Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org

2025-10-31 19:16:43 +02:00
parent 8da4e12a90 9e5e958d42
commit c63749d535
29 changed files with 473 additions and 477 deletions
--- a/docs/12_PERFORMANCE_WORKBOOK.md
+++ b/docs/12_PERFORMANCE_WORKBOOK.md
--- a/docs/implplan/SPRINTS.md
+++ b/docs/implplan/SPRINTS.md
@@ -1054,8 +1054,7 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-001 | Draft schemas for all attestation payload types. |
 | Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-002 | Generate models/validators from schemas. |
 | Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-001 | Scaffold attestor service skeleton. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-002 | Implement attestation store + storage integration. |
-| Sprint 72 | Attestor Console Phase 1 – Foundations | src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md | DONE | KMS Guild | KMS-72-001 | Implement KMS interface + file driver. |
+| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-002 | Implement attestation store + storage integration. |
 | Sprint 72 | Attestor Console Phase 1 – Foundations | src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md | DONE | KMS Guild | KMS-72-001 | Implement KMS interface + file driver. |
 | Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-001 | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. |
 | Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-002 | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. |
--- a/src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md
@@ -11,7 +11,6 @@
 > 2025-10-28: Documented duplicate audit + migration workflow in `docs/deploy/containers.md`, Offline Kit guide, and `MIGRATIONS.md`; published `ops/devops/scripts/check-advisory-raw-duplicates.js` for staging/offline clusters.
 > Docs alignment (2025-10-26): Offline kit requirements documented in `docs/deploy/containers.md` §5.
 | CONCELIER-STORE-AOC-19-005 `Raw linkset backfill` | TODO (2025-11-04) | Concelier Storage Guild, DevOps Guild | CONCELIER-CORE-AOC-19-004 | Plan and execute advisory_observations `rawLinkset` backfill (online + Offline Kit bundles), supply migration scripts + rehearse rollback. Follow the coordination plan in `docs/dev/raw-linkset-backfill-plan.md`. |
-

 ## Policy Engine v2

--- a/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md
+++ b/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md
@@ -3,5 +3,4 @@ If you are working on this file you need to read docs/modules/excititor/ARCHITEC
 | Task | Owner(s) | Depends on | Notes |
 |---|---|---|---|
 |EXCITITOR-ATTEST-01-003 – Verification suite & observability|Team Excititor Attestation|EXCITITOR-ATTEST-01-002|DOING (2025-10-22) – Continuing implementation: build `IVexAttestationVerifier`, wire metrics/logging, and add regression tests. Draft plan in `EXCITITOR-ATTEST-01-003-plan.md` (2025-10-19) guides scope; updating with worknotes as progress lands.<br>2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests.|
-

--- a/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs
+++ b/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs
@@ -183,8 +183,7 @@ internal sealed class VexAttestationVerifier : IVexAttestationVerifier
        catch (Exception ex)
        {
            diagnostics["error"] = ex.GetType().Name;
-            diagnostics["error.message"] = ex.Message;
-            resultLabel = "error";
+            diagnostics["error.message"] = ex.Message;            resultLabel = "error";
            _logger.LogError(ex, "Unexpected exception verifying attestation for export {ExportId}", request.Attestation.ExportId);
            return BuildResult(false);
        }
--- a/src/Scanner/docs/events/samples/scanner.event.report.ready@1.sample.json
+++ b/src/Scanner/docs/events/samples/scanner.event.report.ready@1.sample.json
@@ -1,101 +1,101 @@
 {
-  "eventId": "6d2d1b77-f3c3-4f70-8a9d-6f2d0c8801ab",
-  "kind": "scanner.event.report.ready",
-  "version": 1,
-  "tenant": "tenant-alpha",
-  "occurredAt": "2025-10-19T12:34:56Z",
-  "recordedAt": "2025-10-19T12:34:57Z",
-  "source": "scanner.webservice",
-  "idempotencyKey": "scanner.event.report.ready:tenant-alpha:report-abc",
-  "correlationId": "report-abc",
-  "traceId": "0af7651916cd43dd8448eb211c80319c",
-  "spanId": "b7ad6b7169203331",
-  "scope": {
-    "namespace": "acme/edge",
-    "repo": "api",
-    "digest": "sha256:feedface"
-  },
-  "attributes": {
-    "reportId": "report-abc",
-    "policyRevisionId": "rev-42",
-    "policyDigest": "digest-123",
-    "verdict": "blocked"
-  },
-  "payload": {
-    "reportId": "report-abc",
-    "scanId": "report-abc",
-    "imageDigest": "sha256:feedface",
-    "generatedAt": "2025-10-19T12:34:56Z",
-    "verdict": "fail",
-    "summary": {
-      "total": 1,
-      "blocked": 1,
-      "warned": 0,
-      "ignored": 0,
-      "quieted": 0
+    "eventId": "6d2d1b77-f3c3-4f70-8a9d-6f2d0c8801ab",
+    "kind": "scanner.event.report.ready",
+    "version": 1,
+    "tenant": "tenant-alpha",
+    "occurredAt": "2025-10-19T12:34:56Z",
+    "recordedAt": "2025-10-19T12:34:57Z",
+    "source": "scanner.webservice",
+    "idempotencyKey": "scanner.event.report.ready:tenant-alpha:report-abc",
+    "correlationId": "report-abc",
+    "traceId": "0af7651916cd43dd8448eb211c80319c",
+    "spanId": "b7ad6b7169203331",
+    "scope": {
+        "namespace": "acme/edge",
+        "repo": "api",
+        "digest": "sha256:feedface"
    },
-    "delta": {
-      "newCritical": 1,
-      "kev": [
-        "CVE-2024-9999"
-      ]
+    "attributes": {
+        "reportId": "report-abc",
+        "policyRevisionId": "rev-42",
+        "policyDigest": "digest-123",
+        "verdict": "blocked"
    },
-    "quietedFindingCount": 0,
-    "policy": {
-      "digest": "digest-123",
-      "revisionId": "rev-42"
-    },
-  "links": {
-    "report": {
-      "ui": "https://scanner.example/ui/reports/report-abc",
-      "api": "https://scanner.example/api/v1/reports/report-abc"
-    },
-    "policy": {
-      "ui": "https://scanner.example/ui/policy/revisions/rev-42",
-      "api": "https://scanner.example/api/v1/policy/revisions/rev-42"
-    },
-    "attestation": {
-      "ui": "https://scanner.example/ui/attestations/report-abc",
-      "api": "https://scanner.example/api/v1/reports/report-abc/attestation"
-    }
-  },
-    "dsse": {
-      "payloadType": "application/vnd.stellaops.report+json",
-      "payload": "eyJyZXBvcnRJZCI6InJlcG9ydC1hYmMiLCJpbWFnZURpZ2VzdCI6InNoYTI1NjpmZWVkZmFjZSIsImdlbmVyYXRlZEF0IjoiMjAyNS0xMC0xOVQxMjozNDo1NiswMDowMCIsInZlcmRpY3QiOiJibG9ja2VkIiwicG9saWN5Ijp7InJldmlzaW9uSWQiOiJyZXYtNDIiLCJkaWdlc3QiOiJkaWdlc3QtMTIzIn0sInN1bW1hcnkiOnsidG90YWwiOjEsImJsb2NrZWQiOjEsIndhcm5lZCI6MCwiaWdub3JlZCI6MCwicXVpZXRlZCI6MH0sInZlcmRpY3RzIjpbeyJmaW5kaW5nSWQiOiJmaW5kaW5nLTEiLCJzdGF0dXMiOiJCbG9ja2VkIiwic2NvcmUiOjQ3LjUsInNvdXJjZVRydXN0IjoiTlZEIiwicmVhY2hhYmlsaXR5IjoicnVudGltZSJ9XSwiaXNzdWVzIjpbXX0=",
-      "signatures": [
-        {
-          "keyId": "test-key",
-          "algorithm": "hs256",
-          "signature": "signature-value"
+    "payload": {
+        "reportId": "report-abc",
+        "scanId": "report-abc",
+        "imageDigest": "sha256:feedface",
+        "generatedAt": "2025-10-19T12:34:56Z",
+        "verdict": "fail",
+        "summary": {
+            "total": 1,
+            "blocked": 1,
+            "warned": 0,
+            "ignored": 0,
+            "quieted": 0
+        },
+        "delta": {
+            "newCritical": 1,
+            "kev": [
+                "CVE-2024-9999"
+            ]
+        },
+        "quietedFindingCount": 0,
+        "policy": {
+            "digest": "digest-123",
+            "revisionId": "rev-42"
+        },
+        "links": {
+            "report": {
+                "ui": "https://scanner.example/ui/reports/report-abc",
+                "api": "https://scanner.example/api/v1/reports/report-abc"
+            },
+            "policy": {
+                "ui": "https://scanner.example/ui/policy/revisions/rev-42",
+                "api": "https://scanner.example/api/v1/policy/revisions/rev-42"
+            },
+            "attestation": {
+                "ui": "https://scanner.example/ui/attestations/report-abc",
+                "api": "https://scanner.example/api/v1/reports/report-abc/attestation"
+            }
+        },
+        "dsse": {
+            "payloadType": "application/vnd.stellaops.report+json",
+            "payload": "eyJyZXBvcnRJZCI6InJlcG9ydC1hYmMiLCJpbWFnZURpZ2VzdCI6InNoYTI1NjpmZWVkZmFjZSIsImdlbmVyYXRlZEF0IjoiMjAyNS0xMC0xOVQxMjozNDo1NiswMDowMCIsInZlcmRpY3QiOiJibG9ja2VkIiwicG9saWN5Ijp7InJldmlzaW9uSWQiOiJyZXYtNDIiLCJkaWdlc3QiOiJkaWdlc3QtMTIzIn0sInN1bW1hcnkiOnsidG90YWwiOjEsImJsb2NrZWQiOjEsIndhcm5lZCI6MCwiaWdub3JlZCI6MCwicXVpZXRlZCI6MH0sInZlcmRpY3RzIjpbeyJmaW5kaW5nSWQiOiJmaW5kaW5nLTEiLCJzdGF0dXMiOiJCbG9ja2VkIiwic2NvcmUiOjQ3LjUsInNvdXJjZVRydXN0IjoiTlZEIiwicmVhY2hhYmlsaXR5IjoicnVudGltZSJ9XSwiaXNzdWVzIjpbXX0=",
+            "signatures": [
+                {
+                    "keyId": "test-key",
+                    "algorithm": "hs256",
+                    "signature": "signature-value"
+                }
+            ]
+        },
+        "report": {
+            "reportId": "report-abc",
+            "generatedAt": "2025-10-19T12:34:56Z",
+            "imageDigest": "sha256:feedface",
+            "policy": {
+                "digest": "digest-123",
+                "revisionId": "rev-42"
+            },
+            "summary": {
+                "total": 1,
+                "blocked": 1,
+                "warned": 0,
+                "ignored": 0,
+                "quieted": 0
+            },
+            "verdict": "blocked",
+            "verdicts": [
+                {
+                    "findingId": "finding-1",
+                    "status": "Blocked",
+                    "score": 47.5,
+                    "sourceTrust": "NVD",
+                    "reachability": "runtime"
+                }
+            ],
+            "issues": []
        }
-      ]
-    },
-    "report": {
-      "reportId": "report-abc",
-      "generatedAt": "2025-10-19T12:34:56Z",
-      "imageDigest": "sha256:feedface",
-      "policy": {
-        "digest": "digest-123",
-        "revisionId": "rev-42"
-      },
-      "summary": {
-        "total": 1,
-        "blocked": 1,
-        "warned": 0,
-        "ignored": 0,
-        "quieted": 0
-      },
-      "verdict": "blocked",
-      "verdicts": [
-        {
-          "findingId": "finding-1",
-          "status": "Blocked",
-          "score": 47.5,
-          "sourceTrust": "NVD",
-          "reachability": "runtime"
-        }
-      ],
-      "issues": []
    }
-  }
 }
--- a/src/Scanner/docs/events/samples/scanner.event.scan.completed@1.sample.json
+++ b/src/Scanner/docs/events/samples/scanner.event.scan.completed@1.sample.json
@@ -1,107 +1,107 @@
 {
-  "eventId": "08a6de24-4a94-4d14-8432-9d14f36f6da3",
-  "kind": "scanner.event.scan.completed",
-  "version": 1,
-  "tenant": "tenant-alpha",
-  "occurredAt": "2025-10-19T12:34:56Z",
-  "recordedAt": "2025-10-19T12:34:57Z",
-  "source": "scanner.webservice",
-  "idempotencyKey": "scanner.event.scan.completed:tenant-alpha:report-abc",
-  "correlationId": "report-abc",
-  "traceId": "4bf92f3577b34da6a3ce929d0e0e4736",
-  "scope": {
-    "namespace": "acme/edge",
-    "repo": "api",
-    "digest": "sha256:feedface"
-  },
-  "attributes": {
-    "reportId": "report-abc",
-    "policyRevisionId": "rev-42",
-    "policyDigest": "digest-123",
-    "verdict": "blocked"
-  },
-  "payload": {
-    "reportId": "report-abc",
-    "scanId": "report-abc",
-    "imageDigest": "sha256:feedface",
-    "verdict": "fail",
-    "summary": {
-      "total": 1,
-      "blocked": 1,
-      "warned": 0,
-      "ignored": 0,
-      "quieted": 0
+    "eventId": "08a6de24-4a94-4d14-8432-9d14f36f6da3",
+    "kind": "scanner.event.scan.completed",
+    "version": 1,
+    "tenant": "tenant-alpha",
+    "occurredAt": "2025-10-19T12:34:56Z",
+    "recordedAt": "2025-10-19T12:34:57Z",
+    "source": "scanner.webservice",
+    "idempotencyKey": "scanner.event.scan.completed:tenant-alpha:report-abc",
+    "correlationId": "report-abc",
+    "traceId": "4bf92f3577b34da6a3ce929d0e0e4736",
+    "scope": {
+        "namespace": "acme/edge",
+        "repo": "api",
+        "digest": "sha256:feedface"
    },
-    "delta": {
-      "newCritical": 1,
-      "kev": [
-        "CVE-2024-9999"
-      ]
+    "attributes": {
+        "reportId": "report-abc",
+        "policyRevisionId": "rev-42",
+        "policyDigest": "digest-123",
+        "verdict": "blocked"
    },
-    "policy": {
-      "digest": "digest-123",
-      "revisionId": "rev-42"
-    },
-    "findings": [
-      {
-        "id": "finding-1",
-        "severity": "Critical",
-        "cve": "CVE-2024-9999",
-        "purl": "pkg:docker/acme/edge-api@sha256-feedface",
-        "reachability": "runtime"
-      }
-    ],
-    "links": {
-      "report": {
-        "ui": "https://scanner.example/ui/reports/report-abc",
-        "api": "https://scanner.example/api/v1/reports/report-abc"
-      },
-      "policy": {
-        "ui": "https://scanner.example/ui/policy/revisions/rev-42",
-        "api": "https://scanner.example/api/v1/policy/revisions/rev-42"
-      },
-      "attestation": {
-        "ui": "https://scanner.example/ui/attestations/report-abc",
-        "api": "https://scanner.example/api/v1/reports/report-abc/attestation"
-      }
-    },
-    "dsse": {
-      "payloadType": "application/vnd.stellaops.report+json",
-      "payload": "eyJyZXBvcnRJZCI6InJlcG9ydC1hYmMiLCJpbWFnZURpZ2VzdCI6InNoYTI1NjpmZWVkZmFjZSIsImdlbmVyYXRlZEF0IjoiMjAyNS0xMC0xOVQxMjozNDo1NiswMDowMCIsInZlcmRpY3QiOiJibG9ja2VkIiwicG9saWN5Ijp7InJldmlzaW9uSWQiOiJyZXYtNDIiLCJkaWdlc3QiOiJkaWdlc3QtMTIzIn0sInN1bW1hcnkiOnsidG90YWwiOjEsImJsb2NrZWQiOjEsIndhcm5lZCI6MCwiaWdub3JlZCI6MCwicXVpZXRlZCI6MH0sInZlcmRpY3RzIjpbeyJmaW5kaW5nSWQiOiJmaW5kaW5nLTEiLCJzdGF0dXMiOiJCbG9ja2VkIiwic2NvcmUiOjQ3LjUsInNvdXJjZVRydXN0IjoiTlZEIiwicmVhY2hhYmlsaXR5IjoicnVudGltZSJ9XSwiaXNzdWVzIjpbXX0=",
-      "signatures": [
-        {
-          "keyId": "test-key",
-          "algorithm": "hs256",
-          "signature": "signature-value"
+    "payload": {
+        "reportId": "report-abc",
+        "scanId": "report-abc",
+        "imageDigest": "sha256:feedface",
+        "verdict": "fail",
+        "summary": {
+            "total": 1,
+            "blocked": 1,
+            "warned": 0,
+            "ignored": 0,
+            "quieted": 0
+        },
+        "delta": {
+            "newCritical": 1,
+            "kev": [
+                "CVE-2024-9999"
+            ]
+        },
+        "policy": {
+            "digest": "digest-123",
+            "revisionId": "rev-42"
+        },
+        "findings": [
+            {
+                "id": "finding-1",
+                "severity": "Critical",
+                "cve": "CVE-2024-9999",
+                "purl": "pkg:docker/acme/edge-api@sha256-feedface",
+                "reachability": "runtime"
+            }
+        ],
+        "links": {
+            "report": {
+                "ui": "https://scanner.example/ui/reports/report-abc",
+                "api": "https://scanner.example/api/v1/reports/report-abc"
+            },
+            "policy": {
+                "ui": "https://scanner.example/ui/policy/revisions/rev-42",
+                "api": "https://scanner.example/api/v1/policy/revisions/rev-42"
+            },
+            "attestation": {
+                "ui": "https://scanner.example/ui/attestations/report-abc",
+                "api": "https://scanner.example/api/v1/reports/report-abc/attestation"
+            }
+        },
+        "dsse": {
+            "payloadType": "application/vnd.stellaops.report+json",
+            "payload": "eyJyZXBvcnRJZCI6InJlcG9ydC1hYmMiLCJpbWFnZURpZ2VzdCI6InNoYTI1NjpmZWVkZmFjZSIsImdlbmVyYXRlZEF0IjoiMjAyNS0xMC0xOVQxMjozNDo1NiswMDowMCIsInZlcmRpY3QiOiJibG9ja2VkIiwicG9saWN5Ijp7InJldmlzaW9uSWQiOiJyZXYtNDIiLCJkaWdlc3QiOiJkaWdlc3QtMTIzIn0sInN1bW1hcnkiOnsidG90YWwiOjEsImJsb2NrZWQiOjEsIndhcm5lZCI6MCwiaWdub3JlZCI6MCwicXVpZXRlZCI6MH0sInZlcmRpY3RzIjpbeyJmaW5kaW5nSWQiOiJmaW5kaW5nLTEiLCJzdGF0dXMiOiJCbG9ja2VkIiwic2NvcmUiOjQ3LjUsInNvdXJjZVRydXN0IjoiTlZEIiwicmVhY2hhYmlsaXR5IjoicnVudGltZSJ9XSwiaXNzdWVzIjpbXX0=",
+            "signatures": [
+                {
+                    "keyId": "test-key",
+                    "algorithm": "hs256",
+                    "signature": "signature-value"
+                }
+            ]
+        },
+        "report": {
+            "reportId": "report-abc",
+            "generatedAt": "2025-10-19T12:34:56Z",
+            "imageDigest": "sha256:feedface",
+            "policy": {
+                "digest": "digest-123",
+                "revisionId": "rev-42"
+            },
+            "summary": {
+                "total": 1,
+                "blocked": 1,
+                "warned": 0,
+                "ignored": 0,
+                "quieted": 0
+            },
+            "verdict": "blocked",
+            "verdicts": [
+                {
+                    "findingId": "finding-1",
+                    "status": "Blocked",
+                    "score": 47.5,
+                    "sourceTrust": "NVD",
+                    "reachability": "runtime"
+                }
+            ],
+            "issues": []
        }
-      ]
-    },
-    "report": {
-      "reportId": "report-abc",
-      "generatedAt": "2025-10-19T12:34:56Z",
-      "imageDigest": "sha256:feedface",
-      "policy": {
-        "digest": "digest-123",
-        "revisionId": "rev-42"
-      },
-      "summary": {
-        "total": 1,
-        "blocked": 1,
-        "warned": 0,
-        "ignored": 0,
-        "quieted": 0
-      },
-      "verdict": "blocked",
-      "verdicts": [
-        {
-          "findingId": "finding-1",
-          "status": "Blocked",
-          "score": 47.5,
-          "sourceTrust": "NVD",
-          "reachability": "runtime"
-        }
-      ],
-      "issues": []
    }
-  }
 }