Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
@@ -73,7 +73,7 @@
|
||||
## Rebaseline Restart (2026-01-08)
|
||||
- Tracker resequenced to current 850 csproj inventory; audits restart linearly from DevOps services.
|
||||
- New findings are recorded under "Findings (Rebaseline 2026-01-08 restart)" until the pass completes.
|
||||
- Revalidated AUDIT-0001 to AUDIT-0103 (SimCryptoService, SimCryptoSmoke, CryptoProLinuxApi, NuGet prime v10/v9, SDK templates, Excititor connector template, Router doc samples + tests, Determinism analyzers/tests, AuditPack tests, Auth.Security tests, Canonicalization tests, Configuration tests, Cryptography.Kms tests, OfflineVerification plugin tests, Cryptography tests, DeltaVerdict tests, Eventing tests, Evidence.Persistence tests, Evidence tests, HybridLogicalClock tests, Infrastructure.Postgres tests, Metrics tests, Microservice.AspNetCore tests, Plugin tests, Provcache tests, Provenance tests, ReachGraph tests, Replay.Core tests, Replay tests, Signals tests, Spdx3 tests, Testing.Determinism tests, Testing.Manifests tests, TestKit tests, VersionComparison tests, Audit.ReplayToken, AuditPack, Auth.Security, Canonical.Json tests, Canonical.Json, Canonicalization, Configuration, Cryptography.DependencyInjection, Cryptography.Kms, Cryptography.Plugin.BouncyCastle, Cryptography.Plugin.CryptoPro, GostCryptography third-party library/tests, Cryptography.Plugin.EIDAS.Tests, Cryptography.Plugin.EIDAS, Cryptography.Plugin.OfflineVerification, Cryptography.Plugin.OpenSslGost, Cryptography.Plugin.Pkcs11Gost, Cryptography.Plugin.PqSoft, Cryptography.Plugin.SimRemote, Cryptography.Plugin.SmRemote.Tests, Cryptography.Plugin.SmRemote, Cryptography.Plugin.SmSoft.Tests, Cryptography.Plugin.SmSoft, Cryptography.Plugin.WineCsp, Cryptography.PluginLoader.Tests, Cryptography.PluginLoader, Cryptography.Providers.OfflineVerification, Cryptography.Tests (libraries), Cryptography (library), DeltaVerdict, DependencyInjection, Determinism.Abstractions, DistroIntel, Eventing, Evidence.Bundle, Evidence.Core.Tests, Evidence.Core, Evidence.Persistence, Evidence, Facet.Tests, Facet, HybridLogicalClock Benchmarks, HybridLogicalClock Tests, HybridLogicalClock, Infrastructure.EfCore, Infrastructure.Postgres, Ingestion.Telemetry, StellaOps.Interop, IssuerDirectory.Client, StellaOps.Metrics, 
Orchestrator.Schemas, StellaOps.Plugin, StellaOps.Policy.Tools, PolicyAuthoritySignals.Contracts, Provcache, Provcache.Api, Provcache.Postgres, Provcache.Valkey, Provenance, ReachGraph.Cache).
|
||||
- Revalidated AUDIT-0001 to AUDIT-0104 (SimCryptoService, SimCryptoSmoke, CryptoProLinuxApi, NuGet prime v10/v9, SDK templates, Excititor connector template, Router doc samples + tests, Determinism analyzers/tests, AuditPack tests, Auth.Security tests, Canonicalization tests, Configuration tests, Cryptography.Kms tests, OfflineVerification plugin tests, Cryptography tests, DeltaVerdict tests, Eventing tests, Evidence.Persistence tests, Evidence tests, HybridLogicalClock tests, Infrastructure.Postgres tests, Metrics tests, Microservice.AspNetCore tests, Plugin tests, Provcache tests, Provenance tests, ReachGraph tests, Replay.Core tests, Replay tests, Signals tests, Spdx3 tests, Testing.Determinism tests, Testing.Manifests tests, TestKit tests, VersionComparison tests, Audit.ReplayToken, AuditPack, Auth.Security, Canonical.Json tests, Canonical.Json, Canonicalization, Configuration, Cryptography.DependencyInjection, Cryptography.Kms, Cryptography.Plugin.BouncyCastle, Cryptography.Plugin.CryptoPro, GostCryptography third-party library/tests, Cryptography.Plugin.EIDAS.Tests, Cryptography.Plugin.EIDAS, Cryptography.Plugin.OfflineVerification, Cryptography.Plugin.OpenSslGost, Cryptography.Plugin.Pkcs11Gost, Cryptography.Plugin.PqSoft, Cryptography.Plugin.SimRemote, Cryptography.Plugin.SmRemote.Tests, Cryptography.Plugin.SmRemote, Cryptography.Plugin.SmSoft.Tests, Cryptography.Plugin.SmSoft, Cryptography.Plugin.WineCsp, Cryptography.PluginLoader.Tests, Cryptography.PluginLoader, Cryptography.Providers.OfflineVerification, Cryptography.Tests (libraries), Cryptography (library), DeltaVerdict, DependencyInjection, Determinism.Abstractions, DistroIntel, Eventing, Evidence.Bundle, Evidence.Core.Tests, Evidence.Core, Evidence.Persistence, Evidence, Facet.Tests, Facet, HybridLogicalClock Benchmarks, HybridLogicalClock Tests, HybridLogicalClock, Infrastructure.EfCore, Infrastructure.Postgres, Ingestion.Telemetry, StellaOps.Interop, IssuerDirectory.Client, StellaOps.Metrics, 
Orchestrator.Schemas, StellaOps.Plugin, StellaOps.Policy.Tools, PolicyAuthoritySignals.Contracts, Provcache, Provcache.Api, Provcache.Postgres, Provcache.Valkey, Provenance, ReachGraph.Cache, ReachGraph.Persistence).
|
||||
## Findings (Rebaseline 2026-01-08 restart)
|
||||
### devops/services/crypto/sim-crypto-service/SimCryptoService.csproj
|
||||
- MAINT: Shared ECDsa instance is reused across requests; ECDsa is not thread-safe and can race under concurrency. `devops/services/crypto/sim-crypto-service/Program.cs`
|
||||
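Review bot: the "Revalidated AUDIT-0001 to ..." bullet is replaced wholesale only to move the upper bound from AUDIT-0103 to AUDIT-0104 and append ReachGraph.Persistence, so a one-project change shows up as a rewrite of a line that is too long to compare by eye. Consider keeping one bullet or table row per audit id, so that each revalidation is a single added line and a dropped or reordered project is visible in review.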
@@ -791,6 +791,19 @@
|
||||
- TEST: No tests cover in-memory repository ordering/filtering beyond a single continuation token or empty-store behavior. `src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/InMemoryAttestorEntryRepositoryTests.cs` `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Storage/InMemoryAttestorEntryRepository.cs`
|
||||
- TEST: No tests validate DefaultDsseCanonicalizer behavior for empty signatures or missing payload fields. `src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/DefaultDsseCanonicalizerTests.cs` `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Submission/DefaultDsseCanonicalizer.cs`
|
||||
- Disposition: revalidated 2026-01-07 (test project; apply waived); coverage extended 2026-01-08 for AUDIT-0055-A.
|
||||
- MAINT: PostgresRekorSubmissionQueue generates ids with Guid.NewGuid; inject IGuidGenerator for deterministic IDs and testability. `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Queue/PostgresRekorSubmissionQueue.cs`
|
||||
- MAINT: PostgresRekorSubmissionQueue computes wait time using GetDateTime on created_at, which drops offset and can skew metrics; prefer DateTimeOffset via GetFieldValue<DateTimeOffset>. `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Queue/PostgresRekorSubmissionQueue.cs`
|
||||
- QUALITY: HttpRekorClient parses checkpoint timestamps with DateTimeOffset.TryParse without InvariantCulture, making parsing locale-dependent. `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Rekor/HttpRekorClient.cs`
|
||||
- SECURITY: HttpRekorClient VerifyInclusionAsync never validates checkpoint signatures and always reports checkpointSignatureValid=false; ensure downstream treats checkpoint as unverified or implement signature validation. `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Rekor/HttpRekorClient.cs`
|
||||
- MAINT: Rekor backend construction logic is duplicated between verification and retry worker; centralize to avoid drift. `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Verification/AttestorVerificationService.cs` `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Workers/RekorRetryWorker.cs`
|
||||
- TEST: Infrastructure tests exist but do not cover Rekor queue persistence/backoff, archive store metadata serialization, or submission/verification flows. `src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests`
|
||||
- Disposition: revalidated 2026-01-06; apply reopened for remaining gaps.
|
||||
### src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/StellaOps.Attestor.Infrastructure.Tests.csproj
|
||||
- MAINT: No new issues on revalidation; tests use fixed timestamps and deterministic inputs. `src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/DefaultDsseCanonicalizerTests.cs` `src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/InMemoryAttestorEntryRepositoryTests.cs`
|
||||
- TEST: Coverage is limited to DSSE signature ordering, missing Rekor log index failure, and continuation-token paging; no tests cover Rekor submission success/conflict, proof parsing, or inclusion verification success/failure paths. `src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/HttpRekorClientTests.cs` `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Rekor/HttpRekorClient.cs`
|
||||
- TEST: No tests cover in-memory repository ordering/filtering beyond a single continuation token or empty-store behavior. `src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/InMemoryAttestorEntryRepositoryTests.cs` `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Storage/InMemoryAttestorEntryRepository.cs`
|
||||
- TEST: No tests validate DefaultDsseCanonicalizer behavior for empty signatures or missing payload fields. `src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/DefaultDsseCanonicalizerTests.cs` `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Submission/DefaultDsseCanonicalizer.cs`
|
||||
- Disposition: revalidated 2026-01-07 (test project; apply waived).
|
||||
### src/Attestor/__Libraries/StellaOps.Attestor.Oci/StellaOps.Attestor.Oci.csproj
|
||||
- QUALITY: OrasAttestationAttacher assumes imageRef.Digest is populated; when tag-only references are parsed, Digest is empty and no ResolveTagAsync call occurs, so attach/list/fetch/remove can target an empty digest. `src/Attestor/__Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs`
|
||||
- QUALITY: ListAsync parses created timestamps with DateTimeOffset.TryParse without InvariantCulture, making ordering locale-dependent. `src/Attestor/__Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs`
|
||||
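Review bot: the two TEST entries near the end of this hunk (in-memory repository ordering/filtering, DefaultDsseCanonicalizer empty signatures) repeat word for word the two entries at its top, and the Disposition lines that follow each pair disagree: one reads "revalidated 2026-01-07 (test project; apply waived); coverage extended 2026-01-08 for AUDIT-0055-A", the other stops at "apply waived". The header reports 6 old lines against 19 new, which looks like a merge that re-added the StellaOps.Attestor.Infrastructure.Tests section next to the copy already present; keep one copy with the newer disposition. Separately, the SECURITY entry for HttpRekorClient VerifyInclusionAsync offers two remedies ("ensure downstream treats checkpoint as unverified or implement signature validation") while the Disposition only says "apply reopened for remaining gaps"; record which remedy is chosen so the unverified checkpoint is not lost among the MAINT items.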
@@ -4255,6 +4268,7 @@
|
||||
- MAINT: CreateGlobRegex uses a control-character placeholder for "**", violating ASCII-only rules and making the regex brittle. `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphSliceService.cs`
|
||||
- Proposed changes (pending approval): enforce authn/z with tenant-aware policies, scope cache by tenant, inject TimeProvider, add request validation and bounds, and replace the glob placeholder with ASCII plus tests.
|
||||
- Disposition: pending implementation (non-test project; revalidated 2026-01-08; apply recommendations remain open).
|
||||
- Disposition: pending implementation (non-test project; revalidated 2026-01-07; apply recommendations remain open).
|
||||
### src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/StellaOps.ReachGraph.WebService.Tests.csproj
|
||||
- TEST: Coverage exists for upsert idempotency, get by digest/not found, slice by CVE/package, replay match, list by artifact, and delete. `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`
|
||||
- TEST: No coverage for entrypoint/file slices, invalid direction/depth, missing tenant header, or replay mismatch paths. `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`
|
||||
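Review bot: after the "Proposed changes" bullet the ReachGraph.WebService section carries two Disposition lines that differ only in the revalidation date (2026-01-08 and 2026-01-07). Replace the older line instead of stacking a new one, or a reader cannot tell which disposition is current; if the history matters, keep it in one line such as "revalidated 2026-01-07, 2026-01-08".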
@@ -4341,6 +4355,7 @@
|
||||
- TEST: No tests cover replay token endpoints, tenant header enforcement, or verdict replay endpoints. `src/Replay/StellaOps.Replay.WebService`
|
||||
- Proposed changes (pending approval): enforce scopes from config, validate tenant against claims, clamp expiration, require authorization and path allowlisting for verdict replay, and add endpoint tests.
|
||||
- Disposition: pending implementation (non-test project; revalidated 2026-01-08; apply recommendations remain open).
|
||||
- Disposition: pending implementation (non-test project; revalidated 2026-01-07; apply recommendations remain open).
|
||||
### src/__Libraries/StellaOps.Resolver/StellaOps.Resolver.csproj
|
||||
- MAINT: DeterministicResolver.Run uses DateTimeOffset.UtcNow; should use injected TimeProvider or require explicit resolvedAt for deterministic runs. `src/__Libraries/StellaOps.Resolver/DeterministicResolver.cs`
|
||||
- Proposed changes (pending approval): inject TimeProvider and remove the DateTimeOffset.UtcNow default.
|
||||
|
||||
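Review bot: the Replay.WebService section also ends with two Disposition lines, dated 2026-01-08 and 2026-01-07, both "pending implementation". Keep a single line with the latest date. Since the proposed changes here include "validate tenant against claims" and "require authorization and path allowlisting for verdict replay", it would help to tag these items SECURITY in the findings rather than leaving them only under a pending disposition.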