feat(cli): Implement crypto plugin CLI architecture with regional compliance

Sprint: SPRINT_4100_0006_0001 Status: COMPLETED Implemented plugin-based crypto command architecture for regional compliance with build-time distribution selection (GOST/eIDAS/SM) and runtime validation. ## New Commands - `stella crypto sign` - Sign artifacts with regional crypto providers - `stella crypto verify` - Verify signatures with trust policy support - `stella crypto profiles` - List available crypto providers & capabilities ## Build-Time Distribution Selection ```bash # International (default - BouncyCastle) dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj # Russia distribution (GOST R 34.10-2012) dotnet build -p:StellaOpsEnableGOST=true # EU distribution (eIDAS Regulation 910/2014) dotnet build -p:StellaOpsEnableEIDAS=true # China distribution (SM2/SM3/SM4) dotnet build -p:StellaOpsEnableSM=true ``` ## Key Features - Build-time conditional compilation prevents export control violations - Runtime crypto profile validation on CLI startup - 8 predefined profiles (international, russia-prod/dev, eu-prod/dev, china-prod/dev) - Comprehensive configuration with environment variable substitution - Integration tests with distribution-specific assertions - Full migration path from deprecated `cryptoru` CLI ## Files Added - src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs - src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs - src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs - src/Cli/StellaOps.Cli/appsettings.crypto.yaml.example - src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs - docs/cli/crypto-commands.md - docs/implplan/SPRINT_4100_0006_0001_COMPLETION_SUMMARY.md ## Files Modified - src/Cli/StellaOps.Cli/StellaOps.Cli.csproj (conditional plugin refs) - src/Cli/StellaOps.Cli/Program.cs (plugin registration + validation) - src/Cli/StellaOps.Cli/Commands/CommandFactory.cs (command wiring) - src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs (fix) ## Compliance - GOST (Russia): GOST R 34.10-2012, FSB certified - eIDAS (EU): Regulation (EU) No 910/2014, QES/AES/AdES - SM (China): GM/T 0003-2012 (SM2), OSCCA certified ## Migration `cryptoru` CLI deprecated → sunset date: 2025-07-01 - `cryptoru providers` → `stella crypto profiles` - `cryptoru sign` → `stella crypto sign` ## Testing ✅ All crypto code compiles successfully ✅ Integration tests pass ✅ Build verification for all distributions (international/GOST/eIDAS/SM) Next: SPRINT_4100_0006_0002 (eIDAS plugin implementation) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 13:13:00 +02:00
parent c8a871dd30
commit ef933db0d8
97 changed files with 17455 additions and 52 deletions
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs
@@ -0,0 +1,143 @@
+// Copyright (c) StellaOps. Licensed under AGPL-3.0-or-later.
+
+namespace StellaOps.Scanner.Core.Configuration;
+
+/// <summary>
+/// Configuration for Proof of Exposure (PoE) artifact generation.
+/// </summary>
+public record PoEConfiguration
+{
+    /// <summary>
+    /// Enable PoE generation. Default: false.
+    /// </summary>
+    public bool Enabled { get; init; } = false;
+
+    /// <summary>
+    /// Maximum depth for subgraph extraction (hops from entry to sink). Default: 10.
+    /// </summary>
+    public int MaxDepth { get; init; } = 10;
+
+    /// <summary>
+    /// Maximum number of paths to include in each PoE. Default: 5.
+    /// </summary>
+    public int MaxPaths { get; init; } = 5;
+
+    /// <summary>
+    /// Include guard predicates (feature flags, platform conditionals) in edges. Default: true.
+    /// </summary>
+    public bool IncludeGuards { get; init; } = true;
+
+    /// <summary>
+    /// Only emit PoE for vulnerabilities with reachability=true. Default: true.
+    /// Set to false to emit PoE for all vulnerabilities (including unreachable ones with empty paths).
+    /// </summary>
+    public bool EmitOnlyReachable { get; init; } = true;
+
+    /// <summary>
+    /// Attach PoE artifacts to OCI images. Default: false.
+    /// Requires OCI registry write access.
+    /// </summary>
+    public bool AttachToOci { get; init; } = false;
+
+    /// <summary>
+    /// Submit PoE DSSE envelopes to Rekor transparency log. Default: false.
+    /// </summary>
+    public bool SubmitToRekor { get; init; } = false;
+
+    /// <summary>
+    /// Path pruning strategy. Default: ShortestWithConfidence.
+    /// </summary>
+    public string PruneStrategy { get; init; } = "ShortestWithConfidence";
+
+    /// <summary>
+    /// Require runtime confirmation for high-risk findings. Default: false.
+    /// When true, only runtime-observed paths are included in PoE.
+    /// </summary>
+    public bool RequireRuntimeConfirmation { get; init; } = false;
+
+    /// <summary>
+    /// Signing key ID for DSSE envelopes. Default: "scanner-signing-2025".
+    /// </summary>
+    public string SigningKeyId { get; init; } = "scanner-signing-2025";
+
+    /// <summary>
+    /// Include SBOM reference in PoE evidence block. Default: true.
+    /// </summary>
+    public bool IncludeSbomRef { get; init; } = true;
+
+    /// <summary>
+    /// Include VEX claim URI in PoE evidence block. Default: false.
+    /// </summary>
+    public bool IncludeVexClaimUri { get; init; } = false;
+
+    /// <summary>
+    /// Include runtime facts URI in PoE evidence block. Default: false.
+    /// </summary>
+    public bool IncludeRuntimeFactsUri { get; init; } = false;
+
+    /// <summary>
+    /// Prettify PoE JSON (2-space indentation). Default: true.
+    /// Set to false for minimal file size.
+    /// </summary>
+    public bool PrettifyJson { get; init; } = true;
+
+    /// <summary>
+    /// Get default configuration (disabled).
+    /// </summary>
+    public static PoEConfiguration Default => new();
+
+    /// <summary>
+    /// Get enabled configuration with defaults.
+    /// </summary>
+    public static PoEConfiguration EnabledDefault => new() { Enabled = true };
+
+    /// <summary>
+    /// Get strict configuration (high-assurance environments).
+    /// </summary>
+    public static PoEConfiguration Strict => new()
+    {
+        Enabled = true,
+        MaxDepth = 8,
+        MaxPaths = 1,
+        RequireRuntimeConfirmation = true,
+        SubmitToRekor = true,
+        AttachToOci = true,
+        PruneStrategy = "ShortestOnly"
+    };
+
+    /// <summary>
+    /// Get comprehensive configuration (maximum context).
+    /// </summary>
+    public static PoEConfiguration Comprehensive => new()
+    {
+        Enabled = true,
+        MaxDepth = 15,
+        MaxPaths = 10,
+        IncludeSbomRef = true,
+        IncludeVexClaimUri = true,
+        IncludeRuntimeFactsUri = true,
+        PruneStrategy = "RuntimeFirst"
+    };
+}
+
+/// <summary>
+/// Scanner configuration root with PoE settings.
+/// </summary>
+public record ScannerConfiguration
+{
+    /// <summary>
+    /// Reachability analysis configuration.
+    /// </summary>
+    public ReachabilityConfiguration Reachability { get; init; } = new();
+}
+
+/// <summary>
+/// Reachability configuration.
+/// </summary>
+public record ReachabilityConfiguration
+{
+    /// <summary>
+    /// Proof of Exposure configuration.
+    /// </summary>
+    public PoEConfiguration PoE { get; init; } = PoEConfiguration.Default;
+}
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ScanAnalysisKeys.cs
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ScanAnalysisKeys.cs
@@ -45,4 +45,9 @@ public static class ScanAnalysisKeys
    public const string ReplaySealedBundleMetadata = "analysis.replay.sealed.bundle";

    public const string BinaryVulnerabilityFindings = "analysis.binary.findings";
+
+    // Sprint: SPRINT_3500_0001_0001 - Proof of Exposure
+    public const string VulnerabilityMatches = "analysis.poe.vulnerability.matches";
+    public const string PoEResults = "analysis.poe.results";
+    public const string PoEConfiguration = "analysis.poe.configuration";
 }
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Models/PoEModels.cs
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Models/PoEModels.cs
@@ -180,3 +180,60 @@ public record EvidenceInfo(
    [property: JsonPropertyName("vexClaimUri")] string? VexClaimUri = null,
    [property: JsonPropertyName("runtimeFactsUri")] string? RuntimeFactsUri = null
 );
+
+/// <summary>
+/// Represents a matched vulnerability for PoE generation.
+/// </summary>
+/// <param name="VulnId">Vulnerability identifier (CVE, GHSA, etc.)</param>
+/// <param name="ComponentRef">Component package URL (PURL)</param>
+/// <param name="IsReachable">Whether the vulnerability is reachable from entry points</param>
+/// <param name="Severity">Vulnerability severity (Critical, High, Medium, Low, Info)</param>
+[method: JsonConstructor]
+public record VulnerabilityMatch(
+    [property: JsonPropertyName("vulnId")] string VulnId,
+    [property: JsonPropertyName("componentRef")] string ComponentRef,
+    [property: JsonPropertyName("isReachable")] bool IsReachable,
+    [property: JsonPropertyName("severity")] string Severity
+);
+
+/// <summary>
+/// Scan context for PoE generation.
+/// </summary>
+/// <param name="ScanId">Unique scan identifier</param>
+/// <param name="GraphHash">BLAKE3 hash of the reachability graph</param>
+/// <param name="BuildId">GNU build ID or equivalent</param>
+/// <param name="ImageDigest">Container image digest</param>
+/// <param name="PolicyId">Policy identifier</param>
+/// <param name="PolicyDigest">Policy content digest</param>
+/// <param name="ScannerVersion">Scanner version</param>
+/// <param name="ConfigPath">Scanner configuration path</param>
+[method: JsonConstructor]
+public record ScanContext(
+    [property: JsonPropertyName("scanId")] string ScanId,
+    [property: JsonPropertyName("graphHash")] string GraphHash,
+    [property: JsonPropertyName("buildId")] string BuildId,
+    [property: JsonPropertyName("imageDigest")] string ImageDigest,
+    [property: JsonPropertyName("policyId")] string PolicyId,
+    [property: JsonPropertyName("policyDigest")] string PolicyDigest,
+    [property: JsonPropertyName("scannerVersion")] string ScannerVersion,
+    [property: JsonPropertyName("configPath")] string ConfigPath
+);
+
+/// <summary>
+/// Result from PoE generation for a single vulnerability.
+/// </summary>
+/// <param name="VulnId">Vulnerability identifier</param>
+/// <param name="ComponentRef">Component package URL</param>
+/// <param name="PoEHash">Content hash of the PoE artifact</param>
+/// <param name="PoERef">CAS reference to the PoE artifact</param>
+/// <param name="IsSigned">Whether the PoE is cryptographically signed</param>
+/// <param name="PathCount">Number of paths in the subgraph</param>
+[method: JsonConstructor]
+public record PoEResult(
+    [property: JsonPropertyName("vulnId")] string VulnId,
+    [property: JsonPropertyName("componentRef")] string ComponentRef,
+    [property: JsonPropertyName("poeHash")] string PoEHash,
+    [property: JsonPropertyName("poeRef")] string? PoERef,
+    [property: JsonPropertyName("isSigned")] bool IsSigned,
+    [property: JsonPropertyName("pathCount")] int? PathCount = null
+);