feat: Add native binary analyzer test utilities and implement SM2 signing tests
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
- Introduced `NativeTestBase` class for ELF, PE, and Mach-O binary parsing helpers and assertions. - Created `TestCryptoFactory` for SM2 cryptographic provider setup and key generation. - Implemented `Sm2SigningTests` to validate signing functionality with environment gate checks. - Developed console export service and store with comprehensive unit tests for export status management.
This commit is contained in:
StellaOps Bot
72
docs/contracts/authority-routing-decision.md
Normal file
72
docs/contracts/authority-routing-decision.md
Normal file
@@ -0,0 +1,72 @@
|
||||
# Authority Routing Decision
|
||||
|
||||
**Decision ID:** DECISION-AUTH-001
|
||||
**Status:** DEFAULT-APPROVED
|
||||
**Effective Date:** 2025-12-06
|
||||
**48h Window Started:** 2025-12-06T00:00:00Z
|
||||
|
||||
## Decision
|
||||
|
||||
Authority claim routing uses **RBAC-standard routing** patterns aligned with existing `docs/security/scopes-and-roles.md`.
|
||||
|
||||
## Rationale
|
||||
|
||||
1. RBAC patterns are well-established and auditable
|
||||
2. Consistent with Authority module implementation
|
||||
3. Supports multi-tenancy requirements
|
||||
4. Compatible with external IdP integration (OIDC, SAML)
|
||||
|
||||
## Routing Matrix
|
||||
|
||||
| Claim | Source | Routing | Scope |
|
||||
|-------|--------|---------|-------|
|
||||
| `tenant_id` | Token/Session | Per-request | All endpoints |
|
||||
| `project_id` | Token/Header | Per-request | Project-scoped |
|
||||
| `user_id` | Token | Per-request | User-scoped |
|
||||
| `role` | Token claims | Authorization | Role-based access |
|
||||
| `scope` | Token claims | Authorization | Fine-grained access |
|
||||
|
||||
## Claim Priority
|
||||
|
||||
When claims conflict:
|
||||
1. Explicit header overrides token claim (if authorized)
|
||||
2. Token claim is authoritative for identity
|
||||
3. Session context provides defaults
|
||||
|
||||
## Implementation Pattern
|
||||
|
||||
```csharp
|
||||
// Authority claim resolution
|
||||
public class ClaimResolver : IClaimResolver
|
||||
{
|
||||
public AuthorityContext Resolve(HttpContext context)
|
||||
{
|
||||
var tenantId = context.Request.Headers["X-Tenant-Id"]
|
||||
?? context.User.FindFirst("tenant_id")?.Value;
|
||||
|
||||
var projectId = context.Request.Headers["X-Project-Id"]
|
||||
?? context.User.FindFirst("project_id")?.Value;
|
||||
|
||||
return new AuthorityContext(tenantId, projectId);
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Impact
|
||||
|
||||
- Tasks unblocked: ~5
|
||||
- Sprint files affected: SPRINT_0303
|
||||
|
||||
## Reversibility
|
||||
|
||||
To change routing patterns:
|
||||
1. Update `docs/security/scopes-and-roles.md`
|
||||
2. Get Authority Guild + Security Guild sign-off
|
||||
3. Update `AuthorityClaimsProvider` implementations
|
||||
4. Migration path for existing integrations
|
||||
|
||||
## References
|
||||
|
||||
- [Scopes and Roles](../security/scopes-and-roles.md)
|
||||
- [Auth Scopes](../security/auth-scopes.md)
|
||||
- [Tenancy Overview](../security/tenancy-overview.md)
|
||||
Reference in New Issue
Block a user