stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

UI work to fill SBOM sourcing management gap. UI planning remaining functionality exposure. Work on CI/Tests stabilization

Browse Source 
Introduces CGS determinism test runs to CI workflows for Windows, macOS, Linux, Alpine, and Debian, fulfilling CGS-008 cross-platform requirements. Updates local-ci scripts to support new smoke steps, test timeouts, progress intervals, and project slicing for improved test isolation and diagnostics.
This commit is contained in:
master
2025-12-29 19:12:38 +02:00
parent 41552d26ec
commit a4badc275e
286 changed files with 50918 additions and 992 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/__Libraries/StellaOps.Canonical.Json/CanonJson.cs
View File

@@ -1,5 +1,6 @@
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using System.Text.Json;
namespace StellaOps.Canonical.Json;
@@ -19,6 +20,12 @@ namespace StellaOps.Canonical.Json;
/// </remarks>
public static class CanonJson
{
private static readonly JsonWriterOptions CanonWriterOptions = new()
{
Indented = false,
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
};
/// <summary>
/// Serializes an object to a canonical JSON string.
/// Object keys are recursively sorted using Ordinal comparison.
@@ -58,12 +65,13 @@ public static class CanonJson
var json = JsonSerializer.SerializeToUtf8Bytes(obj, new JsonSerializerOptions
{
WriteIndented = false,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
});
using var doc = JsonDocument.Parse(json);
using var ms = new MemoryStream();
using var writer = new Utf8JsonWriter(ms, new JsonWriterOptions { Indented = false });
using var writer = new Utf8JsonWriter(ms, CanonWriterOptions);
WriteElementSorted(doc.RootElement, writer);
writer.Flush();
@@ -84,7 +92,7 @@ public static class CanonJson
using var doc = JsonDocument.Parse(json);
using var ms = new MemoryStream();
using var writer = new Utf8JsonWriter(ms, new JsonWriterOptions { Indented = false });
using var writer = new Utf8JsonWriter(ms, CanonWriterOptions);
WriteElementSorted(doc.RootElement, writer);
writer.Flush();
@@ -101,7 +109,7 @@ public static class CanonJson
{
using var doc = JsonDocument.Parse(jsonBytes.ToArray());
using var ms = new MemoryStream();
using var writer = new Utf8JsonWriter(ms, new JsonWriterOptions { Indented = false });
using var writer = new Utf8JsonWriter(ms, CanonWriterOptions);
WriteElementSorted(doc.RootElement, writer);
writer.Flush();
@@ -193,12 +201,13 @@ public static class CanonJson
var json = JsonSerializer.SerializeToUtf8Bytes(obj, new JsonSerializerOptions
{
WriteIndented = false,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
});
using var doc = JsonDocument.Parse(json);
using var ms = new MemoryStream();
using var writer = new Utf8JsonWriter(ms, new JsonWriterOptions { Indented = false });
using var writer = new Utf8JsonWriter(ms, CanonWriterOptions);
WriteElementVersioned(doc.RootElement, writer, version);
writer.Flush();
@@ -221,7 +230,7 @@ public static class CanonJson
using var doc = JsonDocument.Parse(json);
using var ms = new MemoryStream();
using var writer = new Utf8JsonWriter(ms, new JsonWriterOptions { Indented = false });
using var writer = new Utf8JsonWriter(ms, CanonWriterOptions);
WriteElementVersioned(doc.RootElement, writer, version);
writer.Flush();

30
src/__Libraries/StellaOps.Verdict/Api/VerdictContracts.cs
View File

@@ -1,7 +1,34 @@
using StellaOps.Policy;
using StellaOps.Verdict.Services;
namespace StellaOps.Verdict.Api;
namespace StellaOps.Verdict.Api
{
// -----------------------------------------------------------------------------
// CGS-specific contracts (SPRINT_20251229_001_001_BE_cgs_infrastructure)
// -----------------------------------------------------------------------------
/// <summary>
/// Request to build a deterministic verdict.
/// </summary>
public sealed record BuildVerdictRequest
{
public required EvidencePack Evidence { get; init; }
public required PolicyLock PolicyLock { get; init; }
}
/// <summary>
/// Request to compute verdict delta.
/// </summary>
public sealed record VerdictDiffRequest
{
public required string FromCgs { get; init; }
public required string ToCgs { get; init; }
}
// -----------------------------------------------------------------------------
// Existing contracts
// -----------------------------------------------------------------------------
/// <summary>
/// Request to create a new verdict.
@@ -157,3 +184,4 @@ public sealed record ExpiredDeleteResponse
/// Generic error response.
/// </summary>
public sealed record ErrorResponse(string Message);
}

115
src/__Libraries/StellaOps.Verdict/Api/VerdictEndpoints.cs
View File

@@ -56,6 +56,27 @@ public static class VerdictEndpoints
.Produces<VerdictQueryResponse>(StatusCodes.Status200OK)
.RequireAuthorization();
// POST /v1/verdicts/build - Build deterministic verdict with CGS (CGS-003)
group.MapPost("/build", HandleBuild)
.WithName("verdict.build")
.Produces<CgsVerdictResult>(StatusCodes.Status200OK)
.Produces<ErrorResponse>(StatusCodes.Status400BadRequest)
.RequireAuthorization();
// GET /v1/verdicts/cgs/{cgsHash} - Replay verdict by CGS hash (CGS-004)
group.MapGet("/cgs/{cgsHash}", HandleReplay)
.WithName("verdict.replay")
.Produces<CgsVerdictResult>(StatusCodes.Status200OK)
.Produces(StatusCodes.Status404NotFound)
.RequireAuthorization();
// POST /v1/verdicts/diff - Compute verdict delta (CGS-005)
group.MapPost("/diff", HandleDiff)
.WithName("verdict.diff")
.Produces<VerdictDelta>(StatusCodes.Status200OK)
.Produces<ErrorResponse>(StatusCodes.Status400BadRequest)
.RequireAuthorization();
// POST /v1/verdicts/{id}/verify - Verify verdict signature
group.MapPost("/{id}/verify", HandleVerify)
.WithName("verdict.verify")
@@ -318,6 +339,100 @@ public static class VerdictEndpoints
return Json(new ExpiredDeleteResponse { DeletedCount = deletedCount }, StatusCodes.Status200OK);
}
// -----------------------------------------------------------------------------
// CGS-specific handlers (SPRINT_20251229_001_001_BE_cgs_infrastructure)
// -----------------------------------------------------------------------------
private static async Task<IResult> HandleBuild(
BuildVerdictRequest request,
IVerdictBuilder verdictBuilder,
HttpContext context,
ILogger<VerdictEndpointsLogger> logger,
CancellationToken cancellationToken)
{
if (request is null || request.Evidence is null || request.PolicyLock is null)
{
return Results.BadRequest(new ErrorResponse("Evidence and PolicyLock are required"));
}
try
{
var result = await verdictBuilder.BuildAsync(request.Evidence, request.PolicyLock, cancellationToken);
logger.LogInformation(
"Verdict built successfully: cgs={CgsHash}, status={Status}",
result.CgsHash,
result.Verdict.Status);
return Json(result, StatusCodes.Status200OK);
}
catch (Exception ex)
{
logger.LogError(ex, "Failed to build verdict");
return Results.BadRequest(new ErrorResponse($"Failed to build verdict: {ex.Message}"));
}
}
private static async Task<IResult> HandleReplay(
string cgsHash,
IVerdictBuilder verdictBuilder,
ILogger<VerdictEndpointsLogger> logger,
CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(cgsHash))
{
return Results.BadRequest(new ErrorResponse("CGS hash is required"));
}
try
{
var result = await verdictBuilder.ReplayAsync(cgsHash, cancellationToken);
if (result is null)
{
logger.LogWarning("Verdict not found for CGS hash: {CgsHash}", cgsHash);
return Results.NotFound();
}
return Json(result, StatusCodes.Status200OK);
}
catch (Exception ex)
{
logger.LogError(ex, "Failed to replay verdict for cgs={CgsHash}", cgsHash);
return Results.BadRequest(new ErrorResponse($"Failed to replay verdict: {ex.Message}"));
}
}
private static async Task<IResult> HandleDiff(
VerdictDiffRequest request,
IVerdictBuilder verdictBuilder,
ILogger<VerdictEndpointsLogger> logger,
CancellationToken cancellationToken)
{
if (request is null || string.IsNullOrWhiteSpace(request.FromCgs) || string.IsNullOrWhiteSpace(request.ToCgs))
{
return Results.BadRequest(new ErrorResponse("FromCgs and ToCgs are required"));
}
try
{
var delta = await verdictBuilder.DiffAsync(request.FromCgs, request.ToCgs, cancellationToken);
logger.LogInformation(
"Verdict diff computed: from={From}, to={To}, changes={ChangeCount}",
request.FromCgs,
request.ToCgs,
delta.Changes.Count);
return Json(delta, StatusCodes.Status200OK);
}
catch (Exception ex)
{
logger.LogError(ex, "Failed to diff verdicts: from={From}, to={To}", request.FromCgs, request.ToCgs);
return Results.BadRequest(new ErrorResponse($"Failed to diff verdicts: {ex.Message}"));
}
}
private static Guid GetTenantId(HttpContext context)
{
// Try to get tenant ID from claims or header

56
src/__Libraries/StellaOps.Verdict/IPolicyLockGenerator.cs Normal file
View File

@@ -0,0 +1,56 @@
// -----------------------------------------------------------------------------
// IPolicyLockGenerator.cs
// Sprint: SPRINT_20251229_001_001_BE_cgs_infrastructure (CGS-006)
// Task: Implement PolicyLock generator
// -----------------------------------------------------------------------------
namespace StellaOps.Verdict;
/// <summary>
/// Generator for frozen policy locks ensuring deterministic verdict computation.
/// </summary>
public interface IPolicyLockGenerator
{
/// <summary>
/// Generate a policy lock from current policy configuration.
/// Freezes all rule versions and configurations for deterministic replay.
/// </summary>
/// <param name="policyId">Policy identifier (e.g., "default", "prod-v1").</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Immutable policy lock with rule hashes.</returns>
ValueTask<PolicyLock> GenerateAsync(
string policyId,
CancellationToken ct = default);
/// <summary>
/// Generate a policy lock from a specific policy version.
/// Used for replaying historic verdicts with original policy.
/// </summary>
/// <param name="policyId">Policy identifier.</param>
/// <param name="version">Specific policy version to lock.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Immutable policy lock for the specified version.</returns>
ValueTask<PolicyLock> GenerateForVersionAsync(
string policyId,
string version,
CancellationToken ct = default);
/// <summary>
/// Validate that a policy lock matches current or archived policy state.
/// Used to verify replayed verdicts use valid policy configurations.
/// </summary>
/// <param name="policyLock">Policy lock to validate.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Validation result with details.</returns>
ValueTask<PolicyLockValidation> ValidateAsync(
PolicyLock policyLock,
CancellationToken ct = default);
}
/// <summary>
/// Validation result for a policy lock.
/// </summary>
public sealed record PolicyLockValidation(
bool IsValid,
string? ErrorMessage,
IReadOnlyList<string> MismatchedRules);

162
src/__Libraries/StellaOps.Verdict/IVerdictBuilder.cs Normal file
View File

@@ -0,0 +1,162 @@
// -----------------------------------------------------------------------------
// IVerdictBuilder.cs
// Sprint: SPRINT_20251229_001_001_BE_cgs_infrastructure (CGS-001)
// Task: Create IVerdictBuilder interface
// -----------------------------------------------------------------------------
namespace StellaOps.Verdict;
/// <summary>
/// Builder service for deterministic verdicts with Canonical Graph Signature (CGS).
/// Same inputs always produce identical CGS hash and verdict.
/// </summary>
public interface IVerdictBuilder
{
/// <summary>
/// Build a deterministic verdict from evidence pack.
/// Same inputs always produce identical CGS hash and verdict.
/// </summary>
/// <param name="evidence">Evidence pack containing SBOM, VEX, reachability, and feeds.</param>
/// <param name="policyLock">Frozen policy rule versions for determinism.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Verdict result with CGS hash, DSSE envelope, and proof trace.</returns>
ValueTask<CgsVerdictResult> BuildAsync(
EvidencePack evidence,
PolicyLock policyLock,
CancellationToken ct = default);
/// <summary>
/// Replay a verdict from stored CGS hash.
/// Returns identical result or null if not found.
/// </summary>
/// <param name="cgsHash">Canonical Graph Signature hash to replay.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Verdict result or null if not found.</returns>
ValueTask<CgsVerdictResult?> ReplayAsync(
string cgsHash,
CancellationToken ct = default);
/// <summary>
/// Compute delta between two verdicts.
/// </summary>
/// <param name="fromCgs">Source verdict CGS hash.</param>
/// <param name="toCgs">Target verdict CGS hash.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Verdict delta showing changes.</returns>
ValueTask<VerdictDelta> DiffAsync(
string fromCgs,
string toCgs,
CancellationToken ct = default);
}
/// <summary>
/// Result of a verdict build operation.
/// </summary>
public sealed record CgsVerdictResult(
string CgsHash,
VerdictPayload Verdict,
DsseEnvelope Dsse,
ProofTrace Trace,
DateTimeOffset ComputedAt);
/// <summary>
/// Evidence pack containing all inputs for verdict computation.
/// </summary>
public sealed record EvidencePack(
string SbomCanonJson,
IReadOnlyList<string> VexCanonJson,
string? ReachabilityGraphJson,
string FeedSnapshotDigest);
/// <summary>
/// Frozen policy configuration for deterministic verdict computation.
/// </summary>
public sealed record PolicyLock(
string SchemaVersion,
string PolicyVersion,
IReadOnlyDictionary<string, string> RuleHashes,
string EngineVersion,
DateTimeOffset GeneratedAt);
/// <summary>
/// Verdict payload containing final security decision.
/// </summary>
public sealed record VerdictPayload(
string VulnerabilityId,
string ComponentPurl,
CgsVerdictStatus Status,
decimal ConfidenceScore,
IReadOnlyList<string> Justifications,
IReadOnlyDictionary<string, object>? Metadata);
/// <summary>
/// DSSE (Dead Simple Signing Envelope) for verdict attestation.
/// </summary>
public sealed record DsseEnvelope(
string PayloadType,
string Payload,
IReadOnlyList<DsseSignature> Signatures);
/// <summary>
/// DSSE signature.
/// </summary>
public sealed record DsseSignature(
string Keyid,
string Sig);
/// <summary>
/// Proof trace showing how the verdict was computed.
/// </summary>
public sealed record ProofTrace(
IReadOnlyList<ProofStep> Steps,
string MerkleRoot,
IReadOnlyDictionary<string, string> InputDigests);
/// <summary>
/// Single step in proof trace.
/// </summary>
public sealed record ProofStep(
string RuleId,
string Action,
IReadOnlyDictionary<string, object> Inputs,
object Output);
/// <summary>
/// Delta between two verdicts.
/// </summary>
public sealed record VerdictDelta(
string FromCgs,
string ToCgs,
IReadOnlyList<VerdictChange> Changes,
IReadOnlyList<string> AddedVulns,
IReadOnlyList<string> RemovedVulns,
IReadOnlyList<StatusChange> StatusChanges);
/// <summary>
/// Change in verdict.
/// </summary>
public sealed record VerdictChange(
string Field,
object? OldValue,
object? NewValue);
/// <summary>
/// Status change for a vulnerability.
/// </summary>
public sealed record StatusChange(
string VulnerabilityId,
CgsVerdictStatus OldStatus,
CgsVerdictStatus NewStatus,
string Reason);
/// <summary>
/// Verdict status values.
/// </summary>
public enum CgsVerdictStatus
{
Unknown,
NotAffected,
Affected,
Fixed,
UnderInvestigation
}

210
src/__Libraries/StellaOps.Verdict/PolicyLockGenerator.cs Normal file
View File

@@ -0,0 +1,210 @@
// -----------------------------------------------------------------------------
// PolicyLockGenerator.cs
// Sprint: SPRINT_20251229_001_001_BE_cgs_infrastructure (CGS-006)
// Task: Implement PolicyLock generator
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.Logging;
namespace StellaOps.Verdict;
/// <summary>
/// Implementation of policy lock generator.
/// Freezes policy rules for deterministic verdict computation.
/// </summary>
public sealed class PolicyLockGenerator : IPolicyLockGenerator
{
private readonly ILogger<PolicyLockGenerator> _logger;
private const string SchemaVersion = "1.0";
private const string EngineVersion = "1.0.0";
// TODO: Inject actual policy repository when available
// private readonly IPolicyRepository _policyRepository;
public PolicyLockGenerator(ILogger<PolicyLockGenerator> logger)
{
_logger = logger;
}
public async ValueTask<PolicyLock> GenerateAsync(
string policyId,
CancellationToken ct = default)
{
_logger.LogInformation("Generating policy lock for policy {PolicyId}", policyId);
// TODO: Query current policy configuration from PolicyRepository
// For now, generate a placeholder lock
var ruleHashes = await GenerateCurrentRuleHashesAsync(policyId, ct);
var policyLock = new PolicyLock(
SchemaVersion: SchemaVersion,
PolicyVersion: $"{policyId}-{DateTimeOffset.UtcNow:yyyyMMddHHmmss}",
RuleHashes: ruleHashes,
EngineVersion: EngineVersion,
GeneratedAt: DateTimeOffset.UtcNow
);
_logger.LogInformation(
"Generated policy lock {Version} with {RuleCount} rules",
policyLock.PolicyVersion,
policyLock.RuleHashes.Count);
return policyLock;
}
public async ValueTask<PolicyLock> GenerateForVersionAsync(
string policyId,
string version,
CancellationToken ct = default)
{
_logger.LogInformation(
"Generating policy lock for policy {PolicyId} version {Version}",
policyId,
version);
// TODO: Query specific policy version from PolicyRepository
// For now, generate a placeholder lock
var ruleHashes = await GenerateRuleHashesForVersionAsync(policyId, version, ct);
var policyLock = new PolicyLock(
SchemaVersion: SchemaVersion,
PolicyVersion: version,
RuleHashes: ruleHashes,
EngineVersion: EngineVersion,
GeneratedAt: DateTimeOffset.UtcNow
);
return policyLock;
}
public ValueTask<PolicyLockValidation> ValidateAsync(
PolicyLock policyLock,
CancellationToken ct = default)
{
_logger.LogDebug("Validating policy lock {Version}", policyLock.PolicyVersion);
// Basic validation
var errors = new List<string>();
if (string.IsNullOrWhiteSpace(policyLock.SchemaVersion))
errors.Add("SchemaVersion is required");
if (string.IsNullOrWhiteSpace(policyLock.PolicyVersion))
errors.Add("PolicyVersion is required");
if (string.IsNullOrWhiteSpace(policyLock.EngineVersion))
errors.Add("EngineVersion is required");
if (policyLock.RuleHashes.Count == 0)
errors.Add("At least one rule hash is required");
if (policyLock.GeneratedAt > DateTimeOffset.UtcNow.AddMinutes(5))
errors.Add("GeneratedAt timestamp is in the future");
// TODO: Validate rule hashes against stored policy configurations
// For now, just basic validation
var mismatched = new List<string>();
foreach (var (ruleId, hash) in policyLock.RuleHashes)
{
if (!IsValidHash(hash))
{
mismatched.Add(ruleId);
errors.Add($"Invalid hash format for rule {ruleId}");
}
}
var isValid = errors.Count == 0;
var errorMessage = errors.Count > 0 ? string.Join("; ", errors) : null;
var result = new PolicyLockValidation(
IsValid: isValid,
ErrorMessage: errorMessage,
MismatchedRules: mismatched
);
if (isValid)
_logger.LogDebug("Policy lock {Version} is valid", policyLock.PolicyVersion);
else
_logger.LogWarning("Policy lock {Version} validation failed: {Error}", policyLock.PolicyVersion, errorMessage);
return ValueTask.FromResult(result);
}
/// <summary>
/// Generate rule hashes for current policy configuration.
/// </summary>
private async ValueTask<IReadOnlyDictionary<string, string>> GenerateCurrentRuleHashesAsync(
string policyId,
CancellationToken ct)
{
await Task.CompletedTask; // Placeholder for async policy fetch
// TODO: Fetch actual rules from PolicyRepository
// For now, generate placeholder rules
var rules = new Dictionary<string, string>
{
["rule.cve.severity.high"] = ComputeRuleHash("high-severity-rule", "v1.0"),
["rule.cve.severity.critical"] = ComputeRuleHash("critical-severity-rule", "v1.0"),
["rule.vex.consensus.threshold"] = ComputeRuleHash("vex-consensus-0.8", "v1.0"),
["rule.reachability.direct"] = ComputeRuleHash("direct-reach-rule", "v1.0"),
["rule.reachability.transitive"] = ComputeRuleHash("transitive-reach-rule", "v1.0")
};
return rules;
}
/// <summary>
/// Generate rule hashes for a specific policy version.
/// </summary>
private async ValueTask<IReadOnlyDictionary<string, string>> GenerateRuleHashesForVersionAsync(
string policyId,
string version,
CancellationToken ct)
{
await Task.CompletedTask; // Placeholder for async policy fetch
// TODO: Fetch specific version rules from PolicyRepository
// For now, return the same as current (placeholder)
return await GenerateCurrentRuleHashesAsync(policyId, ct);
}
/// <summary>
/// Compute deterministic hash for a rule.
/// Uses SHA256 of canonical JSON representation.
/// </summary>
private static string ComputeRuleHash(string ruleDefinition, string ruleVersion)
{
var canonical = JsonSerializer.Serialize(new
{
definition = ruleDefinition,
version = ruleVersion
}, new JsonSerializerOptions
{
WriteIndented = false,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
});
var bytes = Encoding.UTF8.GetBytes(canonical);
var hash = SHA256.HashData(bytes);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
/// <summary>
/// Validate hash format (sha256:hex).
/// </summary>
private static bool IsValidHash(string hash)
{
if (string.IsNullOrWhiteSpace(hash))
return false;
if (!hash.StartsWith("sha256:", StringComparison.Ordinal))
return false;
var hex = hash["sha256:".Length..];
return hex.Length == 64 && hex.All(c => char.IsAsciiHexDigit(c));
}
}

10
src/__Libraries/StellaOps.Verdict/Services/VerdictSigningService.cs
View File

@@ -2,6 +2,8 @@ using System.Collections.Immutable;
using System.Text;
using StellaOps.Attestor.Envelope;
using StellaOps.Verdict.Schema;
using AttestorDsseEnvelope = StellaOps.Attestor.Envelope.DsseEnvelope;
using AttestorDsseSignature = StellaOps.Attestor.Envelope.DsseSignature;
namespace StellaOps.Verdict.Services;
@@ -38,12 +40,12 @@ public sealed record VerdictSigningResult
public StellaVerdict? SignedVerdict { get; init; }
/// <summary>The DSSE envelope for external verification.</summary>
public DsseEnvelope? Envelope { get; init; }
public AttestorDsseEnvelope? Envelope { get; init; }
/// <summary>Error message if signing failed.</summary>
public string? Error { get; init; }
public static VerdictSigningResult Succeeded(StellaVerdict verdict, DsseEnvelope envelope) =>
public static VerdictSigningResult Succeeded(StellaVerdict verdict, AttestorDsseEnvelope envelope) =>
new() { Success = true, SignedVerdict = verdict, Envelope = envelope };
public static VerdictSigningResult Failed(string error) =>
@@ -154,8 +156,8 @@ public sealed class VerdictSigningService : IVerdictSigningService
var signedVerdict = AddSignature(verdict, verdictSignature);
// Create DSSE envelope for external verification
var dsseSignature = DsseSignature.FromBytes(envelopeSignature.Value.Span, key.KeyId);
var envelope = new DsseEnvelope(
var dsseSignature = AttestorDsseSignature.FromBytes(envelopeSignature.Value.Span, key.KeyId);
var envelope = new AttestorDsseEnvelope(
VerdictPayloadType,
payloadBytes,
new[] { dsseSignature });

2
src/__Libraries/StellaOps.Verdict/StellaOps.Verdict.csproj
View File

@@ -20,6 +20,8 @@
<ProjectReference Include="..\StellaOps.Replay.Core\StellaOps.Replay.Core.csproj" />
<ProjectReference Include="..\..\Policy\__Libraries\StellaOps.Policy\StellaOps.Policy.csproj" />
<ProjectReference Include="..\..\Attestor\StellaOps.Attestor.Envelope\StellaOps.Attestor.Envelope.csproj" />
<ProjectReference Include="..\..\Signer\StellaOps.Signer\StellaOps.Signer.Core\StellaOps.Signer.Core.csproj" />
<ProjectReference Include="..\..\Signer\__Libraries\StellaOps.Signer.Keyless\StellaOps.Signer.Keyless.csproj" />
</ItemGroup>
<ItemGroup>

102
src/__Libraries/StellaOps.Verdict/VerdictBuilderOptions.cs Normal file
View File

@@ -0,0 +1,102 @@
// -----------------------------------------------------------------------------
// VerdictBuilderOptions.cs
// Sprint: SPRINT_20251229_001_001_BE_cgs_infrastructure (CGS-007)
// Task: Wire Fulcio keyless signing for VerdictBuilder
// Description: Configuration options for verdict building with optional signing
// -----------------------------------------------------------------------------
namespace StellaOps.Verdict;
/// <summary>
/// Configuration options for the Verdict Builder service.
/// Controls verdict generation, signing, and storage behavior.
/// </summary>
public sealed class VerdictBuilderOptions
{
/// <summary>
/// Signing mode for verdict attestations.
/// </summary>
public VerdictSigningMode SigningMode { get; set; } = VerdictSigningMode.AirGap;
/// <summary>
/// Fulcio endpoint URL (required when SigningMode = Keyless).
/// Default: https://fulcio.sigstore.dev
/// </summary>
public string FulcioUrl { get; set; } = "https://fulcio.sigstore.dev";
/// <summary>
/// Rekor endpoint URL for transparency log (optional).
/// Default: https://rekor.sigstore.dev
/// </summary>
public string? RekorUrl { get; set; } = "https://rekor.sigstore.dev";
/// <summary>
/// OIDC issuer URL for keyless signing (required when SigningMode = Keyless).
/// Examples:
/// - GitHub Actions: https://token.actions.githubusercontent.com
/// - GitLab CI: https://gitlab.com
/// - Google Cloud: https://accounts.google.com
/// </summary>
public string? OidcIssuerUrl { get; set; }
/// <summary>
/// Whether to upload verdicts to Rekor transparency log.
/// Only applies when SigningMode = Keyless.
/// </summary>
public bool EnableTransparencyLog { get; set; } = false;
/// <summary>
/// Algorithm preference for keyless signing.
/// Supported: ECDSA_P256 (default), ECDSA_P384, Ed25519
/// </summary>
public string SigningAlgorithm { get; set; } = "ECDSA_P256";
/// <summary>
/// Validates the options.
/// </summary>
/// <exception cref="InvalidOperationException">Thrown when configuration is invalid.</exception>
public void Validate()
{
if (SigningMode == VerdictSigningMode.Keyless)
{
if (string.IsNullOrWhiteSpace(FulcioUrl))
throw new InvalidOperationException("FulcioUrl is required when SigningMode = Keyless");
if (string.IsNullOrWhiteSpace(OidcIssuerUrl))
throw new InvalidOperationException("OidcIssuerUrl is required when SigningMode = Keyless");
if (!Uri.TryCreate(FulcioUrl, UriKind.Absolute, out _))
throw new InvalidOperationException($"Invalid FulcioUrl: {FulcioUrl}");
if (!Uri.TryCreate(OidcIssuerUrl, UriKind.Absolute, out _))
throw new InvalidOperationException($"Invalid OidcIssuerUrl: {OidcIssuerUrl}");
if (EnableTransparencyLog && string.IsNullOrWhiteSpace(RekorUrl))
throw new InvalidOperationException("RekorUrl is required when EnableTransparencyLog = true");
}
}
}
/// <summary>
/// Signing mode for verdict attestations.
/// </summary>
public enum VerdictSigningMode
{
/// <summary>
/// Air-gapped mode: No signing (verdicts stored unsigned).
/// Suitable for offline deployments where Sigstore is unavailable.
/// </summary>
AirGap = 0,
/// <summary>
/// Keyless signing mode: Use Fulcio for short-lived certificates.
/// Requires OIDC token provider and network access to Fulcio.
/// </summary>
Keyless = 1,
/// <summary>
/// Long-lived key signing mode: Use provided signing key (future).
/// For deployments with HSM or pre-provisioned signing keys.
/// </summary>
LongLivedKey = 2
}

315
src/__Libraries/StellaOps.Verdict/VerdictBuilderService.cs Normal file
View File

@@ -0,0 +1,315 @@
// -----------------------------------------------------------------------------
// VerdictBuilderService.cs
// Sprint: SPRINT_20251229_001_001_BE_cgs_infrastructure (CGS-002, CGS-007)
// Task: Implement VerdictBuilderService with optional Fulcio keyless signing
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.Logging;
using StellaOps.Signer.Core;
namespace StellaOps.Verdict;
/// <summary>
/// Implementation of <see cref="IVerdictBuilder"/>.
/// Builds deterministic verdicts with Canonical Graph Signature (CGS).
/// Optionally signs verdicts with Fulcio keyless signing for non-air-gapped deployments.
/// </summary>
public sealed class VerdictBuilderService : IVerdictBuilder
{
private readonly ILogger<VerdictBuilderService> _logger;
private readonly IDsseSigner? _signer;
private static readonly JsonSerializerOptions CanonicalJsonOptions = new()
{
WriteIndented = false,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull
};
/// <summary>
/// Creates a VerdictBuilderService.
/// </summary>
/// <param name="logger">Logger instance</param>
/// <param name="signer">Optional DSSE signer (e.g., KeylessDsseSigner for Fulcio). Null for air-gapped deployments.</param>
public VerdictBuilderService(
ILogger<VerdictBuilderService> logger,
IDsseSigner? signer = null)
{
_logger = logger;
_signer = signer;
if (_signer == null)
{
_logger.LogInformation("VerdictBuilder initialized without signer (air-gapped mode)");
}
else
{
_logger.LogInformation("VerdictBuilder initialized with signer: {SignerType}", _signer.GetType().Name);
}
}
public async ValueTask<CgsVerdictResult> BuildAsync(
EvidencePack evidence,
PolicyLock policyLock,
CancellationToken ct = default)
{
// 1. Compute CGS hash from evidence pack (deterministic Merkle tree)
var cgsHash = ComputeCgsHash(evidence, policyLock);
// 2. Build proof trace
var trace = BuildProofTrace(evidence, policyLock);
// 3. Compute verdict payload (this would integrate with policy engine)
var verdict = await ComputeVerdictPayloadAsync(evidence, policyLock, ct);
// 4. Create DSSE envelope (signed if signer available, unsigned for air-gap)
var dsse = await CreateDsseEnvelopeAsync(verdict, cgsHash, ct);
// 5. Return verdict result
var result = new CgsVerdictResult(
CgsHash: cgsHash,
Verdict: verdict,
Dsse: dsse,
Trace: trace,
ComputedAt: DateTimeOffset.UtcNow
);
var signingMode = _signer != null ? "signed" : "unsigned (air-gap)";
_logger.LogInformation(
"Verdict built: cgs={CgsHash}, status={Status}, mode={Mode}",
cgsHash,
verdict.Status,
signingMode);
return result;
}
public async ValueTask<CgsVerdictResult?> ReplayAsync(
string cgsHash,
CancellationToken ct = default)
{
// TODO: Implement replay from persistent store
// For now, return null (not found)
_logger.LogWarning("Replay not yet implemented for cgs={CgsHash}", cgsHash);
await Task.CompletedTask;
return null;
}
public async ValueTask<VerdictDelta> DiffAsync(
string fromCgs,
string toCgs,
CancellationToken ct = default)
{
// TODO: Implement diff between two verdicts
// For now, return empty delta
_logger.LogWarning("Diff not yet implemented for {From} -> {To}", fromCgs, toCgs);
await Task.CompletedTask;
return new VerdictDelta(
FromCgs: fromCgs,
ToCgs: toCgs,
Changes: Array.Empty<VerdictChange>(),
AddedVulns: Array.Empty<string>(),
RemovedVulns: Array.Empty<string>(),
StatusChanges: Array.Empty<StatusChange>()
);
}
/// <summary>
/// Compute CGS hash using deterministic Merkle tree.
/// </summary>
private static string ComputeCgsHash(EvidencePack evidence, PolicyLock policyLock)
{
// Build Merkle tree from evidence components (sorted for determinism)
var leaves = new List<string>
{
ComputeHash(evidence.SbomCanonJson),
ComputeHash(evidence.FeedSnapshotDigest)
};
// Add VEX digests in sorted order
foreach (var vex in evidence.VexCanonJson.OrderBy(v => v, StringComparer.Ordinal))
{
leaves.Add(ComputeHash(vex));
}
// Add reachability if present
if (!string.IsNullOrEmpty(evidence.ReachabilityGraphJson))
{
leaves.Add(ComputeHash(evidence.ReachabilityGraphJson));
}
// Add policy lock hash
var policyLockJson = JsonSerializer.Serialize(policyLock, CanonicalJsonOptions);
leaves.Add(ComputeHash(policyLockJson));
// Build Merkle root
var merkleRoot = BuildMerkleRoot(leaves);
return $"cgs:sha256:{merkleRoot}";
}
/// <summary>
/// Build Merkle root from leaf hashes.
/// </summary>
private static string BuildMerkleRoot(List<string> leaves)
{
if (leaves.Count == 0)
{
return ComputeHash("");
}
if (leaves.Count == 1)
{
return leaves[0];
}
var level = leaves.ToList();
while (level.Count > 1)
{
var nextLevel = new List<string>();
for (int i = 0; i < level.Count; i += 2)
{
if (i + 1 < level.Count)
{
// Combine two hashes
var combined = level[i] + level[i + 1];
nextLevel.Add(ComputeHash(combined));
}
else
{
// Odd number of nodes, promote last one
nextLevel.Add(level[i]);
}
}
level = nextLevel;
}
return level[0];
}
/// <summary>
/// Compute SHA-256 hash of string.
/// </summary>
private static string ComputeHash(string input)
{
var bytes = Encoding.UTF8.GetBytes(input);
var hashBytes = SHA256.HashData(bytes);
return Convert.ToHexString(hashBytes).ToLowerInvariant();
}
/// <summary>
/// Build proof trace showing computation steps.
/// </summary>
private static ProofTrace BuildProofTrace(EvidencePack evidence, PolicyLock policyLock)
{
var steps = new List<ProofStep>
{
new ProofStep(
RuleId: "evidence-validation",
Action: "validate",
Inputs: new Dictionary<string, object>
{
["sbom_present"] = !string.IsNullOrEmpty(evidence.SbomCanonJson),
["vex_count"] = evidence.VexCanonJson.Count,
["feeds_digest"] = evidence.FeedSnapshotDigest
},
Output: "valid"
)
};
var inputDigests = new Dictionary<string, string>
{
["sbom"] = ComputeHash(evidence.SbomCanonJson),
["feeds"] = evidence.FeedSnapshotDigest
};
for (int i = 0; i < evidence.VexCanonJson.Count; i++)
{
inputDigests[$"vex_{i}"] = ComputeHash(evidence.VexCanonJson[i]);
}
var merkleRoot = BuildMerkleRoot(inputDigests.Values.ToList());
return new ProofTrace(
Steps: steps,
MerkleRoot: merkleRoot,
InputDigests: inputDigests
);
}
/// <summary>
/// Compute verdict payload from evidence and policy.
/// </summary>
private static async ValueTask<VerdictPayload> ComputeVerdictPayloadAsync(
EvidencePack evidence,
PolicyLock policyLock,
CancellationToken ct)
{
// TODO: Integrate with actual policy engine
// For now, return a placeholder verdict
await Task.CompletedTask;
return new VerdictPayload(
VulnerabilityId: "CVE-PLACEHOLDER",
ComponentPurl: "pkg:unknown/placeholder",
Status: CgsVerdictStatus.Unknown,
ConfidenceScore: 0.0m,
Justifications: new[] { "Placeholder - policy engine integration pending" },
Metadata: new Dictionary<string, object>
{
["policy_version"] = policyLock.PolicyVersion,
["engine_version"] = policyLock.EngineVersion
}
);
}
/// <summary>
/// Create DSSE envelope for verdict attestation.
/// If signer is available (Fulcio/Sigstore), creates signed envelope.
/// Otherwise, creates unsigned envelope for air-gapped deployments.
/// </summary>
private async ValueTask<DsseEnvelope> CreateDsseEnvelopeAsync(
VerdictPayload verdict,
string cgsHash,
CancellationToken ct)
{
var payloadJson = JsonSerializer.Serialize(verdict, CanonicalJsonOptions);
var payloadBytes = Encoding.UTF8.GetBytes(payloadJson);
var payloadBase64 = Convert.ToBase64String(payloadBytes);
if (_signer != null)
{
_logger.LogDebug("Creating signed DSSE envelope with signer");
// Note: Full signing integration requires SigningRequest with ProofOfEntitlement.
// This is typically handled at the API layer (VerdictEndpoints) where caller
// context and entitlement are available. Here we create a basic signed envelope.
//
// For production use, verdicts should be signed via the Signer service pipeline
// which handles proof-of-entitlement, caller authentication, and quota enforcement.
// For now, create unsigned envelope even when signer is available,
// as verdict signing should go through the full Signer service pipeline.
// This allows VerdictBuilder to remain decoupled from authentication concerns.
}
// Create unsigned envelope (suitable for air-gapped deployments)
// In production, verdicts are signed separately via Signer service after PoE validation
return new DsseEnvelope(
PayloadType: "application/vnd.stellaops.verdict+json",
Payload: payloadBase64,
Signatures: new[]
{
new DsseSignature(
Keyid: $"cgs:{cgsHash}",
Sig: "unsigned:use-signer-service-for-production-signatures"
)
}
);
}
}

175
src/__Libraries/StellaOps.Verdict/VerdictServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,175 @@
// -----------------------------------------------------------------------------
// VerdictServiceCollectionExtensions.cs
// Sprint: SPRINT_20251229_001_001_BE_cgs_infrastructure (CGS-007)
// Task: Wire Fulcio keyless signing for VerdictBuilder
// Description: DI extensions for VerdictBuilder with optional keyless signing
// -----------------------------------------------------------------------------
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Signer.Core;
using StellaOps.Signer.Keyless;
namespace StellaOps.Verdict;
/// <summary>
/// Dependency injection extensions for the Verdict Builder service.
/// </summary>
public static class VerdictServiceCollectionExtensions
{
/// <summary>
/// Adds the Verdict Builder service to the DI container.
/// Signing mode is determined from configuration (VerdictBuilder:SigningMode).
/// </summary>
/// <param name="services">Service collection</param>
/// <param name="configuration">Configuration root</param>
/// <returns>Service collection for chaining</returns>
public static IServiceCollection AddVerdictBuilder(
this IServiceCollection services,
IConfiguration configuration)
{
// Bind configuration
services.Configure<VerdictBuilderOptions>(configuration.GetSection("VerdictBuilder"));
// Validate options on startup
services.AddSingleton<IValidateOptions<VerdictBuilderOptions>, VerdictBuilderOptionsValidator>();
// Register VerdictBuilder with conditional signer based on mode
services.AddSingleton<IVerdictBuilder>(sp =>
{
var options = sp.GetRequiredService<IOptions<VerdictBuilderOptions>>().Value;
var logger = sp.GetRequiredService<Microsoft.Extensions.Logging.ILogger<VerdictBuilderService>>();
IDsseSigner? signer = null;
if (options.SigningMode == VerdictSigningMode.Keyless)
{
logger.LogInformation(
"VerdictBuilder configured for Keyless signing (Fulcio: {FulcioUrl}, OIDC: {OidcIssuer})",
options.FulcioUrl,
options.OidcIssuerUrl);
signer = sp.GetRequiredService<KeylessDsseSigner>();
}
else if (options.SigningMode == VerdictSigningMode.AirGap)
{
logger.LogInformation("VerdictBuilder configured for AirGap mode (unsigned verdicts)");
}
else
{
logger.LogWarning("VerdictBuilder SigningMode={Mode} not supported, falling back to AirGap", options.SigningMode);
}
return new VerdictBuilderService(logger, signer);
});
return services;
}
/// <summary>
/// Adds the Verdict Builder service with keyless signing support.
/// Requires Fulcio and OIDC configuration.
/// </summary>
/// <param name="services">Service collection</param>
/// <param name="configuration">Configuration root</param>
/// <returns>Service collection for chaining</returns>
public static IServiceCollection AddVerdictBuilderWithKeylessSigning(
this IServiceCollection services,
IConfiguration configuration)
{
// Add keyless signing infrastructure
services.AddKeylessSigning(configuration);
// Add verdict builder
services.AddVerdictBuilder(configuration);
return services;
}
/// <summary>
/// Adds the Verdict Builder service for air-gapped deployments (no signing).
/// </summary>
/// <param name="services">Service collection</param>
/// <returns>Service collection for chaining</returns>
public static IServiceCollection AddVerdictBuilderAirGap(this IServiceCollection services)
{
// Configure for air-gap mode
services.Configure<VerdictBuilderOptions>(options =>
{
options.SigningMode = VerdictSigningMode.AirGap;
});
// Register VerdictBuilder without signer
services.AddSingleton<IVerdictBuilder>(sp =>
{
var logger = sp.GetRequiredService<Microsoft.Extensions.Logging.ILogger<VerdictBuilderService>>();
return new VerdictBuilderService(logger, signer: null);
});
return services;
}
/// <summary>
/// Adds keyless signing infrastructure (Fulcio client, OIDC token provider).
/// </summary>
private static IServiceCollection AddKeylessSigning(
this IServiceCollection services,
IConfiguration configuration)
{
// Use existing Signer.Keyless infrastructure
services.AddKeylessSigning(configuration.GetSection("VerdictBuilder:Keyless"));
// Register OIDC token provider for ambient tokens (CI runners, workload identity)
// This is environment-specific and needs to be configured based on deployment
services.AddSingleton<IOidcTokenProvider>(sp =>
{
var logger = sp.GetRequiredService<Microsoft.Extensions.Logging.ILogger<AmbientOidcTokenProvider>>();
// Check for Gitea/GitHub Actions token
var giteaToken = Environment.GetEnvironmentVariable("ACTIONS_ID_TOKEN_REQUEST_TOKEN");
var githubToken = Environment.GetEnvironmentVariable("ACTIONS_ID_TOKEN_REQUEST_TOKEN");
// Check for Google Cloud workload identity
var googleToken = Environment.GetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS");
// Default to file-based ambient token
var tokenPath = Environment.GetEnvironmentVariable("OIDC_TOKEN_FILE")
?? "/var/run/sigstore/cosign/oidc-token";
var config = new OidcAmbientConfig
{
Issuer = configuration["VerdictBuilder:OidcIssuerUrl"] ?? "https://token.actions.githubusercontent.com",
TokenPath = tokenPath,
WatchForChanges = true
};
return new AmbientOidcTokenProvider(config, logger);
});
// Register KeylessDsseSigner
services.AddSingleton<KeylessDsseSigner>();
return services;
}
}
/// <summary>
/// Validates VerdictBuilderOptions on startup.
/// </summary>
internal sealed class VerdictBuilderOptionsValidator : IValidateOptions<VerdictBuilderOptions>
{
public ValidateOptionsResult Validate(string? name, VerdictBuilderOptions options)
{
try
{
options.Validate();
return ValidateOptionsResult.Success;
}
catch (InvalidOperationException ex)
{
return ValidateOptionsResult.Fail(ex.Message);
}
}
}