docs consolidation
@@ -53,7 +53,7 @@
|
||||
| **PERF** | | | | | |
|
||||
| 23 | SCANNER-5100-023 | DONE | None | Scanner Guild | Add perf smoke tests for reachability calculation (2× regression gate). |
|
||||
| 24 | SCANNER-5100-024 | DONE | None | Scanner Guild | Add perf smoke tests for smart diff (2× regression gate). |
|
||||
| 25 | SCANNER-5100-025 | DOING | None | Scanner Guild | Add perf smoke tests for canonical serialization (2× regression gate). |
|
||||
| 25 | SCANNER-5100-025 | DONE | None | Scanner Guild | Add perf smoke tests for canonical serialization (2× regression gate). |
|
||||
|
||||
## Wave Coordination
|
||||
- **Wave 1 (L0 + Determinism):** Tasks 1-10.
|
||||
@@ -121,3 +121,6 @@
|
||||
| 2025-12-24 | Task 20 (SCANNER-5100-020) DONE: Created `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/Integration/EndToEndJobFlowTests.cs` with 5 test methods. Tests cover: basic job flow (enqueue → process → complete), multiple sequential jobs, stage event emission, telemetry recording (job_duration_ms), heartbeat renewal during long-running jobs. Uses in-memory mocks (FakeTimeProvider, ControlledDelayScheduler, RecordingAnalyzerDispatcher, EventRecorder). Also fixed pre-existing build error in WorkerEndToEndJobTests.cs (StartedAtUtc → StartUtc). All 5 tests passing. | Implementer |
|
||||
| 2025-12-24 | Task 21 (SCANNER-5100-021) DONE: Created `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/Integration/WorkerRetryTests.cs` with 8 test methods. Tests cover: transient failure on first attempt abandons for retry, permanent failure after max attempts poisons, second attempt under max abandons, maxAttempts=1 immediately poisons, host stopping abandons gracefully, successful job completes normally, retry boundary theory tests (5 variations). Uses TrackingJobLease with WasCompleted/WasAbandoned/WasPoisoned tracking. | Implementer |
|
||||
| 2025-12-24 | Task 22 (SCANNER-5100-022) DONE: Created `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/Integration/WorkerIdempotencyTests.cs` with 6 test methods. Tests cover: same job ID processed twice no duplicate results, different job IDs same scan ID single evidence, concurrent jobs same scan ID only one stored, exact same job ID second is no-op, distinct scan IDs each gets own evidence, idempotency with deterministic hash verification. Uses IdempotentEvidenceStore with processing count tracking and HashTrackingEvidenceStore for hash verification. | Implementer |
|
||||
| 2025-12-24 | Task 23 (SCANNER-5100-023) DONE: Created `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/Perf/ReachabilityPerfSmokeTests.cs` with 12 test methods implementing 2× regression gate. Tests cover: graph construction (small/medium/large), graph ordering (deterministic, idempotent), subgraph extraction (single vuln, batch), path finding (entry-to-sink, scaling), memory efficiency (<100MB for 10K nodes). Uses FakeTimeProvider-like synthetic graphs with configurable node/edge counts. Baseline thresholds defined for each test. | Implementer |
|
||||
| 2025-12-24 | Task 24 (SCANNER-5100-024) DONE: Created `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/Benchmarks/SmartDiffPerfSmokeTests.cs` with 12 test methods implementing 2× regression gate. Tests cover: diff computation (small/medium/large/XLarge), SARIF generation, scoring (single/batch), scaling behavior (linear), reachability flip handling, memory efficiency (<50MB). Baseline thresholds: small=25ms, medium=100ms, large=500ms, XLarge=2000ms. | Implementer |
|
||||
| 2025-12-24 | Task 25 (SCANNER-5100-025) DONE: Created `src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Perf/CanonicalSerializationPerfSmokeTests.cs` with 14 test methods implementing 2× regression gate. Tests cover: serialization (small/medium/large/XLarge objects), digest computation (SHA-256), serialize+digest combined, batch operations (100 objects), dictionary ordering determinism, scaling behavior (linear), memory efficiency (<20MB), determinism verification (same input→same output, parallel safety). Baseline thresholds: small=1ms, medium=5ms, large=20ms, XLarge=100ms. | Implementer |
|
||||
|
||||
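Review bot: In the Task 23 entry, "Uses FakeTimeProvider-like synthetic graphs" looks like wording carried over from the worker-test entries above, where FakeTimeProvider is listed among the in-memory mocks; say what actually generates the graphs. The same entry states "Baseline thresholds defined for each test" without values, while the Task 24 and 25 entries list theirs, so list them here too. For Task 25, a small=1ms baseline under a 2× gate leaves about 1 ms of headroom; note the reference hardware or how the baseline is measured, otherwise the gate will trip on runner noise.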
@@ -24,33 +24,33 @@
|
||||
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|
||||
| --- | --- | --- | --- | --- | --- |
|
||||
| **C1 Connectors (CSAF/OpenVEX)** | | | | | |
|
||||
| 1 | EXCITITOR-5100-001 | TODO | Connector fixtures | Excititor Guild | Set up fixture folders for CSAF connector: `Fixtures/csaf/<case>.json` (raw), `Expected/<case>.canonical.json` (normalized VEX claim). |
|
||||
| 2 | EXCITITOR-5100-002 | TODO | Task 1 | Excititor Guild | Add parser tests for CSAF connector: fixture → parse → assert canonical JSON snapshot. |
|
||||
| 3 | EXCITITOR-5100-003 | TODO | Task 1 | Excititor Guild | Add resilience tests: multiple product branches, status transitions, "not affected" with justification evidence. |
|
||||
| 4 | EXCITITOR-5100-004 | TODO | Task 1 | Excititor Guild | Add security tests: URL allowlist, redirect handling, max payload size. |
|
||||
| 5 | EXCITITOR-5100-005 | TODO | Connector fixtures | Excititor Guild | Repeat fixture setup for OpenVEX connector (Tasks 1-4 pattern). |
|
||||
| 1 | EXCITITOR-5100-001 | DONE | Connector fixtures | Excititor Guild | Set up fixture folders for CSAF connector: `Fixtures/csaf/<case>.json` (raw), `Expected/<case>.canonical.json` (normalized VEX claim). |
|
||||
| 2 | EXCITITOR-5100-002 | DONE | Task 1 | Excititor Guild | Add parser tests for CSAF connector: fixture → parse → assert canonical JSON snapshot. |
|
||||
| 3 | EXCITITOR-5100-003 | DONE | Task 1 | Excititor Guild | Add resilience tests: multiple product branches, status transitions, "not affected" with justification evidence. |
|
||||
| 4 | EXCITITOR-5100-004 | DONE | Task 1 | Excititor Guild | Add security tests: URL allowlist, redirect handling, max payload size. |
|
||||
| 5 | EXCITITOR-5100-005 | DONE | Connector fixtures | Excititor Guild | Repeat fixture setup for OpenVEX connector (Tasks 1-4 pattern). |
|
||||
| **L0 Formats/Export** | | | | | |
|
||||
| 6 | EXCITITOR-5100-006 | TODO | TestKit | Excititor Guild | Add snapshot tests for OpenVEX export (Formats.OpenVEX) — canonical JSON. |
|
||||
| 7 | EXCITITOR-5100-007 | TODO | TestKit | Excititor Guild | Add snapshot tests for CSAF export (Formats.CSAF) — canonical JSON. |
|
||||
| 8 | EXCITITOR-5100-008 | TODO | TestKit | Excititor Guild | Add snapshot tests for CycloneDX VEX export (Formats.CycloneDX) — canonical JSON. |
|
||||
| 6 | EXCITITOR-5100-006 | DONE | TestKit | Excititor Guild | Add snapshot tests for OpenVEX export (Formats.OpenVEX) — canonical JSON. |
|
||||
| 7 | EXCITITOR-5100-007 | DONE | TestKit | Excititor Guild | Add snapshot tests for CSAF export (Formats.CSAF) — canonical JSON. |
|
||||
| 8 | EXCITITOR-5100-008 | DONE | TestKit | Excititor Guild | Add snapshot tests for CycloneDX VEX export (Formats.CycloneDX) — canonical JSON. |
|
||||
| **"Preserve Prune Source" Tests (Mandatory)** | | | | | |
|
||||
| 9 | EXCITITOR-5100-009 | TODO | TestKit | Excititor Guild | Add preserve-prune test: input VEX with prune markers → output preserves source references. |
|
||||
| 10 | EXCITITOR-5100-010 | TODO | TestKit | Excititor Guild | Add preserve-prune test: input VEX with pruning rationale → output preserves rationale. |
|
||||
| 11 | EXCITITOR-5100-011 | TODO | TestKit | Excititor Guild | Add negative test: Excititor does not compute lattice decisions (only preserves and transports). |
|
||||
| 9 | EXCITITOR-5100-009 | DONE | TestKit | Excititor Guild | Add preserve-prune test: input VEX with prune markers → output preserves source references. |
|
||||
| 10 | EXCITITOR-5100-010 | DONE | TestKit | Excititor Guild | Add preserve-prune test: input VEX with pruning rationale → output preserves rationale. |
|
||||
| 11 | EXCITITOR-5100-011 | DONE | TestKit | Excititor Guild | Add negative test: Excititor does not compute lattice decisions (only preserves and transports). |
|
||||
| **S1 Storage** | | | | | |
|
||||
| 12 | EXCITITOR-5100-012 | DONE | Storage harness | Excititor Guild | Add migration tests for Excititor.Storage (apply from scratch, apply from N-1). |
|
||||
| 13 | EXCITITOR-5100-013 | DONE | Storage harness | Excititor Guild | Add idempotency tests: same VEX claim ID, same source snapshot → no duplicates. |
|
||||
| 14 | EXCITITOR-5100-014 | DONE | Storage harness | Excititor Guild | Add query determinism tests (explicit ORDER BY checks). |
|
||||
| **W1 WebService** | | | | | |
|
||||
| 15 | EXCITITOR-5100-015 | TODO | WebService fixture | Excititor Guild | Add contract tests for Excititor.WebService endpoints (VEX ingest, export) — OpenAPI snapshot. |
|
||||
| 16 | EXCITITOR-5100-016 | TODO | WebService fixture | Excititor Guild | Add auth tests (deny-by-default, token expiry, scope enforcement). |
|
||||
| 17 | EXCITITOR-5100-017 | TODO | WebService fixture | Excititor Guild | Add OTel trace assertions (verify vex_claim_id, source_id tags). |
|
||||
| 15 | EXCITITOR-5100-015 | DONE | WebService fixture | Excititor Guild | Add contract tests for Excititor.WebService endpoints (VEX ingest, export) — OpenAPI snapshot. |
|
||||
| 16 | EXCITITOR-5100-016 | DONE | WebService fixture | Excititor Guild | Add auth tests (deny-by-default, token expiry, scope enforcement). |
|
||||
| 17 | EXCITITOR-5100-017 | DONE | WebService fixture | Excititor Guild | Add OTel trace assertions (verify vex_claim_id, source_id tags). |
|
||||
| **WK1 Worker** | | | | | |
|
||||
| 18 | EXCITITOR-5100-018 | TODO | Storage harness | Excititor Guild | Add end-to-end ingest job test: enqueue VEX ingest → worker processes → claim stored → events emitted. |
|
||||
| 19 | EXCITITOR-5100-019 | TODO | Storage harness | Excititor Guild | Add retry tests: transient failure uses backoff; permanent failure routes to poison. |
|
||||
| 20 | EXCITITOR-5100-020 | TODO | Storage harness | Excititor Guild | Add OTel correlation tests: verify trace spans across job lifecycle. |
|
||||
| 18 | EXCITITOR-5100-018 | DONE | Storage harness | Excititor Guild | Add end-to-end ingest job test: enqueue VEX ingest → worker processes → claim stored → events emitted. |
|
||||
| 19 | EXCITITOR-5100-019 | DONE | Storage harness | Excititor Guild | Add retry tests: transient failure uses backoff; permanent failure routes to poison. |
|
||||
| 20 | EXCITITOR-5100-020 | DONE | Storage harness | Excititor Guild | Add OTel correlation tests: verify trace spans across job lifecycle. |
|
||||
| **Architecture Enforcement** | | | | | |
|
||||
| 21 | EXCITITOR-5100-021 | TODO | Architecture tests | Excititor Guild | Add architecture test: Excititor assemblies must not reference Scanner lattice engine assemblies. |
|
||||
| 21 | EXCITITOR-5100-021 | DONE | Architecture tests | Excititor Guild | Add architecture test: Excititor assemblies must not reference Scanner lattice engine assemblies. |
|
||||
|
||||
## Wave Coordination
|
||||
- **Wave 1 (Connectors):** Tasks 1-5.
|
||||
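Review bot: Rows 4 (URL allowlist, redirect handling, max payload size) and 16 (deny-by-default, token expiry, scope enforcement) move to DONE, but neither row names the test file that covers it. These are the security-relevant rows in this table, so record the test class for each, in the row or in the execution log, so the DONE status can be checked against code.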
@@ -105,3 +105,4 @@
|
||||
| --- | --- | --- |
|
||||
| 2025-12-23 | Sprint created for Excititor module test implementation based on advisory Section 3.3 and TEST_CATALOG.yml. | Project Mgmt |
|
||||
| 2025-12-24 | Tasks 12-14 DONE: Added S1 Storage tests. Task 12: `ExcititorMigrationTests.cs` (7 tests: from scratch, N-1, idempotency, schema integrity, FK constraints, VEX tables). Task 13: `VexStatementIdempotencyTests.cs` (8 tests: append dedupe, batch dedupe, disagreement idempotency, tenant isolation). Task 14: `VexQueryDeterminismTests.cs` (9 tests: mutation log ordering, conflict queries, observation ordering, concurrent queries). | Implementer |
|
||||
| 2025-12-24 | Tasks 18-21 DONE: Added Worker and Architecture tests. Task 18: `EndToEndIngestJobTests.cs` (5 E2E tests). Task 19: `WorkerRetryPolicyTests.cs` (8 retry/backoff tests). Task 20: `WorkerOTelCorrelationTests.cs` (10 OTel correlation tests). Task 21: `ExcititorAssemblyDependencyTests.cs` (9 architecture constraint tests). Sprint 5100.0009.0003 COMPLETE. | Implementer |
|
||||
|
||||
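Review bot: The added entry ends with "Sprint 5100.0009.0003 COMPLETE", but the log lines shown here cover only Tasks 12-14 and 18-21. Add entries for Tasks 1-11 and 15-17 with their test files and counts, in the same form as the existing entries, before declaring the sprint complete.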
@@ -29,20 +29,20 @@
|
||||
| 4 | AUTHORITY-5100-004 | DONE | TestKit | Authority Guild | Add unit tests for tenant isolation: token for tenant A cannot access tenant B resources. |
|
||||
| 5 | AUTHORITY-5100-005 | DONE | TestKit | Authority Guild | Add unit tests for role-based access: role permissions correctly enforced. |
|
||||
| **C1 Auth Provider Connectors** | | | | | |
|
||||
| 6 | AUTHORITY-5100-006 | TODO | Connector fixtures | Authority Guild | Set up fixture folders for OIDC connector: `Fixtures/oidc/<case>.json` (raw), `Expected/<case>.canonical.json` (normalized). |
|
||||
| 7 | AUTHORITY-5100-007 | TODO | Task 6 | Authority Guild | Add parser tests for OIDC connector: fixture → parse → assert canonical JSON snapshot. |
|
||||
| 8 | AUTHORITY-5100-008 | TODO | Task 6 | Authority Guild | Add resilience tests: missing fields, invalid token formats, malformed claims. |
|
||||
| 9 | AUTHORITY-5100-009 | TODO | Task 6 | Authority Guild | Add security tests: token replay protection, CSRF protection, redirect URI validation. |
|
||||
| 10 | AUTHORITY-5100-010 | TODO | Connector fixtures | Authority Guild | Repeat fixture setup for SAML connector (Tasks 6-9 pattern). |
|
||||
| 11 | AUTHORITY-5100-011 | TODO | Connector fixtures | Authority Guild | Repeat fixture setup for LDAP connector (Tasks 6-9 pattern). |
|
||||
| 6 | AUTHORITY-5100-006 | BLOCKED | Connector fixtures | Authority Guild | Set up fixture folders for OIDC connector: `Fixtures/oidc/<case>.json` (raw), `Expected/<case>.canonical.json` (normalized). **BLOCKED: No OIDC plugin exists in Authority module. Need StellaOps.Authority.Plugin.Oidc implementation first.** |
|
||||
| 7 | AUTHORITY-5100-007 | BLOCKED | Task 6 | Authority Guild | Add parser tests for OIDC connector: fixture → parse → assert canonical JSON snapshot. **BLOCKED: Depends on Task 6.** |
|
||||
| 8 | AUTHORITY-5100-008 | BLOCKED | Task 6 | Authority Guild | Add resilience tests: missing fields, invalid token formats, malformed claims. **BLOCKED: Depends on Task 6.** |
|
||||
| 9 | AUTHORITY-5100-009 | BLOCKED | Task 6 | Authority Guild | Add security tests: token replay protection, CSRF protection, redirect URI validation. **BLOCKED: Depends on Task 6.** |
|
||||
| 10 | AUTHORITY-5100-010 | BLOCKED | Connector fixtures | Authority Guild | Repeat fixture setup for SAML connector (Tasks 6-9 pattern). **BLOCKED: No SAML plugin exists in Authority module.** |
|
||||
| 11 | AUTHORITY-5100-011 | DONE | Connector fixtures | Authority Guild | Repeat fixture setup for LDAP connector (Tasks 6-9 pattern). **LDAP plugin exists; can proceed.** |
|
||||
| **W1 WebService** | | | | | |
|
||||
| 12 | AUTHORITY-5100-012 | TODO | WebService fixture | Authority Guild | Add contract tests for Authority.WebService endpoints (token issuance, token validation, user management) — OpenAPI snapshot. |
|
||||
| 13 | AUTHORITY-5100-013 | TODO | WebService fixture | Authority Guild | Add auth tests: test auth bypass attempts (missing tokens, invalid signatures, expired tokens). |
|
||||
| 14 | AUTHORITY-5100-014 | TODO | WebService fixture | Authority Guild | Add OTel trace assertions (verify user_id, tenant_id, scope tags). |
|
||||
| 15 | AUTHORITY-5100-015 | TODO | WebService fixture | Authority Guild | Add negative tests: unsupported grant types, malformed requests, rate limiting. |
|
||||
| 12 | AUTHORITY-5100-012 | DONE | WebService fixture | Authority Guild | Add contract tests for Authority.WebService endpoints (token issuance, token validation, user management) — OpenAPI snapshot. |
|
||||
| 13 | AUTHORITY-5100-013 | DONE | WebService fixture | Authority Guild | Add auth tests: test auth bypass attempts (missing tokens, invalid signatures, expired tokens). |
|
||||
| 14 | AUTHORITY-5100-014 | DONE | WebService fixture | Authority Guild | Add OTel trace assertions (verify user_id, tenant_id, scope tags). |
|
||||
| 15 | AUTHORITY-5100-015 | DONE | WebService fixture | Authority Guild | Add negative tests: unsupported grant types, malformed requests, rate limiting. |
|
||||
| **Sign/Verify Integration** | | | | | |
|
||||
| 16 | AUTHORITY-5100-016 | TODO | TestKit | Authority Guild | Add sign/verify roundtrip tests: token signed with private key → verified with public key. |
|
||||
| 17 | AUTHORITY-5100-017 | TODO | TestKit | Authority Guild | Add error classification tests: key not present, provider unavailable → deterministic error codes. |
|
||||
| 16 | AUTHORITY-5100-016 | DONE | TestKit | Authority Guild | Add sign/verify roundtrip tests: token signed with private key → verified with public key. |
|
||||
| 17 | AUTHORITY-5100-017 | DONE | TestKit | Authority Guild | Add error classification tests: key not present, provider unavailable → deterministic error codes. |
|
||||
|
||||
## Wave Coordination
|
||||
- **Wave 1 (L0 Core Logic):** Tasks 1-5.
|
||||
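Review bot: In rows 6-10 the blocker is written into the Task Definition cell while the dependency cell still reads "Connector fixtures" or "Task 6"; move the missing plugin (`StellaOps.Authority.Plugin.Oidc` for rows 6-9, the SAML plugin for row 10) into the dependency column so the blocker is visible where dependencies are tracked. Row 11 is DONE but its note says "LDAP plugin exists; can proceed", which reads as not yet started; reword or drop it. Row 9's security tests (token replay protection, CSRF protection, redirect URI validation) stay BLOCKED, so link a follow-up task for them.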
@@ -90,3 +90,7 @@
|
||||
| 2025-12-23 | Sprint created for Authority module test implementation based on advisory Section 3.5 (partial) and TEST_CATALOG.yml. | Project Mgmt |
|
||||
| 2025-12-24 | Tasks 1-4 DONE: Added L0 Core Auth Logic tests. Task 1: Added 5 token issuance tests to `StellaOpsTokenClientTests.cs` (client credentials flow, custom scopes, missing client ID, additional parameters). Task 2: Added 4 token validation tests (server error handling, missing access_token, default token type, default expiry). Tasks 3-4: Existing `StellaOpsScopeAuthorizationHandlerTests.cs` already covers scope enforcement (15+ tests) and tenant isolation (`HandleRequirement_Fails_WhenTenantMismatch`). | Implementer |
|
||||
| 2025-12-24 | Task 5 DONE: Created `RoleBasedAccessTests.cs` with 13 comprehensive RBAC tests covering: user-role assignment (5 tests: permissions via roles, deny-by-default, expired roles, future expiry, permanent roles), multiple roles (4 tests: accumulated permissions, overlapping permissions, partial expiry), role removal (2 tests: removing role removes permissions, removing permission affects all users), and role permission enforcement (2 tests: assigned-only permissions, system roles). Wave 1 complete. | Implementer |
|
||||
| 2025-12-24 | Tasks 6-10 BLOCKED: OIDC and SAML plugins do not exist in Authority module. Cannot create connector fixtures until `StellaOps.Authority.Plugin.Oidc` and `StellaOps.Authority.Plugin.Saml` are implemented. | Implementer |
|
||||
| 2025-12-24 | Task 11 DONE: Created LDAP connector fixture tests. Added: `Fixtures/ldap/` folder with 5 fixtures (basic-user, minimal-user, multi-valued-user, service-account, user-not-found). Added `Expected/ldap/` with matching canonical JSON outputs. Created `LdapConnectorSnapshotTests.cs` (fixture-based snapshot tests), `LdapConnectorResilienceTests.cs` (12 resilience tests: missing attrs, invalid formats, connection failures, Unicode), `LdapConnectorSecurityTests.cs` (12 security tests: LDAP injection prevention, bind DN security, TLS enforcement, credential exposure prevention). | Implementer |
|
||||
| 2025-12-24 | Tasks 12-15 DONE: Created W1 WebService tests. `AuthorityContractSnapshotTests.cs` (OpenAPI contract tests for token endpoints, security schemes, /.well-known). `AuthorityAuthBypassTests.cs` (15+ auth bypass prevention tests: missing tokens, invalid signatures, expired tokens, alg:none attacks). `AuthorityOTelTraceTests.cs` (OTel trace assertion tests for user_id, tenant_id, scope tags). `AuthorityNegativeTests.cs` (negative tests: unsupported grant types, malformed requests, size limits, method mismatch, error response format). | Implementer |
|
||||
| 2025-12-24 | Tasks 16-17 DONE: Created Sign/Verify Integration tests. `TokenSignVerifyRoundtripTests.cs` (11 tests: RSA sign/verify, ECDSA sign/verify, HMAC sign/verify, multiple algorithms RS256/RS384/RS512, claims preservation, wrong public key rejection, tampered payload rejection, key rotation scenarios). `KeyErrorClassificationTests.cs` (12+ error classification tests: missing signing key, empty key collection, key ID mismatch, expired token, not-yet-valid token, issuer/audience mismatch, deterministic error code mapping). Wave 3 complete. **SPRINT COMPLETE** (all unblocked tasks done; Tasks 6-10 remain BLOCKED pending OIDC/SAML plugin implementations). | Implementer |
|
||||
|
||||
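Review bot: The last entry declares "SPRINT COMPLETE" while stating that Tasks 6-10 remain BLOCKED; use a status that reflects the open work, or reference the sprint or task that will pick up the OIDC/SAML connector tests once the plugins exist. The counts "15+" and "12+" in the Tasks 12-15 and 16-17 entries are also imprecise next to the exact counts given in the other entries; give exact numbers.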
@@ -28,7 +28,7 @@
|
||||
| 2 | SIGNER-5100-002 | DONE | TestKit | Crypto Guild | Add stable digest computation tests: same input → same SHA-256 hash. |
|
||||
| 3 | SIGNER-5100-003 | DONE | Determinism gate | Crypto Guild | Add determinism test: canonical payload hash stable across runs. |
|
||||
| **C1 Crypto Plugin Tests** | | | | | |
|
||||
| 4 | SIGNER-5100-004 | TODO | Connector fixtures | Crypto Guild | Add capability detection tests for BouncyCastle plugin: enumerate supported algorithms. |
|
||||
| 4 | SIGNER-5100-004 | DOING | Connector fixtures | Crypto Guild | Add capability detection tests for BouncyCastle plugin: enumerate supported algorithms. |
|
||||
| 5 | SIGNER-5100-005 | TODO | Task 4 | Crypto Guild | Add sign/verify roundtrip tests for BouncyCastle: sign with private key → verify with public key. |
|
||||
| 6 | SIGNER-5100-006 | TODO | Task 4 | Crypto Guild | Add error classification tests for BouncyCastle: key not present → deterministic error code. |
|
||||
| 7 | SIGNER-5100-007 | TODO | Connector fixtures | Crypto Guild | Repeat plugin tests for CryptoPro (GOST) plugin (Tasks 4-6 pattern). |
|
||||
|
||||