docs re-org, audit fixes, build fixes

StellaOps Bot
2026-01-05 09:35:33 +02:00
parent eca4e964d3
commit dfab8a29c3
173 changed files with 1276 additions and 560 deletions


@@ -26,10 +26,12 @@ internal sealed class ForensicVerifier : IForensicVerifier
};
private readonly ILogger<ForensicVerifier> _logger;
private readonly TimeProvider _timeProvider;
public ForensicVerifier(ILogger<ForensicVerifier> logger)
public ForensicVerifier(ILogger<ForensicVerifier> logger, TimeProvider? timeProvider = null)
{
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_timeProvider = timeProvider ?? TimeProvider.System;
}
public async Task<ForensicVerificationResult> VerifyBundleAsync(
@@ -42,7 +44,7 @@ internal sealed class ForensicVerifier : IForensicVerifier
var errors = new List<ForensicVerificationError>();
var warnings = new List<string>();
var verifiedAt = DateTimeOffset.UtcNow;
var verifiedAt = _timeProvider.GetUtcNow();
_logger.LogDebug("Verifying forensic bundle at {BundlePath}", bundlePath);
@@ -440,7 +442,7 @@ internal sealed class ForensicVerifier : IForensicVerifier
matchingRoot.PublicKey);
// Check time validity
var now = DateTimeOffset.UtcNow;
var now = _timeProvider.GetUtcNow();
var timeValid = (!matchingRoot.NotBefore.HasValue || now >= matchingRoot.NotBefore.Value) &&
(!matchingRoot.NotAfter.HasValue || now <= matchingRoot.NotAfter.Value);
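Review bot: The trust-root validity window in the third hunk (`now >= matchingRoot.NotBefore.Value`, `now <= matchingRoot.NotAfter.Value`) is now decided by a caller-supplied clock, and the new optional `timeProvider` constructor parameter has no documentation saying so. Because the parameter defaults to `null`, a container that already has a `TimeProvider` registered (a fixed or test clock, say) would presumably be picked up with no call-site change, which shifts which roots count as in-date. I would add an XML doc line on the constructor such as `/// <param name="timeProvider">Clock used for verifiedAt and for the trust-root NotBefore/NotAfter check; defaults to TimeProvider.System and should only be replaced in tests.</param>`, and cover both window boundaries with a fixed-clock test. Separately, `verifiedAt` in the second hunk and `now` here are two independent clock reads, so the reported verification time need not be the instant the validity decision used. The enclosing methods start and end outside the hunks, so whether `verifiedAt` can simply be passed down is not visible here.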


@@ -17,17 +17,20 @@ public sealed class ImageAttestationVerifier : IImageAttestationVerifier
private readonly ITrustPolicyLoader _trustPolicyLoader;
private readonly IDsseSignatureVerifier _dsseVerifier;
private readonly ILogger<ImageAttestationVerifier> _logger;
private readonly TimeProvider _timeProvider;
public ImageAttestationVerifier(
IOciRegistryClient registryClient,
ITrustPolicyLoader trustPolicyLoader,
IDsseSignatureVerifier dsseVerifier,
ILogger<ImageAttestationVerifier> logger)
ILogger<ImageAttestationVerifier> logger,
TimeProvider? timeProvider = null)
{
_registryClient = registryClient ?? throw new ArgumentNullException(nameof(registryClient));
_trustPolicyLoader = trustPolicyLoader ?? throw new ArgumentNullException(nameof(trustPolicyLoader));
_dsseVerifier = dsseVerifier ?? throw new ArgumentNullException(nameof(dsseVerifier));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_timeProvider = timeProvider ?? TimeProvider.System;
}
public async Task<ImageVerificationResult> VerifyAsync(
@@ -51,7 +54,7 @@ public sealed class ImageAttestationVerifier : IImageAttestationVerifier
ImageDigest = digest,
Registry = reference.Registry,
Repository = reference.Repository,
VerifiedAt = DateTimeOffset.UtcNow
VerifiedAt = _timeProvider.GetUtcNow()
};
OciReferrersResponse referrers;
@@ -191,7 +194,7 @@ public sealed class ImageAttestationVerifier : IImageAttestationVerifier
Digest = candidate.Digest,
SignerIdentity = verification.KeyId,
Message = verification.Error ?? "Signature verification failed",
VerifiedAt = DateTimeOffset.UtcNow
VerifiedAt = _timeProvider.GetUtcNow()
};
}
@@ -206,7 +209,7 @@ public sealed class ImageAttestationVerifier : IImageAttestationVerifier
Digest = candidate.Digest,
SignerIdentity = signerKeyId,
Message = "Signer not allowed by trust policy",
VerifiedAt = DateTimeOffset.UtcNow
VerifiedAt = _timeProvider.GetUtcNow()
};
}
@@ -220,14 +223,14 @@ public sealed class ImageAttestationVerifier : IImageAttestationVerifier
Digest = candidate.Digest,
SignerIdentity = signerKeyId,
Message = "Rekor receipt missing",
VerifiedAt = DateTimeOffset.UtcNow
VerifiedAt = _timeProvider.GetUtcNow()
};
}
if (policy.MaxAge.HasValue)
{
var created = GetCreatedAt(candidate);
if (created.HasValue && DateTimeOffset.UtcNow - created.Value > policy.MaxAge.Value)
if (created.HasValue && _timeProvider.GetUtcNow() - created.Value > policy.MaxAge.Value)
{
return new AttestationVerification
{
@@ -237,7 +240,7 @@ public sealed class ImageAttestationVerifier : IImageAttestationVerifier
Digest = candidate.Digest,
SignerIdentity = signerKeyId,
Message = "Attestation exceeded max age",
VerifiedAt = DateTimeOffset.UtcNow
VerifiedAt = _timeProvider.GetUtcNow()
};
}
}
@@ -250,7 +253,7 @@ public sealed class ImageAttestationVerifier : IImageAttestationVerifier
Digest = candidate.Digest,
SignerIdentity = signerKeyId,
Message = "Signature valid",
VerifiedAt = DateTimeOffset.UtcNow
VerifiedAt = _timeProvider.GetUtcNow()
};
}
catch (Exception ex)
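Review bot: The max-age check in the `@@ -220,14 +223,14 @@` hunk fails open: `created.HasValue && _timeProvider.GetUtcNow() - created.Value > policy.MaxAge.Value` is skipped when `GetCreatedAt(candidate)` returns null, and a `created` value in the future gives a negative age that also passes. `GetCreatedAt` is not visible here, so confirm whether that timestamp comes from signed content. If it can be absent or is set by whoever publishes the attestation, a policy with `MaxAge` set should reject rather than accept, e.g. `if (!created.HasValue || now < created.Value || now - created.Value > policy.MaxAge.Value)`, with a small skew tolerance if needed and a message that distinguishes a missing or future timestamp from an expired one. It would also help to read the clock once per candidate (`var now = _timeProvider.GetUtcNow();`) and use that value for the age comparison and every `VerifiedAt`, so the recorded time is the one the freshness decision was made against. The enclosing method starts and ends outside these hunks.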