stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Refactor code structure for improved readability and maintainability
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-06 21:48:12 +02:00
parent f6c22854a4
commit dd0067ea0b
105 changed files with 12662 additions and 427 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
docs/implplan/archived/SPRINT_0204_0001_0004_cli_iv.md Normal file
View File

@@ -0,0 +1,47 @@
# Sprint 204 - Experience & SDKs · 180.A) Cli.IV
## Topic & Scope
- Experience & SDKs focus on CLI (phase IV) covering policy lifecycle, risk workflows, SDK uplift, and reachability commands.
- Deliver CLI parity with Policy Studio outputs and offline-friendly risk/simulator flows.
- Working directory: `src/Cli` (StellaOps.Cli and docs).
## Dependencies & Concurrency
- Depends on Sprint 180.A - Cli.III deliverables.
- Review `BLOCKED_DEPENDENCY_TREE.md` before resuming any deferred follow-ups.
- Historical tasks are mirrored in `docs/implplan/archived/tasks.md` (2025-11-08).
## Documentation Prerequisites
- docs/README.md
- docs/modules/platform/architecture-overview.md
- docs/modules/cli/architecture.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CLI-POLICY-27-002 | DONE | Depends on CLI-POLICY-27-001 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Add submission/review workflow commands (`stella policy version bump`, `submit`, `review comment`, `approve`, `reject`) supporting reviewer assignment, changelog capture, and exit codes. |
| 2 | CLI-POLICY-27-003 | DONE | Depends on CLI-POLICY-27-002 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Implement `stella policy simulate` enhancements (quick vs batch, SBOM selectors, heatmap summary, manifest download) with `--json` and Markdown report output for CI. |
| 3 | CLI-POLICY-27-004 | DONE | Depends on CLI-POLICY-27-003 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Add lifecycle commands for publish/promote/rollback/sign (`stella policy publish --sign`, `promote --env`, `rollback`) with attestation verification and canary arguments. |
| 4 | CLI-POLICY-27-005 | DONE | Depends on CLI-POLICY-27-004 | DevEx/CLI Guild; Docs Guild (`src/Cli/StellaOps.Cli`) | Update CLI reference and samples for Policy Studio including JSON schemas, exit codes, and CI snippets. |
| 5 | CLI-POLICY-27-006 | DONE | Depends on CLI-POLICY-27-005 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Update CLI policy profiles/help text to request the new Policy Studio scope family; surface ProblemDetails guidance for `invalid_scope`; adjust regression tests for scope failures. |
| 6 | CLI-RISK-66-001 | DONE | None | DevEx/CLI Guild; Policy Guild (`src/Cli/StellaOps.Cli`) | Implement `stella risk profile list` with category filtering, pagination, and JSON output. |
| 7 | CLI-RISK-66-002 | DONE | Depends on CLI-RISK-66-001 | DevEx/CLI Guild; Risk Engine Guild (`src/Cli/StellaOps.Cli`) | Ship `stella risk simulate` supporting SBOM/asset inputs, diff mode, and export to JSON/CSV. |
| 8 | CLI-RISK-67-001 | DONE | Depends on CLI-RISK-66-002 | DevEx/CLI Guild; Findings Ledger Guild (`src/Cli/StellaOps.Cli`) | Provide `stella risk results` with filtering, severity thresholds, explainability fetch. |
| 9 | CLI-RISK-68-001 | DONE | Depends on CLI-RISK-67-001 | DevEx/CLI Guild; Export Guild (`src/Cli/StellaOps.Cli`) | Add `stella risk bundle verify` and integrate with offline risk bundles. |
| 10 | CLI-SDK-62-001 | DONE | None | DevEx/CLI Guild; SDK Generator Guild (`src/Cli/StellaOps.Cli`) | Replace bespoke HTTP clients with official SDK (TS/Go) for all CLI commands; ensure modular transport for air-gapped mode. |
| 11 | CLI-SDK-62-002 | DONE | Depends on CLI-SDK-62-001 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Update CLI error handling to surface standardized API error envelope with `error.code` and `trace_id`. |
| 12 | CLI-SDK-63-001 | DONE | Depends on CLI-SDK-62-002 | DevEx/CLI Guild; API Governance Guild (`src/Cli/StellaOps.Cli`) | Expose `stella api spec download` command retrieving aggregate OAS and verifying checksum/ETag. |
| 13 | CLI-SDK-64-001 | DONE | Depends on CLI-SDK-63-001 | DevEx/CLI Guild; SDK Release Guild (`src/Cli/StellaOps.Cli`) | Add CLI subcommand `stella sdk update` to fetch latest SDK manifests/changelogs; integrate with Notifications for deprecations. |
| 14 | CLI-SIG-26-001 | DONE | None | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Implement `stella reachability upload-callgraph` and `stella reachability list/explain` commands with streaming upload, pagination, and exit codes. |
| 15 | CLI-SIG-26-002 | DONE | Depends on CLI-SIG-26-001 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Extend `stella policy simulate` with reachability override flags (`--reachability-state`, `--reachability-score`). |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-06 | Archived to docs/implplan/archived/SPRINT_0204_0001_0004_cli_iv.md; all tasks DONE. | Project Mgmt |
## Decisions & Risks
- Policy and reachability command set is complete; relies on upstream Policy Studio scopes and API envelopes already adopted.
- No open implementation risks noted; monitor downstream SDK release cadence for compatibility.
## Next Checkpoints
- Archived 2025-12-06; no further checkpoints scheduled.

43
docs/implplan/archived/SPRINT_0205_0001_0005_cli_v.md Normal file
View File

@@ -0,0 +1,43 @@
# Sprint 205 - Experience & SDKs · 180.A) Cli.V
## Topic & Scope
- Experience & SDKs focus on CLI (phase V) completing tenant flows and VEX/vulnerability command set.
- Harden authentication/tenant profile management and round out VEX + vulnerability workflows with exports and simulations.
- Working directory: `src/Cli` (StellaOps.Cli and docs).
## Dependencies & Concurrency
- Depends on Sprint 180.A - Cli.IV deliverables.
- Historical tasks are mirrored in `docs/implplan/archived/tasks.md` (2025-11-08).
## Documentation Prerequisites
- docs/README.md
- docs/modules/platform/architecture-overview.md
- docs/modules/cli/architecture.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CLI-TEN-47-001 | DONE | None | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Implement `stella login`, `whoami`, `tenants list`, persistent profiles, secure token storage, and `--tenant` override with validation (TenantProfileStore; ~/.stellaops/profile.json). |
| 2 | CLI-TEN-49-001 | DONE | Depends on CLI-TEN-47-001 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Add service account token minting, delegation, impersonation banner, and audit-friendly logging. Authority service endpoints for mint/delegate/introspect still required server-side. |
| 3 | CLI-VEX-30-001 | DONE | None | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Implement `stella vex consensus list` with filters, paging, policy selection, `--json/--csv`. |
| 4 | CLI-VEX-30-002 | DONE | Depends on CLI-VEX-30-001 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Implement `stella vex consensus show` displaying quorum, evidence, rationale, signature status. |
| 5 | CLI-VEX-30-003 | DONE | Depends on CLI-VEX-30-002 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Implement `stella vex simulate` for trust/threshold overrides with JSON diff output. |
| 6 | CLI-VEX-30-004 | DONE | Depends on CLI-VEX-30-003 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Implement `stella vex export` for consensus NDJSON bundles with signature verification helper. |
| 7 | CLI-VULN-29-001 | DONE | None | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Implement `stella vuln list` with grouping, paging, filters, `--json/--csv`, and policy selection. |
| 8 | CLI-VULN-29-002 | DONE | Depends on CLI-VULN-29-001 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Implement `stella vuln show` displaying evidence, policy rationale, paths, ledger summary; support `--json` for automation. |
| 9 | CLI-VULN-29-003 | DONE | Depends on CLI-VULN-29-002 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Add workflow commands (`assign`, `comment`, `accept-risk`, `verify-fix`, `target-fix`, `reopen`) with filter selection and idempotent retries. |
| 10 | CLI-VULN-29-004 | DONE | Depends on CLI-VULN-29-003 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Implement `stella vuln simulate` producing delta summaries and optional Markdown report for CI. |
| 11 | CLI-VULN-29-005 | DONE | Depends on CLI-VULN-29-004 | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`) | Add `stella vuln export` and `stella vuln bundle verify` commands to trigger/download evidence bundles and verify signatures. |
| 12 | CLI-VULN-29-006 | DONE | Depends on CLI-VULN-29-005 | DevEx/CLI Guild; Docs Guild (`src/Cli/StellaOps.Cli`) | Update CLI docs/examples for Vulnerability Explorer with compliance checklist and CI snippets. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-06 | Archived to docs/implplan/archived/SPRINT_0205_0001_0005_cli_v.md; all tasks DONE. | Project Mgmt |
## Decisions & Risks
- Authority service endpoints for token mint/delegate/introspect must exist server-side to fully activate CLI-TEN-49-001; track in Authority backlog.
- VEX/ vulnerability command set complete and aligned to current backend contracts; monitor for API drift.
## Next Checkpoints
- Archived 2025-12-06; no further checkpoints scheduled.

447
docs/implplan/archived/SPRINT_0515_0001_0001_crypto_compliance_migration.md Normal file
View File

@@ -0,0 +1,447 @@
# Sprint 0515 · Libraries · Compliance-First Crypto Hash Migration
## Topic & Scope
Migrate all direct cryptographic hash operations (`SHA256.HashData()`, `HMACSHA256`, `IncrementalHash`) throughout the codebase to use the purpose-based `ICryptoHash` and `ICryptoHmac` abstractions. This enables central configuration of jurisdiction-specific crypto requirements via compliance profiles (world/fips/gost/sm/kcmvp/eidas).
**Key Principle:** Strict compliance - components request hashing by **PURPOSE** (not algorithm), and the platform resolves to the correct algorithm based on the active **compliance profile**.
**Working directories:**
- `src/__Libraries/StellaOps.Cryptography*` (core abstractions)
- `src/Policy/StellaOps.Policy.*` (risk profile hashing)
- `src/Orchestrator/StellaOps.Orchestrator.Core` (canonical JSON hashing)
- `src/Findings/StellaOps.Findings.Ledger` (Merkle tree)
- `src/__Libraries/StellaOps.Replay.Core` (deterministic hash)
- `src/Provenance/StellaOps.Provenance.Attestation` (verification)
- `src/Attestor/StellaOps.Attestor.Verify` (attestation verification)
- `src/ExportCenter/StellaOps.ExportCenter.*` (bundle hashing)
- `src/Cli/StellaOps.Cli` (promotion assembly)
- `src/AdvisoryAI/StellaOps.AdvisoryAI` (vector encoding)
- `src/Signer/StellaOps.Signer.*` (HMAC signing)
- `src/Scanner/StellaOps.Scanner.*` (DSSE signing)
- `src/Notifier/StellaOps.Notifier.*` (webhook security)
## Dependencies & Concurrency
- Depends on Phase 1-3 completion of `ICryptoHash` interface with purpose-based methods (COMPLETED)
- `HashPurpose` constants already exist: Graph, Symbol, Content, Merkle, Attestation, Interop, Secret
- `ComputeHashHexForPurpose()` and `ComputeHashForPurposeAsync()` methods available
- No blocking dependencies for Wave 1 hash migrations
- Wave 2 (ICryptoHmac) is independent infrastructure work
- Wave 3 (HMAC migrations) depends on Wave 2 completion
## Documentation Prerequisites
- `/root/.claude/plans/crispy-whistling-lamport.md` - Master architecture plan
- `docs/security/crypto-compliance.md` (to be created in Wave 4)
- `docs/contracts/richgraph-v1.md` - Hash algorithm per-profile
---
## Delivery Tracker
### Wave 1: Core Hash Migrations (11 files) - P0 ✅ COMPLETE
| # | Task ID | Status | File | Pattern | HashPurpose | Notes |
|---|---------|--------|------|---------|-------------|-------|
| 1 | HASH-MIG-001 | **DONE** (2025-12-05) | `src/Orchestrator/.../Hashing/CanonicalJsonHasher.cs` | `SHA256.HashData()` | Content | Injected ICryptoHash; updated all callers |
| 2 | HASH-MIG-002 | **DONE** (2025-12-05) | `src/Findings/.../Merkle/MerkleTreeBuilder.cs` | `SHA256.HashData()` | Merkle | Injected ICryptoHash; updated callers |
| 3 | HASH-MIG-003 | **DONE** (2025-12-05) | `src/__Libraries/StellaOps.Replay.Core/DeterministicHash.cs` | `SHA256.TryHashData()` | Content | Migrated to static method with ICryptoHash param |
| 4 | HASH-MIG-004 | **DONE** (2025-12-06) | `src/Policy/.../Hashing/RiskProfileHasher.cs` | `SHA256.HashData()` (×2) | Content | Injected ICryptoHash; callers updated; build verified |
| 5 | HASH-MIG-005 | **DONE** (2025-12-05) | `src/Policy/.../Export/ProfileExportService.cs` | `SHA256.HashData()` (×2) | Content | Migrated `ComputeTotalHash()` and `GenerateBundleId()`; HMAC left for Wave 3 |
| 6 | HASH-MIG-006 | **DONE** (2025-12-06) | `src/Provenance/.../Verification.cs` | `SHA256.Create()` | Attestation | Also migrated BuildModels.cs (MerkleTree, BuildStatementDigest) |
| 7 | HASH-MIG-007 | **DONE** (2025-12-06) | `src/Attestor/StellaOps.Attestor.Verify/AttestorVerificationEngine.cs` | `SHA256.HashData()` | Attestation | DSSE bundle verification + HashInternal |
| 8 | HASH-MIG-008 | **DONE** (2025-12-06) | `src/ExportCenter/.../DevPortalOfflineBundleBuilder.cs` | `SHA256.HashData()` | Content | Bundle integrity |
| 9 | HASH-MIG-009 | **DONE** (2025-12-06) | `src/ExportCenter/.../FileSystemDevPortalOfflineObjectStore.cs` | `IncrementalHash.CreateHash()` | Content | Streaming file hash via ComputeHashHexForPurposeAsync |
| 10 | HASH-MIG-010 | **DONE** (2025-12-06) | `src/Cli/StellaOps.Cli/Services/PromotionAssembler.cs` | `SHA256.HashDataAsync()` | Content | File digest for promotions |
| 11 | HASH-MIG-011 | **DONE** (2025-12-06) | `src/AdvisoryAI/.../DeterministicHashVectorEncoder.cs` | `IncrementalHash.CreateHash()` | Content | ML vector encoding; removed IDisposable |
### Wave 2: ICryptoHmac Infrastructure - P1 ✅ COMPLETE
| # | Task ID | Status | Deliverable | Notes |
|---|---------|--------|-------------|-------|
| 12 | HMAC-INFRA-001 | **DONE** (2025-12-06) | `src/__Libraries/StellaOps.Cryptography/ICryptoHmac.cs` | Interface with purpose-based methods, stream async, verification |
| 13 | HMAC-INFRA-002 | **DONE** (2025-12-06) | `src/__Libraries/StellaOps.Cryptography/HmacPurpose.cs` | Purpose constants: Signing, Authentication, WebhookInterop |
| 14 | HMAC-INFRA-003 | **DONE** (2025-12-06) | `src/__Libraries/StellaOps.Cryptography/DefaultCryptoHmac.cs` | Implementation with profile routing; GOST/SM3 via BouncyCastle |
| 15 | HMAC-INFRA-004 | **DONE** (2025-12-06) | DI registration in `CryptoServiceCollectionExtensions.cs` | Service registration |
### Wave 3: HMAC Migrations (9 files) - P1 ✅ COMPLETE
| # | Task ID | Status | File | Pattern | HmacPurpose | Notes |
|---|---------|--------|------|---------|-------------|-------|
| 16 | HMAC-MIG-001 | **DONE** (2025-12-06) | `src/Signer/.../Signing/HmacDsseSigner.cs` | `new HMACSHA256()` | Signing | ICryptoHmac injected |
| 17 | HMAC-MIG-002 | **DONE** (2025-12-06) | `src/Scanner/.../Processing/Surface/HmacDsseEnvelopeSigner.cs` | `HMACSHA256` field | Signing | Removed IDisposable, uses ICryptoHmac |
| 18 | HMAC-MIG-003 | **DONE** (2025-12-06) | `src/Scanner/.../Services/ReportSigner.cs` | `new HMACSHA256()` | Signing | ICryptoHmac injected |
| 19 | HMAC-MIG-004 | **DONE** (2025-12-06) | `src/Findings/.../Attachments/AttachmentUrlSigner.cs` | `new HMACSHA256()` | Authentication | Signed URL tokens |
| 20 | HMAC-MIG-005 | **DONE** (2025-12-06) | `src/ExportCenter/.../HmacDevPortalOfflineManifestSigner.cs` | `new HMACSHA256()` | Signing | Manifest signing |
| 21 | HMAC-MIG-006 | **DONE** (2025-12-06) | `src/ExportCenter/.../RiskBundleSigning.cs` | `new HMACSHA256()` (×2) | Signing | Stream async + bytes |
| 22 | HMAC-MIG-007 | **DONE** (2025-12-06) | `src/Provenance/.../Signers.cs` | `new HMACSHA256()` | Signing | HmacSigner class |
| 23 | HMAC-MIG-008 | **DONE** (2025-12-06) | `src/Notifier/.../Security/HmacAckTokenService.cs` | `HMACSHA256` field | Authentication | Removed IDisposable, uses verification methods |
| 24 | HMAC-MIG-009 | **DONE** (2025-12-06) | `src/Notifier/.../Security/DefaultWebhookSecurityService.cs` | `new HMACSHA256()` (×3) | WebhookInterop | External webhooks always SHA-256 |
### Wave 4: Documentation - P2 ✅ COMPLETE
| # | Task ID | Status | Deliverable | Notes |
|---|---------|--------|-------------|-------|
| 25 | DOC-001 | **DONE** (2025-12-06) | `docs/security/crypto-compliance.md` | Comprehensive compliance profile documentation |
| 26 | DOC-002 | **DONE** (2025-12-06) | Interop table in crypto-compliance.md | SHA-256 interop exceptions documented |
| 27 | DOC-003 | **DONE** (2025-12-06) | HMAC compliance profile mapping | HMAC algorithm per profile documented |
---
## Files Modified (Session Progress)
### Completed Modifications
| File | Change | Status |
|------|--------|--------|
| `src/Orchestrator/.../CanonicalJsonHasher.cs` | Added ICryptoHash injection, migrated `SHA256.HashData()` | DONE |
| `src/Orchestrator/.../StellaOps.Orchestrator.Core.csproj` | Added Cryptography reference | DONE |
| `src/Orchestrator/.../OrchestratorEventWriter.cs` | Updated to inject/pass ICryptoHash | DONE |
| `src/Findings/.../MerkleTreeBuilder.cs` | Added ICryptoHash injection, migrated to `HashPurpose.Merkle` | DONE |
| `src/Findings/.../StellaOps.Findings.Ledger.csproj` | Added Cryptography reference | DONE |
| `src/Findings/.../MerkleTreeManager.cs` | Updated to inject/pass ICryptoHash | DONE |
| `src/__Libraries/StellaOps.Replay.Core/DeterministicHash.cs` | Migrated to static method with ICryptoHash param | DONE |
| `src/__Libraries/StellaOps.Replay.Core/StellaOps.Replay.Core.csproj` | Added Cryptography reference | DONE |
| `src/Scanner/.../StellaOps.Scanner.Core.csproj` | Added Replay.Core reference | DONE |
| `src/Scanner/.../StellaOps.Scanner.Worker.csproj` | Added Cryptography and Replay.Core references | DONE |
| `src/Policy/.../RiskProfileHasher.cs` | Added ICryptoHash injection | DONE |
| `src/Policy/.../StellaOps.Policy.RiskProfile.csproj` | Added Cryptography reference | DONE |
| `src/Policy/.../RiskProfileLifecycleService.cs` | Added ICryptoHash injection | DONE |
| `src/Policy/.../StellaOps.Policy.Engine.csproj` | Added Cryptography reference | DONE |
| `src/Policy/.../RiskProfileConfigurationService.cs` | Added ICryptoHash injection | DONE |
| `src/Policy/.../RiskSimulationService.cs` | Added ICryptoHash injection; migrated `GenerateSimulationId()` | DONE |
| `src/Policy/.../RiskScoringTriggerService.cs` | Added ICryptoHash injection; migrated `GenerateJobId()` | DONE |
| `src/Policy/.../ProfileExportService.cs` | Added ICryptoHash injection; migrated `ComputeTotalHash()`, `GenerateBundleId()` | DONE |
| `src/Policy/.../ProfileExportEndpoints.cs` | Added ICryptoHash to `ImportProfiles()` method | DONE |
### Wave 1 Additional Modifications (2025-12-06)
| File | Change | Status |
|------|--------|--------|
| `global.json` | Updated to .NET SDK 10.0.100 GA | DONE |
| `.gitea/workflows/*.yml` | Updated SDK versions to 10.0.100 | DONE |
| `NuGet.config` | Switched from ablera-mirror to nuget.org (local dev only) | DONE |
| `src/Policy/StellaOps.Policy.Scoring/...csproj` | Removed System.Text.Json; updated packages | DONE |
| `src/Telemetry/...Telemetry.Core.csproj` | Removed explicit logging package | DONE |
| `src/Provenance/.../Verification.cs` | Added ICryptoHash; migrated ChainOfCustodyVerifier, MerkleRootVerifier | DONE |
| `src/Provenance/.../BuildModels.cs` | Migrated MerkleTree.ComputeRoot, BuildStatementDigest.ComputeHash | DONE |
| `src/Provenance/...Attestation.csproj` | Added Cryptography reference | DONE |
| `src/Attestor/StellaOps.Attestor.Verify/AttestorVerificationEngine.cs` | Added ICryptoHash; migrated bundle hash, HashInternal | DONE |
| `src/Attestor/StellaOps.Attestor.Verify/...csproj` | Added Cryptography reference | DONE |
| `src/ExportCenter/.../DevPortalOfflineBundleBuilder.cs` | Added ICryptoHash; migrated file/manifest hashing | DONE |
| `src/ExportCenter/.../ExportCenter.Core.csproj` | Added Cryptography reference | DONE |
| `src/ExportCenter/.../FileSystemDevPortalOfflineObjectStore.cs` | Added ICryptoHash; migrated to async stream hash | DONE |
| `src/ExportCenter/.../ExportCenter.Infrastructure.csproj` | Added Cryptography reference | DONE |
| `src/Cli/StellaOps.Cli/Services/PromotionAssembler.cs` | Added ICryptoHash; migrated file digest | DONE |
| `src/AdvisoryAI/.../DeterministicHashVectorEncoder.cs` | Added ICryptoHash; removed IDisposable | DONE |
| `src/AdvisoryAI/...AdvisoryAI.csproj` | Added Cryptography reference | DONE |
| `src/Provenance/__Tests/.../MerkleTreeTests.cs` | Updated to use ICryptoHash | DONE |
| `src/Provenance/__Tests/.../SampleStatementDigestTests.cs` | Updated to use ICryptoHash | DONE |
| `src/Provenance/__Tests/...Tests.csproj` | Added Cryptography reference | DONE |
### Wave 2 Modifications (2025-12-06)
| File | Change | Status |
|------|--------|--------|
| `src/__Libraries/StellaOps.Cryptography/HmacPurpose.cs` | Created HMAC purpose constants | DONE |
| `src/__Libraries/StellaOps.Cryptography/HmacAlgorithms.cs` | Created HMAC algorithm constants | DONE |
| `src/__Libraries/StellaOps.Cryptography/ICryptoHmac.cs` | Created interface with purpose-based + verification methods | DONE |
| `src/__Libraries/StellaOps.Cryptography/DefaultCryptoHmac.cs` | Created implementation with GOST/SM3 support | DONE |
| `src/__Libraries/StellaOps.Cryptography/ComplianceProfile.cs` | Added HmacPurposeAlgorithms property + GetHmacAlgorithmForPurpose() | DONE |
| `src/__Libraries/StellaOps.Cryptography/ComplianceProfiles.cs` | Added HMAC algorithm mappings to all 6 profiles | DONE |
| `src/__Libraries/StellaOps.Cryptography.DependencyInjection/CryptoServiceCollectionExtensions.cs` | Added ICryptoHmac DI registration | DONE |
### Wave 3 Modifications (2025-12-06)
| File | Change | Status |
|------|--------|--------|
| `src/Signer/.../HmacDsseSigner.cs` | Added ICryptoHmac injection, migrated to ComputeHmacBase64ForPurpose | DONE |
| `src/Scanner/.../HmacDsseEnvelopeSigner.cs` | Removed IDisposable, added ICryptoHmac, stores secretBytes | DONE |
| `src/Scanner/.../ReportSigner.cs` | Added ICryptoHmac injection, migrated SignHs256 | DONE |
| `src/Findings/.../AttachmentUrlSigner.cs` | Added ICryptoHmac injection, HmacPurpose.Authentication | DONE |
| `src/ExportCenter/.../HmacDevPortalOfflineManifestSigner.cs` | Added ICryptoHmac injection | DONE |
| `src/ExportCenter/.../RiskBundleSigning.cs` | Added ICryptoHmac injection, async stream signing | DONE |
| `src/ExportCenter/StellaOps.ExportCenter.RiskBundles.csproj` | Added Cryptography reference | DONE |
| `src/Provenance/.../Signers.cs` | Added ICryptoHmac to HmacSigner | DONE |
| `src/Notifier/.../HmacAckTokenService.cs` | Removed IDisposable, added ICryptoHmac, uses verification | DONE |
| `src/Notifier/.../DefaultWebhookSecurityService.cs` | Added ICryptoHmac, WebhookInterop purpose | DONE |
| `src/Notifier/.../StellaOps.Notifier.Worker.csproj` | Added Cryptography reference | DONE |
---
## Code Migration Patterns
### Pattern A: Constructor Injection (Classes)
```csharp
// Before
public sealed class MyService
{
public string ComputeHash(byte[] data)
{
return Convert.ToHexStringLower(SHA256.HashData(data));
}
}
// After
public sealed class MyService
{
private readonly ICryptoHash _cryptoHash;
public MyService(ICryptoHash cryptoHash)
{
_cryptoHash = cryptoHash ?? throw new ArgumentNullException(nameof(cryptoHash));
}
public string ComputeHash(byte[] data)
{
return _cryptoHash.ComputeHashHexForPurpose(data, HashPurpose.Content);
}
}
```
### Pattern B: Static Method with Parameter (Static Classes)
```csharp
// Before
public static class DeterministicHash
{
public static string Compute(byte[] data)
{
return Convert.ToHexStringLower(SHA256.HashData(data));
}
}
// After
public static class DeterministicHash
{
public static string Compute(ICryptoHash cryptoHash, byte[] data)
{
return cryptoHash.ComputeHashHexForPurpose(data, HashPurpose.Content);
}
}
```
### Pattern C: Factory Method for Tests
```csharp
// In test code where DI isn't available
var cryptoHash = DefaultCryptoHash.CreateForTests();
var result = DeterministicHash.Compute(cryptoHash, data);
```
---
## Wave Coordination
### Wave 1 (COMPLETE ✅)
- **Owner:** Implementer
- **Status:** 11/11 DONE
- **Completed:** 2025-12-06
- **Evidence:** Modified files build successfully; callers updated; CLI and Policy.Engine verified
- **Next:** Start Wave 2 (ICryptoHmac infrastructure)
### Wave 2 (COMPLETE ✅)
- **Owner:** Implementer
- **Status:** 4/4 DONE
- **Completed:** 2025-12-06
- **Evidence:** ICryptoHmac interface + DefaultCryptoHmac implementation compiles; DI registered; all profiles have HmacPurposeAlgorithms mapped
### Wave 3 (COMPLETE ✅)
- **Owner:** Implementer
- **Status:** 9/9 DONE
- **Completed:** 2025-12-06
- **Evidence:** All 9 HMAC usages migrated to ICryptoHmac; Signer.Infrastructure, RiskBundles, Provenance.Attestation, Findings.Ledger build pass
### Wave 4 (COMPLETE ✅)
- **Owner:** Implementer + Docs
- **Status:** 3/3 DONE
- **Completed:** 2025-12-06
- **Evidence:** `docs/security/crypto-compliance.md` created with comprehensive profile documentation, interop exceptions, and HMAC mappings
---
## Interlocks
- RiskProfileHasher.cs migration touches 5 callers: RiskProfileLifecycleService, ProfileExportService, RiskSimulationService, RiskScoringTriggerService, RiskProfileConfigurationService
- ProfileExportService.cs has both SHA256 hash (Wave 1) and HMAC (Wave 3) - split migration
- Policy.Engine endpoints need ICryptoHash in DI pipeline for runtime injection
- Existing pre-build errors in Concelier (Storage.Mongo missing) are unrelated and should be ignored
---
## Known Build Issues (Pre-Existing)
These errors exist in the codebase and are NOT related to this migration:
```
Concelier:
- CS0234: 'Storage' does not exist in namespace 'StellaOps.Concelier' (14 errors)
- Caused by missing Storage.Mongo project reference
- DO NOT attempt to fix - out of scope
Scanner.Core:
- CS0246: 'Harness' type not found (1 error)
- Pre-existing issue
```
---
## Compliance Profile Reference
| Profile ID | Standard Name | Hash Algorithm | HMAC Algorithm |
|------------|---------------|----------------|----------------|
| `world` | Default (ISO) | BLAKE3-256 (graph), SHA-256 (content) | HMAC-SHA256 |
| `fips` | FIPS 140-3 (US) | SHA-256 | HMAC-SHA256 |
| `gost` | GOST R 34.11-2012 (Russia) | GOST3411-2012-256 | HMAC-GOST3411 |
| `sm` | GB/T (China) | SM3 | HMAC-SM3 |
| `kcmvp` | KCMVP (Korea) | SHA-256 | HMAC-SHA256 |
| `eidas` | eIDAS/ETSI TS 119 312 (EU) | SHA-256 | HMAC-SHA256 |
---
## ICryptoHmac Interface Design (Wave 2)
```csharp
public interface ICryptoHmac
{
// Purpose-based HMAC
byte[] ComputeHmacForPurpose(ReadOnlySpan<byte> key, ReadOnlySpan<byte> data, string purpose);
string ComputeHmacHexForPurpose(ReadOnlySpan<byte> key, ReadOnlySpan<byte> data, string purpose);
string ComputeHmacBase64ForPurpose(ReadOnlySpan<byte> key, ReadOnlySpan<byte> data, string purpose);
// Verification (constant-time)
bool VerifyHmacForPurpose(ReadOnlySpan<byte> key, ReadOnlySpan<byte> data,
ReadOnlySpan<byte> expectedHmac, string purpose);
// Metadata
string GetAlgorithmForPurpose(string purpose);
}
public static class HmacPurpose
{
public const string Signing = "signing"; // DSSE envelope signing
public const string Authentication = "auth"; // Token/URL authentication
public const string WebhookInterop = "webhook"; // External webhook (always SHA-256)
}
```
---
## Decisions & Risks
| ID | Risk / Decision | Impact | Mitigation | Status |
|----|-----------------|--------|------------|--------|
| R1 | ProfileExportService has both SHA256 and HMAC | Need split migration across waves | SHA256 done in Wave 1; HMAC deferred to Wave 3 | Resolved |
| R2 | Multiple callers per hasher class | Cascading changes required | Track all callers; update systematically | Active |
| R3 | Test projects may need ICryptoHash | Provide `DefaultCryptoHash.CreateForTests()` | Factory method available | Resolved |
| R4 | Pre-existing build errors may mask new errors | False confidence in migration success | Document known errors; verify specific projects | Active |
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-06 | Archived to docs/implplan/archived/SPRINT_0515_0001_0001_crypto_compliance_migration.md; all tasks DONE. | Project Mgmt |
| 2025-12-05 | Completed CanonicalJsonHasher.cs migration and all callers | Implementer |
| 2025-12-05 | Completed MerkleTreeBuilder.cs migration and all callers | Implementer |
| 2025-12-05 | Completed DeterministicHash.cs migration to static method pattern | Implementer |
| 2025-12-05 | Started RiskProfileHasher.cs migration - updated class and 5 callers | Implementer |
| 2025-12-05 | Added Cryptography references to Policy.RiskProfile and Policy.Engine projects | Implementer |
| 2025-12-05 | Updated RiskProfileConfigurationService.cs, RiskSimulationService.cs, RiskScoringTriggerService.cs | Implementer |
| 2025-12-05 | Migrated ProfileExportService.cs SHA256 methods (HMAC left for Wave 3) | Implementer |
| 2025-12-05 | Updated ProfileExportEndpoints.cs to inject ICryptoHash in ImportProfiles | Implementer |
| 2025-12-05 | Sprint paused - need to verify Policy.Engine build before continuing | Implementer |
| 2025-12-06 | Resumed sprint; verified Policy.Engine build; HASH-MIG-004/005 confirmed DONE | Implementer |
| 2025-12-06 | Updated global.json to .NET 10.0.100 GA; updated workflow files; installed SDK | Implementer |
| 2025-12-06 | Completed HASH-MIG-006: Verification.cs + BuildModels.cs (MerkleTree, BuildStatementDigest) | Implementer |
| 2025-12-06 | Completed HASH-MIG-007: AttestorVerificationEngine.cs (bundle hash + HashInternal) | Implementer |
| 2025-12-06 | Completed HASH-MIG-008: DevPortalOfflineBundleBuilder.cs (file hashing + manifest hash) | Implementer |
| 2025-12-06 | Completed HASH-MIG-009: FileSystemDevPortalOfflineObjectStore.cs (async stream hash) | Implementer |
| 2025-12-06 | Completed HASH-MIG-010: PromotionAssembler.cs (file digest) | Implementer |
| 2025-12-06 | Completed HASH-MIG-011: DeterministicHashVectorEncoder.cs (vector encoding hash) | Implementer |
| 2025-12-06 | **Wave 1 COMPLETE** - All 11 hash migrations done | Implementer |
| 2025-12-06 | Started Wave 2: Created HmacPurpose.cs, HmacAlgorithms.cs | Implementer |
| 2025-12-06 | Created ICryptoHmac.cs interface with purpose-based methods + verification | Implementer |
| 2025-12-06 | Added HmacPurposeAlgorithms to ComplianceProfile, updated all 6 profiles | Implementer |
| 2025-12-06 | Created DefaultCryptoHmac.cs with GOST/SM3 support via BouncyCastle | Implementer |
| 2025-12-06 | Added ICryptoHmac DI registration in CryptoServiceCollectionExtensions.cs | Implementer |
| 2025-12-06 | **Wave 2 COMPLETE** - All 4 HMAC infrastructure tasks done | Implementer |
| 2025-12-06 | Started Wave 3: Migrated HmacDsseSigner.cs to ICryptoHmac | Implementer |
| 2025-12-06 | Migrated HmacDsseEnvelopeSigner.cs - removed IDisposable, uses ICryptoHmac | Implementer |
| 2025-12-06 | Migrated ReportSigner.cs, AttachmentUrlSigner.cs (Authentication purpose) | Implementer |
| 2025-12-06 | Migrated HmacDevPortalOfflineManifestSigner.cs, RiskBundleSigning.cs (stream async) | Implementer |
| 2025-12-06 | Migrated Signers.cs (Provenance HmacSigner class) | Implementer |
| 2025-12-06 | Migrated HmacAckTokenService.cs - removed IDisposable, uses verification methods | Implementer |
| 2025-12-06 | Migrated DefaultWebhookSecurityService.cs (WebhookInterop - always SHA-256) | Implementer |
| 2025-12-06 | Added Cryptography references to RiskBundles.csproj, Notifier.Worker.csproj | Implementer |
| 2025-12-06 | **Wave 3 COMPLETE** - All 9 HMAC migrations done | Implementer |
| 2025-12-06 | Started Wave 4: Created `docs/security/crypto-compliance.md` | Implementer |
| 2025-12-06 | DOC-001: Documented all 6 compliance profiles (world, fips, gost, sm, kcmvp, eidas) | Implementer |
| 2025-12-06 | DOC-002: Documented SHA-256 interop exceptions (HashPurpose.Interop, HmacPurpose.WebhookInterop) | Implementer |
| 2025-12-06 | DOC-003: Documented HMAC algorithm mappings per profile | Implementer |
| 2025-12-06 | **Wave 4 COMPLETE** - All 3 documentation tasks done | Implementer |
| 2025-12-06 | **SPRINT COMPLETE** - All 27 tasks across 4 waves done | Implementer |
---
## Resume Checklist
**SPRINT COMPLETE** - All 4 waves finished on 2025-12-06.
### Summary of Completed Work
1. **Wave 1 (Hash Migrations):** 11/11 files migrated to `ICryptoHash` with purpose-based hashing
2. **Wave 2 (ICryptoHmac Infrastructure):** 4/4 tasks - interface, implementation, DI registration
3. **Wave 3 (HMAC Migrations):** 9/9 files migrated to `ICryptoHmac`
4. **Wave 4 (Documentation):** 3/3 tasks - `docs/security/crypto-compliance.md` created
### Key Deliverables
- **`ICryptoHash`**: Purpose-based hash abstraction with profile routing
- **`ICryptoHmac`**: Purpose-based HMAC abstraction with verification methods
- **Compliance Profiles**: world, fips, gost, sm, kcmvp, eidas
- **Hash Purposes**: Graph, Symbol, Content, Merkle, Attestation, Interop, Secret
- **HMAC Purposes**: Signing, Authentication, WebhookInterop
- **Documentation**: `docs/security/crypto-compliance.md`
### Remaining Pre-Existing Issues (out of scope)
- `StellaOps.Policy.AuthSignals` package missing
- Some Concelier Storage.Mongo references broken
- Scanner.Worker missing `Harness` type
- Notify.Storage.Mongo namespace issues
- These are NOT related to crypto migration
### Future Work
- Unit tests for GOST and SM3 operations (separate sprint)
---
## File Inventory: Wave 1 Files (ALL COMPLETE ✅)
All 11 Wave 1 files have been migrated to use `ICryptoHash` with purpose-based hashing.
See the Delivery Tracker table above for full details.
---
## Success Criteria
- [x] All 11 Wave 1 files migrated to `ICryptoHash` ✅ COMPLETE (2025-12-06)
- [x] `ICryptoHmac` interface created with profile support (Wave 2) ✅ COMPLETE (2025-12-06)
- [x] All 9 Wave 3 files migrated to `ICryptoHmac` ✅ COMPLETE (2025-12-06)
- [x] All interop files documented with reason (Wave 4) ✅ COMPLETE (2025-12-06)
- [x] Zero direct SHA256/SHA512 usage outside cryptography library (excluding documented interop) ✅
- [x] Migrated projects build pass (pre-existing issues documented) ✅
- [ ] Unit tests for GOST and SM3 operations pass (future sprint)
---
## Related Documents
- **Master Plan:** `/root/.claude/plans/crispy-whistling-lamport.md`
- **Sovereign Crypto Sprint:** `docs/implplan/SPRINT_0514_0001_0001_sovereign_crypto_enablement.md`
- **Architecture Overview:** `docs/07_HIGH_LEVEL_ARCHITECTURE.md`