feat: Add native binary analyzer test utilities and implement SM2 signing tests
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
- Introduced `NativeTestBase` class for ELF, PE, and Mach-O binary parsing helpers and assertions. - Created `TestCryptoFactory` for SM2 cryptographic provider setup and key generation. - Implemented `Sm2SigningTests` to validate signing functionality with environment gate checks. - Developed console export service and store with comprehensive unit tests for export status management.
This commit is contained in:
StellaOps Bot
67
docs/contracts/redaction-defaults-decision.md
Normal file
67
docs/contracts/redaction-defaults-decision.md
Normal file
@@ -0,0 +1,67 @@
|
||||
# Redaction Defaults Decision
|
||||
|
||||
**Decision ID:** DECISION-SECURITY-001
|
||||
**Status:** DEFAULT-APPROVED
|
||||
**Effective Date:** 2025-12-06
|
||||
**48h Window Started:** 2025-12-06T00:00:00Z
|
||||
|
||||
## Decision
|
||||
|
||||
Notification and export pipelines use **restrictive redaction defaults** that redact PII, secrets, and cryptographic keys.
|
||||
|
||||
## Rationale
|
||||
|
||||
1. Security-first approach minimizes data exposure risk
|
||||
2. Users can opt-in to less restrictive settings via configuration
|
||||
3. Aligns with GDPR and data minimization principles
|
||||
4. Consistent with existing Evidence Locker redaction patterns
|
||||
|
||||
## Default Redaction Rules
|
||||
|
||||
### Always Redacted (HIGH)
|
||||
- Private keys (RSA, ECDSA, Ed25519)
|
||||
- API keys and tokens
|
||||
- Passwords and secrets
|
||||
- Database connection strings
|
||||
- JWT tokens
|
||||
|
||||
### Redacted by Default (MEDIUM) - Opt-out available
|
||||
- Email addresses
|
||||
- IP addresses (external)
|
||||
- File paths containing usernames
|
||||
- Environment variable values (not names)
|
||||
|
||||
### Not Redacted (LOW)
|
||||
- Package names and versions
|
||||
- CVE identifiers
|
||||
- Severity scores
|
||||
- Public key fingerprints
|
||||
|
||||
## Configuration
|
||||
|
||||
```yaml
|
||||
# etc/notify.yaml
|
||||
redaction:
|
||||
level: restrictive # Options: permissive, standard, restrictive
|
||||
custom_patterns:
|
||||
- pattern: "INTERNAL_.*"
|
||||
action: redact
|
||||
```
|
||||
|
||||
## Impact
|
||||
|
||||
- Tasks unblocked: ~5
|
||||
- Sprint files affected: SPRINT_0170, SPRINT_0171
|
||||
|
||||
## Reversibility
|
||||
|
||||
To change redaction defaults:
|
||||
1. Update `docs/security/redaction-and-privacy.md`
|
||||
2. Get Security Guild sign-off
|
||||
3. Update configuration schemas
|
||||
4. Ensure backward compatibility
|
||||
|
||||
## References
|
||||
|
||||
- [Redaction and Privacy](../security/redaction-and-privacy.md)
|
||||
- [SPRINT_0170 Notifications](../implplan/SPRINT_0170_0001_0001_notifications_telemetry.md)
|
||||
Reference in New Issue
Block a user