init; } + + /// + /// Operation type. + /// + public required CeremonyOperationType OperationType { get; init; } + + /// + /// Event timestamp (UTC). + /// + public required DateTimeOffset Timestamp { get; init; } + + /// + /// Actor identity. + /// + public required string Actor { get; init; } + + /// + /// Tenant ID. + /// + public string? TenantId { get; init; } + + /// + /// Request trace ID. + /// + public string? TraceId { get; init; } +} + +/// +/// Audit event for ceremony initiation. +/// +public sealed record CeremonyInitiatedEvent : CeremonyAuditEvent +{ + /// + /// Threshold required. + /// + public required int ThresholdRequired { get; init; } + + /// + /// Expiration time. + /// + public required DateTimeOffset ExpiresAt { get; init; } + + /// + /// Operation description. + /// + public string? Description { get; init; } +} + +/// +/// Audit event for ceremony approval. +/// +public sealed record CeremonyApprovedEvent : CeremonyAuditEvent +{ + /// + /// Approver identity. + /// + public required string Approver { get; init; } + + /// + /// Current approval count. + /// + public required int ApprovalCount { get; init; } + + /// + /// Required threshold. + /// + public required int ThresholdRequired { get; init; } + + /// + /// Approval reason. + /// + public string? ApprovalReason { get; init; } + + /// + /// Whether threshold was reached with this approval. + /// + public required bool ThresholdReached { get; init; } +} + +/// +/// Audit event for ceremony execution. +/// +public sealed record CeremonyExecutedEvent : CeremonyAuditEvent +{ + /// + /// Executor identity. + /// + public required string Executor { get; init; } + + /// + /// Total approvals. + /// + public required int TotalApprovals { get; init; } + + /// + /// Execution result. + /// + public required bool Success { get; init; } + + /// + /// Error message if failed. + /// + public string? Error { get; init; } + + /// + /// Result payload (key ID, etc.). + /// + public string? ResultPayload { get; init; } +} + +/// +/// Audit event for ceremony expiration. +/// +public sealed record CeremonyExpiredEvent : CeremonyAuditEvent +{ + /// + /// Approvals received before expiration. + /// + public required int ApprovalsReceived { get; init; } + + /// + /// Threshold that was required. + /// + public required int ThresholdRequired { get; init; } +} + +/// +/// Audit event for ceremony cancellation. +/// +public sealed record CeremonyCancelledEvent : CeremonyAuditEvent +{ + /// + /// Cancellation reason. + /// + public string? Reason { get; init; } + + /// + /// State at time of cancellation. + /// + public required CeremonyState StateAtCancellation { get; init; } + + /// + /// Approvals received before cancellation. + /// + public required int ApprovalsReceived { get; init; } +} + +/// +/// Audit event for rejected approval. +/// +public sealed record CeremonyApprovalRejectedEvent : CeremonyAuditEvent +{ + /// + /// Attempted approver. + /// + public required string AttemptedApprover { get; init; } + + /// + /// Rejection reason. + /// + public required string RejectionReason { get; init; } + + /// + /// Error code. + /// + public required CeremonyErrorCode ErrorCode { get; init; } +} diff --git a/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyModels.cs b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyModels.cs new file mode 100644 index 000000000..c810654b4 --- /dev/null +++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyModels.cs @@ -0,0 +1,375 @@ +// ----------------------------------------------------------------------------- +// CeremonyModels.cs +// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies +// Tasks: DUAL-001, DUAL-003, DUAL-004 +// Description: Models for M-of-N dual-control signing ceremonies. +// ----------------------------------------------------------------------------- + +using System; +using System.Collections.Generic; + +namespace StellaOps.Signer.Core.Ceremonies; + +/// +/// State of a signing ceremony. +/// +public enum CeremonyState +{ + /// + /// Ceremony created, awaiting approvals. + /// + Pending, + + /// + /// Some approvals received, but threshold not yet reached. + /// + PartiallyApproved, + + /// + /// Threshold reached, operation approved for execution. + /// + Approved, + + /// + /// Operation executed successfully. + /// + Executed, + + /// + /// Ceremony expired before threshold was reached. + /// + Expired, + + /// + /// Ceremony cancelled by initiator or admin. + /// + Cancelled +} + +/// +/// Type of key operation requiring ceremony approval. +/// +public enum CeremonyOperationType +{ + /// + /// Generate a new signing key. + /// + KeyGeneration, + + /// + /// Rotate an existing key. + /// + KeyRotation, + + /// + /// Revoke a key. + /// + KeyRevocation, + + /// + /// Export a key (for escrow or backup). + /// + KeyExport, + + /// + /// Import a key from escrow or backup. + /// + KeyImport, + + /// + /// Emergency key recovery. + /// + KeyRecovery +} + +/// +/// A signing ceremony requiring M-of-N approvals. +/// +public sealed record Ceremony +{ + /// + /// Unique ceremony identifier. + /// + public required Guid CeremonyId { get; init; } + + /// + /// Type of operation being approved. + /// + public required CeremonyOperationType OperationType { get; init; } + + /// + /// Operation-specific payload (key ID, parameters, etc.). + /// + public required CeremonyOperationPayload Payload { get; init; } + + /// + /// Number of approvals required (M in M-of-N). + /// + public required int ThresholdRequired { get; init; } + + /// + /// Current number of approvals received. + /// + public required int ThresholdReached { get; init; } + + /// + /// Current ceremony state. + /// + public required CeremonyState State { get; init; } + + /// + /// Identity of the ceremony initiator. + /// + public required string InitiatedBy { get; init; } + + /// + /// When the ceremony was initiated (UTC). + /// + public required DateTimeOffset InitiatedAt { get; init; } + + /// + /// When the ceremony expires (UTC). + /// + public required DateTimeOffset ExpiresAt { get; init; } + + /// + /// When the operation was executed (UTC), if executed. + /// + public DateTimeOffset? ExecutedAt { get; init; } + + /// + /// Collected approvals. + /// + public IReadOnlyList Approvals { get; init; } = []; + + /// + /// Human-readable description of the ceremony. + /// + public string? Description { get; init; } + + /// + /// Tenant ID if multi-tenant. + /// + public string? TenantId { get; init; } +} + +/// +/// Operation-specific payload for a ceremony. +/// +public sealed record CeremonyOperationPayload +{ + /// + /// Key identifier (for rotation, revocation, export). + /// + public string? KeyId { get; init; } + + /// + /// Key algorithm (for generation). + /// + public string? Algorithm { get; init; } + + /// + /// Key size in bits (for generation). + /// + public int? KeySize { get; init; } + + /// + /// Key usage constraints. + /// + public IReadOnlyList? KeyUsages { get; init; } + + /// + /// Reason for the operation. + /// + public string? Reason { get; init; } + + /// + /// Additional metadata. + /// + public IReadOnlyDictionary? Metadata { get; init; } +} + +/// +/// An approval for a ceremony. +/// +public sealed record CeremonyApproval +{ + /// + /// Unique approval identifier. + /// + public required Guid ApprovalId { get; init; } + + /// + /// Ceremony being approved. + /// + public required Guid CeremonyId { get; init; } + + /// + /// Identity of the approver. + /// + public required string ApproverIdentity { get; init; } + + /// + /// When the approval was given (UTC). + /// + public required DateTimeOffset ApprovedAt { get; init; } + + /// + /// Cryptographic signature over the ceremony details. + /// + public required byte[] ApprovalSignature { get; init; } + + /// + /// Optional reason or comment for approval. + /// + public string? ApprovalReason { get; init; } + + /// + /// Key ID used for signing the approval. + /// + public string? SigningKeyId { get; init; } + + /// + /// Signature algorithm used. + /// + public string? SignatureAlgorithm { get; init; } +} + +/// +/// Request to create a new ceremony. +/// +public sealed record CreateCeremonyRequest +{ + /// + /// Type of operation. + /// + public required CeremonyOperationType OperationType { get; init; } + + /// + /// Operation payload. + /// + public required CeremonyOperationPayload Payload { get; init; } + + /// + /// Override threshold (uses config default if null). + /// + public int? ThresholdOverride { get; init; } + + /// + /// Override expiration minutes (uses config default if null). + /// + public int? ExpirationMinutesOverride { get; init; } + + /// + /// Human-readable description. + /// + public string? Description { get; init; } +} + +/// +/// Request to approve a ceremony. +/// +public sealed record ApproveCeremonyRequest +{ + /// + /// Ceremony to approve. + /// + public required Guid CeremonyId { get; init; } + + /// + /// Cryptographic signature over ceremony details. + /// + public required byte[] ApprovalSignature { get; init; } + + /// + /// Optional reason for approval. + /// + public string? ApprovalReason { get; init; } + + /// + /// Key ID used for signing. + /// + public string? SigningKeyId { get; init; } + + /// + /// Signature algorithm. + /// + public string? SignatureAlgorithm { get; init; } +} + +/// +/// Result of a ceremony operation. +/// +public sealed record CeremonyResult +{ + /// + /// Whether the operation succeeded. + /// + public required bool Success { get; init; } + + /// + /// Updated ceremony state. + /// + public Ceremony? Ceremony { get; init; } + + /// + /// Error message if failed. + /// + public string? Error { get; init; } + + /// + /// Error code if failed. + /// + public CeremonyErrorCode? ErrorCode { get; init; } +} + +/// +/// Ceremony error codes. +/// +public enum CeremonyErrorCode +{ + /// + /// Ceremony not found. + /// + NotFound, + + /// + /// Ceremony has expired. + /// + Expired, + + /// + /// Ceremony already executed. + /// + AlreadyExecuted, + + /// + /// Ceremony was cancelled. + /// + Cancelled, + + /// + /// Approver has already approved this ceremony. + /// + DuplicateApproval, + + /// + /// Approver is not authorized for this operation. + /// + UnauthorizedApprover, + + /// + /// Invalid approval signature. + /// + InvalidSignature, + + /// + /// Threshold configuration error. + /// + InvalidThreshold, + + /// + /// Internal error. + /// + InternalError +} diff --git a/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOptions.cs b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOptions.cs new file mode 100644 index 000000000..a22de0f66 --- /dev/null +++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOptions.cs @@ -0,0 +1,159 @@ +// ----------------------------------------------------------------------------- +// CeremonyOptions.cs +// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies +// Tasks: DUAL-001 +// Description: Configuration options for dual-control ceremonies. +// ----------------------------------------------------------------------------- + +using System; +using System.Collections.Generic; +using System.ComponentModel.DataAnnotations; + +namespace StellaOps.Signer.Core.Ceremonies; + +/// +/// Configuration for dual-control signing ceremonies. +/// +public sealed class CeremonyOptions +{ + /// + /// Configuration section name. + /// + public const string SectionName = "Signer:Ceremonies"; + + /// + /// Whether ceremony support is enabled. + /// + public bool Enabled { get; set; } = true; + + /// + /// Default approval threshold (M in M-of-N). + /// + [Range(1, 10)] + public int DefaultThreshold { get; set; } = 2; + + /// + /// Default ceremony expiration in minutes. + /// + [Range(5, 1440)] + public int ExpirationMinutes { get; set; } = 60; + + /// + /// Per-operation configuration. + /// + public Dictionary Operations { get; set; } = new(); + + /// + /// Notification configuration. + /// + public CeremonyNotificationConfig Notifications { get; set; } = new(); + + /// + /// Gets the threshold for a specific operation type. + /// + public int GetThreshold(CeremonyOperationType operationType) + { + var key = operationType.ToString().ToLowerInvariant(); + if (Operations.TryGetValue(key, out var config) && config.Threshold.HasValue) + { + return config.Threshold.Value; + } + return DefaultThreshold; + } + + /// + /// Gets the expiration minutes for a specific operation type. + /// + public int GetExpirationMinutes(CeremonyOperationType operationType) + { + var key = operationType.ToString().ToLowerInvariant(); + if (Operations.TryGetValue(key, out var config) && config.ExpirationMinutes.HasValue) + { + return config.ExpirationMinutes.Value; + } + return ExpirationMinutes; + } + + /// + /// Gets the required roles for a specific operation type. + /// + public IReadOnlyList GetRequiredRoles(CeremonyOperationType operationType) + { + var key = operationType.ToString().ToLowerInvariant(); + if (Operations.TryGetValue(key, out var config) && config.RequiredRoles is { Count: > 0 }) + { + return config.RequiredRoles; + } + return Array.Empty(); + } +} + +/// +/// Per-operation ceremony configuration. +/// +public sealed class OperationCeremonyConfig +{ + /// + /// Approval threshold override. + /// + [Range(1, 10)] + public int? Threshold { get; set; } + + /// + /// Expiration minutes override. + /// + [Range(5, 1440)] + public int? ExpirationMinutes { get; set; } + + /// + /// Roles required to approve this operation. + /// + public List RequiredRoles { get; set; } = []; + + /// + /// Whether this operation requires a ceremony (false to bypass). + /// + public bool RequiresCeremony { get; set; } = true; +} + +/// +/// Notification configuration for ceremonies. +/// +public sealed class CeremonyNotificationConfig +{ + /// + /// Notification channels to use. + /// + public List Channels { get; set; } = ["email"]; + + /// + /// Whether to notify on ceremony creation. + /// + public bool NotifyOnCreate { get; set; } = true; + + /// + /// Whether to notify on each approval. + /// + public bool NotifyOnApproval { get; set; } = true; + + /// + /// Whether to notify on threshold reached. + /// + public bool NotifyOnThresholdReached { get; set; } = true; + + /// + /// Whether to notify on execution. + /// + public bool NotifyOnExecution { get; set; } = true; + + /// + /// Whether to notify on expiration warning. + /// + public bool NotifyOnExpirationWarning { get; set; } = true; + + /// + /// Minutes before expiration to send warning. + /// + [Range(5, 60)] + public int ExpirationWarningMinutes { get; set; } = 15; +} diff --git a/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOrchestrator.cs b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOrchestrator.cs new file mode 100644 index 000000000..b1ac955a0 --- /dev/null +++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOrchestrator.cs @@ -0,0 +1,549 @@ +// ----------------------------------------------------------------------------- +// CeremonyOrchestrator.cs +// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies +// Tasks: DUAL-005, DUAL-006, DUAL-007 +// Description: Implementation of M-of-N dual-control ceremony orchestration. +// ----------------------------------------------------------------------------- + +using System; +using System.Collections.Generic; +using System.Globalization; +using System.Threading; +using System.Threading.Tasks; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; + +namespace StellaOps.Signer.Core.Ceremonies; + +/// +/// Orchestrates M-of-N dual-control signing ceremonies. +/// +public sealed class CeremonyOrchestrator : ICeremonyOrchestrator +{ + private readonly ICeremonyRepository _repository; + private readonly ICeremonyAuditSink _auditSink; + private readonly ICeremonyApproverValidator _approverValidator; + private readonly TimeProvider _timeProvider; + private readonly CeremonyOptions _options; + private readonly ILogger _logger; + + public CeremonyOrchestrator( + ICeremonyRepository repository, + ICeremonyAuditSink auditSink, + ICeremonyApproverValidator approverValidator, + TimeProvider timeProvider, + IOptions options, + ILogger logger) + { + _repository = repository ?? throw new ArgumentNullException(nameof(repository)); + _auditSink = auditSink ?? throw new ArgumentNullException(nameof(auditSink)); + _approverValidator = approverValidator ?? throw new ArgumentNullException(nameof(approverValidator)); + _timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider)); + _options = options?.Value ?? throw new ArgumentNullException(nameof(options)); + _logger = logger ?? throw new ArgumentNullException(nameof(logger)); + } + + public async Task CreateCeremonyAsync( + CreateCeremonyRequest request, + string initiator, + CancellationToken cancellationToken = default) + { + ArgumentNullException.ThrowIfNull(request); + ArgumentException.ThrowIfNullOrWhiteSpace(initiator); + + if (!_options.Enabled) + { + return new CeremonyResult + { + Success = false, + Error = "Ceremonies are disabled", + ErrorCode = CeremonyErrorCode.InternalError + }; + } + + var now = _timeProvider.GetUtcNow(); + var threshold = request.ThresholdOverride ?? _options.GetThreshold(request.OperationType); + var expirationMinutes = request.ExpirationMinutesOverride ?? _options.GetExpirationMinutes(request.OperationType); + + if (threshold < 1) + { + return new CeremonyResult + { + Success = false, + Error = "Invalid threshold: must be at least 1", + ErrorCode = CeremonyErrorCode.InvalidThreshold + }; + } + + var ceremony = new Ceremony + { + CeremonyId = Guid.NewGuid(), + OperationType = request.OperationType, + Payload = request.Payload, + ThresholdRequired = threshold, + ThresholdReached = 0, + State = CeremonyState.Pending, + InitiatedBy = initiator, + InitiatedAt = now, + ExpiresAt = now.AddMinutes(expirationMinutes), + Description = request.Description, + Approvals = [] + }; + + var created = await _repository.CreateAsync(ceremony, cancellationToken); + + await _auditSink.WriteAsync(new CeremonyInitiatedEvent + { + EventType = CeremonyAuditEvents.Initiated, + CeremonyId = created.CeremonyId, + OperationType = created.OperationType, + Timestamp = now, + Actor = initiator, + ThresholdRequired = threshold, + ExpiresAt = created.ExpiresAt, + Description = request.Description + }, cancellationToken); + + _logger.LogInformation( + "Ceremony {CeremonyId} created for {OperationType} by {Initiator}, threshold {Threshold}, expires {ExpiresAt}", + created.CeremonyId, + created.OperationType, + initiator, + threshold, + created.ExpiresAt.ToString("o", CultureInfo.InvariantCulture)); + + return new CeremonyResult + { + Success = true, + Ceremony = created + }; + } + + public async Task ApproveCeremonyAsync( + ApproveCeremonyRequest request, + string approver, + CancellationToken cancellationToken = default) + { + ArgumentNullException.ThrowIfNull(request); + ArgumentException.ThrowIfNullOrWhiteSpace(approver); + + var now = _timeProvider.GetUtcNow(); + + var ceremony = await _repository.GetByIdAsync(request.CeremonyId, cancellationToken); + if (ceremony is null) + { + return new CeremonyResult + { + Success = false, + Error = "Ceremony not found", + ErrorCode = CeremonyErrorCode.NotFound + }; + } + + // Check expiration + if (now >= ceremony.ExpiresAt) + { + await _auditSink.WriteAsync(new CeremonyApprovalRejectedEvent + { + EventType = CeremonyAuditEvents.ApprovalRejected, + CeremonyId = ceremony.CeremonyId, + OperationType = ceremony.OperationType, + Timestamp = now, + Actor = approver, + AttemptedApprover = approver, + RejectionReason = "Ceremony has expired", + ErrorCode = CeremonyErrorCode.Expired + }, cancellationToken); + + return new CeremonyResult + { + Success = false, + Error = "Ceremony has expired", + ErrorCode = CeremonyErrorCode.Expired + }; + } + + // Check state allows approval + if (!CeremonyStateMachine.CanAcceptApproval(ceremony.State)) + { + var errorCode = ceremony.State switch + { + CeremonyState.Executed => CeremonyErrorCode.AlreadyExecuted, + CeremonyState.Expired => CeremonyErrorCode.Expired, + CeremonyState.Cancelled => CeremonyErrorCode.Cancelled, + _ => CeremonyErrorCode.InternalError + }; + + return new CeremonyResult + { + Success = false, + Error = $"Ceremony cannot accept approvals in state {ceremony.State}", + ErrorCode = errorCode + }; + } + + // Check for duplicate approval + if (await _repository.HasApprovedAsync(request.CeremonyId, approver, cancellationToken)) + { + await _auditSink.WriteAsync(new CeremonyApprovalRejectedEvent + { + EventType = CeremonyAuditEvents.ApprovalRejected, + CeremonyId = ceremony.CeremonyId, + OperationType = ceremony.OperationType, + Timestamp = now, + Actor = approver, + AttemptedApprover = approver, + RejectionReason = "Approver has already approved this ceremony", + ErrorCode = CeremonyErrorCode.DuplicateApproval + }, cancellationToken); + + return new CeremonyResult + { + Success = false, + Error = "You have already approved this ceremony", + ErrorCode = CeremonyErrorCode.DuplicateApproval + }; + } + + // Validate approver authorization + var validationResult = await _approverValidator.ValidateApproverAsync( + approver, + ceremony.OperationType, + request.ApprovalSignature, + cancellationToken); + + if (!validationResult.IsValid) + { + await _auditSink.WriteAsync(new CeremonyApprovalRejectedEvent + { + EventType = CeremonyAuditEvents.ApprovalRejected, + CeremonyId = ceremony.CeremonyId, + OperationType = ceremony.OperationType, + Timestamp = now, + Actor = approver, + AttemptedApprover = approver, + RejectionReason = validationResult.Error ?? "Approver validation failed", + ErrorCode = validationResult.ErrorCode ?? CeremonyErrorCode.UnauthorizedApprover + }, cancellationToken); + + return new CeremonyResult + { + Success = false, + Error = validationResult.Error ?? "Approver validation failed", + ErrorCode = validationResult.ErrorCode ?? CeremonyErrorCode.UnauthorizedApprover + }; + } + + // Add approval + var approval = new CeremonyApproval + { + ApprovalId = Guid.NewGuid(), + CeremonyId = request.CeremonyId, + ApproverIdentity = approver, + ApprovedAt = now, + ApprovalSignature = request.ApprovalSignature, + ApprovalReason = request.ApprovalReason, + SigningKeyId = request.SigningKeyId, + SignatureAlgorithm = request.SignatureAlgorithm + }; + + await _repository.AddApprovalAsync(approval, cancellationToken); + + // Compute new state + var newThresholdReached = ceremony.ThresholdReached + 1; + var newState = CeremonyStateMachine.ComputeStateAfterApproval( + ceremony.State, + ceremony.ThresholdRequired, + newThresholdReached); + + var updated = await _repository.UpdateStateAsync( + ceremony.CeremonyId, + newState, + newThresholdReached, + cancellationToken: cancellationToken); + + var thresholdReached = newThresholdReached >= ceremony.ThresholdRequired; + + await _auditSink.WriteAsync(new CeremonyApprovedEvent + { + EventType = CeremonyAuditEvents.Approved, + CeremonyId = ceremony.CeremonyId, + OperationType = ceremony.OperationType, + Timestamp = now, + Actor = approver, + Approver = approver, + ApprovalCount = newThresholdReached, + ThresholdRequired = ceremony.ThresholdRequired, + ApprovalReason = request.ApprovalReason, + ThresholdReached = thresholdReached + }, cancellationToken); + + if (thresholdReached) + { + await _auditSink.WriteAsync(new CeremonyApprovedEvent + { + EventType = CeremonyAuditEvents.ThresholdReached, + CeremonyId = ceremony.CeremonyId, + OperationType = ceremony.OperationType, + Timestamp = now, + Actor = approver, + Approver = approver, + ApprovalCount = newThresholdReached, + ThresholdRequired = ceremony.ThresholdRequired, + ThresholdReached = true + }, cancellationToken); + + _logger.LogInformation( + "Ceremony {CeremonyId} reached threshold {Threshold}, ready for execution", + ceremony.CeremonyId, + ceremony.ThresholdRequired); + } + + _logger.LogInformation( + "Ceremony {CeremonyId} approved by {Approver}, {Current}/{Required} approvals", + ceremony.CeremonyId, + approver, + newThresholdReached, + ceremony.ThresholdRequired); + + return new CeremonyResult + { + Success = true, + Ceremony = updated + }; + } + + public async Task GetCeremonyAsync( + Guid ceremonyId, + CancellationToken cancellationToken = default) + { + return await _repository.GetByIdAsync(ceremonyId, cancellationToken); + } + + public async Task> ListCeremoniesAsync( + CeremonyFilter? filter = null, + CancellationToken cancellationToken = default) + { + return await _repository.ListAsync(filter, cancellationToken); + } + + public async Task ExecuteCeremonyAsync( + Guid ceremonyId, + string executor, + CancellationToken cancellationToken = default) + { + ArgumentException.ThrowIfNullOrWhiteSpace(executor); + + var now = _timeProvider.GetUtcNow(); + + var ceremony = await _repository.GetByIdAsync(ceremonyId, cancellationToken); + if (ceremony is null) + { + return new CeremonyResult + { + Success = false, + Error = "Ceremony not found", + ErrorCode = CeremonyErrorCode.NotFound + }; + } + + if (!CeremonyStateMachine.CanExecute(ceremony.State)) + { + return new CeremonyResult + { + Success = false, + Error = $"Ceremony cannot be executed in state {ceremony.State}", + ErrorCode = ceremony.State == CeremonyState.Executed + ? CeremonyErrorCode.AlreadyExecuted + : CeremonyErrorCode.InternalError + }; + } + + // Check expiration + if (now >= ceremony.ExpiresAt) + { + return new CeremonyResult + { + Success = false, + Error = "Ceremony execution window has expired", + ErrorCode = CeremonyErrorCode.Expired + }; + } + + var updated = await _repository.UpdateStateAsync( + ceremonyId, + CeremonyState.Executed, + ceremony.ThresholdReached, + now, + cancellationToken); + + await _auditSink.WriteAsync(new CeremonyExecutedEvent + { + EventType = CeremonyAuditEvents.Executed, + CeremonyId = ceremonyId, + OperationType = ceremony.OperationType, + Timestamp = now, + Actor = executor, + Executor = executor, + TotalApprovals = ceremony.ThresholdReached, + Success = true + }, cancellationToken); + + _logger.LogInformation( + "Ceremony {CeremonyId} executed by {Executor}", + ceremonyId, + executor); + + return new CeremonyResult + { + Success = true, + Ceremony = updated + }; + } + + public async Task CancelCeremonyAsync( + Guid ceremonyId, + string canceller, + string? reason = null, + CancellationToken cancellationToken = default) + { + ArgumentException.ThrowIfNullOrWhiteSpace(canceller); + + var now = _timeProvider.GetUtcNow(); + + var ceremony = await _repository.GetByIdAsync(ceremonyId, cancellationToken); + if (ceremony is null) + { + return new CeremonyResult + { + Success = false, + Error = "Ceremony not found", + ErrorCode = CeremonyErrorCode.NotFound + }; + } + + if (!CeremonyStateMachine.CanCancel(ceremony.State)) + { + return new CeremonyResult + { + Success = false, + Error = $"Ceremony cannot be cancelled in state {ceremony.State}", + ErrorCode = CeremonyErrorCode.InternalError + }; + } + + var previousState = ceremony.State; + + var updated = await _repository.UpdateStateAsync( + ceremonyId, + CeremonyState.Cancelled, + ceremony.ThresholdReached, + cancellationToken: cancellationToken); + + await _auditSink.WriteAsync(new CeremonyCancelledEvent + { + EventType = CeremonyAuditEvents.Cancelled, + CeremonyId = ceremonyId, + OperationType = ceremony.OperationType, + Timestamp = now, + Actor = canceller, + Reason = reason, + StateAtCancellation = previousState, + ApprovalsReceived = ceremony.ThresholdReached + }, cancellationToken); + + _logger.LogInformation( + "Ceremony {CeremonyId} cancelled by {Canceller}: {Reason}", + ceremonyId, + canceller, + reason ?? "(no reason provided)"); + + return new CeremonyResult + { + Success = true, + Ceremony = updated + }; + } + + public async Task ProcessExpiredCeremoniesAsync( + CancellationToken cancellationToken = default) + { + var now = _timeProvider.GetUtcNow(); + + var expired = await _repository.GetExpiredCeremoniesAsync(now, cancellationToken); + if (expired.Count == 0) + { + return 0; + } + + var ids = new List(expired.Count); + foreach (var ceremony in expired) + { + ids.Add(ceremony.CeremonyId); + + await _auditSink.WriteAsync(new CeremonyExpiredEvent + { + EventType = CeremonyAuditEvents.Expired, + CeremonyId = ceremony.CeremonyId, + OperationType = ceremony.OperationType, + Timestamp = now, + Actor = "system", + ApprovalsReceived = ceremony.ThresholdReached, + ThresholdRequired = ceremony.ThresholdRequired + }, cancellationToken); + } + + var count = await _repository.MarkExpiredAsync(ids, cancellationToken); + + _logger.LogInformation("Marked {Count} ceremonies as expired", count); + + return count; + } +} + +/// +/// Interface for ceremony audit logging. +/// +public interface ICeremonyAuditSink +{ + /// + /// Writes an audit event. + /// + Task WriteAsync(CeremonyAuditEvent auditEvent, CancellationToken cancellationToken = default); +} + +/// +/// Interface for validating ceremony approvers. +/// +public interface ICeremonyApproverValidator +{ + /// + /// Validates an approver for a ceremony operation. + /// + Task ValidateApproverAsync( + string approverIdentity, + CeremonyOperationType operationType, + byte[] signature, + CancellationToken cancellationToken = default); +} + +/// +/// Result of approver validation. +/// +public sealed record ApproverValidationResult +{ + /// + /// Whether the approver is valid. + /// + public required bool IsValid { get; init; } + + /// + /// Error message if invalid. + /// + public string? Error { get; init; } + + /// + /// Error code if invalid. + /// + public CeremonyErrorCode? ErrorCode { get; init; } +} diff --git a/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyStateMachine.cs b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyStateMachine.cs new file mode 100644 index 000000000..3164260f4 --- /dev/null +++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyStateMachine.cs @@ -0,0 +1,140 @@ +// ----------------------------------------------------------------------------- +// CeremonyStateMachine.cs +// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies +// Tasks: DUAL-003 +// Description: State machine for ceremony lifecycle management. +// ----------------------------------------------------------------------------- + +using System; + +namespace StellaOps.Signer.Core.Ceremonies; + +/// +/// Manages ceremony state transitions. +/// +public static class CeremonyStateMachine +{ + /// + /// Determines if a state transition is valid. + /// + /// Current ceremony state. + /// Target state. + /// True if transition is valid. + public static bool IsValidTransition(CeremonyState currentState, CeremonyState targetState) + { + return (currentState, targetState) switch + { + // From Pending + (CeremonyState.Pending, CeremonyState.PartiallyApproved) => true, + (CeremonyState.Pending, CeremonyState.Approved) => true, // Direct approval if threshold = 1 + (CeremonyState.Pending, CeremonyState.Expired) => true, + (CeremonyState.Pending, CeremonyState.Cancelled) => true, + + // From PartiallyApproved + (CeremonyState.PartiallyApproved, CeremonyState.PartiallyApproved) => true, // More approvals + (CeremonyState.PartiallyApproved, CeremonyState.Approved) => true, + (CeremonyState.PartiallyApproved, CeremonyState.Expired) => true, + (CeremonyState.PartiallyApproved, CeremonyState.Cancelled) => true, + + // From Approved + (CeremonyState.Approved, CeremonyState.Executed) => true, + (CeremonyState.Approved, CeremonyState.Expired) => true, // Execution window expired + (CeremonyState.Approved, CeremonyState.Cancelled) => true, + + // Terminal states - no transitions + (CeremonyState.Executed, _) => false, + (CeremonyState.Expired, _) => false, + (CeremonyState.Cancelled, _) => false, + + // Same state is not a transition + _ when currentState == targetState => false, + + // All other transitions are invalid + _ => false + }; + } + + /// + /// Computes the next state after an approval. + /// + /// Current ceremony state. + /// Number of approvals required. + /// Number of approvals received (after this approval). + /// Next state. + public static CeremonyState ComputeStateAfterApproval( + CeremonyState currentState, + int thresholdRequired, + int thresholdReached) + { + if (currentState is CeremonyState.Executed or CeremonyState.Expired or CeremonyState.Cancelled) + { + throw new InvalidOperationException($"Cannot approve ceremony in state {currentState}"); + } + + if (thresholdReached >= thresholdRequired) + { + return CeremonyState.Approved; + } + + return CeremonyState.PartiallyApproved; + } + + /// + /// Checks if a ceremony can accept approvals. + /// + /// Current ceremony state. + /// True if approvals can be added. + public static bool CanAcceptApproval(CeremonyState state) + { + return state is CeremonyState.Pending or CeremonyState.PartiallyApproved; + } + + /// + /// Checks if a ceremony can be executed. + /// + /// Current ceremony state. + /// True if the ceremony can be executed. + public static bool CanExecute(CeremonyState state) + { + return state == CeremonyState.Approved; + } + + /// + /// Checks if a ceremony can be cancelled. + /// + /// Current ceremony state. + /// True if the ceremony can be cancelled. + public static bool CanCancel(CeremonyState state) + { + return state is CeremonyState.Pending or CeremonyState.PartiallyApproved or CeremonyState.Approved; + } + + /// + /// Checks if a ceremony is in a terminal state. + /// + /// Current ceremony state. + /// True if the ceremony is in a terminal state. + public static bool IsTerminalState(CeremonyState state) + { + return state is CeremonyState.Executed or CeremonyState.Expired or CeremonyState.Cancelled; + } + + /// + /// Gets a human-readable description of the state. + /// + /// Ceremony state. + /// Human-readable description. + public static string GetStateDescription(CeremonyState state) + { + return state switch + { + CeremonyState.Pending => "Awaiting approvals", + CeremonyState.PartiallyApproved => "Some approvals received, awaiting more", + CeremonyState.Approved => "All approvals received, ready for execution", + CeremonyState.Executed => "Operation executed successfully", + CeremonyState.Expired => "Ceremony expired before completion", + CeremonyState.Cancelled => "Ceremony was cancelled", + _ => "Unknown state" + }; + } +} diff --git a/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyOrchestrator.cs b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyOrchestrator.cs new file mode 100644 index 000000000..fe15d0e50 --- /dev/null +++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyOrchestrator.cs @@ -0,0 +1,153 @@ +// ----------------------------------------------------------------------------- +// ICeremonyOrchestrator.cs +// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies +// Tasks: DUAL-002 +// Description: Interface for M-of-N dual-control ceremony orchestration. +// ----------------------------------------------------------------------------- + +using System; +using System.Collections.Generic; +using System.Threading; +using System.Threading.Tasks; + +namespace StellaOps.Signer.Core.Ceremonies; + +/// +/// Orchestrates M-of-N dual-control signing ceremonies. +/// +public interface ICeremonyOrchestrator +{ + /// + /// Creates a new ceremony for the specified operation. + /// + /// Ceremony creation request. + /// Identity of the ceremony initiator. + /// Cancellation token. + /// Result containing the created ceremony or error. + Task CreateCeremonyAsync( + CreateCeremonyRequest request, + string initiator, + CancellationToken cancellationToken = default); + + /// + /// Submits an approval for a ceremony. + /// + /// Approval request. + /// Identity of the approver. + /// Cancellation token. + /// Result containing the updated ceremony or error. + Task ApproveCeremonyAsync( + ApproveCeremonyRequest request, + string approver, + CancellationToken cancellationToken = default); + + /// + /// Gets a ceremony by ID. + /// + /// Ceremony identifier. + /// Cancellation token. + /// The ceremony or null if not found. + Task GetCeremonyAsync( + Guid ceremonyId, + CancellationToken cancellationToken = default); + + /// + /// Lists ceremonies with optional filters. + /// + /// Optional filter criteria. + /// Cancellation token. + /// List of ceremonies matching the filter. + Task> ListCeremoniesAsync( + CeremonyFilter? filter = null, + CancellationToken cancellationToken = default); + + /// + /// Executes an approved ceremony. + /// + /// Ceremony to execute. + /// Identity of the executor. + /// Cancellation token. + /// Result of the execution. + Task ExecuteCeremonyAsync( + Guid ceremonyId, + string executor, + CancellationToken cancellationToken = default); + + /// + /// Cancels a pending ceremony. + /// + /// Ceremony to cancel. + /// Identity of the canceller. + /// Reason for cancellation. + /// Cancellation token. + /// Result of the cancellation. + Task CancelCeremonyAsync( + Guid ceremonyId, + string canceller, + string? reason = null, + CancellationToken cancellationToken = default); + + /// + /// Processes expired ceremonies (background task). + /// + /// Cancellation token. + /// Number of ceremonies marked as expired. + Task ProcessExpiredCeremoniesAsync( + CancellationToken cancellationToken = default); +} + +/// +/// Filter criteria for listing ceremonies. +/// +public sealed record CeremonyFilter +{ + /// + /// Filter by state. + /// + public CeremonyState? State { get; init; } + + /// + /// Filter by operation type. + /// + public CeremonyOperationType? OperationType { get; init; } + + /// + /// Filter by initiator. + /// + public string? InitiatedBy { get; init; } + + /// + /// Filter by pending approver (shows ceremonies the user can approve). + /// + public string? PendingApprover { get; init; } + + /// + /// Filter ceremonies initiated after this time. + /// + public DateTimeOffset? InitiatedAfter { get; init; } + + /// + /// Filter ceremonies initiated before this time. + /// + public DateTimeOffset? InitiatedBefore { get; init; } + + /// + /// Include expired ceremonies. + /// + public bool IncludeExpired { get; init; } + + /// + /// Maximum number of results. + /// + public int? Limit { get; init; } + + /// + /// Offset for pagination. + /// + public int? Offset { get; init; } + + /// + /// Tenant ID filter. + /// + public string? TenantId { get; init; } +} diff --git a/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyRepository.cs b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyRepository.cs new file mode 100644 index 000000000..c1627115b --- /dev/null +++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyRepository.cs @@ -0,0 +1,117 @@ +// ----------------------------------------------------------------------------- +// ICeremonyRepository.cs +// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies +// Tasks: DUAL-009 +// Description: Repository interface for ceremony persistence. +// ----------------------------------------------------------------------------- + +using System; +using System.Collections.Generic; +using System.Threading; +using System.Threading.Tasks; + +namespace StellaOps.Signer.Core.Ceremonies; + +/// +/// Repository for ceremony persistence. +/// +public interface ICeremonyRepository +{ + /// + /// Creates a new ceremony. + /// + /// Ceremony to create. + /// Cancellation token. + /// Created ceremony with generated ID. + Task CreateAsync( + Ceremony ceremony, + CancellationToken cancellationToken = default); + + /// + /// Gets a ceremony by ID. + /// + /// Ceremony ID. + /// Cancellation token. + /// The ceremony or null if not found. + Task GetByIdAsync( + Guid ceremonyId, + CancellationToken cancellationToken = default); + + /// + /// Updates a ceremony's state and threshold. + /// + /// Ceremony ID. + /// New state. + /// New threshold reached count. + /// Execution timestamp if executed. + /// Cancellation token. + /// Updated ceremony. + Task UpdateStateAsync( + Guid ceremonyId, + CeremonyState newState, + int thresholdReached, + DateTimeOffset? executedAt = null, + CancellationToken cancellationToken = default); + + /// + /// Adds an approval to a ceremony. + /// + /// Approval to add. + /// Cancellation token. + /// Created approval. + Task AddApprovalAsync( + CeremonyApproval approval, + CancellationToken cancellationToken = default); + + /// + /// Checks if an approver has already approved a ceremony. + /// + /// Ceremony ID. + /// Approver identity. + /// Cancellation token. + /// True if already approved. + Task HasApprovedAsync( + Guid ceremonyId, + string approverIdentity, + CancellationToken cancellationToken = default); + + /// + /// Gets approvals for a ceremony. + /// + /// Ceremony ID. + /// Cancellation token. + /// List of approvals. + Task> GetApprovalsAsync( + Guid ceremonyId, + CancellationToken cancellationToken = default); + + /// + /// Lists ceremonies matching a filter. + /// + /// Filter criteria. + /// Cancellation token. + /// List of ceremonies. + Task> ListAsync( + CeremonyFilter? filter = null, + CancellationToken cancellationToken = default); + + /// + /// Gets ceremonies that have expired but are not yet marked as expired. + /// + /// Time to check expiration against. + /// Cancellation token. + /// List of expired ceremonies. + Task> GetExpiredCeremoniesAsync( + DateTimeOffset asOf, + CancellationToken cancellationToken = default); + + /// + /// Marks ceremonies as expired in bulk. + /// + /// Ceremony IDs to expire. + /// Cancellation token. + /// Number of ceremonies updated. + Task MarkExpiredAsync( + IEnumerable ceremonyIds, + CancellationToken cancellationToken = default); +} diff --git a/src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Ceremonies/CeremonyStateMachineTests.cs b/src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Ceremonies/CeremonyStateMachineTests.cs new file mode 100644 index 000000000..df4dcc68a --- /dev/null +++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Ceremonies/CeremonyStateMachineTests.cs @@ -0,0 +1,154 @@ +// ----------------------------------------------------------------------------- +// CeremonyStateMachineTests.cs +// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies +// Tasks: DUAL-011 +// Description: Unit tests for ceremony state machine. +// ----------------------------------------------------------------------------- + +using StellaOps.Signer.Core.Ceremonies; +using Xunit; + +namespace StellaOps.Signer.Tests.Ceremonies; + +[Trait("Category", "Unit")] +public sealed class CeremonyStateMachineTests +{ + [Theory] + [InlineData(CeremonyState.Pending, CeremonyState.PartiallyApproved, true)] + [InlineData(CeremonyState.Pending, CeremonyState.Approved, true)] + [InlineData(CeremonyState.Pending, CeremonyState.Expired, true)] + [InlineData(CeremonyState.Pending, CeremonyState.Cancelled, true)] + [InlineData(CeremonyState.Pending, CeremonyState.Executed, false)] + [InlineData(CeremonyState.PartiallyApproved, CeremonyState.PartiallyApproved, true)] + [InlineData(CeremonyState.PartiallyApproved, CeremonyState.Approved, true)] + [InlineData(CeremonyState.PartiallyApproved, CeremonyState.Expired, true)] + [InlineData(CeremonyState.PartiallyApproved, CeremonyState.Cancelled, true)] + [InlineData(CeremonyState.PartiallyApproved, CeremonyState.Pending, false)] + [InlineData(CeremonyState.Approved, CeremonyState.Executed, true)] + [InlineData(CeremonyState.Approved, CeremonyState.Expired, true)] + [InlineData(CeremonyState.Approved, CeremonyState.Cancelled, true)] + [InlineData(CeremonyState.Approved, CeremonyState.Pending, false)] + [InlineData(CeremonyState.Approved, CeremonyState.PartiallyApproved, false)] + [InlineData(CeremonyState.Executed, CeremonyState.Pending, false)] + [InlineData(CeremonyState.Executed, CeremonyState.Cancelled, false)] + [InlineData(CeremonyState.Expired, CeremonyState.Pending, false)] + [InlineData(CeremonyState.Expired, CeremonyState.Approved, false)] + [InlineData(CeremonyState.Cancelled, CeremonyState.Pending, false)] + [InlineData(CeremonyState.Cancelled, CeremonyState.Approved, false)] + public void IsValidTransition_ReturnsExpectedResult( + CeremonyState currentState, + CeremonyState targetState, + bool expected) + { + var result = CeremonyStateMachine.IsValidTransition(currentState, targetState); + Assert.Equal(expected, result); + } + + [Fact] + public void IsValidTransition_SameState_ReturnsFalse() + { + foreach (var state in Enum.GetValues()) + { + Assert.False(CeremonyStateMachine.IsValidTransition(state, state)); + } + } + + [Theory] + [InlineData(CeremonyState.Pending, 2, 1, CeremonyState.PartiallyApproved)] + [InlineData(CeremonyState.Pending, 2, 2, CeremonyState.Approved)] + [InlineData(CeremonyState.Pending, 1, 1, CeremonyState.Approved)] + [InlineData(CeremonyState.PartiallyApproved, 3, 2, CeremonyState.PartiallyApproved)] + [InlineData(CeremonyState.PartiallyApproved, 3, 3, CeremonyState.Approved)] + [InlineData(CeremonyState.PartiallyApproved, 2, 3, CeremonyState.Approved)] // Over threshold + public void ComputeStateAfterApproval_ReturnsExpectedState( + CeremonyState currentState, + int thresholdRequired, + int thresholdReached, + CeremonyState expectedState) + { + var result = CeremonyStateMachine.ComputeStateAfterApproval( + currentState, + thresholdRequired, + thresholdReached); + + Assert.Equal(expectedState, result); + } + + [Theory] + [InlineData(CeremonyState.Executed)] + [InlineData(CeremonyState.Expired)] + [InlineData(CeremonyState.Cancelled)] + public void ComputeStateAfterApproval_TerminalState_ThrowsException(CeremonyState state) + { + Assert.Throws(() => + CeremonyStateMachine.ComputeStateAfterApproval(state, 2, 1)); + } + + [Theory] + [InlineData(CeremonyState.Pending, true)] + [InlineData(CeremonyState.PartiallyApproved, true)] + [InlineData(CeremonyState.Approved, false)] + [InlineData(CeremonyState.Executed, false)] + [InlineData(CeremonyState.Expired, false)] + [InlineData(CeremonyState.Cancelled, false)] + public void CanAcceptApproval_ReturnsExpectedResult(CeremonyState state, bool expected) + { + Assert.Equal(expected, CeremonyStateMachine.CanAcceptApproval(state)); + } + + [Theory] + [InlineData(CeremonyState.Pending, false)] + [InlineData(CeremonyState.PartiallyApproved, false)] + [InlineData(CeremonyState.Approved, true)] + [InlineData(CeremonyState.Executed, false)] + [InlineData(CeremonyState.Expired, false)] + [InlineData(CeremonyState.Cancelled, false)] + public void CanExecute_ReturnsExpectedResult(CeremonyState state, bool expected) + { + Assert.Equal(expected, CeremonyStateMachine.CanExecute(state)); + } + + [Theory] + [InlineData(CeremonyState.Pending, true)] + [InlineData(CeremonyState.PartiallyApproved, true)] + [InlineData(CeremonyState.Approved, true)] + [InlineData(CeremonyState.Executed, false)] + [InlineData(CeremonyState.Expired, false)] + [InlineData(CeremonyState.Cancelled, false)] + public void CanCancel_ReturnsExpectedResult(CeremonyState state, bool expected) + { + Assert.Equal(expected, CeremonyStateMachine.CanCancel(state)); + } + + [Theory] + [InlineData(CeremonyState.Pending, false)] + [InlineData(CeremonyState.PartiallyApproved, false)] + [InlineData(CeremonyState.Approved, false)] + [InlineData(CeremonyState.Executed, true)] + [InlineData(CeremonyState.Expired, true)] + [InlineData(CeremonyState.Cancelled, true)] + public void IsTerminalState_ReturnsExpectedResult(CeremonyState state, bool expected) + { + Assert.Equal(expected, CeremonyStateMachine.IsTerminalState(state)); + } + + [Fact] + public void GetStateDescription_ReturnsNonEmptyString() + { + foreach (var state in Enum.GetValues()) + { + var description = CeremonyStateMachine.GetStateDescription(state); + Assert.False(string.IsNullOrWhiteSpace(description)); + } + } + + [Theory] + [InlineData(CeremonyState.Pending, "Awaiting approvals")] + [InlineData(CeremonyState.Approved, "All approvals received, ready for execution")] + [InlineData(CeremonyState.Executed, "Operation executed successfully")] + [InlineData(CeremonyState.Expired, "Ceremony expired before completion")] + public void GetStateDescription_ReturnsExpectedDescription(CeremonyState state, string expected) + { + Assert.Equal(expected, CeremonyStateMachine.GetStateDescription(state)); + } +} diff --git a/src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Contract/PredicateTypesTests.cs b/src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Contract/PredicateTypesTests.cs new file mode 100644 index 000000000..67b2130c1 --- /dev/null +++ b/src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Contract/PredicateTypesTests.cs @@ -0,0 +1,181 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_015_SIGNER_path_witness_predicate (SIGNER-PW-002) +// + +using FluentAssertions; +using StellaOps.Signer.Core; +using StellaOps.TestKit; +using Xunit; + +namespace StellaOps.Signer.Tests.Contract; + +/// +/// Tests for PredicateTypes classification and allowlist behavior. +/// Sprint: SPRINT_20260112_015_SIGNER_path_witness_predicate (SIGNER-PW-002) +/// +[Trait("Category", TestCategories.Unit)] +public sealed class PredicateTypesTests +{ + [Theory] + [InlineData(PredicateTypes.PathWitnessCanonical)] + [InlineData(PredicateTypes.PathWitnessAlias1)] + [InlineData(PredicateTypes.PathWitnessAlias2)] + [InlineData(PredicateTypes.StellaOpsPathWitness)] + public void IsPathWitnessType_ReturnsTrueForAllPathWitnessTypes(string predicateType) + { + // Act + var result = PredicateTypes.IsPathWitnessType(predicateType); + + // Assert + result.Should().BeTrue($"{predicateType} should be recognized as a path witness type"); + } + + [Theory] + [InlineData(PredicateTypes.StellaOpsSbom)] + [InlineData(PredicateTypes.StellaOpsVex)] + [InlineData(PredicateTypes.StellaOpsPolicy)] + [InlineData(PredicateTypes.SlsaProvenanceV1)] + [InlineData("some-unknown-type")] + public void IsPathWitnessType_ReturnsFalseForNonPathWitnessTypes(string predicateType) + { + // Act + var result = PredicateTypes.IsPathWitnessType(predicateType); + + // Assert + result.Should().BeFalse($"{predicateType} should not be recognized as a path witness type"); + } + + [Theory] + [InlineData(PredicateTypes.PathWitnessCanonical)] + [InlineData(PredicateTypes.PathWitnessAlias1)] + [InlineData(PredicateTypes.PathWitnessAlias2)] + [InlineData(PredicateTypes.StellaOpsPathWitness)] + public void IsReachabilityRelatedType_ReturnsTrueForPathWitnessTypes(string predicateType) + { + // Act + var result = PredicateTypes.IsReachabilityRelatedType(predicateType); + + // Assert + result.Should().BeTrue($"{predicateType} should be classified as reachability-related"); + } + + [Theory] + [InlineData(PredicateTypes.StellaOpsCallGraph)] + [InlineData(PredicateTypes.StellaOpsReachability)] + [InlineData(PredicateTypes.StellaOpsRuntimeSignals)] + public void IsReachabilityRelatedType_ReturnsTrueForOtherReachabilityTypes(string predicateType) + { + // Act + var result = PredicateTypes.IsReachabilityRelatedType(predicateType); + + // Assert + result.Should().BeTrue($"{predicateType} should be classified as reachability-related"); + } + + [Fact] + public void GetAllowedPredicateTypes_ContainsAllPathWitnessTypes() + { + // Act + var allowedTypes = PredicateTypes.GetAllowedPredicateTypes().ToList(); + + // Assert + allowedTypes.Should().Contain(PredicateTypes.PathWitnessCanonical); + allowedTypes.Should().Contain(PredicateTypes.PathWitnessAlias1); + allowedTypes.Should().Contain(PredicateTypes.PathWitnessAlias2); + allowedTypes.Should().Contain(PredicateTypes.StellaOpsPathWitness); + } + + [Theory] + [InlineData(PredicateTypes.PathWitnessCanonical)] + [InlineData(PredicateTypes.PathWitnessAlias1)] + [InlineData(PredicateTypes.PathWitnessAlias2)] + [InlineData(PredicateTypes.StellaOpsPathWitness)] + public void IsAllowedPredicateType_ReturnsTrueForPathWitnessTypes(string predicateType) + { + // Act + var result = PredicateTypes.IsAllowedPredicateType(predicateType); + + // Assert + result.Should().BeTrue($"{predicateType} should be in the allowed predicate list"); + } + + [Theory] + [InlineData("https://stella.ops/predicates/path-witness/v1")] + [InlineData("https://stella.ops/pathWitness/v1")] + [InlineData("https://stella.ops/other/predicate")] + [InlineData("https://stella-ops.org/predicates/test")] + public void IsStellaOpsType_RecognizesStellaOpsUriPrefixes(string predicateType) + { + // Act + var result = PredicateTypes.IsStellaOpsType(predicateType); + + // Assert + result.Should().BeTrue($"{predicateType} should be recognized as a StellaOps type"); + } + + [Theory] + [InlineData("stella.ops/pathWitness@v1")] + [InlineData("stella.ops/sbom@v1")] + [InlineData("stella.ops/vex@v1")] + public void IsStellaOpsType_RecognizesStellaOpsDotSyntax(string predicateType) + { + // Act + var result = PredicateTypes.IsStellaOpsType(predicateType); + + // Assert + result.Should().BeTrue($"{predicateType} should be recognized as a StellaOps type"); + } + + [Theory] + [InlineData("https://slsa.dev/provenance/v1")] + [InlineData("https://in-toto.io/Statement/v1")] + [InlineData("https://example.com/custom-predicate")] + public void IsStellaOpsType_ReturnsFalseForNonStellaOpsTypes(string predicateType) + { + // Act + var result = PredicateTypes.IsStellaOpsType(predicateType); + + // Assert + result.Should().BeFalse($"{predicateType} should not be recognized as a StellaOps type"); + } + + [Fact] + public void PathWitnessConstants_HaveCorrectValues() + { + // Assert + PredicateTypes.PathWitnessCanonical.Should().Be("https://stella.ops/predicates/path-witness/v1"); + PredicateTypes.PathWitnessAlias1.Should().Be("stella.ops/pathWitness@v1"); + PredicateTypes.PathWitnessAlias2.Should().Be("https://stella.ops/pathWitness/v1"); + PredicateTypes.StellaOpsPathWitness.Should().Be("stella.ops/pathWitness@v1"); + } + + [Fact] + public void PathWitnessAlias1_EqualsLegacyStellaOpsPathWitness() + { + // The alias should equal the legacy constant for backward compatibility + PredicateTypes.PathWitnessAlias1.Should().Be(PredicateTypes.StellaOpsPathWitness); + } + + [Fact] + public void AllowedTypes_NoDuplicates() + { + // Act + var allowedTypes = PredicateTypes.GetAllowedPredicateTypes().ToList(); + var distinctTypes = allowedTypes.Distinct().ToList(); + + // Assert + allowedTypes.Count.Should().Be(distinctTypes.Count, "allowed types should not have duplicates"); + } + + [Fact] + public void AllowedTypes_IsDeterministicallyOrdered() + { + // Act + var types1 = PredicateTypes.GetAllowedPredicateTypes().ToList(); + var types2 = PredicateTypes.GetAllowedPredicateTypes().ToList(); + + // Assert - Same order on multiple calls + types1.Should().BeEquivalentTo(types2, options => options.WithStrictOrdering()); + } +} diff --git a/src/Web/StellaOps.Web/src/app/core/api/advisory-ai.client.ts b/src/Web/StellaOps.Web/src/app/core/api/advisory-ai.client.ts index 7e5ed7fc6..75f503cc7 100644 --- a/src/Web/StellaOps.Web/src/app/core/api/advisory-ai.client.ts +++ b/src/Web/StellaOps.Web/src/app/core/api/advisory-ai.client.ts @@ -22,6 +22,11 @@ import { AiJustifyResponse, AiRateLimitInfo, AiQueryOptions, + // Sprint: SPRINT_20260112_012_FE_remediation_pr_ui_wiring (REMPR-FE-001) + RemediationPrCreateRequest, + RemediationPrCreateResponse, + ScmConnectionInfo, + RemediationPrSettings, } from './advisory-ai.models'; export interface AdvisoryAiApi { @@ -32,6 +37,11 @@ export interface AdvisoryAiApi { remediate(request: AiRemediateRequest, options?: AiQueryOptions): Observable; justify(request: AiJustifyRequest, options?: AiQueryOptions): Observable; getRateLimits(options?: AiQueryOptions): Observable; + + // Sprint: SPRINT_20260112_012_FE_remediation_pr_ui_wiring (REMPR-FE-001) + createRemediationPr(request: RemediationPrCreateRequest, options?: AiQueryOptions): Observable; + getScmConnections(options?: AiQueryOptions): Observable; + getRemediationPrSettings(options?: AiQueryOptions): Observable; } export const ADVISORY_AI_API = new InjectionToken('ADVISORY_AI_API'); @@ -92,6 +102,32 @@ export class AdvisoryAiApiHttpClient implements AdvisoryAiApi { ); } + // Sprint: SPRINT_20260112_012_FE_remediation_pr_ui_wiring (REMPR-FE-001) + createRemediationPr(request: RemediationPrCreateRequest, options: AiQueryOptions = {}): Observable { + const traceId = options.traceId ?? generateTraceId(); + return this.http.post( + `${this.baseUrl}/remediate/${request.remediationId}/pr`, + request, + { headers: this.buildHeaders(traceId) } + ).pipe( + catchError((err) => throwError(() => this.mapError(err, traceId))) + ); + } + + getScmConnections(options: AiQueryOptions = {}): Observable { + const traceId = options.traceId ?? generateTraceId(); + return this.http.get(`${this.baseUrl}/scm-connections`, { headers: this.buildHeaders(traceId) }).pipe( + catchError((err) => throwError(() => this.mapError(err, traceId))) + ); + } + + getRemediationPrSettings(options: AiQueryOptions = {}): Observable { + const traceId = options.traceId ?? generateTraceId(); + return this.http.get(`${this.baseUrl}/remediation-pr/settings`, { headers: this.buildHeaders(traceId) }).pipe( + catchError((err) => throwError(() => this.mapError(err, traceId))) + ); + } + private buildHeaders(traceId: string): HttpHeaders { const tenant = this.authSession.getActiveTenantId() || ''; return new HttpHeaders({ @@ -182,4 +218,65 @@ export class MockAdvisoryAiClient implements AdvisoryAiApi { { feature: 'justify', limit: 3, remaining: 3, resetsAt: new Date(Date.now() + 60000).toISOString() }, ]).pipe(delay(50)); } + + // Sprint: SPRINT_20260112_012_FE_remediation_pr_ui_wiring (REMPR-FE-001) + createRemediationPr(request: RemediationPrCreateRequest): Observable { + if (request.dryRun) { + return of({ + success: true, + prInfo: { + prId: `pr-dry-run-${Date.now()}`, + prNumber: 0, + prUrl: '', + branch: `remediation/${request.remediationId}`, + status: 'draft' as const, + createdAt: new Date().toISOString(), + }, + }).pipe(delay(500)); + } + return of({ + success: true, + prInfo: { + prId: `pr-${Date.now()}`, + prNumber: Math.floor(Math.random() * 1000) + 100, + prUrl: `https://github.com/example/repo/pull/${Math.floor(Math.random() * 1000) + 100}`, + branch: `remediation/${request.remediationId}`, + status: 'open' as const, + createdAt: new Date().toISOString(), + ciStatus: 'pending' as const, + }, + evidenceCardId: request.attachEvidenceCard ? `ec-${Date.now()}` : undefined, + }).pipe(delay(2000)); + } + + getScmConnections(): Observable { + return of([ + { + connectionId: 'conn-github-1', + provider: 'github' as const, + displayName: 'GitHub (Organization)', + organization: 'example-org', + isDefault: true, + capabilities: { + canCreatePr: true, + canAddReviewers: true, + canAddLabels: true, + canAddAssignees: true, + canAttachFiles: false, + supportsEvidenceCards: true, + }, + }, + ]).pipe(delay(100)); + } + + getRemediationPrSettings(): Observable { + return of({ + enabled: true, + defaultAttachEvidenceCard: true, + defaultAddPrComment: true, + requireApproval: false, + defaultLabels: ['security', 'remediation'], + defaultReviewers: [], + }).pipe(delay(50)); + } } diff --git a/src/Web/StellaOps.Web/src/app/core/api/advisory-ai.models.ts b/src/Web/StellaOps.Web/src/app/core/api/advisory-ai.models.ts index 07ad5cb0a..af732cbce 100644 --- a/src/Web/StellaOps.Web/src/app/core/api/advisory-ai.models.ts +++ b/src/Web/StellaOps.Web/src/app/core/api/advisory-ai.models.ts @@ -1,6 +1,8 @@ /** * Advisory AI models for AI-assisted vulnerability analysis. * Implements VEX-AI-007 through VEX-AI-010. + * Sprint: SPRINT_20260112_012_FE_remediation_pr_ui_wiring (REMPR-FE-001) + * Updated: Added PR creation fields to remediation response */ // AI Consent @@ -80,6 +82,34 @@ export interface AiRemediateResponse { modelVersion: string; generatedAt: string; traceId?: string; + + // Sprint: SPRINT_20260112_012_FE_remediation_pr_ui_wiring (REMPR-FE-001) + // PR creation fields + + /** Whether PR creation is available for this remediation */ + prCreationAvailable?: boolean; + + /** Active PR if one was created from this remediation */ + activePr?: RemediationPrInfo; + + /** Evidence card ID if attached to a PR */ + evidenceCardId?: string; +} + +/** + * PR info specific to remediation context. + * Sprint: SPRINT_20260112_012_FE_remediation_pr_ui_wiring (REMPR-FE-001) + */ +export interface RemediationPrInfo { + prId: string; + prNumber: number; + prUrl: string; + branch: string; + status: PullRequestStatus; + createdAt: string; + updatedAt?: string; + ciStatus?: CiCheckStatus; + evidenceCardId?: string; } export interface AiRemediationStep { @@ -129,3 +159,177 @@ export interface AiQueryOptions { traceId?: string; timeout?: number; } + +// Pull Request Types - Support for remediation PR generation + +export type PullRequestStatus = + | 'draft' + | 'open' + | 'review_requested' + | 'approved' + | 'changes_requested' + | 'merged' + | 'closed'; + +export type CiCheckStatus = 'pending' | 'running' | 'success' | 'failure' | 'skipped'; + +export interface CiCheck { + name: string; + status: CiCheckStatus; + conclusion?: string; + url?: string; + startedAt?: string; + completedAt?: string; +} + +export interface PullRequestReviewer { + username: string; + avatarUrl?: string; + status: 'pending' | 'approved' | 'changes_requested' | 'commented'; + reviewedAt?: string; +} + +export interface PullRequestInfo { + prId: string; + prNumber: number; + title: string; + description?: string; + status: PullRequestStatus; + prUrl: string; + sourceBranch: string; + targetBranch: string; + createdAt: string; + updatedAt?: string; + mergedAt?: string; + closedAt?: string; + authorUsername: string; + authorAvatarUrl?: string; + ciChecks?: CiCheck[]; + reviewers?: PullRequestReviewer[]; + labels?: string[]; + commitSha?: string; + additions?: number; + deletions?: number; + changedFiles?: number; +} + +// PR Generation Request/Response types + +export interface PrGenerationRequest { + planId: string; + repository: string; + organization: string; + scmType: 'github' | 'gitlab' | 'bitbucket' | 'azure'; + targetBranch?: string; + title?: string; + labels?: string[]; + assignees?: string[]; + reviewers?: string[]; + dryRun?: boolean; +} + +export interface PrGenerationResponse { + prId: string; + prNumber: number; + prUrl: string; + title: string; + body: string; + status: PullRequestStatus; + sourceBranch: string; + targetBranch: string; + createdAt: string; + dryRun: boolean; +} + +// PR list request +export interface PrListRequest { + repository?: string; + organization?: string; + status?: PullRequestStatus; + planId?: string; + limit?: number; + offset?: number; +} + +// Sprint: SPRINT_20260112_012_FE_remediation_pr_ui_wiring (REMPR-FE-001) +// Remediation-specific PR creation models + +/** + * Request to create a PR from remediation guidance. + */ +export interface RemediationPrCreateRequest { + remediationId: string; + scmConnectionId: string; + repository: string; + targetBranch?: string; + title?: string; + description?: string; + labels?: string[]; + assignees?: string[]; + reviewers?: string[]; + attachEvidenceCard?: boolean; + addPrComment?: boolean; + dryRun?: boolean; +} + +/** + * Response from remediation PR creation. + */ +export interface RemediationPrCreateResponse { + success: boolean; + prInfo?: RemediationPrInfo; + evidenceCardId?: string; + error?: string; + errorCode?: RemediationPrErrorCode; +} + +/** + * Error codes for remediation PR creation. + */ +export type RemediationPrErrorCode = + | 'no_scm_connection' + | 'scm_auth_failed' + | 'repository_not_found' + | 'branch_conflict' + | 'rate_limited' + | 'remediation_expired' + | 'pr_already_exists' + | 'insufficient_permissions' + | 'internal_error'; + +/** + * SCM connection info for PR creation. + */ +export interface ScmConnectionInfo { + connectionId: string; + provider: 'github' | 'gitlab' | 'bitbucket' | 'azure'; + displayName: string; + organization?: string; + isDefault: boolean; + lastUsedAt?: string; + capabilities: ScmCapabilities; +} + +/** + * SCM provider capabilities. + */ +export interface ScmCapabilities { + canCreatePr: boolean; + canAddReviewers: boolean; + canAddLabels: boolean; + canAddAssignees: boolean; + canAttachFiles: boolean; + supportsEvidenceCards: boolean; +} + +/** + * Remediation PR settings. + */ +export interface RemediationPrSettings { + enabled: boolean; + defaultAttachEvidenceCard: boolean; + defaultAddPrComment: boolean; + requireApproval: boolean; + defaultLabels: string[]; + defaultReviewers: string[]; +} diff --git a/src/Web/StellaOps.Web/src/app/core/api/determinization-config.client.ts b/src/Web/StellaOps.Web/src/app/core/api/determinization-config.client.ts new file mode 100644 index 000000000..4ab58a3b3 --- /dev/null +++ b/src/Web/StellaOps.Web/src/app/core/api/determinization-config.client.ts @@ -0,0 +1,161 @@ +// Sprint: SPRINT_20260112_013_FE_determinization_config_pane (FE-CONFIG-001) +// Determinization Config API Client and Models + +import { Injectable, inject } from '@angular/core'; +import { HttpClient } from '@angular/common/http'; +import { Observable } from 'rxjs'; + +// Sprint: SPRINT_20260112_013_FE_determinization_config_pane (FE-CONFIG-001) +// Determinization Configuration Models + +export interface ReanalysisTriggerConfig { + epssDeltaThreshold: number; + triggerOnThresholdCrossing: boolean; + triggerOnRekorEntry: boolean; + triggerOnVexStatusChange: boolean; + triggerOnRuntimeTelemetryChange: boolean; + triggerOnPatchProofAdded: boolean; + triggerOnDsseValidationChange: boolean; + triggerOnToolVersionChange: boolean; +} + +export interface ConflictHandlingPolicy { + vexReachabilityContradiction: ConflictAction; + staticRuntimeMismatch: ConflictAction; + backportStatusAmbiguity: ConflictAction; + vexStatusConflict: ConflictAction; + escalationSeverityThreshold: number; + conflictTtlHours: number; +} + +export type ConflictAction = + | 'RequireManualReview' + | 'AutoAcceptLowerSeverity' + | 'AutoRejectHigherSeverity' + | 'Escalate' + | 'DeferToNextReanalysis' + | 'RequestVendorClarification'; + +export interface EnvironmentThreshold { + epssThreshold: number; + uncertaintyFactor: number; + exploitPressureWeight: number; + reachabilityWeight: number; + minScore: number; + maxScore: number; +} + +export interface EnvironmentThresholds { + development: EnvironmentThreshold; + staging: EnvironmentThreshold; + production: EnvironmentThreshold; +} + +export interface DeterminizationConfig { + triggers: ReanalysisTriggerConfig; + conflicts: ConflictHandlingPolicy; + thresholds: EnvironmentThresholds; +} + +export interface EffectiveConfigResponse { + config: DeterminizationConfig; + isDefault: boolean; + tenantId?: string; + lastUpdatedAt?: string; + lastUpdatedBy?: string; + version: number; +} + +export interface UpdateConfigRequest { + config: DeterminizationConfig; + reason: string; +} + +export interface ValidationResponse { + isValid: boolean; + errors: string[]; + warnings: string[]; +} + +export interface AuditEntry { + id: string; + changedAt: string; + actor: string; + reason: string; + source?: string; + summary?: string; +} + +export interface AuditHistoryResponse { + entries: AuditEntry[]; +} + +// Default values for UI +export const DEFAULT_TRIGGER_CONFIG: ReanalysisTriggerConfig = { + epssDeltaThreshold: 0.2, + triggerOnThresholdCrossing: true, + triggerOnRekorEntry: true, + triggerOnVexStatusChange: true, + triggerOnRuntimeTelemetryChange: true, + triggerOnPatchProofAdded: true, + triggerOnDsseValidationChange: true, + triggerOnToolVersionChange: false, +}; + +export const CONFLICT_ACTION_LABELS: Record = { + RequireManualReview: 'Require Manual Review', + AutoAcceptLowerSeverity: 'Auto-Accept (Lower Severity)', + AutoRejectHigherSeverity: 'Auto-Reject (Higher Severity)', + Escalate: 'Escalate', + DeferToNextReanalysis: 'Defer to Next Reanalysis', + RequestVendorClarification: 'Request Vendor Clarification', +}; + +export const ENVIRONMENT_LABELS: Record = { + development: 'Development', + staging: 'Staging', + production: 'Production', +}; + +@Injectable({ providedIn: 'root' }) +export class DeterminizationConfigClient { + private readonly http = inject(HttpClient); + private readonly baseUrl = '/api/v1/policy/config/determinization'; + + /** + * Get effective determinization configuration for the current tenant. + */ + getEffectiveConfig(): Observable { + return this.http.get(this.baseUrl); + } + + /** + * Get default determinization configuration. + */ + getDefaultConfig(): Observable { + return this.http.get(`${this.baseUrl}/defaults`); + } + + /** + * Update determinization configuration (admin only). + */ + updateConfig(request: UpdateConfigRequest): Observable { + return this.http.put(this.baseUrl, request); + } + + /** + * Validate configuration without saving. + */ + validateConfig(config: DeterminizationConfig): Observable { + return this.http.post(`${this.baseUrl}/validate`, { config }); + } + + /** + * Get audit history for configuration changes. + */ + getAuditHistory(limit = 50): Observable { + return this.http.get(`${this.baseUrl}/audit`, { + params: { limit: limit.toString() }, + }); + } +} diff --git a/src/Web/StellaOps.Web/src/app/core/api/evidence-pack.models.ts b/src/Web/StellaOps.Web/src/app/core/api/evidence-pack.models.ts index 23d755bb9..b4b2bbb0c 100644 --- a/src/Web/StellaOps.Web/src/app/core/api/evidence-pack.models.ts +++ b/src/Web/StellaOps.Web/src/app/core/api/evidence-pack.models.ts @@ -131,7 +131,18 @@ export interface EvidencePackVerificationResult { // ========== Export ========== -export type EvidencePackExportFormat = 'Json' | 'SignedJson' | 'Markdown' | 'Html' | 'Pdf'; +/** + * Evidence pack export formats. + * Sprint: SPRINT_20260112_006_FE_evidence_card_ui (EVPCARD-FE-001) + */ +export type EvidencePackExportFormat = + | 'Json' + | 'SignedJson' + | 'Markdown' + | 'Html' + | 'Pdf' + | 'EvidenceCard' + | 'EvidenceCardCompact'; export interface EvidencePackExport { packId: string; @@ -141,6 +152,62 @@ export interface EvidencePackExport { fileName: string; } +// ========== Evidence Card ========== + +/** + * Evidence card models for single-file export with SBOM excerpt and Rekor receipt. + * Sprint: SPRINT_20260112_006_FE_evidence_card_ui (EVPCARD-FE-001) + */ +export interface EvidenceCard { + cardId: string; + version: string; + packId: string; + createdAt: string; + subject: EvidenceCardSubject; + envelope?: DsseEnvelope; + sbomExcerpt?: SbomExcerpt; + rekorReceipt?: RekorReceipt; + contentDigest: string; +} + +export interface EvidenceCardSubject { + type: EvidenceSubjectType; + findingId?: string; + cveId?: string; + component?: string; + imageDigest?: string; +} + +export interface SbomExcerpt { + format: 'spdx-2.2' | 'spdx-2.3' | 'cyclonedx-1.5' | 'cyclonedx-1.6'; + componentName?: string; + componentVersion?: string; + componentPurl?: string; + licenses?: string[]; + vulnerabilities?: string[]; +} + +export interface RekorReceipt { + logIndex: number; + logId: string; + integratedTime: number; + inclusionProof?: InclusionProof; + inclusionPromise?: SignedEntryTimestamp; +} + +export interface InclusionProof { + logIndex: number; + rootHash: string; + treeSize: number; + hashes: string[]; +} + +export interface SignedEntryTimestamp { + logId: string; + integratedTime: number; + signature: string; +} + // ========== API Request/Response ========== export interface CreateEvidencePackRequest { diff --git a/src/Web/StellaOps.Web/src/app/core/api/scoring.models.ts b/src/Web/StellaOps.Web/src/app/core/api/scoring.models.ts index 2c9195959..e3b03b52c 100644 --- a/src/Web/StellaOps.Web/src/app/core/api/scoring.models.ts +++ b/src/Web/StellaOps.Web/src/app/core/api/scoring.models.ts @@ -1,6 +1,8 @@ /** * Evidence-Weighted Score (EWS) models. * Based on API endpoints from Sprint 8200.0012.0004. + * Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-001) + * Updated: Added reduction profile, hard-fail, and anchor fields */ /** @@ -11,13 +13,39 @@ export type ScoreBucket = 'ActNow' | 'ScheduleNext' | 'Investigate' | 'Watchlist /** * Score flags indicating evidence characteristics. */ -export type ScoreFlag = 'live-signal' | 'proven-path' | 'vendor-na' | 'speculative'; +export type ScoreFlag = 'live-signal' | 'proven-path' | 'vendor-na' | 'speculative' | 'anchored' | 'hard-fail'; /** * Trigger types for score changes. */ export type ScoreChangeTrigger = 'evidence_update' | 'policy_change' | 'scheduled'; +/** + * Reduction mode for attested score reduction. + * Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-001) + */ +export type ReductionMode = 'none' | 'light' | 'standard' | 'aggressive' | 'custom'; + +/** + * Short-circuit reason for score calculation. + * Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-001) + */ +export type ShortCircuitReason = + | 'none' + | 'hard_fail_kev' + | 'hard_fail_exploited' + | 'hard_fail_critical_reachable' + | 'not_affected_vendor' + | 'not_affected_vex' + | 'runtime_confirmed' + | 'anchor_verified'; + +/** + * Hard-fail status for score outcomes. + * Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-001) + */ +export type HardFailStatus = 'none' | 'kev' | 'exploited' | 'critical_reachable' | 'policy_override'; + /** * Evidence dimension inputs (0.0 - 1.0 normalized). */ @@ -66,6 +94,52 @@ export interface AppliedGuardrails { runtimeFloor: boolean; } +/** + * Reduction profile metadata for attested score reduction. + * Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-001) + */ +export interface ReductionProfile { + /** Reduction mode applied */ + mode: ReductionMode; + /** Original score before reduction */ + originalScore: number; + /** Reduction amount applied */ + reductionAmount: number; + /** Reduction factor (0.0-1.0) */ + reductionFactor: number; + /** Evidence types that contributed to reduction */ + contributingEvidence: string[]; + /** Whether reduction was capped by policy */ + cappedByPolicy: boolean; + /** Policy max reduction percentage */ + maxReductionPercent?: number; +} + +/** + * Proof anchor for score attestation. + * Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-001) + */ +export interface ScoreProofAnchor { + /** Whether the score has a valid anchor */ + anchored: boolean; + /** DSSE envelope digest (sha256:...) */ + dsseDigest?: string; + /** Rekor transparency log index */ + rekorLogIndex?: number; + /** Rekor entry ID */ + rekorEntryId?: string; + /** Rekor log ID (tree hash) */ + rekorLogId?: string; + /** URI to full attestation */ + attestationUri?: string; + /** Anchor verification timestamp */ + verifiedAt?: string; + /** Anchor verification status */ + verificationStatus?: 'verified' | 'pending' | 'failed' | 'offline'; + /** Verification error if failed */ + verificationError?: string; +} + /** * Full evidence-weighted score result from API. */ @@ -92,6 +166,24 @@ export interface EvidenceWeightedScoreResult { calculatedAt: string; /** Cache expiry (optional) */ cachedUntil?: string; + + // Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-001) + // Reduction profile, hard-fail, and anchor fields + + /** Reduction profile metadata (if reduction was applied) */ + reductionProfile?: ReductionProfile; + + /** Short-circuit reason (if calculation was short-circuited) */ + shortCircuitReason?: ShortCircuitReason; + + /** Hard-fail status (if hard-fail triggered) */ + hardFailStatus?: HardFailStatus; + + /** Whether this is a hard-fail outcome */ + isHardFail?: boolean; + + /** Proof anchor for score attestation */ + proofAnchor?: ScoreProofAnchor; } /** @@ -398,13 +490,14 @@ export interface FlagDisplayInfo { /** * Default flag display configuration. + * Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-001) - Added anchored and hard-fail flags */ export const FLAG_DISPLAY: Record = { 'live-signal': { flag: 'live-signal', label: 'Live Signal', description: 'Active runtime signals detected from deployed environments', - icon: '\u{1F7E2}', // green circle + icon: '[R]', backgroundColor: '#059669', // emerald-600 textColor: '#FFFFFF', }, @@ -412,7 +505,7 @@ export const FLAG_DISPLAY: Record = { flag: 'proven-path', label: 'Proven Path', description: 'Verified reachability path to vulnerable code', - icon: '\u2713', // checkmark + icon: '[P]', backgroundColor: '#2563EB', // blue-600 textColor: '#FFFFFF', }, @@ -420,7 +513,7 @@ export const FLAG_DISPLAY: Record = { flag: 'vendor-na', label: 'Vendor N/A', description: 'Vendor has marked this as not affected', - icon: '\u2298', // circled division slash + icon: '[NA]', backgroundColor: '#6B7280', // gray-500 textColor: '#FFFFFF', }, @@ -428,8 +521,113 @@ export const FLAG_DISPLAY: Record = { flag: 'speculative', label: 'Speculative', description: 'Evidence is speculative or unconfirmed', - icon: '?', + icon: '[?]', backgroundColor: '#F97316', // orange-500 textColor: '#000000', }, + // Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-001) + anchored: { + flag: 'anchored', + label: 'Anchored', + description: 'Score is anchored with DSSE attestation and/or Rekor transparency log', + icon: '[A]', + backgroundColor: '#7C3AED', // violet-600 + textColor: '#FFFFFF', + }, + 'hard-fail': { + flag: 'hard-fail', + label: 'Hard Fail', + description: 'Policy hard-fail triggered - requires immediate remediation', + icon: '[!]', + backgroundColor: '#DC2626', // red-600 + textColor: '#FFFFFF', + }, }; + +// Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-001) +// Display helpers for reduction mode and short-circuit reasons + +/** + * Reduction mode display labels. + */ +export const REDUCTION_MODE_LABELS: Record = { + none: 'No Reduction', + light: 'Light Reduction', + standard: 'Standard Reduction', + aggressive: 'Aggressive Reduction', + custom: 'Custom Reduction', +}; + +/** + * Short-circuit reason display labels. + */ +export const SHORT_CIRCUIT_LABELS: Record = { + none: 'No Short-Circuit', + hard_fail_kev: 'KEV Hard Fail', + hard_fail_exploited: 'Exploited Hard Fail', + hard_fail_critical_reachable: 'Critical Reachable Hard Fail', + not_affected_vendor: 'Vendor Not Affected', + not_affected_vex: 'VEX Not Affected', + runtime_confirmed: 'Runtime Confirmed', + anchor_verified: 'Anchor Verified', +}; + +/** + * Hard-fail status display labels. + */ +export const HARD_FAIL_LABELS: Record = { + none: 'None', + kev: 'Known Exploited Vulnerability', + exploited: 'Actively Exploited', + critical_reachable: 'Critical and Reachable', + policy_override: 'Policy Override', +}; + +/** + * Anchor verification status display labels. + */ +export const ANCHOR_VERIFICATION_LABELS: Record = { + verified: 'Verified', + pending: 'Pending Verification', + failed: 'Verification Failed', + offline: 'Offline (Cannot Verify)', +}; + +/** + * Helper to check if score has anchored evidence. + */ +export function isAnchored(score: EvidenceWeightedScoreResult): boolean { + return score.proofAnchor?.anchored === true; +} + +/** + * Helper to check if score is a hard-fail outcome. + */ +export function isHardFail(score: EvidenceWeightedScoreResult): boolean { + return score.isHardFail === true || (score.hardFailStatus !== undefined && score.hardFailStatus !== 'none'); +} + +/** + * Helper to check if score was short-circuited. + */ +export function wasShortCircuited(score: EvidenceWeightedScoreResult): boolean { + return score.shortCircuitReason !== undefined && score.shortCircuitReason !== 'none'; +} + +/** + * Helper to check if score has reduction applied. + */ +export function hasReduction(score: EvidenceWeightedScoreResult): boolean { + return score.reductionProfile !== undefined && score.reductionProfile.mode !== 'none'; +} + +/** + * Helper to get reduction percentage. + */ +export function getReductionPercent(score: EvidenceWeightedScoreResult): number { + if (!score.reductionProfile || score.reductionProfile.originalScore === 0) { + return 0; + } + return Math.round((score.reductionProfile.reductionAmount / score.reductionProfile.originalScore) * 100); +} + diff --git a/src/Web/StellaOps.Web/src/app/core/api/unknowns.client.ts b/src/Web/StellaOps.Web/src/app/core/api/unknowns.client.ts index bebaee9cb..afb1a5508 100644 --- a/src/Web/StellaOps.Web/src/app/core/api/unknowns.client.ts +++ b/src/Web/StellaOps.Web/src/app/core/api/unknowns.client.ts @@ -1,4 +1,5 @@ // Sprint: SPRINT_20251229_033_FE - Unknowns Tracking UI +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) import { Injectable, inject } from '@angular/core'; import { HttpClient, HttpParams } from '@angular/common/http'; import { Observable } from 'rxjs'; @@ -10,12 +11,27 @@ import { UnknownFilter, IdentifyRequest, IdentifyResponse, + PolicyUnknown, + PolicyUnknownsSummary, + TriageRequest, + UnknownBand, } from './unknowns.models'; +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) +export interface PolicyUnknownsListResponse { + items: PolicyUnknown[]; + totalCount: number; +} + +export interface PolicyUnknownDetailResponse { + unknown: PolicyUnknown; +} + @Injectable({ providedIn: 'root' }) export class UnknownsClient { private readonly http = inject(HttpClient); private readonly baseUrl = '/api/v1/scanner/unknowns'; + private readonly policyBaseUrl = '/api/v1/policy/unknowns'; list(filter?: UnknownFilter, limit = 50, cursor?: string): Observable { let params = new HttpParams().set('limit', limit.toString()); @@ -50,4 +66,60 @@ export class UnknownsClient { if (filter?.status) params = params.set('status', filter.status); return this.http.get(`${this.baseUrl}/export`, { params, responseType: 'blob' }); } + + // Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) + // Policy unknowns grey queue methods + + /** + * List policy unknowns with grey queue fields. + */ + listPolicyUnknowns( + band?: UnknownBand, + limit = 50, + offset = 0 + ): Observable { + let params = new HttpParams() + .set('limit', limit.toString()) + .set('offset', offset.toString()); + if (band) params = params.set('band', band); + return this.http.get(this.policyBaseUrl, { params }); + } + + /** + * Get policy unknown detail with fingerprint, triggers, and conflict info. + */ + getPolicyUnknownDetail(id: string): Observable { + return this.http.get(`${this.policyBaseUrl}/${id}`); + } + + /** + * Get unknowns summary by band. + */ + getPolicyUnknownsSummary(): Observable { + return this.http.get(`${this.policyBaseUrl}/summary`); + } + + /** + * Apply triage action to an unknown (grey queue adjudication). + */ + triageUnknown(id: string, request: TriageRequest): Observable { + return this.http.post(`${this.policyBaseUrl}/${id}/triage`, request); + } + + /** + * Escalate an unknown for immediate attention. + */ + escalateUnknown(id: string, reason?: string): Observable { + return this.http.post(`${this.policyBaseUrl}/${id}/escalate`, { reason }); + } + + /** + * Resolve an unknown. + */ + resolveUnknown(id: string, resolution: string, note?: string): Observable { + return this.http.post(`${this.policyBaseUrl}/${id}/resolve`, { + resolution, + note, + }); + } } diff --git a/src/Web/StellaOps.Web/src/app/core/api/unknowns.models.ts b/src/Web/StellaOps.Web/src/app/core/api/unknowns.models.ts index 3965f42f7..4b110bcdb 100644 --- a/src/Web/StellaOps.Web/src/app/core/api/unknowns.models.ts +++ b/src/Web/StellaOps.Web/src/app/core/api/unknowns.models.ts @@ -1,9 +1,21 @@ // Sprint: SPRINT_20251229_033_FE - Unknowns Tracking UI +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) export type UnknownType = 'binary' | 'symbol' | 'package' | 'file' | 'license'; export type UnknownStatus = 'open' | 'pending' | 'resolved' | 'unresolvable'; export type ConfidenceLevel = 'very_low' | 'low' | 'medium' | 'high'; +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) +// Grey queue types for determinization +export type UnknownBand = 'hot' | 'warm' | 'cold'; +export type ObservationState = + | 'PendingDeterminization' + | 'DeterminedPass' + | 'DeterminedFail' + | 'Disputed' + | 'ManualReviewRequired'; +export type TriageAction = 'accept-risk' | 'require-fix' | 'defer' | 'escalate' | 'dispute'; + export interface Unknown { id: string; type: UnknownType; @@ -22,6 +34,83 @@ export interface Unknown { resolution?: UnknownResolution; } +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) +// Extended unknown for grey queue with determinization fields +export interface PolicyUnknown { + id: string; + packageId: string; + packageVersion: string; + band: UnknownBand; + score: number; + uncertaintyFactor: number; + exploitPressure: number; + firstSeenAt: string; + lastEvaluatedAt: string; + resolutionReason?: string; + resolvedAt?: string; + reasonCode: string; + reasonCodeShort: string; + remediationHint?: string; + detailedHint?: string; + automationCommand?: string; + evidenceRefs?: EvidenceRef[]; + // Grey queue determinization fields + fingerprintId?: string; + triggers?: ReanalysisTrigger[]; + nextActions?: string[]; + conflictInfo?: ConflictInfo; + observationState?: ObservationState; +} + +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) +export interface EvidenceRef { + type: string; + uri: string; + digest?: string; +} + +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) +export interface ReanalysisTrigger { + eventType: string; + eventVersion: number; + source?: string; + receivedAt: string; + correlationId?: string; +} + +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) +export interface ConflictInfo { + hasConflict: boolean; + severity: number; + suggestedPath: string; + conflicts: ConflictDetail[]; +} + +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) +export interface ConflictDetail { + signal1: string; + signal2: string; + type: string; + description: string; + severity: number; +} + +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) +export interface PolicyUnknownsSummary { + hot: number; + warm: number; + cold: number; + resolved: number; + total: number; +} + +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) +export interface TriageRequest { + action: TriageAction; + reason: string; + durationDays?: number; +} + export interface UnknownResolution { purl?: string; cpe?: string; @@ -134,3 +223,69 @@ export function getConfidenceColor(confidence: number): string { if (confidence >= 50) return 'text-yellow-600'; return 'text-red-600'; } + +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-001) +// Grey queue UI helpers + +export const BAND_COLORS: Record = { + hot: 'bg-red-100 text-red-800 border-red-300', + warm: 'bg-orange-100 text-orange-800 border-orange-300', + cold: 'bg-blue-100 text-blue-800 border-blue-300', +}; + +export const BAND_LABELS: Record = { + hot: 'HOT', + warm: 'WARM', + cold: 'COLD', +}; + +export const OBSERVATION_STATE_COLORS: Record = { + PendingDeterminization: 'bg-yellow-100 text-yellow-800', + DeterminedPass: 'bg-green-100 text-green-800', + DeterminedFail: 'bg-red-100 text-red-800', + Disputed: 'bg-purple-100 text-purple-800', + ManualReviewRequired: 'bg-orange-100 text-orange-800', +}; + +export const OBSERVATION_STATE_LABELS: Record = { + PendingDeterminization: 'Pending', + DeterminedPass: 'Pass', + DeterminedFail: 'Fail', + Disputed: 'Disputed', + ManualReviewRequired: 'Review Required', +}; + +export const TRIAGE_ACTION_LABELS: Record = { + 'accept-risk': 'Accept Risk', + 'require-fix': 'Require Fix', + defer: 'Defer', + escalate: 'Escalate', + dispute: 'Dispute', +}; + +export function getBandPriority(band: UnknownBand): number { + switch (band) { + case 'hot': + return 0; + case 'warm': + return 1; + case 'cold': + return 2; + default: + return 3; + } +} + +export function isGreyQueueState(state?: ObservationState): boolean { + return state === 'Disputed' || state === 'ManualReviewRequired'; +} + +export function hasConflicts(unknown: PolicyUnknown): boolean { + return unknown.conflictInfo?.hasConflict === true; +} + +export function getConflictSeverityColor(severity: number): string { + if (severity >= 0.8) return 'text-red-600'; + if (severity >= 0.5) return 'text-orange-600'; + return 'text-yellow-600'; +} diff --git a/src/Web/StellaOps.Web/src/app/core/api/witness.models.ts b/src/Web/StellaOps.Web/src/app/core/api/witness.models.ts index 74281b6fd..852aaee20 100644 --- a/src/Web/StellaOps.Web/src/app/core/api/witness.models.ts +++ b/src/Web/StellaOps.Web/src/app/core/api/witness.models.ts @@ -1,6 +1,8 @@ /** * Witness API models for reachability evidence. * Sprint: SPRINT_3700_0005_0001_witness_ui_cli (UI-005) + * Sprint: SPRINT_20260112_013_FE_witness_ui_wiring (FE-WIT-002) + * Updated: Added node_hashes, path_hash, evidence URIs, runtime evidence metadata */ /** @@ -53,6 +55,50 @@ export interface ReachabilityWitness { /** VEX recommendation based on reachability. */ vexRecommendation?: string; + + // Sprint: SPRINT_20260112_013_FE_witness_ui_wiring (FE-WIT-002) + // Path witness node hashes and path hash fields + + /** + * Hashes of individual nodes in the call path. + * Each hash is prefixed with algorithm (e.g., "sha256:abc123"). + */ + nodeHashes?: string[]; + + /** + * Hash of the complete path for deduplication and verification. + * Prefixed with algorithm (e.g., "blake3:def456"). + */ + pathHash?: string; + + /** + * Runtime evidence metadata (if available from dynamic analysis). + */ + runtimeEvidence?: RuntimeEvidenceMetadata; +} + +/** + * Runtime evidence metadata for dynamic analysis results. + * Sprint: SPRINT_20260112_013_FE_witness_ui_wiring (FE-WIT-002) + */ +export interface RuntimeEvidenceMetadata { + /** Whether runtime data is available. */ + available: boolean; + + /** Source of runtime data (e.g., "opentelemetry", "profiler", "tracer"). */ + source?: string; + + /** Timestamp of last runtime observation. */ + lastObservedAt?: string; + + /** Number of runtime invocations observed. */ + invocationCount?: number; + + /** Whether runtime data confirms static analysis. */ + confirmsStatic?: boolean; + + /** URI to full runtime trace if available. */ + traceUri?: string; } /** @@ -112,6 +158,24 @@ export interface WitnessEvidence { /** Additional evidence artifacts. */ artifacts?: EvidenceArtifact[]; + + // Sprint: SPRINT_20260112_013_FE_witness_ui_wiring (FE-WIT-002) + // Evidence URIs for linking to external artifacts + + /** URI to DSSE envelope if signed. */ + dsseUri?: string; + + /** URI to Rekor transparency log entry. */ + rekorUri?: string; + + /** URI to SBOM used for analysis. */ + sbomUri?: string; + + /** URI to call graph artifact. */ + callGraphUri?: string; + + /** URI to attestation bundle. */ + attestationUri?: string; } /** diff --git a/src/Web/StellaOps.Web/src/app/features/evidence-pack/evidence-pack-viewer.component.spec.ts b/src/Web/StellaOps.Web/src/app/features/evidence-pack/evidence-pack-viewer.component.spec.ts new file mode 100644 index 000000000..53adeb8bb --- /dev/null +++ b/src/Web/StellaOps.Web/src/app/features/evidence-pack/evidence-pack-viewer.component.spec.ts @@ -0,0 +1,221 @@ +/** + * Evidence Pack Viewer Component Tests + * Sprint: SPRINT_20260112_006_FE_evidence_card_ui (EVPCARD-FE-003) + * + * Tests for evidence pack viewer including evidence-card export functionality. + */ + +import { ComponentFixture, TestBed, fakeAsync, tick } from '@angular/core/testing'; +import { RouterTestingModule } from '@angular/router/testing'; +import { of, throwError } from 'rxjs'; + +import { EVIDENCE_PACK_API, type EvidencePackApi } from '../../core/api/evidence-pack.client'; +import { EvidencePackViewerComponent } from './evidence-pack-viewer.component'; +import type { EvidencePack, EvidencePackExportFormat } from '../../core/api/evidence-pack.models'; + +describe('EvidencePackViewerComponent', () => { + let fixture: ComponentFixture; + let component: EvidencePackViewerComponent; + let api: jasmine.SpyObj; + + const mockPack: EvidencePack = { + packId: 'pack-123', + version: '1.0.0', + createdAt: '2026-01-14T12:00:00Z', + tenantId: 'test-tenant', + subject: { + type: 'Finding', + findingId: 'FIND-001', + cveId: 'CVE-2024-1234', + component: 'pkg:npm/lodash@4.17.20', + }, + claims: [ + { + claimId: 'claim-001', + text: 'Vulnerability is not reachable', + type: 'Reachability', + status: 'not_affected', + confidence: 0.85, + evidenceIds: ['ev-001'], + source: 'system', + }, + ], + evidence: [ + { + evidenceId: 'ev-001', + type: 'Reachability', + uri: 'stellaops://reachability/FIND-001', + digest: 'sha256:abc123', + collectedAt: '2026-01-14T11:00:00Z', + snapshot: { type: 'reachability', data: { status: 'unreachable' } }, + }, + ], + contentDigest: 'sha256:def456', + }; + + beforeEach(async () => { + api = jasmine.createSpyObj('EvidencePackApi', [ + 'get', + 'list', + 'sign', + 'verify', + 'export', + 'create', + 'listByRun', + ]); + api.get.and.returnValue(of(mockPack)); + api.export.and.returnValue(of(new Blob(['{}'], { type: 'application/json' }))); + + await TestBed.configureTestingModule({ + imports: [RouterTestingModule, EvidencePackViewerComponent], + providers: [{ provide: EVIDENCE_PACK_API, useValue: api }], + }).compileComponents(); + + fixture = TestBed.createComponent(EvidencePackViewerComponent); + component = fixture.componentInstance; + }); + + it('creates the component', () => { + expect(component).toBeTruthy(); + }); + + describe('export menu', () => { + beforeEach(fakeAsync(() => { + component.packId = 'pack-123'; + fixture.detectChanges(); + tick(); + })); + + it('renders export menu with evidence card options', () => { + // Open the export menu + component.toggleExportMenu(); + fixture.detectChanges(); + + const exportMenu = fixture.nativeElement.querySelector('.export-menu'); + expect(exportMenu).toBeTruthy(); + + const buttons = exportMenu.querySelectorAll('button'); + const buttonTexts = Array.from(buttons).map((b: HTMLButtonElement) => b.textContent?.trim()); + + expect(buttonTexts).toContain('JSON'); + expect(buttonTexts).toContain('Signed JSON'); + expect(buttonTexts).toContain('Markdown'); + expect(buttonTexts).toContain('HTML'); + expect(buttonTexts).toContain('Evidence Card'); + expect(buttonTexts).toContain('Evidence Card (Compact)'); + }); + + it('renders export divider before evidence card options', () => { + component.toggleExportMenu(); + fixture.detectChanges(); + + const divider = fixture.nativeElement.querySelector('.export-divider'); + expect(divider).toBeTruthy(); + }); + + it('calls export API with EvidenceCard format', fakeAsync(() => { + component.onExport('EvidenceCard'); + tick(); + + expect(api.export).toHaveBeenCalledWith('pack-123', 'EvidenceCard', jasmine.any(Object)); + })); + + it('calls export API with EvidenceCardCompact format', fakeAsync(() => { + component.onExport('EvidenceCardCompact'); + tick(); + + expect(api.export).toHaveBeenCalledWith('pack-123', 'EvidenceCardCompact', jasmine.any(Object)); + })); + + it('triggers download for evidence card export', fakeAsync(() => { + const mockBlob = new Blob(['{"cardId":"card-123"}'], { + type: 'application/vnd.stellaops.evidence-card+json', + }); + api.export.and.returnValue(of(mockBlob)); + + // Spy on URL.createObjectURL and link creation + const createObjectURLSpy = spyOn(URL, 'createObjectURL').and.returnValue('blob:test'); + const revokeObjectURLSpy = spyOn(URL, 'revokeObjectURL'); + + component.onExport('EvidenceCard'); + tick(); + + expect(createObjectURLSpy).toHaveBeenCalled(); + expect(revokeObjectURLSpy).toHaveBeenCalled(); + })); + }); + + describe('export formats', () => { + const exportFormats: EvidencePackExportFormat[] = [ + 'Json', + 'SignedJson', + 'Markdown', + 'Html', + 'EvidenceCard', + 'EvidenceCardCompact', + ]; + + beforeEach(fakeAsync(() => { + component.packId = 'pack-123'; + fixture.detectChanges(); + tick(); + })); + + exportFormats.forEach((format) => { + it(`exports ${format} format successfully`, fakeAsync(() => { + const mockBlob = new Blob(['test'], { type: 'application/octet-stream' }); + api.export.and.returnValue(of(mockBlob)); + + component.onExport(format); + tick(); + + expect(api.export).toHaveBeenCalledWith('pack-123', format, jasmine.any(Object)); + })); + }); + }); + + describe('evidence card button styling', () => { + beforeEach(fakeAsync(() => { + component.packId = 'pack-123'; + fixture.detectChanges(); + tick(); + })); + + it('evidence card buttons have correct class', () => { + component.toggleExportMenu(); + fixture.detectChanges(); + + const evidenceCardBtns = fixture.nativeElement.querySelectorAll('.evidence-card-btn'); + expect(evidenceCardBtns.length).toBe(2); + }); + + it('evidence card buttons have icons', () => { + component.toggleExportMenu(); + fixture.detectChanges(); + + const evidenceCardBtns = fixture.nativeElement.querySelectorAll('.evidence-card-btn'); + evidenceCardBtns.forEach((btn: HTMLButtonElement) => { + const icon = btn.querySelector('.card-icon'); + expect(icon).toBeTruthy(); + }); + }); + }); + + describe('error handling', () => { + beforeEach(fakeAsync(() => { + component.packId = 'pack-123'; + fixture.detectChanges(); + tick(); + })); + + it('handles export error gracefully', fakeAsync(() => { + api.export.and.returnValue(throwError(() => new Error('Export failed'))); + + // Should not throw + expect(() => { + component.onExport('EvidenceCard'); + tick(); + }).not.toThrow(); + })); + }); +}); diff --git a/src/Web/StellaOps.Web/src/app/features/evidence-pack/evidence-pack-viewer.component.ts b/src/Web/StellaOps.Web/src/app/features/evidence-pack/evidence-pack-viewer.component.ts index 089cb62e9..4d49753a6 100644 --- a/src/Web/StellaOps.Web/src/app/features/evidence-pack/evidence-pack-viewer.component.ts +++ b/src/Web/StellaOps.Web/src/app/features/evidence-pack/evidence-pack-viewer.component.ts @@ -94,6 +94,21 @@ import { EVIDENCE_PACK_API } from '../../core/api/evidence-pack.client'; +
+ + } @@ -458,6 +473,25 @@ import { EVIDENCE_PACK_API } from '../../core/api/evidence-pack.client'; background: var(--bg-hover, #f3f4f6); } + /* Sprint: SPRINT_20260112_006_FE_evidence_card_ui (EVPCARD-FE-002) */ + .export-divider { + margin: 0.25rem 0; + border: none; + border-top: 1px solid var(--border-color, #e0e0e0); + } + + .evidence-card-btn { + display: flex !important; + align-items: center; + gap: 0.5rem; + } + + .evidence-card-btn .card-icon { + width: 16px; + height: 16px; + flex-shrink: 0; + } + .pack-section { padding: 1rem 1.5rem; border-bottom: 1px solid var(--border-color, #e0e0e0); diff --git a/src/Web/StellaOps.Web/src/app/features/settings/determinization-config-pane.component.spec.ts b/src/Web/StellaOps.Web/src/app/features/settings/determinization-config-pane.component.spec.ts new file mode 100644 index 000000000..5943402d9 --- /dev/null +++ b/src/Web/StellaOps.Web/src/app/features/settings/determinization-config-pane.component.spec.ts @@ -0,0 +1,256 @@ +// Sprint: SPRINT_20260112_013_FE_determinization_config_pane (FE-CONFIG-004) +// Determinization Configuration Pane Component Tests + +import { ComponentFixture, TestBed } from '@angular/core/testing'; +import { provideHttpClient } from '@angular/common/http'; +import { provideHttpClientTesting } from '@angular/common/http/testing'; +import { DeterminizationConfigPaneComponent } from './determinization-config-pane.component'; +import { + DeterminizationConfig, + EffectiveConfigResponse, + CONFLICT_ACTION_LABELS, + ENVIRONMENT_LABELS, +} from '../../core/api/determinization-config.client'; + +describe('DeterminizationConfigPaneComponent', () => { + let component: DeterminizationConfigPaneComponent; + let fixture: ComponentFixture; + + const mockConfig: DeterminizationConfig = { + triggers: { + epssDeltaThreshold: 0.2, + triggerOnThresholdCrossing: true, + triggerOnRekorEntry: true, + triggerOnVexStatusChange: true, + triggerOnRuntimeTelemetryChange: true, + triggerOnPatchProofAdded: true, + triggerOnDsseValidationChange: true, + triggerOnToolVersionChange: false, + }, + conflicts: { + vexReachabilityContradiction: 'RequireManualReview', + staticRuntimeMismatch: 'RequireManualReview', + backportStatusAmbiguity: 'RequireManualReview', + vexStatusConflict: 'RequestVendorClarification', + escalationSeverityThreshold: 0.85, + conflictTtlHours: 48, + }, + thresholds: { + development: { + epssThreshold: 0.7, + uncertaintyFactor: 0.8, + exploitPressureWeight: 0.3, + reachabilityWeight: 0.4, + minScore: 0, + maxScore: 100, + }, + staging: { + epssThreshold: 0.5, + uncertaintyFactor: 0.5, + exploitPressureWeight: 0.5, + reachabilityWeight: 0.5, + minScore: 0, + maxScore: 100, + }, + production: { + epssThreshold: 0.2, + uncertaintyFactor: 0.2, + exploitPressureWeight: 0.8, + reachabilityWeight: 0.7, + minScore: 0, + maxScore: 100, + }, + }, + }; + + const mockEffectiveConfig: EffectiveConfigResponse = { + config: mockConfig, + isDefault: false, + tenantId: 'test-tenant', + lastUpdatedAt: '2026-01-15T10:00:00Z', + lastUpdatedBy: 'admin@example.com', + version: 3, + }; + + beforeEach(async () => { + await TestBed.configureTestingModule({ + imports: [DeterminizationConfigPaneComponent], + providers: [provideHttpClient(), provideHttpClientTesting()], + }).compileComponents(); + + fixture = TestBed.createComponent(DeterminizationConfigPaneComponent); + component = fixture.componentInstance; + // Manually set config for testing + component['effectiveConfig'].set(mockEffectiveConfig); + component['loading'].set(false); + fixture.detectChanges(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); + + describe('config display', () => { + it('should display custom config badge when not default', () => { + expect(component.effectiveConfig()?.isDefault).toBe(false); + }); + + it('should display default config badge when using defaults', () => { + component['effectiveConfig'].set({ ...mockEffectiveConfig, isDefault: true }); + fixture.detectChanges(); + expect(component.effectiveConfig()?.isDefault).toBe(true); + }); + + it('should display EPSS delta threshold', () => { + expect(component.config()?.triggers.epssDeltaThreshold).toBe(0.2); + }); + + it('should display trigger toggle states', () => { + const triggers = component.config()?.triggers; + expect(triggers?.triggerOnThresholdCrossing).toBe(true); + expect(triggers?.triggerOnToolVersionChange).toBe(false); + }); + }); + + describe('edit mode', () => { + it('should not be in edit mode by default', () => { + expect(component.editMode()).toBe(false); + }); + + it('should enter edit mode when toggled', () => { + component.toggleEditMode(); + expect(component.editMode()).toBe(true); + expect(component.editConfig()).toBeTruthy(); + }); + + it('should deep clone config when entering edit mode', () => { + component.toggleEditMode(); + const editCfg = component.editConfig(); + expect(editCfg).not.toBe(component.config()); + expect(editCfg?.triggers.epssDeltaThreshold).toBe(0.2); + }); + + it('should cancel edit mode and clear edits', () => { + component.toggleEditMode(); // Enter + component.editConfig()!.triggers.epssDeltaThreshold = 0.5; + component.toggleEditMode(); // Cancel + expect(component.editMode()).toBe(false); + expect(component.editConfig()).toBeNull(); + // Original should be unchanged + expect(component.config()?.triggers.epssDeltaThreshold).toBe(0.2); + }); + + it('should only show edit button for admins', () => { + component.isAdmin.set(true); + fixture.detectChanges(); + expect(component.isAdmin()).toBe(true); + + component.isAdmin.set(false); + fixture.detectChanges(); + expect(component.isAdmin()).toBe(false); + }); + }); + + describe('conflict action labels', () => { + it('should return correct labels for conflict actions', () => { + expect(component.getConflictActionLabel('RequireManualReview')).toBe('Require Manual Review'); + expect(component.getConflictActionLabel('Escalate')).toBe('Escalate'); + expect(component.getConflictActionLabel('RequestVendorClarification')).toBe( + 'Request Vendor Clarification' + ); + }); + + it('should have labels for all conflict actions', () => { + const actions = component.conflictActions; + actions.forEach((action) => { + expect(CONFLICT_ACTION_LABELS[action]).toBeTruthy(); + }); + }); + }); + + describe('environment labels', () => { + it('should return correct labels for environments', () => { + expect(component.getEnvironmentLabel('development')).toBe('Development'); + expect(component.getEnvironmentLabel('staging')).toBe('Staging'); + expect(component.getEnvironmentLabel('production')).toBe('Production'); + }); + + it('should have labels for all environments', () => { + const envs = component.environments; + envs.forEach((env) => { + expect(ENVIRONMENT_LABELS[env]).toBeTruthy(); + }); + }); + }); + + describe('validation', () => { + it('should display validation errors when present', () => { + component['validationErrors'].set(['EPSS threshold must be between 0 and 1']); + fixture.detectChanges(); + expect(component.validationErrors().length).toBe(1); + }); + + it('should display validation warnings when present', () => { + component['validationWarnings'].set(['Low EPSS threshold may cause excessive reanalysis']); + fixture.detectChanges(); + expect(component.validationWarnings().length).toBe(1); + }); + + it('should clear validation state when canceling edit', () => { + component.toggleEditMode(); + component['validationErrors'].set(['Error']); + component['validationWarnings'].set(['Warning']); + component.toggleEditMode(); // Cancel + expect(component.validationErrors().length).toBe(0); + expect(component.validationWarnings().length).toBe(0); + }); + }); + + describe('deterministic rendering', () => { + it('should render trigger fields in consistent order', () => { + const fieldKeys = component.triggerFields.map((f) => f.key); + expect(fieldKeys).toEqual([ + 'triggerOnThresholdCrossing', + 'triggerOnRekorEntry', + 'triggerOnVexStatusChange', + 'triggerOnRuntimeTelemetryChange', + 'triggerOnPatchProofAdded', + 'triggerOnDsseValidationChange', + 'triggerOnToolVersionChange', + ]); + }); + + it('should render conflict fields in consistent order', () => { + const fieldKeys = component.conflictFields.map((f) => f.key); + expect(fieldKeys).toEqual([ + 'vexReachabilityContradiction', + 'staticRuntimeMismatch', + 'backportStatusAmbiguity', + 'vexStatusConflict', + ]); + }); + + it('should render environments in consistent order', () => { + expect(component.environments).toEqual(['development', 'staging', 'production']); + }); + + it('should render conflict actions in consistent order', () => { + expect(component.conflictActions).toEqual([ + 'RequireManualReview', + 'AutoAcceptLowerSeverity', + 'AutoRejectHigherSeverity', + 'Escalate', + 'DeferToNextReanalysis', + 'RequestVendorClarification', + ]); + }); + }); + + describe('metadata display', () => { + it('should display last updated info', () => { + expect(component.effectiveConfig()?.lastUpdatedAt).toBe('2026-01-15T10:00:00Z'); + expect(component.effectiveConfig()?.lastUpdatedBy).toBe('admin@example.com'); + expect(component.effectiveConfig()?.version).toBe(3); + }); + }); +}); diff --git a/src/Web/StellaOps.Web/src/app/features/settings/determinization-config-pane.component.ts b/src/Web/StellaOps.Web/src/app/features/settings/determinization-config-pane.component.ts new file mode 100644 index 000000000..9e55e42f5 --- /dev/null +++ b/src/Web/StellaOps.Web/src/app/features/settings/determinization-config-pane.component.ts @@ -0,0 +1,465 @@ +// Sprint: SPRINT_20260112_013_FE_determinization_config_pane (FE-CONFIG-002, FE-CONFIG-003) +// Determinization Configuration Pane Component + +import { Component, OnInit, inject, signal, computed } from '@angular/core'; +import { CommonModule, DatePipe } from '@angular/common'; +import { FormsModule } from '@angular/forms'; +import { + DeterminizationConfigClient, + DeterminizationConfig, + EffectiveConfigResponse, + ReanalysisTriggerConfig, + ConflictHandlingPolicy, + EnvironmentThreshold, + ConflictAction, + ValidationResponse, + AuditEntry, + CONFLICT_ACTION_LABELS, + ENVIRONMENT_LABELS, + DEFAULT_TRIGGER_CONFIG, +} from '../../core/api/determinization-config.client'; + +@Component({ + selector: 'stella-determinization-config-pane', + standalone: true, + imports: [CommonModule, DatePipe, FormsModule], + template: ` +
+ +
+
+

Determinization Configuration

+

+ Configure reanalysis triggers, conflict handling, and environment thresholds +

+
+
+ @if (effectiveConfig()?.isDefault) { + Using Defaults + } @else { + Custom Config + } + @if (isAdmin()) { + + } +
+
+ + @if (loading()) { +
+
+
+ } @else if (error()) { +
+ {{ error() }} +
+ } @else if (config()) { + + @if (validationErrors().length > 0) { +
+

Validation Errors

+
    + @for (err of validationErrors(); track err) { +
  • {{ err }}
    • + } +
+
+ } + + @if (validationWarnings().length > 0) { +
+

Warnings

+
    + @for (warn of validationWarnings(); track warn) { +
  • {{ warn }}
    • + } +
+
+ } + + +
+

Reanalysis Triggers

+
+ +
+ + @if (editMode()) { + + } @else { + + {{ config()!.triggers.epssDeltaThreshold | number:'1.2-2' }} + + } +

Minimum EPSS change to trigger reanalysis

+
+ + + @for (trigger of triggerFields; track trigger.key) { +
+ {{ trigger.label }} + @if (editMode()) { + + } @else { + + {{ config()!.triggers[trigger.key] ? 'Enabled' : 'Disabled' }} + + } +
+ } +
+
+ + +
+

Conflict Handling Policy

+
+ @for (conflict of conflictFields; track conflict.key) { +
+ + @if (editMode()) { + + } @else { + + {{ getConflictActionLabel(config()!.conflicts[conflict.key]) }} + + } +
+ } + + +
+ + @if (editMode()) { + + } @else { + + {{ config()!.conflicts.escalationSeverityThreshold | number:'1.2-2' }} + + } +
+ + +
+ + @if (editMode()) { + + } @else { + + {{ config()!.conflicts.conflictTtlHours }} hours + + } +
+
+
+ + +
+

Environment Thresholds

+
+ + + + + + + + + + + + @for (env of environments; track env) { + + + + + + + + } + +
EnvironmentEPSS ThresholdUncertaintyMin ScoreMax Score
{{ getEnvironmentLabel(env) }} + @if (editMode()) { + + } @else { + {{ config()!.thresholds[env].epssThreshold | number:'1.2-2' }} + } + + @if (editMode()) { + + } @else { + {{ config()!.thresholds[env].uncertaintyFactor | number:'1.1-1' }} + } + + @if (editMode()) { + + } @else { + {{ config()!.thresholds[env].minScore }} + } + + @if (editMode()) { + + } @else { + {{ config()!.thresholds[env].maxScore }} + } +
+
+
+ + + @if (editMode()) { +
+
+ +
+ + +
+ } + + + @if (effectiveConfig()?.lastUpdatedAt) { +
+ Last updated: {{ effectiveConfig()!.lastUpdatedAt | date:'medium' }} + by {{ effectiveConfig()!.lastUpdatedBy || 'system' }} + (version {{ effectiveConfig()!.version }}) +
+ } + } +
+ `, + styles: [ + ` + .determinization-config-pane { + max-width: 900px; + } + `, + ], +}) +export class DeterminizationConfigPaneComponent implements OnInit { + private readonly client = inject(DeterminizationConfigClient); + + readonly loading = signal(true); + readonly saving = signal(false); + readonly error = signal(null); + readonly effectiveConfig = signal(null); + readonly editMode = signal(false); + readonly editConfig = signal(null); + readonly validationErrors = signal([]); + readonly validationWarnings = signal([]); + + saveReason = ''; + + readonly config = computed(() => this.effectiveConfig()?.config); + + // For admin check - in real app would come from auth service + isAdmin = signal(true); + + readonly triggerFields = [ + { key: 'triggerOnThresholdCrossing' as const, label: 'Threshold Crossing' }, + { key: 'triggerOnRekorEntry' as const, label: 'New Rekor Entry' }, + { key: 'triggerOnVexStatusChange' as const, label: 'VEX Status Change' }, + { key: 'triggerOnRuntimeTelemetryChange' as const, label: 'Runtime Telemetry Change' }, + { key: 'triggerOnPatchProofAdded' as const, label: 'Patch Proof Added' }, + { key: 'triggerOnDsseValidationChange' as const, label: 'DSSE Validation Change' }, + { key: 'triggerOnToolVersionChange' as const, label: 'Tool Version Change' }, + ]; + + readonly conflictFields = [ + { key: 'vexReachabilityContradiction' as const, label: 'VEX/Reachability Contradiction' }, + { key: 'staticRuntimeMismatch' as const, label: 'Static/Runtime Mismatch' }, + { key: 'backportStatusAmbiguity' as const, label: 'Backport Status Ambiguity' }, + { key: 'vexStatusConflict' as const, label: 'VEX Status Conflict' }, + ]; + + readonly conflictActions: ConflictAction[] = [ + 'RequireManualReview', + 'AutoAcceptLowerSeverity', + 'AutoRejectHigherSeverity', + 'Escalate', + 'DeferToNextReanalysis', + 'RequestVendorClarification', + ]; + + readonly environments: Array<'development' | 'staging' | 'production'> = [ + 'development', + 'staging', + 'production', + ]; + + ngOnInit(): void { + this.loadConfig(); + } + + loadConfig(): void { + this.loading.set(true); + this.error.set(null); + + this.client.getEffectiveConfig().subscribe({ + next: (response) => { + this.effectiveConfig.set(response); + this.loading.set(false); + }, + error: (err) => { + this.error.set(err.message || 'Failed to load configuration'); + this.loading.set(false); + }, + }); + } + + toggleEditMode(): void { + if (this.editMode()) { + // Cancel edit + this.editMode.set(false); + this.editConfig.set(null); + this.validationErrors.set([]); + this.validationWarnings.set([]); + this.saveReason = ''; + } else { + // Enter edit mode - deep clone config + this.editConfig.set(JSON.parse(JSON.stringify(this.config()))); + this.editMode.set(true); + } + } + + validateBeforeSave(): void { + const cfg = this.editConfig(); + if (!cfg) return; + + this.client.validateConfig(cfg).subscribe({ + next: (response) => { + this.validationErrors.set(response.errors); + this.validationWarnings.set(response.warnings); + if (response.isValid) { + alert('Configuration is valid!'); + } + }, + error: (err) => { + this.validationErrors.set([err.message || 'Validation failed']); + }, + }); + } + + saveConfig(): void { + const cfg = this.editConfig(); + if (!cfg || !this.saveReason) return; + + this.saving.set(true); + + this.client + .updateConfig({ + config: cfg, + reason: this.saveReason, + }) + .subscribe({ + next: (response) => { + this.effectiveConfig.set(response); + this.editMode.set(false); + this.editConfig.set(null); + this.validationErrors.set([]); + this.validationWarnings.set([]); + this.saveReason = ''; + this.saving.set(false); + alert('Configuration saved successfully!'); + }, + error: (err) => { + this.error.set(err.message || 'Failed to save configuration'); + this.saving.set(false); + }, + }); + } + + getConflictActionLabel(action: ConflictAction): string { + return CONFLICT_ACTION_LABELS[action] || action; + } + + getEnvironmentLabel(env: string): string { + return ENVIRONMENT_LABELS[env as keyof typeof ENVIRONMENT_LABELS] || env; + } +} diff --git a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.spec.ts b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.spec.ts index b8557c223..a5125fb0f 100644 --- a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.spec.ts +++ b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.spec.ts @@ -1,19 +1,152 @@ /** * @file setup-wizard-api.service.spec.ts - * @sprint Sprint 5: UI Integrations + Settings Store - * @description Unit tests for SetupWizardApiService + * @sprint SPRINT_20260112_005_FE_setup_wizard_ui_wiring + * @tasks FE-SETUP-003 + * @description Unit tests for SetupWizardApiService with deterministic fixtures */ import { TestBed } from '@angular/core/testing'; import { provideHttpClient } from '@angular/common/http'; import { HttpTestingController, provideHttpClientTesting } from '@angular/common/http/testing'; -import { SetupWizardApiService } from './setup-wizard-api.service'; -import { ExecuteStepRequest, SkipStepRequest } from '../models/setup-wizard.models'; +import { HttpErrorResponse } from '@angular/common/http'; +import { + SetupWizardApiService, + ApiResponse, + SetupSessionResponse, + ExecuteStepResponse, + ValidationCheckResponse, + ConnectionTestResponse, + FinalizeSetupResponse, + ProblemDetails, + SetupApiError, +} from './setup-wizard-api.service'; +import { ExecuteStepRequest, SkipStepRequest, SetupStep, SetupStepId } from '../models/setup-wizard.models'; + +// ───────────────────────────────────────────────────────────────────────────── +// Deterministic Test Fixtures +// ───────────────────────────────────────────────────────────────────────────── + +const FIXTURE_SESSION_ID = 'test-session-12345'; +const FIXTURE_TIMESTAMP = '2026-01-15T10:00:00.000Z'; + +const createSessionFixture = (): ApiResponse => ({ + data: { + sessionId: FIXTURE_SESSION_ID, + startedAt: FIXTURE_TIMESTAMP, + completedSteps: [], + skippedSteps: [], + configValues: {}, + }, + dataAsOf: FIXTURE_TIMESTAMP, +}); + +const createStepsFixture = (): ApiResponse => ({ + data: [ + { + id: 'database', + name: 'PostgreSQL Database', + description: 'Configure the database connection', + category: 'Infrastructure', + order: 1, + isRequired: true, + isSkippable: false, + dependencies: [], + validationChecks: ['check.database.connectivity', 'check.database.migrations'], + status: 'pending', + }, + { + id: 'cache', + name: 'Valkey/Redis Cache', + description: 'Configure the cache connection', + category: 'Infrastructure', + order: 2, + isRequired: true, + isSkippable: false, + dependencies: [], + validationChecks: ['check.cache.connectivity'], + status: 'pending', + }, + ], + dataAsOf: FIXTURE_TIMESTAMP, +}); + +const createExecuteStepFixture = (stepId: SetupStepId, dryRun: boolean): ApiResponse => ({ + data: { + stepId, + status: 'completed', + message: dryRun ? `[DRY RUN] Step ${stepId} would be configured` : `Step ${stepId} configured successfully`, + appliedConfig: { [`${stepId}.host`]: 'localhost' }, + canRetry: true, + executionDurationMs: 1500, + }, + dataAsOf: FIXTURE_TIMESTAMP, +}); + +const createValidationChecksFixture = (): ApiResponse => ({ + data: [ + { + checkId: 'check.database.connectivity', + name: 'Database Connectivity', + description: 'Verify connection to the PostgreSQL database', + status: 'passed', + severity: 'info', + message: 'Connected to PostgreSQL 16.2', + executedAt: FIXTURE_TIMESTAMP, + durationMs: 250, + }, + { + checkId: 'check.database.migrations', + name: 'Database Migrations', + description: 'Check that database migrations are up to date', + status: 'passed', + severity: 'info', + message: 'All migrations applied', + executedAt: FIXTURE_TIMESTAMP, + durationMs: 100, + }, + ], + dataAsOf: FIXTURE_TIMESTAMP, +}); + +const createConnectionTestFixture = (success: boolean): ApiResponse => ({ + data: { + success, + message: success ? 'Connection successful' : 'Connection failed', + latencyMs: success ? 45 : undefined, + serverVersion: success ? '16.2' : undefined, + }, + dataAsOf: FIXTURE_TIMESTAMP, +}); + +const createFinalizeFixture = (): ApiResponse => ({ + data: { + success: true, + message: 'Setup completed successfully. Please restart the services to apply configuration.', + restartRequired: true, + nextSteps: ['Restart services', 'Run stella doctor'], + }, + dataAsOf: FIXTURE_TIMESTAMP, +}); + +const createProblemDetailsFixture = ( + status: number, + title: string, + detail?: string +): ProblemDetails => ({ + type: 'urn:stellaops:error:validation', + title, + status, + detail, + traceId: 'trace-12345', +}); describe('SetupWizardApiService', () => { let service: SetupWizardApiService; let httpMock: HttpTestingController; + const setupBaseUrl = '/api/v1/setup'; + const onboardingBaseUrl = '/api/v1/platform/onboarding'; + beforeEach(() => { TestBed.configureTestingModule({ providers: [ @@ -34,72 +167,142 @@ describe('SetupWizardApiService', () => { expect(service).toBeTruthy(); }); + // ═══════════════════════════════════════════════════════════════════════════ + // Session Management Tests + // ═══════════════════════════════════════════════════════════════════════════ + describe('createSession', () => { - it('should create a new session', (done) => { + it('should create a new session via POST', (done) => { service.createSession().subscribe((session) => { - expect(session).toBeTruthy(); - expect(session.sessionId).toBeTruthy(); - expect(session.startedAt).toBeTruthy(); + expect(session.sessionId).toBe(FIXTURE_SESSION_ID); + expect(session.startedAt).toBe(FIXTURE_TIMESTAMP); expect(session.completedSteps).toEqual([]); expect(session.skippedSteps).toEqual([]); - expect(session.configValues).toEqual({}); done(); }); + + const req = httpMock.expectOne(`${setupBaseUrl}/sessions`); + expect(req.request.method).toBe('POST'); + req.flush(createSessionFixture()); + }); + + it('should handle network error', (done) => { + service.createSession().subscribe({ + error: (error: SetupApiError) => { + expect(error.code).toBe('NETWORK_ERROR'); + expect(error.retryable).toBeTrue(); + done(); + }, + }); + + const req = httpMock.expectOne(`${setupBaseUrl}/sessions`); + req.error(new ProgressEvent('Network error')); }); }); describe('resumeSession', () => { - it('should return null for non-existent session', (done) => { - service.resumeSession('non-existent-id').subscribe((session) => { + it('should get existing session via GET', (done) => { + service.resumeSession(FIXTURE_SESSION_ID).subscribe((session) => { + expect(session).toBeTruthy(); + expect(session?.sessionId).toBe(FIXTURE_SESSION_ID); + done(); + }); + + const req = httpMock.expectOne(`${setupBaseUrl}/sessions/${FIXTURE_SESSION_ID}`); + expect(req.request.method).toBe('GET'); + req.flush(createSessionFixture()); + }); + + it('should return null for 404', (done) => { + service.resumeSession('non-existent').subscribe((session) => { expect(session).toBeNull(); done(); }); + + const req = httpMock.expectOne(`${setupBaseUrl}/sessions/non-existent`); + req.flush(null, { status: 404, statusText: 'Not Found' }); }); }); + describe('getCurrentSession', () => { + it('should get current session via GET /current', (done) => { + service.getCurrentSession().subscribe((session) => { + expect(session?.sessionId).toBe(FIXTURE_SESSION_ID); + done(); + }); + + const req = httpMock.expectOne(`${setupBaseUrl}/sessions/current`); + expect(req.request.method).toBe('GET'); + req.flush(createSessionFixture()); + }); + }); + + // ═══════════════════════════════════════════════════════════════════════════ + // Step Management Tests + // ═══════════════════════════════════════════════════════════════════════════ + describe('getSteps', () => { - it('should return default steps', (done) => { + it('should get all steps via GET', (done) => { service.getSteps().subscribe((steps) => { - expect(steps.length).toBe(6); + expect(steps.length).toBe(2); expect(steps[0].id).toBe('database'); expect(steps[1].id).toBe('cache'); done(); }); + + const req = httpMock.expectOne(`${setupBaseUrl}/steps`); + expect(req.request.method).toBe('GET'); + req.flush(createStepsFixture()); }); }); describe('getStep', () => { - it('should return specific step', (done) => { + it('should get specific step via GET', (done) => { service.getStep('database').subscribe((step) => { - expect(step).toBeTruthy(); expect(step?.id).toBe('database'); expect(step?.name).toBe('PostgreSQL Database'); done(); }); + + const req = httpMock.expectOne(`${setupBaseUrl}/steps/database`); + expect(req.request.method).toBe('GET'); + req.flush({ data: createStepsFixture().data[0] }); }); - it('should return null for non-existent step', (done) => { - service.getStep('nonexistent' as any).subscribe((step) => { + it('should return null for 404', (done) => { + service.getStep('nonexistent' as SetupStepId).subscribe((step) => { expect(step).toBeNull(); done(); }); + + const req = httpMock.expectOne(`${setupBaseUrl}/steps/nonexistent`); + req.flush(null, { status: 404, statusText: 'Not Found' }); }); }); describe('checkPrerequisites', () => { - it('should return met=true for valid config', (done) => { - service.checkPrerequisites('session-id', 'database', {}).subscribe((result) => { + it('should check prerequisites via POST', (done) => { + service.checkPrerequisites(FIXTURE_SESSION_ID, 'database', {}).subscribe((result) => { expect(result.met).toBeTrue(); - expect(result.missingPrerequisites).toEqual([]); done(); }); + + const req = httpMock.expectOne( + `${setupBaseUrl}/sessions/${FIXTURE_SESSION_ID}/steps/database/prerequisites` + ); + expect(req.request.method).toBe('POST'); + req.flush({ data: { met: true, missingPrerequisites: [] } }); }); }); + // ═══════════════════════════════════════════════════════════════════════════ + // Step Execution Tests + // ═══════════════════════════════════════════════════════════════════════════ + describe('executeStep', () => { - it('should return completed status for successful execution', (done) => { + it('should execute step via POST', (done) => { const request: ExecuteStepRequest = { - sessionId: 'session-id', + sessionId: FIXTURE_SESSION_ID, stepId: 'database', configValues: { 'database.host': 'localhost' }, dryRun: false, @@ -108,15 +311,22 @@ describe('SetupWizardApiService', () => { service.executeStep(request).subscribe((result) => { expect(result.stepId).toBe('database'); expect(result.status).toBe('completed'); - expect(result.appliedConfig).toEqual(request.configValues); expect(result.canRetry).toBeTrue(); done(); }); + + const req = httpMock.expectOne( + `${setupBaseUrl}/sessions/${FIXTURE_SESSION_ID}/steps/database/execute` + ); + expect(req.request.method).toBe('POST'); + expect(req.request.body.configValues).toEqual({ 'database.host': 'localhost' }); + expect(req.request.body.dryRun).toBeFalse(); + req.flush(createExecuteStepFixture('database', false)); }); - it('should indicate dry run in message', (done) => { + it('should include dryRun flag in request', (done) => { const request: ExecuteStepRequest = { - sessionId: 'session-id', + sessionId: FIXTURE_SESSION_ID, stepId: 'database', configValues: {}, dryRun: true, @@ -126,13 +336,19 @@ describe('SetupWizardApiService', () => { expect(result.message).toContain('DRY RUN'); done(); }); + + const req = httpMock.expectOne( + `${setupBaseUrl}/sessions/${FIXTURE_SESSION_ID}/steps/database/execute` + ); + expect(req.request.body.dryRun).toBeTrue(); + req.flush(createExecuteStepFixture('database', true)); }); }); describe('skipStep', () => { - it('should return skipped status', (done) => { + it('should skip step via POST', (done) => { const request: SkipStepRequest = { - sessionId: 'session-id', + sessionId: FIXTURE_SESSION_ID, stepId: 'vault', reason: 'Not needed', }; @@ -140,68 +356,230 @@ describe('SetupWizardApiService', () => { service.skipStep(request).subscribe((result) => { expect(result.stepId).toBe('vault'); expect(result.status).toBe('skipped'); - expect(result.message).toContain('Not needed'); - expect(result.canRetry).toBeFalse(); done(); }); + + const req = httpMock.expectOne( + `${setupBaseUrl}/sessions/${FIXTURE_SESSION_ID}/steps/vault/skip` + ); + expect(req.request.method).toBe('POST'); + expect(req.request.body.reason).toBe('Not needed'); + req.flush({ + data: { + stepId: 'vault', + status: 'skipped', + message: 'Skipped: Not needed', + canRetry: false, + }, + }); + }); + }); + + // ═══════════════════════════════════════════════════════════════════════════ + // Validation Check Tests + // ═══════════════════════════════════════════════════════════════════════════ + + describe('getValidationChecks', () => { + it('should get checks via GET', (done) => { + service.getValidationChecks(FIXTURE_SESSION_ID, 'database').subscribe((checks) => { + expect(checks.length).toBe(2); + expect(checks[0].checkId).toBe('check.database.connectivity'); + done(); + }); + + const req = httpMock.expectOne( + `${setupBaseUrl}/sessions/${FIXTURE_SESSION_ID}/steps/database/checks` + ); + expect(req.request.method).toBe('GET'); + req.flush(createValidationChecksFixture()); }); }); describe('runValidationChecks', () => { - it('should return validation checks for step', (done) => { - service.runValidationChecks('session-id', 'database').subscribe((checks) => { - expect(checks.length).toBeGreaterThan(0); - expect(checks[0].checkId).toContain('database'); - expect(checks[0].status).toBe('pending'); + it('should run all checks via POST', (done) => { + service.runValidationChecks(FIXTURE_SESSION_ID, 'database').subscribe((checks) => { + expect(checks.length).toBe(2); + expect(checks.every(c => c.status === 'passed')).toBeTrue(); done(); }); - }); - it('should return empty for non-existent step', (done) => { - service.runValidationChecks('session-id', 'nonexistent' as any).subscribe((checks) => { - expect(checks).toEqual([]); - done(); - }); + const req = httpMock.expectOne( + `${setupBaseUrl}/sessions/${FIXTURE_SESSION_ID}/steps/database/checks/run` + ); + expect(req.request.method).toBe('POST'); + req.flush(createValidationChecksFixture()); }); }); describe('runValidationCheck', () => { - it('should return passed check', (done) => { - service.runValidationCheck('session-id', 'check.database.connectivity', {}).subscribe((check) => { - expect(check.checkId).toBe('check.database.connectivity'); - expect(check.status).toBe('passed'); - expect(check.message).toBe('Check passed successfully'); - done(); - }); + it('should run specific check via POST', (done) => { + service + .runValidationCheck(FIXTURE_SESSION_ID, 'check.database.connectivity', {}) + .subscribe((check) => { + expect(check.checkId).toBe('check.database.connectivity'); + expect(check.status).toBe('passed'); + done(); + }); + + const req = httpMock.expectOne( + `${setupBaseUrl}/sessions/${FIXTURE_SESSION_ID}/checks/check.database.connectivity/run` + ); + expect(req.request.method).toBe('POST'); + req.flush({ data: createValidationChecksFixture().data[0] }); }); }); + // ═══════════════════════════════════════════════════════════════════════════ + // Connection Testing Tests + // ═══════════════════════════════════════════════════════════════════════════ + describe('testConnection', () => { - it('should return success for valid config', (done) => { + it('should test connection via POST', (done) => { service.testConnection('database', { 'database.host': 'localhost' }).subscribe((result) => { expect(result.success).toBeTrue(); - expect(result.message).toBe('Connection successful'); + expect(result.latencyMs).toBe(45); done(); }); + + const req = httpMock.expectOne(`${setupBaseUrl}/steps/database/test-connection`); + expect(req.request.method).toBe('POST'); + req.flush(createConnectionTestFixture(true)); + }); + + it('should handle failed connection', (done) => { + service.testConnection('database', { 'database.host': 'bad-host' }).subscribe((result) => { + expect(result.success).toBeFalse(); + expect(result.message).toBe('Connection failed'); + done(); + }); + + const req = httpMock.expectOne(`${setupBaseUrl}/steps/database/test-connection`); + req.flush(createConnectionTestFixture(false)); }); }); + // ═══════════════════════════════════════════════════════════════════════════ + // Configuration & Finalization Tests + // ═══════════════════════════════════════════════════════════════════════════ + describe('saveConfiguration', () => { - it('should return success', (done) => { - service.saveConfiguration('session-id', { key: 'value' }).subscribe((result) => { + it('should save config via PUT', (done) => { + service.saveConfiguration(FIXTURE_SESSION_ID, { key: 'value' }).subscribe((result) => { expect(result.success).toBeTrue(); done(); }); + + const req = httpMock.expectOne(`${setupBaseUrl}/sessions/${FIXTURE_SESSION_ID}/config`); + expect(req.request.method).toBe('PUT'); + expect(req.request.body.configValues).toEqual({ key: 'value' }); + req.flush({ data: { saved: true } }); }); }); describe('finalizeSetup', () => { - it('should return success with restart message', (done) => { - service.finalizeSetup('session-id').subscribe((result) => { + it('should finalize via POST', (done) => { + service.finalizeSetup(FIXTURE_SESSION_ID).subscribe((result) => { expect(result.success).toBeTrue(); - expect(result.message).toContain('restart'); + expect(result.restartRequired).toBeTrue(); + expect(result.nextSteps?.length).toBe(2); done(); }); + + const req = httpMock.expectOne(`${setupBaseUrl}/sessions/${FIXTURE_SESSION_ID}/finalize`); + expect(req.request.method).toBe('POST'); + req.flush(createFinalizeFixture()); + }); + }); + + // ═══════════════════════════════════════════════════════════════════════════ + // Onboarding Integration Tests + // ═══════════════════════════════════════════════════════════════════════════ + + describe('getOnboardingStatus', () => { + it('should get status via GET', (done) => { + service.getOnboardingStatus().subscribe((result) => { + expect(result.status).toBe('in_progress'); + expect(result.completedSteps).toContain('welcome'); + done(); + }); + + const req = httpMock.expectOne(`${onboardingBaseUrl}/status`); + expect(req.request.method).toBe('GET'); + req.flush({ + status: 'in_progress', + currentStep: 'connect-registry', + steps: [ + { id: 'welcome', completed: true }, + { id: 'connect-registry', completed: false }, + ], + }); + }); + }); + + describe('completeOnboardingStep', () => { + it('should complete step via POST', (done) => { + service.completeOnboardingStep('connect-registry').subscribe((result) => { + expect(result.success).toBeTrue(); + done(); + }); + + const req = httpMock.expectOne(`${onboardingBaseUrl}/complete/connect-registry`); + expect(req.request.method).toBe('POST'); + req.flush({ status: 'in_progress' }); + }); + }); + + // ═══════════════════════════════════════════════════════════════════════════ + // Error Handling Tests + // ═══════════════════════════════════════════════════════════════════════════ + + describe('parseError', () => { + it('should parse Problem+JSON error', () => { + const httpError = new HttpErrorResponse({ + error: createProblemDetailsFixture(400, 'Validation Failed', 'Invalid host format'), + status: 400, + statusText: 'Bad Request', + }); + + const parsed = service.parseError(httpError); + expect(parsed.code).toBe('VALIDATION'); + expect(parsed.message).toBe('Validation Failed'); + expect(parsed.detail).toBe('Invalid host format'); + expect(parsed.retryable).toBeFalse(); + }); + + it('should mark 5xx errors as retryable', () => { + const httpError = new HttpErrorResponse({ + error: createProblemDetailsFixture(503, 'Service Unavailable'), + status: 503, + statusText: 'Service Unavailable', + }); + + const parsed = service.parseError(httpError); + expect(parsed.retryable).toBeTrue(); + }); + + it('should mark 429 as retryable', () => { + const httpError = new HttpErrorResponse({ + error: createProblemDetailsFixture(429, 'Too Many Requests'), + status: 429, + statusText: 'Too Many Requests', + }); + + const parsed = service.parseError(httpError); + expect(parsed.retryable).toBeTrue(); + }); + + it('should handle generic errors', () => { + const httpError = new HttpErrorResponse({ + error: 'Internal error', + status: 500, + statusText: 'Internal Server Error', + }); + + const parsed = service.parseError(httpError); + expect(parsed.code).toBe('HTTP_500'); + expect(parsed.message).toBe('Server error'); }); }); }); diff --git a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.ts b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.ts index 4dbdf9ad1..61e21f3d8 100644 --- a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.ts +++ b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-api.service.ts @@ -1,12 +1,17 @@ /** * @file setup-wizard-api.service.ts - * @sprint Sprint 4: UI Wizard Core + * @sprint SPRINT_20260112_005_FE_setup_wizard_ui_wiring + * @tasks FE-SETUP-001 * @description API service for setup wizard backend communication + * + * Replaces mock calls with real HttpClient calls to: + * - /api/v1/setup/* - Setup wizard endpoints + * - /api/v1/platform/onboarding/* - Onboarding endpoints */ import { Injectable, inject } from '@angular/core'; -import { HttpClient } from '@angular/common/http'; -import { Observable, of, delay } from 'rxjs'; +import { HttpClient, HttpErrorResponse } from '@angular/common/http'; +import { Observable, of, catchError, map, throwError, retry, timer } from 'rxjs'; import { SetupStep, SetupStepId, @@ -16,223 +21,587 @@ import { SkipStepRequest, ValidationCheck, PrerequisiteResult, - DEFAULT_SETUP_STEPS, + CheckStatus, + CheckSeverity, } from '../models/setup-wizard.models'; -/** API response wrapper */ -interface ApiResponse { - success: boolean; - data?: T; - error?: string; +// ───────────────────────────────────────────────────────────────────────────── +// API Response Types (Problem+JSON aligned) +// ───────────────────────────────────────────────────────────────────────────── + +/** RFC 7807 Problem+JSON error response */ +export interface ProblemDetails { + type?: string; + title: string; + status: number; + detail?: string; + instance?: string; + traceId?: string; + errors?: Record; } +/** API response wrapper with timestamp metadata */ +export interface ApiResponse { + data: T; + dataAsOf?: string; + cacheHit?: boolean; +} + +/** Setup session response from backend */ +export interface SetupSessionResponse { + sessionId: string; + startedAt: string; + expiresAt?: string; + completedSteps: SetupStepId[]; + skippedSteps: SetupStepId[]; + configValues: Record; + currentStep?: SetupStepId; + metadata?: Record; +} + +/** Step execution response from backend */ +export interface ExecuteStepResponse { + stepId: SetupStepId; + status: 'completed' | 'failed' | 'skipped'; + message: string; + appliedConfig?: Record; + outputValues?: Record; + error?: string; + canRetry: boolean; + validationResults?: ValidationCheckResponse[]; + executionDurationMs?: number; +} + +/** Validation check response from backend */ +export interface ValidationCheckResponse { + checkId: string; + name: string; + description: string; + status: CheckStatus; + severity: CheckSeverity; + message?: string; + remediation?: string; + executedAt?: string; + durationMs?: number; +} + +/** Connection test response */ +export interface ConnectionTestResponse { + success: boolean; + message: string; + latencyMs?: number; + serverVersion?: string; + capabilities?: string[]; +} + +/** Finalize setup response */ +export interface FinalizeSetupResponse { + success: boolean; + message: string; + restartRequired: boolean; + configFilePath?: string; + nextSteps?: string[]; +} + +// ───────────────────────────────────────────────────────────────────────────── +// UI Error Model +// ───────────────────────────────────────────────────────────────────────────── + +/** Parsed error for UI display */ +export interface SetupApiError { + code: string; + message: string; + detail?: string; + field?: string; + retryable: boolean; + suggestedFixes?: string[]; +} + +// ───────────────────────────────────────────────────────────────────────────── +// Service Implementation +// ───────────────────────────────────────────────────────────────────────────── + /** * API service for setup wizard operations. - * Communicates with the CLI/Platform backend for setup operations. + * Communicates with the Platform backend for setup and onboarding operations. */ @Injectable() export class SetupWizardApiService { private readonly http = inject(HttpClient); - private readonly baseUrl = '/api/v1/setup'; + private readonly setupBaseUrl = '/api/v1/setup'; + private readonly onboardingBaseUrl = '/api/v1/platform/onboarding'; + + /** Retry configuration for transient failures */ + private readonly retryConfig = { + count: 2, + delay: 1000, + }; + + // ═══════════════════════════════════════════════════════════════════════════ + // Session Management + // ═══════════════════════════════════════════════════════════════════════════ /** - * Create a new setup session + * Create a new setup session. */ createSession(): Observable { - // For now, return a mock session - // TODO: Replace with actual API call when backend is ready - const session: SetupSession = { - sessionId: crypto.randomUUID(), - startedAt: new Date().toISOString(), - completedSteps: [], - skippedSteps: [], - configValues: {}, - }; - return of(session).pipe(delay(300)); + return this.http + .post>(`${this.setupBaseUrl}/sessions`, {}) + .pipe( + map(response => this.mapSessionResponse(response.data)), + catchError(error => this.handleError(error)) + ); } /** - * Resume an existing setup session + * Resume an existing setup session. */ resumeSession(sessionId: string): Observable { - // TODO: Replace with actual API call - return of(null).pipe(delay(300)); + return this.http + .get>(`${this.setupBaseUrl}/sessions/${sessionId}`) + .pipe( + map(response => this.mapSessionResponse(response.data)), + catchError(error => { + if (error.status === 404) { + return of(null); + } + return this.handleError(error); + }) + ); } /** - * Get all available setup steps + * Get the current active session (if any). + */ + getCurrentSession(): Observable { + return this.http + .get>(`${this.setupBaseUrl}/sessions/current`) + .pipe( + map(response => this.mapSessionResponse(response.data)), + catchError(error => { + if (error.status === 404) { + return of(null); + } + return this.handleError(error); + }) + ); + } + + // ═══════════════════════════════════════════════════════════════════════════ + // Step Management + // ═══════════════════════════════════════════════════════════════════════════ + + /** + * Get all available setup steps. */ getSteps(): Observable { - // TODO: Replace with actual API call - return of([...DEFAULT_SETUP_STEPS]).pipe(delay(200)); + return this.http + .get>(`${this.setupBaseUrl}/steps`) + .pipe( + map(response => response.data), + retry({ + count: this.retryConfig.count, + delay: () => timer(this.retryConfig.delay), + }), + catchError(error => this.handleError(error)) + ); } /** - * Get a specific setup step + * Get a specific setup step. */ getStep(stepId: SetupStepId): Observable { - const step = DEFAULT_SETUP_STEPS.find(s => s.id === stepId); - return of(step ?? null).pipe(delay(100)); + return this.http + .get>(`${this.setupBaseUrl}/steps/${stepId}`) + .pipe( + map(response => response.data), + catchError(error => { + if (error.status === 404) { + return of(null); + } + return this.handleError(error); + }) + ); } /** - * Check prerequisites for a step + * Check prerequisites for a step. */ checkPrerequisites( sessionId: string, stepId: SetupStepId, configValues: Record ): Observable { - // TODO: Replace with actual API call - // Mock: always return met for now - return of({ met: true, missingPrerequisites: [] }).pipe(delay(500)); + return this.http + .post>( + `${this.setupBaseUrl}/sessions/${sessionId}/steps/${stepId}/prerequisites`, + { configValues } + ) + .pipe( + map(response => response.data), + catchError(error => this.handleError(error)) + ); } + // ═══════════════════════════════════════════════════════════════════════════ + // Step Execution + // ═══════════════════════════════════════════════════════════════════════════ + /** - * Execute a setup step + * Execute a setup step. */ executeStep(request: ExecuteStepRequest): Observable { - // TODO: Replace with actual API call - // Mock successful execution - const result: SetupStepResult = { - stepId: request.stepId, - status: 'completed', - message: request.dryRun - ? `[DRY RUN] Step ${request.stepId} would be configured` - : `Step ${request.stepId} configured successfully`, - appliedConfig: request.configValues, - canRetry: true, - }; - return of(result).pipe(delay(1500)); + return this.http + .post>( + `${this.setupBaseUrl}/sessions/${request.sessionId}/steps/${request.stepId}/execute`, + { + configValues: request.configValues, + dryRun: request.dryRun, + } + ) + .pipe( + map(response => this.mapStepResult(response.data)), + catchError(error => this.handleError(error)) + ); } /** - * Skip a setup step + * Skip a setup step. */ skipStep(request: SkipStepRequest): Observable { - const result: SetupStepResult = { - stepId: request.stepId, - status: 'skipped', - message: `Step ${request.stepId} skipped: ${request.reason}`, - canRetry: false, - }; - return of(result).pipe(delay(300)); + return this.http + .post>( + `${this.setupBaseUrl}/sessions/${request.sessionId}/steps/${request.stepId}/skip`, + { reason: request.reason } + ) + .pipe( + map(response => this.mapStepResult(response.data)), + catchError(error => this.handleError(error)) + ); + } + + // ═══════════════════════════════════════════════════════════════════════════ + // Validation Checks + // ═══════════════════════════════════════════════════════════════════════════ + + /** + * Get validation checks for a step. + */ + getValidationChecks( + sessionId: string, + stepId: SetupStepId + ): Observable { + return this.http + .get>( + `${this.setupBaseUrl}/sessions/${sessionId}/steps/${stepId}/checks` + ) + .pipe( + map(response => response.data.map(c => this.mapValidationCheck(c))), + catchError(error => this.handleError(error)) + ); } /** - * Run validation checks for a step + * Run all validation checks for a step. */ runValidationChecks( sessionId: string, stepId: SetupStepId ): Observable { - // TODO: Replace with actual API call - // Mock validation checks based on step - const step = DEFAULT_SETUP_STEPS.find(s => s.id === stepId); - if (!step) return of([]); - - const checks: ValidationCheck[] = step.validationChecks.map(checkId => ({ - checkId, - name: this.getCheckName(checkId), - description: this.getCheckDescription(checkId), - status: 'pending', - severity: 'info', - })); - - return of(checks).pipe(delay(200)); + return this.http + .post>( + `${this.setupBaseUrl}/sessions/${sessionId}/steps/${stepId}/checks/run`, + {} + ) + .pipe( + map(response => response.data.map(c => this.mapValidationCheck(c))), + catchError(error => this.handleError(error)) + ); } /** - * Run a specific validation check + * Run a specific validation check. */ runValidationCheck( sessionId: string, checkId: string, configValues: Record ): Observable { - // TODO: Replace with actual API call - // Mock: simulate check running and passing - const check: ValidationCheck = { - checkId, - name: this.getCheckName(checkId), - description: this.getCheckDescription(checkId), - status: 'passed', - severity: 'info', - message: 'Check passed successfully', - }; - return of(check).pipe(delay(800 + Math.random() * 400)); + return this.http + .post>( + `${this.setupBaseUrl}/sessions/${sessionId}/checks/${checkId}/run`, + { configValues } + ) + .pipe( + map(response => this.mapValidationCheck(response.data)), + catchError(error => this.handleError(error)) + ); } + // ═══════════════════════════════════════════════════════════════════════════ + // Connection Testing + // ═══════════════════════════════════════════════════════════════════════════ + /** - * Test connection for a step configuration + * Test connection for a step configuration. */ testConnection( stepId: SetupStepId, configValues: Record - ): Observable<{ success: boolean; message: string }> { - // TODO: Replace with actual API call - // Mock successful connection - return of({ - success: true, - message: 'Connection successful', - }).pipe(delay(1000)); + ): Observable<{ success: boolean; message: string; latencyMs?: number }> { + return this.http + .post>( + `${this.setupBaseUrl}/steps/${stepId}/test-connection`, + { configValues } + ) + .pipe( + map(response => ({ + success: response.data.success, + message: response.data.message, + latencyMs: response.data.latencyMs, + })), + catchError(error => this.handleError(error)) + ); } + // ═══════════════════════════════════════════════════════════════════════════ + // Configuration & Finalization + // ═══════════════════════════════════════════════════════════════════════════ + /** - * Save the completed setup configuration + * Save configuration values to the session. */ saveConfiguration( sessionId: string, configValues: Record ): Observable<{ success: boolean }> { - // TODO: Replace with actual API call - return of({ success: true }).pipe(delay(500)); + return this.http + .put>( + `${this.setupBaseUrl}/sessions/${sessionId}/config`, + { configValues } + ) + .pipe( + map(response => ({ success: response.data.saved })), + catchError(error => this.handleError(error)) + ); } /** - * Finalize the setup wizard + * Finalize the setup wizard and apply configuration. */ - finalizeSetup(sessionId: string): Observable<{ success: boolean; message: string }> { - // TODO: Replace with actual API call - return of({ - success: true, - message: 'Setup completed successfully. Please restart the services to apply configuration.', - }).pipe(delay(1000)); + finalizeSetup(sessionId: string): Observable<{ + success: boolean; + message: string; + restartRequired?: boolean; + nextSteps?: string[]; + }> { + return this.http + .post>( + `${this.setupBaseUrl}/sessions/${sessionId}/finalize`, + {} + ) + .pipe( + map(response => ({ + success: response.data.success, + message: response.data.message, + restartRequired: response.data.restartRequired, + nextSteps: response.data.nextSteps, + })), + catchError(error => this.handleError(error)) + ); } - // === Helper Methods === + // ═══════════════════════════════════════════════════════════════════════════ + // Onboarding Integration + // ═══════════════════════════════════════════════════════════════════════════ - private getCheckName(checkId: string): string { - const names: Record = { - 'check.database.connectivity': 'Database Connectivity', - 'check.database.migrations': 'Database Migrations', - 'check.cache.connectivity': 'Cache Connectivity', - 'check.cache.persistence': 'Cache Persistence', - 'check.integration.vault.connectivity': 'Vault Connectivity', - 'check.integration.vault.auth': 'Vault Authentication', - 'check.integration.settingsstore.connectivity': 'Settings Store Connectivity', - 'check.integration.settingsstore.auth': 'Settings Store Authentication', - 'check.integration.registry.connectivity': 'Registry Connectivity', - 'check.integration.registry.auth': 'Registry Authentication', - 'check.telemetry.otlp.connectivity': 'OTLP Endpoint Connectivity', - }; - return names[checkId] ?? checkId; + /** + * Get onboarding status. + */ + getOnboardingStatus(): Observable<{ + status: string; + currentStep: string; + completedSteps: string[]; + }> { + return this.http + .get<{ status: string; currentStep: string; steps: { id: string; completed: boolean }[] }>( + `${this.onboardingBaseUrl}/status` + ) + .pipe( + map(response => ({ + status: response.status, + currentStep: response.currentStep, + completedSteps: response.steps.filter(s => s.completed).map(s => s.id), + })), + catchError(error => this.handleError(error)) + ); } - private getCheckDescription(checkId: string): string { - const descriptions: Record = { - 'check.database.connectivity': 'Verify connection to the PostgreSQL database', - 'check.database.migrations': 'Check that database migrations are up to date', - 'check.cache.connectivity': 'Verify connection to the cache server', - 'check.cache.persistence': 'Check cache persistence configuration', - 'check.integration.vault.connectivity': 'Verify connection to the secrets vault', - 'check.integration.vault.auth': 'Verify vault authentication credentials', - 'check.integration.settingsstore.connectivity': 'Verify connection to the settings store', - 'check.integration.settingsstore.auth': 'Verify settings store authentication', - 'check.integration.registry.connectivity': 'Verify connection to the container registry', - 'check.integration.registry.auth': 'Verify registry authentication credentials', - 'check.telemetry.otlp.connectivity': 'Verify connection to the OTLP endpoint', + /** + * Mark an onboarding step as complete. + */ + completeOnboardingStep(stepId: string): Observable<{ success: boolean }> { + return this.http + .post<{ status: string }>(`${this.onboardingBaseUrl}/complete/${stepId}`, {}) + .pipe( + map(() => ({ success: true })), + catchError(error => this.handleError(error)) + ); + } + + // ═══════════════════════════════════════════════════════════════════════════ + // Helper Methods + // ═══════════════════════════════════════════════════════════════════════════ + + private mapSessionResponse(response: SetupSessionResponse): SetupSession { + return { + sessionId: response.sessionId, + startedAt: response.startedAt, + completedSteps: response.completedSteps, + skippedSteps: response.skippedSteps, + configValues: response.configValues, + currentStep: response.currentStep, }; - return descriptions[checkId] ?? 'Validation check'; + } + + private mapStepResult(response: ExecuteStepResponse): SetupStepResult { + return { + stepId: response.stepId, + status: response.status, + message: response.message, + appliedConfig: response.appliedConfig, + outputValues: response.outputValues, + error: response.error, + canRetry: response.canRetry, + }; + } + + private mapValidationCheck(response: ValidationCheckResponse): ValidationCheck { + return { + checkId: response.checkId, + name: response.name, + description: response.description, + status: response.status, + severity: response.severity, + message: response.message, + remediation: response.remediation, + }; + } + + /** + * Handle HTTP errors and convert to SetupApiError. + */ + private handleError(error: HttpErrorResponse): Observable { + const apiError = this.parseError(error); + console.error('[SetupWizardApiService] Error:', apiError); + return throwError(() => apiError); + } + + /** + * Parse HTTP error into SetupApiError. + * Handles Problem+JSON (RFC 7807) responses. + */ + parseError(error: HttpErrorResponse): SetupApiError { + // Network or client-side error + if (error.error instanceof ErrorEvent) { + return { + code: 'NETWORK_ERROR', + message: 'Unable to connect to the server', + detail: error.error.message, + retryable: true, + suggestedFixes: [ + 'Check your network connection', + 'Verify the server is running', + 'Check firewall settings', + ], + }; + } + + // Server returned Problem+JSON + if (this.isProblemDetails(error.error)) { + const problem = error.error as ProblemDetails; + return { + code: this.extractErrorCode(problem), + message: problem.title, + detail: problem.detail, + retryable: this.isRetryable(error.status), + suggestedFixes: this.getSuggestedFixes(problem), + }; + } + + // Generic server error + return { + code: `HTTP_${error.status}`, + message: this.getStatusMessage(error.status), + detail: error.message, + retryable: this.isRetryable(error.status), + }; + } + + private isProblemDetails(error: unknown): error is ProblemDetails { + return ( + typeof error === 'object' && + error !== null && + 'title' in error && + 'status' in error + ); + } + + private extractErrorCode(problem: ProblemDetails): string { + if (problem.type) { + // Extract code from URI type like "urn:stellaops:error:validation" + const parts = problem.type.split(':'); + return parts[parts.length - 1].toUpperCase(); + } + return `HTTP_${problem.status}`; + } + + private isRetryable(status: number): boolean { + // 5xx errors and some 4xx are retryable + return status >= 500 || status === 408 || status === 429; + } + + private getStatusMessage(status: number): string { + const messages: Record = { + 400: 'Invalid request', + 401: 'Authentication required', + 403: 'Access denied', + 404: 'Resource not found', + 408: 'Request timeout', + 409: 'Conflict with current state', + 422: 'Validation failed', + 429: 'Too many requests', + 500: 'Server error', + 502: 'Service unavailable', + 503: 'Service temporarily unavailable', + 504: 'Gateway timeout', + }; + return messages[status] ?? `Error (${status})`; + } + + private getSuggestedFixes(problem: ProblemDetails): string[] | undefined { + // Map common error types to suggested fixes + const fixesByType: Record = { + 'urn:stellaops:error:validation': [ + 'Check required fields are filled', + 'Verify input format matches expected pattern', + ], + 'urn:stellaops:error:connection': [ + 'Verify the service is running', + 'Check network connectivity', + 'Verify credentials are correct', + ], + 'urn:stellaops:error:timeout': [ + 'The operation took too long', + 'Try again with a shorter timeout', + 'Check if the target service is responding', + ], + }; + + if (problem.type && fixesByType[problem.type]) { + return fixesByType[problem.type]; + } + + return undefined; } } diff --git a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.spec.ts b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.spec.ts index 1e42eb1f8..c683278dc 100644 --- a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.spec.ts +++ b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.spec.ts @@ -1,16 +1,17 @@ /** * @file setup-wizard-state.service.spec.ts - * @sprint Sprint 5: UI Integrations + Settings Store - * @description Unit tests for SetupWizardStateService + * @sprint SPRINT_20260112_005_FE_setup_wizard_ui_wiring + * @tasks FE-SETUP-003 + * @description Unit tests for SetupWizardStateService with retry and data freshness */ import { TestBed } from '@angular/core/testing'; import { SetupWizardStateService } from './setup-wizard-state.service'; import { SetupSession, - SetupStep, DEFAULT_SETUP_STEPS, } from '../models/setup-wizard.models'; +import { SetupApiError } from './setup-wizard-api.service'; describe('SetupWizardStateService', () => { let service: SetupWizardStateService; @@ -54,6 +55,24 @@ describe('SetupWizardStateService', () => { it('should have 0% progress initially', () => { expect(service.progressPercent()).toBe(0); }); + + it('should have no step error initially', () => { + expect(service.stepError()).toBeNull(); + }); + + it('should have initial retry state', () => { + const retry = service.retryState(); + expect(retry.attemptCount).toBe(0); + expect(retry.maxAttempts).toBe(3); + expect(retry.canRetry).toBeTrue(); + }); + + it('should have null data freshness initially', () => { + const freshness = service.dataFreshness(); + expect(freshness.dataAsOf).toBeNull(); + expect(freshness.isCached).toBeFalse(); + expect(freshness.isStale).toBeFalse(); + }); }); describe('initializeSession', () => { @@ -239,6 +258,36 @@ describe('SetupWizardStateService', () => { service.currentStepId.set('vault'); expect(service.canSkipCurrentStep()).toBeTrue(); }); + + it('should compute failedChecks', () => { + service.setValidationChecks([ + { checkId: 'check1', name: 'C1', description: '', status: 'passed', severity: 'info' }, + { checkId: 'check2', name: 'C2', description: '', status: 'failed', severity: 'error' }, + ]); + expect(service.failedChecks().length).toBe(1); + expect(service.failedChecks()[0].checkId).toBe('check2'); + }); + + it('should compute allChecksPassed', () => { + service.setValidationChecks([ + { checkId: 'check1', name: 'C1', description: '', status: 'passed', severity: 'info' }, + { checkId: 'check2', name: 'C2', description: '', status: 'passed', severity: 'info' }, + ]); + expect(service.allChecksPassed()).toBeTrue(); + + service.updateValidationCheck('check2', { status: 'failed' }); + expect(service.allChecksPassed()).toBeFalse(); + }); + + it('should compute checksRunning', () => { + service.setValidationChecks([ + { checkId: 'check1', name: 'C1', description: '', status: 'pending', severity: 'info' }, + ]); + expect(service.checksRunning()).toBeFalse(); + + service.updateValidationCheck('check1', { status: 'running' }); + expect(service.checksRunning()).toBeTrue(); + }); }); describe('validation checks', () => { @@ -262,13 +311,162 @@ describe('SetupWizardStateService', () => { }); }); + // ═══════════════════════════════════════════════════════════════════════════ + // Retry Management Tests + // ═══════════════════════════════════════════════════════════════════════════ + + describe('retry management', () => { + it('should record retry attempts', () => { + expect(service.retryState().attemptCount).toBe(0); + + service.recordRetryAttempt(); + expect(service.retryState().attemptCount).toBe(1); + expect(service.retryState().lastAttemptAt).not.toBeNull(); + + service.recordRetryAttempt(); + expect(service.retryState().attemptCount).toBe(2); + }); + + it('should disable retry after max attempts', () => { + service.recordRetryAttempt(); + service.recordRetryAttempt(); + expect(service.retryState().canRetry).toBeTrue(); + + service.recordRetryAttempt(); + expect(service.retryState().canRetry).toBeFalse(); + }); + + it('should reset retry state', () => { + service.recordRetryAttempt(); + service.recordRetryAttempt(); + expect(service.retryState().attemptCount).toBe(2); + + service.resetRetryState(); + expect(service.retryState().attemptCount).toBe(0); + expect(service.retryState().canRetry).toBeTrue(); + expect(service.retryState().lastAttemptAt).toBeNull(); + }); + + it('should set step error with retry context', () => { + const error: SetupApiError = { + code: 'CONNECTION_FAILED', + message: 'Connection failed', + retryable: true, + }; + + service.setStepError(error); + expect(service.stepError()?.error).toEqual(error); + expect(service.stepError()?.retryState.canRetry).toBeTrue(); + }); + + it('should set non-retryable error', () => { + const error: SetupApiError = { + code: 'VALIDATION_FAILED', + message: 'Invalid input', + retryable: false, + }; + + service.setStepError(error, false); + expect(service.stepError()?.retryState.canRetry).toBeFalse(); + }); + + it('should clear error', () => { + service.setStepError({ code: 'ERR', message: 'Test', retryable: true }); + expect(service.stepError()).not.toBeNull(); + + service.clearError(); + expect(service.stepError()).toBeNull(); + expect(service.error()).toBeNull(); + }); + + it('should track retrying check', () => { + service.setValidationChecks([ + { checkId: 'check1', name: 'C1', description: '', status: 'failed', severity: 'error' }, + ]); + + service.setRetryingCheck('check1'); + expect(service.retryingCheckId()).toBe('check1'); + expect(service.validationChecks()[0].status).toBe('running'); + + service.setRetryingCheck(null); + expect(service.retryingCheckId()).toBeNull(); + }); + }); + + // ═══════════════════════════════════════════════════════════════════════════ + // Data Freshness Tests + // ═══════════════════════════════════════════════════════════════════════════ + + describe('data freshness', () => { + it('should update data freshness from timestamp', () => { + const timestamp = new Date().toISOString(); + service.updateDataFreshness(timestamp, false); + + const freshness = service.dataFreshness(); + expect(freshness.dataAsOf).not.toBeNull(); + expect(freshness.isCached).toBeFalse(); + expect(freshness.isStale).toBeFalse(); + }); + + it('should mark cached data', () => { + service.updateDataFreshness(new Date().toISOString(), true); + expect(service.dataFreshness().isCached).toBeTrue(); + }); + + it('should mark stale data (older than 5 minutes)', () => { + const oldTimestamp = new Date(Date.now() - 6 * 60 * 1000).toISOString(); + service.updateDataFreshness(oldTimestamp, false); + expect(service.dataFreshness().isStale).toBeTrue(); + }); + + it('should not mark recent data as stale', () => { + const recentTimestamp = new Date(Date.now() - 2 * 60 * 1000).toISOString(); + service.updateDataFreshness(recentTimestamp, false); + expect(service.dataFreshness().isStale).toBeFalse(); + }); + + it('should compute showStaleBanner', () => { + expect(service.showStaleBanner()).toBeFalse(); + + const oldTimestamp = new Date(Date.now() - 10 * 60 * 1000).toISOString(); + service.updateDataFreshness(oldTimestamp, false); + expect(service.showStaleBanner()).toBeTrue(); + }); + + it('should compute dataAsOfDisplay for recent data', () => { + service.updateDataFreshness(new Date().toISOString(), false); + expect(service.dataAsOfDisplay()).toBe('Just now'); + }); + + it('should compute dataAsOfDisplay for minutes ago', () => { + const fiveMinAgo = new Date(Date.now() - 5 * 60 * 1000).toISOString(); + service.updateDataFreshness(fiveMinAgo, false); + expect(service.dataAsOfDisplay()).toContain('5 minutes ago'); + }); + + it('should mark refreshing state', () => { + service.markRefreshing(); + expect(service.loading()).toBeTrue(); + }); + + it('should mark refreshed state', () => { + service.markRefreshing(); + service.markRefreshed(); + expect(service.loading()).toBeFalse(); + expect(service.dataFreshness().isStale).toBeFalse(); + }); + }); + describe('reset', () => { - it('should reset all state', () => { + it('should reset all state including retry and freshness', () => { // Set some state service.currentStepId.set('database'); service.setConfigValue('key', 'value'); service.loading.set(true); service.error.set('Some error'); + service.recordRetryAttempt(); + service.updateDataFreshness(new Date().toISOString(), true); + service.setStepError({ code: 'ERR', message: 'Test', retryable: true }); // Reset service.reset(); @@ -278,6 +476,10 @@ describe('SetupWizardStateService', () => { expect(service.configValues()).toEqual({}); expect(service.loading()).toBeFalse(); expect(service.error()).toBeNull(); + expect(service.stepError()).toBeNull(); + expect(service.retryState().attemptCount).toBe(0); + expect(service.dataFreshness().dataAsOf).toBeNull(); + expect(service.retryingCheckId()).toBeNull(); }); }); }); diff --git a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.ts b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.ts index d40295067..43425eb03 100644 --- a/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.ts +++ b/src/Web/StellaOps.Web/src/app/features/setup-wizard/services/setup-wizard-state.service.ts @@ -1,7 +1,13 @@ /** * @file setup-wizard-state.service.ts - * @sprint Sprint 4: UI Wizard Core + * @sprint SPRINT_20260112_005_FE_setup_wizard_ui_wiring + * @tasks FE-SETUP-002 * @description State management service for the setup wizard using Angular signals + * + * Updated to handle: + * - Validation checks with retry support + * - "Data as of" banners with metadata timestamps + * - Step ID alignment with backend contract */ import { Injectable, computed, signal } from '@angular/core'; @@ -12,8 +18,10 @@ import { SetupSession, WizardMode, ValidationCheck, + CheckStatus, DEFAULT_SETUP_STEPS, } from '../models/setup-wizard.models'; +import { SetupApiError } from './setup-wizard-api.service'; /** Wizard navigation state */ interface WizardNavigation { @@ -23,6 +31,29 @@ interface WizardNavigation { canComplete: boolean; } +/** Data freshness metadata for cache/stale data display */ +export interface DataFreshness { + dataAsOf: Date | null; + isCached: boolean; + isStale: boolean; +} + +/** Retry state for step operations */ +export interface RetryState { + attemptCount: number; + maxAttempts: number; + lastAttemptAt: Date | null; + canRetry: boolean; + retryAfterMs: number | null; +} + +/** Step error with retry context */ +export interface StepError { + error: SetupApiError | Error; + retryState: RetryState; + dismissable: boolean; +} + /** * State service for the setup wizard. * Uses Angular signals for reactive state management. @@ -55,12 +86,37 @@ export class SetupWizardStateService { /** Whether a step is executing */ readonly executing = signal(false); - /** Global error message */ + /** Global error message (deprecated - use stepError for structured errors) */ readonly error = signal(null); + /** Structured error with retry context */ + readonly stepError = signal(null); + /** Whether dry-run mode is enabled */ readonly dryRunMode = signal(true); + /** Data freshness metadata for current view */ + readonly dataFreshness = signal({ + dataAsOf: null, + isCached: false, + isStale: false, + }); + + /** Per-step retry state */ + readonly retryState = signal({ + attemptCount: 0, + maxAttempts: 3, + lastAttemptAt: null, + canRetry: true, + retryAfterMs: null, + }); + + /** Whether a retry operation is pending */ + readonly retryPending = signal(false); + + /** Validation check being retried (by checkId) */ + readonly retryingCheckId = signal(null); + // === Computed Signals === /** Current step object */ @@ -118,7 +174,6 @@ export class SetupWizardStateService { readonly navigation = computed(() => { const index = this.currentStepIndex(); const ordered = this.orderedSteps(); - const current = this.currentStep(); return { currentStepIndex: index, @@ -148,6 +203,46 @@ export class SetupWizardStateService { return step.dependencies.every(depId => completedIds.has(depId)); }); + /** Validation checks that failed and can be retried */ + readonly failedChecks = computed(() => { + return this.validationChecks().filter(c => c.status === 'failed'); + }); + + /** Whether all validation checks passed */ + readonly allChecksPassed = computed(() => { + const checks = this.validationChecks(); + return checks.length > 0 && checks.every(c => c.status === 'passed' || c.status === 'skipped'); + }); + + /** Whether there are checks currently running */ + readonly checksRunning = computed(() => { + return this.validationChecks().some(c => c.status === 'running'); + }); + + /** Whether data is stale and should show refresh banner */ + readonly showStaleBanner = computed(() => { + const freshness = this.dataFreshness(); + return freshness.isStale && freshness.dataAsOf !== null; + }); + + /** Formatted "data as of" timestamp for display */ + readonly dataAsOfDisplay = computed(() => { + const freshness = this.dataFreshness(); + if (!freshness.dataAsOf) return null; + + const now = new Date(); + const diff = now.getTime() - freshness.dataAsOf.getTime(); + const minutes = Math.floor(diff / 60000); + + if (minutes < 1) return 'Just now'; + if (minutes < 60) return `${minutes} minute${minutes === 1 ? '' : 's'} ago`; + + const hours = Math.floor(minutes / 60); + if (hours < 24) return `${hours} hour${hours === 1 ? '' : 's'} ago`; + + return freshness.dataAsOf.toLocaleString(); + }); + // === State Mutation Methods === /** @@ -344,6 +439,116 @@ export class SetupWizardStateService { this.loading.set(false); this.executing.set(false); this.error.set(null); + this.stepError.set(null); + this.dataFreshness.set({ dataAsOf: null, isCached: false, isStale: false }); + this.retryState.set({ + attemptCount: 0, + maxAttempts: 3, + lastAttemptAt: null, + canRetry: true, + retryAfterMs: null, + }); + this.retryPending.set(false); + this.retryingCheckId.set(null); + } + + // === Retry Management Methods === + + /** + * Record a retry attempt + */ + recordRetryAttempt(): void { + this.retryState.update(state => ({ + ...state, + attemptCount: state.attemptCount + 1, + lastAttemptAt: new Date(), + canRetry: state.attemptCount + 1 < state.maxAttempts, + })); + } + + /** + * Reset retry state (e.g., after successful operation) + */ + resetRetryState(): void { + this.retryState.set({ + attemptCount: 0, + maxAttempts: 3, + lastAttemptAt: null, + canRetry: true, + retryAfterMs: null, + }); + this.retryPending.set(false); + this.retryingCheckId.set(null); + } + + /** + * Set error with retry context + */ + setStepError(error: SetupApiError | Error, canRetry: boolean = true): void { + const current = this.retryState(); + this.stepError.set({ + error, + retryState: { + ...current, + canRetry: canRetry && current.attemptCount < current.maxAttempts, + }, + dismissable: true, + }); + } + + /** + * Clear current error + */ + clearError(): void { + this.error.set(null); + this.stepError.set(null); + } + + /** + * Mark a specific validation check as retrying + */ + setRetryingCheck(checkId: string | null): void { + this.retryingCheckId.set(checkId); + if (checkId) { + this.updateValidationCheck(checkId, { status: 'running' }); + } + } + + // === Data Freshness Methods === + + /** + * Update data freshness metadata from API response + */ + updateDataFreshness(dataAsOf: string | undefined, isCached: boolean = false): void { + const timestamp = dataAsOf ? new Date(dataAsOf) : new Date(); + const now = new Date(); + const ageMs = now.getTime() - timestamp.getTime(); + const staleThresholdMs = 5 * 60 * 1000; // 5 minutes + + this.dataFreshness.set({ + dataAsOf: timestamp, + isCached, + isStale: ageMs > staleThresholdMs, + }); + } + + /** + * Mark data as refreshing + */ + markRefreshing(): void { + this.loading.set(true); + } + + /** + * Mark data as refreshed + */ + markRefreshed(): void { + this.loading.set(false); + this.dataFreshness.update(f => ({ + ...f, + dataAsOf: new Date(), + isStale: false, + })); } // === Private Helper Methods === diff --git a/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.spec.ts b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.spec.ts new file mode 100644 index 000000000..216c14b23 --- /dev/null +++ b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.spec.ts @@ -0,0 +1,213 @@ +// Sprint: SPRINT_20260112_011_FE_policy_unknowns_queue_integration (FE-UNK-008) +// Determinization Review Component Tests + +import { ComponentFixture, TestBed } from '@angular/core/testing'; +import { provideRouter, ActivatedRoute } from '@angular/router'; +import { provideHttpClient } from '@angular/common/http'; +import { provideHttpClientTesting } from '@angular/common/http/testing'; +import { of } from 'rxjs'; +import { DeterminizationReviewComponent } from './determinization-review.component'; +import { + PolicyUnknown, + BAND_COLORS, + OBSERVATION_STATE_COLORS, + hasConflicts, + getConflictSeverityColor, +} from '../../core/api/unknowns.models'; + +describe('DeterminizationReviewComponent', () => { + let component: DeterminizationReviewComponent; + let fixture: ComponentFixture; + + const mockUnknown: PolicyUnknown = { + id: 'test-unknown-123', + packageId: 'pkg:npm/lodash', + packageVersion: '4.17.21', + band: 'hot', + score: 85.5, + uncertaintyFactor: 0.7, + exploitPressure: 0.9, + firstSeenAt: '2026-01-10T12:00:00Z', + lastEvaluatedAt: '2026-01-15T08:00:00Z', + reasonCode: 'Reachability', + reasonCodeShort: 'U-RCH', + fingerprintId: 'sha256:abc123def456', + triggers: [ + { + eventType: 'epss.updated', + eventVersion: 1, + source: 'concelier', + receivedAt: '2026-01-15T07:00:00Z', + correlationId: 'corr-123', + }, + { + eventType: 'vex.updated', + eventVersion: 1, + source: 'excititor', + receivedAt: '2026-01-15T08:00:00Z', + correlationId: 'corr-456', + }, + ], + nextActions: ['request_vex', 'verify_reachability'], + conflictInfo: { + hasConflict: true, + severity: 0.8, + suggestedPath: 'RequireManualReview', + conflicts: [ + { + signal1: 'VEX:not_affected', + signal2: 'Reachability:reachable', + type: 'VexReachabilityContradiction', + description: 'VEX says not affected but reachability shows path', + severity: 0.8, + }, + ], + }, + observationState: 'Disputed', + evidenceRefs: [ + { type: 'sbom', uri: 'oci://registry/sbom@sha256:abc', digest: 'sha256:abc' }, + { type: 'attestation', uri: 'oci://registry/att@sha256:def', digest: 'sha256:def' }, + ], + }; + + beforeEach(async () => { + await TestBed.configureTestingModule({ + imports: [DeterminizationReviewComponent], + providers: [ + provideRouter([]), + provideHttpClient(), + provideHttpClientTesting(), + { + provide: ActivatedRoute, + useValue: { + snapshot: { + paramMap: { + get: (key: string) => (key === 'unknownId' ? 'test-unknown-123' : null), + }, + }, + }, + }, + ], + }).compileComponents(); + + fixture = TestBed.createComponent(DeterminizationReviewComponent); + component = fixture.componentInstance; + // Manually set unknown for testing + component['unknown'].set(mockUnknown); + component['unknownId'].set('test-unknown-123'); + component['loading'].set(false); + fixture.detectChanges(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); + + describe('triggers sorting', () => { + it('should sort triggers by receivedAt descending (most recent first)', () => { + const sorted = component.sortedTriggers(); + expect(sorted.length).toBe(2); + // vex.updated at 08:00 should be first + expect(sorted[0].eventType).toBe('vex.updated'); + // epss.updated at 07:00 should be second + expect(sorted[1].eventType).toBe('epss.updated'); + }); + + it('should handle empty triggers', () => { + component['unknown'].set({ ...mockUnknown, triggers: [] }); + fixture.detectChanges(); + expect(component.sortedTriggers().length).toBe(0); + }); + + it('should handle undefined triggers', () => { + component['unknown'].set({ ...mockUnknown, triggers: undefined }); + fixture.detectChanges(); + expect(component.sortedTriggers().length).toBe(0); + }); + + it('should maintain stable order across renders', () => { + const order1 = component.sortedTriggers().map((t) => t.eventType); + fixture.detectChanges(); + const order2 = component.sortedTriggers().map((t) => t.eventType); + expect(order1).toEqual(order2); + }); + }); + + describe('band display', () => { + it('should return correct band color for HOT', () => { + expect(component.getBandColor()).toBe(BAND_COLORS['hot']); + }); + + it('should return correct band label', () => { + expect(component.getBandLabel()).toBe('HOT'); + }); + }); + + describe('observation state', () => { + it('should return correct state color', () => { + expect(component.getObservationStateColor()).toBe(OBSERVATION_STATE_COLORS['Disputed']); + }); + + it('should return correct state label', () => { + expect(component.getObservationStateLabel()).toBe('Disputed'); + }); + + it('should identify grey queue state', () => { + expect(component.isInGreyQueue()).toBe(true); + }); + + it('should not identify non-grey queue state', () => { + component['unknown'].set({ ...mockUnknown, observationState: 'DeterminedPass' }); + fixture.detectChanges(); + expect(component.isInGreyQueue()).toBe(false); + }); + }); + + describe('conflict handling', () => { + it('should detect conflicts', () => { + expect(component.hasConflicts()).toBe(true); + }); + + it('should return correct conflict severity color', () => { + expect(component.getConflictSeverityColor()).toBe('text-red-600'); + }); + + it('should handle no conflicts', () => { + component['unknown'].set({ ...mockUnknown, conflictInfo: undefined }); + fixture.detectChanges(); + expect(component.hasConflicts()).toBe(false); + }); + }); + + describe('export proof', () => { + it('should generate proof object with all required fields', () => { + // Test the proof structure without actually triggering download + const u = component['unknown'](); + expect(u).toBeTruthy(); + expect(u!.id).toBe('test-unknown-123'); + expect(u!.fingerprintId).toBe('sha256:abc123def456'); + expect(u!.triggers?.length).toBe(2); + expect(u!.evidenceRefs?.length).toBe(2); + }); + }); +}); + +describe('Conflict Severity Color Helper', () => { + it('should return red for high severity (>= 0.8)', () => { + expect(getConflictSeverityColor(0.8)).toBe('text-red-600'); + expect(getConflictSeverityColor(0.9)).toBe('text-red-600'); + expect(getConflictSeverityColor(1.0)).toBe('text-red-600'); + }); + + it('should return orange for medium severity (>= 0.5, < 0.8)', () => { + expect(getConflictSeverityColor(0.5)).toBe('text-orange-600'); + expect(getConflictSeverityColor(0.6)).toBe('text-orange-600'); + expect(getConflictSeverityColor(0.79)).toBe('text-orange-600'); + }); + + it('should return yellow for low severity (< 0.5)', () => { + expect(getConflictSeverityColor(0.1)).toBe('text-yellow-600'); + expect(getConflictSeverityColor(0.3)).toBe('text-yellow-600'); + expect(getConflictSeverityColor(0.49)).toBe('text-yellow-600'); + }); +}); diff --git a/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.ts b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.ts new file mode 100644 index 000000000..f07384d6d --- /dev/null +++ b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/determinization-review.component.ts @@ -0,0 +1,392 @@ +// Sprint: SPRINT_20260112_011_FE_policy_unknowns_queue_integration (FE-UNK-007) +// Determinization Review Component - provides context for grey queue items + +import { Component, OnInit, inject, signal, computed } from '@angular/core'; +import { CommonModule, DatePipe } from '@angular/common'; +import { ActivatedRoute, Router, RouterLink } from '@angular/router'; +import { UnknownsClient, PolicyUnknownDetailResponse } from '../../core/api/unknowns.client'; +import { + PolicyUnknown, + TriageAction, + TriageRequest, + BAND_COLORS, + BAND_LABELS, + OBSERVATION_STATE_COLORS, + OBSERVATION_STATE_LABELS, + TRIAGE_ACTION_LABELS, + isGreyQueueState, + hasConflicts, + getConflictSeverityColor, +} from '../../core/api/unknowns.models'; +import { GreyQueuePanelComponent } from '../unknowns/grey-queue-panel.component'; + +@Component({ + selector: 'app-determinization-review', + standalone: true, + imports: [CommonModule, DatePipe, RouterLink, GreyQueuePanelComponent], + template: ` +
+ + + + @if (loading()) { +
+
+ Loading determinization context... +
+ } @else if (error()) { +
+ {{ error() }} +
+ } @else if (unknown()) { +
+ +
+ +
+
+
+

+ Determinization Review +

+

+ {{ unknown()!.packageId }}@{{ unknown()!.packageVersion }} +

+
+
+ + {{ getBandLabel() }} + + @if (unknown()!.observationState) { + + {{ getObservationStateLabel() }} + + } +
+
+
+ + + @if (unknown()!.fingerprintId) { +
+

Fingerprint Details

+
+
+
Fingerprint ID
+
+ + {{ unknown()!.fingerprintId }} + +
+
+
+
Score
+
+ {{ unknown()!.score | number:'1.1-1' }} +
+
+
+
Uncertainty Factor
+
{{ unknown()!.uncertaintyFactor | percent:'1.0-0' }}
+
+
+
Exploit Pressure
+
{{ unknown()!.exploitPressure | percent:'1.0-0' }}
+
+
+
+ } + + + @if (hasConflicts()) { +
+

+ + Conflict Analysis +

+
+
+ + {{ unknown()!.conflictInfo!.conflicts.length }} conflict(s) detected + + + Severity: {{ unknown()!.conflictInfo!.severity | number:'1.2-2' }} + +
+
+
+ @for (conflict of unknown()!.conflictInfo!.conflicts; track $index) { +
+
{{ conflict.type }}
+
+ {{ conflict.signal1 }} + vs + {{ conflict.signal2 }} +
+ @if (conflict.description) { +

{{ conflict.description }}

+ } +
+ } +
+ @if (unknown()!.conflictInfo!.suggestedPath) { +
+ + Suggested Resolution: {{ unknown()!.conflictInfo!.suggestedPath }} + +
+ } +
+ } + + + @if (unknown()!.triggers && unknown()!.triggers!.length > 0) { +
+

Reanalysis Trigger History

+
+ + + + + + + + + + + @for (trigger of sortedTriggers(); track trigger.receivedAt) { + + + + + + + } + +
EventVersionSourceReceived
{{ trigger.eventType }}v{{ trigger.eventVersion }}{{ trigger.source || '-' }}{{ trigger.receivedAt | date:'medium' }}
+
+
+ } + + + @if (unknown()!.evidenceRefs && unknown()!.evidenceRefs!.length > 0) { +
+

Evidence References

+
+ @for (ref of unknown()!.evidenceRefs; track ref.uri) { +
+
+ {{ ref.type }} +
{{ ref.uri }}
+
+ @if (ref.digest) { + {{ ref.digest | slice:0:16 }}... + } +
+ } +
+
+ } +
+ + +
+ + + + +
+

Quick Actions

+
+ + + + Back to Unknown Detail + +
+
+
+
+ } +
+ `, + styles: [ + ` + .determinization-review { + min-height: 100vh; + } + `, + ], +}) +export class DeterminizationReviewComponent implements OnInit { + private readonly route = inject(ActivatedRoute); + private readonly router = inject(Router); + private readonly client = inject(UnknownsClient); + + readonly unknownId = signal(''); + readonly unknown = signal(null); + readonly loading = signal(true); + readonly error = signal(null); + + readonly sortedTriggers = computed(() => { + const triggers = this.unknown()?.triggers; + if (!triggers) return []; + return [...triggers].sort( + (a, b) => new Date(b.receivedAt).getTime() - new Date(a.receivedAt).getTime() + ); + }); + + ngOnInit(): void { + const id = this.route.snapshot.paramMap.get('unknownId'); + if (!id) { + this.error.set('Unknown ID not provided'); + this.loading.set(false); + return; + } + + this.unknownId.set(id); + this.loadUnknown(id); + } + + private loadUnknown(id: string): void { + this.loading.set(true); + this.error.set(null); + + this.client.getPolicyUnknownDetail(id).subscribe({ + next: (response) => { + this.unknown.set(response.unknown); + this.loading.set(false); + }, + error: (err) => { + this.error.set(err.message || 'Failed to load unknown details'); + this.loading.set(false); + }, + }); + } + + getBandColor(): string { + const band = this.unknown()?.band; + if (!band) return ''; + return BAND_COLORS[band] || 'bg-gray-100 text-gray-800'; + } + + getBandLabel(): string { + const band = this.unknown()?.band; + if (!band) return ''; + return BAND_LABELS[band] || band.toUpperCase(); + } + + getObservationStateColor(): string { + const state = this.unknown()?.observationState; + if (!state) return ''; + return OBSERVATION_STATE_COLORS[state] || ''; + } + + getObservationStateLabel(): string { + const state = this.unknown()?.observationState; + if (!state) return ''; + return OBSERVATION_STATE_LABELS[state] || state; + } + + isInGreyQueue(): boolean { + return isGreyQueueState(this.unknown()?.observationState); + } + + hasConflicts(): boolean { + const u = this.unknown(); + return u ? hasConflicts(u) : false; + } + + getConflictSeverityColor(): string { + const severity = this.unknown()?.conflictInfo?.severity; + if (severity === undefined) return ''; + return getConflictSeverityColor(severity); + } + + onTriageAction(event: { unknownId: string; action: TriageAction }): void { + const reason = prompt(`Enter reason for ${TRIAGE_ACTION_LABELS[event.action]}:`); + if (!reason) return; + + const request: TriageRequest = { + action: event.action, + reason, + }; + + this.client.triageUnknown(event.unknownId, request).subscribe({ + next: (updated) => { + this.unknown.set(updated); + alert(`Triage action '${event.action}' applied successfully.`); + }, + error: (err) => { + alert(`Failed to apply triage action: ${err.message}`); + }, + }); + } + + copyFingerprintId(): void { + const fingerprintId = this.unknown()?.fingerprintId; + if (fingerprintId) { + navigator.clipboard.writeText(fingerprintId); + alert('Fingerprint ID copied to clipboard'); + } + } + + exportProof(): void { + const u = this.unknown(); + if (!u) return; + + const proof = { + id: u.id, + fingerprintId: u.fingerprintId, + packageId: u.packageId, + packageVersion: u.packageVersion, + band: u.band, + score: u.score, + reasonCode: u.reasonCode, + triggers: u.triggers, + evidenceRefs: u.evidenceRefs, + observationState: u.observationState, + conflictInfo: u.conflictInfo, + exportedAt: new Date().toISOString(), + }; + + const blob = new Blob([JSON.stringify(proof, null, 2)], { type: 'application/json' }); + const url = URL.createObjectURL(blob); + const a = document.createElement('a'); + a.href = url; + a.download = `unknown-proof-${u.id}.json`; + a.click(); + URL.revokeObjectURL(url); + } +} diff --git a/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.spec.ts b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.spec.ts new file mode 100644 index 000000000..977074e05 --- /dev/null +++ b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.spec.ts @@ -0,0 +1,221 @@ +// Sprint: SPRINT_20260112_011_FE_policy_unknowns_queue_integration (FE-UNK-008) +// Grey Queue Dashboard Component Tests + +import { ComponentFixture, TestBed } from '@angular/core/testing'; +import { provideRouter } from '@angular/router'; +import { provideHttpClient } from '@angular/common/http'; +import { provideHttpClientTesting } from '@angular/common/http/testing'; +import { GreyQueueDashboardComponent } from './grey-queue-dashboard.component'; +import { + PolicyUnknown, + BAND_COLORS, + BAND_LABELS, + getBandPriority, + isGreyQueueState, +} from '../../core/api/unknowns.models'; + +describe('GreyQueueDashboardComponent', () => { + let component: GreyQueueDashboardComponent; + let fixture: ComponentFixture; + + const mockItems: PolicyUnknown[] = [ + { + id: 'item-1', + packageId: 'pkg:npm/lodash', + packageVersion: '4.17.21', + band: 'hot', + score: 85, + uncertaintyFactor: 0.7, + exploitPressure: 0.9, + firstSeenAt: '2026-01-10T12:00:00Z', + lastEvaluatedAt: '2026-01-15T08:00:00Z', + reasonCode: 'Reachability', + reasonCodeShort: 'U-RCH', + observationState: 'Disputed', + conflictInfo: { + hasConflict: true, + severity: 0.8, + suggestedPath: 'RequireManualReview', + conflicts: [{ signal1: 'a', signal2: 'b', type: 'Test', description: '', severity: 0.8 }], + }, + }, + { + id: 'item-2', + packageId: 'pkg:npm/express', + packageVersion: '4.18.0', + band: 'warm', + score: 65, + uncertaintyFactor: 0.5, + exploitPressure: 0.6, + firstSeenAt: '2026-01-11T12:00:00Z', + lastEvaluatedAt: '2026-01-15T09:00:00Z', + reasonCode: 'VEX', + reasonCodeShort: 'U-VEX', + observationState: 'ManualReviewRequired', + }, + { + id: 'item-3', + packageId: 'pkg:npm/axios', + packageVersion: '1.0.0', + band: 'cold', + score: 30, + uncertaintyFactor: 0.3, + exploitPressure: 0.2, + firstSeenAt: '2026-01-12T12:00:00Z', + lastEvaluatedAt: '2026-01-15T10:00:00Z', + reasonCode: 'Static', + reasonCodeShort: 'U-STA', + observationState: 'DeterminedPass', // Not grey queue + }, + { + id: 'item-4', + packageId: 'pkg:npm/react', + packageVersion: '18.0.0', + band: 'hot', + score: 90, + uncertaintyFactor: 0.8, + exploitPressure: 0.95, + firstSeenAt: '2026-01-13T12:00:00Z', + lastEvaluatedAt: '2026-01-15T11:00:00Z', + reasonCode: 'Reachability', + reasonCodeShort: 'U-RCH', + observationState: 'Disputed', + }, + ]; + + beforeEach(async () => { + await TestBed.configureTestingModule({ + imports: [GreyQueueDashboardComponent], + providers: [provideRouter([]), provideHttpClient(), provideHttpClientTesting()], + }).compileComponents(); + + fixture = TestBed.createComponent(GreyQueueDashboardComponent); + component = fixture.componentInstance; + // Manually set items for testing + component['items'].set(mockItems); + fixture.detectChanges(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); + + describe('grey queue filtering', () => { + it('should only include grey queue items in filteredItems', () => { + const filtered = component.filteredItems(); + // item-3 (DeterminedPass) should be excluded + expect(filtered.length).toBe(3); + expect(filtered.every((i) => isGreyQueueState(i.observationState))).toBe(true); + }); + + it('should count grey queue items correctly', () => { + expect(component.greyQueueCount()).toBe(3); + }); + + it('should filter by band', () => { + component['bandFilter'].set('hot'); + fixture.detectChanges(); + const filtered = component.filteredItems(); + expect(filtered.length).toBe(2); + expect(filtered.every((i) => i.band === 'hot')).toBe(true); + }); + + it('should filter by observation state', () => { + component['stateFilter'].set('Disputed'); + fixture.detectChanges(); + const filtered = component.filteredItems(); + expect(filtered.length).toBe(2); + expect(filtered.every((i) => i.observationState === 'Disputed')).toBe(true); + }); + + it('should combine band and state filters', () => { + component['bandFilter'].set('hot'); + component['stateFilter'].set('Disputed'); + fixture.detectChanges(); + const filtered = component.filteredItems(); + expect(filtered.length).toBe(2); + }); + }); + + describe('deterministic ordering', () => { + it('should order by band priority first (HOT < WARM < COLD)', () => { + const filtered = component.filteredItems(); + const bands = filtered.map((i) => i.band); + // HOT items first, then WARM + expect(bands[0]).toBe('hot'); + expect(bands[1]).toBe('hot'); + expect(bands[2]).toBe('warm'); + }); + + it('should order by score descending within same band', () => { + const filtered = component.filteredItems(); + const hotItems = filtered.filter((i) => i.band === 'hot'); + expect(hotItems.length).toBe(2); + // Higher score first + expect(hotItems[0].score).toBeGreaterThan(hotItems[1].score); + }); + + it('should maintain stable order across renders', () => { + const order1 = component.filteredItems().map((i) => i.id); + fixture.detectChanges(); + const order2 = component.filteredItems().map((i) => i.id); + expect(order1).toEqual(order2); + }); + }); + + describe('band priority helper', () => { + it('should return correct priority values', () => { + expect(getBandPriority('hot')).toBe(0); + expect(getBandPriority('warm')).toBe(1); + expect(getBandPriority('cold')).toBe(2); + }); + }); + + describe('grey queue state helper', () => { + it('should identify Disputed as grey queue', () => { + expect(isGreyQueueState('Disputed')).toBe(true); + }); + + it('should identify ManualReviewRequired as grey queue', () => { + expect(isGreyQueueState('ManualReviewRequired')).toBe(true); + }); + + it('should not identify DeterminedPass as grey queue', () => { + expect(isGreyQueueState('DeterminedPass')).toBe(false); + }); + + it('should not identify DeterminedFail as grey queue', () => { + expect(isGreyQueueState('DeterminedFail')).toBe(false); + }); + + it('should handle undefined', () => { + expect(isGreyQueueState(undefined)).toBe(false); + }); + }); + + describe('color helpers', () => { + it('should return correct band colors', () => { + expect(component.getBandColor('hot')).toBe(BAND_COLORS['hot']); + expect(component.getBandColor('warm')).toBe(BAND_COLORS['warm']); + expect(component.getBandColor('cold')).toBe(BAND_COLORS['cold']); + }); + + it('should return correct band labels', () => { + expect(component.getBandLabel('hot')).toBe(BAND_LABELS['hot']); + expect(component.getBandLabel('warm')).toBe(BAND_LABELS['warm']); + expect(component.getBandLabel('cold')).toBe(BAND_LABELS['cold']); + }); + }); + + describe('conflict detection', () => { + it('should detect items with conflicts', () => { + const itemWithConflict = mockItems.find((i) => i.id === 'item-1')!; + expect(component.hasConflicts(itemWithConflict)).toBe(true); + }); + + it('should handle items without conflicts', () => { + const itemWithoutConflict = mockItems.find((i) => i.id === 'item-2')!; + expect(component.hasConflicts(itemWithoutConflict)).toBe(false); + }); + }); +}); diff --git a/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.ts b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.ts new file mode 100644 index 000000000..b2245af4a --- /dev/null +++ b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/grey-queue-dashboard.component.ts @@ -0,0 +1,294 @@ +// Sprint: SPRINT_20260112_011_FE_policy_unknowns_queue_integration (FE-UNK-007) +// Grey Queue Dashboard Component - dedicated view for grey queue items + +import { Component, OnInit, inject, signal, computed } from '@angular/core'; +import { CommonModule, DatePipe } from '@angular/common'; +import { RouterLink } from '@angular/router'; +import { UnknownsClient, PolicyUnknownsListResponse } from '../../core/api/unknowns.client'; +import { + PolicyUnknown, + PolicyUnknownsSummary, + UnknownBand, + BAND_COLORS, + BAND_LABELS, + OBSERVATION_STATE_COLORS, + OBSERVATION_STATE_LABELS, + isGreyQueueState, + hasConflicts, + getBandPriority, +} from '../../core/api/unknowns.models'; + +@Component({ + selector: 'app-grey-queue-dashboard', + standalone: true, + imports: [CommonModule, DatePipe, RouterLink], + template: ` +
+ +
+ +

Grey Queue Dashboard

+

+ Items requiring manual review due to conflicting signals or disputed evidence +

+
+ + + @if (summary()) { +
+
+
Total Grey Queue
+
{{ greyQueueCount() }}
+
+
+
HOT
+
{{ summary()!.hot }}
+
+
+
WARM
+
{{ summary()!.warm }}
+
+
+
COLD
+
{{ summary()!.cold }}
+
+
+ } + + +
+
+
+ + +
+
+ + +
+
+ +
+
+ + + @if (loading()) { +
+
+ Loading grey queue items... +
+ } + + + @if (error()) { +
+ {{ error() }} +
+ } + + + @if (!loading() && !error()) { +
+ + + + + + + + + + + + + + + @for (item of filteredItems(); track item.id) { + + + + + + + + + + + } @empty { + + + + } + +
PackageBandStateScoreConflictsTriggersLast EvaluatedActions
+
{{ item.packageId }}
+
{{ item.packageVersion }}
+ 		+ + {{ getBandLabel(item.band) }} + + + @if (item.observationState) { + + {{ getStateLabel(item.observationState) }} + + } + + {{ item.score | number:'1.1-1' }} + + @if (hasConflicts(item)) { + + {{ item.conflictInfo!.conflicts.length }} + + } @else { + - + } + + {{ item.triggers?.length || 0 }} + + {{ item.lastEvaluatedAt | date:'short' }} + + + Review + +
+ No grey queue items found matching the current filters. +
+
+ } +
+ `, + styles: [ + ` + .grey-queue-dashboard { + min-height: 100vh; + } + `, + ], +}) +export class GreyQueueDashboardComponent implements OnInit { + private readonly client = inject(UnknownsClient); + + readonly items = signal([]); + readonly summary = signal(null); + readonly loading = signal(true); + readonly error = signal(null); + + readonly bandFilter = signal(null); + readonly stateFilter = signal(null); + + readonly greyQueueCount = computed(() => { + return this.items().filter( + (i) => isGreyQueueState(i.observationState) + ).length; + }); + + readonly filteredItems = computed(() => { + let result = this.items().filter((i) => isGreyQueueState(i.observationState)); + + const band = this.bandFilter(); + if (band) { + result = result.filter((i) => i.band === band); + } + + const state = this.stateFilter(); + if (state) { + result = result.filter((i) => i.observationState === state); + } + + // Deterministic ordering: band priority, then score descending + return result.sort((a, b) => { + const bandDiff = getBandPriority(a.band) - getBandPriority(b.band); + if (bandDiff !== 0) return bandDiff; + return b.score - a.score; + }); + }); + + ngOnInit(): void { + this.loadData(); + } + + loadData(): void { + this.loading.set(true); + this.error.set(null); + + // Load summary + this.client.getPolicyUnknownsSummary().subscribe({ + next: (summary) => this.summary.set(summary), + error: () => {}, // Non-critical + }); + + // Load items + this.client.listPolicyUnknowns(undefined, 500).subscribe({ + next: (response) => { + this.items.set(response.items); + this.loading.set(false); + }, + error: (err) => { + this.error.set(err.message || 'Failed to load grey queue items'); + this.loading.set(false); + }, + }); + } + + refresh(): void { + this.loadData(); + } + + onBandFilterChange(event: Event): void { + const value = (event.target as HTMLSelectElement).value; + this.bandFilter.set(value ? (value as UnknownBand) : null); + } + + onStateFilterChange(event: Event): void { + const value = (event.target as HTMLSelectElement).value; + this.stateFilter.set(value || null); + } + + getBandColor(band: UnknownBand): string { + return BAND_COLORS[band] || 'bg-gray-100 text-gray-800'; + } + + getBandLabel(band: UnknownBand): string { + return BAND_LABELS[band] || band.toUpperCase(); + } + + getStateColor(state: string): string { + return OBSERVATION_STATE_COLORS[state as keyof typeof OBSERVATION_STATE_COLORS] || ''; + } + + getStateLabel(state: string): string { + return OBSERVATION_STATE_LABELS[state as keyof typeof OBSERVATION_STATE_LABELS] || state; + } + + hasConflicts(item: PolicyUnknown): boolean { + return hasConflicts(item); + } +} diff --git a/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/unknowns.routes.ts b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/unknowns.routes.ts index a42c2ce5d..1d7132290 100644 --- a/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/unknowns.routes.ts +++ b/src/Web/StellaOps.Web/src/app/features/unknowns-tracking/unknowns.routes.ts @@ -1,4 +1,5 @@ // Sprint: SPRINT_20251229_033_FE - Unknowns Tracking UI +// Sprint: SPRINT_20260112_011_FE_policy_unknowns_queue_integration (FE-UNK-007) import { Routes } from '@angular/router'; export const unknownsRoutes: Routes = [ @@ -12,4 +13,16 @@ export const unknownsRoutes: Routes = [ loadComponent: () => import('./unknown-detail.component').then((m) => m.UnknownDetailComponent), }, + // Sprint: SPRINT_20260112_011_FE_policy_unknowns_queue_integration (FE-UNK-007) + // Grey queue navigation routes + { + path: ':unknownId/determinization', + loadComponent: () => + import('./determinization-review.component').then((m) => m.DeterminizationReviewComponent), + }, + { + path: 'queue/grey', + loadComponent: () => + import('./grey-queue-dashboard.component').then((m) => m.GreyQueueDashboardComponent), + }, ]; diff --git a/src/Web/StellaOps.Web/src/app/features/unknowns/grey-queue-panel.component.spec.ts b/src/Web/StellaOps.Web/src/app/features/unknowns/grey-queue-panel.component.spec.ts new file mode 100644 index 000000000..0dc7ebc7b --- /dev/null +++ b/src/Web/StellaOps.Web/src/app/features/unknowns/grey-queue-panel.component.spec.ts @@ -0,0 +1,211 @@ +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-003) +// Grey Queue Panel Component Tests + +import { ComponentFixture, TestBed } from '@angular/core/testing'; +import { GreyQueuePanelComponent } from './grey-queue-panel.component'; +import { + PolicyUnknown, + BAND_COLORS, + OBSERVATION_STATE_COLORS, +} from '../../core/api/unknowns.models'; + +describe('GreyQueuePanelComponent', () => { + let component: GreyQueuePanelComponent; + let fixture: ComponentFixture; + + const mockUnknown: PolicyUnknown = { + id: 'test-id-123', + packageId: 'pkg:npm/lodash', + packageVersion: '4.17.21', + band: 'hot', + score: 85.5, + uncertaintyFactor: 0.7, + exploitPressure: 0.9, + firstSeenAt: '2026-01-10T12:00:00Z', + lastEvaluatedAt: '2026-01-15T08:00:00Z', + reasonCode: 'Reachability', + reasonCodeShort: 'U-RCH', + fingerprintId: 'sha256:abc123def456', + triggers: [ + { + eventType: 'epss.updated', + eventVersion: 1, + source: 'concelier', + receivedAt: '2026-01-15T07:00:00Z', + correlationId: 'corr-123', + }, + { + eventType: 'vex.updated', + eventVersion: 1, + source: 'excititor', + receivedAt: '2026-01-15T08:00:00Z', + correlationId: 'corr-456', + }, + ], + nextActions: ['request_vex', 'verify_reachability'], + conflictInfo: { + hasConflict: true, + severity: 0.8, + suggestedPath: 'RequireManualReview', + conflicts: [ + { + signal1: 'VEX:not_affected', + signal2: 'Reachability:reachable', + type: 'VexReachabilityContradiction', + description: 'VEX says not affected but reachability shows path', + severity: 0.8, + }, + ], + }, + observationState: 'Disputed', + }; + + beforeEach(async () => { + await TestBed.configureTestingModule({ + imports: [GreyQueuePanelComponent], + }).compileComponents(); + + fixture = TestBed.createComponent(GreyQueuePanelComponent); + component = fixture.componentInstance; + component.unknown = mockUnknown; + fixture.detectChanges(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); + + describe('band display', () => { + it('should display HOT band with correct color', () => { + expect(component.getBandColor()).toBe(BAND_COLORS['hot']); + expect(component.getBandLabel()).toBe('HOT'); + }); + + it('should display WARM band with correct color', () => { + component.unknown = { ...mockUnknown, band: 'warm' }; + fixture.detectChanges(); + expect(component.getBandColor()).toBe(BAND_COLORS['warm']); + expect(component.getBandLabel()).toBe('WARM'); + }); + + it('should display COLD band with correct color', () => { + component.unknown = { ...mockUnknown, band: 'cold' }; + fixture.detectChanges(); + expect(component.getBandColor()).toBe(BAND_COLORS['cold']); + expect(component.getBandLabel()).toBe('COLD'); + }); + }); + + describe('observation state', () => { + it('should display Disputed state', () => { + expect(component.getObservationStateLabel()).toBe('Disputed'); + expect(component.isInGreyQueue()).toBe(true); + }); + + it('should display ManualReviewRequired state as grey queue', () => { + component.unknown = { ...mockUnknown, observationState: 'ManualReviewRequired' }; + fixture.detectChanges(); + expect(component.getObservationStateLabel()).toBe('Review Required'); + expect(component.isInGreyQueue()).toBe(true); + }); + + it('should not show grey queue for DeterminedPass', () => { + component.unknown = { ...mockUnknown, observationState: 'DeterminedPass' }; + fixture.detectChanges(); + expect(component.isInGreyQueue()).toBe(false); + }); + }); + + describe('triggers', () => { + it('should sort triggers by receivedAt descending', () => { + const sorted = component.sortedTriggers(); + expect(sorted.length).toBe(2); + // Most recent first (vex.updated at 08:00) + expect(sorted[0].eventType).toBe('vex.updated'); + expect(sorted[1].eventType).toBe('epss.updated'); + }); + + it('should handle empty triggers', () => { + component.unknown = { ...mockUnknown, triggers: [] }; + fixture.detectChanges(); + expect(component.sortedTriggers().length).toBe(0); + }); + + it('should handle undefined triggers', () => { + component.unknown = { ...mockUnknown, triggers: undefined }; + fixture.detectChanges(); + expect(component.sortedTriggers().length).toBe(0); + }); + }); + + describe('conflicts', () => { + it('should show conflicts when present', () => { + expect(component.showConflicts()).toBe(true); + }); + + it('should not show conflicts when hasConflict is false', () => { + component.unknown = { + ...mockUnknown, + conflictInfo: { ...mockUnknown.conflictInfo!, hasConflict: false }, + }; + fixture.detectChanges(); + expect(component.showConflicts()).toBe(false); + }); + + it('should not show conflicts when conflictInfo is undefined', () => { + component.unknown = { ...mockUnknown, conflictInfo: undefined }; + fixture.detectChanges(); + expect(component.showConflicts()).toBe(false); + }); + + it('should return correct severity color for high severity', () => { + expect(component.getConflictSeverityColor()).toBe('text-red-600'); + }); + + it('should return correct severity color for medium severity', () => { + component.unknown = { + ...mockUnknown, + conflictInfo: { ...mockUnknown.conflictInfo!, severity: 0.6 }, + }; + fixture.detectChanges(); + expect(component.getConflictSeverityColor()).toBe('text-orange-600'); + }); + }); + + describe('next actions', () => { + it('should format action names correctly', () => { + expect(component.formatAction('request_vex')).toBe('Request Vex'); + expect(component.formatAction('verify_reachability')).toBe('Verify Reachability'); + }); + }); + + describe('triage actions', () => { + it('should emit triage action when button clicked', () => { + component.showTriageActions = true; + fixture.detectChanges(); + + const emitSpy = jest.spyOn(component.triageAction, 'emit'); + component.onTriage('accept-risk'); + + expect(emitSpy).toHaveBeenCalledWith({ + unknownId: 'test-id-123', + action: 'accept-risk', + }); + }); + + it('should not show triage buttons by default', () => { + expect(component.showTriageActions).toBe(false); + }); + }); + + describe('deterministic ordering', () => { + it('should maintain stable trigger order across renders', () => { + const triggers1 = component.sortedTriggers(); + fixture.detectChanges(); + const triggers2 = component.sortedTriggers(); + + // Same order on multiple renders + expect(triggers1.map(t => t.eventType)).toEqual(triggers2.map(t => t.eventType)); + }); + }); +}); diff --git a/src/Web/StellaOps.Web/src/app/features/unknowns/grey-queue-panel.component.ts b/src/Web/StellaOps.Web/src/app/features/unknowns/grey-queue-panel.component.ts new file mode 100644 index 000000000..998472e53 --- /dev/null +++ b/src/Web/StellaOps.Web/src/app/features/unknowns/grey-queue-panel.component.ts @@ -0,0 +1,239 @@ +// Sprint: SPRINT_20260112_009_FE_unknowns_queue_ui (FE-UNK-002) +// Grey Queue Panel Component - displays fingerprint, triggers, and manual adjudication state + +import { Component, Input, Output, EventEmitter, computed } from '@angular/core'; +import { CommonModule, DatePipe } from '@angular/common'; +import { + PolicyUnknown, + ReanalysisTrigger, + ConflictInfo, + TriageAction, + BAND_COLORS, + BAND_LABELS, + OBSERVATION_STATE_COLORS, + OBSERVATION_STATE_LABELS, + TRIAGE_ACTION_LABELS, + isGreyQueueState, + hasConflicts, + getConflictSeverityColor, +} from '../../core/api/unknowns.models'; + +@Component({ + selector: 'stella-grey-queue-panel', + standalone: true, + imports: [CommonModule, DatePipe], + template: ` +
+ +
+
+ + {{ getBandLabel() }} + + @if (unknown.observationState) { + + {{ getObservationStateLabel() }} + + } + @if (isInGreyQueue()) { + + Grey Queue + + } +
+
+ Score: {{ unknown.score | number: '1.1-1' }} +
+
+ + + @if (unknown.fingerprintId) { +
+

Fingerprint

+ + {{ unknown.fingerprintId }} + +
+ } + + + @if (unknown.triggers && unknown.triggers.length > 0) { +
+

+ Triggers ({{ unknown.triggers.length }}) +

+
+ @for (trigger of sortedTriggers(); track trigger.receivedAt) { +
+ + {{ trigger.eventType }}@{{ trigger.eventVersion }} + + + {{ trigger.receivedAt | date: 'short' }} + +
+ } +
+
+ } + + + @if (showConflicts()) { +
+

+ ! + Conflicts + + (Severity: {{ unknown.conflictInfo!.severity | number: '1.2-2' }}) + +

+
+ @for (conflict of unknown.conflictInfo!.conflicts; track $index) { +
+
{{ conflict.type }}
+
+ {{ conflict.signal1 }} vs {{ conflict.signal2 }} +
+ @if (conflict.description) { +
{{ conflict.description }}
+ } +
+ } + @if (unknown.conflictInfo!.suggestedPath) { +
+ Suggested: {{ unknown.conflictInfo!.suggestedPath }} +
+ } +
+
+ } + + + @if (unknown.nextActions && unknown.nextActions.length > 0) { +
+

Next Actions

+
+ @for (action of unknown.nextActions; track action) { + + {{ formatAction(action) }} + + } +
+
+ } + + + @if (showTriageActions) { +
+

Triage Actions

+
+ + + + + +
+
+ } +
+ `, + styles: [ + ` + .grey-queue-panel { + min-width: 320px; + } + `, + ], +}) +export class GreyQueuePanelComponent { + @Input({ required: true }) unknown!: PolicyUnknown; + @Input() showTriageActions = false; + + @Output() triageAction = new EventEmitter<{ + unknownId: string; + action: TriageAction; + }>(); + + // Computed: sort triggers by receivedAt descending (most recent first) + sortedTriggers = computed(() => { + if (!this.unknown.triggers) return []; + return [...this.unknown.triggers].sort( + (a, b) => new Date(b.receivedAt).getTime() - new Date(a.receivedAt).getTime() + ); + }); + + getBandColor(): string { + return BAND_COLORS[this.unknown.band] || 'bg-gray-100 text-gray-800'; + } + + getBandLabel(): string { + return BAND_LABELS[this.unknown.band] || this.unknown.band.toUpperCase(); + } + + getObservationStateColor(): string { + if (!this.unknown.observationState) return ''; + return OBSERVATION_STATE_COLORS[this.unknown.observationState] || ''; + } + + getObservationStateLabel(): string { + if (!this.unknown.observationState) return ''; + return OBSERVATION_STATE_LABELS[this.unknown.observationState] || this.unknown.observationState; + } + + isInGreyQueue(): boolean { + return isGreyQueueState(this.unknown.observationState); + } + + showConflicts(): boolean { + return hasConflicts(this.unknown); + } + + getConflictSeverityColor(): string { + if (!this.unknown.conflictInfo) return ''; + return getConflictSeverityColor(this.unknown.conflictInfo.severity); + } + + formatAction(action: string): string { + // Convert snake_case to Title Case + return action + .split('_') + .map(word => word.charAt(0).toUpperCase() + word.slice(1)) + .join(' '); + } + + onTriage(action: TriageAction): void { + this.triageAction.emit({ + unknownId: this.unknown.id, + action, + }); + } +} diff --git a/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.html b/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.html index e9c0b9913..2f16aa816 100644 --- a/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.html +++ b/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.html @@ -90,6 +90,118 @@ } + + + @if (isHardFailOutcome()) { +
+

[!] Hard Fail

+
+ {{ hardFailLabel() }} + @if (shortCircuitLabel()) { + Reason: {{ shortCircuitLabel() }} + } +
+
+ } + + + @if (hasReductionApplied()) { +
+

Reduction Profile

+ @if (reductionDetails(); as rd) { +
+
+ Mode: + {{ rd.modeLabel }} +
+
+ Original Score: + {{ rd.originalScore }} +
+
+ Reduction: + -{{ rd.reductionAmount }} ({{ rd.reductionPercent }}%) +
+ @if (rd.contributingEvidence.length > 0) { +
+ Contributing Evidence: +
    + @for (ev of rd.contributingEvidence; track ev) { +
  • {{ ev }}
    • + } +
+
+ } + @if (rd.cappedByPolicy) { +
+ [Capped by Policy] +
+ } +
+ } +
+ } + + + @if (wasShortCircuited() && !isHardFailOutcome()) { +
+

Short-Circuited

+
+ {{ shortCircuitLabel() }} +
+
+ } + + + @if (hasAnchoredEvidence()) { +
+

[A] Anchored Evidence

+ @if (anchorDetails(); as anchor) { +
+ @if (anchor.dsseDigest) { +
+ DSSE Digest: + + {{ anchor.dsseDigest }} + +
+ } + @if (anchor.rekorLogIndex !== undefined) { +
+ Rekor Log Index: + {{ anchor.rekorLogIndex }} +
+ } + @if (anchor.rekorEntryId) { +
+ Rekor Entry ID: + {{ anchor.rekorEntryId }} +
+ } + @if (anchor.verificationStatus) { +
+ Status: + {{ anchor.verificationStatus }} +
+ } + @if (anchor.verificationError) { +
+ Error: + {{ anchor.verificationError }} +
+ } + @if (anchor.attestationUri) { +
+ + View Full Attestation + +
+ } +
+ } +
+ } + @if (scoreResult().explanations.length > 0) {
diff --git a/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.scss b/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.scss index d216e4aae..25831b906 100644 --- a/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.scss +++ b/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.scss @@ -386,3 +386,181 @@ font-size: 28px; } } + +// Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-002) +// Styles for reduction profile, hard-fail, and anchor sections + +.hard-fail-section { + padding: 12px 16px; + border-bottom: 1px solid #e5e7eb; + background-color: #fef2f2; +} + +.hard-fail-alert { + display: flex; + flex-direction: column; + gap: 4px; + padding: 8px 12px; + background-color: #dc2626; + color: #ffffff; + border-radius: 4px; +} + +.hard-fail-label { + font-weight: 600; +} + +.short-circuit-reason { + font-size: 12px; + opacity: 0.9; +} + +.reduction-section { + padding: 12px 16px; + border-bottom: 1px solid #e5e7eb; +} + +.reduction-details { + display: flex; + flex-direction: column; + gap: 6px; +} + +.reduction-row { + display: flex; + justify-content: space-between; + align-items: center; +} + +.reduction-label { + color: #6b7280; + font-size: 12px; +} + +.reduction-value { + font-weight: 500; + font-variant-numeric: tabular-nums; +} + +.reduction-evidence { + margin-top: 4px; +} + +.evidence-list { + margin: 4px 0 0 16px; + padding: 0; + font-size: 12px; + color: #4b5563; + list-style-type: disc; +} + +.reduction-capped { + margin-top: 4px; +} + +.capped-indicator { + display: inline-block; + padding: 2px 8px; + font-size: 11px; + font-weight: 500; + color: #92400e; + background-color: #fef3c7; + border-radius: 4px; +} + +.short-circuit-section { + padding: 12px 16px; + border-bottom: 1px solid #e5e7eb; + background-color: #fefce8; +} + +.short-circuit-info { + padding: 8px 12px; + background-color: #f59e0b; + color: #000000; + border-radius: 4px; +} + +.short-circuit-label { + font-weight: 500; +} + +.anchor-section { + padding: 12px 16px; + border-bottom: 1px solid #e5e7eb; + background-color: #f5f3ff; +} + +.anchor-details { + display: flex; + flex-direction: column; + gap: 8px; +} + +.anchor-row { + display: flex; + flex-direction: column; + gap: 2px; +} + +.anchor-label { + color: #6b7280; + font-size: 11px; + text-transform: uppercase; + letter-spacing: 0.5px; +} + +.anchor-value { + font-weight: 500; + word-break: break-all; + + &.mono { + font-family: 'SF Mono', 'Consolas', 'Monaco', monospace; + font-size: 12px; + } + + &.verification-status { + color: #059669; + } +} + +.anchor-error { + padding: 8px; + background-color: #fef2f2; + border-radius: 4px; +} + +.error-label { + color: #dc2626; + font-size: 11px; + font-weight: 600; +} + +.error-message { + display: block; + margin-top: 2px; + color: #7f1d1d; + font-size: 12px; +} + +.attestation-link { + display: inline-block; + padding: 6px 12px; + font-size: 12px; + font-weight: 500; + color: #7c3aed; + background-color: #ede9fe; + border-radius: 4px; + text-decoration: none; + transition: background-color 0.15s; + + &:hover { + background-color: #ddd6fe; + } + + &:focus-visible { + outline: 2px solid #7c3aed; + outline-offset: 2px; + } +} + diff --git a/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.ts b/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.ts index 07297465e..14fbe1a51 100644 --- a/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.ts +++ b/src/Web/StellaOps.Web/src/app/shared/components/score/score-breakdown-popover.component.ts @@ -18,6 +18,16 @@ import { FLAG_DISPLAY, getBucketForScore, ScoreFlag, + // Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-002) + REDUCTION_MODE_LABELS, + SHORT_CIRCUIT_LABELS, + HARD_FAIL_LABELS, + ANCHOR_VERIFICATION_LABELS, + isAnchored, + isHardFail, + wasShortCircuited, + hasReduction, + getReductionPercent, } from '../../../core/api/scoring.models'; /** @@ -115,6 +125,76 @@ export class ScoreBreakdownPopoverComponent { return guardrails; }); + // Sprint: SPRINT_20260112_004_FE_attested_score_ui (FE-ATT-002) + // Reduction profile and anchor computed properties + + /** Whether score has reduction applied */ + readonly hasReductionApplied = computed(() => hasReduction(this.scoreResult())); + + /** Reduction profile details */ + readonly reductionDetails = computed(() => { + const score = this.scoreResult(); + if (!score.reductionProfile) return null; + + const profile = score.reductionProfile; + return { + modeLabel: REDUCTION_MODE_LABELS[profile.mode], + originalScore: profile.originalScore, + reductionAmount: profile.reductionAmount, + reductionPercent: getReductionPercent(score), + contributingEvidence: profile.contributingEvidence, + cappedByPolicy: profile.cappedByPolicy, + }; + }); + + /** Whether score was short-circuited */ + readonly wasShortCircuited = computed(() => wasShortCircuited(this.scoreResult())); + + /** Short-circuit reason label */ + readonly shortCircuitLabel = computed(() => { + const reason = this.scoreResult().shortCircuitReason; + return reason ? SHORT_CIRCUIT_LABELS[reason] : null; + }); + + /** Whether score is a hard-fail outcome */ + readonly isHardFailOutcome = computed(() => isHardFail(this.scoreResult())); + + /** Hard-fail status label */ + readonly hardFailLabel = computed(() => { + const status = this.scoreResult().hardFailStatus; + return status ? HARD_FAIL_LABELS[status] : null; + }); + + /** Whether score has anchored evidence */ + readonly hasAnchoredEvidence = computed(() => isAnchored(this.scoreResult())); + + /** Proof anchor details */ + readonly anchorDetails = computed(() => { + const anchor = this.scoreResult().proofAnchor; + if (!anchor || !anchor.anchored) return null; + + return { + dsseDigest: anchor.dsseDigest ? this.truncateDigest(anchor.dsseDigest) : null, + fullDsseDigest: anchor.dsseDigest, + rekorLogIndex: anchor.rekorLogIndex, + rekorEntryId: anchor.rekorEntryId, + attestationUri: anchor.attestationUri, + verificationStatus: anchor.verificationStatus + ? ANCHOR_VERIFICATION_LABELS[anchor.verificationStatus] + : null, + verificationError: anchor.verificationError, + verifiedAt: anchor.verifiedAt, + }; + }); + + /** Truncate digest for display */ + private truncateDigest(digest: string): string { + if (digest.length <= 24) return digest; + const prefix = digest.substring(0, 16); + const suffix = digest.substring(digest.length - 8); + return `${prefix}...${suffix}`; + } + constructor() { // Update position when anchor changes effect(() => { diff --git a/src/__Tests/StellaOps.Evidence.Bundle.Tests/BinaryDiffEvidenceTests.cs b/src/__Tests/StellaOps.Evidence.Bundle.Tests/BinaryDiffEvidenceTests.cs new file mode 100644 index 000000000..df6933724 --- /dev/null +++ b/src/__Tests/StellaOps.Evidence.Bundle.Tests/BinaryDiffEvidenceTests.cs @@ -0,0 +1,305 @@ +// +// SPDX-License-Identifier: AGPL-3.0-or-later +// Sprint: SPRINT_20260112_008_LB_binary_diff_evidence_models (BINDIFF-LB-004) +// + +using System; +using System.Collections.Immutable; +using Microsoft.Extensions.Time.Testing; +using StellaOps.TestKit; +using Xunit; + +namespace StellaOps.Evidence.Bundle.Tests; + +[Trait("Category", TestCategories.Unit)] +public sealed class BinaryDiffEvidenceTests +{ + private readonly FakeTimeProvider _timeProvider = new(new DateTimeOffset(2026, 1, 15, 10, 30, 0, TimeSpan.Zero)); + + [Fact] + public void Builder_WithBinaryDiff_IncludesInBundle() + { + // Arrange + var binaryDiff = new BinaryDiffEvidence + { + Status = EvidenceStatus.Available, + Hash = "sha256:abc123", + PreviousBinaryDigest = "sha256:old123", + CurrentBinaryDigest = "sha256:new456", + DiffType = BinaryDiffType.Semantic, + SimilarityScore = 0.95 + }; + + // Act + var bundle = new EvidenceBundleBuilder(_timeProvider) + .WithAlertId("ALERT-001") + .WithArtifactId("sha256:abc123") + .WithBinaryDiff(binaryDiff) + .Build(); + + // Assert + Assert.NotNull(bundle.BinaryDiff); + Assert.Equal(EvidenceStatus.Available, bundle.BinaryDiff.Status); + Assert.Equal("sha256:abc123", bundle.BinaryDiff.Hash); + Assert.Equal(0.95, bundle.BinaryDiff.SimilarityScore); + } + + [Fact] + public void ComputeCompletenessScore_WithBinaryDiff_IncreasesScore() + { + // Arrange & Act - Bundle without binary diff + var bundleWithout = new EvidenceBundleBuilder(_timeProvider) + .WithAlertId("ALERT-001") + .WithArtifactId("sha256:abc123") + .WithReachability(new ReachabilityEvidence { Status = EvidenceStatus.Available }) + .Build(); + + // Bundle with binary diff + var bundleWith = new EvidenceBundleBuilder(_timeProvider) + .WithAlertId("ALERT-002") + .WithArtifactId("sha256:abc123") + .WithReachability(new ReachabilityEvidence { Status = EvidenceStatus.Available }) + .WithBinaryDiff(new BinaryDiffEvidence { Status = EvidenceStatus.Available }) + .Build(); + + // Assert + Assert.True(bundleWith.ComputeCompletenessScore() > bundleWithout.ComputeCompletenessScore()); + } + + [Fact] + public void StatusSummary_IncludesBinaryDiffStatus() + { + // Arrange + var binaryDiff = new BinaryDiffEvidence + { + Status = EvidenceStatus.Available, + DiffType = BinaryDiffType.Semantic + }; + + // Act + var bundle = new EvidenceBundleBuilder(_timeProvider) + .WithAlertId("ALERT-001") + .WithArtifactId("sha256:abc123") + .WithBinaryDiff(binaryDiff) + .Build(); + + // Assert + var summary = bundle.CreateStatusSummary(); + Assert.Equal(EvidenceStatus.Available, summary.BinaryDiff); + } + + [Fact] + public void BinaryDiff_FunctionChanges_PreservesDeterministicOrder() + { + // Arrange - Create function changes in unsorted order + var functionChanges = ImmutableArray.Create( + new BinaryFunctionDiff + { + FunctionName = "z_function", + Operation = BinaryDiffOperation.Modified, + PreviousHash = "sha256:old1", + CurrentHash = "sha256:new1" + }, + new BinaryFunctionDiff + { + FunctionName = "a_function", + Operation = BinaryDiffOperation.Added, + CurrentHash = "sha256:new2" + }, + new BinaryFunctionDiff + { + FunctionName = "m_function", + Operation = BinaryDiffOperation.Removed, + PreviousHash = "sha256:old3" + } + ); + + var binaryDiff = new BinaryDiffEvidence + { + Status = EvidenceStatus.Available, + FunctionChanges = functionChanges.Sort((a, b) => + string.Compare(a.FunctionName, b.FunctionName, StringComparison.Ordinal)) + }; + + // Act + var bundle = new EvidenceBundleBuilder(_timeProvider) + .WithAlertId("ALERT-001") + .WithArtifactId("sha256:abc123") + .WithBinaryDiff(binaryDiff) + .Build(); + + // Assert - Should be sorted alphabetically + Assert.Equal("a_function", bundle.BinaryDiff!.FunctionChanges[0].FunctionName); + Assert.Equal("m_function", bundle.BinaryDiff.FunctionChanges[1].FunctionName); + Assert.Equal("z_function", bundle.BinaryDiff.FunctionChanges[2].FunctionName); + } + + [Fact] + public void BinaryDiff_SecurityChanges_CapturesMitigationChanges() + { + // Arrange + var securityChanges = ImmutableArray.Create( + new BinarySecurityChange + { + ChangeType = BinarySecurityChangeType.MitigationAdded, + Description = "Stack canaries enabled", + AffectedSymbols = ImmutableArray.Create("main", "process_input"), + Severity = "info" + }, + new BinarySecurityChange + { + ChangeType = BinarySecurityChangeType.MitigationRemoved, + Description = "ASLR disabled", + Severity = "high" + } + ); + + var binaryDiff = new BinaryDiffEvidence + { + Status = EvidenceStatus.Available, + SecurityChanges = securityChanges + }; + + // Act + var bundle = new EvidenceBundleBuilder(_timeProvider) + .WithAlertId("ALERT-001") + .WithArtifactId("sha256:abc123") + .WithBinaryDiff(binaryDiff) + .Build(); + + // Assert + Assert.Equal(2, bundle.BinaryDiff!.SecurityChanges.Length); + Assert.Contains(bundle.BinaryDiff.SecurityChanges, + c => c.ChangeType == BinarySecurityChangeType.MitigationAdded); + Assert.Contains(bundle.BinaryDiff.SecurityChanges, + c => c.ChangeType == BinarySecurityChangeType.MitigationRemoved); + } + + [Fact] + public void BinaryDiff_SemanticDiff_CapturesFingerprints() + { + // Arrange + var semanticDiff = new BinarySemanticDiff + { + PreviousFingerprint = "fp:abc123", + CurrentFingerprint = "fp:def456", + SimilarityScore = 0.87, + SemanticChanges = ImmutableArray.Create("control_flow_modified", "data_flow_changed") + }; + + var binaryDiff = new BinaryDiffEvidence + { + Status = EvidenceStatus.Available, + SemanticDiff = semanticDiff + }; + + // Act + var bundle = new EvidenceBundleBuilder(_timeProvider) + .WithAlertId("ALERT-001") + .WithArtifactId("sha256:abc123") + .WithBinaryDiff(binaryDiff) + .Build(); + + // Assert + Assert.NotNull(bundle.BinaryDiff!.SemanticDiff); + Assert.Equal(0.87, bundle.BinaryDiff.SemanticDiff.SimilarityScore); + Assert.Equal(2, bundle.BinaryDiff.SemanticDiff.SemanticChanges.Length); + } + + [Fact] + public void BinaryDiff_Unavailable_CapturesReason() + { + // Arrange + var binaryDiff = new BinaryDiffEvidence + { + Status = EvidenceStatus.Unavailable, + UnavailableReason = "No previous scan available for comparison" + }; + + // Act + var bundle = new EvidenceBundleBuilder(_timeProvider) + .WithAlertId("ALERT-001") + .WithArtifactId("sha256:abc123") + .WithBinaryDiff(binaryDiff) + .Build(); + + // Assert + Assert.Equal(EvidenceStatus.Unavailable, bundle.BinaryDiff!.Status); + Assert.Equal("No previous scan available for comparison", bundle.BinaryDiff.UnavailableReason); + } + + [Fact] + public void Hashes_IncludesBinaryDiffHash() + { + // Arrange + var binaryDiff = new BinaryDiffEvidence + { + Status = EvidenceStatus.Available, + Hash = "binarydiffhash123" + }; + + // Act + var bundle = new EvidenceBundleBuilder(_timeProvider) + .WithAlertId("ALERT-001") + .WithArtifactId("sha256:abc123") + .WithBinaryDiff(binaryDiff) + .Build(); + + // Assert + Assert.Contains(bundle.Hashes.Hashes, h => h.Value == "binarydiffhash123"); + } + + [Fact] + public void BinaryDiff_DiffTypes_AllSupported() + { + // Arrange & Act - Test all diff types + var diffTypes = new[] + { + BinaryDiffType.None, + BinaryDiffType.Structural, + BinaryDiffType.Semantic, + BinaryDiffType.Full + }; + + foreach (var diffType in diffTypes) + { + var binaryDiff = new BinaryDiffEvidence + { + Status = EvidenceStatus.Available, + DiffType = diffType + }; + + var bundle = new EvidenceBundleBuilder(_timeProvider) + .WithAlertId($"ALERT-{diffType}") + .WithArtifactId("sha256:abc123") + .WithBinaryDiff(binaryDiff) + .Build(); + + // Assert + Assert.Equal(diffType, bundle.BinaryDiff!.DiffType); + } + } + + [Fact] + public void SchemaVersion_UpdatedForBinaryDiff() + { + // Arrange + var binaryDiff = new BinaryDiffEvidence + { + Status = EvidenceStatus.Available + }; + + // Act + var bundle = new EvidenceBundleBuilder(_timeProvider) + .WithAlertId("ALERT-001") + .WithArtifactId("sha256:abc123") + .WithBinaryDiff(binaryDiff) + .Build(); + + // Assert - Schema version should be 1.1 or higher when binary diff is included + Assert.True( + bundle.SchemaVersion == "1.1" || + Version.Parse(bundle.SchemaVersion) >= Version.Parse("1.1"), + $"Expected schema version >= 1.1, got {bundle.SchemaVersion}"); + } +}