wip: doctor/cli/docs/api to vector db consolidation; api hardening for descriptions, tenant, and scopes; migrations and conversions of all DALs to EF v10

2026-02-23 15:30:50 +02:00
parent bd8fee6ed8
commit e746577380
1424 changed files with 81225 additions and 25251 deletions


@@ -30,7 +30,8 @@ public static class VerdictEndpoints
group.MapPost("/", CreateVerdict)
.WithName("CreateVerdict")
.WithSummary("Append a new verdict to the ledger")
.WithDescription("Creates a new verdict entry with cryptographic chain linking")
.WithDescription("Appends a new release verdict to the immutable hash-chained ledger. Each entry records the decision (approve/reject), policy bundle ID, verifier image digest, and signer key ID. Returns 409 Conflict if chain integrity would be violated. Requires attestor:write scope.")
.RequireAuthorization("attestor:write")
.Produces<CreateVerdictResponse>(StatusCodes.Status201Created)
.Produces(StatusCodes.Status400BadRequest)
.Produces(StatusCodes.Status401Unauthorized)
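Review bot: The new CreateVerdict description promises a 409 Conflict on a chain-integrity violation, and `.RequireAuthorization("attestor:write")` makes 403 a possible outcome for an authenticated caller without the scope, yet the `.Produces(...)` lines visible here declare only 201, 400 and 401. The call chain continues past the end of this hunk, so they may already be declared below; if not, add `.Produces(StatusCodes.Status403Forbidden)` and `.Produces(StatusCodes.Status409Conflict)` so the published contract matches the text. The read endpoints in the next hunk declare neither 401 nor 403 although they now carry `.RequireAuthorization("attestor:read")`. With the framework's string overload the argument is resolved as a policy name, so a policy registered under exactly `attestor:write` / `attestor:read` has to exist (registration is not visible here). A shared constant for the two names would keep the five call sites from drifting.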
@@ -39,25 +40,30 @@ public static class VerdictEndpoints
group.MapGet("/", QueryVerdicts)
.WithName("QueryVerdicts")
.WithSummary("Query verdicts by bom-ref")
.WithDescription("Returns all verdicts for a given package/artifact reference")
.WithDescription("Returns all verdict ledger entries for a specific package bom-ref (PURL or container digest), filtered by tenant. Results are ordered chronologically for chain traversal. Requires attestor:read scope.")
.RequireAuthorization("attestor:read")
.Produces<IReadOnlyList<VerdictResponse>>();
group.MapGet("/{hash}", GetVerdictByHash)
.WithName("GetVerdictByHash")
.WithSummary("Get a verdict by its hash")
.WithDescription("Returns a specific verdict entry by its SHA-256 hash")
.WithDescription("Returns a specific verdict ledger entry identified by its SHA-256 hash digest. Returns 404 if no entry exists with the given hash. Requires attestor:read scope.")
.RequireAuthorization("attestor:read")
.Produces<VerdictResponse>()
.Produces(StatusCodes.Status404NotFound);
group.MapGet("/chain/verify", VerifyChain)
.WithName("VerifyChainIntegrity")
.WithSummary("Verify ledger chain integrity")
.WithDescription("Walks the hash chain to verify cryptographic integrity")
.WithDescription("Walks the full verdict ledger hash chain for the tenant and verifies that every entry's previous-hash pointer is cryptographically valid. Returns a structured result with the total entries checked and any integrity violations found. Requires attestor:read scope.")
.RequireAuthorization("attestor:read")
.Produces<ChainVerificationResult>();
group.MapGet("/latest", GetLatestVerdict)
.WithName("GetLatestVerdict")
.WithSummary("Get the latest verdict for a bom-ref")
.WithDescription("Returns the most recent verdict ledger entry for a specific bom-ref in the tenant. Useful for gating deployments based on the last-known release decision. Returns 404 if no verdict has been recorded. Requires attestor:read scope.")
.RequireAuthorization("attestor:read")
.Produces<VerdictResponse>()
.Produces(StatusCodes.Status404NotFound);
}
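Review bot: Tenant isolation is asserted only in the description strings ("filtered by tenant", "for the tenant", "in the tenant"), while the route configuration in this hunk enforces just the `attestor:read` scope, and the GetVerdictByHash description does not mention the tenant at all. The handlers are outside the hunk, so this may already be covered, but it is worth confirming that each one, `GetVerdictByHash` in particular, takes the tenant from the authenticated principal rather than from a caller-supplied parameter, and answers 404 for an entry that belongs to another tenant. If that holds, say so in the hash lookup's description as well, e.g. `Returns 404 if no entry with the given hash exists in the caller's tenant.` Otherwise a holder of the read scope in one tenant could retrieve another tenant's ledger entry by its hash.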