consolidation of some of the modules, localization fixes, product advisories work, qa work

This commit is contained in:
master
2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions


@@ -102,3 +102,42 @@ Verification coverage:
- Full telemetry core test suite pass (`262` tests) remains green after integration.
Refer to the module README and implementation plan for immediate context, and update this document once component boundaries and data flows are finalised.
## 8) Federation DSSE Security Posture (Updated 2026-03-04)
Status:
- Advisory gap `TEL-001` is closed. Federation consent and bundle paths now emit signed DSSE envelopes instead of payload passthrough placeholders.
Implemented contract:
- Consent and bundle envelopes now use explicit DSSE JSON structure: `payloadType`, base64 `payload`, and `signatures[]` (`keyid`, `sig`).
- Consent proofs and bundle summaries carry signer identity metadata (`SignerKeyId`) for auditability.
- Bundle payload canonicalization is deterministic for identical logical inputs:
- bucket ordering: `cveId` (ordinal), then `noisyCount` (descending), `artifactCount`, `observationCount`
- deterministic bundle ID derivation from canonical payload seed + fixed clock input
- Bundle verification enforces:
- envelope digest integrity (`sha256:` over envelope bytes)
- payload type match
- trusted-key signature verification
- consent digest linkage (`consentDigest` in payload must match `ConsentDsseDigest`)
Signer/verifier integration and fallback:
- Federation now uses explicit abstractions:
- `IFederationDsseEnvelopeSigner`
- `IFederationDsseEnvelopeVerifier`
- Default adapter: `HmacFederationDsseEnvelopeService` (offline-safe HMAC-SHA256 DSSE sign/verify using local trusted key map in `FederatedTelemetryOptions`).
- Failure mode is deterministic and auditable:
- signing failures throw `FederationSignatureException` with stable error codes (for example `federation.dsse.sign_failed`, `federation.dsse.signer_unavailable`)
- optional unsigned fallback (`AllowUnsignedDsseFallback`) emits envelopes tagged with `offline-unsigned-fallback` for explicit operator visibility.
Verification evidence:
- `dotnet test src/Telemetry/StellaOps.Telemetry.Federation.Tests/StellaOps.Telemetry.Federation.Tests.csproj -m:1 -v minimal`
- Result: `47` passed, `0` failed.
- Coverage includes payload tamper, signature tamper, wrong-key verification failure, consent expiry + signature validity combination, and deterministic replay digest checks.
Tracking sprint:
- `docs/implplan/SPRINT_20260304_307_Telemetry_federation_dsse_bundle_hardening.md`
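Review bot: the `AllowUnsignedDsseFallback` bullet describes how unsigned envelopes are tagged (`offline-unsigned-fallback`) but not what the verifier does with them, which is the property that matters for closing `TEL-001`; please state the option's default (it should be off) and whether `IFederationDsseEnvelopeVerifier` rejects an envelope with an empty `signatures[]` regardless of the tag, otherwise the "payload passthrough" gap is only renamed, not closed. Two further points on the same section: the "Bundle verification enforces" list says signatures are checked against trusted keys but never says what bytes are signed; per DSSE the signature must be over PAE(`payloadType`, `payload`), not over the raw payload or the envelope bytes, and the `sha256:` envelope digest is only a linkage identifier, so spell that out so an implementer does not conflate the two. And since the default adapter is `HmacFederationDsseEnvelopeService`, `keyid`/`SignerKeyId` identify a shared secret rather than a signer: any holder of the trusted-key map can produce valid envelopes, so the "auditability" claim should be qualified (integrity and key-scoped authentication, not non-repudiation) and the doc should note whether an asymmetric adapter is planned for cross-tenant federation.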