stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance

Browse Source 
## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

-  Zero direct System.Security.Cryptography usage in production code
-  All crypto operations go through ICryptoProvider abstraction
-  39/39 unit tests passing for OfflineVerificationCryptoProvider
-  Build successful (AirGap, Crypto plugin, DI infrastructure)
-  Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
2025-12-23 18:20:00 +02:00
parent b444284be5
commit dac8e10e36
241 changed files with 22567 additions and 307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
docs2/signals/callgraph-schema.md Normal file
View File

@@ -0,0 +1,48 @@
# Callgraph schema (stella.callgraph.v1)
Purpose
- Represent static and runtime call graphs for reachability.
- Preserve provenance, entrypoints, and explainable edge reasons.
Top-level fields
- schema: fixed string stella.callgraph.v1.
- nodes: symbol nodes with ids, names, and metadata.
- edges: call edges between nodes.
- entrypoints: entry nodes and routes.
- artifacts: optional artifacts list for mapping nodes to binaries.
- metadata: graph-level info (language, component, version, ingestedAt).
- graphHash: sha256 of canonical content for deduplication.
Core enumerations (examples)
- Language: DotNet, Java, Node, Python, Go, Rust, Binary.
- EdgeKind: static, heuristic, runtime.
- EdgeReason: directCall, virtualCall, reflectionString, dynamicImport, runtimeMinted.
- EntrypointKind: http, grpc, cli, job, event, timer, main.
Node shape (key fields)
- id, name, kind, namespace, file, line.
- symbolKey: canonical signature for the symbol.
- visibility: public, internal, protected, private.
- isEntrypointCandidate: boolean.
- attributes: extra metadata such as http method and route.
Edge shape (key fields)
- sourceId, targetId.
- kind, reason, weight, isResolved.
- candidates for unresolved dynamic dispatch.
Determinism rules
- Sort nodes by id, edges by sourceId then targetId, entrypoints by order.
- Enums serialize as camelCase strings.
- Timestamps use UTC ISO-8601.
- graphHash uses SHA-256 over canonical JSON.
Validation rules
- Node ids are unique.
- Edge endpoints reference existing nodes.
- Entrypoint nodeIds reference existing nodes.
- Edge weights are within 0.0 to 1.0.
Related references
- docs/signals/callgraph-formats.md
- docs/reachability/README.md

34
docs2/signals/contract-mapping.md Normal file
View File

@@ -0,0 +1,34 @@
# Signal contract mapping
StellaOps implements advisory signal contracts using domain-specific models.
The signals align to five core concepts:
Mapping summary
| Advisory signal | StellaOps equivalent | Purpose |
| --- | --- | --- |
| Signal-10 (SBOM intake) | SBOM ingestion + callgraph ingest | Normalize SBOMs and call graphs with tenant and source metadata. |
| Signal-12 (Evidence) | in-toto statements + DSSE envelopes | Signed attestations and evidence bundles. |
| Signal-14 (Triage fact) | Triage finding, reachability, risk, and VEX entities | Aggregated facts for a vuln and component. |
| Signal-16 (Diff delta) | Triage snapshot + smart-diff + drift causes | Deterministic change detection between runs. |
| Signal-18 (Decision) | Triage decision + policy decision attestation | Final decision with rationale and signatures. |
Evidence references
- DSSE envelopes are addressed by sha256 of the envelope payload.
- CAS URIs reference content-addressed evidence blobs (graphs, traces).
Idempotency
- Event envelopes include explicit idempotency keys.
- Findings use stable identifiers derived from CVE and subject context.
API surface alignment
- SBOM ingest endpoints map to scanner and signals ingest.
- Decision and diff endpoints map to triage and smart-diff APIs.
Key equivalence guarantees
- Subject digests and PURLs are preserved across ingestion and triage.
- Reachability and VEX evidence is attached to findings, not rewritten.
- Decisions carry rationale and policy references suitable for audit.
Related references
- docs/architecture/signal-contract-mapping.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md

30
docs2/signals/uncertainty.md Normal file
View File

@@ -0,0 +1,30 @@
# Uncertainty and entropy
Uncertainty captures missing or untrusted evidence as first-class signals.
It prevents silent false negatives and feeds risk scoring and policy gates.
Core states (examples)
- U1: MissingSymbolResolution
- U2: MissingPurl
- U3: UntrustedAdvisory
- U4: Unknown (no analysis yet)
Tiers and scoring
- Tiers group states by entropy ranges.
- The aggregate tier is the maximum severity present.
- Risk score adds an entropy-based modifier.
Policy guidance
- High uncertainty blocks not_affected claims.
- Lower tiers allow decisions with caveats.
- Remediation hints are attached to findings.
Determinism rules
- Stable ordering of uncertainty states.
- UTC timestamps and fixed precision for entropy values.
- Canonical JSON for hashing and replay.
Related references
- docs/uncertainty/README.md
- docs/reachability/lattice.md
- docs/policy/dsl.md

30
docs2/signals/unknowns-ranking.md Normal file
View File

@@ -0,0 +1,30 @@
# Unknowns ranking
Unknowns are prioritized using a deterministic, multi-factor score and
assigned to triage bands that drive rescan scheduling.
Scoring formula
- Score = wP*P + wE*E + wU*U + wC*C + wS*S (clamped to 0.0-1.0).
- Factors: Popularity (P), Exploit potential (E), Uncertainty density (U),
Centrality (C), Staleness (S).
- Default weights: P 0.25, E 0.25, U 0.25, C 0.15, S 0.10.
Band thresholds
- HOT: score >= 0.70 (immediate rescan, 15-minute cadence).
- WARM: 0.40 <= score < 0.70 (scheduled rescan, 12-72 hours).
- COLD: score < 0.40 (weekly batch).
Determinism and replay
- Each scored unknown stores a normalization trace with raw values,
normalized values, weights, and computed score.
- Replaying the trace yields the same score and band.
Configuration (Signals:UnknownsScoring)
- WeightPopularity, WeightExploitPotential, WeightUncertainty,
WeightCentrality, WeightStaleness.
- HotThreshold, WarmThreshold, HotRescanMinutes, WarmRescanHours,
ColdRescanDays.
Related references
- docs/signals/unknowns-ranking.md
- docs/signals/unknowns-registry.md

40
docs2/signals/unknowns.md Normal file
View File

@@ -0,0 +1,40 @@
# Signals and unknowns
Unknowns are first-class signals that capture gaps in identity, reachability,
or evidence mapping. They prevent silent false negatives.
Unknowns registry model
- Deterministic id based on type, scope, and evidence.
- Includes provenance, scope, unknown_type, evidence, and status.
- Stores confidence metrics and exposure hints.
Producers
- Scanner: unresolved symbols or missing mappings.
- Signals: runtime hits without graph linkage.
- SbomService: conflicting versions or hash mismatches.
- Policy: undecidable cases due to missing evidence.
Consumers
- Risk and reachability scoring uses unknowns pressure.
- Policy gates can block not_affected when unknowns are high.
- UI and CLI provide triage and suppression workflows.
Ranking and triage bands
- Unknowns are scored using popularity, exploit potential, uncertainty, centrality, and staleness.
- Bands: hot, warm, cold drive rescan cadence.
API sketch
- POST /unknowns/ingest for idempotent upserts.
- GET /unknowns with filters by artifact and status.
- POST /unknowns/{id}/triage to update status and labels.
Storage
- Append-only store with CAS references for large evidence blobs.
- Tenant isolation and schema versioning for replay.
Related references
- docs/signals/unknowns-registry.md
- docs/signals/unknowns-ranking.md
- docs/uncertainty/README.md
- docs2/signals/uncertainty.md
- docs2/signals/unknowns-ranking.md