stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance

Browse Source 
## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

-  Zero direct System.Security.Cryptography usage in production code
-  All crypto operations go through ICryptoProvider abstraction
-  39/39 unit tests passing for OfflineVerificationCryptoProvider
-  Build successful (AirGap, Crypto plugin, DI infrastructure)
-  Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
2025-12-23 18:20:00 +02:00
parent b444284be5
commit dac8e10e36
241 changed files with 22567 additions and 307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

393
docs/testing/SPRINT_DEPENDENCY_GRAPH.md Normal file
View File

@@ -0,0 +1,393 @@
# Testing Strategy Sprint Dependency Graph & Critical Path Analysis
> **Purpose:** Visualize sprint dependencies, identify critical path, optimize parallel execution, and coordinate cross-guild work.
---
## Executive Summary
**Total Sprints:** 22 sprints across 4 batches
**Total Tasks:** ~370 tasks
**Estimated Duration:** 26 weeks (6 months) if executed sequentially
**Optimal Duration:** 14 weeks (3.5 months) with full parallelization
**Critical Path:** 14 weeks (Foundation Epics → Module Tests)
**Parallelization Opportunities:** Up to 15 sprints can run concurrently
---
## Sprint Inventory by Batch
### Batch 5100.0007: Foundation Epics (90 tasks, 6 sprints)
| Sprint ID | Name | Tasks | Waves | Dependencies |
|-----------|------|-------|-------|--------------|
| 5100.0007.0001 | Master Testing Strategy | 18 | 4 | None (entry point) |
| 5100.0007.0002 | Epic A: TestKit Foundations | 13 | 4 | 0001 (Wave 1 complete) |
| 5100.0007.0003 | Epic B: Determinism Gate | 12 | 4 | 0002 (TestKit available) |
| 5100.0007.0004 | Epic C: Storage Harness | 12 | 4 | 0002 (TestKit available) |
| 5100.0007.0005 | Epic D: Connector Fixtures | 12 | 4 | 0002 (TestKit available) |
| 5100.0007.0006 | Epic E: WebService Contract | 12 | 4 | 0002 (TestKit + OtelCapture) |
| 5100.0007.0007 | Epic F: Architecture Tests | 17 | 6 | None (can start immediately) |
### Batch 5100.0008: Quality Gates (11 tasks, 1 sprint)
| Sprint ID | Name | Tasks | Waves | Dependencies |
|-----------|------|-------|-------|--------------|
| 5100.0008.0001 | Competitor Parity Testing | 11 | 4 | 0007.0001 (Wave 1), 0007.0002 |
### Batch 5100.0009: Module Test Implementations (185 tasks, 11 sprints)
| Sprint ID | Module | Models | Tasks | Waves | Dependencies |
|-----------|--------|--------|-------|-------|--------------|
| 5100.0009.0001 | Scanner | L0,AN1,S1,T1,W1,WK1,PERF | 25 | 4 | 0002,0003,0004,0006 |
| 5100.0009.0002 | Concelier | C1,L0,S1,W1,AN1 | 18 | 4 | 0002,0003,0004,0005,0006,0007.0007 |
| 5100.0009.0003 | Excititor | C1,L0,S1,W1,WK1 | 21 | 4 | 0002,0003,0004,0005,0006,0007.0007 |
| 5100.0009.0004 | Policy | L0,S1,W1 | 15 | 3 | 0002,0003,0004,0006 |
| 5100.0009.0005 | Authority | L0,W1,C1 | 17 | 3 | 0002,0005,0006 |
| 5100.0009.0006 | Signer | L0,W1,C1 | 17 | 3 | 0002,0003,0005,0006 |
| 5100.0009.0007 | Attestor | L0,W1 | 14 | 3 | 0002,0003,0006,0009.0006 |
| 5100.0009.0008 | Scheduler | L0,S1,W1,WK1 | 14 | 3 | 0002,0004,0006 |
| 5100.0009.0009 | Notify | L0,C1,S1,W1,WK1 | 18 | 3 | 0002,0004,0005,0006 |
| 5100.0009.0010 | CLI | CLI1 | 13 | 3 | 0002,0003 |
| 5100.0009.0011 | UI | W1 | 13 | 3 | 0002,0006 |
### Batch 5100.0010: Infrastructure Tests (62 tasks, 4 sprints)
| Sprint ID | Module Family | Models | Tasks | Waves | Dependencies |
|-----------|---------------|--------|-------|-------|--------------|
| 5100.0010.0001 | EvidenceLocker + Findings + Replay | L0,S1,W1,WK1 | 16 | 3 | 0002,0004,0006 |
| 5100.0010.0002 | Graph + TimelineIndexer | L0,S1,W1,WK1 | 15 | 3 | 0002,0004,0006 |
| 5100.0010.0003 | Router + Messaging | L0,T1,W1,S1 | 14 | 3 | 0002,0004 |
| 5100.0010.0004 | AirGap | L0,AN1,S1,W1,CLI1 | 17 | 3 | 0002,0003,0004,0006 |
---
## Dependency Visualization (ASCII Graph)
```
CRITICAL PATH (14 weeks):
Week 1-2: [5100.0007.0001] Master Strategy (Wave 1-4)
Week 3-4: [5100.0007.0002] TestKit Foundations ← CRITICAL BOTTLENECK
├──────────┬──────────┬──────────┬──────────┐
Week 5-6: [0003] [0004] [0005] [0006] [0007.0007]
Determ. Storage Connect. WebSvc Arch.Tests
│ │ │ │
└─────────┴─────────┴─────────┘
Week 7-10: ┌──────────┼──────────────────────────────────┐
[5100.0009.xxxx] ALL MODULE TESTS (parallel) │
11 sprints run concurrently │
│ │
Week 11-14:└────────────────────────────────────────────┘
[5100.0010.xxxx] ALL INFRASTRUCTURE TESTS
4 sprints run concurrently
PARALLEL EXECUTION ZONES:
Zone 1 (Weeks 5-6): Epic Implementations
- 5100.0007.0003 (Determinism) ─┐
- 5100.0007.0004 (Storage) ├─ Can run in parallel
- 5100.0007.0005 (Connectors) │ (all depend only on TestKit)
- 5100.0007.0006 (WebService) │
- 5100.0007.0007 (Architecture) ─┘
Zone 2 (Weeks 7-10): Module Tests
- Scanner (5100.0009.0001) ─┐
- Concelier (5100.0009.0002) │
- Excititor (5100.0009.0003) │
- Policy (5100.0009.0004) ├─ Can run in parallel
- Authority (5100.0009.0005) │ (Epic dependencies met)
- Signer (5100.0009.0006) │
- Attestor (5100.0009.0007) │
- Scheduler (5100.0009.0008) │
- Notify (5100.0009.0009) │
- CLI (5100.0009.0010) │
- UI (5100.0009.0011) ─┘
Zone 3 (Weeks 11-14): Infrastructure Tests
- EvidenceLocker (5100.0010.0001) ─┐
- Graph (5100.0010.0002) ├─ Can run in parallel
- Router/Messaging (5100.0010.0003)│
- AirGap (5100.0010.0004) ─┘
Zone 4 (Weeks 3-14): Quality Gates (can overlap)
- Competitor Parity (5100.0008.0001) runs after Week 3
```
---
## Critical Path Analysis
### Critical Path Sequence (14 weeks)
1. **Week 1-2:** Master Strategy Sprint (5100.0007.0001)
- Wave 1: Documentation sync
- Wave 2: Quick wins (test runner scripts, trait standardization)
- Wave 3: CI infrastructure
- Wave 4: Epic sprint creation
2. **Week 3-4:** TestKit Foundations (5100.0007.0002) ← **CRITICAL BOTTLENECK**
- ALL downstream sprints depend on TestKit
- Must complete before any module tests can start
- Priority: DeterministicTime, DeterministicRandom, CanonicalJsonAssert, SnapshotAssert, PostgresFixture, OtelCapture
3. **Week 5-6:** Epic Implementation (parallel zone)
- 5 sprints run concurrently
- Unblocks all module tests
4. **Week 7-10:** Module Test Implementation (parallel zone)
- 11 sprints run concurrently
- Longest pole: Scanner (25 tasks, 4 waves)
5. **Week 11-14:** Infrastructure Test Implementation (parallel zone)
- 4 sprints run concurrently
- Can overlap with late-stage module tests
### Critical Bottleneck: TestKit (Sprint 5100.0007.0002)
**Impact:** Blocks 20 downstream sprints (all module + infrastructure tests)
**Mitigation:**
- Staff with 2-3 senior engineers
- Prioritize DeterministicTime and SnapshotAssert (most commonly used)
- Release incrementally (partial TestKit unlocks some modules)
- Run daily check-ins to unblock consuming teams
---
## Dependency Matrix
### Epic → Module Dependencies
| Epic Sprint | Blocks Module Sprints | Reason |
|-------------|----------------------|--------|
| 5100.0007.0002 (TestKit) | ALL 15 module/infra sprints | Core test utilities required |
| 5100.0007.0003 (Determinism) | Scanner, Excititor, Signer, CLI, AirGap | Determinism gate required |
| 5100.0007.0004 (Storage) | Scanner, Concelier, Excititor, Policy, Scheduler, Notify, EvidenceLocker, Graph, Router, AirGap | PostgresFixture required |
| 5100.0007.0005 (Connectors) | Concelier, Excititor, Authority, Signer, Notify | Fixture discipline required |
| 5100.0007.0006 (WebService) | Scanner, Concelier, Excititor, Policy, Authority, Signer, Attestor, Scheduler, Notify, UI, EvidenceLocker, Graph, AirGap | WebServiceFixture required |
| 5100.0007.0007 (Architecture) | Concelier, Excititor | Lattice boundary enforcement |
### Module → Module Dependencies
| Sprint | Depends On Other Modules | Reason |
|--------|--------------------------|--------|
| Attestor (0009.0007) | Signer (0009.0006) | Sign/verify integration tests |
| (None other) | - | Modules are otherwise independent |
---
## Parallelization Strategy
### Maximum Parallel Execution (15 sprints)
**Week 5-6 (5 parallel):**
- Determinism (2 eng)
- Storage (3 eng)
- Connectors (2 eng)
- WebService (2 eng)
- Architecture (1 eng)
**Week 7-10 (11 parallel):**
- Scanner (3 eng) ← longest pole
- Concelier (2 eng)
- Excititor (2 eng)
- Policy (2 eng)
- Authority (2 eng)
- Signer (2 eng)
- Attestor (2 eng)
- Scheduler (2 eng)
- Notify (2 eng)
- CLI (1 eng)
- UI (2 eng)
**Week 11-14 (4 parallel):**
- EvidenceLocker (2 eng)
- Graph (2 eng)
- Router/Messaging (2 eng)
- AirGap (2 eng)
**Resource Requirement (Peak):**
- Week 7-10: 22 engineers (11 sprints × avg 2 eng/sprint)
- Realistic: 10-12 engineers with staggered starts
---
## Risk Hotspots
### High-Impact Delays
| Risk | Impact | Probability | Mitigation |
|------|--------|-------------|------------|
| TestKit delayed (5100.0007.0002) | Blocks ALL downstream sprints; +2-4 weeks delay | MEDIUM | Staff with senior engineers; daily standups; incremental releases |
| Storage harness issues (5100.0007.0004) | Blocks 10 sprints | MEDIUM | Use Testcontainers early; validate Postgres 16 compatibility Week 1 |
| Determinism gate drift (5100.0007.0003) | Scanner/Excititor blocked; compliance issues | LOW | Explicit canonical JSON contract; freeze schema early |
| Attestor-Signer circular dependency (0009.0007 ↔ 0009.0006) | Integration tests blocked | MEDIUM | Mock signing for Attestor initial tests; coordinate guilds |
| Concurrent module tests overwhelm CI | Test suite timeout; flaky tests | HIGH | Stagger module test starts; use CI parallelization; dedicated test runners |
### Critical Path Risks
| Sprint | Risk | Impact if Delayed |
|--------|------|-------------------|
| 5100.0007.0002 (TestKit) | DeterministicTime implementation complex | +2 weeks to critical path |
| 5100.0009.0001 (Scanner) | 25 tasks, 4 waves; reachability tests complex | Delays integration tests; no impact on other modules |
| 5100.0007.0004 (Storage) | Testcontainers Postgres compatibility issues | Blocks 10 sprints; +2-3 weeks |
---
## Recommended Execution Sequence
### Phase 1: Foundation (Weeks 1-4)
**Goal:** Establish test infrastructure and strategy docs
**Sprints:**
1. 5100.0007.0001 (Master Strategy) — Week 1-2
2. 5100.0007.0002 (TestKit) — Week 3-4 ← CRITICAL
**Exit Criteria:**
- TestKit utilities available (DeterministicTime, SnapshotAssert, PostgresFixture, OtelCapture)
- Test runner scripts operational
- Trait standardization complete
### Phase 2: Epic Implementation (Weeks 5-6)
**Goal:** Implement all foundation epics in parallel
**Sprints (parallel):**
1. 5100.0007.0003 (Determinism)
2. 5100.0007.0004 (Storage)
3. 5100.0007.0005 (Connectors)
4. 5100.0007.0006 (WebService)
5. 5100.0007.0007 (Architecture)
**Exit Criteria:**
- PostgresFixture operational (Testcontainers)
- Determinism manifest format defined
- Connector fixture discipline documented
- WebServiceFixture operational
- Architecture tests in CI (PR gate)
### Phase 3: Module Tests — Priority Tier 1 (Weeks 7-8)
**Goal:** Implement tests for critical security/compliance modules
**Sprints (parallel):**
1. 5100.0009.0001 (Scanner) — critical path, longest pole
2. 5100.0009.0002 (Concelier)
3. 5100.0009.0003 (Excititor)
4. 5100.0009.0004 (Policy)
5. 5100.0009.0005 (Authority)
6. 5100.0009.0006 (Signer)
### Phase 4: Module Tests — Priority Tier 2 (Weeks 9-10)
**Goal:** Complete remaining module tests
**Sprints (parallel):**
1. 5100.0009.0007 (Attestor)
2. 5100.0009.0008 (Scheduler)
3. 5100.0009.0009 (Notify)
4. 5100.0009.0010 (CLI)
5. 5100.0009.0011 (UI)
### Phase 5: Infrastructure Tests (Weeks 11-14)
**Goal:** Complete platform infrastructure tests
**Sprints (parallel):**
1. 5100.0010.0001 (EvidenceLocker)
2. 5100.0010.0002 (Graph)
3. 5100.0010.0003 (Router/Messaging)
4. 5100.0010.0004 (AirGap)
### Phase 6: Quality Gates (Overlapping Weeks 3-14)
**Goal:** Establish ongoing parity testing
**Sprint:**
1. 5100.0008.0001 (Competitor Parity) — can start Week 3, run nightly thereafter
---
## Guild Coordination
### Cross-Guild Dependencies
| Guild | Owns Sprints | Depends On Guilds | Coordination Points |
|-------|--------------|-------------------|---------------------|
| Platform Guild | TestKit, Storage, Architecture, EvidenceLocker, Graph, Router | None | Week 3: TestKit readiness review |
| Scanner Guild | Scanner | Platform (TestKit, Storage, Determinism, WebService) | Week 5: Storage harness validation |
| Concelier Guild | Concelier | Platform (TestKit, Storage, Connectors, WebService), Architecture | Week 6: Connector fixture review |
| Excititor Guild | Excititor | Platform (TestKit, Storage, Connectors, WebService), Architecture | Week 6: Preserve-prune test design |
| Policy Guild | Policy, AirGap (analyzers) | Platform (TestKit, Storage, WebService) | Week 7: Unknown budget enforcement review |
| Authority Guild | Authority | Platform (TestKit, Connectors, WebService) | Week 7: OIDC connector fixture validation |
| Crypto Guild | Signer, Attestor | Platform (TestKit, Determinism, Connectors, WebService), Authority | Week 8: Canonical payload design; Week 9: Sign/verify integration |
| Scheduler Guild | Scheduler | Platform (TestKit, Storage, WebService) | Week 9: DeterministicTime validation |
| Notify Guild | Notify | Platform (TestKit, Storage, Connectors, WebService) | Week 9: Connector fixture templates |
| CLI Guild | CLI | Platform (TestKit, Determinism) | Week 10: Exit code conventions |
| UI Guild | UI | Platform (TestKit, WebService) | Week 10: API contract snapshot review |
| AirGap Guild | AirGap | Platform (TestKit, Determinism, Storage, WebService), Policy | Week 11: Bundle determinism validation |
| QA Guild | Competitor Parity | Platform (TestKit) | Week 3: Parity harness design |
### Weekly Sync Schedule
**Week 1-2:**
- All guilds: Master strategy review, sprint assignment
**Week 3-4:**
- Platform Guild: Daily standup (TestKit unblocking)
- All guilds: TestKit API review (design feedback)
**Week 5-6:**
- Epic guilds: Bi-weekly sync (Determinism, Storage, Connectors, WebService, Architecture)
- Scanner/Concelier/Excititor guilds: Prepare for module test sprint kickoff
**Week 7-10:**
- All module guilds: Weekly guild-specific standups
- Cross-guild: Bi-weekly integration sync (Signer ↔ Attestor, Policy ↔ AirGap)
**Week 11-14:**
- Infrastructure guilds: Weekly sync
- All guilds: Bi-weekly retrospective
---
## Metrics & Tracking
### Sprint Completion Metrics
| Metric | Target | Measurement |
|--------|--------|-------------|
| Sprint on-time completion | >80% | Tasks complete by wave deadline |
| Test coverage increase | +30% per module | Code coverage reports |
| Determinism tests passing | 100% | Determinism gate CI job |
| Contract tests in CI | 100% of WebServices | Contract lane CI job |
| Architecture tests enforcing | 100% violations blocked | Architecture test failures = build failures |
### Quality Gates
| Gate | Criteria | Enforced By |
|------|----------|-------------|
| Determinism | SHA-256 hash stable across runs | Sprint 5100.0007.0003 tests |
| Contract Stability | OpenAPI schema unchanged or explicitly versioned | Sprint 5100.0007.0006 tests |
| Architecture Boundaries | Concelier/Excititor do NOT reference Scanner lattice | Sprint 5100.0007.0007 tests |
| Preserve-Prune Source | Excititor preserves VEX source references and rationale | Sprint 5100.0009.0003 tests |
| Unknown Budget Enforcement | Policy engine fails when unknowns > N | Sprint 5100.0009.0004 tests |
---
## Next Steps
1. **Week 1 (2026-01-06):**
- Kick off Sprint 5100.0007.0001 (Master Strategy)
- Assign Platform Guild to TestKit (5100.0007.0002) for Week 3 start
- Review this dependency graph with all guild leads
2. **Week 2 (2026-01-13):**
- Complete Master Strategy Wave 1-2
- Finalize TestKit API design (DeterministicTime, SnapshotAssert, etc.)
3. **Week 3 (2026-01-20):**
- Start TestKit implementation (CRITICAL PATH)
- Daily standup for TestKit unblocking
- Prepare Epic sprint kickoffs for Week 5
4. **Week 4 (2026-01-27):**
- Complete TestKit Wave 1-2 (DeterministicTime, SnapshotAssert)
- Validate TestKit with pilot tests
- Final Epic sprint preparation
5. **Week 5 (2026-02-03):**
- Kick off 5 Epic sprints in parallel
- Weekly Epic sync meeting (Fridays)
---
**Prepared by:** Project Management
**Date:** 2025-12-23
**Next Review:** 2026-01-06 (Week 1 kickoff)