stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance

Browse Source 
## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

-  Zero direct System.Security.Cryptography usage in production code
-  All crypto operations go through ICryptoProvider abstraction
-  39/39 unit tests passing for OfflineVerificationCryptoProvider
-  Build successful (AirGap, Crypto plugin, DI infrastructure)
-  Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
2025-12-23 18:20:00 +02:00
parent b444284be5
commit dac8e10e36
241 changed files with 22567 additions and 307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
docs2/policy/policy-system.md Normal file
View File

@@ -0,0 +1,108 @@
# Policy system
The policy system turns evidence into deterministic findings and explanations.
Policies are authored in the Stella Policy DSL, compiled to canonical IR, and
executed in the Policy Engine.
Purpose and scope
- Convert raw evidence into effective findings with explainability.
- Keep decisions deterministic and reproducible across environments.
- Support offline execution with content-addressed inputs.
Inputs and signals
- SBOM inventory and usage data from Scanner.
- Advisory observations and linksets from Concelier.
- VEX observations and linksets from Excititor.
- Reachability graphs and runtime traces from Signals.
- Trust, entropy, and uncertainty signals.
DSL structure (stella-dsl@1)
- metadata: optional descriptive fields surfaced in UI and CLI.
- profile blocks: maps and scalar adjustments for severity or trust.
- rule blocks: when-then logic with optional priority.
- settings: evaluation toggles (shadow, defaults).
Example (short)
```dsl
policy "Baseline" syntax "stella-dsl@1" {
metadata { description = "VEX first" }
profile severity { map vendor_weight { source "OSV" => 0.0; } }
rule vex_override priority 10 {
when vex.any(status == "not_affected")
then status := "not_affected"
because "VEX claim"
}
}
```
Evaluation model
- The engine evaluates tuples of (component, advisory, vex[]).
- Rules execute by ascending priority; ties resolve by lexical order.
- Actions set status, severity, and annotations; missing evidence yields unknown.
- Suppressions and overrides must be explicit and explained.
Outputs and explainability
- effective findings with status, severity, and confidence fields.
- explain trace with rule id, because text, and evidence hashes.
- policy hash and input hashes recorded for replay and audit.
Lifecycle and gates
1) Draft with shadow mode enabled.
2) Lint and simulate with coverage fixtures.
3) Review and approve with Authority scopes.
4) Publish with attestation and optional ledger anchor.
5) Promote to environments and activate runs.
6) Archive and retain audit history.
Minimum gates for publish
- Lint is clean.
- Simulation diff is reviewed and attached.
- Coverage fixtures pass in CI and shadow runs exist.
- Reason and ticket metadata are provided for approvals.
Fixtures and simulation
- Fixtures live under tests/policy/<policyId>/cases/.
- Each case includes inputs and expected status or severity.
- Fixtures must include unknown reachability and VEX conflict cases.
Fixture example (short)
```json
{
"caseId": "vex-not-affected",
"sbom": { "components": [{ "purl": "pkg:npm/lodash@4.17.21" }] },
"advisories": [{ "id": "CVE-2024-1234", "purl": "pkg:npm/lodash@4.17.21" }],
"vex": [{ "status": "not_affected", "justification": "component_not_present" }],
"signals": { "reachability": { "state": "unknown" } },
"expect": { "status": "not_affected" }
}
```
Simulation output (summary)
- policyHash: canonical hash of the policy IR.
- inputsHash: canonical hash of inputs and fixtures.
- findingsCount: total findings produced.
- determinismHash: stable hash for replay comparisons.
Governance
- Scopes include policy:author, policy:review, policy:approve, policy:publish,
policy:promote, policy:operate, policy:audit.
- Two-person approval is recommended for publish and promote.
- Authors should not approve their own submissions.
- Approval evidence and run history are immutable and exportable.
- Offline governance follows the same workflow with signed bundles.
Determinism and offline
- Canonical JSON and stable ordering for IR and outputs.
- No network calls or non-deterministic functions in evaluation.
- Offline kits bundle policies, attestations, and fixtures.
Testing
- stella policy lint, simulate, and test must run in CI.
- Coverage fixtures should include reachability unknown and VEX conflicts.
Related references
- docs/policy/overview.md
- docs/policy/dsl.md
- docs/policy/lifecycle.md
- docs/policy/exception-effects.md
- docs/60_POLICY_TEMPLATES.md