stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat: Add DigestUpsertRequest and LockEntity models
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details

Browse Source 
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
This commit is contained in:
StellaOps Bot
2025-12-03 07:51:50 +02:00
parent 37cba83708
commit e923880694
171 changed files with 6567 additions and 2952 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/Web/StellaOps.Web/TASKS.md
View File

@@ -5,7 +5,7 @@
| WEB-AOC-19-002 | DONE (2025-11-30) | Added provenance builder, checksum utilities, and DSSE/CMS signature verification helpers with unit tests. |
| WEB-AOC-19-003 | DONE (2025-11-30) | Added client-side guard validator (forbidden/derived/unknown fields, provenance/signature checks) with unit fixtures. |
| WEB-CONSOLE-23-002 | DOING (2025-12-01) | Console status polling + SSE run stream client/store/UI added; tests pending once env fixed. |
| WEB-RISK-66-001 | DOING (2025-12-02) | Added risk + vuln gateway HTTP clients (shared trace util), store, `/risk` dashboard with filters/empty state/vuln link, auth guard; added `/vulnerabilities/:vulnId` detail + specs; providers switch via quickstart; awaiting gateway endpoints/test harness. |
| WEB-RISK-66-001 | BLOCKED (2025-12-03) | Same implementation landed; npm ci hangs so Angular tests cant run; waiting on stable install environment and gateway endpoints to validate. |
| WEB-EXC-25-001 | TODO | Exceptions workflow CRUD pending policy scopes. |
| WEB-TEN-47-CONTRACT | DONE (2025-12-01) | Gateway tenant auth/ABAC contract doc v1.0 published (`docs/api/gateway/tenant-auth.md`). |
| WEB-VULN-29-LEDGER-DOC | DONE (2025-12-01) | Findings Ledger proxy contract doc v1.0 with idempotency + retries (`docs/api/gateway/findings-ledger-proxy.md`). |

52
src/Web/StellaOps.Web/scripts/chrome-path.js
View File

@@ -87,15 +87,49 @@ function expandNestedArchives(rootDir = join(__dirname, '..')) {
return candidates;
}
function candidatePaths(rootDir = join(__dirname, '..')) {
const { env } = process;
const baseCandidates = [
env.STELLAOPS_CHROMIUM_BIN,
env.CHROME_BIN,
env.PUPPETEER_EXECUTABLE_PATH,
'/usr/bin/chromium-browser',
'/usr/bin/chromium',
'/usr/bin/google-chrome',
function candidatePaths(rootDir = join(__dirname, '..')) {
const { env } = process;
const playwrightBase = join(rootDir, 'node_modules', 'playwright-core', '.local-browsers');
const homePlaywrightBase = env.HOME ? join(env.HOME, '.cache', 'ms-playwright') : null;
let playwrightChromium = [];
try {
if (existsSync(playwrightBase)) {
playwrightChromium = readdirSync(playwrightBase)
.filter((d) => d.startsWith('chromium-'))
.map((d) => join(playwrightBase, d, 'chrome-linux', 'chrome'))
.concat(
readdirSync(playwrightBase)
.filter((d) => d.startsWith('chromium-'))
.map((d) => join(playwrightBase, d, 'chrome-win', 'chrome.exe')),
readdirSync(playwrightBase)
.filter((d) => d.startsWith('chromium-'))
.map((d) => join(playwrightBase, d, 'chrome-mac', 'Chromium.app', 'Contents', 'MacOS', 'Chromium'))
);
}
} catch {
playwrightChromium = [];
}
let homeChromium = [];
try {
if (homePlaywrightBase && existsSync(homePlaywrightBase)) {
homeChromium = readdirSync(homePlaywrightBase)
.filter((d) => d.startsWith('chromium'))
.map((d) => join(homePlaywrightBase, d, 'chrome-linux', 'chrome'));
}
} catch {
homeChromium = [];
}
const baseCandidates = [
env.STELLAOPS_CHROMIUM_BIN,
env.CHROME_BIN,
env.PUPPETEER_EXECUTABLE_PATH,
...playwrightChromium,
...homeChromium,
'/usr/bin/chromium-browser',
'/usr/bin/chromium',
'/usr/bin/google-chrome',
'/usr/bin/google-chrome-stable',
join(rootDir, ...linuxArchivePath),
join(rootDir, ...windowsArchivePath),