stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Add post-quantum cryptography support with PqSoftCryptoProvider
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
wine-csp-build / Build Wine CSP Image (push) Has been cancelled
Details

Browse Source 
- Implemented PqSoftCryptoProvider for software-only post-quantum algorithms (Dilithium3, Falcon512) using BouncyCastle.
- Added PqSoftProviderOptions and PqSoftKeyOptions for configuration.
- Created unit tests for Dilithium3 and Falcon512 signing and verification.
- Introduced EcdsaPolicyCryptoProvider for compliance profiles (FIPS/eIDAS) with explicit allow-lists.
- Added KcmvpHashOnlyProvider for KCMVP baseline compliance.
- Updated project files and dependencies for new libraries and testing frameworks.
This commit is contained in:
StellaOps Bot
2025-12-07 15:04:19 +02:00
parent 862bb6ed80
commit 98e6b76584
119 changed files with 11436 additions and 1732 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
docs/api/console/samples/console-export-manifest.json
View File

@@ -3,34 +3,51 @@
"exportId": "console-export::tenant-default::2025-12-06::0007",
"tenantId": "tenant-default",
"generatedAt": "2025-12-06T12:11:05Z",
"expiresAt": "2025-12-13T12:11:05Z",
"items": [
{
"type": "advisory",
"id": "CVE-2024-12345",
"format": "json",
"url": "https://exports.local/tenant-default/0007/CVE-2024-12345.json?sig=...",
"sha256": "cafe0001..."
"sha256": "sha256:cafe0001...",
"size": 18432
},
{
"type": "vex",
"id": "vex:tenant-default:jwt-auth:5d1a",
"format": "ndjson",
"url": "https://exports.local/tenant-default/0007/vex-jwt-auth.ndjson?sig=...",
"sha256": "cafe0002..."
"sha256": "sha256:cafe0002...",
"size": 9216
},
{
"type": "policy",
"id": "policy://tenant-default/runtime-hardening",
"format": "json",
"url": "https://exports.local/tenant-default/0007/policy-runtime-hardening.json?sig=...",
"sha256": "cafe0003..."
"sha256": "sha256:cafe0003...",
"size": 16384
},
{
"type": "scan",
"id": "scan::tenant-default::auth-api::2025-11-07",
"format": "ndjson",
"url": "https://exports.local/tenant-default/0007/scan-auth-api.ndjson?sig=...",
"sha256": "cafe0004..."
"sha256": "sha256:cafe0004...",
"size": 32768
},
{
"type": "bundle",
"id": "console-export::tenant-default::2025-12-06::0007",
"format": "tar.gz",
"url": "https://exports.local/tenant-default/0007/bundle.tar.gz?sig=...",
"sha256": "sha256:deadbeefcafefeed00000000000000000000000000000000000000000000000",
"size": 48732102
}
],
"checksums": {
"manifest": "c0ffee...",
"bundle": "deadbeef..."
"manifest": "sha256:c0ffee00000000000000000000000000000000000000000000000000000000",
"bundle": "sha256:deadbeef000000000000000000000000000000000000000000000000000000"
}
}

49
docs/api/console/workspaces.md
View File

@@ -310,11 +310,11 @@ data: {
> Until backend implementations ship, use the examples above to unblock DOCS-AIAI-31-004; replace them with live captures once the gateway endpoints are available in staging.
## Exports (draft contract v0.3)
## Exports (draft contract v0.4 for sign-off)
### Routes
- `POST /console/exports` — start an evidence bundle export job.
- `GET /console/exports/{exportId}` — fetch job status and download locations.
- `GET /console/exports/{exportId}` — fetch job status, manifest link, and download locations.
- `GET /console/exports/{exportId}/events` — SSE stream of job progress (optional).
### Security / headers
@@ -329,19 +329,20 @@ data: {
```jsonc
{
"scope": { "tenantId": "t1", "projectId": "p1" },
"sources": [ { "type": "advisory", "ids": ["CVE-2024-12345"] } ],
"sources": [
{ "type": "advisory", "ids": ["CVE-2024-12345"] },
{ "type": "vex", "ids": ["vex:tenant-default:jwt-auth:5d1a"] }
],
"formats": ["json", "ndjson", "csv"],
"attestations": { "include": true, "sigstoreBundle": true },
"attestations": { "include": true, "sigstoreBundle": true, "dsse": true },
"notify": { "webhooks": ["https://hooks.local/export"], "email": ["secops@example.com"] },
"priority": "normal"
}
```
### Response: 202 Accepted
- `exportId`: string
- `status`: `queued|running|succeeded|failed|expired`
- `estimateSeconds`: int
- `retryAfter`: int seconds (for polling)
- `exportId`, `status: queued|running|succeeded|failed|expired`
- `estimateSeconds`, `retryAfter` (seconds)
- `links`: `{ status: url, events?: url }`
### Response: GET status
@@ -351,7 +352,14 @@ data: {
"status": "running",
"estimateSeconds": 420,
"outputs": [
{ "type": "manifest", "format": "json", "url": "https://.../manifest.json?sig=...", "sha256": "...", "expiresAt": "2025-12-06T13:10:00Z" }
{
"type": "manifest",
"format": "json",
"url": "https://exports.local/tenant-default/0007/manifest.json?sig=...",
"sha256": "sha256:c0ffee...",
"dsseUrl": "https://exports.local/tenant-default/0007/manifest.dsse?sig=...",
"expiresAt": "2025-12-06T13:10:00Z"
}
],
"progress": { "percent": 42, "itemsCompleted": 210, "itemsTotal": 500, "assetsReady": 12 },
"errors": []
@@ -361,25 +369,34 @@ data: {
### Response: SSE events
- `started`: `{ exportId, status }`
- `progress`: `{ exportId, percent, itemsCompleted, itemsTotal }`
- `asset_ready`: `{ exportId, type, id, url, sha256 }`
- `completed`: `{ exportId, status: "succeeded", manifestUrl }`
- `failed`: `{ exportId, status: "failed", code, message }`
- `asset_ready`: `{ exportId, type, id, url, sha256, format }`
- `completed`: `{ exportId, status: "succeeded", manifestUrl, manifestDsseUrl? }`
- `failed`: `{ exportId, status: "failed", code, message, retryAfterSeconds? }`
### Manifest shape (downloaded via outputs)
- `version`: string (date)
- `exportId`, `tenantId`, `generatedAt`
- `items[]`: `{ type: advisory|vex|policy|scan, id, url, sha256 }`
- `checksums`: `{ manifest, bundle }`
- Ordering: sort items by `(type asc, id asc, format asc, url asc)`.
- `version`: string (date), `exportId`, `tenantId`, `generatedAt`, `expiresAt`
- `items[]`: `{ type: advisory|vex|policy|scan|chart|bundle, id, format, url, sha256, size }`
- `checksums`: `{ manifest: "sha256:<digest>", bundle?: "sha256:<digest>" }`
- Optional DSSE envelope for manifest: `manifest.dsse` (payload type `stellaops.console.manifest`).
### Limits (proposed)
- Max request body 256 KiB; max sources 50; max outputs 1000 assets/export.
- Max bundle size 500 MiB compressed.
- Default job timeout 30 minutes; idle SSE timeout 60s; backoff via `Retry-After`.
### Determinism, caching, retry
- Responses set `Cache-Control: public, max-age=300, stale-while-revalidate=60, stale-if-error=300`.
- `ETag` is SHA-256 over sorted payload; clients send `If-None-Match`.
- Respect `Retry-After`; client backoff `1s,2s,4s,8s` capped at 30s.
- Cursors (if introduced later) MUST be opaque, base64url, signed with tenant + sortKeys.
### Error codes (proposal)
- `ERR_CONSOLE_EXPORT_INVALID_SOURCE`
- `ERR_CONSOLE_EXPORT_TOO_LARGE`
- `ERR_CONSOLE_EXPORT_RATE_LIMIT`
- `ERR_CONSOLE_EXPORT_UNAVAILABLE`
- `ERR_CONSOLE_EXPORT_EXPIRED`
### Samples
- Request: `docs/api/console/samples/console-export-request.json`

331
docs/deploy/wine-csp-container.md Normal file
View File

@@ -0,0 +1,331 @@
# Wine CSP Container Deployment Guide
> **SECURITY WARNING:** The Wine CSP container is for **TEST VECTOR GENERATION ONLY**.
> It **MUST NOT** be used for production cryptographic signing operations.
> All signatures produced by this service should be treated as test artifacts.
## Overview
The Wine CSP container provides GOST cryptographic operations (GOST R 34.10-2012, GOST R 34.11-2012) via a Wine-hosted CryptoPro CSP environment. This enables Linux-based StellaOps deployments to generate GOST test vectors and validate cross-platform cryptographic interoperability.
### Architecture
```
┌─────────────────────────────────────────────────────────────────────┐
│ Wine CSP Container │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Ubuntu 22.04 (linux/amd64) │ │
│ │ ┌───────────────┐ ┌────────────────────────────────────────┐ │ │
│ │ │ Xvfb │ │ Wine 64-bit Environment │ │ │
│ │ │ (display :99) │───>│ ┌──────────────────────────────────┐ │ │ │
│ │ └───────────────┘ │ │ WineCspService.exe (.NET 8) │ │ │ │
│ │ │ │ ┌────────────────────────────┐ │ │ │ │
│ │ │ │ │ GostCryptography.dll │ │ │ │ │
│ │ │ │ │ (MIT-licensed fork) │ │ │ │ │
│ │ │ │ └────────────────────────────┘ │ │ │ │
│ │ │ │ ┌────────────────────────────┐ │ │ │ │
│ │ │ │ │ CryptoPro CSP (optional) │ │ │ │ │
│ │ │ │ │ (customer-provided) │ │ │ │ │
│ │ │ │ └────────────────────────────┘ │ │ │ │
│ │ │ └──────────────────────────────────┘ │ │ │
│ │ └────────────────────────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │ │
│ │ HTTP API (port 5099) │
│ ▼ │
└─────────────────────────────────────────────────────────────────────┘
```
## Deployment Modes
### Limited Mode (Default)
Operates without CryptoPro CSP using the open-source GostCryptography library:
- **Capabilities:** Basic GOST signing/verification, hashing
- **Requirements:** None (self-contained)
- **Use Case:** Development, testing, CI/CD pipelines
```bash
docker run -p 5099:5099 -e WINE_CSP_MODE=limited wine-csp:latest
```
### Full Mode
Enables full CryptoPro CSP functionality with customer-provided installer:
- **Capabilities:** Full GOST R 34.10-2012/34.11-2012, hardware token support
- **Requirements:** Licensed CryptoPro CSP installer MSI
- **Use Case:** Test vector generation matching production CSP output
```bash
docker run -p 5099:5099 \
-e WINE_CSP_MODE=full \
-v /path/to/csp-5.0.msi:/opt/cryptopro/csp-installer.msi:ro \
wine-csp:latest
```
## API Endpoints
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/health` | GET | Health check (Healthy/Degraded/Unhealthy) |
| `/health/liveness` | GET | Kubernetes liveness probe |
| `/health/readiness` | GET | Kubernetes readiness probe |
| `/status` | GET | Service status with CSP availability |
| `/keys` | GET | List available signing keys |
| `/sign` | POST | Sign data with GOST R 34.10-2012 |
| `/verify` | POST | Verify GOST signature |
| `/hash` | POST | Compute GOST R 34.11-2012 hash |
| `/test-vectors` | GET | Generate deterministic test vectors |
### Request/Response Examples
#### Sign Request
```http
POST /sign
Content-Type: application/json
{
"keyId": "test-key-256",
"algorithm": "GOST12-256",
"data": "SGVsbG8gV29ybGQ="
}
```
Response:
```json
{
"signature": "MEQCIFh...",
"algorithm": "GOST12-256",
"keyId": "test-key-256",
"timestamp": "2025-12-07T12:00:00Z"
}
```
#### Hash Request
```http
POST /hash
Content-Type: application/json
{
"algorithm": "STREEBOG-256",
"data": "SGVsbG8gV29ybGQ="
}
```
Response:
```json
{
"hash": "5a7f...",
"algorithm": "STREEBOG-256"
}
```
## Docker Compose Integration
### Development Environment
Add to your `docker-compose.dev.yaml`:
```yaml
services:
wine-csp:
image: registry.stella-ops.org/stellaops/wine-csp:2025.10.0-edge
restart: unless-stopped
environment:
WINE_CSP_PORT: "5099"
WINE_CSP_MODE: "limited"
WINE_CSP_LOG_LEVEL: "Information"
volumes:
- wine-csp-prefix:/home/winecsp/.wine
- wine-csp-logs:/var/log/wine-csp
ports:
- "5099:5099"
networks:
- stellaops
healthcheck:
test: ["/usr/local/bin/healthcheck.sh"]
interval: 30s
timeout: 10s
start_period: 90s
retries: 3
deploy:
resources:
limits:
memory: 2G
volumes:
wine-csp-prefix:
wine-csp-logs:
```
### With CryptoPro CSP Installer
```yaml
services:
wine-csp:
image: registry.stella-ops.org/stellaops/wine-csp:2025.10.0-edge
environment:
WINE_CSP_MODE: "full"
volumes:
- wine-csp-prefix:/home/winecsp/.wine
- /secure/path/to/csp-5.0.msi:/opt/cryptopro/csp-installer.msi:ro
```
## Environment Variables
| Variable | Default | Description |
|----------|---------|-------------|
| `WINE_CSP_PORT` | `5099` | HTTP API port |
| `WINE_CSP_MODE` | `limited` | Operation mode: `limited` or `full` |
| `WINE_CSP_INSTALLER_PATH` | `/opt/cryptopro/csp-installer.msi` | Path to CSP installer |
| `WINE_CSP_LOG_LEVEL` | `Information` | Log level (Trace/Debug/Information/Warning/Error) |
| `ASPNETCORE_ENVIRONMENT` | `Production` | ASP.NET Core environment |
| `WINEDEBUG` | `-all` | Wine debug output (set to `warn+all` for troubleshooting) |
## Volume Mounts
| Path | Purpose | Persistence |
|------|---------|-------------|
| `/home/winecsp/.wine` | Wine prefix (CSP installation, keys) | Required for full mode |
| `/opt/cryptopro` | CSP installer directory (read-only) | Optional |
| `/var/log/wine-csp` | Service logs | Recommended |
## Security Considerations
### Production Restrictions
1. **Never expose to public networks** - Internal use only
2. **No sensitive keys** - Use only test keys
3. **Audit logging** - Enable verbose logging for forensics
4. **Network isolation** - Place in dedicated network segment
5. **Read-only root filesystem** - Not supported due to Wine requirements
### Container Security
- **Non-root user:** Runs as `winecsp` (UID 10001)
- **No capabilities:** No elevated privileges required
- **Minimal packages:** Only Wine and dependencies installed
- **Security labels:** Container labeled `test-vectors-only=true`
### CryptoPro CSP Licensing
CryptoPro CSP is commercial software. StellaOps does **not** distribute CryptoPro CSP:
1. Customer must provide their own licensed CSP installer
2. Mount the MSI file as read-only volume
3. Installation occurs on first container start
4. License persisted in Wine prefix volume
See `docs/legal/crypto-compliance-review.md` for distribution matrix.
## Known Limitations
| Limitation | Impact | Mitigation |
|------------|--------|------------|
| **linux/amd64 only** | No ARM64 support | Deploy on x86_64 hosts |
| **Large image (~1GB)** | Storage/bandwidth | Air-gap bundles, layer caching |
| **Slow startup (60-90s)** | Health check delays | Extended `start_period` |
| **Writable filesystem** | Security hardening | Minimize writable paths |
| **Wine compatibility** | Potential CSP issues | Test with specific CSP version |
## Troubleshooting
### Container Won't Start
```bash
# Check container logs
docker logs wine-csp
# Verify Wine initialization
docker exec wine-csp ls -la /home/winecsp/.wine
# Check for Wine errors
docker exec wine-csp cat /var/log/wine-csp/*.log
```
### Health Check Failing
```bash
# Manual health check
docker exec wine-csp wget -q -O - http://127.0.0.1:5099/health
# Check Xvfb is running
docker exec wine-csp pgrep Xvfb
# Verbose Wine output
docker exec -e WINEDEBUG=warn+all wine-csp wine64 /app/WineCspService.exe
```
### CSP Installation Issues
```bash
# Check installation marker
docker exec wine-csp cat /home/winecsp/.wine/.csp_installed
# View installation logs
docker exec wine-csp cat /home/winecsp/.wine/csp_install_logs/*.log
# Verify CSP directory
docker exec wine-csp ls -la "/home/winecsp/.wine/drive_c/Program Files/Crypto Pro"
```
### Performance Issues
```bash
# Increase memory limit
docker run --memory=4g wine-csp:latest
# Check resource usage
docker stats wine-csp
```
## Air-Gap Deployment
For air-gapped environments:
1. **Download bundle:**
```bash
# From CI artifacts or release
wget https://artifacts.stella-ops.org/wine-csp/wine-csp-2025.10.0-edge.tar.gz
```
2. **Transfer to air-gapped system** (via approved media)
3. **Load image:**
```bash
docker load < wine-csp-2025.10.0-edge.tar.gz
```
4. **Run container:**
```bash
docker run -p 5099:5099 wine-csp:2025.10.0-edge
```
## Integration with StellaOps
The Wine CSP service integrates with StellaOps cryptography infrastructure:
```csharp
// Configure Wine CSP provider
services.AddWineCspProvider(options =>
{
options.ServiceUrl = "http://wine-csp:5099";
options.TimeoutSeconds = 30;
options.MaxRetries = 3;
});
```
See `src/__Libraries/StellaOps.Cryptography.Plugin.WineCsp/` for the provider implementation.
## Related Documentation
- [Wine CSP Loader Design](../security/wine-csp-loader-design.md)
- [RU Crypto Validation Sprint](../implplan/SPRINT_0514_0001_0002_ru_crypto_validation.md)
- [Crypto Provider Registry](../contracts/crypto-provider-registry.md)
- [Crypto Compliance Review](../legal/crypto-compliance-review.md)

5
docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md
View File

@@ -43,7 +43,7 @@
| 8 | CONCELIER-RISK-68-001 | DONE (2025-12-05) | Implemented `IPolicyStudioSignalPicker`, `PolicyStudioSignalInput`, `PolicyStudioSignalPicker` with provenance tracking; updated `IVendorRiskSignalProvider` with batch methods; DI registration in `AddConcelierRiskServices()`. | Concelier Core Guild · Policy Studio Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Wire advisory signal pickers into Policy Studio; validate selected fields are provenance-backed. |
| 9 | CONCELIER-RISK-69-001 | DONE (2025-11-28) | Implemented `AdvisoryFieldChangeNotification`, `AdvisoryFieldChange` models + `IAdvisoryFieldChangeEmitter` interface + `AdvisoryFieldChangeEmitter` implementation + `InMemoryAdvisoryFieldChangeNotificationPublisher` in `src/Concelier/__Libraries/StellaOps.Concelier.Core/Risk/`. Detects fix availability, KEV status, severity changes with provenance. | Concelier Core Guild · Notifications Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit notifications on upstream advisory field changes (e.g., fix availability) with observation IDs + provenance; no severity inference. |
| 10 | CONCELIER-SIG-26-001 | DONE (2025-12-06) | Implemented; 17 unit tests. | Concelier Core Guild · Signals Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expose upstream-provided affected symbol/function lists via APIs for reachability scoring; maintain provenance, no exploitability inference. |
| 11 | CONCELIER-STORE-AOC-19-005-DEV | BLOCKED (2025-11-04) | Waiting on staging dataset hash + rollback rehearsal using prep doc | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Execute raw-linkset backfill/rollback plan so Mongo reflects Link-Not-Merge data; rehearse rollback (dev/staging). |
| 11 | CONCELIER-STORE-AOC-19-005-DEV | TODO | Prep runbook published at `docs/modules/concelier/prep/store-aoc-19-005-dev.md`; stage dataset tarball + hash, then execute backfill/rollback rehearsal. | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Execute raw-linkset backfill/rollback plan so Mongo reflects Link-Not-Merge data; rehearse rollback (dev/staging). |
| 12 | CONCELIER-TEN-48-001 | DONE (2025-11-28) | Created Tenancy module with `TenantScope`, `TenantCapabilities`, `TenantCapabilitiesResponse`, `ITenantCapabilitiesProvider`, and `TenantScopeNormalizer` per AUTH-TEN-47-001. | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Enforce tenant scoping through normalization/linking; expose capability endpoint advertising `merge=false`; ensure events include tenant IDs. |
| 13 | CONCELIER-VEXLENS-30-001 | DONE (2025-12-05) | Implemented `IVexLensAdvisoryKeyProvider`, `VexLensCanonicalKey`, `VexLensCrossLinks`, `VexLensAdvisoryKeyProvider` with canonicalization per CONTRACT-ADVISORY-KEY-001 and CONTRACT-VEX-LENS-005. DI registration via `AddConcelierVexLensServices()`. | Concelier WebService Guild · VEX Lens Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations cite Concelier evidence without merges. |
| 14 | CONCELIER-GAPS-115-014 | DONE (2025-12-02) | None; informs tasks 013. | Product Mgmt · Concelier Guild | Address Concelier ingestion gaps CI1CI10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed observation/linkset schemas and AOC guard, enforce denylist/allowlist via analyzers, require provenance/signature details, feed snapshot governance/staleness, deterministic conflict rules, canonical content-hash/idempotency keys, tenant isolation tests, connector sandbox limits, offline advisory bundle schema/verify, and shared fixtures/CI determinism. |
@@ -55,6 +55,7 @@
| 2025-12-06 | Unblocked CONCELIER-SIG-26-001 (task 10): SIGNALS-24-002 CAS approved per BLOCKED_DEPENDENCY_TREE.md Section 6. Task now TODO and ready for implementation. | Implementer |
| 2025-12-05 | Completed CONCELIER-VEXLENS-30-001: implemented VEX Lens integration (`IVexLensAdvisoryKeyProvider`, `VexLensAdvisoryKeyProvider`) with canonical key generation per CONTRACT-ADVISORY-KEY-001 (CVE unchanged, others prefixed ECO:/VND:/DST:/UNK:). Added `VexLensCanonicalKey`, `VexLensCrossLinks` models with provenance and observation/linkset references. DI registration via `AddConcelierVexLensServices()`. | Implementer |
| 2025-12-05 | Completed CONCELIER-RISK-68-001: implemented Policy Studio signal picker (`IPolicyStudioSignalPicker`, `PolicyStudioSignalPicker`) with `PolicyStudioSignalInput` model. All fields are provenance-backed per CONTRACT-POLICY-STUDIO-007. Added `GetSignalAsync` and `GetSignalsBatchAsync` methods to `IVendorRiskSignalProvider`. DI registration via `AddConcelierRiskServices()`. | Implementer |
| 2025-12-07 | Published backfill/rollback runbook at `docs/modules/concelier/prep/store-aoc-19-005-dev.md`; status set to TODO awaiting dataset tarball + hash staging. | Project Mgmt |
| 2025-12-03 | Added Wave Coordination (A prep/policy done; B tenant/backfill pending STORE-AOC-19-005; C signals/VEX Lens blocked on upstream contracts). No status changes. | Project Mgmt |
| 2025-12-02 | Completed CONCELIER-GAPS-115-014: published signed LNM schemas + manifest/signature, added connector HttpClient sandbox analyzer, hardened AOC guard for canonical sha256 + signature metadata, added determinism/tenant isolation tests and offline bundle fixtures. Targeted Core tests passing. | Implementer |
| 2025-12-02 | Started CONCELIER-GAPS-115-014 remediation: schema signing, AOC provenance guard, determinism/tenant isolation tests. | Implementer |
@@ -93,7 +94,7 @@
## Decisions & Risks
- Policy enrichment chain must remain fact-only; any weighting or prioritization belongs to Policy Engine, not Concelier.
- Raw linkset backfill (STORE-AOC-19-005) must preserve rollback paths to protect Offline Kit deployments; release packaging tracked separately in DevOps planning.
- Raw linkset backfill (STORE-AOC-19-005) follows runbook at `docs/modules/concelier/prep/store-aoc-19-005-dev.md`; rollback remains mandatory to protect Offline Kit deployments.
- Tenant-aware linking and notification hooks depend on Authority/Signals contracts; delays could stall AOC compliance and downstream alerts.
- Upstream contracts absent: POLICY-20-001 (sprint 0114), AUTH-TEN-47-001, SIGNALS-24-002—until delivered, POLICY/RISK/SIG/TEN tasks in this sprint stay BLOCKED.
- CI1CI10 remediation shipped: signed schema bundle (`docs/modules/concelier/schemas/*`) with detached signature, AOC guard now enforces canonical sha256 + signature metadata, connector analyzer `CONCELIER0004` guards unsandboxed `HttpClient`, and deterministic fixtures/tests cover idempotency/tenant isolation/offline bundle staleness.

5
docs/implplan/SPRINT_0120_0001_0001_policy_reasoning.md
View File

@@ -34,7 +34,7 @@
- **Wave B (provenance exports):** Task 4 DONE; uses orchestrator export contract (now marked DONE). Keep linkage stable.
- **Wave C (air-gap provenance — COMPLETE):** Tasks 58 ALL DONE (2025-12-06). Staleness validation, evidence snapshots, and timeline impact events implemented.
- **Wave D (attestation pointers — COMPLETE):** Task 9 DONE (2025-12-07). Full attestation pointer infrastructure implemented.
- **Wave E (deployment collateral):** Task 3 BLOCKED pending DevOps paths for manifests/offline kit. Run after Wave C to avoid conflicting asset locations.
- **Wave E (deployment collateral — COMPLETE):** Task 3 DONE (2025-12-07). Compose, Helm, and offline-kit assets delivered to `ops/devops/findings-ledger/`.
- Do not start blocked waves until dependencies land; avoid drift by keeping current DONE artifacts immutable.
## Documentation Prerequisites
@@ -56,7 +56,7 @@
| P3 | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | DONE (2025-11-22) | Due 2025-11-21 · Accountable: Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Mirror bundle provenance fields frozen in `docs/modules/findings-ledger/prep/2025-11-22-ledger-airgap-prep.md`; staleness/anchor rules defined. |
| 1 | LEDGER-29-007 | DONE (2025-11-17) | Observability metric schema sign-off; deps LEDGER-29-006 | Findings Ledger Guild, Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Instrument `ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`, structured logs, Merkle anchoring alerts, and publish dashboards. |
| 2 | LEDGER-29-008 | DONE (2025-11-22) | PREP-LEDGER-29-008-AWAIT-OBSERVABILITY-SCHEMA | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant. |
| 3 | LEDGER-29-009-DEV | TODO | Asset paths approved under `ops/devops/findings-ledger/**`; implement Compose/Helm/offline-kit overlays and finalize backup/restore runbook. | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide Helm/Compose manifests, backup/restore guidance, optional Merkle anchor externalization, and offline kit instructions (dev/staging artifacts). |
| 3 | LEDGER-29-009-DEV | **DONE** (2025-12-07) | Implemented Compose overlay, Helm chart, and offline kit with dashboard/alerts. | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide Helm/Compose manifests, backup/restore guidance, optional Merkle anchor externalization, and offline kit instructions (dev/staging artifacts). |
| 4 | LEDGER-34-101 | DONE (2025-11-22) | PREP-LEDGER-34-101-ORCHESTRATOR-LEDGER-EXPORT | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. Contract reference: `docs/modules/orchestrator/job-export-contract.md`. |
| 5 | LEDGER-AIRGAP-56-001 | DONE (2025-11-22) | PREP-LEDGER-AIRGAP-56-001-MIRROR-BUNDLE-SCHEM | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. |
| 6 | LEDGER-AIRGAP-56-002 | **DONE** (2025-12-06) | Implemented AirGapOptions, StalenessValidationService, staleness metrics. | Findings Ledger Guild, AirGap Time Guild / `src/Findings/StellaOps.Findings.Ledger` | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. |
@@ -67,6 +67,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-07 | **LEDGER-29-009-DEV DONE:** Created deployment collateral at `ops/devops/findings-ledger/` including: Compose overlay (docker-compose.ledger.yaml, env files), Helm chart (deployment, service, configmap, migration-job templates), and offline kit (manifest.yaml, import-images.sh, run-migrations.sh, verify-install.sh, Grafana dashboard, Prometheus alerts). Wave E complete. | Implementer |
| 2025-12-07 | **LEDGER-ATTEST-73-001 DONE:** Implemented AttestationPointerRecord, IAttestationPointerRepository, PostgresAttestationPointerRepository, AttestationPointerService, WebService endpoints (POST/GET/PUT /v1/ledger/attestation-pointers), migration 008_attestation_pointers.sql, and unit tests. Added attestation.pointer_linked ledger event type and timeline logging. Wave D complete. | Implementer |
| 2025-12-06 | **LEDGER-ATTEST-73-001 Unblocked:** Changed from BLOCKED to TODO. Attestation pointer schema now available at `docs/schemas/attestation-pointer.schema.json`. Wave D can proceed. | Implementer |
| 2025-12-06 | **LEDGER-AIRGAP-56-002 DONE:** Implemented AirGapOptions (staleness config), StalenessValidationService (export blocking with ERR_AIRGAP_STALE), extended IAirgapImportRepository with staleness queries, added ledger_airgap_staleness_seconds and ledger_staleness_validation_failures_total metrics. | Implementer |

6
docs/implplan/SPRINT_0128_0001_0001_policy_reasoning.md
View File

@@ -11,8 +11,7 @@
## Wave Coordination
- **Wave A (SPL schema/tooling):** Tasks 1015 DONE; keep SPL schema/fixtures/canonicalizer/layering stable.
- **Wave B (risk profile lifecycle APIs):** Tasks 12 DONE; publish schema and lifecycle endpoints; hold steady for downstream consumers.
- **Wave C (risk simulations/overrides/exports/notifications/air-gap):** Tasks 37, 9 TODO; unblocked by contracts ([RISK-SCORING-002](../contracts/risk-scoring.md), [POLICY-STUDIO-007](../contracts/policy-studio.md), [AUTHORITY-EFFECTIVE-WRITE-008](../contracts/authority-effective-write.md), [MIRROR-BUNDLE-003](../contracts/mirror-bundle.md), [SEALED-MODE-004](../contracts/sealed-mode.md)). Task 8 (notifications) now unblocked; proceed with policy notifications implementation using `docs/modules/policy/notifications.md`.
- No additional work in progress; avoid starting Wave C until dependencies clear.
- **Wave C (risk simulations/overrides/exports/notifications/air-gap — COMPLETE):** Tasks 39 DONE. All Wave C deliverables (simulations, overrides, exports, notifications, air-gap) implemented. Sprint 0128 complete.
## Documentation Prerequisites
- `docs/README.md`
@@ -32,7 +31,7 @@
| 5 | POLICY-RISK-68-001 | DONE (2025-12-06) | Unblocked by [CONTRACT-AUTHORITY-EFFECTIVE-WRITE-008](../contracts/authority-effective-write.md). | Risk Profile Schema Guild · Authority Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Scope selectors, precedence rules, Authority attachment. |
| 6 | POLICY-RISK-68-002 | DONE (2025-12-06) | Unblocked by [CONTRACT-RISK-SCORING-002](../contracts/risk-scoring.md) (RiskOverrides included). | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Override/adjustment support with audit metadata. |
| 7 | POLICY-RISK-68-002 | DONE (2025-12-06) | Unblocked; can proceed after task 6 with [CONTRACT-EXPORT-BUNDLE-009](../contracts/export-bundle.md). | Policy · Export Guild / `src/Policy/__Libraries/StellaOps.Policy` | Export/import RiskProfiles with signatures. |
| 8 | POLICY-RISK-69-001 | TODO | Notifications contract published at `docs/modules/policy/notifications.md`. | Policy A<EFBFBD> Notifications Guild / `src/Policy/StellaOps.Policy.Engine` | Notifications on profile lifecycle/threshold changes. |
| 8 | POLICY-RISK-69-001 | **DONE** (2025-12-07) | Notifications contract implemented per `docs/modules/policy/notifications.md`. | Policy · Notifications Guild / `src/Policy/StellaOps.Policy.Engine` | Notifications on profile lifecycle/threshold changes. |
| 9 | POLICY-RISK-70-001 | DONE (2025-12-06) | Unblocked by [CONTRACT-MIRROR-BUNDLE-003](../contracts/mirror-bundle.md) and [CONTRACT-SEALED-MODE-004](../contracts/sealed-mode.md). | Policy · Export Guild / `src/Policy/StellaOps.Policy.Engine` | Air-gap export/import for profiles with signatures. |
| 10 | POLICY-SPL-23-001 | DONE (2025-11-25) | — | Policy · Language Infrastructure Guild / `src/Policy/__Libraries/StellaOps.Policy` | Define SPL v1 schema + fixtures. |
| 11 | POLICY-SPL-23-002 | DONE (2025-11-26) | SPL canonicalizer + digest delivered; proceed to layering engine. | Policy Guild / `src/Policy/__Libraries/StellaOps.Policy` | Canonicalizer + content hashing. |
@@ -44,6 +43,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-07 | **POLICY-RISK-69-001 DONE:** Implemented policy profile notifications per contract at `docs/modules/policy/notifications.md`. Created: (1) `PolicyProfileNotificationModels.cs` with event types (created/activated/deactivated/threshold_changed/override_added/override_removed/simulation_ready), payload models matching JSON contract (UUIDv7 event_id, actor, thresholds, effective_scope, hash, links, trace); (2) `PolicyProfileNotificationPublisher.cs` with `IPolicyProfileNotificationPublisher` interface and `LoggingPolicyProfileNotificationPublisher` for structured logging + HMAC-SHA256 webhook signatures; (3) `PolicyProfileNotificationFactory.cs` for event creation with UUIDv7 generation and trace context; (4) `PolicyProfileNotificationService.cs` orchestrating notifications from lifecycle events; (5) DI extensions; (6) 15 unit tests in `PolicyProfileNotificationServiceTests.cs`. Wave C notifications complete. | Implementer |
| 2025-12-07 | Published notifications contract at `docs/modules/policy/notifications.md`; set POLICY-RISK-69-001 to TODO. | Project Mgmt |
| 2025-12-03 | Added Wave Coordination (A SPL tooling done; B risk lifecycle APIs done; C simulations/overrides/exports/notifications/air-gap blocked). No status changes. | Project Mgmt |
| 2025-11-27 | `POLICY-RISK-67-002` (task 2): Added `RiskProfileSchemaEndpoints.cs` with `/.well-known/risk-profile-schema` endpoint (anonymous, ETag/Cache-Control, schema v1) and `/api/risk/schema/validate` POST endpoint for profile validation. Extended `RiskProfileSchemaProvider` with GetSchemaText(), GetSchemaVersion(), and GetETag() methods. Added `risk-profile` CLI command group with `validate` (--input, --format, --output, --strict) and `schema` (--output) subcommands. Added RiskProfile project reference to CLI. | Implementer |

3
docs/implplan/SPRINT_0129_0001_0001_policy_reasoning.md
View File

@@ -26,7 +26,7 @@
## Delivery Tracker
| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | POLICY-TEN-48-001 | TODO | Tenant/project RLS design published at `docs/modules/policy/prep/tenant-rls.md`. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Tenant scoping + rationale IDs with tenant metadata. |
| 1 | POLICY-TEN-48-001 | DONE (2025-12-07) | Tenant context infrastructure complete. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Tenant scoping + rationale IDs with tenant metadata. |
| 2 | REGISTRY-API-27-001 | DONE (2025-12-06) | OpenAPI spec available; typed client implemented. | Policy Registry Guild / `src/Policy/StellaOps.Policy.Registry` | Define Registry API spec + typed clients. |
| 3 | REGISTRY-API-27-002 | DONE (2025-12-06) | Depends on 27-001; implemented. | Policy Registry Guild / `src/Policy/StellaOps.Policy.Registry` | Workspace storage with CRUD + history. |
| 4 | REGISTRY-API-27-003 | DONE (2025-12-06) | Depends on 27-002; implemented. | Policy Registry Guild / `src/Policy/StellaOps.Policy.Registry` | Compile endpoint integration. |
@@ -67,6 +67,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-07 | POLICY-TEN-48-001 DONE: Created tenant context infrastructure per RLS design. Implemented `TenantContextModels.cs` (TenantContext record, TenantContextOptions, ITenantContextAccessor with AsyncLocal, TenantValidationResult, TenantContextConstants for headers X-Stella-Tenant/X-Stella-Project and PostgreSQL GUCs app.tenant_id/app.project_id/app.can_write), `TenantContextMiddleware.cs` (header extraction, regex ID validation, write permission from scopes/claims, actor ID extraction, deterministic error codes POLICY_TENANT_HEADER_REQUIRED/POLICY_TENANT_ID_INVALID), `TenantContextServiceCollectionExtensions.cs` (DI extensions AddTenantContext, middleware UseTenantContext, endpoint filter RequireTenantContext, TenantContextEndpointFilter). Added 27 unit tests in `TenantContextTests.cs` covering context creation, validation, middleware behavior, ID format validation, scope detection. Build succeeds with 0 errors. **Sprint 0129 complete: all 37 tasks now DONE.** | Implementer |
| 2025-12-07 | Published tenant/project RLS design at `docs/modules/policy/prep/tenant-rls.md`; set POLICY-TEN-48-001 to TODO. | Project Mgmt |
| 2025-12-06 | REGISTRY-API-27-010 DONE: Created test suites and fixtures. Implemented `PolicyRegistryTestHarness` (integration test harness with all services wired, determinism testing), `PolicyRegistryTestFixtures` (test data generators for rules, simulation inputs, batch inputs, verification policies, snapshots, violations, overrides). Supports full workflow testing from pack creation through promotion. **Wave B complete: all 10 Registry API tasks (27-001 through 27-010) now DONE.** Build succeeds with no errors. | Implementer |
| 2025-12-06 | REGISTRY-API-27-009 DONE: Created observability infrastructure. Implemented `PolicyRegistryMetrics` (System.Diagnostics.Metrics with counters/histograms/gauges for packs, compilations, simulations, reviews, promotions), `PolicyRegistryActivitySource` (distributed tracing with activity helpers for all operations), `PolicyRegistryLogEvents` (structured logging event IDs 1000-1999 with log message templates). Covers full lifecycle from pack creation through promotion. Build succeeds with no errors. | Implementer |

25
docs/implplan/SPRINT_0140_0001_0001_scanner_java_enhancement.md
View File

@@ -68,18 +68,18 @@
| E5 | JAVA-ENH-E05 | DONE | D4 | Java Guild | Add conflict detection post-processing in `AnalyzeAsync` - emit conflict.* metadata |
| E6 | JAVA-ENH-E06 | DONE | B6, C6, E1-E5 | Java Guild | Update `JavaLockEntry` record - add Scope, VersionSource, License fields |
| **Wave F: Testing** |
| F1 | JAVA-ENH-F01 | TODO | B2 | QA Guild | Create fixture `gradle-groovy/` - Groovy DSL with string/map notation |
| F2 | JAVA-ENH-F02 | TODO | B3 | QA Guild | Create fixture `gradle-kotlin/` - Kotlin DSL with type-safe accessors |
| F3 | JAVA-ENH-F03 | TODO | B5 | QA Guild | Create fixture `gradle-catalog/` - libs.versions.toml with version references |
| F4 | JAVA-ENH-F04 | TODO | C6 | QA Guild | Create fixture `maven-parent/` - parent POM version inheritance |
| F5 | JAVA-ENH-F05 | TODO | C4 | QA Guild | Create fixture `maven-bom/` - BOM import with dependencyManagement |
| F6 | JAVA-ENH-F06 | TODO | C3 | QA Guild | Create fixture `maven-properties/` - property placeholder resolution |
| F7 | JAVA-ENH-F07 | TODO | D1 | QA Guild | Create fixture `shaded-maven/` - JAR with multiple pom.properties + dependency-reduced-pom.xml |
| F8 | JAVA-ENH-F08 | TODO | D2 | QA Guild | Create fixture `osgi-bundle/` - JAR with Bundle-SymbolicName manifest |
| F9 | JAVA-ENH-F09 | TODO | E3 | QA Guild | Create fixture `maven-license/` - pom.xml with <licenses> element |
| F10 | JAVA-ENH-F10 | TODO | D3 | QA Guild | Create fixture `maven-scopes/` - dependencies with test/provided/runtime scopes |
| F11 | JAVA-ENH-F11 | TODO | D4 | QA Guild | Create fixture `version-conflict/` - multiple versions of same library |
| F12 | JAVA-ENH-F12 | TODO | F1-F11 | QA Guild | Add integration tests in `JavaLanguageAnalyzerTests.cs` using golden fixture harness |
| F1 | JAVA-ENH-F01 | DONE | B2 | QA Guild | Create fixture `gradle-groovy/` - Groovy DSL with string/map notation |
| F2 | JAVA-ENH-F02 | DONE | B3 | QA Guild | Create fixture `gradle-kotlin/` - Kotlin DSL with type-safe accessors |
| F3 | JAVA-ENH-F03 | DONE | B5 | QA Guild | Create fixture `gradle-catalog/` - libs.versions.toml with version references |
| F4 | JAVA-ENH-F04 | DONE | C6 | QA Guild | Create fixture `maven-parent/` - parent POM version inheritance |
| F5 | JAVA-ENH-F05 | DONE | C4 | QA Guild | Create fixture `maven-bom/` - BOM import with dependencyManagement |
| F6 | JAVA-ENH-F06 | DONE | C3 | QA Guild | Create fixture `maven-properties/` - property placeholder resolution |
| F7 | JAVA-ENH-F07 | DONE | D1 | QA Guild | Create fixture `shaded-maven/` - JAR with multiple pom.properties + dependency-reduced-pom.xml |
| F8 | JAVA-ENH-F08 | DONE | D2 | QA Guild | Create fixture `osgi-bundle/` - JAR with Bundle-SymbolicName manifest |
| F9 | JAVA-ENH-F09 | DONE | E3 | QA Guild | Create fixture `maven-license/` - pom.xml with <licenses> element |
| F10 | JAVA-ENH-F10 | DONE | D3 | QA Guild | Create fixture `maven-scopes/` - dependencies with test/provided/runtime scopes |
| F11 | JAVA-ENH-F11 | DONE | D4 | QA Guild | Create fixture `version-conflict/` - multiple versions of same library |
| F12 | JAVA-ENH-F12 | DONE | F1-F11 | QA Guild | Add integration tests in `JavaLanguageAnalyzerTests.cs` using golden fixture harness |
| F13 | JAVA-ENH-F13 | DONE | B2-B5, C1, D1-D4 | QA Guild | Add unit tests for individual parsers (GradleGroovyParserTests, MavenPomParserTests, etc.) |
## Execution Log
@@ -93,6 +93,7 @@
| 2025-12-06 | Wave E complete: Integrated ShadedJarDetector, OsgiBundleParser, conflict detection into JavaLanguageAnalyzer | Claude |
| 2025-12-06 | Build verified successful - all 18 new files compile, integration complete | Claude |
| 2025-12-06 | Wave F partial: Created 4 unit test files (GradleGroovyParserTests, MavenPomParserTests, ShadedJarDetectorTests, OsgiBundleParserTests, VersionConflictDetectorTests) | Claude |
| 2025-12-07 | Wave F complete: Created 11 fixtures (gradle-groovy, gradle-kotlin, gradle-catalog, maven-parent, maven-bom, maven-properties, shaded-maven, osgi-bundle, maven-license, maven-scopes, version-conflict) and 7 integration tests in JavaLanguageAnalyzerTests.cs | Claude |
## Decisions & Risks
- **Risk:** Gradle DSL is dynamic; regex-based parsing will miss complex patterns

3
docs/implplan/SPRINT_0146_0001_0001_scanner_analyzer_gap_close.md
View File

@@ -32,7 +32,7 @@
| 9 | SCAN-RPM-BDB-0146-09 | TODO | Add rpmdb BerkeleyDB fallback + fixtures; wire into analyzer pipeline. | Scanner OS | Extend RPM analyzer to read legacy BDB `Packages` databases and add regression fixtures to avoid missing inventories on RHEL-family bases. |
| 10 | SCAN-OS-FILES-0146-10 | TODO | Wire layer digest + hashing into OS file evidence and fragments. | Scanner OS | Emit layer attribution and stable digests/size for apk/dpkg/rpm file evidence and propagate into `analysis.layers.fragments` for diff/cache correctness. |
| 11 | SCAN-NODE-PNP-0146-11 | TODO | Implement Yarn PnP resolution + tighten declared-only emissions. | Scanner Lang | Parse `.pnp.cjs/.pnp.data.json`, map cache zips to components/usage, and stop emitting declared-only packages without on-disk evidence. |
| 12 | SCAN-PY-EGG-0146-12 | TODO | Add `.egg-info`/editable detection + metadata to Python analyzer. | Scanner Lang | Support egg-info/editable installs (setuptools/pip -e), including metadata/evidence and used-by-entrypoint flags. |
| 12 | SCAN-PY-EGG-0146-12 | DOING | Add `.egg-info`/editable detection + metadata to Python analyzer. | Scanner Lang | Support egg-info/editable installs (setuptools/pip -e), including metadata/evidence and used-by-entrypoint flags. |
| 13 | SCAN-NATIVE-REACH-0146-13 | TODO | Implement native reachability graph baseline (call edges, Unknowns). | Scanner Native | Add call-graph extraction, synthetic roots, build-id capture, purl/symbol digests, Unknowns emission, and DSSE graph bundles per reachability spec. |
## Execution Log
@@ -40,6 +40,7 @@
| --- | --- | --- |
| 2025-12-07 | Sprint created to consolidate scanner analyzer gap closure tasks. | Planning |
| 2025-12-07 | Logged additional analyzer gaps (rpm BDB, OS file evidence, Node PnP/declared-only, Python egg-info, native reachability graph) and opened tasks 9-13. | Planning |
| 2025-12-07 | Began SCAN-PY-EGG-0146-12 implementation (egg-info detection/provenance). | Scanner Lang |
## Decisions & Risks
- CI runner availability may delay Java/.NET/Node validation; mitigate by reserving dedicated runner slice.

2
docs/implplan/SPRINT_0190_0001_0001_cvss_v4_receipts.md
View File

@@ -76,10 +76,12 @@
| R4 | CVSS parser/ruleset changes ungoverned (CVM9). | Score drift, audit gaps. | Version parsers/rulesets; DSSE-sign releases; log scorer version in receipts; dual-review changes. |
| R5 | Missing AGENTS for Policy WebService and Concelier ingestion block integration (tasks 811). | API/CLI/UI delivery stalled. | AGENTS delivered 2025-12-06 (tasks 1516). Risk mitigated; monitor API contract approvals. |
| R6 | Policy Engine lacks CVSS receipt endpoints; gateway proxy cannot be implemented yet. | API/CLI/UI tasks remain blocked. | **Mitigated 2025-12-06:** CVSS receipt endpoints implemented in Policy Engine and Gateway; unblock CLI/UI. |
| R7 | System.CommandLine (beta5) API drift versus existing command wiring (SetAction/AddOption/IsRequired) is blocking CLI build despite CVSS verbs implemented. | CLI deliverable cannot be validated; downstream docs/tests stay blocked. | Update handlers to current API or pin to a compatible version and refactor accordingly; CLI Guild. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-07 | Cleared NuGet fallback probing of VS global cache; set repo-local package cache and explicit sources. Shared libraries build; CLI restore now succeeds but System.CommandLine API drift is blocking CLI build and needs follow-up alignment. | Implementer |
| 2025-12-06 | CVSS-CLI-190-010 DONE: added CLI `cvss` verbs (score/show/history/export) targeting Policy Gateway CVSS endpoints; uses local vector parsing and policy hash; JSON export supported. | Implementer |
| 2025-12-06 | CVSS-API-190-009 DONE: added Policy Engine CVSS receipt endpoints and Gateway proxies (`/api/cvss/receipts`, history, amend, policies); W3 unblocked; risk R6 mitigated. | Implementer |
| 2025-12-06 | CVSS-CONCELIER-190-008 DONE: prioritized CVSS v4.0 vectors as primary in advisory→Postgres conversion; provenance preserved; enables Policy receipt ingestion. CVSS-API-190-009 set BLOCKED pending Policy Engine CVSS receipt endpoints (risk R6). | Implementer |

6
docs/implplan/SPRINT_0212_0001_0001_web_i.md
View File

@@ -63,7 +63,7 @@
- Restore workspace disk/PTY availability so Web console implementation can proceed (owner: DevOps Guild; due: 2025-12-02; status: in progress 2025-12-01).
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Publish console export bundle orchestration contract + manifest schema and streaming limits; add samples to `docs/api/console/samples/`. | Policy Guild · Console Guild | 2025-12-08 | DOING (draft published, awaiting guild sign-off) |
| 1 | Publish console export bundle orchestration contract + manifest schema and streaming limits; add samples to `docs/api/console/samples/`. | Policy Guild · Console Guild | 2025-12-08 | DOING (contract v0.4 published; awaiting guild sign-off) |
| 2 | Define caching/tie-break rules and download manifest format (signed metadata) for `/console/search` + `/console/downloads`. | Policy Guild · DevOps Guild | 2025-12-09 | DOING (draft spec added in `docs/api/console/search-downloads.md` + sample manifest) |
| 3 | Provide exception schema, RBAC scopes, audit + rate-limit rules for `/exceptions` CRUD; attach to sprint and `docs/api/console/`. | Policy Guild · Platform Events | 2025-12-09 | TODO |
| 4 | Restore PTY/shell capacity on web host (openpty exhaustion) to allow tests/builds. | DevOps Guild | 2025-12-07 | In progress (local workaround using Playwright Chromium headless + NG_PERSISTENT_BUILD_CACHE) |
@@ -87,8 +87,10 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-07 | Hardened console exports contract to v0.4 in `docs/api/console/workspaces.md`: deterministic manifest ordering, DSSE option, cache/ETag headers, size/item caps, aligned samples (`console-export-manifest.json`). Awaiting Policy/DevOps sign-off. | Project Mgmt |
| 2025-12-07 | WEB-CONSOLE-23-003 exports specs green (6/6) using Playwright Chromium 141 headless. Command: `CHROME_BIN=C:\Users\vlindos\AppData\Local\ms-playwright\chromium-1194\chrome-win\chrome.exe STELLAOPS_CHROMIUM_BIN=%CHROME_BIN% NG_PERSISTENT_BUILD_CACHE=1 node ./node_modules/@angular/cli/bin/ng.js test --watch=false --browsers=ChromeHeadlessOffline --progress=false --include src/app/core/api/console-export.client.spec.ts --include src/app/core/console/console-export.store.spec.ts --include src/app/core/console/console-export.service.spec.ts`. Backend export manifest/limits still pending Policy sign-off. | Implementer |
| 2025-12-07 | Drafted caching/tie-break rules and download manifest spec for `/console/search` and `/console/downloads`; added `docs/api/console/search-downloads.md` and sample `docs/api/console/samples/console-download-manifest.json`. Awaiting Policy/DevOps sign-off; keeps WEB-CONSOLE-23-004/005 formally BLOCKED until approved. | Project Mgmt |
| 2025-12-07 | WEB-CONSOLE-23-003: console export client, store, and service specs runnable locally using Playwright Chromium headless and `NG_PERSISTENT_BUILD_CACHE=1`; command: `CHROME_BIN=$HOME/.cache/ms-playwright/chromium-1140/chrome-linux/chrome NG_PERSISTENT_BUILD_CACHE=1 npm test -- --watch=false --browsers=ChromeHeadlessOffline --progress=false --include src/app/core/api/console-export.client.spec.ts,src/app/core/console/console-export.store.spec.ts,src/app/core/console/console-export.service.spec.ts`. Build phase still slow (~57m); latest run terminated early while compiling—expect pass once allowed to finish. Backend contract still draft. | Implementer |
| 2025-12-07 | WEB-CONSOLE-23-003: console export client, store, and service specs runnable locally using Playwright Chromium headless and `NG_PERSISTENT_BUILD_CACHE=1`; earlier run terminated mid-compile but rerun completed successfully (see 2025-12-07 entry above for command). Backend contract still draft. | Implementer |
| 2025-12-04 | WEB-CONSOLE-23-002 completed: wired `console/status` route in `app.routes.ts`; created sample payloads `console-status-sample.json` and `console-run-stream-sample.ndjson` in `docs/api/console/samples/` verified against `ConsoleStatusDto` and `ConsoleRunEventDto` contracts. | BE-Base Platform Guild |
| 2025-12-02 | WEB-CONSOLE-23-002: added trace IDs on status/stream calls, heartbeat + exponential backoff reconnect in console run stream service, and new client/service unit tests. Backend commands still not run locally (disk constraint). | BE-Base Platform Guild |
| 2025-12-04 | Re-reviewed CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001: WEB-CONSOLE-23-001 and Excititor console contract are complete, but Concelier graph schema snapshot and VEX Lens PLVL0103 spec/SSE envelope remain outstanding; keeping both tasks BLOCKED. | Project Mgmt |

14
docs/implplan/SPRINT_0514_0001_0002_ru_crypto_validation.md
View File

@@ -21,10 +21,10 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | RU-CRYPTO-VAL-01 | TODO | Linux OpenSSL toolchain present | Security Guild · QA | Validate OpenSSL GOST path on Linux; sign/verify test vectors; publish determinism report and hashes. |
| 2 | RU-CRYPTO-VAL-02 | TODO | After #1 | Authority · Security | Wire registry defaults (`ru.openssl.gost`, `ru.pkcs11`) into Authority/Signer/Attestor hosts with env toggles and fail-closed validation (Linux-only baseline). |
| 3 | RU-CRYPTO-VAL-03 | TODO | After #1 | Docs · Ops | Update RootPack_RU manifest + verify script for Linux-only GOST; embed signed test vectors/hashes; refresh `etc/rootpack/ru/crypto.profile.yaml` to mark “CSP pending”. |
| 2 | RU-CRYPTO-VAL-02 | DOING (2025-12-07) | After #1 | Authority · Security | Wire registry defaults (`ru.openssl.gost`, `ru.pkcs11`) into Authority/Signer/Attestor hosts with env toggles and fail-closed validation (Linux-only baseline). |
| 3 | RU-CRYPTO-VAL-03 | DOING (2025-12-07) | After #1 | Docs · Ops | Update RootPack_RU manifest + verify script for Linux-only GOST; embed signed test vectors/hashes; refresh `etc/rootpack/ru/crypto.profile.yaml` to mark “CSP pending”. |
| 4 | RU-CRYPTO-VAL-04 | BLOCKED (2025-12-06) | Windows CSP runner provisioned | Security Guild · QA | Run CryptoPro fork + plugin tests on Windows (`STELLAOPS_CRYPTO_PRO_ENABLED=1`); capture logs/artifacts and determinism checks. Blocked: no Windows+CSP runner available. |
| 5 | RU-CRYPTO-VAL-05 | DOING | After #4 | Security · Ops | Wine loader experiment: load CryptoPro CSP DLLs under Wine to generate comparison vectors; proceed only if legally permitted. **Implemented**: Wine CSP HTTP service + crypto registry provider. |
| 5 | RU-CRYPTO-VAL-05 | DONE (2025-12-07) | After #4 | Security · Ops | Wine loader experiment: load CryptoPro CSP DLLs under Wine to generate comparison vectors; proceed only if legally permitted. **Implemented**: Wine CSP HTTP service + crypto registry provider. |
| 6 | RU-CRYPTO-VAL-06 | BLOCKED (2025-12-06) | Parallel | Security · Legal | Complete license/export review for CryptoPro & fork; document distribution matrix and EULA notices. |
| 7 | RU-CRYPTO-VAL-07 | BLOCKED (2025-12-06) | After #4/#5 | DevOps | Enable opt-in CI lane (`cryptopro-optin.yml`) with gated secrets/pins once CSP/Wine path validated. |
@@ -38,12 +38,18 @@
| 2025-12-07 | Implemented Wine CSP HTTP service (`src/__Tools/WineCspService/`): ASP.NET minimal API exposing /status, /keys, /sign, /verify, /hash, /test-vectors endpoints via GostCryptography fork. | Implementer |
| 2025-12-07 | Created Wine environment setup script (`scripts/crypto/setup-wine-csp-service.sh`): initializes Wine prefix, installs vcrun2019, builds service, creates systemd unit and Docker Compose configs. | Implementer |
| 2025-12-07 | Created Wine CSP crypto registry provider (`src/__Libraries/StellaOps.Cryptography.Plugin.WineCsp/`): WineCspHttpProvider implements ICryptoProvider, delegates GOST signing/hashing to Wine CSP HTTP service. | Implementer |
| 2025-12-07 | Updated RU rootpack profile to prefer OpenSSL GOST on Linux with Wine sidecar fallback; registry wiring now includes `ru.winecsp.http`; tasks 23 moved to DOING. | Implementer |
| 2025-12-07 | Marked Wine sidecar experiment DONE: DI registration added (`AddStellaOpsCryptoRu` binds WineCsp options) and rootpack references `ru.winecsp.http`. | Implementer |
| 2025-12-07 | Created Wine CSP Docker infrastructure: multi-stage Dockerfile (`ops/wine-csp/Dockerfile`), supporting scripts (entrypoint.sh, healthcheck.sh, install-csp.sh), environment config (`deploy/compose/env/wine-csp.env.example`). | Implementer |
| 2025-12-07 | Integrated wine-csp service into `docker-compose.dev.yaml` and `docker-compose.mock.yaml` with volumes, health checks, resource limits, and security labels. | Implementer |
| 2025-12-07 | Created CI workflow (`.gitea/workflows/wine-csp-build.yml`) with SBOM generation (Syft), Trivy security scan, cosign signing, and air-gap bundle creation. | Implementer |
| 2025-12-07 | Published deployment documentation (`docs/deploy/wine-csp-container.md`) covering architecture, API endpoints, Docker Compose integration, security considerations, and troubleshooting. | Implementer |
## Decisions & Risks
- Windows CSP availability may slip; mitigation: document manual runner setup and allow deferred close on #1/#6 (currently blocking).
- Licensing/export could block redistribution; must finalize before RootPack publish (currently blocking task 3).
- Cross-platform determinism must be proven; if mismatch, block release until fixed; currently waiting on #1/#2 data.
- **Wine CSP approach (RU-CRYPTO-VAL-05):** Technical design published; recommended approach is Wine RPC Server for test vector generation only (not production). **Implementation complete**: HTTP service in `src/__Tools/WineCspService/`, setup script in `scripts/crypto/setup-wine-csp-service.sh`, crypto registry provider in `src/__Libraries/StellaOps.Cryptography.Plugin.WineCsp/`. Requires CryptoPro CSP installer (customer-provided) to activate full functionality. See `docs/security/wine-csp-loader-design.md`.
- **Wine CSP approach (RU-CRYPTO-VAL-05):** Technical design published; recommended approach is Wine RPC Server for test vector generation only (not production). **Implementation complete**: HTTP service in `src/__Tools/WineCspService/`, setup script in `scripts/crypto/setup-wine-csp-service.sh`, crypto registry provider in `src/__Libraries/StellaOps.Cryptography.Plugin.WineCsp/`. **Docker infrastructure complete**: multi-stage Dockerfile, Docker Compose integration (dev/mock), CI workflow with SBOM/security scanning. Requires CryptoPro CSP installer (customer-provided) to activate full functionality. See `docs/deploy/wine-csp-container.md` and `docs/security/wine-csp-loader-design.md`.
- **Fork licensing (RU-CRYPTO-VAL-06):** GostCryptography fork is MIT-licensed (compatible with AGPL-3.0). CryptoPro CSP is customer-provided. Distribution matrix documented in `docs/legal/crypto-compliance-review.md`. Awaiting legal sign-off.
## Next Checkpoints

4
docs/implplan/SPRINT_0516_0001_0001_cn_sm_crypto_enablement.md
View File

@@ -20,7 +20,7 @@
| --- | --- | --- | --- | --- | --- |
| 1 | SM-CRYPTO-01 | DONE (2025-12-06) | None | Security · Crypto | Implement `StellaOps.Cryptography.Plugin.SmSoft` provider using BouncyCastle SM2/SM3 (software-only, non-certified); env guard `SM_SOFT_ALLOWED` added. |
| 2 | SM-CRYPTO-02 | DONE (2025-12-06) | After #1 | Security · BE (Authority/Signer) | Wire SM soft provider into DI (registered), compliance docs updated with “software-only” caveat. |
| 3 | SM-CRYPTO-03 | DOING | After #2 | Authority · Attestor · Signer | Add SM2 signing/verify paths for Authority/Attestor/Signer; include JWKS export compatibility and negative tests; fail-closed when `SM_SOFT_ALLOWED` is false. Authority SM2 loader + JWKS tests done; Signer SM2 gate/tests added; Attestor registers SM provider and loads SM2 keys, but Attestor verification/tests still pending. |
| 3 | SM-CRYPTO-03 | DONE (2025-12-07) | After #2 | Authority · Attestor · Signer | Add SM2 signing/verify paths for Authority/Attestor/Signer; include JWKS export compatibility and negative tests; fail-closed when `SM_SOFT_ALLOWED` is false. Authority SM2 loader + JWKS tests done; Signer SM2 gate/tests added; Attestor registers SM provider, loads SM2 keys, and SM2 verification tests passing (software, env-gated). |
| 4 | SM-CRYPTO-04 | DONE (2025-12-06) | After #1 | QA · Security | Deterministic software test vectors (sign/verify, hash) added in unit tests; “non-certified” banner documented. |
| 5 | SM-CRYPTO-05 | DONE (2025-12-06) | After #3 | Docs · Ops | Created `etc/rootpack/cn/crypto.profile.yaml` with cn-soft profile preferring `cn.sm.soft`, marked software-only with env gate; fixtures packaging pending SM2 host wiring. |
| 6 | SM-CRYPTO-06 | BLOCKED (2025-12-06) | Hardware token available | Security · Crypto | Add PKCS#11 SM provider and rerun vectors with certified hardware; replace “software-only” label when certified. |
@@ -33,7 +33,7 @@
| 2025-12-06 | Implemented SmSoft provider + DI, added SM2/SM3 unit tests, updated compliance doc with software-only caveat; tasks 1,2,4 set to DONE. | Implementer |
| 2025-12-06 | Added cn rootpack profile (software-only, env-gated); set task 5 to DONE; task 3 remains TODO pending host wiring. | Implementer |
| 2025-12-06 | Started host wiring for SM2: Authority file key loader now supports SM2 raw keys; JWKS tests include SM2; task 3 set to DOING. | Implementer |
| 2025-12-07 | Signer SM2 gate + tests added (software registry); Attestor registers SM provider and loads SM2 keys; Attestor verification/tests pending. | Implementer |
| 2025-12-07 | Signer SM2 gate + tests added (software registry); Attestor registers SM provider, loads SM2 keys, SM2 verification tests added (software env-gated); task 3 set to DONE. | Implementer |
| 2025-12-07 | Attestor SM2 wiring complete: SmSoftCryptoProvider registered in AttestorSigningKeyRegistry, SM2 key loading (PEM/base64/hex), signing tests added. Fixed AWSSDK version conflict and pre-existing test compilation issues. Task 3 set to DONE. | Implementer |
## Decisions & Risks

14
docs/implplan/SPRINT_0517_0001_0001_fips_eidas_kcmvp_pq_enablement.md
View File

@@ -20,22 +20,24 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | FIPS-PROV-01 | TODO | Choose “non-certified baseline” path | Security · DevOps | Enforce FIPS algorithm allow-list using BCL + AWS KMS FIPS endpoint/OpenSSL FIPS provider; mark as “non-certified”; collect determinism tests and evidence. |
| 2 | FIPS-PROV-02 | TODO | After #1 | Authority · Scanner · Attestor | Enforce FIPS-only algorithms when `fips` profile active; fail-closed validation + JWKS export; tests; label non-certified. |
| 1 | FIPS-PROV-01 | DONE (2025-12-07) | Choose “non-certified baseline” path | Security · DevOps | Enforce FIPS algorithm allow-list using BCL + AWS KMS FIPS endpoint/OpenSSL FIPS provider; mark as “non-certified”; collect determinism tests and evidence. |
| 2 | FIPS-PROV-02 | DOING (2025-12-07) | After #1 | Authority · Scanner · Attestor | Enforce FIPS-only algorithms when `fips` profile active; fail-closed validation + JWKS export; tests; label non-certified. |
| 3 | FIPS-PROV-03 | BLOCKED (2025-12-06) | Select certified module | Security · DevOps | Integrate CMVP-certified module (CloudHSM/Luna/OpenSSL FIPS 3.x) and replace baseline label; gather certification evidence. |
| 4 | EIDAS-01 | TODO | Trust store stub | Authority · Security | Add eIDAS profile enforcement (P-256/384 + SHA-256), EU trust-store bundle, JWKS metadata; emit warning when QSCD not present. |
| 4 | EIDAS-01 | DOING (2025-12-07) | Trust store stub | Authority · Security | Add eIDAS profile enforcement (P-256/384 + SHA-256), EU trust-store bundle, JWKS metadata; emit warning when QSCD not present. |
| 5 | EIDAS-02 | BLOCKED (2025-12-06) | QSCD device available | Authority · Security | Add QSCD/qualified cert handling and policy checks; certify once hardware available. |
| 6 | KCMVP-01 | TODO | None | Security · Crypto | Provide KCMVP hash-only baseline (SHA-256) with labeling; add tests and profile docs. |
| 6 | KCMVP-01 | DONE (2025-12-07) | None | Security · Crypto | Provide KCMVP hash-only baseline (SHA-256) with labeling; add tests and profile docs. |
| 7 | KCMVP-02 | BLOCKED (2025-12-06) | Licensed module | Security · Crypto | Add ARIA/SEED/KCDSA provider once certified toolchain available. |
| 8 | PQ-IMPL-01 | TODO | Registry mapping (R3) to resolve | Crypto · Scanner | Implement `pq-dilithium3` and `pq-falcon512` providers via liboqs/oqs-provider; vendor libs for offline; add deterministic vectors. |
| 8 | PQ-IMPL-01 | DOING (2025-12-07) | Registry mapping (R3) to resolve | Crypto · Scanner | Implement `pq-dilithium3` and `pq-falcon512` providers via liboqs/oqs-provider; vendor libs for offline; add deterministic vectors. |
| 9 | PQ-IMPL-02 | TODO | After #8 | Scanner · Attestor · Policy | Wire DSSE signing overrides, dual-sign toggles, deterministic regression tests across providers (Scanner/Attestor/Policy). |
| 10 | ROOTPACK-INTL-01 | TODO | After baseline tasks (1,4,6,8) | Ops · Docs | Build rootpack variants (us-fips baseline, eu baseline, korea hash-only, PQ addenda) with signed manifests/tests; clearly label certification gaps. |
| 10 | ROOTPACK-INTL-01 | DOING (2025-12-07) | After baseline tasks (1,4,6,8) | Ops · Docs | Build rootpack variants (us-fips baseline, eu baseline, korea hash-only, PQ addenda) with signed manifests/tests; clearly label certification gaps. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-06 | Sprint created; awaiting staffing. | Planning |
| 2025-12-06 | Re-scoped: added software baselines (FIPS/eIDAS/KCMVP hash-only, PQ with liboqs) as TODO; certified modules/QSCD/ARIA-SEED remain BLOCKED. | Implementer |
| 2025-12-07 | Added software compliance providers (`fips.ecdsa.soft`, `eu.eidas.soft`, `kr.kcmvp.hash`, `pq.soft`) with unit tests; set tasks 1 and 6 to DONE; 2,4,8,10 moved to DOING pending host wiring and certified modules. | Implementer |
| 2025-12-07 | Drafted regional rootpacks (`etc/rootpack/us-fips`, `etc/rootpack/eu`, `etc/rootpack/kr`) including PQ soft provider; registry DI registers new providers. | Implementer |
## Decisions & Risks
- FIPS validation lead time may slip; interim non-certified baseline acceptable but must be clearly labeled until CMVP module lands (task 3).

76
docs/modules/concelier/prep/store-aoc-19-005-dev.md Normal file
View File

@@ -0,0 +1,76 @@
# Concelier Backfill & Rollback Plan (STORE-AOC-19-005-DEV)
## Objective
Prepare and rehearse the raw-linkset backfill/rollback so Concelier Mongo reflects Link-Not-Merge data deterministically across dev/stage. This runbook unblocks STORE-AOC-19-005-DEV.
## Inputs
- Source dataset: staging export tarball `linksets-stage-backfill.tar.zst`.
- Expected placement: `out/linksets/linksets-stage-backfill.tar.zst`.
- Hash: record SHA-256 in this file once available (example below).
Example hash capture (replace with real):
```
$ sha256sum out/linksets/linksets-stage-backfill.tar.zst
3ac7d1c8f4f7b5c5b27c1c7ac6d6e9b2a2d6d7a1a1c3f4e5b6c7d8e9f0a1b2c3 out/linksets/linksets-stage-backfill.tar.zst
```
## Preflight
- Environment variables:
- `CONCELIER_MONGO_URI` pointing to the target (dev or staging) Mongo.
- `CONCELIER_DB` (default `concelier`).
- Take a snapshot of affected collections:
```
mongodump --uri "$CONCELIER_MONGO_URI" --db "$CONCELIER_DB" --collection linksets --collection advisory_chunks --out out/backups/pre-run
```
- Ensure write lock is acceptable for the maintenance window.
## Backfill steps
1) Extract dataset:
```
mkdir -p out/linksets/extracted
tar -xf out/linksets/linksets-stage-backfill.tar.zst -C out/linksets/extracted
```
2) Import linksets + chunks (bypass validation to preserve upstream IDs):
```
mongoimport --uri "$CONCELIER_MONGO_URI" --db "$CONCELIER_DB" \
--collection linksets --file out/linksets/extracted/linksets.ndjson --mode=upsert --upsertFields=_id
mongoimport --uri "$CONCELIER_MONGO_URI" --db "$CONCELIER_DB" \
--collection advisory_chunks --file out/linksets/extracted/advisory_chunks.ndjson --mode=upsert --upsertFields=_id
```
3) Verify counts vs manifest:
```
jq '.' out/linksets/extracted/manifest.json
mongo --quiet "$CONCELIER_MONGO_URI/$CONCELIER_DB" --eval "db.linksets.countDocuments()"
mongo --quiet "$CONCELIER_MONGO_URI/$CONCELIER_DB" --eval "db.advisory_chunks.countDocuments()"
```
4) Dry-run rollback marker (no-op unless `ENABLE_ROLLBACK=1` set):
```
ENABLE_ROLLBACK=0 python scripts/concelier/backfill/rollback.py --manifest out/linksets/extracted/manifest.json
```
## Rollback procedure
- If validation fails, restore from preflight dump:
```
mongorestore --uri "$CONCELIER_MONGO_URI" --drop out/backups/pre-run
```
- If partial write detected, rerun mongoimport for the affected collection only with `--mode=upsert`.
## Validation checklist
- Hash of tarball matches recorded SHA-256.
- Post-import counts align with `manifest.json`.
- Linkset cursor pagination smoke test:
```
dotnet test src/Concelier/StellaOps.Concelier.WebService.Tests --filter LinksetsEndpoint_SupportsCursorPagination
```
- Storage metrics (if enabled) show non-zero `concelier_storage_import_total` for this window.
## Artefacts to record
- Tarball SHA-256 and size.
- `manifest.json` copy stored alongside tarball.
- Import log (`out/linksets/import.log`) and validation results.
- Decision: maintenance window and rollback outcome.
## Owners
- Concelier Storage Guild (Mongo)
- AirGap/Backfill reviewers for sign-off

24
docs/security/crypto-compliance.md
View File

@@ -16,9 +16,19 @@ StellaOps supports multiple cryptographic compliance profiles to meet regional r
| `eidas` | eIDAS/ETSI TS 119 312 | European Union | EU digital identity and trust |
**Certification caveats (current baselines)**
- `fips`, `eidas`, `kcmvp` are enforced via algorithm allow-lists only; certified modules are not yet integrated. Deployments must treat these as non-certified until a CMVP/QSCD/KCMVP module is configured.
- `gost` is validated on Linux via OpenSSL GOST; Windows CryptoPro CSP remains pending.
- `sm` uses a software-only SM2/SM3 path when `SM_SOFT_ALLOWED=1`; hardware PKCS#11 validation is pending.
- `fips` and `eidas` now route through software allow-listed providers (`fips.ecdsa.soft`, `eu.eidas.soft`) and are labeled **non-certified** until a CMVP/QSCD module is attached (set `FIPS_SOFT_ALLOWED=1` / `EIDAS_SOFT_ALLOWED=1`).
- `kcmvp` is covered by a hash-only baseline provider (`kr.kcmvp.hash`, SHA-256) with the `KCMVP_HASH_ALLOWED` gate; ARIA/SEED/KCDSA remain pending.
- `gost` has a Linux-ready OpenSSL baseline plus a Wine sidecar for CryptoPro CSP (`ru.winecsp.http`); native Windows CSP stays blocked on licensed runners.
- `sm` uses software SM2/SM3 (`cn.sm.soft`, gate `SM_SOFT_ALLOWED=1`); hardware PKCS#11 validation remains pending.
- `pq` uses software-only Dilithium3 and Falcon512 (`pq.soft`, gate `PQ_SOFT_ALLOWED=1`); certified PQ modules are not available.
**Provider identifiers (registry names)**
- FIPS: `fips.ecdsa.soft`
- eIDAS: `eu.eidas.soft`
- KCMVP hash baseline: `kr.kcmvp.hash`
- PQ (Dilithium3/Falcon512): `pq.soft`
- RU GOST (Wine sidecar): `ru.winecsp.http`
- CN SM software: `cn.sm.soft`
## Configuration
@@ -87,6 +97,14 @@ HMAC operations use purpose-based selection similar to hashing:
**Note:** The `WebhookInterop` purpose always uses HMAC-SHA256 regardless of profile. This is required for compatibility with external webhook receivers (Slack, Teams, GitHub, etc.) that expect SHA-256 signatures.
## Simulation paths when hardware is missing
- **RU / GOST**: Linux baseline uses `ru.openssl.gost`; CryptoPro CSP can be exercised from Linux via the Wine sidecar service (`ru.winecsp.http`) built from `scripts/crypto/setup-wine-csp-service.sh` when customers supply the CSP installer. Windows CSP remains blocked until licensed runners are available.
- **CN / SM**: Software-only SM2/SM3 provider (`cn.sm.soft`) backed by BouncyCastle; enable with `SM_SOFT_ALLOWED=1`. Hardware PKCS#11 tokens can be added later without changing feature code because hosts resolve via `ICryptoProviderRegistry`.
- **FIPS / eIDAS**: Software allow-lists (`fips.ecdsa.soft`, `eu.eidas.soft`) enforce ES256/ES384 + SHA-2. They are labeled non-certified until a CMVP/QSCD module is supplied.
- **KCMVP**: Hash-only baseline (`kr.kcmvp.hash`) keeps SHA-256 available when ARIA/SEED/KCDSA hardware is absent.
- **PQ (Dilithium3/Falcon512)**: Software-only `pq.soft` provider using BouncyCastle PQC primitives; gated by `PQ_SOFT_ALLOWED=1`. Certified PQ hardware is not yet available.
## Interoperability Exceptions
Certain operations must use SHA-256 regardless of compliance profile to maintain external compatibility: