feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance
## Summary
This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.
## Key Changes
### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement
### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
- Supports ES256/384/512, RS256/384/512, PS256/384/512
- SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis
### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution
### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*
## Compliance & Testing
- ✅ Zero direct System.Security.Cryptography usage in production code
- ✅ All crypto operations go through ICryptoProvider abstraction
- ✅ 39/39 unit tests passing for OfflineVerificationCryptoProvider
- ✅ Build successful (AirGap, Crypto plugin, DI infrastructure)
- ✅ Audit script validates crypto boundaries
## Files Modified
**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)
**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)
**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)
**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)
**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)
**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)
## Next Steps
Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
71
docs2/architecture/advisory-alignment.md
Normal file
71
docs2/architecture/advisory-alignment.md
Normal file
@@ -0,0 +1,71 @@
|
||||
# Advisory architecture alignment
|
||||
|
||||
Purpose
|
||||
- Summarize alignment with advisory architecture requirements.
|
||||
- Capture supported formats, evidence types, and known gaps.
|
||||
|
||||
DSSE predicate types
|
||||
- https://in-toto.io/attestation/slsa/v1.0 (Attestor)
|
||||
- stella.ops/sbom@v1 (Scanner)
|
||||
- stella.ops/vex@v1 (Excititor)
|
||||
- stella.ops/callgraph@v1 (Scanner.Reachability)
|
||||
- stella.ops/reachabilityWitness@v1 (Scanner.Reachability)
|
||||
- stella.ops/policy-decision@v1 (Policy.Engine)
|
||||
- stella.ops/score-attestation@v1 (Policy.Scoring)
|
||||
- stella.ops/witness@v1 (Scanner.Reachability)
|
||||
- stella.ops/drift@v1 (Scanner.ReachabilityDrift)
|
||||
- stella.ops/unknown@v1 (Scanner.Unknowns)
|
||||
- stella.ops/triage@v1 (Scanner.Triage)
|
||||
- stella.ops/vuln-surface@v1 (Scanner.VulnSurfaces)
|
||||
- stella.ops/trigger@v1 (Scanner.VulnSurfaces)
|
||||
- stella.ops/explanation@v1 (Scanner.Reachability)
|
||||
- stella.ops/boundary@v1 (Scanner.SmartDiff)
|
||||
- stella.ops/evidence@v1 (Scanner.SmartDiff)
|
||||
- stella.ops/approval@v1 (Policy.Engine)
|
||||
- stella.ops/component@v1 (Scanner.Emit)
|
||||
- stella.ops/richgraph@v1 (Scanner.Reachability)
|
||||
|
||||
VEX and advisory formats
|
||||
- OpenVEX 0.2.0+
|
||||
- CycloneDX VEX 1.4 to 1.6
|
||||
- CSAF 2.0
|
||||
- OSV
|
||||
|
||||
CVSS and scoring
|
||||
- CVSS v4 vector parsing with macrovector and environmental metrics.
|
||||
- Deterministic scoring with canonical JSON, stable ordering, and hashed snapshots.
|
||||
|
||||
EPSS handling
|
||||
- EPSS uses model_date (daily) rather than numbered versions.
|
||||
- Scores and percentiles are stored with model_date and captured at scan time.
|
||||
- Offline bundles include EPSS data and hashes for air-gapped replay.
|
||||
|
||||
Reachability analysis
|
||||
- Hybrid static and runtime reachability evidence.
|
||||
- Call graph extraction for .NET, Java, Node.js, Python, Go (external tooling), and native binaries.
|
||||
|
||||
Call-stack witnesses
|
||||
- Signed witnesses for entrypoint-to-sink paths.
|
||||
- Witnesses are stored as content-addressed artifacts with DSSE signatures.
|
||||
|
||||
Smart-diff rules
|
||||
- New finding detection.
|
||||
- Score increase detection.
|
||||
- VEX status change detection.
|
||||
- Reachability change detection.
|
||||
|
||||
Unknowns handling
|
||||
- Unknown types: missing_vex, ambiguous_indirect_call, unanalyzed_dependency,
|
||||
stale_sbom, missing_reachability, unmatched_cpe, conflict_vex, native_code,
|
||||
generated_code, dynamic_dispatch, external_boundary.
|
||||
- Scoring dimensions: blast radius, evidence scarcity, exploit pressure,
|
||||
containment signals, time decay.
|
||||
|
||||
CycloneDX baseline
|
||||
- Current baseline is CycloneDX 1.6; upgrade to 1.7 when SDK support is available.
|
||||
|
||||
Areas beyond baseline requirements
|
||||
- Offline and air-gap operation with bundled proofs.
|
||||
- Regional crypto readiness (GOST, SM2/SM3, PQ-ready modes).
|
||||
- Multi-tenant isolation and signed transparency integration.
|
||||
- Native binary analysis for PE, ELF, and Mach-O.
|
||||
49
docs2/architecture/component-map.md
Normal file
49
docs2/architecture/component-map.md
Normal file
@@ -0,0 +1,49 @@
|
||||
# Component map
|
||||
|
||||
This map summarizes how top-level modules interact. It is a compact index to
|
||||
module dossiers, not a replacement for them.
|
||||
|
||||
Advisory and evidence services
|
||||
- Concelier: advisory ingestion under the Aggregation-Only Contract (AOC).
|
||||
- Excititor: VEX ingestion and normalization under AOC guardrails.
|
||||
- VEX Lens: conflict analysis and evidence browsing for VEX.
|
||||
- Evidence Locker: long-term storage for signed evidence bundles.
|
||||
- Export Center: packages evidence and offline bundles for distribution.
|
||||
|
||||
Scanning, SBOM, and risk
|
||||
- Scanner: deterministic scan pipeline (web service + worker).
|
||||
- SBOM Service: inventory store and delta cache for SBOMs.
|
||||
- Graph and Cartographer: identity graph and relationship queries.
|
||||
- Vuln Explorer: evidence-linked findings view with VEX-first posture.
|
||||
|
||||
Policy and governance
|
||||
- Policy Engine: deterministic rule evaluation and explain traces.
|
||||
- Task Packs and Task Runner: automation workflows with approvals.
|
||||
- Governance surfaces: approvals, exceptions, and audit exports.
|
||||
|
||||
Identity, signing, and provenance
|
||||
- Authority: identity, tokens, scopes, tenancy enforcement.
|
||||
- Signer: DSSE signing and key management integration.
|
||||
- Attestor: attestations, envelopes, and transparency logging.
|
||||
- Issuer Directory: trusted issuer catalog for signatures and VEX.
|
||||
|
||||
Scheduling and orchestration
|
||||
- Scheduler: change detection and rescan orchestration.
|
||||
- Orchestrator: job dispatch and coordination for scans and exports.
|
||||
|
||||
Runtime and security enforcement
|
||||
- Zastava: runtime admission and policy enforcement.
|
||||
- Signals: runtime and reachability signals feeding policy and triage.
|
||||
|
||||
Notification and UI
|
||||
- Notifications Studio: rule-based notifications and channel delivery.
|
||||
- UI Console: Angular app for findings, policy, runs, and admin.
|
||||
- Web Gateway: API routing and auth enforcement for UI and CLI.
|
||||
|
||||
Offline and telemetry
|
||||
- Airgap and mirrors: offline bundles, sealing, and staleness control.
|
||||
- Telemetry stack: metrics, logs, traces, and offline storage.
|
||||
|
||||
Related references
|
||||
- docs/technical/architecture/component-map.md
|
||||
- docs/modules/*/architecture.md
|
||||
35
docs2/architecture/reachability-evidence.md
Normal file
35
docs2/architecture/reachability-evidence.md
Normal file
@@ -0,0 +1,35 @@
|
||||
# Reachability evidence schema
|
||||
|
||||
Reachability evidence is stored as canonical graphs plus optional runtime facts
|
||||
and edge bundles. Evidence is content-addressed and signed.
|
||||
|
||||
Core identifiers
|
||||
- symbol_id: canonical symbol identity with format, build id, address range.
|
||||
- code_id: code block identity when symbols are missing.
|
||||
- symbol_digest: sha256 of normalized signature or block hash.
|
||||
- purl: owning component identity when resolved.
|
||||
|
||||
Graph payload (richgraph-v1)
|
||||
- nodes carry symbol ids, digests, purls, and analyzer metadata.
|
||||
- edges carry kind, confidence, evidence tags, and candidate targets.
|
||||
- roots capture entrypoints and loader roots.
|
||||
- graph_hash is the content hash of canonical JSON.
|
||||
|
||||
Attestation levels
|
||||
- Graph DSSE is required for every graph (canonical JSON + hash).
|
||||
- Edge-bundle DSSE is optional for high-signal edges.
|
||||
- CAS layout uses cas://reachability/graphs and cas://reachability/edges.
|
||||
|
||||
Runtime facts
|
||||
- Events include symbolId, codeId, purl, hitCount, and observedAt.
|
||||
- Runtime traces can be stored in CAS and referenced by URI.
|
||||
|
||||
Validation rules (examples)
|
||||
- Edges must include purl or candidates.
|
||||
- Evidence arrays are sorted and confidence is within 0.0-1.0.
|
||||
- Graph and edge bundles must reference the same graph_hash.
|
||||
|
||||
Related references
|
||||
- docs/reachability/evidence-schema.md
|
||||
- docs/reachability/edge-explainability-schema.md
|
||||
- docs/reachability/runtime-static-union-schema.md
|
||||
33
docs2/architecture/reachability-lattice.md
Normal file
33
docs2/architecture/reachability-lattice.md
Normal file
@@ -0,0 +1,33 @@
|
||||
# Reachability lattice
|
||||
|
||||
Reachability is modeled as a deterministic lattice with explicit unknowns.
|
||||
Signals emits per-target states and a fact-level score that is stable under
|
||||
replay.
|
||||
|
||||
Current v0 model (buckets)
|
||||
- Buckets: entrypoint, direct, runtime, unknown, unreachable.
|
||||
- Scores are confidence * bucket weight, clamped to 0.0-1.0.
|
||||
- Unknowns pressure penalizes the fact-level score to avoid false safety.
|
||||
|
||||
Unknowns pressure
|
||||
- pressure = unknowns / (targets + unknowns)
|
||||
- score = avg(target scores) * (1 - min(pressure, ceiling))
|
||||
|
||||
Lattice v1 (design direction)
|
||||
- States: unknown, staticallyReachable, staticallyUnreachable,
|
||||
runtimeObserved, runtimeUnobserved, confirmedReachable,
|
||||
confirmedUnreachable, contested.
|
||||
- Joins are monotonic; contested absorbs conflicts.
|
||||
- Policy should treat unknown and contested as under investigation.
|
||||
|
||||
Evidence requirements
|
||||
- Reachability facts include graph hashes, path references, and runtime hit refs.
|
||||
- Evidence transitions record previous state and supporting inputs.
|
||||
|
||||
Policy guidance
|
||||
- Do not assert not_affected without high-confidence reachability evidence.
|
||||
- Unknown or contested states should surface as under_investigation.
|
||||
|
||||
Related references
|
||||
- docs/reachability/lattice.md
|
||||
- docs/signals/unknowns-registry.md
|
||||
@@ -23,3 +23,8 @@
|
||||
## Unknowns registry
|
||||
- Unknowns are first-class objects with scoring, SLA bands, and evidence links.
|
||||
- Unknowns are stored with deterministic ordering and exported for offline review.
|
||||
|
||||
## Related references
|
||||
- docs2/architecture/reachability-lattice.md
|
||||
- docs2/architecture/reachability-evidence.md
|
||||
- docs2/signals/unknowns.md
|
||||
|
||||
Reference in New Issue
Block a user