stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat: Implement vulnerability token signing and verification utilities
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
This commit is contained in:
master
2025-11-03 10:02:29 +02:00
parent bf2bf4b395
commit b1e78fe412
215 changed files with 19441 additions and 12185 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/Findings/StellaOps.Findings.Ledger/AGENTS.md
View File

@@ -7,13 +7,13 @@ Operate the append-only Findings Ledger and projection pipeline powering the Vul
- Service code under `src/Findings/StellaOps.Findings.Ledger` (event API, projector, migrations, crypto hashing).
- Ledger storage schemas, Merkle anchoring jobs, retention policies, and replay tooling.
- Projection pipeline writing `findings_projection` collections/tables consumed by Vuln Explorer API and Console.
- Collaboration with Conseiller, Excitator, SBOM Service, Policy Engine, Scheduler, Authority, and DevOps for evidence feeds and policy events.
- Collaboration with Conseiller, Excitor, SBOM Service, Policy Engine, Scheduler, Authority, and DevOps for evidence feeds and policy events.
## Principles
1. **Immutability** Ledger events are append-only, hashed, and chained; projections derive from ledger plus policy inputs.
2. **Determinism** Replaying the same event stream yields identical projections and bundle outputs; hashing uses canonical JSON.
3. **Tenant isolation** Separate namespaces per tenant in storage, queue, and Merkle anchoring artefacts.
4. **AOC alignment** Ledger records workflow only; evidence remains in Conseiller/Excitator/SBOM stores; no mutation of source facts.
4. **AOC alignment** Ledger records workflow only; evidence remains in Conseiller/Excitor/SBOM stores; no mutation of source facts.
5. **Auditability** Provide verifiable hashes, Merkle roots, and replay tooling for auditors.
## Collaboration