stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance

Browse Source 
## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

-  Zero direct System.Security.Cryptography usage in production code
-  All crypto operations go through ICryptoProvider abstraction
-  39/39 unit tests passing for OfflineVerificationCryptoProvider
-  Build successful (AirGap, Crypto plugin, DI infrastructure)
-  Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
2025-12-23 18:20:00 +02:00
parent b444284be5
commit dac8e10e36
241 changed files with 22567 additions and 307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

258
docs2/topic-map.md
View File

@@ -8,12 +8,33 @@ Product and positioning
docs/04_FEATURE_MATRIX.md, docs/05_SYSTEM_REQUIREMENTS_SPEC.md, docs/05_ROADMAP.md
- Docs2: product/overview.md, product/roadmap-and-requirements.md
Market positioning and claims
- Sources: docs/market/*, docs/marketing/*, docs/claims-index.md
- Docs2: product/market-positioning.md, product/claims-and-benchmarks.md
Architecture and system model
- Sources: docs/07_HIGH_LEVEL_ARCHITECTURE.md, docs/high-level-architecture.md,
docs/ARCHITECTURE_DETAILED.md, docs/40_ARCHITECTURE_OVERVIEW.md,
docs/modules/platform/architecture-overview.md, docs/modules/*/architecture.md
- Docs2: architecture/overview.md, architecture/workflows.md, modules/index.md
Component map
- Sources: docs/technical/architecture/component-map.md
- Docs2: architecture/component-map.md
Ingestion and aggregation (AOC, linksets)
- Sources: docs/ingestion/aggregation-only-contract.md, docs/aoc/*,
docs/advisories/aggregation.md, docs/vex/aggregation.md
- Docs2: ingestion/aggregation-and-linksets.md
AOC guardrails and library
- Sources: docs/aoc/aoc-guardrails.md, docs/aoc/guard-library.md
- Docs2: ingestion/aoc-guardrails.md
AOC linkset backfill
- Sources: docs/concelier/backfill/*
- Docs2: ingestion/backfill.md
Evidence and determinism
- Sources: docs/replay/*, docs/contracts/*, docs/ingestion/*, docs/data/*,
docs/11_DATA_SCHEMAS.md, docs/ARCHITECTURE_DETAILED.md
@@ -22,21 +43,75 @@ Evidence and determinism
Reachability, VEX, unknowns
- Sources: docs/reachability/*, docs/vex/*, docs/signals/*, docs/modules/signals/*,
docs/modules/vex-lens/architecture.md, docs/modules/vexlens/architecture.md
- Docs2: architecture/reachability-vex.md
- Docs2: architecture/reachability-vex.md, signals/unknowns.md, signals/uncertainty.md
Reachability lattice and evidence
- Sources: docs/reachability/lattice.md, docs/reachability/evidence-schema.md,
docs/reachability/edge-explainability-schema.md, docs/reachability/runtime-static-union-schema.md
- Docs2: architecture/reachability-lattice.md, architecture/reachability-evidence.md
VEX consensus
- Sources: docs/vex/consensus-overview.md, docs/vex/consensus-json.md
- Docs2: vex/consensus.md
Callgraph schema
- Sources: docs/signals/callgraph-formats.md
- Docs2: signals/callgraph-schema.md
Signal contract mapping
- Sources: docs/architecture/signal-contract-mapping.md
- Docs2: signals/contract-mapping.md
Unknowns ranking
- Sources: docs/signals/unknowns-ranking.md
- Docs2: signals/unknowns-ranking.md
Modules and services
- Sources: docs/modules/* (architecture, README, operations, runbooks)
- Docs2: modules/index.md
Advisory AI
- Sources: docs/advisory-ai/*
- Docs2: advisory-ai/overview.md
Orchestrator detail
- Sources: docs/orchestrator/*
- Docs2: orchestrator/overview.md, orchestrator/architecture.md, orchestrator/api.md,
orchestrator/cli.md, orchestrator/console.md
Orchestrator run ledger
- Sources: docs/orchestrator/run-ledger.md
- Docs2: orchestrator/run-ledger.md
Operations and deployment
- Sources: docs/21_INSTALL_GUIDE.md, docs/deploy/*, docs/install/*,
docs/operations/*, docs/runbooks/*
- Docs2: operations/install-deploy.md
docs/operations/*, docs/runbooks/*, docs/quickstart.md
- Docs2: operations/quickstart.md, operations/install-deploy.md
Deployment versioning
- Sources: docs/deployment/VERSION_MATRIX.md
- Docs2: operations/deployment-versioning.md
Binary prerequisites
- Sources: docs/ops/binary-prereqs.md
- Docs2: operations/binary-prereqs.md
Runtime readiness
- Sources: docs/runtime/SCANNER_RUNTIME_READINESS.md
- Docs2: operations/runtime-readiness.md
Service SLOs
- Sources: docs/slo/*
- Docs2: operations/slo.md
Air-gap and offline kit
- Sources: docs/24_OFFLINE_KIT.md, docs/10_OFFLINE_KIT.md, docs/airgap/*
- Docs2: operations/airgap.md
Air-gap bundles and runbooks
- Sources: docs/airgap/overview.md, docs/airgap/offline-bundle-format.md, docs/airgap/runbooks/*
- Docs2: operations/airgap-bundles.md, operations/airgap-runbooks.md
Replay and determinism
- Sources: docs/replay/*, docs/runbooks/replay_ops.md, docs/release/promotion-attestations.md
- Docs2: operations/replay-and-determinism.md
@@ -45,6 +120,21 @@ Runbooks and incident response
- Sources: docs/runbooks/*, docs/operations/*
- Docs2: operations/runbooks.md
Notifications
- Sources: docs/notifications/*, docs/modules/notify/*
- Docs2: operations/notifications.md
Notifications details
- Sources: docs/notifications/overview.md, docs/notifications/rules.md,
docs/notifications/channels.md, docs/notifications/templates.md,
docs/notifications/digests.md, docs/notifications/pack-approvals-integration.md
- Docs2: notifications/overview.md, notifications/rules.md, notifications/channels.md,
notifications/templates.md, notifications/digests.md, notifications/pack-approvals.md
Router rate limiting
- Sources: docs/router/*
- Docs2: operations/router-rate-limiting.md
Release engineering and CI/DevOps
- Sources: docs/13_RELEASE_ENGINEERING_PLAYBOOK.md, docs/ci/*, docs/devops/*,
docs/release/*, docs/releases/*
@@ -55,16 +145,72 @@ API and contracts
docs/contracts/*
- Docs2: api/overview.md, api/auth-and-tokens.md, data-and-schemas.md
Policy system
- Sources: docs/policy/*, docs/60_POLICY_TEMPLATES.md
- Docs2: policy/policy-system.md
Contracts and interfaces
- Sources: docs/contracts/*, docs/adr/*, docs/specs/*
- Docs2: contracts-and-interfaces.md
Scanner core contracts
- Sources: docs/scanner-core-contracts.md
- Docs2: contracts/scanner-core.md
Symbols specification
- Sources: docs/specs/SYMBOL_MANIFEST_v1.md, docs/specs/symbols/*
- Docs2: specs/symbols.md
SBOM handling
- Sources: docs/sbom/*
- Docs2: sbom/overview.md
Security, governance, compliance
- Sources: docs/13_SECURITY_POLICY.md, docs/17_SECURITY_HARDENING_GUIDE.md,
docs/11_GOVERNANCE.md, docs/12_CODE_OF_CONDUCT.md, docs/28_LEGAL_COMPLIANCE.md,
docs/29_LEGAL_FAQ_QUOTA.md, docs/33_333_QUOTA_OVERVIEW.md
docs/11_GOVERNANCE.md, docs/12_CODE_OF_CONDUCT.md, docs/28_LEGAL_COMPLIANCE.md
- Docs2: security-and-governance.md
Regulator threat and evidence model
- Sources: docs/28_LEGAL_COMPLIANCE.md
- Docs2: legal/regulator-threat-evidence.md
Identity, tenancy, and scopes
- Sources: docs/security/authority-scopes.md, docs/security/scopes-and-roles.md,
docs/architecture/console-admin-rbac.md
- Docs2: security/identity-tenancy-and-scopes.md
Console admin RBAC
- Sources: docs/architecture/console-admin-rbac.md
- Docs2: security/admin-rbac.md
Crypto profiles and trust
- Sources: docs/security/crypto-profile-configuration.md,
docs/security/trust-and-signing.md, docs/security/crypto-simulation-services.md
- Docs2: security/crypto-and-trust.md
Crypto compliance and licensing
- Sources: docs/security/crypto-compliance.md, docs/legal/crypto-compliance-review.md
- Docs2: security/crypto-compliance.md
Security hardening
- Sources: docs/security/dpop-mtls-rollout.md, docs/security/password-hashing.md,
docs/security/secrets-handling.md, docs/security/rate-limits.md,
docs/security/notifications-hardening.md, docs/security/export-hardening.md
- Docs2: security/operational-hardening.md
Audit events
- Sources: docs/security/audit-events.md
- Docs2: security/audit-events.md
Revocation bundles
- Sources: docs/security/revocation-bundle.md, docs/security/revocation-bundle-example.json
- Docs2: security/revocation-bundles.md
Quota and licensing
- Sources: docs/license-jwt-quota.md, docs/30_QUOTA_ENFORCEMENT_FLOW1.md,
docs/33_333_QUOTA_OVERVIEW.md
- Docs2: security/quota-and-licensing.md
Risk model and scoring
- Sources: docs/risk/*, docs/contracts/risk-scoring.md
- Docs2: security/risk-model.md
@@ -73,6 +219,11 @@ Forensics and evidence locker
- Sources: docs/forensics/*, docs/evidence-locker/*
- Docs2: security/forensics-and-evidence-locker.md
Provenance and transparency
- Sources: docs/provenance/*, docs/security/trust-and-signing.md,
docs/modules/attestor/*, docs/modules/signer/*
- Docs2: provenance/inline-provenance.md
Database and persistence
- Sources: docs/db/*, docs/adr/0001-postgresql-for-control-plane.md
- Docs2: data/persistence.md
@@ -85,10 +236,81 @@ CLI and UI
- Sources: docs/15_UI_GUIDE.md, docs/cli/*, docs/ui/*, docs/console/*, docs/ux/*
- Docs2: cli-ui.md
CLI reference
- Sources: docs/cli/*
- Docs2: cli/overview.md
CLI command guides
- Sources: docs/cli/command-reference.md, docs/cli/crypto-commands.md,
docs/cli/crypto-plugins.md, docs/cli/distribution-matrix.md,
docs/cli/reachability-cli-reference.md, docs/cli/drift-cli.md,
docs/cli/smart-diff-cli.md, docs/cli/triage-cli.md,
docs/cli/unknowns-cli-reference.md, docs/cli/score-proofs-cli-reference.md,
docs/cli/sbomer.md, docs/cli/audit-pack-commands.md,
docs/cli/keyboard-shortcuts.md, docs/cli/troubleshooting.md
- Docs2: cli/commands.md, cli/crypto.md, cli/crypto-plugins.md,
cli/distribution-matrix.md, cli/reachability.md, cli/triage.md,
cli/unknowns.md, cli/score-proofs.md, cli/sbomer.md, cli/audit-pack.md,
cli/keyboard-shortcuts.md, cli/troubleshooting.md
Console shell and navigation
- Sources: docs/ui/console-overview.md, docs/ui/navigation.md
- Docs2: ui/console.md, ui/navigation.md
Console workspaces
- Sources: docs/ui/console.md, docs/ui/findings.md, docs/ui/advisories-and-vex.md,
docs/ui/downloads.md, docs/ui/runs.md, docs/ui/policies.md
- Docs2: ui/aoc-dashboard.md, ui/findings.md, ui/advisories-vex.md, ui/downloads.md,
ui/runs.md, ui/policies.md
Console admin and governance
- Sources: docs/ui/admin.md, docs/console/admin-tenants.md, docs/ui/exception-center.md
- Docs2: ui/admin.md, ui/exception-center.md
Console SBOM and vulnerability exploration
- Sources: docs/ui/sbom-explorer.md, docs/ui/sbom-graph-explorer.md,
docs/ui/vulnerability-explorer.md, docs/ui/reachability-overlays.md
- Docs2: ui/sbom-explorer.md, ui/sbom-graph-explorer.md,
ui/vulnerability-explorer.md, ui/reachability-overlays.md
Console explainers
- Sources: docs/ui/explainers.md
- Docs2: ui/explainers.md
Console air-gap and attestations
- Sources: docs/console/airgap.md, docs/console/attestor-ui.md
- Docs2: ui/airgap.md, ui/attestor.md
Console forensics, observability, and risk
- Sources: docs/console/forensics.md, docs/console/observability.md, docs/console/risk-ui.md
- Docs2: ui/forensics.md, ui/observability.md, ui/risk-ui.md
Console branding and accessibility
- Sources: docs/ui/branding.md, docs/architecture/console-branding.md, docs/accessibility.md
- Docs2: ui/branding.md, ui/accessibility.md
Policy editor UI
- Sources: docs/ui/policy-editor.md, docs/security/policy-governance.md
- Docs2: ui/policy-editor.md
Triage UX
- Sources: docs/ux/TRIAGE_UX_GUIDE.md, docs/ux/TRIAGE_UI_REDUCER_SPEC.md
- Docs2: ui/triage.md
Console security
- Sources: docs/security/console-security.md
- Docs2: security/console-security.md
Approvals and exceptions
- Sources: docs/governance/approvals-and-routing.md, docs/governance/exceptions.md
- Docs2: governance/approvals.md, governance/exceptions.md
Developer and contribution
- Sources: docs/DEVELOPER_ONBOARDING.md, docs/10_PLUGIN_SDK_GUIDE.md,
docs/18_CODING_STANDARDS.md, docs/contributing/*
- Docs2: developer/onboarding.md, developer/plugin-sdk.md
- Sources: docs/DEVELOPER_ONBOARDING.md, docs/onboarding/*,
docs/10_PLUGIN_SDK_GUIDE.md, docs/18_CODING_STANDARDS.md, docs/contributing/*,
docs/devportal/publishing.md, docs/process/implementor-guidelines.md
- Docs2: developer/onboarding.md, developer/plugin-sdk.md, developer/devportal.md,
developer/implementation-guidelines.md
SDKs and clients
- Sources: docs/sdks/*
@@ -98,6 +320,18 @@ Task packs and automation
- Sources: docs/task-packs/*
- Docs2: task-packs.md
Interoperability
- Sources: docs/interop/*
- Docs2: interop/sbom-interop.md, interop/cosign.md
Migration guidance
- Sources: docs/migration/*
- Docs2: migration/overview.md
Vuln Explorer overview
- Sources: docs/vuln/*
- Docs2: vuln-explorer/overview.md
Testing and quality
- Sources: docs/19_TEST_SUITE_OVERVIEW.md, docs/testing/*
- Docs2: testing-and-quality.md
@@ -111,6 +345,14 @@ Benchmarks and performance
- Sources: docs/benchmarks/*, docs/12_PERFORMANCE_WORKBOOK.md
- Docs2: benchmarks.md
Guides and workflows
- Sources: docs/guides/*, docs/ci/sarif-integration.md
- Docs2: guides/compare-workflow.md, guides/epss-integration.md
Examples and fixtures
- Sources: docs/examples/*, docs/samples/*, docs/schemas/*
- Docs2: references/examples-and-fixtures.md
Training and adoption
- Sources: docs/training/*, docs/evaluate/*, docs/faq/*
- Docs2: training-and-adoption.md