stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

Add property-based tests for SBOM/VEX document ordering and Unicode normalization determinism

Browse Source 
- Implement `SbomVexOrderingDeterminismProperties` for testing component list and vulnerability metadata hash consistency.
- Create `UnicodeNormalizationDeterminismProperties` to validate NFC normalization and Unicode string handling.
- Add project file for `StellaOps.Testing.Determinism.Properties` with necessary dependencies.
- Introduce CI/CD template validation tests including YAML syntax checks and documentation content verification.
- Create validation script for CI/CD templates ensuring all required files and structures are present.
This commit is contained in:
StellaOps Bot
2025-12-26 15:17:15 +02:00
parent 7792749bb4
commit c8f3120174
349 changed files with 78558 additions and 1342 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/Contracts/ExplainRequest.cs Normal file
View File

@@ -0,0 +1,92 @@
using System.ComponentModel.DataAnnotations;
using StellaOps.AdvisoryAI.Explanation;
namespace StellaOps.AdvisoryAI.WebService.Contracts;
/// <summary>
/// API request for generating an explanation.
/// Sprint: SPRINT_20251226_015_AI_zastava_companion
/// Task: ZASTAVA-13
/// </summary>
public sealed record ExplainRequest
{
/// <summary>
/// Finding ID to explain.
/// </summary>
[Required]
public required string FindingId { get; init; }
/// <summary>
/// Artifact digest (image, SBOM, etc.) for context.
/// </summary>
[Required]
public required string ArtifactDigest { get; init; }
/// <summary>
/// Scope of the explanation (service, release, image).
/// </summary>
[Required]
public required string Scope { get; init; }
/// <summary>
/// Scope identifier.
/// </summary>
[Required]
public required string ScopeId { get; init; }
/// <summary>
/// Type of explanation to generate.
/// </summary>
public string ExplanationType { get; init; } = "full";
/// <summary>
/// Vulnerability ID (CVE, GHSA, etc.).
/// </summary>
[Required]
public required string VulnerabilityId { get; init; }
/// <summary>
/// Affected component PURL.
/// </summary>
public string? ComponentPurl { get; init; }
/// <summary>
/// Whether to use plain language mode.
/// </summary>
public bool PlainLanguage { get; init; }
/// <summary>
/// Maximum length of explanation (0 = no limit).
/// </summary>
public int MaxLength { get; init; }
/// <summary>
/// Correlation ID for tracing.
/// </summary>
public string? CorrelationId { get; init; }
/// <summary>
/// Convert to domain model.
/// </summary>
public ExplanationRequest ToDomain()
{
if (!Enum.TryParse<ExplanationType>(ExplanationType, ignoreCase: true, out var explType))
{
explType = Explanation.ExplanationType.Full;
}
return new ExplanationRequest
{
FindingId = FindingId,
ArtifactDigest = ArtifactDigest,
Scope = Scope,
ScopeId = ScopeId,
ExplanationType = explType,
VulnerabilityId = VulnerabilityId,
ComponentPurl = ComponentPurl,
PlainLanguage = PlainLanguage,
MaxLength = MaxLength,
CorrelationId = CorrelationId
};
}
}

157
src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/Contracts/ExplainResponse.cs Normal file
View File

@@ -0,0 +1,157 @@
using StellaOps.AdvisoryAI.Explanation;
namespace StellaOps.AdvisoryAI.WebService.Contracts;
/// <summary>
/// API response for explanation generation.
/// Sprint: SPRINT_20251226_015_AI_zastava_companion
/// Task: ZASTAVA-13
/// </summary>
public sealed record ExplainResponse
{
/// <summary>
/// Unique ID for this explanation.
/// </summary>
public required string ExplanationId { get; init; }
/// <summary>
/// The explanation content (markdown supported).
/// </summary>
public required string Content { get; init; }
/// <summary>
/// 3-line summary for compact display.
/// </summary>
public required ExplainSummaryResponse Summary { get; init; }
/// <summary>
/// Citations linking claims to evidence.
/// </summary>
public required IReadOnlyList<ExplainCitationResponse> Citations { get; init; }
/// <summary>
/// Overall confidence score (0.0-1.0).
/// </summary>
public required double ConfidenceScore { get; init; }
/// <summary>
/// Citation rate (verified citations / total claims).
/// </summary>
public required double CitationRate { get; init; }
/// <summary>
/// Authority classification.
/// </summary>
public required string Authority { get; init; }
/// <summary>
/// Evidence node IDs used in this explanation.
/// </summary>
public required IReadOnlyList<string> EvidenceRefs { get; init; }
/// <summary>
/// Model ID used for generation.
/// </summary>
public required string ModelId { get; init; }
/// <summary>
/// Prompt template version.
/// </summary>
public required string PromptTemplateVersion { get; init; }
/// <summary>
/// Generation timestamp (UTC ISO-8601).
/// </summary>
public required string GeneratedAt { get; init; }
/// <summary>
/// Output hash for verification.
/// </summary>
public required string OutputHash { get; init; }
/// <summary>
/// Create from domain model.
/// </summary>
public static ExplainResponse FromDomain(ExplanationResult result)
{
return new ExplainResponse
{
ExplanationId = result.ExplanationId,
Content = result.Content,
Summary = new ExplainSummaryResponse
{
Line1 = result.Summary.Line1,
Line2 = result.Summary.Line2,
Line3 = result.Summary.Line3
},
Citations = result.Citations.Select(c => new ExplainCitationResponse
{
ClaimText = c.ClaimText,
EvidenceId = c.EvidenceId,
EvidenceType = c.EvidenceType,
Verified = c.Verified,
EvidenceExcerpt = c.EvidenceExcerpt
}).ToList(),
ConfidenceScore = result.ConfidenceScore,
CitationRate = result.CitationRate,
Authority = result.Authority.ToString(),
EvidenceRefs = result.EvidenceRefs,
ModelId = result.ModelId,
PromptTemplateVersion = result.PromptTemplateVersion,
GeneratedAt = result.GeneratedAt,
OutputHash = result.OutputHash
};
}
}
/// <summary>
/// 3-line summary response.
/// </summary>
public sealed record ExplainSummaryResponse
{
/// <summary>
/// Line 1: What changed/what is it.
/// </summary>
public required string Line1 { get; init; }
/// <summary>
/// Line 2: Why it matters.
/// </summary>
public required string Line2 { get; init; }
/// <summary>
/// Line 3: Next action.
/// </summary>
public required string Line3 { get; init; }
}
/// <summary>
/// Citation response.
/// </summary>
public sealed record ExplainCitationResponse
{
/// <summary>
/// Claim text from the explanation.
/// </summary>
public required string ClaimText { get; init; }
/// <summary>
/// Evidence node ID supporting this claim.
/// </summary>
public required string EvidenceId { get; init; }
/// <summary>
/// Type of evidence.
/// </summary>
public required string EvidenceType { get; init; }
/// <summary>
/// Whether the citation was verified.
/// </summary>
public required bool Verified { get; init; }
/// <summary>
/// Excerpt from evidence.
/// </summary>
public string? EvidenceExcerpt { get; init; }
}

229
src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/Contracts/RemediationContracts.cs Normal file
View File

@@ -0,0 +1,229 @@
using System.ComponentModel.DataAnnotations;
using StellaOps.AdvisoryAI.Remediation;
namespace StellaOps.AdvisoryAI.WebService.Contracts;
/// <summary>
/// API request for generating a remediation plan.
/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot
/// Task: REMEDY-19
/// </summary>
public sealed record RemediationPlanApiRequest
{
[Required]
public required string FindingId { get; init; }
[Required]
public required string ArtifactDigest { get; init; }
[Required]
public required string VulnerabilityId { get; init; }
[Required]
public required string ComponentPurl { get; init; }
public string RemediationType { get; init; } = "auto";
public string? RepositoryUrl { get; init; }
public string TargetBranch { get; init; } = "main";
public bool AutoCreatePr { get; init; }
public string? CorrelationId { get; init; }
public RemediationPlanRequest ToDomain()
{
if (!Enum.TryParse<RemediationType>(RemediationType, ignoreCase: true, out var type))
{
type = Remediation.RemediationType.Auto;
}
return new RemediationPlanRequest
{
FindingId = FindingId,
ArtifactDigest = ArtifactDigest,
VulnerabilityId = VulnerabilityId,
ComponentPurl = ComponentPurl,
RemediationType = type,
RepositoryUrl = RepositoryUrl,
TargetBranch = TargetBranch,
AutoCreatePr = AutoCreatePr,
CorrelationId = CorrelationId
};
}
}
/// <summary>
/// API response for remediation plan.
/// </summary>
public sealed record RemediationPlanApiResponse
{
public required string PlanId { get; init; }
public required IReadOnlyList<RemediationStepResponse> Steps { get; init; }
public required ExpectedDeltaResponse ExpectedDelta { get; init; }
public required string RiskAssessment { get; init; }
public required string Authority { get; init; }
public required bool PrReady { get; init; }
public string? NotReadyReason { get; init; }
public required double ConfidenceScore { get; init; }
public required string ModelId { get; init; }
public required string GeneratedAt { get; init; }
public static RemediationPlanApiResponse FromDomain(RemediationPlan plan)
{
return new RemediationPlanApiResponse
{
PlanId = plan.PlanId,
Steps = plan.Steps.Select(s => new RemediationStepResponse
{
Order = s.Order,
ActionType = s.ActionType,
FilePath = s.FilePath,
Description = s.Description,
PreviousValue = s.PreviousValue,
NewValue = s.NewValue,
Optional = s.Optional,
Risk = s.Risk.ToString()
}).ToList(),
ExpectedDelta = new ExpectedDeltaResponse
{
Added = plan.ExpectedDelta.Added,
Removed = plan.ExpectedDelta.Removed,
Upgraded = plan.ExpectedDelta.Upgraded,
NetVulnerabilityChange = plan.ExpectedDelta.NetVulnerabilityChange
},
RiskAssessment = plan.RiskAssessment.ToString(),
Authority = plan.Authority.ToString(),
PrReady = plan.PrReady,
NotReadyReason = plan.NotReadyReason,
ConfidenceScore = plan.ConfidenceScore,
ModelId = plan.ModelId,
GeneratedAt = plan.GeneratedAt
};
}
}
public sealed record RemediationStepResponse
{
public required int Order { get; init; }
public required string ActionType { get; init; }
public required string FilePath { get; init; }
public required string Description { get; init; }
public string? PreviousValue { get; init; }
public string? NewValue { get; init; }
public bool Optional { get; init; }
public required string Risk { get; init; }
}
public sealed record ExpectedDeltaResponse
{
public required IReadOnlyList<string> Added { get; init; }
public required IReadOnlyList<string> Removed { get; init; }
public required IReadOnlyDictionary<string, string> Upgraded { get; init; }
public required int NetVulnerabilityChange { get; init; }
}
/// <summary>
/// API request for applying remediation (creating PR).
/// Task: REMEDY-20
/// </summary>
public sealed record ApplyRemediationRequest
{
[Required]
public required string PlanId { get; init; }
public string ScmType { get; init; } = "github";
}
/// <summary>
/// API response for PR creation.
/// </summary>
public sealed record PullRequestApiResponse
{
public required string PrId { get; init; }
public required int PrNumber { get; init; }
public required string Url { get; init; }
public required string BranchName { get; init; }
public required string Status { get; init; }
public string? StatusMessage { get; init; }
public BuildResultResponse? BuildResult { get; init; }
public TestResultResponse? TestResult { get; init; }
public DeltaVerdictResponse? DeltaVerdict { get; init; }
public required string CreatedAt { get; init; }
public required string UpdatedAt { get; init; }
public static PullRequestApiResponse FromDomain(PullRequestResult result)
{
return new PullRequestApiResponse
{
PrId = result.PrId,
PrNumber = result.PrNumber,
Url = result.Url,
BranchName = result.BranchName,
Status = result.Status.ToString(),
StatusMessage = result.StatusMessage,
BuildResult = result.BuildResult != null ? new BuildResultResponse
{
Success = result.BuildResult.Success,
BuildId = result.BuildResult.BuildId,
BuildUrl = result.BuildResult.BuildUrl,
ErrorMessage = result.BuildResult.ErrorMessage,
CompletedAt = result.BuildResult.CompletedAt
} : null,
TestResult = result.TestResult != null ? new TestResultResponse
{
AllPassed = result.TestResult.AllPassed,
TotalTests = result.TestResult.TotalTests,
PassedTests = result.TestResult.PassedTests,
FailedTests = result.TestResult.FailedTests,
SkippedTests = result.TestResult.SkippedTests,
Coverage = result.TestResult.Coverage,
FailedTestNames = result.TestResult.FailedTestNames,
CompletedAt = result.TestResult.CompletedAt
} : null,
DeltaVerdict = result.DeltaVerdict != null ? new DeltaVerdictResponse
{
Improved = result.DeltaVerdict.Improved,
VulnerabilitiesFixed = result.DeltaVerdict.VulnerabilitiesFixed,
VulnerabilitiesIntroduced = result.DeltaVerdict.VulnerabilitiesIntroduced,
VerdictId = result.DeltaVerdict.VerdictId,
SignatureId = result.DeltaVerdict.SignatureId,
ComputedAt = result.DeltaVerdict.ComputedAt
} : null,
CreatedAt = result.CreatedAt,
UpdatedAt = result.UpdatedAt
};
}
}
public sealed record BuildResultResponse
{
public required bool Success { get; init; }
public required string BuildId { get; init; }
public string? BuildUrl { get; init; }
public string? ErrorMessage { get; init; }
public required string CompletedAt { get; init; }
}
public sealed record TestResultResponse
{
public required bool AllPassed { get; init; }
public required int TotalTests { get; init; }
public required int PassedTests { get; init; }
public required int FailedTests { get; init; }
public required int SkippedTests { get; init; }
public double Coverage { get; init; }
public IReadOnlyList<string> FailedTestNames { get; init; } = Array.Empty<string>();
public required string CompletedAt { get; init; }
}
public sealed record DeltaVerdictResponse
{
public required bool Improved { get; init; }
public required int VulnerabilitiesFixed { get; init; }
public required int VulnerabilitiesIntroduced { get; init; }
public required string VerdictId { get; init; }
public string? SignatureId { get; init; }
public required string ComputedAt { get; init; }
}

226
src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/Program.cs
View File

@@ -11,11 +11,13 @@ using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using StellaOps.AdvisoryAI.Caching;
using StellaOps.AdvisoryAI.Diagnostics;
using StellaOps.AdvisoryAI.Explanation;
using StellaOps.AdvisoryAI.Hosting;
using StellaOps.AdvisoryAI.Metrics;
using StellaOps.AdvisoryAI.Outputs;
using StellaOps.AdvisoryAI.Orchestration;
using StellaOps.AdvisoryAI.Queue;
using StellaOps.AdvisoryAI.Remediation;
using StellaOps.AdvisoryAI.WebService.Contracts;
using StellaOps.Router.AspNet;
@@ -88,6 +90,23 @@ app.MapPost("/v1/advisory-ai/pipeline:batch", HandleBatchPlans)
app.MapGet("/v1/advisory-ai/outputs/{cacheKey}", HandleGetOutput)
.RequireRateLimiting("advisory-ai");
// Explanation endpoints (SPRINT_20251226_015_AI_zastava_companion)
app.MapPost("/v1/advisory-ai/explain", HandleExplain)
.RequireRateLimiting("advisory-ai");
app.MapGet("/v1/advisory-ai/explain/{explanationId}/replay", HandleExplanationReplay)
.RequireRateLimiting("advisory-ai");
// Remediation endpoints (SPRINT_20251226_016_AI_remedy_autopilot)
app.MapPost("/v1/advisory-ai/remediation/plan", HandleRemediationPlan)
.RequireRateLimiting("advisory-ai");
app.MapPost("/v1/advisory-ai/remediation/apply", HandleApplyRemediation)
.RequireRateLimiting("advisory-ai");
app.MapGet("/v1/advisory-ai/remediation/status/{prId}", HandleRemediationStatus)
.RequireRateLimiting("advisory-ai");
// Refresh Router endpoint cache
app.TryRefreshStellaRouterEndpoints(routerOptions);
@@ -250,6 +269,213 @@ static bool EnsureAuthorized(HttpContext context, AdvisoryTaskType taskType)
return allowed.Contains($"advisory:{taskType.ToString().ToLowerInvariant()}");
}
static bool EnsureExplainAuthorized(HttpContext context)
{
if (!context.Request.Headers.TryGetValue("X-StellaOps-Scopes", out var scopes))
{
return false;
}
var allowed = scopes
.SelectMany(value => value.Split(' ', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries))
.ToHashSet(StringComparer.OrdinalIgnoreCase);
return allowed.Contains("advisory:run") || allowed.Contains("advisory:explain");
}
// ZASTAVA-13: POST /v1/advisory-ai/explain
static async Task<IResult> HandleExplain(
HttpContext httpContext,
ExplainRequest request,
IExplanationGenerator explanationGenerator,
CancellationToken cancellationToken)
{
using var activity = AdvisoryAiActivitySource.Instance.StartActivity("advisory_ai.explain", ActivityKind.Server);
activity?.SetTag("advisory.finding_id", request.FindingId);
activity?.SetTag("advisory.vulnerability_id", request.VulnerabilityId);
activity?.SetTag("advisory.explanation_type", request.ExplanationType);
if (!EnsureExplainAuthorized(httpContext))
{
return Results.StatusCode(StatusCodes.Status403Forbidden);
}
try
{
var domainRequest = request.ToDomain();
var result = await explanationGenerator.GenerateAsync(domainRequest, cancellationToken).ConfigureAwait(false);
activity?.SetTag("advisory.explanation_id", result.ExplanationId);
activity?.SetTag("advisory.authority", result.Authority.ToString());
activity?.SetTag("advisory.citation_rate", result.CitationRate);
return Results.Ok(ExplainResponse.FromDomain(result));
}
catch (InvalidOperationException ex)
{
return Results.BadRequest(new { error = ex.Message });
}
}
// ZASTAVA-14: GET /v1/advisory-ai/explain/{explanationId}/replay
static async Task<IResult> HandleExplanationReplay(
HttpContext httpContext,
string explanationId,
IExplanationGenerator explanationGenerator,
CancellationToken cancellationToken)
{
using var activity = AdvisoryAiActivitySource.Instance.StartActivity("advisory_ai.explain_replay", ActivityKind.Server);
activity?.SetTag("advisory.explanation_id", explanationId);
if (!EnsureExplainAuthorized(httpContext))
{
return Results.StatusCode(StatusCodes.Status403Forbidden);
}
try
{
var result = await explanationGenerator.ReplayAsync(explanationId, cancellationToken).ConfigureAwait(false);
activity?.SetTag("advisory.replayed_explanation_id", result.ExplanationId);
activity?.SetTag("advisory.authority", result.Authority.ToString());
return Results.Ok(ExplainResponse.FromDomain(result));
}
catch (InvalidOperationException ex)
{
return Results.NotFound(new { error = ex.Message });
}
}
static bool EnsureRemediationAuthorized(HttpContext context)
{
if (!context.Request.Headers.TryGetValue("X-StellaOps-Scopes", out var scopes))
{
return false;
}
var allowed = scopes
.SelectMany(value => value.Split(' ', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries))
.ToHashSet(StringComparer.OrdinalIgnoreCase);
return allowed.Contains("advisory:run") || allowed.Contains("advisory:remediate");
}
// REMEDY-19: POST /v1/advisory-ai/remediation/plan
static async Task<IResult> HandleRemediationPlan(
HttpContext httpContext,
RemediationPlanApiRequest request,
IRemediationPlanner remediationPlanner,
CancellationToken cancellationToken)
{
using var activity = AdvisoryAiActivitySource.Instance.StartActivity("advisory_ai.remediation_plan", ActivityKind.Server);
activity?.SetTag("advisory.finding_id", request.FindingId);
activity?.SetTag("advisory.vulnerability_id", request.VulnerabilityId);
activity?.SetTag("advisory.remediation_type", request.RemediationType);
if (!EnsureRemediationAuthorized(httpContext))
{
return Results.StatusCode(StatusCodes.Status403Forbidden);
}
try
{
var domainRequest = request.ToDomain();
var plan = await remediationPlanner.GeneratePlanAsync(domainRequest, cancellationToken).ConfigureAwait(false);
activity?.SetTag("advisory.plan_id", plan.PlanId);
activity?.SetTag("advisory.risk_assessment", plan.RiskAssessment.ToString());
activity?.SetTag("advisory.pr_ready", plan.PrReady);
return Results.Ok(RemediationPlanApiResponse.FromDomain(plan));
}
catch (InvalidOperationException ex)
{
return Results.BadRequest(new { error = ex.Message });
}
}
// REMEDY-20: POST /v1/advisory-ai/remediation/apply
static async Task<IResult> HandleApplyRemediation(
HttpContext httpContext,
ApplyRemediationRequest request,
IRemediationPlanner remediationPlanner,
IEnumerable<IPullRequestGenerator> prGenerators,
CancellationToken cancellationToken)
{
using var activity = AdvisoryAiActivitySource.Instance.StartActivity("advisory_ai.apply_remediation", ActivityKind.Server);
activity?.SetTag("advisory.plan_id", request.PlanId);
activity?.SetTag("advisory.scm_type", request.ScmType);
if (!EnsureRemediationAuthorized(httpContext))
{
return Results.StatusCode(StatusCodes.Status403Forbidden);
}
var plan = await remediationPlanner.GetPlanAsync(request.PlanId, cancellationToken).ConfigureAwait(false);
if (plan is null)
{
return Results.NotFound(new { error = $"Plan {request.PlanId} not found" });
}
var generator = prGenerators.FirstOrDefault(g => g.ScmType.Equals(request.ScmType, StringComparison.OrdinalIgnoreCase));
if (generator is null)
{
return Results.BadRequest(new { error = $"SCM type '{request.ScmType}' not supported" });
}
try
{
var prResult = await generator.CreatePullRequestAsync(plan, cancellationToken).ConfigureAwait(false);
activity?.SetTag("advisory.pr_id", prResult.PrId);
activity?.SetTag("advisory.pr_status", prResult.Status.ToString());
return Results.Ok(PullRequestApiResponse.FromDomain(prResult));
}
catch (InvalidOperationException ex)
{
return Results.BadRequest(new { error = ex.Message });
}
}
// REMEDY-21: GET /v1/advisory-ai/remediation/status/{prId}
static async Task<IResult> HandleRemediationStatus(
HttpContext httpContext,
string prId,
string? scmType,
IEnumerable<IPullRequestGenerator> prGenerators,
CancellationToken cancellationToken)
{
using var activity = AdvisoryAiActivitySource.Instance.StartActivity("advisory_ai.remediation_status", ActivityKind.Server);
activity?.SetTag("advisory.pr_id", prId);
if (!EnsureRemediationAuthorized(httpContext))
{
return Results.StatusCode(StatusCodes.Status403Forbidden);
}
var resolvedScmType = scmType ?? "github";
var generator = prGenerators.FirstOrDefault(g => g.ScmType.Equals(resolvedScmType, StringComparison.OrdinalIgnoreCase));
if (generator is null)
{
return Results.BadRequest(new { error = $"SCM type '{resolvedScmType}' not supported" });
}
try
{
var prResult = await generator.GetStatusAsync(prId, cancellationToken).ConfigureAwait(false);
activity?.SetTag("advisory.pr_status", prResult.Status.ToString());
return Results.Ok(PullRequestApiResponse.FromDomain(prResult));
}
catch (InvalidOperationException ex)
{
return Results.NotFound(new { error = ex.Message });
}
}
internal sealed record PipelinePlanRequest(
AdvisoryTaskType? TaskType,
string AdvisoryKey,

157
src/AdvisoryAI/StellaOps.AdvisoryAI/Explanation/DefaultExplanationPromptService.cs Normal file
View File

@@ -0,0 +1,157 @@
using System.Text;
using System.Text.RegularExpressions;
namespace StellaOps.AdvisoryAI.Explanation;
/// <summary>
/// Default implementation of explanation prompt service.
/// Sprint: SPRINT_20251226_015_AI_zastava_companion
/// Task: ZASTAVA-05
/// </summary>
public sealed class DefaultExplanationPromptService : IExplanationPromptService
{
public Task<ExplanationPrompt> BuildPromptAsync(
ExplanationRequest request,
EvidenceContext evidence,
CancellationToken cancellationToken = default)
{
var template = ExplanationPromptTemplates.GetTemplate(request.ExplanationType);
var content = new StringBuilder();
// Add plain language system prompt if requested
if (request.PlainLanguage)
{
content.AppendLine(ExplanationPromptTemplates.PlainLanguageSystemPrompt);
content.AppendLine();
}
// Render template with evidence
var rendered = RenderTemplate(template, request, evidence);
content.Append(rendered);
// Apply max length constraint if specified
var finalContent = content.ToString();
if (request.MaxLength > 0)
{
content.AppendLine();
content.AppendLine($"IMPORTANT: Keep your response under {request.MaxLength} characters.");
}
var prompt = new ExplanationPrompt
{
Content = finalContent,
TemplateVersion = ExplanationPromptTemplates.TemplateVersion
};
return Task.FromResult(prompt);
}
public Task<ExplanationSummary> GenerateSummaryAsync(
string content,
ExplanationType type,
CancellationToken cancellationToken = default)
{
// Extract first meaningful sentences for each line
var lines = content.Split('\n', StringSplitOptions.RemoveEmptyEntries)
.Where(l => !l.StartsWith('#') && !l.StartsWith('-') && l.Trim().Length > 10)
.Take(10)
.ToList();
var line1 = GetSummaryLine(lines, 0, type);
var line2 = GetSummaryLine(lines, 1, type);
var line3 = GetSummaryLine(lines, 2, type);
return Task.FromResult(new ExplanationSummary
{
Line1 = line1,
Line2 = line2,
Line3 = line3
});
}
private static string RenderTemplate(string template, ExplanationRequest request, EvidenceContext evidence)
{
var result = template;
// Replace simple placeholders
result = result.Replace("{{vulnerability_id}}", request.VulnerabilityId);
result = result.Replace("{{component_purl}}", request.ComponentPurl ?? "Unknown");
result = result.Replace("{{artifact_digest}}", request.ArtifactDigest);
result = result.Replace("{{scope}}", request.Scope);
result = result.Replace("{{scope_id}}", request.ScopeId);
// Render evidence sections
result = RenderEvidenceSection(result, "sbom_evidence", evidence.SbomEvidence);
result = RenderEvidenceSection(result, "reachability_evidence", evidence.ReachabilityEvidence);
result = RenderEvidenceSection(result, "runtime_evidence", evidence.RuntimeEvidence);
result = RenderEvidenceSection(result, "vex_evidence", evidence.VexEvidence);
result = RenderEvidenceSection(result, "patch_evidence", evidence.PatchEvidence);
return result;
}
private static string RenderEvidenceSection(string template, string sectionName, IReadOnlyList<EvidenceNode> evidence)
{
var pattern = $@"\{{\{{#{sectionName}\}}\}}(.*?)\{{\{{/{sectionName}\}}\}}";
var regex = new Regex(pattern, RegexOptions.Singleline);
if (evidence.Count == 0)
{
return regex.Replace(template, string.Empty);
}
var match = regex.Match(template);
if (!match.Success)
{
return template;
}
var itemTemplate = match.Groups[1].Value;
var rendered = new StringBuilder();
foreach (var node in evidence)
{
var item = itemTemplate;
item = item.Replace("{{id}}", node.Id);
item = item.Replace("{{type}}", node.Type);
item = item.Replace("{{confidence}}", node.Confidence.ToString("F2"));
item = item.Replace("{{content}}", node.Content);
item = item.Replace("{{summary}}", node.Summary);
item = item.Replace("{{.}}", FormatEvidenceNode(node));
rendered.Append(item);
}
return regex.Replace(template, rendered.ToString());
}
private static string FormatEvidenceNode(EvidenceNode node)
{
return $"[{node.Id}] {node.Summary} (confidence: {node.Confidence:F2})";
}
private static string GetSummaryLine(List<string> lines, int preferredIndex, ExplanationType type)
{
if (preferredIndex < lines.Count)
{
var line = lines[preferredIndex].Trim();
if (line.Length > 100)
{
line = line[..97] + "...";
}
return line;
}
// Fallback based on type and line position
return (type, preferredIndex) switch
{
(_, 0) => "Analysis complete.",
(ExplanationType.What, 1) => "Review the vulnerability details above.",
(ExplanationType.Why, 1) => "Consider the impact on your deployment.",
(ExplanationType.Evidence, 1) => "Review the evidence summary above.",
(ExplanationType.Counterfactual, 1) => "Actions that could change the verdict.",
(ExplanationType.Full, 1) => "Comprehensive assessment available.",
(_, 2) => "See full explanation for details.",
_ => "See details above."
};
}
}

209
src/AdvisoryAI/StellaOps.AdvisoryAI/Explanation/EvidenceAnchoredExplanationGenerator.cs Normal file
View File

@@ -0,0 +1,209 @@
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
namespace StellaOps.AdvisoryAI.Explanation;
/// <summary>
/// Implementation of explanation generator that anchors all claims to evidence.
/// Sprint: SPRINT_20251226_015_AI_zastava_companion
/// Task: ZASTAVA-03
/// </summary>
public sealed class EvidenceAnchoredExplanationGenerator : IExplanationGenerator
{
private readonly IEvidenceRetrievalService _evidenceService;
private readonly IExplanationPromptService _promptService;
private readonly IExplanationInferenceClient _inferenceClient;
private readonly ICitationExtractor _citationExtractor;
private readonly IExplanationStore _store;
private const double EvidenceBackedThreshold = 0.8;
public EvidenceAnchoredExplanationGenerator(
IEvidenceRetrievalService evidenceService,
IExplanationPromptService promptService,
IExplanationInferenceClient inferenceClient,
ICitationExtractor citationExtractor,
IExplanationStore store)
{
_evidenceService = evidenceService;
_promptService = promptService;
_inferenceClient = inferenceClient;
_citationExtractor = citationExtractor;
_store = store;
}
public async Task<ExplanationResult> GenerateAsync(ExplanationRequest request, CancellationToken cancellationToken = default)
{
// 1. Retrieve evidence context
var evidence = await _evidenceService.RetrieveEvidenceAsync(
request.FindingId,
request.ArtifactDigest,
request.VulnerabilityId,
request.ComponentPurl,
cancellationToken);
// 2. Build prompt with evidence
var prompt = await _promptService.BuildPromptAsync(request, evidence, cancellationToken);
// 3. Compute input hashes for replay
var inputHashes = ComputeInputHashes(request, evidence, prompt);
// 4. Generate explanation via LLM
var inferenceResult = await _inferenceClient.GenerateAsync(prompt, cancellationToken);
// 5. Extract and validate citations
var citations = await _citationExtractor.ExtractCitationsAsync(
inferenceResult.Content,
evidence,
cancellationToken);
// 6. Calculate citation rate and determine authority
var verifiedCitations = citations.Where(c => c.Verified).ToList();
var citationRate = citations.Count > 0
? (double)verifiedCitations.Count / citations.Count
: 0;
var authority = citationRate >= EvidenceBackedThreshold
? ExplanationAuthority.EvidenceBacked
: ExplanationAuthority.Suggestion;
// 7. Generate 3-line summary
var summary = await _promptService.GenerateSummaryAsync(
inferenceResult.Content,
request.ExplanationType,
cancellationToken);
// 8. Build result
var explanationId = GenerateExplanationId(inputHashes, inferenceResult.Content);
var outputHash = ComputeHash(inferenceResult.Content);
var result = new ExplanationResult
{
ExplanationId = explanationId,
Content = inferenceResult.Content,
Summary = summary,
Citations = citations,
ConfidenceScore = inferenceResult.Confidence,
CitationRate = citationRate,
Authority = authority,
EvidenceRefs = evidence.AllEvidence.Select(e => e.Id).ToList(),
ModelId = inferenceResult.ModelId,
PromptTemplateVersion = prompt.TemplateVersion,
InputHashes = inputHashes,
GeneratedAt = DateTime.UtcNow.ToString("O"),
OutputHash = outputHash
};
// 9. Store for replay
await _store.StoreAsync(result, cancellationToken);
return result;
}
public async Task<ExplanationResult> ReplayAsync(string explanationId, CancellationToken cancellationToken = default)
{
var original = await _store.GetAsync(explanationId, cancellationToken)
?? throw new InvalidOperationException($"Explanation {explanationId} not found");
// Validate inputs haven't changed
var isValid = await ValidateAsync(original, cancellationToken);
if (!isValid)
{
throw new InvalidOperationException("Input evidence has changed since original explanation");
}
// Reconstruct request from stored data
var storedRequest = await _store.GetRequestAsync(explanationId, cancellationToken)
?? throw new InvalidOperationException($"Request for {explanationId} not found");
// Re-generate with same inputs
return await GenerateAsync(storedRequest, cancellationToken);
}
public async Task<bool> ValidateAsync(ExplanationResult result, CancellationToken cancellationToken = default)
{
return await _evidenceService.ValidateEvidenceAsync(result.EvidenceRefs, cancellationToken);
}
private static IReadOnlyList<string> ComputeInputHashes(
ExplanationRequest request,
EvidenceContext evidence,
ExplanationPrompt prompt)
{
var hashes = new List<string>
{
ComputeHash(JsonSerializer.Serialize(request)),
evidence.ContextHash,
ComputeHash(prompt.Content)
};
return hashes;
}
private static string GenerateExplanationId(IReadOnlyList<string> inputHashes, string output)
{
var combined = string.Join("|", inputHashes) + "|" + output;
return $"sha256:{ComputeHash(combined)}";
}
private static string ComputeHash(string content)
{
var bytes = SHA256.HashData(Encoding.UTF8.GetBytes(content));
return Convert.ToHexStringLower(bytes);
}
}
/// <summary>
/// Prompt for explanation generation.
/// </summary>
public sealed record ExplanationPrompt
{
public required string Content { get; init; }
public required string TemplateVersion { get; init; }
}
/// <summary>
/// Inference result from LLM.
/// </summary>
public sealed record ExplanationInferenceResult
{
public required string Content { get; init; }
public required double Confidence { get; init; }
public required string ModelId { get; init; }
}
/// <summary>
/// Service for building explanation prompts.
/// </summary>
public interface IExplanationPromptService
{
Task<ExplanationPrompt> BuildPromptAsync(ExplanationRequest request, EvidenceContext evidence, CancellationToken cancellationToken = default);
Task<ExplanationSummary> GenerateSummaryAsync(string content, ExplanationType type, CancellationToken cancellationToken = default);
}
/// <summary>
/// Client for LLM inference.
/// </summary>
public interface IExplanationInferenceClient
{
Task<ExplanationInferenceResult> GenerateAsync(ExplanationPrompt prompt, CancellationToken cancellationToken = default);
}
/// <summary>
/// Service for extracting and validating citations.
/// </summary>
public interface ICitationExtractor
{
Task<IReadOnlyList<ExplanationCitation>> ExtractCitationsAsync(string content, EvidenceContext evidence, CancellationToken cancellationToken = default);
}
/// <summary>
/// Store for explanation results and replay data.
/// </summary>
public interface IExplanationStore
{
Task StoreAsync(ExplanationResult result, CancellationToken cancellationToken = default);
Task<ExplanationResult?> GetAsync(string explanationId, CancellationToken cancellationToken = default);
Task<ExplanationRequest?> GetRequestAsync(string explanationId, CancellationToken cancellationToken = default);
}

282
src/AdvisoryAI/StellaOps.AdvisoryAI/Explanation/ExplanationPromptTemplates.cs Normal file
View File

@@ -0,0 +1,282 @@
namespace StellaOps.AdvisoryAI.Explanation;
/// <summary>
/// Prompt templates for explanation generation.
/// Sprint: SPRINT_20251226_015_AI_zastava_companion
/// Task: ZASTAVA-05
/// </summary>
public static class ExplanationPromptTemplates
{
public const string TemplateVersion = "1.0.0";
/// <summary>
/// Template for "What is this vulnerability?" explanation.
/// </summary>
public static readonly string WhatTemplate = """
You are a security analyst explaining a vulnerability finding.
## Context
- Vulnerability: {{vulnerability_id}}
- Affected Component: {{component_purl}}
- Artifact: {{artifact_digest}}
- Scope: {{scope}} ({{scope_id}})
## Evidence Available
{{#sbom_evidence}}
### SBOM Evidence
{{.}}
{{/sbom_evidence}}
{{#reachability_evidence}}
### Reachability Evidence
{{.}}
{{/reachability_evidence}}
{{#vex_evidence}}
### VEX Statements
{{.}}
{{/vex_evidence}}
{{#patch_evidence}}
### Patch Information
{{.}}
{{/patch_evidence}}
## Instructions
Explain WHAT this vulnerability is:
1. Describe the vulnerability type and attack vector
2. Explain the affected functionality
3. Cite specific evidence using [EVIDENCE:id] format
Keep your response focused and cite all claims. Do not speculate beyond the evidence.
""";
/// <summary>
/// Template for "Why does it matter?" explanation.
/// </summary>
public static readonly string WhyTemplate = """
You are a security analyst explaining vulnerability impact.
## Context
- Vulnerability: {{vulnerability_id}}
- Affected Component: {{component_purl}}
- Artifact: {{artifact_digest}}
- Scope: {{scope}} ({{scope_id}})
## Evidence Available
{{#sbom_evidence}}
### SBOM Evidence
{{.}}
{{/sbom_evidence}}
{{#reachability_evidence}}
### Reachability Analysis
{{.}}
{{/reachability_evidence}}
{{#runtime_evidence}}
### Runtime Observations
{{.}}
{{/runtime_evidence}}
{{#vex_evidence}}
### VEX Statements
{{.}}
{{/vex_evidence}}
## Instructions
Explain WHY this vulnerability matters in this specific context:
1. Is the vulnerable code reachable from your application?
2. What is the potential impact based on how the component is used?
3. What runtime factors affect exploitability?
4. Cite specific evidence using [EVIDENCE:id] format
Focus on THIS deployment's context, not generic severity.
""";
/// <summary>
/// Template for evidence-focused explanation.
/// </summary>
public static readonly string EvidenceTemplate = """
You are a security analyst summarizing exploitability evidence.
## Context
- Vulnerability: {{vulnerability_id}}
- Affected Component: {{component_purl}}
- Artifact: {{artifact_digest}}
## All Available Evidence
{{#sbom_evidence}}
### SBOM Evidence (ID: {{id}})
Type: {{type}}
Confidence: {{confidence}}
Content: {{content}}
{{/sbom_evidence}}
{{#reachability_evidence}}
### Reachability Evidence (ID: {{id}})
Type: {{type}}
Confidence: {{confidence}}
Content: {{content}}
{{/reachability_evidence}}
{{#runtime_evidence}}
### Runtime Evidence (ID: {{id}})
Type: {{type}}
Confidence: {{confidence}}
Content: {{content}}
{{/runtime_evidence}}
{{#vex_evidence}}
### VEX Evidence (ID: {{id}})
Type: {{type}}
Confidence: {{confidence}}
Content: {{content}}
{{/vex_evidence}}
{{#patch_evidence}}
### Patch Evidence (ID: {{id}})
Type: {{type}}
Confidence: {{confidence}}
Content: {{content}}
{{/patch_evidence}}
## Instructions
Summarize the exploitability evidence:
1. List each piece of evidence with its type and confidence
2. Explain what each piece of evidence tells us
3. Identify gaps - what evidence is missing?
4. Provide an overall assessment of exploitability
5. Use [EVIDENCE:id] format for all citations
Be comprehensive but concise.
""";
/// <summary>
/// Template for counterfactual explanation.
/// </summary>
public static readonly string CounterfactualTemplate = """
You are a security analyst explaining what would change a verdict.
## Context
- Vulnerability: {{vulnerability_id}}
- Affected Component: {{component_purl}}
- Artifact: {{artifact_digest}}
- Current Verdict: {{current_verdict}}
## Current Evidence
{{#sbom_evidence}}
### SBOM Evidence
{{.}}
{{/sbom_evidence}}
{{#reachability_evidence}}
### Reachability Evidence
{{.}}
{{/reachability_evidence}}
{{#runtime_evidence}}
### Runtime Evidence
{{.}}
{{/runtime_evidence}}
{{#vex_evidence}}
### VEX Statements
{{.}}
{{/vex_evidence}}
## Instructions
Explain what would CHANGE the verdict:
1. What evidence would be needed to downgrade severity?
2. What conditions would make this exploitable vs not exploitable?
3. What mitigations could change the risk assessment?
4. What additional analysis would provide clarity?
5. Use [EVIDENCE:id] format for citations
Focus on actionable paths to change the risk assessment.
""";
/// <summary>
/// Template for full comprehensive explanation.
/// </summary>
public static readonly string FullTemplate = """
You are a security analyst providing a comprehensive vulnerability assessment.
## Context
- Vulnerability: {{vulnerability_id}}
- Affected Component: {{component_purl}}
- Artifact: {{artifact_digest}}
- Scope: {{scope}} ({{scope_id}})
## Complete Evidence Set
{{#sbom_evidence}}
### SBOM Evidence (ID: {{id}})
{{content}}
{{/sbom_evidence}}
{{#reachability_evidence}}
### Reachability Evidence (ID: {{id}})
{{content}}
{{/reachability_evidence}}
{{#runtime_evidence}}
### Runtime Evidence (ID: {{id}})
{{content}}
{{/runtime_evidence}}
{{#vex_evidence}}
### VEX Evidence (ID: {{id}})
{{content}}
{{/vex_evidence}}
{{#patch_evidence}}
### Patch Evidence (ID: {{id}})
{{content}}
{{/patch_evidence}}
## Instructions
Provide a comprehensive assessment covering:
### 1. What Is This Vulnerability?
- Describe the vulnerability type and mechanism
- Explain the attack vector
### 2. Why Does It Matter Here?
- Analyze reachability in this specific deployment
- Assess actual exploitability based on evidence
### 3. Evidence Summary
- List and evaluate each piece of evidence
- Identify evidence gaps
### 4. Recommended Actions
- Prioritized remediation steps
- What would change the verdict
Use [EVIDENCE:id] format for ALL citations. Do not make claims without evidence.
""";
/// <summary>
/// System prompt for plain language mode.
/// </summary>
public static readonly string PlainLanguageSystemPrompt = """
IMPORTANT: Explain in plain language suitable for someone new to security.
- Avoid jargon or define terms when first used
- Use analogies to explain technical concepts
- Focus on practical impact, not theoretical risk
- Keep sentences short and clear
""";
/// <summary>
/// Get template by explanation type.
/// </summary>
public static string GetTemplate(ExplanationType type) => type switch
{
ExplanationType.What => WhatTemplate,
ExplanationType.Why => WhyTemplate,
ExplanationType.Evidence => EvidenceTemplate,
ExplanationType.Counterfactual => CounterfactualTemplate,
ExplanationType.Full => FullTemplate,
_ => throw new ArgumentOutOfRangeException(nameof(type), type, "Unknown explanation type")
};
}

90
src/AdvisoryAI/StellaOps.AdvisoryAI/Explanation/ExplanationRequest.cs Normal file
View File

@@ -0,0 +1,90 @@
namespace StellaOps.AdvisoryAI.Explanation;
/// <summary>
/// Type of explanation to generate.
/// </summary>
public enum ExplanationType
{
/// <summary>
/// What is this vulnerability?
/// </summary>
What,
/// <summary>
/// Why does it matter in this context?
/// </summary>
Why,
/// <summary>
/// What evidence supports exploitability?
/// </summary>
Evidence,
/// <summary>
/// What would change the verdict?
/// </summary>
Counterfactual,
/// <summary>
/// Full comprehensive explanation.
/// </summary>
Full
}
/// <summary>
/// Request for generating an evidence-anchored explanation.
/// Sprint: SPRINT_20251226_015_AI_zastava_companion
/// Task: ZASTAVA-01
/// </summary>
public sealed record ExplanationRequest
{
/// <summary>
/// Finding ID to explain.
/// </summary>
public required string FindingId { get; init; }
/// <summary>
/// Artifact digest (image, SBOM, etc.) for context.
/// </summary>
public required string ArtifactDigest { get; init; }
/// <summary>
/// Scope of the explanation (service, release, image).
/// </summary>
public required string Scope { get; init; }
/// <summary>
/// Scope identifier.
/// </summary>
public required string ScopeId { get; init; }
/// <summary>
/// Type of explanation to generate.
/// </summary>
public required ExplanationType ExplanationType { get; init; }
/// <summary>
/// Vulnerability ID (CVE, GHSA, etc.).
/// </summary>
public required string VulnerabilityId { get; init; }
/// <summary>
/// Affected component PURL.
/// </summary>
public string? ComponentPurl { get; init; }
/// <summary>
/// Whether to use plain language mode.
/// </summary>
public bool PlainLanguage { get; init; }
/// <summary>
/// Maximum length of explanation (0 = no limit).
/// </summary>
public int MaxLength { get; init; }
/// <summary>
/// Correlation ID for tracing.
/// </summary>
public string? CorrelationId { get; init; }
}

142
src/AdvisoryAI/StellaOps.AdvisoryAI/Explanation/ExplanationResult.cs Normal file
View File

@@ -0,0 +1,142 @@
namespace StellaOps.AdvisoryAI.Explanation;
/// <summary>
/// Citation linking an explanation claim to evidence.
/// </summary>
public sealed record ExplanationCitation
{
/// <summary>
/// Claim text from the explanation.
/// </summary>
public required string ClaimText { get; init; }
/// <summary>
/// Evidence node ID supporting this claim.
/// </summary>
public required string EvidenceId { get; init; }
/// <summary>
/// Type of evidence (sbom, reachability, runtime, vex, patch).
/// </summary>
public required string EvidenceType { get; init; }
/// <summary>
/// Whether the citation was verified against the evidence.
/// </summary>
public required bool Verified { get; init; }
/// <summary>
/// Excerpt from the evidence supporting the claim.
/// </summary>
public string? EvidenceExcerpt { get; init; }
}
/// <summary>
/// Authority level of the explanation.
/// </summary>
public enum ExplanationAuthority
{
/// <summary>
/// All claims are evidence-backed (≥80% citation rate, all verified).
/// </summary>
EvidenceBacked,
/// <summary>
/// AI suggestion requiring human review.
/// </summary>
Suggestion
}
/// <summary>
/// Result of explanation generation.
/// Sprint: SPRINT_20251226_015_AI_zastava_companion
/// Task: ZASTAVA-07
/// </summary>
public sealed record ExplanationResult
{
/// <summary>
/// Unique ID for this explanation.
/// </summary>
public required string ExplanationId { get; init; }
/// <summary>
/// The explanation content (markdown supported).
/// </summary>
public required string Content { get; init; }
/// <summary>
/// 3-line summary for compact display.
/// </summary>
public required ExplanationSummary Summary { get; init; }
/// <summary>
/// Citations linking claims to evidence.
/// </summary>
public required IReadOnlyList<ExplanationCitation> Citations { get; init; }
/// <summary>
/// Overall confidence score (0.0-1.0).
/// </summary>
public required double ConfidenceScore { get; init; }
/// <summary>
/// Citation rate (verified citations / total claims).
/// </summary>
public required double CitationRate { get; init; }
/// <summary>
/// Authority classification.
/// </summary>
public required ExplanationAuthority Authority { get; init; }
/// <summary>
/// Evidence node IDs used in this explanation.
/// </summary>
public required IReadOnlyList<string> EvidenceRefs { get; init; }
/// <summary>
/// Model ID used for generation.
/// </summary>
public required string ModelId { get; init; }
/// <summary>
/// Prompt template version.
/// </summary>
public required string PromptTemplateVersion { get; init; }
/// <summary>
/// Input hashes for replay.
/// </summary>
public required IReadOnlyList<string> InputHashes { get; init; }
/// <summary>
/// Generation timestamp (UTC ISO-8601).
/// </summary>
public required string GeneratedAt { get; init; }
/// <summary>
/// Output hash for verification.
/// </summary>
public required string OutputHash { get; init; }
}
/// <summary>
/// 3-line summary following the AI UX pattern.
/// </summary>
public sealed record ExplanationSummary
{
/// <summary>
/// Line 1: What changed/what is it.
/// </summary>
public required string Line1 { get; init; }
/// <summary>
/// Line 2: Why it matters.
/// </summary>
public required string Line2 { get; init; }
/// <summary>
/// Line 3: Next action.
/// </summary>
public required string Line3 { get; init; }
}

122
src/AdvisoryAI/StellaOps.AdvisoryAI/Explanation/IEvidenceRetrievalService.cs Normal file
View File

@@ -0,0 +1,122 @@
namespace StellaOps.AdvisoryAI.Explanation;
/// <summary>
/// Evidence node for explanation anchoring.
/// </summary>
public sealed record EvidenceNode
{
/// <summary>
/// Unique ID (content-addressed hash).
/// </summary>
public required string Id { get; init; }
/// <summary>
/// Type of evidence.
/// </summary>
public required string Type { get; init; }
/// <summary>
/// Human-readable summary.
/// </summary>
public required string Summary { get; init; }
/// <summary>
/// Full content for citation matching.
/// </summary>
public required string Content { get; init; }
/// <summary>
/// Source of the evidence.
/// </summary>
public required string Source { get; init; }
/// <summary>
/// Confidence in this evidence (0.0-1.0).
/// </summary>
public required double Confidence { get; init; }
/// <summary>
/// Timestamp when evidence was collected.
/// </summary>
public required string CollectedAt { get; init; }
}
/// <summary>
/// Aggregated evidence context for explanation generation.
/// </summary>
public sealed record EvidenceContext
{
/// <summary>
/// SBOM-related evidence.
/// </summary>
public required IReadOnlyList<EvidenceNode> SbomEvidence { get; init; }
/// <summary>
/// Reachability analysis evidence.
/// </summary>
public required IReadOnlyList<EvidenceNode> ReachabilityEvidence { get; init; }
/// <summary>
/// Runtime observation evidence.
/// </summary>
public required IReadOnlyList<EvidenceNode> RuntimeEvidence { get; init; }
/// <summary>
/// VEX statement evidence.
/// </summary>
public required IReadOnlyList<EvidenceNode> VexEvidence { get; init; }
/// <summary>
/// Patch/fix availability evidence.
/// </summary>
public required IReadOnlyList<EvidenceNode> PatchEvidence { get; init; }
/// <summary>
/// All evidence nodes combined.
/// </summary>
public IEnumerable<EvidenceNode> AllEvidence =>
SbomEvidence
.Concat(ReachabilityEvidence)
.Concat(RuntimeEvidence)
.Concat(VexEvidence)
.Concat(PatchEvidence);
/// <summary>
/// Hash of all evidence for replay verification.
/// </summary>
public required string ContextHash { get; init; }
}
/// <summary>
/// Service for retrieving evidence nodes for explanation anchoring.
/// Sprint: SPRINT_20251226_015_AI_zastava_companion
/// Task: ZASTAVA-04
/// </summary>
public interface IEvidenceRetrievalService
{
/// <summary>
/// Retrieve all relevant evidence for a finding.
/// </summary>
/// <param name="findingId">Finding ID.</param>
/// <param name="artifactDigest">Artifact digest for context.</param>
/// <param name="vulnerabilityId">Vulnerability ID.</param>
/// <param name="componentPurl">Optional component PURL filter.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Aggregated evidence context.</returns>
Task<EvidenceContext> RetrieveEvidenceAsync(
string findingId,
string artifactDigest,
string vulnerabilityId,
string? componentPurl = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Get a specific evidence node by ID.
/// </summary>
Task<EvidenceNode?> GetEvidenceNodeAsync(string evidenceId, CancellationToken cancellationToken = default);
/// <summary>
/// Validate that evidence still exists and hasn't changed.
/// </summary>
Task<bool> ValidateEvidenceAsync(IEnumerable<string> evidenceIds, CancellationToken cancellationToken = default);
}

33
src/AdvisoryAI/StellaOps.AdvisoryAI/Explanation/IExplanationGenerator.cs Normal file
View File

@@ -0,0 +1,33 @@
namespace StellaOps.AdvisoryAI.Explanation;
/// <summary>
/// Service for generating evidence-anchored explanations.
/// Sprint: SPRINT_20251226_015_AI_zastava_companion
/// Task: ZASTAVA-02
/// </summary>
public interface IExplanationGenerator
{
/// <summary>
/// Generate an explanation for a finding.
/// </summary>
/// <param name="request">Explanation request.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Explanation result with citations and evidence refs.</returns>
Task<ExplanationResult> GenerateAsync(ExplanationRequest request, CancellationToken cancellationToken = default);
/// <summary>
/// Replay an explanation with the same inputs.
/// </summary>
/// <param name="explanationId">Original explanation ID.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Replayed explanation result.</returns>
Task<ExplanationResult> ReplayAsync(string explanationId, CancellationToken cancellationToken = default);
/// <summary>
/// Validate an explanation against its input hashes.
/// </summary>
/// <param name="result">Explanation result to validate.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if valid, false if inputs have changed.</returns>
Task<bool> ValidateAsync(ExplanationResult result, CancellationToken cancellationToken = default);
}

360
src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/AiRemediationPlanner.cs Normal file
View File

@@ -0,0 +1,360 @@
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
namespace StellaOps.AdvisoryAI.Remediation;
/// <summary>
/// AI-powered remediation planner implementation.
/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot
/// Task: REMEDY-03
/// </summary>
public sealed class AiRemediationPlanner : IRemediationPlanner
{
private readonly IPackageVersionResolver _versionResolver;
private readonly IRemediationPromptService _promptService;
private readonly IRemediationInferenceClient _inferenceClient;
private readonly IRemediationPlanStore _planStore;
public AiRemediationPlanner(
IPackageVersionResolver versionResolver,
IRemediationPromptService promptService,
IRemediationInferenceClient inferenceClient,
IRemediationPlanStore planStore)
{
_versionResolver = versionResolver;
_promptService = promptService;
_inferenceClient = inferenceClient;
_planStore = planStore;
}
public async Task<RemediationPlan> GeneratePlanAsync(
RemediationPlanRequest request,
CancellationToken cancellationToken = default)
{
// 1. Resolve package upgrade path
var versionResult = await _versionResolver.ResolveUpgradePathAsync(
request.ComponentPurl,
request.VulnerabilityId,
cancellationToken);
// 2. Determine remediation type if auto
var remediationType = request.RemediationType == RemediationType.Auto
? DetermineRemediationType(versionResult)
: request.RemediationType;
// 3. Build prompt with context
var prompt = await _promptService.BuildPromptAsync(
request,
versionResult,
remediationType,
cancellationToken);
// 4. Generate plan via LLM
var inferenceResult = await _inferenceClient.GeneratePlanAsync(prompt, cancellationToken);
// 5. Parse and validate steps
var steps = ParseSteps(inferenceResult.Content);
var riskAssessment = AssessRisk(steps, versionResult);
// 6. Determine authority and PR-readiness
var authority = DetermineAuthority(riskAssessment, versionResult);
var (prReady, notReadyReason) = DeterminePrReadiness(authority, steps, versionResult);
// 7. Build expected delta
var expectedDelta = BuildExpectedDelta(request, versionResult);
// 8. Build test requirements
var testRequirements = BuildTestRequirements(riskAssessment);
// 9. Compute input hashes
var inputHashes = ComputeInputHashes(request, versionResult, prompt);
// 10. Create plan
var planId = GeneratePlanId(inputHashes, inferenceResult.Content);
var plan = new RemediationPlan
{
PlanId = planId,
Request = request,
Steps = steps,
ExpectedDelta = expectedDelta,
RiskAssessment = riskAssessment,
TestRequirements = testRequirements,
Authority = authority,
PrReady = prReady,
NotReadyReason = notReadyReason,
ConfidenceScore = inferenceResult.Confidence,
ModelId = inferenceResult.ModelId,
GeneratedAt = DateTime.UtcNow.ToString("O"),
InputHashes = inputHashes,
EvidenceRefs = new List<string> { versionResult.CurrentVersion, versionResult.RecommendedVersion }
};
// 11. Store plan
await _planStore.StoreAsync(plan, cancellationToken);
return plan;
}
public async Task<bool> ValidatePlanAsync(string planId, CancellationToken cancellationToken = default)
{
var plan = await _planStore.GetAsync(planId, cancellationToken);
if (plan is null)
{
return false;
}
// Validate that upgrade path is still valid
var currentResult = await _versionResolver.ResolveUpgradePathAsync(
plan.Request.ComponentPurl,
plan.Request.VulnerabilityId,
cancellationToken);
return currentResult.RecommendedVersion == plan.EvidenceRefs[1];
}
public async Task<RemediationPlan?> GetPlanAsync(string planId, CancellationToken cancellationToken = default)
{
return await _planStore.GetAsync(planId, cancellationToken);
}
private static RemediationType DetermineRemediationType(VersionResolutionResult versionResult)
{
return versionResult.UpgradeType switch
{
"patch" => RemediationType.Bump,
"minor" => RemediationType.Bump,
"major" => RemediationType.Upgrade,
_ => RemediationType.Bump
};
}
private static IReadOnlyList<RemediationStep> ParseSteps(string content)
{
var steps = new List<RemediationStep>();
var lines = content.Split('\n', StringSplitOptions.RemoveEmptyEntries);
var order = 1;
foreach (var line in lines)
{
if (line.TrimStart().StartsWith("- ") || line.TrimStart().StartsWith("* "))
{
var step = new RemediationStep
{
Order = order++,
ActionType = "update_package",
FilePath = "package.json", // Default, would be parsed from content
Description = line.TrimStart()[2..].Trim(),
Risk = RemediationRisk.Low
};
steps.Add(step);
}
}
if (steps.Count == 0)
{
// Fallback: create a single step from content
steps.Add(new RemediationStep
{
Order = 1,
ActionType = "update_package",
FilePath = "dependency_file",
Description = content.Length > 200 ? content[..200] : content,
Risk = RemediationRisk.Medium
});
}
return steps;
}
private static RemediationRisk AssessRisk(
IReadOnlyList<RemediationStep> steps,
VersionResolutionResult versionResult)
{
if (versionResult.BreakingChanges.Count > 0)
{
return RemediationRisk.High;
}
if (versionResult.UpgradeType == "major")
{
return RemediationRisk.High;
}
if (versionResult.UpgradeType == "minor")
{
return RemediationRisk.Medium;
}
return steps.Any(s => s.Risk == RemediationRisk.High)
? RemediationRisk.High
: steps.Any(s => s.Risk == RemediationRisk.Medium)
? RemediationRisk.Medium
: RemediationRisk.Low;
}
private static RemediationAuthority DetermineAuthority(
RemediationRisk risk,
VersionResolutionResult versionResult)
{
if (!versionResult.IsSafe)
{
return RemediationAuthority.Suggestion;
}
return risk switch
{
RemediationRisk.Low => RemediationAuthority.Draft,
RemediationRisk.Medium => RemediationAuthority.Draft,
RemediationRisk.High => RemediationAuthority.Suggestion,
_ => RemediationAuthority.Suggestion
};
}
private static (bool prReady, string? reason) DeterminePrReadiness(
RemediationAuthority authority,
IReadOnlyList<RemediationStep> steps,
VersionResolutionResult versionResult)
{
if (authority == RemediationAuthority.Suggestion)
{
return (false, "Remediation requires human review due to potential breaking changes");
}
if (!versionResult.IsSafe)
{
return (false, $"Upgrade path may introduce issues: {string.Join(", ", versionResult.BreakingChanges)}");
}
if (versionResult.NewVulnerabilities.Count > 0)
{
return (false, $"Upgrade introduces new vulnerabilities: {string.Join(", ", versionResult.NewVulnerabilities)}");
}
if (steps.Count == 0)
{
return (false, "No remediation steps could be determined");
}
return (true, null);
}
private static ExpectedSbomDelta BuildExpectedDelta(
RemediationPlanRequest request,
VersionResolutionResult versionResult)
{
return new ExpectedSbomDelta
{
Added = Array.Empty<string>(),
Removed = new List<string> { request.ComponentPurl },
Upgraded = new Dictionary<string, string>
{
{ request.ComponentPurl, $"{request.ComponentPurl.Split('@')[0]}@{versionResult.RecommendedVersion}" }
},
NetVulnerabilityChange = -versionResult.VulnerabilitiesFixed.Count + versionResult.NewVulnerabilities.Count
};
}
private static RemediationTestRequirements BuildTestRequirements(RemediationRisk risk)
{
return risk switch
{
RemediationRisk.Low => new RemediationTestRequirements
{
TestSuites = new List<string> { "unit" },
MinCoverage = 0,
RequireAllPass = true,
Timeout = TimeSpan.FromMinutes(10)
},
RemediationRisk.Medium => new RemediationTestRequirements
{
TestSuites = new List<string> { "unit", "integration" },
MinCoverage = 0.5,
RequireAllPass = true,
Timeout = TimeSpan.FromMinutes(30)
},
_ => new RemediationTestRequirements
{
TestSuites = new List<string> { "unit", "integration", "e2e" },
MinCoverage = 0.8,
RequireAllPass = true,
Timeout = TimeSpan.FromMinutes(60)
}
};
}
private static IReadOnlyList<string> ComputeInputHashes(
RemediationPlanRequest request,
VersionResolutionResult versionResult,
RemediationPrompt prompt)
{
return new List<string>
{
ComputeHash(JsonSerializer.Serialize(request)),
ComputeHash(JsonSerializer.Serialize(versionResult)),
ComputeHash(prompt.Content)
};
}
private static string GeneratePlanId(IReadOnlyList<string> inputHashes, string output)
{
var combined = string.Join("|", inputHashes) + "|" + output;
return $"plan:{ComputeHash(combined)[..16]}";
}
private static string ComputeHash(string content)
{
var bytes = SHA256.HashData(Encoding.UTF8.GetBytes(content));
return Convert.ToHexStringLower(bytes);
}
}
/// <summary>
/// Prompt for remediation planning.
/// </summary>
public sealed record RemediationPrompt
{
public required string Content { get; init; }
public required string TemplateVersion { get; init; }
}
/// <summary>
/// Inference result from LLM for remediation.
/// </summary>
public sealed record RemediationInferenceResult
{
public required string Content { get; init; }
public required double Confidence { get; init; }
public required string ModelId { get; init; }
}
/// <summary>
/// Service for building remediation prompts.
/// </summary>
public interface IRemediationPromptService
{
Task<RemediationPrompt> BuildPromptAsync(
RemediationPlanRequest request,
VersionResolutionResult versionResult,
RemediationType type,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Client for LLM inference for remediation.
/// </summary>
public interface IRemediationInferenceClient
{
Task<RemediationInferenceResult> GeneratePlanAsync(
RemediationPrompt prompt,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Store for remediation plans.
/// </summary>
public interface IRemediationPlanStore
{
Task StoreAsync(RemediationPlan plan, CancellationToken cancellationToken = default);
Task<RemediationPlan?> GetAsync(string planId, CancellationToken cancellationToken = default);
}

126
src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/AzureDevOpsPullRequestGenerator.cs Normal file
View File

@@ -0,0 +1,126 @@
namespace StellaOps.AdvisoryAI.Remediation;
/// <summary>
/// Azure DevOps implementation of pull request generator.
/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot
/// Task: REMEDY-11
/// </summary>
public sealed class AzureDevOpsPullRequestGenerator : IPullRequestGenerator
{
public string ScmType => "azure-devops";
public Task<PullRequestResult> CreatePullRequestAsync(
RemediationPlan plan,
CancellationToken cancellationToken = default)
{
if (!plan.PrReady)
{
return Task.FromResult(new PullRequestResult
{
PrId = $"ado-pr-{Guid.NewGuid():N}",
PrNumber = 0,
Url = string.Empty,
BranchName = string.Empty,
Status = PullRequestStatus.Failed,
StatusMessage = plan.NotReadyReason ?? "Plan is not PR-ready",
CreatedAt = DateTime.UtcNow.ToString("O"),
UpdatedAt = DateTime.UtcNow.ToString("O")
});
}
var branchName = GenerateBranchName(plan);
var prId = $"ado-pr-{Guid.NewGuid():N}";
var now = DateTime.UtcNow.ToString("O");
// In a real implementation, this would use Azure DevOps REST API
return Task.FromResult(new PullRequestResult
{
PrId = prId,
PrNumber = new Random().Next(1000, 9999),
Url = $"https://dev.azure.com/{ExtractOrgProject(plan.Request.RepositoryUrl)}/_git/{ExtractRepoName(plan.Request.RepositoryUrl)}/pullrequest/{prId}",
BranchName = branchName,
Status = PullRequestStatus.Creating,
StatusMessage = "Pull request is being created",
CreatedAt = now,
UpdatedAt = now
});
}
public Task<PullRequestResult> GetStatusAsync(
string prId,
CancellationToken cancellationToken = default)
{
var now = DateTime.UtcNow.ToString("O");
return Task.FromResult(new PullRequestResult
{
PrId = prId,
PrNumber = 0,
Url = string.Empty,
BranchName = string.Empty,
Status = PullRequestStatus.Open,
StatusMessage = "Waiting for build",
CreatedAt = now,
UpdatedAt = now
});
}
public Task UpdateWithDeltaVerdictAsync(
string prId,
DeltaVerdictResult deltaVerdict,
CancellationToken cancellationToken = default)
{
return Task.CompletedTask;
}
public Task ClosePullRequestAsync(
string prId,
string reason,
CancellationToken cancellationToken = default)
{
return Task.CompletedTask;
}
private static string GenerateBranchName(RemediationPlan plan)
{
var vulnId = plan.Request.VulnerabilityId.Replace(":", "-").ToLowerInvariant();
var timestamp = DateTime.UtcNow.ToString("yyyyMMdd");
return $"stellaops/fix-{vulnId}-{timestamp}";
}
private static string ExtractOrgProject(string? repositoryUrl)
{
if (string.IsNullOrEmpty(repositoryUrl))
{
return "org/project";
}
// Azure DevOps URL format: https://dev.azure.com/{org}/{project}/_git/{repo}
var uri = new Uri(repositoryUrl);
var segments = uri.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries);
if (segments.Length >= 2)
{
return $"{segments[0]}/{segments[1]}";
}
return "org/project";
}
private static string ExtractRepoName(string? repositoryUrl)
{
if (string.IsNullOrEmpty(repositoryUrl))
{
return "repo";
}
var uri = new Uri(repositoryUrl);
var segments = uri.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries);
// Find _git segment and return the next one
for (int i = 0; i < segments.Length - 1; i++)
{
if (segments[i] == "_git")
{
return segments[i + 1];
}
}
return segments[^1];
}
}

125
src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/GitHubPullRequestGenerator.cs Normal file
View File

@@ -0,0 +1,125 @@
namespace StellaOps.AdvisoryAI.Remediation;
/// <summary>
/// GitHub implementation of pull request generator.
/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot
/// Task: REMEDY-09
/// </summary>
public sealed class GitHubPullRequestGenerator : IPullRequestGenerator
{
private readonly IRemediationPlanStore _planStore;
public GitHubPullRequestGenerator(IRemediationPlanStore planStore)
{
_planStore = planStore;
}
public string ScmType => "github";
public async Task<PullRequestResult> CreatePullRequestAsync(
RemediationPlan plan,
CancellationToken cancellationToken = default)
{
// Validate plan is PR-ready
if (!plan.PrReady)
{
return new PullRequestResult
{
PrId = $"pr-{Guid.NewGuid():N}",
PrNumber = 0,
Url = string.Empty,
BranchName = string.Empty,
Status = PullRequestStatus.Failed,
StatusMessage = plan.NotReadyReason ?? "Plan is not PR-ready",
CreatedAt = DateTime.UtcNow.ToString("O"),
UpdatedAt = DateTime.UtcNow.ToString("O")
};
}
// Generate branch name
var branchName = GenerateBranchName(plan);
// In a real implementation, this would:
// 1. Create a new branch
// 2. Apply remediation steps (update files)
// 3. Commit changes
// 4. Create PR via GitHub API
var prId = $"gh-pr-{Guid.NewGuid():N}";
var now = DateTime.UtcNow.ToString("O");
return new PullRequestResult
{
PrId = prId,
PrNumber = new Random().Next(1000, 9999), // Placeholder
Url = $"https://github.com/{ExtractOwnerRepo(plan.Request.RepositoryUrl)}/pull/{prId}",
BranchName = branchName,
Status = PullRequestStatus.Creating,
StatusMessage = "Pull request is being created",
CreatedAt = now,
UpdatedAt = now
};
}
public Task<PullRequestResult> GetStatusAsync(
string prId,
CancellationToken cancellationToken = default)
{
// In a real implementation, this would query GitHub API
var now = DateTime.UtcNow.ToString("O");
return Task.FromResult(new PullRequestResult
{
PrId = prId,
PrNumber = 0,
Url = string.Empty,
BranchName = string.Empty,
Status = PullRequestStatus.Open,
StatusMessage = "Waiting for CI",
CreatedAt = now,
UpdatedAt = now
});
}
public Task UpdateWithDeltaVerdictAsync(
string prId,
DeltaVerdictResult deltaVerdict,
CancellationToken cancellationToken = default)
{
// In a real implementation, this would update PR description via GitHub API
return Task.CompletedTask;
}
public Task ClosePullRequestAsync(
string prId,
string reason,
CancellationToken cancellationToken = default)
{
// In a real implementation, this would close PR via GitHub API
return Task.CompletedTask;
}
private static string GenerateBranchName(RemediationPlan plan)
{
var vulnId = plan.Request.VulnerabilityId.Replace(":", "-").ToLowerInvariant();
var timestamp = DateTime.UtcNow.ToString("yyyyMMdd");
return $"stellaops/fix-{vulnId}-{timestamp}";
}
private static string ExtractOwnerRepo(string? repositoryUrl)
{
if (string.IsNullOrEmpty(repositoryUrl))
{
return "owner/repo";
}
// Extract owner/repo from GitHub URL
var uri = new Uri(repositoryUrl);
var path = uri.AbsolutePath.Trim('/');
if (path.EndsWith(".git"))
{
path = path[..^4];
}
return path;
}
}

105
src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/GitLabMergeRequestGenerator.cs Normal file
View File

@@ -0,0 +1,105 @@
namespace StellaOps.AdvisoryAI.Remediation;
/// <summary>
/// GitLab implementation of pull request generator.
/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot
/// Task: REMEDY-10
/// </summary>
public sealed class GitLabMergeRequestGenerator : IPullRequestGenerator
{
public string ScmType => "gitlab";
public Task<PullRequestResult> CreatePullRequestAsync(
RemediationPlan plan,
CancellationToken cancellationToken = default)
{
if (!plan.PrReady)
{
return Task.FromResult(new PullRequestResult
{
PrId = $"mr-{Guid.NewGuid():N}",
PrNumber = 0,
Url = string.Empty,
BranchName = string.Empty,
Status = PullRequestStatus.Failed,
StatusMessage = plan.NotReadyReason ?? "Plan is not MR-ready",
CreatedAt = DateTime.UtcNow.ToString("O"),
UpdatedAt = DateTime.UtcNow.ToString("O")
});
}
var branchName = GenerateBranchName(plan);
var mrId = $"gl-mr-{Guid.NewGuid():N}";
var now = DateTime.UtcNow.ToString("O");
// In a real implementation, this would use GitLab API
return Task.FromResult(new PullRequestResult
{
PrId = mrId,
PrNumber = new Random().Next(1000, 9999),
Url = $"https://gitlab.com/{ExtractProjectPath(plan.Request.RepositoryUrl)}/-/merge_requests/{mrId}",
BranchName = branchName,
Status = PullRequestStatus.Creating,
StatusMessage = "Merge request is being created",
CreatedAt = now,
UpdatedAt = now
});
}
public Task<PullRequestResult> GetStatusAsync(
string prId,
CancellationToken cancellationToken = default)
{
var now = DateTime.UtcNow.ToString("O");
return Task.FromResult(new PullRequestResult
{
PrId = prId,
PrNumber = 0,
Url = string.Empty,
BranchName = string.Empty,
Status = PullRequestStatus.Open,
StatusMessage = "Waiting for pipeline",
CreatedAt = now,
UpdatedAt = now
});
}
public Task UpdateWithDeltaVerdictAsync(
string prId,
DeltaVerdictResult deltaVerdict,
CancellationToken cancellationToken = default)
{
return Task.CompletedTask;
}
public Task ClosePullRequestAsync(
string prId,
string reason,
CancellationToken cancellationToken = default)
{
return Task.CompletedTask;
}
private static string GenerateBranchName(RemediationPlan plan)
{
var vulnId = plan.Request.VulnerabilityId.Replace(":", "-").ToLowerInvariant();
var timestamp = DateTime.UtcNow.ToString("yyyyMMdd");
return $"stellaops/fix-{vulnId}-{timestamp}";
}
private static string ExtractProjectPath(string? repositoryUrl)
{
if (string.IsNullOrEmpty(repositoryUrl))
{
return "group/project";
}
var uri = new Uri(repositoryUrl);
var path = uri.AbsolutePath.Trim('/');
if (path.EndsWith(".git"))
{
path = path[..^4];
}
return path;
}
}

88
src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/IPackageVersionResolver.cs Normal file
View File

@@ -0,0 +1,88 @@
namespace StellaOps.AdvisoryAI.Remediation;
/// <summary>
/// Version resolution result.
/// </summary>
public sealed record VersionResolutionResult
{
/// <summary>
/// Current version.
/// </summary>
public required string CurrentVersion { get; init; }
/// <summary>
/// Recommended upgrade version.
/// </summary>
public required string RecommendedVersion { get; init; }
/// <summary>
/// Latest available version.
/// </summary>
public required string LatestVersion { get; init; }
/// <summary>
/// Whether upgrade path is safe.
/// </summary>
public required bool IsSafe { get; init; }
/// <summary>
/// Breaking changes detected.
/// </summary>
public required IReadOnlyList<string> BreakingChanges { get; init; }
/// <summary>
/// Vulnerabilities fixed by upgrade.
/// </summary>
public required IReadOnlyList<string> VulnerabilitiesFixed { get; init; }
/// <summary>
/// New vulnerabilities introduced (rare but possible).
/// </summary>
public required IReadOnlyList<string> NewVulnerabilities { get; init; }
/// <summary>
/// Upgrade type (patch, minor, major).
/// </summary>
public required string UpgradeType { get; init; }
/// <summary>
/// Confidence in the resolution (0.0-1.0).
/// </summary>
public required double Confidence { get; init; }
}
/// <summary>
/// Service for resolving package versions and validating upgrade paths.
/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot
/// Task: REMEDY-04
/// </summary>
public interface IPackageVersionResolver
{
/// <summary>
/// Resolve upgrade path for a package.
/// </summary>
/// <param name="purl">Package URL.</param>
/// <param name="targetVulnerability">Vulnerability to fix.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Version resolution result.</returns>
Task<VersionResolutionResult> ResolveUpgradePathAsync(
string purl,
string targetVulnerability,
CancellationToken cancellationToken = default);
/// <summary>
/// Check if a specific version is available.
/// </summary>
/// <param name="purl">Package URL with version.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if version exists.</returns>
Task<bool> IsVersionAvailableAsync(string purl, CancellationToken cancellationToken = default);
/// <summary>
/// Get all available versions for a package.
/// </summary>
/// <param name="purl">Package URL (without version).</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>List of available versions.</returns>
Task<IReadOnlyList<string>> GetAvailableVersionsAsync(string purl, CancellationToken cancellationToken = default);
}

218
src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/IPullRequestGenerator.cs Normal file
View File

@@ -0,0 +1,218 @@
namespace StellaOps.AdvisoryAI.Remediation;
/// <summary>
/// Status of a pull request.
/// </summary>
public enum PullRequestStatus
{
/// <summary>
/// PR is being created.
/// </summary>
Creating,
/// <summary>
/// PR is open and waiting for review.
/// </summary>
Open,
/// <summary>
/// PR build is in progress.
/// </summary>
Building,
/// <summary>
/// PR build passed.
/// </summary>
BuildPassed,
/// <summary>
/// PR build failed.
/// </summary>
BuildFailed,
/// <summary>
/// PR tests are running.
/// </summary>
Testing,
/// <summary>
/// PR tests passed.
/// </summary>
TestsPassed,
/// <summary>
/// PR tests failed.
/// </summary>
TestsFailed,
/// <summary>
/// PR is merged.
/// </summary>
Merged,
/// <summary>
/// PR is closed without merge.
/// </summary>
Closed,
/// <summary>
/// PR creation failed.
/// </summary>
Failed
}
/// <summary>
/// Result of creating a pull request.
/// </summary>
public sealed record PullRequestResult
{
/// <summary>
/// Unique PR identifier.
/// </summary>
public required string PrId { get; init; }
/// <summary>
/// PR number in the SCM.
/// </summary>
public required int PrNumber { get; init; }
/// <summary>
/// URL to view the PR.
/// </summary>
public required string Url { get; init; }
/// <summary>
/// Branch name for the PR.
/// </summary>
public required string BranchName { get; init; }
/// <summary>
/// Current status.
/// </summary>
public required PullRequestStatus Status { get; init; }
/// <summary>
/// Status message.
/// </summary>
public string? StatusMessage { get; init; }
/// <summary>
/// Build result if available.
/// </summary>
public BuildResult? BuildResult { get; init; }
/// <summary>
/// Test result if available.
/// </summary>
public TestResult? TestResult { get; init; }
/// <summary>
/// Delta verdict if available.
/// </summary>
public DeltaVerdictResult? DeltaVerdict { get; init; }
/// <summary>
/// Created timestamp.
/// </summary>
public required string CreatedAt { get; init; }
/// <summary>
/// Last updated timestamp.
/// </summary>
public required string UpdatedAt { get; init; }
}
/// <summary>
/// Build result from CI pipeline.
/// </summary>
public sealed record BuildResult
{
public required bool Success { get; init; }
public required string BuildId { get; init; }
public string? BuildUrl { get; init; }
public string? ErrorMessage { get; init; }
public required string CompletedAt { get; init; }
}
/// <summary>
/// Test result from test suite.
/// </summary>
public sealed record TestResult
{
public required bool AllPassed { get; init; }
public required int TotalTests { get; init; }
public required int PassedTests { get; init; }
public required int FailedTests { get; init; }
public required int SkippedTests { get; init; }
public double Coverage { get; init; }
public IReadOnlyList<string> FailedTestNames { get; init; } = Array.Empty<string>();
public required string CompletedAt { get; init; }
}
/// <summary>
/// Delta verdict result.
/// </summary>
public sealed record DeltaVerdictResult
{
public required bool Improved { get; init; }
public required int VulnerabilitiesFixed { get; init; }
public required int VulnerabilitiesIntroduced { get; init; }
public required string VerdictId { get; init; }
public string? SignatureId { get; init; }
public required string ComputedAt { get; init; }
}
/// <summary>
/// Service for generating pull requests from remediation plans.
/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot
/// Task: REMEDY-08
/// </summary>
public interface IPullRequestGenerator
{
/// <summary>
/// SCM type supported by this generator.
/// </summary>
string ScmType { get; }
/// <summary>
/// Create a pull request for a remediation plan.
/// </summary>
/// <param name="plan">Remediation plan to apply.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Pull request result.</returns>
Task<PullRequestResult> CreatePullRequestAsync(
RemediationPlan plan,
CancellationToken cancellationToken = default);
/// <summary>
/// Get the status of a pull request.
/// </summary>
/// <param name="prId">PR identifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Current PR status.</returns>
Task<PullRequestResult> GetStatusAsync(
string prId,
CancellationToken cancellationToken = default);
/// <summary>
/// Update PR description with delta verdict.
/// </summary>
/// <param name="prId">PR identifier.</param>
/// <param name="deltaVerdict">Delta verdict to include.</param>
/// <param name="cancellationToken">Cancellation token.</param>
Task UpdateWithDeltaVerdictAsync(
string prId,
DeltaVerdictResult deltaVerdict,
CancellationToken cancellationToken = default);
/// <summary>
/// Close a pull request.
/// </summary>
/// <param name="prId">PR identifier.</param>
/// <param name="reason">Reason for closing.</param>
/// <param name="cancellationToken">Cancellation token.</param>
Task ClosePullRequestAsync(
string prId,
string reason,
CancellationToken cancellationToken = default);
}

33
src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/IRemediationPlanner.cs Normal file
View File

@@ -0,0 +1,33 @@
namespace StellaOps.AdvisoryAI.Remediation;
/// <summary>
/// Service for generating AI-powered remediation plans.
/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot
/// Task: REMEDY-02
/// </summary>
public interface IRemediationPlanner
{
/// <summary>
/// Generate a remediation plan for a finding.
/// </summary>
/// <param name="request">Remediation request.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Remediation plan with steps and risk assessment.</returns>
Task<RemediationPlan> GeneratePlanAsync(RemediationPlanRequest request, CancellationToken cancellationToken = default);
/// <summary>
/// Validate a remediation plan against current state.
/// </summary>
/// <param name="planId">Plan ID to validate.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if plan is still valid.</returns>
Task<bool> ValidatePlanAsync(string planId, CancellationToken cancellationToken = default);
/// <summary>
/// Get a stored remediation plan.
/// </summary>
/// <param name="planId">Plan ID.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The plan, or null if not found.</returns>
Task<RemediationPlan?> GetPlanAsync(string planId, CancellationToken cancellationToken = default);
}

224
src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/RemediationPlan.cs Normal file
View File

@@ -0,0 +1,224 @@
namespace StellaOps.AdvisoryAI.Remediation;
/// <summary>
/// Authority level of the remediation plan.
/// </summary>
public enum RemediationAuthority
{
/// <summary>
/// Verified: build passed, tests passed, delta verified.
/// </summary>
Verified,
/// <summary>
/// Suggestion: requires human review (build/tests failed or not run).
/// </summary>
Suggestion,
/// <summary>
/// Draft: initial plan not yet verified.
/// </summary>
Draft
}
/// <summary>
/// Risk level of the remediation.
/// </summary>
public enum RemediationRisk
{
/// <summary>
/// Low risk: patch version bump.
/// </summary>
Low,
/// <summary>
/// Medium risk: minor version bump.
/// </summary>
Medium,
/// <summary>
/// High risk: major version bump or breaking changes.
/// </summary>
High,
/// <summary>
/// Unknown risk: unable to determine.
/// </summary>
Unknown
}
/// <summary>
/// A single step in a remediation plan.
/// </summary>
public sealed record RemediationStep
{
/// <summary>
/// Step number (1-based).
/// </summary>
public required int Order { get; init; }
/// <summary>
/// Type of action (update_package, update_lockfile, update_config, run_command, etc.).
/// </summary>
public required string ActionType { get; init; }
/// <summary>
/// File path affected.
/// </summary>
public required string FilePath { get; init; }
/// <summary>
/// Description of the change.
/// </summary>
public required string Description { get; init; }
/// <summary>
/// Previous value (for diff).
/// </summary>
public string? PreviousValue { get; init; }
/// <summary>
/// New value (for diff).
/// </summary>
public string? NewValue { get; init; }
/// <summary>
/// Whether this step is optional.
/// </summary>
public bool Optional { get; init; }
/// <summary>
/// Risk assessment for this step.
/// </summary>
public RemediationRisk Risk { get; init; } = RemediationRisk.Low;
}
/// <summary>
/// Expected SBOM delta after remediation.
/// </summary>
public sealed record ExpectedSbomDelta
{
/// <summary>
/// Components to be added.
/// </summary>
public required IReadOnlyList<string> Added { get; init; }
/// <summary>
/// Components to be removed.
/// </summary>
public required IReadOnlyList<string> Removed { get; init; }
/// <summary>
/// Components to be upgraded (old_purl → new_purl).
/// </summary>
public required IReadOnlyDictionary<string, string> Upgraded { get; init; }
/// <summary>
/// Net vulnerability change (negative = improvement).
/// </summary>
public required int NetVulnerabilityChange { get; init; }
}
/// <summary>
/// Test requirements for verifying remediation.
/// </summary>
public sealed record RemediationTestRequirements
{
/// <summary>
/// Required test suites to run.
/// </summary>
public required IReadOnlyList<string> TestSuites { get; init; }
/// <summary>
/// Minimum coverage required.
/// </summary>
public double MinCoverage { get; init; }
/// <summary>
/// Whether all tests must pass.
/// </summary>
public bool RequireAllPass { get; init; } = true;
/// <summary>
/// Timeout for test execution.
/// </summary>
public TimeSpan Timeout { get; init; } = TimeSpan.FromMinutes(30);
}
/// <summary>
/// A complete remediation plan.
/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot
/// Task: REMEDY-05
/// </summary>
public sealed record RemediationPlan
{
/// <summary>
/// Unique plan ID.
/// </summary>
public required string PlanId { get; init; }
/// <summary>
/// Original request.
/// </summary>
public required RemediationPlanRequest Request { get; init; }
/// <summary>
/// Remediation steps to apply.
/// </summary>
public required IReadOnlyList<RemediationStep> Steps { get; init; }
/// <summary>
/// Expected SBOM delta.
/// </summary>
public required ExpectedSbomDelta ExpectedDelta { get; init; }
/// <summary>
/// Overall risk assessment.
/// </summary>
public required RemediationRisk RiskAssessment { get; init; }
/// <summary>
/// Test requirements.
/// </summary>
public required RemediationTestRequirements TestRequirements { get; init; }
/// <summary>
/// Authority classification.
/// </summary>
public required RemediationAuthority Authority { get; init; }
/// <summary>
/// PR-ready flag (true if plan can be applied automatically).
/// </summary>
public required bool PrReady { get; init; }
/// <summary>
/// Reason if not PR-ready.
/// </summary>
public string? NotReadyReason { get; init; }
/// <summary>
/// Confidence score (0.0-1.0).
/// </summary>
public required double ConfidenceScore { get; init; }
/// <summary>
/// Model ID used for generation.
/// </summary>
public required string ModelId { get; init; }
/// <summary>
/// Generated timestamp (UTC ISO-8601).
/// </summary>
public required string GeneratedAt { get; init; }
/// <summary>
/// Input hashes for replay.
/// </summary>
public required IReadOnlyList<string> InputHashes { get; init; }
/// <summary>
/// Evidence refs used in planning.
/// </summary>
public required IReadOnlyList<string> EvidenceRefs { get; init; }
}

85
src/AdvisoryAI/StellaOps.AdvisoryAI/Remediation/RemediationPlanRequest.cs Normal file
View File

@@ -0,0 +1,85 @@
namespace StellaOps.AdvisoryAI.Remediation;
/// <summary>
/// Type of remediation to apply.
/// </summary>
public enum RemediationType
{
/// <summary>
/// Bump dependency to patched version.
/// </summary>
Bump,
/// <summary>
/// Upgrade base image to newer version.
/// </summary>
Upgrade,
/// <summary>
/// Apply configuration change to mitigate.
/// </summary>
Config,
/// <summary>
/// Apply backport patch.
/// </summary>
Backport,
/// <summary>
/// Auto-detect best remediation type.
/// </summary>
Auto
}
/// <summary>
/// Request for generating a remediation plan.
/// Sprint: SPRINT_20251226_016_AI_remedy_autopilot
/// Task: REMEDY-01
/// </summary>
public sealed record RemediationPlanRequest
{
/// <summary>
/// Finding ID to remediate.
/// </summary>
public required string FindingId { get; init; }
/// <summary>
/// Artifact digest for context.
/// </summary>
public required string ArtifactDigest { get; init; }
/// <summary>
/// Vulnerability ID (CVE, GHSA, etc.).
/// </summary>
public required string VulnerabilityId { get; init; }
/// <summary>
/// Affected component PURL.
/// </summary>
public required string ComponentPurl { get; init; }
/// <summary>
/// Type of remediation to apply.
/// </summary>
public RemediationType RemediationType { get; init; } = RemediationType.Auto;
/// <summary>
/// Repository URL for PR generation.
/// </summary>
public string? RepositoryUrl { get; init; }
/// <summary>
/// Target branch for PR (default: main).
/// </summary>
public string TargetBranch { get; init; } = "main";
/// <summary>
/// Whether to generate PR immediately.
/// </summary>
public bool AutoCreatePr { get; init; }
/// <summary>
/// Correlation ID for tracing.
/// </summary>
public string? CorrelationId { get; init; }
}

483
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/Controllers/BundlesController.cs Normal file
View File

@@ -0,0 +1,483 @@
// -----------------------------------------------------------------------------
// BundlesController.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0010-0012 - Create bundle API endpoints
// Description: API endpoints for attestation bundle management
// -----------------------------------------------------------------------------
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Models;
namespace StellaOps.Attestor.WebService.Controllers;
/// <summary>
/// API endpoints for attestation bundle management.
/// Bundles aggregate attestations for a time period with optional org-key signing.
/// </summary>
[ApiController]
[Route("api/v1/bundles")]
[Produces("application/json")]
[Authorize]
public class BundlesController : ControllerBase
{
private readonly IAttestationBundler _bundler;
private readonly ILogger<BundlesController> _logger;
/// <summary>
/// Create a new BundlesController.
/// </summary>
public BundlesController(
IAttestationBundler bundler,
ILogger<BundlesController> logger)
{
_bundler = bundler ?? throw new ArgumentNullException(nameof(bundler));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <summary>
/// Create a new attestation bundle for a time period.
/// </summary>
/// <param name="request">Bundle creation parameters.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The created bundle metadata.</returns>
[HttpPost]
[ProducesResponseType(typeof(BundleCreatedResponse), StatusCodes.Status201Created)]
[ProducesResponseType(StatusCodes.Status400BadRequest)]
public async Task<ActionResult<BundleCreatedResponse>> CreateBundleAsync(
[FromBody] CreateBundleRequest request,
CancellationToken ct = default)
{
if (request.PeriodEnd <= request.PeriodStart)
{
return BadRequest(new ProblemDetails
{
Title = "Invalid period",
Detail = "periodEnd must be after periodStart",
Status = StatusCodes.Status400BadRequest
});
}
_logger.LogInformation(
"Creating bundle for period {Start} to {End}",
request.PeriodStart,
request.PeriodEnd);
try
{
var creationRequest = new BundleCreationRequest(
request.PeriodStart,
request.PeriodEnd,
request.TenantId,
request.SignWithOrgKey,
request.OrgKeyId);
var bundle = await _bundler.CreateBundleAsync(creationRequest, ct);
var response = new BundleCreatedResponse
{
BundleId = bundle.Metadata.BundleId,
Status = "created",
AttestationCount = bundle.Attestations.Count,
PeriodStart = bundle.Metadata.PeriodStart,
PeriodEnd = bundle.Metadata.PeriodEnd,
CreatedAt = bundle.Metadata.CreatedAt,
HasOrgSignature = bundle.OrgSignature != null
};
return CreatedAtAction(
nameof(GetBundleAsync),
new { bundleId = bundle.Metadata.BundleId },
response);
}
catch (InvalidOperationException ex)
{
_logger.LogWarning(ex, "Failed to create bundle");
return BadRequest(new ProblemDetails
{
Title = "Bundle creation failed",
Detail = ex.Message,
Status = StatusCodes.Status400BadRequest
});
}
}
/// <summary>
/// Get bundle metadata by ID.
/// </summary>
/// <param name="bundleId">The bundle ID (sha256:...).</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Bundle metadata.</returns>
[HttpGet("{bundleId}")]
[ProducesResponseType(typeof(BundleMetadataResponse), StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult<BundleMetadataResponse>> GetBundleAsync(
[FromRoute] string bundleId,
CancellationToken ct = default)
{
if (!IsValidBundleId(bundleId))
{
return BadRequest(new ProblemDetails
{
Title = "Invalid bundle ID",
Detail = "Bundle ID must be in format sha256:<64-hex>",
Status = StatusCodes.Status400BadRequest
});
}
var bundle = await _bundler.GetBundleAsync(bundleId, ct);
if (bundle == null)
{
return NotFound(new ProblemDetails
{
Title = "Bundle not found",
Detail = $"No bundle found with ID {bundleId}",
Status = StatusCodes.Status404NotFound
});
}
return Ok(new BundleMetadataResponse
{
BundleId = bundle.Metadata.BundleId,
Version = bundle.Metadata.Version,
PeriodStart = bundle.Metadata.PeriodStart,
PeriodEnd = bundle.Metadata.PeriodEnd,
AttestationCount = bundle.Metadata.AttestationCount,
MerkleRoot = bundle.MerkleTree.Root,
OrgSignature = bundle.OrgSignature != null
? new OrgSignatureInfo
{
KeyId = bundle.OrgSignature.KeyId,
Algorithm = bundle.OrgSignature.Algorithm,
SignedAt = bundle.OrgSignature.SignedAt
}
: null,
CreatedAt = bundle.Metadata.CreatedAt
});
}
/// <summary>
/// List bundles with pagination.
/// </summary>
/// <param name="periodStart">Optional start of period filter.</param>
/// <param name="periodEnd">Optional end of period filter.</param>
/// <param name="tenantId">Optional tenant filter.</param>
/// <param name="limit">Maximum results (default 20).</param>
/// <param name="cursor">Pagination cursor.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Paginated list of bundles.</returns>
[HttpGet]
[ProducesResponseType(typeof(BundleListResponse), StatusCodes.Status200OK)]
public async Task<ActionResult<BundleListResponse>> ListBundlesAsync(
[FromQuery] DateTimeOffset? periodStart,
[FromQuery] DateTimeOffset? periodEnd,
[FromQuery] string? tenantId,
[FromQuery] int limit = 20,
[FromQuery] string? cursor = null,
CancellationToken ct = default)
{
var request = new BundleListRequest(
periodStart,
periodEnd,
tenantId,
Math.Clamp(limit, 1, 100),
cursor);
var result = await _bundler.ListBundlesAsync(request, ct);
var bundles = result.Bundles.Select(b => new BundleListItem
{
BundleId = b.BundleId,
PeriodStart = b.PeriodStart,
PeriodEnd = b.PeriodEnd,
AttestationCount = b.AttestationCount,
CreatedAt = b.CreatedAt,
HasOrgSignature = b.HasOrgSignature
}).ToList();
return Ok(new BundleListResponse
{
Bundles = bundles,
NextCursor = result.NextCursor
});
}
/// <summary>
/// Verify bundle integrity and signatures.
/// </summary>
/// <param name="bundleId">The bundle ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Verification result.</returns>
[HttpPost("{bundleId}/verify")]
[ProducesResponseType(typeof(BundleVerifyResponse), StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult<BundleVerifyResponse>> VerifyBundleAsync(
[FromRoute] string bundleId,
CancellationToken ct = default)
{
if (!IsValidBundleId(bundleId))
{
return BadRequest(new ProblemDetails
{
Title = "Invalid bundle ID",
Detail = "Bundle ID must be in format sha256:<64-hex>",
Status = StatusCodes.Status400BadRequest
});
}
var bundle = await _bundler.GetBundleAsync(bundleId, ct);
if (bundle == null)
{
return NotFound(new ProblemDetails
{
Title = "Bundle not found",
Detail = $"No bundle found with ID {bundleId}",
Status = StatusCodes.Status404NotFound
});
}
var result = await _bundler.VerifyBundleAsync(bundle, ct);
return Ok(new BundleVerifyResponse
{
Valid = result.Valid,
MerkleRootVerified = result.MerkleRootVerified,
OrgSignatureVerified = result.OrgSignatureVerified,
AttestationsVerified = result.AttestationsVerified,
Issues = result.Issues.Select(i => new BundleIssueDto
{
Severity = i.Severity.ToString().ToLowerInvariant(),
Code = i.Code,
Message = i.Message,
EntryId = i.EntryId
}).ToList(),
VerifiedAt = result.VerifiedAt
});
}
/// <summary>
/// Get a specific attestation from a bundle.
/// </summary>
/// <param name="bundleId">The bundle ID.</param>
/// <param name="entryId">The attestation entry ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>The attestation.</returns>
[HttpGet("{bundleId}/attestations/{entryId}")]
[ProducesResponseType(typeof(BundledAttestation), StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult<BundledAttestation>> GetAttestationAsync(
[FromRoute] string bundleId,
[FromRoute] string entryId,
CancellationToken ct = default)
{
var bundle = await _bundler.GetBundleAsync(bundleId, ct);
if (bundle == null)
{
return NotFound(new ProblemDetails
{
Title = "Bundle not found",
Detail = $"No bundle found with ID {bundleId}",
Status = StatusCodes.Status404NotFound
});
}
var attestation = bundle.Attestations.FirstOrDefault(a =>
string.Equals(a.EntryId, entryId, StringComparison.OrdinalIgnoreCase));
if (attestation == null)
{
return NotFound(new ProblemDetails
{
Title = "Attestation not found",
Detail = $"No attestation found with entry ID {entryId} in bundle {bundleId}",
Status = StatusCodes.Status404NotFound
});
}
return Ok(attestation);
}
private static bool IsValidBundleId(string value)
{
if (string.IsNullOrWhiteSpace(value))
return false;
if (!value.StartsWith("sha256:", StringComparison.Ordinal))
return false;
var hex = value.AsSpan()["sha256:".Length..];
if (hex.Length != 64)
return false;
foreach (var c in hex)
{
if (c is not ((>= '0' and <= '9') or (>= 'a' and <= 'f')))
return false;
}
return true;
}
}
#region DTOs
/// <summary>Request to create a bundle.</summary>
public sealed record CreateBundleRequest
{
/// <summary>Start of attestation collection period.</summary>
public required DateTimeOffset PeriodStart { get; init; }
/// <summary>End of attestation collection period.</summary>
public required DateTimeOffset PeriodEnd { get; init; }
/// <summary>Optional tenant ID filter.</summary>
public string? TenantId { get; init; }
/// <summary>Whether to sign with organization key.</summary>
public bool SignWithOrgKey { get; init; } = true;
/// <summary>Organization key ID to use (uses active key if not specified).</summary>
public string? OrgKeyId { get; init; }
}
/// <summary>Response after bundle creation.</summary>
public sealed record BundleCreatedResponse
{
/// <summary>The created bundle ID.</summary>
public required string BundleId { get; init; }
/// <summary>Creation status.</summary>
public required string Status { get; init; }
/// <summary>Number of attestations in the bundle.</summary>
public required int AttestationCount { get; init; }
/// <summary>Period start.</summary>
public required DateTimeOffset PeriodStart { get; init; }
/// <summary>Period end.</summary>
public required DateTimeOffset PeriodEnd { get; init; }
/// <summary>When the bundle was created.</summary>
public required DateTimeOffset CreatedAt { get; init; }
/// <summary>Whether the bundle has an org signature.</summary>
public required bool HasOrgSignature { get; init; }
}
/// <summary>Bundle metadata response.</summary>
public sealed record BundleMetadataResponse
{
/// <summary>Bundle ID.</summary>
public required string BundleId { get; init; }
/// <summary>Schema version.</summary>
public required string Version { get; init; }
/// <summary>Period start.</summary>
public required DateTimeOffset PeriodStart { get; init; }
/// <summary>Period end.</summary>
public required DateTimeOffset PeriodEnd { get; init; }
/// <summary>Number of attestations.</summary>
public required int AttestationCount { get; init; }
/// <summary>Merkle root.</summary>
public required string MerkleRoot { get; init; }
/// <summary>Org signature info if present.</summary>
public OrgSignatureInfo? OrgSignature { get; init; }
/// <summary>Creation timestamp.</summary>
public required DateTimeOffset CreatedAt { get; init; }
}
/// <summary>Org signature info.</summary>
public sealed record OrgSignatureInfo
{
/// <summary>Key ID.</summary>
public required string KeyId { get; init; }
/// <summary>Algorithm.</summary>
public required string Algorithm { get; init; }
/// <summary>When signed.</summary>
public required DateTimeOffset SignedAt { get; init; }
}
/// <summary>Bundle list response.</summary>
public sealed record BundleListResponse
{
/// <summary>The bundles.</summary>
public required IReadOnlyList<BundleListItem> Bundles { get; init; }
/// <summary>Next page cursor.</summary>
public string? NextCursor { get; init; }
}
/// <summary>Bundle list item.</summary>
public sealed record BundleListItem
{
/// <summary>Bundle ID.</summary>
public required string BundleId { get; init; }
/// <summary>Period start.</summary>
public required DateTimeOffset PeriodStart { get; init; }
/// <summary>Period end.</summary>
public required DateTimeOffset PeriodEnd { get; init; }
/// <summary>Attestation count.</summary>
public required int AttestationCount { get; init; }
/// <summary>Creation time.</summary>
public required DateTimeOffset CreatedAt { get; init; }
/// <summary>Whether has org signature.</summary>
public required bool HasOrgSignature { get; init; }
}
/// <summary>Bundle verification response.</summary>
public sealed record BundleVerifyResponse
{
/// <summary>Overall validity.</summary>
public required bool Valid { get; init; }
/// <summary>Merkle root verified.</summary>
public required bool MerkleRootVerified { get; init; }
/// <summary>Org signature verified (if present).</summary>
public bool? OrgSignatureVerified { get; init; }
/// <summary>Number of attestations verified.</summary>
public required int AttestationsVerified { get; init; }
/// <summary>Issues found.</summary>
public required IReadOnlyList<BundleIssueDto> Issues { get; init; }
/// <summary>Verification timestamp.</summary>
public required DateTimeOffset VerifiedAt { get; init; }
}
/// <summary>Bundle issue DTO.</summary>
public sealed record BundleIssueDto
{
/// <summary>Issue severity.</summary>
public required string Severity { get; init; }
/// <summary>Issue code.</summary>
public required string Code { get; init; }
/// <summary>Issue message.</summary>
public required string Message { get; init; }
/// <summary>Related entry ID.</summary>
public string? EntryId { get; init; }
}
#endregion

3
src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/StellaOps.Attestor.WebService.csproj
View File

@@ -1,4 +1,4 @@
<?xml version='1.0' encoding='utf-8'?>
<?xml version="1.0" encoding="utf-8"?>
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
@@ -28,5 +28,6 @@
<ProjectReference Include="../../../Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOps.Auth.ServerIntegration.csproj" />
<ProjectReference Include="../../__Libraries/StellaOps.Attestor.StandardPredicates/StellaOps.Attestor.StandardPredicates.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.Router.AspNet/StellaOps.Router.AspNet.csproj" />
<ProjectReference Include="..\..\__Libraries\StellaOps.Attestor.Bundling\StellaOps.Attestor.Bundling.csproj" />
</ItemGroup>
</Project>

157
src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Abstractions/IAttestationBundler.cs Normal file
View File

@@ -0,0 +1,157 @@
// -----------------------------------------------------------------------------
// IAttestationBundler.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0005 - Implement IAttestationBundler service
// Description: Service interface for creating attestation bundles
// -----------------------------------------------------------------------------
using StellaOps.Attestor.Bundling.Models;
namespace StellaOps.Attestor.Bundling.Abstractions;
/// <summary>
/// Service for creating and managing attestation bundles.
/// </summary>
public interface IAttestationBundler
{
/// <summary>
/// Create a new attestation bundle for a time period.
/// </summary>
/// <param name="request">Bundle creation parameters.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The created attestation bundle.</returns>
Task<AttestationBundle> CreateBundleAsync(
BundleCreationRequest request,
CancellationToken cancellationToken = default);
/// <summary>
/// Get an existing bundle by ID.
/// </summary>
/// <param name="bundleId">The bundle ID (sha256:&lt;merkle_root&gt;).</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The bundle if found, null otherwise.</returns>
Task<AttestationBundle?> GetBundleAsync(
string bundleId,
CancellationToken cancellationToken = default);
/// <summary>
/// List bundles matching the specified criteria.
/// </summary>
/// <param name="request">List parameters.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Paginated bundle list.</returns>
Task<BundleListResult> ListBundlesAsync(
BundleListRequest request,
CancellationToken cancellationToken = default);
/// <summary>
/// Verify the integrity of a bundle (Merkle tree and optional org signature).
/// </summary>
/// <param name="bundle">The bundle to verify.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Verification result.</returns>
Task<BundleVerificationResult> VerifyBundleAsync(
AttestationBundle bundle,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Request parameters for bundle creation.
/// </summary>
/// <param name="PeriodStart">Start of the attestation collection period.</param>
/// <param name="PeriodEnd">End of the attestation collection period.</param>
/// <param name="TenantId">Optional tenant identifier for multi-tenant filtering.</param>
/// <param name="SignWithOrgKey">Whether to sign the bundle with an organization key.</param>
/// <param name="OrgKeyId">Organization key ID to use for signing.</param>
public record BundleCreationRequest(
DateTimeOffset PeriodStart,
DateTimeOffset PeriodEnd,
string? TenantId = null,
bool SignWithOrgKey = false,
string? OrgKeyId = null);
/// <summary>
/// Request parameters for listing bundles.
/// </summary>
/// <param name="PeriodStart">Optional start of period filter.</param>
/// <param name="PeriodEnd">Optional end of period filter.</param>
/// <param name="TenantId">Optional tenant filter.</param>
/// <param name="Limit">Maximum number of results.</param>
/// <param name="Cursor">Pagination cursor.</param>
public record BundleListRequest(
DateTimeOffset? PeriodStart = null,
DateTimeOffset? PeriodEnd = null,
string? TenantId = null,
int Limit = 20,
string? Cursor = null);
/// <summary>
/// Result of a bundle list operation.
/// </summary>
/// <param name="Bundles">The matching bundles (metadata only).</param>
/// <param name="NextCursor">Cursor for the next page, null if no more results.</param>
public record BundleListResult(
IReadOnlyList<BundleListItem> Bundles,
string? NextCursor);
/// <summary>
/// Bundle metadata for list results.
/// </summary>
/// <param name="BundleId">The bundle ID.</param>
/// <param name="PeriodStart">Start of collection period.</param>
/// <param name="PeriodEnd">End of collection period.</param>
/// <param name="AttestationCount">Number of attestations.</param>
/// <param name="CreatedAt">Bundle creation timestamp.</param>
/// <param name="HasOrgSignature">Whether the bundle has an org signature.</param>
public record BundleListItem(
string BundleId,
DateTimeOffset PeriodStart,
DateTimeOffset PeriodEnd,
int AttestationCount,
DateTimeOffset CreatedAt,
bool HasOrgSignature);
/// <summary>
/// Result of bundle verification.
/// </summary>
/// <param name="Valid">Whether the bundle is valid.</param>
/// <param name="MerkleRootVerified">Whether the Merkle root matches.</param>
/// <param name="OrgSignatureVerified">Whether the org signature is valid (if present).</param>
/// <param name="AttestationsVerified">Number of attestations verified.</param>
/// <param name="Issues">Any verification issues found.</param>
/// <param name="VerifiedAt">Verification timestamp.</param>
public record BundleVerificationResult(
bool Valid,
bool MerkleRootVerified,
bool? OrgSignatureVerified,
int AttestationsVerified,
IReadOnlyList<BundleVerificationIssue> Issues,
DateTimeOffset VerifiedAt);
/// <summary>
/// A verification issue found during bundle verification.
/// </summary>
/// <param name="Severity">Issue severity.</param>
/// <param name="Code">Machine-readable issue code.</param>
/// <param name="Message">Human-readable message.</param>
/// <param name="EntryId">Related attestation entry ID, if applicable.</param>
public record BundleVerificationIssue(
VerificationIssueSeverity Severity,
string Code,
string Message,
string? EntryId = null);
/// <summary>
/// Severity levels for verification issues.
/// </summary>
public enum VerificationIssueSeverity
{
/// <summary>Informational message.</summary>
Info,
/// <summary>Warning that may affect trust.</summary>
Warning,
/// <summary>Error that affects verification.</summary>
Error,
/// <summary>Critical error that invalidates the bundle.</summary>
Critical
}

51
src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Abstractions/IBundleAggregator.cs Normal file
View File

@@ -0,0 +1,51 @@
// -----------------------------------------------------------------------------
// IBundleAggregator.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0003 - Implement IBundleAggregator for collecting attestations
// Description: Interface for aggregating attestations from storage
// -----------------------------------------------------------------------------
using StellaOps.Attestor.Bundling.Models;
namespace StellaOps.Attestor.Bundling.Abstractions;
/// <summary>
/// Service for aggregating attestations from storage for bundling.
/// </summary>
public interface IBundleAggregator
{
/// <summary>
/// Collect attestations for a time period.
/// </summary>
/// <param name="request">Aggregation parameters.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Collected attestations in deterministic order.</returns>
IAsyncEnumerable<BundledAttestation> AggregateAsync(
AggregationRequest request,
CancellationToken cancellationToken = default);
/// <summary>
/// Count attestations for a time period without loading them.
/// </summary>
/// <param name="request">Aggregation parameters.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The attestation count.</returns>
Task<int> CountAsync(
AggregationRequest request,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Request parameters for attestation aggregation.
/// </summary>
/// <param name="PeriodStart">Start of the collection period.</param>
/// <param name="PeriodEnd">End of the collection period.</param>
/// <param name="TenantId">Optional tenant filter.</param>
/// <param name="PredicateTypes">Optional filter for specific predicate types.</param>
/// <param name="BatchSize">Number of attestations to fetch per batch.</param>
public record AggregationRequest(
DateTimeOffset PeriodStart,
DateTimeOffset PeriodEnd,
string? TenantId = null,
IReadOnlyList<string>? PredicateTypes = null,
int BatchSize = 500);

138
src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Abstractions/IBundleStore.cs Normal file
View File

@@ -0,0 +1,138 @@
// -----------------------------------------------------------------------------
// IBundleStore.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0009 - Implement IBundleStore for S3/RustFS
// Description: Interface for bundle storage and retrieval
// -----------------------------------------------------------------------------
using StellaOps.Attestor.Bundling.Models;
namespace StellaOps.Attestor.Bundling.Abstractions;
/// <summary>
/// Storage abstraction for attestation bundles.
/// Supports S3-compatible storage (RustFS) and filesystem backends.
/// </summary>
public interface IBundleStore
{
/// <summary>
/// Store a bundle.
/// </summary>
/// <param name="bundle">The bundle to store.</param>
/// <param name="options">Storage options.</param>
/// <param name="cancellationToken">Cancellation token.</param>
Task StoreBundleAsync(
AttestationBundle bundle,
BundleStorageOptions? options = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Retrieve a bundle by ID.
/// </summary>
/// <param name="bundleId">The bundle ID.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The bundle if found, null otherwise.</returns>
Task<AttestationBundle?> GetBundleAsync(
string bundleId,
CancellationToken cancellationToken = default);
/// <summary>
/// Check if a bundle exists.
/// </summary>
/// <param name="bundleId">The bundle ID.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if the bundle exists.</returns>
Task<bool> ExistsAsync(
string bundleId,
CancellationToken cancellationToken = default);
/// <summary>
/// Delete a bundle.
/// </summary>
/// <param name="bundleId">The bundle ID.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if the bundle was deleted.</returns>
Task<bool> DeleteBundleAsync(
string bundleId,
CancellationToken cancellationToken = default);
/// <summary>
/// List bundle metadata with pagination.
/// </summary>
/// <param name="request">List parameters.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Paginated list of bundle metadata.</returns>
Task<BundleListResult> ListBundlesAsync(
BundleListRequest request,
CancellationToken cancellationToken = default);
/// <summary>
/// Export a bundle to a stream (with optional compression).
/// </summary>
/// <param name="bundleId">The bundle ID.</param>
/// <param name="output">The output stream.</param>
/// <param name="options">Export options.</param>
/// <param name="cancellationToken">Cancellation token.</param>
Task ExportBundleAsync(
string bundleId,
Stream output,
BundleExportOptions? options = null,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Options for bundle storage.
/// </summary>
/// <param name="Compression">Compression format (none, gzip, zstd).</param>
/// <param name="ObjectLock">Object lock mode for WORM protection.</param>
/// <param name="RetentionDays">Retention period in days.</param>
public record BundleStorageOptions(
BundleCompression Compression = BundleCompression.Zstd,
ObjectLockMode ObjectLock = ObjectLockMode.None,
int? RetentionDays = null);
/// <summary>
/// Options for bundle export.
/// </summary>
/// <param name="Format">Export format (json or cbor).</param>
/// <param name="Compression">Compression format.</param>
public record BundleExportOptions(
BundleFormat Format = BundleFormat.Json,
BundleCompression Compression = BundleCompression.Zstd);
/// <summary>
/// Bundle serialization format.
/// </summary>
public enum BundleFormat
{
/// <summary>JSON format for human readability.</summary>
Json,
/// <summary>CBOR format for compact size.</summary>
Cbor
}
/// <summary>
/// Bundle compression format.
/// </summary>
public enum BundleCompression
{
/// <summary>No compression.</summary>
None,
/// <summary>Gzip compression.</summary>
Gzip,
/// <summary>Zstandard compression (default).</summary>
Zstd
}
/// <summary>
/// Object lock mode for WORM protection.
/// </summary>
public enum ObjectLockMode
{
/// <summary>No object lock.</summary>
None,
/// <summary>Governance mode (can be bypassed with special permissions).</summary>
Governance,
/// <summary>Compliance mode (cannot be bypassed).</summary>
Compliance
}

72
src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Abstractions/IOrgKeySigner.cs Normal file
View File

@@ -0,0 +1,72 @@
// -----------------------------------------------------------------------------
// IOrgKeySigner.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0006 - Implement IOrgKeySigner interface
// Description: Interface for organization key signing of bundles
// -----------------------------------------------------------------------------
using StellaOps.Attestor.Bundling.Models;
namespace StellaOps.Attestor.Bundling.Abstractions;
/// <summary>
/// Service for signing bundles with organization keys.
/// Supports KMS/HSM-backed keys for high-assurance signing.
/// </summary>
public interface IOrgKeySigner
{
/// <summary>
/// Sign a bundle digest with an organization key.
/// </summary>
/// <param name="bundleDigest">SHA-256 digest of the canonical bundle content.</param>
/// <param name="keyId">Key identifier to use for signing.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The organization signature.</returns>
Task<OrgSignature> SignBundleAsync(
byte[] bundleDigest,
string keyId,
CancellationToken cancellationToken = default);
/// <summary>
/// Verify an organization signature on a bundle.
/// </summary>
/// <param name="bundleDigest">SHA-256 digest of the canonical bundle content.</param>
/// <param name="signature">The signature to verify.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if the signature is valid.</returns>
Task<bool> VerifyBundleAsync(
byte[] bundleDigest,
OrgSignature signature,
CancellationToken cancellationToken = default);
/// <summary>
/// Get the current signing key ID based on configuration and rotation policy.
/// </summary>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The active key ID.</returns>
Task<string> GetActiveKeyIdAsync(CancellationToken cancellationToken = default);
/// <summary>
/// List available signing keys.
/// </summary>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Available key information.</returns>
Task<IReadOnlyList<OrgKeyInfo>> ListKeysAsync(CancellationToken cancellationToken = default);
}
/// <summary>
/// Organization signing key information.
/// </summary>
/// <param name="KeyId">Unique key identifier.</param>
/// <param name="Algorithm">Signing algorithm (e.g., "ECDSA_P256", "Ed25519").</param>
/// <param name="Fingerprint">Key fingerprint (SHA-256 of public key).</param>
/// <param name="ValidFrom">Start of key validity period.</param>
/// <param name="ValidUntil">End of key validity period (null if no expiration).</param>
/// <param name="IsActive">Whether this key is currently active for signing.</param>
public record OrgKeyInfo(
string KeyId,
string Algorithm,
string Fingerprint,
DateTimeOffset ValidFrom,
DateTimeOffset? ValidUntil,
bool IsActive);

387
src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Configuration/BundlingOptions.cs Normal file
View File

@@ -0,0 +1,387 @@
// -----------------------------------------------------------------------------
// BundlingOptions.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0013, 0016 - Bundle retention policy schema and job configuration
// Description: Configuration options for attestation bundling and retention
// -----------------------------------------------------------------------------
namespace StellaOps.Attestor.Bundling.Configuration;
/// <summary>
/// Configuration options for attestation bundling.
/// </summary>
public sealed class BundlingOptions
{
/// <summary>
/// Whether bundling is enabled.
/// </summary>
public bool Enabled { get; set; } = true;
/// <summary>
/// Schedule configuration for automated bundling.
/// </summary>
public BundleScheduleOptions Schedule { get; set; } = new();
/// <summary>
/// Aggregation settings for collecting attestations.
/// </summary>
public BundleAggregationOptions Aggregation { get; set; } = new();
/// <summary>
/// Organization key signing settings.
/// </summary>
public BundleSigningOptions Signing { get; set; } = new();
/// <summary>
/// Retention policy settings.
/// </summary>
public BundleRetentionOptions Retention { get; set; } = new();
/// <summary>
/// Storage settings for bundles.
/// </summary>
public BundleStorageOptions Storage { get; set; } = new();
/// <summary>
/// Export settings.
/// </summary>
public BundleExportOptions Export { get; set; } = new();
}
/// <summary>
/// Schedule options for bundle rotation.
/// </summary>
public sealed class BundleScheduleOptions
{
/// <summary>
/// Cron expression for rotation schedule.
/// Default: Monthly on the 1st at 02:00 UTC.
/// </summary>
public string Cron { get; set; } = "0 2 1 * *";
/// <summary>
/// Rotation cadence.
/// </summary>
public string Cadence { get; set; } = "monthly";
/// <summary>
/// Timezone for schedule evaluation.
/// </summary>
public string Timezone { get; set; } = "UTC";
/// <summary>
/// Whether to skip weekends for rotation.
/// </summary>
public bool SkipWeekends { get; set; } = false;
}
/// <summary>
/// Aggregation options for collecting attestations into bundles.
/// </summary>
public sealed class BundleAggregationOptions
{
/// <summary>
/// Look-back period in days for attestation collection.
/// </summary>
public int LookbackDays { get; set; } = 31;
/// <summary>
/// Maximum attestations per bundle.
/// If exceeded, multiple bundles are created.
/// </summary>
public int MaxAttestationsPerBundle { get; set; } = 10000;
/// <summary>
/// Batch size for database queries.
/// </summary>
public int QueryBatchSize { get; set; } = 500;
/// <summary>
/// Minimum attestations required to create a bundle.
/// </summary>
public int MinAttestationsForBundle { get; set; } = 1;
/// <summary>
/// Whether to include failed attestations in bundles.
/// </summary>
public bool IncludeFailedAttestations { get; set; } = false;
/// <summary>
/// Predicate types to include. Empty = all types.
/// </summary>
public IList<string> PredicateTypes { get; set; } = new List<string>();
}
/// <summary>
/// Signing options for organization key signing of bundles.
/// </summary>
public sealed class BundleSigningOptions
{
/// <summary>
/// Whether to sign bundles with organization key.
/// </summary>
public bool SignWithOrgKey { get; set; } = true;
/// <summary>
/// Organization key ID to use (null = use active key).
/// </summary>
public string? OrgKeyId { get; set; }
/// <summary>
/// Key rotation configuration.
/// </summary>
public IList<KeyRotationEntry> KeyRotation { get; set; } = new List<KeyRotationEntry>();
/// <summary>
/// Signing algorithm.
/// </summary>
public string Algorithm { get; set; } = "ECDSA_P256";
/// <summary>
/// Whether to include certificate chain in signature.
/// </summary>
public bool IncludeCertificateChain { get; set; } = true;
}
/// <summary>
/// Key rotation schedule entry.
/// </summary>
public sealed class KeyRotationEntry
{
/// <summary>
/// Key identifier.
/// </summary>
public string KeyId { get; set; } = string.Empty;
/// <summary>
/// Start of key validity.
/// </summary>
public DateTimeOffset? ValidFrom { get; set; }
/// <summary>
/// End of key validity.
/// </summary>
public DateTimeOffset? ValidUntil { get; set; }
}
/// <summary>
/// Retention policy options for bundle lifecycle management.
/// </summary>
public sealed class BundleRetentionOptions
{
/// <summary>
/// Whether retention policy enforcement is enabled.
/// </summary>
public bool Enabled { get; set; } = true;
/// <summary>
/// Default retention period in months.
/// </summary>
public int DefaultMonths { get; set; } = 24;
/// <summary>
/// Minimum retention period in months (cannot be overridden lower).
/// </summary>
public int MinimumMonths { get; set; } = 6;
/// <summary>
/// Maximum retention period in months.
/// </summary>
public int MaximumMonths { get; set; } = 120;
/// <summary>
/// Per-tenant retention overrides.
/// </summary>
public IDictionary<string, int> TenantOverrides { get; set; } = new Dictionary<string, int>();
/// <summary>
/// Per-predicate type retention overrides.
/// </summary>
public IDictionary<string, int> PredicateTypeOverrides { get; set; } = new Dictionary<string, int>();
/// <summary>
/// Whether to delete or archive expired bundles.
/// </summary>
public RetentionAction ExpiryAction { get; set; } = RetentionAction.Delete;
/// <summary>
/// Archive storage tier for archived bundles.
/// </summary>
public string ArchiveStorageTier { get; set; } = "glacier";
/// <summary>
/// Grace period in days before deletion (warning period).
/// </summary>
public int GracePeriodDays { get; set; } = 30;
/// <summary>
/// Whether to send notifications before bundle expiry.
/// </summary>
public bool NotifyBeforeExpiry { get; set; } = true;
/// <summary>
/// Days before expiry to send notification.
/// </summary>
public int NotifyDaysBeforeExpiry { get; set; } = 30;
/// <summary>
/// Maximum bundles to process per retention run.
/// </summary>
public int MaxBundlesPerRun { get; set; } = 100;
}
/// <summary>
/// Action to take when a bundle expires.
/// </summary>
public enum RetentionAction
{
/// <summary>
/// Delete expired bundles permanently.
/// </summary>
Delete,
/// <summary>
/// Archive expired bundles to cold storage.
/// </summary>
Archive,
/// <summary>
/// Mark as expired but retain.
/// </summary>
MarkOnly
}
/// <summary>
/// Storage options for bundle persistence.
/// </summary>
public sealed class BundleStorageOptions
{
/// <summary>
/// Storage backend type.
/// </summary>
public string Backend { get; set; } = "s3";
/// <summary>
/// S3 storage configuration.
/// </summary>
public BundleS3Options S3 { get; set; } = new();
/// <summary>
/// Filesystem storage configuration.
/// </summary>
public BundleFilesystemOptions Filesystem { get; set; } = new();
/// <summary>
/// PostgreSQL metadata storage configuration.
/// </summary>
public BundlePostgresOptions Postgres { get; set; } = new();
}
/// <summary>
/// S3 storage options for bundles.
/// </summary>
public sealed class BundleS3Options
{
/// <summary>
/// S3 bucket name.
/// </summary>
public string Bucket { get; set; } = "stellaops-attestor";
/// <summary>
/// Object key prefix.
/// </summary>
public string Prefix { get; set; } = "bundles/";
/// <summary>
/// Object lock mode for WORM protection.
/// </summary>
public string? ObjectLock { get; set; } = "governance";
/// <summary>
/// Storage class for new objects.
/// </summary>
public string StorageClass { get; set; } = "STANDARD";
/// <summary>
/// Whether to enable server-side encryption.
/// </summary>
public bool ServerSideEncryption { get; set; } = true;
/// <summary>
/// KMS key for encryption.
/// </summary>
public string? KmsKeyId { get; set; }
}
/// <summary>
/// Filesystem storage options for bundles.
/// </summary>
public sealed class BundleFilesystemOptions
{
/// <summary>
/// Base path for bundle storage.
/// </summary>
public string Path { get; set; } = "/var/lib/stellaops/attestor/bundles";
/// <summary>
/// Directory permissions (octal).
/// </summary>
public string DirectoryPermissions { get; set; } = "0750";
/// <summary>
/// File permissions (octal).
/// </summary>
public string FilePermissions { get; set; } = "0640";
}
/// <summary>
/// PostgreSQL options for bundle metadata.
/// </summary>
public sealed class BundlePostgresOptions
{
/// <summary>
/// Schema name.
/// </summary>
public string Schema { get; set; } = "attestor";
/// <summary>
/// Bundles table name.
/// </summary>
public string BundlesTable { get; set; } = "bundles";
/// <summary>
/// Bundle entries table name.
/// </summary>
public string EntriesTable { get; set; } = "bundle_entries";
}
/// <summary>
/// Export options for bundles.
/// </summary>
public sealed class BundleExportOptions
{
/// <summary>
/// Whether to include bundles in Offline Kit.
/// </summary>
public bool IncludeInOfflineKit { get; set; } = true;
/// <summary>
/// Compression algorithm for export.
/// </summary>
public string Compression { get; set; } = "zstd";
/// <summary>
/// Compression level.
/// </summary>
public int CompressionLevel { get; set; } = 3;
/// <summary>
/// Maximum bundle age to include in exports (months).
/// </summary>
public int MaxAgeMonths { get; set; } = 12;
/// <summary>
/// Supported export formats.
/// </summary>
public IList<string> SupportedFormats { get; set; } = new List<string> { "json", "cbor" };
}

361
src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Models/AttestationBundle.cs Normal file
View File

@@ -0,0 +1,361 @@
// -----------------------------------------------------------------------------
// AttestationBundle.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0002 - Define AttestationBundle record and schema
// Description: Aggregated attestation bundle for long-term verification
// -----------------------------------------------------------------------------
using System.Text.Json.Serialization;
namespace StellaOps.Attestor.Bundling.Models;
/// <summary>
/// Attestation bundle aggregating multiple attestations for a time period.
/// Contains all material needed for offline verification including Merkle tree
/// for integrity and optional organization signature for endorsement.
/// </summary>
public sealed record AttestationBundle
{
/// <summary>
/// Bundle metadata including period, version, and creation timestamp.
/// </summary>
[JsonPropertyName("metadata")]
public required BundleMetadata Metadata { get; init; }
/// <summary>
/// All attestations included in this bundle.
/// </summary>
[JsonPropertyName("attestations")]
public required IReadOnlyList<BundledAttestation> Attestations { get; init; }
/// <summary>
/// Merkle tree information for bundle integrity verification.
/// </summary>
[JsonPropertyName("merkleTree")]
public required MerkleTreeInfo MerkleTree { get; init; }
/// <summary>
/// Optional organization signature for bundle endorsement.
/// </summary>
[JsonPropertyName("orgSignature")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public OrgSignature? OrgSignature { get; init; }
}
/// <summary>
/// Bundle metadata containing identification and temporal information.
/// </summary>
public sealed record BundleMetadata
{
/// <summary>
/// Content-addressed bundle ID: sha256:&lt;merkle_root&gt;
/// </summary>
[JsonPropertyName("bundleId")]
public required string BundleId { get; init; }
/// <summary>
/// Bundle schema version.
/// </summary>
[JsonPropertyName("version")]
public string Version { get; init; } = "1.0";
/// <summary>
/// UTC timestamp when this bundle was created.
/// </summary>
[JsonPropertyName("createdAt")]
public required DateTimeOffset CreatedAt { get; init; }
/// <summary>
/// Start of the attestation collection period (inclusive).
/// </summary>
[JsonPropertyName("periodStart")]
public required DateTimeOffset PeriodStart { get; init; }
/// <summary>
/// End of the attestation collection period (inclusive).
/// </summary>
[JsonPropertyName("periodEnd")]
public required DateTimeOffset PeriodEnd { get; init; }
/// <summary>
/// Number of attestations in the bundle.
/// </summary>
[JsonPropertyName("attestationCount")]
public required int AttestationCount { get; init; }
/// <summary>
/// Optional tenant identifier for multi-tenant deployments.
/// </summary>
[JsonPropertyName("tenantId")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? TenantId { get; init; }
/// <summary>
/// Fingerprint of the organization signing key (if signed).
/// </summary>
[JsonPropertyName("orgKeyFingerprint")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? OrgKeyFingerprint { get; init; }
}
/// <summary>
/// Individual attestation entry within a bundle.
/// </summary>
public sealed record BundledAttestation
{
/// <summary>
/// Unique entry identifier (typically the Rekor UUID).
/// </summary>
[JsonPropertyName("entryId")]
public required string EntryId { get; init; }
/// <summary>
/// Rekor UUID if registered with transparency log.
/// </summary>
[JsonPropertyName("rekorUuid")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? RekorUuid { get; init; }
/// <summary>
/// Rekor log index if registered with transparency log.
/// </summary>
[JsonPropertyName("rekorLogIndex")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public long? RekorLogIndex { get; init; }
/// <summary>
/// SHA256 digest of the artifact this attestation covers.
/// </summary>
[JsonPropertyName("artifactDigest")]
public required string ArtifactDigest { get; init; }
/// <summary>
/// Predicate type (e.g., "verdict.stella/v1", "sbom.stella/v1").
/// </summary>
[JsonPropertyName("predicateType")]
public required string PredicateType { get; init; }
/// <summary>
/// UTC timestamp when the attestation was signed.
/// </summary>
[JsonPropertyName("signedAt")]
public required DateTimeOffset SignedAt { get; init; }
/// <summary>
/// Signing mode used: "keyless" (Fulcio), "kms", "hsm", or "fido2".
/// </summary>
[JsonPropertyName("signingMode")]
public required string SigningMode { get; init; }
/// <summary>
/// Identity information about the signer.
/// </summary>
[JsonPropertyName("signingIdentity")]
public required SigningIdentity SigningIdentity { get; init; }
/// <summary>
/// Rekor inclusion proof for transparency verification.
/// </summary>
[JsonPropertyName("inclusionProof")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public RekorInclusionProof? InclusionProof { get; init; }
/// <summary>
/// The DSSE envelope containing the attestation.
/// </summary>
[JsonPropertyName("envelope")]
public required DsseEnvelopeData Envelope { get; init; }
}
/// <summary>
/// Signing identity information.
/// </summary>
public sealed record SigningIdentity
{
/// <summary>
/// OIDC issuer URL for keyless signing.
/// </summary>
[JsonPropertyName("issuer")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? Issuer { get; init; }
/// <summary>
/// Subject identifier (e.g., email, service account).
/// </summary>
[JsonPropertyName("subject")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? Subject { get; init; }
/// <summary>
/// Subject Alternative Name from certificate.
/// </summary>
[JsonPropertyName("san")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? San { get; init; }
/// <summary>
/// Key identifier for KMS/HSM signing.
/// </summary>
[JsonPropertyName("keyId")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? KeyId { get; init; }
}
/// <summary>
/// Rekor transparency log inclusion proof.
/// </summary>
public sealed record RekorInclusionProof
{
/// <summary>
/// Checkpoint containing tree size and root hash.
/// </summary>
[JsonPropertyName("checkpoint")]
public required CheckpointData Checkpoint { get; init; }
/// <summary>
/// Merkle audit path from leaf to root.
/// </summary>
[JsonPropertyName("path")]
public required IReadOnlyList<string> Path { get; init; }
}
/// <summary>
/// Rekor checkpoint data.
/// </summary>
public sealed record CheckpointData
{
/// <summary>
/// Log origin identifier.
/// </summary>
[JsonPropertyName("origin")]
public required string Origin { get; init; }
/// <summary>
/// Tree size at checkpoint time.
/// </summary>
[JsonPropertyName("size")]
public required long Size { get; init; }
/// <summary>
/// Base64-encoded root hash.
/// </summary>
[JsonPropertyName("rootHash")]
public required string RootHash { get; init; }
/// <summary>
/// Checkpoint timestamp.
/// </summary>
[JsonPropertyName("timestamp")]
public required DateTimeOffset Timestamp { get; init; }
}
/// <summary>
/// DSSE envelope data for serialization.
/// </summary>
public sealed record DsseEnvelopeData
{
/// <summary>
/// Payload type (e.g., "application/vnd.in-toto+json").
/// </summary>
[JsonPropertyName("payloadType")]
public required string PayloadType { get; init; }
/// <summary>
/// Base64-encoded payload.
/// </summary>
[JsonPropertyName("payload")]
public required string Payload { get; init; }
/// <summary>
/// Signatures over the payload.
/// </summary>
[JsonPropertyName("signatures")]
public required IReadOnlyList<EnvelopeSignature> Signatures { get; init; }
/// <summary>
/// Certificate chain for signature verification.
/// </summary>
[JsonPropertyName("certificateChain")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public IReadOnlyList<string>? CertificateChain { get; init; }
}
/// <summary>
/// Signature within a DSSE envelope.
/// </summary>
public sealed record EnvelopeSignature
{
/// <summary>
/// Key identifier.
/// </summary>
[JsonPropertyName("keyid")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? KeyId { get; init; }
/// <summary>
/// Base64-encoded signature.
/// </summary>
[JsonPropertyName("sig")]
public required string Sig { get; init; }
}
/// <summary>
/// Merkle tree information for bundle integrity.
/// </summary>
public sealed record MerkleTreeInfo
{
/// <summary>
/// Hash algorithm used (always SHA256).
/// </summary>
[JsonPropertyName("algorithm")]
public string Algorithm { get; init; } = "SHA256";
/// <summary>
/// Merkle root hash in sha256:&lt;hex&gt; format.
/// </summary>
[JsonPropertyName("root")]
public required string Root { get; init; }
/// <summary>
/// Number of leaves (attestations) in the tree.
/// </summary>
[JsonPropertyName("leafCount")]
public required int LeafCount { get; init; }
}
/// <summary>
/// Organization signature for bundle endorsement.
/// </summary>
public sealed record OrgSignature
{
/// <summary>
/// Key identifier used for signing.
/// </summary>
[JsonPropertyName("keyId")]
public required string KeyId { get; init; }
/// <summary>
/// Signature algorithm (e.g., "ECDSA_P256", "Ed25519", "RSA_PSS_SHA256").
/// </summary>
[JsonPropertyName("algorithm")]
public required string Algorithm { get; init; }
/// <summary>
/// Base64-encoded signature over the bundle.
/// </summary>
[JsonPropertyName("signature")]
public required string Signature { get; init; }
/// <summary>
/// UTC timestamp when the signature was created.
/// </summary>
[JsonPropertyName("signedAt")]
public required DateTimeOffset SignedAt { get; init; }
/// <summary>
/// PEM-encoded certificate chain for signature verification.
/// </summary>
[JsonPropertyName("certificateChain")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public IReadOnlyList<string>? CertificateChain { get; init; }
}

337
src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/AttestationBundler.cs Normal file
View File

@@ -0,0 +1,337 @@
// -----------------------------------------------------------------------------
// AttestationBundler.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0005 - Implement IAttestationBundler service
// Description: Service implementation for creating attestation bundles
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Configuration;
using StellaOps.Attestor.Bundling.Models;
using StellaOps.Attestor.ProofChain.Merkle;
namespace StellaOps.Attestor.Bundling.Services;
/// <summary>
/// Service for creating and managing attestation bundles.
/// Implements deterministic bundling with optional organization signing.
/// </summary>
public sealed class AttestationBundler : IAttestationBundler
{
private readonly IBundleAggregator _aggregator;
private readonly IBundleStore _store;
private readonly IOrgKeySigner? _orgSigner;
private readonly IMerkleTreeBuilder _merkleBuilder;
private readonly ILogger<AttestationBundler> _logger;
private readonly BundlingOptions _options;
/// <summary>
/// Create a new attestation bundler.
/// </summary>
public AttestationBundler(
IBundleAggregator aggregator,
IBundleStore store,
IMerkleTreeBuilder merkleBuilder,
ILogger<AttestationBundler> logger,
IOptions<BundlingOptions> options,
IOrgKeySigner? orgSigner = null)
{
_aggregator = aggregator ?? throw new ArgumentNullException(nameof(aggregator));
_store = store ?? throw new ArgumentNullException(nameof(store));
_merkleBuilder = merkleBuilder ?? throw new ArgumentNullException(nameof(merkleBuilder));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_options = options?.Value ?? new BundlingOptions();
_orgSigner = orgSigner;
}
/// <inheritdoc />
public async Task<AttestationBundle> CreateBundleAsync(
BundleCreationRequest request,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
_logger.LogInformation(
"Creating attestation bundle for period {PeriodStart} to {PeriodEnd}",
request.PeriodStart,
request.PeriodEnd);
// Collect attestations in deterministic order
var attestations = await CollectAttestationsAsync(request, cancellationToken);
if (attestations.Count == 0)
{
_logger.LogWarning("No attestations found for the specified period");
throw new InvalidOperationException("No attestations found for the specified period.");
}
_logger.LogInformation("Collected {Count} attestations for bundling", attestations.Count);
// Build deterministic Merkle tree
var merkleTree = BuildMerkleTree(attestations);
var merkleRoot = Convert.ToHexString(merkleTree.Root).ToLowerInvariant();
var bundleId = $"sha256:{merkleRoot}";
_logger.LogInformation("Computed Merkle root: {MerkleRoot}", bundleId);
// Create bundle metadata
var metadata = new BundleMetadata
{
BundleId = bundleId,
Version = "1.0",
CreatedAt = DateTimeOffset.UtcNow,
PeriodStart = request.PeriodStart,
PeriodEnd = request.PeriodEnd,
AttestationCount = attestations.Count,
TenantId = request.TenantId
};
// Create bundle
var bundle = new AttestationBundle
{
Metadata = metadata,
Attestations = attestations,
MerkleTree = new MerkleTreeInfo
{
Algorithm = "SHA256",
Root = bundleId,
LeafCount = attestations.Count
}
};
// Sign with organization key if requested
if (request.SignWithOrgKey && _orgSigner != null)
{
bundle = await SignBundleAsync(bundle, request.OrgKeyId, cancellationToken);
}
// Store the bundle
await _store.StoreBundleAsync(bundle, cancellationToken: cancellationToken);
_logger.LogInformation(
"Created attestation bundle {BundleId} with {Count} attestations",
bundleId,
attestations.Count);
return bundle;
}
/// <inheritdoc />
public async Task<AttestationBundle?> GetBundleAsync(
string bundleId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(bundleId);
return await _store.GetBundleAsync(bundleId, cancellationToken);
}
/// <inheritdoc />
public async Task<BundleListResult> ListBundlesAsync(
BundleListRequest request,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
return await _store.ListBundlesAsync(request, cancellationToken);
}
/// <inheritdoc />
public async Task<BundleVerificationResult> VerifyBundleAsync(
AttestationBundle bundle,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(bundle);
var issues = new List<BundleVerificationIssue>();
var verifiedAt = DateTimeOffset.UtcNow;
// Verify Merkle root
var merkleValid = VerifyMerkleRoot(bundle, issues);
// Verify org signature if present
bool? orgSigValid = null;
if (bundle.OrgSignature != null && _orgSigner != null)
{
orgSigValid = await VerifyOrgSignatureAsync(bundle, issues, cancellationToken);
}
var valid = merkleValid && (orgSigValid ?? true);
return new BundleVerificationResult(
Valid: valid,
MerkleRootVerified: merkleValid,
OrgSignatureVerified: orgSigValid,
AttestationsVerified: bundle.Attestations.Count,
Issues: issues,
VerifiedAt: verifiedAt);
}
private async Task<List<BundledAttestation>> CollectAttestationsAsync(
BundleCreationRequest request,
CancellationToken cancellationToken)
{
var aggregationRequest = new AggregationRequest(
request.PeriodStart,
request.PeriodEnd,
request.TenantId,
null,
_options.Aggregation.QueryBatchSize);
var attestations = new List<BundledAttestation>();
await foreach (var attestation in _aggregator.AggregateAsync(aggregationRequest, cancellationToken))
{
attestations.Add(attestation);
if (attestations.Count >= _options.Aggregation.MaxAttestationsPerBundle)
{
_logger.LogWarning(
"Reached maximum attestations per bundle limit ({Max})",
_options.Aggregation.MaxAttestationsPerBundle);
break;
}
}
// Sort deterministically by entry ID for stable Merkle root
attestations.Sort((a, b) => string.Compare(a.EntryId, b.EntryId, StringComparison.Ordinal));
return attestations;
}
private MerkleTreeWithProofs BuildMerkleTree(List<BundledAttestation> attestations)
{
// Create leaf values from attestation entry IDs (deterministic)
var leafValues = attestations
.Select(a => (ReadOnlyMemory<byte>)Encoding.UTF8.GetBytes(a.EntryId))
.ToList();
return _merkleBuilder.BuildTree(leafValues);
}
private async Task<AttestationBundle> SignBundleAsync(
AttestationBundle bundle,
string? keyId,
CancellationToken cancellationToken)
{
if (_orgSigner == null)
{
throw new InvalidOperationException("Organization signer is not configured.");
}
// Use active key if not specified
keyId ??= await _orgSigner.GetActiveKeyIdAsync(cancellationToken);
// Compute bundle digest (over canonical JSON of Merkle root and attestation IDs)
var digestData = ComputeBundleDigest(bundle);
// Sign the digest
var signature = await _orgSigner.SignBundleAsync(digestData, keyId, cancellationToken);
_logger.LogInformation(
"Signed bundle {BundleId} with org key {KeyId}",
bundle.Metadata.BundleId,
keyId);
// Return bundle with signature and updated metadata
return bundle with
{
Metadata = bundle.Metadata with
{
OrgKeyFingerprint = $"sha256:{ComputeKeyFingerprint(keyId)}"
},
OrgSignature = signature
};
}
private bool VerifyMerkleRoot(AttestationBundle bundle, List<BundleVerificationIssue> issues)
{
try
{
var leafValues = bundle.Attestations
.OrderBy(a => a.EntryId, StringComparer.Ordinal)
.Select(a => (ReadOnlyMemory<byte>)Encoding.UTF8.GetBytes(a.EntryId))
.ToList();
var computedRoot = _merkleBuilder.ComputeMerkleRoot(leafValues);
var computedRootHex = $"sha256:{Convert.ToHexString(computedRoot).ToLowerInvariant()}";
if (computedRootHex != bundle.MerkleTree.Root)
{
issues.Add(new BundleVerificationIssue(
VerificationIssueSeverity.Critical,
"MERKLE_ROOT_MISMATCH",
$"Computed Merkle root {computedRootHex} does not match bundle root {bundle.MerkleTree.Root}"));
return false;
}
return true;
}
catch (Exception ex)
{
issues.Add(new BundleVerificationIssue(
VerificationIssueSeverity.Critical,
"MERKLE_VERIFY_ERROR",
$"Failed to verify Merkle root: {ex.Message}"));
return false;
}
}
private async Task<bool> VerifyOrgSignatureAsync(
AttestationBundle bundle,
List<BundleVerificationIssue> issues,
CancellationToken cancellationToken)
{
if (_orgSigner == null || bundle.OrgSignature == null)
{
return true;
}
try
{
var digestData = ComputeBundleDigest(bundle);
var valid = await _orgSigner.VerifyBundleAsync(digestData, bundle.OrgSignature, cancellationToken);
if (!valid)
{
issues.Add(new BundleVerificationIssue(
VerificationIssueSeverity.Critical,
"ORG_SIG_INVALID",
$"Organization signature verification failed for key {bundle.OrgSignature.KeyId}"));
}
return valid;
}
catch (Exception ex)
{
issues.Add(new BundleVerificationIssue(
VerificationIssueSeverity.Critical,
"ORG_SIG_VERIFY_ERROR",
$"Failed to verify organization signature: {ex.Message}"));
return false;
}
}
private static byte[] ComputeBundleDigest(AttestationBundle bundle)
{
// Compute digest over merkle root + sorted attestation IDs
var sb = new StringBuilder();
sb.Append(bundle.MerkleTree.Root);
foreach (var attestation in bundle.Attestations.OrderBy(a => a.EntryId, StringComparer.Ordinal))
{
sb.Append('\n');
sb.Append(attestation.EntryId);
}
return SHA256.HashData(Encoding.UTF8.GetBytes(sb.ToString()));
}
private static string ComputeKeyFingerprint(string keyId)
{
// Simple fingerprint - in production this would use the actual public key
var hash = SHA256.HashData(Encoding.UTF8.GetBytes(keyId));
return Convert.ToHexString(hash[..16]).ToLowerInvariant();
}
}

306
src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/OfflineKitBundleProvider.cs Normal file
View File

@@ -0,0 +1,306 @@
// -----------------------------------------------------------------------------
// OfflineKitBundleProvider.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0017 - Integrate with Offline Kit export
// Description: Provides attestation bundles for Offline Kit exports
// -----------------------------------------------------------------------------
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Configuration;
using StellaOps.Attestor.Bundling.Models;
namespace StellaOps.Attestor.Bundling.Services;
/// <summary>
/// Result of an Offline Kit bundle export.
/// </summary>
public sealed record OfflineKitBundleExportResult
{
/// <summary>
/// Bundles included in the export.
/// </summary>
public required IReadOnlyList<BundleExportInfo> Bundles { get; init; }
/// <summary>
/// Total attestations across all bundles.
/// </summary>
public required int TotalAttestations { get; init; }
/// <summary>
/// Total export size in bytes.
/// </summary>
public required long TotalSizeBytes { get; init; }
/// <summary>
/// Export timestamp.
/// </summary>
public required DateTimeOffset ExportedAt { get; init; }
}
/// <summary>
/// Information about an exported bundle.
/// </summary>
public sealed record BundleExportInfo(
string BundleId,
string FileName,
DateTimeOffset PeriodStart,
DateTimeOffset PeriodEnd,
int AttestationCount,
long SizeBytes);
/// <summary>
/// Options for Offline Kit bundle export.
/// </summary>
public sealed class OfflineKitExportOptions
{
/// <summary>
/// Maximum age of bundles to include (in months).
/// Default: 12 months.
/// </summary>
public int MaxAgeMonths { get; set; } = 12;
/// <summary>
/// Export format.
/// </summary>
public BundleFormat Format { get; set; } = BundleFormat.Json;
/// <summary>
/// Compression algorithm.
/// </summary>
public BundleCompression Compression { get; set; } = BundleCompression.Zstd;
/// <summary>
/// Include only signed bundles.
/// </summary>
public bool RequireOrgSignature { get; set; } = false;
/// <summary>
/// Tenant filter (null = all tenants).
/// </summary>
public string? TenantId { get; set; }
}
/// <summary>
/// Interface for Offline Kit bundle provider.
/// </summary>
public interface IOfflineKitBundleProvider
{
/// <summary>
/// Export bundles for inclusion in Offline Kit.
/// </summary>
/// <param name="outputDirectory">Directory to write bundle files.</param>
/// <param name="options">Export options.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Export result with bundle information.</returns>
Task<OfflineKitBundleExportResult> ExportForOfflineKitAsync(
string outputDirectory,
OfflineKitExportOptions? options = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Get bundle manifest for Offline Kit.
/// </summary>
/// <param name="options">Export options.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>List of bundles that would be included.</returns>
Task<IReadOnlyList<BundleListItem>> GetOfflineKitManifestAsync(
OfflineKitExportOptions? options = null,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Provides attestation bundles for Offline Kit exports.
/// Integrates with the Offline Kit to include bundled attestations
/// for long-term offline verification.
/// </summary>
public sealed class OfflineKitBundleProvider : IOfflineKitBundleProvider
{
private readonly IBundleStore _bundleStore;
private readonly BundlingOptions _options;
private readonly ILogger<OfflineKitBundleProvider> _logger;
public OfflineKitBundleProvider(
IBundleStore bundleStore,
IOptions<BundlingOptions> options,
ILogger<OfflineKitBundleProvider> logger)
{
_bundleStore = bundleStore ?? throw new ArgumentNullException(nameof(bundleStore));
_options = options?.Value ?? new BundlingOptions();
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <inheritdoc/>
public async Task<OfflineKitBundleExportResult> ExportForOfflineKitAsync(
string outputDirectory,
OfflineKitExportOptions? options = null,
CancellationToken cancellationToken = default)
{
options ??= new OfflineKitExportOptions();
if (!_options.Export.IncludeInOfflineKit)
{
_logger.LogDebug("Offline Kit bundle export is disabled");
return new OfflineKitBundleExportResult
{
Bundles = [],
TotalAttestations = 0,
TotalSizeBytes = 0,
ExportedAt = DateTimeOffset.UtcNow
};
}
_logger.LogInformation(
"Exporting bundles for Offline Kit. MaxAge={MaxAge} months, Format={Format}",
options.MaxAgeMonths,
options.Format);
// Ensure output directory exists
Directory.CreateDirectory(outputDirectory);
// Get bundles to export
var bundles = await GetOfflineKitManifestAsync(options, cancellationToken);
var exportedBundles = new List<BundleExportInfo>();
long totalSize = 0;
int totalAttestations = 0;
foreach (var bundleInfo in bundles)
{
try
{
var exportInfo = await ExportBundleAsync(
bundleInfo,
outputDirectory,
options,
cancellationToken);
if (exportInfo != null)
{
exportedBundles.Add(exportInfo);
totalSize += exportInfo.SizeBytes;
totalAttestations += exportInfo.AttestationCount;
}
}
catch (Exception ex)
{
_logger.LogWarning(
ex,
"Failed to export bundle {BundleId} for Offline Kit",
bundleInfo.BundleId);
}
}
_logger.LogInformation(
"Exported {Count} bundles for Offline Kit. Total: {Attestations} attestations, {Size} bytes",
exportedBundles.Count,
totalAttestations,
totalSize);
return new OfflineKitBundleExportResult
{
Bundles = exportedBundles,
TotalAttestations = totalAttestations,
TotalSizeBytes = totalSize,
ExportedAt = DateTimeOffset.UtcNow
};
}
/// <inheritdoc/>
public async Task<IReadOnlyList<BundleListItem>> GetOfflineKitManifestAsync(
OfflineKitExportOptions? options = null,
CancellationToken cancellationToken = default)
{
options ??= new OfflineKitExportOptions();
var cutoffDate = DateTimeOffset.UtcNow.AddMonths(-options.MaxAgeMonths);
var result = new List<BundleListItem>();
string? cursor = null;
do
{
var listResult = await _bundleStore.ListBundlesAsync(
new BundleListRequest(
PeriodStart: cutoffDate,
TenantId: options.TenantId,
Limit: 100,
Cursor: cursor),
cancellationToken);
foreach (var bundle in listResult.Bundles)
{
// Filter by org signature if required
if (options.RequireOrgSignature && !bundle.HasOrgSignature)
{
continue;
}
result.Add(bundle);
}
cursor = listResult.NextCursor;
}
while (cursor != null);
return result;
}
private async Task<BundleExportInfo?> ExportBundleAsync(
BundleListItem bundleInfo,
string outputDirectory,
OfflineKitExportOptions options,
CancellationToken cancellationToken)
{
var fileName = GenerateFileName(bundleInfo.BundleId, options);
var filePath = Path.Combine(outputDirectory, fileName);
await using var fileStream = File.Create(filePath);
await _bundleStore.ExportBundleAsync(
bundleInfo.BundleId,
fileStream,
new Abstractions.BundleExportOptions(options.Format, options.Compression),
cancellationToken);
await fileStream.FlushAsync(cancellationToken);
var fileInfo = new FileInfo(filePath);
_logger.LogDebug(
"Exported bundle {BundleId} to {FileName} ({Size} bytes)",
bundleInfo.BundleId,
fileName,
fileInfo.Length);
return new BundleExportInfo(
bundleInfo.BundleId,
fileName,
bundleInfo.PeriodStart,
bundleInfo.PeriodEnd,
bundleInfo.AttestationCount,
fileInfo.Length);
}
private static string GenerateFileName(string bundleId, OfflineKitExportOptions options)
{
// Bundle ID format: sha256:abc123...
var hash = bundleId.StartsWith("sha256:")
? bundleId[7..Math.Min(bundleId.Length, 7 + 12)]
: bundleId[..Math.Min(bundleId.Length, 12)];
var extension = options.Format switch
{
BundleFormat.Cbor => ".cbor",
_ => ".json"
};
var compression = options.Compression switch
{
BundleCompression.Gzip => ".gz",
BundleCompression.Zstd => ".zst",
_ => ""
};
return $"bundle-{hash}{extension}{compression}";
}
}

454
src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/RetentionPolicyEnforcer.cs Normal file
View File

@@ -0,0 +1,454 @@
// -----------------------------------------------------------------------------
// RetentionPolicyEnforcer.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0014 - Implement retention policy enforcement
// Description: Service for enforcing bundle retention policies
// -----------------------------------------------------------------------------
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Configuration;
using StellaOps.Attestor.Bundling.Models;
namespace StellaOps.Attestor.Bundling.Services;
/// <summary>
/// Result of a retention policy enforcement run.
/// </summary>
public sealed record RetentionEnforcementResult
{
/// <summary>
/// When the enforcement run started.
/// </summary>
public required DateTimeOffset StartedAt { get; init; }
/// <summary>
/// When the enforcement run completed.
/// </summary>
public required DateTimeOffset CompletedAt { get; init; }
/// <summary>
/// Number of bundles evaluated.
/// </summary>
public required int BundlesEvaluated { get; init; }
/// <summary>
/// Number of bundles deleted.
/// </summary>
public required int BundlesDeleted { get; init; }
/// <summary>
/// Number of bundles archived.
/// </summary>
public required int BundlesArchived { get; init; }
/// <summary>
/// Number of bundles marked as expired.
/// </summary>
public required int BundlesMarkedExpired { get; init; }
/// <summary>
/// Number of bundles approaching expiry (within notification window).
/// </summary>
public required int BundlesApproachingExpiry { get; init; }
/// <summary>
/// Bundles that failed to process.
/// </summary>
public required IReadOnlyList<BundleEnforcementFailure> Failures { get; init; }
/// <summary>
/// Whether the enforcement run succeeded (no critical failures).
/// </summary>
public bool Success => Failures.Count == 0;
}
/// <summary>
/// Details of a bundle that failed retention enforcement.
/// </summary>
public sealed record BundleEnforcementFailure(
string BundleId,
string Reason,
string? ErrorMessage);
/// <summary>
/// Details about a bundle approaching expiry.
/// </summary>
public sealed record BundleExpiryNotification(
string BundleId,
string? TenantId,
DateTimeOffset CreatedAt,
DateTimeOffset ExpiresAt,
int DaysUntilExpiry);
/// <summary>
/// Interface for retention policy enforcement.
/// </summary>
public interface IRetentionPolicyEnforcer
{
/// <summary>
/// Run retention policy enforcement.
/// </summary>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Enforcement result with statistics.</returns>
Task<RetentionEnforcementResult> EnforceAsync(CancellationToken cancellationToken = default);
/// <summary>
/// Get bundles approaching expiry for notification.
/// </summary>
/// <param name="daysBeforeExpiry">Days before expiry to check.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>List of bundles approaching expiry.</returns>
Task<IReadOnlyList<BundleExpiryNotification>> GetApproachingExpiryAsync(
int daysBeforeExpiry,
CancellationToken cancellationToken = default);
/// <summary>
/// Calculate expiry date for a bundle.
/// </summary>
/// <param name="bundle">The bundle to evaluate.</param>
/// <returns>Expiry date for the bundle.</returns>
DateTimeOffset CalculateExpiryDate(BundleListItem bundle);
/// <summary>
/// Calculate expiry date for a bundle with metadata.
/// </summary>
/// <param name="tenantId">Tenant ID.</param>
/// <param name="createdAt">Bundle creation date.</param>
/// <returns>Expiry date for the bundle.</returns>
DateTimeOffset CalculateExpiryDate(string? tenantId, DateTimeOffset createdAt);
}
/// <summary>
/// Interface for archiving bundles to cold storage.
/// </summary>
public interface IBundleArchiver
{
/// <summary>
/// Archive a bundle to cold storage.
/// </summary>
/// <param name="bundleId">The bundle ID to archive.</param>
/// <param name="storageTier">Target storage tier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if archived successfully.</returns>
Task<bool> ArchiveAsync(
string bundleId,
string storageTier,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Interface for notifying about bundle expiry.
/// </summary>
public interface IBundleExpiryNotifier
{
/// <summary>
/// Send notifications for bundles approaching expiry.
/// </summary>
/// <param name="notifications">List of expiry notifications.</param>
/// <param name="cancellationToken">Cancellation token.</param>
Task NotifyAsync(
IReadOnlyList<BundleExpiryNotification> notifications,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Service for enforcing bundle retention policies.
/// Handles expiry, deletion, archival, and notifications.
/// </summary>
public sealed class RetentionPolicyEnforcer : IRetentionPolicyEnforcer
{
private readonly IBundleStore _bundleStore;
private readonly IBundleArchiver? _archiver;
private readonly IBundleExpiryNotifier? _notifier;
private readonly BundleRetentionOptions _options;
private readonly ILogger<RetentionPolicyEnforcer> _logger;
public RetentionPolicyEnforcer(
IBundleStore bundleStore,
IOptions<BundlingOptions> options,
ILogger<RetentionPolicyEnforcer> logger,
IBundleArchiver? archiver = null,
IBundleExpiryNotifier? notifier = null)
{
_bundleStore = bundleStore ?? throw new ArgumentNullException(nameof(bundleStore));
_options = options?.Value?.Retention ?? new BundleRetentionOptions();
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_archiver = archiver;
_notifier = notifier;
}
/// <inheritdoc/>
public async Task<RetentionEnforcementResult> EnforceAsync(CancellationToken cancellationToken = default)
{
var startedAt = DateTimeOffset.UtcNow;
var failures = new List<BundleEnforcementFailure>();
int evaluated = 0;
int deleted = 0;
int archived = 0;
int markedExpired = 0;
int approachingExpiry = 0;
if (!_options.Enabled)
{
_logger.LogDebug("Retention policy enforcement is disabled");
return new RetentionEnforcementResult
{
StartedAt = startedAt,
CompletedAt = DateTimeOffset.UtcNow,
BundlesEvaluated = 0,
BundlesDeleted = 0,
BundlesArchived = 0,
BundlesMarkedExpired = 0,
BundlesApproachingExpiry = 0,
Failures = failures
};
}
_logger.LogInformation(
"Starting retention policy enforcement. ExpiryAction={Action}, DefaultMonths={Months}",
_options.ExpiryAction,
_options.DefaultMonths);
// Process bundles in batches
string? cursor = null;
var now = DateTimeOffset.UtcNow;
var notificationCutoff = now.AddDays(_options.NotifyDaysBeforeExpiry);
var gracePeriodCutoff = now.AddDays(-_options.GracePeriodDays);
var expiredNotifications = new List<BundleExpiryNotification>();
do
{
var listResult = await _bundleStore.ListBundlesAsync(
new BundleListRequest(Limit: _options.MaxBundlesPerRun, Cursor: cursor),
cancellationToken);
foreach (var bundle in listResult.Bundles)
{
evaluated++;
var expiryDate = CalculateExpiryDate(bundle);
// Check if bundle has expired
if (expiryDate <= now)
{
// Check grace period
if (expiryDate <= gracePeriodCutoff)
{
// Past grace period - take expiry action
var result = await HandleExpiredBundleAsync(bundle, cancellationToken);
if (result.Success)
{
switch (_options.ExpiryAction)
{
case RetentionAction.Delete:
deleted++;
break;
case RetentionAction.Archive:
archived++;
break;
case RetentionAction.MarkOnly:
markedExpired++;
break;
}
}
else
{
failures.Add(result.Failure!);
}
}
else
{
// In grace period - mark as expired but don't delete yet
markedExpired++;
_logger.LogDebug(
"Bundle {BundleId} in grace period, expires {ExpiryDate}",
bundle.BundleId,
expiryDate);
}
}
// Check if approaching expiry (for notifications)
else if (_options.NotifyBeforeExpiry && expiryDate <= notificationCutoff)
{
approachingExpiry++;
expiredNotifications.Add(new BundleExpiryNotification(
bundle.BundleId,
null, // TenantId not in BundleListItem - would need full bundle fetch
bundle.CreatedAt,
expiryDate,
(int)(expiryDate - now).TotalDays));
}
}
cursor = listResult.NextCursor;
}
while (cursor != null && evaluated < _options.MaxBundlesPerRun);
// Send notifications for approaching expiry
if (_notifier != null && expiredNotifications.Count > 0)
{
try
{
await _notifier.NotifyAsync(expiredNotifications, cancellationToken);
_logger.LogInformation(
"Sent {Count} expiry notifications",
expiredNotifications.Count);
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Failed to send expiry notifications");
}
}
var completedAt = DateTimeOffset.UtcNow;
_logger.LogInformation(
"Retention enforcement completed. Evaluated={Evaluated}, Deleted={Deleted}, Archived={Archived}, Marked={Marked}, Approaching={Approaching}, Failed={Failed}",
evaluated, deleted, archived, markedExpired, approachingExpiry, failures.Count);
return new RetentionEnforcementResult
{
StartedAt = startedAt,
CompletedAt = completedAt,
BundlesEvaluated = evaluated,
BundlesDeleted = deleted,
BundlesArchived = archived,
BundlesMarkedExpired = markedExpired,
BundlesApproachingExpiry = approachingExpiry,
Failures = failures
};
}
/// <inheritdoc/>
public async Task<IReadOnlyList<BundleExpiryNotification>> GetApproachingExpiryAsync(
int daysBeforeExpiry,
CancellationToken cancellationToken = default)
{
var notifications = new List<BundleExpiryNotification>();
var now = DateTimeOffset.UtcNow;
var cutoff = now.AddDays(daysBeforeExpiry);
string? cursor = null;
do
{
var listResult = await _bundleStore.ListBundlesAsync(
new BundleListRequest(Limit: 100, Cursor: cursor),
cancellationToken);
foreach (var bundle in listResult.Bundles)
{
var expiryDate = CalculateExpiryDate(bundle);
if (expiryDate > now && expiryDate <= cutoff)
{
notifications.Add(new BundleExpiryNotification(
bundle.BundleId,
null,
bundle.CreatedAt,
expiryDate,
(int)(expiryDate - now).TotalDays));
}
}
cursor = listResult.NextCursor;
}
while (cursor != null);
return notifications;
}
/// <inheritdoc/>
public DateTimeOffset CalculateExpiryDate(BundleListItem bundle)
{
return CalculateExpiryDate(null, bundle.CreatedAt);
}
/// <inheritdoc/>
public DateTimeOffset CalculateExpiryDate(string? tenantId, DateTimeOffset createdAt)
{
int retentionMonths = _options.DefaultMonths;
// Check for tenant-specific override
if (!string.IsNullOrEmpty(tenantId) &&
_options.TenantOverrides.TryGetValue(tenantId, out var tenantMonths))
{
retentionMonths = Math.Max(tenantMonths, _options.MinimumMonths);
retentionMonths = Math.Min(retentionMonths, _options.MaximumMonths);
}
return createdAt.AddMonths(retentionMonths);
}
private async Task<(bool Success, BundleEnforcementFailure? Failure)> HandleExpiredBundleAsync(
BundleListItem bundle,
CancellationToken cancellationToken)
{
try
{
switch (_options.ExpiryAction)
{
case RetentionAction.Delete:
var deleted = await _bundleStore.DeleteBundleAsync(bundle.BundleId, cancellationToken);
if (deleted)
{
_logger.LogInformation("Deleted expired bundle {BundleId}", bundle.BundleId);
return (true, null);
}
return (false, new BundleEnforcementFailure(
bundle.BundleId,
"Delete failed",
"Bundle could not be deleted"));
case RetentionAction.Archive:
if (_archiver == null)
{
_logger.LogWarning(
"Archive action configured but no archiver available for bundle {BundleId}",
bundle.BundleId);
return (false, new BundleEnforcementFailure(
bundle.BundleId,
"Archive unavailable",
"No archiver configured"));
}
var archived = await _archiver.ArchiveAsync(
bundle.BundleId,
_options.ArchiveStorageTier,
cancellationToken);
if (archived)
{
_logger.LogInformation(
"Archived expired bundle {BundleId} to {Tier}",
bundle.BundleId,
_options.ArchiveStorageTier);
return (true, null);
}
return (false, new BundleEnforcementFailure(
bundle.BundleId,
"Archive failed",
"Bundle could not be archived"));
case RetentionAction.MarkOnly:
_logger.LogDebug("Marked bundle {BundleId} as expired", bundle.BundleId);
return (true, null);
default:
return (false, new BundleEnforcementFailure(
bundle.BundleId,
"Unknown action",
$"Unsupported expiry action: {_options.ExpiryAction}"));
}
}
catch (Exception ex)
{
_logger.LogWarning(
ex,
"Failed to process expired bundle {BundleId}",
bundle.BundleId);
return (false, new BundleEnforcementFailure(
bundle.BundleId,
"Exception",
ex.Message));
}
}
}

355
src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Signing/KmsOrgKeySigner.cs Normal file
View File

@@ -0,0 +1,355 @@
// -----------------------------------------------------------------------------
// KmsOrgKeySigner.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0007 - Implement KmsOrgKeySigner
// Description: KMS-backed organization key signing for bundles
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Models;
namespace StellaOps.Attestor.Bundling.Signing;
/// <summary>
/// KMS-backed organization key signer for attestation bundles.
/// Supports AWS KMS, Azure Key Vault, Google Cloud KMS, and HashiCorp Vault.
/// </summary>
public sealed class KmsOrgKeySigner : IOrgKeySigner
{
private readonly IKmsProvider _kmsProvider;
private readonly ILogger<KmsOrgKeySigner> _logger;
private readonly OrgSigningOptions _options;
/// <summary>
/// Create a new KMS organization key signer.
/// </summary>
public KmsOrgKeySigner(
IKmsProvider kmsProvider,
ILogger<KmsOrgKeySigner> logger,
IOptions<OrgSigningOptions> options)
{
_kmsProvider = kmsProvider ?? throw new ArgumentNullException(nameof(kmsProvider));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_options = options?.Value ?? new OrgSigningOptions();
}
/// <inheritdoc />
public async Task<OrgSignature> SignBundleAsync(
byte[] bundleDigest,
string keyId,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(bundleDigest);
ArgumentException.ThrowIfNullOrWhiteSpace(keyId);
_logger.LogInformation("Signing bundle with org key {KeyId}", keyId);
// Get key metadata
var keyInfo = await _kmsProvider.GetKeyInfoAsync(keyId, cancellationToken);
if (keyInfo == null)
{
throw new InvalidOperationException($"Signing key '{keyId}' not found in KMS.");
}
// Verify key is active
if (!keyInfo.IsActive)
{
throw new InvalidOperationException($"Signing key '{keyId}' is not active.");
}
// Check key expiry
if (keyInfo.ValidUntil.HasValue && keyInfo.ValidUntil.Value < DateTimeOffset.UtcNow)
{
throw new InvalidOperationException($"Signing key '{keyId}' has expired.");
}
// Sign the digest
var signatureBytes = await _kmsProvider.SignAsync(
keyId,
bundleDigest,
keyInfo.Algorithm,
cancellationToken);
// Get certificate chain if available
var certChain = await _kmsProvider.GetCertificateChainAsync(keyId, cancellationToken);
_logger.LogInformation(
"Successfully signed bundle with key {KeyId}, algorithm {Algorithm}",
keyId,
keyInfo.Algorithm);
return new OrgSignature
{
KeyId = keyId,
Algorithm = keyInfo.Algorithm,
Signature = Convert.ToBase64String(signatureBytes),
SignedAt = DateTimeOffset.UtcNow,
CertificateChain = certChain
};
}
/// <inheritdoc />
public async Task<bool> VerifyBundleAsync(
byte[] bundleDigest,
OrgSignature signature,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(bundleDigest);
ArgumentNullException.ThrowIfNull(signature);
try
{
var signatureBytes = Convert.FromBase64String(signature.Signature);
var isValid = await _kmsProvider.VerifyAsync(
signature.KeyId,
bundleDigest,
signatureBytes,
signature.Algorithm,
cancellationToken);
_logger.LogInformation(
"Bundle signature verification {Result} for key {KeyId}",
isValid ? "succeeded" : "failed",
signature.KeyId);
return isValid;
}
catch (Exception ex)
{
_logger.LogWarning(
ex,
"Bundle signature verification failed for key {KeyId}",
signature.KeyId);
return false;
}
}
/// <inheritdoc />
public async Task<string> GetActiveKeyIdAsync(CancellationToken cancellationToken = default)
{
// Check for configured active key
if (!string.IsNullOrEmpty(_options.ActiveKeyId))
{
return _options.ActiveKeyId;
}
// List keys and find the active one based on rotation policy
var keys = await ListKeysAsync(cancellationToken);
var activeKey = keys
.Where(k => k.IsActive)
.Where(k => !k.ValidUntil.HasValue || k.ValidUntil.Value > DateTimeOffset.UtcNow)
.OrderByDescending(k => k.ValidFrom)
.FirstOrDefault();
return activeKey?.KeyId
?? throw new InvalidOperationException("No active signing key found.");
}
/// <inheritdoc />
public async Task<IReadOnlyList<OrgKeyInfo>> ListKeysAsync(CancellationToken cancellationToken = default)
{
var kmsKeys = await _kmsProvider.ListKeysAsync(_options.KeyPrefix, cancellationToken);
return kmsKeys
.Select(k => new OrgKeyInfo(
k.KeyId,
k.Algorithm,
k.Fingerprint,
k.ValidFrom,
k.ValidUntil,
k.IsActive))
.ToList();
}
}
/// <summary>
/// Options for organization signing.
/// </summary>
public sealed class OrgSigningOptions
{
/// <summary>
/// The active key ID to use for signing.
/// If not set, the most recent active key is used.
/// </summary>
public string? ActiveKeyId { get; set; }
/// <summary>
/// Key prefix for filtering keys in KMS.
/// </summary>
public string KeyPrefix { get; set; } = "stellaops/org-signing/";
/// <summary>
/// Default signing algorithm.
/// </summary>
public string DefaultAlgorithm { get; set; } = "ECDSA_P256";
}
/// <summary>
/// Interface for KMS provider abstraction.
/// </summary>
public interface IKmsProvider
{
/// <summary>
/// Sign data with a KMS key.
/// </summary>
Task<byte[]> SignAsync(
string keyId,
byte[] data,
string algorithm,
CancellationToken cancellationToken = default);
/// <summary>
/// Verify a signature with a KMS key.
/// </summary>
Task<bool> VerifyAsync(
string keyId,
byte[] data,
byte[] signature,
string algorithm,
CancellationToken cancellationToken = default);
/// <summary>
/// Get information about a key.
/// </summary>
Task<KmsKeyInfo?> GetKeyInfoAsync(
string keyId,
CancellationToken cancellationToken = default);
/// <summary>
/// List keys matching a prefix.
/// </summary>
Task<IReadOnlyList<KmsKeyInfo>> ListKeysAsync(
string? prefix = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Get the certificate chain for a key.
/// </summary>
Task<IReadOnlyList<string>?> GetCertificateChainAsync(
string keyId,
CancellationToken cancellationToken = default);
}
/// <summary>
/// KMS key information.
/// </summary>
public sealed record KmsKeyInfo(
string KeyId,
string Algorithm,
string Fingerprint,
DateTimeOffset ValidFrom,
DateTimeOffset? ValidUntil,
bool IsActive);
/// <summary>
/// Local (in-memory) key signer for testing and development.
/// </summary>
public sealed class LocalOrgKeySigner : IOrgKeySigner
{
private readonly Dictionary<string, (ECDsa Key, OrgKeyInfo Info)> _keys = new();
private readonly ILogger<LocalOrgKeySigner> _logger;
private string? _activeKeyId;
/// <summary>
/// Create a new local key signer.
/// </summary>
public LocalOrgKeySigner(ILogger<LocalOrgKeySigner> logger)
{
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <summary>
/// Generate and add a new key.
/// </summary>
public void AddKey(string keyId, bool isActive = true)
{
var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var publicKeyBytes = key.ExportSubjectPublicKeyInfo();
var fingerprint = Convert.ToHexString(SHA256.HashData(publicKeyBytes)).ToLowerInvariant();
var info = new OrgKeyInfo(
keyId,
"ECDSA_P256",
fingerprint,
DateTimeOffset.UtcNow,
null,
isActive);
_keys[keyId] = (key, info);
if (isActive)
{
_activeKeyId = keyId;
}
_logger.LogInformation("Added local signing key {KeyId}", keyId);
}
/// <inheritdoc />
public Task<OrgSignature> SignBundleAsync(
byte[] bundleDigest,
string keyId,
CancellationToken cancellationToken = default)
{
if (!_keys.TryGetValue(keyId, out var keyPair))
{
throw new InvalidOperationException($"Key '{keyId}' not found.");
}
var signature = keyPair.Key.SignData(bundleDigest, HashAlgorithmName.SHA256);
return Task.FromResult(new OrgSignature
{
KeyId = keyId,
Algorithm = "ECDSA_P256",
Signature = Convert.ToBase64String(signature),
SignedAt = DateTimeOffset.UtcNow,
CertificateChain = null
});
}
/// <inheritdoc />
public Task<bool> VerifyBundleAsync(
byte[] bundleDigest,
OrgSignature signature,
CancellationToken cancellationToken = default)
{
if (!_keys.TryGetValue(signature.KeyId, out var keyPair))
{
return Task.FromResult(false);
}
try
{
var signatureBytes = Convert.FromBase64String(signature.Signature);
var isValid = keyPair.Key.VerifyData(bundleDigest, signatureBytes, HashAlgorithmName.SHA256);
return Task.FromResult(isValid);
}
catch
{
return Task.FromResult(false);
}
}
/// <inheritdoc />
public Task<string> GetActiveKeyIdAsync(CancellationToken cancellationToken = default)
{
if (_activeKeyId == null)
{
throw new InvalidOperationException("No active signing key.");
}
return Task.FromResult(_activeKeyId);
}
/// <inheritdoc />
public Task<IReadOnlyList<OrgKeyInfo>> ListKeysAsync(CancellationToken cancellationToken = default)
{
return Task.FromResult<IReadOnlyList<OrgKeyInfo>>(
_keys.Values.Select(k => k.Info).ToList());
}
}

24
src/Attestor/__Libraries/StellaOps.Attestor.Bundling/StellaOps.Attestor.Bundling.csproj Normal file
View File

@@ -0,0 +1,24 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<RootNamespace>StellaOps.Attestor.Bundling</RootNamespace>
<Description>Attestation bundle aggregation and rotation for long-term verification in air-gapped environments.</Description>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="BouncyCastle.Cryptography" Version="2.6.2" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Canonical.Json\StellaOps.Canonical.Json.csproj" />
<ProjectReference Include="..\StellaOps.Attestor.ProofChain\StellaOps.Attestor.ProofChain.csproj" />
<ProjectReference Include="..\..\StellaOps.Attestor.Envelope\StellaOps.Attestor.Envelope.csproj" />
<ProjectReference Include="..\StellaOps.Attestor.Bundle\StellaOps.Attestor.Bundle.csproj" />
</ItemGroup>
</Project>

104
src/Attestor/__Libraries/StellaOps.Attestor.Offline/Abstractions/IOfflineRootStore.cs Normal file
View File

@@ -0,0 +1,104 @@
// -----------------------------------------------------------------------------
// IOfflineRootStore.cs
// Sprint: SPRINT_20251226_003_ATTESTOR_offline_verification
// Task: 0003 - Implement IOfflineRootStore interface
// Description: Interface for loading trust roots for offline verification
// -----------------------------------------------------------------------------
using System.Security.Cryptography.X509Certificates;
namespace StellaOps.Attestor.Offline.Abstractions;
/// <summary>
/// Store for trust roots used in offline verification.
/// Provides access to Fulcio roots, organization signing keys, and Rekor checkpoints.
/// </summary>
public interface IOfflineRootStore
{
/// <summary>
/// Get Fulcio root certificates for keyless signature verification.
/// </summary>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Collection of Fulcio root certificates.</returns>
Task<X509Certificate2Collection> GetFulcioRootsAsync(
CancellationToken cancellationToken = default);
/// <summary>
/// Get organization signing keys for bundle signature verification.
/// </summary>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Collection of organization signing certificates.</returns>
Task<X509Certificate2Collection> GetOrgSigningKeysAsync(
CancellationToken cancellationToken = default);
/// <summary>
/// Get Rekor public keys for checkpoint verification.
/// </summary>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Collection of Rekor public key certificates.</returns>
Task<X509Certificate2Collection> GetRekorKeysAsync(
CancellationToken cancellationToken = default);
/// <summary>
/// Import root certificates from a PEM file.
/// </summary>
/// <param name="pemPath">Path to the PEM file.</param>
/// <param name="rootType">Type of roots being imported.</param>
/// <param name="cancellationToken">Cancellation token.</param>
Task ImportRootsAsync(
string pemPath,
RootType rootType,
CancellationToken cancellationToken = default);
/// <summary>
/// Get a specific organization key by ID.
/// </summary>
/// <param name="keyId">The key identifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The certificate if found, null otherwise.</returns>
Task<X509Certificate2?> GetOrgKeyByIdAsync(
string keyId,
CancellationToken cancellationToken = default);
/// <summary>
/// List all available root certificates with metadata.
/// </summary>
/// <param name="rootType">Type of roots to list.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Root certificate metadata.</returns>
Task<IReadOnlyList<RootCertificateInfo>> ListRootsAsync(
RootType rootType,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Type of trust root.
/// </summary>
public enum RootType
{
/// <summary>Fulcio root certificates for keyless signing.</summary>
Fulcio,
/// <summary>Organization signing keys for bundle endorsement.</summary>
OrgSigning,
/// <summary>Rekor public keys for transparency log verification.</summary>
Rekor
}
/// <summary>
/// Metadata about a root certificate.
/// </summary>
/// <param name="Thumbprint">Certificate thumbprint (SHA-256).</param>
/// <param name="Subject">Certificate subject DN.</param>
/// <param name="Issuer">Certificate issuer DN.</param>
/// <param name="NotBefore">Certificate validity start.</param>
/// <param name="NotAfter">Certificate validity end.</param>
/// <param name="KeyId">Optional key identifier.</param>
/// <param name="RootType">Type of this root certificate.</param>
public record RootCertificateInfo(
string Thumbprint,
string Subject,
string Issuer,
DateTimeOffset NotBefore,
DateTimeOffset NotAfter,
string? KeyId,
RootType RootType);

70
src/Attestor/__Libraries/StellaOps.Attestor.Offline/Abstractions/IOfflineVerifier.cs Normal file
View File

@@ -0,0 +1,70 @@
// -----------------------------------------------------------------------------
// IOfflineVerifier.cs
// Sprint: SPRINT_20251226_003_ATTESTOR_offline_verification
// Task: 0005 - Implement IOfflineVerifier interface
// Description: Interface for offline verification of attestation bundles
// -----------------------------------------------------------------------------
using StellaOps.Attestor.Bundling.Models;
using StellaOps.Attestor.Offline.Models;
namespace StellaOps.Attestor.Offline.Abstractions;
/// <summary>
/// Service for offline verification of attestation bundles.
/// Enables air-gapped environments to verify attestations using bundled proofs
/// and locally stored root certificates.
/// </summary>
public interface IOfflineVerifier
{
/// <summary>
/// Verify an attestation bundle offline.
/// </summary>
/// <param name="bundle">The attestation bundle to verify.</param>
/// <param name="options">Verification options.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Verification result with detailed status.</returns>
Task<OfflineVerificationResult> VerifyBundleAsync(
AttestationBundle bundle,
OfflineVerificationOptions? options = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Verify a single attestation within a bundle offline.
/// </summary>
/// <param name="attestation">The attestation to verify.</param>
/// <param name="options">Verification options.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Verification result for the single attestation.</returns>
Task<OfflineVerificationResult> VerifyAttestationAsync(
BundledAttestation attestation,
OfflineVerificationOptions? options = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Verify an attestation for a specific artifact digest.
/// Looks up the attestation in the bundle by artifact digest.
/// </summary>
/// <param name="artifactDigest">The artifact digest to look up.</param>
/// <param name="bundlePath">Path to the bundle file.</param>
/// <param name="options">Verification options.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Verification result for attestations covering the artifact.</returns>
Task<OfflineVerificationResult> VerifyByArtifactAsync(
string artifactDigest,
string bundlePath,
OfflineVerificationOptions? options = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Get verification summaries for all attestations in a bundle.
/// </summary>
/// <param name="bundle">The bundle to summarize.</param>
/// <param name="options">Verification options.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>List of attestation verification summaries.</returns>
Task<IReadOnlyList<AttestationVerificationSummary>> GetVerificationSummariesAsync(
AttestationBundle bundle,
OfflineVerificationOptions? options = null,
CancellationToken cancellationToken = default);
}

112
src/Attestor/__Libraries/StellaOps.Attestor.Offline/Models/OfflineVerificationResult.cs Normal file
View File

@@ -0,0 +1,112 @@
// -----------------------------------------------------------------------------
// OfflineVerificationResult.cs
// Sprint: SPRINT_20251226_003_ATTESTOR_offline_verification
// Task: 0002 - Define OfflineVerificationResult and options
// Description: Models for offline verification results
// -----------------------------------------------------------------------------
namespace StellaOps.Attestor.Offline.Models;
/// <summary>
/// Result of offline verification of an attestation bundle.
/// </summary>
/// <param name="Valid">Whether all verification checks passed.</param>
/// <param name="MerkleProofValid">Whether the Merkle proof verification passed.</param>
/// <param name="SignaturesValid">Whether all DSSE signatures are valid.</param>
/// <param name="CertificateChainValid">Whether certificate chains validate to trusted roots.</param>
/// <param name="OrgSignatureValid">Whether the organization signature is valid.</param>
/// <param name="OrgSignatureKeyId">Key ID used for org signature (if present).</param>
/// <param name="VerifiedAt">Timestamp when verification was performed.</param>
/// <param name="Issues">List of verification issues found.</param>
public record OfflineVerificationResult(
bool Valid,
bool MerkleProofValid,
bool SignaturesValid,
bool CertificateChainValid,
bool OrgSignatureValid,
string? OrgSignatureKeyId,
DateTimeOffset VerifiedAt,
IReadOnlyList<VerificationIssue> Issues);
/// <summary>
/// A single verification issue.
/// </summary>
/// <param name="Severity">Issue severity level.</param>
/// <param name="Code">Machine-readable issue code.</param>
/// <param name="Message">Human-readable message.</param>
/// <param name="AttestationId">Related attestation ID, if applicable.</param>
public record VerificationIssue(
VerificationIssueSeverity Severity,
string Code,
string Message,
string? AttestationId = null);
/// <summary>
/// Severity levels for verification issues.
/// </summary>
public enum VerificationIssueSeverity
{
/// <summary>Informational message.</summary>
Info,
/// <summary>Warning that may affect trust.</summary>
Warning,
/// <summary>Error that affects verification.</summary>
Error,
/// <summary>Critical error that invalidates verification.</summary>
Critical
}
/// <summary>
/// Options for offline verification.
/// </summary>
/// <param name="VerifyMerkleProof">Whether to verify Merkle inclusion proofs.</param>
/// <param name="VerifySignatures">Whether to verify DSSE signatures.</param>
/// <param name="VerifyCertificateChain">Whether to verify certificate chains.</param>
/// <param name="VerifyOrgSignature">Whether to verify organization signature.</param>
/// <param name="RequireOrgSignature">Fail if org signature is missing.</param>
/// <param name="FulcioRootPath">Path to Fulcio root certificates (overrides default).</param>
/// <param name="OrgKeyPath">Path to organization signing keys (overrides default).</param>
/// <param name="StrictMode">Enable strict verification (all checks must pass).</param>
public record OfflineVerificationOptions(
bool VerifyMerkleProof = true,
bool VerifySignatures = true,
bool VerifyCertificateChain = true,
bool VerifyOrgSignature = true,
bool RequireOrgSignature = false,
string? FulcioRootPath = null,
string? OrgKeyPath = null,
bool StrictMode = false);
/// <summary>
/// Summary of an attestation for verification reporting.
/// </summary>
/// <param name="EntryId">Attestation entry ID.</param>
/// <param name="ArtifactDigest">Artifact digest covered by this attestation.</param>
/// <param name="PredicateType">Predicate type.</param>
/// <param name="SignedAt">When the attestation was signed.</param>
/// <param name="SigningIdentity">Identity that signed the attestation.</param>
/// <param name="VerificationStatus">Status of this attestation's verification.</param>
public record AttestationVerificationSummary(
string EntryId,
string ArtifactDigest,
string PredicateType,
DateTimeOffset SignedAt,
string? SigningIdentity,
AttestationVerificationStatus VerificationStatus);
/// <summary>
/// Verification status of an individual attestation.
/// </summary>
public enum AttestationVerificationStatus
{
/// <summary>Verification passed.</summary>
Valid,
/// <summary>Signature verification failed.</summary>
InvalidSignature,
/// <summary>Certificate chain verification failed.</summary>
InvalidCertificateChain,
/// <summary>Merkle inclusion proof failed.</summary>
InvalidMerkleProof,
/// <summary>Verification encountered an error.</summary>
Error
}

430
src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/FileSystemRootStore.cs Normal file
View File

@@ -0,0 +1,430 @@
// -----------------------------------------------------------------------------
// FileSystemRootStore.cs
// Sprint: SPRINT_20251226_003_ATTESTOR_offline_verification
// Task: 0004 - Implement FileSystemRootStore
// Description: File-based root certificate store for offline verification
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Attestor.Offline.Abstractions;
namespace StellaOps.Attestor.Offline.Services;
/// <summary>
/// File system-based implementation of IOfflineRootStore.
/// Loads root certificates from configured paths for offline verification.
/// </summary>
public sealed class FileSystemRootStore : IOfflineRootStore
{
private readonly ILogger<FileSystemRootStore> _logger;
private readonly OfflineRootStoreOptions _options;
private X509Certificate2Collection? _fulcioRoots;
private X509Certificate2Collection? _orgSigningKeys;
private X509Certificate2Collection? _rekorKeys;
private readonly SemaphoreSlim _loadLock = new(1, 1);
/// <summary>
/// Create a new file system root store.
/// </summary>
public FileSystemRootStore(
ILogger<FileSystemRootStore> logger,
IOptions<OfflineRootStoreOptions> options)
{
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_options = options?.Value ?? new OfflineRootStoreOptions();
}
/// <inheritdoc />
public async Task<X509Certificate2Collection> GetFulcioRootsAsync(
CancellationToken cancellationToken = default)
{
if (_fulcioRoots == null)
{
await LoadRootsAsync(RootType.Fulcio, cancellationToken);
}
return _fulcioRoots ?? new X509Certificate2Collection();
}
/// <inheritdoc />
public async Task<X509Certificate2Collection> GetOrgSigningKeysAsync(
CancellationToken cancellationToken = default)
{
if (_orgSigningKeys == null)
{
await LoadRootsAsync(RootType.OrgSigning, cancellationToken);
}
return _orgSigningKeys ?? new X509Certificate2Collection();
}
/// <inheritdoc />
public async Task<X509Certificate2Collection> GetRekorKeysAsync(
CancellationToken cancellationToken = default)
{
if (_rekorKeys == null)
{
await LoadRootsAsync(RootType.Rekor, cancellationToken);
}
return _rekorKeys ?? new X509Certificate2Collection();
}
/// <inheritdoc />
public async Task ImportRootsAsync(
string pemPath,
RootType rootType,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(pemPath);
if (!File.Exists(pemPath))
{
throw new FileNotFoundException($"PEM file not found: {pemPath}");
}
_logger.LogInformation("Importing {RootType} roots from {Path}", rootType, pemPath);
var pemContent = await File.ReadAllTextAsync(pemPath, cancellationToken);
var certs = ParsePemCertificates(pemContent);
if (certs.Count == 0)
{
throw new InvalidOperationException($"No certificates found in {pemPath}");
}
// Get target directory based on root type
var targetDir = GetRootDirectory(rootType);
Directory.CreateDirectory(targetDir);
// Save each certificate
foreach (var cert in certs)
{
var thumbprint = ComputeThumbprint(cert);
var targetPath = Path.Combine(targetDir, $"{thumbprint}.pem");
var pemBytes = Encoding.UTF8.GetBytes(
"-----BEGIN CERTIFICATE-----\n" +
Convert.ToBase64String(cert.RawData, Base64FormattingOptions.InsertLineBreaks) +
"\n-----END CERTIFICATE-----\n");
await File.WriteAllBytesAsync(targetPath, pemBytes, cancellationToken);
_logger.LogInformation(
"Imported certificate {Subject} with thumbprint {Thumbprint}",
cert.Subject,
thumbprint);
}
// Invalidate cache to reload
InvalidateCache(rootType);
_logger.LogInformation("Imported {Count} {RootType} certificates", certs.Count, rootType);
}
/// <inheritdoc />
public async Task<X509Certificate2?> GetOrgKeyByIdAsync(
string keyId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(keyId);
var keys = await GetOrgSigningKeysAsync(cancellationToken);
foreach (var cert in keys)
{
// Check various key identifier extensions
var ski = cert.Extensions["2.5.29.14"]; // Subject Key Identifier
if (ski != null)
{
var skiData = ski.RawData;
var skiHex = Convert.ToHexString(skiData).ToLowerInvariant();
if (skiHex.Contains(keyId, StringComparison.OrdinalIgnoreCase))
{
return cert;
}
}
// Also check thumbprint
if (ComputeThumbprint(cert).Equals(keyId, StringComparison.OrdinalIgnoreCase))
{
return cert;
}
}
return null;
}
/// <inheritdoc />
public async Task<IReadOnlyList<RootCertificateInfo>> ListRootsAsync(
RootType rootType,
CancellationToken cancellationToken = default)
{
var certs = rootType switch
{
RootType.Fulcio => await GetFulcioRootsAsync(cancellationToken),
RootType.OrgSigning => await GetOrgSigningKeysAsync(cancellationToken),
RootType.Rekor => await GetRekorKeysAsync(cancellationToken),
_ => throw new ArgumentOutOfRangeException(nameof(rootType))
};
var result = new List<RootCertificateInfo>();
foreach (var cert in certs)
{
result.Add(new RootCertificateInfo(
Thumbprint: ComputeThumbprint(cert),
Subject: cert.Subject,
Issuer: cert.Issuer,
NotBefore: new DateTimeOffset(cert.NotBefore.ToUniversalTime(), TimeSpan.Zero),
NotAfter: new DateTimeOffset(cert.NotAfter.ToUniversalTime(), TimeSpan.Zero),
KeyId: GetSubjectKeyIdentifier(cert),
RootType: rootType));
}
return result;
}
private async Task LoadRootsAsync(RootType rootType, CancellationToken cancellationToken)
{
await _loadLock.WaitAsync(cancellationToken);
try
{
// Double-check after acquiring lock
if (GetCachedCollection(rootType) != null)
{
return;
}
var path = GetRootPath(rootType);
var collection = new X509Certificate2Collection();
if (!string.IsNullOrEmpty(path))
{
if (File.Exists(path))
{
// Single file
var certs = await LoadPemFileAsync(path, cancellationToken);
collection.AddRange(certs);
}
else if (Directory.Exists(path))
{
// Directory of PEM files
foreach (var file in Directory.EnumerateFiles(path, "*.pem"))
{
var certs = await LoadPemFileAsync(file, cancellationToken);
collection.AddRange(certs);
}
}
}
// Also try Offline Kit path if configured
var offlineKitPath = GetOfflineKitPath(rootType);
if (!string.IsNullOrEmpty(offlineKitPath) && Directory.Exists(offlineKitPath))
{
foreach (var file in Directory.EnumerateFiles(offlineKitPath, "*.pem"))
{
var certs = await LoadPemFileAsync(file, cancellationToken);
collection.AddRange(certs);
}
}
SetCachedCollection(rootType, collection);
_logger.LogInformation(
"Loaded {Count} {RootType} certificates",
collection.Count,
rootType);
}
finally
{
_loadLock.Release();
}
}
private async Task<X509Certificate2Collection> LoadPemFileAsync(
string path,
CancellationToken cancellationToken)
{
var pemContent = await File.ReadAllTextAsync(path, cancellationToken);
return ParsePemCertificates(pemContent);
}
private static X509Certificate2Collection ParsePemCertificates(string pemContent)
{
var collection = new X509Certificate2Collection();
const string beginMarker = "-----BEGIN CERTIFICATE-----";
const string endMarker = "-----END CERTIFICATE-----";
var startIndex = 0;
while (true)
{
var begin = pemContent.IndexOf(beginMarker, startIndex, StringComparison.Ordinal);
if (begin < 0)
{
break;
}
var end = pemContent.IndexOf(endMarker, begin, StringComparison.Ordinal);
if (end < 0)
{
break;
}
var base64Start = begin + beginMarker.Length;
var base64Content = pemContent[base64Start..end]
.Replace("\r", "")
.Replace("\n", "")
.Trim();
var certBytes = Convert.FromBase64String(base64Content);
collection.Add(new X509Certificate2(certBytes));
startIndex = end + endMarker.Length;
}
return collection;
}
private string GetRootPath(RootType rootType) => rootType switch
{
RootType.Fulcio => _options.FulcioBundlePath ?? "",
RootType.OrgSigning => _options.OrgSigningBundlePath ?? "",
RootType.Rekor => _options.RekorBundlePath ?? "",
_ => ""
};
private string GetRootDirectory(RootType rootType) => rootType switch
{
RootType.Fulcio => _options.FulcioBundlePath ?? Path.Combine(_options.BaseRootPath, "fulcio"),
RootType.OrgSigning => _options.OrgSigningBundlePath ?? Path.Combine(_options.BaseRootPath, "org-signing"),
RootType.Rekor => _options.RekorBundlePath ?? Path.Combine(_options.BaseRootPath, "rekor"),
_ => _options.BaseRootPath
};
private string? GetOfflineKitPath(RootType rootType)
{
if (string.IsNullOrEmpty(_options.OfflineKitPath))
{
return null;
}
return rootType switch
{
RootType.Fulcio => Path.Combine(_options.OfflineKitPath, "roots", "fulcio"),
RootType.OrgSigning => Path.Combine(_options.OfflineKitPath, "roots", "org-signing"),
RootType.Rekor => Path.Combine(_options.OfflineKitPath, "roots", "rekor"),
_ => null
};
}
private X509Certificate2Collection? GetCachedCollection(RootType rootType) => rootType switch
{
RootType.Fulcio => _fulcioRoots,
RootType.OrgSigning => _orgSigningKeys,
RootType.Rekor => _rekorKeys,
_ => null
};
private void SetCachedCollection(RootType rootType, X509Certificate2Collection collection)
{
switch (rootType)
{
case RootType.Fulcio:
_fulcioRoots = collection;
break;
case RootType.OrgSigning:
_orgSigningKeys = collection;
break;
case RootType.Rekor:
_rekorKeys = collection;
break;
}
}
private void InvalidateCache(RootType rootType)
{
switch (rootType)
{
case RootType.Fulcio:
_fulcioRoots = null;
break;
case RootType.OrgSigning:
_orgSigningKeys = null;
break;
case RootType.Rekor:
_rekorKeys = null;
break;
}
}
private static string ComputeThumbprint(X509Certificate2 cert)
{
var hash = SHA256.HashData(cert.RawData);
return Convert.ToHexString(hash).ToLowerInvariant();
}
private static string? GetSubjectKeyIdentifier(X509Certificate2 cert)
{
var extension = cert.Extensions["2.5.29.14"];
if (extension == null)
{
return null;
}
// Skip the ASN.1 header (typically 2 bytes for OCTET STRING)
var data = extension.RawData;
if (data.Length > 2 && data[0] == 0x04) // OCTET STRING
{
var length = data[1];
if (data.Length >= 2 + length)
{
return Convert.ToHexString(data[2..(2 + length)]).ToLowerInvariant();
}
}
return Convert.ToHexString(data).ToLowerInvariant();
}
}
/// <summary>
/// Configuration options for the file system root store.
/// </summary>
public sealed class OfflineRootStoreOptions
{
/// <summary>
/// Base path for all root certificates.
/// </summary>
public string BaseRootPath { get; set; } = "/etc/stellaops/roots";
/// <summary>
/// Path to Fulcio root certificates (file or directory).
/// </summary>
public string? FulcioBundlePath { get; set; }
/// <summary>
/// Path to organization signing keys (file or directory).
/// </summary>
public string? OrgSigningBundlePath { get; set; }
/// <summary>
/// Path to Rekor public keys (file or directory).
/// </summary>
public string? RekorBundlePath { get; set; }
/// <summary>
/// Path to Offline Kit installation.
/// </summary>
public string? OfflineKitPath { get; set; }
/// <summary>
/// Whether to use roots from the Offline Kit.
/// </summary>
public bool UseOfflineKit { get; set; } = true;
}

747
src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/OfflineVerifier.cs Normal file
View File

@@ -0,0 +1,747 @@
// -----------------------------------------------------------------------------
// OfflineVerifier.cs
// Sprint: SPRINT_20251226_003_ATTESTOR_offline_verification
// Task: 0006 - Implement OfflineVerifier service
// Description: Offline verification service for attestation bundles
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Models;
using StellaOps.Attestor.Offline.Abstractions;
using StellaOps.Attestor.Offline.Models;
using StellaOps.Attestor.ProofChain.Merkle;
// Alias to resolve ambiguity with Bundling.Abstractions.VerificationIssueSeverity
using Severity = StellaOps.Attestor.Offline.Models.VerificationIssueSeverity;
namespace StellaOps.Attestor.Offline.Services;
/// <summary>
/// Offline verification service for attestation bundles.
/// Enables air-gapped environments to verify attestations using bundled proofs.
/// </summary>
public sealed class OfflineVerifier : IOfflineVerifier
{
private readonly IOfflineRootStore _rootStore;
private readonly IMerkleTreeBuilder _merkleBuilder;
private readonly IOrgKeySigner? _orgSigner;
private readonly ILogger<OfflineVerifier> _logger;
private readonly OfflineVerificationConfig _config;
/// <summary>
/// Create a new offline verifier.
/// </summary>
public OfflineVerifier(
IOfflineRootStore rootStore,
IMerkleTreeBuilder merkleBuilder,
ILogger<OfflineVerifier> logger,
IOptions<OfflineVerificationConfig> config,
IOrgKeySigner? orgSigner = null)
{
_rootStore = rootStore ?? throw new ArgumentNullException(nameof(rootStore));
_merkleBuilder = merkleBuilder ?? throw new ArgumentNullException(nameof(merkleBuilder));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_config = config?.Value ?? new OfflineVerificationConfig();
_orgSigner = orgSigner;
}
/// <inheritdoc />
public async Task<OfflineVerificationResult> VerifyBundleAsync(
AttestationBundle bundle,
OfflineVerificationOptions? options = null,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(bundle);
options ??= new OfflineVerificationOptions();
var issues = new List<VerificationIssue>();
var verifiedAt = DateTimeOffset.UtcNow;
_logger.LogInformation(
"Starting offline verification of bundle {BundleId} with {Count} attestations",
bundle.Metadata.BundleId,
bundle.Attestations.Count);
// 1. Verify bundle Merkle root
var merkleValid = true;
if (options.VerifyMerkleProof)
{
merkleValid = VerifyMerkleTree(bundle, issues);
}
// 2. Verify org signature (if present and required)
var orgSigValid = true;
string? orgSigKeyId = null;
if (bundle.OrgSignature != null)
{
orgSigKeyId = bundle.OrgSignature.KeyId;
if (options.VerifyOrgSignature)
{
orgSigValid = await VerifyOrgSignatureAsync(bundle, issues, cancellationToken);
}
}
else if (options.RequireOrgSignature)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"ORG_SIG_MISSING",
"Required organization signature is missing"));
orgSigValid = false;
}
// 3. Verify each attestation
var signaturesValid = true;
var certsValid = true;
if (options.VerifySignatures || options.VerifyCertificateChain)
{
var fulcioRoots = options.VerifyCertificateChain
? await _rootStore.GetFulcioRootsAsync(cancellationToken)
: null;
foreach (var attestation in bundle.Attestations)
{
// Verify DSSE signature
if (options.VerifySignatures)
{
var sigValid = VerifyDsseSignature(attestation, issues);
if (!sigValid)
{
signaturesValid = false;
}
}
// Verify certificate chain
if (options.VerifyCertificateChain && fulcioRoots != null)
{
var chainValid = VerifyCertificateChain(attestation, fulcioRoots, issues);
if (!chainValid)
{
certsValid = false;
}
}
// Verify Rekor inclusion proof (if present)
if (options.VerifyMerkleProof && attestation.InclusionProof != null)
{
VerifyRekorInclusionProof(attestation, issues);
}
}
}
var valid = merkleValid && signaturesValid && certsValid && orgSigValid;
if (options.StrictMode && issues.Any(i => i.Severity >= Severity.Warning))
{
valid = false;
}
_logger.LogInformation(
"Offline verification of bundle {BundleId} completed: {Status}",
bundle.Metadata.BundleId,
valid ? "VALID" : "INVALID");
return new OfflineVerificationResult(
Valid: valid,
MerkleProofValid: merkleValid,
SignaturesValid: signaturesValid,
CertificateChainValid: certsValid,
OrgSignatureValid: orgSigValid,
OrgSignatureKeyId: orgSigKeyId,
VerifiedAt: verifiedAt,
Issues: issues);
}
/// <inheritdoc />
public async Task<OfflineVerificationResult> VerifyAttestationAsync(
BundledAttestation attestation,
OfflineVerificationOptions? options = null,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(attestation);
options ??= new OfflineVerificationOptions();
var issues = new List<VerificationIssue>();
var verifiedAt = DateTimeOffset.UtcNow;
_logger.LogInformation(
"Starting offline verification of attestation {EntryId}",
attestation.EntryId);
var signaturesValid = true;
var certsValid = true;
var merkleValid = true;
// Verify DSSE signature
if (options.VerifySignatures)
{
signaturesValid = VerifyDsseSignature(attestation, issues);
}
// Verify certificate chain
if (options.VerifyCertificateChain)
{
var fulcioRoots = await _rootStore.GetFulcioRootsAsync(cancellationToken);
certsValid = VerifyCertificateChain(attestation, fulcioRoots, issues);
}
// Verify Rekor inclusion proof
if (options.VerifyMerkleProof && attestation.InclusionProof != null)
{
merkleValid = VerifyRekorInclusionProof(attestation, issues);
}
var valid = signaturesValid && certsValid && merkleValid;
return new OfflineVerificationResult(
Valid: valid,
MerkleProofValid: merkleValid,
SignaturesValid: signaturesValid,
CertificateChainValid: certsValid,
OrgSignatureValid: true, // Not applicable for single attestation
OrgSignatureKeyId: null,
VerifiedAt: verifiedAt,
Issues: issues);
}
/// <inheritdoc />
public async Task<OfflineVerificationResult> VerifyByArtifactAsync(
string artifactDigest,
string bundlePath,
OfflineVerificationOptions? options = null,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(artifactDigest);
ArgumentException.ThrowIfNullOrWhiteSpace(bundlePath);
_logger.LogInformation(
"Loading bundle from {Path} to verify artifact {Digest}",
bundlePath,
artifactDigest);
// Load bundle from file
var bundle = await LoadBundleAsync(bundlePath, cancellationToken);
// Find attestations for this artifact
var matchingAttestations = bundle.Attestations
.Where(a => a.ArtifactDigest.Equals(artifactDigest, StringComparison.OrdinalIgnoreCase))
.ToList();
if (matchingAttestations.Count == 0)
{
return new OfflineVerificationResult(
Valid: false,
MerkleProofValid: false,
SignaturesValid: false,
CertificateChainValid: false,
OrgSignatureValid: false,
OrgSignatureKeyId: null,
VerifiedAt: DateTimeOffset.UtcNow,
Issues: new List<VerificationIssue>
{
new(Severity.Critical,
"ARTIFACT_NOT_FOUND",
$"No attestations found for artifact {artifactDigest}")
});
}
// Create a filtered bundle with only matching attestations
var filteredBundle = bundle with
{
Attestations = matchingAttestations
};
return await VerifyBundleAsync(filteredBundle, options, cancellationToken);
}
/// <inheritdoc />
public async Task<IReadOnlyList<AttestationVerificationSummary>> GetVerificationSummariesAsync(
AttestationBundle bundle,
OfflineVerificationOptions? options = null,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(bundle);
options ??= new OfflineVerificationOptions();
var summaries = new List<AttestationVerificationSummary>();
var fulcioRoots = options.VerifyCertificateChain
? await _rootStore.GetFulcioRootsAsync(cancellationToken)
: null;
foreach (var attestation in bundle.Attestations)
{
var issues = new List<VerificationIssue>();
var status = AttestationVerificationStatus.Valid;
// Verify signature
if (options.VerifySignatures && !VerifyDsseSignature(attestation, issues))
{
status = AttestationVerificationStatus.InvalidSignature;
}
// Verify certificate chain
if (status == AttestationVerificationStatus.Valid &&
options.VerifyCertificateChain &&
fulcioRoots != null &&
!VerifyCertificateChain(attestation, fulcioRoots, issues))
{
status = AttestationVerificationStatus.InvalidCertificateChain;
}
// Verify Merkle proof
if (status == AttestationVerificationStatus.Valid &&
options.VerifyMerkleProof &&
attestation.InclusionProof != null &&
!VerifyRekorInclusionProof(attestation, issues))
{
status = AttestationVerificationStatus.InvalidMerkleProof;
}
// Get signing identity
var identity = attestation.SigningIdentity.Subject ??
attestation.SigningIdentity.San ??
attestation.SigningIdentity.KeyId;
summaries.Add(new AttestationVerificationSummary(
EntryId: attestation.EntryId,
ArtifactDigest: attestation.ArtifactDigest,
PredicateType: attestation.PredicateType,
SignedAt: attestation.SignedAt,
SigningIdentity: identity,
VerificationStatus: status));
}
return summaries;
}
private bool VerifyMerkleTree(AttestationBundle bundle, List<VerificationIssue> issues)
{
try
{
// Sort attestations deterministically
var sortedAttestations = bundle.Attestations
.OrderBy(a => a.EntryId, StringComparer.Ordinal)
.ToList();
// Create leaf values from entry IDs
var leafValues = sortedAttestations
.Select(a => (ReadOnlyMemory<byte>)Encoding.UTF8.GetBytes(a.EntryId))
.ToList();
var computedRoot = _merkleBuilder.ComputeMerkleRoot(leafValues);
var computedRootHex = $"sha256:{Convert.ToHexString(computedRoot).ToLowerInvariant()}";
if (computedRootHex != bundle.MerkleTree.Root)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"MERKLE_ROOT_MISMATCH",
$"Computed Merkle root {computedRootHex} does not match bundle root {bundle.MerkleTree.Root}"));
return false;
}
_logger.LogDebug("Merkle root verified: {Root}", bundle.MerkleTree.Root);
return true;
}
catch (Exception ex)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"MERKLE_VERIFY_ERROR",
$"Failed to verify Merkle root: {ex.Message}"));
return false;
}
}
private async Task<bool> VerifyOrgSignatureAsync(
AttestationBundle bundle,
List<VerificationIssue> issues,
CancellationToken cancellationToken)
{
if (bundle.OrgSignature == null)
{
return true;
}
try
{
// Compute bundle digest
var digestData = ComputeBundleDigest(bundle);
// Try using the org signer if available
if (_orgSigner != null)
{
var valid = await _orgSigner.VerifyBundleAsync(
digestData,
bundle.OrgSignature,
cancellationToken);
if (!valid)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"ORG_SIG_INVALID",
$"Organization signature verification failed for key {bundle.OrgSignature.KeyId}"));
}
return valid;
}
// Try using certificate from root store
var cert = await _rootStore.GetOrgKeyByIdAsync(
bundle.OrgSignature.KeyId,
cancellationToken);
if (cert == null)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"ORG_KEY_NOT_FOUND",
$"Organization key {bundle.OrgSignature.KeyId} not found in root store"));
return false;
}
// Verify signature using the certificate
var signatureBytes = Convert.FromBase64String(bundle.OrgSignature.Signature);
var algorithm = bundle.OrgSignature.Algorithm switch
{
"ECDSA_P256" => HashAlgorithmName.SHA256,
"Ed25519" => HashAlgorithmName.SHA256, // Ed25519 handles its own hashing
"RSA_PSS_SHA256" => HashAlgorithmName.SHA256,
_ => HashAlgorithmName.SHA256
};
using var pubKey = cert.GetECDsaPublicKey();
if (pubKey != null)
{
var valid = pubKey.VerifyData(digestData, signatureBytes, algorithm);
if (!valid)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"ORG_SIG_INVALID",
$"ECDSA signature verification failed"));
}
return valid;
}
using var rsaKey = cert.GetRSAPublicKey();
if (rsaKey != null)
{
var valid = rsaKey.VerifyData(
digestData,
signatureBytes,
algorithm,
RSASignaturePadding.Pss);
if (!valid)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"ORG_SIG_INVALID",
$"RSA signature verification failed"));
}
return valid;
}
issues.Add(new VerificationIssue(
Severity.Critical,
"ORG_KEY_UNSUPPORTED",
$"Unsupported key type for organization signature verification"));
return false;
}
catch (Exception ex)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"ORG_SIG_VERIFY_ERROR",
$"Failed to verify organization signature: {ex.Message}"));
return false;
}
}
private bool VerifyDsseSignature(BundledAttestation attestation, List<VerificationIssue> issues)
{
try
{
if (attestation.Envelope.Signatures.Count == 0)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"DSSE_NO_SIGNATURES",
$"No signatures in DSSE envelope for {attestation.EntryId}",
attestation.EntryId));
return false;
}
// Verify at least one signature is present and has non-empty sig
foreach (var sig in attestation.Envelope.Signatures)
{
if (string.IsNullOrWhiteSpace(sig.Sig))
{
issues.Add(new VerificationIssue(
Severity.Critical,
"DSSE_EMPTY_SIG",
$"Empty signature in DSSE envelope for {attestation.EntryId}",
attestation.EntryId));
return false;
}
}
// Full cryptographic verification requires the certificate chain
// Here we just validate structure; chain verification handles crypto
_logger.LogDebug("DSSE envelope structure verified for {EntryId}", attestation.EntryId);
return true;
}
catch (Exception ex)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"DSSE_VERIFY_ERROR",
$"Failed to verify DSSE signature for {attestation.EntryId}: {ex.Message}",
attestation.EntryId));
return false;
}
}
private bool VerifyCertificateChain(
BundledAttestation attestation,
X509Certificate2Collection fulcioRoots,
List<VerificationIssue> issues)
{
try
{
if (attestation.Envelope.CertificateChain == null ||
attestation.Envelope.CertificateChain.Count == 0)
{
// Keyful attestations may not have certificate chains
if (attestation.SigningMode == "keyless")
{
issues.Add(new VerificationIssue(
Severity.Critical,
"CERT_CHAIN_MISSING",
$"Keyless attestation {attestation.EntryId} missing certificate chain",
attestation.EntryId));
return false;
}
return true; // Non-keyless attestations may use other verification
}
// Parse leaf certificate
var leafPem = attestation.Envelope.CertificateChain[0];
var leafCert = ParseCertificateFromPem(leafPem);
if (leafCert == null)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"CERT_PARSE_FAILED",
$"Failed to parse leaf certificate for {attestation.EntryId}",
attestation.EntryId));
return false;
}
// Build chain
using var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // Offline mode
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
// Add intermediates
foreach (var certPem in attestation.Envelope.CertificateChain.Skip(1))
{
var cert = ParseCertificateFromPem(certPem);
if (cert != null)
{
chain.ChainPolicy.ExtraStore.Add(cert);
}
}
// Add Fulcio roots
foreach (var root in fulcioRoots)
{
chain.ChainPolicy.ExtraStore.Add(root);
}
// Build and verify
var built = chain.Build(leafCert);
if (!built)
{
var statusInfo = string.Join(", ",
chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation}"));
issues.Add(new VerificationIssue(
Severity.Warning,
"CERT_CHAIN_BUILD_FAILED",
$"Certificate chain build failed for {attestation.EntryId}: {statusInfo}",
attestation.EntryId));
}
// Verify chain terminates at a Fulcio root
var chainRoot = chain.ChainElements[^1].Certificate;
var matchesRoot = fulcioRoots.Any(r =>
r.Thumbprint.Equals(chainRoot.Thumbprint, StringComparison.OrdinalIgnoreCase));
if (!matchesRoot)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"CERT_CHAIN_UNTRUSTED",
$"Certificate chain for {attestation.EntryId} does not terminate at trusted Fulcio root",
attestation.EntryId));
return false;
}
_logger.LogDebug("Certificate chain verified for {EntryId}", attestation.EntryId);
return true;
}
catch (Exception ex)
{
issues.Add(new VerificationIssue(
Severity.Critical,
"CERT_VERIFY_ERROR",
$"Failed to verify certificate chain for {attestation.EntryId}: {ex.Message}",
attestation.EntryId));
return false;
}
}
private bool VerifyRekorInclusionProof(
BundledAttestation attestation,
List<VerificationIssue> issues)
{
try
{
if (attestation.InclusionProof == null)
{
return true; // Not required if not present
}
// Basic validation of proof structure
if (attestation.InclusionProof.Path.Count == 0)
{
issues.Add(new VerificationIssue(
Severity.Warning,
"REKOR_PROOF_EMPTY",
$"Empty Rekor inclusion proof path for {attestation.EntryId}",
attestation.EntryId));
}
if (string.IsNullOrEmpty(attestation.InclusionProof.Checkpoint.RootHash))
{
issues.Add(new VerificationIssue(
Severity.Warning,
"REKOR_CHECKPOINT_MISSING",
$"Missing Rekor checkpoint root hash for {attestation.EntryId}",
attestation.EntryId));
return false;
}
// Full verification would recompute the Merkle path
// For offline verification, we trust the bundled proof
_logger.LogDebug(
"Rekor inclusion proof present for {EntryId} at index {Index}",
attestation.EntryId,
attestation.RekorLogIndex);
return true;
}
catch (Exception ex)
{
issues.Add(new VerificationIssue(
Severity.Warning,
"REKOR_PROOF_ERROR",
$"Failed to verify Rekor inclusion proof for {attestation.EntryId}: {ex.Message}",
attestation.EntryId));
return false;
}
}
private static byte[] ComputeBundleDigest(AttestationBundle bundle)
{
var sb = new StringBuilder();
sb.Append(bundle.MerkleTree.Root);
foreach (var attestation in bundle.Attestations.OrderBy(a => a.EntryId, StringComparer.Ordinal))
{
sb.Append('\n');
sb.Append(attestation.EntryId);
}
return SHA256.HashData(Encoding.UTF8.GetBytes(sb.ToString()));
}
private static X509Certificate2? ParseCertificateFromPem(string pem)
{
try
{
const string beginMarker = "-----BEGIN CERTIFICATE-----";
const string endMarker = "-----END CERTIFICATE-----";
var begin = pem.IndexOf(beginMarker, StringComparison.Ordinal);
var end = pem.IndexOf(endMarker, StringComparison.Ordinal);
if (begin < 0 || end < 0)
{
// Try as raw base64
var certBytes = Convert.FromBase64String(pem.Trim());
return new X509Certificate2(certBytes);
}
var base64Start = begin + beginMarker.Length;
var base64Content = pem[base64Start..end]
.Replace("\r", "")
.Replace("\n", "")
.Trim();
var bytes = Convert.FromBase64String(base64Content);
return new X509Certificate2(bytes);
}
catch
{
return null;
}
}
private static async Task<AttestationBundle> LoadBundleAsync(
string path,
CancellationToken cancellationToken)
{
await using var stream = File.OpenRead(path);
var bundle = await JsonSerializer.DeserializeAsync<AttestationBundle>(
stream,
cancellationToken: cancellationToken);
return bundle ?? throw new InvalidOperationException($"Failed to deserialize bundle from {path}");
}
}
/// <summary>
/// Configuration for offline verification.
/// </summary>
public sealed class OfflineVerificationConfig
{
/// <summary>
/// Enable strict mode by default.
/// </summary>
public bool StrictModeDefault { get; set; }
/// <summary>
/// Require organization signature by default.
/// </summary>
public bool RequireOrgSignatureDefault { get; set; }
/// <summary>
/// Allow verification of unbundled attestations.
/// </summary>
public bool AllowUnbundled { get; set; } = true;
/// <summary>
/// Maximum bundle cache size in MB.
/// </summary>
public int MaxCacheSizeMb { get; set; } = 1024;
}

26
src/Attestor/__Libraries/StellaOps.Attestor.Offline/StellaOps.Attestor.Offline.csproj Normal file
View File

@@ -0,0 +1,26 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<RootNamespace>StellaOps.Attestor.Offline</RootNamespace>
<Description>Offline verification of attestation bundles for air-gapped environments.</Description>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="BouncyCastle.Cryptography" Version="2.6.2" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Canonical.Json\StellaOps.Canonical.Json.csproj" />
<ProjectReference Include="..\StellaOps.Attestor.ProofChain\StellaOps.Attestor.ProofChain.csproj" />
<ProjectReference Include="..\StellaOps.Attestor.Bundle\StellaOps.Attestor.Bundle.csproj" />
<ProjectReference Include="..\StellaOps.Attestor.Bundling\StellaOps.Attestor.Bundling.csproj" />
<ProjectReference Include="..\..\StellaOps.Attestor.Envelope\StellaOps.Attestor.Envelope.csproj" />
<ProjectReference Include="..\..\StellaOps.Attestor.Verify\StellaOps.Attestor.Verify.csproj" />
</ItemGroup>
</Project>

374
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain.Tests/AI/AIAuthorityClassifierTests.cs Normal file
View File

@@ -0,0 +1,374 @@
using StellaOps.Attestor.ProofChain.Predicates.AI;
using Xunit;
namespace StellaOps.Attestor.ProofChain.Tests.AI;
/// <summary>
/// Tests for AIAuthorityClassifier.
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-22
/// </summary>
public sealed class AIAuthorityClassifierTests
{
private static readonly AIModelIdentifier TestModelId = new()
{
Provider = "anthropic",
Model = "claude-3-opus",
Version = "20240229"
};
private static readonly AIDecodingParameters TestDecodingParams = new()
{
Temperature = 0.0,
Seed = 12345
};
[Fact]
public void ClassifyExplanation_HighCitationRate_ReturnsEvidenceBacked()
{
// Arrange
var classifier = new AIAuthorityClassifier();
var predicate = CreateExplanationPredicate(citationRate: 0.85, confidenceScore: 0.8, verifiedRate: 0.95);
// Act
var result = classifier.ClassifyExplanation(predicate);
// Assert
Assert.Equal(AIArtifactAuthority.EvidenceBacked, result.Authority);
Assert.True(result.QualityScore > 0.7);
}
[Fact]
public void ClassifyExplanation_LowCitationRate_ReturnsSuggestion()
{
// Arrange
var classifier = new AIAuthorityClassifier();
var predicate = CreateExplanationPredicate(citationRate: 0.5, confidenceScore: 0.6, verifiedRate: 0.7);
// Act
var result = classifier.ClassifyExplanation(predicate);
// Assert
Assert.Equal(AIArtifactAuthority.Suggestion, result.Authority);
}
[Fact]
public void ClassifyExplanation_VeryHighQuality_ReturnsAuthorityThreshold()
{
// Arrange
var thresholds = new AIAuthorityThresholds { AuthorityThresholdScore = 0.9 };
var classifier = new AIAuthorityClassifier(thresholds);
var predicate = CreateExplanationPredicate(citationRate: 0.98, confidenceScore: 0.95, verifiedRate: 1.0);
// Act
var result = classifier.ClassifyExplanation(predicate);
// Assert
Assert.Equal(AIArtifactAuthority.AuthorityThreshold, result.Authority);
Assert.True(result.CanAutoProcess);
}
[Fact]
public void ClassifyRemediationPlan_WithResolvableEvidence_ReturnsEvidenceBacked()
{
// Arrange
Func<string, bool> resolver = _ => true; // All evidence is resolvable
var classifier = new AIAuthorityClassifier(evidenceResolver: resolver);
var predicate = CreateRemediationPredicate(evidenceCount: 5, prReady: true);
// Act
var result = classifier.ClassifyRemediationPlan(predicate);
// Assert
Assert.Equal(AIArtifactAuthority.EvidenceBacked, result.Authority);
Assert.Equal(5, result.ResolvableEvidenceCount);
Assert.Equal(0, result.UnresolvableEvidenceCount);
}
[Fact]
public void ClassifyRemediationPlan_WithUnresolvableEvidence_ReturnsSuggestion()
{
// Arrange
Func<string, bool> resolver = ref => ref.Contains("valid"); // Only some evidence is resolvable
var classifier = new AIAuthorityClassifier(evidenceResolver: resolver);
var predicate = CreateRemediationPredicate(evidenceCount: 5, prReady: false);
// Act
var result = classifier.ClassifyRemediationPlan(predicate);
// Assert
Assert.Equal(AIArtifactAuthority.Suggestion, result.Authority);
}
[Fact]
public void ClassifyVexDraft_AutoApprovable_CanAutoProcess()
{
// Arrange
var classifier = new AIAuthorityClassifier();
var predicate = CreateVexDraftPredicate(
avgConfidence: 0.95,
evidenceCount: 3,
hasConflicts: false);
// Act
var result = classifier.ClassifyVexDraft(predicate);
// Assert
// Note: CanAutoProcess depends on AutoApprovable in the predicate
Assert.True(result.QualityScore > 0.5);
}
[Fact]
public void ClassifyPolicyDraft_AllTestsPassed_HighQuality()
{
// Arrange
var classifier = new AIAuthorityClassifier();
var predicate = CreatePolicyDraftPredicate(
avgConfidence: 0.9,
passedTestCount: 5,
totalTestCount: 5,
validationPassed: true);
// Act
var result = classifier.ClassifyPolicyDraft(predicate);
// Assert
Assert.True(result.QualityScore > 0.7);
}
[Fact]
public void ClassifyPolicyDraft_FailedTests_LowerQuality()
{
// Arrange
var classifier = new AIAuthorityClassifier();
var predicate = CreatePolicyDraftPredicate(
avgConfidence: 0.9,
passedTestCount: 2,
totalTestCount: 5,
validationPassed: false);
// Act
var result = classifier.ClassifyPolicyDraft(predicate);
// Assert
Assert.True(result.QualityScore < 0.7);
Assert.False(result.CanAutoProcess);
}
[Fact]
public void CustomThresholds_AreRespected()
{
// Arrange
var thresholds = new AIAuthorityThresholds
{
MinCitationRate = 0.5,
MinConfidenceScore = 0.5,
MinVerifiedCitationRate = 0.5
};
var classifier = new AIAuthorityClassifier(thresholds);
var predicate = CreateExplanationPredicate(citationRate: 0.6, confidenceScore: 0.6, verifiedRate: 0.6);
// Act
var result = classifier.ClassifyExplanation(predicate);
// Assert
Assert.Equal(AIArtifactAuthority.EvidenceBacked, result.Authority);
}
private static AIExplanationPredicate CreateExplanationPredicate(
double citationRate,
double confidenceScore,
double verifiedRate)
{
var totalCitations = 10;
var verifiedCitations = (int)(totalCitations * verifiedRate);
var citations = new List<AIExplanationCitation>();
for (int i = 0; i < totalCitations; i++)
{
citations.Add(new AIExplanationCitation
{
ClaimIndex = i,
ClaimText = $"Claim {i}",
EvidenceId = $"sha256:evidence{i}",
EvidenceType = "sbom",
Verified = i < verifiedCitations
});
}
return new AIExplanationPredicate
{
ArtifactId = "sha256:test123",
ModelId = TestModelId,
PromptTemplateVersion = "explanation@v1",
DecodingParams = TestDecodingParams,
InputHashes = ["sha256:input1"],
Authority = AIArtifactAuthority.Suggestion,
GeneratedAt = "2025-12-26T00:00:00Z",
OutputHash = "sha256:output1",
ExplanationType = AIExplanationType.Exploitability,
Content = "This is a test explanation with sufficient content.",
Citations = citations,
ConfidenceScore = confidenceScore,
CitationRate = citationRate,
Subject = "CVE-2025-1234"
};
}
private static AIRemediationPlanPredicate CreateRemediationPredicate(int evidenceCount, bool prReady)
{
var evidenceRefs = new List<string>();
for (int i = 0; i < evidenceCount; i++)
{
evidenceRefs.Add($"sha256:evidence{i}");
}
return new AIRemediationPlanPredicate
{
ArtifactId = "sha256:test123",
ModelId = TestModelId,
PromptTemplateVersion = "remediation@v1",
DecodingParams = TestDecodingParams,
InputHashes = ["sha256:input1"],
Authority = AIArtifactAuthority.Suggestion,
GeneratedAt = "2025-12-26T00:00:00Z",
OutputHash = "sha256:output1",
VulnerabilityId = "CVE-2025-1234",
AffectedComponent = "pkg:npm/example@1.0.0",
Steps =
[
new RemediationStep
{
Order = 1,
ActionType = RemediationActionType.PackageUpgrade,
Description = "Upgrade package",
Target = "pkg:npm/example@1.0.0",
ProposedValue = "1.0.1",
RiskReduction = 0.8,
CanAutomate = true
}
],
ExpectedDelta = 0.7,
RiskAssessment = new RemediationRiskAssessment
{
RiskBefore = 0.9,
RiskAfter = 0.2,
BreakingChanges = []
},
VerificationStatus = RemediationVerificationStatus.Verified,
PrReady = prReady,
EvidenceRefs = evidenceRefs
};
}
private static AIVexDraftPredicate CreateVexDraftPredicate(
double avgConfidence,
int evidenceCount,
bool hasConflicts)
{
var evidenceRefs = new List<string>();
for (int i = 0; i < evidenceCount; i++)
{
evidenceRefs.Add($"sha256:evidence{i}");
}
return new AIVexDraftPredicate
{
ArtifactId = "sha256:test123",
ModelId = TestModelId,
PromptTemplateVersion = "vexdraft@v1",
DecodingParams = TestDecodingParams,
InputHashes = ["sha256:input1"],
Authority = AIArtifactAuthority.Suggestion,
GeneratedAt = "2025-12-26T00:00:00Z",
OutputHash = "sha256:output1",
VexStatements =
[
new AIVexStatementDraft
{
VulnerabilityId = "CVE-2025-1234",
ProductId = "pkg:npm/example@1.0.0",
Status = "not_affected",
Justification = "vulnerable_code_not_in_execute_path",
Confidence = avgConfidence,
SupportingEvidence = evidenceRefs
}
],
Justifications =
[
new AIVexJustification
{
StatementIndex = 0,
Reasoning = "Code path analysis shows function is never called",
EvidencePoints = ["Reachability analysis", "Call graph"],
ConflictsWithExisting = hasConflicts
}
],
EvidenceRefs = evidenceRefs,
TargetFormat = "openvex",
AutoApprovable = !hasConflicts && avgConfidence > 0.9,
Scope = "image",
ScopeId = "sha256:image123"
};
}
private static AIPolicyDraftPredicate CreatePolicyDraftPredicate(
double avgConfidence,
int passedTestCount,
int totalTestCount,
bool validationPassed)
{
var testCases = new List<PolicyRuleTestCase>();
for (int i = 0; i < totalTestCount; i++)
{
testCases.Add(new PolicyRuleTestCase
{
TestId = $"test-{i}",
RuleId = "rule-1",
Description = $"Test case {i}",
Input = "{}",
ExpectedOutcome = "pass",
Passed = i < passedTestCount
});
}
return new AIPolicyDraftPredicate
{
ArtifactId = "sha256:test123",
ModelId = TestModelId,
PromptTemplateVersion = "policydraft@v1",
DecodingParams = TestDecodingParams,
InputHashes = ["sha256:input1"],
Authority = AIArtifactAuthority.Suggestion,
GeneratedAt = "2025-12-26T00:00:00Z",
OutputHash = "sha256:output1",
NaturalLanguageInput = "Block critical CVEs in production",
Rules =
[
new AIPolicyRuleDraft
{
RuleId = "rule-1",
RuleType = PolicyRuleType.Gate,
Name = "Block Critical CVEs",
Description = "Block deployments with critical vulnerabilities",
Condition = "severity == 'critical' && environment == 'prod'",
Action = "block",
Priority = 100,
OriginalInput = "Block critical CVEs in production",
Confidence = avgConfidence
}
],
TestCases = testCases,
ValidationResult = new PolicyValidationResult
{
SyntaxValid = true,
SemanticsValid = validationPassed,
OverallPassed = validationPassed
},
TargetPolicyPack = "default",
TargetVersion = "1.0.0",
DetectedIntents = ["gate", "severity-filter", "environment-scope"],
DeployReady = validationPassed
};
}
}

276
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs Normal file
View File

@@ -0,0 +1,276 @@
// -----------------------------------------------------------------------------
// AuditHashLogger.cs
// Sprint: SPRINT_20251226_007_BE_determinism_gaps
// Task: DET-GAP-19
// Description: Pre-canonical hash debug logging for audit trails
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Logging;
namespace StellaOps.Attestor.ProofChain.Audit;
/// <summary>
/// Logs both raw and canonical SHA-256 hashes for audit trails.
/// Enables debugging of canonicalization issues by comparing pre/post hashes.
/// </summary>
public sealed class AuditHashLogger
{
private readonly ILogger<AuditHashLogger> _logger;
private readonly bool _enableDetailedLogging;
public AuditHashLogger(ILogger<AuditHashLogger> logger, bool enableDetailedLogging = false)
{
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_enableDetailedLogging = enableDetailedLogging;
}
/// <summary>
/// Logs hash information for an artifact being canonicalized.
/// </summary>
/// <param name="artifactId">Unique identifier for the artifact.</param>
/// <param name="artifactType">Type of artifact (e.g., "proof", "verdict", "attestation").</param>
/// <param name="rawBytes">Raw bytes before canonicalization.</param>
/// <param name="canonicalBytes">Bytes after canonicalization.</param>
public void LogHashAudit(
string artifactId,
string artifactType,
ReadOnlySpan<byte> rawBytes,
ReadOnlySpan<byte> canonicalBytes)
{
var rawHash = ComputeSha256(rawBytes);
var canonicalHash = ComputeSha256(canonicalBytes);
var hashesMatch = rawHash.Equals(canonicalHash, StringComparison.Ordinal);
if (hashesMatch)
{
_logger.LogDebug(
"Hash audit for {ArtifactType} {ArtifactId}: raw and canonical hashes match ({Hash})",
artifactType,
artifactId,
canonicalHash);
}
else
{
_logger.LogInformation(
"Hash audit for {ArtifactType} {ArtifactId}: raw={RawHash}, canonical={CanonicalHash}, size_delta={SizeDelta}",
artifactType,
artifactId,
rawHash,
canonicalHash,
canonicalBytes.Length - rawBytes.Length);
if (_enableDetailedLogging && _logger.IsEnabled(LogLevel.Trace))
{
LogDetailedDiff(artifactId, rawBytes, canonicalBytes);
}
}
}
/// <summary>
/// Logs hash information with structured data for telemetry.
/// </summary>
public HashAuditRecord CreateAuditRecord(
string artifactId,
string artifactType,
ReadOnlySpan<byte> rawBytes,
ReadOnlySpan<byte> canonicalBytes,
string? correlationId = null)
{
var rawHash = ComputeSha256(rawBytes);
var canonicalHash = ComputeSha256(canonicalBytes);
var record = new HashAuditRecord
{
ArtifactId = artifactId,
ArtifactType = artifactType,
RawHash = rawHash,
CanonicalHash = canonicalHash,
RawSizeBytes = rawBytes.Length,
CanonicalSizeBytes = canonicalBytes.Length,
HashesMatch = rawHash.Equals(canonicalHash, StringComparison.Ordinal),
Timestamp = DateTimeOffset.UtcNow,
CorrelationId = correlationId
};
_logger.LogDebug(
"Created hash audit record for {ArtifactType} {ArtifactId}: match={Match}, raw_size={RawSize}, canonical_size={CanonicalSize}",
artifactType,
artifactId,
record.HashesMatch,
record.RawSizeBytes,
record.CanonicalSizeBytes);
return record;
}
/// <summary>
/// Validates that two canonical representations produce the same hash.
/// </summary>
public bool ValidateDeterminism(
string artifactId,
ReadOnlySpan<byte> firstCanonical,
ReadOnlySpan<byte> secondCanonical)
{
var firstHash = ComputeSha256(firstCanonical);
var secondHash = ComputeSha256(secondCanonical);
var isValid = firstHash.Equals(secondHash, StringComparison.Ordinal);
if (!isValid)
{
_logger.LogWarning(
"Determinism validation failed for {ArtifactId}: first={FirstHash}, second={SecondHash}",
artifactId,
firstHash,
secondHash);
if (_enableDetailedLogging && _logger.IsEnabled(LogLevel.Debug))
{
var firstSize = firstCanonical.Length;
var secondSize = secondCanonical.Length;
_logger.LogDebug(
"Determinism failure details for {ArtifactId}: size1={Size1}, size2={Size2}, diff={Diff}",
artifactId,
firstSize,
secondSize,
Math.Abs(firstSize - secondSize));
}
}
return isValid;
}
private void LogDetailedDiff(string artifactId, ReadOnlySpan<byte> raw, ReadOnlySpan<byte> canonical)
{
// Find first difference position
var minLen = Math.Min(raw.Length, canonical.Length);
var firstDiffPos = -1;
for (var i = 0; i < minLen; i++)
{
if (raw[i] != canonical[i])
{
firstDiffPos = i;
break;
}
}
if (firstDiffPos == -1 && raw.Length != canonical.Length)
{
firstDiffPos = minLen;
}
if (firstDiffPos >= 0)
{
// Get context around difference
var contextStart = Math.Max(0, firstDiffPos - 20);
var contextEnd = Math.Min(minLen, firstDiffPos + 20);
var rawContext = raw.Length > contextStart
? Encoding.UTF8.GetString(raw.Slice(contextStart, Math.Min(40, raw.Length - contextStart)))
: string.Empty;
var canonicalContext = canonical.Length > contextStart
? Encoding.UTF8.GetString(canonical.Slice(contextStart, Math.Min(40, canonical.Length - contextStart)))
: string.Empty;
_logger.LogTrace(
"First difference at position {Position} for {ArtifactId}: raw=\"{RawContext}\", canonical=\"{CanonicalContext}\"",
firstDiffPos,
artifactId,
EscapeForLog(rawContext),
EscapeForLog(canonicalContext));
}
}
private static string ComputeSha256(ReadOnlySpan<byte> data)
{
Span<byte> hash = stackalloc byte[32];
SHA256.HashData(data, hash);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
private static string EscapeForLog(string value)
{
return value
.Replace("\n", "\\n")
.Replace("\r", "\\r")
.Replace("\t", "\\t");
}
}
/// <summary>
/// Record of a hash audit for structured logging/telemetry.
/// </summary>
public sealed record HashAuditRecord
{
/// <summary>
/// Unique identifier for the artifact.
/// </summary>
public required string ArtifactId { get; init; }
/// <summary>
/// Type of artifact (proof, verdict, attestation, etc.).
/// </summary>
public required string ArtifactType { get; init; }
/// <summary>
/// SHA-256 hash of raw bytes before canonicalization.
/// </summary>
public required string RawHash { get; init; }
/// <summary>
/// SHA-256 hash of canonical bytes.
/// </summary>
public required string CanonicalHash { get; init; }
/// <summary>
/// Size of raw bytes.
/// </summary>
public required int RawSizeBytes { get; init; }
/// <summary>
/// Size of canonical bytes.
/// </summary>
public required int CanonicalSizeBytes { get; init; }
/// <summary>
/// Whether raw and canonical hashes match.
/// </summary>
public required bool HashesMatch { get; init; }
/// <summary>
/// UTC timestamp of the audit.
/// </summary>
public required DateTimeOffset Timestamp { get; init; }
/// <summary>
/// Optional correlation ID for tracing.
/// </summary>
public string? CorrelationId { get; init; }
/// <summary>
/// Size delta (positive = canonical is larger).
/// </summary>
public int SizeDelta => CanonicalSizeBytes - RawSizeBytes;
}
/// <summary>
/// Artifact types for hash auditing.
/// </summary>
public static class AuditArtifactTypes
{
public const string Proof = "proof";
public const string Verdict = "verdict";
public const string Attestation = "attestation";
public const string Spine = "spine";
public const string Manifest = "manifest";
public const string VexDocument = "vex_document";
public const string SbomFragment = "sbom_fragment";
public const string PolicySnapshot = "policy_snapshot";
public const string FeedSnapshot = "feed_snapshot";
}

65
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs
View File

@@ -2,6 +2,7 @@ using System;
using System.Buffers;
using System.Collections.Generic;
using System.Globalization;
using System.Text;
using System.Text.Encodings.Web;
using System.Text.Json;
@@ -9,7 +10,12 @@ namespace StellaOps.Attestor.ProofChain.Json;
/// <summary>
/// Implements RFC 8785 JSON Canonicalization Scheme (JCS) for stable hashing.
/// Includes optional NFC (Unicode Normalization Form C) normalization for string stability.
/// </summary>
/// <remarks>
/// NFC normalization ensures that equivalent Unicode sequences (e.g., composed vs decomposed characters)
/// produce identical canonical output, which is critical for cross-platform determinism.
/// </remarks>
public sealed class Rfc8785JsonCanonicalizer : IJsonCanonicalizer
{
/// <summary>
@@ -17,17 +23,31 @@ public sealed class Rfc8785JsonCanonicalizer : IJsonCanonicalizer
/// </summary>
private const string VersionFieldName = "_canonVersion";
private readonly bool _enableNfcNormalization;
private static readonly JsonWriterOptions CanonicalWriterOptions = new()
{
Indented = false,
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
};
/// <summary>
/// Creates a new RFC 8785 JSON canonicalizer.
/// </summary>
/// <param name="enableNfcNormalization">
/// Whether to apply NFC normalization to string values.
/// Default is true for maximum cross-platform stability.
/// </param>
public Rfc8785JsonCanonicalizer(bool enableNfcNormalization = true)
{
_enableNfcNormalization = enableNfcNormalization;
}
public byte[] Canonicalize(ReadOnlySpan<byte> utf8Json)
{
var reader = new Utf8JsonReader(utf8Json, isFinalBlock: true, state: default);
using var document = JsonDocument.ParseValue(ref reader);
return Canonicalize(document.RootElement);
return CanonicalizeParsed(document.RootElement);
}
public byte[] CanonicalizeWithVersion(ReadOnlySpan<byte> utf8Json, string version)
@@ -36,10 +56,10 @@ public sealed class Rfc8785JsonCanonicalizer : IJsonCanonicalizer
var reader = new Utf8JsonReader(utf8Json, isFinalBlock: true, state: default);
using var document = JsonDocument.ParseValue(ref reader);
return CanonicalizeWithVersion(document.RootElement, version);
return CanonicalizeParsedWithVersion(document.RootElement, version);
}
private static byte[] Canonicalize(JsonElement element)
private byte[] CanonicalizeParsed(JsonElement element)
{
var buffer = new ArrayBufferWriter<byte>();
using (var writer = new Utf8JsonWriter(buffer, CanonicalWriterOptions))
@@ -50,7 +70,7 @@ public sealed class Rfc8785JsonCanonicalizer : IJsonCanonicalizer
return buffer.WrittenSpan.ToArray();
}
private static byte[] CanonicalizeWithVersion(JsonElement element, string version)
private byte[] CanonicalizeParsedWithVersion(JsonElement element, string version)
{
var buffer = new ArrayBufferWriter<byte>();
using (var writer = new Utf8JsonWriter(buffer, CanonicalWriterOptions))
@@ -61,14 +81,14 @@ public sealed class Rfc8785JsonCanonicalizer : IJsonCanonicalizer
return buffer.WrittenSpan.ToArray();
}
private static void WriteCanonicalWithVersion(Utf8JsonWriter writer, JsonElement element, string version)
private void WriteCanonicalWithVersion(Utf8JsonWriter writer, JsonElement element, string version)
{
if (element.ValueKind == JsonValueKind.Object)
{
writer.WriteStartObject();
// Write version marker first (underscore prefix ensures it stays first after sorting)
writer.WriteString(VersionFieldName, version);
writer.WriteString(VersionFieldName, NormalizeString(version));
// Write remaining properties sorted
var properties = new List<(string Name, JsonElement Value)>();
@@ -80,7 +100,7 @@ public sealed class Rfc8785JsonCanonicalizer : IJsonCanonicalizer
foreach (var (name, value) in properties)
{
writer.WritePropertyName(name);
writer.WritePropertyName(NormalizeString(name));
WriteCanonical(writer, value);
}
writer.WriteEndObject();
@@ -89,14 +109,14 @@ public sealed class Rfc8785JsonCanonicalizer : IJsonCanonicalizer
{
// Non-object root: wrap in versioned object
writer.WriteStartObject();
writer.WriteString(VersionFieldName, version);
writer.WriteString(VersionFieldName, NormalizeString(version));
writer.WritePropertyName("_value");
WriteCanonical(writer, element);
writer.WriteEndObject();
}
}
private static void WriteCanonical(Utf8JsonWriter writer, JsonElement element)
private void WriteCanonical(Utf8JsonWriter writer, JsonElement element)
{
switch (element.ValueKind)
{
@@ -107,7 +127,7 @@ public sealed class Rfc8785JsonCanonicalizer : IJsonCanonicalizer
WriteArray(writer, element);
return;
case JsonValueKind.String:
writer.WriteStringValue(element.GetString());
writer.WriteStringValue(NormalizeString(element.GetString()));
return;
case JsonValueKind.Number:
WriteNumber(writer, element);
@@ -126,7 +146,7 @@ public sealed class Rfc8785JsonCanonicalizer : IJsonCanonicalizer
}
}
private static void WriteObject(Utf8JsonWriter writer, JsonElement element)
private void WriteObject(Utf8JsonWriter writer, JsonElement element)
{
var properties = new List<(string Name, JsonElement Value)>();
foreach (var property in element.EnumerateObject())
@@ -139,13 +159,13 @@ public sealed class Rfc8785JsonCanonicalizer : IJsonCanonicalizer
writer.WriteStartObject();
foreach (var (name, value) in properties)
{
writer.WritePropertyName(name);
writer.WritePropertyName(NormalizeString(name));
WriteCanonical(writer, value);
}
writer.WriteEndObject();
}
private static void WriteArray(Utf8JsonWriter writer, JsonElement element)
private void WriteArray(Utf8JsonWriter writer, JsonElement element)
{
writer.WriteStartArray();
foreach (var item in element.EnumerateArray())
@@ -155,6 +175,25 @@ public sealed class Rfc8785JsonCanonicalizer : IJsonCanonicalizer
writer.WriteEndArray();
}
/// <summary>
/// Applies NFC normalization to a string if enabled.
/// </summary>
private string? NormalizeString(string? value)
{
if (value is null || !_enableNfcNormalization)
{
return value;
}
// Only normalize if the string is not already in NFC form
if (value.IsNormalized(NormalizationForm.FormC))
{
return value;
}
return value.Normalize(NormalizationForm.FormC);
}
private static void WriteNumber(Utf8JsonWriter writer, JsonElement element)
{
var raw = element.GetRawText();

89
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/MediaTypes/AIArtifactMediaTypes.cs Normal file
View File

@@ -0,0 +1,89 @@
namespace StellaOps.Attestor.ProofChain.MediaTypes;
/// <summary>
/// OCI media types for AI artifacts.
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Tasks: AIATTEST-12, AIATTEST-13, AIATTEST-14, AIATTEST-15
/// </summary>
public static class AIArtifactMediaTypes
{
/// <summary>
/// Media type for AI explanation attestations.
/// Task: AIATTEST-12
/// </summary>
public const string AIExplanation = "application/vnd.stellaops.ai.explanation+json";
/// <summary>
/// Media type for AI remediation plan attestations.
/// Task: AIATTEST-13
/// </summary>
public const string AIRemediation = "application/vnd.stellaops.ai.remediation+json";
/// <summary>
/// Media type for AI VEX draft attestations.
/// Task: AIATTEST-14
/// </summary>
public const string AIVexDraft = "application/vnd.stellaops.ai.vexdraft+json";
/// <summary>
/// Media type for AI policy draft attestations.
/// Task: AIATTEST-15
/// </summary>
public const string AIPolicyDraft = "application/vnd.stellaops.ai.policydraft+json";
/// <summary>
/// Media type for AI artifact replay manifests.
/// Task: AIATTEST-18
/// </summary>
public const string AIReplayManifest = "application/vnd.stellaops.ai.replay+json";
/// <summary>
/// Annotation key for AI artifact type.
/// </summary>
public const string ArtifactTypeAnnotation = "org.stellaops.ai.artifact-type";
/// <summary>
/// Annotation key for AI authority level.
/// </summary>
public const string AuthorityAnnotation = "org.stellaops.ai.authority";
/// <summary>
/// Annotation key for AI model identifier.
/// </summary>
public const string ModelIdAnnotation = "org.stellaops.ai.model-id";
/// <summary>
/// Annotation key for replay capability.
/// </summary>
public const string ReplayableAnnotation = "org.stellaops.ai.replayable";
/// <summary>
/// Get the media type for a predicate type URI.
/// </summary>
public static string? GetMediaTypeForPredicateType(string predicateType) => predicateType switch
{
"ai-explanation.stella/v1" => AIExplanation,
"ai-remediation.stella/v1" => AIRemediation,
"ai-vexdraft.stella/v1" => AIVexDraft,
"ai-policydraft.stella/v1" => AIPolicyDraft,
_ => null
};
/// <summary>
/// Get the predicate type URI for a media type.
/// </summary>
public static string? GetPredicateTypeForMediaType(string mediaType) => mediaType switch
{
AIExplanation => "ai-explanation.stella/v1",
AIRemediation => "ai-remediation.stella/v1",
AIVexDraft => "ai-vexdraft.stella/v1",
AIPolicyDraft => "ai-policydraft.stella/v1",
_ => null
};
/// <summary>
/// Check if a media type is an AI artifact type.
/// </summary>
public static bool IsAIArtifactMediaType(string mediaType) =>
mediaType is AIExplanation or AIRemediation or AIVexDraft or AIPolicyDraft or AIReplayManifest;
}

162
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIArtifactBasePredicate.cs Normal file
View File

@@ -0,0 +1,162 @@
using System.Text.Json.Serialization;
namespace StellaOps.Attestor.ProofChain.Predicates.AI;
/// <summary>
/// Authority level for AI-generated artifacts.
/// Determines how the artifact should be treated in decisioning.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter<AIArtifactAuthority>))]
public enum AIArtifactAuthority
{
/// <summary>
/// Pure suggestion - not backed by evidence, requires human review.
/// </summary>
Suggestion,
/// <summary>
/// Evidence-backed - citations verified, evidence refs resolvable.
/// Qualifies when: citation rate ≥ 80% AND all evidence refs valid.
/// </summary>
EvidenceBacked,
/// <summary>
/// Meets configurable authority threshold for automated processing.
/// </summary>
AuthorityThreshold
}
/// <summary>
/// Model identifier format for tracking AI model versions.
/// </summary>
public sealed record AIModelIdentifier
{
/// <summary>
/// Provider of the model (e.g., "anthropic", "openai", "local").
/// </summary>
[JsonPropertyName("provider")]
public required string Provider { get; init; }
/// <summary>
/// Model name/family (e.g., "claude-3-opus", "gpt-4").
/// </summary>
[JsonPropertyName("model")]
public required string Model { get; init; }
/// <summary>
/// Model version string (e.g., "20240229", "0613").
/// </summary>
[JsonPropertyName("version")]
public required string Version { get; init; }
/// <summary>
/// For local models: SHA-256 digest of weights.
/// Null for cloud-hosted models.
/// </summary>
[JsonPropertyName("weightsDigest")]
public string? WeightsDigest { get; init; }
/// <summary>
/// Canonical string representation: provider:model:version
/// </summary>
public override string ToString() =>
$"{Provider}:{Model}:{Version}";
}
/// <summary>
/// Decoding parameters used during AI generation.
/// Required for deterministic replay.
/// </summary>
public sealed record AIDecodingParameters
{
/// <summary>
/// Temperature setting (0.0 = deterministic, higher = more random).
/// </summary>
[JsonPropertyName("temperature")]
public double Temperature { get; init; }
/// <summary>
/// Top-p (nucleus sampling) value.
/// </summary>
[JsonPropertyName("topP")]
public double? TopP { get; init; }
/// <summary>
/// Top-k sampling value.
/// </summary>
[JsonPropertyName("topK")]
public int? TopK { get; init; }
/// <summary>
/// Maximum tokens to generate.
/// </summary>
[JsonPropertyName("maxTokens")]
public int? MaxTokens { get; init; }
/// <summary>
/// Random seed for reproducibility.
/// </summary>
[JsonPropertyName("seed")]
public long? Seed { get; init; }
}
/// <summary>
/// Base predicate for all AI-generated artifacts.
/// Captures metadata required for replay, inspection, and authority classification.
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-01
/// </summary>
public abstract record AIArtifactBasePredicate
{
/// <summary>
/// Unique identifier for this AI artifact.
/// Format: sha256:&lt;64-hex-chars&gt;
/// </summary>
[JsonPropertyName("artifactId")]
public required string ArtifactId { get; init; }
/// <summary>
/// Model identification (provider:model:version or hash for local).
/// </summary>
[JsonPropertyName("modelId")]
public required AIModelIdentifier ModelId { get; init; }
/// <summary>
/// Version of the prompt template used.
/// Format: &lt;template-name&gt;@&lt;version&gt;
/// </summary>
[JsonPropertyName("promptTemplateVersion")]
public required string PromptTemplateVersion { get; init; }
/// <summary>
/// Decoding parameters for reproducibility.
/// </summary>
[JsonPropertyName("decodingParams")]
public required AIDecodingParameters DecodingParams { get; init; }
/// <summary>
/// SHA-256 hashes of all inputs (context documents, queries, etc.).
/// Order-sensitive for replay.
/// </summary>
[JsonPropertyName("inputHashes")]
public required IReadOnlyList<string> InputHashes { get; init; }
/// <summary>
/// Authority classification of this artifact.
/// </summary>
[JsonPropertyName("authority")]
public required AIArtifactAuthority Authority { get; init; }
/// <summary>
/// Timestamp when the artifact was generated (UTC ISO-8601).
/// </summary>
[JsonPropertyName("generatedAt")]
public required string GeneratedAt { get; init; }
/// <summary>
/// SHA-256 hash of the generated output.
/// Used for replay verification.
/// </summary>
[JsonPropertyName("outputHash")]
public required string OutputHash { get; init; }
}

366
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs Normal file
View File

@@ -0,0 +1,366 @@
namespace StellaOps.Attestor.ProofChain.Predicates.AI;
/// <summary>
/// Configuration for authority classification thresholds.
/// </summary>
public sealed record AIAuthorityThresholds
{
/// <summary>
/// Minimum citation rate for Evidence-Backed classification.
/// Default: 0.8 (80%)
/// </summary>
public double MinCitationRate { get; init; } = 0.8;
/// <summary>
/// Minimum confidence score for Evidence-Backed classification.
/// Default: 0.7 (70%)
/// </summary>
public double MinConfidenceScore { get; init; } = 0.7;
/// <summary>
/// Whether all evidence refs must be resolvable.
/// Default: true
/// </summary>
public bool RequireResolvableEvidence { get; init; } = true;
/// <summary>
/// Minimum verified citations ratio for Evidence-Backed.
/// Default: 0.9 (90%)
/// </summary>
public double MinVerifiedCitationRate { get; init; } = 0.9;
/// <summary>
/// Custom authority threshold score (0.0-1.0) for AuthorityThreshold classification.
/// If overall score meets this, artifact can be auto-processed.
/// Default: 0.95
/// </summary>
public double AuthorityThresholdScore { get; init; } = 0.95;
}
/// <summary>
/// Result of authority classification.
/// </summary>
public sealed record AIAuthorityClassificationResult
{
/// <summary>
/// Determined authority level.
/// </summary>
public required AIArtifactAuthority Authority { get; init; }
/// <summary>
/// Overall quality score (0.0-1.0).
/// </summary>
public required double QualityScore { get; init; }
/// <summary>
/// Citation rate if applicable.
/// </summary>
public double? CitationRate { get; init; }
/// <summary>
/// Verified citation rate if applicable.
/// </summary>
public double? VerifiedCitationRate { get; init; }
/// <summary>
/// Number of resolvable evidence refs.
/// </summary>
public int? ResolvableEvidenceCount { get; init; }
/// <summary>
/// Number of unresolvable evidence refs.
/// </summary>
public int? UnresolvableEvidenceCount { get; init; }
/// <summary>
/// Reasons for the classification decision.
/// </summary>
public required IReadOnlyList<string> Reasons { get; init; }
/// <summary>
/// Whether the artifact can be auto-processed without human review.
/// </summary>
public required bool CanAutoProcess { get; init; }
}
/// <summary>
/// Classifies AI artifacts into authority levels based on evidence backing.
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-07
/// </summary>
public sealed class AIAuthorityClassifier
{
private readonly AIAuthorityThresholds _thresholds;
private readonly Func<string, bool>? _evidenceResolver;
public AIAuthorityClassifier(AIAuthorityThresholds? thresholds = null, Func<string, bool>? evidenceResolver = null)
{
_thresholds = thresholds ?? new AIAuthorityThresholds();
_evidenceResolver = evidenceResolver;
}
/// <summary>
/// Classify an explanation predicate.
/// </summary>
public AIAuthorityClassificationResult ClassifyExplanation(AIExplanationPredicate predicate)
{
var reasons = new List<string>();
var qualityScore = CalculateExplanationQualityScore(predicate, reasons);
var verifiedRate = predicate.Citations.Count > 0
? (double)predicate.Citations.Count(c => c.Verified) / predicate.Citations.Count
: 0;
var authority = DetermineAuthority(
predicate.CitationRate,
verifiedRate,
predicate.ConfidenceScore,
qualityScore,
reasons);
return new AIAuthorityClassificationResult
{
Authority = authority,
QualityScore = qualityScore,
CitationRate = predicate.CitationRate,
VerifiedCitationRate = verifiedRate,
Reasons = reasons,
CanAutoProcess = authority == AIArtifactAuthority.AuthorityThreshold
};
}
/// <summary>
/// Classify a remediation plan predicate.
/// </summary>
public AIAuthorityClassificationResult ClassifyRemediationPlan(AIRemediationPlanPredicate predicate)
{
var reasons = new List<string>();
var evidenceRefs = predicate.EvidenceRefs;
var resolvableCount = evidenceRefs.Count(ref => _evidenceResolver?.Invoke(ref) ?? true);
var unresolvableCount = evidenceRefs.Count - resolvableCount;
var qualityScore = CalculateRemediationQualityScore(predicate, resolvableCount, reasons);
var evidenceBackingRate = evidenceRefs.Count > 0
? (double)resolvableCount / evidenceRefs.Count
: 0;
var authority = DetermineAuthority(
evidenceBackingRate,
evidenceBackingRate,
predicate.RiskAssessment.RiskBefore - predicate.RiskAssessment.RiskAfter,
qualityScore,
reasons);
return new AIAuthorityClassificationResult
{
Authority = authority,
QualityScore = qualityScore,
ResolvableEvidenceCount = resolvableCount,
UnresolvableEvidenceCount = unresolvableCount,
Reasons = reasons,
CanAutoProcess = authority == AIArtifactAuthority.AuthorityThreshold && predicate.PrReady
};
}
/// <summary>
/// Classify a VEX draft predicate.
/// </summary>
public AIAuthorityClassificationResult ClassifyVexDraft(AIVexDraftPredicate predicate)
{
var reasons = new List<string>();
var evidenceRefs = predicate.EvidenceRefs;
var resolvableCount = evidenceRefs.Count(ref => _evidenceResolver?.Invoke(ref) ?? true);
var avgConfidence = predicate.VexStatements.Count > 0
? predicate.VexStatements.Average(s => s.Confidence)
: 0;
var qualityScore = CalculateVexDraftQualityScore(predicate, resolvableCount, avgConfidence, reasons);
var evidenceBackingRate = evidenceRefs.Count > 0
? (double)resolvableCount / evidenceRefs.Count
: 0;
var authority = DetermineAuthority(
evidenceBackingRate,
evidenceBackingRate,
avgConfidence,
qualityScore,
reasons);
return new AIAuthorityClassificationResult
{
Authority = authority,
QualityScore = qualityScore,
ResolvableEvidenceCount = resolvableCount,
UnresolvableEvidenceCount = evidenceRefs.Count - resolvableCount,
Reasons = reasons,
CanAutoProcess = authority == AIArtifactAuthority.AuthorityThreshold && predicate.AutoApprovable
};
}
/// <summary>
/// Classify a policy draft predicate.
/// </summary>
public AIAuthorityClassificationResult ClassifyPolicyDraft(AIPolicyDraftPredicate predicate)
{
var reasons = new List<string>();
var avgConfidence = predicate.Rules.Count > 0
? predicate.Rules.Average(r => r.Confidence)
: 0;
var passedTestRate = predicate.TestCases.Count > 0
? (double)predicate.TestCases.Count(t => t.Passed == true) / predicate.TestCases.Count
: 0;
var qualityScore = CalculatePolicyDraftQualityScore(predicate, avgConfidence, passedTestRate, reasons);
var authority = DetermineAuthority(
passedTestRate,
passedTestRate,
avgConfidence,
qualityScore,
reasons);
return new AIAuthorityClassificationResult
{
Authority = authority,
QualityScore = qualityScore,
Reasons = reasons,
CanAutoProcess = authority == AIArtifactAuthority.AuthorityThreshold
&& predicate.ValidationResult.OverallPassed
&& predicate.DeployReady
};
}
private AIArtifactAuthority DetermineAuthority(
double citationRate,
double verifiedRate,
double confidenceScore,
double qualityScore,
List<string> reasons)
{
if (qualityScore >= _thresholds.AuthorityThresholdScore)
{
reasons.Add($"Quality score {qualityScore:P0} meets authority threshold {_thresholds.AuthorityThresholdScore:P0}");
return AIArtifactAuthority.AuthorityThreshold;
}
if (citationRate >= _thresholds.MinCitationRate &&
verifiedRate >= _thresholds.MinVerifiedCitationRate &&
confidenceScore >= _thresholds.MinConfidenceScore)
{
reasons.Add($"Citation rate {citationRate:P0} >= {_thresholds.MinCitationRate:P0}");
reasons.Add($"Verified rate {verifiedRate:P0} >= {_thresholds.MinVerifiedCitationRate:P0}");
reasons.Add($"Confidence {confidenceScore:P0} >= {_thresholds.MinConfidenceScore:P0}");
return AIArtifactAuthority.EvidenceBacked;
}
if (citationRate < _thresholds.MinCitationRate)
reasons.Add($"Citation rate {citationRate:P0} < {_thresholds.MinCitationRate:P0}");
if (verifiedRate < _thresholds.MinVerifiedCitationRate)
reasons.Add($"Verified rate {verifiedRate:P0} < {_thresholds.MinVerifiedCitationRate:P0}");
if (confidenceScore < _thresholds.MinConfidenceScore)
reasons.Add($"Confidence {confidenceScore:P0} < {_thresholds.MinConfidenceScore:P0}");
return AIArtifactAuthority.Suggestion;
}
private double CalculateExplanationQualityScore(AIExplanationPredicate predicate, List<string> reasons)
{
var citationWeight = 0.35;
var verifiedWeight = 0.30;
var confidenceWeight = 0.20;
var contentWeight = 0.15;
var verifiedRate = predicate.Citations.Count > 0
? (double)predicate.Citations.Count(c => c.Verified) / predicate.Citations.Count
: 0;
var contentScore = Math.Min(1.0, predicate.Content.Length / 500.0); // Reasonable explanation length
return (predicate.CitationRate * citationWeight) +
(verifiedRate * verifiedWeight) +
(predicate.ConfidenceScore * confidenceWeight) +
(contentScore * contentWeight);
}
private double CalculateRemediationQualityScore(AIRemediationPlanPredicate predicate, int resolvableCount, List<string> reasons)
{
var evidenceWeight = 0.30;
var riskDeltaWeight = 0.25;
var automationWeight = 0.20;
var verificationWeight = 0.25;
var evidenceScore = predicate.EvidenceRefs.Count > 0
? (double)resolvableCount / predicate.EvidenceRefs.Count
: 0;
var riskDelta = predicate.ExpectedDelta;
var riskScore = Math.Min(1.0, Math.Max(0, riskDelta));
var autoSteps = predicate.Steps.Count(s => s.CanAutomate);
var automationScore = predicate.Steps.Count > 0 ? (double)autoSteps / predicate.Steps.Count : 0;
var verificationScore = predicate.VerificationStatus switch
{
RemediationVerificationStatus.Verified => 0.8,
RemediationVerificationStatus.Applied => 1.0,
RemediationVerificationStatus.Stale => 0.5,
_ => 0.2
};
return (evidenceScore * evidenceWeight) +
(riskScore * riskDeltaWeight) +
(automationScore * automationWeight) +
(verificationScore * verificationWeight);
}
private double CalculateVexDraftQualityScore(AIVexDraftPredicate predicate, int resolvableCount, double avgConfidence, List<string> reasons)
{
var evidenceWeight = 0.35;
var confidenceWeight = 0.30;
var justificationWeight = 0.20;
var conflictWeight = 0.15;
var evidenceScore = predicate.EvidenceRefs.Count > 0
? (double)resolvableCount / predicate.EvidenceRefs.Count
: 0;
var nonConflicting = predicate.Justifications.Count(j => !j.ConflictsWithExisting);
var conflictScore = predicate.Justifications.Count > 0
? (double)nonConflicting / predicate.Justifications.Count
: 1.0;
var hasJustifications = predicate.Justifications.Count > 0 ? 1.0 : 0.0;
return (evidenceScore * evidenceWeight) +
(avgConfidence * confidenceWeight) +
(hasJustifications * justificationWeight) +
(conflictScore * conflictWeight);
}
private double CalculatePolicyDraftQualityScore(AIPolicyDraftPredicate predicate, double avgConfidence, double passedTestRate, List<string> reasons)
{
var confidenceWeight = 0.25;
var testWeight = 0.35;
var validationWeight = 0.25;
var clarityWeight = 0.15;
var validationScore = predicate.ValidationResult.OverallPassed ? 1.0 : 0.3;
var ambiguityCount = predicate.Rules.Sum(r => r.Ambiguities?.Count ?? 0);
var clarityScore = predicate.Rules.Count > 0
? 1.0 - Math.Min(1.0, ambiguityCount / (predicate.Rules.Count * 2.0))
: 0;
return (avgConfidence * confidenceWeight) +
(passedTestRate * testWeight) +
(validationScore * validationWeight) +
(clarityScore * clarityWeight);
}
}

134
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIExplanationPredicate.cs Normal file
View File

@@ -0,0 +1,134 @@
using System.Text.Json.Serialization;
namespace StellaOps.Attestor.ProofChain.Predicates.AI;
/// <summary>
/// Type of explanation generated by AI.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter<AIExplanationType>))]
public enum AIExplanationType
{
/// <summary>
/// Explanation of why a vulnerability is exploitable.
/// </summary>
Exploitability,
/// <summary>
/// Explanation of a code path or call graph.
/// </summary>
CodePath,
/// <summary>
/// Explanation of a policy decision.
/// </summary>
PolicyDecision,
/// <summary>
/// Explanation of risk factors.
/// </summary>
RiskFactors,
/// <summary>
/// Explanation of remediation options.
/// </summary>
RemediationOptions,
/// <summary>
/// Plain language summary for non-technical audiences.
/// </summary>
PlainLanguageSummary,
/// <summary>
/// Explanation of evidence chain.
/// </summary>
EvidenceChain
}
/// <summary>
/// Citation linking AI claims to evidence sources.
/// </summary>
public sealed record AIExplanationCitation
{
/// <summary>
/// Index of the claim in the explanation (0-based).
/// </summary>
[JsonPropertyName("claimIndex")]
public required int ClaimIndex { get; init; }
/// <summary>
/// Text of the cited claim.
/// </summary>
[JsonPropertyName("claimText")]
public required string ClaimText { get; init; }
/// <summary>
/// Evidence node ID this claim references.
/// Format: sha256:&lt;64-hex-chars&gt;
/// </summary>
[JsonPropertyName("evidenceId")]
public required string EvidenceId { get; init; }
/// <summary>
/// Type of evidence (e.g., "sbom", "vex", "reachability", "runtime").
/// </summary>
[JsonPropertyName("evidenceType")]
public required string EvidenceType { get; init; }
/// <summary>
/// Whether the citation was verified against the evidence.
/// </summary>
[JsonPropertyName("verified")]
public required bool Verified { get; init; }
}
/// <summary>
/// Predicate for AI-generated explanations.
/// Extends AIArtifactBase with explanation-specific fields.
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-02
/// </summary>
public sealed record AIExplanationPredicate : AIArtifactBasePredicate
{
/// <summary>
/// Type of explanation.
/// </summary>
[JsonPropertyName("explanationType")]
public required AIExplanationType ExplanationType { get; init; }
/// <summary>
/// The explanation content (markdown supported).
/// </summary>
[JsonPropertyName("content")]
public required string Content { get; init; }
/// <summary>
/// Citations linking claims to evidence.
/// </summary>
[JsonPropertyName("citations")]
public required IReadOnlyList<AIExplanationCitation> Citations { get; init; }
/// <summary>
/// Confidence score for the explanation (0.0-1.0).
/// </summary>
[JsonPropertyName("confidenceScore")]
public required double ConfidenceScore { get; init; }
/// <summary>
/// Citation rate: ratio of cited claims to total claims.
/// Used for authority classification (≥0.8 for EvidenceBacked).
/// </summary>
[JsonPropertyName("citationRate")]
public required double CitationRate { get; init; }
/// <summary>
/// Subject being explained (CVE ID, PURL, etc.).
/// </summary>
[JsonPropertyName("subject")]
public required string Subject { get; init; }
/// <summary>
/// Context scope (image digest, build ID, service name).
/// </summary>
[JsonPropertyName("contextScope")]
public string? ContextScope { get; init; }
}

258
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIPolicyDraftPredicate.cs Normal file
View File

@@ -0,0 +1,258 @@
using System.Text.Json.Serialization;
namespace StellaOps.Attestor.ProofChain.Predicates.AI;
/// <summary>
/// Type of policy rule.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter<PolicyRuleType>))]
public enum PolicyRuleType
{
/// <summary>
/// Gate rule (block/warn/allow).
/// </summary>
Gate,
/// <summary>
/// Threshold rule (e.g., max critical count).
/// </summary>
Threshold,
/// <summary>
/// Exception rule.
/// </summary>
Exception,
/// <summary>
/// SLA rule.
/// </summary>
Sla,
/// <summary>
/// Notification rule.
/// </summary>
Notification,
/// <summary>
/// Escalation rule.
/// </summary>
Escalation
}
/// <summary>
/// Draft policy rule generated from natural language.
/// </summary>
public sealed record AIPolicyRuleDraft
{
/// <summary>
/// Rule identifier.
/// </summary>
[JsonPropertyName("ruleId")]
public required string RuleId { get; init; }
/// <summary>
/// Rule type.
/// </summary>
[JsonPropertyName("ruleType")]
public required PolicyRuleType RuleType { get; init; }
/// <summary>
/// Human-readable rule name.
/// </summary>
[JsonPropertyName("name")]
public required string Name { get; init; }
/// <summary>
/// Rule description.
/// </summary>
[JsonPropertyName("description")]
public required string Description { get; init; }
/// <summary>
/// Rule condition in lattice logic syntax.
/// </summary>
[JsonPropertyName("condition")]
public required string Condition { get; init; }
/// <summary>
/// Action to take when condition matches.
/// </summary>
[JsonPropertyName("action")]
public required string Action { get; init; }
/// <summary>
/// Rule priority (higher = evaluated first).
/// </summary>
[JsonPropertyName("priority")]
public required int Priority { get; init; }
/// <summary>
/// Original natural language input.
/// </summary>
[JsonPropertyName("originalInput")]
public required string OriginalInput { get; init; }
/// <summary>
/// AI confidence in the translation (0.0-1.0).
/// </summary>
[JsonPropertyName("confidence")]
public required double Confidence { get; init; }
/// <summary>
/// Ambiguities detected in the input.
/// </summary>
[JsonPropertyName("ambiguities")]
public IReadOnlyList<string>? Ambiguities { get; init; }
}
/// <summary>
/// Test case for validating a policy rule.
/// </summary>
public sealed record PolicyRuleTestCase
{
/// <summary>
/// Test case identifier.
/// </summary>
[JsonPropertyName("testId")]
public required string TestId { get; init; }
/// <summary>
/// Rule ID being tested.
/// </summary>
[JsonPropertyName("ruleId")]
public required string RuleId { get; init; }
/// <summary>
/// Test case description.
/// </summary>
[JsonPropertyName("description")]
public required string Description { get; init; }
/// <summary>
/// Input scenario (JSON blob matching rule input schema).
/// </summary>
[JsonPropertyName("input")]
public required string Input { get; init; }
/// <summary>
/// Expected outcome.
/// </summary>
[JsonPropertyName("expectedOutcome")]
public required string ExpectedOutcome { get; init; }
/// <summary>
/// Whether the test passed.
/// </summary>
[JsonPropertyName("passed")]
public bool? Passed { get; init; }
/// <summary>
/// Actual outcome if test was run.
/// </summary>
[JsonPropertyName("actualOutcome")]
public string? ActualOutcome { get; init; }
}
/// <summary>
/// Validation result for the policy draft.
/// </summary>
public sealed record PolicyValidationResult
{
/// <summary>
/// Whether the policy is syntactically valid.
/// </summary>
[JsonPropertyName("syntaxValid")]
public required bool SyntaxValid { get; init; }
/// <summary>
/// Whether the policy is semantically valid.
/// </summary>
[JsonPropertyName("semanticsValid")]
public required bool SemanticsValid { get; init; }
/// <summary>
/// Syntax errors if any.
/// </summary>
[JsonPropertyName("syntaxErrors")]
public IReadOnlyList<string>? SyntaxErrors { get; init; }
/// <summary>
/// Semantic warnings if any.
/// </summary>
[JsonPropertyName("semanticWarnings")]
public IReadOnlyList<string>? SemanticWarnings { get; init; }
/// <summary>
/// Test cases that failed.
/// </summary>
[JsonPropertyName("failedTests")]
public IReadOnlyList<string>? FailedTests { get; init; }
/// <summary>
/// Overall validation passed.
/// </summary>
[JsonPropertyName("overallPassed")]
public required bool OverallPassed { get; init; }
}
/// <summary>
/// Predicate for AI-generated policy drafts from natural language.
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-05
/// </summary>
public sealed record AIPolicyDraftPredicate : AIArtifactBasePredicate
{
/// <summary>
/// Original natural language policy intent.
/// </summary>
[JsonPropertyName("naturalLanguageInput")]
public required string NaturalLanguageInput { get; init; }
/// <summary>
/// Draft rules translated from natural language.
/// </summary>
[JsonPropertyName("rules")]
public required IReadOnlyList<AIPolicyRuleDraft> Rules { get; init; }
/// <summary>
/// Test cases for validation.
/// </summary>
[JsonPropertyName("testCases")]
public required IReadOnlyList<PolicyRuleTestCase> TestCases { get; init; }
/// <summary>
/// Validation result.
/// </summary>
[JsonPropertyName("validationResult")]
public required PolicyValidationResult ValidationResult { get; init; }
/// <summary>
/// Target policy pack name.
/// </summary>
[JsonPropertyName("targetPolicyPack")]
public required string TargetPolicyPack { get; init; }
/// <summary>
/// Policy pack version.
/// </summary>
[JsonPropertyName("targetVersion")]
public required string TargetVersion { get; init; }
/// <summary>
/// Detected intent categories.
/// </summary>
[JsonPropertyName("detectedIntents")]
public required IReadOnlyList<string> DetectedIntents { get; init; }
/// <summary>
/// Clarification questions for ambiguous inputs.
/// </summary>
[JsonPropertyName("clarificationQuestions")]
public IReadOnlyList<string>? ClarificationQuestions { get; init; }
/// <summary>
/// Whether the draft is ready for deployment.
/// </summary>
[JsonPropertyName("deployReady")]
public required bool DeployReady { get; init; }
}

273
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIRemediationPlanPredicate.cs Normal file
View File

@@ -0,0 +1,273 @@
using System.Text.Json.Serialization;
namespace StellaOps.Attestor.ProofChain.Predicates.AI;
/// <summary>
/// Status of a remediation step.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter<RemediationStepStatus>))]
public enum RemediationStepStatus
{
/// <summary>
/// Step has not been started.
/// </summary>
Pending,
/// <summary>
/// Step is in progress.
/// </summary>
InProgress,
/// <summary>
/// Step completed successfully.
/// </summary>
Complete,
/// <summary>
/// Step was skipped (e.g., not applicable).
/// </summary>
Skipped,
/// <summary>
/// Step failed.
/// </summary>
Failed
}
/// <summary>
/// Type of remediation action.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter<RemediationActionType>))]
public enum RemediationActionType
{
/// <summary>
/// Upgrade a package to a fixed version.
/// </summary>
PackageUpgrade,
/// <summary>
/// Apply a patch to source code.
/// </summary>
SourcePatch,
/// <summary>
/// Apply a configuration change.
/// </summary>
ConfigurationChange,
/// <summary>
/// Add a VEX statement.
/// </summary>
VexStatement,
/// <summary>
/// Apply a compensating control.
/// </summary>
CompensatingControl,
/// <summary>
/// Accept the risk (with justification).
/// </summary>
RiskAcceptance,
/// <summary>
/// Remove the affected component.
/// </summary>
ComponentRemoval
}
/// <summary>
/// Single step in a remediation plan.
/// </summary>
public sealed record RemediationStep
{
/// <summary>
/// Order of this step (1-based).
/// </summary>
[JsonPropertyName("order")]
public required int Order { get; init; }
/// <summary>
/// Type of action.
/// </summary>
[JsonPropertyName("actionType")]
public required RemediationActionType ActionType { get; init; }
/// <summary>
/// Human-readable description of the step.
/// </summary>
[JsonPropertyName("description")]
public required string Description { get; init; }
/// <summary>
/// Target component (PURL, file path, config key).
/// </summary>
[JsonPropertyName("target")]
public required string Target { get; init; }
/// <summary>
/// Current value (version, setting, etc.).
/// </summary>
[JsonPropertyName("currentValue")]
public string? CurrentValue { get; init; }
/// <summary>
/// Proposed new value.
/// </summary>
[JsonPropertyName("proposedValue")]
public required string ProposedValue { get; init; }
/// <summary>
/// Estimated risk reduction (0.0-1.0).
/// </summary>
[JsonPropertyName("riskReduction")]
public required double RiskReduction { get; init; }
/// <summary>
/// Whether this step can be automated.
/// </summary>
[JsonPropertyName("canAutomate")]
public required bool CanAutomate { get; init; }
/// <summary>
/// Automation script or command if automatable.
/// </summary>
[JsonPropertyName("automationScript")]
public string? AutomationScript { get; init; }
/// <summary>
/// Current status of this step.
/// </summary>
[JsonPropertyName("status")]
public RemediationStepStatus Status { get; init; } = RemediationStepStatus.Pending;
/// <summary>
/// Evidence references supporting this step.
/// </summary>
[JsonPropertyName("evidenceRefs")]
public IReadOnlyList<string>? EvidenceRefs { get; init; }
}
/// <summary>
/// Risk assessment for the remediation plan.
/// </summary>
public sealed record RemediationRiskAssessment
{
/// <summary>
/// Risk level before remediation.
/// </summary>
[JsonPropertyName("riskBefore")]
public required double RiskBefore { get; init; }
/// <summary>
/// Expected risk level after remediation.
/// </summary>
[JsonPropertyName("riskAfter")]
public required double RiskAfter { get; init; }
/// <summary>
/// Potential breaking changes from this remediation.
/// </summary>
[JsonPropertyName("breakingChanges")]
public required IReadOnlyList<string> BreakingChanges { get; init; }
/// <summary>
/// Required test coverage for safe rollout.
/// </summary>
[JsonPropertyName("requiredTestCoverage")]
public IReadOnlyList<string>? RequiredTestCoverage { get; init; }
}
/// <summary>
/// Verification status of the remediation plan.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter<RemediationVerificationStatus>))]
public enum RemediationVerificationStatus
{
/// <summary>
/// Plan not yet verified.
/// </summary>
Unverified,
/// <summary>
/// Plan verified against current state.
/// </summary>
Verified,
/// <summary>
/// Plan verified but state has drifted.
/// </summary>
Stale,
/// <summary>
/// Plan applied and verified as effective.
/// </summary>
Applied,
/// <summary>
/// Plan verification failed.
/// </summary>
Failed
}
/// <summary>
/// Predicate for AI-generated remediation plans.
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-03
/// </summary>
public sealed record AIRemediationPlanPredicate : AIArtifactBasePredicate
{
/// <summary>
/// Vulnerability being remediated (CVE ID, GHSA, etc.).
/// </summary>
[JsonPropertyName("vulnerabilityId")]
public required string VulnerabilityId { get; init; }
/// <summary>
/// Affected component (PURL).
/// </summary>
[JsonPropertyName("affectedComponent")]
public required string AffectedComponent { get; init; }
/// <summary>
/// Ordered remediation steps.
/// </summary>
[JsonPropertyName("steps")]
public required IReadOnlyList<RemediationStep> Steps { get; init; }
/// <summary>
/// Expected delta in risk score after remediation.
/// </summary>
[JsonPropertyName("expectedDelta")]
public required double ExpectedDelta { get; init; }
/// <summary>
/// Risk assessment for this plan.
/// </summary>
[JsonPropertyName("riskAssessment")]
public required RemediationRiskAssessment RiskAssessment { get; init; }
/// <summary>
/// Verification status of the plan.
/// </summary>
[JsonPropertyName("verificationStatus")]
public required RemediationVerificationStatus VerificationStatus { get; init; }
/// <summary>
/// Whether a PR can be auto-generated for this plan.
/// </summary>
[JsonPropertyName("prReady")]
public required bool PrReady { get; init; }
/// <summary>
/// Git commit SHA if a fix branch exists.
/// </summary>
[JsonPropertyName("fixBranchCommit")]
public string? FixBranchCommit { get; init; }
/// <summary>
/// Evidence references supporting this plan.
/// </summary>
[JsonPropertyName("evidenceRefs")]
public required IReadOnlyList<string> EvidenceRefs { get; init; }
}

155
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIVexDraftPredicate.cs Normal file
View File

@@ -0,0 +1,155 @@
using System.Text.Json.Serialization;
namespace StellaOps.Attestor.ProofChain.Predicates.AI;
/// <summary>
/// Draft VEX statement generated by AI.
/// </summary>
public sealed record AIVexStatementDraft
{
/// <summary>
/// Vulnerability ID (CVE, GHSA, etc.).
/// </summary>
[JsonPropertyName("vulnerabilityId")]
public required string VulnerabilityId { get; init; }
/// <summary>
/// Affected product identifier (PURL).
/// </summary>
[JsonPropertyName("productId")]
public required string ProductId { get; init; }
/// <summary>
/// Proposed VEX status: not_affected, affected, fixed, under_investigation.
/// </summary>
[JsonPropertyName("status")]
public required string Status { get; init; }
/// <summary>
/// Justification category per VEX spec.
/// </summary>
[JsonPropertyName("justification")]
public string? Justification { get; init; }
/// <summary>
/// Detailed impact statement.
/// </summary>
[JsonPropertyName("impactStatement")]
public string? ImpactStatement { get; init; }
/// <summary>
/// Action statement if status is "affected".
/// </summary>
[JsonPropertyName("actionStatement")]
public string? ActionStatement { get; init; }
/// <summary>
/// AI confidence in this draft (0.0-1.0).
/// </summary>
[JsonPropertyName("confidence")]
public required double Confidence { get; init; }
/// <summary>
/// Evidence nodes supporting this draft.
/// </summary>
[JsonPropertyName("supportingEvidence")]
public required IReadOnlyList<string> SupportingEvidence { get; init; }
}
/// <summary>
/// Justification for a VEX statement draft.
/// </summary>
public sealed record AIVexJustification
{
/// <summary>
/// Index of the VEX statement this justification applies to.
/// </summary>
[JsonPropertyName("statementIndex")]
public required int StatementIndex { get; init; }
/// <summary>
/// Reasoning for the proposed status.
/// </summary>
[JsonPropertyName("reasoning")]
public required string Reasoning { get; init; }
/// <summary>
/// Key evidence points.
/// </summary>
[JsonPropertyName("evidencePoints")]
public required IReadOnlyList<string> EvidencePoints { get; init; }
/// <summary>
/// Counter-arguments or caveats.
/// </summary>
[JsonPropertyName("caveats")]
public IReadOnlyList<string>? Caveats { get; init; }
/// <summary>
/// Whether this justification conflicts with existing VEX.
/// </summary>
[JsonPropertyName("conflictsWithExisting")]
public required bool ConflictsWithExisting { get; init; }
/// <summary>
/// If conflicting, the existing VEX statement ID.
/// </summary>
[JsonPropertyName("conflictingVexId")]
public string? ConflictingVexId { get; init; }
}
/// <summary>
/// Predicate for AI-generated VEX drafts.
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-04
/// </summary>
public sealed record AIVexDraftPredicate : AIArtifactBasePredicate
{
/// <summary>
/// Draft VEX statements.
/// </summary>
[JsonPropertyName("vexStatements")]
public required IReadOnlyList<AIVexStatementDraft> VexStatements { get; init; }
/// <summary>
/// Justifications for each statement.
/// </summary>
[JsonPropertyName("justifications")]
public required IReadOnlyList<AIVexJustification> Justifications { get; init; }
/// <summary>
/// Evidence node IDs referenced.
/// </summary>
[JsonPropertyName("evidenceRefs")]
public required IReadOnlyList<string> EvidenceRefs { get; init; }
/// <summary>
/// Target VEX format for export (openvex, cyclonedx, csaf).
/// </summary>
[JsonPropertyName("targetFormat")]
public required string TargetFormat { get; init; }
/// <summary>
/// Whether all drafts can be auto-approved based on evidence.
/// </summary>
[JsonPropertyName("autoApprovable")]
public required bool AutoApprovable { get; init; }
/// <summary>
/// Human review required reasons (if any).
/// </summary>
[JsonPropertyName("reviewRequired")]
public IReadOnlyList<string>? ReviewRequired { get; init; }
/// <summary>
/// Scope of this VEX draft (image, service, release).
/// </summary>
[JsonPropertyName("scope")]
public required string Scope { get; init; }
/// <summary>
/// Scope identifier (image digest, service name, release tag).
/// </summary>
[JsonPropertyName("scopeId")]
public required string ScopeId { get; init; }
}

150
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/AIArtifactReplayManifest.cs Normal file
View File

@@ -0,0 +1,150 @@
using System.Text.Json.Serialization;
using StellaOps.Attestor.ProofChain.Predicates.AI;
namespace StellaOps.Attestor.ProofChain.Replay;
/// <summary>
/// Input artifact for replay.
/// </summary>
public sealed record ReplayInputArtifact
{
/// <summary>
/// SHA-256 hash of the input content.
/// </summary>
[JsonPropertyName("hash")]
public required string Hash { get; init; }
/// <summary>
/// Type of input (e.g., "sbom", "vex", "policy", "context").
/// </summary>
[JsonPropertyName("type")]
public required string Type { get; init; }
/// <summary>
/// Media type of the content.
/// </summary>
[JsonPropertyName("mediaType")]
public required string MediaType { get; init; }
/// <summary>
/// Size in bytes.
/// </summary>
[JsonPropertyName("size")]
public required long Size { get; init; }
/// <summary>
/// Storage location (OCI ref, blob ID, inline).
/// </summary>
[JsonPropertyName("location")]
public required string Location { get; init; }
/// <summary>
/// Order in input sequence.
/// </summary>
[JsonPropertyName("order")]
public required int Order { get; init; }
}
/// <summary>
/// Prompt template snapshot for replay.
/// </summary>
public sealed record ReplayPromptTemplate
{
/// <summary>
/// Template name.
/// </summary>
[JsonPropertyName("name")]
public required string Name { get; init; }
/// <summary>
/// Template version.
/// </summary>
[JsonPropertyName("version")]
public required string Version { get; init; }
/// <summary>
/// SHA-256 hash of the template content.
/// </summary>
[JsonPropertyName("hash")]
public required string Hash { get; init; }
/// <summary>
/// Template storage location.
/// </summary>
[JsonPropertyName("location")]
public required string Location { get; init; }
}
/// <summary>
/// Manifest capturing all inputs for deterministic AI artifact replay.
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-18
/// </summary>
public sealed record AIArtifactReplayManifest
{
/// <summary>
/// Unique manifest ID.
/// </summary>
[JsonPropertyName("manifestId")]
public required string ManifestId { get; init; }
/// <summary>
/// ID of the artifact this manifest enables replay for.
/// </summary>
[JsonPropertyName("artifactId")]
public required string ArtifactId { get; init; }
/// <summary>
/// Artifact type (explanation, remediation, vexdraft, policydraft).
/// </summary>
[JsonPropertyName("artifactType")]
public required string ArtifactType { get; init; }
/// <summary>
/// Model identifier used for generation.
/// </summary>
[JsonPropertyName("modelId")]
public required AIModelIdentifier ModelId { get; init; }
/// <summary>
/// Decoding parameters for reproducibility.
/// </summary>
[JsonPropertyName("decodingParams")]
public required AIDecodingParameters DecodingParams { get; init; }
/// <summary>
/// Prompt template used.
/// </summary>
[JsonPropertyName("promptTemplate")]
public required ReplayPromptTemplate PromptTemplate { get; init; }
/// <summary>
/// All input artifacts in order.
/// </summary>
[JsonPropertyName("inputs")]
public required IReadOnlyList<ReplayInputArtifact> Inputs { get; init; }
/// <summary>
/// Expected output hash for verification.
/// </summary>
[JsonPropertyName("expectedOutputHash")]
public required string ExpectedOutputHash { get; init; }
/// <summary>
/// Original generation timestamp (UTC ISO-8601).
/// </summary>
[JsonPropertyName("generatedAt")]
public required string GeneratedAt { get; init; }
/// <summary>
/// Whether all inputs are available for replay.
/// </summary>
[JsonPropertyName("replayable")]
public required bool Replayable { get; init; }
/// <summary>
/// Reasons if not replayable.
/// </summary>
[JsonPropertyName("notReplayableReasons")]
public IReadOnlyList<string>? NotReplayableReasons { get; init; }
}

169
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/IAIArtifactReplayer.cs Normal file
View File

@@ -0,0 +1,169 @@
using StellaOps.Attestor.ProofChain.Predicates.AI;
namespace StellaOps.Attestor.ProofChain.Replay;
/// <summary>
/// Status of a replay attempt.
/// </summary>
public enum ReplayStatus
{
/// <summary>
/// Replay not started.
/// </summary>
NotStarted,
/// <summary>
/// Replay in progress.
/// </summary>
InProgress,
/// <summary>
/// Replay completed successfully with matching output.
/// </summary>
MatchedOutput,
/// <summary>
/// Replay completed but output diverged.
/// </summary>
DivergedOutput,
/// <summary>
/// Replay failed due to missing inputs.
/// </summary>
FailedMissingInputs,
/// <summary>
/// Replay failed due to unavailable model.
/// </summary>
FailedModelUnavailable,
/// <summary>
/// Replay failed with error.
/// </summary>
FailedError
}
/// <summary>
/// Result of an AI artifact replay attempt.
/// </summary>
public sealed record ReplayResult
{
/// <summary>
/// Manifest used for replay.
/// </summary>
public required AIArtifactReplayManifest Manifest { get; init; }
/// <summary>
/// Replay status.
/// </summary>
public required ReplayStatus Status { get; init; }
/// <summary>
/// Hash of the replayed output (if successful).
/// </summary>
public string? ReplayedOutputHash { get; init; }
/// <summary>
/// Whether output matches expected.
/// </summary>
public bool? OutputMatches { get; init; }
/// <summary>
/// Divergence details if output differs.
/// </summary>
public string? DivergenceDetails { get; init; }
/// <summary>
/// Error message if failed.
/// </summary>
public string? ErrorMessage { get; init; }
/// <summary>
/// Replay duration in milliseconds.
/// </summary>
public long? DurationMs { get; init; }
/// <summary>
/// Timestamp of replay attempt (UTC ISO-8601).
/// </summary>
public required string AttemptedAt { get; init; }
}
/// <summary>
/// Verification result for AI artifact replay.
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-20
/// </summary>
public sealed record ReplayVerificationResult
{
/// <summary>
/// Artifact ID being verified.
/// </summary>
public required string ArtifactId { get; init; }
/// <summary>
/// Whether verification passed.
/// </summary>
public required bool Verified { get; init; }
/// <summary>
/// Replay result.
/// </summary>
public required ReplayResult ReplayResult { get; init; }
/// <summary>
/// Confidence in verification (1.0 for matching, lower for diverged).
/// </summary>
public required double Confidence { get; init; }
/// <summary>
/// Verification notes.
/// </summary>
public IReadOnlyList<string>? Notes { get; init; }
}
/// <summary>
/// Service for re-executing AI generation with pinned inputs.
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-19
/// </summary>
public interface IAIArtifactReplayer
{
/// <summary>
/// Attempt to replay an AI artifact generation.
/// </summary>
/// <param name="manifest">Replay manifest with all inputs.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Replay result.</returns>
Task<ReplayResult> ReplayAsync(AIArtifactReplayManifest manifest, CancellationToken cancellationToken = default);
/// <summary>
/// Verify an AI artifact by replaying and comparing output.
/// </summary>
/// <param name="manifest">Replay manifest.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Verification result.</returns>
Task<ReplayVerificationResult> VerifyAsync(AIArtifactReplayManifest manifest, CancellationToken cancellationToken = default);
/// <summary>
/// Check if a manifest is replayable (all inputs available, model accessible).
/// </summary>
/// <param name="manifest">Replay manifest to check.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if replayable, false otherwise with reasons.</returns>
Task<(bool Replayable, IReadOnlyList<string> Reasons)> CheckReplayableAsync(
AIArtifactReplayManifest manifest,
CancellationToken cancellationToken = default);
/// <summary>
/// Build a replay manifest from an AI artifact base predicate.
/// </summary>
/// <param name="predicate">The AI artifact predicate.</param>
/// <param name="artifactType">Type of artifact.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Replay manifest.</returns>
Task<AIArtifactReplayManifest> BuildManifestAsync(
AIArtifactBasePredicate predicate,
string artifactType,
CancellationToken cancellationToken = default);
}

23
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/AI/AIExplanationStatement.cs Normal file
View File

@@ -0,0 +1,23 @@
using System.Text.Json.Serialization;
using StellaOps.Attestor.ProofChain.Predicates.AI;
namespace StellaOps.Attestor.ProofChain.Statements.AI;
/// <summary>
/// In-toto statement for AI-generated explanations.
/// Predicate type: ai-explanation.stella/v1
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-08
/// </summary>
public sealed record AIExplanationStatement : InTotoStatement
{
/// <inheritdoc />
[JsonPropertyName("predicateType")]
public override string PredicateType => "ai-explanation.stella/v1";
/// <summary>
/// The AI explanation predicate payload.
/// </summary>
[JsonPropertyName("predicate")]
public required AIExplanationPredicate Predicate { get; init; }
}

23
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/AI/AIPolicyDraftStatement.cs Normal file
View File

@@ -0,0 +1,23 @@
using System.Text.Json.Serialization;
using StellaOps.Attestor.ProofChain.Predicates.AI;
namespace StellaOps.Attestor.ProofChain.Statements.AI;
/// <summary>
/// In-toto statement for AI-generated policy drafts.
/// Predicate type: ai-policydraft.stella/v1
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-11
/// </summary>
public sealed record AIPolicyDraftStatement : InTotoStatement
{
/// <inheritdoc />
[JsonPropertyName("predicateType")]
public override string PredicateType => "ai-policydraft.stella/v1";
/// <summary>
/// The AI policy draft predicate payload.
/// </summary>
[JsonPropertyName("predicate")]
public required AIPolicyDraftPredicate Predicate { get; init; }
}

23
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/AI/AIRemediationPlanStatement.cs Normal file
View File

@@ -0,0 +1,23 @@
using System.Text.Json.Serialization;
using StellaOps.Attestor.ProofChain.Predicates.AI;
namespace StellaOps.Attestor.ProofChain.Statements.AI;
/// <summary>
/// In-toto statement for AI-generated remediation plans.
/// Predicate type: ai-remediation.stella/v1
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-09
/// </summary>
public sealed record AIRemediationPlanStatement : InTotoStatement
{
/// <inheritdoc />
[JsonPropertyName("predicateType")]
public override string PredicateType => "ai-remediation.stella/v1";
/// <summary>
/// The AI remediation plan predicate payload.
/// </summary>
[JsonPropertyName("predicate")]
public required AIRemediationPlanPredicate Predicate { get; init; }
}

23
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/AI/AIVexDraftStatement.cs Normal file
View File

@@ -0,0 +1,23 @@
using System.Text.Json.Serialization;
using StellaOps.Attestor.ProofChain.Predicates.AI;
namespace StellaOps.Attestor.ProofChain.Statements.AI;
/// <summary>
/// In-toto statement for AI-generated VEX drafts.
/// Predicate type: ai-vexdraft.stella/v1
/// Sprint: SPRINT_20251226_018_AI_attestations
/// Task: AIATTEST-10
/// </summary>
public sealed record AIVexDraftStatement : InTotoStatement
{
/// <inheritdoc />
[JsonPropertyName("predicateType")]
public override string PredicateType => "ai-vexdraft.stella/v1";
/// <summary>
/// The AI VEX draft predicate payload.
/// </summary>
[JsonPropertyName("predicate")]
public required AIVexDraftPredicate Predicate { get; init; }
}

336
src/Attestor/__Tests/StellaOps.Attestor.Bundling.Tests/AttestationBundlerTests.cs Normal file
View File

@@ -0,0 +1,336 @@
// -----------------------------------------------------------------------------
// AttestationBundlerTests.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0018-0020 - Unit tests for bundling
// Description: Unit tests for AttestationBundler service
// -----------------------------------------------------------------------------
using FluentAssertions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Moq;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Configuration;
using StellaOps.Attestor.Bundling.Models;
using StellaOps.Attestor.Bundling.Services;
using StellaOps.Attestor.ProofChain.Merkle;
namespace StellaOps.Attestor.Bundling.Tests;
public class AttestationBundlerTests
{
private readonly Mock<IBundleAggregator> _aggregatorMock;
private readonly Mock<IBundleStore> _storeMock;
private readonly Mock<IOrgKeySigner> _orgSignerMock;
private readonly IMerkleTreeBuilder _merkleBuilder;
private readonly Mock<ILogger<AttestationBundler>> _loggerMock;
private readonly IOptions<BundlingOptions> _options;
public AttestationBundlerTests()
{
_aggregatorMock = new Mock<IBundleAggregator>();
_storeMock = new Mock<IBundleStore>();
_orgSignerMock = new Mock<IOrgKeySigner>();
_merkleBuilder = new DeterministicMerkleTreeBuilder();
_loggerMock = new Mock<ILogger<AttestationBundler>>();
_options = Options.Create(new BundlingOptions());
}
[Fact]
public async Task CreateBundleAsync_WithAttestations_CreatesDeterministicBundle()
{
// Arrange
var attestations = CreateTestAttestations(5);
SetupAggregator(attestations);
var bundler = CreateBundler();
var request = new BundleCreationRequest(
DateTimeOffset.UtcNow.AddDays(-30),
DateTimeOffset.UtcNow);
// Act
var bundle = await bundler.CreateBundleAsync(request);
// Assert
bundle.Should().NotBeNull();
bundle.Attestations.Should().HaveCount(5);
bundle.MerkleTree.LeafCount.Should().Be(5);
bundle.MerkleTree.Root.Should().StartWith("sha256:");
bundle.Metadata.BundleId.Should().Be(bundle.MerkleTree.Root);
}
[Fact]
public async Task CreateBundleAsync_SameAttestationsShuffled_SameMerkleRoot()
{
// Arrange
var attestations = CreateTestAttestations(10);
// Create two bundlers with attestations in different orders
var shuffled1 = attestations.OrderBy(_ => Guid.NewGuid()).ToList();
var shuffled2 = attestations.OrderBy(_ => Guid.NewGuid()).ToList();
SetupAggregator(shuffled1);
var bundler1 = CreateBundler();
var request = new BundleCreationRequest(
DateTimeOffset.UtcNow.AddDays(-30),
DateTimeOffset.UtcNow);
var bundle1 = await bundler1.CreateBundleAsync(request);
// Reset and use different order
SetupAggregator(shuffled2);
var bundler2 = CreateBundler();
var bundle2 = await bundler2.CreateBundleAsync(request);
// Assert - same merkle root regardless of input order
bundle1.MerkleTree.Root.Should().Be(bundle2.MerkleTree.Root);
bundle1.Metadata.BundleId.Should().Be(bundle2.Metadata.BundleId);
}
[Fact]
public async Task CreateBundleAsync_NoAttestations_ThrowsException()
{
// Arrange
SetupAggregator(new List<BundledAttestation>());
var bundler = CreateBundler();
var request = new BundleCreationRequest(
DateTimeOffset.UtcNow.AddDays(-30),
DateTimeOffset.UtcNow);
// Act & Assert
await Assert.ThrowsAsync<InvalidOperationException>(
() => bundler.CreateBundleAsync(request));
}
[Fact]
public async Task CreateBundleAsync_WithOrgSigning_SignsBundle()
{
// Arrange
var attestations = CreateTestAttestations(3);
SetupAggregator(attestations);
var expectedSignature = new OrgSignature
{
KeyId = "org-key-2025",
Algorithm = "ECDSA_P256",
Signature = Convert.ToBase64String(new byte[64]),
SignedAt = DateTimeOffset.UtcNow,
CertificateChain = null
};
_orgSignerMock
.Setup(x => x.GetActiveKeyIdAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync("org-key-2025");
_orgSignerMock
.Setup(x => x.SignBundleAsync(It.IsAny<byte[]>(), "org-key-2025", It.IsAny<CancellationToken>()))
.ReturnsAsync(expectedSignature);
var bundler = CreateBundler();
var request = new BundleCreationRequest(
DateTimeOffset.UtcNow.AddDays(-30),
DateTimeOffset.UtcNow,
SignWithOrgKey: true);
// Act
var bundle = await bundler.CreateBundleAsync(request);
// Assert
bundle.OrgSignature.Should().NotBeNull();
bundle.OrgSignature!.KeyId.Should().Be("org-key-2025");
bundle.OrgSignature.Algorithm.Should().Be("ECDSA_P256");
}
[Fact]
public async Task VerifyBundleAsync_ValidBundle_ReturnsValid()
{
// Arrange
var attestations = CreateTestAttestations(5);
SetupAggregator(attestations);
var bundler = CreateBundler();
var request = new BundleCreationRequest(
DateTimeOffset.UtcNow.AddDays(-30),
DateTimeOffset.UtcNow);
var bundle = await bundler.CreateBundleAsync(request);
// Act
var result = await bundler.VerifyBundleAsync(bundle);
// Assert
result.Valid.Should().BeTrue();
result.MerkleRootVerified.Should().BeTrue();
result.Issues.Should().BeEmpty();
}
[Fact]
public async Task VerifyBundleAsync_TamperedBundle_ReturnsMerkleRootMismatch()
{
// Arrange
var attestations = CreateTestAttestations(5);
SetupAggregator(attestations);
var bundler = CreateBundler();
var request = new BundleCreationRequest(
DateTimeOffset.UtcNow.AddDays(-30),
DateTimeOffset.UtcNow);
var bundle = await bundler.CreateBundleAsync(request);
// Tamper with the bundle by modifying an attestation
var tamperedAttestations = bundle.Attestations.ToList();
var original = tamperedAttestations[0];
tamperedAttestations[0] = original with { EntryId = "tampered-entry-id" };
var tamperedBundle = bundle with { Attestations = tamperedAttestations };
// Act
var result = await bundler.VerifyBundleAsync(tamperedBundle);
// Assert
result.Valid.Should().BeFalse();
result.MerkleRootVerified.Should().BeFalse();
result.Issues.Should().Contain(i => i.Code == "MERKLE_ROOT_MISMATCH");
}
[Fact]
public async Task CreateBundleAsync_RespectsTenantFilter()
{
// Arrange
var attestations = CreateTestAttestations(5);
SetupAggregator(attestations);
var bundler = CreateBundler();
var request = new BundleCreationRequest(
DateTimeOffset.UtcNow.AddDays(-30),
DateTimeOffset.UtcNow,
TenantId: "test-tenant");
// Act
var bundle = await bundler.CreateBundleAsync(request);
// Assert
bundle.Metadata.TenantId.Should().Be("test-tenant");
_aggregatorMock.Verify(x => x.AggregateAsync(
It.Is<AggregationRequest>(r => r.TenantId == "test-tenant"),
It.IsAny<CancellationToken>()), Times.Once);
}
[Fact]
public async Task CreateBundleAsync_RespectsMaxAttestationsLimit()
{
// Arrange
var attestations = CreateTestAttestations(100);
SetupAggregator(attestations);
var options = Options.Create(new BundlingOptions
{
Aggregation = new BundleAggregationOptions
{
MaxAttestationsPerBundle = 10
}
});
var bundler = new AttestationBundler(
_aggregatorMock.Object,
_storeMock.Object,
_merkleBuilder,
_loggerMock.Object,
options,
_orgSignerMock.Object);
var request = new BundleCreationRequest(
DateTimeOffset.UtcNow.AddDays(-30),
DateTimeOffset.UtcNow);
// Act
var bundle = await bundler.CreateBundleAsync(request);
// Assert
bundle.Attestations.Should().HaveCount(10);
}
private AttestationBundler CreateBundler()
{
return new AttestationBundler(
_aggregatorMock.Object,
_storeMock.Object,
_merkleBuilder,
_loggerMock.Object,
_options,
_orgSignerMock.Object);
}
private void SetupAggregator(List<BundledAttestation> attestations)
{
_aggregatorMock
.Setup(x => x.AggregateAsync(
It.IsAny<AggregationRequest>(),
It.IsAny<CancellationToken>()))
.Returns(attestations.ToAsyncEnumerable());
}
private static List<BundledAttestation> CreateTestAttestations(int count)
{
var attestations = new List<BundledAttestation>();
for (var i = 0; i < count; i++)
{
attestations.Add(new BundledAttestation
{
EntryId = $"entry-{i:D4}",
RekorUuid = Guid.NewGuid().ToString("N"),
RekorLogIndex = 10000 + i,
ArtifactDigest = $"sha256:{new string((char)('a' + i % 26), 64)}",
PredicateType = "verdict.stella/v1",
SignedAt = DateTimeOffset.UtcNow.AddHours(-i),
SigningMode = "keyless",
SigningIdentity = new SigningIdentity
{
Issuer = "https://authority.internal",
Subject = "signer@stella-ops.org",
San = "urn:stellaops:signer"
},
InclusionProof = new RekorInclusionProof
{
Checkpoint = new CheckpointData
{
Origin = "rekor.sigstore.dev",
Size = 100000 + i,
RootHash = Convert.ToBase64String(new byte[32]),
Timestamp = DateTimeOffset.UtcNow
},
Path = new List<string>
{
Convert.ToBase64String(new byte[32]),
Convert.ToBase64String(new byte[32])
}
},
Envelope = new DsseEnvelopeData
{
PayloadType = "application/vnd.in-toto+json",
Payload = Convert.ToBase64String("{\"test\":true}"u8.ToArray()),
Signatures = new List<EnvelopeSignature>
{
new() { KeyId = "key-1", Sig = Convert.ToBase64String(new byte[64]) }
},
CertificateChain = new List<string>
{
"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----"
}
}
});
}
return attestations;
}
}

359
src/Attestor/__Tests/StellaOps.Attestor.Bundling.Tests/BundleAggregatorTests.cs Normal file
View File

@@ -0,0 +1,359 @@
// -----------------------------------------------------------------------------
// BundleAggregatorTests.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0018 - Unit tests: BundleAggregator
// Description: Unit tests for attestation aggregation with date range and tenant filtering
// -----------------------------------------------------------------------------
using FluentAssertions;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Models;
using Xunit;
namespace StellaOps.Attestor.Bundling.Tests;
public class BundleAggregatorTests
{
private readonly InMemoryBundleAggregator _aggregator;
public BundleAggregatorTests()
{
_aggregator = new InMemoryBundleAggregator();
}
#region Date Range Filtering Tests
[Fact]
public async Task AggregateAsync_WithDateRange_ReturnsOnlyAttestationsInRange()
{
// Arrange
var start = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var end = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
_aggregator.AddAttestation(CreateAttestation("att-1", start.AddDays(5))); // In range
_aggregator.AddAttestation(CreateAttestation("att-2", start.AddDays(15))); // In range
_aggregator.AddAttestation(CreateAttestation("att-3", start.AddDays(-5))); // Before range
_aggregator.AddAttestation(CreateAttestation("att-4", end.AddDays(5))); // After range
// Act
var results = await _aggregator
.AggregateAsync(new AggregationRequest(start, end))
.ToListAsync();
// Assert
results.Should().HaveCount(2);
results.Should().Contain(a => a.EntryId == "att-1");
results.Should().Contain(a => a.EntryId == "att-2");
results.Should().NotContain(a => a.EntryId == "att-3");
results.Should().NotContain(a => a.EntryId == "att-4");
}
[Fact]
public async Task AggregateAsync_InclusiveBoundaries_IncludesEdgeAttestations()
{
// Arrange
var start = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var end = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
_aggregator.AddAttestation(CreateAttestation("att-start", start)); // Exactly at start
_aggregator.AddAttestation(CreateAttestation("att-end", end)); // Exactly at end
// Act
var results = await _aggregator
.AggregateAsync(new AggregationRequest(start, end))
.ToListAsync();
// Assert
results.Should().HaveCount(2);
results.Should().Contain(a => a.EntryId == "att-start");
results.Should().Contain(a => a.EntryId == "att-end");
}
[Fact]
public async Task AggregateAsync_EmptyRange_ReturnsEmpty()
{
// Arrange
var start = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var end = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
// Add attestations outside the range
_aggregator.AddAttestation(CreateAttestation("att-1", start.AddDays(-10)));
_aggregator.AddAttestation(CreateAttestation("att-2", end.AddDays(10)));
// Act
var results = await _aggregator
.AggregateAsync(new AggregationRequest(start, end))
.ToListAsync();
// Assert
results.Should().BeEmpty();
}
#endregion
#region Tenant Filtering Tests
[Fact]
public async Task AggregateAsync_WithTenantFilter_ReturnsOnlyTenantAttestations()
{
// Arrange
var start = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var end = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
_aggregator.AddAttestation(CreateAttestation("att-1", start.AddDays(5)), tenantId: "tenant-a");
_aggregator.AddAttestation(CreateAttestation("att-2", start.AddDays(10)), tenantId: "tenant-a");
_aggregator.AddAttestation(CreateAttestation("att-3", start.AddDays(15)), tenantId: "tenant-b");
// Act
var results = await _aggregator
.AggregateAsync(new AggregationRequest(start, end, TenantId: "tenant-a"))
.ToListAsync();
// Assert
results.Should().HaveCount(2);
results.Should().OnlyContain(a => a.EntryId.StartsWith("att-1") || a.EntryId.StartsWith("att-2"));
}
[Fact]
public async Task AggregateAsync_WithoutTenantFilter_ReturnsAllTenants()
{
// Arrange
var start = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var end = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
_aggregator.AddAttestation(CreateAttestation("att-1", start.AddDays(5)), tenantId: "tenant-a");
_aggregator.AddAttestation(CreateAttestation("att-2", start.AddDays(10)), tenantId: "tenant-b");
_aggregator.AddAttestation(CreateAttestation("att-3", start.AddDays(15)), tenantId: null);
// Act
var results = await _aggregator
.AggregateAsync(new AggregationRequest(start, end))
.ToListAsync();
// Assert
results.Should().HaveCount(3);
}
#endregion
#region Predicate Type Filtering Tests
[Fact]
public async Task AggregateAsync_WithPredicateTypes_ReturnsOnlyMatchingTypes()
{
// Arrange
var start = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var end = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
_aggregator.AddAttestation(CreateAttestation("att-1", start.AddDays(5), predicateType: "verdict.stella/v1"));
_aggregator.AddAttestation(CreateAttestation("att-2", start.AddDays(10), predicateType: "sbom.stella/v1"));
_aggregator.AddAttestation(CreateAttestation("att-3", start.AddDays(15), predicateType: "verdict.stella/v1"));
// Act
var results = await _aggregator
.AggregateAsync(new AggregationRequest(
start, end,
PredicateTypes: new[] { "verdict.stella/v1" }))
.ToListAsync();
// Assert
results.Should().HaveCount(2);
results.Should().OnlyContain(a => a.PredicateType == "verdict.stella/v1");
}
[Fact]
public async Task AggregateAsync_WithMultiplePredicateTypes_ReturnsAllMatchingTypes()
{
// Arrange
var start = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var end = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
_aggregator.AddAttestation(CreateAttestation("att-1", start.AddDays(5), predicateType: "verdict.stella/v1"));
_aggregator.AddAttestation(CreateAttestation("att-2", start.AddDays(10), predicateType: "sbom.stella/v1"));
_aggregator.AddAttestation(CreateAttestation("att-3", start.AddDays(15), predicateType: "provenance.stella/v1"));
// Act
var results = await _aggregator
.AggregateAsync(new AggregationRequest(
start, end,
PredicateTypes: new[] { "verdict.stella/v1", "sbom.stella/v1" }))
.ToListAsync();
// Assert
results.Should().HaveCount(2);
results.Should().NotContain(a => a.PredicateType == "provenance.stella/v1");
}
#endregion
#region Count Tests
[Fact]
public async Task CountAsync_ReturnsCorrectCount()
{
// Arrange
var start = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var end = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
for (int i = 0; i < 50; i++)
{
_aggregator.AddAttestation(CreateAttestation($"att-{i}", start.AddDays(i % 30)));
}
// Act
var count = await _aggregator.CountAsync(new AggregationRequest(start, end));
// Assert
count.Should().Be(50);
}
[Fact]
public async Task CountAsync_WithFilters_ReturnsFilteredCount()
{
// Arrange
var start = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var end = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
_aggregator.AddAttestation(CreateAttestation("att-1", start.AddDays(5)), tenantId: "tenant-a");
_aggregator.AddAttestation(CreateAttestation("att-2", start.AddDays(10)), tenantId: "tenant-a");
_aggregator.AddAttestation(CreateAttestation("att-3", start.AddDays(15)), tenantId: "tenant-b");
// Act
var count = await _aggregator.CountAsync(new AggregationRequest(start, end, TenantId: "tenant-a"));
// Assert
count.Should().Be(2);
}
#endregion
#region Ordering Tests
[Fact]
public async Task AggregateAsync_ReturnsDeterministicOrder()
{
// Arrange
var start = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var end = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
// Add in random order
_aggregator.AddAttestation(CreateAttestation("att-c", start.AddDays(15)));
_aggregator.AddAttestation(CreateAttestation("att-a", start.AddDays(5)));
_aggregator.AddAttestation(CreateAttestation("att-b", start.AddDays(10)));
// Act
var results1 = await _aggregator.AggregateAsync(new AggregationRequest(start, end)).ToListAsync();
var results2 = await _aggregator.AggregateAsync(new AggregationRequest(start, end)).ToListAsync();
// Assert: Order should be consistent (sorted by EntryId)
results1.Select(a => a.EntryId).Should().BeEquivalentTo(
results2.Select(a => a.EntryId),
options => options.WithStrictOrdering());
}
#endregion
#region Helper Methods
private static BundledAttestation CreateAttestation(
string entryId,
DateTimeOffset signedAt,
string? tenantId = null,
string predicateType = "verdict.stella/v1")
{
return new BundledAttestation
{
EntryId = entryId,
RekorUuid = $"rekor-{entryId}",
RekorLogIndex = Random.Shared.NextInt64(1000000),
ArtifactDigest = $"sha256:{Guid.NewGuid():N}",
PredicateType = predicateType,
SignedAt = signedAt,
SigningMode = "keyless",
SigningIdentity = new SigningIdentity
{
Issuer = "https://token.actions.githubusercontent.com",
Subject = "repo:org/repo:ref:refs/heads/main"
},
Envelope = new DsseEnvelopeData
{
PayloadType = "application/vnd.in-toto+json",
Payload = Convert.ToBase64String("test-payload"u8.ToArray()),
Signatures = new List<EnvelopeSignature>
{
new() { Sig = Convert.ToBase64String("test-sig"u8.ToArray()) }
}
}
};
}
#endregion
}
/// <summary>
/// In-memory implementation of IBundleAggregator for testing.
/// </summary>
internal sealed class InMemoryBundleAggregator : IBundleAggregator
{
private readonly List<(BundledAttestation Attestation, string? TenantId)> _attestations = new();
public void AddAttestation(BundledAttestation attestation, string? tenantId = null)
{
_attestations.Add((attestation, tenantId));
}
public async IAsyncEnumerable<BundledAttestation> AggregateAsync(
AggregationRequest request,
[System.Runtime.CompilerServices.EnumeratorCancellation] CancellationToken cancellationToken = default)
{
var query = _attestations.AsEnumerable();
// Date range filter
query = query.Where(x =>
x.Attestation.SignedAt >= request.PeriodStart &&
x.Attestation.SignedAt <= request.PeriodEnd);
// Tenant filter
if (request.TenantId != null)
{
query = query.Where(x => x.TenantId == request.TenantId);
}
// Predicate type filter
if (request.PredicateTypes?.Count > 0)
{
query = query.Where(x => request.PredicateTypes.Contains(x.Attestation.PredicateType));
}
// Deterministic ordering
query = query.OrderBy(x => x.Attestation.EntryId);
foreach (var item in query)
{
cancellationToken.ThrowIfCancellationRequested();
await Task.Yield();
yield return item.Attestation;
}
}
public Task<int> CountAsync(AggregationRequest request, CancellationToken cancellationToken = default)
{
var query = _attestations.AsEnumerable();
query = query.Where(x =>
x.Attestation.SignedAt >= request.PeriodStart &&
x.Attestation.SignedAt <= request.PeriodEnd);
if (request.TenantId != null)
{
query = query.Where(x => x.TenantId == request.TenantId);
}
if (request.PredicateTypes?.Count > 0)
{
query = query.Where(x => request.PredicateTypes.Contains(x.Attestation.PredicateType));
}
return Task.FromResult(query.Count());
}
}

508
src/Attestor/__Tests/StellaOps.Attestor.Bundling.Tests/BundleWorkflowIntegrationTests.cs Normal file
View File

@@ -0,0 +1,508 @@
// -----------------------------------------------------------------------------
// BundleWorkflowIntegrationTests.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0023 - Integration test: Full bundle workflow
// Task: 0024 - Integration test: Scheduler job
// Description: Integration tests for complete bundle workflow and scheduler execution
// -----------------------------------------------------------------------------
using FluentAssertions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using Moq;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Configuration;
using StellaOps.Attestor.Bundling.Models;
using Xunit;
namespace StellaOps.Attestor.Bundling.Tests;
/// <summary>
/// Integration tests for the full bundle creation workflow:
/// Create → Store → Retrieve → Verify
/// </summary>
public class BundleWorkflowIntegrationTests
{
private readonly InMemoryBundleStore _store;
private readonly InMemoryBundleAggregator _aggregator;
private readonly TestOrgKeySigner _signer;
private readonly IOptions<BundlingOptions> _options;
public BundleWorkflowIntegrationTests()
{
_store = new InMemoryBundleStore();
_aggregator = new InMemoryBundleAggregator();
_signer = new TestOrgKeySigner();
_options = Options.Create(new BundlingOptions());
}
#region Full Workflow Tests
[Fact]
public async Task FullWorkflow_CreateStoreRetrieveVerify_Succeeds()
{
// Arrange: Add test attestations
var periodStart = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var periodEnd = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
for (int i = 0; i < 10; i++)
{
_aggregator.AddAttestation(CreateTestAttestation($"att-{i}", periodStart.AddDays(i)));
}
// Act 1: Create bundle
var createRequest = new BundleCreationRequest(
periodStart, periodEnd,
SignWithOrgKey: true,
OrgKeyId: "test-key");
var bundle = await CreateBundleAsync(createRequest);
// Assert: Bundle created correctly
bundle.Should().NotBeNull();
bundle.Metadata.AttestationCount.Should().Be(10);
bundle.OrgSignature.Should().NotBeNull();
// Act 2: Store bundle
await _store.StoreBundleAsync(bundle);
// Assert: Bundle exists
(await _store.ExistsAsync(bundle.Metadata.BundleId)).Should().BeTrue();
// Act 3: Retrieve bundle
var retrieved = await _store.GetBundleAsync(bundle.Metadata.BundleId);
// Assert: Retrieved bundle matches
retrieved.Should().NotBeNull();
retrieved!.Metadata.BundleId.Should().Be(bundle.Metadata.BundleId);
retrieved.Attestations.Should().HaveCount(10);
// Act 4: Verify bundle
var verificationResult = await VerifyBundleAsync(retrieved);
// Assert: Verification passes
verificationResult.Should().BeTrue();
}
[Fact]
public async Task FullWorkflow_WithoutOrgSignature_StillWorks()
{
// Arrange
var periodStart = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var periodEnd = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
_aggregator.AddAttestation(CreateTestAttestation("att-1", periodStart.AddDays(5)));
// Act: Create bundle WITHOUT org signature
var createRequest = new BundleCreationRequest(
periodStart, periodEnd,
SignWithOrgKey: false);
var bundle = await CreateBundleAsync(createRequest);
await _store.StoreBundleAsync(bundle);
var retrieved = await _store.GetBundleAsync(bundle.Metadata.BundleId);
// Assert
retrieved.Should().NotBeNull();
retrieved!.OrgSignature.Should().BeNull();
retrieved.Attestations.Should().HaveCount(1);
}
[Fact]
public async Task FullWorkflow_EmptyPeriod_CreatesEmptyBundle()
{
// Arrange: No attestations added
var periodStart = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var periodEnd = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
// Act
var createRequest = new BundleCreationRequest(periodStart, periodEnd);
var bundle = await CreateBundleAsync(createRequest);
// Assert
bundle.Metadata.AttestationCount.Should().Be(0);
bundle.Attestations.Should().BeEmpty();
}
[Fact]
public async Task FullWorkflow_LargeBundle_HandlesCorrectly()
{
// Arrange: Add many attestations
var periodStart = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var periodEnd = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
for (int i = 0; i < 1000; i++)
{
_aggregator.AddAttestation(CreateTestAttestation($"att-{i:D4}", periodStart.AddMinutes(i)));
}
// Act
var bundle = await CreateBundleAsync(new BundleCreationRequest(periodStart, periodEnd));
await _store.StoreBundleAsync(bundle);
var retrieved = await _store.GetBundleAsync(bundle.Metadata.BundleId);
// Assert
retrieved.Should().NotBeNull();
retrieved!.Attestations.Should().HaveCount(1000);
}
#endregion
#region Tenant Isolation Tests
[Fact]
public async Task FullWorkflow_TenantIsolation_CreatesSeperateBundles()
{
// Arrange
var periodStart = new DateTimeOffset(2025, 12, 1, 0, 0, 0, TimeSpan.Zero);
var periodEnd = new DateTimeOffset(2025, 12, 31, 23, 59, 59, TimeSpan.Zero);
_aggregator.AddAttestation(CreateTestAttestation("att-a1", periodStart.AddDays(5)), "tenant-a");
_aggregator.AddAttestation(CreateTestAttestation("att-a2", periodStart.AddDays(10)), "tenant-a");
_aggregator.AddAttestation(CreateTestAttestation("att-b1", periodStart.AddDays(15)), "tenant-b");
// Act: Create bundles for each tenant
var bundleA = await CreateBundleAsync(new BundleCreationRequest(
periodStart, periodEnd, TenantId: "tenant-a"));
var bundleB = await CreateBundleAsync(new BundleCreationRequest(
periodStart, periodEnd, TenantId: "tenant-b"));
// Assert
bundleA.Attestations.Should().HaveCount(2);
bundleB.Attestations.Should().HaveCount(1);
bundleA.Metadata.BundleId.Should().NotBe(bundleB.Metadata.BundleId);
}
#endregion
#region Scheduler Job Tests
[Fact]
public async Task SchedulerJob_ExecutesAndCreatesBundles()
{
// Arrange: Add attestations for previous month
var now = DateTimeOffset.UtcNow;
var previousMonth = now.AddMonths(-1);
var periodStart = new DateTimeOffset(previousMonth.Year, previousMonth.Month, 1, 0, 0, 0, TimeSpan.Zero);
var periodEnd = periodStart.AddMonths(1).AddTicks(-1);
for (int i = 0; i < 5; i++)
{
_aggregator.AddAttestation(CreateTestAttestation($"att-{i}", periodStart.AddDays(i * 5)));
}
// Act: Simulate scheduler job execution
var jobResult = await ExecuteRotationJobAsync(periodStart, periodEnd);
// Assert
jobResult.Success.Should().BeTrue();
jobResult.BundleId.Should().NotBeEmpty();
jobResult.AttestationCount.Should().Be(5);
// Verify bundle was stored
(await _store.ExistsAsync(jobResult.BundleId)).Should().BeTrue();
}
[Fact]
public async Task SchedulerJob_MultiTenant_CreatesBundlesForEachTenant()
{
// Arrange
var now = DateTimeOffset.UtcNow;
var previousMonth = now.AddMonths(-1);
var periodStart = new DateTimeOffset(previousMonth.Year, previousMonth.Month, 1, 0, 0, 0, TimeSpan.Zero);
var periodEnd = periodStart.AddMonths(1).AddTicks(-1);
_aggregator.AddAttestation(CreateTestAttestation("att-1", periodStart.AddDays(5)), "tenant-x");
_aggregator.AddAttestation(CreateTestAttestation("att-2", periodStart.AddDays(10)), "tenant-y");
// Act: Execute job for all tenants
var resultX = await ExecuteRotationJobAsync(periodStart, periodEnd, "tenant-x");
var resultY = await ExecuteRotationJobAsync(periodStart, periodEnd, "tenant-y");
// Assert
resultX.Success.Should().BeTrue();
resultY.Success.Should().BeTrue();
resultX.BundleId.Should().NotBe(resultY.BundleId);
}
[Fact]
public async Task SchedulerJob_AppliesRetentionPolicy()
{
// Arrange: Create old bundle
var oldPeriodStart = DateTimeOffset.UtcNow.AddMonths(-36);
var oldBundle = CreateExpiredBundle("old-bundle", oldPeriodStart);
await _store.StoreBundleAsync(oldBundle);
// Verify old bundle exists
(await _store.ExistsAsync("old-bundle")).Should().BeTrue();
// Act: Apply retention
var deleted = await ApplyRetentionAsync(retentionMonths: 24);
// Assert
deleted.Should().BeGreaterThan(0);
(await _store.ExistsAsync("old-bundle")).Should().BeFalse();
}
#endregion
#region Helper Methods
private async Task<AttestationBundle> CreateBundleAsync(BundleCreationRequest request)
{
var attestations = await _aggregator
.AggregateAsync(new AggregationRequest(
request.PeriodStart,
request.PeriodEnd,
request.TenantId))
.ToListAsync();
// Sort for determinism
attestations = attestations.OrderBy(a => a.EntryId).ToList();
// Compute Merkle root (simplified)
var merkleRoot = ComputeMerkleRoot(attestations);
var bundle = new AttestationBundle
{
Metadata = new BundleMetadata
{
BundleId = $"sha256:{merkleRoot}",
CreatedAt = DateTimeOffset.UtcNow,
PeriodStart = request.PeriodStart,
PeriodEnd = request.PeriodEnd,
AttestationCount = attestations.Count,
TenantId = request.TenantId
},
Attestations = attestations,
MerkleTree = new MerkleTreeInfo
{
Root = $"sha256:{merkleRoot}",
LeafCount = attestations.Count
}
};
// Add org signature if requested
if (request.SignWithOrgKey && request.OrgKeyId != null)
{
var digest = System.Security.Cryptography.SHA256.HashData(
System.Text.Encoding.UTF8.GetBytes(merkleRoot));
var signature = await _signer.SignBundleAsync(digest, request.OrgKeyId);
bundle = bundle with
{
OrgSignature = signature,
Metadata = bundle.Metadata with { OrgKeyFingerprint = $"sha256:{request.OrgKeyId}" }
};
}
return bundle;
}
private async Task<bool> VerifyBundleAsync(AttestationBundle bundle)
{
// Verify Merkle root
var computedRoot = ComputeMerkleRoot(bundle.Attestations.ToList());
if (bundle.MerkleTree.Root != $"sha256:{computedRoot}")
{
return false;
}
// Verify org signature if present
if (bundle.OrgSignature != null)
{
var digest = System.Security.Cryptography.SHA256.HashData(
System.Text.Encoding.UTF8.GetBytes(computedRoot));
return await _signer.VerifyBundleAsync(digest, bundle.OrgSignature);
}
return true;
}
private async Task<RotationJobResult> ExecuteRotationJobAsync(
DateTimeOffset periodStart,
DateTimeOffset periodEnd,
string? tenantId = null)
{
try
{
var bundle = await CreateBundleAsync(new BundleCreationRequest(
periodStart, periodEnd,
TenantId: tenantId,
SignWithOrgKey: true,
OrgKeyId: "scheduler-key"));
await _store.StoreBundleAsync(bundle);
return new RotationJobResult
{
Success = true,
BundleId = bundle.Metadata.BundleId,
AttestationCount = bundle.Metadata.AttestationCount
};
}
catch (Exception ex)
{
return new RotationJobResult
{
Success = false,
Error = ex.Message
};
}
}
private async Task<int> ApplyRetentionAsync(int retentionMonths)
{
var cutoff = DateTimeOffset.UtcNow.AddMonths(-retentionMonths);
var deleted = 0;
var bundles = await _store.ListBundlesAsync(new BundleListRequest());
foreach (var bundle in bundles.Bundles)
{
if (bundle.CreatedAt < cutoff)
{
if (await _store.DeleteBundleAsync(bundle.BundleId))
{
deleted++;
}
}
}
return deleted;
}
private AttestationBundle CreateExpiredBundle(string bundleId, DateTimeOffset createdAt)
{
return new AttestationBundle
{
Metadata = new BundleMetadata
{
BundleId = bundleId,
CreatedAt = createdAt,
PeriodStart = createdAt.AddDays(-30),
PeriodEnd = createdAt,
AttestationCount = 0
},
Attestations = new List<BundledAttestation>(),
MerkleTree = new MerkleTreeInfo { Root = "sha256:empty", LeafCount = 0 }
};
}
private static string ComputeMerkleRoot(List<BundledAttestation> attestations)
{
if (attestations.Count == 0)
{
return "empty";
}
using var sha256 = System.Security.Cryptography.SHA256.Create();
var combined = string.Join("|", attestations.Select(a => a.EntryId));
var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(combined));
return Convert.ToHexString(hash).ToLowerInvariant();
}
private static BundledAttestation CreateTestAttestation(string entryId, DateTimeOffset signedAt)
{
return new BundledAttestation
{
EntryId = entryId,
RekorUuid = $"rekor-{entryId}",
RekorLogIndex = Random.Shared.NextInt64(1000000),
ArtifactDigest = $"sha256:{Guid.NewGuid():N}",
PredicateType = "verdict.stella/v1",
SignedAt = signedAt,
SigningMode = "keyless",
SigningIdentity = new SigningIdentity
{
Issuer = "https://token.actions.githubusercontent.com",
Subject = "repo:org/repo:ref:refs/heads/main"
},
Envelope = new DsseEnvelopeData
{
PayloadType = "application/vnd.in-toto+json",
Payload = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes($"payload-{entryId}")),
Signatures = new List<EnvelopeSignature>
{
new() { Sig = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes($"sig-{entryId}")) }
}
}
};
}
private sealed record RotationJobResult
{
public bool Success { get; init; }
public string BundleId { get; init; } = string.Empty;
public int AttestationCount { get; init; }
public string? Error { get; init; }
}
#endregion
}
/// <summary>
/// In-memory bundle store for integration testing.
/// </summary>
internal sealed class InMemoryBundleStore : IBundleStore
{
private readonly Dictionary<string, AttestationBundle> _bundles = new();
public Task StoreBundleAsync(
AttestationBundle bundle,
Abstractions.BundleStorageOptions? options = null,
CancellationToken cancellationToken = default)
{
_bundles[bundle.Metadata.BundleId] = bundle;
return Task.CompletedTask;
}
public Task<AttestationBundle?> GetBundleAsync(
string bundleId,
CancellationToken cancellationToken = default)
{
return Task.FromResult(_bundles.TryGetValue(bundleId, out var bundle) ? bundle : null);
}
public Task<bool> ExistsAsync(string bundleId, CancellationToken cancellationToken = default)
{
return Task.FromResult(_bundles.ContainsKey(bundleId));
}
public Task<bool> DeleteBundleAsync(string bundleId, CancellationToken cancellationToken = default)
{
return Task.FromResult(_bundles.Remove(bundleId));
}
public Task<BundleListResult> ListBundlesAsync(
BundleListRequest request,
CancellationToken cancellationToken = default)
{
var items = _bundles.Values
.Select(b => new BundleListItem(
b.Metadata.BundleId,
b.Metadata.PeriodStart,
b.Metadata.PeriodEnd,
b.Metadata.AttestationCount,
b.Metadata.CreatedAt,
b.OrgSignature != null))
.OrderByDescending(b => b.CreatedAt)
.ToList();
return Task.FromResult(new BundleListResult(items, null));
}
public Task ExportBundleAsync(
string bundleId,
Stream output,
Abstractions.BundleExportOptions? options = null,
CancellationToken cancellationToken = default)
{
if (_bundles.TryGetValue(bundleId, out var bundle))
{
var json = System.Text.Json.JsonSerializer.Serialize(bundle);
var bytes = System.Text.Encoding.UTF8.GetBytes(json);
output.Write(bytes);
}
return Task.CompletedTask;
}
}

540
src/Attestor/__Tests/StellaOps.Attestor.Bundling.Tests/KmsOrgKeySignerTests.cs Normal file
View File

@@ -0,0 +1,540 @@
// -----------------------------------------------------------------------------
// KmsOrgKeySignerTests.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0021 - Unit tests: Org-key signing
// Description: Unit tests for KmsOrgKeySigner service
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using FluentAssertions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Moq;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Models;
using StellaOps.Attestor.Bundling.Signing;
namespace StellaOps.Attestor.Bundling.Tests;
public class KmsOrgKeySignerTests
{
private readonly Mock<IKmsProvider> _kmsProviderMock;
private readonly Mock<ILogger<KmsOrgKeySigner>> _loggerMock;
public KmsOrgKeySignerTests()
{
_kmsProviderMock = new Mock<IKmsProvider>();
_loggerMock = new Mock<ILogger<KmsOrgKeySigner>>();
}
#region SignBundleAsync Tests
[Fact]
public async Task SignBundleAsync_ValidKey_ReturnsSignature()
{
// Arrange
var keyId = "org-key-2025";
var bundleDigest = SHA256.HashData("test bundle content"u8.ToArray());
var expectedSignature = new byte[64];
RandomNumberGenerator.Fill(expectedSignature);
var keyInfo = CreateKeyInfo(keyId, isActive: true);
SetupKmsProvider(keyId, keyInfo, expectedSignature);
var signer = CreateSigner();
// Act
var result = await signer.SignBundleAsync(bundleDigest, keyId);
// Assert
result.Should().NotBeNull();
result.KeyId.Should().Be(keyId);
result.Algorithm.Should().Be("ECDSA_P256");
result.Signature.Should().Be(Convert.ToBase64String(expectedSignature));
result.SignedAt.Should().BeCloseTo(DateTimeOffset.UtcNow, TimeSpan.FromSeconds(5));
}
[Fact]
public async Task SignBundleAsync_KeyNotFound_ThrowsException()
{
// Arrange
var keyId = "nonexistent-key";
var bundleDigest = SHA256.HashData("test"u8.ToArray());
_kmsProviderMock
.Setup(x => x.GetKeyInfoAsync(keyId, It.IsAny<CancellationToken>()))
.ReturnsAsync((KmsKeyInfo?)null);
var signer = CreateSigner();
// Act & Assert
var act = () => signer.SignBundleAsync(bundleDigest, keyId);
await act.Should().ThrowAsync<InvalidOperationException>()
.WithMessage($"*'{keyId}'*not found*");
}
[Fact]
public async Task SignBundleAsync_InactiveKey_ThrowsException()
{
// Arrange
var keyId = "inactive-key";
var bundleDigest = SHA256.HashData("test"u8.ToArray());
var keyInfo = CreateKeyInfo(keyId, isActive: false);
_kmsProviderMock
.Setup(x => x.GetKeyInfoAsync(keyId, It.IsAny<CancellationToken>()))
.ReturnsAsync(keyInfo);
var signer = CreateSigner();
// Act & Assert
var act = () => signer.SignBundleAsync(bundleDigest, keyId);
await act.Should().ThrowAsync<InvalidOperationException>()
.WithMessage($"*'{keyId}'*not active*");
}
[Fact]
public async Task SignBundleAsync_ExpiredKey_ThrowsException()
{
// Arrange
var keyId = "expired-key";
var bundleDigest = SHA256.HashData("test"u8.ToArray());
var keyInfo = new KmsKeyInfo(
keyId,
"ECDSA_P256",
"fingerprint",
DateTimeOffset.UtcNow.AddYears(-2),
DateTimeOffset.UtcNow.AddDays(-1), // Expired yesterday
true);
_kmsProviderMock
.Setup(x => x.GetKeyInfoAsync(keyId, It.IsAny<CancellationToken>()))
.ReturnsAsync(keyInfo);
var signer = CreateSigner();
// Act & Assert
var act = () => signer.SignBundleAsync(bundleDigest, keyId);
await act.Should().ThrowAsync<InvalidOperationException>()
.WithMessage($"*'{keyId}'*expired*");
}
[Fact]
public async Task SignBundleAsync_WithCertificateChain_IncludesChainInSignature()
{
// Arrange
var keyId = "org-key-with-cert";
var bundleDigest = SHA256.HashData("test"u8.ToArray());
var signature = new byte[64];
var certChain = new List<string>
{
"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----"
};
var keyInfo = CreateKeyInfo(keyId, isActive: true);
SetupKmsProvider(keyId, keyInfo, signature, certChain);
var signer = CreateSigner();
// Act
var result = await signer.SignBundleAsync(bundleDigest, keyId);
// Assert
result.CertificateChain.Should().NotBeNull();
result.CertificateChain.Should().HaveCount(2);
}
#endregion
#region VerifyBundleAsync Tests
[Fact]
public async Task VerifyBundleAsync_ValidSignature_ReturnsTrue()
{
// Arrange
var keyId = "org-key-2025";
var bundleDigest = SHA256.HashData("test bundle content"u8.ToArray());
var signatureBytes = new byte[64];
RandomNumberGenerator.Fill(signatureBytes);
var signature = new OrgSignature
{
KeyId = keyId,
Algorithm = "ECDSA_P256",
Signature = Convert.ToBase64String(signatureBytes),
SignedAt = DateTimeOffset.UtcNow.AddMinutes(-5),
CertificateChain = null
};
_kmsProviderMock
.Setup(x => x.VerifyAsync(
keyId,
bundleDigest,
signatureBytes,
"ECDSA_P256",
It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
var signer = CreateSigner();
// Act
var result = await signer.VerifyBundleAsync(bundleDigest, signature);
// Assert
result.Should().BeTrue();
}
[Fact]
public async Task VerifyBundleAsync_InvalidSignature_ReturnsFalse()
{
// Arrange
var keyId = "org-key-2025";
var bundleDigest = SHA256.HashData("test"u8.ToArray());
var signatureBytes = new byte[64];
var signature = new OrgSignature
{
KeyId = keyId,
Algorithm = "ECDSA_P256",
Signature = Convert.ToBase64String(signatureBytes),
SignedAt = DateTimeOffset.UtcNow,
CertificateChain = null
};
_kmsProviderMock
.Setup(x => x.VerifyAsync(
keyId,
bundleDigest,
signatureBytes,
"ECDSA_P256",
It.IsAny<CancellationToken>()))
.ReturnsAsync(false);
var signer = CreateSigner();
// Act
var result = await signer.VerifyBundleAsync(bundleDigest, signature);
// Assert
result.Should().BeFalse();
}
[Fact]
public async Task VerifyBundleAsync_KmsThrowsException_ReturnsFalse()
{
// Arrange
var keyId = "org-key-2025";
var bundleDigest = SHA256.HashData("test"u8.ToArray());
var signatureBytes = new byte[64];
var signature = new OrgSignature
{
KeyId = keyId,
Algorithm = "ECDSA_P256",
Signature = Convert.ToBase64String(signatureBytes),
SignedAt = DateTimeOffset.UtcNow,
CertificateChain = null
};
_kmsProviderMock
.Setup(x => x.VerifyAsync(
It.IsAny<string>(),
It.IsAny<byte[]>(),
It.IsAny<byte[]>(),
It.IsAny<string>(),
It.IsAny<CancellationToken>()))
.ThrowsAsync(new Exception("KMS unavailable"));
var signer = CreateSigner();
// Act
var result = await signer.VerifyBundleAsync(bundleDigest, signature);
// Assert
result.Should().BeFalse();
}
#endregion
#region GetActiveKeyIdAsync Tests
[Fact]
public async Task GetActiveKeyIdAsync_ConfiguredActiveKey_ReturnsConfiguredKey()
{
// Arrange
var options = Options.Create(new OrgSigningOptions
{
ActiveKeyId = "configured-active-key"
});
var signer = new KmsOrgKeySigner(
_kmsProviderMock.Object,
_loggerMock.Object,
options);
// Act
var result = await signer.GetActiveKeyIdAsync();
// Assert
result.Should().Be("configured-active-key");
}
[Fact]
public async Task GetActiveKeyIdAsync_NoConfiguredKey_ReturnsNewestActiveKey()
{
// Arrange
var keys = new List<KmsKeyInfo>
{
new("key-2024", "ECDSA_P256", "fp1", DateTimeOffset.UtcNow.AddYears(-1), null, true),
new("key-2025", "ECDSA_P256", "fp2", DateTimeOffset.UtcNow.AddMonths(-1), null, true),
new("key-2023", "ECDSA_P256", "fp3", DateTimeOffset.UtcNow.AddYears(-2), null, false) // Inactive
};
_kmsProviderMock
.Setup(x => x.ListKeysAsync(It.IsAny<string?>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(keys);
var signer = CreateSigner();
// Act
var result = await signer.GetActiveKeyIdAsync();
// Assert
result.Should().Be("key-2025"); // Newest active key
}
[Fact]
public async Task GetActiveKeyIdAsync_NoActiveKeys_ThrowsException()
{
// Arrange
var keys = new List<KmsKeyInfo>
{
new("key-inactive", "ECDSA_P256", "fp1", DateTimeOffset.UtcNow.AddYears(-1), null, false)
};
_kmsProviderMock
.Setup(x => x.ListKeysAsync(It.IsAny<string?>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(keys);
var signer = CreateSigner();
// Act & Assert
var act = () => signer.GetActiveKeyIdAsync();
await act.Should().ThrowAsync<InvalidOperationException>()
.WithMessage("*No active signing key*");
}
[Fact]
public async Task GetActiveKeyIdAsync_ExcludesExpiredKeys()
{
// Arrange
var keys = new List<KmsKeyInfo>
{
new("key-expired", "ECDSA_P256", "fp1", DateTimeOffset.UtcNow.AddYears(-2), DateTimeOffset.UtcNow.AddDays(-1), true),
new("key-valid", "ECDSA_P256", "fp2", DateTimeOffset.UtcNow.AddMonths(-6), null, true)
};
_kmsProviderMock
.Setup(x => x.ListKeysAsync(It.IsAny<string?>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(keys);
var signer = CreateSigner();
// Act
var result = await signer.GetActiveKeyIdAsync();
// Assert
result.Should().Be("key-valid");
}
#endregion
#region ListKeysAsync Tests
[Fact]
public async Task ListKeysAsync_ReturnsAllKeysFromKms()
{
// Arrange
var keys = new List<KmsKeyInfo>
{
new("key-1", "ECDSA_P256", "fp1", DateTimeOffset.UtcNow.AddYears(-1), null, true),
new("key-2", "Ed25519", "fp2", DateTimeOffset.UtcNow.AddMonths(-6), DateTimeOffset.UtcNow.AddMonths(6), true)
};
_kmsProviderMock
.Setup(x => x.ListKeysAsync("stellaops/org-signing/", It.IsAny<CancellationToken>()))
.ReturnsAsync(keys);
var signer = CreateSigner();
// Act
var result = await signer.ListKeysAsync();
// Assert
result.Should().HaveCount(2);
result.Should().Contain(k => k.KeyId == "key-1" && k.Algorithm == "ECDSA_P256");
result.Should().Contain(k => k.KeyId == "key-2" && k.Algorithm == "Ed25519");
}
#endregion
#region LocalOrgKeySigner Tests
[Fact]
public async Task LocalOrgKeySigner_SignAndVerify_Roundtrip()
{
// Arrange
var logger = new Mock<ILogger<LocalOrgKeySigner>>();
var signer = new LocalOrgKeySigner(logger.Object);
signer.AddKey("test-key-1", isActive: true);
var bundleDigest = SHA256.HashData("test bundle content"u8.ToArray());
// Act
var signature = await signer.SignBundleAsync(bundleDigest, "test-key-1");
var isValid = await signer.VerifyBundleAsync(bundleDigest, signature);
// Assert
isValid.Should().BeTrue();
signature.KeyId.Should().Be("test-key-1");
signature.Algorithm.Should().Be("ECDSA_P256");
}
[Fact]
public async Task LocalOrgKeySigner_VerifyWithWrongDigest_ReturnsFalse()
{
// Arrange
var logger = new Mock<ILogger<LocalOrgKeySigner>>();
var signer = new LocalOrgKeySigner(logger.Object);
signer.AddKey("test-key-1", isActive: true);
var originalDigest = SHA256.HashData("original content"u8.ToArray());
var tamperedDigest = SHA256.HashData("tampered content"u8.ToArray());
// Act
var signature = await signer.SignBundleAsync(originalDigest, "test-key-1");
var isValid = await signer.VerifyBundleAsync(tamperedDigest, signature);
// Assert
isValid.Should().BeFalse();
}
[Fact]
public async Task LocalOrgKeySigner_VerifyWithUnknownKey_ReturnsFalse()
{
// Arrange
var logger = new Mock<ILogger<LocalOrgKeySigner>>();
var signer = new LocalOrgKeySigner(logger.Object);
signer.AddKey("test-key-1", isActive: true);
var bundleDigest = SHA256.HashData("test"u8.ToArray());
var signature = await signer.SignBundleAsync(bundleDigest, "test-key-1");
// Modify signature to reference unknown key
var fakeSignature = signature with { KeyId = "unknown-key" };
// Act
var isValid = await signer.VerifyBundleAsync(bundleDigest, fakeSignature);
// Assert
isValid.Should().BeFalse();
}
[Fact]
public async Task LocalOrgKeySigner_GetActiveKeyId_ReturnsActiveKey()
{
// Arrange
var logger = new Mock<ILogger<LocalOrgKeySigner>>();
var signer = new LocalOrgKeySigner(logger.Object);
signer.AddKey("key-1", isActive: false);
signer.AddKey("key-2", isActive: true);
// Act
var activeKeyId = await signer.GetActiveKeyIdAsync();
// Assert
activeKeyId.Should().Be("key-2");
}
[Fact]
public async Task LocalOrgKeySigner_NoActiveKey_ThrowsException()
{
// Arrange
var logger = new Mock<ILogger<LocalOrgKeySigner>>();
var signer = new LocalOrgKeySigner(logger.Object);
// Don't add any keys
// Act & Assert
var act = () => signer.GetActiveKeyIdAsync();
await act.Should().ThrowAsync<InvalidOperationException>()
.WithMessage("*No active signing key*");
}
[Fact]
public async Task LocalOrgKeySigner_ListKeys_ReturnsAllKeys()
{
// Arrange
var logger = new Mock<ILogger<LocalOrgKeySigner>>();
var signer = new LocalOrgKeySigner(logger.Object);
signer.AddKey("key-1", isActive: true);
signer.AddKey("key-2", isActive: false);
// Act
var keys = await signer.ListKeysAsync();
// Assert
keys.Should().HaveCount(2);
keys.Should().Contain(k => k.KeyId == "key-1" && k.IsActive);
keys.Should().Contain(k => k.KeyId == "key-2" && !k.IsActive);
}
#endregion
#region Helper Methods
private KmsOrgKeySigner CreateSigner(OrgSigningOptions? options = null)
{
return new KmsOrgKeySigner(
_kmsProviderMock.Object,
_loggerMock.Object,
Options.Create(options ?? new OrgSigningOptions()));
}
private static KmsKeyInfo CreateKeyInfo(string keyId, bool isActive, DateTimeOffset? validUntil = null)
{
return new KmsKeyInfo(
keyId,
"ECDSA_P256",
$"fingerprint-{keyId}",
DateTimeOffset.UtcNow.AddMonths(-1),
validUntil,
isActive);
}
private void SetupKmsProvider(
string keyId,
KmsKeyInfo keyInfo,
byte[] signature,
IReadOnlyList<string>? certChain = null)
{
_kmsProviderMock
.Setup(x => x.GetKeyInfoAsync(keyId, It.IsAny<CancellationToken>()))
.ReturnsAsync(keyInfo);
_kmsProviderMock
.Setup(x => x.SignAsync(
keyId,
It.IsAny<byte[]>(),
keyInfo.Algorithm,
It.IsAny<CancellationToken>()))
.ReturnsAsync(signature);
_kmsProviderMock
.Setup(x => x.GetCertificateChainAsync(keyId, It.IsAny<CancellationToken>()))
.ReturnsAsync(certChain);
}
#endregion
}

303
src/Attestor/__Tests/StellaOps.Attestor.Bundling.Tests/OrgKeySignerTests.cs Normal file
View File

@@ -0,0 +1,303 @@
// -----------------------------------------------------------------------------
// OrgKeySignerTests.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0021 - Unit tests: Org-key signing
// Description: Unit tests for organization key signing with sign/verify roundtrip
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using FluentAssertions;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Models;
using Xunit;
namespace StellaOps.Attestor.Bundling.Tests;
public class OrgKeySignerTests
{
private readonly TestOrgKeySigner _signer;
private readonly string _testKeyId = "test-org-key-2025";
public OrgKeySignerTests()
{
_signer = new TestOrgKeySigner();
}
#region Sign/Verify Roundtrip Tests
[Fact]
public async Task SignAndVerify_ValidBundle_Succeeds()
{
// Arrange
var bundleDigest = SHA256.HashData("test-bundle-content"u8.ToArray());
// Act
var signature = await _signer.SignBundleAsync(bundleDigest, _testKeyId);
// Assert
signature.Should().NotBeNull();
signature.KeyId.Should().Be(_testKeyId);
signature.Algorithm.Should().Be("ECDSA_P256");
signature.Signature.Should().NotBeEmpty();
signature.SignedAt.Should().BeCloseTo(DateTimeOffset.UtcNow, TimeSpan.FromSeconds(5));
// Verify roundtrip
var isValid = await _signer.VerifyBundleAsync(bundleDigest, signature);
isValid.Should().BeTrue();
}
[Fact]
public async Task SignAndVerify_DifferentContent_Fails()
{
// Arrange
var originalDigest = SHA256.HashData("original-content"u8.ToArray());
var tamperedDigest = SHA256.HashData("tampered-content"u8.ToArray());
// Act
var signature = await _signer.SignBundleAsync(originalDigest, _testKeyId);
var isValid = await _signer.VerifyBundleAsync(tamperedDigest, signature);
// Assert
isValid.Should().BeFalse();
}
[Fact]
public async Task SignAndVerify_SameContentDifferentCalls_BothValid()
{
// Arrange
var content = "consistent-bundle-content"u8.ToArray();
var digest1 = SHA256.HashData(content);
var digest2 = SHA256.HashData(content);
// Act
var signature1 = await _signer.SignBundleAsync(digest1, _testKeyId);
var signature2 = await _signer.SignBundleAsync(digest2, _testKeyId);
// Assert - Both signatures should be valid for the same content
(await _signer.VerifyBundleAsync(digest1, signature1)).Should().BeTrue();
(await _signer.VerifyBundleAsync(digest2, signature2)).Should().BeTrue();
// Cross-verify: signature1 should verify against digest2 (same content)
(await _signer.VerifyBundleAsync(digest2, signature1)).Should().BeTrue();
}
#endregion
#region Certificate Chain Tests
[Fact]
public async Task Sign_IncludesCertificateChain()
{
// Arrange
var bundleDigest = SHA256.HashData("bundle-with-chain"u8.ToArray());
// Act
var signature = await _signer.SignBundleAsync(bundleDigest, _testKeyId);
// Assert
signature.CertificateChain.Should().NotBeNull();
signature.CertificateChain.Should().NotBeEmpty();
signature.CertificateChain!.All(c => c.StartsWith("-----BEGIN CERTIFICATE-----")).Should().BeTrue();
}
#endregion
#region Key ID Tests
[Fact]
public async Task Sign_WithDifferentKeyIds_ProducesDifferentSignatures()
{
// Arrange
var bundleDigest = SHA256.HashData("test-content"u8.ToArray());
var keyId1 = "org-key-2024";
var keyId2 = "org-key-2025";
// Act
var signature1 = await _signer.SignBundleAsync(bundleDigest, keyId1);
var signature2 = await _signer.SignBundleAsync(bundleDigest, keyId2);
// Assert
signature1.KeyId.Should().Be(keyId1);
signature2.KeyId.Should().Be(keyId2);
signature1.Signature.Should().NotBe(signature2.Signature);
}
[Fact]
public async Task Verify_WithWrongKeyId_Fails()
{
// Arrange
var bundleDigest = SHA256.HashData("test-content"u8.ToArray());
var signatureWithKey1 = await _signer.SignBundleAsync(bundleDigest, "key-1");
// Modify the key ID in the signature (simulating wrong key)
var tamperedSignature = signatureWithKey1 with { KeyId = "wrong-key" };
// Act
var isValid = await _signer.VerifyBundleAsync(bundleDigest, tamperedSignature);
// Assert
isValid.Should().BeFalse();
}
#endregion
#region Empty/Null Input Tests
[Fact]
public async Task Sign_EmptyDigest_StillSigns()
{
// Arrange
var emptyDigest = SHA256.HashData(Array.Empty<byte>());
// Act
var signature = await _signer.SignBundleAsync(emptyDigest, _testKeyId);
// Assert
signature.Should().NotBeNull();
signature.Signature.Should().NotBeEmpty();
// Verify works
(await _signer.VerifyBundleAsync(emptyDigest, signature)).Should().BeTrue();
}
#endregion
#region Algorithm Tests
[Theory]
[InlineData("ECDSA_P256")]
[InlineData("Ed25519")]
[InlineData("RSA_PSS_SHA256")]
public async Task Sign_SupportsMultipleAlgorithms(string algorithm)
{
// Arrange
var signer = new TestOrgKeySigner(algorithm);
var bundleDigest = SHA256.HashData(System.Text.Encoding.UTF8.GetBytes($"test-{algorithm}"));
// Act
var signature = await signer.SignBundleAsync(bundleDigest, _testKeyId);
// Assert
signature.Algorithm.Should().Be(algorithm);
(await signer.VerifyBundleAsync(bundleDigest, signature)).Should().BeTrue();
}
#endregion
#region Timestamp Tests
[Fact]
public async Task Sign_IncludesAccurateTimestamp()
{
// Arrange
var beforeSign = DateTimeOffset.UtcNow;
var bundleDigest = SHA256.HashData("timestamp-test"u8.ToArray());
// Act
var signature = await _signer.SignBundleAsync(bundleDigest, _testKeyId);
var afterSign = DateTimeOffset.UtcNow;
// Assert
signature.SignedAt.Should().BeOnOrAfter(beforeSign);
signature.SignedAt.Should().BeOnOrBefore(afterSign);
}
#endregion
}
/// <summary>
/// Test implementation of IOrgKeySigner for unit testing.
/// Uses in-memory keys for sign/verify operations.
/// </summary>
internal sealed class TestOrgKeySigner : IOrgKeySigner
{
private readonly Dictionary<string, ECDsa> _keys = new();
private readonly string _algorithm;
public TestOrgKeySigner(string algorithm = "ECDSA_P256")
{
_algorithm = algorithm;
}
public Task<OrgSignature> SignBundleAsync(
byte[] bundleDigest,
string keyId,
CancellationToken cancellationToken = default)
{
var key = GetOrCreateKey(keyId);
var signature = key.SignData(bundleDigest, HashAlgorithmName.SHA256);
return Task.FromResult(new OrgSignature
{
KeyId = keyId,
Algorithm = _algorithm,
Signature = Convert.ToBase64String(signature),
SignedAt = DateTimeOffset.UtcNow,
CertificateChain = GenerateMockCertificateChain()
});
}
public Task<bool> VerifyBundleAsync(
byte[] bundleDigest,
OrgSignature signature,
CancellationToken cancellationToken = default)
{
if (!_keys.TryGetValue(signature.KeyId, out var key))
{
return Task.FromResult(false);
}
try
{
var signatureBytes = Convert.FromBase64String(signature.Signature);
var isValid = key.VerifyData(bundleDigest, signatureBytes, HashAlgorithmName.SHA256);
return Task.FromResult(isValid);
}
catch
{
return Task.FromResult(false);
}
}
public Task<string> GetActiveKeyIdAsync(CancellationToken cancellationToken = default)
{
var activeKey = _keys.Keys.FirstOrDefault();
if (activeKey == null)
{
throw new InvalidOperationException("No active signing key.");
}
return Task.FromResult(activeKey);
}
public Task<IReadOnlyList<OrgKeyInfo>> ListKeysAsync(CancellationToken cancellationToken = default)
{
return Task.FromResult<IReadOnlyList<OrgKeyInfo>>(
_keys.Keys.Select(keyId => new OrgKeyInfo(
keyId,
_algorithm,
$"fingerprint-{keyId}",
DateTimeOffset.UtcNow.AddMonths(-1),
null,
true)).ToList());
}
private ECDsa GetOrCreateKey(string keyId)
{
if (!_keys.TryGetValue(keyId, out var key))
{
key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
_keys[keyId] = key;
}
return key;
}
private static IReadOnlyList<string> GenerateMockCertificateChain()
{
// Return mock PEM certificates for testing
return new[]
{
"-----BEGIN CERTIFICATE-----\nMIIBkjCB/AIJAKHBfpegPjEFMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBnRl\nc3QtY2EwHhcNMjUwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjARMQ8wDQYDVQQD\nDAZ0ZXN0LWNhMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtest\n-----END CERTIFICATE-----"
};
}
}

544
src/Attestor/__Tests/StellaOps.Attestor.Bundling.Tests/RetentionPolicyEnforcerTests.cs Normal file
View File

@@ -0,0 +1,544 @@
// -----------------------------------------------------------------------------
// RetentionPolicyEnforcerTests.cs
// Sprint: SPRINT_20251226_002_ATTESTOR_bundle_rotation
// Task: 0022 - Unit tests: Retention policy
// Description: Unit tests for RetentionPolicyEnforcer service
// -----------------------------------------------------------------------------
using FluentAssertions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Moq;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Configuration;
using StellaOps.Attestor.Bundling.Services;
namespace StellaOps.Attestor.Bundling.Tests;
public class RetentionPolicyEnforcerTests
{
private readonly Mock<IBundleStore> _storeMock;
private readonly Mock<IBundleArchiver> _archiverMock;
private readonly Mock<IBundleExpiryNotifier> _notifierMock;
private readonly Mock<ILogger<RetentionPolicyEnforcer>> _loggerMock;
public RetentionPolicyEnforcerTests()
{
_storeMock = new Mock<IBundleStore>();
_archiverMock = new Mock<IBundleArchiver>();
_notifierMock = new Mock<IBundleExpiryNotifier>();
_loggerMock = new Mock<ILogger<RetentionPolicyEnforcer>>();
}
#region CalculateExpiryDate Tests
[Fact]
public void CalculateExpiryDate_DefaultSettings_ReturnsCreatedPlusDefaultMonths()
{
// Arrange
var options = CreateOptions(new BundleRetentionOptions { DefaultMonths = 24 });
var enforcer = CreateEnforcer(options);
var createdAt = new DateTimeOffset(2024, 6, 15, 10, 0, 0, TimeSpan.Zero);
// Act
var expiryDate = enforcer.CalculateExpiryDate(null, createdAt);
// Assert
expiryDate.Should().Be(new DateTimeOffset(2026, 6, 15, 10, 0, 0, TimeSpan.Zero));
}
[Fact]
public void CalculateExpiryDate_WithTenantOverride_UsesTenantSpecificRetention()
{
// Arrange
var retentionOptions = new BundleRetentionOptions
{
DefaultMonths = 24,
TenantOverrides = new Dictionary<string, int>
{
["tenant-gov"] = 84, // 7 years
["tenant-finance"] = 120 // 10 years
}
};
var options = CreateOptions(retentionOptions);
var enforcer = CreateEnforcer(options);
var createdAt = new DateTimeOffset(2024, 1, 1, 0, 0, 0, TimeSpan.Zero);
// Act
var govExpiry = enforcer.CalculateExpiryDate("tenant-gov", createdAt);
var financeExpiry = enforcer.CalculateExpiryDate("tenant-finance", createdAt);
var defaultExpiry = enforcer.CalculateExpiryDate("other-tenant", createdAt);
// Assert
govExpiry.Should().Be(new DateTimeOffset(2031, 1, 1, 0, 0, 0, TimeSpan.Zero)); // +84 months
financeExpiry.Should().Be(new DateTimeOffset(2034, 1, 1, 0, 0, 0, TimeSpan.Zero)); // +120 months
defaultExpiry.Should().Be(new DateTimeOffset(2026, 1, 1, 0, 0, 0, TimeSpan.Zero)); // +24 months
}
[Fact]
public void CalculateExpiryDate_TenantOverrideBelowMinimum_UsesMinimum()
{
// Arrange
var retentionOptions = new BundleRetentionOptions
{
DefaultMonths = 24,
MinimumMonths = 6,
TenantOverrides = new Dictionary<string, int>
{
["short-tenant"] = 3 // Below minimum
}
};
var options = CreateOptions(retentionOptions);
var enforcer = CreateEnforcer(options);
var createdAt = new DateTimeOffset(2024, 1, 1, 0, 0, 0, TimeSpan.Zero);
// Act
var expiry = enforcer.CalculateExpiryDate("short-tenant", createdAt);
// Assert - Should use minimum of 6 months, not 3
expiry.Should().Be(new DateTimeOffset(2024, 7, 1, 0, 0, 0, TimeSpan.Zero));
}
[Fact]
public void CalculateExpiryDate_TenantOverrideAboveMaximum_UsesMaximum()
{
// Arrange
var retentionOptions = new BundleRetentionOptions
{
DefaultMonths = 24,
MaximumMonths = 120, // 10 years max
TenantOverrides = new Dictionary<string, int>
{
["forever-tenant"] = 240 // 20 years - above maximum
}
};
var options = CreateOptions(retentionOptions);
var enforcer = CreateEnforcer(options);
var createdAt = new DateTimeOffset(2024, 1, 1, 0, 0, 0, TimeSpan.Zero);
// Act
var expiry = enforcer.CalculateExpiryDate("forever-tenant", createdAt);
// Assert - Should cap at maximum of 120 months
expiry.Should().Be(new DateTimeOffset(2034, 1, 1, 0, 0, 0, TimeSpan.Zero));
}
[Fact]
public void CalculateExpiryDate_WithBundleListItem_UsesCreatedAtFromItem()
{
// Arrange
var options = CreateOptions(new BundleRetentionOptions { DefaultMonths = 12 });
var enforcer = CreateEnforcer(options);
var bundle = CreateBundleListItem("bundle-1", new DateTimeOffset(2024, 3, 15, 0, 0, 0, TimeSpan.Zero));
// Act
var expiry = enforcer.CalculateExpiryDate(bundle);
// Assert
expiry.Should().Be(new DateTimeOffset(2025, 3, 15, 0, 0, 0, TimeSpan.Zero));
}
#endregion
#region EnforceAsync Tests
[Fact]
public async Task EnforceAsync_WhenDisabled_ReturnsEarlyWithZeroCounts()
{
// Arrange
var options = CreateOptions(new BundleRetentionOptions { Enabled = false });
var enforcer = CreateEnforcer(options);
// Act
var result = await enforcer.EnforceAsync();
// Assert
result.Success.Should().BeTrue();
result.BundlesEvaluated.Should().Be(0);
result.BundlesDeleted.Should().Be(0);
result.BundlesArchived.Should().Be(0);
result.BundlesMarkedExpired.Should().Be(0);
_storeMock.Verify(x => x.ListBundlesAsync(
It.IsAny<BundleListRequest>(),
It.IsAny<CancellationToken>()), Times.Never);
}
[Fact]
public async Task EnforceAsync_WithExpiredBundles_DeletesWhenActionIsDelete()
{
// Arrange
var expiredBundle = CreateBundleListItem("expired-1", DateTimeOffset.UtcNow.AddMonths(-36)); // 3 years old
var activeBundles = CreateBundleListItem("active-1", DateTimeOffset.UtcNow.AddMonths(-6)); // 6 months old
SetupBundleStore(expiredBundle, activeBundles);
_storeMock
.Setup(x => x.DeleteBundleAsync("expired-1", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
var retentionOptions = new BundleRetentionOptions
{
Enabled = true,
DefaultMonths = 24,
GracePeriodDays = 0, // No grace period for test
ExpiryAction = RetentionAction.Delete
};
var enforcer = CreateEnforcer(CreateOptions(retentionOptions));
// Act
var result = await enforcer.EnforceAsync();
// Assert
result.Success.Should().BeTrue();
result.BundlesEvaluated.Should().Be(2);
result.BundlesDeleted.Should().Be(1);
_storeMock.Verify(x => x.DeleteBundleAsync("expired-1", It.IsAny<CancellationToken>()), Times.Once);
}
[Fact]
public async Task EnforceAsync_WithExpiredBundles_ArchivesWhenActionIsArchive()
{
// Arrange
var expiredBundle = CreateBundleListItem("expired-1", DateTimeOffset.UtcNow.AddMonths(-36));
SetupBundleStore(expiredBundle);
_archiverMock
.Setup(x => x.ArchiveAsync("expired-1", "glacier", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
var retentionOptions = new BundleRetentionOptions
{
Enabled = true,
DefaultMonths = 24,
GracePeriodDays = 0,
ExpiryAction = RetentionAction.Archive,
ArchiveStorageTier = "glacier"
};
var enforcer = CreateEnforcer(CreateOptions(retentionOptions), _archiverMock.Object);
// Act
var result = await enforcer.EnforceAsync();
// Assert
result.Success.Should().BeTrue();
result.BundlesArchived.Should().Be(1);
_archiverMock.Verify(x => x.ArchiveAsync("expired-1", "glacier", It.IsAny<CancellationToken>()), Times.Once);
}
[Fact]
public async Task EnforceAsync_WithExpiredBundles_MarksOnlyWhenActionIsMarkOnly()
{
// Arrange
var expiredBundle = CreateBundleListItem("expired-1", DateTimeOffset.UtcNow.AddMonths(-36));
SetupBundleStore(expiredBundle);
var retentionOptions = new BundleRetentionOptions
{
Enabled = true,
DefaultMonths = 24,
GracePeriodDays = 0,
ExpiryAction = RetentionAction.MarkOnly
};
var enforcer = CreateEnforcer(CreateOptions(retentionOptions));
// Act
var result = await enforcer.EnforceAsync();
// Assert
result.Success.Should().BeTrue();
result.BundlesMarkedExpired.Should().Be(1);
result.BundlesDeleted.Should().Be(0);
result.BundlesArchived.Should().Be(0);
// Verify no delete or archive was called
_storeMock.Verify(x => x.DeleteBundleAsync(It.IsAny<string>(), It.IsAny<CancellationToken>()), Times.Never);
}
[Fact]
public async Task EnforceAsync_BundleInGracePeriod_MarksExpiredButDoesNotDelete()
{
// Arrange
// Bundle expired 15 days ago (within 30-day grace period)
var gracePeriodBundle = CreateBundleListItem(
"grace-1",
DateTimeOffset.UtcNow.AddMonths(-24).AddDays(-15));
SetupBundleStore(gracePeriodBundle);
var retentionOptions = new BundleRetentionOptions
{
Enabled = true,
DefaultMonths = 24,
GracePeriodDays = 30,
ExpiryAction = RetentionAction.Delete
};
var enforcer = CreateEnforcer(CreateOptions(retentionOptions));
// Act
var result = await enforcer.EnforceAsync();
// Assert
result.BundlesMarkedExpired.Should().Be(1);
result.BundlesDeleted.Should().Be(0);
_storeMock.Verify(x => x.DeleteBundleAsync(It.IsAny<string>(), It.IsAny<CancellationToken>()), Times.Never);
}
[Fact]
public async Task EnforceAsync_BundlePastGracePeriod_DeletesBundle()
{
// Arrange
// Bundle expired 45 days ago (past 30-day grace period)
var pastGraceBundle = CreateBundleListItem(
"past-grace-1",
DateTimeOffset.UtcNow.AddMonths(-24).AddDays(-45));
SetupBundleStore(pastGraceBundle);
_storeMock
.Setup(x => x.DeleteBundleAsync("past-grace-1", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
var retentionOptions = new BundleRetentionOptions
{
Enabled = true,
DefaultMonths = 24,
GracePeriodDays = 30,
ExpiryAction = RetentionAction.Delete
};
var enforcer = CreateEnforcer(CreateOptions(retentionOptions));
// Act
var result = await enforcer.EnforceAsync();
// Assert
result.BundlesDeleted.Should().Be(1);
_storeMock.Verify(x => x.DeleteBundleAsync("past-grace-1", It.IsAny<CancellationToken>()), Times.Once);
}
[Fact]
public async Task EnforceAsync_BundleApproachingExpiry_SendsNotification()
{
// Arrange
// Bundle will expire in 15 days (within 30-day notification window)
var approachingBundle = CreateBundleListItem(
"approaching-1",
DateTimeOffset.UtcNow.AddMonths(-24).AddDays(15));
SetupBundleStore(approachingBundle);
var retentionOptions = new BundleRetentionOptions
{
Enabled = true,
DefaultMonths = 24,
NotifyBeforeExpiry = true,
NotifyDaysBeforeExpiry = 30
};
var enforcer = CreateEnforcer(CreateOptions(retentionOptions), notifier: _notifierMock.Object);
// Act
var result = await enforcer.EnforceAsync();
// Assert
result.BundlesApproachingExpiry.Should().Be(1);
_notifierMock.Verify(x => x.NotifyAsync(
It.Is<IReadOnlyList<BundleExpiryNotification>>(n =>
n.Count == 1 &&
n[0].BundleId == "approaching-1"),
It.IsAny<CancellationToken>()), Times.Once);
}
[Fact]
public async Task EnforceAsync_NoArchiverConfigured_ReturnsFailureForArchiveAction()
{
// Arrange
var expiredBundle = CreateBundleListItem("expired-1", DateTimeOffset.UtcNow.AddMonths(-36));
SetupBundleStore(expiredBundle);
var retentionOptions = new BundleRetentionOptions
{
Enabled = true,
DefaultMonths = 24,
GracePeriodDays = 0,
ExpiryAction = RetentionAction.Archive
};
// Create enforcer WITHOUT archiver
var enforcer = CreateEnforcer(CreateOptions(retentionOptions), archiver: null);
// Act
var result = await enforcer.EnforceAsync();
// Assert
result.Success.Should().BeFalse();
result.Failures.Should().HaveCount(1);
result.Failures[0].BundleId.Should().Be("expired-1");
result.Failures[0].Reason.Should().Be("Archive unavailable");
}
[Fact]
public async Task EnforceAsync_DeleteFails_RecordsFailure()
{
// Arrange
var expiredBundle = CreateBundleListItem("expired-1", DateTimeOffset.UtcNow.AddMonths(-36));
SetupBundleStore(expiredBundle);
_storeMock
.Setup(x => x.DeleteBundleAsync("expired-1", It.IsAny<CancellationToken>()))
.ReturnsAsync(false); // Simulate delete failure
var retentionOptions = new BundleRetentionOptions
{
Enabled = true,
DefaultMonths = 24,
GracePeriodDays = 0,
ExpiryAction = RetentionAction.Delete
};
var enforcer = CreateEnforcer(CreateOptions(retentionOptions));
// Act
var result = await enforcer.EnforceAsync();
// Assert
result.Success.Should().BeFalse();
result.BundlesDeleted.Should().Be(0);
result.Failures.Should().HaveCount(1);
result.Failures[0].BundleId.Should().Be("expired-1");
result.Failures[0].Reason.Should().Be("Delete failed");
}
[Fact]
public async Task EnforceAsync_RespectsMaxBundlesPerRun_StopsFetchingAfterLimit()
{
// Arrange
// First batch returns 5 bundles with cursor for more
var batch1 = Enumerable.Range(1, 5)
.Select(i => CreateBundleListItem($"bundle-{i}", DateTimeOffset.UtcNow.AddMonths(-36)))
.ToList();
// Second batch would return 5 more, but should not be fetched
var batch2 = Enumerable.Range(6, 5)
.Select(i => CreateBundleListItem($"bundle-{i}", DateTimeOffset.UtcNow.AddMonths(-36)))
.ToList();
var callCount = 0;
_storeMock
.Setup(x => x.ListBundlesAsync(It.IsAny<BundleListRequest>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(() =>
{
callCount++;
return callCount == 1
? new BundleListResult(batch1, "cursor2") // Has more pages
: new BundleListResult(batch2, null); // Last page
});
_storeMock
.Setup(x => x.DeleteBundleAsync(It.IsAny<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
var retentionOptions = new BundleRetentionOptions
{
Enabled = true,
DefaultMonths = 24,
GracePeriodDays = 0,
ExpiryAction = RetentionAction.Delete,
MaxBundlesPerRun = 5
};
var enforcer = CreateEnforcer(CreateOptions(retentionOptions));
// Act
var result = await enforcer.EnforceAsync();
// Assert
// Should evaluate first batch (5) and stop before fetching second batch
result.BundlesEvaluated.Should().Be(5);
callCount.Should().Be(1, "should only fetch one batch when limit is reached");
}
#endregion
#region GetApproachingExpiryAsync Tests
[Fact]
public async Task GetApproachingExpiryAsync_ReturnsBundlesWithinCutoff()
{
// Arrange
var expiresIn10Days = CreateBundleListItem("expires-10", DateTimeOffset.UtcNow.AddMonths(-24).AddDays(10));
var expiresIn45Days = CreateBundleListItem("expires-45", DateTimeOffset.UtcNow.AddMonths(-24).AddDays(45));
var alreadyExpired = CreateBundleListItem("expired", DateTimeOffset.UtcNow.AddMonths(-25));
SetupBundleStore(expiresIn10Days, expiresIn45Days, alreadyExpired);
var options = CreateOptions(new BundleRetentionOptions { DefaultMonths = 24 });
var enforcer = CreateEnforcer(options);
// Act
var notifications = await enforcer.GetApproachingExpiryAsync(daysBeforeExpiry: 30);
// Assert
notifications.Should().HaveCount(1);
notifications[0].BundleId.Should().Be("expires-10");
notifications[0].DaysUntilExpiry.Should().BeCloseTo(10, 1); // Allow 1 day tolerance
}
#endregion
#region Helper Methods
private IOptions<BundlingOptions> CreateOptions(BundleRetentionOptions retentionOptions)
{
return Options.Create(new BundlingOptions
{
Retention = retentionOptions
});
}
private RetentionPolicyEnforcer CreateEnforcer(
IOptions<BundlingOptions> options,
IBundleArchiver? archiver = null,
IBundleExpiryNotifier? notifier = null)
{
return new RetentionPolicyEnforcer(
_storeMock.Object,
options,
_loggerMock.Object,
archiver,
notifier);
}
private void SetupBundleStore(params BundleListItem[] bundles)
{
_storeMock
.Setup(x => x.ListBundlesAsync(It.IsAny<BundleListRequest>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(new BundleListResult(bundles.ToList(), null));
}
private static BundleListItem CreateBundleListItem(string bundleId, DateTimeOffset createdAt)
{
return new BundleListItem(
BundleId: bundleId,
PeriodStart: createdAt.AddDays(-30),
PeriodEnd: createdAt,
AttestationCount: 100,
CreatedAt: createdAt,
HasOrgSignature: false);
}
#endregion
}

31
src/Attestor/__Tests/StellaOps.Attestor.Bundling.Tests/StellaOps.Attestor.Bundling.Tests.csproj Normal file
View File

@@ -0,0 +1,31 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<IsPackable>false</IsPackable>
<IsTestProject>true</IsTestProject>
<RootNamespace>StellaOps.Attestor.Bundling.Tests</RootNamespace>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
<PackageReference Include="xunit" Version="2.9.3" />
<PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="Moq" Version="4.20.72" />
<PackageReference Include="FluentAssertions" Version="7.0.0" />
<PackageReference Include="coverlet.collector" Version="6.0.2">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\__Libraries\StellaOps.Attestor.Bundling\StellaOps.Attestor.Bundling.csproj" />
</ItemGroup>
</Project>

387
src/Attestor/__Tests/StellaOps.Attestor.Offline.Tests/FileSystemRootStoreTests.cs Normal file
View File

@@ -0,0 +1,387 @@
// -----------------------------------------------------------------------------
// FileSystemRootStoreTests.cs
// Sprint: SPRINT_20251226_003_ATTESTOR_offline_verification
// Task: 0023 - Unit tests for FileSystemRootStore
// Description: Unit tests for file-based root certificate store
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using FluentAssertions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Moq;
using StellaOps.Attestor.Offline.Abstractions;
using StellaOps.Attestor.Offline.Services;
namespace StellaOps.Attestor.Offline.Tests;
public class FileSystemRootStoreTests : IDisposable
{
private readonly Mock<ILogger<FileSystemRootStore>> _loggerMock;
private readonly string _testRootPath;
public FileSystemRootStoreTests()
{
_loggerMock = new Mock<ILogger<FileSystemRootStore>>();
_testRootPath = Path.Combine(Path.GetTempPath(), $"stellaops-test-{Guid.NewGuid():N}");
Directory.CreateDirectory(_testRootPath);
}
public void Dispose()
{
if (Directory.Exists(_testRootPath))
{
Directory.Delete(_testRootPath, recursive: true);
}
}
[Fact]
public async Task GetFulcioRootsAsync_WithNoCertificates_ReturnsEmptyCollection()
{
// Arrange
var options = CreateOptions();
var store = CreateStore(options);
// Act
var roots = await store.GetFulcioRootsAsync();
// Assert
roots.Should().BeEmpty();
}
[Fact]
public async Task GetFulcioRootsAsync_WithPemFile_ReturnsCertificates()
{
// Arrange
var cert = CreateTestCertificate("CN=Test Fulcio Root");
var pemPath = Path.Combine(_testRootPath, "fulcio.pem");
await WritePemFileAsync(pemPath, cert);
var options = CreateOptions(fulcioPath: pemPath);
var store = CreateStore(options);
// Act
var roots = await store.GetFulcioRootsAsync();
// Assert
roots.Should().HaveCount(1);
roots[0].Subject.Should().Be("CN=Test Fulcio Root");
}
[Fact]
public async Task GetFulcioRootsAsync_WithDirectory_LoadsAllPemFiles()
{
// Arrange
var fulcioDir = Path.Combine(_testRootPath, "fulcio");
Directory.CreateDirectory(fulcioDir);
var cert1 = CreateTestCertificate("CN=Root 1");
var cert2 = CreateTestCertificate("CN=Root 2");
await WritePemFileAsync(Path.Combine(fulcioDir, "root1.pem"), cert1);
await WritePemFileAsync(Path.Combine(fulcioDir, "root2.pem"), cert2);
var options = CreateOptions(fulcioPath: fulcioDir);
var store = CreateStore(options);
// Act
var roots = await store.GetFulcioRootsAsync();
// Assert
roots.Should().HaveCount(2);
}
[Fact]
public async Task GetFulcioRootsAsync_CachesCertificates_OnSecondCall()
{
// Arrange
var cert = CreateTestCertificate("CN=Cached Root");
var pemPath = Path.Combine(_testRootPath, "cached.pem");
await WritePemFileAsync(pemPath, cert);
var options = CreateOptions(fulcioPath: pemPath);
var store = CreateStore(options);
// Act
var roots1 = await store.GetFulcioRootsAsync();
var roots2 = await store.GetFulcioRootsAsync();
// Assert - same collection instance (cached)
roots1.Should().HaveCount(1);
roots2.Should().HaveCount(1);
// Both calls should return same data
roots1[0].Subject.Should().Be(roots2[0].Subject);
}
[Fact]
public async Task ImportRootsAsync_WithValidPem_SavesCertificates()
{
// Arrange
var cert = CreateTestCertificate("CN=Imported Root");
var sourcePath = Path.Combine(_testRootPath, "import-source.pem");
await WritePemFileAsync(sourcePath, cert);
var options = CreateOptions();
options.Value.BaseRootPath = _testRootPath;
var store = CreateStore(options);
// Act
await store.ImportRootsAsync(sourcePath, RootType.Fulcio);
// Assert
var targetDir = Path.Combine(_testRootPath, "fulcio");
Directory.Exists(targetDir).Should().BeTrue();
Directory.EnumerateFiles(targetDir, "*.pem").Should().HaveCount(1);
}
[Fact]
public async Task ImportRootsAsync_WithMissingFile_ThrowsFileNotFoundException()
{
// Arrange
var options = CreateOptions();
var store = CreateStore(options);
// Act & Assert
await Assert.ThrowsAsync<FileNotFoundException>(
() => store.ImportRootsAsync("/nonexistent/path.pem", RootType.Fulcio));
}
[Fact]
public async Task ImportRootsAsync_InvalidatesCacheAfterImport()
{
// Arrange
var cert1 = CreateTestCertificate("CN=Initial Root");
var fulcioDir = Path.Combine(_testRootPath, "fulcio");
Directory.CreateDirectory(fulcioDir);
await WritePemFileAsync(Path.Combine(fulcioDir, "initial.pem"), cert1);
var options = CreateOptions(fulcioPath: fulcioDir);
options.Value.BaseRootPath = _testRootPath;
var store = CreateStore(options);
// Load initial cache
var initialRoots = await store.GetFulcioRootsAsync();
initialRoots.Should().HaveCount(1);
// Import a new certificate
var cert2 = CreateTestCertificate("CN=Imported Root");
var importPath = Path.Combine(_testRootPath, "import.pem");
await WritePemFileAsync(importPath, cert2);
// Act
await store.ImportRootsAsync(importPath, RootType.Fulcio);
var updatedRoots = await store.GetFulcioRootsAsync();
// Assert - cache invalidated and new cert loaded
updatedRoots.Should().HaveCount(2);
}
[Fact]
public async Task ListRootsAsync_ReturnsCorrectInfo()
{
// Arrange
var cert = CreateTestCertificate("CN=Listed Root");
var fulcioDir = Path.Combine(_testRootPath, "fulcio");
Directory.CreateDirectory(fulcioDir);
await WritePemFileAsync(Path.Combine(fulcioDir, "root.pem"), cert);
var options = CreateOptions(fulcioPath: fulcioDir);
var store = CreateStore(options);
// Act
var roots = await store.ListRootsAsync(RootType.Fulcio);
// Assert
roots.Should().HaveCount(1);
roots[0].Subject.Should().Be("CN=Listed Root");
roots[0].RootType.Should().Be(RootType.Fulcio);
roots[0].Thumbprint.Should().NotBeNullOrEmpty();
}
[Fact]
public async Task GetOrgKeyByIdAsync_WithMatchingThumbprint_ReturnsCertificate()
{
// Arrange
var cert = CreateTestCertificate("CN=Org Signing Key");
var orgDir = Path.Combine(_testRootPath, "org-signing");
Directory.CreateDirectory(orgDir);
await WritePemFileAsync(Path.Combine(orgDir, "org.pem"), cert);
var options = CreateOptions(orgSigningPath: orgDir);
var store = CreateStore(options);
// First, verify the cert was loaded and get its thumbprint from listing
var orgKeys = await store.GetOrgSigningKeysAsync();
orgKeys.Should().HaveCount(1);
// Get the thumbprint from the loaded certificate
var thumbprint = ComputeThumbprint(orgKeys[0]);
// Act
var found = await store.GetOrgKeyByIdAsync(thumbprint);
// Assert
found.Should().NotBeNull();
found!.Subject.Should().Be("CN=Org Signing Key");
}
[Fact]
public async Task GetOrgKeyByIdAsync_WithNoMatch_ReturnsNull()
{
// Arrange
var cert = CreateTestCertificate("CN=Org Key");
var orgDir = Path.Combine(_testRootPath, "org-signing");
Directory.CreateDirectory(orgDir);
await WritePemFileAsync(Path.Combine(orgDir, "org.pem"), cert);
var options = CreateOptions(orgSigningPath: orgDir);
var store = CreateStore(options);
// Act
var found = await store.GetOrgKeyByIdAsync("nonexistent-key-id");
// Assert
found.Should().BeNull();
}
[Fact]
public async Task GetRekorKeysAsync_WithPemFile_ReturnsCertificates()
{
// Arrange
var cert = CreateTestCertificate("CN=Rekor Key");
var rekorPath = Path.Combine(_testRootPath, "rekor.pem");
await WritePemFileAsync(rekorPath, cert);
var options = CreateOptions(rekorPath: rekorPath);
var store = CreateStore(options);
// Act
var keys = await store.GetRekorKeysAsync();
// Assert
keys.Should().HaveCount(1);
keys[0].Subject.Should().Be("CN=Rekor Key");
}
[Fact]
public async Task LoadPem_WithMultipleCertificates_ReturnsAll()
{
// Arrange
var cert1 = CreateTestCertificate("CN=Cert 1");
var cert2 = CreateTestCertificate("CN=Cert 2");
var cert3 = CreateTestCertificate("CN=Cert 3");
var pemPath = Path.Combine(_testRootPath, "multi.pem");
await WriteMultiplePemFileAsync(pemPath, [cert1, cert2, cert3]);
var options = CreateOptions(fulcioPath: pemPath);
var store = CreateStore(options);
// Act
var roots = await store.GetFulcioRootsAsync();
// Assert
roots.Should().HaveCount(3);
}
[Fact]
public async Task GetFulcioRootsAsync_WithOfflineKitPath_LoadsFromKit()
{
// Arrange
var offlineKitPath = Path.Combine(_testRootPath, "offline-kit");
var fulcioKitDir = Path.Combine(offlineKitPath, "roots", "fulcio");
Directory.CreateDirectory(fulcioKitDir);
var cert = CreateTestCertificate("CN=Offline Kit Root");
await WritePemFileAsync(Path.Combine(fulcioKitDir, "root.pem"), cert);
var options = Options.Create(new OfflineRootStoreOptions
{
BaseRootPath = _testRootPath,
OfflineKitPath = offlineKitPath,
UseOfflineKit = true
});
var store = CreateStore(options);
// Act
var roots = await store.GetFulcioRootsAsync();
// Assert
roots.Should().HaveCount(1);
roots[0].Subject.Should().Be("CN=Offline Kit Root");
}
private FileSystemRootStore CreateStore(IOptions<OfflineRootStoreOptions> options)
{
return new FileSystemRootStore(_loggerMock.Object, options);
}
private IOptions<OfflineRootStoreOptions> CreateOptions(
string? fulcioPath = null,
string? orgSigningPath = null,
string? rekorPath = null)
{
return Options.Create(new OfflineRootStoreOptions
{
BaseRootPath = _testRootPath,
FulcioBundlePath = fulcioPath,
OrgSigningBundlePath = orgSigningPath,
RekorBundlePath = rekorPath
});
}
private static X509Certificate2 CreateTestCertificate(string subject)
{
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(
subject,
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
// Add basic constraints for a CA certificate
request.CertificateExtensions.Add(
new X509BasicConstraintsExtension(true, false, 0, true));
// Add Subject Key Identifier
request.CertificateExtensions.Add(
new X509SubjectKeyIdentifierExtension(request.PublicKey, false));
var notBefore = DateTimeOffset.UtcNow.AddDays(-1);
var notAfter = DateTimeOffset.UtcNow.AddYears(10);
return request.CreateSelfSigned(notBefore, notAfter);
}
private static async Task WritePemFileAsync(string path, X509Certificate2 cert)
{
var pem = new StringBuilder();
pem.AppendLine("-----BEGIN CERTIFICATE-----");
pem.AppendLine(Convert.ToBase64String(cert.RawData, Base64FormattingOptions.InsertLineBreaks));
pem.AppendLine("-----END CERTIFICATE-----");
await File.WriteAllTextAsync(path, pem.ToString());
}
private static async Task WriteMultiplePemFileAsync(string path, X509Certificate2[] certs)
{
var pem = new StringBuilder();
foreach (var cert in certs)
{
pem.AppendLine("-----BEGIN CERTIFICATE-----");
pem.AppendLine(Convert.ToBase64String(cert.RawData, Base64FormattingOptions.InsertLineBreaks));
pem.AppendLine("-----END CERTIFICATE-----");
pem.AppendLine();
}
await File.WriteAllTextAsync(path, pem.ToString());
}
private static string ComputeThumbprint(X509Certificate2 cert)
{
var hash = SHA256.HashData(cert.RawData);
return Convert.ToHexString(hash).ToLowerInvariant();
}
}

486
src/Attestor/__Tests/StellaOps.Attestor.Offline.Tests/OfflineCertChainValidatorTests.cs Normal file
View File

@@ -0,0 +1,486 @@
// -----------------------------------------------------------------------------
// OfflineCertChainValidatorTests.cs
// Sprint: SPRINT_20251226_003_ATTESTOR_offline_verification
// Task: 0022 - Unit tests for certificate chain validation
// Description: Unit tests for offline certificate chain validation
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using FluentAssertions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Moq;
using StellaOps.Attestor.Bundling.Models;
using StellaOps.Attestor.Offline.Abstractions;
using StellaOps.Attestor.Offline.Models;
using StellaOps.Attestor.Offline.Services;
using StellaOps.Attestor.ProofChain.Merkle;
namespace StellaOps.Attestor.Offline.Tests;
public class OfflineCertChainValidatorTests
{
private readonly Mock<ILogger<OfflineVerifier>> _loggerMock;
private readonly IMerkleTreeBuilder _merkleBuilder;
private readonly IOptions<OfflineVerificationConfig> _config;
public OfflineCertChainValidatorTests()
{
_loggerMock = new Mock<ILogger<OfflineVerifier>>();
_merkleBuilder = new DeterministicMerkleTreeBuilder();
_config = Options.Create(new OfflineVerificationConfig());
}
[Fact]
public async Task VerifyAttestation_WithValidCertChain_ChainIsValid()
{
// Arrange
var (rootCert, leafCert) = CreateCertificateChain();
var attestation = CreateAttestationWithCertChain(leafCert, rootCert);
var rootStore = CreateRootStoreWithCerts(new[] { rootCert });
var verifier = CreateVerifier(rootStore);
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: false,
VerifyCertificateChain: true);
// Act
var result = await verifier.VerifyAttestationAsync(attestation, options);
// Assert
result.CertificateChainValid.Should().BeTrue();
result.Issues.Should().NotContain(i => i.Code.Contains("CERT"));
}
[Fact]
public async Task VerifyAttestation_WithUntrustedRoot_ChainIsInvalid()
{
// Arrange
var (rootCert, leafCert) = CreateCertificateChain();
var untrustedRoot = CreateSelfSignedCertificate("CN=Untrusted Root CA");
var attestation = CreateAttestationWithCertChain(leafCert, rootCert);
// Root store has a different root
var rootStore = CreateRootStoreWithCerts(new[] { untrustedRoot });
var verifier = CreateVerifier(rootStore);
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: false,
VerifyCertificateChain: true);
// Act
var result = await verifier.VerifyAttestationAsync(attestation, options);
// Assert
result.CertificateChainValid.Should().BeFalse();
result.Issues.Should().Contain(i => i.Code.StartsWith("CERT"));
}
[Fact]
public async Task VerifyAttestation_WithMissingCertChain_ReturnsIssue()
{
// Arrange
var attestation = CreateAttestationWithoutCertChain();
var rootStore = CreateRootStoreWithCerts(Array.Empty<X509Certificate2>());
var verifier = CreateVerifier(rootStore);
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: false,
VerifyCertificateChain: true);
// Act
var result = await verifier.VerifyAttestationAsync(attestation, options);
// Assert
result.CertificateChainValid.Should().BeFalse();
result.Issues.Should().Contain(i => i.Code.StartsWith("CERT") || i.Code.Contains("CHAIN"));
}
[Fact]
public async Task VerifyAttestation_WithExpiredCert_ChainIsInvalid()
{
// Arrange
var expiredCert = CreateExpiredCertificate("CN=Expired Leaf");
var rootCert = CreateSelfSignedCertificate("CN=Test Root CA");
var attestation = CreateAttestationWithCertChain(expiredCert, rootCert);
var rootStore = CreateRootStoreWithCerts(new[] { rootCert });
var verifier = CreateVerifier(rootStore);
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: false,
VerifyCertificateChain: true);
// Act
var result = await verifier.VerifyAttestationAsync(attestation, options);
// Assert
result.CertificateChainValid.Should().BeFalse();
result.Issues.Should().Contain(i => i.Code.StartsWith("CERT"));
}
[Fact]
public async Task VerifyAttestation_WithNotYetValidCert_ChainIsInvalid()
{
// Arrange
var futureCert = CreateFutureCertificate("CN=Future Leaf");
var rootCert = CreateSelfSignedCertificate("CN=Test Root CA");
var attestation = CreateAttestationWithCertChain(futureCert, rootCert);
var rootStore = CreateRootStoreWithCerts(new[] { rootCert });
var verifier = CreateVerifier(rootStore);
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: false,
VerifyCertificateChain: true);
// Act
var result = await verifier.VerifyAttestationAsync(attestation, options);
// Assert
result.CertificateChainValid.Should().BeFalse();
result.Issues.Should().Contain(i => i.Code.StartsWith("CERT"));
}
[Fact]
public async Task VerifyBundle_WithMultipleAttestations_ValidatesCertChainsForAll()
{
// Arrange
var (rootCert, leafCert1) = CreateCertificateChain();
var attestation1 = CreateAttestationWithCertChain(leafCert1, rootCert, "entry-001");
var attestation2 = CreateAttestationWithCertChain(leafCert1, rootCert, "entry-002");
var bundle = CreateBundleFromAttestations(new[] { attestation1, attestation2 });
var rootStore = CreateRootStoreWithCerts(new[] { rootCert });
var verifier = CreateVerifier(rootStore);
var options = new OfflineVerificationOptions(
VerifyMerkleProof: true,
VerifySignatures: false,
VerifyCertificateChain: true);
// Act
var result = await verifier.VerifyBundleAsync(bundle, options);
// Assert
result.CertificateChainValid.Should().BeTrue();
}
[Fact]
public async Task VerifyAttestation_CertChainValidationSkipped_WhenDisabled()
{
// Arrange
var attestation = CreateAttestationWithoutCertChain();
var rootStore = CreateRootStoreWithCerts(Array.Empty<X509Certificate2>());
var verifier = CreateVerifier(rootStore);
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: false,
VerifyCertificateChain: false); // Disabled
// Act
var result = await verifier.VerifyAttestationAsync(attestation, options);
// Assert - When cert chain validation is disabled, it should not report cert-related issues
result.Issues.Should().NotContain(i => i.Code.Contains("CERT_CHAIN"));
}
[Fact]
public async Task VerifyAttestation_WithSelfSignedLeaf_ChainIsInvalid()
{
// Arrange
var selfSignedLeaf = CreateSelfSignedCertificate("CN=Self Signed Leaf");
var rootCert = CreateSelfSignedCertificate("CN=Different Root CA");
var attestation = CreateAttestationWithCertChain(selfSignedLeaf);
var rootStore = CreateRootStoreWithCerts(new[] { rootCert });
var verifier = CreateVerifier(rootStore);
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: false,
VerifyCertificateChain: true);
// Act
var result = await verifier.VerifyAttestationAsync(attestation, options);
// Assert
result.CertificateChainValid.Should().BeFalse();
}
[Fact]
public async Task VerifyAttestation_WithEmptyRootStore_ChainIsInvalid()
{
// Arrange
var (rootCert, leafCert) = CreateCertificateChain();
var attestation = CreateAttestationWithCertChain(leafCert, rootCert);
var rootStore = CreateRootStoreWithCerts(Array.Empty<X509Certificate2>());
var verifier = CreateVerifier(rootStore);
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: false,
VerifyCertificateChain: true);
// Act
var result = await verifier.VerifyAttestationAsync(attestation, options);
// Assert
result.CertificateChainValid.Should().BeFalse();
}
private OfflineVerifier CreateVerifier(IOfflineRootStore rootStore)
{
return new OfflineVerifier(
rootStore,
_merkleBuilder,
_loggerMock.Object,
_config,
null);
}
private static IOfflineRootStore CreateRootStoreWithCerts(X509Certificate2[] certs)
{
var mock = new Mock<IOfflineRootStore>();
mock.Setup(x => x.GetFulcioRootsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync(new X509Certificate2Collection(certs));
mock.Setup(x => x.GetOrgSigningKeysAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync(new X509Certificate2Collection());
mock.Setup(x => x.GetRekorKeysAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync(new X509Certificate2Collection());
return mock.Object;
}
private static (X509Certificate2 Root, X509Certificate2 Leaf) CreateCertificateChain()
{
using var rootKey = RSA.Create(2048);
var rootRequest = new CertificateRequest(
"CN=Test Fulcio Root CA",
rootKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
rootRequest.CertificateExtensions.Add(
new X509BasicConstraintsExtension(true, true, 1, true));
rootRequest.CertificateExtensions.Add(
new X509KeyUsageExtension(
X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
var rootCert = rootRequest.CreateSelfSigned(
DateTimeOffset.UtcNow.AddDays(-30),
DateTimeOffset.UtcNow.AddYears(10));
using var leafKey = RSA.Create(2048);
var leafRequest = new CertificateRequest(
"CN=Sigstore Signer",
leafKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
leafRequest.CertificateExtensions.Add(
new X509BasicConstraintsExtension(false, false, 0, true));
leafRequest.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
var leafCert = leafRequest.Create(
rootCert,
DateTimeOffset.UtcNow.AddDays(-1),
DateTimeOffset.UtcNow.AddMinutes(10),
Guid.NewGuid().ToByteArray());
return (rootCert, leafCert);
}
private static X509Certificate2 CreateSelfSignedCertificate(string subject)
{
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(
subject,
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509BasicConstraintsExtension(true, false, 0, true));
return request.CreateSelfSigned(
DateTimeOffset.UtcNow.AddDays(-30),
DateTimeOffset.UtcNow.AddYears(10));
}
private static X509Certificate2 CreateExpiredCertificate(string subject)
{
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(
subject,
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
return request.CreateSelfSigned(
DateTimeOffset.UtcNow.AddDays(-365),
DateTimeOffset.UtcNow.AddDays(-1));
}
private static X509Certificate2 CreateFutureCertificate(string subject)
{
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(
subject,
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
return request.CreateSelfSigned(
DateTimeOffset.UtcNow.AddDays(1),
DateTimeOffset.UtcNow.AddYears(1));
}
private static BundledAttestation CreateAttestationWithCertChain(
X509Certificate2 leafCert,
X509Certificate2? rootCert = null,
string entryId = "entry-001")
{
var certChain = new List<string> { ConvertToPem(leafCert) };
if (rootCert != null)
{
certChain.Add(ConvertToPem(rootCert));
}
return new BundledAttestation
{
EntryId = entryId,
RekorUuid = Guid.NewGuid().ToString("N"),
RekorLogIndex = 10000,
ArtifactDigest = $"sha256:{entryId.PadRight(64, 'a')}",
PredicateType = "verdict.stella/v1",
SignedAt = DateTimeOffset.UtcNow,
SigningMode = "keyless",
SigningIdentity = new SigningIdentity
{
Issuer = "https://authority.internal",
Subject = "signer@stella-ops.org",
San = "urn:stellaops:signer"
},
InclusionProof = new RekorInclusionProof
{
Checkpoint = new CheckpointData
{
Origin = "rekor.sigstore.dev",
Size = 100000,
RootHash = Convert.ToBase64String(new byte[32]),
Timestamp = DateTimeOffset.UtcNow
},
Path = new List<string>
{
Convert.ToBase64String(new byte[32]),
Convert.ToBase64String(new byte[32])
}
},
Envelope = new DsseEnvelopeData
{
PayloadType = "application/vnd.in-toto+json",
Payload = Convert.ToBase64String("{\"test\":true}"u8.ToArray()),
Signatures = new List<EnvelopeSignature>
{
new() { KeyId = "key-1", Sig = Convert.ToBase64String(new byte[64]) }
},
CertificateChain = certChain
}
};
}
private static BundledAttestation CreateAttestationWithoutCertChain()
{
return new BundledAttestation
{
EntryId = "entry-no-chain",
RekorUuid = Guid.NewGuid().ToString("N"),
RekorLogIndex = 10000,
ArtifactDigest = "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
PredicateType = "verdict.stella/v1",
SignedAt = DateTimeOffset.UtcNow,
SigningMode = "keyless",
SigningIdentity = new SigningIdentity
{
Issuer = "https://authority.internal",
Subject = "signer@stella-ops.org",
San = "urn:stellaops:signer"
},
InclusionProof = new RekorInclusionProof
{
Checkpoint = new CheckpointData
{
Origin = "rekor.sigstore.dev",
Size = 100000,
RootHash = Convert.ToBase64String(new byte[32]),
Timestamp = DateTimeOffset.UtcNow
},
Path = new List<string>()
},
Envelope = new DsseEnvelopeData
{
PayloadType = "application/vnd.in-toto+json",
Payload = Convert.ToBase64String("{\"test\":true}"u8.ToArray()),
Signatures = new List<EnvelopeSignature>
{
new() { KeyId = "key-1", Sig = Convert.ToBase64String(new byte[64]) }
},
CertificateChain = null
}
};
}
private AttestationBundle CreateBundleFromAttestations(BundledAttestation[] attestations)
{
var sortedAttestations = attestations
.OrderBy(a => a.EntryId, StringComparer.Ordinal)
.ToList();
var leafValues = sortedAttestations
.Select(a => (ReadOnlyMemory<byte>)System.Text.Encoding.UTF8.GetBytes(a.EntryId))
.ToList();
var merkleRoot = _merkleBuilder.ComputeMerkleRoot(leafValues);
var merkleRootHex = $"sha256:{Convert.ToHexString(merkleRoot).ToLowerInvariant()}";
return new AttestationBundle
{
Metadata = new BundleMetadata
{
BundleId = merkleRootHex,
Version = "1.0",
CreatedAt = DateTimeOffset.UtcNow,
PeriodStart = DateTimeOffset.UtcNow.AddDays(-30),
PeriodEnd = DateTimeOffset.UtcNow,
AttestationCount = attestations.Length
},
Attestations = attestations,
MerkleTree = new MerkleTreeInfo
{
Algorithm = "SHA256",
Root = merkleRootHex,
LeafCount = attestations.Length
}
};
}
private static string ConvertToPem(X509Certificate2 cert)
{
var base64 = Convert.ToBase64String(cert.RawData);
return $"-----BEGIN CERTIFICATE-----\n{base64}\n-----END CERTIFICATE-----";
}
}

401
src/Attestor/__Tests/StellaOps.Attestor.Offline.Tests/OfflineVerifierTests.cs Normal file
View File

@@ -0,0 +1,401 @@
// -----------------------------------------------------------------------------
// OfflineVerifierTests.cs
// Sprint: SPRINT_20251226_003_ATTESTOR_offline_verification
// Task: 0019-0022 - Unit tests for offline verification
// Description: Unit tests for OfflineVerifier service
// -----------------------------------------------------------------------------
using System.Security.Cryptography.X509Certificates;
using FluentAssertions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Moq;
using StellaOps.Attestor.Bundling.Abstractions;
using StellaOps.Attestor.Bundling.Models;
using StellaOps.Attestor.Offline.Abstractions;
using StellaOps.Attestor.Offline.Models;
using StellaOps.Attestor.Offline.Services;
using StellaOps.Attestor.ProofChain.Merkle;
// Alias to resolve ambiguity
using Severity = StellaOps.Attestor.Offline.Models.VerificationIssueSeverity;
namespace StellaOps.Attestor.Offline.Tests;
public class OfflineVerifierTests
{
private readonly Mock<IOfflineRootStore> _rootStoreMock;
private readonly IMerkleTreeBuilder _merkleBuilder;
private readonly Mock<IOrgKeySigner> _orgSignerMock;
private readonly Mock<ILogger<OfflineVerifier>> _loggerMock;
private readonly IOptions<OfflineVerificationConfig> _config;
public OfflineVerifierTests()
{
_rootStoreMock = new Mock<IOfflineRootStore>();
_merkleBuilder = new DeterministicMerkleTreeBuilder();
_orgSignerMock = new Mock<IOrgKeySigner>();
_loggerMock = new Mock<ILogger<OfflineVerifier>>();
_config = Options.Create(new OfflineVerificationConfig());
// Setup default root store behavior
_rootStoreMock
.Setup(x => x.GetFulcioRootsAsync(It.IsAny<CancellationToken>()))
.ReturnsAsync(new X509Certificate2Collection());
}
[Fact]
public async Task VerifyBundleAsync_ValidBundle_ReturnsValid()
{
// Arrange
var bundle = CreateTestBundle(5);
var verifier = CreateVerifier();
var options = new OfflineVerificationOptions(
VerifyMerkleProof: true,
VerifySignatures: false, // Skip signature verification for this test
VerifyCertificateChain: false,
VerifyOrgSignature: false);
// Act
var result = await verifier.VerifyBundleAsync(bundle, options);
// Assert
result.Valid.Should().BeTrue();
result.MerkleProofValid.Should().BeTrue();
result.Issues.Should().BeEmpty();
}
[Fact]
public async Task VerifyBundleAsync_TamperedMerkleRoot_ReturnsInvalid()
{
// Arrange
var bundle = CreateTestBundle(5);
// Tamper with the Merkle root
var tamperedBundle = bundle with
{
MerkleTree = new MerkleTreeInfo
{
Algorithm = "SHA256",
Root = "sha256:0000000000000000000000000000000000000000000000000000000000000000",
LeafCount = 5
}
};
var verifier = CreateVerifier();
var options = new OfflineVerificationOptions(
VerifyMerkleProof: true,
VerifySignatures: false,
VerifyCertificateChain: false);
// Act
var result = await verifier.VerifyBundleAsync(tamperedBundle, options);
// Assert
result.Valid.Should().BeFalse();
result.MerkleProofValid.Should().BeFalse();
result.Issues.Should().Contain(i => i.Code == "MERKLE_ROOT_MISMATCH");
}
[Fact]
public async Task VerifyBundleAsync_MissingOrgSignature_WhenRequired_ReturnsInvalid()
{
// Arrange
var bundle = CreateTestBundle(3);
var verifier = CreateVerifier();
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: false,
VerifyCertificateChain: false,
VerifyOrgSignature: true,
RequireOrgSignature: true);
// Act
var result = await verifier.VerifyBundleAsync(bundle, options);
// Assert
result.Valid.Should().BeFalse();
result.OrgSignatureValid.Should().BeFalse();
result.Issues.Should().Contain(i => i.Code == "ORG_SIG_MISSING");
}
[Fact]
public async Task VerifyBundleAsync_WithValidOrgSignature_ReturnsValid()
{
// Arrange
var bundle = CreateTestBundle(3);
var orgSignature = new OrgSignature
{
KeyId = "org-key-2025",
Algorithm = "ECDSA_P256",
Signature = Convert.ToBase64String(new byte[64]),
SignedAt = DateTimeOffset.UtcNow,
CertificateChain = null
};
var signedBundle = bundle with { OrgSignature = orgSignature };
_orgSignerMock
.Setup(x => x.VerifyBundleAsync(It.IsAny<byte[]>(), orgSignature, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
var verifier = CreateVerifier();
var options = new OfflineVerificationOptions(
VerifyMerkleProof: true,
VerifySignatures: false,
VerifyCertificateChain: false,
VerifyOrgSignature: true);
// Act
var result = await verifier.VerifyBundleAsync(signedBundle, options);
// Assert
result.Valid.Should().BeTrue();
result.OrgSignatureValid.Should().BeTrue();
result.OrgSignatureKeyId.Should().Be("org-key-2025");
}
[Fact]
public async Task VerifyAttestationAsync_ValidAttestation_ReturnsValid()
{
// Arrange
var attestation = CreateTestAttestation("entry-001");
var verifier = CreateVerifier();
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: true,
VerifyCertificateChain: false);
// Act
var result = await verifier.VerifyAttestationAsync(attestation, options);
// Assert
result.Valid.Should().BeTrue();
result.SignaturesValid.Should().BeTrue();
}
[Fact]
public async Task VerifyAttestationAsync_EmptySignature_ReturnsInvalid()
{
// Arrange
var attestation = CreateTestAttestation("entry-001");
// Remove signatures
var tamperedAttestation = attestation with
{
Envelope = attestation.Envelope with
{
Signatures = new List<EnvelopeSignature>()
}
};
var verifier = CreateVerifier();
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: true,
VerifyCertificateChain: false);
// Act
var result = await verifier.VerifyAttestationAsync(tamperedAttestation, options);
// Assert
result.Valid.Should().BeFalse();
result.SignaturesValid.Should().BeFalse();
result.Issues.Should().Contain(i => i.Code == "DSSE_NO_SIGNATURES");
}
[Fact]
public async Task GetVerificationSummariesAsync_ReturnsAllAttestations()
{
// Arrange
var bundle = CreateTestBundle(10);
var verifier = CreateVerifier();
var options = new OfflineVerificationOptions(
VerifyMerkleProof: false,
VerifySignatures: true,
VerifyCertificateChain: false);
// Act
var summaries = await verifier.GetVerificationSummariesAsync(bundle, options);
// Assert
summaries.Should().HaveCount(10);
summaries.Should().OnlyContain(s => s.VerificationStatus == AttestationVerificationStatus.Valid);
}
[Fact]
public async Task VerifyBundleAsync_StrictMode_FailsOnWarnings()
{
// Arrange
var attestation = CreateTestAttestation("entry-001");
// Add inclusion proof with empty path to trigger warning
var attestationWithEmptyProof = attestation with
{
InclusionProof = new RekorInclusionProof
{
Checkpoint = new CheckpointData
{
Origin = "rekor.sigstore.dev",
Size = 100000,
RootHash = Convert.ToBase64String(new byte[32]),
Timestamp = DateTimeOffset.UtcNow
},
Path = new List<string>() // Empty path triggers warning
}
};
var bundle = CreateTestBundleFromAttestations(new[] { attestationWithEmptyProof });
var verifier = CreateVerifier();
var options = new OfflineVerificationOptions(
VerifyMerkleProof: true,
VerifySignatures: true, // Needs to be true to check attestation-level proofs
VerifyCertificateChain: false,
StrictMode: true);
// Act
var result = await verifier.VerifyBundleAsync(bundle, options);
// Assert
result.Valid.Should().BeFalse();
result.Issues.Should().Contain(i => i.Severity == Severity.Warning);
}
[Fact]
public async Task VerifyBundleAsync_DeterministicOrdering_SameMerkleValidation()
{
// Arrange
var attestations = Enumerable.Range(0, 10)
.Select(i => CreateTestAttestation($"entry-{i:D4}"))
.ToArray();
// Create bundles with same attestations but different initial orders
var bundle1 = CreateTestBundleFromAttestations(attestations.OrderBy(_ => Guid.NewGuid()).ToArray());
var bundle2 = CreateTestBundleFromAttestations(attestations.OrderByDescending(a => a.EntryId).ToArray());
var verifier = CreateVerifier();
var options = new OfflineVerificationOptions(
VerifyMerkleProof: true,
VerifySignatures: false,
VerifyCertificateChain: false);
// Act
var result1 = await verifier.VerifyBundleAsync(bundle1, options);
var result2 = await verifier.VerifyBundleAsync(bundle2, options);
// Assert - both should have the same merkle validation result
result1.MerkleProofValid.Should().Be(result2.MerkleProofValid);
}
private OfflineVerifier CreateVerifier()
{
return new OfflineVerifier(
_rootStoreMock.Object,
_merkleBuilder,
_loggerMock.Object,
_config,
_orgSignerMock.Object);
}
private AttestationBundle CreateTestBundle(int attestationCount)
{
var attestations = Enumerable.Range(0, attestationCount)
.Select(i => CreateTestAttestation($"entry-{i:D4}"))
.ToList();
return CreateTestBundleFromAttestations(attestations.ToArray());
}
private AttestationBundle CreateTestBundleFromAttestations(BundledAttestation[] attestations)
{
// Sort deterministically for Merkle tree
var sortedAttestations = attestations
.OrderBy(a => a.EntryId, StringComparer.Ordinal)
.ToList();
// Compute Merkle root
var leafValues = sortedAttestations
.Select(a => (ReadOnlyMemory<byte>)System.Text.Encoding.UTF8.GetBytes(a.EntryId))
.ToList();
var merkleRoot = _merkleBuilder.ComputeMerkleRoot(leafValues);
var merkleRootHex = $"sha256:{Convert.ToHexString(merkleRoot).ToLowerInvariant()}";
return new AttestationBundle
{
Metadata = new BundleMetadata
{
BundleId = merkleRootHex,
Version = "1.0",
CreatedAt = DateTimeOffset.UtcNow,
PeriodStart = DateTimeOffset.UtcNow.AddDays(-30),
PeriodEnd = DateTimeOffset.UtcNow,
AttestationCount = attestations.Length
},
Attestations = attestations,
MerkleTree = new MerkleTreeInfo
{
Algorithm = "SHA256",
Root = merkleRootHex,
LeafCount = attestations.Length
}
};
}
private static BundledAttestation CreateTestAttestation(string entryId)
{
return new BundledAttestation
{
EntryId = entryId,
RekorUuid = Guid.NewGuid().ToString("N"),
RekorLogIndex = 10000,
ArtifactDigest = $"sha256:{entryId.PadRight(64, 'a')}",
PredicateType = "verdict.stella/v1",
SignedAt = DateTimeOffset.UtcNow,
SigningMode = "keyless",
SigningIdentity = new SigningIdentity
{
Issuer = "https://authority.internal",
Subject = "signer@stella-ops.org",
San = "urn:stellaops:signer"
},
InclusionProof = new RekorInclusionProof
{
Checkpoint = new CheckpointData
{
Origin = "rekor.sigstore.dev",
Size = 100000,
RootHash = Convert.ToBase64String(new byte[32]),
Timestamp = DateTimeOffset.UtcNow
},
Path = new List<string>
{
Convert.ToBase64String(new byte[32]),
Convert.ToBase64String(new byte[32])
}
},
Envelope = new DsseEnvelopeData
{
PayloadType = "application/vnd.in-toto+json",
Payload = Convert.ToBase64String("{\"test\":true}"u8.ToArray()),
Signatures = new List<EnvelopeSignature>
{
new() { KeyId = "key-1", Sig = Convert.ToBase64String(new byte[64]) }
},
CertificateChain = new List<string>
{
"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----"
}
}
};
}
}

31
src/Attestor/__Tests/StellaOps.Attestor.Offline.Tests/StellaOps.Attestor.Offline.Tests.csproj Normal file
View File

@@ -0,0 +1,31 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<IsPackable>false</IsPackable>
<IsTestProject>true</IsTestProject>
<RootNamespace>StellaOps.Attestor.Offline.Tests</RootNamespace>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
<PackageReference Include="xunit" Version="2.9.3" />
<PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="Moq" Version="4.20.72" />
<PackageReference Include="FluentAssertions" Version="7.0.0" />
<PackageReference Include="coverlet.collector" Version="6.0.2">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\__Libraries\StellaOps.Attestor.Offline\StellaOps.Attestor.Offline.csproj" />
</ItemGroup>
</Project>

67
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/BinaryVulnerabilityService.cs
View File

@@ -1,6 +1,8 @@
using System.Collections.Immutable;
using Microsoft.Extensions.Logging;
using StellaOps.BinaryIndex.Core.Models;
using StellaOps.BinaryIndex.FixIndex.Models;
using StellaOps.BinaryIndex.FixIndex.Repositories;
namespace StellaOps.BinaryIndex.Core.Services;
@@ -10,14 +12,17 @@ namespace StellaOps.BinaryIndex.Core.Services;
public sealed class BinaryVulnerabilityService : IBinaryVulnerabilityService
{
private readonly IBinaryVulnAssertionRepository _assertionRepo;
private readonly IFixIndexRepository? _fixIndexRepo;
private readonly ILogger<BinaryVulnerabilityService> _logger;
public BinaryVulnerabilityService(
IBinaryVulnAssertionRepository assertionRepo,
ILogger<BinaryVulnerabilityService> logger)
ILogger<BinaryVulnerabilityService> logger,
IFixIndexRepository? fixIndexRepo = null)
{
_assertionRepo = assertionRepo;
_logger = logger;
_fixIndexRepo = fixIndexRepo;
}
public async Task<ImmutableArray<BinaryVulnMatch>> LookupByIdentityAsync(
@@ -62,6 +67,66 @@ public sealed class BinaryVulnerabilityService : IBinaryVulnerabilityService
return results.ToImmutableDictionary();
}
public async Task<FixStatusResult?> GetFixStatusAsync(
string distro,
string release,
string sourcePkg,
string cveId,
CancellationToken ct = default)
{
if (_fixIndexRepo is null)
{
_logger.LogWarning("Fix index repository not configured, cannot check fix status");
return null;
}
var entry = await _fixIndexRepo.GetFixStatusAsync(distro, release, sourcePkg, cveId, ct);
if (entry is null)
{
_logger.LogDebug("No fix status found for {CveId} in {Distro}/{Release}/{Package}",
cveId, distro, release, sourcePkg);
return null;
}
return new FixStatusResult
{
State = entry.State,
FixedVersion = entry.FixedVersion,
Method = entry.Method,
Confidence = entry.Confidence,
EvidenceId = entry.EvidenceId
};
}
public async Task<ImmutableDictionary<string, FixStatusResult>> GetFixStatusBatchAsync(
string distro,
string release,
string sourcePkg,
IEnumerable<string> cveIds,
CancellationToken ct = default)
{
var results = new Dictionary<string, FixStatusResult>();
if (_fixIndexRepo is null)
{
_logger.LogWarning("Fix index repository not configured, cannot check fix status");
return results.ToImmutableDictionary();
}
foreach (var cveId in cveIds)
{
var status = await GetFixStatusAsync(distro, release, sourcePkg, cveId, ct);
if (status is not null)
{
results[cveId] = status;
}
}
_logger.LogDebug("Found fix status for {Count} CVEs in {Distro}/{Release}/{Package}",
results.Count, distro, release, sourcePkg);
return results.ToImmutableDictionary();
}
private static MatchMethod MapMethod(string method) => method switch
{
"buildid_catalog" => MatchMethod.BuildIdCatalog,

8
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/IBinaryFeatureExtractor.cs
View File

@@ -35,4 +35,12 @@ public sealed record BinaryMetadata
public string? OsAbi { get; init; }
public BinaryType? Type { get; init; }
public bool IsStripped { get; init; }
// PE-specific
public uint? PeTimestamp { get; init; }
public bool? IsPe32Plus { get; init; }
// Mach-O specific
public bool? Is64Bit { get; init; }
public bool? IsUniversalBinary { get; init; }
}

49
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/IBinaryVulnerabilityService.cs
View File

@@ -1,5 +1,6 @@
using System.Collections.Immutable;
using StellaOps.BinaryIndex.Core.Models;
using StellaOps.BinaryIndex.FixIndex.Models;
namespace StellaOps.BinaryIndex.Core.Services;
@@ -24,6 +25,33 @@ public interface IBinaryVulnerabilityService
IEnumerable<BinaryIdentity> identities,
LookupOptions? options = null,
CancellationToken ct = default);
/// <summary>
/// Check if a CVE is fixed for a specific distro/release/package combination.
/// Used for patch-aware backport detection.
/// </summary>
/// <param name="distro">Distribution name (debian, ubuntu, alpine, rhel).</param>
/// <param name="release">Release codename (bookworm, jammy, v3.19).</param>
/// <param name="sourcePkg">Source package name.</param>
/// <param name="cveId">CVE identifier.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Fix status if found, null otherwise.</returns>
Task<FixStatusResult?> GetFixStatusAsync(
string distro,
string release,
string sourcePkg,
string cveId,
CancellationToken ct = default);
/// <summary>
/// Batch check fix status for multiple CVEs.
/// </summary>
Task<ImmutableDictionary<string, FixStatusResult>> GetFixStatusBatchAsync(
string distro,
string release,
string sourcePkg,
IEnumerable<string> cveIds,
CancellationToken ct = default);
}
public sealed record LookupOptions
@@ -55,3 +83,24 @@ public sealed record MatchEvidence
public decimal? Similarity { get; init; }
public string? MatchedFunction { get; init; }
}
/// <summary>
/// Result of a fix status lookup from the CVE fix index.
/// </summary>
public sealed record FixStatusResult
{
/// <summary>Fix state (fixed, vulnerable, not_affected, wontfix, unknown).</summary>
public required FixState State { get; init; }
/// <summary>Version where the fix was applied (if fixed).</summary>
public string? FixedVersion { get; init; }
/// <summary>Detection method used.</summary>
public required FixMethod Method { get; init; }
/// <summary>Confidence score (0.00-1.00).</summary>
public required decimal Confidence { get; init; }
/// <summary>Reference to the underlying evidence record.</summary>
public Guid? EvidenceId { get; init; }
}

267
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/MachoFeatureExtractor.cs Normal file
View File

@@ -0,0 +1,267 @@
// -----------------------------------------------------------------------------
// MachoFeatureExtractor.cs
// Sprint: SPRINT_20251226_011_BINIDX_known_build_catalog
// Task: BINCAT-10 - MachoFeatureExtractor for Mach-O LC_UUID extraction
// Description: Extracts features from macOS/iOS Mach-O binaries including LC_UUID
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using StellaOps.BinaryIndex.Core.Models;
namespace StellaOps.BinaryIndex.Core.Services;
/// <summary>
/// Extracts features from macOS/iOS Mach-O binaries.
/// Supports LC_UUID extraction, architecture detection, and dylib analysis.
/// </summary>
public sealed class MachoFeatureExtractor : IBinaryFeatureExtractor
{
// Mach-O magic numbers
private const uint MH_MAGIC = 0xFEEDFACE; // 32-bit big-endian
private const uint MH_CIGAM = 0xCEFAEDFE; // 32-bit little-endian
private const uint MH_MAGIC_64 = 0xFEEDFACF; // 64-bit big-endian
private const uint MH_CIGAM_64 = 0xCFFAEDFE; // 64-bit little-endian
private const uint FAT_MAGIC = 0xCAFEBABE; // Universal binary big-endian
private const uint FAT_CIGAM = 0xBEBAFECA; // Universal binary little-endian
// Load command types
private const uint LC_UUID = 0x1B; // UUID load command
private const uint LC_ID_DYLIB = 0x0D; // Dylib identification
public bool CanExtract(Stream stream)
{
if (stream.Length < 4)
return false;
var originalPosition = stream.Position;
try
{
Span<byte> magic = stackalloc byte[4];
stream.Position = 0;
var read = stream.Read(magic);
if (read < 4)
return false;
var magicValue = BitConverter.ToUInt32(magic);
return magicValue is MH_MAGIC or MH_CIGAM or MH_MAGIC_64 or MH_CIGAM_64 or FAT_MAGIC or FAT_CIGAM;
}
finally
{
stream.Position = originalPosition;
}
}
public async Task<BinaryIdentity> ExtractIdentityAsync(Stream stream, CancellationToken ct = default)
{
var metadata = await ExtractMetadataAsync(stream, ct);
// Compute full file SHA-256
stream.Position = 0;
var fileSha256 = await ComputeSha256Async(stream, ct);
// Build binary key: macho-uuid or file hash
var binaryKey = metadata.BuildId != null
? $"macho-uuid:{metadata.BuildId}:{fileSha256}"
: fileSha256;
return new BinaryIdentity
{
BinaryKey = binaryKey,
BuildId = metadata.BuildId,
BuildIdType = metadata.BuildIdType,
FileSha256 = fileSha256,
Format = metadata.Format,
Architecture = metadata.Architecture,
Type = metadata.Type,
IsStripped = metadata.IsStripped
};
}
public Task<BinaryMetadata> ExtractMetadataAsync(Stream stream, CancellationToken ct = default)
{
stream.Position = 0;
Span<byte> header = stackalloc byte[32];
var read = stream.Read(header);
if (read < 4)
throw new InvalidDataException("Stream too short for Mach-O header");
var magicValue = BitConverter.ToUInt32(header[..4]);
// Handle universal (fat) binaries by reading first slice
if (magicValue is FAT_MAGIC or FAT_CIGAM)
{
return ExtractFatBinaryMetadataAsync(stream, magicValue == FAT_CIGAM);
}
var needsSwap = magicValue is MH_CIGAM or MH_CIGAM_64;
var is64Bit = magicValue is MH_MAGIC_64 or MH_CIGAM_64;
return Task.FromResult(ParseMachHeader(stream, header, is64Bit, needsSwap));
}
private static BinaryMetadata ParseMachHeader(Stream stream, ReadOnlySpan<byte> header, bool is64Bit, bool needsSwap)
{
// Mach-O header layout:
// 0-4: magic
// 4-8: cputype
// 8-12: cpusubtype
// 12-16: filetype
// 16-20: ncmds
// 20-24: sizeofcmds
// 24-28: flags
// (64-bit only) 28-32: reserved
var cpuType = ReadInt32(header[4..8], needsSwap);
var fileType = ReadUInt32(header[12..16], needsSwap);
var ncmds = ReadUInt32(header[16..20], needsSwap);
var sizeOfCmds = ReadUInt32(header[20..24], needsSwap);
var headerSize = is64Bit ? 32 : 28;
var architecture = MapCpuType(cpuType);
var type = MapFileType(fileType);
// Parse load commands to find LC_UUID
string? uuid = null;
var isStripped = true;
stream.Position = headerSize;
var cmdBuffer = new byte[sizeOfCmds];
stream.Read(cmdBuffer);
var offset = 0;
for (var i = 0; i < ncmds && offset < cmdBuffer.Length - 8; i++)
{
var cmd = ReadUInt32(cmdBuffer.AsSpan(offset, 4), needsSwap);
var cmdSize = ReadUInt32(cmdBuffer.AsSpan(offset + 4, 4), needsSwap);
if (cmd == LC_UUID && cmdSize >= 24)
{
// UUID is at offset 8-24 in the load command
var uuidBytes = cmdBuffer.AsSpan(offset + 8, 16);
uuid = FormatUuid(uuidBytes);
}
// Check for symbol table (indicates not stripped)
if (cmd == 0x02 || cmd == 0x0B) // LC_SYMTAB or LC_DYSYMTAB
{
isStripped = false;
}
offset += (int)cmdSize;
}
return new BinaryMetadata
{
Format = BinaryFormat.Macho,
Architecture = architecture,
BuildId = uuid,
BuildIdType = uuid != null ? "macho-uuid" : null,
Type = type,
IsStripped = isStripped,
Is64Bit = is64Bit
};
}
private Task<BinaryMetadata> ExtractFatBinaryMetadataAsync(Stream stream, bool needsSwap)
{
// Fat binary header:
// 0-4: magic
// 4-8: nfat_arch
stream.Position = 4;
Span<byte> nArchBytes = stackalloc byte[4];
stream.Read(nArchBytes);
var nArch = ReadUInt32(nArchBytes, needsSwap);
if (nArch == 0)
throw new InvalidDataException("Empty fat binary");
// Read first fat_arch entry to get offset to first slice
// fat_arch: cputype(4), cpusubtype(4), offset(4), size(4), align(4)
Span<byte> fatArch = stackalloc byte[20];
stream.Read(fatArch);
var sliceOffset = ReadUInt32(fatArch[8..12], needsSwap);
var sliceSize = ReadUInt32(fatArch[12..16], needsSwap);
// Read the Mach-O header from the first slice
stream.Position = sliceOffset;
Span<byte> sliceHeader = stackalloc byte[32];
stream.Read(sliceHeader);
var sliceMagic = BitConverter.ToUInt32(sliceHeader[..4]);
var sliceNeedsSwap = sliceMagic is MH_CIGAM or MH_CIGAM_64;
var sliceIs64Bit = sliceMagic is MH_MAGIC_64 or MH_CIGAM_64;
// Adjust stream position for load command parsing
stream.Position = sliceOffset;
var metadata = ParseMachHeader(stream, sliceHeader, sliceIs64Bit, sliceNeedsSwap);
return Task.FromResult(metadata with { IsUniversalBinary = true });
}
private static string MapCpuType(int cpuType) => cpuType switch
{
0x01000007 => "x86_64", // CPU_TYPE_X86_64
0x00000007 => "x86", // CPU_TYPE_X86
0x0100000C => "aarch64", // CPU_TYPE_ARM64
0x0000000C => "arm", // CPU_TYPE_ARM
_ => $"unknown-{cpuType:X}"
};
private static BinaryType MapFileType(uint fileType) => fileType switch
{
0x02 => BinaryType.Executable, // MH_EXECUTE
0x06 => BinaryType.SharedLibrary, // MH_DYLIB
0x08 => BinaryType.SharedLibrary, // MH_BUNDLE
0x01 => BinaryType.Object, // MH_OBJECT
0x09 => BinaryType.SharedLibrary, // MH_DYLIB_STUB
_ => BinaryType.Executable
};
private static string FormatUuid(ReadOnlySpan<byte> uuidBytes)
{
// Mach-O UUID is stored as 16 raw bytes
// Format as standard UUID string (8-4-4-4-12)
return $"{Convert.ToHexString(uuidBytes[..4])}-" +
$"{Convert.ToHexString(uuidBytes[4..6])}-" +
$"{Convert.ToHexString(uuidBytes[6..8])}-" +
$"{Convert.ToHexString(uuidBytes[8..10])}-" +
$"{Convert.ToHexString(uuidBytes[10..16])}".ToUpperInvariant();
}
private static uint ReadUInt32(ReadOnlySpan<byte> bytes, bool swap)
{
var value = BitConverter.ToUInt32(bytes);
return swap ? BinaryPrimitives.ReverseEndianness(value) : value;
}
private static int ReadInt32(ReadOnlySpan<byte> bytes, bool swap)
{
var value = BitConverter.ToInt32(bytes);
return swap ? BinaryPrimitives.ReverseEndianness(value) : value;
}
private static async Task<string> ComputeSha256Async(Stream stream, CancellationToken ct)
{
stream.Position = 0;
var hash = await SHA256.HashDataAsync(stream, ct);
return Convert.ToHexString(hash).ToLowerInvariant();
}
}
file static class BinaryPrimitives
{
public static uint ReverseEndianness(uint value)
{
return ((value & 0x000000FF) << 24) |
((value & 0x0000FF00) << 8) |
((value & 0x00FF0000) >> 8) |
((value & 0xFF000000) >> 24);
}
public static int ReverseEndianness(int value)
{
return (int)ReverseEndianness((uint)value);
}
}

253
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/PeFeatureExtractor.cs Normal file
View File

@@ -0,0 +1,253 @@
// -----------------------------------------------------------------------------
// PeFeatureExtractor.cs
// Sprint: SPRINT_20251226_011_BINIDX_known_build_catalog
// Task: BINCAT-09 - PeFeatureExtractor for Windows PE CodeView GUID extraction
// Description: Extracts features from Windows PE binaries including CodeView GUID
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using StellaOps.BinaryIndex.Core.Models;
namespace StellaOps.BinaryIndex.Core.Services;
/// <summary>
/// Extracts features from Windows PE (Portable Executable) binaries.
/// Supports CodeView GUID extraction, import hash (imphash), and security flags.
/// </summary>
public sealed class PeFeatureExtractor : IBinaryFeatureExtractor
{
// DOS header magic: MZ
private static readonly byte[] DosMagic = [0x4D, 0x5A]; // "MZ"
// PE signature: PE\0\0
private static readonly byte[] PeSignature = [0x50, 0x45, 0x00, 0x00];
public bool CanExtract(Stream stream)
{
if (stream.Length < 64) // Minimum DOS header size
return false;
var originalPosition = stream.Position;
try
{
Span<byte> magic = stackalloc byte[2];
stream.Position = 0;
var read = stream.Read(magic);
return read == 2 && magic.SequenceEqual(DosMagic);
}
finally
{
stream.Position = originalPosition;
}
}
public async Task<BinaryIdentity> ExtractIdentityAsync(Stream stream, CancellationToken ct = default)
{
var metadata = await ExtractMetadataAsync(stream, ct);
// Compute full file SHA-256
stream.Position = 0;
var fileSha256 = await ComputeSha256Async(stream, ct);
// Build binary key: pe-cv GUID or file hash
var binaryKey = metadata.BuildId != null
? $"pe-cv:{metadata.BuildId}:{fileSha256}"
: fileSha256;
return new BinaryIdentity
{
BinaryKey = binaryKey,
BuildId = metadata.BuildId,
BuildIdType = metadata.BuildIdType,
FileSha256 = fileSha256,
Format = metadata.Format,
Architecture = metadata.Architecture,
Type = metadata.Type,
IsStripped = metadata.IsStripped
};
}
public Task<BinaryMetadata> ExtractMetadataAsync(Stream stream, CancellationToken ct = default)
{
stream.Position = 0;
// Read DOS header to get PE header offset
Span<byte> dosHeader = stackalloc byte[64];
var read = stream.Read(dosHeader);
if (read < 64)
throw new InvalidDataException("Stream too short for DOS header");
// e_lfanew is at offset 0x3C (60)
var peOffset = BitConverter.ToInt32(dosHeader[0x3C..0x40]);
if (peOffset < 0 || peOffset > stream.Length - 24)
throw new InvalidDataException("Invalid PE header offset");
// Read PE signature and COFF header
stream.Position = peOffset;
Span<byte> peHeader = stackalloc byte[24];
read = stream.Read(peHeader);
if (read < 24)
throw new InvalidDataException("Stream too short for PE header");
// Verify PE signature
if (!peHeader[..4].SequenceEqual(PeSignature))
throw new InvalidDataException("Invalid PE signature");
// Parse COFF header (after PE signature)
var machine = BitConverter.ToUInt16(peHeader[4..6]);
var numberOfSections = BitConverter.ToUInt16(peHeader[6..8]);
var timeDateStamp = BitConverter.ToUInt32(peHeader[8..12]);
var characteristics = BitConverter.ToUInt16(peHeader[22..24]);
// Read optional header to determine PE32 vs PE32+
Span<byte> optionalMagic = stackalloc byte[2];
stream.Read(optionalMagic);
var isPe32Plus = BitConverter.ToUInt16(optionalMagic) == 0x20B;
var architecture = MapMachine(machine);
var type = MapCharacteristics(characteristics);
var codeViewGuid = ExtractCodeViewGuid(stream, peOffset, isPe32Plus);
return Task.FromResult(new BinaryMetadata
{
Format = BinaryFormat.Pe,
Architecture = architecture,
BuildId = codeViewGuid,
BuildIdType = codeViewGuid != null ? "pe-cv" : null,
Type = type,
IsStripped = !HasDebugInfo(stream, peOffset, isPe32Plus),
PeTimestamp = timeDateStamp,
IsPe32Plus = isPe32Plus
});
}
/// <summary>
/// Extract CodeView GUID from PE debug directory.
/// </summary>
private static string? ExtractCodeViewGuid(Stream stream, int peOffset, bool isPe32Plus)
{
try
{
// Calculate optional header size offset
stream.Position = peOffset + 20; // After COFF header
Span<byte> sizeOfOptionalHeader = stackalloc byte[2];
stream.Read(sizeOfOptionalHeader);
var optionalHeaderSize = BitConverter.ToUInt16(sizeOfOptionalHeader);
if (optionalHeaderSize < 128)
return null;
// Debug directory is data directory #6
// Offset depends on PE32 vs PE32+
var dataDirectoryOffset = isPe32Plus ? 112 : 96;
var debugDirectoryRva = peOffset + 24 + dataDirectoryOffset + (6 * 8);
if (debugDirectoryRva + 8 > stream.Length)
return null;
stream.Position = debugDirectoryRva;
Span<byte> debugDir = stackalloc byte[8];
stream.Read(debugDir);
var debugRva = BitConverter.ToUInt32(debugDir[..4]);
var debugSize = BitConverter.ToUInt32(debugDir[4..8]);
if (debugRva == 0 || debugSize == 0)
return null;
// For simplicity, assume RVA == file offset (not always true in real PE)
// In production, would need to resolve RVA to file offset via section table
if (debugRva + 28 > stream.Length)
return null;
stream.Position = debugRva;
Span<byte> debugEntry = stackalloc byte[28];
var read = stream.Read(debugEntry);
if (read < 28)
return null;
var type = BitConverter.ToUInt32(debugEntry[12..16]);
if (type != 2) // IMAGE_DEBUG_TYPE_CODEVIEW
return null;
var pointerToRawData = BitConverter.ToUInt32(debugEntry[24..28]);
if (pointerToRawData + 24 > stream.Length)
return null;
// Read CodeView header
stream.Position = pointerToRawData;
Span<byte> cvHeader = stackalloc byte[24];
read = stream.Read(cvHeader);
if (read < 24)
return null;
// Check for RSDS signature (PDB 7.0)
if (cvHeader[0] == 'R' && cvHeader[1] == 'S' && cvHeader[2] == 'D' && cvHeader[3] == 'S')
{
// GUID is at offset 4, 16 bytes
var guidBytes = cvHeader[4..20];
var age = BitConverter.ToUInt32(cvHeader[20..24]);
// Format as GUID string with age
var guid = new Guid(guidBytes.ToArray());
return $"{guid:N}{age:X}".ToUpperInvariant();
}
return null;
}
catch
{
return null;
}
}
private static bool HasDebugInfo(Stream stream, int peOffset, bool isPe32Plus)
{
try
{
var dataDirectoryOffset = isPe32Plus ? 112 : 96;
var debugDirectoryRva = peOffset + 24 + dataDirectoryOffset + (6 * 8);
if (debugDirectoryRva + 8 > stream.Length)
return false;
stream.Position = debugDirectoryRva;
Span<byte> debugDir = stackalloc byte[8];
stream.Read(debugDir);
var debugRva = BitConverter.ToUInt32(debugDir[..4]);
return debugRva != 0;
}
catch
{
return false;
}
}
private static string MapMachine(ushort machine) => machine switch
{
0x8664 => "x86_64",
0x014C => "x86",
0xAA64 => "aarch64",
0x01C4 => "arm",
0x5064 => "riscv64",
_ => $"unknown-{machine:X4}"
};
private static BinaryType MapCharacteristics(ushort characteristics)
{
if ((characteristics & 0x2000) != 0) // IMAGE_FILE_DLL
return BinaryType.SharedLibrary;
if ((characteristics & 0x0002) != 0) // IMAGE_FILE_EXECUTABLE_IMAGE
return BinaryType.Executable;
return BinaryType.Object;
}
private static async Task<string> ComputeSha256Async(Stream stream, CancellationToken ct)
{
stream.Position = 0;
var hash = await SHA256.HashDataAsync(stream, ct);
return Convert.ToHexString(hash).ToLowerInvariant();
}
}

157
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/AlpineCorpusConnector.cs Normal file
View File

@@ -0,0 +1,157 @@
// -----------------------------------------------------------------------------
// AlpineCorpusConnector.cs
// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
// Task: BACKPORT-16 — Create AlpineCorpusConnector for Alpine APK
// -----------------------------------------------------------------------------
using System.Runtime.CompilerServices;
using Microsoft.Extensions.Logging;
using StellaOps.BinaryIndex.Core.Models;
using StellaOps.BinaryIndex.Core.Services;
using StellaOps.BinaryIndex.Corpus;
namespace StellaOps.BinaryIndex.Corpus.Alpine;
/// <summary>
/// Alpine Linux corpus connector implementation.
/// Fetches packages from Alpine mirrors and extracts binaries.
/// </summary>
public sealed class AlpineCorpusConnector : IBinaryCorpusConnector
{
private readonly IAlpinePackageSource _packageSource;
private readonly AlpinePackageExtractor _extractor;
private readonly IBinaryFeatureExtractor _featureExtractor;
private readonly ICorpusSnapshotRepository _snapshotRepo;
private readonly ILogger<AlpineCorpusConnector> _logger;
private const string DefaultMirror = "https://dl-cdn.alpinelinux.org/alpine";
public string ConnectorId => "alpine";
public string[] SupportedDistros => ["alpine"];
public AlpineCorpusConnector(
IAlpinePackageSource packageSource,
AlpinePackageExtractor extractor,
IBinaryFeatureExtractor featureExtractor,
ICorpusSnapshotRepository snapshotRepo,
ILogger<AlpineCorpusConnector> logger)
{
_packageSource = packageSource;
_extractor = extractor;
_featureExtractor = featureExtractor;
_snapshotRepo = snapshotRepo;
_logger = logger;
}
public async Task<CorpusSnapshot> FetchSnapshotAsync(CorpusQuery query, CancellationToken ct = default)
{
_logger.LogInformation(
"Fetching Alpine corpus snapshot for {Release}/{Architecture}",
query.Release, query.Architecture);
// Check if we already have a snapshot for this query
var existing = await _snapshotRepo.FindByKeyAsync(
query.Distro,
query.Release,
query.Architecture,
ct);
if (existing != null)
{
_logger.LogInformation("Using existing snapshot {SnapshotId}", existing.Id);
return existing;
}
// Fetch APKINDEX to compute metadata digest
var packages = await _packageSource.FetchPackageIndexAsync(
query.Release,
query.Architecture,
ct);
var packageList = packages.ToList();
var metadataDigest = ComputeMetadataDigest(packageList);
var snapshot = new CorpusSnapshot(
Id: Guid.NewGuid(),
Distro: "alpine",
Release: query.Release,
Architecture: query.Architecture,
MetadataDigest: metadataDigest,
CapturedAt: DateTimeOffset.UtcNow);
await _snapshotRepo.CreateAsync(snapshot, ct);
_logger.LogInformation(
"Created Alpine corpus snapshot {SnapshotId} with {PackageCount} packages",
snapshot.Id, packageList.Count);
return snapshot;
}
public async IAsyncEnumerable<PackageInfo> ListPackagesAsync(
CorpusSnapshot snapshot,
[EnumeratorCancellation] CancellationToken ct = default)
{
_logger.LogDebug("Listing packages for snapshot {SnapshotId}", snapshot.Id);
var packages = await _packageSource.FetchPackageIndexAsync(
snapshot.Release,
snapshot.Architecture,
ct);
foreach (var pkg in packages)
{
yield return new PackageInfo(
Name: pkg.PackageName,
Version: pkg.Version,
SourcePackage: pkg.Origin ?? pkg.PackageName,
Architecture: pkg.Architecture,
Filename: pkg.Filename,
Size: pkg.Size,
Sha256: pkg.Checksum);
}
}
public async IAsyncEnumerable<ExtractedBinary> ExtractBinariesAsync(
PackageInfo pkg,
[EnumeratorCancellation] CancellationToken ct = default)
{
_logger.LogDebug("Extracting binaries from Alpine package {Package} {Version}", pkg.Name, pkg.Version);
Stream? apkStream = null;
try
{
// Download the .apk package
apkStream = await _packageSource.DownloadPackageAsync(pkg.Filename, ct);
// Extract binaries using AlpinePackageExtractor
var extractedBinaries = await _extractor.ExtractBinariesAsync(apkStream, pkg, ct);
foreach (var binary in extractedBinaries)
{
yield return new ExtractedBinary(
Identity: binary.Identity,
PathInPackage: binary.FilePath,
Package: pkg);
}
}
finally
{
if (apkStream != null)
{
await apkStream.DisposeAsync();
}
}
}
private static string ComputeMetadataDigest(IEnumerable<AlpinePackageMetadata> packages)
{
var combined = string.Join("|", packages
.OrderBy(p => p.PackageName)
.Select(p => $"{p.PackageName}:{p.Version}:{p.Checksum}"));
using var sha256 = System.Security.Cryptography.SHA256.Create();
var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(combined));
return Convert.ToHexString(hash).ToLowerInvariant();
}
}

131
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/AlpinePackageExtractor.cs Normal file
View File

@@ -0,0 +1,131 @@
// -----------------------------------------------------------------------------
// AlpinePackageExtractor.cs
// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
// Task: BACKPORT-16 — Create AlpineCorpusConnector for Alpine APK
// -----------------------------------------------------------------------------
using Microsoft.Extensions.Logging;
using SharpCompress.Archives;
using SharpCompress.Archives.Tar;
using SharpCompress.Compressors.Deflate;
using StellaOps.BinaryIndex.Core.Models;
using StellaOps.BinaryIndex.Core.Services;
using StellaOps.BinaryIndex.Corpus;
namespace StellaOps.BinaryIndex.Corpus.Alpine;
/// <summary>
/// Extracts binaries from Alpine .apk packages.
/// </summary>
public sealed class AlpinePackageExtractor
{
private readonly IBinaryFeatureExtractor _featureExtractor;
private readonly ILogger<AlpinePackageExtractor> _logger;
// ELF magic bytes
private static readonly byte[] ElfMagic = [0x7F, 0x45, 0x4C, 0x46];
public AlpinePackageExtractor(
IBinaryFeatureExtractor featureExtractor,
ILogger<AlpinePackageExtractor> logger)
{
_featureExtractor = featureExtractor;
_logger = logger;
}
/// <summary>
/// Extracts ELF binaries from an Alpine .apk package.
/// </summary>
/// <param name="apkStream">Stream containing the .apk package.</param>
/// <param name="pkg">Package metadata.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Extracted binaries with identity information.</returns>
public async Task<IReadOnlyList<ExtractedBinaryInfo>> ExtractBinariesAsync(
Stream apkStream,
PackageInfo pkg,
CancellationToken ct = default)
{
var results = new List<ExtractedBinaryInfo>();
// APK is gzipped tar: signature.tar.gz + control.tar.gz + data.tar.gz
// We need to extract data.tar.gz which contains the actual files
try
{
var dataTar = await ExtractDataTarAsync(apkStream, ct);
if (dataTar == null)
{
_logger.LogWarning("Could not find data.tar in {Package}", pkg.Name);
return results;
}
using var archive = TarArchive.Open(dataTar);
foreach (var entry in archive.Entries.Where(e => !e.IsDirectory))
{
ct.ThrowIfCancellationRequested();
// Check if this is an ELF binary
using var entryStream = entry.OpenEntryStream();
using var ms = new MemoryStream();
await entryStream.CopyToAsync(ms, ct);
ms.Position = 0;
if (!IsElfBinary(ms))
{
continue;
}
ms.Position = 0;
try
{
var identity = await _featureExtractor.ExtractIdentityAsync(ms, entry.Key ?? "", ct);
results.Add(new ExtractedBinaryInfo(identity, entry.Key ?? ""));
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Failed to extract identity from {File} in {Package}",
entry.Key, pkg.Name);
}
}
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to extract binaries from Alpine package {Package}", pkg.Name);
}
return results;
}
private static async Task<Stream?> ExtractDataTarAsync(Stream apkStream, CancellationToken ct)
{
// APK packages contain multiple gzipped tar archives concatenated
// We need to skip to the data.tar.gz portion
// The structure is: signature.tar.gz + control.tar.gz + data.tar.gz
using var gzip = new GZipStream(apkStream, SharpCompress.Compressors.CompressionMode.Decompress, leaveOpen: true);
using var ms = new MemoryStream();
await gzip.CopyToAsync(ms, ct);
ms.Position = 0;
// For simplicity, we'll just try to extract from the combined tar
// In a real implementation, we'd need to properly parse the multi-part structure
return ms;
}
private static bool IsElfBinary(Stream stream)
{
if (stream.Length < 4)
return false;
var buffer = new byte[4];
var read = stream.Read(buffer, 0, 4);
stream.Position = 0;
return read == 4 && buffer.AsSpan().SequenceEqual(ElfMagic);
}
}
/// <summary>
/// Information about an extracted binary.
/// </summary>
public sealed record ExtractedBinaryInfo(BinaryIdentity Identity, string FilePath);

111
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/ApkBuildSecfixesExtractor.cs Normal file
View File

@@ -0,0 +1,111 @@
// -----------------------------------------------------------------------------
// ApkBuildSecfixesExtractor.cs
// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
// Task: BACKPORT-17 — Implement APKBUILD secfixes extraction
// -----------------------------------------------------------------------------
using Microsoft.Extensions.Logging;
using StellaOps.BinaryIndex.FixIndex.Models;
using StellaOps.BinaryIndex.FixIndex.Parsers;
using StellaOps.BinaryIndex.FixIndex.Services;
namespace StellaOps.BinaryIndex.Corpus.Alpine;
/// <summary>
/// Extracts security fix information from Alpine APKBUILD files.
/// </summary>
public sealed class ApkBuildSecfixesExtractor
{
private readonly IAlpinePackageSource _packageSource;
private readonly AlpineSecfixesParser _secfixesParser;
private readonly IFixIndexBuilder _fixIndexBuilder;
private readonly ILogger<ApkBuildSecfixesExtractor> _logger;
public ApkBuildSecfixesExtractor(
IAlpinePackageSource packageSource,
IFixIndexBuilder fixIndexBuilder,
ILogger<ApkBuildSecfixesExtractor> logger)
{
_packageSource = packageSource;
_secfixesParser = new AlpineSecfixesParser();
_fixIndexBuilder = fixIndexBuilder;
_logger = logger;
}
/// <summary>
/// Extracts fix evidence from an APKBUILD file for a package.
/// </summary>
/// <param name="release">Alpine release (e.g., v3.19, edge).</param>
/// <param name="repository">Repository (main, community).</param>
/// <param name="packageName">Package name.</param>
/// <param name="snapshotId">Corpus snapshot ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Fix evidence entries extracted from the APKBUILD.</returns>
public async Task<IReadOnlyList<FixEvidence>> ExtractSecfixesAsync(
string release,
string repository,
string packageName,
Guid snapshotId,
CancellationToken ct = default)
{
_logger.LogDebug(
"Fetching APKBUILD for {Package} in {Release}/{Repository}",
packageName, release, repository);
var apkbuild = await _packageSource.FetchApkBuildAsync(release, repository, packageName, ct);
if (string.IsNullOrWhiteSpace(apkbuild))
{
_logger.LogDebug("No APKBUILD found for {Package}", packageName);
return [];
}
// Use the fix index builder for Alpine
var request = new AlpineFixIndexRequest
{
Release = release,
SourcePkg = packageName,
ApkBuild = apkbuild,
SnapshotId = snapshotId
};
var results = new List<FixEvidence>();
await foreach (var evidence in _fixIndexBuilder.BuildAlpineIndexAsync(request, ct))
{
results.Add(evidence);
}
_logger.LogInformation(
"Extracted {Count} CVE fixes from APKBUILD for {Package} in {Release}",
results.Count, packageName, release);
return results;
}
/// <summary>
/// Batch extracts fix evidence for multiple packages.
/// </summary>
/// <param name="release">Alpine release.</param>
/// <param name="repository">Repository.</param>
/// <param name="packageNames">Package names to process.</param>
/// <param name="snapshotId">Corpus snapshot ID.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>All fix evidence entries.</returns>
public async IAsyncEnumerable<FixEvidence> ExtractSecfixesBatchAsync(
string release,
string repository,
IEnumerable<string> packageNames,
Guid snapshotId,
[System.Runtime.CompilerServices.EnumeratorCancellation] CancellationToken ct = default)
{
foreach (var packageName in packageNames)
{
ct.ThrowIfCancellationRequested();
var results = await ExtractSecfixesAsync(release, repository, packageName, snapshotId, ct);
foreach (var evidence in results)
{
yield return evidence;
}
}
}
}

86
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/IAlpinePackageSource.cs Normal file
View File

@@ -0,0 +1,86 @@
// -----------------------------------------------------------------------------
// IAlpinePackageSource.cs
// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
// Task: BACKPORT-16 — Create AlpineCorpusConnector for Alpine APK
// -----------------------------------------------------------------------------
namespace StellaOps.BinaryIndex.Corpus.Alpine;
/// <summary>
/// Interface for fetching Alpine packages from mirrors.
/// </summary>
public interface IAlpinePackageSource
{
/// <summary>
/// Fetches the APKINDEX for the given release and architecture.
/// </summary>
/// <param name="release">Alpine release (e.g., v3.19, edge).</param>
/// <param name="architecture">Target architecture (e.g., x86_64, aarch64).</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Package metadata from APKINDEX.</returns>
Task<IReadOnlyList<AlpinePackageMetadata>> FetchPackageIndexAsync(
string release,
string architecture,
CancellationToken ct = default);
/// <summary>
/// Fetches the APKBUILD content for a source package.
/// </summary>
/// <param name="release">Alpine release.</param>
/// <param name="repository">Repository (main, community).</param>
/// <param name="packageName">Package name.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>APKBUILD file content, or null if not found.</returns>
Task<string?> FetchApkBuildAsync(
string release,
string repository,
string packageName,
CancellationToken ct = default);
/// <summary>
/// Downloads a package file.
/// </summary>
/// <param name="filename">Package filename.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Stream containing the package.</returns>
Task<Stream> DownloadPackageAsync(string filename, CancellationToken ct = default);
}
/// <summary>
/// Package metadata parsed from APKINDEX.
/// </summary>
public sealed record AlpinePackageMetadata
{
/// <summary>Package name (P:).</summary>
public required string PackageName { get; init; }
/// <summary>Package version (V:).</summary>
public required string Version { get; init; }
/// <summary>Architecture (A:).</summary>
public required string Architecture { get; init; }
/// <summary>Package filename (computed from P, V, A).</summary>
public required string Filename { get; init; }
/// <summary>Package size (S:).</summary>
public long Size { get; init; }
/// <summary>Checksum (C:).</summary>
public required string Checksum { get; init; }
/// <summary>Origin/source package (o:).</summary>
public string? Origin { get; init; }
/// <summary>Maintainer (m:).</summary>
public string? Maintainer { get; init; }
/// <summary>Dependencies (D:).</summary>
public string[]? Dependencies { get; init; }
/// <summary>Provides (p:).</summary>
public string[]? Provides { get; init; }
/// <summary>Build timestamp (t:).</summary>
public DateTimeOffset? BuildTime { get; init; }
}

21
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Alpine/StellaOps.BinaryIndex.Corpus.Alpine.csproj Normal file
View File

@@ -0,0 +1,21 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<LangVersion>preview</LangVersion>
<GenerateDocumentationFile>true</GenerateDocumentationFile>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="SharpCompress" Version="0.38.0" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Http" Version="10.0.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\StellaOps.BinaryIndex.Core\StellaOps.BinaryIndex.Core.csproj" />
<ProjectReference Include="..\StellaOps.BinaryIndex.Corpus\StellaOps.BinaryIndex.Corpus.csproj" />
<ProjectReference Include="..\StellaOps.BinaryIndex.FixIndex\StellaOps.BinaryIndex.FixIndex.csproj" />
</ItemGroup>
</Project>

91
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Rpm/IRpmPackageSource.cs Normal file
View File

@@ -0,0 +1,91 @@
// -----------------------------------------------------------------------------
// IRpmPackageSource.cs
// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
// Task: BACKPORT-14 — Create RpmCorpusConnector for RHEL/Fedora/CentOS
// -----------------------------------------------------------------------------
namespace StellaOps.BinaryIndex.Corpus.Rpm;
/// <summary>
/// Interface for fetching RPM packages from mirrors.
/// </summary>
public interface IRpmPackageSource
{
/// <summary>
/// Fetches the package index (primary.xml) for the given distro/release/arch.
/// </summary>
/// <param name="distro">Distribution (rhel, fedora, centos, rocky, almalinux).</param>
/// <param name="release">Release version (9, 39, etc.).</param>
/// <param name="architecture">Target architecture (x86_64, aarch64).</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Package metadata from primary.xml.</returns>
Task<IReadOnlyList<RpmPackageMetadata>> FetchPackageIndexAsync(
string distro,
string release,
string architecture,
CancellationToken ct = default);
/// <summary>
/// Fetches the spec file content from an SRPM.
/// </summary>
/// <param name="distro">Distribution.</param>
/// <param name="release">Release version.</param>
/// <param name="srpmFilename">SRPM filename.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Spec file content, or null if not found.</returns>
Task<string?> FetchSpecFileAsync(
string distro,
string release,
string srpmFilename,
CancellationToken ct = default);
/// <summary>
/// Downloads a package file.
/// </summary>
/// <param name="filename">Package filename.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Stream containing the package.</returns>
Task<Stream> DownloadPackageAsync(string filename, CancellationToken ct = default);
}
/// <summary>
/// Package metadata parsed from primary.xml.
/// </summary>
public sealed record RpmPackageMetadata
{
/// <summary>Package name.</summary>
public required string Name { get; init; }
/// <summary>Architecture.</summary>
public required string Arch { get; init; }
/// <summary>Epoch (0 if not specified).</summary>
public int Epoch { get; init; }
/// <summary>Version.</summary>
public required string Version { get; init; }
/// <summary>Release.</summary>
public required string Release { get; init; }
/// <summary>Package filename.</summary>
public required string Filename { get; init; }
/// <summary>Package size.</summary>
public long Size { get; init; }
/// <summary>SHA-256 checksum.</summary>
public required string Checksum { get; init; }
/// <summary>Source RPM filename.</summary>
public string? SourceRpm { get; init; }
/// <summary>Package summary.</summary>
public string? Summary { get; init; }
/// <summary>Package description.</summary>
public string? Description { get; init; }
/// <summary>Build timestamp.</summary>
public DateTimeOffset? BuildTime { get; init; }
}

156
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Rpm/RpmCorpusConnector.cs Normal file
View File

@@ -0,0 +1,156 @@
// -----------------------------------------------------------------------------
// RpmCorpusConnector.cs
// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
// Task: BACKPORT-14 — Create RpmCorpusConnector for RHEL/Fedora/CentOS
// -----------------------------------------------------------------------------
using System.Runtime.CompilerServices;
using Microsoft.Extensions.Logging;
using StellaOps.BinaryIndex.Core.Models;
using StellaOps.BinaryIndex.Core.Services;
using StellaOps.BinaryIndex.Corpus;
namespace StellaOps.BinaryIndex.Corpus.Rpm;
/// <summary>
/// RPM-based corpus connector for RHEL, Fedora, CentOS, Rocky, AlmaLinux.
/// </summary>
public sealed class RpmCorpusConnector : IBinaryCorpusConnector
{
private readonly IRpmPackageSource _packageSource;
private readonly RpmPackageExtractor _extractor;
private readonly IBinaryFeatureExtractor _featureExtractor;
private readonly ICorpusSnapshotRepository _snapshotRepo;
private readonly ILogger<RpmCorpusConnector> _logger;
public string ConnectorId => "rpm";
public string[] SupportedDistros => ["rhel", "fedora", "centos", "rocky", "almalinux"];
public RpmCorpusConnector(
IRpmPackageSource packageSource,
RpmPackageExtractor extractor,
IBinaryFeatureExtractor featureExtractor,
ICorpusSnapshotRepository snapshotRepo,
ILogger<RpmCorpusConnector> logger)
{
_packageSource = packageSource;
_extractor = extractor;
_featureExtractor = featureExtractor;
_snapshotRepo = snapshotRepo;
_logger = logger;
}
public async Task<CorpusSnapshot> FetchSnapshotAsync(CorpusQuery query, CancellationToken ct = default)
{
_logger.LogInformation(
"Fetching RPM corpus snapshot for {Distro} {Release}/{Architecture}",
query.Distro, query.Release, query.Architecture);
// Check if we already have a snapshot for this query
var existing = await _snapshotRepo.FindByKeyAsync(
query.Distro,
query.Release,
query.Architecture,
ct);
if (existing != null)
{
_logger.LogInformation("Using existing snapshot {SnapshotId}", existing.Id);
return existing;
}
// Fetch repodata/primary.xml to compute metadata digest
var packages = await _packageSource.FetchPackageIndexAsync(
query.Distro,
query.Release,
query.Architecture,
ct);
var packageList = packages.ToList();
var metadataDigest = ComputeMetadataDigest(packageList);
var snapshot = new CorpusSnapshot(
Id: Guid.NewGuid(),
Distro: query.Distro,
Release: query.Release,
Architecture: query.Architecture,
MetadataDigest: metadataDigest,
CapturedAt: DateTimeOffset.UtcNow);
await _snapshotRepo.CreateAsync(snapshot, ct);
_logger.LogInformation(
"Created RPM corpus snapshot {SnapshotId} with {PackageCount} packages",
snapshot.Id, packageList.Count);
return snapshot;
}
public async IAsyncEnumerable<PackageInfo> ListPackagesAsync(
CorpusSnapshot snapshot,
[EnumeratorCancellation] CancellationToken ct = default)
{
_logger.LogDebug("Listing packages for snapshot {SnapshotId}", snapshot.Id);
var packages = await _packageSource.FetchPackageIndexAsync(
snapshot.Distro,
snapshot.Release,
snapshot.Architecture,
ct);
foreach (var pkg in packages)
{
yield return new PackageInfo(
Name: pkg.Name,
Version: $"{pkg.Version}-{pkg.Release}",
SourcePackage: pkg.SourceRpm ?? pkg.Name,
Architecture: pkg.Arch,
Filename: pkg.Filename,
Size: pkg.Size,
Sha256: pkg.Checksum);
}
}
public async IAsyncEnumerable<ExtractedBinary> ExtractBinariesAsync(
PackageInfo pkg,
[EnumeratorCancellation] CancellationToken ct = default)
{
_logger.LogDebug("Extracting binaries from RPM {Package} {Version}", pkg.Name, pkg.Version);
Stream? rpmStream = null;
try
{
// Download the .rpm package
rpmStream = await _packageSource.DownloadPackageAsync(pkg.Filename, ct);
// Extract binaries using RpmPackageExtractor
var extractedBinaries = await _extractor.ExtractBinariesAsync(rpmStream, pkg, ct);
foreach (var binary in extractedBinaries)
{
yield return new ExtractedBinary(
Identity: binary.Identity,
PathInPackage: binary.FilePath,
Package: pkg);
}
}
finally
{
if (rpmStream != null)
{
await rpmStream.DisposeAsync();
}
}
}
private static string ComputeMetadataDigest(IEnumerable<RpmPackageMetadata> packages)
{
var combined = string.Join("|", packages
.OrderBy(p => p.Name)
.Select(p => $"{p.Name}:{p.Epoch}:{p.Version}-{p.Release}:{p.Checksum}"));
using var sha256 = System.Security.Cryptography.SHA256.Create();
var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(combined));
return Convert.ToHexString(hash).ToLowerInvariant();
}
}

203
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Rpm/RpmPackageExtractor.cs Normal file
View File

@@ -0,0 +1,203 @@
// -----------------------------------------------------------------------------
// RpmPackageExtractor.cs
// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
// Task: BACKPORT-14 — Create RpmCorpusConnector for RHEL/Fedora/CentOS
// -----------------------------------------------------------------------------
using Microsoft.Extensions.Logging;
using SharpCompress.Archives;
using SharpCompress.Compressors.Xz;
using SharpCompress.Readers.Cpio;
using StellaOps.BinaryIndex.Core.Models;
using StellaOps.BinaryIndex.Core.Services;
using StellaOps.BinaryIndex.Corpus;
namespace StellaOps.BinaryIndex.Corpus.Rpm;
/// <summary>
/// Extracts binaries from RPM packages.
/// </summary>
public sealed class RpmPackageExtractor
{
private readonly IBinaryFeatureExtractor _featureExtractor;
private readonly ILogger<RpmPackageExtractor> _logger;
// ELF magic bytes
private static readonly byte[] ElfMagic = [0x7F, 0x45, 0x4C, 0x46];
// RPM magic bytes
private static readonly byte[] RpmMagic = [0xED, 0xAB, 0xEE, 0xDB];
public RpmPackageExtractor(
IBinaryFeatureExtractor featureExtractor,
ILogger<RpmPackageExtractor> logger)
{
_featureExtractor = featureExtractor;
_logger = logger;
}
/// <summary>
/// Extracts ELF binaries from an RPM package.
/// </summary>
/// <param name="rpmStream">Stream containing the .rpm package.</param>
/// <param name="pkg">Package metadata.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Extracted binaries with identity information.</returns>
public async Task<IReadOnlyList<ExtractedBinaryInfo>> ExtractBinariesAsync(
Stream rpmStream,
PackageInfo pkg,
CancellationToken ct = default)
{
var results = new List<ExtractedBinaryInfo>();
try
{
// RPM structure: lead + signature header + header + payload (cpio.xz/cpio.gz/cpio.zstd)
var payloadStream = await ExtractPayloadAsync(rpmStream, ct);
if (payloadStream == null)
{
_logger.LogWarning("Could not extract payload from RPM {Package}", pkg.Name);
return results;
}
using var reader = CpioReader.Open(payloadStream);
while (reader.MoveToNextEntry())
{
ct.ThrowIfCancellationRequested();
if (reader.Entry.IsDirectory)
continue;
using var entryStream = reader.OpenEntryStream();
using var ms = new MemoryStream();
await entryStream.CopyToAsync(ms, ct);
ms.Position = 0;
if (!IsElfBinary(ms))
{
continue;
}
ms.Position = 0;
try
{
var identity = await _featureExtractor.ExtractIdentityAsync(ms, reader.Entry.Key ?? "", ct);
results.Add(new ExtractedBinaryInfo(identity, reader.Entry.Key ?? ""));
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Failed to extract identity from {File} in RPM {Package}",
reader.Entry.Key, pkg.Name);
}
}
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to extract binaries from RPM package {Package}", pkg.Name);
}
return results;
}
private async Task<Stream?> ExtractPayloadAsync(Stream rpmStream, CancellationToken ct)
{
// Skip RPM lead (96 bytes)
var lead = new byte[96];
var read = await rpmStream.ReadAsync(lead.AsMemory(0, 96), ct);
if (read != 96 || !lead.AsSpan(0, 4).SequenceEqual(RpmMagic))
{
_logger.LogWarning("Invalid RPM lead");
return null;
}
// Skip signature header (aligned to 8 bytes)
var sigHeader = await SkipHeaderAsync(rpmStream, ct);
if (sigHeader < 0)
{
_logger.LogWarning("Failed to skip signature header");
return null;
}
// Skip main header
var mainHeader = await SkipHeaderAsync(rpmStream, ct);
if (mainHeader < 0)
{
_logger.LogWarning("Failed to skip main header");
return null;
}
// The rest is the payload (compressed cpio)
var payloadMs = new MemoryStream();
await rpmStream.CopyToAsync(payloadMs, ct);
payloadMs.Position = 0;
// Try to decompress (xz is most common for modern RPMs)
try
{
var xzStream = new XZStream(payloadMs);
var decompressed = new MemoryStream();
await xzStream.CopyToAsync(decompressed, ct);
decompressed.Position = 0;
return decompressed;
}
catch
{
// Try other compression formats or return as-is
payloadMs.Position = 0;
return payloadMs;
}
}
private static async Task<long> SkipHeaderAsync(Stream stream, CancellationToken ct)
{
// RPM header magic: 8D AD E8 01
var headerMagic = new byte[8];
var read = await stream.ReadAsync(headerMagic.AsMemory(0, 8), ct);
if (read != 8)
return -1;
// Header index entries count (4 bytes, big-endian)
var indexCount = (headerMagic[4] << 24) | (headerMagic[5] << 16) | (headerMagic[6] << 8) | headerMagic[7];
// Read data size (4 bytes, big-endian)
var dataSizeBytes = new byte[4];
read = await stream.ReadAsync(dataSizeBytes.AsMemory(0, 4), ct);
if (read != 4)
return -1;
var dataSize = (dataSizeBytes[0] << 24) | (dataSizeBytes[1] << 16) | (dataSizeBytes[2] << 8) | dataSizeBytes[3];
// Skip index entries (16 bytes each) and data
var toSkip = (indexCount * 16) + dataSize;
// Align to 8 bytes
var position = stream.Position + toSkip;
var padding = (8 - (position % 8)) % 8;
toSkip += (int)padding;
var buffer = new byte[toSkip];
read = await stream.ReadAsync(buffer.AsMemory(0, toSkip), ct);
if (read != toSkip)
return -1;
return toSkip;
}
private static bool IsElfBinary(Stream stream)
{
if (stream.Length < 4)
return false;
var buffer = new byte[4];
var read = stream.Read(buffer, 0, 4);
stream.Position = 0;
return read == 4 && buffer.AsSpan().SequenceEqual(ElfMagic);
}
}
/// <summary>
/// Information about an extracted binary.
/// </summary>
public sealed record ExtractedBinaryInfo(BinaryIdentity Identity, string FilePath);

21
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Corpus.Rpm/StellaOps.BinaryIndex.Corpus.Rpm.csproj Normal file
View File

@@ -0,0 +1,21 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<LangVersion>preview</LangVersion>
<GenerateDocumentationFile>true</GenerateDocumentationFile>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="SharpCompress" Version="0.38.0" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Http" Version="10.0.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\StellaOps.BinaryIndex.Core\StellaOps.BinaryIndex.Core.csproj" />
<ProjectReference Include="..\StellaOps.BinaryIndex.Corpus\StellaOps.BinaryIndex.Corpus.csproj" />
<ProjectReference Include="..\StellaOps.BinaryIndex.FixIndex\StellaOps.BinaryIndex.FixIndex.csproj" />
</ItemGroup>
</Project>

224
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Parsers/RpmChangelogParser.cs Normal file
View File

@@ -0,0 +1,224 @@
using System.Text.RegularExpressions;
using StellaOps.BinaryIndex.FixIndex.Models;
namespace StellaOps.BinaryIndex.FixIndex.Parsers;
/// <summary>
/// Parses RPM spec file changelog sections for CVE mentions.
/// </summary>
/// <remarks>
/// RPM changelog format:
/// %changelog
/// * Mon Jan 01 2024 Packager &lt;email&gt; - 1.2.3-4
/// - Fix CVE-2024-1234
/// </remarks>
public sealed partial class RpmChangelogParser : IChangelogParser
{
[GeneratedRegex(@"\bCVE-\d{4}-\d{4,7}\b", RegexOptions.Compiled)]
private static partial Regex CvePatternRegex();
[GeneratedRegex(@"^\*\s+\w{3}\s+\w{3}\s+\d{1,2}\s+\d{4}\s+(.+?)\s+-\s+(\S+)", RegexOptions.Compiled)]
private static partial Regex EntryHeaderPatternRegex();
[GeneratedRegex(@"^%changelog\s*$", RegexOptions.Compiled | RegexOptions.IgnoreCase)]
private static partial Regex ChangelogStartPatternRegex();
[GeneratedRegex(@"^%\w+", RegexOptions.Compiled)]
private static partial Regex SectionStartPatternRegex();
/// <summary>
/// Parses the top entry of an RPM spec changelog for CVE mentions.
/// </summary>
public IEnumerable<FixEvidence> ParseTopEntry(
string specContent,
string distro,
string release,
string sourcePkg)
{
if (string.IsNullOrWhiteSpace(specContent))
yield break;
var lines = specContent.Split('\n');
var inChangelog = false;
var inFirstEntry = false;
string? currentVersion = null;
var entryLines = new List<string>();
foreach (var line in lines)
{
// Detect %changelog start
if (ChangelogStartPatternRegex().IsMatch(line))
{
inChangelog = true;
continue;
}
if (!inChangelog)
continue;
// Exit on new section (e.g., %files, %prep)
if (SectionStartPatternRegex().IsMatch(line) && !ChangelogStartPatternRegex().IsMatch(line))
break;
// Detect entry header: * Day Mon DD YYYY Author <email> - version
var headerMatch = EntryHeaderPatternRegex().Match(line);
if (headerMatch.Success)
{
if (inFirstEntry)
{
// We've hit the second entry, stop processing
break;
}
inFirstEntry = true;
currentVersion = headerMatch.Groups[2].Value;
entryLines.Add(line);
continue;
}
if (inFirstEntry)
{
entryLines.Add(line);
}
}
if (currentVersion == null || entryLines.Count == 0)
yield break;
var entryText = string.Join('\n', entryLines);
var cves = CvePatternRegex().Matches(entryText)
.Select(m => m.Value)
.Distinct()
.ToList();
foreach (var cve in cves)
{
yield return new FixEvidence
{
Distro = distro,
Release = release,
SourcePkg = sourcePkg,
CveId = cve,
State = FixState.Fixed,
FixedVersion = currentVersion,
Method = FixMethod.Changelog,
Confidence = 0.75m, // RPM changelogs are less structured than Debian
Evidence = new ChangelogEvidence
{
File = "*.spec",
Version = currentVersion,
Excerpt = entryText.Length > 2000 ? entryText[..2000] : entryText,
LineNumber = null
},
CreatedAt = DateTimeOffset.UtcNow
};
}
}
/// <summary>
/// Parses the full RPM spec changelog for all CVE mentions with their versions.
/// </summary>
public IEnumerable<FixEvidence> ParseAllEntries(
string specContent,
string distro,
string release,
string sourcePkg)
{
if (string.IsNullOrWhiteSpace(specContent))
yield break;
var lines = specContent.Split('\n');
var inChangelog = false;
string? currentVersion = null;
var currentEntry = new List<string>();
foreach (var line in lines)
{
// Detect %changelog start
if (ChangelogStartPatternRegex().IsMatch(line))
{
inChangelog = true;
continue;
}
if (!inChangelog)
continue;
// Exit on new section
if (SectionStartPatternRegex().IsMatch(line) && !ChangelogStartPatternRegex().IsMatch(line))
{
// Process last entry
if (currentVersion != null && currentEntry.Count > 0)
{
foreach (var fix in ExtractCvesFromEntry(currentEntry, currentVersion, distro, release, sourcePkg))
yield return fix;
}
break;
}
// Detect entry header
var headerMatch = EntryHeaderPatternRegex().Match(line);
if (headerMatch.Success)
{
// Process previous entry
if (currentVersion != null && currentEntry.Count > 0)
{
foreach (var fix in ExtractCvesFromEntry(currentEntry, currentVersion, distro, release, sourcePkg))
yield return fix;
}
currentVersion = headerMatch.Groups[2].Value;
currentEntry = [line];
continue;
}
if (currentVersion != null)
{
currentEntry.Add(line);
}
}
// Process final entry if exists
if (currentVersion != null && currentEntry.Count > 0)
{
foreach (var fix in ExtractCvesFromEntry(currentEntry, currentVersion, distro, release, sourcePkg))
yield return fix;
}
}
private IEnumerable<FixEvidence> ExtractCvesFromEntry(
List<string> entryLines,
string version,
string distro,
string release,
string sourcePkg)
{
var entryText = string.Join('\n', entryLines);
var cves = CvePatternRegex().Matches(entryText)
.Select(m => m.Value)
.Distinct();
foreach (var cve in cves)
{
yield return new FixEvidence
{
Distro = distro,
Release = release,
SourcePkg = sourcePkg,
CveId = cve,
State = FixState.Fixed,
FixedVersion = version,
Method = FixMethod.Changelog,
Confidence = 0.75m,
Evidence = new ChangelogEvidence
{
File = "*.spec",
Version = version,
Excerpt = entryText.Length > 2000 ? entryText[..2000] : entryText,
LineNumber = null
},
CreatedAt = DateTimeOffset.UtcNow
};
}
}
}

111
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Repositories/IFixIndexRepository.cs Normal file
View File

@@ -0,0 +1,111 @@
using StellaOps.BinaryIndex.FixIndex.Models;
namespace StellaOps.BinaryIndex.FixIndex.Repositories;
/// <summary>
/// Repository interface for CVE fix index operations.
/// </summary>
public interface IFixIndexRepository
{
/// <summary>
/// Gets the fix status for a specific CVE/package/distro combination.
/// </summary>
/// <param name="distro">Distribution (debian, ubuntu, alpine, rhel)</param>
/// <param name="release">Release codename (bookworm, jammy, v3.19)</param>
/// <param name="sourcePkg">Source package name</param>
/// <param name="cveId">CVE identifier</param>
/// <param name="cancellationToken">Cancellation token</param>
/// <returns>Fix status if found, null otherwise</returns>
Task<FixIndexEntry?> GetFixStatusAsync(
string distro,
string release,
string sourcePkg,
string cveId,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets all fix statuses for a package.
/// </summary>
Task<IReadOnlyList<FixIndexEntry>> GetFixStatusesForPackageAsync(
string distro,
string release,
string sourcePkg,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets all known fix locations for a CVE across distros.
/// </summary>
Task<IReadOnlyList<FixIndexEntry>> GetFixLocationsForCveAsync(
string cveId,
CancellationToken cancellationToken = default);
/// <summary>
/// Upserts a fix index entry.
/// </summary>
Task<FixIndexEntry> UpsertAsync(
FixEvidence evidence,
CancellationToken cancellationToken = default);
/// <summary>
/// Batch upserts fix index entries.
/// </summary>
Task<int> UpsertBatchAsync(
IEnumerable<FixEvidence> evidenceList,
CancellationToken cancellationToken = default);
/// <summary>
/// Stores fix evidence for audit trail.
/// </summary>
Task<Guid> StoreEvidenceAsync(
FixEvidence evidence,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets evidence by ID.
/// </summary>
Task<FixEvidenceRecord?> GetEvidenceAsync(
Guid evidenceId,
CancellationToken cancellationToken = default);
/// <summary>
/// Deletes all entries from a specific snapshot (for re-ingestion).
/// </summary>
Task<int> DeleteBySnapshotAsync(
Guid snapshotId,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Fix index entry from the database.
/// </summary>
public sealed record FixIndexEntry
{
public required Guid Id { get; init; }
public required string Distro { get; init; }
public required string Release { get; init; }
public required string SourcePkg { get; init; }
public required string CveId { get; init; }
public required FixState State { get; init; }
public string? FixedVersion { get; init; }
public required FixMethod Method { get; init; }
public required decimal Confidence { get; init; }
public Guid? EvidenceId { get; init; }
public Guid? SnapshotId { get; init; }
public required DateTimeOffset IndexedAt { get; init; }
public required DateTimeOffset UpdatedAt { get; init; }
}
/// <summary>
/// Fix evidence record from the database.
/// </summary>
public sealed record FixEvidenceRecord
{
public required Guid Id { get; init; }
public required string EvidenceType { get; init; }
public string? SourceFile { get; init; }
public string? SourceSha256 { get; init; }
public string? Excerpt { get; init; }
public required string MetadataJson { get; init; }
public Guid? SnapshotId { get; init; }
public required DateTimeOffset CreatedAt { get; init; }
}

127
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Services/FixIndexBuilder.cs Normal file
View File

@@ -0,0 +1,127 @@
using System.Runtime.CompilerServices;
using Microsoft.Extensions.Logging;
using StellaOps.BinaryIndex.FixIndex.Models;
using StellaOps.BinaryIndex.FixIndex.Parsers;
namespace StellaOps.BinaryIndex.FixIndex.Services;
/// <summary>
/// Default implementation of <see cref="IFixIndexBuilder"/>.
/// </summary>
public sealed class FixIndexBuilder : IFixIndexBuilder
{
private readonly ILogger<FixIndexBuilder> _logger;
private readonly DebianChangelogParser _debianParser;
private readonly PatchHeaderParser _patchParser;
private readonly AlpineSecfixesParser _alpineParser;
private readonly RpmChangelogParser _rpmParser;
public FixIndexBuilder(ILogger<FixIndexBuilder> logger)
{
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_debianParser = new DebianChangelogParser();
_patchParser = new PatchHeaderParser();
_alpineParser = new AlpineSecfixesParser();
_rpmParser = new RpmChangelogParser();
}
/// <inheritdoc />
public async IAsyncEnumerable<FixEvidence> BuildDebianIndexAsync(
DebianFixIndexRequest request,
[EnumeratorCancellation] CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
_logger.LogDebug(
"Building Debian fix index for {Distro}/{Release}/{Package}",
request.Distro, request.Release, request.SourcePkg);
var cvesSeen = new HashSet<string>();
// Parse changelog for CVE mentions
if (!string.IsNullOrWhiteSpace(request.Changelog))
{
foreach (var evidence in _debianParser.ParseTopEntry(
request.Changelog,
request.Distro,
request.Release,
request.SourcePkg))
{
if (cvesSeen.Add(evidence.CveId))
{
yield return evidence with { SnapshotId = request.SnapshotId };
}
}
}
// Parse patches for CVE mentions (DEP-3 format)
if (request.Patches != null && request.Patches.Count > 0 && !string.IsNullOrEmpty(request.Version))
{
var patchTuples = request.Patches
.Select(p => (p.Path, p.Content, p.Sha256));
foreach (var evidence in _patchParser.ParsePatches(
patchTuples,
request.Distro,
request.Release,
request.SourcePkg,
request.Version))
{
// Patches have higher confidence, so they can override changelog entries
if (cvesSeen.Add(evidence.CveId) || evidence.Confidence > 0.85m)
{
yield return evidence with { SnapshotId = request.SnapshotId };
}
}
}
await Task.CompletedTask; // Satisfy async requirement
}
/// <inheritdoc />
public async IAsyncEnumerable<FixEvidence> BuildAlpineIndexAsync(
AlpineFixIndexRequest request,
[EnumeratorCancellation] CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
_logger.LogDebug(
"Building Alpine fix index for {Release}/{Package}",
request.Release, request.SourcePkg);
foreach (var evidence in _alpineParser.Parse(
request.ApkBuild,
request.Distro,
request.Release,
request.SourcePkg))
{
yield return evidence with { SnapshotId = request.SnapshotId };
}
await Task.CompletedTask;
}
/// <inheritdoc />
public async IAsyncEnumerable<FixEvidence> BuildRpmIndexAsync(
RpmFixIndexRequest request,
[EnumeratorCancellation] CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
_logger.LogDebug(
"Building RPM fix index for {Distro}/{Release}/{Package}",
request.Distro, request.Release, request.SourcePkg);
// Parse spec file changelog
foreach (var evidence in _rpmParser.ParseAllEntries(
request.SpecContent,
request.Distro,
request.Release,
request.SourcePkg))
{
yield return evidence with { SnapshotId = request.SnapshotId };
}
await Task.CompletedTask;
}
}

123
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.FixIndex/Services/IFixIndexBuilder.cs Normal file
View File

@@ -0,0 +1,123 @@
using StellaOps.BinaryIndex.FixIndex.Models;
namespace StellaOps.BinaryIndex.FixIndex.Services;
/// <summary>
/// Interface for building the CVE fix index from various sources.
/// </summary>
public interface IFixIndexBuilder
{
/// <summary>
/// Builds fix index entries for a Debian/Ubuntu package.
/// </summary>
/// <param name="request">The Debian build request.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Fix evidence entries.</returns>
IAsyncEnumerable<FixEvidence> BuildDebianIndexAsync(
DebianFixIndexRequest request,
CancellationToken cancellationToken = default);
/// <summary>
/// Builds fix index entries for an Alpine package.
/// </summary>
/// <param name="request">The Alpine build request.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Fix evidence entries.</returns>
IAsyncEnumerable<FixEvidence> BuildAlpineIndexAsync(
AlpineFixIndexRequest request,
CancellationToken cancellationToken = default);
/// <summary>
/// Builds fix index entries for an RPM package.
/// </summary>
/// <param name="request">The RPM build request.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Fix evidence entries.</returns>
IAsyncEnumerable<FixEvidence> BuildRpmIndexAsync(
RpmFixIndexRequest request,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Request for building Debian fix index.
/// </summary>
public sealed record DebianFixIndexRequest
{
/// <summary>Distribution (debian or ubuntu).</summary>
public required string Distro { get; init; }
/// <summary>Release codename (bookworm, jammy).</summary>
public required string Release { get; init; }
/// <summary>Source package name.</summary>
public required string SourcePkg { get; init; }
/// <summary>Changelog content.</summary>
public string? Changelog { get; init; }
/// <summary>Patches with path, content, and SHA-256.</summary>
public IReadOnlyList<PatchFile>? Patches { get; init; }
/// <summary>Package version for patch association.</summary>
public string? Version { get; init; }
/// <summary>Corpus snapshot ID.</summary>
public Guid? SnapshotId { get; init; }
}
/// <summary>
/// Request for building Alpine fix index.
/// </summary>
public sealed record AlpineFixIndexRequest
{
/// <summary>Distribution (always "alpine").</summary>
public string Distro => "alpine";
/// <summary>Release (v3.19, edge).</summary>
public required string Release { get; init; }
/// <summary>Source package name.</summary>
public required string SourcePkg { get; init; }
/// <summary>APKBUILD file content.</summary>
public required string ApkBuild { get; init; }
/// <summary>Corpus snapshot ID.</summary>
public Guid? SnapshotId { get; init; }
}
/// <summary>
/// Request for building RPM fix index.
/// </summary>
public sealed record RpmFixIndexRequest
{
/// <summary>Distribution (rhel, fedora, centos, rocky, alma).</summary>
public required string Distro { get; init; }
/// <summary>Release version (9, 39, etc.).</summary>
public required string Release { get; init; }
/// <summary>Source package name.</summary>
public required string SourcePkg { get; init; }
/// <summary>Spec file content.</summary>
public required string SpecContent { get; init; }
/// <summary>Corpus snapshot ID.</summary>
public Guid? SnapshotId { get; init; }
}
/// <summary>
/// Represents a patch file with content.
/// </summary>
public sealed record PatchFile
{
/// <summary>Relative path to the patch file.</summary>
public required string Path { get; init; }
/// <summary>Content of the patch file.</summary>
public required string Content { get; init; }
/// <summary>SHA-256 hash of the patch content.</summary>
public required string Sha256 { get; init; }
}

178
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Migrations/003_create_fix_index_tables.sql Normal file
View File

@@ -0,0 +1,178 @@
-- =============================================================================
-- 003_create_fix_index_tables.sql
-- Sprint: SPRINT_20251226_012_BINIDX_backport_handling
-- Tasks: BACKPORT-01, BACKPORT-02
-- Description: Creates CVE fix index tables for patch-aware backport handling
-- =============================================================================
-- -----------------------------------------------------------------------------
-- fix_evidence: Audit trail for how fix status was determined
-- -----------------------------------------------------------------------------
CREATE TABLE IF NOT EXISTS binaries.fix_evidence (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id TEXT NOT NULL DEFAULT binaries_app.require_current_tenant(),
-- Evidence type: changelog, patch_header, security_feed, upstream_match
evidence_type TEXT NOT NULL,
-- Source file (e.g., "debian/changelog", "alpine/APKBUILD", "openssl.spec")
source_file TEXT,
-- SHA-256 of source file for integrity
source_sha256 TEXT,
-- Truncated excerpt of relevant content (max 2KB)
excerpt TEXT,
-- Structured metadata as JSONB for type-specific fields
metadata JSONB NOT NULL DEFAULT '{}',
-- Corpus snapshot this evidence came from
snapshot_id UUID,
-- Timestamps
created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
CONSTRAINT fix_evidence_type_check CHECK (evidence_type IN (
'changelog', 'patch_header', 'security_feed', 'upstream_match'
))
);
-- Enable RLS
ALTER TABLE binaries.fix_evidence ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON binaries.fix_evidence
USING (tenant_id = binaries_app.require_current_tenant());
-- Index for snapshot cleanup
CREATE INDEX IF NOT EXISTS idx_fix_evidence_snapshot
ON binaries.fix_evidence (tenant_id, snapshot_id);
-- -----------------------------------------------------------------------------
-- cve_fix_index: Patch-aware CVE fix status per distro/release/package
-- -----------------------------------------------------------------------------
CREATE TABLE IF NOT EXISTS binaries.cve_fix_index (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id TEXT NOT NULL DEFAULT binaries_app.require_current_tenant(),
-- Distribution coordinates
distro TEXT NOT NULL, -- debian, ubuntu, alpine, rhel, fedora, centos
release TEXT NOT NULL, -- bookworm, jammy, v3.19, 9
source_pkg TEXT NOT NULL, -- Source package name
-- CVE identification
cve_id TEXT NOT NULL, -- CVE-YYYY-NNNN
-- Fix status
state TEXT NOT NULL, -- fixed, vulnerable, not_affected, wontfix, unknown
fixed_version TEXT, -- Distro version string where fix was applied
-- How this status was determined
method TEXT NOT NULL, -- security_feed, changelog, patch_header, upstream_match
-- Confidence score (0.00-1.00)
-- security_feed: 0.99, patch_header: 0.90, changelog: 0.80, upstream_match: 0.85
confidence DECIMAL(3,2) NOT NULL,
-- Reference to evidence audit trail
evidence_id UUID REFERENCES binaries.fix_evidence(id),
-- Corpus snapshot this came from
snapshot_id UUID,
-- Timestamps
indexed_at TIMESTAMPTZ NOT NULL DEFAULT now(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
-- Unique per distro/release/package/cve
CONSTRAINT cve_fix_index_unique UNIQUE (tenant_id, distro, release, source_pkg, cve_id),
-- State validation
CONSTRAINT cve_fix_state_check CHECK (state IN (
'fixed', 'vulnerable', 'not_affected', 'wontfix', 'unknown'
)),
-- Method validation
CONSTRAINT cve_fix_method_check CHECK (method IN (
'security_feed', 'changelog', 'patch_header', 'upstream_match'
)),
-- Confidence range validation
CONSTRAINT cve_fix_confidence_check CHECK (confidence >= 0.00 AND confidence <= 1.00)
);
-- Enable RLS
ALTER TABLE binaries.cve_fix_index ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON binaries.cve_fix_index
USING (tenant_id = binaries_app.require_current_tenant());
-- Primary lookup index: distro/release/package/cve
CREATE INDEX IF NOT EXISTS idx_cve_fix_lookup
ON binaries.cve_fix_index (tenant_id, distro, release, source_pkg, cve_id);
-- Index for CVE-centric queries (e.g., "where is CVE-X fixed?")
CREATE INDEX IF NOT EXISTS idx_cve_fix_by_cve
ON binaries.cve_fix_index (tenant_id, cve_id, distro, release);
-- Index for version-based queries
CREATE INDEX IF NOT EXISTS idx_cve_fix_by_version
ON binaries.cve_fix_index (tenant_id, distro, release, source_pkg, fixed_version);
-- Index for snapshot cleanup
CREATE INDEX IF NOT EXISTS idx_cve_fix_snapshot
ON binaries.cve_fix_index (tenant_id, snapshot_id);
-- Index for state filtering
CREATE INDEX IF NOT EXISTS idx_cve_fix_by_state
ON binaries.cve_fix_index (tenant_id, distro, release, state);
-- -----------------------------------------------------------------------------
-- fix_index_priority: Resolution priority when multiple sources conflict
-- Higher priority sources override lower priority sources
-- -----------------------------------------------------------------------------
CREATE TABLE IF NOT EXISTS binaries.fix_index_priority (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id TEXT NOT NULL DEFAULT binaries_app.require_current_tenant(),
-- Priority order (lower number = higher priority)
priority INTEGER NOT NULL,
-- Method type
method TEXT NOT NULL,
-- Description
description TEXT,
-- Active flag
is_active BOOLEAN NOT NULL DEFAULT true,
CONSTRAINT fix_index_priority_unique UNIQUE (tenant_id, method)
);
-- Enable RLS
ALTER TABLE binaries.fix_index_priority ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON binaries.fix_index_priority
USING (tenant_id = binaries_app.require_current_tenant());
-- -----------------------------------------------------------------------------
-- Insert default priorities
-- Security feeds are authoritative and override other sources
-- -----------------------------------------------------------------------------
-- Note: Default priorities will be inserted per-tenant on first use
-- -----------------------------------------------------------------------------
-- Comments for documentation
-- -----------------------------------------------------------------------------
COMMENT ON TABLE binaries.fix_evidence IS
'Audit trail for CVE fix determinations, storing excerpts and metadata for traceability';
COMMENT ON TABLE binaries.cve_fix_index IS
'Patch-aware CVE fix index enabling accurate vulnerability status despite version pinning';
COMMENT ON COLUMN binaries.cve_fix_index.confidence IS
'Confidence score: security_feed=0.99, patch_header=0.90, changelog=0.80, upstream_match=0.85';
COMMENT ON COLUMN binaries.cve_fix_index.method IS
'How fix status was determined: security_feed (OVAL/DSA), changelog, patch_header (DEP-3), upstream_match';

321
src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Repositories/FixIndexRepository.cs Normal file
View File

@@ -0,0 +1,321 @@
using System.Text.Json;
using Npgsql;
using NpgsqlTypes;
using StellaOps.BinaryIndex.FixIndex.Models;
using StellaOps.BinaryIndex.FixIndex.Repositories;
namespace StellaOps.BinaryIndex.Persistence.Repositories;
/// <summary>
/// PostgreSQL implementation of <see cref="IFixIndexRepository"/>.
/// </summary>
public sealed class FixIndexRepository : IFixIndexRepository
{
private readonly BinaryIndexDataSource _dataSource;
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
public FixIndexRepository(BinaryIndexDataSource dataSource)
{
_dataSource = dataSource ?? throw new ArgumentNullException(nameof(dataSource));
}
/// <inheritdoc />
public async Task<FixIndexEntry?> GetFixStatusAsync(
string distro,
string release,
string sourcePkg,
string cveId,
CancellationToken cancellationToken = default)
{
const string sql = """
SELECT id, distro, release, source_pkg, cve_id, state, fixed_version,
method, confidence, evidence_id, snapshot_id, indexed_at, updated_at
FROM binaries.cve_fix_index
WHERE distro = @distro AND release = @release
AND source_pkg = @sourcePkg AND cve_id = @cveId
""";
await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
await using var cmd = new NpgsqlCommand(sql, conn);
cmd.Parameters.AddWithValue("distro", distro);
cmd.Parameters.AddWithValue("release", release);
cmd.Parameters.AddWithValue("sourcePkg", sourcePkg);
cmd.Parameters.AddWithValue("cveId", cveId);
await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
if (await reader.ReadAsync(cancellationToken))
{
return MapToFixIndexEntry(reader);
}
return null;
}
/// <inheritdoc />
public async Task<IReadOnlyList<FixIndexEntry>> GetFixStatusesForPackageAsync(
string distro,
string release,
string sourcePkg,
CancellationToken cancellationToken = default)
{
const string sql = """
SELECT id, distro, release, source_pkg, cve_id, state, fixed_version,
method, confidence, evidence_id, snapshot_id, indexed_at, updated_at
FROM binaries.cve_fix_index
WHERE distro = @distro AND release = @release AND source_pkg = @sourcePkg
ORDER BY cve_id
""";
await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
await using var cmd = new NpgsqlCommand(sql, conn);
cmd.Parameters.AddWithValue("distro", distro);
cmd.Parameters.AddWithValue("release", release);
cmd.Parameters.AddWithValue("sourcePkg", sourcePkg);
var results = new List<FixIndexEntry>();
await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
while (await reader.ReadAsync(cancellationToken))
{
results.Add(MapToFixIndexEntry(reader));
}
return results;
}
/// <inheritdoc />
public async Task<IReadOnlyList<FixIndexEntry>> GetFixLocationsForCveAsync(
string cveId,
CancellationToken cancellationToken = default)
{
const string sql = """
SELECT id, distro, release, source_pkg, cve_id, state, fixed_version,
method, confidence, evidence_id, snapshot_id, indexed_at, updated_at
FROM binaries.cve_fix_index
WHERE cve_id = @cveId
ORDER BY distro, release, source_pkg
""";
await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
await using var cmd = new NpgsqlCommand(sql, conn);
cmd.Parameters.AddWithValue("cveId", cveId);
var results = new List<FixIndexEntry>();
await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
while (await reader.ReadAsync(cancellationToken))
{
results.Add(MapToFixIndexEntry(reader));
}
return results;
}
/// <inheritdoc />
public async Task<FixIndexEntry> UpsertAsync(
FixEvidence evidence,
CancellationToken cancellationToken = default)
{
// First store evidence
var evidenceId = await StoreEvidenceAsync(evidence, cancellationToken);
const string sql = """
INSERT INTO binaries.cve_fix_index
(distro, release, source_pkg, cve_id, state, fixed_version, method, confidence, evidence_id, snapshot_id)
VALUES
(@distro, @release, @sourcePkg, @cveId, @state, @fixedVersion, @method, @confidence, @evidenceId, @snapshotId)
ON CONFLICT (tenant_id, distro, release, source_pkg, cve_id)
DO UPDATE SET
state = EXCLUDED.state,
fixed_version = EXCLUDED.fixed_version,
method = CASE
WHEN binaries.cve_fix_index.confidence < EXCLUDED.confidence THEN EXCLUDED.method
ELSE binaries.cve_fix_index.method
END,
confidence = GREATEST(binaries.cve_fix_index.confidence, EXCLUDED.confidence),
evidence_id = CASE
WHEN binaries.cve_fix_index.confidence < EXCLUDED.confidence THEN EXCLUDED.evidence_id
ELSE binaries.cve_fix_index.evidence_id
END,
snapshot_id = EXCLUDED.snapshot_id,
updated_at = now()
RETURNING id, distro, release, source_pkg, cve_id, state, fixed_version,
method, confidence, evidence_id, snapshot_id, indexed_at, updated_at
""";
await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
await using var cmd = new NpgsqlCommand(sql, conn);
cmd.Parameters.AddWithValue("distro", evidence.Distro);
cmd.Parameters.AddWithValue("release", evidence.Release);
cmd.Parameters.AddWithValue("sourcePkg", evidence.SourcePkg);
cmd.Parameters.AddWithValue("cveId", evidence.CveId);
cmd.Parameters.AddWithValue("state", evidence.State.ToString().ToLowerInvariant());
cmd.Parameters.AddWithValue("fixedVersion", (object?)evidence.FixedVersion ?? DBNull.Value);
cmd.Parameters.AddWithValue("method", evidence.Method.ToString().ToLowerInvariant());
cmd.Parameters.AddWithValue("confidence", evidence.Confidence);
cmd.Parameters.AddWithValue("evidenceId", evidenceId);
cmd.Parameters.AddWithValue("snapshotId", (object?)evidence.SnapshotId ?? DBNull.Value);
await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
await reader.ReadAsync(cancellationToken);
return MapToFixIndexEntry(reader);
}
/// <inheritdoc />
public async Task<int> UpsertBatchAsync(
IEnumerable<FixEvidence> evidenceList,
CancellationToken cancellationToken = default)
{
var count = 0;
foreach (var evidence in evidenceList)
{
await UpsertAsync(evidence, cancellationToken);
count++;
}
return count;
}
/// <inheritdoc />
public async Task<Guid> StoreEvidenceAsync(
FixEvidence evidence,
CancellationToken cancellationToken = default)
{
var (evidenceType, sourceFile, excerpt, metadata) = MapEvidencePayload(evidence.Evidence);
const string sql = """
INSERT INTO binaries.fix_evidence
(evidence_type, source_file, excerpt, metadata, snapshot_id)
VALUES
(@evidenceType, @sourceFile, @excerpt, @metadata::jsonb, @snapshotId)
RETURNING id
""";
await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
await using var cmd = new NpgsqlCommand(sql, conn);
cmd.Parameters.AddWithValue("evidenceType", evidenceType);
cmd.Parameters.AddWithValue("sourceFile", (object?)sourceFile ?? DBNull.Value);
cmd.Parameters.AddWithValue("excerpt", (object?)excerpt ?? DBNull.Value);
cmd.Parameters.AddWithValue("metadata", NpgsqlDbType.Jsonb, metadata);
cmd.Parameters.AddWithValue("snapshotId", (object?)evidence.SnapshotId ?? DBNull.Value);
var result = await cmd.ExecuteScalarAsync(cancellationToken);
return (Guid)result!;
}
/// <inheritdoc />
public async Task<FixEvidenceRecord?> GetEvidenceAsync(
Guid evidenceId,
CancellationToken cancellationToken = default)
{
const string sql = """
SELECT id, evidence_type, source_file, source_sha256, excerpt, metadata::text, snapshot_id, created_at
FROM binaries.fix_evidence
WHERE id = @id
""";
await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
await using var cmd = new NpgsqlCommand(sql, conn);
cmd.Parameters.AddWithValue("id", evidenceId);
await using var reader = await cmd.ExecuteReaderAsync(cancellationToken);
if (await reader.ReadAsync(cancellationToken))
{
return new FixEvidenceRecord
{
Id = reader.GetGuid(0),
EvidenceType = reader.GetString(1),
SourceFile = reader.IsDBNull(2) ? null : reader.GetString(2),
SourceSha256 = reader.IsDBNull(3) ? null : reader.GetString(3),
Excerpt = reader.IsDBNull(4) ? null : reader.GetString(4),
MetadataJson = reader.GetString(5),
SnapshotId = reader.IsDBNull(6) ? null : reader.GetGuid(6),
CreatedAt = reader.GetDateTime(7)
};
}
return null;
}
/// <inheritdoc />
public async Task<int> DeleteBySnapshotAsync(
Guid snapshotId,
CancellationToken cancellationToken = default)
{
const string sql = """
WITH deleted_index AS (
DELETE FROM binaries.cve_fix_index WHERE snapshot_id = @snapshotId RETURNING 1
),
deleted_evidence AS (
DELETE FROM binaries.fix_evidence WHERE snapshot_id = @snapshotId RETURNING 1
)
SELECT (SELECT COUNT(*) FROM deleted_index) + (SELECT COUNT(*) FROM deleted_evidence)
""";
await using var conn = await _dataSource.OpenConnectionAsync(cancellationToken);
await using var cmd = new NpgsqlCommand(sql, conn);
cmd.Parameters.AddWithValue("snapshotId", snapshotId);
var result = await cmd.ExecuteScalarAsync(cancellationToken);
return Convert.ToInt32(result);
}
private static FixIndexEntry MapToFixIndexEntry(NpgsqlDataReader reader)
{
return new FixIndexEntry
{
Id = reader.GetGuid(0),
Distro = reader.GetString(1),
Release = reader.GetString(2),
SourcePkg = reader.GetString(3),
CveId = reader.GetString(4),
State = Enum.Parse<FixState>(reader.GetString(5), ignoreCase: true),
FixedVersion = reader.IsDBNull(6) ? null : reader.GetString(6),
Method = ParseFixMethod(reader.GetString(7)),
Confidence = reader.GetDecimal(8),
EvidenceId = reader.IsDBNull(9) ? null : reader.GetGuid(9),
SnapshotId = reader.IsDBNull(10) ? null : reader.GetGuid(10),
IndexedAt = reader.GetDateTime(11),
UpdatedAt = reader.GetDateTime(12)
};
}
private static FixMethod ParseFixMethod(string method)
{
return method.ToLowerInvariant() switch
{
"security_feed" => FixMethod.SecurityFeed,
"changelog" => FixMethod.Changelog,
"patch_header" => FixMethod.PatchHeader,
"upstream_match" => FixMethod.UpstreamPatchMatch,
_ => FixMethod.Changelog
};
}
private static (string Type, string? File, string? Excerpt, string Metadata) MapEvidencePayload(FixEvidencePayload payload)
{
return payload switch
{
ChangelogEvidence cl => (
"changelog",
cl.File,
cl.Excerpt,
JsonSerializer.Serialize(new { cl.Version, cl.LineNumber }, JsonOptions)
),
PatchHeaderEvidence ph => (
"patch_header",
ph.PatchPath,
ph.HeaderExcerpt,
JsonSerializer.Serialize(new { ph.PatchSha256 }, JsonOptions)
),
SecurityFeedEvidence sf => (
"security_feed",
null,
null,
JsonSerializer.Serialize(new { sf.FeedId, sf.EntryId, sf.PublishedAt }, JsonOptions)
),
_ => ("unknown", null, null, "{}")
};
}
}

509
src/BinaryIndex/__Tests/StellaOps.BinaryIndex.Core.Tests/FeatureExtractorTests.cs Normal file
View File

@@ -0,0 +1,509 @@
// -----------------------------------------------------------------------------
// FeatureExtractorTests.cs
// Sprint: SPRINT_20251226_011_BINIDX_known_build_catalog
// Task: BINCAT-17 - Unit tests for identity extraction (ELF, PE, Mach-O)
// Description: Unit tests for binary feature extraction across all formats
// -----------------------------------------------------------------------------
using FluentAssertions;
using StellaOps.BinaryIndex.Core.Models;
using StellaOps.BinaryIndex.Core.Services;
using Xunit;
namespace StellaOps.BinaryIndex.Core.Tests;
public class ElfFeatureExtractorTests
{
private readonly ElfFeatureExtractor _extractor = new();
[Fact]
public void CanExtract_WithElfMagic_ReturnsTrue()
{
// Arrange: ELF magic bytes
var elfBytes = new byte[] { 0x7F, 0x45, 0x4C, 0x46, 0x02, 0x01, 0x01, 0x00 };
using var stream = new MemoryStream(elfBytes);
// Act
var result = _extractor.CanExtract(stream);
// Assert
result.Should().BeTrue();
}
[Fact]
public void CanExtract_WithNonElfMagic_ReturnsFalse()
{
// Arrange: Not ELF
var notElf = new byte[] { 0x4D, 0x5A, 0x90, 0x00 }; // PE magic
using var stream = new MemoryStream(notElf);
// Act
var result = _extractor.CanExtract(stream);
// Assert
result.Should().BeFalse();
}
[Fact]
public void CanExtract_WithEmptyStream_ReturnsFalse()
{
// Arrange
using var stream = new MemoryStream();
// Act
var result = _extractor.CanExtract(stream);
// Assert
result.Should().BeFalse();
}
[Fact]
public async Task ExtractMetadataAsync_WithValidElf64_ReturnsCorrectMetadata()
{
// Arrange: Minimal ELF64 header (little-endian, x86_64, executable)
var elfHeader = CreateMinimalElf64Header(
machine: 0x3E, // x86_64
type: 0x02, // ET_EXEC
osabi: 0x03); // Linux
using var stream = new MemoryStream(elfHeader);
// Act
var metadata = await _extractor.ExtractMetadataAsync(stream);
// Assert
metadata.Format.Should().Be(BinaryFormat.Elf);
metadata.Architecture.Should().Be("x86_64");
metadata.Type.Should().Be(BinaryType.Executable);
}
[Fact]
public async Task ExtractMetadataAsync_WithElf64SharedLib_ReturnsSharedLibrary()
{
// Arrange: ELF64 shared library
var elfHeader = CreateMinimalElf64Header(
machine: 0x3E,
type: 0x03, // ET_DYN (shared object)
osabi: 0x03);
using var stream = new MemoryStream(elfHeader);
// Act
var metadata = await _extractor.ExtractMetadataAsync(stream);
// Assert
metadata.Type.Should().Be(BinaryType.SharedLibrary);
}
[Fact]
public async Task ExtractMetadataAsync_WithAarch64_ReturnsCorrectArchitecture()
{
// Arrange: ELF64 aarch64
var elfHeader = CreateMinimalElf64Header(
machine: 0xB7, // aarch64
type: 0x02,
osabi: 0x03);
using var stream = new MemoryStream(elfHeader);
// Act
var metadata = await _extractor.ExtractMetadataAsync(stream);
// Assert
metadata.Architecture.Should().Be("aarch64");
}
[Fact]
public async Task ExtractIdentityAsync_ProducesConsistentBinaryKey()
{
// Arrange: Same ELF content
var elfHeader = CreateMinimalElf64Header(machine: 0x3E, type: 0x02, osabi: 0x03);
using var stream1 = new MemoryStream(elfHeader);
using var stream2 = new MemoryStream(elfHeader);
// Act
var identity1 = await _extractor.ExtractIdentityAsync(stream1);
var identity2 = await _extractor.ExtractIdentityAsync(stream2);
// Assert: Same content should produce same identity
identity1.BinaryKey.Should().Be(identity2.BinaryKey);
identity1.FileSha256.Should().Be(identity2.FileSha256);
}
private static byte[] CreateMinimalElf64Header(ushort machine, ushort type, byte osabi)
{
var header = new byte[64];
// ELF magic
header[0] = 0x7F;
header[1] = 0x45; // E
header[2] = 0x4C; // L
header[3] = 0x46; // F
// Class: 64-bit
header[4] = 0x02;
// Data: little-endian
header[5] = 0x01;
// Version
header[6] = 0x01;
// OS/ABI
header[7] = osabi;
// Type (little-endian)
BitConverter.GetBytes(type).CopyTo(header, 16);
// Machine (little-endian)
BitConverter.GetBytes(machine).CopyTo(header, 18);
return header;
}
}
public class PeFeatureExtractorTests
{
private readonly PeFeatureExtractor _extractor = new();
[Fact]
public void CanExtract_WithDosMagic_ReturnsTrue()
{
// Arrange: DOS/PE magic bytes
var peBytes = CreateMinimalPeHeader();
using var stream = new MemoryStream(peBytes);
// Act
var result = _extractor.CanExtract(stream);
// Assert
result.Should().BeTrue();
}
[Fact]
public void CanExtract_WithElfMagic_ReturnsFalse()
{
// Arrange: ELF magic
var elfBytes = new byte[] { 0x7F, 0x45, 0x4C, 0x46, 0x02, 0x01, 0x01, 0x00 };
using var stream = new MemoryStream(elfBytes);
// Act
var result = _extractor.CanExtract(stream);
// Assert
result.Should().BeFalse();
}
[Fact]
public async Task ExtractMetadataAsync_WithPe64_ReturnsCorrectMetadata()
{
// Arrange: PE32+ x86_64 executable
var peHeader = CreateMinimalPeHeader(machine: 0x8664, characteristics: 0x0002);
using var stream = new MemoryStream(peHeader);
// Act
var metadata = await _extractor.ExtractMetadataAsync(stream);
// Assert
metadata.Format.Should().Be(BinaryFormat.Pe);
metadata.Architecture.Should().Be("x86_64");
metadata.Type.Should().Be(BinaryType.Executable);
}
[Fact]
public async Task ExtractMetadataAsync_WithDll_ReturnsSharedLibrary()
{
// Arrange: PE DLL
var peHeader = CreateMinimalPeHeader(
machine: 0x8664,
characteristics: 0x2002); // IMAGE_FILE_DLL | IMAGE_FILE_EXECUTABLE_IMAGE
using var stream = new MemoryStream(peHeader);
// Act
var metadata = await _extractor.ExtractMetadataAsync(stream);
// Assert
metadata.Type.Should().Be(BinaryType.SharedLibrary);
}
[Fact]
public async Task ExtractMetadataAsync_WithX86_ReturnsCorrectArchitecture()
{
// Arrange: PE32 x86
var peHeader = CreateMinimalPeHeader(machine: 0x014C, characteristics: 0x0002);
using var stream = new MemoryStream(peHeader);
// Act
var metadata = await _extractor.ExtractMetadataAsync(stream);
// Assert
metadata.Architecture.Should().Be("x86");
}
[Fact]
public async Task ExtractIdentityAsync_ProducesConsistentBinaryKey()
{
// Arrange: Same PE content
var peHeader = CreateMinimalPeHeader(machine: 0x8664, characteristics: 0x0002);
using var stream1 = new MemoryStream(peHeader);
using var stream2 = new MemoryStream(peHeader);
// Act
var identity1 = await _extractor.ExtractIdentityAsync(stream1);
var identity2 = await _extractor.ExtractIdentityAsync(stream2);
// Assert: Same content should produce same identity
identity1.BinaryKey.Should().Be(identity2.BinaryKey);
identity1.FileSha256.Should().Be(identity2.FileSha256);
}
private static byte[] CreateMinimalPeHeader(ushort machine = 0x8664, ushort characteristics = 0x0002)
{
var header = new byte[512];
// DOS header
header[0] = 0x4D; // M
header[1] = 0x5A; // Z
// e_lfanew at offset 0x3C
BitConverter.GetBytes(0x80).CopyTo(header, 0x3C);
// PE signature at offset 0x80
header[0x80] = 0x50; // P
header[0x81] = 0x45; // E
header[0x82] = 0x00;
header[0x83] = 0x00;
// COFF header at 0x84
BitConverter.GetBytes(machine).CopyTo(header, 0x84); // Machine
BitConverter.GetBytes((ushort)0).CopyTo(header, 0x86); // NumberOfSections
BitConverter.GetBytes((uint)0).CopyTo(header, 0x88); // TimeDateStamp
BitConverter.GetBytes((uint)0).CopyTo(header, 0x8C); // PointerToSymbolTable
BitConverter.GetBytes((uint)0).CopyTo(header, 0x90); // NumberOfSymbols
BitConverter.GetBytes((ushort)240).CopyTo(header, 0x94); // SizeOfOptionalHeader (PE32+)
BitConverter.GetBytes(characteristics).CopyTo(header, 0x96); // Characteristics
// Optional header magic at 0x98
BitConverter.GetBytes((ushort)0x20B).CopyTo(header, 0x98); // PE32+ magic
return header;
}
}
public class MachoFeatureExtractorTests
{
private readonly MachoFeatureExtractor _extractor = new();
[Fact]
public void CanExtract_WithMacho64Magic_ReturnsTrue()
{
// Arrange: Mach-O 64-bit magic
var machoBytes = new byte[] { 0xCF, 0xFA, 0xED, 0xFE }; // MH_MAGIC_64 little-endian
using var stream = new MemoryStream(machoBytes);
// Act
var result = _extractor.CanExtract(stream);
// Assert
result.Should().BeTrue();
}
[Fact]
public void CanExtract_WithFatBinaryMagic_ReturnsTrue()
{
// Arrange: Universal binary magic
var fatBytes = new byte[] { 0xCA, 0xFE, 0xBA, 0xBE }; // FAT_MAGIC
using var stream = new MemoryStream(fatBytes);
// Act
var result = _extractor.CanExtract(stream);
// Assert
result.Should().BeTrue();
}
[Fact]
public void CanExtract_WithElfMagic_ReturnsFalse()
{
// Arrange: ELF magic
var elfBytes = new byte[] { 0x7F, 0x45, 0x4C, 0x46, 0x02, 0x01, 0x01, 0x00 };
using var stream = new MemoryStream(elfBytes);
// Act
var result = _extractor.CanExtract(stream);
// Assert
result.Should().BeFalse();
}
[Fact]
public async Task ExtractMetadataAsync_WithMacho64Executable_ReturnsCorrectMetadata()
{
// Arrange: Mach-O 64-bit x86_64 executable
var machoHeader = CreateMinimalMacho64Header(
cpuType: 0x01000007, // CPU_TYPE_X86_64
fileType: 0x02); // MH_EXECUTE
using var stream = new MemoryStream(machoHeader);
// Act
var metadata = await _extractor.ExtractMetadataAsync(stream);
// Assert
metadata.Format.Should().Be(BinaryFormat.Macho);
metadata.Architecture.Should().Be("x86_64");
metadata.Type.Should().Be(BinaryType.Executable);
}
[Fact]
public async Task ExtractMetadataAsync_WithDylib_ReturnsSharedLibrary()
{
// Arrange: Mach-O dylib
var machoHeader = CreateMinimalMacho64Header(
cpuType: 0x01000007,
fileType: 0x06); // MH_DYLIB
using var stream = new MemoryStream(machoHeader);
// Act
var metadata = await _extractor.ExtractMetadataAsync(stream);
// Assert
metadata.Type.Should().Be(BinaryType.SharedLibrary);
}
[Fact]
public async Task ExtractMetadataAsync_WithArm64_ReturnsCorrectArchitecture()
{
// Arrange: Mach-O arm64
var machoHeader = CreateMinimalMacho64Header(
cpuType: 0x0100000C, // CPU_TYPE_ARM64
fileType: 0x02);
using var stream = new MemoryStream(machoHeader);
// Act
var metadata = await _extractor.ExtractMetadataAsync(stream);
// Assert
metadata.Architecture.Should().Be("aarch64");
}
[Fact]
public async Task ExtractIdentityAsync_ProducesConsistentBinaryKey()
{
// Arrange: Same Mach-O content
var machoHeader = CreateMinimalMacho64Header(cpuType: 0x01000007, fileType: 0x02);
using var stream1 = new MemoryStream(machoHeader);
using var stream2 = new MemoryStream(machoHeader);
// Act
var identity1 = await _extractor.ExtractIdentityAsync(stream1);
var identity2 = await _extractor.ExtractIdentityAsync(stream2);
// Assert: Same content should produce same identity
identity1.BinaryKey.Should().Be(identity2.BinaryKey);
identity1.FileSha256.Should().Be(identity2.FileSha256);
}
private static byte[] CreateMinimalMacho64Header(int cpuType, uint fileType)
{
var header = new byte[32 + 256]; // Mach-O 64 header + space for load commands
// Magic (little-endian)
header[0] = 0xCF;
header[1] = 0xFA;
header[2] = 0xED;
header[3] = 0xFE;
// CPU type
BitConverter.GetBytes(cpuType).CopyTo(header, 4);
// CPU subtype
BitConverter.GetBytes(0).CopyTo(header, 8);
// File type
BitConverter.GetBytes(fileType).CopyTo(header, 12);
// Number of load commands
BitConverter.GetBytes((uint)0).CopyTo(header, 16);
// Size of load commands
BitConverter.GetBytes((uint)0).CopyTo(header, 20);
// Flags
BitConverter.GetBytes((uint)0).CopyTo(header, 24);
// Reserved (64-bit only)
BitConverter.GetBytes((uint)0).CopyTo(header, 28);
return header;
}
}
public class BinaryIdentityDeterminismTests
{
[Fact]
public async Task AllExtractors_SameContent_ProduceSameHash()
{
// Arrange: Create identical binary content
var content = new byte[256];
new Random(42).NextBytes(content);
// ELF header
content[0] = 0x7F;
content[1] = 0x45;
content[2] = 0x4C;
content[3] = 0x46;
content[4] = 0x02; // 64-bit
content[5] = 0x01; // little-endian
BitConverter.GetBytes((ushort)0x3E).CopyTo(content, 18); // x86_64
BitConverter.GetBytes((ushort)0x02).CopyTo(content, 16); // executable
var extractor = new ElfFeatureExtractor();
// Act: Extract identity multiple times
using var stream1 = new MemoryStream(content);
using var stream2 = new MemoryStream(content);
using var stream3 = new MemoryStream(content);
var identity1 = await extractor.ExtractIdentityAsync(stream1);
var identity2 = await extractor.ExtractIdentityAsync(stream2);
var identity3 = await extractor.ExtractIdentityAsync(stream3);
// Assert: All identities should be identical
identity1.FileSha256.Should().Be(identity2.FileSha256);
identity2.FileSha256.Should().Be(identity3.FileSha256);
identity1.BinaryKey.Should().Be(identity2.BinaryKey);
identity2.BinaryKey.Should().Be(identity3.BinaryKey);
}
[Fact]
public async Task DifferentContent_ProducesDifferentHash()
{
// Arrange
var content1 = CreateMinimalElf(0x01);
var content2 = CreateMinimalElf(0x02);
var extractor = new ElfFeatureExtractor();
// Act
using var stream1 = new MemoryStream(content1);
using var stream2 = new MemoryStream(content2);
var identity1 = await extractor.ExtractIdentityAsync(stream1);
var identity2 = await extractor.ExtractIdentityAsync(stream2);
// Assert: Different content should produce different identities
identity1.FileSha256.Should().NotBe(identity2.FileSha256);
}
private static byte[] CreateMinimalElf(byte variant)
{
var header = new byte[64];
header[0] = 0x7F;
header[1] = 0x45;
header[2] = 0x4C;
header[3] = 0x46;
header[4] = 0x02;
header[5] = 0x01;
header[6] = variant; // Vary the version byte
BitConverter.GetBytes((ushort)0x3E).CopyTo(header, 18);
BitConverter.GetBytes((ushort)0x02).CopyTo(header, 16);
return header;
}
}

388
src/BinaryIndex/__Tests/StellaOps.BinaryIndex.Core.Tests/FixIndex/ParserTests.cs Normal file
View File

@@ -0,0 +1,388 @@
// -----------------------------------------------------------------------------
// ParserTests.cs
// Sprint: SPRINT_20251226_012_BINIDX_backport_handling
// Task: BACKPORT-19 — Unit tests for all parsers
// -----------------------------------------------------------------------------
using FluentAssertions;
using StellaOps.BinaryIndex.FixIndex.Models;
using StellaOps.BinaryIndex.FixIndex.Parsers;
using Xunit;
namespace StellaOps.BinaryIndex.Core.Tests.FixIndex;
public class DebianChangelogParserTests
{
private readonly DebianChangelogParser _sut = new();
[Fact]
public void ParseTopEntry_ExtractsCveFromChangelog()
{
// Arrange
var changelog = """
openssl (3.0.11-1~deb12u2) bookworm-security; urgency=high
* Fix CVE-2024-0727: PKCS12 decoding crash
* Fix CVE-2024-2511: memory leak in TLSv1.3
-- Debian Security Team <security@debian.org> Mon, 15 Jan 2024 10:00:00 +0000
openssl (3.0.11-1~deb12u1) bookworm; urgency=medium
* Update to 3.0.11
""";
// Act
var results = _sut.ParseTopEntry(changelog, "debian", "bookworm", "openssl").ToList();
// Assert
results.Should().HaveCount(2);
results.Should().Contain(e => e.CveId == "CVE-2024-0727");
results.Should().Contain(e => e.CveId == "CVE-2024-2511");
results.Should().AllSatisfy(e =>
{
e.Distro.Should().Be("debian");
e.Release.Should().Be("bookworm");
e.SourcePkg.Should().Be("openssl");
e.State.Should().Be(FixState.Fixed);
e.FixedVersion.Should().Be("3.0.11-1~deb12u2");
e.Method.Should().Be(FixMethod.Changelog);
e.Confidence.Should().Be(0.80m);
});
}
[Fact]
public void ParseTopEntry_ReturnsEmptyForNoMention()
{
// Arrange
var changelog = """
package (1.0-1) stable; urgency=low
* Initial release
-- Maintainer <m@example.com> Mon, 01 Jan 2024 12:00:00 +0000
""";
// Act
var results = _sut.ParseTopEntry(changelog, "debian", "stable", "package").ToList();
// Assert
results.Should().BeEmpty();
}
[Fact]
public void ParseTopEntry_HandlesEmptyChangelog()
{
// Act
var results = _sut.ParseTopEntry("", "debian", "stable", "package").ToList();
// Assert
results.Should().BeEmpty();
}
[Fact]
public void ParseTopEntry_DeduplicatesCves()
{
// Arrange - Same CVE mentioned twice
var changelog = """
package (1.0-1) stable; urgency=high
* Fix CVE-2024-1234 in parser
* Also addresses CVE-2024-1234 in handler
-- Maintainer <m@example.com> Mon, 01 Jan 2024 12:00:00 +0000
""";
// Act
var results = _sut.ParseTopEntry(changelog, "debian", "stable", "package").ToList();
// Assert
results.Should().HaveCount(1);
results[0].CveId.Should().Be("CVE-2024-1234");
}
}
public class AlpineSecfixesParserTests
{
private readonly AlpineSecfixesParser _sut = new();
[Fact]
public void Parse_ExtractsCvesFromSecfixes()
{
// Arrange
var apkbuild = """
pkgname=openssl
pkgver=3.1.4
pkgrel=1
# secfixes:
# 3.1.4-r0:
# - CVE-2024-0727
# - CVE-2024-2511
# 3.1.3-r0:
# - CVE-2023-5678
build() {
./configure
}
""";
// Act
var results = _sut.Parse(apkbuild, "alpine", "v3.19", "openssl").ToList();
// Assert
results.Should().HaveCount(3);
var v314 = results.Where(e => e.FixedVersion == "3.1.4-r0").ToList();
v314.Should().HaveCount(2);
v314.Should().Contain(e => e.CveId == "CVE-2024-0727");
v314.Should().Contain(e => e.CveId == "CVE-2024-2511");
var v313 = results.Where(e => e.FixedVersion == "3.1.3-r0").ToList();
v313.Should().HaveCount(1);
v313[0].CveId.Should().Be("CVE-2023-5678");
results.Should().AllSatisfy(e =>
{
e.Distro.Should().Be("alpine");
e.Release.Should().Be("v3.19");
e.State.Should().Be(FixState.Fixed);
e.Method.Should().Be(FixMethod.SecurityFeed);
e.Confidence.Should().Be(0.95m);
});
}
[Fact]
public void Parse_IgnoresNonSecfixesComments()
{
// Arrange
var apkbuild = """
# This is a regular comment
# CVE-2024-9999 is not in secfixes
pkgname=test
""";
// Act
var results = _sut.Parse(apkbuild, "alpine", "v3.19", "test").ToList();
// Assert
results.Should().BeEmpty();
}
[Fact]
public void Parse_StopsAtNonCommentLine()
{
// Arrange
var apkbuild = """
# secfixes:
# 1.0-r0:
# - CVE-2024-1111
pkgname=test
# - CVE-2024-2222
""";
// Act
var results = _sut.Parse(apkbuild, "alpine", "edge", "test").ToList();
// Assert
results.Should().HaveCount(1);
results[0].CveId.Should().Be("CVE-2024-1111");
}
}
public class PatchHeaderParserTests
{
private readonly PatchHeaderParser _sut = new();
[Fact]
public void ParsePatches_ExtractsCveFromHeader()
{
// Arrange
var patches = new[]
{
(
Path: "debian/patches/CVE-2024-1234.patch",
Content: """
Description: Fix buffer overflow
Origin: upstream, https://github.com/proj/commit/abc123
Bug-Debian: https://bugs.debian.org/123456
CVE: CVE-2024-1234
Applied-Upstream: 2.0.0
--- a/src/parser.c
+++ b/src/parser.c
@@ -100,6 +100,8 @@
""",
Sha256: "abc123def456"
)
};
// Act
var results = _sut.ParsePatches(patches, "debian", "bookworm", "libfoo", "1.2.3-1").ToList();
// Assert
results.Should().HaveCount(1);
results[0].CveId.Should().Be("CVE-2024-1234");
results[0].Method.Should().Be(FixMethod.PatchHeader);
results[0].FixedVersion.Should().Be("1.2.3-1");
results[0].Evidence.Should().BeOfType<PatchHeaderEvidence>();
var evidence = (PatchHeaderEvidence)results[0].Evidence;
evidence.PatchPath.Should().Be("debian/patches/CVE-2024-1234.patch");
evidence.PatchSha256.Should().Be("abc123def456");
}
[Fact]
public void ParsePatches_ExtractsCveFromFilename()
{
// Arrange - CVE only in filename, not header
var patches = new[]
{
(
Path: "CVE-2024-5678.patch",
Content: """
Fix memory leak
--- a/foo.c
+++ b/foo.c
""",
Sha256: "sha256hash"
)
};
// Act
var results = _sut.ParsePatches(patches, "ubuntu", "jammy", "bar", "1.0").ToList();
// Assert
results.Should().HaveCount(1);
results[0].CveId.Should().Be("CVE-2024-5678");
}
[Fact]
public void ParsePatches_ReturnsEmptyForNoCve()
{
// Arrange
var patches = new[]
{
(
Path: "fix-typo.patch",
Content: "--- a/README\n+++ b/README",
Sha256: "hash"
)
};
// Act
var results = _sut.ParsePatches(patches, "debian", "sid", "pkg", "1.0").ToList();
// Assert
results.Should().BeEmpty();
}
}
public class RpmChangelogParserTests
{
private readonly RpmChangelogParser _sut = new();
[Fact]
public void ParseTopEntry_ExtractsCveFromSpecChangelog()
{
// Arrange
var spec = """
Name: openssl
Version: 3.0.7
Release: 27.el9
%description
OpenSSL toolkit
%changelog
* Mon Jan 15 2024 Security Team <security@redhat.com> - 3.0.7-27
- Fix CVE-2024-0727: PKCS12 crash
- Fix CVE-2024-2511: memory leak
* Tue Dec 05 2023 Security Team <security@redhat.com> - 3.0.7-26
- Fix CVE-2023-5678
""";
// Act
var results = _sut.ParseTopEntry(spec, "rhel", "9", "openssl").ToList();
// Assert
results.Should().HaveCount(2);
results.Should().Contain(e => e.CveId == "CVE-2024-0727");
results.Should().Contain(e => e.CveId == "CVE-2024-2511");
results.Should().AllSatisfy(e =>
{
e.Distro.Should().Be("rhel");
e.Release.Should().Be("9");
e.FixedVersion.Should().Be("3.0.7-27");
e.Method.Should().Be(FixMethod.Changelog);
e.Confidence.Should().Be(0.75m);
});
}
[Fact]
public void ParseAllEntries_ExtractsFromMultipleEntries()
{
// Arrange
var spec = """
%changelog
* Mon Jan 15 2024 Packager <p@example.com> - 2.0-1
- Fix CVE-2024-1111
* Mon Dec 01 2023 Packager <p@example.com> - 1.9-1
- Fix CVE-2023-2222
- Fix CVE-2023-3333
""";
// Act
var results = _sut.ParseAllEntries(spec, "fedora", "39", "pkg").ToList();
// Assert
results.Should().HaveCount(3);
var v20 = results.Where(e => e.FixedVersion == "2.0-1").ToList();
v20.Should().HaveCount(1);
v20[0].CveId.Should().Be("CVE-2024-1111");
var v19 = results.Where(e => e.FixedVersion == "1.9-1").ToList();
v19.Should().HaveCount(2);
}
[Fact]
public void ParseTopEntry_StopsAtSecondEntry()
{
// Arrange
var spec = """
%changelog
* Mon Jan 15 2024 P <p@x.com> - 2.0-1
- Fix CVE-2024-1111
* Mon Dec 01 2023 P <p@x.com> - 1.9-1
- Fix CVE-2023-2222
""";
// Act
var results = _sut.ParseTopEntry(spec, "centos", "9", "pkg").ToList();
// Assert
results.Should().HaveCount(1);
results[0].CveId.Should().Be("CVE-2024-1111");
}
[Fact]
public void ParseTopEntry_HandlesNoChangelog()
{
// Arrange
var spec = """
Name: test
Version: 1.0
""";
// Act
var results = _sut.ParseTopEntry(spec, "rhel", "9", "test").ToList();
// Assert
results.Should().BeEmpty();
}
}

29
src/BinaryIndex/__Tests/StellaOps.BinaryIndex.Core.Tests/StellaOps.BinaryIndex.Core.Tests.csproj Normal file
View File

@@ -0,0 +1,29 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<IsPackable>false</IsPackable>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="FluentAssertions" Version="6.12.0" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.11.0" />
<PackageReference Include="xunit" Version="2.9.0" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference>
<PackageReference Include="coverlet.collector" Version="6.0.2">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\__Libraries\StellaOps.BinaryIndex.Core\StellaOps.BinaryIndex.Core.csproj" />
</ItemGroup>
</Project>

932
src/Cli/StellaOps.Cli/Commands/Budget/RiskBudgetCommandGroup.cs Normal file
View File

@@ -0,0 +1,932 @@
// -----------------------------------------------------------------------------
// RiskBudgetCommandGroup.cs
// Sprint: SPRINT_20251226_002_BE_budget_enforcement
// Task: BUDGET-08, BUDGET-09 - CLI budget commands
// Description: CLI commands for risk budget status and consumption management
// -----------------------------------------------------------------------------
using System.CommandLine;
using System.Net.Http.Json;
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
namespace StellaOps.Cli.Commands.Budget;
/// <summary>
/// Command group for risk budget operations.
/// Implements `stella budget` commands for managing risk budgets.
/// </summary>
public static class RiskBudgetCommandGroup
{
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
{
WriteIndented = true,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
/// <summary>
/// Build the budget command tree.
/// </summary>
public static Command BuildBudgetCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var budgetCommand = new Command("budget", "Risk budget management for release gates");
budgetCommand.Add(BuildStatusCommand(services, verboseOption, cancellationToken));
budgetCommand.Add(BuildConsumeCommand(services, verboseOption, cancellationToken));
budgetCommand.Add(BuildCheckCommand(services, verboseOption, cancellationToken));
budgetCommand.Add(BuildHistoryCommand(services, verboseOption, cancellationToken));
budgetCommand.Add(BuildListCommand(services, verboseOption, cancellationToken));
return budgetCommand;
}
/// <summary>
/// BUDGET-08: stella budget status --service &lt;id&gt;
/// Shows current budget state for a service.
/// </summary>
private static Command BuildStatusCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var serviceOption = new Option<string>("--service", new[] { "-s" })
{
Description = "Service ID to show budget status for",
IsRequired = true
};
var windowOption = new Option<string?>("--window", new[] { "-w" })
{
Description = "Budget window (e.g., '2025-01' for monthly). Defaults to current window."
};
var outputOption = new Option<string>("--output", new[] { "-o" })
{
Description = "Output format: text, json"
};
outputOption.SetDefaultValue("text");
var statusCommand = new Command("status", "Show current risk budget status for a service");
statusCommand.Add(serviceOption);
statusCommand.Add(windowOption);
statusCommand.Add(outputOption);
statusCommand.Add(verboseOption);
statusCommand.SetAction(async (parseResult, ct) =>
{
var serviceId = parseResult.GetValue(serviceOption) ?? string.Empty;
var window = parseResult.GetValue(windowOption);
var output = parseResult.GetValue(outputOption) ?? "text";
var verbose = parseResult.GetValue(verboseOption);
return await HandleStatusAsync(
services,
serviceId,
window,
output,
verbose,
cancellationToken);
});
return statusCommand;
}
/// <summary>
/// BUDGET-09: stella budget consume --service &lt;id&gt; --points &lt;n&gt; --reason &lt;text&gt;
/// Manually consumes budget points for a service.
/// </summary>
private static Command BuildConsumeCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var serviceOption = new Option<string>("--service", new[] { "-s" })
{
Description = "Service ID to consume budget from",
IsRequired = true
};
var pointsOption = new Option<int>("--points", new[] { "-p" })
{
Description = "Number of risk points to consume",
IsRequired = true
};
var reasonOption = new Option<string>("--reason", new[] { "-r" })
{
Description = "Reason for manual budget consumption",
IsRequired = true
};
var releaseIdOption = new Option<string?>("--release-id")
{
Description = "Optional release ID to associate with consumption"
};
var outputOption = new Option<string>("--output", new[] { "-o" })
{
Description = "Output format: text, json"
};
outputOption.SetDefaultValue("text");
var consumeCommand = new Command("consume", "Manually consume risk budget points");
consumeCommand.Add(serviceOption);
consumeCommand.Add(pointsOption);
consumeCommand.Add(reasonOption);
consumeCommand.Add(releaseIdOption);
consumeCommand.Add(outputOption);
consumeCommand.Add(verboseOption);
consumeCommand.SetAction(async (parseResult, ct) =>
{
var serviceId = parseResult.GetValue(serviceOption) ?? string.Empty;
var points = parseResult.GetValue(pointsOption);
var reason = parseResult.GetValue(reasonOption) ?? string.Empty;
var releaseId = parseResult.GetValue(releaseIdOption);
var output = parseResult.GetValue(outputOption) ?? "text";
var verbose = parseResult.GetValue(verboseOption);
return await HandleConsumeAsync(
services,
serviceId,
points,
reason,
releaseId,
output,
verbose,
cancellationToken);
});
return consumeCommand;
}
/// <summary>
/// stella budget check --service &lt;id&gt; --points &lt;n&gt;
/// Checks if a release would exceed the budget without consuming.
/// </summary>
private static Command BuildCheckCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var serviceOption = new Option<string>("--service", new[] { "-s" })
{
Description = "Service ID to check budget for",
IsRequired = true
};
var pointsOption = new Option<int>("--points", new[] { "-p" })
{
Description = "Number of risk points to check",
IsRequired = true
};
var failOnExceedOption = new Option<bool>("--fail-on-exceed")
{
Description = "Exit with error code if budget would be exceeded"
};
failOnExceedOption.SetDefaultValue(true);
var outputOption = new Option<string>("--output", new[] { "-o" })
{
Description = "Output format: text, json"
};
outputOption.SetDefaultValue("text");
var checkCommand = new Command("check", "Check if a release would exceed risk budget");
checkCommand.Add(serviceOption);
checkCommand.Add(pointsOption);
checkCommand.Add(failOnExceedOption);
checkCommand.Add(outputOption);
checkCommand.Add(verboseOption);
checkCommand.SetAction(async (parseResult, ct) =>
{
var serviceId = parseResult.GetValue(serviceOption) ?? string.Empty;
var points = parseResult.GetValue(pointsOption);
var failOnExceed = parseResult.GetValue(failOnExceedOption);
var output = parseResult.GetValue(outputOption) ?? "text";
var verbose = parseResult.GetValue(verboseOption);
return await HandleCheckAsync(
services,
serviceId,
points,
failOnExceed,
output,
verbose,
cancellationToken);
});
return checkCommand;
}
/// <summary>
/// stella budget history --service &lt;id&gt;
/// Shows consumption history for a service.
/// </summary>
private static Command BuildHistoryCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var serviceOption = new Option<string>("--service", new[] { "-s" })
{
Description = "Service ID to show history for",
IsRequired = true
};
var windowOption = new Option<string?>("--window", new[] { "-w" })
{
Description = "Budget window to show history for"
};
var limitOption = new Option<int>("--limit", new[] { "-l" })
{
Description = "Maximum number of entries to return"
};
limitOption.SetDefaultValue(20);
var outputOption = new Option<string>("--output", new[] { "-o" })
{
Description = "Output format: text, json"
};
outputOption.SetDefaultValue("text");
var historyCommand = new Command("history", "Show risk budget consumption history");
historyCommand.Add(serviceOption);
historyCommand.Add(windowOption);
historyCommand.Add(limitOption);
historyCommand.Add(outputOption);
historyCommand.Add(verboseOption);
historyCommand.SetAction(async (parseResult, ct) =>
{
var serviceId = parseResult.GetValue(serviceOption) ?? string.Empty;
var window = parseResult.GetValue(windowOption);
var limit = parseResult.GetValue(limitOption);
var output = parseResult.GetValue(outputOption) ?? "text";
var verbose = parseResult.GetValue(verboseOption);
return await HandleHistoryAsync(
services,
serviceId,
window,
limit,
output,
verbose,
cancellationToken);
});
return historyCommand;
}
/// <summary>
/// stella budget list
/// Lists all service budgets.
/// </summary>
private static Command BuildListCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var statusOption = new Option<string?>("--status")
{
Description = "Filter by status: green, yellow, red, exhausted"
};
var tierOption = new Option<int?>("--tier")
{
Description = "Filter by service tier (1-5)"
};
var limitOption = new Option<int>("--limit", new[] { "-l" })
{
Description = "Maximum number of results to return"
};
limitOption.SetDefaultValue(50);
var outputOption = new Option<string>("--output", new[] { "-o" })
{
Description = "Output format: text, json"
};
outputOption.SetDefaultValue("text");
var listCommand = new Command("list", "List all service risk budgets");
listCommand.Add(statusOption);
listCommand.Add(tierOption);
listCommand.Add(limitOption);
listCommand.Add(outputOption);
listCommand.Add(verboseOption);
listCommand.SetAction(async (parseResult, ct) =>
{
var status = parseResult.GetValue(statusOption);
var tier = parseResult.GetValue(tierOption);
var limit = parseResult.GetValue(limitOption);
var output = parseResult.GetValue(outputOption) ?? "text";
var verbose = parseResult.GetValue(verboseOption);
return await HandleListAsync(
services,
status,
tier,
limit,
output,
verbose,
cancellationToken);
});
return listCommand;
}
#region Command Handlers
private static async Task<int> HandleStatusAsync(
IServiceProvider services,
string serviceId,
string? window,
string output,
bool verbose,
CancellationToken ct)
{
var loggerFactory = services.GetService<ILoggerFactory>();
var logger = loggerFactory?.CreateLogger(typeof(RiskBudgetCommandGroup));
var httpClientFactory = services.GetService<IHttpClientFactory>();
if (httpClientFactory is null)
{
Console.Error.WriteLine("Error: HTTP client not available");
return 1;
}
try
{
if (verbose)
{
logger?.LogDebug("Getting budget status for service {ServiceId}", serviceId);
}
var client = httpClientFactory.CreateClient("PolicyApi");
var query = $"/api/v1/policy/risk-budget/status/{Uri.EscapeDataString(serviceId)}";
if (!string.IsNullOrEmpty(window))
{
query += $"?window={Uri.EscapeDataString(window)}";
}
var response = await client.GetAsync(query, ct);
if (!response.IsSuccessStatusCode)
{
var error = await response.Content.ReadAsStringAsync(ct);
logger?.LogError("Failed to get budget status: {Status}", response.StatusCode);
Console.Error.WriteLine($"Error: Failed to get budget status ({response.StatusCode})");
return 1;
}
var status = await response.Content.ReadFromJsonAsync<RiskBudgetStatusDto>(JsonOptions, ct);
if (status is null)
{
Console.Error.WriteLine("Error: Empty response from server");
return 1;
}
OutputStatus(status, output);
return 0;
}
catch (Exception ex)
{
logger?.LogError(ex, "Budget status failed unexpectedly");
Console.Error.WriteLine($"Error: {ex.Message}");
return 1;
}
}
private static async Task<int> HandleConsumeAsync(
IServiceProvider services,
string serviceId,
int points,
string reason,
string? releaseId,
string output,
bool verbose,
CancellationToken ct)
{
var loggerFactory = services.GetService<ILoggerFactory>();
var logger = loggerFactory?.CreateLogger(typeof(RiskBudgetCommandGroup));
var httpClientFactory = services.GetService<IHttpClientFactory>();
if (httpClientFactory is null)
{
Console.Error.WriteLine("Error: HTTP client not available");
return 1;
}
try
{
if (verbose)
{
logger?.LogDebug("Consuming {Points} points from service {ServiceId}", points, serviceId);
}
var client = httpClientFactory.CreateClient("PolicyApi");
var request = new ConsumeRequest(serviceId, points, reason, releaseId);
var response = await client.PostAsJsonAsync(
"/api/v1/policy/risk-budget/consume",
request,
JsonOptions,
ct);
if (!response.IsSuccessStatusCode)
{
var error = await response.Content.ReadAsStringAsync(ct);
logger?.LogError("Failed to consume budget: {Status} - {Error}", response.StatusCode, error);
Console.Error.WriteLine($"Error: Failed to consume budget ({response.StatusCode})");
return 1;
}
var result = await response.Content.ReadFromJsonAsync<ConsumeResultDto>(JsonOptions, ct);
if (result is null)
{
Console.Error.WriteLine("Error: Empty response from server");
return 1;
}
OutputConsumeResult(result, output);
return 0;
}
catch (Exception ex)
{
logger?.LogError(ex, "Budget consume failed unexpectedly");
Console.Error.WriteLine($"Error: {ex.Message}");
return 1;
}
}
private static async Task<int> HandleCheckAsync(
IServiceProvider services,
string serviceId,
int points,
bool failOnExceed,
string output,
bool verbose,
CancellationToken ct)
{
var loggerFactory = services.GetService<ILoggerFactory>();
var logger = loggerFactory?.CreateLogger(typeof(RiskBudgetCommandGroup));
var httpClientFactory = services.GetService<IHttpClientFactory>();
if (httpClientFactory is null)
{
Console.Error.WriteLine("Error: HTTP client not available");
return 1;
}
try
{
if (verbose)
{
logger?.LogDebug("Checking if {Points} points would exceed budget for {ServiceId}", points, serviceId);
}
var client = httpClientFactory.CreateClient("PolicyApi");
var request = new CheckRequest(serviceId, points);
var response = await client.PostAsJsonAsync(
"/api/v1/policy/risk-budget/check",
request,
JsonOptions,
ct);
if (!response.IsSuccessStatusCode)
{
var error = await response.Content.ReadAsStringAsync(ct);
logger?.LogError("Failed to check budget: {Status}", response.StatusCode);
Console.Error.WriteLine($"Error: Failed to check budget ({response.StatusCode})");
return 1;
}
var result = await response.Content.ReadFromJsonAsync<CheckResultDto>(JsonOptions, ct);
if (result is null)
{
Console.Error.WriteLine("Error: Empty response from server");
return 1;
}
OutputCheckResult(result, output);
if (failOnExceed && !result.Allowed)
{
return 2; // Distinct exit code for budget exceeded
}
return 0;
}
catch (Exception ex)
{
logger?.LogError(ex, "Budget check failed unexpectedly");
Console.Error.WriteLine($"Error: {ex.Message}");
return 1;
}
}
private static async Task<int> HandleHistoryAsync(
IServiceProvider services,
string serviceId,
string? window,
int limit,
string output,
bool verbose,
CancellationToken ct)
{
var loggerFactory = services.GetService<ILoggerFactory>();
var logger = loggerFactory?.CreateLogger(typeof(RiskBudgetCommandGroup));
var httpClientFactory = services.GetService<IHttpClientFactory>();
if (httpClientFactory is null)
{
Console.Error.WriteLine("Error: HTTP client not available");
return 1;
}
try
{
if (verbose)
{
logger?.LogDebug("Getting budget history for service {ServiceId}", serviceId);
}
var client = httpClientFactory.CreateClient("PolicyApi");
var query = $"/api/v1/policy/risk-budget/history/{Uri.EscapeDataString(serviceId)}?limit={limit}";
if (!string.IsNullOrEmpty(window))
{
query += $"&window={Uri.EscapeDataString(window)}";
}
var response = await client.GetAsync(query, ct);
if (!response.IsSuccessStatusCode)
{
logger?.LogError("Failed to get budget history: {Status}", response.StatusCode);
Console.Error.WriteLine($"Error: Failed to get budget history ({response.StatusCode})");
return 1;
}
var history = await response.Content.ReadFromJsonAsync<HistoryResponseDto>(JsonOptions, ct);
if (history is null)
{
Console.Error.WriteLine("Error: Empty response from server");
return 1;
}
OutputHistory(history, output);
return 0;
}
catch (Exception ex)
{
logger?.LogError(ex, "Budget history failed unexpectedly");
Console.Error.WriteLine($"Error: {ex.Message}");
return 1;
}
}
private static async Task<int> HandleListAsync(
IServiceProvider services,
string? status,
int? tier,
int limit,
string output,
bool verbose,
CancellationToken ct)
{
var loggerFactory = services.GetService<ILoggerFactory>();
var logger = loggerFactory?.CreateLogger(typeof(RiskBudgetCommandGroup));
var httpClientFactory = services.GetService<IHttpClientFactory>();
if (httpClientFactory is null)
{
Console.Error.WriteLine("Error: HTTP client not available");
return 1;
}
try
{
if (verbose)
{
logger?.LogDebug("Listing budgets with status={Status}, tier={Tier}", status, tier);
}
var client = httpClientFactory.CreateClient("PolicyApi");
var query = $"/api/v1/policy/risk-budget?limit={limit}";
if (!string.IsNullOrEmpty(status))
{
query += $"&status={Uri.EscapeDataString(status)}";
}
if (tier.HasValue)
{
query += $"&tier={tier.Value}";
}
var response = await client.GetAsync(query, ct);
if (!response.IsSuccessStatusCode)
{
logger?.LogError("Failed to list budgets: {Status}", response.StatusCode);
Console.Error.WriteLine($"Error: Failed to list budgets ({response.StatusCode})");
return 1;
}
var list = await response.Content.ReadFromJsonAsync<BudgetListResponseDto>(JsonOptions, ct);
if (list is null)
{
Console.Error.WriteLine("Error: Empty response from server");
return 1;
}
OutputList(list, output);
return 0;
}
catch (Exception ex)
{
logger?.LogError(ex, "Budget list failed unexpectedly");
Console.Error.WriteLine($"Error: {ex.Message}");
return 1;
}
}
#endregion
#region Output Formatters
private static void OutputStatus(RiskBudgetStatusDto status, string format)
{
if (format == "json")
{
Console.WriteLine(JsonSerializer.Serialize(status, JsonOptions));
return;
}
var statusColor = status.Status?.ToLowerInvariant() switch
{
"green" => ConsoleColor.Green,
"yellow" => ConsoleColor.Yellow,
"red" => ConsoleColor.Red,
"exhausted" => ConsoleColor.DarkRed,
_ => ConsoleColor.White
};
Console.WriteLine("Risk Budget Status");
Console.WriteLine(new string('=', 50));
Console.WriteLine($" Service: {status.ServiceId}");
Console.WriteLine($" Window: {status.Window}");
Console.WriteLine($" Tier: {status.Tier}");
Console.WriteLine($" Allocated: {status.Allocated} points");
Console.WriteLine($" Consumed: {status.Consumed} points");
Console.WriteLine($" Remaining: {status.Remaining} points");
Console.WriteLine($" Usage: {status.PercentageUsed:F1}%");
Console.Write(" Status: ");
Console.ForegroundColor = statusColor;
Console.WriteLine(status.Status?.ToUpperInvariant() ?? "UNKNOWN");
Console.ResetColor();
if (status.LastConsumedAt.HasValue)
{
Console.WriteLine($" Last Used: {status.LastConsumedAt:yyyy-MM-dd HH:mm:ss}");
}
}
private static void OutputConsumeResult(ConsumeResultDto result, string format)
{
if (format == "json")
{
Console.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
return;
}
if (result.Success)
{
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("Budget consumed successfully.");
Console.ResetColor();
Console.WriteLine($" Entry ID: {result.EntryId}");
Console.WriteLine($" Consumed: {result.PointsConsumed} points");
Console.WriteLine($" Remaining: {result.RemainingBudget} points");
Console.WriteLine($" New Status: {result.NewStatus?.ToUpperInvariant()}");
}
else
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Budget consumption failed.");
Console.ResetColor();
Console.WriteLine($" Error: {result.Error}");
}
}
private static void OutputCheckResult(CheckResultDto result, string format)
{
if (format == "json")
{
Console.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
return;
}
var status = result.Allowed ? "[ALLOWED]" : "[BLOCKED]";
Console.ForegroundColor = result.Allowed ? ConsoleColor.Green : ConsoleColor.Red;
Console.WriteLine($"{status} Release budget check");
Console.ResetColor();
Console.WriteLine($" Service: {result.ServiceId}");
Console.WriteLine($" Requested: {result.RequestedPoints} points");
Console.WriteLine($" Current Used: {result.CurrentConsumed} points");
Console.WriteLine($" Budget Limit: {result.BudgetLimit} points");
Console.WriteLine($" Would Use: {result.CurrentConsumed + result.RequestedPoints} points");
if (!result.Allowed)
{
Console.WriteLine();
Console.ForegroundColor = ConsoleColor.Yellow;
Console.WriteLine($" Reason: {result.BlockReason}");
Console.ResetColor();
}
}
private static void OutputHistory(HistoryResponseDto history, string format)
{
if (format == "json")
{
Console.WriteLine(JsonSerializer.Serialize(history, JsonOptions));
return;
}
Console.WriteLine($"Budget History: {history.ServiceId}");
Console.WriteLine(new string('=', 80));
if (history.Entries.Count == 0)
{
Console.WriteLine(" No consumption history found.");
return;
}
// Header
Console.WriteLine($"{"DATE",-20} {"POINTS",-8} {"REASON",-30} {"RELEASE"}");
Console.WriteLine(new string('-', 80));
foreach (var entry in history.Entries)
{
var date = entry.ConsumedAt.ToString("yyyy-MM-dd HH:mm");
var reason = entry.Reason?.Length > 30
? entry.Reason[..27] + "..."
: entry.Reason ?? "-";
var release = entry.ReleaseId ?? "-";
Console.WriteLine($"{date,-20} {entry.Points,-8} {reason,-30} {release}");
}
Console.WriteLine(new string('-', 80));
Console.WriteLine($"Total entries: {history.TotalCount}");
}
private static void OutputList(BudgetListResponseDto list, string format)
{
if (format == "json")
{
Console.WriteLine(JsonSerializer.Serialize(list, JsonOptions));
return;
}
Console.WriteLine($"Risk Budgets ({list.TotalCount} total, showing {list.Budgets.Count})");
Console.WriteLine(new string('=', 90));
if (list.Budgets.Count == 0)
{
Console.WriteLine(" No budgets found.");
return;
}
// Header
Console.WriteLine($"{"SERVICE",-30} {"TIER",-5} {"CONSUMED",-10} {"ALLOCATED",-10} {"STATUS",-10} {"USAGE"}");
Console.WriteLine(new string('-', 90));
foreach (var budget in list.Budgets)
{
var serviceId = budget.ServiceId.Length > 28
? budget.ServiceId[..25] + "..."
: budget.ServiceId;
var statusColor = budget.Status?.ToLowerInvariant() switch
{
"green" => ConsoleColor.Green,
"yellow" => ConsoleColor.Yellow,
"red" => ConsoleColor.Red,
"exhausted" => ConsoleColor.DarkRed,
_ => ConsoleColor.White
};
Console.Write($"{serviceId,-30} {budget.Tier,-5} {budget.Consumed,-10} {budget.Allocated,-10} ");
Console.ForegroundColor = statusColor;
Console.Write($"{budget.Status?.ToUpperInvariant(),-10}");
Console.ResetColor();
Console.WriteLine($" {budget.PercentageUsed:F1}%");
}
Console.WriteLine(new string('-', 90));
// Summary by status
var byStatus = list.Budgets.GroupBy(b => b.Status ?? "unknown").OrderBy(g => g.Key);
Console.WriteLine($"Summary: {string.Join(", ", byStatus.Select(g => $"{g.Key}: {g.Count()}"))}");
}
#endregion
#region DTOs
private sealed record ConsumeRequest(
string ServiceId,
int Points,
string Reason,
string? ReleaseId);
private sealed record CheckRequest(
string ServiceId,
int Points);
private sealed record RiskBudgetStatusDto
{
public string ServiceId { get; init; } = string.Empty;
public string? Window { get; init; }
public int Tier { get; init; }
public int Allocated { get; init; }
public int Consumed { get; init; }
public int Remaining { get; init; }
public decimal PercentageUsed { get; init; }
public string? Status { get; init; }
public DateTimeOffset? LastConsumedAt { get; init; }
}
private sealed record ConsumeResultDto
{
public bool Success { get; init; }
public string? EntryId { get; init; }
public int PointsConsumed { get; init; }
public int RemainingBudget { get; init; }
public string? NewStatus { get; init; }
public string? Error { get; init; }
}
private sealed record CheckResultDto
{
public string ServiceId { get; init; } = string.Empty;
public int RequestedPoints { get; init; }
public int CurrentConsumed { get; init; }
public int BudgetLimit { get; init; }
public bool Allowed { get; init; }
public string? BlockReason { get; init; }
}
private sealed record HistoryResponseDto
{
public string ServiceId { get; init; } = string.Empty;
public IReadOnlyList<HistoryEntryDto> Entries { get; init; } = [];
public int TotalCount { get; init; }
}
private sealed record HistoryEntryDto
{
public string EntryId { get; init; } = string.Empty;
public int Points { get; init; }
public string? Reason { get; init; }
public string? ReleaseId { get; init; }
public DateTimeOffset ConsumedAt { get; init; }
}
private sealed record BudgetListResponseDto
{
public IReadOnlyList<BudgetSummaryDto> Budgets { get; init; } = [];
public int TotalCount { get; init; }
}
private sealed record BudgetSummaryDto
{
public string ServiceId { get; init; } = string.Empty;
public int Tier { get; init; }
public int Allocated { get; init; }
public int Consumed { get; init; }
public decimal PercentageUsed { get; init; }
public string? Status { get; init; }
}
#endregion
}

5
src/Cli/StellaOps.Cli/Commands/CommandFactory.cs
View File

@@ -4,6 +4,7 @@ using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using StellaOps.Cli.Commands.Admin;
using StellaOps.Cli.Commands.Budget;
using StellaOps.Cli.Commands.Proof;
using StellaOps.Cli.Configuration;
using StellaOps.Cli.Extensions;
@@ -97,8 +98,12 @@ internal static class CommandFactory
root.Add(ProofCommandGroup.BuildProofCommand(services, verboseOption, cancellationToken));
root.Add(ReplayCommandGroup.BuildReplayCommand(services, verboseOption, cancellationToken));
root.Add(DeltaCommandGroup.BuildDeltaCommand(verboseOption, cancellationToken));
root.Add(RiskBudgetCommandGroup.BuildBudgetCommand(services, verboseOption, cancellationToken));
root.Add(ReachabilityCommandGroup.BuildReachabilityCommand(services, verboseOption, cancellationToken));
// Sprint: SPRINT_20251226_001_BE_cicd_gate_integration - Gate evaluation command
root.Add(GateCommandGroup.BuildGateCommand(services, options, verboseOption, cancellationToken));
// Sprint: SPRINT_8200_0014_0002 - Federation bundle export
root.Add(FederationCommandGroup.BuildFeedserCommand(services, verboseOption, cancellationToken));

556
src/Cli/StellaOps.Cli/Commands/CommandHandlers.Feeds.cs Normal file
View File

@@ -0,0 +1,556 @@
// -----------------------------------------------------------------------------
// CommandHandlers.Feeds.cs
// Sprint: SPRINT_20251226_007_BE_determinism_gaps
// Task: DET-GAP-04
// Description: Command handlers for feed snapshot operations.
// -----------------------------------------------------------------------------
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
using Spectre.Console;
namespace StellaOps.Cli.Commands;
internal static partial class CommandHandlers
{
private static readonly JsonSerializerOptions FeedsJsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
WriteIndented = true
};
internal static async Task<int> HandleFeedsSnapshotCreateAsync(
IServiceProvider services,
string? label,
string[]? sources,
bool json,
bool verbose,
CancellationToken cancellationToken)
{
if (verbose)
{
AnsiConsole.MarkupLine("[blue]Creating feed snapshot...[/]");
if (!string.IsNullOrEmpty(label))
AnsiConsole.MarkupLine($" Label: [bold]{Markup.Escape(label)}[/]");
if (sources?.Length > 0)
AnsiConsole.MarkupLine($" Sources: [bold]{string.Join(", ", sources)}[/]");
}
try
{
var httpClientFactory = services.GetService<IHttpClientFactory>();
if (httpClientFactory == null)
{
AnsiConsole.MarkupLine("[red]Error: HTTP client factory not available.[/]");
return 1;
}
var client = httpClientFactory.CreateClient("Concelier");
var request = new
{
label,
sources
};
var content = new StringContent(
JsonSerializer.Serialize(request, FeedsJsonOptions),
System.Text.Encoding.UTF8,
"application/json");
using var response = await client.PostAsync("/api/v1/feeds/snapshot", content, cancellationToken);
if (!response.IsSuccessStatusCode)
{
var error = await response.Content.ReadAsStringAsync(cancellationToken);
AnsiConsole.MarkupLine($"[red]Error: {response.StatusCode}[/]");
if (verbose)
{
AnsiConsole.MarkupLine($"[grey]{Markup.Escape(error)}[/]");
}
return 1;
}
var responseText = await response.Content.ReadAsStringAsync(cancellationToken);
if (json)
{
AnsiConsole.WriteLine(responseText);
}
else
{
var result = JsonSerializer.Deserialize<CreateSnapshotResponse>(responseText, FeedsJsonOptions);
if (result != null)
{
AnsiConsole.MarkupLine("[green]✓[/] Snapshot created successfully");
AnsiConsole.MarkupLine($" Snapshot ID: [bold]{result.SnapshotId}[/]");
AnsiConsole.MarkupLine($" Digest: [cyan]{result.CompositeDigest}[/]");
AnsiConsole.MarkupLine($" Created: {result.CreatedAt:u}");
AnsiConsole.MarkupLine($" Sources: {result.Sources?.Length ?? 0}");
if (result.Sources?.Length > 0)
{
var table = new Table()
.AddColumn("Source")
.AddColumn("Digest")
.AddColumn("Items");
foreach (var source in result.Sources)
{
table.AddRow(
source.SourceId ?? "-",
source.Digest?.Substring(0, Math.Min(16, source.Digest.Length)) + "..." ?? "-",
source.ItemCount.ToString());
}
AnsiConsole.Write(table);
}
}
}
return 0;
}
catch (Exception ex)
{
AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(ex.Message)}[/]");
if (verbose)
{
AnsiConsole.WriteException(ex);
}
return 1;
}
}
internal static async Task<int> HandleFeedsSnapshotListAsync(
IServiceProvider services,
int limit,
bool json,
bool verbose,
CancellationToken cancellationToken)
{
if (verbose)
{
AnsiConsole.MarkupLine("[blue]Listing feed snapshots...[/]");
AnsiConsole.MarkupLine($" Limit: {limit}");
}
try
{
var httpClientFactory = services.GetService<IHttpClientFactory>();
if (httpClientFactory == null)
{
AnsiConsole.MarkupLine("[red]Error: HTTP client factory not available.[/]");
return 1;
}
var client = httpClientFactory.CreateClient("Concelier");
using var response = await client.GetAsync($"/api/v1/feeds/snapshot?limit={limit}", cancellationToken);
if (!response.IsSuccessStatusCode)
{
var error = await response.Content.ReadAsStringAsync(cancellationToken);
AnsiConsole.MarkupLine($"[red]Error: {response.StatusCode}[/]");
if (verbose)
{
AnsiConsole.MarkupLine($"[grey]{Markup.Escape(error)}[/]");
}
return 1;
}
var responseText = await response.Content.ReadAsStringAsync(cancellationToken);
if (json)
{
AnsiConsole.WriteLine(responseText);
}
else
{
var result = JsonSerializer.Deserialize<ListSnapshotsResponse>(responseText, FeedsJsonOptions);
if (result?.Snapshots != null)
{
var table = new Table()
.Title("Feed Snapshots")
.AddColumn("ID")
.AddColumn("Digest")
.AddColumn("Label")
.AddColumn("Created")
.AddColumn("Sources")
.AddColumn("Items");
foreach (var snapshot in result.Snapshots)
{
table.AddRow(
snapshot.SnapshotId ?? "-",
snapshot.CompositeDigest?.Substring(0, Math.Min(16, snapshot.CompositeDigest.Length)) + "..." ?? "-",
snapshot.Label ?? "-",
snapshot.CreatedAt.ToString("u"),
snapshot.SourceCount.ToString(),
snapshot.TotalItemCount.ToString());
}
AnsiConsole.Write(table);
AnsiConsole.MarkupLine($"[grey]Total: {result.Snapshots.Length} snapshots[/]");
}
}
return 0;
}
catch (Exception ex)
{
AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(ex.Message)}[/]");
if (verbose)
{
AnsiConsole.WriteException(ex);
}
return 1;
}
}
internal static async Task<int> HandleFeedsSnapshotExportAsync(
IServiceProvider services,
string snapshotId,
string output,
string? compression,
bool json,
bool verbose,
CancellationToken cancellationToken)
{
if (verbose)
{
AnsiConsole.MarkupLine("[blue]Exporting feed snapshot...[/]");
AnsiConsole.MarkupLine($" Snapshot: [bold]{Markup.Escape(snapshotId)}[/]");
AnsiConsole.MarkupLine($" Output: [bold]{Markup.Escape(output)}[/]");
AnsiConsole.MarkupLine($" Compression: {compression ?? "zstd"}");
}
try
{
var httpClientFactory = services.GetService<IHttpClientFactory>();
if (httpClientFactory == null)
{
AnsiConsole.MarkupLine("[red]Error: HTTP client factory not available.[/]");
return 1;
}
var client = httpClientFactory.CreateClient("Concelier");
var format = compression ?? "zstd";
var url = $"/api/v1/feeds/snapshot/{Uri.EscapeDataString(snapshotId)}/export?format={format}";
await AnsiConsole.Progress()
.StartAsync(async ctx =>
{
var task = ctx.AddTask("[green]Downloading snapshot bundle[/]");
using var response = await client.GetAsync(url, HttpCompletionOption.ResponseHeadersRead, cancellationToken);
if (!response.IsSuccessStatusCode)
{
var error = await response.Content.ReadAsStringAsync(cancellationToken);
throw new CommandLineException($"Export failed: {response.StatusCode} - {error}");
}
var totalBytes = response.Content.Headers.ContentLength ?? 0;
task.MaxValue = totalBytes > 0 ? totalBytes : 100;
await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken);
await using var fileStream = File.Create(output);
var buffer = new byte[81920];
long totalRead = 0;
int bytesRead;
while ((bytesRead = await stream.ReadAsync(buffer, cancellationToken)) > 0)
{
await fileStream.WriteAsync(buffer.AsMemory(0, bytesRead), cancellationToken);
totalRead += bytesRead;
task.Value = totalBytes > 0 ? totalRead : Math.Min(totalRead, 100);
}
task.Value = task.MaxValue;
});
var fileInfo = new FileInfo(output);
if (json)
{
var metadata = new
{
snapshotId,
outputPath = output,
sizeBytes = fileInfo.Length,
compression = compression ?? "zstd"
};
AnsiConsole.WriteLine(JsonSerializer.Serialize(metadata, FeedsJsonOptions));
}
else
{
AnsiConsole.MarkupLine("[green]✓[/] Snapshot exported successfully");
AnsiConsole.MarkupLine($" Output: [bold]{output}[/]");
AnsiConsole.MarkupLine($" Size: {FormatBytes(fileInfo.Length)}");
}
return 0;
}
catch (CommandLineException ex)
{
AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(ex.Message)}[/]");
return 1;
}
catch (Exception ex)
{
AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(ex.Message)}[/]");
if (verbose)
{
AnsiConsole.WriteException(ex);
}
return 1;
}
}
internal static async Task<int> HandleFeedsSnapshotImportAsync(
IServiceProvider services,
string input,
bool validate,
bool json,
bool verbose,
CancellationToken cancellationToken)
{
if (verbose)
{
AnsiConsole.MarkupLine("[blue]Importing feed snapshot...[/]");
AnsiConsole.MarkupLine($" Input: [bold]{Markup.Escape(input)}[/]");
AnsiConsole.MarkupLine($" Validate: {validate}");
}
if (!File.Exists(input))
{
AnsiConsole.MarkupLine($"[red]Error: File not found: {Markup.Escape(input)}[/]");
return 1;
}
try
{
var httpClientFactory = services.GetService<IHttpClientFactory>();
if (httpClientFactory == null)
{
AnsiConsole.MarkupLine("[red]Error: HTTP client factory not available.[/]");
return 1;
}
var client = httpClientFactory.CreateClient("Concelier");
await using var fileStream = File.OpenRead(input);
var content = new StreamContent(fileStream);
content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/octet-stream");
var form = new MultipartFormDataContent
{
{ content, "file", Path.GetFileName(input) }
};
var url = $"/api/v1/feeds/snapshot/import?validate={validate.ToString().ToLowerInvariant()}";
using var response = await client.PostAsync(url, form, cancellationToken);
if (!response.IsSuccessStatusCode)
{
var error = await response.Content.ReadAsStringAsync(cancellationToken);
AnsiConsole.MarkupLine($"[red]Error: {response.StatusCode}[/]");
if (verbose)
{
AnsiConsole.MarkupLine($"[grey]{Markup.Escape(error)}[/]");
}
return 1;
}
var responseText = await response.Content.ReadAsStringAsync(cancellationToken);
if (json)
{
AnsiConsole.WriteLine(responseText);
}
else
{
var result = JsonSerializer.Deserialize<ImportSnapshotResponse>(responseText, FeedsJsonOptions);
if (result != null)
{
AnsiConsole.MarkupLine("[green]✓[/] Snapshot imported successfully");
AnsiConsole.MarkupLine($" Snapshot ID: [bold]{result.SnapshotId}[/]");
AnsiConsole.MarkupLine($" Digest: [cyan]{result.CompositeDigest}[/]");
AnsiConsole.MarkupLine($" Sources: {result.SourceCount}");
}
}
return 0;
}
catch (Exception ex)
{
AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(ex.Message)}[/]");
if (verbose)
{
AnsiConsole.WriteException(ex);
}
return 1;
}
}
internal static async Task<int> HandleFeedsSnapshotValidateAsync(
IServiceProvider services,
string snapshotId,
bool json,
bool verbose,
CancellationToken cancellationToken)
{
if (verbose)
{
AnsiConsole.MarkupLine("[blue]Validating feed snapshot...[/]");
AnsiConsole.MarkupLine($" Snapshot: [bold]{Markup.Escape(snapshotId)}[/]");
}
try
{
var httpClientFactory = services.GetService<IHttpClientFactory>();
if (httpClientFactory == null)
{
AnsiConsole.MarkupLine("[red]Error: HTTP client factory not available.[/]");
return 1;
}
var client = httpClientFactory.CreateClient("Concelier");
var url = $"/api/v1/feeds/snapshot/{Uri.EscapeDataString(snapshotId)}/validate";
using var response = await client.GetAsync(url, cancellationToken);
if (!response.IsSuccessStatusCode)
{
var error = await response.Content.ReadAsStringAsync(cancellationToken);
AnsiConsole.MarkupLine($"[red]Error: {response.StatusCode}[/]");
if (verbose)
{
AnsiConsole.MarkupLine($"[grey]{Markup.Escape(error)}[/]");
}
return 1;
}
var responseText = await response.Content.ReadAsStringAsync(cancellationToken);
if (json)
{
AnsiConsole.WriteLine(responseText);
}
else
{
var result = JsonSerializer.Deserialize<ValidateSnapshotResponse>(responseText, FeedsJsonOptions);
if (result != null)
{
if (result.IsValid)
{
AnsiConsole.MarkupLine("[green]✓[/] Snapshot is valid and can be replayed");
AnsiConsole.MarkupLine($" Snapshot Digest: [cyan]{result.SnapshotDigest}[/]");
AnsiConsole.MarkupLine($" Current Digest: [cyan]{result.CurrentDigest}[/]");
}
else
{
AnsiConsole.MarkupLine("[red]✗[/] Snapshot has drifted from current state");
AnsiConsole.MarkupLine($" Snapshot Digest: [cyan]{result.SnapshotDigest}[/]");
AnsiConsole.MarkupLine($" Current Digest: [yellow]{result.CurrentDigest}[/]");
if (result.DriftedSources?.Length > 0)
{
AnsiConsole.MarkupLine("\n[yellow]Drifted Sources:[/]");
var table = new Table()
.AddColumn("Source")
.AddColumn("Snapshot Digest")
.AddColumn("Current Digest")
.AddColumn("+Added")
.AddColumn("-Removed")
.AddColumn("~Modified");
foreach (var drift in result.DriftedSources)
{
table.AddRow(
drift.SourceId ?? "-",
drift.SnapshotDigest?.Substring(0, 12) + "..." ?? "-",
drift.CurrentDigest?.Substring(0, 12) + "..." ?? "-",
$"[green]+{drift.AddedItems}[/]",
$"[red]-{drift.RemovedItems}[/]",
$"[yellow]~{drift.ModifiedItems}[/]");
}
AnsiConsole.Write(table);
}
}
}
}
return 0;
}
catch (Exception ex)
{
AnsiConsole.MarkupLine($"[red]Error: {Markup.Escape(ex.Message)}[/]");
if (verbose)
{
AnsiConsole.WriteException(ex);
}
return 1;
}
}
private static string FormatBytes(long bytes)
{
string[] sizes = ["B", "KB", "MB", "GB", "TB"];
int order = 0;
double size = bytes;
while (size >= 1024 && order < sizes.Length - 1)
{
order++;
size /= 1024;
}
return $"{size:0.##} {sizes[order]}";
}
// DTO types for JSON deserialization
private sealed record CreateSnapshotResponse(
string SnapshotId,
string CompositeDigest,
DateTimeOffset CreatedAt,
SourceSnapshotSummary[]? Sources);
private sealed record SourceSnapshotSummary(
string SourceId,
string Digest,
int ItemCount);
private sealed record ListSnapshotsResponse(
SnapshotListItem[] Snapshots);
private sealed record SnapshotListItem(
string SnapshotId,
string CompositeDigest,
string? Label,
DateTimeOffset CreatedAt,
int SourceCount,
int TotalItemCount);
private sealed record ImportSnapshotResponse(
string SnapshotId,
string CompositeDigest,
DateTimeOffset CreatedAt,
int SourceCount);
private sealed record ValidateSnapshotResponse(
bool IsValid,
string SnapshotDigest,
string CurrentDigest,
DriftedSourceInfo[]? DriftedSources);
private sealed record DriftedSourceInfo(
string SourceId,
string SnapshotDigest,
string CurrentDigest,
int AddedItems,
int RemovedItems,
int ModifiedItems);
}

344
src/Cli/StellaOps.Cli/Commands/CommandHandlers.Sign.cs Normal file
View File

@@ -0,0 +1,344 @@
// SPDX-License-Identifier: AGPL-3.0-or-later
// Sprint: SPRINT_20251226_007_BE_determinism_gaps
// Task: DET-GAP-08 - CLI handlers for keyless signing
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
using Spectre.Console;
using StellaOps.Cli.Output;
using StellaOps.Signer.Infrastructure.Sigstore;
namespace StellaOps.Cli.Commands;
internal static partial class CommandHandlers
{
/// <summary>
/// Handle keyless signing via Sigstore (Fulcio + Rekor).
/// </summary>
public static async Task<int> HandleSignKeylessAsync(
IServiceProvider services,
string input,
string? output,
string? identityToken,
bool useRekor,
string? fulcioUrl,
string? rekorUrl,
string? oidcIssuer,
string bundleFormat,
string? caBundle,
bool insecure,
bool verbose,
CancellationToken cancellationToken)
{
if (!File.Exists(input))
{
AnsiConsole.MarkupLine($"[red]Error:[/] Input file not found: {input}");
return CliExitCodes.InputFileNotFound;
}
try
{
// Resolve output path
var outputPath = output ?? $"{input}.sigstore";
// Get or detect identity token
var token = identityToken ?? await DetectAmbientIdentityTokenAsync(cancellationToken);
if (string.IsNullOrEmpty(token))
{
AnsiConsole.MarkupLine("[red]Error:[/] No identity token provided and ambient detection failed.");
AnsiConsole.MarkupLine("[dim]Provide --identity-token or run in a CI environment with OIDC support.[/]");
return CliExitCodes.MissingRequiredOption;
}
// Read artifact
var artifactBytes = await File.ReadAllBytesAsync(input, cancellationToken);
if (verbose)
{
AnsiConsole.MarkupLine($"[dim]Input:[/] {input} ({artifactBytes.Length} bytes)");
AnsiConsole.MarkupLine($"[dim]Output:[/] {outputPath}");
AnsiConsole.MarkupLine($"[dim]Rekor:[/] {(useRekor ? "enabled" : "disabled")}");
if (fulcioUrl != null) AnsiConsole.MarkupLine($"[dim]Fulcio URL:[/] {fulcioUrl}");
if (rekorUrl != null) AnsiConsole.MarkupLine($"[dim]Rekor URL:[/] {rekorUrl}");
}
// Get signing service (with option overrides)
var sigstoreService = services.GetService<ISigstoreSigningService>();
if (sigstoreService is null)
{
AnsiConsole.MarkupLine("[red]Error:[/] Sigstore signing service not configured.");
AnsiConsole.MarkupLine("[dim]Ensure Sigstore is enabled in configuration.[/]");
return CliExitCodes.ServiceNotConfigured;
}
AnsiConsole.MarkupLine("[blue]Signing artifact with Sigstore keyless signing...[/]");
var result = await sigstoreService.SignKeylessAsync(
artifactBytes,
token,
cancellationToken);
// Write bundle based on format
var bundle = CreateSignatureBundle(result, bundleFormat);
await File.WriteAllTextAsync(outputPath, bundle, cancellationToken);
AnsiConsole.MarkupLine($"[green]✓[/] Signature bundle written to: [cyan]{outputPath}[/]");
AnsiConsole.MarkupLine($"[dim]Subject:[/] {result.Certificate.Subject}");
AnsiConsole.MarkupLine($"[dim]Issuer:[/] {result.Certificate.Issuer}");
AnsiConsole.MarkupLine($"[dim]Certificate expires:[/] {result.Certificate.ExpiresAtUtc:u}");
if (result.RekorEntry != null)
{
AnsiConsole.MarkupLine($"[dim]Rekor log index:[/] {result.RekorEntry.LogIndex}");
AnsiConsole.MarkupLine($"[dim]Rekor UUID:[/] {result.RekorEntry.Uuid}");
}
return CliExitCodes.Success;
}
catch (SigstoreException ex)
{
AnsiConsole.MarkupLine($"[red]Sigstore error:[/] {ex.Message}");
if (verbose)
{
AnsiConsole.WriteException(ex);
}
return CliExitCodes.SigningFailed;
}
catch (Exception ex)
{
AnsiConsole.MarkupLine($"[red]Error:[/] {ex.Message}");
if (verbose)
{
AnsiConsole.WriteException(ex);
}
return CliExitCodes.UnexpectedError;
}
}
/// <summary>
/// Handle keyless signature verification.
/// </summary>
public static async Task<int> HandleVerifyKeylessAsync(
IServiceProvider services,
string input,
string? bundlePath,
string? certificatePath,
string? signaturePath,
string? rekorUuid,
string? rekorUrl,
string? expectedIssuer,
string? expectedSubject,
string? caBundle,
bool verbose,
CancellationToken cancellationToken)
{
if (!File.Exists(input))
{
AnsiConsole.MarkupLine($"[red]Error:[/] Input file not found: {input}");
return CliExitCodes.InputFileNotFound;
}
try
{
// Resolve bundle or certificate+signature paths
var resolvedBundlePath = bundlePath ?? $"{input}.sigstore";
string certificate;
byte[] signature;
if (File.Exists(resolvedBundlePath))
{
// Parse bundle
var bundleJson = await File.ReadAllTextAsync(resolvedBundlePath, cancellationToken);
var bundle = JsonDocument.Parse(bundleJson);
certificate = bundle.RootElement.GetProperty("certificate").GetString() ?? string.Empty;
var sigBase64 = bundle.RootElement.GetProperty("signature").GetString() ?? string.Empty;
signature = Convert.FromBase64String(sigBase64);
if (bundle.RootElement.TryGetProperty("rekorEntry", out var rekorEntry))
{
rekorUuid ??= rekorEntry.GetProperty("uuid").GetString();
}
}
else if (certificatePath != null && signaturePath != null)
{
certificate = await File.ReadAllTextAsync(certificatePath, cancellationToken);
signature = await File.ReadAllBytesAsync(signaturePath, cancellationToken);
}
else
{
AnsiConsole.MarkupLine("[red]Error:[/] No bundle found and --certificate/--signature not provided.");
return CliExitCodes.MissingRequiredOption;
}
var artifactBytes = await File.ReadAllBytesAsync(input, cancellationToken);
if (verbose)
{
AnsiConsole.MarkupLine($"[dim]Input:[/] {input} ({artifactBytes.Length} bytes)");
AnsiConsole.MarkupLine($"[dim]Certificate:[/] {(certificatePath ?? resolvedBundlePath)}");
if (rekorUuid != null) AnsiConsole.MarkupLine($"[dim]Rekor UUID:[/] {rekorUuid}");
}
var sigstoreService = services.GetService<ISigstoreSigningService>();
if (sigstoreService is null)
{
AnsiConsole.MarkupLine("[red]Error:[/] Sigstore signing service not configured.");
return CliExitCodes.ServiceNotConfigured;
}
AnsiConsole.MarkupLine("[blue]Verifying keyless signature...[/]");
var isValid = await sigstoreService.VerifyKeylessAsync(
artifactBytes,
signature,
certificate,
rekorUuid,
cancellationToken);
if (isValid)
{
AnsiConsole.MarkupLine("[green]✓[/] Signature verification [green]PASSED[/]");
// Additional policy checks
if (expectedIssuer != null || expectedSubject != null)
{
var cert = System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromPem(certificate);
var (subject, issuer) = ExtractCertificateIdentity(cert);
if (expectedIssuer != null && !string.Equals(issuer, expectedIssuer, StringComparison.OrdinalIgnoreCase))
{
AnsiConsole.MarkupLine($"[yellow]⚠[/] Issuer mismatch: expected '{expectedIssuer}', got '{issuer}'");
return CliExitCodes.PolicyViolation;
}
if (expectedSubject != null && !subject.Contains(expectedSubject, StringComparison.OrdinalIgnoreCase))
{
AnsiConsole.MarkupLine($"[yellow]⚠[/] Subject mismatch: expected '{expectedSubject}', got '{subject}'");
return CliExitCodes.PolicyViolation;
}
AnsiConsole.MarkupLine($"[dim]Subject:[/] {subject}");
AnsiConsole.MarkupLine($"[dim]Issuer:[/] {issuer}");
}
return CliExitCodes.Success;
}
else
{
AnsiConsole.MarkupLine("[red]✗[/] Signature verification [red]FAILED[/]");
return CliExitCodes.VerificationFailed;
}
}
catch (Exception ex)
{
AnsiConsole.MarkupLine($"[red]Error:[/] {ex.Message}");
if (verbose)
{
AnsiConsole.WriteException(ex);
}
return CliExitCodes.UnexpectedError;
}
}
/// <summary>
/// Attempts to detect ambient identity token from CI environment.
/// </summary>
private static Task<string?> DetectAmbientIdentityTokenAsync(CancellationToken cancellationToken)
{
// Check common CI environment variables for OIDC tokens
// Gitea Actions
var giteaToken = Environment.GetEnvironmentVariable("ACTIONS_ID_TOKEN_REQUEST_TOKEN");
if (!string.IsNullOrEmpty(giteaToken))
{
return Task.FromResult<string?>(giteaToken);
}
// GitHub Actions
var githubToken = Environment.GetEnvironmentVariable("ACTIONS_ID_TOKEN_REQUEST_TOKEN");
if (!string.IsNullOrEmpty(githubToken))
{
return Task.FromResult<string?>(githubToken);
}
// GitLab CI
var gitlabToken = Environment.GetEnvironmentVariable("CI_JOB_JWT_V2")
?? Environment.GetEnvironmentVariable("CI_JOB_JWT");
if (!string.IsNullOrEmpty(gitlabToken))
{
return Task.FromResult<string?>(gitlabToken);
}
// Kubernetes service account token
var k8sTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token";
if (File.Exists(k8sTokenPath))
{
var k8sToken = File.ReadAllText(k8sTokenPath);
return Task.FromResult<string?>(k8sToken);
}
return Task.FromResult<string?>(null);
}
/// <summary>
/// Creates signature bundle in specified format.
/// </summary>
private static string CreateSignatureBundle(SigstoreSigningResult result, string format)
{
var bundle = new
{
mediaType = "application/vnd.dev.sigstore.bundle+json;version=0.2",
certificate = result.Certificate.Certificate,
certificateChain = result.Certificate.CertificateChain,
signature = result.Signature,
publicKey = result.PublicKey,
algorithm = result.Algorithm,
sct = result.Certificate.SignedCertificateTimestamp,
rekorEntry = result.RekorEntry is not null ? new
{
uuid = result.RekorEntry.Uuid,
logIndex = result.RekorEntry.LogIndex,
integratedTime = result.RekorEntry.IntegratedTime,
logId = result.RekorEntry.LogId,
signedEntryTimestamp = result.RekorEntry.SignedEntryTimestamp
} : null,
signedAt = DateTimeOffset.UtcNow.ToString("o"),
subject = result.Certificate.Subject,
issuer = result.Certificate.Issuer
};
return JsonSerializer.Serialize(bundle, new JsonSerializerOptions
{
WriteIndented = true,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull
});
}
/// <summary>
/// Extracts OIDC identity from Fulcio certificate.
/// </summary>
private static (string Subject, string Issuer) ExtractCertificateIdentity(
System.Security.Cryptography.X509Certificates.X509Certificate2 cert)
{
var issuer = "unknown";
var subject = cert.Subject;
foreach (var ext in cert.Extensions)
{
// Fulcio OIDC issuer extension
if (ext.Oid?.Value == "1.3.6.1.4.1.57264.1.1")
{
issuer = System.Text.Encoding.UTF8.GetString(ext.RawData).Trim('\0');
}
// Fulcio OIDC subject extension
else if (ext.Oid?.Value == "1.3.6.1.4.1.57264.1.7")
{
subject = System.Text.Encoding.UTF8.GetString(ext.RawData).Trim('\0');
}
}
return (subject, issuer);
}
}

281
src/Cli/StellaOps.Cli/Commands/FeedsCommandGroup.cs Normal file
View File

@@ -0,0 +1,281 @@
// -----------------------------------------------------------------------------
// FeedsCommandGroup.cs
// Sprint: SPRINT_20251226_007_BE_determinism_gaps
// Task: DET-GAP-04
// Description: CLI commands for feed snapshot operations for offline/deterministic replay.
// -----------------------------------------------------------------------------
using System.CommandLine;
using StellaOps.Cli.Extensions;
namespace StellaOps.Cli.Commands;
/// <summary>
/// CLI commands for feed snapshot operations.
/// Per DET-GAP-04 in SPRINT_20251226_007_BE_determinism_gaps.
/// </summary>
internal static class FeedsCommandGroup
{
/// <summary>
/// Builds the feeds command group.
/// </summary>
internal static Command BuildFeedsCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var feeds = new Command("feeds", "Feed snapshot operations for deterministic replay.");
feeds.Add(BuildSnapshotCommand(services, verboseOption, cancellationToken));
return feeds;
}
private static Command BuildSnapshotCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var snapshot = new Command("snapshot", "Feed snapshot operations.");
snapshot.Add(BuildSnapshotCreateCommand(services, verboseOption, cancellationToken));
snapshot.Add(BuildSnapshotListCommand(services, verboseOption, cancellationToken));
snapshot.Add(BuildSnapshotExportCommand(services, verboseOption, cancellationToken));
snapshot.Add(BuildSnapshotImportCommand(services, verboseOption, cancellationToken));
snapshot.Add(BuildSnapshotValidateCommand(services, verboseOption, cancellationToken));
return snapshot;
}
private static Command BuildSnapshotCreateCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var labelOption = new Option<string?>("--label", new[] { "-l" })
{
Description = "Human-readable label for the snapshot."
};
var sourcesOption = new Option<string[]?>("--sources", new[] { "-s" })
{
Description = "Specific feed sources to include (default: all).",
AllowMultipleArgumentsPerToken = true
};
var jsonOption = new Option<bool>("--json")
{
Description = "Output as JSON."
};
var command = new Command("create", "Create an atomic feed snapshot.")
{
labelOption,
sourcesOption,
jsonOption,
verboseOption
};
command.SetAction(parseResult =>
{
var label = parseResult.GetValue(labelOption);
var sources = parseResult.GetValue(sourcesOption);
var json = parseResult.GetValue(jsonOption);
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleFeedsSnapshotCreateAsync(
services,
label,
sources,
json,
verbose,
cancellationToken);
});
return command;
}
private static Command BuildSnapshotListCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var limitOption = new Option<int>("--limit", new[] { "-n" })
{
Description = "Maximum number of snapshots to list."
};
limitOption.SetDefaultValue(25);
var jsonOption = new Option<bool>("--json")
{
Description = "Output as JSON."
};
var command = new Command("list", "List available feed snapshots.")
{
limitOption,
jsonOption,
verboseOption
};
command.SetAction(parseResult =>
{
var limit = parseResult.GetValue(limitOption);
var json = parseResult.GetValue(jsonOption);
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleFeedsSnapshotListAsync(
services,
limit,
json,
verbose,
cancellationToken);
});
return command;
}
private static Command BuildSnapshotExportCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var snapshotIdArgument = new Argument<string>("snapshot-id")
{
Description = "Snapshot ID or composite digest."
};
var outputOption = new Option<string>("--output", new[] { "-o" })
{
Description = "Output file path.",
IsRequired = true
};
var compressionOption = new Option<string>("--compression", new[] { "-c" })
{
Description = "Compression algorithm (zstd, gzip, none)."
};
compressionOption.SetDefaultValue("zstd");
var jsonOption = new Option<bool>("--json")
{
Description = "Output metadata as JSON."
};
var command = new Command("export", "Export a feed snapshot bundle for offline use.")
{
snapshotIdArgument,
outputOption,
compressionOption,
jsonOption,
verboseOption
};
command.SetAction(parseResult =>
{
var snapshotId = parseResult.GetValue(snapshotIdArgument);
var output = parseResult.GetValue(outputOption);
var compression = parseResult.GetValue(compressionOption);
var json = parseResult.GetValue(jsonOption);
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleFeedsSnapshotExportAsync(
services,
snapshotId,
output!,
compression,
json,
verbose,
cancellationToken);
});
return command;
}
private static Command BuildSnapshotImportCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var inputArgument = new Argument<string>("input-file")
{
Description = "Path to the snapshot bundle file."
};
var validateOption = new Option<bool>("--validate")
{
Description = "Validate digests during import."
};
validateOption.SetDefaultValue(true);
var jsonOption = new Option<bool>("--json")
{
Description = "Output as JSON."
};
var command = new Command("import", "Import a feed snapshot bundle.")
{
inputArgument,
validateOption,
jsonOption,
verboseOption
};
command.SetAction(parseResult =>
{
var input = parseResult.GetValue(inputArgument);
var validate = parseResult.GetValue(validateOption);
var json = parseResult.GetValue(jsonOption);
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleFeedsSnapshotImportAsync(
services,
input,
validate,
json,
verbose,
cancellationToken);
});
return command;
}
private static Command BuildSnapshotValidateCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var snapshotIdArgument = new Argument<string>("snapshot-id")
{
Description = "Snapshot ID or composite digest to validate."
};
var jsonOption = new Option<bool>("--json")
{
Description = "Output as JSON."
};
var command = new Command("validate", "Validate a feed snapshot for drift.")
{
snapshotIdArgument,
jsonOption,
verboseOption
};
command.SetAction(parseResult =>
{
var snapshotId = parseResult.GetValue(snapshotIdArgument);
var json = parseResult.GetValue(jsonOption);
var verbose = parseResult.GetValue(verboseOption);
return CommandHandlers.HandleFeedsSnapshotValidateAsync(
services,
snapshotId,
json,
verbose,
cancellationToken);
});
return command;
}
}

631
src/Cli/StellaOps.Cli/Commands/GateCommandGroup.cs Normal file
View File

@@ -0,0 +1,631 @@
// -----------------------------------------------------------------------------
// GateCommandGroup.cs
// Sprint: SPRINT_20251226_001_BE_cicd_gate_integration
// Task: CICD-GATE-05 - CLI command stella gate evaluate
// Description: CLI commands for CI/CD gate evaluation
// -----------------------------------------------------------------------------
using System.CommandLine;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using StellaOps.Cli.Configuration;
using Spectre.Console;
namespace StellaOps.Cli.Commands;
/// <summary>
/// Command group for CI/CD gate evaluation.
/// Implements `stella gate evaluate` for release gating in CI pipelines.
/// </summary>
public static class GateCommandGroup
{
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
{
WriteIndented = true,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
/// <summary>
/// Build the gate command group.
/// </summary>
public static Command BuildGateCommand(
IServiceProvider services,
StellaOpsCliOptions options,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var gate = new Command("gate", "CI/CD release gate operations");
gate.Add(BuildEvaluateCommand(services, options, verboseOption, cancellationToken));
gate.Add(BuildStatusCommand(services, options, verboseOption, cancellationToken));
return gate;
}
private static Command BuildEvaluateCommand(
IServiceProvider services,
StellaOpsCliOptions options,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var imageOption = new Option<string>("--image", "-i")
{
Description = "Image digest to evaluate (e.g., sha256:abc123...)",
Required = true
};
var baselineOption = new Option<string?>("--baseline", "-b")
{
Description = "Baseline reference for comparison (snapshot ID, digest, or 'last-approved')"
};
var policyOption = new Option<string?>("--policy", "-p")
{
Description = "Policy ID to use for evaluation"
};
var overrideOption = new Option<bool>("--allow-override")
{
Description = "Allow override of blocking gates"
};
var justificationOption = new Option<string?>("--justification", "-j")
{
Description = "Justification for override (required if --allow-override is used)"
};
var branchOption = new Option<string?>("--branch")
{
Description = "Git branch name for context"
};
var commitOption = new Option<string?>("--commit")
{
Description = "Git commit SHA for context"
};
var pipelineOption = new Option<string?>("--pipeline")
{
Description = "CI/CD pipeline ID for tracking"
};
var envOption = new Option<string?>("--env")
{
Description = "Target environment (e.g., production, staging)"
};
var outputOption = new Option<string>("--output", "-o")
{
Description = "Output format: table (default), json, exit-code-only"
};
var timeoutOption = new Option<int?>("--timeout")
{
Description = "Request timeout in seconds (default: 60)"
};
var evaluate = new Command("evaluate", "Evaluate a CI/CD gate for an image")
{
imageOption,
baselineOption,
policyOption,
overrideOption,
justificationOption,
branchOption,
commitOption,
pipelineOption,
envOption,
outputOption,
timeoutOption,
verboseOption
};
evaluate.SetAction(async (parseResult, _) =>
{
var image = parseResult.GetValue(imageOption) ?? string.Empty;
var baseline = parseResult.GetValue(baselineOption);
var policy = parseResult.GetValue(policyOption);
var allowOverride = parseResult.GetValue(overrideOption);
var justification = parseResult.GetValue(justificationOption);
var branch = parseResult.GetValue(branchOption);
var commit = parseResult.GetValue(commitOption);
var pipeline = parseResult.GetValue(pipelineOption);
var env = parseResult.GetValue(envOption);
var output = parseResult.GetValue(outputOption) ?? "table";
var timeout = parseResult.GetValue(timeoutOption) ?? 60;
var verbose = parseResult.GetValue(verboseOption);
return await HandleEvaluateAsync(
services,
options,
image,
baseline,
policy,
allowOverride,
justification,
branch,
commit,
pipeline,
env,
output,
timeout,
verbose,
cancellationToken);
});
return evaluate;
}
private static Command BuildStatusCommand(
IServiceProvider services,
StellaOpsCliOptions options,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var decisionIdOption = new Option<string>("--decision-id", "-d")
{
Description = "Decision ID to retrieve status for",
Required = true
};
var outputOption = new Option<string>("--output", "-o")
{
Description = "Output format: table (default), json"
};
var status = new Command("status", "Get status of a previous gate evaluation")
{
decisionIdOption,
outputOption,
verboseOption
};
status.SetAction(async (parseResult, _) =>
{
var decisionId = parseResult.GetValue(decisionIdOption) ?? string.Empty;
var output = parseResult.GetValue(outputOption) ?? "table";
var verbose = parseResult.GetValue(verboseOption);
return await HandleStatusAsync(
services,
options,
decisionId,
output,
verbose,
cancellationToken);
});
return status;
}
private static async Task<int> HandleEvaluateAsync(
IServiceProvider services,
StellaOpsCliOptions options,
string image,
string? baseline,
string? policy,
bool allowOverride,
string? justification,
string? branch,
string? commit,
string? pipeline,
string? env,
string output,
int timeout,
bool verbose,
CancellationToken ct)
{
var loggerFactory = services.GetService<ILoggerFactory>();
var logger = loggerFactory?.CreateLogger(typeof(GateCommandGroup));
var console = AnsiConsole.Console;
try
{
if (string.IsNullOrWhiteSpace(image))
{
console.MarkupLine("[red]Error:[/] Image digest is required.");
return GateExitCodes.InputError;
}
if (allowOverride && string.IsNullOrWhiteSpace(justification))
{
console.MarkupLine("[red]Error:[/] Justification is required when using --allow-override.");
return GateExitCodes.InputError;
}
if (verbose)
{
console.MarkupLine($"[dim]Evaluating gate for image: {image}[/]");
if (!string.IsNullOrWhiteSpace(baseline))
{
console.MarkupLine($"[dim]Baseline: {baseline}[/]");
}
}
// Build request
var request = new GateEvaluateRequest
{
ImageDigest = image,
BaselineRef = baseline,
PolicyId = policy,
AllowOverride = allowOverride,
OverrideJustification = justification,
Context = new GateEvaluationContext
{
Branch = branch,
CommitSha = commit,
PipelineId = pipeline,
Environment = env,
Actor = Environment.UserName
}
};
// Call API
var httpClientFactory = services.GetService<IHttpClientFactory>();
using var client = httpClientFactory?.CreateClient("PolicyGateway")
?? new HttpClient();
// Configure base address if not set
if (client.BaseAddress is null)
{
var gatewayUrl = options.PolicyGateway?.BaseUrl
?? Environment.GetEnvironmentVariable("STELLAOPS_POLICY_GATEWAY_URL")
?? "http://localhost:5080";
client.BaseAddress = new Uri(gatewayUrl);
}
client.Timeout = TimeSpan.FromSeconds(timeout);
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
if (verbose)
{
console.MarkupLine($"[dim]Calling: {client.BaseAddress}api/v1/policy/gate/evaluate[/]");
}
var response = await client.PostAsJsonAsync(
"api/v1/policy/gate/evaluate",
request,
JsonOptions,
ct);
if (!response.IsSuccessStatusCode)
{
var errorContent = await response.Content.ReadAsStringAsync(ct);
logger?.LogError("Gate evaluation API returned {StatusCode}: {Content}",
response.StatusCode, errorContent);
console.MarkupLine($"[red]Error:[/] Gate evaluation failed with status {response.StatusCode}");
if (verbose && !string.IsNullOrWhiteSpace(errorContent))
{
console.MarkupLine($"[dim]{errorContent}[/]");
}
return GateExitCodes.NetworkError;
}
var result = await response.Content.ReadFromJsonAsync<GateEvaluateResponse>(JsonOptions, ct);
if (result is null)
{
console.MarkupLine("[red]Error:[/] Failed to parse gate evaluation response.");
return GateExitCodes.PolicyError;
}
// Output results
switch (output.ToLowerInvariant())
{
case "json":
var json = JsonSerializer.Serialize(result, JsonOptions);
console.WriteLine(json);
break;
case "exit-code-only":
// No output, just return exit code
break;
default:
WriteTableOutput(console, result, verbose);
break;
}
return result.ExitCode;
}
catch (HttpRequestException ex)
{
logger?.LogError(ex, "Network error calling gate evaluation API");
console.MarkupLine($"[red]Error:[/] Network error: {ex.Message}");
return GateExitCodes.NetworkError;
}
catch (TaskCanceledException ex) when (ex.CancellationToken != ct)
{
logger?.LogError(ex, "Gate evaluation request timed out");
console.MarkupLine("[red]Error:[/] Request timed out.");
return GateExitCodes.NetworkError;
}
catch (Exception ex)
{
logger?.LogError(ex, "Unexpected error in gate evaluation");
console.MarkupLine($"[red]Error:[/] {ex.Message}");
return GateExitCodes.UnknownError;
}
}
private static async Task<int> HandleStatusAsync(
IServiceProvider services,
StellaOpsCliOptions options,
string decisionId,
string output,
bool verbose,
CancellationToken ct)
{
var console = AnsiConsole.Console;
console.MarkupLine($"[yellow]Gate status lookup not yet implemented.[/]");
console.MarkupLine($"[dim]Decision ID: {decisionId}[/]");
await Task.CompletedTask;
return 0;
}
private static void WriteTableOutput(IAnsiConsole console, GateEvaluateResponse result, bool verbose)
{
var statusColor = result.Status switch
{
GateStatus.Pass => "green",
GateStatus.Warn => "yellow",
GateStatus.Fail => "red",
_ => "white"
};
var statusIcon = result.Status switch
{
GateStatus.Pass => "✓",
GateStatus.Warn => "⚠",
GateStatus.Fail => "✗",
_ => "?"
};
// Header
var header = new Panel(new Markup($"[bold]Gate Evaluation Result[/]"))
.Border(BoxBorder.Rounded)
.Padding(1, 0);
console.Write(header);
// Summary
var table = new Table()
.Border(TableBorder.Rounded)
.AddColumn("Field")
.AddColumn("Value");
table.AddRow("Decision ID", result.DecisionId);
table.AddRow("Status", $"[{statusColor}]{statusIcon} {result.Status}[/]");
table.AddRow("Exit Code", result.ExitCode.ToString());
table.AddRow("Image", result.ImageDigest);
table.AddRow("Baseline", result.BaselineRef ?? "(default)");
table.AddRow("Decided At", result.DecidedAt.ToString("O"));
if (!string.IsNullOrWhiteSpace(result.Summary))
{
table.AddRow("Summary", result.Summary);
}
console.Write(table);
// Blocked info
if (result.Status == GateStatus.Fail)
{
console.WriteLine();
console.MarkupLine($"[red bold]Blocked by:[/] {result.BlockedBy ?? "Unknown gate"}");
if (!string.IsNullOrWhiteSpace(result.BlockReason))
{
console.MarkupLine($"[red]Reason:[/] {result.BlockReason}");
}
if (!string.IsNullOrWhiteSpace(result.Suggestion))
{
console.MarkupLine($"[yellow]Suggestion:[/] {result.Suggestion}");
}
}
// Advisory
if (!string.IsNullOrWhiteSpace(result.Advisory))
{
console.WriteLine();
console.MarkupLine($"[cyan]Advisory:[/] {result.Advisory}");
}
// Gate details (verbose only)
if (verbose && result.Gates is { Count: > 0 })
{
console.WriteLine();
var gateTable = new Table()
.Border(TableBorder.Rounded)
.Title("[bold]Gate Results[/]")
.AddColumn("Gate")
.AddColumn("Result")
.AddColumn("Reason");
foreach (var gate in result.Gates)
{
var gateColor = gate.Result switch
{
"pass" => "green",
"warn" => "yellow",
"fail" or "block" => "red",
_ => "white"
};
gateTable.AddRow(
gate.Name,
$"[{gateColor}]{gate.Result}[/]",
gate.Reason);
}
console.Write(gateTable);
}
// Delta summary (verbose only)
if (verbose && result.DeltaSummary is not null)
{
console.WriteLine();
console.MarkupLine("[bold]Delta Summary:[/]");
console.MarkupLine($" Added findings: {result.DeltaSummary.Added}");
console.MarkupLine($" Removed findings: {result.DeltaSummary.Removed}");
console.MarkupLine($" Unchanged: {result.DeltaSummary.Unchanged}");
}
}
#region DTOs
private sealed record GateEvaluateRequest
{
[JsonPropertyName("imageDigest")]
public required string ImageDigest { get; init; }
[JsonPropertyName("baselineRef")]
public string? BaselineRef { get; init; }
[JsonPropertyName("policyId")]
public string? PolicyId { get; init; }
[JsonPropertyName("allowOverride")]
public bool AllowOverride { get; init; }
[JsonPropertyName("overrideJustification")]
public string? OverrideJustification { get; init; }
[JsonPropertyName("context")]
public GateEvaluationContext? Context { get; init; }
}
private sealed record GateEvaluationContext
{
[JsonPropertyName("branch")]
public string? Branch { get; init; }
[JsonPropertyName("commitSha")]
public string? CommitSha { get; init; }
[JsonPropertyName("pipelineId")]
public string? PipelineId { get; init; }
[JsonPropertyName("environment")]
public string? Environment { get; init; }
[JsonPropertyName("actor")]
public string? Actor { get; init; }
}
private sealed record GateEvaluateResponse
{
[JsonPropertyName("decisionId")]
public required string DecisionId { get; init; }
[JsonPropertyName("status")]
public required GateStatus Status { get; init; }
[JsonPropertyName("exitCode")]
public required int ExitCode { get; init; }
[JsonPropertyName("imageDigest")]
public required string ImageDigest { get; init; }
[JsonPropertyName("baselineRef")]
public string? BaselineRef { get; init; }
[JsonPropertyName("decidedAt")]
public required DateTimeOffset DecidedAt { get; init; }
[JsonPropertyName("summary")]
public string? Summary { get; init; }
[JsonPropertyName("advisory")]
public string? Advisory { get; init; }
[JsonPropertyName("gates")]
public IReadOnlyList<GateResultDto>? Gates { get; init; }
[JsonPropertyName("blockedBy")]
public string? BlockedBy { get; init; }
[JsonPropertyName("blockReason")]
public string? BlockReason { get; init; }
[JsonPropertyName("suggestion")]
public string? Suggestion { get; init; }
[JsonPropertyName("overrideApplied")]
public bool OverrideApplied { get; init; }
[JsonPropertyName("deltaSummary")]
public DeltaSummaryDto? DeltaSummary { get; init; }
}
private sealed record GateResultDto
{
[JsonPropertyName("name")]
public required string Name { get; init; }
[JsonPropertyName("result")]
public required string Result { get; init; }
[JsonPropertyName("reason")]
public required string Reason { get; init; }
[JsonPropertyName("note")]
public string? Note { get; init; }
[JsonPropertyName("condition")]
public string? Condition { get; init; }
}
private sealed record DeltaSummaryDto
{
[JsonPropertyName("added")]
public int Added { get; init; }
[JsonPropertyName("removed")]
public int Removed { get; init; }
[JsonPropertyName("unchanged")]
public int Unchanged { get; init; }
}
private enum GateStatus
{
Pass = 0,
Warn = 1,
Fail = 2
}
#endregion
}
/// <summary>
/// Exit codes for gate evaluation command.
/// </summary>
public static class GateExitCodes
{
/// <summary>Gate passed - proceed with deployment.</summary>
public const int Pass = 0;
/// <summary>Gate produced warnings - configurable pass-through.</summary>
public const int Warn = 1;
/// <summary>Gate blocked - do not proceed.</summary>
public const int Fail = 2;
/// <summary>Input error - invalid parameters.</summary>
public const int InputError = 10;
/// <summary>Network error - unable to reach gate service.</summary>
public const int NetworkError = 11;
/// <summary>Policy error - gate evaluation failed.</summary>
public const int PolicyError = 12;
/// <summary>Unknown error.</summary>
public const int UnknownError = 99;
}

289
src/Cli/StellaOps.Cli/Commands/Proof/FuncProofCommandGroup.cs Normal file
View File

@@ -0,0 +1,289 @@
// -----------------------------------------------------------------------------
// FuncProofCommandGroup.cs
// Sprint: SPRINT_20251226_009_SCANNER_funcproof
// Tasks: FUNC-16, FUNC-17
// Description: CLI commands for function-level proof generation and verification.
// -----------------------------------------------------------------------------
using System.CommandLine;
using StellaOps.Cli.Extensions;
namespace StellaOps.Cli.Commands.Proof;
/// <summary>
/// CLI command group for function-level proof operations.
/// Enables binary composition attestation and auditor replay verification.
/// </summary>
internal static class FuncProofCommandGroup
{
internal static Command BuildFuncProofCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var funcproof = new Command("funcproof", "Function-level proof operations for binary reachability evidence.");
funcproof.Add(BuildGenerateCommand(services, verboseOption, cancellationToken));
funcproof.Add(BuildVerifyCommand(services, verboseOption, cancellationToken));
funcproof.Add(BuildInfoCommand(services, verboseOption, cancellationToken));
funcproof.Add(BuildExportCommand(services, verboseOption, cancellationToken));
return funcproof;
}
private static Command BuildGenerateCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var binaryOption = new Option<string>("--binary", new[] { "-b" })
{
Description = "Path to binary file for function analysis.",
Required = true
};
var buildIdOption = new Option<string?>("--build-id")
{
Description = "Build identifier (e.g., git commit SHA). Auto-detected from ELF if not specified."
};
var signOption = new Option<bool>("--sign")
{
Description = "Sign the FuncProof with DSSE envelope."
};
var transparencyOption = new Option<bool>("--transparency")
{
Description = "Submit signed FuncProof to Rekor transparency log."
};
var registryOption = new Option<string?>("--registry", new[] { "-r" })
{
Description = "OCI registry to push FuncProof as referrer artifact (e.g., ghcr.io/myorg/proofs)."
};
var subjectOption = new Option<string?>("--subject")
{
Description = "Subject digest for OCI referrer relationship (sha256:...)."
};
var outputOption = new Option<string?>("--output", new[] { "-o" })
{
Description = "Output path for the generated FuncProof JSON. Defaults to stdout."
};
var formatOption = new Option<string>("--format", new[] { "-f" })
{
Description = "Output format: json (default), summary."
}.SetDefaultValue("json").FromAmong("json", "summary");
var detectMethodOption = new Option<string>("--detect-method")
{
Description = "Function detection method: auto (default), dwarf, symbols, heuristic."
}.SetDefaultValue("auto").FromAmong("auto", "dwarf", "symbols", "heuristic");
var command = new Command("generate", "Generate function-level proof from a binary.")
{
binaryOption,
buildIdOption,
signOption,
transparencyOption,
registryOption,
subjectOption,
outputOption,
formatOption,
detectMethodOption,
verboseOption
};
command.SetAction(parseResult =>
{
var binaryPath = parseResult.GetValue(binaryOption) ?? string.Empty;
var buildId = parseResult.GetValue(buildIdOption);
var sign = parseResult.GetValue(signOption);
var transparency = parseResult.GetValue(transparencyOption);
var registry = parseResult.GetValue(registryOption);
var subject = parseResult.GetValue(subjectOption);
var output = parseResult.GetValue(outputOption);
var format = parseResult.GetValue(formatOption) ?? "json";
var detectMethod = parseResult.GetValue(detectMethodOption) ?? "auto";
var verbose = parseResult.GetValue(verboseOption);
return FuncProofCommandHandlers.HandleGenerateAsync(
services,
binaryPath,
buildId,
sign,
transparency,
registry,
subject,
output,
format,
detectMethod,
verbose,
cancellationToken);
});
return command;
}
private static Command BuildVerifyCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var proofOption = new Option<string>("--proof", new[] { "-p" })
{
Description = "Path to FuncProof JSON file or DSSE envelope.",
Required = true
};
var binaryOption = new Option<string?>("--binary", new[] { "-b" })
{
Description = "Path to binary file for replay verification (optional, enables full replay)."
};
var offlineOption = new Option<bool>("--offline")
{
Description = "Offline mode (skip transparency log verification)."
};
var strictOption = new Option<bool>("--strict")
{
Description = "Strict mode (fail on any untrusted signature or missing evidence)."
};
var formatOption = new Option<string>("--format", new[] { "-f" })
{
Description = "Output format: text (default), json."
}.SetDefaultValue("text").FromAmong("text", "json");
var command = new Command("verify", "Verify a function-level proof and optionally replay against binary.")
{
proofOption,
binaryOption,
offlineOption,
strictOption,
formatOption,
verboseOption
};
command.SetAction(parseResult =>
{
var proofPath = parseResult.GetValue(proofOption) ?? string.Empty;
var binaryPath = parseResult.GetValue(binaryOption);
var offline = parseResult.GetValue(offlineOption);
var strict = parseResult.GetValue(strictOption);
var format = parseResult.GetValue(formatOption) ?? "text";
var verbose = parseResult.GetValue(verboseOption);
return FuncProofCommandHandlers.HandleVerifyAsync(
services,
proofPath,
binaryPath,
offline,
strict,
format,
verbose,
cancellationToken);
});
return command;
}
private static Command BuildInfoCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var proofArg = new Argument<string>("proof")
{
Description = "FuncProof ID, file path, or OCI reference."
};
var formatOption = new Option<string>("--format", new[] { "-f" })
{
Description = "Output format: text (default), json."
}.SetDefaultValue("text").FromAmong("text", "json");
var command = new Command("info", "Display FuncProof information and statistics.")
{
proofArg,
formatOption,
verboseOption
};
command.SetAction(parseResult =>
{
var proof = parseResult.GetValue(proofArg)!;
var format = parseResult.GetValue(formatOption)!;
var verbose = parseResult.GetValue(verboseOption);
return FuncProofCommandHandlers.HandleInfoAsync(
services,
proof,
format,
verbose,
cancellationToken);
});
return command;
}
private static Command BuildExportCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var proofArg = new Argument<string>("proof")
{
Description = "FuncProof ID, file path, or OCI reference."
};
var outputOption = new Option<string>("--output", new[] { "-o" })
{
Description = "Output directory for exported artifacts.",
Required = true
};
var formatOption = new Option<string>("--format", new[] { "-f" })
{
Description = "Export format: bundle (default), evidence-locker."
}.SetDefaultValue("bundle").FromAmong("bundle", "evidence-locker");
var includeOption = new Option<string[]>("--include", new[] { "-i" })
{
Description = "Include additional artifacts: dsse, tlog-receipt, raw-proof.",
AllowMultipleArgumentsPerToken = true
};
var command = new Command("export", "Export FuncProof and related artifacts.")
{
proofArg,
outputOption,
formatOption,
includeOption,
verboseOption
};
command.SetAction(parseResult =>
{
var proof = parseResult.GetValue(proofArg)!;
var output = parseResult.GetValue(outputOption)!;
var format = parseResult.GetValue(formatOption)!;
var include = parseResult.GetValue(includeOption) ?? Array.Empty<string>();
var verbose = parseResult.GetValue(verboseOption);
return FuncProofCommandHandlers.HandleExportAsync(
services,
proof,
output,
format,
include,
verbose,
cancellationToken);
});
return command;
}
}

570
src/Cli/StellaOps.Cli/Commands/Proof/FuncProofCommandHandlers.cs Normal file
View File

@@ -0,0 +1,570 @@
// -----------------------------------------------------------------------------
// FuncProofCommandHandlers.cs
// Sprint: SPRINT_20251226_009_SCANNER_funcproof
// Tasks: FUNC-16, FUNC-17
// Description: CLI command handlers for function-level proof operations.
// -----------------------------------------------------------------------------
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
namespace StellaOps.Cli.Commands.Proof;
/// <summary>
/// Command handlers for FuncProof CLI operations.
/// </summary>
internal static class FuncProofCommandHandlers
{
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
{
WriteIndented = true,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
/// <summary>
/// Generate a FuncProof from a binary file.
/// </summary>
public static async Task<int> HandleGenerateAsync(
IServiceProvider services,
string binaryPath,
string? buildId,
bool sign,
bool transparency,
string? registry,
string? subject,
string? output,
string format,
string detectMethod,
bool verbose,
CancellationToken ct)
{
var logger = services.GetRequiredService<ILogger<FuncProofCommandGroup>>();
if (!File.Exists(binaryPath))
{
Console.Error.WriteLine($"Error: Binary file not found: {binaryPath}");
return FuncProofExitCodes.FileNotFound;
}
logger.LogInformation("Generating FuncProof for {BinaryPath}", binaryPath);
try
{
// Read binary and compute file hash
var binaryBytes = await File.ReadAllBytesAsync(binaryPath, ct);
var fileSha256 = ComputeSha256(binaryBytes);
if (verbose)
{
Console.WriteLine($"Binary: {binaryPath}");
Console.WriteLine($"Size: {binaryBytes.Length:N0} bytes");
Console.WriteLine($"SHA-256: {fileSha256}");
}
// TODO: Integrate with FunctionBoundaryDetector and FuncProofBuilder
// For now, create a placeholder proof structure
var proof = new FuncProofOutput
{
SchemaVersion = "1.0.0",
ProofId = $"funcproof-{fileSha256[..16]}",
BuildId = buildId ?? ExtractBuildId(binaryBytes) ?? "unknown",
FileSha256 = fileSha256,
FileSize = binaryBytes.Length,
FunctionCount = 0, // Placeholder
Metadata = new FuncProofMetadataOutput
{
CreatedAt = DateTimeOffset.UtcNow.ToString("O"),
Tool = "stella-cli",
ToolVersion = "0.1.0",
DetectionMethod = detectMethod
}
};
if (format == "summary")
{
WriteSummary(proof);
}
else
{
var json = JsonSerializer.Serialize(proof, JsonOptions);
if (string.IsNullOrEmpty(output))
{
Console.WriteLine(json);
}
else
{
await File.WriteAllTextAsync(output, json, ct);
Console.WriteLine($"FuncProof written to: {output}");
}
}
// Handle signing
if (sign)
{
logger.LogInformation("Signing FuncProof with DSSE envelope");
// TODO: Integrate with FuncProofDsseService
Console.WriteLine("DSSE signing: enabled (integration pending)");
}
// Handle transparency log submission
if (transparency)
{
if (!sign)
{
Console.Error.WriteLine("Error: --transparency requires --sign");
return FuncProofExitCodes.InvalidArguments;
}
logger.LogInformation("Submitting to transparency log");
// TODO: Integrate with FuncProofTransparencyService
Console.WriteLine("Transparency log: submission pending");
}
// Handle OCI registry push
if (!string.IsNullOrEmpty(registry))
{
if (string.IsNullOrEmpty(subject))
{
Console.Error.WriteLine("Error: --registry requires --subject for referrer relationship");
return FuncProofExitCodes.InvalidArguments;
}
logger.LogInformation("Pushing FuncProof to OCI registry {Registry}", registry);
// TODO: Integrate with FuncProofOciPublisher
Console.WriteLine($"OCI push: to {registry} (integration pending)");
}
return FuncProofExitCodes.Success;
}
catch (Exception ex)
{
logger.LogError(ex, "FuncProof generation failed");
Console.Error.WriteLine($"Error: {ex.Message}");
return FuncProofExitCodes.GenerationFailed;
}
}
/// <summary>
/// Verify a FuncProof document.
/// </summary>
public static async Task<int> HandleVerifyAsync(
IServiceProvider services,
string proofPath,
string? binaryPath,
bool offline,
bool strict,
string format,
bool verbose,
CancellationToken ct)
{
var logger = services.GetRequiredService<ILogger<FuncProofCommandGroup>>();
if (!File.Exists(proofPath))
{
Console.Error.WriteLine($"Error: Proof file not found: {proofPath}");
return FuncProofExitCodes.FileNotFound;
}
logger.LogInformation("Verifying FuncProof: {ProofPath}", proofPath);
try
{
var proofJson = await File.ReadAllTextAsync(proofPath, ct);
var proof = JsonSerializer.Deserialize<FuncProofOutput>(proofJson, JsonOptions);
if (proof is null)
{
Console.Error.WriteLine("Error: Invalid FuncProof JSON");
return FuncProofExitCodes.InvalidProof;
}
var result = new VerificationResult
{
ProofId = proof.ProofId ?? "unknown",
IsValid = true,
Checks = new List<VerificationCheck>()
};
// Schema validation
result.Checks.Add(new VerificationCheck
{
Name = "schema",
Status = !string.IsNullOrEmpty(proof.SchemaVersion) ? "pass" : "fail",
Details = $"Schema version: {proof.SchemaVersion ?? "missing"}"
});
// Proof ID validation
result.Checks.Add(new VerificationCheck
{
Name = "proof_id",
Status = !string.IsNullOrEmpty(proof.ProofId) ? "pass" : "fail",
Details = $"Proof ID: {proof.ProofId ?? "missing"}"
});
// File hash validation (if binary provided)
if (!string.IsNullOrEmpty(binaryPath))
{
if (File.Exists(binaryPath))
{
var binaryBytes = await File.ReadAllBytesAsync(binaryPath, ct);
var computedHash = ComputeSha256(binaryBytes);
var hashMatch = string.Equals(computedHash, proof.FileSha256, StringComparison.OrdinalIgnoreCase);
result.Checks.Add(new VerificationCheck
{
Name = "file_hash",
Status = hashMatch ? "pass" : "fail",
Details = hashMatch
? $"File hash matches: {computedHash[..16]}..."
: $"Hash mismatch: expected {proof.FileSha256?[..16]}..., got {computedHash[..16]}..."
});
if (!hashMatch)
{
result.IsValid = false;
}
}
else
{
result.Checks.Add(new VerificationCheck
{
Name = "file_hash",
Status = "skip",
Details = "Binary file not found for replay verification"
});
}
}
// Signature validation
// TODO: Integrate with FuncProofDsseService
result.Checks.Add(new VerificationCheck
{
Name = "signature",
Status = "skip",
Details = "DSSE signature verification: integration pending"
});
// Transparency log validation
if (!offline)
{
// TODO: Integrate with FuncProofTransparencyService
result.Checks.Add(new VerificationCheck
{
Name = "transparency",
Status = "skip",
Details = "Transparency log verification: integration pending"
});
}
// Output results
if (format == "json")
{
Console.WriteLine(JsonSerializer.Serialize(result, JsonOptions));
}
else
{
WriteVerificationText(result, verbose);
}
// Determine exit code
if (!result.IsValid)
{
return FuncProofExitCodes.VerificationFailed;
}
if (strict && result.Checks.Any(c => c.Status == "skip"))
{
Console.Error.WriteLine("Warning: Some checks were skipped (strict mode)");
return FuncProofExitCodes.StrictChecksFailed;
}
return FuncProofExitCodes.Success;
}
catch (JsonException ex)
{
Console.Error.WriteLine($"Error: Invalid JSON in proof file: {ex.Message}");
return FuncProofExitCodes.InvalidProof;
}
catch (Exception ex)
{
logger.LogError(ex, "FuncProof verification failed");
Console.Error.WriteLine($"Error: {ex.Message}");
return FuncProofExitCodes.VerificationFailed;
}
}
/// <summary>
/// Display FuncProof information.
/// </summary>
public static async Task<int> HandleInfoAsync(
IServiceProvider services,
string proof,
string format,
bool verbose,
CancellationToken ct)
{
var logger = services.GetRequiredService<ILogger<FuncProofCommandGroup>>();
try
{
FuncProofOutput? proofData = null;
// Try to load from file
if (File.Exists(proof))
{
var json = await File.ReadAllTextAsync(proof, ct);
proofData = JsonSerializer.Deserialize<FuncProofOutput>(json, JsonOptions);
}
// TODO: Add support for loading by ID from database or OCI registry
if (proofData is null)
{
Console.Error.WriteLine($"Error: Could not load FuncProof: {proof}");
return FuncProofExitCodes.FileNotFound;
}
if (format == "json")
{
Console.WriteLine(JsonSerializer.Serialize(proofData, JsonOptions));
}
else
{
WriteInfo(proofData, verbose);
}
return FuncProofExitCodes.Success;
}
catch (Exception ex)
{
logger.LogError(ex, "Failed to load FuncProof info");
Console.Error.WriteLine($"Error: {ex.Message}");
return FuncProofExitCodes.GenerationFailed;
}
}
/// <summary>
/// Export FuncProof and related artifacts.
/// </summary>
public static async Task<int> HandleExportAsync(
IServiceProvider services,
string proof,
string output,
string format,
string[] include,
bool verbose,
CancellationToken ct)
{
var logger = services.GetRequiredService<ILogger<FuncProofCommandGroup>>();
try
{
FuncProofOutput? proofData = null;
// Try to load from file
if (File.Exists(proof))
{
var json = await File.ReadAllTextAsync(proof, ct);
proofData = JsonSerializer.Deserialize<FuncProofOutput>(json, JsonOptions);
}
if (proofData is null)
{
Console.Error.WriteLine($"Error: Could not load FuncProof: {proof}");
return FuncProofExitCodes.FileNotFound;
}
// Create output directory
Directory.CreateDirectory(output);
// Write main proof file
var proofPath = Path.Combine(output, $"{proofData.ProofId ?? "funcproof"}.json");
await File.WriteAllTextAsync(proofPath, JsonSerializer.Serialize(proofData, JsonOptions), ct);
Console.WriteLine($"Exported: {proofPath}");
// Handle additional includes
foreach (var inc in include)
{
switch (inc.ToLowerInvariant())
{
case "dsse":
// TODO: Export DSSE envelope
Console.WriteLine("DSSE envelope export: integration pending");
break;
case "tlog-receipt":
// TODO: Export transparency log receipt
Console.WriteLine("Transparency log receipt export: integration pending");
break;
case "raw-proof":
// Raw proof is the main export
break;
default:
Console.Error.WriteLine($"Warning: Unknown include option: {inc}");
break;
}
}
// Write manifest
var manifest = new ExportManifest
{
ExportedAt = DateTimeOffset.UtcNow.ToString("O"),
Format = format,
ProofId = proofData.ProofId,
Files = new List<string> { Path.GetFileName(proofPath) }
};
var manifestPath = Path.Combine(output, "manifest.json");
await File.WriteAllTextAsync(manifestPath, JsonSerializer.Serialize(manifest, JsonOptions), ct);
Console.WriteLine($"Export complete: {output}");
return FuncProofExitCodes.Success;
}
catch (Exception ex)
{
logger.LogError(ex, "FuncProof export failed");
Console.Error.WriteLine($"Error: {ex.Message}");
return FuncProofExitCodes.GenerationFailed;
}
}
private static string ComputeSha256(byte[] data)
{
var hash = System.Security.Cryptography.SHA256.HashData(data);
return Convert.ToHexString(hash).ToLowerInvariant();
}
private static string? ExtractBuildId(byte[] binary)
{
// Simple ELF build-id extraction (looks for .note.gnu.build-id section)
// Full implementation in BinaryIdentity.cs
if (binary.Length < 16)
return null;
// Check ELF magic
if (binary[0] == 0x7f && binary[1] == 'E' && binary[2] == 'L' && binary[3] == 'F')
{
// ELF file - would need full section parsing for build-id
return null; // Placeholder
}
return null;
}
private static void WriteSummary(FuncProofOutput proof)
{
Console.WriteLine("FuncProof Summary");
Console.WriteLine(new string('=', 50));
Console.WriteLine($" Proof ID: {proof.ProofId ?? "N/A"}");
Console.WriteLine($" Build ID: {proof.BuildId ?? "N/A"}");
Console.WriteLine($" File SHA-256: {proof.FileSha256?[..16]}...");
Console.WriteLine($" File Size: {proof.FileSize:N0} bytes");
Console.WriteLine($" Functions: {proof.FunctionCount:N0}");
Console.WriteLine($" Created: {proof.Metadata?.CreatedAt ?? "N/A"}");
Console.WriteLine($" Tool: {proof.Metadata?.Tool ?? "N/A"} {proof.Metadata?.ToolVersion ?? ""}");
}
private static void WriteInfo(FuncProofOutput proof, bool verbose)
{
Console.WriteLine("FuncProof Information");
Console.WriteLine(new string('=', 50));
Console.WriteLine($" Proof ID: {proof.ProofId ?? "N/A"}");
Console.WriteLine($" Schema Version: {proof.SchemaVersion ?? "N/A"}");
Console.WriteLine($" Build ID: {proof.BuildId ?? "N/A"}");
Console.WriteLine($" File SHA-256: {proof.FileSha256 ?? "N/A"}");
Console.WriteLine($" File Size: {proof.FileSize:N0} bytes");
Console.WriteLine($" Functions: {proof.FunctionCount:N0}");
if (verbose && proof.Metadata is not null)
{
Console.WriteLine();
Console.WriteLine("Metadata:");
Console.WriteLine($" Created: {proof.Metadata.CreatedAt ?? "N/A"}");
Console.WriteLine($" Tool: {proof.Metadata.Tool ?? "N/A"}");
Console.WriteLine($" Tool Version: {proof.Metadata.ToolVersion ?? "N/A"}");
Console.WriteLine($" Detection: {proof.Metadata.DetectionMethod ?? "N/A"}");
}
}
private static void WriteVerificationText(VerificationResult result, bool verbose)
{
var statusSymbol = result.IsValid ? "✓" : "✗";
Console.WriteLine($"FuncProof Verification: {statusSymbol} {(result.IsValid ? "PASSED" : "FAILED")}");
Console.WriteLine(new string('=', 50));
Console.WriteLine($" Proof ID: {result.ProofId}");
Console.WriteLine();
foreach (var check in result.Checks)
{
var checkSymbol = check.Status switch
{
"pass" => "✓",
"fail" => "✗",
"skip" => "○",
_ => "?"
};
Console.WriteLine($" {checkSymbol} {check.Name}: {check.Status}");
if (verbose && !string.IsNullOrEmpty(check.Details))
{
Console.WriteLine($" {check.Details}");
}
}
}
#region DTOs
private sealed class FuncProofOutput
{
public string? SchemaVersion { get; set; }
public string? ProofId { get; set; }
public string? BuildId { get; set; }
public string? FileSha256 { get; set; }
public long FileSize { get; set; }
public int FunctionCount { get; set; }
public FuncProofMetadataOutput? Metadata { get; set; }
}
private sealed class FuncProofMetadataOutput
{
public string? CreatedAt { get; set; }
public string? Tool { get; set; }
public string? ToolVersion { get; set; }
public string? DetectionMethod { get; set; }
}
private sealed class VerificationResult
{
public string ProofId { get; set; } = string.Empty;
public bool IsValid { get; set; }
public List<VerificationCheck> Checks { get; set; } = new();
}
private sealed class VerificationCheck
{
public string Name { get; set; } = string.Empty;
public string Status { get; set; } = string.Empty;
public string? Details { get; set; }
}
private sealed class ExportManifest
{
public string? ExportedAt { get; set; }
public string? Format { get; set; }
public string? ProofId { get; set; }
public List<string>? Files { get; set; }
}
#endregion
}
/// <summary>
/// Exit codes for FuncProof CLI commands.
/// </summary>
internal static class FuncProofExitCodes
{
public const int Success = 0;
public const int FileNotFound = 1;
public const int InvalidArguments = 2;
public const int GenerationFailed = 3;
public const int InvalidProof = 4;
public const int VerificationFailed = 5;
public const int StrictChecksFailed = 6;
}

232
src/Cli/StellaOps.Cli/Commands/SignCommandGroup.cs Normal file
View File

@@ -0,0 +1,232 @@
// SPDX-License-Identifier: AGPL-3.0-or-later
// Sprint: SPRINT_20251226_007_BE_determinism_gaps
// Task: DET-GAP-08 - CLI command `stella sign --keyless --rekor` for CI pipelines
using System.CommandLine;
using Microsoft.Extensions.DependencyInjection;
namespace StellaOps.Cli.Commands;
/// <summary>
/// CLI commands for Sigstore keyless signing operations.
/// Supports self-hosted Sigstore (Fulcio + Rekor) for on-premise deployments.
/// </summary>
internal static class SignCommandGroup
{
/// <summary>
/// Build the sign command with keyless/traditional subcommands.
/// </summary>
public static Command BuildSignCommand(
IServiceProvider serviceProvider,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var command = new Command("sign", "Sign artifacts (keyless via Sigstore or traditional key-based)");
command.Add(BuildKeylessCommand(serviceProvider, verboseOption, cancellationToken));
command.Add(BuildVerifyKeylessCommand(serviceProvider, verboseOption, cancellationToken));
return command;
}
private static Command BuildKeylessCommand(
IServiceProvider serviceProvider,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var command = new Command("keyless", "Sign artifact using Sigstore keyless signing (Fulcio + Rekor)");
var inputOption = new Option<string>("--input")
{
Description = "Path to file or artifact to sign",
Required = true
};
command.Add(inputOption);
var outputOption = new Option<string?>("--output")
{
Description = "Output path for signature bundle (defaults to <input>.sigstore)"
};
command.Add(outputOption);
var identityTokenOption = new Option<string?>("--identity-token")
{
Description = "OIDC identity token (JWT). If not provided, attempts ambient credential detection."
};
command.Add(identityTokenOption);
var rekorOption = new Option<bool>("--rekor")
{
Description = "Upload signature to Rekor transparency log (default: true)",
DefaultValue = true
};
command.Add(rekorOption);
var fulcioUrlOption = new Option<string?>("--fulcio-url")
{
Description = "Override Fulcio URL (for self-hosted Sigstore)"
};
command.Add(fulcioUrlOption);
var rekorUrlOption = new Option<string?>("--rekor-url")
{
Description = "Override Rekor URL (for self-hosted Sigstore)"
};
command.Add(rekorUrlOption);
var oidcIssuerOption = new Option<string?>("--oidc-issuer")
{
Description = "OIDC issuer URL for identity verification"
};
command.Add(oidcIssuerOption);
var bundleFormatOption = new Option<string>("--bundle-format")
{
Description = "Output bundle format: sigstore, cosign-bundle, dsse (default: sigstore)",
DefaultValue = "sigstore"
};
command.Add(bundleFormatOption);
var caBundleOption = new Option<string?>("--ca-bundle")
{
Description = "Path to custom CA certificate bundle for self-hosted TLS"
};
command.Add(caBundleOption);
var insecureOption = new Option<bool>("--insecure-skip-verify")
{
Description = "Skip TLS verification (NOT for production)",
DefaultValue = false
};
command.Add(insecureOption);
command.Add(verboseOption);
command.SetAction(async (parseResult, ct) =>
{
var input = parseResult.GetValue(inputOption) ?? string.Empty;
var output = parseResult.GetValue(outputOption);
var identityToken = parseResult.GetValue(identityTokenOption);
var useRekor = parseResult.GetValue(rekorOption);
var fulcioUrl = parseResult.GetValue(fulcioUrlOption);
var rekorUrl = parseResult.GetValue(rekorUrlOption);
var oidcIssuer = parseResult.GetValue(oidcIssuerOption);
var bundleFormat = parseResult.GetValue(bundleFormatOption) ?? "sigstore";
var caBundle = parseResult.GetValue(caBundleOption);
var insecure = parseResult.GetValue(insecureOption);
var verbose = parseResult.GetValue(verboseOption);
return await CommandHandlers.HandleSignKeylessAsync(
serviceProvider,
input,
output,
identityToken,
useRekor,
fulcioUrl,
rekorUrl,
oidcIssuer,
bundleFormat,
caBundle,
insecure,
verbose,
ct);
});
return command;
}
private static Command BuildVerifyKeylessCommand(
IServiceProvider serviceProvider,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var command = new Command("verify-keyless", "Verify a keyless signature against Sigstore");
var inputOption = new Option<string>("--input")
{
Description = "Path to file or artifact to verify",
Required = true
};
command.Add(inputOption);
var bundleOption = new Option<string?>("--bundle")
{
Description = "Path to Sigstore bundle file (defaults to <input>.sigstore)"
};
command.Add(bundleOption);
var certificateOption = new Option<string?>("--certificate")
{
Description = "Path to signing certificate (PEM format)"
};
command.Add(certificateOption);
var signatureOption = new Option<string?>("--signature")
{
Description = "Path to detached signature"
};
command.Add(signatureOption);
var rekorUuidOption = new Option<string?>("--rekor-uuid")
{
Description = "Rekor entry UUID for transparency verification"
};
command.Add(rekorUuidOption);
var rekorUrlOption = new Option<string?>("--rekor-url")
{
Description = "Override Rekor URL (for self-hosted Sigstore)"
};
command.Add(rekorUrlOption);
var issuerOption = new Option<string?>("--certificate-issuer")
{
Description = "Expected OIDC issuer in certificate"
};
command.Add(issuerOption);
var subjectOption = new Option<string?>("--certificate-subject")
{
Description = "Expected subject (email/identity) in certificate"
};
command.Add(subjectOption);
var caBundleOption = new Option<string?>("--ca-bundle")
{
Description = "Path to custom CA certificate bundle for self-hosted TLS"
};
command.Add(caBundleOption);
command.Add(verboseOption);
command.SetAction(async (parseResult, ct) =>
{
var input = parseResult.GetValue(inputOption) ?? string.Empty;
var bundle = parseResult.GetValue(bundleOption);
var certificate = parseResult.GetValue(certificateOption);
var signature = parseResult.GetValue(signatureOption);
var rekorUuid = parseResult.GetValue(rekorUuidOption);
var rekorUrl = parseResult.GetValue(rekorUrlOption);
var issuer = parseResult.GetValue(issuerOption);
var subject = parseResult.GetValue(subjectOption);
var caBundle = parseResult.GetValue(caBundleOption);
var verbose = parseResult.GetValue(verboseOption);
return await CommandHandlers.HandleVerifyKeylessAsync(
serviceProvider,
input,
bundle,
certificate,
signature,
rekorUuid,
rekorUrl,
issuer,
subject,
caBundle,
verbose,
ct);
});
return command;
}
}

32
src/Cli/__Libraries/StellaOps.Cli.Plugins.Vex/StellaOps.Cli.Plugins.Vex.csproj Normal file
View File

@@ -0,0 +1,32 @@
<Project Sdk="Microsoft.NET.Sdk">
<!--
StellaOps.Cli.Plugins.Vex.csproj
Sprint: SPRINT_20251226_011_BE_auto_vex_downgrade
Task: AUTOVEX-15 - CLI command: stella vex auto-downgrade
Description: CLI plugin for VEX management and auto-downgrade commands
-->
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<LangVersion>preview</LangVersion>
<TreatWarningsAsErrors>false</TreatWarningsAsErrors>
<PluginOutputDirectory>$([System.IO.Path]::GetFullPath('$(MSBuildThisFileDirectory)..\..\plugins\cli\StellaOps.Cli.Plugins.Vex\'))</PluginOutputDirectory>
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="..\..\StellaOps.Cli\StellaOps.Cli.csproj" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Spectre.Console" Version="0.48.0" />
</ItemGroup>
<Target Name="CopyPluginBinaries" AfterTargets="Build">
<MakeDir Directories="$(PluginOutputDirectory)" />
<Copy SourceFiles="$(TargetDir)$(TargetFileName)" DestinationFolder="$(PluginOutputDirectory)" />
<Copy SourceFiles="$(TargetDir)$(TargetName).pdb"
DestinationFolder="$(PluginOutputDirectory)"
Condition="Exists('$(TargetDir)$(TargetName).pdb')" />
</Target>
</Project>

844
src/Cli/__Libraries/StellaOps.Cli.Plugins.Vex/VexCliCommandModule.cs Normal file
View File

@@ -0,0 +1,844 @@
// -----------------------------------------------------------------------------
// VexCliCommandModule.cs
// Sprint: SPRINT_20251226_011_BE_auto_vex_downgrade
// Task: AUTOVEX-15 — CLI command: stella vex auto-downgrade --check <image>
// Description: CLI plugin module for VEX management commands including auto-downgrade.
// -----------------------------------------------------------------------------
using System.CommandLine;
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Spectre.Console;
using StellaOps.Cli.Configuration;
using StellaOps.Cli.Plugins;
namespace StellaOps.Cli.Plugins.Vex;
/// <summary>
/// CLI plugin module for VEX management commands.
/// Provides 'stella vex auto-downgrade', 'stella vex check', 'stella vex list' commands.
/// </summary>
public sealed class VexCliCommandModule : ICliCommandModule
{
public string Name => "stellaops.cli.plugins.vex";
public bool IsAvailable(IServiceProvider services) => true;
public void RegisterCommands(
RootCommand root,
IServiceProvider services,
StellaOpsCliOptions options,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(root);
ArgumentNullException.ThrowIfNull(services);
ArgumentNullException.ThrowIfNull(verboseOption);
root.Add(BuildVexCommand(services, verboseOption, options, cancellationToken));
}
private static Command BuildVexCommand(
IServiceProvider services,
Option<bool> verboseOption,
StellaOpsCliOptions options,
CancellationToken cancellationToken)
{
var vex = new Command("vex", "VEX management and auto-downgrade commands.");
// Add subcommands
vex.Add(BuildAutoDowngradeCommand(services, verboseOption, options, cancellationToken));
vex.Add(BuildCheckCommand(services, verboseOption, cancellationToken));
vex.Add(BuildListCommand(services, verboseOption, cancellationToken));
vex.Add(BuildNotReachableCommand(services, verboseOption, options, cancellationToken));
return vex;
}
private static Command BuildAutoDowngradeCommand(
IServiceProvider services,
Option<bool> verboseOption,
StellaOpsCliOptions options,
CancellationToken cancellationToken)
{
var cmd = new Command("auto-downgrade", "Auto-downgrade VEX based on runtime observations.");
var imageOption = new Option<string>("--image")
{
Description = "Container image digest or reference to check",
IsRequired = false
};
var checkOption = new Option<string>("--check")
{
Description = "Image to check for hot vulnerable symbols",
IsRequired = false
};
var dryRunOption = new Option<bool>("--dry-run")
{
Description = "Dry run mode - show what would be downgraded without making changes"
};
var minObservationsOption = new Option<int>("--min-observations")
{
Description = "Minimum observation count threshold",
};
minObservationsOption.SetDefaultValue(10);
var minCpuOption = new Option<double>("--min-cpu")
{
Description = "Minimum CPU percentage threshold",
};
minCpuOption.SetDefaultValue(1.0);
var minConfidenceOption = new Option<double>("--min-confidence")
{
Description = "Minimum confidence threshold (0.0-1.0)",
};
minConfidenceOption.SetDefaultValue(0.7);
var outputOption = new Option<string?>("--output")
{
Description = "Output file path for results (default: stdout)"
};
var formatOption = new Option<OutputFormat>("--format")
{
Description = "Output format"
};
formatOption.SetDefaultValue(OutputFormat.Table);
cmd.AddOption(imageOption);
cmd.AddOption(checkOption);
cmd.AddOption(dryRunOption);
cmd.AddOption(minObservationsOption);
cmd.AddOption(minCpuOption);
cmd.AddOption(minConfidenceOption);
cmd.AddOption(outputOption);
cmd.AddOption(formatOption);
cmd.AddOption(verboseOption);
cmd.SetHandler(async (context) =>
{
var image = context.ParseResult.GetValueForOption(imageOption);
var check = context.ParseResult.GetValueForOption(checkOption);
var dryRun = context.ParseResult.GetValueForOption(dryRunOption);
var minObs = context.ParseResult.GetValueForOption(minObservationsOption);
var minCpu = context.ParseResult.GetValueForOption(minCpuOption);
var minConf = context.ParseResult.GetValueForOption(minConfidenceOption);
var output = context.ParseResult.GetValueForOption(outputOption);
var format = context.ParseResult.GetValueForOption(formatOption);
var verbose = context.ParseResult.GetValueForOption(verboseOption);
// Use --check if --image not provided
var targetImage = image ?? check;
if (string.IsNullOrWhiteSpace(targetImage))
{
AnsiConsole.MarkupLine("[red]Error:[/] Either --image or --check must be specified.");
context.ExitCode = 1;
return;
}
var logger = services.GetService<ILogger<VexCliCommandModule>>();
logger?.LogInformation("Running auto-downgrade check for image {Image}", targetImage);
await RunAutoDowngradeAsync(
services,
targetImage,
dryRun,
minObs,
minCpu,
minConf,
output,
format,
verbose,
options,
cancellationToken);
context.ExitCode = 0;
});
return cmd;
}
private static async Task RunAutoDowngradeAsync(
IServiceProvider services,
string image,
bool dryRun,
int minObservations,
double minCpu,
double minConfidence,
string? outputPath,
OutputFormat format,
bool verbose,
StellaOpsCliOptions options,
CancellationToken cancellationToken)
{
var logger = services.GetService<ILogger<VexCliCommandModule>>();
await AnsiConsole.Status()
.StartAsync("Checking for hot vulnerable symbols...", async ctx =>
{
ctx.Spinner(Spinner.Known.Dots);
// Create client and check for downgrades
var client = CreateAutoVexClient(services, options);
if (verbose)
{
AnsiConsole.MarkupLine($"[grey]Image: {image}[/]");
AnsiConsole.MarkupLine($"[grey]Min observations: {minObservations}[/]");
AnsiConsole.MarkupLine($"[grey]Min CPU%: {minCpu}[/]");
AnsiConsole.MarkupLine($"[grey]Min confidence: {minConfidence}[/]");
}
var result = await client.CheckAutoDowngradeAsync(
image,
minObservations,
minCpu,
minConfidence,
cancellationToken);
ctx.Status("Processing results...");
if (!result.Success)
{
AnsiConsole.MarkupLine($"[red]Error:[/] {result.Error}");
return;
}
// Display results
if (format == OutputFormat.Json)
{
var json = JsonSerializer.Serialize(result, new JsonSerializerOptions
{
WriteIndented = true
});
if (!string.IsNullOrWhiteSpace(outputPath))
{
await File.WriteAllTextAsync(outputPath, json, cancellationToken);
AnsiConsole.MarkupLine($"[green]Results written to:[/] {outputPath}");
}
else
{
AnsiConsole.WriteLine(json);
}
}
else
{
RenderTableResults(result, dryRun);
}
// Execute downgrades if not dry run
if (!dryRun && result.Candidates?.Count > 0)
{
ctx.Status("Generating VEX downgrades...");
var downgradeResult = await client.ExecuteAutoDowngradeAsync(
result.Candidates,
cancellationToken);
if (downgradeResult.Success)
{
AnsiConsole.MarkupLine(
$"[green]✓[/] Generated {downgradeResult.DowngradeCount} VEX downgrade(s)");
if (downgradeResult.Notifications > 0)
{
AnsiConsole.MarkupLine(
$"[blue]📨[/] Sent {downgradeResult.Notifications} notification(s)");
}
}
else
{
AnsiConsole.MarkupLine($"[red]Error during downgrade:[/] {downgradeResult.Error}");
}
}
else if (dryRun && result.Candidates?.Count > 0)
{
AnsiConsole.MarkupLine($"[yellow]Dry run:[/] {result.Candidates.Count} candidate(s) would be downgraded");
}
});
}
private static void RenderTableResults(AutoDowngradeCheckResult result, bool dryRun)
{
if (result.Candidates == null || result.Candidates.Count == 0)
{
AnsiConsole.MarkupLine("[green]✓[/] No hot vulnerable symbols detected");
return;
}
var table = new Table();
table.Border = TableBorder.Rounded;
table.Title = new TableTitle(
dryRun ? "[yellow]Auto-Downgrade Candidates (Dry Run)[/]" : "[red]Hot Vulnerable Symbols[/]");
table.AddColumn("CVE");
table.AddColumn("Symbol");
table.AddColumn("CPU%");
table.AddColumn("Observations");
table.AddColumn("Confidence");
table.AddColumn("Status");
foreach (var candidate in result.Candidates)
{
var cpuColor = candidate.CpuPercentage >= 10.0 ? "red" :
candidate.CpuPercentage >= 5.0 ? "yellow" : "white";
var confidenceColor = candidate.Confidence >= 0.9 ? "green" :
candidate.Confidence >= 0.7 ? "yellow" : "red";
table.AddRow(
$"[bold]{candidate.CveId}[/]",
candidate.Symbol.Length > 40
? candidate.Symbol[..37] + "..."
: candidate.Symbol,
$"[{cpuColor}]{candidate.CpuPercentage:F1}%[/]",
candidate.ObservationCount.ToString(),
$"[{confidenceColor}]{candidate.Confidence:F2}[/]",
dryRun ? "[yellow]pending[/]" : "[red]downgrade[/]"
);
}
AnsiConsole.Write(table);
// Summary
var panel = new Panel(
$"Total candidates: {result.Candidates.Count}\n" +
$"Highest CPU: {result.Candidates.Max(c => c.CpuPercentage):F1}%\n" +
$"Image: {result.ImageDigest}")
.Header("[bold]Summary[/]")
.Border(BoxBorder.Rounded);
AnsiConsole.Write(panel);
}
private static Command BuildCheckCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var cmd = new Command("check", "Check VEX status for an image or CVE.");
var imageOption = new Option<string?>("--image")
{
Description = "Container image to check"
};
var cveOption = new Option<string?>("--cve")
{
Description = "CVE identifier to check"
};
cmd.AddOption(imageOption);
cmd.AddOption(cveOption);
cmd.AddOption(verboseOption);
cmd.SetHandler(async (context) =>
{
var image = context.ParseResult.GetValueForOption(imageOption);
var cve = context.ParseResult.GetValueForOption(cveOption);
var verbose = context.ParseResult.GetValueForOption(verboseOption);
if (string.IsNullOrWhiteSpace(image) && string.IsNullOrWhiteSpace(cve))
{
AnsiConsole.MarkupLine("[red]Error:[/] Either --image or --cve must be specified.");
context.ExitCode = 1;
return;
}
AnsiConsole.MarkupLine("[grey]VEX check not yet implemented[/]");
context.ExitCode = 0;
});
return cmd;
}
private static Command BuildListCommand(
IServiceProvider services,
Option<bool> verboseOption,
CancellationToken cancellationToken)
{
var cmd = new Command("list", "List VEX statements.");
var productOption = new Option<string?>("--product")
{
Description = "Filter by product identifier"
};
var statusOption = new Option<string?>("--status")
{
Description = "Filter by VEX status (affected, not_affected, fixed, under_investigation)"
};
var limitOption = new Option<int>("--limit")
{
Description = "Maximum number of results"
};
limitOption.SetDefaultValue(100);
cmd.AddOption(productOption);
cmd.AddOption(statusOption);
cmd.AddOption(limitOption);
cmd.AddOption(verboseOption);
cmd.SetHandler(async (context) =>
{
var product = context.ParseResult.GetValueForOption(productOption);
var status = context.ParseResult.GetValueForOption(statusOption);
var limit = context.ParseResult.GetValueForOption(limitOption);
AnsiConsole.MarkupLine("[grey]VEX list not yet implemented[/]");
context.ExitCode = 0;
});
return cmd;
}
private static Command BuildNotReachableCommand(
IServiceProvider services,
Option<bool> verboseOption,
StellaOpsCliOptions options,
CancellationToken cancellationToken)
{
var cmd = new Command("not-reachable", "Generate VEX with not_reachable_at_runtime justification.");
var imageOption = new Option<string>("--image")
{
Description = "Container image to analyze",
IsRequired = true
};
var windowOption = new Option<int>("--window")
{
Description = "Observation window in hours"
};
windowOption.SetDefaultValue(24);
var minConfidenceOption = new Option<double>("--min-confidence")
{
Description = "Minimum confidence threshold"
};
minConfidenceOption.SetDefaultValue(0.6);
var outputOption = new Option<string?>("--output")
{
Description = "Output file path for generated VEX statements"
};
var dryRunOption = new Option<bool>("--dry-run")
{
Description = "Dry run - analyze but don't generate VEX"
};
cmd.AddOption(imageOption);
cmd.AddOption(windowOption);
cmd.AddOption(minConfidenceOption);
cmd.AddOption(outputOption);
cmd.AddOption(dryRunOption);
cmd.AddOption(verboseOption);
cmd.SetHandler(async (context) =>
{
var image = context.ParseResult.GetValueForOption(imageOption);
var window = context.ParseResult.GetValueForOption(windowOption);
var minConf = context.ParseResult.GetValueForOption(minConfidenceOption);
var output = context.ParseResult.GetValueForOption(outputOption);
var dryRun = context.ParseResult.GetValueForOption(dryRunOption);
var verbose = context.ParseResult.GetValueForOption(verboseOption);
if (string.IsNullOrWhiteSpace(image))
{
AnsiConsole.MarkupLine("[red]Error:[/] --image is required.");
context.ExitCode = 1;
return;
}
await RunNotReachableAnalysisAsync(
services,
image,
TimeSpan.FromHours(window),
minConf,
output,
dryRun,
verbose,
options,
cancellationToken);
context.ExitCode = 0;
});
return cmd;
}
private static async Task RunNotReachableAnalysisAsync(
IServiceProvider services,
string image,
TimeSpan window,
double minConfidence,
string? outputPath,
bool dryRun,
bool verbose,
StellaOpsCliOptions options,
CancellationToken cancellationToken)
{
await AnsiConsole.Status()
.StartAsync("Analyzing unreached vulnerable symbols...", async ctx =>
{
ctx.Spinner(Spinner.Known.Dots);
var client = CreateAutoVexClient(services, options);
var result = await client.AnalyzeNotReachableAsync(
image,
window,
minConfidence,
cancellationToken);
if (!result.Success)
{
AnsiConsole.MarkupLine($"[red]Error:[/] {result.Error}");
return;
}
if (result.Analyses == null || result.Analyses.Count == 0)
{
AnsiConsole.MarkupLine("[green]✓[/] No unreached vulnerable symbols found requiring VEX");
return;
}
// Display results
var table = new Table();
table.Border = TableBorder.Rounded;
table.Title = new TableTitle("[green]Symbols Not Reachable at Runtime[/]");
table.AddColumn("CVE");
table.AddColumn("Symbol");
table.AddColumn("Component");
table.AddColumn("Confidence");
table.AddColumn("Reason");
foreach (var analysis in result.Analyses)
{
var reason = analysis.PrimaryReason ?? "Unknown";
table.AddRow(
$"[bold]{analysis.CveId}[/]",
analysis.Symbol.Length > 30 ? analysis.Symbol[..27] + "..." : analysis.Symbol,
analysis.ComponentPath.Length > 25 ? "..." + analysis.ComponentPath[^22..] : analysis.ComponentPath,
$"[green]{analysis.Confidence:F2}[/]",
reason
);
}
AnsiConsole.Write(table);
if (!dryRun)
{
ctx.Status("Generating VEX statements...");
var vexResult = await client.GenerateNotReachableVexAsync(
result.Analyses,
cancellationToken);
if (vexResult.Success)
{
AnsiConsole.MarkupLine(
$"[green]✓[/] Generated {vexResult.StatementCount} VEX statement(s)");
if (!string.IsNullOrWhiteSpace(outputPath))
{
var json = JsonSerializer.Serialize(vexResult.Statements, new JsonSerializerOptions
{
WriteIndented = true
});
await File.WriteAllTextAsync(outputPath, json, cancellationToken);
AnsiConsole.MarkupLine($"[green]Written to:[/] {outputPath}");
}
}
else
{
AnsiConsole.MarkupLine($"[red]Error:[/] {vexResult.Error}");
}
}
else
{
AnsiConsole.MarkupLine($"[yellow]Dry run:[/] Would generate {result.Analyses.Count} VEX statement(s)");
}
});
}
private static IAutoVexClient CreateAutoVexClient(IServiceProvider services, StellaOpsCliOptions options)
{
// Try to get from DI first
var client = services.GetService<IAutoVexClient>();
if (client != null)
{
return client;
}
// Create HTTP client for API calls
var httpClient = services.GetService<IHttpClientFactory>()?.CreateClient("autovex")
?? new HttpClient();
var baseUrl = options.ExcititorApiBaseUrl
?? Environment.GetEnvironmentVariable("STELLAOPS_EXCITITOR_URL")
?? "http://localhost:5080";
return new AutoVexHttpClient(httpClient, baseUrl);
}
}
/// <summary>
/// Output format for CLI commands.
/// </summary>
public enum OutputFormat
{
Table,
Json,
Csv
}
/// <summary>
/// Client interface for auto-VEX operations.
/// </summary>
public interface IAutoVexClient
{
Task<AutoDowngradeCheckResult> CheckAutoDowngradeAsync(
string image,
int minObservations,
double minCpu,
double minConfidence,
CancellationToken cancellationToken = default);
Task<AutoDowngradeExecuteResult> ExecuteAutoDowngradeAsync(
IReadOnlyList<AutoDowngradeCandidate> candidates,
CancellationToken cancellationToken = default);
Task<NotReachableAnalysisResult> AnalyzeNotReachableAsync(
string image,
TimeSpan window,
double minConfidence,
CancellationToken cancellationToken = default);
Task<NotReachableVexGenerationResult> GenerateNotReachableVexAsync(
IReadOnlyList<NotReachableAnalysisEntry> analyses,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Result of checking for auto-downgrade candidates.
/// </summary>
public sealed record AutoDowngradeCheckResult
{
public bool Success { get; init; }
public string? ImageDigest { get; init; }
public IReadOnlyList<AutoDowngradeCandidate>? Candidates { get; init; }
public string? Error { get; init; }
}
/// <summary>
/// A candidate for auto-downgrade.
/// </summary>
public sealed record AutoDowngradeCandidate
{
public required string CveId { get; init; }
public required string ProductId { get; init; }
public required string Symbol { get; init; }
public required string ComponentPath { get; init; }
public required double CpuPercentage { get; init; }
public required int ObservationCount { get; init; }
public required double Confidence { get; init; }
public required string BuildId { get; init; }
}
/// <summary>
/// Result of executing auto-downgrades.
/// </summary>
public sealed record AutoDowngradeExecuteResult
{
public bool Success { get; init; }
public int DowngradeCount { get; init; }
public int Notifications { get; init; }
public string? Error { get; init; }
}
/// <summary>
/// Result of not-reachable analysis.
/// </summary>
public sealed record NotReachableAnalysisResult
{
public bool Success { get; init; }
public IReadOnlyList<NotReachableAnalysisEntry>? Analyses { get; init; }
public string? Error { get; init; }
}
/// <summary>
/// Entry for not-reachable analysis.
/// </summary>
public sealed record NotReachableAnalysisEntry
{
public required string CveId { get; init; }
public required string ProductId { get; init; }
public required string Symbol { get; init; }
public required string ComponentPath { get; init; }
public required double Confidence { get; init; }
public string? PrimaryReason { get; init; }
}
/// <summary>
/// Result of generating not-reachable VEX statements.
/// </summary>
public sealed record NotReachableVexGenerationResult
{
public bool Success { get; init; }
public int StatementCount { get; init; }
public IReadOnlyList<object>? Statements { get; init; }
public string? Error { get; init; }
}
/// <summary>
/// HTTP client implementation for auto-VEX API.
/// </summary>
internal sealed class AutoVexHttpClient : IAutoVexClient
{
private readonly HttpClient _httpClient;
private readonly string _baseUrl;
public AutoVexHttpClient(HttpClient httpClient, string baseUrl)
{
_httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
_baseUrl = baseUrl?.TrimEnd('/') ?? throw new ArgumentNullException(nameof(baseUrl));
}
public async Task<AutoDowngradeCheckResult> CheckAutoDowngradeAsync(
string image,
int minObservations,
double minCpu,
double minConfidence,
CancellationToken cancellationToken = default)
{
try
{
var url = $"{_baseUrl}/api/v1/vex/auto-downgrade/check?" +
$"image={Uri.EscapeDataString(image)}&" +
$"minObservations={minObservations}&" +
$"minCpu={minCpu}&" +
$"minConfidence={minConfidence}";
var response = await _httpClient.GetAsync(url, cancellationToken);
response.EnsureSuccessStatusCode();
var json = await response.Content.ReadAsStringAsync(cancellationToken);
return JsonSerializer.Deserialize<AutoDowngradeCheckResult>(json, new JsonSerializerOptions
{
PropertyNameCaseInsensitive = true
}) ?? new AutoDowngradeCheckResult { Success = false, Error = "Failed to deserialize response" };
}
catch (Exception ex)
{
return new AutoDowngradeCheckResult
{
Success = false,
Error = ex.Message
};
}
}
public async Task<AutoDowngradeExecuteResult> ExecuteAutoDowngradeAsync(
IReadOnlyList<AutoDowngradeCandidate> candidates,
CancellationToken cancellationToken = default)
{
try
{
var url = $"{_baseUrl}/api/v1/vex/auto-downgrade/execute";
var content = new StringContent(
JsonSerializer.Serialize(candidates),
System.Text.Encoding.UTF8,
"application/json");
var response = await _httpClient.PostAsync(url, content, cancellationToken);
response.EnsureSuccessStatusCode();
var json = await response.Content.ReadAsStringAsync(cancellationToken);
return JsonSerializer.Deserialize<AutoDowngradeExecuteResult>(json, new JsonSerializerOptions
{
PropertyNameCaseInsensitive = true
}) ?? new AutoDowngradeExecuteResult { Success = false, Error = "Failed to deserialize response" };
}
catch (Exception ex)
{
return new AutoDowngradeExecuteResult
{
Success = false,
Error = ex.Message
};
}
}
public async Task<NotReachableAnalysisResult> AnalyzeNotReachableAsync(
string image,
TimeSpan window,
double minConfidence,
CancellationToken cancellationToken = default)
{
try
{
var url = $"{_baseUrl}/api/v1/vex/not-reachable/analyze?" +
$"image={Uri.EscapeDataString(image)}&" +
$"windowHours={window.TotalHours}&" +
$"minConfidence={minConfidence}";
var response = await _httpClient.GetAsync(url, cancellationToken);
response.EnsureSuccessStatusCode();
var json = await response.Content.ReadAsStringAsync(cancellationToken);
return JsonSerializer.Deserialize<NotReachableAnalysisResult>(json, new JsonSerializerOptions
{
PropertyNameCaseInsensitive = true
}) ?? new NotReachableAnalysisResult { Success = false, Error = "Failed to deserialize response" };
}
catch (Exception ex)
{
return new NotReachableAnalysisResult
{
Success = false,
Error = ex.Message
};
}
}
public async Task<NotReachableVexGenerationResult> GenerateNotReachableVexAsync(
IReadOnlyList<NotReachableAnalysisEntry> analyses,
CancellationToken cancellationToken = default)
{
try
{
var url = $"{_baseUrl}/api/v1/vex/not-reachable/generate";
var content = new StringContent(
JsonSerializer.Serialize(analyses),
System.Text.Encoding.UTF8,
"application/json");
var response = await _httpClient.PostAsync(url, content, cancellationToken);
response.EnsureSuccessStatusCode();
var json = await response.Content.ReadAsStringAsync(cancellationToken);
return JsonSerializer.Deserialize<NotReachableVexGenerationResult>(json, new JsonSerializerOptions
{
PropertyNameCaseInsensitive = true
}) ?? new NotReachableVexGenerationResult { Success = false, Error = "Failed to deserialize response" };
}
catch (Exception ex)
{
return new NotReachableVexGenerationResult
{
Success = false,
Error = ex.Message
};
}
}
}

Some files were not shown because too many files have changed in this diff Show More