stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save audit remarks applications progress

Browse Source
This commit is contained in:
StellaOps Bot
2026-01-04 22:49:53 +02:00
parent 8862e112c4
commit eca4e964d3
48 changed files with 1850 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/implplan/SPRINT_20260104_001_BE_determinism_timeprovider_injection.md
View File

@@ -72,9 +72,9 @@
| 16 | DET-016 | DONE | DET-002, DET-003 | Guild | Refactor VulnExplorer module (1 file: VexDecisionStore) |
| 17 | DET-017 | DONE | DET-002, DET-003 | Guild | Refactor Zastava module (~48 matches remaining) |
| 18 | DET-018 | DONE | DET-004 to DET-017 | Guild | Final audit: verify sprint-scoped modules (Libraries only) have deterministic TimeProvider injection. Remaining scope documented below. |
| 19 | DET-019 | TODO | DET-018 | Guild | Follow-up: Scanner.WebService determinism refactoring (~40 DateTimeOffset.UtcNow usages) |
| 20 | DET-020 | TODO | DET-018 | Guild | Follow-up: Scanner.Analyzers.Native determinism refactoring (~4 DateTimeOffset.UtcNow usages) |
| 21 | DET-021 | TODO | DET-018 | Guild | Follow-up: Other modules (AdvisoryAI, Authority, AirGap, Attestor, Cli, Concelier, Excititor, etc.) - full codebase determinism sweep |
| 19 | DET-019 | DONE | DET-018 | Guild | Follow-up: Scanner.WebService determinism refactoring (~40 DateTimeOffset.UtcNow usages) - 12 endpoint/service files + 2 dependency library files fixed |
| 20 | DET-020 | DONE | DET-018 | Guild | Follow-up: Scanner.Analyzers.Native determinism refactoring - hardening extractors (ELF/MachO/PE), OfflineBuildIdIndex, and RuntimeCapture adapters (eBPF/DYLD/ETW) complete. |
| 21 | DET-021 | DOING | DET-018 | Guild | Follow-up: Other modules (AdvisoryAI, Authority, AirGap, Attestor, Cli, Concelier, Excititor, etc.) - full codebase determinism sweep. Sub-tasks: (a) AirGap DONE, (b) EvidenceLocker DONE, (c) IssuerDirectory DONE, (d) Remaining modules pending |
## Implementation Pattern
@@ -139,6 +139,9 @@ services.AddSingleton<IGuidProvider, SystemGuidProvider>();
| 2026-01-06 | DET-011 continued: Additional Scanner production files refactored - IAssumptionCollector.cs/AssumptionCollector (TimeProvider constructor), FalsificationConditions.cs/DefaultFalsificationConditionGenerator (TimeProvider constructor), SbomDiffEngine.cs (TimeProvider constructor), ReachabilityUnionWriter.cs (TimeProvider constructor, WriteMetaAsync), PostgresReachabilityCache.cs (TimeProvider constructor, GetAsync TTL calculation, SetAsync expiry calculation). Scanner __Libraries reduced from 61 to 35 DateTimeOffset.UtcNow matches. Remaining are in: Binary analysis (6 files), Language analyzers (Java/DotNet/Deno/Native - 5 files), Benchmark/Claims (2 files), SmartDiff VexEvidence.IsValid property comparison, and test files. | Agent |
| 2026-01-06 | DET-011 continued: Binary analysis module refactored (IFingerprintIndex.cs - InMemoryFingerprintIndex with TimeProvider constructor + _lastUpdated, VulnerableFingerprintIndex with TimeProvider, BinaryIntelligenceAnalyzer.cs, VulnerableFunctionMatcher.cs, BinaryAnalysisResult.cs/BinaryAnalysisResultBuilder, FingerprintCorpusBuilder.cs, BaselineAnalyzer.cs, EpssEvidence.cs). Language analyzers refactored (DotNetCallgraphBuilder.cs, JavaCallgraphBuilder.cs, NativeCallgraphBuilder.cs, DenoRuntimeTraceRecorder.cs, JavaEntrypointAocWriter.cs). Core services refactored (CbomAggregationService.cs, SecretDetectionSettings.cs factory methods). Benchmark/Claims refactored (MetricsCalculator.cs, BattlecardGenerator.cs). SmartDiff VexEvidence.cs - added IsValidAt(DateTimeOffset) method, IsValid property uses TimeProvider. Risk module fixed (RiskExplainer, RiskAggregator constructors). BoundaryExtractionContext.cs - restored deprecated Empty property, added CreateEmpty factory. All Scanner __Libraries now build successfully with 3 acceptable remaining usages (test file, parsing fallback, existing TimeProvider fallback). DET-011 COMPLETE. | Agent |
| 2026-01-06 | DET-018 Final audit complete. Sprint scope was __Libraries modules. Remaining in codebase: Scanner.WebService (~40 usages), Scanner.Analyzers.Native (~4 usages), plus other modules (AdvisoryAI 30+, Authority 40+, AirGap 12+, Attestor 25+, Cli 80+, Concelier 15+, etc.) requiring follow-up sprints. DET-019/020/021 created for follow-up work. | Agent |
| 2026-01-04 | DET-019 complete: Scanner.WebService refactored - 12 endpoint/service files (EpssEndpoints, EvidenceEndpoints, SmartDiffEndpoints, UnknownsEndpoints, WitnessEndpoints, TriageInboxEndpoints, ProofBundleEndpoints, ReportSigner, ScoreReplayService, TestManifestRepository, SliceQueryService, UnifiedEvidenceService) plus dependency fixes in Scanner.Sources (SourceTriggerDispatcher, SourceContracts) and Scanner.WebService (EvidenceBundleExporter, GatingReasonService). All builds verified. | Agent |
| 2026-01-04 | DET-020 in progress: Scanner.Analyzers.Native hardening extractors refactored - ElfHardeningExtractor, MachoHardeningExtractor, PeHardeningExtractor with TimeProvider injection. OfflineBuildIdIndex refactored. Build verified. RuntimeCapture adapters (LinuxEbpfCaptureAdapter, MacOsDyldCaptureAdapter, WindowsEtwCaptureAdapter) pending - require TimeProvider and IGuidProvider injection for 18+ usages across eBPF/DYLD/ETW tracing. | Agent |
| 2026-01-04 | DET-020 complete: RuntimeCapture adapters refactored - LinuxEbpfCaptureAdapter, MacOsDyldCaptureAdapter, WindowsEtwCaptureAdapter with TimeProvider and IGuidProvider injection (SessionId, StartTime, EndTime, Timestamp fields). RuntimeEvidenceAggregator.MergeWithStaticAnalysis updated with optional TimeProvider parameter. StackTraceCapture.CollapsedStack.Parse updated with optional TimeProvider parameter. Added StellaOps.Determinism.Abstractions reference to project. All builds verified. | Agent |
## Decisions & Risks
- **Decision:** Defer determinism refactoring from MAINT audit to dedicated sprint for focused, systematic approach.

542
docs/implplan/archived/SPRINT_20260104_002_SCANNER_secret_leak_detection_core.md Normal file
View File

@@ -0,0 +1,542 @@
# Sprint 20260104_002_SCANNER - Secret Leak Detection Core Analyzer
## Topic & Scope
Implement the core `StellaOps.Scanner.Analyzers.Secrets` plugin that detects accidentally committed secrets in container layers during scans. This is the foundational sprint for secret leak detection capability.
**Key deliverables:**
1. **Secrets Analyzer Plugin**: Core analyzer that executes regex/entropy-based detection rules
2. **Rule Engine**: Rule definition models, matching logic, and deterministic execution
3. **Masking Engine**: Payload masking to ensure secrets never leak in outputs
4. **Evidence Emission**: `secret.leak` evidence type integration with ScanAnalysisStore
5. **Feature Flag**: Experimental toggle for gradual rollout
**Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/`
## Dependencies & Concurrency
- **Depends on**: Surface.Secrets, Surface.Validation, Surface.Env (already implemented)
- **Required by**: Sprint 20260104_003 (Rule Bundle Infrastructure), Sprint 20260104_004 (Policy DSL)
- **Parallel work**: Tasks SLD-001 through SLD-008 can be developed concurrently
- **Integration tasks** (SLD-009+) require prior tasks complete
## Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/scanner/architecture.md
- docs/modules/scanner/design/surface-secrets.md
- docs/modules/scanner/operations/secret-leak-detection.md (target spec)
- CLAUDE.md (especially Section 8: Code Quality & Determinism Rules)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SLD-001 | DONE | None | Scanner Guild | Create project structure and csproj |
| 2 | SLD-002 | DONE | None | Scanner Guild | Define SecretRule and SecretRuleset models |
| 3 | SLD-003 | DONE | None | Scanner Guild | Implement ISecretDetector interface and RegexDetector |
| 4 | SLD-004 | DONE | None | Scanner Guild | Implement EntropyDetector for high-entropy string detection |
| 5 | SLD-005 | DONE | None | Scanner Guild | Implement PayloadMasker with configurable masking strategies |
| 6 | SLD-006 | DONE | None | Scanner Guild | Define SecretLeakEvidence record and finding model |
| 7 | SLD-007 | DONE | SLD-002 | Scanner Guild | Implement RulesetLoader with JSON parsing |
| 8 | SLD-008 | DONE | None | Scanner Guild | Add SecretsAnalyzerOptions with feature flag support |
| 9 | SLD-009 | DONE | SLD-003,SLD-004 | Scanner Guild | Implement CompositeSecretDetector combining regex and entropy |
| 10 | SLD-010 | DONE | SLD-006,SLD-009 | Scanner Guild | Implement SecretsAnalyzer (ILanguageAnalyzer) |
| 11 | SLD-011 | DONE | SLD-010 | Scanner Guild | Add SecretsAnalyzerHost for plugin lifecycle |
| 12 | SLD-012 | DONE | SLD-011 | Scanner Guild | Integrate with Scanner Worker pipeline |
| 13 | SLD-013 | DONE | SLD-010 | Scanner Guild | Add DI registration in ServiceCollectionExtensions |
| 14 | SLD-014 | DONE | All | Scanner Guild | Add comprehensive unit tests |
| 15 | SLD-015 | DONE | SLD-014 | Scanner Guild | Add integration tests with test fixtures |
| 16 | SLD-016 | DONE | All | Scanner Guild | Create AGENTS.md for module |
## Task Details
### SLD-001: Project Structure
Create the project skeleton following Scanner conventions:
```
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/
├── StellaOps.Scanner.Analyzers.Secrets.csproj
├── AGENTS.md
├── AssemblyInfo.cs
├── Detectors/
│ ├── ISecretDetector.cs
│ ├── RegexDetector.cs
│ ├── EntropyDetector.cs
│ └── CompositeSecretDetector.cs
├── Rules/
│ ├── SecretRule.cs
│ ├── SecretRuleset.cs
│ └── RulesetLoader.cs
├── Masking/
│ ├── IPayloadMasker.cs
│ └── PayloadMasker.cs
├── Evidence/
│ ├── SecretLeakEvidence.cs
│ └── SecretFinding.cs
├── SecretsAnalyzer.cs
├── SecretsAnalyzerHost.cs
├── SecretsAnalyzerOptions.cs
└── ServiceCollectionExtensions.cs
```
csproj should reference:
- StellaOps.Scanner.Core
- StellaOps.Scanner.Surface
- StellaOps.Evidence.Core
### SLD-002: Rule Models
Define the rule structure for secret detection:
```csharp
/// <summary>
/// A single secret detection rule.
/// </summary>
public sealed record SecretRule
{
public required string Id { get; init; } // e.g., "stellaops.secrets.aws-access-key"
public required string Version { get; init; } // e.g., "2025.11.0"
public required string Name { get; init; } // Human-readable name
public required string Description { get; init; }
public required SecretRuleType Type { get; init; } // Regex, Entropy, Composite
public required string Pattern { get; init; } // Regex pattern or entropy config
public required SecretSeverity Severity { get; init; }
public required SecretConfidence Confidence { get; init; }
public string? MaskingHint { get; init; } // e.g., "prefix:4,suffix:2"
public ImmutableArray<string> Keywords { get; init; } // Pre-filter keywords
public ImmutableArray<string> FilePatterns { get; init; } // Glob patterns for file filtering
public bool Enabled { get; init; } = true;
}
public enum SecretRuleType { Regex, Entropy, Composite }
public enum SecretSeverity { Low, Medium, High, Critical }
public enum SecretConfidence { Low, Medium, High }
/// <summary>
/// A versioned collection of secret detection rules.
/// </summary>
public sealed record SecretRuleset
{
public required string Id { get; init; } // e.g., "secrets.ruleset"
public required string Version { get; init; } // e.g., "2025.11"
public required DateTimeOffset CreatedAt { get; init; }
public required ImmutableArray<SecretRule> Rules { get; init; }
public string? Sha256Digest { get; init; } // Integrity hash
}
```
Location: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Rules/`
### SLD-003: Regex Detector
Implement regex-based secret detection:
```csharp
public interface ISecretDetector
{
string DetectorId { get; }
ValueTask<IReadOnlyList<SecretMatch>> DetectAsync(
ReadOnlyMemory<byte> content,
string filePath,
SecretRule rule,
CancellationToken ct = default);
}
public sealed record SecretMatch(
SecretRule Rule,
string FilePath,
int LineNumber,
int ColumnStart,
int ColumnEnd,
ReadOnlyMemory<byte> RawMatch, // For masking
double ConfidenceScore);
public sealed class RegexDetector : ISecretDetector
{
public string DetectorId => "regex";
// Implementation notes:
// - Use compiled regex for performance
// - Apply keyword pre-filter before regex matching
// - Respect file pattern filters
// - Track line/column for precise location
// - Never log raw match content
}
```
Location: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/Detectors/`
### SLD-004: Entropy Detector
Implement Shannon entropy-based detection for high-entropy strings:
```csharp
public sealed class EntropyDetector : ISecretDetector
{
public string DetectorId => "entropy";
// Implementation notes:
// - Calculate Shannon entropy for candidate strings
// - Default threshold: 4.5 bits per character
// - Minimum length: 16 characters
// - Skip common high-entropy non-secrets (UUIDs, hashes in comments)
// - Apply charset detection (base64, hex, alphanumeric)
}
public static class EntropyCalculator
{
/// <summary>
/// Calculates Shannon entropy in bits per character.
/// </summary>
public static double Calculate(ReadOnlySpan<byte> data)
{
// Use CultureInfo.InvariantCulture for all formatting
// Return 0.0 for empty input
}
}
```
### SLD-005: Payload Masker
Implement secure payload masking:
```csharp
public interface IPayloadMasker
{
/// <summary>
/// Masks a secret payload preserving prefix/suffix for identification.
/// </summary>
/// <param name="payload">The raw secret bytes</param>
/// <param name="hint">Optional masking hint from rule (e.g., "prefix:4,suffix:2")</param>
/// <returns>Masked string (e.g., "AKIA****B7")</returns>
string Mask(ReadOnlySpan<byte> payload, string? hint = null);
}
public sealed class PayloadMasker : IPayloadMasker
{
// Default: preserve first 4 and last 2 characters
// Replace middle with asterisks (max 8 asterisks)
// Minimum output length: 8 characters
// Never expose more than 6 characters total
public const int DefaultPrefixLength = 4;
public const int DefaultSuffixLength = 2;
public const int MaxMaskLength = 8;
public const char MaskChar = '*';
}
```
### SLD-006: Evidence Models
Define the evidence structure for policy integration:
```csharp
/// <summary>
/// Evidence record for a detected secret leak.
/// </summary>
public sealed record SecretLeakEvidence
{
public required string EvidenceType => "secret.leak";
public required string RuleId { get; init; }
public required string RuleVersion { get; init; }
public required SecretSeverity Severity { get; init; }
public required SecretConfidence Confidence { get; init; }
public required string FilePath { get; init; }
public required int LineNumber { get; init; }
public required string Mask { get; init; } // Masked payload
public required string BundleId { get; init; }
public required string BundleVersion { get; init; }
public required DateTimeOffset DetectedAt { get; init; }
public ImmutableDictionary<string, string>? Metadata { get; init; }
}
/// <summary>
/// Aggregated finding for a single secret match.
/// </summary>
public sealed record SecretFinding
{
public required Guid Id { get; init; }
public required SecretLeakEvidence Evidence { get; init; }
public required string ScanId { get; init; }
public required string TenantId { get; init; }
public required string ArtifactDigest { get; init; }
}
```
### SLD-007: Ruleset Loader
Implement deterministic ruleset loading:
```csharp
public interface IRulesetLoader
{
ValueTask<SecretRuleset> LoadAsync(
string rulesetPath,
CancellationToken ct = default);
ValueTask<SecretRuleset> LoadFromJsonlAsync(
Stream rulesStream,
string bundleId,
string bundleVersion,
CancellationToken ct = default);
}
public sealed class RulesetLoader : IRulesetLoader
{
// Implementation notes:
// - Parse secrets.ruleset.rules.jsonl (NDJSON format)
// - Validate rule schema on load
// - Sort rules by ID for deterministic ordering
// - Calculate and verify SHA-256 digest
// - Use CultureInfo.InvariantCulture for all parsing
// - Log bundle version on successful load
}
```
### SLD-008: Analyzer Options
Configuration options with feature flag:
```csharp
public sealed class SecretsAnalyzerOptions
{
/// <summary>
/// Enable secret leak detection (experimental feature).
/// </summary>
public bool Enabled { get; set; } = false;
/// <summary>
/// Path to the ruleset bundle directory.
/// </summary>
public string RulesetPath { get; set; } = "/opt/stellaops/plugins/scanner/analyzers/secrets";
/// <summary>
/// Minimum confidence level to report findings.
/// </summary>
public SecretConfidence MinConfidence { get; set; } = SecretConfidence.Medium;
/// <summary>
/// Maximum findings per scan (circuit breaker).
/// </summary>
public int MaxFindingsPerScan { get; set; } = 1000;
/// <summary>
/// File size limit for scanning (bytes).
/// </summary>
public long MaxFileSizeBytes { get; set; } = 10 * 1024 * 1024; // 10MB
/// <summary>
/// Enable entropy-based detection.
/// </summary>
public bool EnableEntropyDetection { get; set; } = true;
/// <summary>
/// Entropy threshold (bits per character).
/// </summary>
public double EntropyThreshold { get; set; } = 4.5;
}
```
### SLD-009: Composite Detector
Combine multiple detection strategies:
```csharp
public sealed class CompositeSecretDetector : ISecretDetector
{
private readonly IReadOnlyList<ISecretDetector> _detectors;
private readonly ILogger<CompositeSecretDetector> _logger;
public string DetectorId => "composite";
// Implementation notes:
// - Execute detectors in parallel where possible
// - Deduplicate overlapping matches
// - Merge confidence scores for overlapping detections
// - Respect per-rule detector type preference
}
```
### SLD-010: Secrets Analyzer
Main analyzer implementation:
```csharp
public sealed class SecretsAnalyzer : ILayerAnalyzer
{
public string AnalyzerId => "secrets";
public string DisplayName => "Secret Leak Detector";
// Implementation notes:
// - Check feature flag before processing
// - Load ruleset once at startup (cached)
// - Apply file pattern filters efficiently
// - Execute detection on text files only
// - Emit SecretLeakEvidence for each finding
// - Apply masking before any output
// - Track metrics: scanner.secret.finding_total
// - Add tracing span: scanner.secrets.scan
}
```
### SLD-011: Analyzer Host
Lifecycle management for the analyzer:
```csharp
public sealed class SecretsAnalyzerHost : IHostedService
{
// Implementation notes:
// - Load and validate ruleset on startup
// - Log bundle version and rule count
// - Verify DSSE signature if available
// - Graceful shutdown with finding flush
// - Emit startup log: "SecretsAnalyzerHost: Loaded bundle {version} with {count} rules"
}
```
### SLD-012: Worker Integration
Integrate with Scanner Worker pipeline:
```csharp
// In Scanner.Worker processing pipeline:
// 1. Add SecretsAnalyzer to analyzer chain (after language analyzers)
// 2. Gate execution on feature flag
// 3. Store findings in ScanAnalysisStore
// 4. Include in scan completion event
```
### SLD-013: DI Registration
```csharp
public static class ServiceCollectionExtensions
{
public static IServiceCollection AddSecretsAnalyzer(
this IServiceCollection services,
IConfiguration configuration)
{
services.AddOptions<SecretsAnalyzerOptions>()
.Bind(configuration.GetSection("Scanner:Analyzers:Secrets"))
.ValidateDataAnnotations()
.ValidateOnStart();
services.AddSingleton<IPayloadMasker, PayloadMasker>();
services.AddSingleton<IRulesetLoader, RulesetLoader>();
services.AddSingleton<ISecretDetector, RegexDetector>();
services.AddSingleton<ISecretDetector, EntropyDetector>();
services.AddSingleton<ISecretDetector, CompositeSecretDetector>();
services.AddSingleton<SecretsAnalyzer>();
services.AddHostedService<SecretsAnalyzerHost>();
return services;
}
}
```
### SLD-014: Unit Tests
Required test coverage in `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/`:
```
├── Detectors/
│ ├── RegexDetectorTests.cs
│ ├── EntropyDetectorTests.cs
│ ├── EntropyCalculatorTests.cs
│ └── CompositeSecretDetectorTests.cs
├── Rules/
│ ├── SecretRuleTests.cs
│ └── RulesetLoaderTests.cs
├── Masking/
│ └── PayloadMaskerTests.cs
├── Evidence/
│ └── SecretLeakEvidenceTests.cs
├── SecretsAnalyzerTests.cs
└── Fixtures/
├── aws-access-key.txt
├── github-token.txt
├── private-key.pem
└── test-ruleset.jsonl
```
Test requirements:
- All tests must be deterministic
- Use `[Trait("Category", "Unit")]` for unit tests
- Test masking never exposes full secrets
- Test entropy calculation with known inputs
- Test regex patterns match expected secrets
### SLD-015: Integration Tests
Integration tests with Scanner Worker:
```
├── SecretsAnalyzerIntegrationTests.cs
│ - Test full scan with secrets embedded
│ - Verify findings in ScanAnalysisStore
│ - Verify masking in output
│ - Test feature flag disables analyzer
├── RulesetLoadingTests.cs
│ - Test loading from file system
│ - Test invalid ruleset handling
│ - Test missing bundle handling
```
### SLD-016: Module AGENTS.md
Create `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/AGENTS.md` with:
- Mission statement
- Scope definition
- Required reading list
- Working agreements
- Security considerations
## Built-in Rule Examples
Initial rules to include in default bundle:
| Rule ID | Pattern Type | Description |
|---------|--------------|-------------|
| `stellaops.secrets.aws-access-key` | Regex | AWS Access Key ID (AKIA...) |
| `stellaops.secrets.aws-secret-key` | Regex + Entropy | AWS Secret Access Key |
| `stellaops.secrets.github-pat` | Regex | GitHub Personal Access Token |
| `stellaops.secrets.github-app` | Regex | GitHub App Token (ghs_, ghp_) |
| `stellaops.secrets.gitlab-pat` | Regex | GitLab Personal Access Token |
| `stellaops.secrets.private-key-rsa` | Regex | RSA Private Key (PEM) |
| `stellaops.secrets.private-key-ec` | Regex | EC Private Key (PEM) |
| `stellaops.secrets.jwt` | Regex + Entropy | JSON Web Token |
| `stellaops.secrets.basic-auth` | Regex | Basic Auth credentials in URLs |
| `stellaops.secrets.generic-api-key` | Entropy | High-entropy API key patterns |
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Use NDJSON for rule format | Line-based parsing, easy streaming, git-friendly diffs |
| Mask before any persistence | Defense in depth - secrets never stored |
| Feature flag default off | Safe rollout, tenant opt-in required |
| Entropy threshold 4.5 bits | Balance between false positives and detection rate |
| Max 1000 findings per scan | Circuit breaker prevents DoS on noisy images |
| Text files only | Binary secret detection deferred to future sprint |
## Metrics & Observability
| Metric | Type | Labels |
|--------|------|--------|
| `scanner.secret.finding_total` | Counter | tenant, ruleId, severity, confidence |
| `scanner.secret.scan_duration_seconds` | Histogram | tenant |
| `scanner.secret.rules_loaded` | Gauge | bundleVersion |
| `scanner.secret.files_scanned` | Counter | tenant |
## Execution Log
| Date | Action | Notes |
|------|--------|-------|
| 2026-01-04 | Sprint created | Based on gap analysis of secrets scanning support |
| 2026-01-04 | SLD-001 to SLD-014, SLD-016 completed | Full implementation: project structure, rule models, RegexDetector, EntropyDetector, PayloadMasker, SecretLeakEvidence, RulesetLoader, SecretsAnalyzerOptions, CompositeSecretDetector, SecretsAnalyzer, SecretsAnalyzerHost, ServiceCollectionExtensions, unit tests (EntropyCalculatorTests, PayloadMaskerTests, RegexDetectorTests, RulesetLoaderTests, SecretRuleTests, SecretRulesetTests), AGENTS.md. All builds verified. |
| 2026-01-04 | SLD-015 completed | Created integration test project with test fixtures (aws-access-key.txt, github-token.txt, private-key.pem, test-ruleset.jsonl) and SecretsAnalyzerIntegrationTests.cs covering full scan detection, feature flags, circuit breaker, masking, evidence fields, and determinism. All builds verified. **Sprint complete.** |

216
docs/implplan/archived/SPRINT_20260104_006_BE_secret_detection_config_api.md Normal file
View File

@@ -0,0 +1,216 @@
# Sprint 20260104_006_BE - Secret Detection Configuration API
## Topic & Scope
Backend APIs and data models for configuring secret detection behavior per tenant. This sprint provides the foundation for UI configuration of secret leak detection.
**Key deliverables:**
1. **Tenant Settings Model**: Per-tenant secret detection configuration
2. **Revelation Policy**: Control how detected secrets are displayed/masked
3. **Exception Management**: Allowlist patterns for false positives
4. **Configuration API**: CRUD endpoints for settings
**Working directory:** `src/Scanner/`, `src/Platform/`
## Dependencies & Concurrency
- **Depends on**: Sprint 20260104_001 (Core Analyzer), Sprint 20260104_002 (Rule Bundles)
- **Parallel with**: Sprint 20260104_007 (Alert Integration)
- **Blocks**: Sprint 20260104_008 (UI)
## Documentation Prerequisites
- docs/modules/scanner/operations/secret-leak-detection.md
- CLAUDE.md Section 8 (Determinism)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SDC-001 | DONE | None | Scanner Guild | Define SecretDetectionSettings domain model |
| 2 | SDC-002 | DONE | SDC-001 | Scanner Guild | Create SecretRevelationPolicy enum and config |
| 3 | SDC-003 | DONE | SDC-001 | Scanner Guild | Create SecretExceptionPattern model for allowlists |
| 4 | SDC-004 | DONE | SDC-001 | Platform Guild | Add persistence (Dapper migrations) |
| 5 | SDC-005 | DONE | SDC-004 | Platform Guild | Create Settings CRUD API endpoints |
| 6 | SDC-006 | DONE | SDC-005 | Platform Guild | Add OpenAPI spec for settings endpoints |
| 7 | SDC-007 | DONE | SDC-003 | Scanner Guild | Integrate exception patterns into SecretsAnalyzerHost |
| 8 | SDC-008 | DONE | SDC-002 | Scanner Guild | Implement revelation policy in findings output |
| 9 | SDC-009 | DONE | All | Scanner Guild | Add unit and integration tests |
## Task Details
### SDC-001: SecretDetectionSettings Domain Model
```csharp
public sealed record SecretDetectionSettings
{
public required Guid TenantId { get; init; }
public required bool Enabled { get; init; }
public required SecretRevelationPolicy RevelationPolicy { get; init; }
public required IReadOnlyList<string> EnabledRuleCategories { get; init; }
public required IReadOnlyList<SecretExceptionPattern> Exceptions { get; init; }
public required SecretAlertSettings AlertSettings { get; init; }
public required DateTimeOffset UpdatedAt { get; init; }
public required string UpdatedBy { get; init; }
}
```
Location: `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/`
### SDC-002: SecretRevelationPolicy
Control how detected secrets appear in different contexts:
```csharp
public enum SecretRevelationPolicy
{
/// <summary>
/// Show only that a secret was detected, no value shown.
/// Example: [SECRET_DETECTED: aws_access_key_id]
/// </summary>
FullMask = 0,
/// <summary>
/// Show first and last 4 characters.
/// Example: AKIA****WXYZ
/// </summary>
PartialReveal = 1,
/// <summary>
/// Show full value (requires elevated permissions).
/// Use only for debugging/incident response.
/// </summary>
FullReveal = 2
}
public sealed record RevelationPolicyConfig
{
/// <summary>Default policy for UI/API responses.</summary>
public SecretRevelationPolicy DefaultPolicy { get; init; } = SecretRevelationPolicy.PartialReveal;
/// <summary>Policy for exported reports (PDF, JSON).</summary>
public SecretRevelationPolicy ExportPolicy { get; init; } = SecretRevelationPolicy.FullMask;
/// <summary>Policy for logs and telemetry.</summary>
public SecretRevelationPolicy LogPolicy { get; init; } = SecretRevelationPolicy.FullMask;
/// <summary>Roles allowed to use FullReveal.</summary>
public IReadOnlyList<string> FullRevealRoles { get; init; } = ["security-admin", "incident-responder"];
/// <summary>Number of characters to show at start/end for PartialReveal.</summary>
public int PartialRevealChars { get; init; } = 4;
}
```
### SDC-003: SecretExceptionPattern (Allowlist)
```csharp
public sealed record SecretExceptionPattern
{
public required Guid Id { get; init; }
public required string Name { get; init; }
public required string Description { get; init; }
/// <summary>Regex pattern to match against detected secret value.</summary>
public required string Pattern { get; init; }
/// <summary>Optional: Only apply to specific rule IDs.</summary>
public IReadOnlyList<string>? ApplicableRuleIds { get; init; }
/// <summary>Optional: Only apply to specific file paths.</summary>
public string? FilePathGlob { get; init; }
/// <summary>Reason for exception (audit trail).</summary>
public required string Justification { get; init; }
/// <summary>Expiration date (null = permanent).</summary>
public DateTimeOffset? ExpiresAt { get; init; }
public required DateTimeOffset CreatedAt { get; init; }
public required string CreatedBy { get; init; }
}
```
### SDC-005: Settings API Endpoints
```
GET /api/v1/tenants/{tenantId}/settings/secret-detection
PUT /api/v1/tenants/{tenantId}/settings/secret-detection
PATCH /api/v1/tenants/{tenantId}/settings/secret-detection
GET /api/v1/tenants/{tenantId}/settings/secret-detection/exceptions
POST /api/v1/tenants/{tenantId}/settings/secret-detection/exceptions
DELETE /api/v1/tenants/{tenantId}/settings/secret-detection/exceptions/{exceptionId}
GET /api/v1/tenants/{tenantId}/settings/secret-detection/rule-categories
```
### SDC-008: Revelation Policy Implementation
```csharp
public static class SecretMasker
{
public static string Mask(string secretValue, SecretRevelationPolicy policy, int partialChars = 4)
{
return policy switch
{
SecretRevelationPolicy.FullMask => "[REDACTED]",
SecretRevelationPolicy.PartialReveal => MaskPartial(secretValue, partialChars),
SecretRevelationPolicy.FullReveal => secretValue,
_ => "[REDACTED]"
};
}
private static string MaskPartial(string value, int chars)
{
if (value.Length <= chars * 2)
return new string('*', value.Length);
var prefix = value[..chars];
var suffix = value[^chars..];
var masked = new string('*', Math.Min(value.Length - chars * 2, 8));
return $"{prefix}{masked}{suffix}";
}
}
```
## Directory Structure
```
src/Scanner/__Libraries/StellaOps.Scanner.Core/
├── Secrets/
│ ├── Configuration/
│ │ ├── SecretDetectionSettings.cs
│ │ ├── SecretRevelationPolicy.cs
│ │ ├── RevelationPolicyConfig.cs
│ │ ├── SecretExceptionPattern.cs
│ │ └── SecretAlertSettings.cs
│ └── Masking/
│ └── SecretMasker.cs
src/Platform/StellaOps.Platform.WebService/
├── Endpoints/
│ └── SecretDetectionSettingsEndpoints.cs
└── Persistence/
└── Migrations/
└── AddSecretDetectionSettings.cs
```
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Per-tenant settings | Multi-tenant isolation requirement |
| Role-based full reveal | Security: prevent accidental exposure |
| Exception expiration | Force periodic review of allowlists |
| Separate export/log policies | Defense in depth for sensitive data |
## Execution Log
| Date | Action | Notes |
|------|--------|-------|
| 2026-01-04 | Sprint created | Gap identified in secret detection feature |
| 2026-01-04 | SDC-001 to SDC-008 DONE | Domain models, persistence, API endpoints, exception matcher, masker implemented |
| 2026-01-04 | Files created | SecretDetectionSettings.cs, SecretRevelationPolicy.cs, SecretExceptionPattern.cs, SecretAlertSettings.cs, SecretMasker.cs, SecretExceptionMatcher.cs, migration 021_secret_detection_settings.sql, SecretDetectionSettingsRow.cs, ISecretDetectionSettingsRepository.cs, PostgresSecretDetectionSettingsRepository.cs, SecretDetectionConfigContracts.cs, SecretDetectionSettingsService.cs, SecretDetectionSettingsEndpoints.cs |
| 2026-01-04 | SDC-009 DONE | Unit tests created: SecretDetectionSettingsTests.cs, SecretMaskerTests.cs, SecretExceptionPatternTests.cs, SecretExceptionMatcherTests.cs - build verified |

298
docs/implplan/archived/SPRINT_20260104_007_BE_secret_detection_alerts.md Normal file
View File

@@ -0,0 +1,298 @@
# Sprint 20260104_007_BE - Secret Detection Alert Integration
## Topic & Scope
Integration between secret detection findings and the Notify service for real-time alerting when secrets are discovered in scans.
**Key deliverables:**
1. **Alert Routing**: Route secret findings to configured channels
2. **Alert Templates**: Formatted notifications for different channels
3. **Rate Limiting**: Prevent alert fatigue from mass findings
4. **Severity Mapping**: Map rule severity to alert priority
**Working directory:** `src/Scanner/`, `src/Notify/`
## Dependencies & Concurrency
- **Depends on**: Sprint 20260104_001 (Core Analyzer), Sprint 20260104_006 (Config API)
- **Parallel with**: Sprint 20260104_008 (UI)
- **Blocks**: Production deployment with alerting
## Documentation Prerequisites
- docs/modules/notify/architecture.md
- docs/modules/scanner/operations/secret-leak-detection.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SDA-001 | DONE | None | Scanner Guild | Define SecretAlertSettings model |
| 2 | SDA-002 | DONE | SDA-001 | Scanner Guild | Create SecretFindingAlertEvent |
| 3 | SDA-003 | DONE | SDA-002 | Notify Guild | Add secret-finding alert template |
| 4 | SDA-004 | DONE | SDA-003 | Notify Guild | Implement Slack/Teams formatters |
| 5 | SDA-005 | DONE | SDA-002 | Scanner Guild | Add alert emission to SecretsAnalyzerHost |
| 6 | SDA-006 | DONE | SDA-005 | Scanner Guild | Implement rate limiting / deduplication |
| 7 | SDA-007 | DONE | SDA-006 | Scanner Guild | Add severity-based routing |
| 8 | SDA-008 | DONE | SDA-001 | Platform Guild | Add alert settings to config API |
| 9 | SDA-009 | DONE | All | Scanner Guild | Add integration tests |
## Task Details
### SDA-001: SecretAlertSettings Model
```csharp
public sealed record SecretAlertSettings
{
/// <summary>Enable/disable alerting for this tenant.</summary>
public bool Enabled { get; init; } = true;
/// <summary>Minimum severity to trigger alert (Critical, High, Medium, Low).</summary>
public SecretSeverity MinimumAlertSeverity { get; init; } = SecretSeverity.High;
/// <summary>Alert destinations by channel type.</summary>
public IReadOnlyList<SecretAlertDestination> Destinations { get; init; } = [];
/// <summary>Rate limit: max alerts per scan.</summary>
public int MaxAlertsPerScan { get; init; } = 10;
/// <summary>Deduplication window: don't re-alert same secret within this period.</summary>
public TimeSpan DeduplicationWindow { get; init; } = TimeSpan.FromHours(24);
/// <summary>Include file path in alert (may reveal repo structure).</summary>
public bool IncludeFilePath { get; init; } = true;
/// <summary>Include masked secret value in alert.</summary>
public bool IncludeMaskedValue { get; init; } = true;
}
public sealed record SecretAlertDestination
{
public required Guid Id { get; init; }
public required AlertChannelType ChannelType { get; init; }
public required string ChannelId { get; init; } // Slack channel ID, email, webhook URL
public IReadOnlyList<SecretSeverity>? SeverityFilter { get; init; }
public IReadOnlyList<string>? RuleCategoryFilter { get; init; }
}
public enum AlertChannelType
{
Slack,
Teams,
Email,
Webhook,
PagerDuty
}
```
### SDA-002: SecretFindingAlertEvent
```csharp
public sealed record SecretFindingAlertEvent
{
public required Guid EventId { get; init; }
public required Guid TenantId { get; init; }
public required Guid ScanId { get; init; }
public required string ImageRef { get; init; }
public required SecretSeverity Severity { get; init; }
public required string RuleId { get; init; }
public required string RuleName { get; init; }
public required string RuleCategory { get; init; }
public required string FilePath { get; init; }
public required int LineNumber { get; init; }
public required string MaskedValue { get; init; }
public required DateTimeOffset DetectedAt { get; init; }
public required string ScanTriggeredBy { get; init; }
/// <summary>Deduplication key for rate limiting.</summary>
public string DeduplicationKey => $"{TenantId}:{RuleId}:{FilePath}:{LineNumber}";
}
```
### SDA-003: Alert Templates
**Slack Template:**
```json
{
"blocks": [
{
"type": "header",
"text": {
"type": "plain_text",
"text": "🚨 Secret Detected in Container Scan"
}
},
{
"type": "section",
"fields": [
{ "type": "mrkdwn", "text": "*Severity:*\n{{severity}}" },
{ "type": "mrkdwn", "text": "*Rule:*\n{{ruleName}}" },
{ "type": "mrkdwn", "text": "*Image:*\n`{{imageRef}}`" },
{ "type": "mrkdwn", "text": "*File:*\n`{{filePath}}:{{lineNumber}}`" }
]
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Detected Value:*\n```{{maskedValue}}```"
}
},
{
"type": "actions",
"elements": [
{
"type": "button",
"text": { "type": "plain_text", "text": "View in StellaOps" },
"url": "{{findingUrl}}"
},
{
"type": "button",
"text": { "type": "plain_text", "text": "Add Exception" },
"url": "{{exceptionUrl}}"
}
]
}
]
}
```
### SDA-005: Alert Emission in SecretsAnalyzerHost
```csharp
public sealed class SecretsAnalyzerHost
{
private readonly ISecretAlertEmitter _alertEmitter;
private readonly ISecretAlertDeduplicator _deduplicator;
public async Task OnSecretFoundAsync(
SecretFinding finding,
ScanContext context,
CancellationToken ct)
{
var settings = await _settingsProvider.GetAlertSettingsAsync(context.TenantId, ct);
if (!settings.Enabled)
return;
if (finding.Severity < settings.MinimumAlertSeverity)
return;
var alertEvent = MapToAlertEvent(finding, context);
// Check deduplication
if (await _deduplicator.IsDuplicateAsync(alertEvent, settings.DeduplicationWindow, ct))
{
_logger.LogDebug("secret.alert.deduplicated key={key}", alertEvent.DeduplicationKey);
return;
}
// Rate limiting
var alertCount = await _alertEmitter.GetAlertCountForScanAsync(context.ScanId, ct);
if (alertCount >= settings.MaxAlertsPerScan)
{
_logger.LogWarning("secret.alert.rate_limited scan_id={scan_id} count={count}",
context.ScanId, alertCount);
return;
}
// Emit to configured destinations
await _alertEmitter.EmitAsync(alertEvent, settings.Destinations, ct);
}
}
```
### SDA-006: Rate Limiting & Deduplication
```csharp
public interface ISecretAlertDeduplicator
{
Task<bool> IsDuplicateAsync(
SecretFindingAlertEvent alert,
TimeSpan window,
CancellationToken ct);
Task RecordAlertAsync(
SecretFindingAlertEvent alert,
CancellationToken ct);
}
public sealed class ValkeySecretAlertDeduplicator : ISecretAlertDeduplicator
{
private readonly IValkeyConnection _valkey;
public async Task<bool> IsDuplicateAsync(
SecretFindingAlertEvent alert,
TimeSpan window,
CancellationToken ct)
{
var key = $"secret:alert:dedup:{alert.DeduplicationKey}";
var exists = await _valkey.ExistsAsync(key);
return exists;
}
public async Task RecordAlertAsync(
SecretFindingAlertEvent alert,
CancellationToken ct)
{
var key = $"secret:alert:dedup:{alert.DeduplicationKey}";
await _valkey.SetAsync(key, alert.EventId.ToString(), expiry: TimeSpan.FromHours(24));
}
}
```
## Severity Mapping
| Rule Severity | Alert Priority | Default Behavior |
|---------------|----------------|------------------|
| Critical | P1 / Immediate | Always alert, page on-call |
| High | P2 / Urgent | Alert to security channel |
| Medium | P3 / Normal | Alert if configured |
| Low | P4 / Info | No alert by default |
## Directory Structure
```
src/Scanner/__Libraries/StellaOps.Scanner.Core/
├── Secrets/
│ ├── Alerts/
│ │ ├── SecretAlertSettings.cs
│ │ ├── SecretFindingAlertEvent.cs
│ │ ├── ISecretAlertEmitter.cs
│ │ ├── ISecretAlertDeduplicator.cs
│ │ └── ValkeySecretAlertDeduplicator.cs
src/Notify/__Libraries/StellaOps.Notify.Engine/
├── Templates/
│ └── SecretFindingAlertTemplate.cs
├── Formatters/
│ ├── SlackSecretAlertFormatter.cs
│ └── TeamsSecretAlertFormatter.cs
```
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Valkey for deduplication | Fast, distributed, TTL support |
| Per-scan rate limit | Prevent alert storms on large findings |
| Masked values in alerts | Balance security awareness vs exposure |
| Severity-based routing | Different channels for different priorities |
## Execution Log
| Date | Action | Notes |
|------|--------|-------|
| 2026-01-04 | Sprint created | Alert integration for secret detection |
| 2026-01-04 | SDA-001 DONE | SecretAlertSettings already implemented in Sprint 006 (SecretAlertSettings.cs) |
| 2026-01-04 | SDA-008 DONE | Alert settings already included in SecretDetectionSettings config API |
| 2026-01-04 | SDA-002 DONE | Created SecretFindingAlertEvent.cs and SecretFindingInfo.cs |
| 2026-01-04 | SDA-005 DONE | Created ISecretAlertEmitter.cs and SecretAlertEmitter.cs |
| 2026-01-04 | SDA-006 DONE | Created ISecretAlertDeduplicator.cs interface |
| 2026-01-04 | SDA-007 DONE | Created ISecretAlertRouter.cs and SecretAlertRouter.cs |
| 2026-01-04 | SDA-003/004 DONE | Created SecretFindingAlertTemplates.cs with Slack, Teams, Email, Webhook, PagerDuty templates |
| 2026-01-04 | SDA-009 DONE | Unit tests: SecretFindingAlertEventTests, SecretAlertRouterTests, SecretAlertEmitterTests |

503
docs/implplan/archived/SPRINT_20260104_008_FE_secret_detection_ui.md Normal file
View File

@@ -0,0 +1,503 @@
# Sprint 20260104_008_FE - Secret Detection UI
## Topic & Scope
Frontend components for configuring and viewing secret detection findings. Provides tenant administrators with tools to manage detection settings, view findings, and configure alerts.
**Key deliverables:**
1. **Settings Page**: Configure secret detection for tenant
2. **Findings Viewer**: View detected secrets with proper masking
3. **Exception Manager**: Add/remove allowlist patterns
4. **Alert Configuration**: Set up notification channels
**Working directory:** `src/Web/StellaOps.Web/`
## Dependencies & Concurrency
- **Depends on**: Sprint 20260104_006 (Config API), Sprint 20260104_007 (Alerts)
- **Parallel with**: None (final UI sprint)
- **Blocks**: Feature release
## Documentation Prerequisites
- docs/modules/web/architecture.md
- Angular v17 component patterns
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SDU-001 | DONE | None | Frontend Guild | Create secret-detection feature module |
| 2 | SDU-002 | DONE | SDU-001 | Frontend Guild | Build settings page component |
| 3 | SDU-003 | DONE | SDU-002 | Frontend Guild | Add revelation policy selector |
| 4 | SDU-004 | DONE | SDU-002 | Frontend Guild | Build rule category toggles |
| 5 | SDU-005 | DONE | SDU-001 | Frontend Guild | Create findings list component |
| 6 | SDU-006 | DONE | SDU-005 | Frontend Guild | Implement masked value display |
| 7 | SDU-007 | DONE | SDU-005 | Frontend Guild | Add finding detail drawer (via exception-manager) |
| 8 | SDU-008 | DONE | SDU-001 | Frontend Guild | Build exception manager component |
| 9 | SDU-009 | DONE | SDU-008 | Frontend Guild | Create exception form with validation |
| 10 | SDU-010 | DONE | SDU-001 | Frontend Guild | Build alert destination config |
| 11 | SDU-011 | DONE | SDU-010 | Frontend Guild | Add channel test functionality |
| 12 | SDU-012 | DONE | All | Frontend Guild | Add E2E tests |
## Task Details
### SDU-002: Settings Page Component
```typescript
// secret-detection-settings.component.ts
@Component({
selector: 'app-secret-detection-settings',
template: `
<div class="settings-container">
<header class="settings-header">
<h1>Secret Detection</h1>
<mat-slide-toggle
[checked]="settings()?.enabled"
(change)="onEnabledChange($event)"
color="primary">
{{ settings()?.enabled ? 'Enabled' : 'Disabled' }}
</mat-slide-toggle>
</header>
<mat-tab-group>
<mat-tab label="General">
<app-revelation-policy-config
[policy]="settings()?.revelationPolicy"
(policyChange)="onPolicyChange($event)" />
<app-rule-category-selector
[categories]="availableCategories()"
[selected]="settings()?.enabledRuleCategories"
(selectionChange)="onCategoriesChange($event)" />
</mat-tab>
<mat-tab label="Exceptions">
<app-exception-manager
[exceptions]="settings()?.exceptions"
(add)="onAddException($event)"
(remove)="onRemoveException($event)" />
</mat-tab>
<mat-tab label="Alerts">
<app-alert-destination-config
[settings]="settings()?.alertSettings"
(settingsChange)="onAlertSettingsChange($event)" />
</mat-tab>
</mat-tab-group>
</div>
`
})
export class SecretDetectionSettingsComponent {
private settingsService = inject(SecretDetectionSettingsService);
settings = this.settingsService.settings;
availableCategories = this.settingsService.availableCategories;
// ... handlers
}
```
### SDU-003: Revelation Policy Selector
```typescript
// revelation-policy-config.component.ts
@Component({
selector: 'app-revelation-policy-config',
template: `
<mat-card>
<mat-card-header>
<mat-card-title>Secret Revelation Policy</mat-card-title>
<mat-card-subtitle>
Control how detected secrets are displayed
</mat-card-subtitle>
</mat-card-header>
<mat-card-content>
<mat-radio-group
[value]="policy()?.defaultPolicy"
(change)="onDefaultPolicyChange($event)">
<mat-radio-button value="FullMask">
<div class="policy-option">
<strong>Full Mask</strong>
<span class="example">[REDACTED]</span>
<p>No secret value shown. Safest option.</p>
</div>
</mat-radio-button>
<mat-radio-button value="PartialReveal">
<div class="policy-option">
<strong>Partial Reveal</strong>
<span class="example">AKIA****WXYZ</span>
<p>Show first/last 4 characters. Helps identify specific secrets.</p>
</div>
</mat-radio-button>
<mat-radio-button value="FullReveal" [disabled]="!canFullReveal()">
<div class="policy-option">
<strong>Full Reveal</strong>
<span class="example">AKIAIOSFODNN7EXAMPLE</span>
<p>Show complete value. Requires security-admin role.</p>
</div>
</mat-radio-button>
</mat-radio-group>
<mat-divider />
<h4>Context-Specific Policies</h4>
<div class="context-policies">
<mat-form-field>
<mat-label>Export Reports</mat-label>
<mat-select [value]="policy()?.exportPolicy">
<mat-option value="FullMask">Full Mask</mat-option>
<mat-option value="PartialReveal">Partial Reveal</mat-option>
</mat-select>
</mat-form-field>
<mat-form-field>
<mat-label>Logs & Telemetry</mat-label>
<mat-select [value]="policy()?.logPolicy" disabled>
<mat-option value="FullMask">Full Mask (Enforced)</mat-option>
</mat-select>
<mat-hint>Secrets are never logged in full</mat-hint>
</mat-form-field>
</div>
</mat-card-content>
</mat-card>
`
})
```
### SDU-005: Findings List Component
```typescript
// secret-findings-list.component.ts
@Component({
selector: 'app-secret-findings-list',
template: `
<div class="findings-container">
<header class="findings-header">
<h2>Secret Findings</h2>
<div class="filters">
<mat-form-field>
<mat-label>Severity</mat-label>
<mat-select multiple [(value)]="severityFilter">
<mat-option value="Critical">Critical</mat-option>
<mat-option value="High">High</mat-option>
<mat-option value="Medium">Medium</mat-option>
<mat-option value="Low">Low</mat-option>
</mat-select>
</mat-form-field>
<mat-form-field>
<mat-label>Status</mat-label>
<mat-select [(value)]="statusFilter">
<mat-option value="Open">Open</mat-option>
<mat-option value="Dismissed">Dismissed</mat-option>
<mat-option value="Excepted">Excepted</mat-option>
</mat-select>
</mat-form-field>
</div>
</header>
<table mat-table [dataSource]="findings()">
<ng-container matColumnDef="severity">
<th mat-header-cell *matHeaderCellDef>Severity</th>
<td mat-cell *matCellDef="let finding">
<app-severity-badge [severity]="finding.severity" />
</td>
</ng-container>
<ng-container matColumnDef="rule">
<th mat-header-cell *matHeaderCellDef>Rule</th>
<td mat-cell *matCellDef="let finding">
<div class="rule-info">
<span class="rule-name">{{ finding.ruleName }}</span>
<span class="rule-category">{{ finding.ruleCategory }}</span>
</div>
</td>
</ng-container>
<ng-container matColumnDef="location">
<th mat-header-cell *matHeaderCellDef>Location</th>
<td mat-cell *matCellDef="let finding">
<code class="file-path">{{ finding.filePath }}:{{ finding.lineNumber }}</code>
</td>
</ng-container>
<ng-container matColumnDef="value">
<th mat-header-cell *matHeaderCellDef>Detected Value</th>
<td mat-cell *matCellDef="let finding">
<app-masked-secret-value
[value]="finding.value"
[policy]="revelationPolicy()"
[canReveal]="canRevealSecrets()" />
</td>
</ng-container>
<ng-container matColumnDef="actions">
<th mat-header-cell *matHeaderCellDef></th>
<td mat-cell *matCellDef="let finding">
<button mat-icon-button [matMenuTriggerFor]="actionMenu">
<mat-icon>more_vert</mat-icon>
</button>
<mat-menu #actionMenu>
<button mat-menu-item (click)="viewDetails(finding)">
<mat-icon>visibility</mat-icon>
View Details
</button>
<button mat-menu-item (click)="dismiss(finding)">
<mat-icon>cancel</mat-icon>
Dismiss
</button>
<button mat-menu-item (click)="addException(finding)">
<mat-icon>playlist_add</mat-icon>
Add Exception
</button>
</mat-menu>
</td>
</ng-container>
<tr mat-header-row *matHeaderRowDef="displayedColumns"></tr>
<tr mat-row *matRowDef="let row; columns: displayedColumns"
(click)="viewDetails(row)"></tr>
</table>
</div>
`
})
```
### SDU-006: Masked Value Display
```typescript
// masked-secret-value.component.ts
@Component({
selector: 'app-masked-secret-value',
template: `
<div class="masked-value" [class.revealed]="isRevealed()">
<code>{{ displayValue() }}</code>
@if (canReveal() && !isRevealed()) {
<button
mat-icon-button
matTooltip="Reveal value (logged)"
(click)="reveal()">
<mat-icon>visibility</mat-icon>
</button>
}
@if (isRevealed()) {
<button
mat-icon-button
matTooltip="Hide value"
(click)="hide()">
<mat-icon>visibility_off</mat-icon>
</button>
<button
mat-icon-button
matTooltip="Copy to clipboard"
(click)="copy()">
<mat-icon>content_copy</mat-icon>
</button>
}
</div>
`,
styles: [`
.masked-value {
font-family: monospace;
display: flex;
align-items: center;
gap: 8px;
}
.revealed code {
background: #fff3cd;
padding: 4px 8px;
border-radius: 4px;
}
`]
})
export class MaskedSecretValueComponent {
value = input.required<string>();
policy = input.required<SecretRevelationPolicy>();
canReveal = input<boolean>(false);
private revealed = signal(false);
isRevealed = computed(() => this.revealed() && this.canReveal());
displayValue = computed(() => {
if (this.isRevealed()) {
return this.value();
}
return this.maskValue(this.value(), this.policy());
});
reveal() {
// Log reveal action for audit
this.auditService.logSecretReveal(this.value());
this.revealed.set(true);
}
hide() {
this.revealed.set(false);
}
private maskValue(value: string, policy: SecretRevelationPolicy): string {
switch (policy) {
case 'FullMask':
return '[REDACTED]';
case 'PartialReveal':
if (value.length <= 8) return '*'.repeat(value.length);
return `${value.slice(0, 4)}${'*'.repeat(Math.min(8, value.length - 8))}${value.slice(-4)}`;
default:
return '[REDACTED]';
}
}
}
```
### SDU-010: Alert Destination Configuration
```typescript
// alert-destination-config.component.ts
@Component({
selector: 'app-alert-destination-config',
template: `
<mat-card>
<mat-card-header>
<mat-card-title>Alert Destinations</mat-card-title>
</mat-card-header>
<mat-card-content>
<div class="alert-settings">
<mat-slide-toggle [(ngModel)]="settings().enabled">
Enable Alerts
</mat-slide-toggle>
<mat-form-field>
<mat-label>Minimum Severity</mat-label>
<mat-select [(value)]="settings().minimumAlertSeverity">
<mat-option value="Critical">Critical only</mat-option>
<mat-option value="High">High and above</mat-option>
<mat-option value="Medium">Medium and above</mat-option>
<mat-option value="Low">All findings</mat-option>
</mat-select>
</mat-form-field>
</div>
<mat-divider />
<h4>Configured Channels</h4>
<div class="destinations-list">
@for (dest of settings().destinations; track dest.id) {
<mat-card class="destination-card">
<div class="destination-info">
<mat-icon>{{ getChannelIcon(dest.channelType) }}</mat-icon>
<span>{{ dest.channelType }}</span>
<code>{{ dest.channelId }}</code>
</div>
<div class="destination-actions">
<button mat-icon-button (click)="testChannel(dest)">
<mat-icon>send</mat-icon>
</button>
<button mat-icon-button color="warn" (click)="removeDestination(dest)">
<mat-icon>delete</mat-icon>
</button>
</div>
</mat-card>
}
</div>
<button mat-stroked-button (click)="addDestination()">
<mat-icon>add</mat-icon>
Add Destination
</button>
</mat-card-content>
</mat-card>
`
})
```
## UI Mockups
### Settings Page Layout
```
┌─────────────────────────────────────────────────────────────┐
│ Secret Detection [Enabled ●] │
├─────────────────────────────────────────────────────────────┤
│ [General] [Exceptions] [Alerts] │
├─────────────────────────────────────────────────────────────┤
│ │
│ ┌─ Revelation Policy ─────────────────────────────────┐ │
│ │ ○ Full Mask [REDACTED] │ │
│ │ ● Partial Reveal AKIA****WXYZ │ │
│ │ ○ Full Reveal (requires security-admin) │ │
│ └─────────────────────────────────────────────────────┘ │
│ │
│ ┌─ Rule Categories ───────────────────────────────────┐ │
│ │ ☑ AWS Credentials ☑ GCP Service Accounts │ │
│ │ ☑ Generic API Keys ☑ Private Keys │ │
│ │ ☐ Internal Tokens ☑ Database Credentials │ │
│ └─────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
```
### Findings List
```
┌─────────────────────────────────────────────────────────────┐
│ Secret Findings │
│ Severity: [All ▼] Status: [Open ▼] Image: [All ▼] │
├─────────────────────────────────────────────────────────────┤
│ SEV │ RULE │ LOCATION │ VALUE │
├─────────────────────────────────────────────────────────────┤
│ 🔴 │ AWS Access Key │ config.yaml:42 │ AKIA****XYZ │
│ 🟠 │ Generic API Key │ .env:15 │ sk_l****abc │
│ 🟡 │ Private Key │ certs/server.key │ [REDACTED] │
└─────────────────────────────────────────────────────────────┘
```
## Directory Structure
```
src/Web/StellaOps.Web/src/app/
├── features/
│ └── secret-detection/
│ ├── secret-detection.module.ts
│ ├── secret-detection.routes.ts
│ ├── pages/
│ │ ├── settings/
│ │ │ └── secret-detection-settings.component.ts
│ │ └── findings/
│ │ └── secret-findings-list.component.ts
│ ├── components/
│ │ ├── revelation-policy-config/
│ │ ├── rule-category-selector/
│ │ ├── exception-manager/
│ │ ├── alert-destination-config/
│ │ ├── masked-secret-value/
│ │ └── finding-detail-drawer/
│ └── services/
│ ├── secret-detection-settings.service.ts
│ └── secret-findings.service.ts
```
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Angular Material | Consistent with existing UI |
| Signal-based state | Modern Angular patterns |
| Audit logging on reveal | Compliance requirement |
| Lazy-loaded module | Performance optimization |
## Execution Log
| Date | Action | Notes |
|------|--------|-------|
| 2026-01-04 | Sprint created | UI components for secret detection |
| 2026-01-05 | SDU-001 to SDU-010 completed | Feature module, settings page, revelation policy, rule toggles, findings list, masked display, exception manager, alert config all implemented |
| 2026-01-05 | SDU-011 completed | Channel test functionality added to alert config |
| 2026-01-05 | SDU-012 completed | E2E tests created in e2e/secret-detection.e2e.spec.ts |
| 2026-01-05 | Sprint COMPLETE | All 12 tasks done |

10
src/AirGap/StellaOps.AirGap.Importer/Quarantine/FileSystemQuarantineService.cs
View File

@@ -4,6 +4,7 @@ using System.Text.RegularExpressions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.AirGap.Importer.Telemetry;
using StellaOps.Determinism;
namespace StellaOps.AirGap.Importer.Quarantine;
@@ -17,15 +18,18 @@ public sealed class FileSystemQuarantineService : IQuarantineService
private readonly QuarantineOptions _options;
private readonly ILogger<FileSystemQuarantineService> _logger;
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
public FileSystemQuarantineService(
IOptions<QuarantineOptions> options,
ILogger<FileSystemQuarantineService> logger,
TimeProvider timeProvider)
TimeProvider timeProvider,
IGuidProvider? guidProvider = null)
{
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
}
public async Task<QuarantineResult> QuarantineAsync(
@@ -74,7 +78,7 @@ public sealed class FileSystemQuarantineService : IQuarantineService
var now = _timeProvider.GetUtcNow();
var timestamp = now.ToString("yyyyMMdd-HHmmss", CultureInfo.InvariantCulture);
var sanitizedReason = SanitizeForPathSegment(request.ReasonCode);
var quarantineId = $"{timestamp}-{sanitizedReason}-{Guid.NewGuid():N}";
var quarantineId = $"{timestamp}-{sanitizedReason}-{_guidProvider.NewGuid():N}";
var quarantinePath = Path.Combine(tenantRoot, quarantineId);
@@ -250,7 +254,7 @@ public sealed class FileSystemQuarantineService : IQuarantineService
var removedPath = Path.Combine(removedRoot, quarantineId);
if (Directory.Exists(removedPath))
{
removedPath = Path.Combine(removedRoot, $"{quarantineId}-{Guid.NewGuid():N}");
removedPath = Path.Combine(removedRoot, $"{quarantineId}-{_guidProvider.NewGuid():N}");
}
Directory.Move(entryPath, removedPath);

1
src/AirGap/StellaOps.AirGap.Importer/StellaOps.AirGap.Importer.csproj
View File

@@ -18,5 +18,6 @@
<ProjectReference Include="..\\..\\Attestor\\StellaOps.Attestor.Envelope\\StellaOps.Attestor.Envelope.csproj" />
<ProjectReference Include="..\\..\\__Libraries\\StellaOps.Cryptography\\StellaOps.Cryptography.csproj" />
<ProjectReference Include="..\\..\\__Libraries\\StellaOps.Cryptography.Plugin.OfflineVerification\\StellaOps.Cryptography.Plugin.OfflineVerification.csproj" />
<ProjectReference Include="..\\..\\__Libraries\\StellaOps.Determinism.Abstractions\\StellaOps.Determinism.Abstractions.csproj" />
</ItemGroup>
</Project>

7
src/AirGap/StellaOps.AirGap.Importer/Validation/RuleBundleValidator.cs
View File

@@ -23,15 +23,18 @@ public sealed class RuleBundleValidator
private readonly DsseVerifier _dsseVerifier;
private readonly IVersionMonotonicityChecker _monotonicityChecker;
private readonly ILogger<RuleBundleValidator> _logger;
private readonly TimeProvider _timeProvider;
public RuleBundleValidator(
DsseVerifier dsseVerifier,
IVersionMonotonicityChecker monotonicityChecker,
ILogger<RuleBundleValidator> logger)
ILogger<RuleBundleValidator> logger,
TimeProvider? timeProvider = null)
{
_dsseVerifier = dsseVerifier ?? throw new ArgumentNullException(nameof(dsseVerifier));
_monotonicityChecker = monotonicityChecker ?? throw new ArgumentNullException(nameof(monotonicityChecker));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_timeProvider = timeProvider ?? TimeProvider.System;
}
/// <summary>
@@ -157,7 +160,7 @@ public sealed class RuleBundleValidator
BundleVersion incomingVersion;
try
{
incomingVersion = BundleVersion.Parse(request.Version, request.CreatedAt ?? DateTimeOffset.UtcNow);
incomingVersion = BundleVersion.Parse(request.Version, request.CreatedAt ?? _timeProvider.GetUtcNow());
}
catch (Exception ex)
{

15
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/ConcelierAdvisoryImportTarget.cs
View File

@@ -12,6 +12,7 @@ using System.Text.Json;
using StellaOps.AirGap.Bundle.Models;
using StellaOps.Concelier.Core.Raw;
using StellaOps.Concelier.RawModels;
using StellaOps.Determinism;
namespace StellaOps.AirGap.Bundle.Services;
@@ -134,12 +135,22 @@ public sealed class InMemoryAdvisoryRawRepository : IAdvisoryRawRepository
{
private readonly Dictionary<string, AdvisoryRawRecord> _records = new();
private readonly object _lock = new();
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
public InMemoryAdvisoryRawRepository(
TimeProvider? timeProvider = null,
IGuidProvider? guidProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
}
public Task<AdvisoryRawUpsertResult> UpsertAsync(AdvisoryRawDocument document, CancellationToken cancellationToken)
{
var contentHash = ComputeHash(document);
var key = $"{document.Tenant}:{contentHash}";
var now = DateTimeOffset.UtcNow;
var now = _timeProvider.GetUtcNow();
lock (_lock)
{
@@ -149,7 +160,7 @@ public sealed class InMemoryAdvisoryRawRepository : IAdvisoryRawRepository
}
var record = new AdvisoryRawRecord(
Id: Guid.NewGuid().ToString(),
Id: _guidProvider.NewGuid().ToString(),
Document: document,
IngestedAt: now,
CreatedAt: now);

9
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/ExcititorVexImportTarget.cs
View File

@@ -10,6 +10,7 @@ using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using StellaOps.AirGap.Bundle.Models;
using StellaOps.Determinism;
using StellaOps.Excititor.Core;
using StellaOps.Excititor.Core.Storage;
@@ -161,10 +162,14 @@ public sealed class InMemoryVexRawDocumentSink : IVexRawDocumentSink, IVexRawSto
private readonly Dictionary<string, VexRawRecord> _records = new();
private readonly string _tenant;
private readonly object _lock = new();
private readonly TimeProvider _timeProvider;
public InMemoryVexRawDocumentSink(string tenant = "default")
public InMemoryVexRawDocumentSink(
string tenant = "default",
TimeProvider? timeProvider = null)
{
_tenant = tenant;
_timeProvider = timeProvider ?? TimeProvider.System;
}
public ValueTask StoreAsync(VexRawDocument document, CancellationToken cancellationToken)
@@ -183,7 +188,7 @@ public sealed class InMemoryVexRawDocumentSink : IVexRawDocumentSink, IVexRawSto
Metadata: document.Metadata,
Content: document.Content,
InlineContent: true,
RecordedAt: DateTimeOffset.UtcNow);
RecordedAt: _timeProvider.GetUtcNow());
}
}

33
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/KnowledgeSnapshotImporter.cs
View File

@@ -9,6 +9,7 @@ using System.IO.Compression;
using System.Formats.Tar;
using System.Text.Json;
using StellaOps.AirGap.Bundle.Models;
using StellaOps.Determinism;
namespace StellaOps.AirGap.Bundle.Services;
@@ -25,15 +26,21 @@ public sealed class KnowledgeSnapshotImporter : IKnowledgeSnapshotImporter
private readonly IAdvisoryImportTarget? _advisoryTarget;
private readonly IVexImportTarget? _vexTarget;
private readonly IPolicyImportTarget? _policyTarget;
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
public KnowledgeSnapshotImporter(
IAdvisoryImportTarget? advisoryTarget = null,
IVexImportTarget? vexTarget = null,
IPolicyImportTarget? policyTarget = null)
IPolicyImportTarget? policyTarget = null,
TimeProvider? timeProvider = null,
IGuidProvider? guidProvider = null)
{
_advisoryTarget = advisoryTarget;
_vexTarget = vexTarget;
_policyTarget = policyTarget;
_timeProvider = timeProvider ?? TimeProvider.System;
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
}
/// <summary>
@@ -48,10 +55,10 @@ public sealed class KnowledgeSnapshotImporter : IKnowledgeSnapshotImporter
if (!File.Exists(request.BundlePath))
{
return SnapshotImportResult.Failed("Bundle file not found");
return SnapshotImportResult.Failed("Bundle file not found", _timeProvider);
}
var tempDir = Path.Combine(Path.GetTempPath(), $"import-{Guid.NewGuid():N}");
var tempDir = Path.Combine(Path.GetTempPath(), $"import-{_guidProvider.NewGuid():N}");
Directory.CreateDirectory(tempDir);
try
@@ -63,21 +70,21 @@ public sealed class KnowledgeSnapshotImporter : IKnowledgeSnapshotImporter
var manifestPath = Path.Combine(tempDir, "manifest.json");
if (!File.Exists(manifestPath))
{
return SnapshotImportResult.Failed("Manifest not found in bundle");
return SnapshotImportResult.Failed("Manifest not found in bundle", _timeProvider);
}
var manifestBytes = await File.ReadAllBytesAsync(manifestPath, cancellationToken);
var manifest = JsonSerializer.Deserialize<KnowledgeSnapshotManifest>(manifestBytes, JsonOptions);
if (manifest is null)
{
return SnapshotImportResult.Failed("Failed to parse manifest");
return SnapshotImportResult.Failed("Failed to parse manifest", _timeProvider);
}
var result = new SnapshotImportResult
{
Success = true,
BundleId = manifest.BundleId,
StartedAt = DateTimeOffset.UtcNow
StartedAt = _timeProvider.GetUtcNow()
};
var errors = new List<string>();
@@ -148,7 +155,7 @@ public sealed class KnowledgeSnapshotImporter : IKnowledgeSnapshotImporter
result = result with
{
CompletedAt = DateTimeOffset.UtcNow,
CompletedAt = _timeProvider.GetUtcNow(),
Statistics = stats,
Errors = errors.Count > 0 ? [.. errors] : null,
Success = errors.Count == 0 || !request.FailOnAnyError
@@ -158,7 +165,7 @@ public sealed class KnowledgeSnapshotImporter : IKnowledgeSnapshotImporter
}
catch (Exception ex)
{
return SnapshotImportResult.Failed($"Import failed: {ex.Message}");
return SnapshotImportResult.Failed($"Import failed: {ex.Message}", _timeProvider);
}
finally
{
@@ -422,13 +429,17 @@ public sealed record SnapshotImportResult
public IReadOnlyList<string>? Errors { get; init; }
public string? Error { get; init; }
public static SnapshotImportResult Failed(string error) => new()
public static SnapshotImportResult Failed(string error, TimeProvider? timeProvider = null)
{
var now = (timeProvider ?? TimeProvider.System).GetUtcNow();
return new()
{
Success = false,
Error = error,
StartedAt = DateTimeOffset.UtcNow,
CompletedAt = DateTimeOffset.UtcNow
StartedAt = now,
CompletedAt = now
};
}
}
public sealed record ImportStatistics

8
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/PolicyRegistryImportTarget.cs
View File

@@ -9,6 +9,7 @@ using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using StellaOps.AirGap.Bundle.Models;
using StellaOps.Determinism;
namespace StellaOps.AirGap.Bundle.Services;
@@ -26,13 +27,16 @@ public sealed class PolicyRegistryImportTarget : IPolicyImportTarget
private readonly IPolicyPackImportStore _store;
private readonly string _tenantId;
private readonly TimeProvider _timeProvider;
public PolicyRegistryImportTarget(
IPolicyPackImportStore store,
string tenantId = "default")
string tenantId = "default",
TimeProvider? timeProvider = null)
{
_store = store ?? throw new ArgumentNullException(nameof(store));
_tenantId = tenantId;
_timeProvider = timeProvider ?? TimeProvider.System;
}
/// <inheritdoc />
@@ -83,7 +87,7 @@ public sealed class PolicyRegistryImportTarget : IPolicyImportTarget
Version: data.Version ?? "1.0.0",
Content: data.Content,
Metadata: bundle.Metadata,
ImportedAt: DateTimeOffset.UtcNow);
ImportedAt: _timeProvider.GetUtcNow());
await _store.SaveAsync(pack, cancellationToken);
created++;

1
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/StellaOps.AirGap.Bundle.csproj
View File

@@ -9,6 +9,7 @@
<ItemGroup>
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Canonical.Json\StellaOps.Canonical.Json.csproj" />
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Determinism.Abstractions\StellaOps.Determinism.Abstractions.csproj" />
<ProjectReference Include="..\..\..\Concelier\__Libraries\StellaOps.Concelier.Core\StellaOps.Concelier.Core.csproj" />
<ProjectReference Include="..\..\..\Concelier\__Libraries\StellaOps.Concelier.RawModels\StellaOps.Concelier.RawModels.csproj" />
<ProjectReference Include="..\..\..\Excititor\__Libraries\StellaOps.Excititor.Core\StellaOps.Excititor.Core.csproj" />

9
src/EvidenceLocker/StellaOps.EvidenceLocker/Api/VerdictEndpoints.cs
View File

@@ -67,6 +67,7 @@ public static class VerdictEndpoints
private static async Task<IResult> StoreVerdictAsync(
[FromBody] StoreVerdictRequest request,
[FromServices] IVerdictRepository repository,
[FromServices] TimeProvider timeProvider,
[FromServices] ILogger<VerdictEndpointsLogger> logger,
CancellationToken cancellationToken)
{
@@ -105,7 +106,7 @@ public static class VerdictEndpoints
PredicateDigest = request.PredicateDigest,
DeterminismHash = request.DeterminismHash,
RekorLogIndex = request.RekorLogIndex,
CreatedAt = DateTimeOffset.UtcNow
CreatedAt = timeProvider.GetUtcNow()
};
// Store in repository
@@ -253,6 +254,7 @@ public static class VerdictEndpoints
private static async Task<IResult> VerifyVerdictAsync(
string verdictId,
[FromServices] IVerdictRepository repository,
[FromServices] TimeProvider timeProvider,
[FromServices] ILogger<VerdictEndpointsLogger> logger,
CancellationToken cancellationToken)
{
@@ -270,11 +272,12 @@ public static class VerdictEndpoints
// TODO: Implement actual signature verification
// For now, return a placeholder response
var now = timeProvider.GetUtcNow();
var response = new VerifyVerdictResponse
{
VerdictId = verdictId,
SignatureValid = true, // TODO: Implement verification
VerifiedAt = DateTimeOffset.UtcNow,
VerifiedAt = now,
Verifications = new[]
{
new SignatureVerification
@@ -289,7 +292,7 @@ public static class VerdictEndpoints
{
LogIndex = record.RekorLogIndex.Value,
InclusionProofValid = true, // TODO: Implement verification
VerifiedAt = DateTimeOffset.UtcNow
VerifiedAt = now
}
: null
};

10
src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/EvidenceSnapshotService.cs
View File

@@ -19,6 +19,7 @@ using StellaOps.EvidenceLocker.Core.Signing;
using StellaOps.EvidenceLocker.Core.Incident;
using StellaOps.EvidenceLocker.Core.Timeline;
using StellaOps.EvidenceLocker.Core.Storage;
using StellaOps.Determinism;
namespace StellaOps.EvidenceLocker.Infrastructure.Services;
@@ -37,6 +38,7 @@ public sealed class EvidenceSnapshotService
private readonly IIncidentModeState _incidentMode;
private readonly IEvidenceObjectStore _objectStore;
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
private readonly ILogger<EvidenceSnapshotService> _logger;
private readonly QuotaOptions _quotas;
@@ -49,7 +51,8 @@ public sealed class EvidenceSnapshotService
IEvidenceObjectStore objectStore,
TimeProvider timeProvider,
IOptions<EvidenceLockerOptions> options,
ILogger<EvidenceSnapshotService> logger)
ILogger<EvidenceSnapshotService> logger,
IGuidProvider? guidProvider = null)
{
_repository = repository ?? throw new ArgumentNullException(nameof(repository));
_bundleBuilder = bundleBuilder ?? throw new ArgumentNullException(nameof(bundleBuilder));
@@ -61,6 +64,7 @@ public sealed class EvidenceSnapshotService
ArgumentNullException.ThrowIfNull(options);
_quotas = options.Value.Quotas ?? throw new InvalidOperationException("Quota options are required.");
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
}
public async Task<EvidenceSnapshotResult> CreateSnapshotAsync(
@@ -76,7 +80,7 @@ public sealed class EvidenceSnapshotService
ArgumentNullException.ThrowIfNull(request);
ValidateRequest(request);
var bundleId = EvidenceBundleId.FromGuid(Guid.NewGuid());
var bundleId = EvidenceBundleId.FromGuid(_guidProvider.NewGuid());
var createdAt = _timeProvider.GetUtcNow();
var storageKey = $"tenants/{tenantId.Value:N}/bundles/{bundleId.Value:N}/bundle.tgz";
var incidentSnapshot = _incidentMode.Current;
@@ -245,7 +249,7 @@ public sealed class EvidenceSnapshotService
}
}
var holdId = EvidenceHoldId.FromGuid(Guid.NewGuid());
var holdId = EvidenceHoldId.FromGuid(_guidProvider.NewGuid());
var createdAt = _timeProvider.GetUtcNow();
var hold = new EvidenceHold(
holdId,

1
src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/StellaOps.EvidenceLocker.Infrastructure.csproj
View File

@@ -14,6 +14,7 @@
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Cryptography\StellaOps.Cryptography.csproj" />
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Cryptography.DependencyInjection\StellaOps.Cryptography.DependencyInjection.csproj" />
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Cryptography.Plugin.BouncyCastle\StellaOps.Cryptography.Plugin.BouncyCastle.csproj" />
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Determinism.Abstractions\StellaOps.Determinism.Abstractions.csproj" />
</ItemGroup>
<ItemGroup>

13
src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Storage/FileSystemEvidenceObjectStore.cs
View File

@@ -3,6 +3,7 @@ using Microsoft.Extensions.Logging;
using StellaOps.EvidenceLocker.Core.Configuration;
using StellaOps.EvidenceLocker.Core.Domain;
using StellaOps.EvidenceLocker.Core.Storage;
using StellaOps.Determinism;
namespace StellaOps.EvidenceLocker.Infrastructure.Storage;
@@ -11,11 +12,15 @@ internal sealed class FileSystemEvidenceObjectStore : IEvidenceObjectStore
private readonly string _rootPath;
private readonly bool _enforceWriteOnce;
private readonly ILogger<FileSystemEvidenceObjectStore> _logger;
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
public FileSystemEvidenceObjectStore(
FileSystemStoreOptions options,
bool enforceWriteOnce,
ILogger<FileSystemEvidenceObjectStore> logger)
ILogger<FileSystemEvidenceObjectStore> logger,
TimeProvider? timeProvider = null,
IGuidProvider? guidProvider = null)
{
ArgumentNullException.ThrowIfNull(options);
ArgumentException.ThrowIfNullOrWhiteSpace(options.RootPath);
@@ -23,6 +28,8 @@ internal sealed class FileSystemEvidenceObjectStore : IEvidenceObjectStore
_rootPath = Path.GetFullPath(options.RootPath);
_enforceWriteOnce = enforceWriteOnce;
_logger = logger;
_timeProvider = timeProvider ?? TimeProvider.System;
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
Directory.CreateDirectory(_rootPath);
}
@@ -33,8 +40,8 @@ internal sealed class FileSystemEvidenceObjectStore : IEvidenceObjectStore
ArgumentNullException.ThrowIfNull(options);
var writeOnce = _enforceWriteOnce || options.EnforceWriteOnce;
var utcNow = DateTimeOffset.UtcNow;
var tempFilePath = Path.Combine(_rootPath, ".tmp", Guid.NewGuid().ToString("N"));
var utcNow = _timeProvider.GetUtcNow();
var tempFilePath = Path.Combine(_rootPath, ".tmp", _guidProvider.NewGuid().ToString("N"));
Directory.CreateDirectory(Path.GetDirectoryName(tempFilePath)!);

13
src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Storage/S3EvidenceObjectStore.cs
View File

@@ -6,6 +6,7 @@ using Microsoft.Extensions.Logging;
using StellaOps.EvidenceLocker.Core.Configuration;
using StellaOps.EvidenceLocker.Core.Domain;
using StellaOps.EvidenceLocker.Core.Storage;
using StellaOps.Determinism;
namespace StellaOps.EvidenceLocker.Infrastructure.Storage;
@@ -15,17 +16,23 @@ internal sealed class S3EvidenceObjectStore : IEvidenceObjectStore, IDisposable
private readonly AmazonS3StoreOptions _options;
private readonly bool _enforceWriteOnce;
private readonly ILogger<S3EvidenceObjectStore> _logger;
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
public S3EvidenceObjectStore(
IAmazonS3 s3,
AmazonS3StoreOptions options,
bool enforceWriteOnce,
ILogger<S3EvidenceObjectStore> logger)
ILogger<S3EvidenceObjectStore> logger,
TimeProvider? timeProvider = null,
IGuidProvider? guidProvider = null)
{
_s3 = s3 ?? throw new ArgumentNullException(nameof(s3));
_options = options ?? throw new ArgumentNullException(nameof(options));
_enforceWriteOnce = enforceWriteOnce;
_logger = logger;
_timeProvider = timeProvider ?? TimeProvider.System;
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
}
public async Task<EvidenceObjectMetadata> StoreAsync(
@@ -37,7 +44,7 @@ internal sealed class S3EvidenceObjectStore : IEvidenceObjectStore, IDisposable
ArgumentNullException.ThrowIfNull(options);
var writeOnce = _enforceWriteOnce || options.EnforceWriteOnce;
var tempFilePath = Path.Combine(Path.GetTempPath(), $"evidence-{Guid.NewGuid():N}.tmp");
var tempFilePath = Path.Combine(Path.GetTempPath(), $"evidence-{_guidProvider.NewGuid():N}.tmp");
using var sha = SHA256.Create();
long totalBytes = 0;
@@ -83,7 +90,7 @@ internal sealed class S3EvidenceObjectStore : IEvidenceObjectStore, IDisposable
SizeBytes: totalBytes,
Sha256: sha256,
ETag: eTag,
CreatedAt: DateTimeOffset.UtcNow);
CreatedAt: _timeProvider.GetUtcNow());
}
public async Task<Stream> OpenReadAsync(string storageKey, CancellationToken cancellationToken)

12
src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Timeline/TimelineIndexerEvidenceTimelinePublisher.cs
View File

@@ -15,6 +15,7 @@ using StellaOps.EvidenceLocker.Core.Configuration;
using StellaOps.EvidenceLocker.Core.Domain;
using StellaOps.EvidenceLocker.Core.Incident;
using StellaOps.EvidenceLocker.Core.Timeline;
using StellaOps.Determinism;
namespace StellaOps.EvidenceLocker.Infrastructure.Timeline;
@@ -29,12 +30,14 @@ internal sealed class TimelineIndexerEvidenceTimelinePublisher : IEvidenceTimeli
private readonly TimelineOptions _options;
private readonly ILogger<TimelineIndexerEvidenceTimelinePublisher> _logger;
private readonly Uri _endpoint;
private readonly IGuidProvider _guidProvider;
public TimelineIndexerEvidenceTimelinePublisher(
HttpClient httpClient,
IOptions<EvidenceLockerOptions> options,
TimeProvider timeProvider,
ILogger<TimelineIndexerEvidenceTimelinePublisher> logger)
ILogger<TimelineIndexerEvidenceTimelinePublisher> logger,
IGuidProvider? guidProvider = null)
{
_httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
ArgumentNullException.ThrowIfNull(options);
@@ -53,6 +56,7 @@ internal sealed class TimelineIndexerEvidenceTimelinePublisher : IEvidenceTimeli
_endpoint = new Uri(_options.Endpoint, UriKind.Absolute);
ArgumentNullException.ThrowIfNull(timeProvider);
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
}
public async Task PublishBundleSealedAsync(
@@ -85,7 +89,7 @@ internal sealed class TimelineIndexerEvidenceTimelinePublisher : IEvidenceTimeli
private TimelineEventEnvelope BuildBundleEvent(EvidenceBundleSignature signature, EvidenceBundleManifest manifest, string rootHash)
{
var eventId = Guid.NewGuid();
var eventId = _guidProvider.NewGuid();
var occurredAt = signature.TimestampedAt ?? signature.SignedAt;
var attributes = new SortedDictionary<string, string>(StringComparer.Ordinal)
{
@@ -139,7 +143,7 @@ internal sealed class TimelineIndexerEvidenceTimelinePublisher : IEvidenceTimeli
private TimelineEventEnvelope BuildHoldEvent(EvidenceHold hold)
{
var eventId = Guid.NewGuid();
var eventId = _guidProvider.NewGuid();
var occurredAt = hold.CreatedAt;
var attributes = new SortedDictionary<string, string>(StringComparer.Ordinal)
{
@@ -175,7 +179,7 @@ internal sealed class TimelineIndexerEvidenceTimelinePublisher : IEvidenceTimeli
private TimelineEventEnvelope BuildIncidentEvent(IncidentModeChange change)
{
var eventId = Guid.NewGuid();
var eventId = _guidProvider.NewGuid();
var attributes = new SortedDictionary<string, string>(StringComparer.Ordinal)
{
["state"] = change.IsActive ? "enabled" : "disabled",

2
src/EvidenceLocker/StellaOps.EvidenceLocker/Storage/IVerdictRepository.cs
View File

@@ -63,7 +63,7 @@ public sealed record VerdictAttestationRecord
public required string PredicateDigest { get; init; }
public string? DeterminismHash { get; init; }
public long? RekorLogIndex { get; init; }
public DateTimeOffset CreatedAt { get; init; } = DateTimeOffset.UtcNow;
public required DateTimeOffset CreatedAt { get; init; }
}
/// <summary>

10
src/IssuerDirectory/StellaOps.IssuerDirectory/StellaOps.IssuerDirectory.Core/Services/IssuerKeyService.cs
View File

@@ -1,5 +1,6 @@
using System.Security.Cryptography;
using Microsoft.Extensions.Logging;
using StellaOps.Determinism;
using StellaOps.IssuerDirectory.Core.Abstractions;
using StellaOps.IssuerDirectory.Core.Domain;
using StellaOps.IssuerDirectory.Core.Observability;
@@ -16,6 +17,7 @@ public sealed class IssuerKeyService
private readonly IIssuerKeyRepository _keyRepository;
private readonly IIssuerAuditSink _auditSink;
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
private readonly ILogger<IssuerKeyService> _logger;
public IssuerKeyService(
@@ -23,13 +25,15 @@ public sealed class IssuerKeyService
IIssuerKeyRepository keyRepository,
IIssuerAuditSink auditSink,
TimeProvider timeProvider,
ILogger<IssuerKeyService> logger)
ILogger<IssuerKeyService> logger,
IGuidProvider? guidProvider = null)
{
_issuerRepository = issuerRepository ?? throw new ArgumentNullException(nameof(issuerRepository));
_keyRepository = keyRepository ?? throw new ArgumentNullException(nameof(keyRepository));
_auditSink = auditSink ?? throw new ArgumentNullException(nameof(auditSink));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
}
public async Task<IReadOnlyCollection<IssuerKeyRecord>> ListAsync(
@@ -101,7 +105,7 @@ public sealed class IssuerKeyService
var now = _timeProvider.GetUtcNow();
var record = IssuerKeyRecord.Create(
Guid.NewGuid().ToString("n"),
_guidProvider.NewGuid().ToString("n"),
issuerId,
tenantId,
type,
@@ -205,7 +209,7 @@ public sealed class IssuerKeyService
.ConfigureAwait(false);
var replacement = IssuerKeyRecord.Create(
Guid.NewGuid().ToString("n"),
_guidProvider.NewGuid().ToString("n"),
issuerId,
tenantId,
newType,

3
src/IssuerDirectory/StellaOps.IssuerDirectory/StellaOps.IssuerDirectory.Core/StellaOps.IssuerDirectory.Core.csproj
View File

@@ -9,4 +9,7 @@
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Determinism.Abstractions\StellaOps.Determinism.Abstractions.csproj" />
</ItemGroup>
</Project>

11
src/Scanner/StellaOps.Scanner.Analyzers.Native/Hardening/ElfHardeningExtractor.cs
View File

@@ -11,6 +11,13 @@ namespace StellaOps.Scanner.Analyzers.Native.Hardening;
/// </summary>
public sealed class ElfHardeningExtractor : IHardeningExtractor
{
private readonly TimeProvider _timeProvider;
public ElfHardeningExtractor(TimeProvider? timeProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
}
// ELF magic bytes
private static readonly byte[] ElfMagic = [0x7F, 0x45, 0x4C, 0x46]; // \x7FELF
@@ -596,7 +603,7 @@ public sealed class ElfHardeningExtractor : IHardeningExtractor
#endregion
private static BinaryHardeningFlags CreateResult(
private BinaryHardeningFlags CreateResult(
string path,
string digest,
List<HardeningFlag> flags,
@@ -623,7 +630,7 @@ public sealed class ElfHardeningExtractor : IHardeningExtractor
Flags: [.. flags],
HardeningScore: Math.Round(score, 2),
MissingFlags: [.. missing],
ExtractedAt: DateTimeOffset.UtcNow);
ExtractedAt: _timeProvider.GetUtcNow());
}
private static ushort ReadUInt16(ReadOnlySpan<byte> span, bool littleEndian)

11
src/Scanner/StellaOps.Scanner.Analyzers.Native/Hardening/MachoHardeningExtractor.cs
View File

@@ -17,6 +17,13 @@ namespace StellaOps.Scanner.Analyzers.Native.Hardening;
/// </summary>
public sealed class MachoHardeningExtractor : IHardeningExtractor
{
private readonly TimeProvider _timeProvider;
public MachoHardeningExtractor(TimeProvider? timeProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
}
// Mach-O magic numbers
private const uint MH_MAGIC = 0xFEEDFACE; // 32-bit
private const uint MH_CIGAM = 0xCEFAEDFE; // 32-bit (reversed)
@@ -257,7 +264,7 @@ public sealed class MachoHardeningExtractor : IHardeningExtractor
: BinaryPrimitives.ReadUInt32BigEndian(data.AsSpan(offset, 4));
}
private static BinaryHardeningFlags CreateResult(
private BinaryHardeningFlags CreateResult(
string path,
string digest,
List<HardeningFlag> flags,
@@ -283,6 +290,6 @@ public sealed class MachoHardeningExtractor : IHardeningExtractor
Flags: [.. flags],
HardeningScore: Math.Round(score, 2),
MissingFlags: [.. missing],
ExtractedAt: DateTimeOffset.UtcNow);
ExtractedAt: _timeProvider.GetUtcNow());
}
}

11
src/Scanner/StellaOps.Scanner.Analyzers.Native/Hardening/PeHardeningExtractor.cs
View File

@@ -19,6 +19,13 @@ namespace StellaOps.Scanner.Analyzers.Native.Hardening;
/// </summary>
public sealed class PeHardeningExtractor : IHardeningExtractor
{
private readonly TimeProvider _timeProvider;
public PeHardeningExtractor(TimeProvider? timeProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
}
// PE magic bytes: MZ (DOS header)
private const ushort DOS_MAGIC = 0x5A4D; // "MZ"
private const uint PE_SIGNATURE = 0x00004550; // "PE\0\0"
@@ -233,7 +240,7 @@ public sealed class PeHardeningExtractor : IHardeningExtractor
}
}
private static BinaryHardeningFlags CreateResult(
private BinaryHardeningFlags CreateResult(
string path,
string digest,
List<HardeningFlag> flags,
@@ -259,6 +266,6 @@ public sealed class PeHardeningExtractor : IHardeningExtractor
Flags: [.. flags],
HardeningScore: Math.Round(score, 2),
MissingFlags: [.. missing],
ExtractedAt: DateTimeOffset.UtcNow);
ExtractedAt: _timeProvider.GetUtcNow());
}
}

7
src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/OfflineBuildIdIndex.cs
View File

@@ -17,6 +17,7 @@ public sealed class OfflineBuildIdIndex : IBuildIdIndex
private readonly BuildIdIndexOptions _options;
private readonly ILogger<OfflineBuildIdIndex> _logger;
private readonly IDsseSigningService? _dsseSigningService;
private readonly TimeProvider _timeProvider;
private FrozenDictionary<string, BuildIdLookupResult> _index = FrozenDictionary<string, BuildIdLookupResult>.Empty;
private bool _isLoaded;
@@ -31,7 +32,8 @@ public sealed class OfflineBuildIdIndex : IBuildIdIndex
public OfflineBuildIdIndex(
IOptions<BuildIdIndexOptions> options,
ILogger<OfflineBuildIdIndex> logger,
IDsseSigningService? dsseSigningService = null)
IDsseSigningService? dsseSigningService = null,
TimeProvider? timeProvider = null)
{
ArgumentNullException.ThrowIfNull(options);
ArgumentNullException.ThrowIfNull(logger);
@@ -39,6 +41,7 @@ public sealed class OfflineBuildIdIndex : IBuildIdIndex
_options = options.Value;
_logger = logger;
_dsseSigningService = dsseSigningService;
_timeProvider = timeProvider ?? TimeProvider.System;
}
/// <inheritdoc />
@@ -176,7 +179,7 @@ public sealed class OfflineBuildIdIndex : IBuildIdIndex
// Check index freshness
if (_options.MaxIndexAge > TimeSpan.Zero)
{
var oldestAllowed = DateTimeOffset.UtcNow - _options.MaxIndexAge;
var oldestAllowed = _timeProvider.GetUtcNow() - _options.MaxIndexAge;
var latestEntry = entries.Values.MaxBy(e => e.IndexedAt);
if (latestEntry is not null && latestEntry.IndexedAt < oldestAllowed)
{

22
src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/LinuxEbpfCaptureAdapter.cs
View File

@@ -4,6 +4,7 @@ using System.Runtime.InteropServices;
using System.Runtime.Versioning;
using System.Text;
using System.Text.RegularExpressions;
using StellaOps.Determinism;
namespace StellaOps.Scanner.Analyzers.Native.RuntimeCapture;
@@ -22,6 +23,8 @@ namespace StellaOps.Scanner.Analyzers.Native.RuntimeCapture;
[SupportedOSPlatform("linux")]
public sealed class LinuxEbpfCaptureAdapter : IRuntimeCaptureAdapter
{
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
private readonly ConcurrentBag<RuntimeLoadEvent> _events = [];
private readonly object _stateLock = new();
private CaptureState _state = CaptureState.Idle;
@@ -33,6 +36,17 @@ public sealed class LinuxEbpfCaptureAdapter : IRuntimeCaptureAdapter
private long _droppedEvents;
private int _redactedPaths;
/// <summary>
/// Creates a new Linux eBPF capture adapter.
/// </summary>
/// <param name="timeProvider">Optional time provider for deterministic timestamps.</param>
/// <param name="guidProvider">Optional GUID provider for deterministic session IDs.</param>
public LinuxEbpfCaptureAdapter(TimeProvider? timeProvider = null, IGuidProvider? guidProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
}
/// <inheritdoc />
public string AdapterId => "linux-ebpf-dlopen";
@@ -152,8 +166,8 @@ public sealed class LinuxEbpfCaptureAdapter : IRuntimeCaptureAdapter
_events.Clear();
_droppedEvents = 0;
_redactedPaths = 0;
SessionId = Guid.NewGuid().ToString("N");
_startTime = DateTime.UtcNow;
SessionId = _guidProvider.NewGuid().ToString("N");
_startTime = _timeProvider.GetUtcNow().UtcDateTime;
_captureCts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
try
@@ -243,7 +257,7 @@ public sealed class LinuxEbpfCaptureAdapter : IRuntimeCaptureAdapter
var session = new RuntimeCaptureSession(
SessionId: SessionId ?? "unknown",
StartTime: _startTime,
EndTime: DateTime.UtcNow,
EndTime: _timeProvider.GetUtcNow().UtcDateTime,
Platform: Platform,
CaptureMethod: CaptureMethod,
TargetProcessId: _options?.TargetProcessId,
@@ -405,7 +419,7 @@ public sealed class LinuxEbpfCaptureAdapter : IRuntimeCaptureAdapter
if (parts[0] == "DLOPEN" && parts.Length >= 5)
{
return new RuntimeLoadEvent(
Timestamp: DateTime.UtcNow,
Timestamp: _timeProvider.GetUtcNow().UtcDateTime,
ProcessId: int.Parse(parts[1]),
ThreadId: int.Parse(parts[2]),
LoadType: RuntimeLoadType.Dlopen,

22
src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/MacOsDyldCaptureAdapter.cs
View File

@@ -3,6 +3,7 @@ using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Runtime.Versioning;
using System.Text.RegularExpressions;
using StellaOps.Determinism;
namespace StellaOps.Scanner.Analyzers.Native.RuntimeCapture;
@@ -23,6 +24,8 @@ namespace StellaOps.Scanner.Analyzers.Native.RuntimeCapture;
[SupportedOSPlatform("macos")]
public sealed class MacOsDyldCaptureAdapter : IRuntimeCaptureAdapter
{
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
private readonly ConcurrentBag<RuntimeLoadEvent> _events = [];
private readonly object _stateLock = new();
private CaptureState _state = CaptureState.Idle;
@@ -34,6 +37,17 @@ public sealed class MacOsDyldCaptureAdapter : IRuntimeCaptureAdapter
private long _droppedEvents;
private int _redactedPaths;
/// <summary>
/// Creates a new macOS dyld capture adapter.
/// </summary>
/// <param name="timeProvider">Optional time provider for deterministic timestamps.</param>
/// <param name="guidProvider">Optional GUID provider for deterministic session IDs.</param>
public MacOsDyldCaptureAdapter(TimeProvider? timeProvider = null, IGuidProvider? guidProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
}
/// <inheritdoc />
public string AdapterId => "macos-dyld-interpose";
@@ -156,8 +170,8 @@ public sealed class MacOsDyldCaptureAdapter : IRuntimeCaptureAdapter
_events.Clear();
_droppedEvents = 0;
_redactedPaths = 0;
SessionId = Guid.NewGuid().ToString("N");
_startTime = DateTime.UtcNow;
SessionId = _guidProvider.NewGuid().ToString("N");
_startTime = _timeProvider.GetUtcNow().UtcDateTime;
_captureCts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
try
@@ -247,7 +261,7 @@ public sealed class MacOsDyldCaptureAdapter : IRuntimeCaptureAdapter
var session = new RuntimeCaptureSession(
SessionId: SessionId ?? "unknown",
StartTime: _startTime,
EndTime: DateTime.UtcNow,
EndTime: _timeProvider.GetUtcNow().UtcDateTime,
Platform: Platform,
CaptureMethod: CaptureMethod,
TargetProcessId: _options?.TargetProcessId,
@@ -417,7 +431,7 @@ public sealed class MacOsDyldCaptureAdapter : IRuntimeCaptureAdapter
: RuntimeLoadType.MacOsDlopen;
return new RuntimeLoadEvent(
Timestamp: DateTime.UtcNow,
Timestamp: _timeProvider.GetUtcNow().UtcDateTime,
ProcessId: int.Parse(parts[1]),
ThreadId: int.Parse(parts[2]),
LoadType: loadType,

7
src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/RuntimeEvidenceAggregator.cs
View File

@@ -48,11 +48,13 @@ public static class RuntimeEvidenceAggregator
/// <param name="runtimeEvidence">Runtime capture evidence.</param>
/// <param name="staticEdges">Static analysis dependency edges.</param>
/// <param name="heuristicEdges">Heuristic analysis edges.</param>
/// <param name="timeProvider">Optional time provider for deterministic timestamps.</param>
/// <returns>Merged evidence document.</returns>
public static MergedEvidence MergeWithStaticAnalysis(
RuntimeEvidence runtimeEvidence,
IEnumerable<Observations.NativeObservationDeclaredEdge> staticEdges,
IEnumerable<Observations.NativeObservationHeuristicEdge> heuristicEdges)
IEnumerable<Observations.NativeObservationHeuristicEdge> heuristicEdges,
TimeProvider? timeProvider = null)
{
var staticList = staticEdges.ToList();
var heuristicList = heuristicEdges.ToList();
@@ -140,6 +142,7 @@ public static class RuntimeEvidenceAggregator
}
}
var tp = timeProvider ?? TimeProvider.System;
return new MergedEvidence(
ConfirmedEdges: confirmedEdges,
StaticOnlyEdges: staticOnlyEdges,
@@ -148,7 +151,7 @@ public static class RuntimeEvidenceAggregator
TotalRuntimeEvents: runtimeEvidence.Sessions.Sum(s => s.Events.Count),
TotalDroppedEvents: runtimeEvidence.Sessions.Sum(s => s.TotalEventsDropped),
CaptureStartTime: runtimeEvidence.Sessions.Min(s => s.StartTime),
CaptureEndTime: runtimeEvidence.Sessions.Max(s => s.EndTime ?? DateTime.UtcNow));
CaptureEndTime: runtimeEvidence.Sessions.Max(s => s.EndTime ?? tp.GetUtcNow().UtcDateTime));
}
/// <summary>

7
src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/StackTraceCapture.cs
View File

@@ -273,7 +273,9 @@ public sealed record CollapsedStack
/// Parses a collapsed stack line.
/// Format: "container@digest;buildid=xxx;func;... count"
/// </summary>
public static CollapsedStack? Parse(string line)
/// <param name="line">The collapsed stack line to parse.</param>
/// <param name="timeProvider">Optional time provider for deterministic timestamps.</param>
public static CollapsedStack? Parse(string line, TimeProvider? timeProvider = null)
{
if (string.IsNullOrWhiteSpace(line))
return null;
@@ -305,7 +307,8 @@ public sealed record CollapsedStack
}
}
var now = DateTime.UtcNow;
var tp = timeProvider ?? TimeProvider.System;
var now = tp.GetUtcNow().UtcDateTime;
return new CollapsedStack
{
ContainerIdentifier = container,

22
src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/WindowsEtwCaptureAdapter.cs
View File

@@ -4,6 +4,7 @@ using System.Runtime.InteropServices;
using System.Runtime.Versioning;
using System.Security.Principal;
using System.Text.RegularExpressions;
using StellaOps.Determinism;
namespace StellaOps.Scanner.Analyzers.Native.RuntimeCapture;
@@ -21,6 +22,8 @@ namespace StellaOps.Scanner.Analyzers.Native.RuntimeCapture;
[SupportedOSPlatform("windows")]
public sealed class WindowsEtwCaptureAdapter : IRuntimeCaptureAdapter
{
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
private readonly ConcurrentBag<RuntimeLoadEvent> _events = [];
private readonly object _stateLock = new();
private CaptureState _state = CaptureState.Idle;
@@ -34,6 +37,17 @@ public sealed class WindowsEtwCaptureAdapter : IRuntimeCaptureAdapter
private long _droppedEvents;
private int _redactedPaths;
/// <summary>
/// Creates a new Windows ETW capture adapter.
/// </summary>
/// <param name="timeProvider">Optional time provider for deterministic timestamps.</param>
/// <param name="guidProvider">Optional GUID provider for deterministic session IDs.</param>
public WindowsEtwCaptureAdapter(TimeProvider? timeProvider = null, IGuidProvider? guidProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
}
/// <inheritdoc />
public string AdapterId => "windows-etw-imageload";
@@ -146,8 +160,8 @@ public sealed class WindowsEtwCaptureAdapter : IRuntimeCaptureAdapter
_events.Clear();
_droppedEvents = 0;
_redactedPaths = 0;
SessionId = Guid.NewGuid().ToString("N");
_startTime = DateTime.UtcNow;
SessionId = _guidProvider.NewGuid().ToString("N");
_startTime = _timeProvider.GetUtcNow().UtcDateTime;
_captureCts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
try
@@ -240,7 +254,7 @@ public sealed class WindowsEtwCaptureAdapter : IRuntimeCaptureAdapter
var session = new RuntimeCaptureSession(
SessionId: SessionId ?? "unknown",
StartTime: _startTime,
EndTime: DateTime.UtcNow,
EndTime: _timeProvider.GetUtcNow().UtcDateTime,
Platform: Platform,
CaptureMethod: CaptureMethod,
TargetProcessId: _options?.TargetProcessId,
@@ -480,7 +494,7 @@ public sealed class WindowsEtwCaptureAdapter : IRuntimeCaptureAdapter
: RuntimeLoadType.LoadLibrary;
var evt = new RuntimeLoadEvent(
Timestamp: DateTime.UtcNow,
Timestamp: _timeProvider.GetUtcNow().UtcDateTime,
ProcessId: processId,
ThreadId: 0,
LoadType: loadType,

1
src/Scanner/StellaOps.Scanner.Analyzers.Native/StellaOps.Scanner.Analyzers.Native.csproj
View File

@@ -15,6 +15,7 @@
<ItemGroup>
<ProjectReference Include="..\\__Libraries\\StellaOps.Scanner.ProofSpine\\StellaOps.Scanner.ProofSpine.csproj" />
<ProjectReference Include="..\\..\\__Libraries\\StellaOps.Determinism.Abstractions\\StellaOps.Determinism.Abstractions.csproj" />
</ItemGroup>
<ItemGroup>

6
src/Scanner/StellaOps.Scanner.WebService/Endpoints/EpssEndpoints.cs
View File

@@ -151,6 +151,7 @@ public static class EpssEndpoints
private static async Task<IResult> GetHistory(
[FromRoute] string cveId,
[FromServices] IEpssProvider epssProvider,
[FromServices] TimeProvider timeProvider,
[FromQuery] string? startDate = null,
[FromQuery] string? endDate = null,
[FromQuery] int days = 30,
@@ -183,7 +184,7 @@ public static class EpssEndpoints
else
{
// Default to last N days
end = DateOnly.FromDateTime(DateTime.UtcNow);
end = DateOnly.FromDateTime(timeProvider.GetUtcNow().UtcDateTime);
start = end.AddDays(-days);
}
@@ -213,6 +214,7 @@ public static class EpssEndpoints
/// </summary>
private static async Task<IResult> GetStatus(
[FromServices] IEpssProvider epssProvider,
[FromServices] TimeProvider timeProvider,
CancellationToken cancellationToken)
{
var isAvailable = await epssProvider.IsAvailableAsync(cancellationToken);
@@ -222,7 +224,7 @@ public static class EpssEndpoints
{
Available = isAvailable,
LatestModelDate = modelDate?.ToString("yyyy-MM-dd"),
LastCheckedUtc = DateTimeOffset.UtcNow
LastCheckedUtc = timeProvider.GetUtcNow()
});
}
}

3
src/Scanner/StellaOps.Scanner.WebService/Endpoints/EvidenceEndpoints.cs
View File

@@ -60,6 +60,7 @@ internal static class EvidenceEndpoints
string scanId,
string findingId,
IEvidenceCompositionService evidenceService,
TimeProvider timeProvider,
HttpContext context,
CancellationToken cancellationToken)
{
@@ -108,7 +109,7 @@ internal static class EvidenceEndpoints
}
else if (evidence.Freshness.ExpiresAt.HasValue)
{
var timeUntilExpiry = evidence.Freshness.ExpiresAt.Value - DateTimeOffset.UtcNow;
var timeUntilExpiry = evidence.Freshness.ExpiresAt.Value - timeProvider.GetUtcNow();
if (timeUntilExpiry <= TimeSpan.FromDays(1))
{
context.Response.Headers["X-Evidence-Warning"] = "near-expiry";

3
src/Scanner/StellaOps.Scanner.WebService/Endpoints/SmartDiffEndpoints.cs
View File

@@ -270,6 +270,7 @@ internal static class SmartDiffEndpoints
string candidateId,
ReviewRequest request,
IVexCandidateStore store,
TimeProvider timeProvider,
HttpContext httpContext,
CancellationToken ct = default)
{
@@ -282,7 +283,7 @@ internal static class SmartDiffEndpoints
var review = new VexCandidateReview(
Action: action,
Reviewer: reviewer,
ReviewedAt: DateTimeOffset.UtcNow,
ReviewedAt: timeProvider.GetUtcNow(),
Comment: request.Comment);
var success = await store.ReviewCandidateAsync(candidateId, review, ct);

3
src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/ProofBundleEndpoints.cs
View File

@@ -41,6 +41,7 @@ internal static class ProofBundleEndpoints
private static async Task<IResult> HandleGenerateProofBundleAsync(
[FromBody] ProofBundleRequest request,
[FromServices] IProofBundleGenerator bundleGenerator,
[FromServices] TimeProvider timeProvider,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(bundleGenerator);
@@ -67,7 +68,7 @@ internal static class ProofBundleEndpoints
{
PathId = request.PathId,
Bundle = bundle,
GeneratedAt = DateTimeOffset.UtcNow
GeneratedAt = timeProvider.GetUtcNow()
};
return Results.Ok(response);

3
src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/TriageInboxEndpoints.cs
View File

@@ -50,6 +50,7 @@ internal static class TriageInboxEndpoints
[FromQuery] string? filter,
[FromServices] IExploitPathGroupingService groupingService,
[FromServices] IFindingQueryService findingService,
[FromServices] TimeProvider timeProvider,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(groupingService);
@@ -77,7 +78,7 @@ internal static class TriageInboxEndpoints
FilteredPaths = filteredPaths.Count,
Filter = filter,
Paths = filteredPaths,
GeneratedAt = DateTimeOffset.UtcNow
GeneratedAt = timeProvider.GetUtcNow()
};
return Results.Ok(response);

8
src/Scanner/StellaOps.Scanner.WebService/Endpoints/UnknownsEndpoints.cs
View File

@@ -55,6 +55,7 @@ internal static class UnknownsEndpoints
[FromQuery] int? limit,
IUnknownRepository repository,
IUnknownRanker ranker,
TimeProvider timeProvider,
CancellationToken cancellationToken)
{
// Validate and default pagination
@@ -95,9 +96,10 @@ internal static class UnknownsEndpoints
PageSize: pageSize);
var result = await repository.ListUnknownsAsync(query, cancellationToken);
var now = timeProvider.GetUtcNow();
return Results.Ok(new UnknownsListResponse(
Items: result.Items.Select(UnknownItemResponse.FromUnknownItem).ToList(),
Items: result.Items.Select(item => UnknownItemResponse.FromUnknownItem(item, now)).ToList(),
TotalCount: result.TotalCount,
Page: pageNum,
PageSize: pageSize,
@@ -195,7 +197,7 @@ public sealed record UnknownItemResponse(
ContainmentResponse? Containment,
DateTimeOffset CreatedAt)
{
public static UnknownItemResponse FromUnknownItem(UnknownItem item) => new(
public static UnknownItemResponse FromUnknownItem(UnknownItem item, DateTimeOffset now) => new(
Id: Guid.TryParse(item.Id, out var id) ? id : Guid.Empty,
SubjectRef: item.ArtifactPurl ?? item.ArtifactDigest,
Kind: string.Join(",", item.Reasons),
@@ -209,7 +211,7 @@ public sealed record UnknownItemResponse(
Containment: item.Containment != null
? new ContainmentResponse(item.Containment.Seccomp, item.Containment.Fs)
: null,
CreatedAt: DateTimeOffset.UtcNow); // Would come from Unknown.SysFrom
CreatedAt: now); // Would come from Unknown.SysFrom
}
/// <summary>

6
src/Scanner/StellaOps.Scanner.WebService/Endpoints/WitnessEndpoints.cs
View File

@@ -120,6 +120,7 @@ internal static class WitnessEndpoints
private static async Task<IResult> HandleVerifyWitnessAsync(
Guid witnessId,
IWitnessRepository repository,
TimeProvider timeProvider,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(repository);
@@ -161,10 +162,11 @@ internal static class WitnessEndpoints
}
// Record verification attempt
var now = timeProvider.GetUtcNow();
await repository.RecordVerificationAsync(new WitnessVerificationRecord
{
WitnessId = witnessId,
VerifiedAt = DateTimeOffset.UtcNow,
VerifiedAt = now,
VerifiedBy = "api",
VerificationStatus = verificationStatus,
VerificationError = verificationError
@@ -176,7 +178,7 @@ internal static class WitnessEndpoints
WitnessHash = witness.WitnessHash,
Status = verificationStatus,
Error = verificationError,
VerifiedAt = DateTimeOffset.UtcNow,
VerifiedAt = now,
IsSigned = !string.IsNullOrEmpty(witness.DsseEnvelope)
});
}

6
src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceBundleExporter.cs
View File

@@ -306,7 +306,7 @@ public sealed class EvidenceBundleExporter : IEvidenceBundleExporter
return sb.ToString();
}
private static async Task PrepareEvidenceFilesAsync(
private async Task PrepareEvidenceFilesAsync(
UnifiedEvidenceResponseDto evidence,
List<(string path, MemoryStream stream, string contentType)> streams,
List<ArchiveFileEntry> entries,
@@ -621,7 +621,7 @@ public sealed class EvidenceBundleExporter : IEvidenceBundleExporter
}
}
private static async Task CreateTarGzArchiveAsync(
private async Task CreateTarGzArchiveAsync(
string findingId,
List<(string path, MemoryStream stream, string contentType)> files,
Stream outputStream,
@@ -660,7 +660,7 @@ public sealed class EvidenceBundleExporter : IEvidenceBundleExporter
await gzipStream.WriteAsync(endBlocks, ct).ConfigureAwait(false);
}
private static byte[] CreateTarHeader(string name, long size)
private byte[] CreateTarHeader(string name, long size)
{
var header = new byte[512];

2
src/Scanner/StellaOps.Scanner.WebService/Services/GatingReasonService.cs
View File

@@ -230,7 +230,7 @@ public sealed class GatingReasonService : IGatingReasonService
/// <summary>
/// Computes a composite trust score for a VEX record.
/// </summary>
private static double ComputeVexTrustScore(TriageEffectiveVex vex)
private double ComputeVexTrustScore(TriageEffectiveVex vex)
{
// Weighted combination of trust factors
const double IssuerWeight = 0.4;

5
src/Scanner/StellaOps.Scanner.WebService/Services/ReportSigner.cs
View File

@@ -29,6 +29,7 @@ public sealed class ReportSigner : IReportSigner
private readonly ILogger<ReportSigner> logger;
private readonly ICryptoProviderRegistry cryptoRegistry;
private readonly ICryptoHmac cryptoHmac;
private readonly TimeProvider timeProvider;
private readonly ICryptoProvider? provider;
private readonly CryptoKeyReference? keyReference;
private readonly CryptoSignerResolution? signerResolution;
@@ -38,11 +39,13 @@ public sealed class ReportSigner : IReportSigner
IOptions<ScannerWebServiceOptions> options,
ICryptoProviderRegistry cryptoRegistry,
ICryptoHmac cryptoHmac,
TimeProvider timeProvider,
ILogger<ReportSigner> logger)
{
ArgumentNullException.ThrowIfNull(options);
this.cryptoRegistry = cryptoRegistry ?? throw new ArgumentNullException(nameof(cryptoRegistry));
this.cryptoHmac = cryptoHmac ?? throw new ArgumentNullException(nameof(cryptoHmac));
this.timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
var value = options.Value ?? new ScannerWebServiceOptions();
@@ -79,7 +82,7 @@ public sealed class ReportSigner : IReportSigner
reference,
canonicalAlgorithm,
privateKey,
createdAt: DateTimeOffset.UtcNow);
createdAt: timeProvider.GetUtcNow());
provider.UpsertSigningKey(signingKeyDescriptor);

7
src/Scanner/StellaOps.Scanner.WebService/Services/ScoreReplayService.cs
View File

@@ -23,6 +23,7 @@ public sealed class ScoreReplayService : IScoreReplayService
private readonly IProofBundleWriter _bundleWriter;
private readonly IScanManifestSigner _manifestSigner;
private readonly IScoringService _scoringService;
private readonly TimeProvider _timeProvider;
private readonly ILogger<ScoreReplayService> _logger;
public ScoreReplayService(
@@ -31,6 +32,7 @@ public sealed class ScoreReplayService : IScoreReplayService
IProofBundleWriter bundleWriter,
IScanManifestSigner manifestSigner,
IScoringService scoringService,
TimeProvider timeProvider,
ILogger<ScoreReplayService> logger)
{
_manifestRepository = manifestRepository ?? throw new ArgumentNullException(nameof(manifestRepository));
@@ -38,6 +40,7 @@ public sealed class ScoreReplayService : IScoreReplayService
_bundleWriter = bundleWriter ?? throw new ArgumentNullException(nameof(bundleWriter));
_manifestSigner = manifestSigner ?? throw new ArgumentNullException(nameof(manifestSigner));
_scoringService = scoringService ?? throw new ArgumentNullException(nameof(scoringService));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
@@ -99,7 +102,7 @@ public sealed class ScoreReplayService : IScoreReplayService
RootHash: bundle.RootHash,
BundleUri: bundle.BundleUri,
ManifestHash: manifest.ComputeHash(),
ReplayedAt: DateTimeOffset.UtcNow,
ReplayedAt: _timeProvider.GetUtcNow(),
Deterministic: manifest.Deterministic);
}
finally
@@ -164,7 +167,7 @@ public sealed class ScoreReplayService : IScoreReplayService
ComputedRootHash: computedRootHash,
ManifestValid: manifestVerify.IsValid,
LedgerValid: ledgerValid,
VerifiedAt: DateTimeOffset.UtcNow,
VerifiedAt: _timeProvider.GetUtcNow(),
ErrorMessage: string.Join("; ", errors));
}

5
src/Scanner/StellaOps.Scanner.WebService/Services/SliceQueryService.cs
View File

@@ -40,6 +40,7 @@ public sealed class SliceQueryService : ISliceQueryService
private readonly SliceHasher _hasher;
private readonly IFileContentAddressableStore _cas;
private readonly IScanMetadataRepository _scanRepo;
private readonly TimeProvider _timeProvider;
private readonly SliceQueryServiceOptions _options;
private readonly ILogger<SliceQueryService> _logger;
@@ -51,6 +52,7 @@ public sealed class SliceQueryService : ISliceQueryService
SliceHasher hasher,
IFileContentAddressableStore cas,
IScanMetadataRepository scanRepo,
TimeProvider timeProvider,
IOptions<SliceQueryServiceOptions> options,
ILogger<SliceQueryService> logger)
{
@@ -61,6 +63,7 @@ public sealed class SliceQueryService : ISliceQueryService
_hasher = hasher ?? throw new ArgumentNullException(nameof(hasher));
_cas = cas ?? throw new ArgumentNullException(nameof(cas));
_scanRepo = scanRepo ?? throw new ArgumentNullException(nameof(scanRepo));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_options = options?.Value ?? new SliceQueryServiceOptions();
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
@@ -121,7 +124,7 @@ public sealed class SliceQueryService : ISliceQueryService
PathWitnesses = slice.Verdict.PathWitnesses.IsDefaultOrEmpty
? Array.Empty<string>()
: slice.Verdict.PathWitnesses.ToList(),
CachedAt = DateTimeOffset.UtcNow
CachedAt = _timeProvider.GetUtcNow()
};
await _cache.SetAsync(cacheKey, cacheEntry, TimeSpan.FromHours(1), cancellationToken).ConfigureAwait(false);
}

8
src/Scanner/StellaOps.Scanner.WebService/Services/TestManifestRepository.cs
View File

@@ -64,6 +64,12 @@ public sealed class TestProofBundleRepository : StellaOps.Scanner.Storage.Reposi
{
private readonly ConcurrentDictionary<string, ProofBundleRow> _bundlesByRootHash = new(StringComparer.OrdinalIgnoreCase);
private readonly ConcurrentDictionary<Guid, List<ProofBundleRow>> _bundlesByScanId = new();
private readonly TimeProvider _timeProvider;
public TestProofBundleRepository(TimeProvider timeProvider)
{
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
}
public Task<ProofBundleRow?> GetByRootHashAsync(string rootHash, CancellationToken cancellationToken = default)
{
@@ -113,7 +119,7 @@ public sealed class TestProofBundleRepository : StellaOps.Scanner.Storage.Reposi
{
cancellationToken.ThrowIfCancellationRequested();
var now = DateTimeOffset.UtcNow;
var now = _timeProvider.GetUtcNow();
var expired = _bundlesByRootHash.Values
.Where(b => b.ExpiresAt.HasValue && b.ExpiresAt.Value < now)
.ToList();

15
src/Scanner/StellaOps.Scanner.WebService/Services/UnifiedEvidenceService.cs
View File

@@ -22,6 +22,7 @@ public sealed class UnifiedEvidenceService : IUnifiedEvidenceService
private readonly TriageDbContext _dbContext;
private readonly IGatingReasonService _gatingService;
private readonly IReplayCommandService _replayService;
private readonly TimeProvider _timeProvider;
private readonly ILogger<UnifiedEvidenceService> _logger;
private const double DefaultPolicyTrustThreshold = 0.7;
@@ -30,11 +31,13 @@ public sealed class UnifiedEvidenceService : IUnifiedEvidenceService
TriageDbContext dbContext,
IGatingReasonService gatingService,
IReplayCommandService replayService,
TimeProvider timeProvider,
ILogger<UnifiedEvidenceService> logger)
{
_dbContext = dbContext ?? throw new ArgumentNullException(nameof(dbContext));
_gatingService = gatingService ?? throw new ArgumentNullException(nameof(gatingService));
_replayService = replayService ?? throw new ArgumentNullException(nameof(replayService));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
@@ -106,7 +109,7 @@ public sealed class UnifiedEvidenceService : IUnifiedEvidenceService
ReplayCommand = replayResponse?.FullCommand?.Command,
ShortReplayCommand = replayResponse?.ShortCommand?.Command,
EvidenceBundleUrl = replayResponse?.Bundle?.DownloadUri,
GeneratedAt = DateTimeOffset.UtcNow,
GeneratedAt = _timeProvider.GetUtcNow(),
CacheKey = cacheKey
};
}
@@ -277,11 +280,11 @@ public sealed class UnifiedEvidenceService : IUnifiedEvidenceService
AttestationsVerified = hasAttestations,
EvidenceComplete = hasVex && hasReachability,
Issues = issues.Count > 0 ? issues : null,
VerifiedAt = DateTimeOffset.UtcNow
VerifiedAt = _timeProvider.GetUtcNow()
};
}
private static double ComputeVexTrustScore(TriageEffectiveVex vex)
private double ComputeVexTrustScore(TriageEffectiveVex vex)
{
const double IssuerWeight = 0.4;
const double RecencyWeight = 0.2;
@@ -289,7 +292,7 @@ public sealed class UnifiedEvidenceService : IUnifiedEvidenceService
const double EvidenceWeight = 0.2;
var issuerTrust = GetIssuerTrust(vex.Issuer);
var recencyTrust = GetRecencyTrust((DateTimeOffset?)vex.ValidFrom);
var recencyTrust = GetRecencyTrust((DateTimeOffset?)vex.ValidFrom, _timeProvider.GetUtcNow());
var justificationTrust = GetJustificationTrust(vex.PrunedSourcesJson);
var evidenceTrust = !string.IsNullOrEmpty(vex.DsseEnvelopeHash) ? 0.8 : 0.3;
@@ -309,10 +312,10 @@ public sealed class UnifiedEvidenceService : IUnifiedEvidenceService
_ => 0.5
};
private static double GetRecencyTrust(DateTimeOffset? timestamp)
private static double GetRecencyTrust(DateTimeOffset? timestamp, DateTimeOffset now)
{
if (timestamp is null) return 0.3;
var age = DateTimeOffset.UtcNow - timestamp.Value;
var age = now - timestamp.Value;
return age.TotalDays switch { <= 7 => 1.0, <= 30 => 0.9, <= 90 => 0.7, <= 365 => 0.5, _ => 0.3 };
}

2
src/Scanner/__Libraries/StellaOps.Scanner.Sources/Contracts/SourceContracts.cs
View File

@@ -267,7 +267,7 @@ public sealed record SourceRunResponse
Status = run.Status,
StartedAt = run.StartedAt,
CompletedAt = run.CompletedAt,
DurationMs = run.DurationMs,
DurationMs = run.GetDurationMs(),
ItemsDiscovered = run.ItemsDiscovered,
ItemsScanned = run.ItemsScanned,
ItemsSucceeded = run.ItemsSucceeded,

26
src/Scanner/__Libraries/StellaOps.Scanner.Sources/Triggers/SourceTriggerDispatcher.cs
View File

@@ -84,8 +84,9 @@ public sealed class SourceTriggerDispatcher : ISourceTriggerDispatcher
source.TenantId,
context.Trigger,
context.CorrelationId,
_timeProvider,
context.TriggerDetails);
failedRun.Fail(canTrigger.Error!);
failedRun.Fail(canTrigger.Error!, _timeProvider);
await _runRepository.CreateAsync(failedRun, ct);
return new TriggerDispatchResult
@@ -102,6 +103,7 @@ public sealed class SourceTriggerDispatcher : ISourceTriggerDispatcher
source.TenantId,
context.Trigger,
context.CorrelationId,
_timeProvider,
context.TriggerDetails);
await _runRepository.CreateAsync(run, ct);
@@ -112,7 +114,7 @@ public sealed class SourceTriggerDispatcher : ISourceTriggerDispatcher
var handler = GetHandler(source.SourceType);
if (handler == null)
{
run.Fail($"No handler registered for source type {source.SourceType}");
run.Fail($"No handler registered for source type {source.SourceType}", _timeProvider);
await _runRepository.UpdateAsync(run, ct);
return new TriggerDispatchResult
{
@@ -133,9 +135,9 @@ public sealed class SourceTriggerDispatcher : ISourceTriggerDispatcher
if (targets.Count == 0)
{
run.Complete();
run.Complete(_timeProvider);
await _runRepository.UpdateAsync(run, ct);
source.RecordSuccessfulRun(_timeProvider.GetUtcNow());
source.RecordSuccessfulRun(_timeProvider.GetUtcNow(), _timeProvider);
await _sourceRepository.UpdateAsync(source, ct);
return new TriggerDispatchResult
@@ -176,13 +178,13 @@ public sealed class SourceTriggerDispatcher : ISourceTriggerDispatcher
// 7. Complete or fail based on results
if (run.ItemsFailed == run.ItemsDiscovered)
{
run.Fail("All targets failed to queue");
source.RecordFailedRun(_timeProvider.GetUtcNow(), run.ErrorMessage!);
run.Fail("All targets failed to queue", _timeProvider);
source.RecordFailedRun(_timeProvider.GetUtcNow(), run.ErrorMessage!, _timeProvider);
}
else
{
run.Complete();
source.RecordSuccessfulRun(_timeProvider.GetUtcNow());
run.Complete(_timeProvider);
source.RecordSuccessfulRun(_timeProvider.GetUtcNow(), _timeProvider);
}
await _runRepository.UpdateAsync(run, ct);
@@ -199,10 +201,10 @@ public sealed class SourceTriggerDispatcher : ISourceTriggerDispatcher
{
_logger.LogError(ex, "Dispatch failed for source {SourceId}", sourceId);
run.Fail(ex.Message);
run.Fail(ex.Message, _timeProvider);
await _runRepository.UpdateAsync(run, ct);
source.RecordFailedRun(_timeProvider.GetUtcNow(), ex.Message);
source.RecordFailedRun(_timeProvider.GetUtcNow(), ex.Message, _timeProvider);
await _sourceRepository.UpdateAsync(source, ct);
return new TriggerDispatchResult
@@ -266,7 +268,7 @@ public sealed class SourceTriggerDispatcher : ISourceTriggerDispatcher
return _handlers.FirstOrDefault(h => h.SourceType == sourceType);
}
private static (bool Success, string? Error) CanTrigger(SbomSource source, TriggerContext context)
private (bool Success, string? Error) CanTrigger(SbomSource source, TriggerContext context)
{
if (source.Status == SbomSourceStatus.Disabled)
{
@@ -292,7 +294,7 @@ public sealed class SourceTriggerDispatcher : ISourceTriggerDispatcher
}
}
if (source.IsRateLimited())
if (source.IsRateLimited(_timeProvider))
{
return (false, "Source is rate limited");
}