Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org

2025-10-31 19:16:43 +02:00
parent 8da4e12a90 9e5e958d42
commit c63749d535
29 changed files with 473 additions and 477 deletions
--- a/src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md
+++ b/src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md
@@ -1,6 +1,6 @@
-# StellaOps Mirror VEX Connector Task Board (Sprint 7)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+# StellaOps Mirror VEX Connector Task Board (Sprint 7)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
 |----|--------|----------|------------|-------------|---------------|
 | EXCITITOR-CONN-STELLA-07-002 | TODO | Excititor Connectors – Stella | EXCITITOR-CONN-STELLA-07-001 | Parse mirror bundles into raw `VexClaim` batches, preserving original provider metadata and mirror provenance without applying consensus or weighting. | Normalizer emits deterministic VexClaims with full provenance (no policy metadata), fixtures assert parity with source exports. |
 | EXCITITOR-CONN-STELLA-07-003 | TODO | Excititor Connectors – Stella | EXCITITOR-CONN-STELLA-07-002 | Implement incremental cursor handling per-export digest for raw claim replays, support resume, and document configuration for downstream Excititor mirrors. | Connector resumes from last export digest, handles delta/export rotation, docs show configuration; integration test covers resume + raw ingest parity. |
--- a/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md
+++ b/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md
@@ -1,7 +1,6 @@
-If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
-# TASKS
-| Task | Owner(s) | Depends on | Notes |
-|---|---|---|---|
-|EXCITITOR-ATTEST-01-003 – Verification suite & observability|Team Excititor Attestation|EXCITITOR-ATTEST-01-002|DOING (2025-10-22) – Continuing implementation: build `IVexAttestationVerifier`, wire metrics/logging, and add regression tests. Draft plan in `EXCITITOR-ATTEST-01-003-plan.md` (2025-10-19) guides scope; updating with worknotes as progress lands.<br>2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests.|
-
-> Remark (2025-10-22): Added verifier implementation + metrics/tests; next steps include wiring into WebService/Worker flows and expanding negative-path coverage.
+If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
+# TASKS
+| Task | Owner(s) | Depends on | Notes |
+|---|---|---|---|
+|EXCITITOR-ATTEST-01-003 – Verification suite & observability|Team Excititor Attestation|EXCITITOR-ATTEST-01-002|DOING (2025-10-22) – Continuing implementation: build `IVexAttestationVerifier`, wire metrics/logging, and add regression tests. Draft plan in `EXCITITOR-ATTEST-01-003-plan.md` (2025-10-19) guides scope; updating with worknotes as progress lands.<br>2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests.|
+
--- a/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs
+++ b/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs
@@ -183,8 +183,7 @@ internal sealed class VexAttestationVerifier : IVexAttestationVerifier
        catch (Exception ex)
        {
            diagnostics["error"] = ex.GetType().Name;
-            diagnostics["error.message"] = ex.Message;
-            resultLabel = "error";
+            diagnostics["error.message"] = ex.Message;            resultLabel = "error";
            _logger.LogError(ex, "Unexpected exception verifying attestation for export {ExportId}", request.Attestation.ExportId);
            return BuildResult(false);
        }
--- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md
+++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md
@@ -1,5 +1,5 @@
-If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
-# TASKS
-| Task | Owner(s) | Depends on | Notes |
+If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
+# TASKS
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |EXCITITOR-CONN-ORACLE-01-003 – Trust provenance enrichment|Team Excititor Connectors – Oracle|EXCITITOR-CONN-ORACLE-01-002, EXCITITOR-POLICY-01-001|TODO – Emit Oracle signing metadata (PGP/cosign fingerprint list, issuer trust tier) into raw provenance so downstream services can evaluate trust. Connector must not apply consensus weighting during ingestion.|
--- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md
+++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md
@@ -1,5 +1,5 @@
-If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
-# TASKS
-| Task | Owner(s) | Depends on | Notes |
+If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
+# TASKS
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |EXCITITOR-CONN-SUSE-01-003 – Trust metadata provenance|Team Excititor Connectors – SUSE|EXCITITOR-CONN-SUSE-01-002, EXCITITOR-POLICY-01-001|TODO – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion.|
--- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md
+++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md
@@ -1,6 +1,6 @@
-If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
-# TASKS
-| Task | Owner(s) | Depends on | Notes |
+If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
+# TASKS
+| Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |EXCITITOR-CONN-UBUNTU-01-003 – Trust provenance enrichment|Team Excititor Connectors – Ubuntu|EXCITITOR-CONN-UBUNTU-01-002, EXCITITOR-POLICY-01-001|TODO – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting.|
-> Remark (2025-10-29, EXCITITOR-CONN-UBUNTU-01-002): Offline + network regression pass validated resume tokens, dedupe skips, checksum enforcement, and ETag handling before closing the task.
+> Remark (2025-10-29, EXCITITOR-CONN-UBUNTU-01-002): Offline + network regression pass validated resume tokens, dedupe skips, checksum enforcement, and ETag handling before closing the task.