feat: Implement vulnerability token signing and verification utilities

- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys. - Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries. - Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads. - Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options. - Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads. - Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features. - Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
2025-11-03 10:02:29 +02:00
parent bf2bf4b395
commit b1e78fe412
215 changed files with 19441 additions and 12185 deletions
--- a/ops/devops/TASKS.md
+++ b/ops/devops/TASKS.md
@@ -76,6 +76,8 @@
 | DEVOPS-LNM-22-002 | BLOCKED (2025-10-27) | DevOps Guild, Excititor Guild | EXCITITOR-LNM-21-102 | Execute VEX observation/linkset backfill with monitoring; ensure NATS/Redis events integrated; document ops runbook. Blocked until Excititor storage migration lands. |
 | DEVOPS-LNM-22-003 | TODO | DevOps Guild, Observability Guild | CONCELIER-LNM-21-005, EXCITITOR-LNM-21-005 | Add CI/monitoring coverage for new metrics (`advisory_observations_total`, `linksets_total`, etc.) and alerts on ingest-to-API SLA breaches. | Metrics scraped into Grafana; alert thresholds set; CI job verifies metric emission. |

+> 2025-11-03: Link-Not-Merge migration playbook (`docs/migration/no-merge.md`) published—use it to sequence DEVOPS-LNM-22-001 rehearsals and record Phase 0–3 config toggles in runbooks.
+
 ## Graph & Vuln Explorer v1

 | ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
--- a/ops/devops/release/docker/Dockerfile.angular-ui
+++ b/ops/devops/release/docker/Dockerfile.angular-ui
@@ -26,6 +26,6 @@ COPY --from=build /workspace/dist/stellaops-web/ /usr/share/nginx/html/
 COPY ops/devops/release/docker/nginx-default.conf /etc/nginx/conf.d/default.conf
 LABEL org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.revision="${GIT_SHA}" \
-      org.opencontainers.image.source="https://git.stella-ops.org/stella-ops/feedser" \
+      org.opencontainers.image.source="https://git.stella-ops.org/stella-ops/conselier" \
      org.stellaops.release.channel="${CHANNEL}"
 EXPOSE 8080
--- a/ops/devops/release/docker/Dockerfile.dotnet-service
+++ b/ops/devops/release/docker/Dockerfile.dotnet-service
@@ -1,52 +1,52 @@
-# syntax=docker/dockerfile:1.7-labs
-
-ARG SDK_IMAGE=mcr.microsoft.com/dotnet/nightly/sdk:10.0
-ARG RUNTIME_IMAGE=gcr.io/distroless/dotnet/aspnet:latest
-
-ARG PROJECT
-ARG ENTRYPOINT_DLL
-ARG VERSION=0.0.0
-ARG CHANNEL=dev
-ARG GIT_SHA=0000000
-ARG SOURCE_DATE_EPOCH=0
-
-FROM ${SDK_IMAGE} AS build
-ARG PROJECT
-ARG GIT_SHA
-ARG SOURCE_DATE_EPOCH
-WORKDIR /src
-ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
-    DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1 \
-    NUGET_XMLDOC_MODE=skip \
-    SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
-COPY . .
-RUN --mount=type=cache,target=/root/.nuget/packages \
-    dotnet restore "${PROJECT}"
-RUN --mount=type=cache,target=/root/.nuget/packages \
-    dotnet publish "${PROJECT}" \
-      -c Release \
-      -o /app/publish \
-      /p:UseAppHost=false \
-      /p:ContinuousIntegrationBuild=true \
-      /p:SourceRevisionId=${GIT_SHA} \
-      /p:Deterministic=true \
-      /p:TreatWarningsAsErrors=true
-
-FROM ${RUNTIME_IMAGE} AS runtime
-WORKDIR /app
-ARG ENTRYPOINT_DLL
-ARG VERSION
-ARG CHANNEL
-ARG GIT_SHA
-ENV DOTNET_EnableDiagnostics=0 \
-    ASPNETCORE_URLS=http://0.0.0.0:8080
-COPY --from=build /app/publish/ ./
-RUN set -eu; \
-    printf '#!/usr/bin/env sh\nset -e\nexec dotnet %s "$@"\n' "${ENTRYPOINT_DLL}" > /entrypoint.sh; \
-    chmod +x /entrypoint.sh
-EXPOSE 8080
-LABEL org.opencontainers.image.version="${VERSION}" \
-      org.opencontainers.image.revision="${GIT_SHA}" \
-      org.opencontainers.image.source="https://git.stella-ops.org/stella-ops/feedser" \
-      org.stellaops.release.channel="${CHANNEL}"
-ENTRYPOINT ["/entrypoint.sh"]
+# syntax=docker/dockerfile:1.7-labs
+
+ARG SDK_IMAGE=mcr.microsoft.com/dotnet/nightly/sdk:10.0
+ARG RUNTIME_IMAGE=gcr.io/distroless/dotnet/aspnet:latest
+
+ARG PROJECT
+ARG ENTRYPOINT_DLL
+ARG VERSION=0.0.0
+ARG CHANNEL=dev
+ARG GIT_SHA=0000000
+ARG SOURCE_DATE_EPOCH=0
+
+FROM ${SDK_IMAGE} AS build
+ARG PROJECT
+ARG GIT_SHA
+ARG SOURCE_DATE_EPOCH
+WORKDIR /src
+ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+    DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1 \
+    NUGET_XMLDOC_MODE=skip \
+    SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
+COPY . .
+RUN --mount=type=cache,target=/root/.nuget/packages \
+    dotnet restore "${PROJECT}"
+RUN --mount=type=cache,target=/root/.nuget/packages \
+    dotnet publish "${PROJECT}" \
+      -c Release \
+      -o /app/publish \
+      /p:UseAppHost=false \
+      /p:ContinuousIntegrationBuild=true \
+      /p:SourceRevisionId=${GIT_SHA} \
+      /p:Deterministic=true \
+      /p:TreatWarningsAsErrors=true
+
+FROM ${RUNTIME_IMAGE} AS runtime
+WORKDIR /app
+ARG ENTRYPOINT_DLL
+ARG VERSION
+ARG CHANNEL
+ARG GIT_SHA
+ENV DOTNET_EnableDiagnostics=0 \
+    ASPNETCORE_URLS=http://0.0.0.0:8080
+COPY --from=build /app/publish/ ./
+RUN set -eu; \
+    printf '#!/usr/bin/env sh\nset -e\nexec dotnet %s "$@"\n' "${ENTRYPOINT_DLL}" > /entrypoint.sh; \
+    chmod +x /entrypoint.sh
+EXPOSE 8080
+LABEL org.opencontainers.image.version="${VERSION}" \
+      org.opencontainers.image.revision="${GIT_SHA}" \
+      org.opencontainers.image.source="https://git.stella-ops.org/stella-ops/conselier" \
+      org.stellaops.release.channel="${CHANNEL}"
+ENTRYPOINT ["/entrypoint.sh"]