save checkpoint

2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
--- a/docs/features/checked/scanner/threat-vector-inference-and-capability-detection.md
+++ b/docs/features/checked/scanner/threat-vector-inference-and-capability-detection.md
@@ -0,0 +1,40 @@
+# Threat Vector Inference and Capability Detection
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Automated inference of threat vectors from entrypoint characteristics, capability detection (network, file system, crypto, IPC), and data flow boundary mapping for security surface assessment.
+
+## Implementation Details
+- **Threat Vector Inference**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs` - `ThreatVectorInferrer` inferring threat vectors (External, Internal, Privileged) from entrypoint characteristics and exposure patterns
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs` - `ThreatVector` enum defining threat vector classifications
+- **Capability Detection**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs` - `CapabilityDetector` detecting entrypoint capabilities (NetworkAccess, FileSystem, Crypto, ProcessExec, IPC) from code patterns
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs` - `CapabilityClass` flags enum for detected capabilities
+- **Data Flow Boundary Mapping**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs` - `DataBoundaryMapper` mapping data flow trust boundaries between entrypoints and downstream services
+  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs` - `DataFlowBoundary` enum defining trust boundary types
+
+## E2E Test Plan
+- [ ] Analyze an HTTP-exposed entrypoint and verify `ThreatVectorInferrer` classifies it as "External" threat vector
+- [ ] Analyze an internal-only service and verify it is classified as "Internal" threat vector
+- [ ] Verify `CapabilityDetector` identifies NetworkAccess capability for entrypoints making HTTP calls
+- [ ] Verify `CapabilityDetector` identifies FileSystem capability for entrypoints performing file I/O
+- [ ] Verify `DataBoundaryMapper` correctly identifies trust boundary crossings (e.g., user input -> database query)
+- [ ] Verify all three analysis components (threat vector, capability, data flow boundary) produce deterministic results for the same code patterns
+
+---
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source files exist | PASS |
+| Tier 1 - Build + code review | PASS |
+| Tier 2 - Integration tests | PASS |
+| Verified | 2026-02-13T18:10:00Z |