notify doctors work, audit work, new product advisory sprints

This commit is contained in:
master
2026-01-13 08:36:29 +02:00
parent b8868a5f13
commit 9ca7cb183e
343 changed files with 24492 additions and 3544 deletions


@@ -1,4 +1,4 @@
using System.Text.Json;
using StellaOps.Canonical.Json;
using StellaOps.Cryptography;
namespace StellaOps.Policy.Engine.Attestation;
@@ -191,10 +191,8 @@ public sealed class RvaBuilder
private string ComputeAttestationId(RiskVerdictAttestation attestation)
{
var json = JsonSerializer.Serialize(attestation with { AttestationId = "" },
RvaSerializerOptions.Canonical);
var hash = _cryptoHash.ComputeHashHex(System.Text.Encoding.UTF8.GetBytes(json), "SHA256");
var canonical = CanonJson.Canonicalize(attestation with { AttestationId = "" });
var hash = _cryptoHash.ComputeHashHex(canonical, "SHA256");
return $"rva:sha256:{hash}";
}
@@ -208,19 +206,3 @@ public sealed class RvaBuilder
}
}
/// <summary>
/// Centralized JSON serializer options for RVA.
/// </summary>
internal static class RvaSerializerOptions
{
/// <summary>
/// Canonical JSON options for deterministic serialization.
/// </summary>
public static JsonSerializerOptions Canonical { get; } = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
WriteIndented = false,
DefaultIgnoreCondition = System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull,
Encoder = System.Text.Encodings.Web.JavaScriptEncoder.UnsafeRelaxedJsonEscaping
};
}
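Review bot: Switching `ComputeAttestationId` from `JsonSerializer.Serialize(..., RvaSerializerOptions.Canonical)` to `CanonJson.Canonicalize(...)` changes the hashed bytes unless both produce identical output, so attestations whose `rva:sha256:` id was minted before this commit could be rejected by `VerifyAttestationId`, which gets the same change in RvaVerifier. The removed options applied camelCase names, omitted nulls and used relaxed escaping; whether `CanonJson` matches that is not visible on this page. I would add a golden-vector test that pins the id of a fixed attestation, and if the output differs, either version the id scheme or keep a legacy verification path for stored attestations. A comment above the method would record the contract, for example `// ID = SHA-256 over CanonJson bytes with AttestationId blanked; changing canonicalization invalidates existing IDs.`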


@@ -1,8 +1,8 @@
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.Logging;
using StellaOps.Attestor.Envelope;
using StellaOps.Canonical.Json;
using StellaOps.Cryptography;
using StellaOps.Policy.Snapshots;
@@ -272,16 +272,15 @@ public sealed class RvaVerifier : IRvaVerifier
private static bool VerifyAttestationId(RiskVerdictAttestation attestation)
{
var json = JsonSerializer.Serialize(attestation with { AttestationId = "" },
RvaSerializerOptions.Canonical);
var expectedId = $"rva:sha256:{ComputeSha256(json)}";
var canonical = CanonJson.Canonicalize(attestation with { AttestationId = "" });
var expectedId = $"rva:sha256:{ComputeSha256(canonical)}";
return attestation.AttestationId == expectedId;
}
private static string ComputeSha256(string input)
private static string ComputeSha256(ReadOnlySpan<byte> input)
{
var bytes = SHA256.HashData(Encoding.UTF8.GetBytes(input));
return Convert.ToHexString(bytes).ToLowerInvariant();
var bytes = SHA256.HashData(input);
return Convert.ToHexStringLower(bytes);
}
}
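Review bot: `VerifyAttestationId` rebuilds the id with its own `rva:sha256:` prefix and a local `SHA256.HashData` plus `Convert.ToHexStringLower`, while `RvaBuilder.ComputeAttestationId` goes through `_cryptoHash.ComputeHashHex(canonical, "SHA256")`. Nothing visible here guarantees the two hex encodings agree, casing in particular. Because the result is compared with an ordinal `==`, any divergence fails closed and rejects every attestation. Consider one shared helper used by both builder and verifier, or at least a round-trip test that builds an attestation and verifies it. `Convert.ToHexStringLower` also requires .NET 9 or later, which is worth confirming against the project's target framework.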


@@ -326,6 +326,8 @@ public sealed record VerdictAppliedGuardrails
/// </summary>
public sealed record VerdictScoringProof
{
private const string DefaultCalculatorVersion = "1.0.0";
/// <summary>
/// Creates a new VerdictScoringProof.
/// </summary>
@@ -382,7 +384,7 @@ public sealed record VerdictScoringProof
inputs: VerdictEvidenceInputs.FromEvidenceInputValues(ewsResult.Inputs),
weights: VerdictEvidenceWeights.FromEvidenceWeights(ewsResult.Weights),
policyDigest: ewsResult.PolicyDigest,
calculatorVersion: "1.0.0", // TODO: Get from calculator metadata
calculatorVersion: DefaultCalculatorVersion,
calculatedAt: ewsResult.CalculatedAt
);
}
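Review bot: `DefaultCalculatorVersion` replaces the literal at the `calculatorVersion:` argument, but the commit also drops the TODO saying the value should come from calculator metadata. The scoring proof therefore still records `1.0.0` regardless of which calculator produced `ewsResult`. For a field that reads as provenance, I would keep that gap visible on the constant, e.g. `// Placeholder: not read from the calculator; proofs record this value regardless of the actual calculator version.` The enclosing factory method begins outside the hunk.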


@@ -203,8 +203,7 @@ public sealed class VerdictPredicateBuilder
return null;
}
// TODO: Extract full reachability paths from trace or evidence
// For now, return basic reachability status
// Reachability paths are not yet supplied; emit status-only until trace evidence expands.
return new VerdictReachability(
status: reachabilityStatus,
paths: null