stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Add unit tests for VexLens normalizer, CPE parser, product mapper, and PURL parser

Browse Source 
- Implemented comprehensive tests for VexLensNormalizer including format detection and normalization scenarios.
- Added tests for CpeParser covering CPE 2.3 and 2.2 formats, invalid inputs, and canonical key generation.
- Created tests for ProductMapper to validate parsing and matching logic across different strictness levels.
- Developed tests for PurlParser to ensure correct parsing of various PURL formats and validation of identifiers.
- Introduced stubs for Monaco editor and worker to facilitate testing in the web application.
- Updated project file for the test project to include necessary dependencies.
This commit is contained in:
StellaOps Bot
2025-12-06 16:28:12 +02:00
parent 2b892ad1b2
commit efd6850c38
132 changed files with 16675 additions and 5428 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/Concelier/StellaOps.Concelier.sln
View File

@@ -21,8 +21,6 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.DependencyInjecti
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Aoc", "..\Aoc\__Libraries\StellaOps.Aoc\StellaOps.Aoc.csproj", "{A6802486-A8D3-4623-8D81-04ED23F9D312}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Concelier.Storage.Mongo", "__Libraries\StellaOps.Concelier.Storage.Mongo\StellaOps.Concelier.Storage.Mongo.csproj", "{C926373D-5ACB-4E62-96D5-264EF4C61BE5}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Concelier.Connector.Common", "__Libraries\StellaOps.Concelier.Connector.Common\StellaOps.Concelier.Connector.Common.csproj", "{2D68125A-0ACD-4015-A8FA-B54284B8A3CB}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Concelier.Merge", "__Libraries\StellaOps.Concelier.Merge\StellaOps.Concelier.Merge.csproj", "{7760219F-6C19-4B61-9015-73BB02005C0B}"
@@ -179,8 +177,6 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Concelier.Normali
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Concelier.RawModels.Tests", "__Tests\StellaOps.Concelier.RawModels.Tests\StellaOps.Concelier.RawModels.Tests.csproj", "{7B995CBB-3D20-4509-9300-EC012C18C4B4}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Concelier.Storage.Mongo.Tests", "__Tests\StellaOps.Concelier.Storage.Mongo.Tests\StellaOps.Concelier.Storage.Mongo.Tests.csproj", "{9006A5A2-01D8-4A70-AEA7-B7B1987C4A62}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Concelier.WebService.Tests", "__Tests\StellaOps.Concelier.WebService.Tests\StellaOps.Concelier.WebService.Tests.csproj", "{664A2577-6DA1-42DA-A213-3253017FA4BF}"
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "__Analyzers", "__Analyzers", "{176B5A8A-7857-3ECD-1128-3C721BC7F5C6}"

11
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/Documents/DocumentRecord.cs
View File

@@ -1,11 +0,0 @@
namespace StellaOps.Concelier.Storage.Mongo.Documents;
/// <summary>
/// Stub record for document storage. (Placeholder for full implementation)
/// </summary>
public sealed record DocumentRecord
{
public string Id { get; init; } = string.Empty;
public string TenantId { get; init; } = string.Empty;
public string Source { get; init; } = string.Empty;
}

8
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/IDocumentStore.cs
View File

@@ -1,8 +0,0 @@
namespace StellaOps.Concelier.Storage.Mongo;
/// <summary>
/// Stub interface for document storage. (Placeholder for full implementation)
/// </summary>
public interface IDocumentStore
{
}

8
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ISourceStateRepository.cs
View File

@@ -1,8 +0,0 @@
namespace StellaOps.Concelier.Storage.Mongo;
/// <summary>
/// Stub interface for source state repository. (Placeholder for full implementation)
/// </summary>
public interface ISourceStateRepository
{
}

10
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/MongoStorageOptions.cs
View File

@@ -1,10 +0,0 @@
namespace StellaOps.Concelier.Storage.Mongo;
/// <summary>
/// Stub options for MongoDB storage. (Placeholder for full implementation)
/// </summary>
public sealed class MongoStorageOptions
{
public string ConnectionString { get; set; } = string.Empty;
public string DatabaseName { get; set; } = string.Empty;
}

313
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/GridFsMigrationService.cs
View File

@@ -1,313 +0,0 @@
using System.Security.Cryptography;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using MongoDB.Bson;
using MongoDB.Driver;
using MongoDB.Driver.GridFS;
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Service for migrating raw payloads from GridFS to S3-compatible object storage.
/// </summary>
public sealed class GridFsMigrationService
{
private readonly IGridFSBucket _gridFs;
private readonly IObjectStore _objectStore;
private readonly IMigrationTracker _migrationTracker;
private readonly ObjectStorageOptions _options;
private readonly TimeProvider _timeProvider;
private readonly ILogger<GridFsMigrationService> _logger;
public GridFsMigrationService(
IGridFSBucket gridFs,
IObjectStore objectStore,
IMigrationTracker migrationTracker,
IOptions<ObjectStorageOptions> options,
TimeProvider timeProvider,
ILogger<GridFsMigrationService> logger)
{
_gridFs = gridFs ?? throw new ArgumentNullException(nameof(gridFs));
_objectStore = objectStore ?? throw new ArgumentNullException(nameof(objectStore));
_migrationTracker = migrationTracker ?? throw new ArgumentNullException(nameof(migrationTracker));
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_timeProvider = timeProvider ?? TimeProvider.System;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <summary>
/// Migrates a single GridFS document to object storage.
/// </summary>
public async Task<MigrationResult> MigrateAsync(
string gridFsId,
string tenantId,
string sourceId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentException.ThrowIfNullOrWhiteSpace(sourceId);
// Check if already migrated
if (await _migrationTracker.IsMigratedAsync(gridFsId, cancellationToken).ConfigureAwait(false))
{
_logger.LogDebug("GridFS {GridFsId} already migrated, skipping", gridFsId);
return MigrationResult.AlreadyMigrated(gridFsId);
}
try
{
// Download from GridFS
var objectId = ObjectId.Parse(gridFsId);
using var downloadStream = new MemoryStream();
await _gridFs.DownloadToStreamAsync(objectId, downloadStream, cancellationToken: cancellationToken)
.ConfigureAwait(false);
var data = downloadStream.ToArray();
var sha256 = ComputeSha256(data);
// Get GridFS file info
var filter = Builders<GridFSFileInfo>.Filter.Eq("_id", objectId);
var fileInfo = await _gridFs.Find(filter)
.FirstOrDefaultAsync(cancellationToken)
.ConfigureAwait(false);
var ingestedAt = fileInfo?.UploadDateTime ?? _timeProvider.GetUtcNow().UtcDateTime;
// Create provenance metadata
var provenance = new ProvenanceMetadata
{
SourceId = sourceId,
IngestedAt = new DateTimeOffset(ingestedAt, TimeSpan.Zero),
TenantId = tenantId,
OriginalFormat = DetectFormat(fileInfo?.Filename),
OriginalSize = data.Length,
GridFsLegacyId = gridFsId,
Transformations =
[
new TransformationRecord
{
Type = TransformationType.Migration,
Timestamp = _timeProvider.GetUtcNow(),
Agent = "concelier-gridfs-migration-v1"
}
]
};
// Store in object storage
var reference = await _objectStore.StoreAsync(
tenantId,
data,
provenance,
GetContentType(fileInfo?.Filename),
cancellationToken).ConfigureAwait(false);
// Record migration
await _migrationTracker.RecordMigrationAsync(
gridFsId,
reference.Pointer,
MigrationStatus.Migrated,
cancellationToken).ConfigureAwait(false);
_logger.LogInformation(
"Migrated GridFS {GridFsId} to {Bucket}/{Key}, size {Size} bytes",
gridFsId, reference.Pointer.Bucket, reference.Pointer.Key, data.Length);
return MigrationResult.Success(gridFsId, reference);
}
catch (GridFSFileNotFoundException)
{
_logger.LogWarning("GridFS file not found: {GridFsId}", gridFsId);
return MigrationResult.NotFound(gridFsId);
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to migrate GridFS {GridFsId}", gridFsId);
return MigrationResult.Failed(gridFsId, ex.Message);
}
}
/// <summary>
/// Verifies a migrated document by comparing hashes.
/// </summary>
public async Task<bool> VerifyMigrationAsync(
string gridFsId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
var record = await _migrationTracker.GetByGridFsIdAsync(gridFsId, cancellationToken)
.ConfigureAwait(false);
if (record is null)
{
_logger.LogWarning("No migration record found for {GridFsId}", gridFsId);
return false;
}
// Download original from GridFS
var objectId = ObjectId.Parse(gridFsId);
using var downloadStream = new MemoryStream();
try
{
await _gridFs.DownloadToStreamAsync(objectId, downloadStream, cancellationToken: cancellationToken)
.ConfigureAwait(false);
}
catch (GridFSFileNotFoundException)
{
_logger.LogWarning("Original GridFS file not found for verification: {GridFsId}", gridFsId);
return false;
}
var originalHash = ComputeSha256(downloadStream.ToArray());
// Verify the migrated object
var reference = PayloadReference.CreateObjectStorage(record.Pointer, new ProvenanceMetadata
{
SourceId = string.Empty,
IngestedAt = record.MigratedAt,
TenantId = string.Empty,
});
var verified = await _objectStore.VerifyIntegrityAsync(reference, cancellationToken)
.ConfigureAwait(false);
if (verified && string.Equals(originalHash, record.Pointer.Sha256, StringComparison.OrdinalIgnoreCase))
{
await _migrationTracker.MarkVerifiedAsync(gridFsId, cancellationToken).ConfigureAwait(false);
_logger.LogInformation("Verified migration for {GridFsId}", gridFsId);
return true;
}
_logger.LogWarning(
"Verification failed for {GridFsId}: original hash {Original}, stored hash {Stored}",
gridFsId, originalHash, record.Pointer.Sha256);
return false;
}
/// <summary>
/// Batches migration of multiple GridFS documents.
/// </summary>
public async Task<BatchMigrationResult> MigrateBatchAsync(
IEnumerable<GridFsMigrationRequest> requests,
CancellationToken cancellationToken = default)
{
var results = new List<MigrationResult>();
foreach (var request in requests)
{
if (cancellationToken.IsCancellationRequested)
{
break;
}
var result = await MigrateAsync(
request.GridFsId,
request.TenantId,
request.SourceId,
cancellationToken).ConfigureAwait(false);
results.Add(result);
}
return new BatchMigrationResult(results);
}
private static string ComputeSha256(byte[] data)
{
var hash = SHA256.HashData(data);
return Convert.ToHexStringLower(hash);
}
private static OriginalFormat? DetectFormat(string? filename)
{
if (string.IsNullOrEmpty(filename))
{
return null;
}
return Path.GetExtension(filename).ToLowerInvariant() switch
{
".json" => OriginalFormat.Json,
".xml" => OriginalFormat.Xml,
".csv" => OriginalFormat.Csv,
".ndjson" => OriginalFormat.Ndjson,
".yaml" or ".yml" => OriginalFormat.Yaml,
_ => null
};
}
private static string GetContentType(string? filename)
{
if (string.IsNullOrEmpty(filename))
{
return "application/octet-stream";
}
return Path.GetExtension(filename).ToLowerInvariant() switch
{
".json" => "application/json",
".xml" => "application/xml",
".csv" => "text/csv",
".ndjson" => "application/x-ndjson",
".yaml" or ".yml" => "application/x-yaml",
_ => "application/octet-stream"
};
}
}
/// <summary>
/// Request to migrate a GridFS document.
/// </summary>
public sealed record GridFsMigrationRequest(
string GridFsId,
string TenantId,
string SourceId);
/// <summary>
/// Result of a single migration.
/// </summary>
public sealed record MigrationResult
{
public required string GridFsId { get; init; }
public required MigrationResultStatus Status { get; init; }
public PayloadReference? Reference { get; init; }
public string? ErrorMessage { get; init; }
public static MigrationResult Success(string gridFsId, PayloadReference reference)
=> new() { GridFsId = gridFsId, Status = MigrationResultStatus.Success, Reference = reference };
public static MigrationResult AlreadyMigrated(string gridFsId)
=> new() { GridFsId = gridFsId, Status = MigrationResultStatus.AlreadyMigrated };
public static MigrationResult NotFound(string gridFsId)
=> new() { GridFsId = gridFsId, Status = MigrationResultStatus.NotFound };
public static MigrationResult Failed(string gridFsId, string errorMessage)
=> new() { GridFsId = gridFsId, Status = MigrationResultStatus.Failed, ErrorMessage = errorMessage };
}
/// <summary>
/// Status of a migration result.
/// </summary>
public enum MigrationResultStatus
{
Success,
AlreadyMigrated,
NotFound,
Failed
}
/// <summary>
/// Result of a batch migration.
/// </summary>
public sealed record BatchMigrationResult(IReadOnlyList<MigrationResult> Results)
{
public int TotalCount => Results.Count;
public int SuccessCount => Results.Count(r => r.Status == MigrationResultStatus.Success);
public int AlreadyMigratedCount => Results.Count(r => r.Status == MigrationResultStatus.AlreadyMigrated);
public int NotFoundCount => Results.Count(r => r.Status == MigrationResultStatus.NotFound);
public int FailedCount => Results.Count(r => r.Status == MigrationResultStatus.Failed);
}

60
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/IMigrationTracker.cs
View File

@@ -1,60 +0,0 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Tracks GridFS to S3 migrations.
/// </summary>
public interface IMigrationTracker
{
/// <summary>
/// Records a migration attempt.
/// </summary>
Task<MigrationRecord> RecordMigrationAsync(
string gridFsId,
ObjectPointer pointer,
MigrationStatus status,
CancellationToken cancellationToken = default);
/// <summary>
/// Updates a migration record status.
/// </summary>
Task UpdateStatusAsync(
string gridFsId,
MigrationStatus status,
string? errorMessage = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Marks a migration as verified.
/// </summary>
Task MarkVerifiedAsync(
string gridFsId,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets a migration record by GridFS ID.
/// </summary>
Task<MigrationRecord?> GetByGridFsIdAsync(
string gridFsId,
CancellationToken cancellationToken = default);
/// <summary>
/// Lists pending migrations.
/// </summary>
Task<IReadOnlyList<MigrationRecord>> ListPendingAsync(
int limit = 100,
CancellationToken cancellationToken = default);
/// <summary>
/// Lists migrations needing verification.
/// </summary>
Task<IReadOnlyList<MigrationRecord>> ListNeedingVerificationAsync(
int limit = 100,
CancellationToken cancellationToken = default);
/// <summary>
/// Checks if a GridFS ID has been migrated.
/// </summary>
Task<bool> IsMigratedAsync(
string gridFsId,
CancellationToken cancellationToken = default);
}

98
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/IObjectStore.cs
View File

@@ -1,98 +0,0 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Abstraction for S3-compatible object storage operations.
/// </summary>
public interface IObjectStore
{
/// <summary>
/// Stores a payload, returning a reference (either inline or object storage).
/// Automatically decides based on size thresholds.
/// </summary>
/// <param name="tenantId">Tenant identifier for bucket selection.</param>
/// <param name="data">Payload data to store.</param>
/// <param name="provenance">Provenance metadata for the payload.</param>
/// <param name="contentType">MIME type of the content.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Reference to the stored payload.</returns>
Task<PayloadReference> StoreAsync(
string tenantId,
ReadOnlyMemory<byte> data,
ProvenanceMetadata provenance,
string contentType = "application/json",
CancellationToken cancellationToken = default);
/// <summary>
/// Stores a payload from a stream.
/// </summary>
/// <param name="tenantId">Tenant identifier for bucket selection.</param>
/// <param name="stream">Stream containing payload data.</param>
/// <param name="provenance">Provenance metadata for the payload.</param>
/// <param name="contentType">MIME type of the content.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Reference to the stored payload.</returns>
Task<PayloadReference> StoreStreamAsync(
string tenantId,
Stream stream,
ProvenanceMetadata provenance,
string contentType = "application/json",
CancellationToken cancellationToken = default);
/// <summary>
/// Retrieves a payload by its reference.
/// </summary>
/// <param name="reference">Reference to the payload.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Payload data, or null if not found.</returns>
Task<byte[]?> RetrieveAsync(
PayloadReference reference,
CancellationToken cancellationToken = default);
/// <summary>
/// Retrieves a payload as a stream.
/// </summary>
/// <param name="reference">Reference to the payload.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Stream containing payload data, or null if not found.</returns>
Task<Stream?> RetrieveStreamAsync(
PayloadReference reference,
CancellationToken cancellationToken = default);
/// <summary>
/// Checks if an object exists.
/// </summary>
/// <param name="pointer">Object pointer to check.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if object exists.</returns>
Task<bool> ExistsAsync(
ObjectPointer pointer,
CancellationToken cancellationToken = default);
/// <summary>
/// Deletes an object.
/// </summary>
/// <param name="pointer">Object pointer to delete.</param>
/// <param name="cancellationToken">Cancellation token.</param>
Task DeleteAsync(
ObjectPointer pointer,
CancellationToken cancellationToken = default);
/// <summary>
/// Ensures the tenant bucket exists.
/// </summary>
/// <param name="tenantId">Tenant identifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
Task EnsureBucketExistsAsync(
string tenantId,
CancellationToken cancellationToken = default);
/// <summary>
/// Verifies a payload's integrity by comparing its hash.
/// </summary>
/// <param name="reference">Reference to verify.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if hash matches.</returns>
Task<bool> VerifyIntegrityAsync(
PayloadReference reference,
CancellationToken cancellationToken = default);
}

63
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/MigrationRecord.cs
View File

@@ -1,63 +0,0 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Record of a migration from GridFS to S3.
/// </summary>
public sealed record MigrationRecord
{
/// <summary>
/// Original GridFS ObjectId.
/// </summary>
public required string GridFsId { get; init; }
/// <summary>
/// Pointer to the migrated object.
/// </summary>
public required ObjectPointer Pointer { get; init; }
/// <summary>
/// Timestamp when migration was performed.
/// </summary>
public required DateTimeOffset MigratedAt { get; init; }
/// <summary>
/// Current status of the migration.
/// </summary>
public required MigrationStatus Status { get; init; }
/// <summary>
/// Timestamp when content hash was verified post-migration.
/// </summary>
public DateTimeOffset? VerifiedAt { get; init; }
/// <summary>
/// Whether GridFS tombstone still exists for rollback.
/// </summary>
public bool RollbackAvailable { get; init; } = true;
/// <summary>
/// Error message if migration failed.
/// </summary>
public string? ErrorMessage { get; init; }
}
/// <summary>
/// Status of a GridFS to S3 migration.
/// </summary>
public enum MigrationStatus
{
/// <summary>Migration pending.</summary>
Pending,
/// <summary>Migration completed.</summary>
Migrated,
/// <summary>Migration verified via hash comparison.</summary>
Verified,
/// <summary>Migration failed.</summary>
Failed,
/// <summary>Original GridFS tombstoned.</summary>
Tombstoned
}

232
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/MongoMigrationTracker.cs
View File

@@ -1,232 +0,0 @@
using Microsoft.Extensions.Logging;
using MongoDB.Bson;
using MongoDB.Bson.Serialization.Attributes;
using MongoDB.Driver;
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// MongoDB-backed migration tracker for GridFS to S3 migrations.
/// </summary>
public sealed class MongoMigrationTracker : IMigrationTracker
{
private const string CollectionName = "object_storage_migrations";
private readonly IMongoCollection<MigrationDocument> _collection;
private readonly TimeProvider _timeProvider;
private readonly ILogger<MongoMigrationTracker> _logger;
public MongoMigrationTracker(
IMongoDatabase database,
TimeProvider timeProvider,
ILogger<MongoMigrationTracker> logger)
{
ArgumentNullException.ThrowIfNull(database);
_collection = database.GetCollection<MigrationDocument>(CollectionName);
_timeProvider = timeProvider ?? TimeProvider.System;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<MigrationRecord> RecordMigrationAsync(
string gridFsId,
ObjectPointer pointer,
MigrationStatus status,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
ArgumentNullException.ThrowIfNull(pointer);
var now = _timeProvider.GetUtcNow();
var document = new MigrationDocument
{
GridFsId = gridFsId,
Bucket = pointer.Bucket,
Key = pointer.Key,
Sha256 = pointer.Sha256,
Size = pointer.Size,
ContentType = pointer.ContentType,
Encoding = pointer.Encoding.ToString().ToLowerInvariant(),
MigratedAt = now.UtcDateTime,
Status = status.ToString().ToLowerInvariant(),
RollbackAvailable = true,
};
await _collection.InsertOneAsync(document, cancellationToken: cancellationToken)
.ConfigureAwait(false);
_logger.LogInformation(
"Recorded migration for GridFS {GridFsId} to {Bucket}/{Key}",
gridFsId, pointer.Bucket, pointer.Key);
return ToRecord(document);
}
public async Task UpdateStatusAsync(
string gridFsId,
MigrationStatus status,
string? errorMessage = null,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
var filter = Builders<MigrationDocument>.Filter.Eq(d => d.GridFsId, gridFsId);
var update = Builders<MigrationDocument>.Update
.Set(d => d.Status, status.ToString().ToLowerInvariant())
.Set(d => d.ErrorMessage, errorMessage);
await _collection.UpdateOneAsync(filter, update, cancellationToken: cancellationToken)
.ConfigureAwait(false);
_logger.LogDebug("Updated migration status for {GridFsId} to {Status}", gridFsId, status);
}
public async Task MarkVerifiedAsync(
string gridFsId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
var now = _timeProvider.GetUtcNow();
var filter = Builders<MigrationDocument>.Filter.Eq(d => d.GridFsId, gridFsId);
var update = Builders<MigrationDocument>.Update
.Set(d => d.Status, MigrationStatus.Verified.ToString().ToLowerInvariant())
.Set(d => d.VerifiedAt, now.UtcDateTime);
await _collection.UpdateOneAsync(filter, update, cancellationToken: cancellationToken)
.ConfigureAwait(false);
_logger.LogDebug("Marked migration as verified for {GridFsId}", gridFsId);
}
public async Task<MigrationRecord?> GetByGridFsIdAsync(
string gridFsId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
var filter = Builders<MigrationDocument>.Filter.Eq(d => d.GridFsId, gridFsId);
var document = await _collection.Find(filter)
.FirstOrDefaultAsync(cancellationToken)
.ConfigureAwait(false);
return document is null ? null : ToRecord(document);
}
public async Task<IReadOnlyList<MigrationRecord>> ListPendingAsync(
int limit = 100,
CancellationToken cancellationToken = default)
{
var filter = Builders<MigrationDocument>.Filter.Eq(
d => d.Status, MigrationStatus.Pending.ToString().ToLowerInvariant());
var documents = await _collection.Find(filter)
.Limit(limit)
.ToListAsync(cancellationToken)
.ConfigureAwait(false);
return documents.Select(ToRecord).ToList();
}
public async Task<IReadOnlyList<MigrationRecord>> ListNeedingVerificationAsync(
int limit = 100,
CancellationToken cancellationToken = default)
{
var filter = Builders<MigrationDocument>.Filter.Eq(
d => d.Status, MigrationStatus.Migrated.ToString().ToLowerInvariant());
var documents = await _collection.Find(filter)
.Limit(limit)
.ToListAsync(cancellationToken)
.ConfigureAwait(false);
return documents.Select(ToRecord).ToList();
}
public async Task<bool> IsMigratedAsync(
string gridFsId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(gridFsId);
var filter = Builders<MigrationDocument>.Filter.And(
Builders<MigrationDocument>.Filter.Eq(d => d.GridFsId, gridFsId),
Builders<MigrationDocument>.Filter.In(d => d.Status, new[]
{
MigrationStatus.Migrated.ToString().ToLowerInvariant(),
MigrationStatus.Verified.ToString().ToLowerInvariant()
}));
var count = await _collection.CountDocumentsAsync(filter, cancellationToken: cancellationToken)
.ConfigureAwait(false);
return count > 0;
}
private static MigrationRecord ToRecord(MigrationDocument document)
{
return new MigrationRecord
{
GridFsId = document.GridFsId,
Pointer = new ObjectPointer
{
Bucket = document.Bucket,
Key = document.Key,
Sha256 = document.Sha256,
Size = document.Size,
ContentType = document.ContentType,
Encoding = Enum.Parse<ContentEncoding>(document.Encoding, ignoreCase: true),
},
MigratedAt = new DateTimeOffset(document.MigratedAt, TimeSpan.Zero),
Status = Enum.Parse<MigrationStatus>(document.Status, ignoreCase: true),
VerifiedAt = document.VerifiedAt.HasValue
? new DateTimeOffset(document.VerifiedAt.Value, TimeSpan.Zero)
: null,
RollbackAvailable = document.RollbackAvailable,
ErrorMessage = document.ErrorMessage,
};
}
[BsonIgnoreExtraElements]
private sealed class MigrationDocument
{
[BsonId]
[BsonRepresentation(BsonType.ObjectId)]
public string? Id { get; set; }
[BsonElement("gridFsId")]
public required string GridFsId { get; set; }
[BsonElement("bucket")]
public required string Bucket { get; set; }
[BsonElement("key")]
public required string Key { get; set; }
[BsonElement("sha256")]
public required string Sha256 { get; set; }
[BsonElement("size")]
public required long Size { get; set; }
[BsonElement("contentType")]
public required string ContentType { get; set; }
[BsonElement("encoding")]
public required string Encoding { get; set; }
[BsonElement("migratedAt")]
public required DateTime MigratedAt { get; set; }
[BsonElement("status")]
public required string Status { get; set; }
[BsonElement("verifiedAt")]
public DateTime? VerifiedAt { get; set; }
[BsonElement("rollbackAvailable")]
public bool RollbackAvailable { get; set; }
[BsonElement("errorMessage")]
public string? ErrorMessage { get; set; }
}
}

52
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/ObjectPointer.cs
View File

@@ -1,52 +0,0 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Deterministic pointer to an object in S3-compatible storage.
/// </summary>
public sealed record ObjectPointer
{
/// <summary>
/// S3 bucket name (tenant-prefixed).
/// </summary>
public required string Bucket { get; init; }
/// <summary>
/// Object key (deterministic, content-addressed).
/// </summary>
public required string Key { get; init; }
/// <summary>
/// SHA-256 hash of object content (hex encoded).
/// </summary>
public required string Sha256 { get; init; }
/// <summary>
/// Object size in bytes.
/// </summary>
public required long Size { get; init; }
/// <summary>
/// MIME type of the object.
/// </summary>
public string ContentType { get; init; } = "application/octet-stream";
/// <summary>
/// Content encoding if compressed.
/// </summary>
public ContentEncoding Encoding { get; init; } = ContentEncoding.Identity;
}
/// <summary>
/// Content encoding for stored objects.
/// </summary>
public enum ContentEncoding
{
/// <summary>No compression.</summary>
Identity,
/// <summary>Gzip compression.</summary>
Gzip,
/// <summary>Zstandard compression.</summary>
Zstd
}

75
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/ObjectStorageOptions.cs
View File

@@ -1,75 +0,0 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Configuration options for S3-compatible object storage.
/// </summary>
public sealed class ObjectStorageOptions
{
/// <summary>
/// Configuration section name.
/// </summary>
public const string SectionName = "Concelier:ObjectStorage";
/// <summary>
/// S3-compatible endpoint URL (MinIO, AWS S3, etc.).
/// </summary>
public string Endpoint { get; set; } = "http://localhost:9000";
/// <summary>
/// Storage region (use 'us-east-1' for MinIO).
/// </summary>
public string Region { get; set; } = "us-east-1";
/// <summary>
/// Use path-style addressing (required for MinIO).
/// </summary>
public bool UsePathStyle { get; set; } = true;
/// <summary>
/// Prefix for tenant bucket names.
/// </summary>
public string BucketPrefix { get; set; } = "stellaops-concelier-";
/// <summary>
/// Maximum object size in bytes (default 5GB).
/// </summary>
public long MaxObjectSize { get; set; } = 5L * 1024 * 1024 * 1024;
/// <summary>
/// Objects larger than this (bytes) will be compressed.
/// Default: 1MB.
/// </summary>
public int CompressionThreshold { get; set; } = 1024 * 1024;
/// <summary>
/// Objects smaller than this (bytes) will be stored inline.
/// Default: 64KB.
/// </summary>
public int InlineThreshold { get; set; } = 64 * 1024;
/// <summary>
/// Whether object storage is enabled. When false, uses GridFS fallback.
/// </summary>
public bool Enabled { get; set; } = false;
/// <summary>
/// AWS access key ID (or MinIO access key).
/// </summary>
public string? AccessKeyId { get; set; }
/// <summary>
/// AWS secret access key (or MinIO secret key).
/// </summary>
public string? SecretAccessKey { get; set; }
/// <summary>
/// Gets the bucket name for a tenant.
/// </summary>
public string GetBucketName(string tenantId)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
// Normalize tenant ID to lowercase and replace invalid characters
var normalized = tenantId.ToLowerInvariant().Replace('_', '-');
return $"{BucketPrefix}{normalized}";
}
}

128
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/ObjectStorageServiceCollectionExtensions.cs
View File

@@ -1,128 +0,0 @@
using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Options;
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Extension methods for registering object storage services.
/// </summary>
public static class ObjectStorageServiceCollectionExtensions
{
/// <summary>
/// Adds object storage services for Concelier raw payload storage.
/// </summary>
public static IServiceCollection AddConcelierObjectStorage(
this IServiceCollection services,
IConfiguration configuration)
{
ArgumentNullException.ThrowIfNull(services);
ArgumentNullException.ThrowIfNull(configuration);
// Bind options
services.Configure<ObjectStorageOptions>(
configuration.GetSection(ObjectStorageOptions.SectionName));
// Register TimeProvider if not already registered
services.TryAddSingleton(TimeProvider.System);
// Register S3 client
services.TryAddSingleton<IAmazonS3>(sp =>
{
var options = sp.GetRequiredService<IOptions<ObjectStorageOptions>>().Value;
var config = new AmazonS3Config
{
RegionEndpoint = RegionEndpoint.GetBySystemName(options.Region),
ForcePathStyle = options.UsePathStyle,
};
if (!string.IsNullOrEmpty(options.Endpoint))
{
config.ServiceURL = options.Endpoint;
}
if (!string.IsNullOrEmpty(options.AccessKeyId) &&
!string.IsNullOrEmpty(options.SecretAccessKey))
{
var credentials = new BasicAWSCredentials(
options.AccessKeyId,
options.SecretAccessKey);
return new AmazonS3Client(credentials, config);
}
// Use default credentials chain (env vars, IAM role, etc.)
return new AmazonS3Client(config);
});
// Register object store
services.TryAddSingleton<IObjectStore, S3ObjectStore>();
// Register migration tracker
services.TryAddSingleton<IMigrationTracker, MongoMigrationTracker>();
// Register migration service
services.TryAddSingleton<GridFsMigrationService>();
return services;
}
/// <summary>
/// Adds object storage services with explicit options.
/// </summary>
public static IServiceCollection AddConcelierObjectStorage(
this IServiceCollection services,
Action<ObjectStorageOptions> configureOptions)
{
ArgumentNullException.ThrowIfNull(services);
ArgumentNullException.ThrowIfNull(configureOptions);
services.Configure(configureOptions);
// Register TimeProvider if not already registered
services.TryAddSingleton(TimeProvider.System);
// Register S3 client
services.TryAddSingleton<IAmazonS3>(sp =>
{
var options = sp.GetRequiredService<IOptions<ObjectStorageOptions>>().Value;
var config = new AmazonS3Config
{
RegionEndpoint = RegionEndpoint.GetBySystemName(options.Region),
ForcePathStyle = options.UsePathStyle,
};
if (!string.IsNullOrEmpty(options.Endpoint))
{
config.ServiceURL = options.Endpoint;
}
if (!string.IsNullOrEmpty(options.AccessKeyId) &&
!string.IsNullOrEmpty(options.SecretAccessKey))
{
var credentials = new BasicAWSCredentials(
options.AccessKeyId,
options.SecretAccessKey);
return new AmazonS3Client(credentials, config);
}
return new AmazonS3Client(config);
});
// Register object store
services.TryAddSingleton<IObjectStore, S3ObjectStore>();
// Register migration tracker
services.TryAddSingleton<IMigrationTracker, MongoMigrationTracker>();
// Register migration service
services.TryAddSingleton<GridFsMigrationService>();
return services;
}
}

79
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/PayloadReference.cs
View File

@@ -1,79 +0,0 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Reference to a large payload stored in object storage (used in advisory_observations).
/// </summary>
public sealed record PayloadReference
{
/// <summary>
/// Discriminator for payload type.
/// </summary>
public const string TypeDiscriminator = "object-storage-ref";
/// <summary>
/// Type discriminator value.
/// </summary>
public string Type { get; init; } = TypeDiscriminator;
/// <summary>
/// Pointer to the object in storage.
/// </summary>
public required ObjectPointer Pointer { get; init; }
/// <summary>
/// Provenance metadata for the payload.
/// </summary>
public required ProvenanceMetadata Provenance { get; init; }
/// <summary>
/// If true, payload is small enough to be inline (not in object storage).
/// </summary>
public bool Inline { get; init; }
/// <summary>
/// Base64-encoded inline data (only if Inline=true and size less than threshold).
/// </summary>
public string? InlineData { get; init; }
/// <summary>
/// Creates a reference for inline data.
/// </summary>
public static PayloadReference CreateInline(
byte[] data,
string sha256,
ProvenanceMetadata provenance,
string contentType = "application/octet-stream")
{
return new PayloadReference
{
Pointer = new ObjectPointer
{
Bucket = string.Empty,
Key = string.Empty,
Sha256 = sha256,
Size = data.Length,
ContentType = contentType,
Encoding = ContentEncoding.Identity,
},
Provenance = provenance,
Inline = true,
InlineData = Convert.ToBase64String(data),
};
}
/// <summary>
/// Creates a reference for object storage data.
/// </summary>
public static PayloadReference CreateObjectStorage(
ObjectPointer pointer,
ProvenanceMetadata provenance)
{
return new PayloadReference
{
Pointer = pointer,
Provenance = provenance,
Inline = false,
InlineData = null,
};
}
}

86
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/ProvenanceMetadata.cs
View File

@@ -1,86 +0,0 @@
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// Provenance metadata preserved from original ingestion.
/// </summary>
public sealed record ProvenanceMetadata
{
/// <summary>
/// Identifier of the original data source (URI).
/// </summary>
public required string SourceId { get; init; }
/// <summary>
/// UTC timestamp of original ingestion.
/// </summary>
public required DateTimeOffset IngestedAt { get; init; }
/// <summary>
/// Tenant identifier for multi-tenant isolation.
/// </summary>
public required string TenantId { get; init; }
/// <summary>
/// Original format before normalization.
/// </summary>
public OriginalFormat? OriginalFormat { get; init; }
/// <summary>
/// Original size before any transformation.
/// </summary>
public long? OriginalSize { get; init; }
/// <summary>
/// List of transformations applied.
/// </summary>
public IReadOnlyList<TransformationRecord> Transformations { get; init; } = [];
/// <summary>
/// Original GridFS ObjectId for migration tracking.
/// </summary>
public string? GridFsLegacyId { get; init; }
}
/// <summary>
/// Original format of ingested data.
/// </summary>
public enum OriginalFormat
{
Json,
Xml,
Csv,
Ndjson,
Yaml
}
/// <summary>
/// Record of a transformation applied to the payload.
/// </summary>
public sealed record TransformationRecord
{
/// <summary>
/// Type of transformation.
/// </summary>
public required TransformationType Type { get; init; }
/// <summary>
/// Timestamp when transformation was applied.
/// </summary>
public required DateTimeOffset Timestamp { get; init; }
/// <summary>
/// Agent/service that performed the transformation.
/// </summary>
public required string Agent { get; init; }
}
/// <summary>
/// Types of transformations that can be applied.
/// </summary>
public enum TransformationType
{
Compression,
Normalization,
Redaction,
Migration
}

320
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/ObjectStorage/S3ObjectStore.cs
View File

@@ -1,320 +0,0 @@
using System.IO.Compression;
using System.Security.Cryptography;
using Amazon.S3;
using Amazon.S3.Model;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
namespace StellaOps.Concelier.Storage.Mongo.ObjectStorage;
/// <summary>
/// S3-compatible object store implementation for raw advisory payloads.
/// </summary>
public sealed class S3ObjectStore : IObjectStore
{
private readonly IAmazonS3 _s3;
private readonly ObjectStorageOptions _options;
private readonly TimeProvider _timeProvider;
private readonly ILogger<S3ObjectStore> _logger;
public S3ObjectStore(
IAmazonS3 s3,
IOptions<ObjectStorageOptions> options,
TimeProvider timeProvider,
ILogger<S3ObjectStore> logger)
{
_s3 = s3 ?? throw new ArgumentNullException(nameof(s3));
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_timeProvider = timeProvider ?? TimeProvider.System;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<PayloadReference> StoreAsync(
string tenantId,
ReadOnlyMemory<byte> data,
ProvenanceMetadata provenance,
string contentType = "application/json",
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentNullException.ThrowIfNull(provenance);
var dataArray = data.ToArray();
var sha256 = ComputeSha256(dataArray);
// Use inline storage for small payloads
if (dataArray.Length < _options.InlineThreshold)
{
_logger.LogDebug(
"Storing inline payload for tenant {TenantId}, size {Size} bytes",
tenantId, dataArray.Length);
return PayloadReference.CreateInline(dataArray, sha256, provenance, contentType);
}
// Store in S3
var bucket = _options.GetBucketName(tenantId);
await EnsureBucketExistsAsync(tenantId, cancellationToken).ConfigureAwait(false);
var shouldCompress = dataArray.Length >= _options.CompressionThreshold;
var encoding = ContentEncoding.Identity;
byte[] payloadToStore = dataArray;
if (shouldCompress)
{
payloadToStore = CompressGzip(dataArray);
encoding = ContentEncoding.Gzip;
_logger.LogDebug(
"Compressed payload from {OriginalSize} to {CompressedSize} bytes",
dataArray.Length, payloadToStore.Length);
}
var key = GenerateKey(sha256, provenance.IngestedAt, contentType, encoding);
var request = new PutObjectRequest
{
BucketName = bucket,
Key = key,
InputStream = new MemoryStream(payloadToStore),
ContentType = encoding == ContentEncoding.Gzip ? "application/gzip" : contentType,
AutoCloseStream = true,
};
// Add metadata
request.Metadata["x-stellaops-sha256"] = sha256;
request.Metadata["x-stellaops-original-size"] = dataArray.Length.ToString();
request.Metadata["x-stellaops-encoding"] = encoding.ToString().ToLowerInvariant();
request.Metadata["x-stellaops-source-id"] = provenance.SourceId;
request.Metadata["x-stellaops-ingested-at"] = provenance.IngestedAt.ToString("O");
await _s3.PutObjectAsync(request, cancellationToken).ConfigureAwait(false);
_logger.LogDebug(
"Stored object {Bucket}/{Key}, size {Size} bytes, encoding {Encoding}",
bucket, key, payloadToStore.Length, encoding);
var pointer = new ObjectPointer
{
Bucket = bucket,
Key = key,
Sha256 = sha256,
Size = payloadToStore.Length,
ContentType = contentType,
Encoding = encoding,
};
return PayloadReference.CreateObjectStorage(pointer, provenance);
}
public async Task<PayloadReference> StoreStreamAsync(
string tenantId,
Stream stream,
ProvenanceMetadata provenance,
string contentType = "application/json",
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
ArgumentNullException.ThrowIfNull(stream);
ArgumentNullException.ThrowIfNull(provenance);
// Read stream to memory for hash computation
using var memoryStream = new MemoryStream();
await stream.CopyToAsync(memoryStream, cancellationToken).ConfigureAwait(false);
var data = memoryStream.ToArray();
return await StoreAsync(tenantId, data, provenance, contentType, cancellationToken)
.ConfigureAwait(false);
}
public async Task<byte[]?> RetrieveAsync(
PayloadReference reference,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(reference);
// Handle inline data
if (reference.Inline && reference.InlineData is not null)
{
return Convert.FromBase64String(reference.InlineData);
}
var stream = await RetrieveStreamAsync(reference, cancellationToken).ConfigureAwait(false);
if (stream is null)
{
return null;
}
using (stream)
{
using var memoryStream = new MemoryStream();
await stream.CopyToAsync(memoryStream, cancellationToken).ConfigureAwait(false);
return memoryStream.ToArray();
}
}
public async Task<Stream?> RetrieveStreamAsync(
PayloadReference reference,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(reference);
// Handle inline data
if (reference.Inline && reference.InlineData is not null)
{
return new MemoryStream(Convert.FromBase64String(reference.InlineData));
}
var pointer = reference.Pointer;
try
{
var response = await _s3.GetObjectAsync(pointer.Bucket, pointer.Key, cancellationToken)
.ConfigureAwait(false);
Stream resultStream = response.ResponseStream;
// Decompress if needed
if (pointer.Encoding == ContentEncoding.Gzip)
{
var decompressed = new MemoryStream();
using (var gzip = new GZipStream(response.ResponseStream, CompressionMode.Decompress))
{
await gzip.CopyToAsync(decompressed, cancellationToken).ConfigureAwait(false);
}
decompressed.Position = 0;
resultStream = decompressed;
}
return resultStream;
}
catch (AmazonS3Exception ex) when (ex.StatusCode == System.Net.HttpStatusCode.NotFound)
{
_logger.LogWarning("Object not found: {Bucket}/{Key}", pointer.Bucket, pointer.Key);
return null;
}
}
public async Task<bool> ExistsAsync(
ObjectPointer pointer,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(pointer);
try
{
var metadata = await _s3.GetObjectMetadataAsync(pointer.Bucket, pointer.Key, cancellationToken)
.ConfigureAwait(false);
return metadata.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
catch (AmazonS3Exception ex) when (ex.StatusCode == System.Net.HttpStatusCode.NotFound)
{
return false;
}
}
public async Task DeleteAsync(
ObjectPointer pointer,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(pointer);
await _s3.DeleteObjectAsync(pointer.Bucket, pointer.Key, cancellationToken)
.ConfigureAwait(false);
_logger.LogDebug("Deleted object {Bucket}/{Key}", pointer.Bucket, pointer.Key);
}
public async Task EnsureBucketExistsAsync(
string tenantId,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenantId);
var bucket = _options.GetBucketName(tenantId);
try
{
await _s3.EnsureBucketExistsAsync(bucket).ConfigureAwait(false);
_logger.LogDebug("Ensured bucket exists: {Bucket}", bucket);
}
catch (AmazonS3Exception ex)
{
_logger.LogError(ex, "Failed to ensure bucket exists: {Bucket}", bucket);
throw;
}
}
public async Task<bool> VerifyIntegrityAsync(
PayloadReference reference,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(reference);
var data = await RetrieveAsync(reference, cancellationToken).ConfigureAwait(false);
if (data is null)
{
return false;
}
var computedHash = ComputeSha256(data);
var matches = string.Equals(computedHash, reference.Pointer.Sha256, StringComparison.OrdinalIgnoreCase);
if (!matches)
{
_logger.LogWarning(
"Integrity check failed for {Bucket}/{Key}: expected {Expected}, got {Actual}",
reference.Pointer.Bucket, reference.Pointer.Key,
reference.Pointer.Sha256, computedHash);
}
return matches;
}
private static string ComputeSha256(byte[] data)
{
var hash = SHA256.HashData(data);
return Convert.ToHexStringLower(hash);
}
private static byte[] CompressGzip(byte[] data)
{
using var output = new MemoryStream();
using (var gzip = new GZipStream(output, CompressionLevel.Optimal, leaveOpen: true))
{
gzip.Write(data);
}
return output.ToArray();
}
private static string GenerateKey(
string sha256,
DateTimeOffset ingestedAt,
string contentType,
ContentEncoding encoding)
{
var date = ingestedAt.UtcDateTime;
var extension = GetExtension(contentType, encoding);
// Format: advisories/raw/YYYY/MM/DD/sha256-{hash}.{extension}
return $"advisories/raw/{date:yyyy}/{date:MM}/{date:dd}/sha256-{sha256[..16]}{extension}";
}
private static string GetExtension(string contentType, ContentEncoding encoding)
{
var baseExt = contentType switch
{
"application/json" => ".json",
"application/xml" or "text/xml" => ".xml",
"text/csv" => ".csv",
"application/x-ndjson" => ".ndjson",
"application/x-yaml" or "text/yaml" => ".yaml",
_ => ".bin"
};
return encoding switch
{
ContentEncoding.Gzip => baseExt + ".gz",
ContentEncoding.Zstd => baseExt + ".zst",
_ => baseExt
};
}
}

82
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/AdvisoryConflictStoreTests.cs
View File

@@ -1,82 +0,0 @@
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using MongoDB.Bson;
using MongoDB.Driver;
using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Storage.Mongo.Conflicts;
using StellaOps.Concelier.Testing;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class AdvisoryConflictStoreTests
{
private readonly IMongoDatabase _database;
public AdvisoryConflictStoreTests(MongoIntegrationFixture fixture)
{
_database = fixture.Database ?? throw new ArgumentNullException(nameof(fixture.Database));
}
[Fact]
public async Task InsertAndRetrieve_PersistsConflicts()
{
var store = new AdvisoryConflictStore(_database);
var vulnerabilityKey = $"CVE-{Guid.NewGuid():N}";
var baseTime = DateTimeOffset.UtcNow;
var statementIds = new[] { Guid.NewGuid(), Guid.NewGuid() };
var conflict = new AdvisoryConflictRecord(
Guid.NewGuid(),
vulnerabilityKey,
new byte[] { 0x10, 0x20 },
baseTime,
baseTime.AddSeconds(30),
statementIds,
new BsonDocument("explanation", "first-pass"));
await store.InsertAsync(new[] { conflict }, CancellationToken.None);
var results = await store.GetConflictsAsync(vulnerabilityKey, null, CancellationToken.None);
Assert.Single(results);
Assert.Equal(conflict.Id, results[0].Id);
Assert.Equal(statementIds, results[0].StatementIds);
}
[Fact]
public async Task GetConflicts_AsOfFilters()
{
var store = new AdvisoryConflictStore(_database);
var vulnerabilityKey = $"CVE-{Guid.NewGuid():N}";
var baseTime = DateTimeOffset.UtcNow;
var earlyConflict = new AdvisoryConflictRecord(
Guid.NewGuid(),
vulnerabilityKey,
new byte[] { 0x01 },
baseTime,
baseTime.AddSeconds(10),
new[] { Guid.NewGuid() },
new BsonDocument("stage", "early"));
var lateConflict = new AdvisoryConflictRecord(
Guid.NewGuid(),
vulnerabilityKey,
new byte[] { 0x02 },
baseTime.AddMinutes(10),
baseTime.AddMinutes(10).AddSeconds(15),
new[] { Guid.NewGuid() },
new BsonDocument("stage", "late"));
await store.InsertAsync(new[] { earlyConflict, lateConflict }, CancellationToken.None);
var results = await store.GetConflictsAsync(vulnerabilityKey, baseTime.AddMinutes(1), CancellationToken.None);
Assert.Single(results);
Assert.Equal("early", results[0].Details["stage"].AsString);
}
}

96
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/AdvisoryStatementStoreTests.cs
View File

@@ -1,96 +0,0 @@
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using MongoDB.Bson;
using MongoDB.Driver;
using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Storage.Mongo.Statements;
using StellaOps.Concelier.Testing;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class AdvisoryStatementStoreTests
{
private readonly IMongoDatabase _database;
public AdvisoryStatementStoreTests(MongoIntegrationFixture fixture)
{
_database = fixture.Database ?? throw new ArgumentNullException(nameof(fixture.Database));
}
[Fact]
public async Task InsertAndRetrieve_WritesImmutableStatements()
{
var store = new AdvisoryStatementStore(_database);
var vulnerabilityKey = $"CVE-{Guid.NewGuid():N}";
var baseTime = DateTimeOffset.UtcNow;
var statements = new[]
{
new AdvisoryStatementRecord(
Guid.NewGuid(),
vulnerabilityKey,
vulnerabilityKey,
new byte[] { 0x01 },
baseTime,
baseTime.AddSeconds(5),
new BsonDocument("version", "A"),
new[] { Guid.NewGuid() }),
new AdvisoryStatementRecord(
Guid.NewGuid(),
vulnerabilityKey,
vulnerabilityKey,
new byte[] { 0x02 },
baseTime.AddMinutes(1),
baseTime.AddMinutes(1).AddSeconds(5),
new BsonDocument("version", "B"),
Array.Empty<Guid>()),
};
await store.InsertAsync(statements, CancellationToken.None);
var results = await store.GetStatementsAsync(vulnerabilityKey, null, CancellationToken.None);
Assert.Equal(2, results.Count);
Assert.Equal(statements[1].Id, results[0].Id); // sorted by AsOf desc
Assert.True(results.All(record => record.Payload.Contains("version")));
}
[Fact]
public async Task GetStatements_AsOfFiltersResults()
{
var store = new AdvisoryStatementStore(_database);
var vulnerabilityKey = $"CVE-{Guid.NewGuid():N}";
var baseTime = DateTimeOffset.UtcNow;
var early = new AdvisoryStatementRecord(
Guid.NewGuid(),
vulnerabilityKey,
vulnerabilityKey,
new byte[] { 0xAA },
baseTime,
baseTime.AddSeconds(10),
new BsonDocument("state", "early"),
Array.Empty<Guid>());
var late = new AdvisoryStatementRecord(
Guid.NewGuid(),
vulnerabilityKey,
vulnerabilityKey,
new byte[] { 0xBB },
baseTime.AddMinutes(5),
baseTime.AddMinutes(5).AddSeconds(10),
new BsonDocument("state", "late"),
Array.Empty<Guid>());
await store.InsertAsync(new[] { early, late }, CancellationToken.None);
var results = await store.GetStatementsAsync(vulnerabilityKey, baseTime.AddMinutes(1), CancellationToken.None);
Assert.Single(results);
Assert.Equal("early", results[0].Payload["state"].AsString);
}
}

200
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/AdvisoryStorePerformanceTests.cs
View File

@@ -1,200 +0,0 @@
using System.Diagnostics;
using System.Linq;
using System.Threading;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Concelier.Models;
using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Storage.Mongo.Advisories;
using StellaOps.Concelier.Storage.Mongo.Aliases;
using StellaOps.Concelier.Storage.Mongo.Migrations;
using Xunit;
using Xunit.Abstractions;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class AdvisoryStorePerformanceTests : IClassFixture<MongoIntegrationFixture>
{
private const int LargeAdvisoryCount = 30;
private const int AliasesPerAdvisory = 24;
private const int ReferencesPerAdvisory = 180;
private const int AffectedPackagesPerAdvisory = 140;
private const int VersionRangesPerPackage = 4;
private const int CvssMetricsPerAdvisory = 24;
private const int ProvenanceEntriesPerAdvisory = 16;
private static readonly string LargeSummary = new('A', 128 * 1024);
private static readonly DateTimeOffset BasePublished = new(2024, 1, 1, 0, 0, 0, TimeSpan.Zero);
private static readonly DateTimeOffset BaseRecorded = new(2024, 1, 1, 0, 0, 0, TimeSpan.Zero);
private static readonly TimeSpan TotalBudget = TimeSpan.FromSeconds(28);
private const double UpsertBudgetPerAdvisoryMs = 500;
private const double FetchBudgetPerAdvisoryMs = 200;
private const double FindBudgetPerAdvisoryMs = 200;
private readonly MongoIntegrationFixture _fixture;
private readonly ITestOutputHelper _output;
public AdvisoryStorePerformanceTests(MongoIntegrationFixture fixture, ITestOutputHelper output)
{
_fixture = fixture;
_output = output;
}
[Fact]
public async Task UpsertAndQueryLargeAdvisories_CompletesWithinBudget()
{
var databaseName = $"concelier-performance-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
try
{
var migrationRunner = new MongoMigrationRunner(
database,
Array.Empty<IMongoMigration>(),
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
var bootstrapper = new MongoBootstrapper(
database,
Options.Create(new MongoStorageOptions()),
NullLogger<MongoBootstrapper>.Instance,
migrationRunner);
await bootstrapper.InitializeAsync(CancellationToken.None);
var aliasStore = new AliasStore(database, NullLogger<AliasStore>.Instance);
var store = new AdvisoryStore(
database,
aliasStore,
NullLogger<AdvisoryStore>.Instance,
Options.Create(new MongoStorageOptions()),
TimeProvider.System);
using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(45));
// Warm up collections (indexes, serialization caches) so perf timings exclude one-time setup work.
var warmup = CreateLargeAdvisory(-1);
await store.UpsertAsync(warmup, cts.Token);
_ = await store.FindAsync(warmup.AdvisoryKey, cts.Token);
_ = await store.GetRecentAsync(1, cts.Token);
var advisories = Enumerable.Range(0, LargeAdvisoryCount)
.Select(CreateLargeAdvisory)
.ToArray();
var upsertWatch = Stopwatch.StartNew();
foreach (var advisory in advisories)
{
await store.UpsertAsync(advisory, cts.Token);
}
upsertWatch.Stop();
var upsertPerAdvisory = upsertWatch.Elapsed.TotalMilliseconds / LargeAdvisoryCount;
var fetchWatch = Stopwatch.StartNew();
var recent = await store.GetRecentAsync(LargeAdvisoryCount, cts.Token);
fetchWatch.Stop();
var fetchPerAdvisory = fetchWatch.Elapsed.TotalMilliseconds / LargeAdvisoryCount;
Assert.Equal(LargeAdvisoryCount, recent.Count);
var findWatch = Stopwatch.StartNew();
foreach (var advisory in advisories)
{
var fetched = await store.FindAsync(advisory.AdvisoryKey, cts.Token);
Assert.NotNull(fetched);
}
findWatch.Stop();
var findPerAdvisory = findWatch.Elapsed.TotalMilliseconds / LargeAdvisoryCount;
var totalElapsed = upsertWatch.Elapsed + fetchWatch.Elapsed + findWatch.Elapsed;
_output.WriteLine($"Upserted {LargeAdvisoryCount} large advisories in {upsertWatch.Elapsed} ({upsertPerAdvisory:F2} ms/doc).");
_output.WriteLine($"Fetched recent advisories in {fetchWatch.Elapsed} ({fetchPerAdvisory:F2} ms/doc).");
_output.WriteLine($"Looked up advisories individually in {findWatch.Elapsed} ({findPerAdvisory:F2} ms/doc).");
_output.WriteLine($"Total elapsed {totalElapsed}.");
Assert.True(upsertPerAdvisory <= UpsertBudgetPerAdvisoryMs, $"Upsert exceeded {UpsertBudgetPerAdvisoryMs} ms per advisory: {upsertPerAdvisory:F2} ms.");
Assert.True(fetchPerAdvisory <= FetchBudgetPerAdvisoryMs, $"GetRecent exceeded {FetchBudgetPerAdvisoryMs} ms per advisory: {fetchPerAdvisory:F2} ms.");
Assert.True(findPerAdvisory <= FindBudgetPerAdvisoryMs, $"Find exceeded {FindBudgetPerAdvisoryMs} ms per advisory: {findPerAdvisory:F2} ms.");
Assert.True(totalElapsed <= TotalBudget, $"Mongo advisory operations exceeded total budget {TotalBudget}: {totalElapsed}.");
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
private static Advisory CreateLargeAdvisory(int index)
{
var baseKey = $"ADV-LARGE-{index:D4}";
var published = BasePublished.AddDays(index);
var modified = published.AddHours(6);
var aliases = Enumerable.Range(0, AliasesPerAdvisory)
.Select(i => $"ALIAS-{baseKey}-{i:D4}")
.ToArray();
var provenance = Enumerable.Range(0, ProvenanceEntriesPerAdvisory)
.Select(i => new AdvisoryProvenance(
source: i % 2 == 0 ? "nvd" : "vendor",
kind: i % 3 == 0 ? "normalized" : "enriched",
value: $"prov-{baseKey}-{i:D3}",
recordedAt: BaseRecorded.AddDays(i)))
.ToArray();
var references = Enumerable.Range(0, ReferencesPerAdvisory)
.Select(i => new AdvisoryReference(
url: $"https://vuln.example.com/{baseKey}/ref/{i:D4}",
kind: i % 2 == 0 ? "advisory" : "article",
sourceTag: $"tag-{i % 7}",
summary: $"Reference {baseKey} #{i}",
provenance: provenance[i % provenance.Length]))
.ToArray();
var affectedPackages = Enumerable.Range(0, AffectedPackagesPerAdvisory)
.Select(i => new AffectedPackage(
type: i % 3 == 0 ? AffectedPackageTypes.Rpm : AffectedPackageTypes.Deb,
identifier: $"pkg/{baseKey}/{i:D4}",
platform: i % 4 == 0 ? "linux/x86_64" : "linux/aarch64",
versionRanges: Enumerable.Range(0, VersionRangesPerPackage)
.Select(r => new AffectedVersionRange(
rangeKind: r % 2 == 0 ? "semver" : "evr",
introducedVersion: $"1.{index}.{i}.{r}",
fixedVersion: $"2.{index}.{i}.{r}",
lastAffectedVersion: $"1.{index}.{i}.{r}",
rangeExpression: $">=1.{index}.{i}.{r} <2.{index}.{i}.{r}",
provenance: provenance[(i + r) % provenance.Length]))
.ToArray(),
statuses: Array.Empty<AffectedPackageStatus>(),
provenance: new[]
{
provenance[i % provenance.Length],
provenance[(i + 3) % provenance.Length],
}))
.ToArray();
var cvssMetrics = Enumerable.Range(0, CvssMetricsPerAdvisory)
.Select(i => new CvssMetric(
version: i % 2 == 0 ? "3.1" : "2.0",
vector: $"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:{(i % 3 == 0 ? "H" : "L")}",
baseScore: Math.Max(0, 9.8 - i * 0.2),
baseSeverity: i % 3 == 0 ? "critical" : "high",
provenance: provenance[i % provenance.Length]))
.ToArray();
return new Advisory(
advisoryKey: baseKey,
title: $"Large advisory {baseKey}",
summary: LargeSummary,
language: "en",
published: published,
modified: modified,
severity: "critical",
exploitKnown: index % 2 == 0,
aliases: aliases,
references: references,
affectedPackages: affectedPackages,
cvssMetrics: cvssMetrics,
provenance: provenance);
}
}

305
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/AdvisoryStoreTests.cs
View File

@@ -1,305 +0,0 @@
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using MongoDB.Driver;
using StellaOps.Concelier.Models;
using StellaOps.Concelier.Storage.Mongo.Advisories;
using StellaOps.Concelier.Storage.Mongo.Aliases;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class AdvisoryStoreTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public AdvisoryStoreTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task UpsertAndFetchAdvisory()
{
await DropCollectionAsync(MongoStorageDefaults.Collections.Advisory);
await DropCollectionAsync(MongoStorageDefaults.Collections.Alias);
var aliasStore = new AliasStore(_fixture.Database, NullLogger<AliasStore>.Instance);
var store = new AdvisoryStore(
_fixture.Database,
aliasStore,
NullLogger<AdvisoryStore>.Instance,
Options.Create(new MongoStorageOptions()),
TimeProvider.System);
var advisory = new Advisory(
advisoryKey: "ADV-1",
title: "Sample Advisory",
summary: "Demo",
language: "en",
published: DateTimeOffset.UtcNow,
modified: DateTimeOffset.UtcNow,
severity: "medium",
exploitKnown: false,
aliases: new[] { "ALIAS-1" },
references: Array.Empty<AdvisoryReference>(),
affectedPackages: Array.Empty<AffectedPackage>(),
cvssMetrics: Array.Empty<CvssMetric>(),
provenance: Array.Empty<AdvisoryProvenance>());
await store.UpsertAsync(advisory, CancellationToken.None);
var fetched = await store.FindAsync("ADV-1", CancellationToken.None);
Assert.NotNull(fetched);
Assert.Equal(advisory.AdvisoryKey, fetched!.AdvisoryKey);
var recent = await store.GetRecentAsync(5, CancellationToken.None);
Assert.NotEmpty(recent);
var aliases = await aliasStore.GetByAdvisoryAsync("ADV-1", CancellationToken.None);
Assert.Contains(aliases, record => record.Scheme == AliasStoreConstants.PrimaryScheme && record.Value == "ADV-1");
Assert.Contains(aliases, record => record.Value == "ALIAS-1");
}
[Fact]
public async Task RangePrimitives_RoundTripThroughMongo()
{
await DropCollectionAsync(MongoStorageDefaults.Collections.Advisory);
await DropCollectionAsync(MongoStorageDefaults.Collections.Alias);
var aliasStore = new AliasStore(_fixture.Database, NullLogger<AliasStore>.Instance);
var store = new AdvisoryStore(
_fixture.Database,
aliasStore,
NullLogger<AdvisoryStore>.Instance,
Options.Create(new MongoStorageOptions()),
TimeProvider.System);
var recordedAt = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero);
var provenance = new AdvisoryProvenance("source-x", "mapper", "payload-123", recordedAt);
var rangePrimitives = new RangePrimitives(
new SemVerPrimitive(
Introduced: "1.0.0",
IntroducedInclusive: true,
Fixed: "1.2.0",
FixedInclusive: false,
LastAffected: "1.1.5",
LastAffectedInclusive: true,
ConstraintExpression: ">=1.0.0 <1.2.0"),
new NevraPrimitive(
Introduced: new NevraComponent("pkg", 0, "1.0.0", "1", "x86_64"),
Fixed: new NevraComponent("pkg", 1, "1.2.0", "2", "x86_64"),
LastAffected: null),
new EvrPrimitive(
Introduced: new EvrComponent(1, "1.0.0", "1"),
Fixed: null,
LastAffected: new EvrComponent(1, "1.1.5", null)),
new Dictionary<string, string>(StringComparer.Ordinal)
{
["channel"] = "stable",
["notesHash"] = "abc123",
});
var versionRange = new AffectedVersionRange(
rangeKind: "semver",
introducedVersion: "1.0.0",
fixedVersion: "1.2.0",
lastAffectedVersion: "1.1.5",
rangeExpression: ">=1.0.0 <1.2.0",
provenance,
rangePrimitives);
var affectedPackage = new AffectedPackage(
type: "semver",
identifier: "pkg@1.x",
platform: "linux",
versionRanges: new[] { versionRange },
statuses: Array.Empty<AffectedPackageStatus>(),
provenance: new[] { provenance });
var advisory = new Advisory(
advisoryKey: "ADV-RANGE-1",
title: "Sample Range Primitive",
summary: "Testing range primitive persistence.",
language: "en",
published: recordedAt,
modified: recordedAt,
severity: "medium",
exploitKnown: false,
aliases: new[] { "CVE-2025-0001" },
references: Array.Empty<AdvisoryReference>(),
affectedPackages: new[] { affectedPackage },
cvssMetrics: Array.Empty<CvssMetric>(),
provenance: new[] { provenance });
await store.UpsertAsync(advisory, CancellationToken.None);
var fetched = await store.FindAsync("ADV-RANGE-1", CancellationToken.None);
Assert.NotNull(fetched);
var fetchedPackage = Assert.Single(fetched!.AffectedPackages);
var fetchedRange = Assert.Single(fetchedPackage.VersionRanges);
Assert.Equal(versionRange.RangeKind, fetchedRange.RangeKind);
Assert.Equal(versionRange.IntroducedVersion, fetchedRange.IntroducedVersion);
Assert.Equal(versionRange.FixedVersion, fetchedRange.FixedVersion);
Assert.Equal(versionRange.LastAffectedVersion, fetchedRange.LastAffectedVersion);
Assert.Equal(versionRange.RangeExpression, fetchedRange.RangeExpression);
Assert.Equal(versionRange.Provenance.Source, fetchedRange.Provenance.Source);
Assert.Equal(versionRange.Provenance.Kind, fetchedRange.Provenance.Kind);
Assert.Equal(versionRange.Provenance.Value, fetchedRange.Provenance.Value);
Assert.Equal(versionRange.Provenance.DecisionReason, fetchedRange.Provenance.DecisionReason);
Assert.Equal(versionRange.Provenance.RecordedAt, fetchedRange.Provenance.RecordedAt);
Assert.True(versionRange.Provenance.FieldMask.SequenceEqual(fetchedRange.Provenance.FieldMask));
Assert.NotNull(fetchedRange.Primitives);
Assert.Equal(rangePrimitives.SemVer, fetchedRange.Primitives!.SemVer);
Assert.Equal(rangePrimitives.Nevra, fetchedRange.Primitives.Nevra);
Assert.Equal(rangePrimitives.Evr, fetchedRange.Primitives.Evr);
Assert.Equal(rangePrimitives.VendorExtensions, fetchedRange.Primitives.VendorExtensions);
}
[Fact]
public async Task UpsertAsync_SkipsNormalizedVersionsWhenFeatureDisabled()
{
await DropCollectionAsync(MongoStorageDefaults.Collections.Advisory);
await DropCollectionAsync(MongoStorageDefaults.Collections.Alias);
var aliasStore = new AliasStore(_fixture.Database, NullLogger<AliasStore>.Instance);
var store = new AdvisoryStore(
_fixture.Database,
aliasStore,
NullLogger<AdvisoryStore>.Instance,
Options.Create(new MongoStorageOptions { EnableSemVerStyle = false }),
TimeProvider.System);
var advisory = CreateNormalizedAdvisory("ADV-NORM-DISABLED");
await store.UpsertAsync(advisory, CancellationToken.None);
var document = await _fixture.Database
.GetCollection<AdvisoryDocument>(MongoStorageDefaults.Collections.Advisory)
.Find(x => x.AdvisoryKey == advisory.AdvisoryKey)
.FirstOrDefaultAsync();
Assert.NotNull(document);
Assert.True(document!.NormalizedVersions is null || document.NormalizedVersions.Count == 0);
}
[Fact]
public async Task UpsertAsync_PopulatesNormalizedVersionsWhenFeatureEnabled()
{
await DropCollectionAsync(MongoStorageDefaults.Collections.Advisory);
await DropCollectionAsync(MongoStorageDefaults.Collections.Alias);
var aliasStore = new AliasStore(_fixture.Database, NullLogger<AliasStore>.Instance);
var store = new AdvisoryStore(
_fixture.Database,
aliasStore,
NullLogger<AdvisoryStore>.Instance,
Options.Create(new MongoStorageOptions { EnableSemVerStyle = true }),
TimeProvider.System);
var advisory = CreateNormalizedAdvisory("ADV-NORM-ENABLED");
await store.UpsertAsync(advisory, CancellationToken.None);
var document = await _fixture.Database
.GetCollection<AdvisoryDocument>(MongoStorageDefaults.Collections.Advisory)
.Find(x => x.AdvisoryKey == advisory.AdvisoryKey)
.FirstOrDefaultAsync();
Assert.NotNull(document);
var normalizedCollection = document!.NormalizedVersions;
Assert.NotNull(normalizedCollection);
var normalized = Assert.Single(normalizedCollection!);
Assert.Equal("pkg:npm/example", normalized.PackageId);
Assert.Equal(AffectedPackageTypes.SemVer, normalized.PackageType);
Assert.Equal(NormalizedVersionSchemes.SemVer, normalized.Scheme);
Assert.Equal(NormalizedVersionRuleTypes.Range, normalized.Type);
Assert.Equal("range", normalized.Style);
Assert.Equal("1.0.0", normalized.Min);
Assert.True(normalized.MinInclusive);
Assert.Equal("2.0.0", normalized.Max);
Assert.False(normalized.MaxInclusive);
Assert.Null(normalized.Value);
Assert.Equal("ghsa:pkg:npm/example", normalized.Notes);
Assert.Equal("range-decision", normalized.DecisionReason);
Assert.Equal(">= 1.0.0 < 2.0.0", normalized.Constraint);
Assert.Equal("ghsa", normalized.Source);
Assert.Equal(new DateTime(2025, 10, 9, 0, 0, 0, DateTimeKind.Utc), normalized.RecordedAtUtc);
}
private static Advisory CreateNormalizedAdvisory(string advisoryKey)
{
var recordedAt = new DateTimeOffset(2025, 10, 9, 0, 0, 0, TimeSpan.Zero);
var rangeProvenance = new AdvisoryProvenance(
source: "ghsa",
kind: "affected-range",
value: "pkg:npm/example",
recordedAt: recordedAt,
fieldMask: new[] { "affectedpackages[].versionranges[]" },
decisionReason: "range-decision");
var semverPrimitive = new SemVerPrimitive(
Introduced: "1.0.0",
IntroducedInclusive: true,
Fixed: "2.0.0",
FixedInclusive: false,
LastAffected: null,
LastAffectedInclusive: false,
ConstraintExpression: ">= 1.0.0 < 2.0.0");
var normalizedRule = semverPrimitive.ToNormalizedVersionRule("ghsa:pkg:npm/example")!;
var versionRange = new AffectedVersionRange(
rangeKind: "semver",
introducedVersion: "1.0.0",
fixedVersion: "2.0.0",
lastAffectedVersion: null,
rangeExpression: ">= 1.0.0 < 2.0.0",
provenance: rangeProvenance,
primitives: new RangePrimitives(semverPrimitive, null, null, null));
var package = new AffectedPackage(
type: AffectedPackageTypes.SemVer,
identifier: "pkg:npm/example",
platform: "npm",
versionRanges: new[] { versionRange },
statuses: Array.Empty<AffectedPackageStatus>(),
provenance: new[] { rangeProvenance },
normalizedVersions: new[] { normalizedRule });
var advisoryProvenance = new AdvisoryProvenance(
source: "ghsa",
kind: "document",
value: advisoryKey,
recordedAt: recordedAt,
fieldMask: new[] { "advisory" },
decisionReason: "document-decision");
return new Advisory(
advisoryKey: advisoryKey,
title: "Normalized advisory",
summary: "Contains normalized versions for storage testing.",
language: "en",
published: recordedAt,
modified: recordedAt,
severity: "medium",
exploitKnown: false,
aliases: new[] { $"{advisoryKey}-ALIAS" },
references: Array.Empty<AdvisoryReference>(),
affectedPackages: new[] { package },
cvssMetrics: Array.Empty<CvssMetric>(),
provenance: new[] { advisoryProvenance });
}
private async Task DropCollectionAsync(string collectionName)
{
try
{
await _fixture.Database.DropCollectionAsync(collectionName);
}
catch (MongoDB.Driver.MongoCommandException ex) when (ex.CodeName == "NamespaceNotFound" || ex.Message.Contains("ns not found", StringComparison.OrdinalIgnoreCase))
{
// ignore missing collection
}
}
}

60
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/AliasStoreTests.cs
View File

@@ -1,60 +0,0 @@
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging.Abstractions;
using MongoDB.Driver;
using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Storage.Mongo.Aliases;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class AliasStoreTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public AliasStoreTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task ReplaceAsync_UpsertsAliases_AndDetectsCollision()
{
await DropAliasCollectionAsync();
var store = new AliasStore(_fixture.Database, NullLogger<AliasStore>.Instance);
var timestamp = DateTimeOffset.UtcNow;
await store.ReplaceAsync(
"ADV-1",
new[] { new AliasEntry("CVE", "CVE-2025-1234"), new AliasEntry(AliasStoreConstants.PrimaryScheme, "ADV-1") },
timestamp,
CancellationToken.None);
var firstAliases = await store.GetByAdvisoryAsync("ADV-1", CancellationToken.None);
Assert.Contains(firstAliases, record => record.Scheme == "CVE" && record.Value == "CVE-2025-1234");
var result = await store.ReplaceAsync(
"ADV-2",
new[] { new AliasEntry("CVE", "CVE-2025-1234"), new AliasEntry(AliasStoreConstants.PrimaryScheme, "ADV-2") },
timestamp.AddMinutes(1),
CancellationToken.None);
Assert.NotEmpty(result.Collisions);
var collision = Assert.Single(result.Collisions);
Assert.Equal("CVE", collision.Scheme);
Assert.Contains("ADV-1", collision.AdvisoryKeys);
Assert.Contains("ADV-2", collision.AdvisoryKeys);
}
private async Task DropAliasCollectionAsync()
{
try
{
await _fixture.Database.DropCollectionAsync(MongoStorageDefaults.Collections.Alias);
}
catch (MongoDB.Driver.MongoCommandException ex) when (ex.CodeName == "NamespaceNotFound" || ex.Message.Contains("ns not found", StringComparison.OrdinalIgnoreCase))
{
}
}
}

51
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/DocumentStoreTests.cs
View File

@@ -1,51 +0,0 @@
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Concelier.Storage.Mongo.Documents;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class DocumentStoreTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public DocumentStoreTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task UpsertAndLookupDocument()
{
var store = new DocumentStore(_fixture.Database, NullLogger<DocumentStore>.Instance);
var id = Guid.NewGuid();
var record = new DocumentRecord(
id,
"source",
"https://example.com/advisory.json",
DateTimeOffset.UtcNow,
"sha123",
"pending",
"application/json",
new Dictionary<string, string> { ["etag"] = "abc" },
new Dictionary<string, string> { ["note"] = "test" },
"etag-value",
DateTimeOffset.UtcNow,
null,
DateTimeOffset.UtcNow.AddDays(30));
var upserted = await store.UpsertAsync(record, CancellationToken.None);
Assert.Equal(id, upserted.Id);
var fetched = await store.FindBySourceAndUriAsync("source", "https://example.com/advisory.json", CancellationToken.None);
Assert.NotNull(fetched);
Assert.Equal("pending", fetched!.Status);
Assert.Equal("test", fetched.Metadata!["note"]);
var statusUpdated = await store.UpdateStatusAsync(id, "processed", CancellationToken.None);
Assert.True(statusUpdated);
var refreshed = await store.FindAsync(id, CancellationToken.None);
Assert.NotNull(refreshed);
Assert.Equal("processed", refreshed!.Status);
}
}

40
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/DtoStoreTests.cs
View File

@@ -1,40 +0,0 @@
using Microsoft.Extensions.Logging.Abstractions;
using MongoDB.Bson;
using StellaOps.Concelier.Storage.Mongo.Dtos;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class DtoStoreTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public DtoStoreTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task UpsertAndLookupDto()
{
var store = new DtoStore(_fixture.Database, NullLogger<DtoStore>.Instance);
var record = new DtoRecord(
Guid.NewGuid(),
Guid.NewGuid(),
"source",
"1.0",
new BsonDocument("value", 1),
DateTimeOffset.UtcNow);
var upserted = await store.UpsertAsync(record, CancellationToken.None);
Assert.Equal(record.DocumentId, upserted.DocumentId);
var fetched = await store.FindByDocumentIdAsync(record.DocumentId, CancellationToken.None);
Assert.NotNull(fetched);
Assert.Equal(1, fetched!.Payload["value"].AsInt32);
var bySource = await store.GetBySourceAsync("source", 10, CancellationToken.None);
Assert.Single(bySource);
Assert.Equal(record.DocumentId, bySource[0].DocumentId);
}
}

208
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/ExportStateManagerTests.cs
View File

@@ -1,208 +0,0 @@
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using StellaOps.Concelier.Storage.Mongo.Exporting;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
public sealed class ExportStateManagerTests
{
[Fact]
public async Task StoreFullExportInitializesBaseline()
{
var store = new InMemoryExportStateStore();
var timeProvider = new TestTimeProvider(DateTimeOffset.Parse("2024-07-20T12:00:00Z"));
var manager = new ExportStateManager(store, timeProvider);
var record = await manager.StoreFullExportAsync(
exporterId: "export:json",
exportId: "20240720T120000Z",
exportDigest: "sha256:abcd",
cursor: "cursor-1",
targetRepository: "registry.local/json",
exporterVersion: "1.0.0",
resetBaseline: true,
manifest: Array.Empty<ExportFileRecord>(),
cancellationToken: CancellationToken.None);
Assert.Equal("export:json", record.Id);
Assert.Equal("20240720T120000Z", record.BaseExportId);
Assert.Equal("sha256:abcd", record.BaseDigest);
Assert.Equal("sha256:abcd", record.LastFullDigest);
Assert.Null(record.LastDeltaDigest);
Assert.Equal("cursor-1", record.ExportCursor);
Assert.Equal("registry.local/json", record.TargetRepository);
Assert.Equal("1.0.0", record.ExporterVersion);
Assert.Equal(timeProvider.Now, record.UpdatedAt);
}
[Fact]
public async Task StoreFullExport_ResetBaselineOverridesExisting()
{
var store = new InMemoryExportStateStore();
var timeProvider = new TestTimeProvider(DateTimeOffset.Parse("2024-07-20T12:00:00Z"));
var manager = new ExportStateManager(store, timeProvider);
await manager.StoreFullExportAsync(
exporterId: "export:json",
exportId: "20240720T120000Z",
exportDigest: "sha256:base",
cursor: "cursor-base",
targetRepository: null,
exporterVersion: "1.0.0",
resetBaseline: true,
manifest: Array.Empty<ExportFileRecord>(),
cancellationToken: CancellationToken.None);
timeProvider.Advance(TimeSpan.FromMinutes(5));
var withoutReset = await manager.StoreFullExportAsync(
exporterId: "export:json",
exportId: "20240720T120500Z",
exportDigest: "sha256:new",
cursor: "cursor-new",
targetRepository: null,
exporterVersion: "1.0.1",
resetBaseline: false,
manifest: Array.Empty<ExportFileRecord>(),
cancellationToken: CancellationToken.None);
Assert.Equal("20240720T120000Z", withoutReset.BaseExportId);
Assert.Equal("sha256:base", withoutReset.BaseDigest);
Assert.Equal("sha256:new", withoutReset.LastFullDigest);
Assert.Equal("cursor-new", withoutReset.ExportCursor);
Assert.Equal(timeProvider.Now, withoutReset.UpdatedAt);
timeProvider.Advance(TimeSpan.FromMinutes(5));
var reset = await manager.StoreFullExportAsync(
exporterId: "export:json",
exportId: "20240720T121000Z",
exportDigest: "sha256:final",
cursor: "cursor-final",
targetRepository: null,
exporterVersion: "1.0.2",
resetBaseline: true,
manifest: Array.Empty<ExportFileRecord>(),
cancellationToken: CancellationToken.None);
Assert.Equal("20240720T121000Z", reset.BaseExportId);
Assert.Equal("sha256:final", reset.BaseDigest);
Assert.Equal("sha256:final", reset.LastFullDigest);
Assert.Null(reset.LastDeltaDigest);
Assert.Equal("cursor-final", reset.ExportCursor);
Assert.Equal(timeProvider.Now, reset.UpdatedAt);
}
[Fact]
public async Task StoreFullExport_ResetsBaselineWhenRepositoryChanges()
{
var store = new InMemoryExportStateStore();
var timeProvider = new TestTimeProvider(DateTimeOffset.Parse("2024-07-21T08:00:00Z"));
var manager = new ExportStateManager(store, timeProvider);
await manager.StoreFullExportAsync(
exporterId: "export:json",
exportId: "20240721T080000Z",
exportDigest: "sha256:base",
cursor: "cursor-base",
targetRepository: "registry/v1/json",
exporterVersion: "1.0.0",
resetBaseline: true,
manifest: Array.Empty<ExportFileRecord>(),
cancellationToken: CancellationToken.None);
timeProvider.Advance(TimeSpan.FromMinutes(10));
var updated = await manager.StoreFullExportAsync(
exporterId: "export:json",
exportId: "20240721T081000Z",
exportDigest: "sha256:new",
cursor: "cursor-new",
targetRepository: "registry/v2/json",
exporterVersion: "1.1.0",
resetBaseline: false,
manifest: Array.Empty<ExportFileRecord>(),
cancellationToken: CancellationToken.None);
Assert.Equal("20240721T081000Z", updated.BaseExportId);
Assert.Equal("sha256:new", updated.BaseDigest);
Assert.Equal("sha256:new", updated.LastFullDigest);
Assert.Equal("registry/v2/json", updated.TargetRepository);
}
[Fact]
public async Task StoreDeltaExportRequiresBaseline()
{
var store = new InMemoryExportStateStore();
var manager = new ExportStateManager(store);
await Assert.ThrowsAsync<InvalidOperationException>(() => manager.StoreDeltaExportAsync(
exporterId: "export:json",
deltaDigest: "sha256:def",
cursor: null,
exporterVersion: "1.0.1",
manifest: Array.Empty<ExportFileRecord>(),
cancellationToken: CancellationToken.None));
}
[Fact]
public async Task StoreDeltaExportUpdatesExistingState()
{
var store = new InMemoryExportStateStore();
var timeProvider = new TestTimeProvider(DateTimeOffset.Parse("2024-07-20T12:00:00Z"));
var manager = new ExportStateManager(store, timeProvider);
await manager.StoreFullExportAsync(
exporterId: "export:json",
exportId: "20240720T120000Z",
exportDigest: "sha256:abcd",
cursor: "cursor-1",
targetRepository: null,
exporterVersion: "1.0.0",
resetBaseline: true,
manifest: Array.Empty<ExportFileRecord>(),
cancellationToken: CancellationToken.None);
timeProvider.Advance(TimeSpan.FromMinutes(10));
var delta = await manager.StoreDeltaExportAsync(
exporterId: "export:json",
deltaDigest: "sha256:ef01",
cursor: "cursor-2",
exporterVersion: "1.0.1",
manifest: Array.Empty<ExportFileRecord>(),
cancellationToken: CancellationToken.None);
Assert.Equal("sha256:ef01", delta.LastDeltaDigest);
Assert.Equal("cursor-2", delta.ExportCursor);
Assert.Equal("1.0.1", delta.ExporterVersion);
Assert.Equal(timeProvider.Now, delta.UpdatedAt);
Assert.Equal("sha256:abcd", delta.LastFullDigest);
}
private sealed class InMemoryExportStateStore : IExportStateStore
{
private readonly Dictionary<string, ExportStateRecord> _records = new(StringComparer.Ordinal);
public Task<ExportStateRecord?> FindAsync(string id, CancellationToken cancellationToken)
{
_records.TryGetValue(id, out var record);
return Task.FromResult<ExportStateRecord?>(record);
}
public Task<ExportStateRecord> UpsertAsync(ExportStateRecord record, CancellationToken cancellationToken)
{
_records[record.Id] = record;
return Task.FromResult(record);
}
}
private sealed class TestTimeProvider : TimeProvider
{
public TestTimeProvider(DateTimeOffset start) => Now = start;
public DateTimeOffset Now { get; private set; }
public void Advance(TimeSpan delta) => Now = Now.Add(delta);
public override DateTimeOffset GetUtcNow() => Now;
}
}

42
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/ExportStateStoreTests.cs
View File

@@ -1,42 +0,0 @@
using System;
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Concelier.Storage.Mongo.Exporting;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class ExportStateStoreTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public ExportStateStoreTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task UpsertAndFetchExportState()
{
var store = new ExportStateStore(_fixture.Database, NullLogger<ExportStateStore>.Instance);
var record = new ExportStateRecord(
Id: "json",
BaseExportId: "base",
BaseDigest: "sha-base",
LastFullDigest: "sha-full",
LastDeltaDigest: null,
ExportCursor: "cursor",
TargetRepository: "repo",
ExporterVersion: "1.0",
UpdatedAt: DateTimeOffset.UtcNow,
Files: Array.Empty<ExportFileRecord>());
var saved = await store.UpsertAsync(record, CancellationToken.None);
Assert.Equal("json", saved.Id);
Assert.Empty(saved.Files);
var fetched = await store.FindAsync("json", CancellationToken.None);
Assert.NotNull(fetched);
Assert.Equal("sha-full", fetched!.LastFullDigest);
Assert.Empty(fetched.Files);
}
}

174
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Linksets/ConcelierMongoLinksetStoreTests.cs
View File

@@ -1,174 +0,0 @@
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Linq;
using System.Reflection;
using System.Threading;
using System.Threading.Tasks;
using MongoDB.Driver;
using StellaOps.Concelier.Core.Linksets;
using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Storage.Mongo.Linksets;
using StellaOps.Concelier.Testing;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests.Linksets;
public sealed class ConcelierMongoLinksetStoreTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public ConcelierMongoLinksetStoreTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public void MapToDocument_StoresConfidenceAndConflicts()
{
var linkset = new AdvisoryLinkset(
"tenant",
"ghsa",
"GHSA-1234",
ImmutableArray.Create("obs-1", "obs-2"),
null,
new AdvisoryLinksetProvenance(new[] { "h1", "h2" }, "tool", "policy"),
0.82,
new List<AdvisoryLinksetConflict>
{
new("severity", "disagree", new[] { "HIGH", "MEDIUM" }, new[] { "source-a", "source-b" })
},
DateTimeOffset.UtcNow,
"job-1");
var method = typeof(ConcelierMongoLinksetStore).GetMethod(
"MapToDocument",
BindingFlags.NonPublic | BindingFlags.Static);
Assert.NotNull(method);
var document = (AdvisoryLinksetDocument)method!.Invoke(null, new object?[] { linkset })!;
Assert.Equal(linkset.Confidence, document.Confidence);
Assert.NotNull(document.Conflicts);
Assert.Single(document.Conflicts!);
Assert.Equal("severity", document.Conflicts![0].Field);
Assert.Equal("disagree", document.Conflicts![0].Reason);
Assert.Equal(new[] { "source-a", "source-b" }, document.Conflicts![0].SourceIds);
}
[Fact]
public void FromDocument_RestoresConfidenceAndConflicts()
{
var doc = new AdvisoryLinksetDocument
{
TenantId = "tenant",
Source = "ghsa",
AdvisoryId = "GHSA-1234",
Observations = new List<string> { "obs-1" },
Confidence = 0.5,
Conflicts = new List<AdvisoryLinksetConflictDocument>
{
new()
{
Field = "references",
Reason = "mismatch",
Values = new List<string> { "url1", "url2" },
SourceIds = new List<string> { "src-a", "src-b" }
}
},
CreatedAt = DateTime.UtcNow
};
var method = typeof(ConcelierMongoLinksetStore).GetMethod(
"FromDocument",
BindingFlags.NonPublic | BindingFlags.Static);
Assert.NotNull(method);
var model = (AdvisoryLinkset)method!.Invoke(null, new object?[] { doc })!;
Assert.Equal(0.5, model.Confidence);
Assert.NotNull(model.Conflicts);
Assert.Single(model.Conflicts!);
Assert.Equal("references", model.Conflicts![0].Field);
Assert.Equal(new[] { "src-a", "src-b" }, model.Conflicts![0].SourceIds);
}
[Fact]
public async Task FindByTenantAsync_OrdersByCreatedAtThenAdvisoryId()
{
await _fixture.Database.DropCollectionAsync(MongoStorageDefaults.Collections.AdvisoryLinksets);
var collection = _fixture.Database.GetCollection<AdvisoryLinksetDocument>(MongoStorageDefaults.Collections.AdvisoryLinksets);
var store = new ConcelierMongoLinksetStore(collection);
var now = DateTimeOffset.UtcNow;
var linksets = new[]
{
new AdvisoryLinkset("Tenant-A", "src", "ADV-002", ImmutableArray.Create("obs-1"), null, null, null, null, now, "job-1"),
new AdvisoryLinkset("Tenant-A", "src", "ADV-001", ImmutableArray.Create("obs-2"), null, null, null, null, now, "job-2"),
new AdvisoryLinkset("Tenant-A", "src", "ADV-003", ImmutableArray.Create("obs-3"), null, null, null, null, now.AddMinutes(-5), "job-3")
};
foreach (var linkset in linksets)
{
await store.UpsertAsync(linkset, CancellationToken.None);
}
var results = await store.FindByTenantAsync("TENANT-A", null, null, cursor: null, limit: 10, cancellationToken: CancellationToken.None);
Assert.Equal(new[] { "ADV-001", "ADV-002", "ADV-003" }, results.Select(r => r.AdvisoryId));
}
[Fact]
public async Task FindByTenantAsync_AppliesCursorForDeterministicPaging()
{
await _fixture.Database.DropCollectionAsync(MongoStorageDefaults.Collections.AdvisoryLinksets);
var collection = _fixture.Database.GetCollection<AdvisoryLinksetDocument>(MongoStorageDefaults.Collections.AdvisoryLinksets);
var store = new ConcelierMongoLinksetStore(collection);
var now = DateTimeOffset.UtcNow;
var firstPage = new[]
{
new AdvisoryLinkset("tenant-a", "src", "ADV-010", ImmutableArray.Create("obs-1"), null, null, null, null, now, "job-1"),
new AdvisoryLinkset("tenant-a", "src", "ADV-020", ImmutableArray.Create("obs-2"), null, null, null, null, now, "job-2"),
new AdvisoryLinkset("tenant-a", "src", "ADV-030", ImmutableArray.Create("obs-3"), null, null, null, null, now.AddMinutes(-10), "job-3")
};
foreach (var linkset in firstPage)
{
await store.UpsertAsync(linkset, CancellationToken.None);
}
var initial = await store.FindByTenantAsync("tenant-a", null, null, cursor: null, limit: 10, cancellationToken: CancellationToken.None);
var cursor = new AdvisoryLinksetCursor(initial[1].CreatedAt, initial[1].AdvisoryId);
var paged = await store.FindByTenantAsync("tenant-a", null, null, cursor, limit: 10, cancellationToken: CancellationToken.None);
Assert.Single(paged);
Assert.Equal("ADV-030", paged[0].AdvisoryId);
}
[Fact]
public async Task Upsert_NormalizesTenantToLowerInvariant()
{
await _fixture.Database.DropCollectionAsync(MongoStorageDefaults.Collections.AdvisoryLinksets);
var collection = _fixture.Database.GetCollection<AdvisoryLinksetDocument>(MongoStorageDefaults.Collections.AdvisoryLinksets);
var store = new ConcelierMongoLinksetStore(collection);
var linkset = new AdvisoryLinkset("Tenant-A", "ghsa", "GHSA-1", ImmutableArray.Create("obs-1"), null, null, null, null, DateTimeOffset.UtcNow, "job-1");
await store.UpsertAsync(linkset, CancellationToken.None);
var fetched = await collection.Find(Builders<AdvisoryLinksetDocument>.Filter.Empty).FirstOrDefaultAsync();
Assert.NotNull(fetched);
Assert.Equal("tenant-a", fetched!.TenantId);
var results = await store.FindByTenantAsync("TENANT-A", null, null, cursor: null, limit: 10, cancellationToken: CancellationToken.None);
Assert.Single(results);
Assert.Equal("GHSA-1", results[0].AdvisoryId);
}
}

35
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/MergeEventStoreTests.cs
View File

@@ -1,35 +0,0 @@
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Concelier.Storage.Mongo.MergeEvents;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class MergeEventStoreTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public MergeEventStoreTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task AppendAndReadMergeEvents()
{
var store = new MergeEventStore(_fixture.Database, NullLogger<MergeEventStore>.Instance);
var record = new MergeEventRecord(
Guid.NewGuid(),
"ADV-1",
new byte[] { 0x01 },
new byte[] { 0x02 },
DateTimeOffset.UtcNow,
new List<Guid> { Guid.NewGuid() },
Array.Empty<MergeFieldDecision>());
await store.AppendAsync(record, CancellationToken.None);
var recent = await store.GetRecentAsync("ADV-1", 10, CancellationToken.None);
Assert.Single(recent);
Assert.Equal(record.AfterHash, recent[0].AfterHash);
}
}

40
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Migrations/EnsureAdvisoryLinksetsTenantLowerMigrationTests.cs
View File

@@ -1,40 +0,0 @@
using System.Threading.Tasks;
using MongoDB.Bson;
using MongoDB.Driver;
using StellaOps.Concelier.Storage.Mongo.Migrations;
using StellaOps.Concelier.Testing;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests.Migrations;
[Collection("mongo-fixture")]
public sealed class EnsureAdvisoryLinksetsTenantLowerMigrationTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public EnsureAdvisoryLinksetsTenantLowerMigrationTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task ApplyAsync_LowersTenantIds()
{
await _fixture.Database.DropCollectionAsync(MongoStorageDefaults.Collections.AdvisoryLinksets);
var collection = _fixture.Database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryLinksets);
await collection.InsertManyAsync(new[]
{
new BsonDocument { { "TenantId", "Tenant-A" }, { "Source", "src" }, { "AdvisoryId", "ADV-1" }, { "Observations", new BsonArray() } },
new BsonDocument { { "TenantId", "tenant-b" }, { "Source", "src" }, { "AdvisoryId", "ADV-2" }, { "Observations", new BsonArray() } },
new BsonDocument { { "Source", "src" }, { "AdvisoryId", "ADV-3" }, { "Observations", new BsonArray() } } // missing tenant should be ignored
});
var migration = new EnsureAdvisoryLinksetsTenantLowerMigration();
await migration.ApplyAsync(_fixture.Database, default);
var all = await collection.Find(FilterDefinition<BsonDocument>.Empty).ToListAsync();
Assert.Contains(all, doc => doc["TenantId"] == "tenant-a");
Assert.Contains(all, doc => doc["TenantId"] == "tenant-b");
}
}

346
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Migrations/EnsureAdvisoryObservationsRawLinksetMigrationTests.cs
View File

@@ -1,346 +0,0 @@
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Linq;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging.Abstractions;
using MongoDB.Bson;
using MongoDB.Bson.Serialization;
using MongoDB.Driver;
using StellaOps.Concelier.RawModels;
using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Storage.Mongo.Migrations;
using StellaOps.Concelier.Storage.Mongo.Observations;
using StellaOps.Concelier.Storage.Mongo.Raw;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests.Migrations;
[Collection("mongo-fixture")]
public sealed class EnsureAdvisoryObservationsRawLinksetMigrationTests
{
private readonly MongoIntegrationFixture _fixture;
public EnsureAdvisoryObservationsRawLinksetMigrationTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task ApplyAsync_BackfillsRawLinksetFromRawDocument()
{
var databaseName = $"concelier-rawlinkset-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Migrations);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.AdvisoryObservations);
try
{
var rawRepository = new MongoAdvisoryRawRepository(
database,
TimeProvider.System,
NullLogger<MongoAdvisoryRawRepository>.Instance);
var rawDocument = RawDocumentFactory.CreateAdvisory(
tenant: "tenant-a",
source: new RawSourceMetadata("Vendor-X", "connector-y", "1.0.0", "stable"),
upstream: new RawUpstreamMetadata(
UpstreamId: "GHSA-2025-0001",
DocumentVersion: "v1",
RetrievedAt: DateTimeOffset.Parse("2025-10-29T12:34:56Z"),
ContentHash: "sha256:abc123",
Signature: new RawSignatureMetadata(true, "dsse", "key1", "sig1"),
Provenance: ImmutableDictionary.CreateRange(new[] { new KeyValuePair<string, string>("api", "https://example.test/api") })),
content: new RawContent(
Format: "OSV",
SpecVersion: "1.0.0",
Raw: ParseJsonElement("""{"id":"GHSA-2025-0001"}"""),
Encoding: null),
identifiers: new RawIdentifiers(
Aliases: ImmutableArray.Create("CVE-2025-0001", "cve-2025-0001"),
PrimaryId: "CVE-2025-0001"),
linkset: new RawLinkset
{
Aliases = ImmutableArray.Create("GHSA-xxxx-yyyy"),
PackageUrls = ImmutableArray.Create("pkg:npm/example@1.0.0"),
Cpes = ImmutableArray.Create("cpe:/a:example:product:1.0"),
References = ImmutableArray.Create(new RawReference("advisory", "https://example.test/advisory", "vendor")),
ReconciledFrom = ImmutableArray.Create("connector-y"),
Notes = ImmutableDictionary.CreateRange(new[] { new KeyValuePair<string, string>("range-fixed", "1.0.1") })
},
advisoryKey: "CVE-2025-0001",
links: ImmutableArray.Create(
new RawLink("CVE", "CVE-2025-0001"),
new RawLink("GHSA", "GHSA-2025-0001"),
new RawLink("PRIMARY", "CVE-2025-0001")));
await rawRepository.UpsertAsync(rawDocument, CancellationToken.None);
var expectedRawLinkset = BuildRawLinkset(rawDocument.Identifiers, rawDocument.Linkset);
var canonicalAliases = ImmutableArray.Create("cve-2025-0001", "ghsa-xxxx-yyyy");
var canonicalPurls = rawDocument.Linkset.PackageUrls;
var canonicalCpes = rawDocument.Linkset.Cpes;
var canonicalReferences = rawDocument.Linkset.References;
var observationId = "tenant-a:vendor-x:ghsa-2025-0001:sha256-abc123";
var observationBson = BuildObservationDocument(
observationId,
rawDocument,
canonicalAliases,
canonicalPurls,
canonicalCpes,
canonicalReferences,
rawDocument.Upstream.RetrievedAt,
includeRawLinkset: false);
await database
.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryObservations)
.InsertOneAsync(observationBson);
var migration = new EnsureAdvisoryObservationsRawLinksetMigration();
await migration.ApplyAsync(database, CancellationToken.None);
var storedBson = await database
.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryObservations)
.Find(Builders<BsonDocument>.Filter.Eq("_id", observationId))
.FirstOrDefaultAsync();
Assert.NotNull(storedBson);
Assert.True(storedBson.TryGetValue("rawLinkset", out var rawLinksetValue));
var storedDocument = BsonSerializer.Deserialize<AdvisoryObservationDocument>(storedBson);
var storedObservation = AdvisoryObservationDocumentFactory.ToModel(storedDocument);
Assert.True(expectedRawLinkset.Aliases.SequenceEqual(storedObservation.RawLinkset.Aliases, StringComparer.Ordinal));
Assert.True(expectedRawLinkset.PackageUrls.SequenceEqual(storedObservation.RawLinkset.PackageUrls, StringComparer.Ordinal));
Assert.True(expectedRawLinkset.Cpes.SequenceEqual(storedObservation.RawLinkset.Cpes, StringComparer.Ordinal));
Assert.True(expectedRawLinkset.References.SequenceEqual(storedObservation.RawLinkset.References));
Assert.Equal(expectedRawLinkset.Notes, storedObservation.RawLinkset.Notes);
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task ApplyAsync_ThrowsWhenRawDocumentMissing()
{
var databaseName = $"concelier-rawlinkset-missing-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Migrations);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.AdvisoryObservations);
try
{
var rawDocument = RawDocumentFactory.CreateAdvisory(
tenant: "tenant-b",
source: new RawSourceMetadata("Vendor-Y", "connector-z", "2.0.0", "stable"),
upstream: new RawUpstreamMetadata(
UpstreamId: "GHSA-9999-0001",
DocumentVersion: "v2",
RetrievedAt: DateTimeOffset.Parse("2025-10-30T00:00:00Z"),
ContentHash: "sha256:def456",
Signature: new RawSignatureMetadata(false),
Provenance: ImmutableDictionary<string, string>.Empty),
content: new RawContent(
Format: "OSV",
SpecVersion: "1.0.0",
Raw: ParseJsonElement("""{"id":"GHSA-9999-0001"}"""),
Encoding: null),
identifiers: new RawIdentifiers(
Aliases: ImmutableArray<string>.Empty,
PrimaryId: "GHSA-9999-0001"),
linkset: new RawLinkset(),
advisoryKey: "GHSA-9999-0001",
links: ImmutableArray.Create(
new RawLink("GHSA", "GHSA-9999-0001"),
new RawLink("PRIMARY", "GHSA-9999-0001")));
var observationId = "tenant-b:vendor-y:ghsa-9999-0001:sha256-def456";
var document = BuildObservationDocument(
observationId,
rawDocument,
ImmutableArray<string>.Empty,
ImmutableArray<string>.Empty,
ImmutableArray<string>.Empty,
ImmutableArray<RawReference>.Empty,
rawDocument.Upstream.RetrievedAt,
includeRawLinkset: false);
await database
.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryObservations)
.InsertOneAsync(document);
var migration = new EnsureAdvisoryObservationsRawLinksetMigration();
await Assert.ThrowsAsync<InvalidOperationException>(
() => migration.ApplyAsync(database, CancellationToken.None));
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
private static BsonDocument BuildObservationDocument(
string observationId,
AdvisoryRawDocument rawDocument,
ImmutableArray<string> canonicalAliases,
ImmutableArray<string> canonicalPurls,
ImmutableArray<string> canonicalCpes,
ImmutableArray<RawReference> canonicalReferences,
DateTimeOffset createdAt,
bool includeRawLinkset,
RawLinkset? rawLinkset = null)
{
var sourceDocument = new BsonDocument
{
{ "vendor", rawDocument.Source.Vendor },
{ "stream", string.IsNullOrWhiteSpace(rawDocument.Source.Stream) ? rawDocument.Source.Connector : rawDocument.Source.Stream! },
{ "api", rawDocument.Upstream.Provenance.TryGetValue("api", out var api) ? api : rawDocument.Source.Connector }
};
if (!string.IsNullOrWhiteSpace(rawDocument.Source.ConnectorVersion))
{
sourceDocument["collectorVersion"] = rawDocument.Source.ConnectorVersion;
}
var signatureDocument = new BsonDocument
{
{ "present", rawDocument.Upstream.Signature.Present }
};
if (!string.IsNullOrWhiteSpace(rawDocument.Upstream.Signature.Format))
{
signatureDocument["format"] = rawDocument.Upstream.Signature.Format;
}
if (!string.IsNullOrWhiteSpace(rawDocument.Upstream.Signature.KeyId))
{
signatureDocument["keyId"] = rawDocument.Upstream.Signature.KeyId;
}
if (!string.IsNullOrWhiteSpace(rawDocument.Upstream.Signature.Signature))
{
signatureDocument["signature"] = rawDocument.Upstream.Signature.Signature;
}
var upstreamDocument = new BsonDocument
{
{ "upstream_id", rawDocument.Upstream.UpstreamId },
{ "document_version", rawDocument.Upstream.DocumentVersion },
{ "fetchedAt", rawDocument.Upstream.RetrievedAt.UtcDateTime },
{ "receivedAt", rawDocument.Upstream.RetrievedAt.UtcDateTime },
{ "contentHash", rawDocument.Upstream.ContentHash },
{ "signature", signatureDocument },
{ "metadata", new BsonDocument(rawDocument.Upstream.Provenance) }
};
var contentDocument = new BsonDocument
{
{ "format", rawDocument.Content.Format },
{ "raw", BsonDocument.Parse(rawDocument.Content.Raw.GetRawText()) }
};
if (!string.IsNullOrWhiteSpace(rawDocument.Content.SpecVersion))
{
contentDocument["specVersion"] = rawDocument.Content.SpecVersion;
}
var canonicalLinkset = new BsonDocument
{
{ "aliases", new BsonArray(canonicalAliases) },
{ "purls", new BsonArray(canonicalPurls) },
{ "cpes", new BsonArray(canonicalCpes) },
{ "references", new BsonArray(canonicalReferences.Select(reference => new BsonDocument
{
{ "type", reference.Type },
{ "url", reference.Url }
})) }
};
var document = new BsonDocument
{
{ "_id", observationId },
{ "tenant", rawDocument.Tenant },
{ "source", sourceDocument },
{ "upstream", upstreamDocument },
{ "content", contentDocument },
{ "linkset", canonicalLinkset },
{ "createdAt", createdAt.UtcDateTime },
{ "attributes", new BsonDocument() }
};
if (includeRawLinkset)
{
var actualRawLinkset = rawLinkset ?? throw new ArgumentNullException(nameof(rawLinkset));
document["rawLinkset"] = new BsonDocument
{
{ "aliases", new BsonArray(actualRawLinkset.Aliases) },
{ "purls", new BsonArray(actualRawLinkset.PackageUrls) },
{ "cpes", new BsonArray(actualRawLinkset.Cpes) },
{ "references", new BsonArray(actualRawLinkset.References.Select(reference => new BsonDocument
{
{ "type", reference.Type },
{ "url", reference.Url },
{ "source", reference.Source }
})) },
{ "reconciled_from", new BsonArray(actualRawLinkset.ReconciledFrom) },
{ "notes", new BsonDocument(actualRawLinkset.Notes) }
};
}
return document;
}
private static JsonElement ParseJsonElement(string json)
{
using var document = JsonDocument.Parse(json);
return document.RootElement.Clone();
}
private static RawLinkset BuildRawLinkset(RawIdentifiers identifiers, RawLinkset linkset)
{
var aliasBuilder = ImmutableArray.CreateBuilder<string>();
if (!string.IsNullOrWhiteSpace(identifiers.PrimaryId))
{
aliasBuilder.Add(identifiers.PrimaryId);
}
if (!identifiers.Aliases.IsDefaultOrEmpty)
{
foreach (var alias in identifiers.Aliases)
{
if (!string.IsNullOrEmpty(alias))
{
aliasBuilder.Add(alias);
}
}
}
if (!linkset.Aliases.IsDefaultOrEmpty)
{
foreach (var alias in linkset.Aliases)
{
if (!string.IsNullOrEmpty(alias))
{
aliasBuilder.Add(alias);
}
}
}
static ImmutableArray<string> EnsureArray(ImmutableArray<string> values)
=> values.IsDefault ? ImmutableArray<string>.Empty : values;
static ImmutableArray<RawReference> EnsureReferences(ImmutableArray<RawReference> values)
=> values.IsDefault ? ImmutableArray<RawReference>.Empty : values;
return linkset with
{
Aliases = aliasBuilder.ToImmutable(),
PackageUrls = EnsureArray(linkset.PackageUrls),
Cpes = EnsureArray(linkset.Cpes),
References = EnsureReferences(linkset.References),
ReconciledFrom = EnsureArray(linkset.ReconciledFrom),
Notes = linkset.Notes ?? ImmutableDictionary<string, string>.Empty
};
}
}

706
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Migrations/MongoMigrationRunnerTests.cs
View File

@@ -1,706 +0,0 @@
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using MongoDB.Bson;
using MongoDB.Driver;
using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Storage.Mongo.Migrations;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests.Migrations;
[Collection("mongo-fixture")]
public sealed class MongoMigrationRunnerTests
{
private readonly MongoIntegrationFixture _fixture;
public MongoMigrationRunnerTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task RunAsync_AppliesPendingMigrationsOnce()
{
var databaseName = $"concelier-migrations-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Migrations);
try
{
var migration = new TestMigration();
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
await runner.RunAsync(CancellationToken.None);
await runner.RunAsync(CancellationToken.None);
Assert.Equal(1, migration.ApplyCount);
var count = await database
.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.Migrations)
.CountDocumentsAsync(FilterDefinition<BsonDocument>.Empty);
Assert.Equal(1, count);
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task EnsureDocumentExpiryIndexesMigration_CreatesTtlIndexWhenRetentionEnabled()
{
var databaseName = $"concelier-doc-ttl-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Document);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Migrations);
try
{
var options = Options.Create(new MongoStorageOptions
{
RawDocumentRetention = TimeSpan.FromDays(45),
RawDocumentRetentionTtlGrace = TimeSpan.FromHours(12),
});
var migration = new EnsureDocumentExpiryIndexesMigration(options);
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
await runner.RunAsync(CancellationToken.None);
var indexes = await database
.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.Document)
.Indexes.ListAsync();
var indexList = await indexes.ToListAsync();
var ttlIndex = indexList.Single(x => x["name"].AsString == "document_expiresAt_ttl");
Assert.Equal(0, ttlIndex["expireAfterSeconds"].ToDouble());
Assert.True(ttlIndex["partialFilterExpression"].AsBsonDocument["expiresAt"].AsBsonDocument["$exists"].ToBoolean());
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task EnsureDocumentExpiryIndexesMigration_DropsTtlIndexWhenRetentionDisabled()
{
var databaseName = $"concelier-doc-notl-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Document);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Migrations);
try
{
var collection = database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.Document);
var keys = Builders<BsonDocument>.IndexKeys.Ascending("expiresAt");
var options = new CreateIndexOptions<BsonDocument>
{
Name = "document_expiresAt_ttl",
ExpireAfter = TimeSpan.Zero,
PartialFilterExpression = Builders<BsonDocument>.Filter.Exists("expiresAt", true),
};
await collection.Indexes.CreateOneAsync(new CreateIndexModel<BsonDocument>(keys, options));
var migration = new EnsureDocumentExpiryIndexesMigration(Options.Create(new MongoStorageOptions
{
RawDocumentRetention = TimeSpan.Zero,
}));
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
await runner.RunAsync(CancellationToken.None);
var indexes = await collection.Indexes.ListAsync();
var indexList = await indexes.ToListAsync();
Assert.DoesNotContain(indexList, x => x["name"].AsString == "document_expiresAt_ttl");
var nonTtl = indexList.Single(x => x["name"].AsString == "document_expiresAt");
Assert.False(nonTtl.Contains("expireAfterSeconds"));
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task EnsureGridFsExpiryIndexesMigration_CreatesTtlIndexWhenRetentionEnabled()
{
var databaseName = $"concelier-gridfs-ttl-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync("documents.files");
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Migrations);
try
{
var migration = new EnsureGridFsExpiryIndexesMigration(Options.Create(new MongoStorageOptions
{
RawDocumentRetention = TimeSpan.FromDays(30),
}));
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
await runner.RunAsync(CancellationToken.None);
var indexes = await database.GetCollection<BsonDocument>("documents.files").Indexes.ListAsync();
var indexList = await indexes.ToListAsync();
var ttlIndex = indexList.Single(x => x["name"].AsString == "gridfs_files_expiresAt_ttl");
Assert.Equal(0, ttlIndex["expireAfterSeconds"].ToDouble());
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task EnsureGridFsExpiryIndexesMigration_DropsTtlIndexWhenRetentionDisabled()
{
var databaseName = $"concelier-gridfs-notl-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync("documents.files");
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Migrations);
try
{
var collection = database.GetCollection<BsonDocument>("documents.files");
var keys = Builders<BsonDocument>.IndexKeys.Ascending("metadata.expiresAt");
var options = new CreateIndexOptions<BsonDocument>
{
Name = "gridfs_files_expiresAt_ttl",
ExpireAfter = TimeSpan.Zero,
PartialFilterExpression = Builders<BsonDocument>.Filter.Exists("metadata.expiresAt", true),
};
await collection.Indexes.CreateOneAsync(new CreateIndexModel<BsonDocument>(keys, options));
var migration = new EnsureGridFsExpiryIndexesMigration(Options.Create(new MongoStorageOptions
{
RawDocumentRetention = TimeSpan.Zero,
}));
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
await runner.RunAsync(CancellationToken.None);
var indexes = await collection.Indexes.ListAsync();
var indexList = await indexes.ToListAsync();
Assert.DoesNotContain(indexList, x => x["name"].AsString == "gridfs_files_expiresAt_ttl");
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task EnsureAdvisoryEventCollectionsMigration_CreatesIndexes()
{
var databaseName = $"concelier-advisory-events-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.AdvisoryStatements);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.AdvisoryConflicts);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Migrations);
try
{
var migration = new EnsureAdvisoryEventCollectionsMigration();
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
await runner.RunAsync(CancellationToken.None);
var statementIndexes = await database
.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryStatements)
.Indexes
.ListAsync();
var statementIndexNames = (await statementIndexes.ToListAsync()).Select(x => x["name"].AsString).ToArray();
Assert.Contains("advisory_statements_vulnerability_asof_desc", statementIndexNames);
Assert.Contains("advisory_statements_statementHash_unique", statementIndexNames);
var conflictIndexes = await database
.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryConflicts)
.Indexes
.ListAsync();
var conflictIndexNames = (await conflictIndexes.ToListAsync()).Select(x => x["name"].AsString).ToArray();
Assert.Contains("advisory_conflicts_vulnerability_asof_desc", conflictIndexNames);
Assert.Contains("advisory_conflicts_conflictHash_unique", conflictIndexNames);
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
private sealed class TestMigration : IMongoMigration
{
public int ApplyCount { get; private set; }
public string Id => "999_test";
public string Description => "test migration";
public Task ApplyAsync(IMongoDatabase database, CancellationToken cancellationToken)
{
ApplyCount++;
return Task.CompletedTask;
}
}
[Fact]
public async Task EnsureAdvisoryRawValidatorMigration_AppliesSchemaWithDefaultOptions()
{
var databaseName = $"concelier-advisory-validator-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
try
{
var migration = new EnsureAdvisoryRawValidatorMigration(Options.Create(new MongoStorageOptions
{
AdvisoryRawValidator = new MongoCollectionValidatorOptions
{
Level = MongoValidationLevel.Moderate,
Action = MongoValidationAction.Warn,
},
}));
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
await runner.RunAsync(CancellationToken.None);
var collectionInfo = await GetCollectionInfoAsync(database, MongoStorageDefaults.Collections.AdvisoryRaw);
var options = collectionInfo["options"].AsBsonDocument;
Assert.Equal("moderate", options["validationLevel"].AsString);
Assert.Equal("warn", options["validationAction"].AsString);
var schema = options["validator"]["$jsonSchema"].AsBsonDocument;
var required = schema["required"].AsBsonArray.Select(x => x.AsString).ToArray();
Assert.Contains("tenant", required);
Assert.Contains("source", required);
Assert.Contains("upstream", required);
Assert.Contains("content", required);
Assert.Contains("linkset", required);
var patternProperties = schema["patternProperties"].AsBsonDocument;
Assert.True(patternProperties.Contains("^(?i)(severity|cvss|cvss_vector|merged_from|consensus_provider|reachability|asset_criticality|risk_score)$"));
Assert.True(patternProperties.Contains("^(?i)effective_"));
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task EnsureAdvisoryRawValidatorMigration_HonorsValidationToggles()
{
var databaseName = $"advraw-validator-off-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
try
{
// Pre-create collection to exercise collMod path.
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.AdvisoryRaw);
var migration = new EnsureAdvisoryRawValidatorMigration(Options.Create(new MongoStorageOptions
{
AdvisoryRawValidator = new MongoCollectionValidatorOptions
{
Level = MongoValidationLevel.Off,
Action = MongoValidationAction.Error,
},
}));
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
await runner.RunAsync(CancellationToken.None);
var collectionInfo = await GetCollectionInfoAsync(database, MongoStorageDefaults.Collections.AdvisoryRaw);
var options = collectionInfo["options"].AsBsonDocument;
Assert.Equal("off", options["validationLevel"].AsString);
Assert.Equal("error", options["validationAction"].AsString);
Assert.True(options.Contains("validator"));
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task EnsureAdvisoryRawIdempotencyIndexMigration_CreatesUniqueIndex()
{
var databaseName = $"advraw-idx-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.AdvisoryRaw);
try
{
var collection = database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryRaw);
await collection.InsertOneAsync(
CreateAdvisoryRawDocument(
id: "advisory_raw:test:alpha:v1",
vendor: "test",
upstreamId: "ALPHA",
contentHash: "sha256:abc",
tenant: "tenant-a",
retrievedAt: new DateTime(2025, 1, 1, 0, 0, 0, DateTimeKind.Utc)));
var migration = new EnsureAdvisoryRawIdempotencyIndexMigration();
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
await runner.RunAsync(CancellationToken.None);
using var cursor = await collection.Indexes.ListAsync();
var indexes = await cursor.ToListAsync();
var idempotencyIndex = indexes.Single(x => x["name"].AsString == "advisory_raw_idempotency");
Assert.True(idempotencyIndex["unique"].ToBoolean());
var key = idempotencyIndex["key"].AsBsonDocument;
Assert.Collection(
key.Elements,
element =>
{
Assert.Equal("source.vendor", element.Name);
Assert.Equal(1, element.Value.AsInt32);
},
element =>
{
Assert.Equal("upstream.upstream_id", element.Name);
Assert.Equal(1, element.Value.AsInt32);
},
element =>
{
Assert.Equal("upstream.content_hash", element.Name);
Assert.Equal(1, element.Value.AsInt32);
},
element =>
{
Assert.Equal("tenant", element.Name);
Assert.Equal(1, element.Value.AsInt32);
});
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task EnsureAdvisoryRawIdempotencyIndexMigration_ThrowsWhenDuplicatesExist()
{
var databaseName = $"advraw-idx-dup-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.AdvisoryRaw);
try
{
var collection = database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryRaw);
await collection.InsertManyAsync(new[]
{
CreateAdvisoryRawDocument(
id: "advisory_raw:test:beta:v1",
vendor: "test",
upstreamId: "BETA",
contentHash: "sha256:def",
tenant: "tenant-b",
retrievedAt: new DateTime(2025, 2, 1, 0, 0, 0, DateTimeKind.Utc)),
CreateAdvisoryRawDocument(
id: "advisory_raw:test:beta:v2",
vendor: "test",
upstreamId: "BETA",
contentHash: "sha256:def",
tenant: "tenant-b",
retrievedAt: new DateTime(2025, 2, 2, 0, 0, 0, DateTimeKind.Utc)),
});
var migration = new EnsureAdvisoryRawIdempotencyIndexMigration();
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
var exception = await Assert.ThrowsAsync<InvalidOperationException>(() => runner.RunAsync(CancellationToken.None));
Assert.Contains("duplicate", exception.Message, StringComparison.OrdinalIgnoreCase);
Assert.Contains("advisory_raw", exception.Message, StringComparison.OrdinalIgnoreCase);
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task EnsureAdvisorySupersedesBackfillMigration_BackfillsSupersedesAndCreatesView()
{
var databaseName = $"advraw-supersedes-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync(MongoStorageDefaults.Collections.Advisory);
await database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.Advisory)
.InsertOneAsync(new BsonDocument("advisoryKey", "legacy"), cancellationToken: CancellationToken.None);
var rawCollection = database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryRaw);
await rawCollection.InsertManyAsync(new[]
{
CreateAdvisoryRawDocument(
id: "advisory_raw:test:gamma:v1",
vendor: "test",
upstreamId: "GAMMA",
contentHash: "sha256:111",
tenant: "tenant-c",
retrievedAt: new DateTime(2024, 12, 1, 0, 0, 0, DateTimeKind.Utc)),
CreateAdvisoryRawDocument(
id: "advisory_raw:test:gamma:v2",
vendor: "test",
upstreamId: "GAMMA",
contentHash: "sha256:222",
tenant: "tenant-c",
retrievedAt: new DateTime(2024, 12, 10, 0, 0, 0, DateTimeKind.Utc)),
CreateAdvisoryRawDocument(
id: "advisory_raw:test:gamma:v3",
vendor: "test",
upstreamId: "GAMMA",
contentHash: "sha256:333",
tenant: "tenant-c",
retrievedAt: new DateTime(2024, 12, 20, 0, 0, 0, DateTimeKind.Utc)),
});
try
{
var migration = new EnsureAdvisorySupersedesBackfillMigration();
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
await runner.RunAsync(CancellationToken.None);
var info = await GetCollectionInfoAsync(database, MongoStorageDefaults.Collections.Advisory);
Assert.NotNull(info);
Assert.Equal("view", info!["type"].AsString);
Assert.True(ViewTargets(info!, "advisory_backup_20251028"));
var docs = await rawCollection
.Find(Builders<BsonDocument>.Filter.Empty)
.Sort(Builders<BsonDocument>.Sort.Ascending("_id"))
.ToListAsync();
Assert.Equal(BsonNull.Value, docs[0].GetValue("supersedes", BsonNull.Value));
Assert.Equal("advisory_raw:test:gamma:v1", docs[1]["supersedes"].AsString);
Assert.Equal("advisory_raw:test:gamma:v2", docs[2]["supersedes"].AsString);
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task EnsureAdvisorySupersedesBackfillMigration_IsIdempotentWhenViewExists()
{
var databaseName = $"advraw-supersedes-idem-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
await database.CreateCollectionAsync("advisory_backup_20251028");
await database.RunCommandAsync<BsonDocument>(new BsonDocument
{
{ "create", MongoStorageDefaults.Collections.Advisory },
{ "viewOn", "advisory_backup_20251028" },
});
var rawCollection = database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryRaw);
await rawCollection.InsertManyAsync(new[]
{
CreateAdvisoryRawDocument(
id: "advisory_raw:test:delta:v1",
vendor: "test",
upstreamId: "DELTA",
contentHash: "sha256:aaa",
tenant: "tenant-d",
retrievedAt: new DateTime(2024, 11, 1, 0, 0, 0, DateTimeKind.Utc)),
CreateAdvisoryRawDocument(
id: "advisory_raw:test:delta:v2",
vendor: "test",
upstreamId: "DELTA",
contentHash: "sha256:bbb",
tenant: "tenant-d",
retrievedAt: new DateTime(2024, 11, 3, 0, 0, 0, DateTimeKind.Utc)),
});
await rawCollection.UpdateOneAsync(
Builders<BsonDocument>.Filter.Eq("_id", "advisory_raw:test:delta:v2"),
Builders<BsonDocument>.Update.Set("supersedes", "advisory_raw:test:delta:v1"));
try
{
var migration = new EnsureAdvisorySupersedesBackfillMigration();
var runner = new MongoMigrationRunner(
database,
new IMongoMigration[] { migration },
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
await runner.RunAsync(CancellationToken.None);
await runner.RunAsync(CancellationToken.None);
var info = await GetCollectionInfoAsync(database, MongoStorageDefaults.Collections.Advisory);
Assert.NotNull(info);
Assert.Equal("view", info!["type"].AsString);
Assert.True(ViewTargets(info!, "advisory_backup_20251028"));
var docs = await rawCollection.Find(Builders<BsonDocument>.Filter.Empty).ToListAsync();
Assert.Equal(BsonNull.Value, docs.Single(d => d["_id"].AsString == "advisory_raw:test:delta:v1").GetValue("supersedes", BsonNull.Value));
Assert.Equal("advisory_raw:test:delta:v1", docs.Single(d => d["_id"].AsString == "advisory_raw:test:delta:v2")["supersedes"].AsString);
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
private static async Task<BsonDocument> GetCollectionInfoAsync(IMongoDatabase database, string name)
{
var command = new BsonDocument
{
{ "listCollections", 1 },
{ "filter", new BsonDocument("name", name) },
};
var result = await database.RunCommandAsync<BsonDocument>(command);
var batch = result["cursor"]["firstBatch"].AsBsonArray;
return batch.Single().AsBsonDocument;
}
private static bool ViewTargets(BsonDocument info, string expectedSource)
{
if (!info.TryGetValue("options", out var options) || options is not BsonDocument optionsDoc)
{
return false;
}
return optionsDoc.TryGetValue("viewOn", out var viewOn) && string.Equals(viewOn.AsString, expectedSource, StringComparison.Ordinal);
}
private static BsonDocument CreateAdvisoryRawDocument(string id, string vendor, string upstreamId, string contentHash, string tenant, DateTime retrievedAt)
{
return new BsonDocument
{
{ "_id", id },
{ "tenant", tenant },
{
"source",
new BsonDocument
{
{ "vendor", vendor },
{ "connector", "test-connector" },
{ "version", "1.0.0" },
}
},
{
"upstream",
new BsonDocument
{
{ "upstream_id", upstreamId },
{ "document_version", "1" },
{ "retrieved_at", retrievedAt },
{ "content_hash", contentHash },
{ "signature", new BsonDocument { { "present", false } } },
{ "provenance", new BsonDocument { { "http.method", "GET" } } },
}
},
{
"content",
new BsonDocument
{
{ "format", "csaf" },
{ "raw", new BsonDocument("id", upstreamId) },
}
},
{
"identifiers",
new BsonDocument
{
{ "aliases", new BsonArray(new[] { upstreamId }) },
{ "primary", upstreamId },
}
},
{
"linkset",
new BsonDocument
{
{ "aliases", new BsonArray() },
{ "purls", new BsonArray() },
{ "cpes", new BsonArray() },
{ "references", new BsonArray() },
{ "reconciled_from", new BsonArray() },
{ "notes", new BsonDocument() },
}
},
{ "advisory_key", upstreamId.ToUpperInvariant() },
{
"links",
new BsonArray
{
new BsonDocument
{
{ "scheme", "PRIMARY" },
{ "value", upstreamId.ToUpperInvariant() }
}
}
},
{ "created_at", retrievedAt },
{ "ingested_at", retrievedAt },
{ "supersedes", BsonNull.Value }
};
}
}

223
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/MongoAdvisoryEventRepositoryTests.cs
View File

@@ -1,223 +0,0 @@
using System;
using System.Collections.Immutable;
using System.Linq;
using System.Text;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using MongoDB.Bson;
using MongoDB.Driver;
using StellaOps.Concelier.Core.Events;
using StellaOps.Concelier.Models;
using StellaOps.Concelier.Storage.Mongo.Conflicts;
using StellaOps.Concelier.Storage.Mongo.Events;
using StellaOps.Concelier.Storage.Mongo.Statements;
using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Testing;
using StellaOps.Cryptography;
using StellaOps.Provenance.Mongo;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class MongoAdvisoryEventRepositoryTests
{
private readonly IMongoDatabase _database;
private readonly MongoAdvisoryEventRepository _repository;
private static readonly ICryptoHash Hash = CryptoHashFactory.CreateDefault();
public MongoAdvisoryEventRepositoryTests(MongoIntegrationFixture fixture)
{
_database = fixture.Database ?? throw new ArgumentNullException(nameof(fixture.Database));
var statementStore = new AdvisoryStatementStore(_database);
var conflictStore = new AdvisoryConflictStore(_database);
_repository = new MongoAdvisoryEventRepository(statementStore, conflictStore);
}
[Fact]
public async Task InsertAndFetchStatements_RoundTripsCanonicalPayload()
{
var advisory = CreateSampleAdvisory("CVE-2025-7777", "Sample advisory");
var canonicalJson = CanonicalJsonSerializer.Serialize(advisory);
var digest = Hash.ComputeHash(Encoding.UTF8.GetBytes(canonicalJson), HashAlgorithms.Sha256);
var hash = ImmutableArray.Create(digest);
var entry = new AdvisoryStatementEntry(
Guid.NewGuid(),
"CVE-2025-7777",
"CVE-2025-7777",
canonicalJson,
hash,
DateTimeOffset.Parse("2025-10-19T14:00:00Z"),
DateTimeOffset.Parse("2025-10-19T14:05:00Z"),
ImmutableArray<Guid>.Empty);
await _repository.InsertStatementsAsync(new[] { entry }, CancellationToken.None);
var results = await _repository.GetStatementsAsync("CVE-2025-7777", null, CancellationToken.None);
var snapshot = Assert.Single(results);
Assert.Equal(entry.StatementId, snapshot.StatementId);
Assert.Equal(entry.CanonicalJson, snapshot.CanonicalJson);
Assert.True(entry.StatementHash.SequenceEqual(snapshot.StatementHash));
}
[Fact]
public async Task InsertAndFetchConflicts_PreservesDetails()
{
var detailJson = CanonicalJsonSerializer.Serialize(new ConflictPayload("severity", "mismatch"));
var digest = Hash.ComputeHash(Encoding.UTF8.GetBytes(detailJson), HashAlgorithms.Sha256);
var hash = ImmutableArray.Create(digest);
var statementIds = ImmutableArray.Create(Guid.NewGuid(), Guid.NewGuid());
var entry = new AdvisoryConflictEntry(
Guid.NewGuid(),
"CVE-2025-4242",
detailJson,
hash,
DateTimeOffset.Parse("2025-10-19T15:00:00Z"),
DateTimeOffset.Parse("2025-10-19T15:05:00Z"),
statementIds);
await _repository.InsertConflictsAsync(new[] { entry }, CancellationToken.None);
var results = await _repository.GetConflictsAsync("CVE-2025-4242", null, CancellationToken.None);
var conflict = Assert.Single(results);
Assert.Equal(entry.CanonicalJson, conflict.CanonicalJson);
Assert.True(entry.StatementIds.SequenceEqual(conflict.StatementIds));
Assert.True(entry.ConflictHash.SequenceEqual(conflict.ConflictHash));
}
[Fact]
public async Task InsertStatementsAsync_PersistsProvenanceMetadata()
{
var advisory = CreateSampleAdvisory("CVE-2025-8888", "Metadata coverage");
var canonicalJson = CanonicalJsonSerializer.Serialize(advisory);
var digest = Hash.ComputeHash(Encoding.UTF8.GetBytes(canonicalJson), HashAlgorithms.Sha256);
var hash = ImmutableArray.Create(digest);
var (dsse, trust) = CreateSampleDsseMetadata();
var entry = new AdvisoryStatementEntry(
Guid.NewGuid(),
"CVE-2025-8888",
"CVE-2025-8888",
canonicalJson,
hash,
DateTimeOffset.Parse("2025-10-20T10:00:00Z"),
DateTimeOffset.Parse("2025-10-20T10:05:00Z"),
ImmutableArray<Guid>.Empty,
dsse,
trust);
await _repository.InsertStatementsAsync(new[] { entry }, CancellationToken.None);
var statements = _database.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryStatements);
var stored = await statements
.Find(Builders<BsonDocument>.Filter.Eq("_id", entry.StatementId.ToString()))
.FirstOrDefaultAsync();
Assert.NotNull(stored);
var provenance = stored!["provenance"].AsBsonDocument["dsse"].AsBsonDocument;
Assert.Equal(dsse.EnvelopeDigest, provenance["envelopeDigest"].AsString);
Assert.Equal(dsse.Key.KeyId, provenance["key"].AsBsonDocument["keyId"].AsString);
var trustDoc = stored["trust"].AsBsonDocument;
Assert.Equal(trust.Verifier, trustDoc["verifier"].AsString);
Assert.Equal(trust.Witnesses, trustDoc["witnesses"].AsInt32);
var roundTrip = await _repository.GetStatementsAsync("CVE-2025-8888", null, CancellationToken.None);
var hydrated = Assert.Single(roundTrip);
Assert.NotNull(hydrated.Provenance);
Assert.NotNull(hydrated.Trust);
Assert.Equal(dsse.EnvelopeDigest, hydrated.Provenance!.EnvelopeDigest);
Assert.Equal(trust.Verifier, hydrated.Trust!.Verifier);
}
private static Advisory CreateSampleAdvisory(string key, string summary)
{
var provenance = new AdvisoryProvenance("nvd", "document", key, DateTimeOffset.Parse("2025-10-18T00:00:00Z"), new[] { ProvenanceFieldMasks.Advisory });
return new Advisory(
key,
key,
summary,
"en",
DateTimeOffset.Parse("2025-10-17T00:00:00Z"),
DateTimeOffset.Parse("2025-10-18T00:00:00Z"),
"medium",
exploitKnown: false,
aliases: new[] { key },
references: Array.Empty<AdvisoryReference>(),
affectedPackages: Array.Empty<AffectedPackage>(),
cvssMetrics: Array.Empty<CvssMetric>(),
provenance: new[] { provenance });
}
[Fact]
public async Task AttachStatementProvenanceAsync_BackfillsExistingRecord()
{
var advisory = CreateSampleAdvisory("CVE-2025-9999", "Backfill metadata");
var canonicalJson = CanonicalJsonSerializer.Serialize(advisory);
var digest = Hash.ComputeHash(Encoding.UTF8.GetBytes(canonicalJson), HashAlgorithms.Sha256);
var hash = ImmutableArray.Create(digest);
var entry = new AdvisoryStatementEntry(
Guid.NewGuid(),
"CVE-2025-9999",
"CVE-2025-9999",
canonicalJson,
hash,
DateTimeOffset.Parse("2025-10-21T10:00:00Z"),
DateTimeOffset.Parse("2025-10-21T10:05:00Z"),
ImmutableArray<Guid>.Empty);
await _repository.InsertStatementsAsync(new[] { entry }, CancellationToken.None);
var (dsse, trust) = CreateSampleDsseMetadata();
await _repository.AttachStatementProvenanceAsync(entry.StatementId, dsse, trust, CancellationToken.None);
var statements = await _repository.GetStatementsAsync("CVE-2025-9999", null, CancellationToken.None);
var updated = Assert.Single(statements);
Assert.NotNull(updated.Provenance);
Assert.NotNull(updated.Trust);
Assert.Equal(dsse.EnvelopeDigest, updated.Provenance!.EnvelopeDigest);
Assert.Equal(trust.Verifier, updated.Trust!.Verifier);
}
private static (DsseProvenance Provenance, TrustInfo Trust) CreateSampleDsseMetadata()
{
var provenance = new DsseProvenance
{
EnvelopeDigest = "sha256:deadbeef",
PayloadType = "application/vnd.in-toto+json",
Key = new DsseKeyInfo
{
KeyId = "cosign:SHA256-PKIX:TEST",
Issuer = "fulcio",
Algo = "ECDSA"
},
Rekor = new DsseRekorInfo
{
LogIndex = 42,
Uuid = Guid.Parse("2d4d5f7c-1111-4a01-b9cb-aa42022a0a8c").ToString(),
IntegratedTime = 1_700_000_000
}
};
var trust = new TrustInfo
{
Verified = true,
Verifier = "Authority@stella",
Witnesses = 2,
PolicyScore = 0.9
};
return (provenance, trust);
}
private sealed record ConflictPayload(string Type, string Reason);
}

143
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/MongoBootstrapperTests.cs
View File

@@ -1,143 +0,0 @@
using System;
using System.Linq;
using System.Threading;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using MongoDB.Bson;
using MongoDB.Driver;
using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Storage.Mongo.Migrations;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class MongoBootstrapperTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public MongoBootstrapperTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task InitializeAsync_CreatesNormalizedIndexesWhenSemVerStyleEnabled()
{
var databaseName = $"concelier-bootstrap-semver-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
try
{
var runner = new MongoMigrationRunner(
database,
Array.Empty<IMongoMigration>(),
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
var bootstrapper = new MongoBootstrapper(
database,
Options.Create(new MongoStorageOptions { EnableSemVerStyle = true }),
NullLogger<MongoBootstrapper>.Instance,
runner);
await bootstrapper.InitializeAsync(CancellationToken.None);
var indexCursor = await database
.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.Advisory)
.Indexes
.ListAsync();
var indexNames = (await indexCursor.ToListAsync()).Select(x => x["name"].AsString).ToArray();
Assert.Contains("advisory_normalizedVersions_pkg_scheme_type", indexNames);
Assert.Contains("advisory_normalizedVersions_value", indexNames);
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task InitializeAsync_DoesNotCreateNormalizedIndexesWhenFeatureDisabled()
{
var databaseName = $"concelier-bootstrap-no-semver-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
try
{
var runner = new MongoMigrationRunner(
database,
Array.Empty<IMongoMigration>(),
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
var bootstrapper = new MongoBootstrapper(
database,
Options.Create(new MongoStorageOptions { EnableSemVerStyle = false }),
NullLogger<MongoBootstrapper>.Instance,
runner);
await bootstrapper.InitializeAsync(CancellationToken.None);
var indexCursor = await database
.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.Advisory)
.Indexes
.ListAsync();
var indexNames = (await indexCursor.ToListAsync()).Select(x => x["name"].AsString).ToArray();
Assert.DoesNotContain("advisory_normalizedVersions_pkg_scheme_type", indexNames);
Assert.DoesNotContain("advisory_normalizedVersions_value", indexNames);
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
[Fact]
public async Task InitializeAsync_CreatesAdvisoryEventIndexes()
{
var databaseName = $"concelier-bootstrap-events-{Guid.NewGuid():N}";
var database = _fixture.Client.GetDatabase(databaseName);
try
{
var runner = new MongoMigrationRunner(
database,
Array.Empty<IMongoMigration>(),
NullLogger<MongoMigrationRunner>.Instance,
TimeProvider.System);
var bootstrapper = new MongoBootstrapper(
database,
Options.Create(new MongoStorageOptions()),
NullLogger<MongoBootstrapper>.Instance,
runner);
await bootstrapper.InitializeAsync(CancellationToken.None);
var statementIndexes = await database
.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryStatements)
.Indexes
.ListAsync();
var statementIndexNames = (await statementIndexes.ToListAsync()).Select(x => x["name"].AsString).ToArray();
Assert.Contains("advisory_statements_vulnerability_asof_desc", statementIndexNames);
Assert.Contains("advisory_statements_statementHash_unique", statementIndexNames);
var conflictIndexes = await database
.GetCollection<BsonDocument>(MongoStorageDefaults.Collections.AdvisoryConflicts)
.Indexes
.ListAsync();
var conflictIndexNames = (await conflictIndexes.ToListAsync()).Select(x => x["name"].AsString).ToArray();
Assert.Contains("advisory_conflicts_vulnerability_asof_desc", conflictIndexNames);
Assert.Contains("advisory_conflicts_conflictHash_unique", conflictIndexNames);
}
finally
{
await _fixture.Client.DropDatabaseAsync(databaseName);
}
}
}

113
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/MongoJobStoreTests.cs
View File

@@ -1,113 +0,0 @@
using Microsoft.Extensions.Logging.Abstractions;
using MongoDB.Driver;
using StellaOps.Concelier.Core.Jobs;
using StellaOps.Concelier.Storage.Mongo;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class MongoJobStoreTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public MongoJobStoreTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task CreateStartCompleteLifecycle()
{
await ResetCollectionAsync();
var collection = _fixture.Database.GetCollection<JobRunDocument>(MongoStorageDefaults.Collections.Jobs);
var store = new MongoJobStore(collection, NullLogger<MongoJobStore>.Instance);
var request = new JobRunCreateRequest(
Kind: "mongo:test",
Trigger: "unit",
Parameters: new Dictionary<string, object?> { ["scope"] = "lifecycle" },
ParametersHash: "abc",
Timeout: TimeSpan.FromSeconds(5),
LeaseDuration: TimeSpan.FromSeconds(2),
CreatedAt: DateTimeOffset.UtcNow);
var created = await store.CreateAsync(request, CancellationToken.None);
Assert.Equal(JobRunStatus.Pending, created.Status);
var started = await store.TryStartAsync(created.RunId, DateTimeOffset.UtcNow, CancellationToken.None);
Assert.NotNull(started);
Assert.Equal(JobRunStatus.Running, started!.Status);
var completed = await store.TryCompleteAsync(created.RunId, new JobRunCompletion(JobRunStatus.Succeeded, DateTimeOffset.UtcNow, null), CancellationToken.None);
Assert.NotNull(completed);
Assert.Equal(JobRunStatus.Succeeded, completed!.Status);
var recent = await store.GetRecentRunsAsync("mongo:test", 10, CancellationToken.None);
var snapshot = Assert.Single(recent);
Assert.Equal(JobRunStatus.Succeeded, snapshot.Status);
var active = await store.GetActiveRunsAsync(CancellationToken.None);
Assert.Empty(active);
var last = await store.GetLastRunAsync("mongo:test", CancellationToken.None);
Assert.NotNull(last);
Assert.Equal(completed.RunId, last!.RunId);
}
[Fact]
public async Task StartAndFailRunHonorsStateTransitions()
{
await ResetCollectionAsync();
var collection = _fixture.Database.GetCollection<JobRunDocument>(MongoStorageDefaults.Collections.Jobs);
var store = new MongoJobStore(collection, NullLogger<MongoJobStore>.Instance);
var request = new JobRunCreateRequest(
Kind: "mongo:failure",
Trigger: "unit",
Parameters: new Dictionary<string, object?>(),
ParametersHash: null,
Timeout: null,
LeaseDuration: null,
CreatedAt: DateTimeOffset.UtcNow);
var created = await store.CreateAsync(request, CancellationToken.None);
var firstStart = await store.TryStartAsync(created.RunId, DateTimeOffset.UtcNow, CancellationToken.None);
Assert.NotNull(firstStart);
// Second start attempt should be rejected once running.
var secondStart = await store.TryStartAsync(created.RunId, DateTimeOffset.UtcNow.AddSeconds(1), CancellationToken.None);
Assert.Null(secondStart);
var failure = await store.TryCompleteAsync(
created.RunId,
new JobRunCompletion(JobRunStatus.Failed, DateTimeOffset.UtcNow.AddSeconds(2), "boom"),
CancellationToken.None);
Assert.NotNull(failure);
Assert.Equal("boom", failure!.Error);
Assert.Equal(JobRunStatus.Failed, failure.Status);
}
[Fact]
public async Task CompletingUnknownRunReturnsNull()
{
await ResetCollectionAsync();
var collection = _fixture.Database.GetCollection<JobRunDocument>(MongoStorageDefaults.Collections.Jobs);
var store = new MongoJobStore(collection, NullLogger<MongoJobStore>.Instance);
var result = await store.TryCompleteAsync(Guid.NewGuid(), new JobRunCompletion(JobRunStatus.Succeeded, DateTimeOffset.UtcNow, null), CancellationToken.None);
Assert.Null(result);
}
private async Task ResetCollectionAsync()
{
try
{
await _fixture.Database.DropCollectionAsync(MongoStorageDefaults.Collections.Jobs);
}
catch (MongoCommandException ex) when (ex.CodeName == "NamespaceNotFound" || ex.Message.Contains("ns not found", StringComparison.OrdinalIgnoreCase))
{
}
}
}

55
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/MongoSourceStateRepositoryTests.cs
View File

@@ -1,55 +0,0 @@
using Microsoft.Extensions.Logging.Abstractions;
using MongoDB.Bson;
using StellaOps.Concelier.Storage.Mongo;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class MongoSourceStateRepositoryTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public MongoSourceStateRepositoryTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task UpsertAndUpdateCursorFlow()
{
var repository = new MongoSourceStateRepository(_fixture.Database, NullLogger<MongoSourceStateRepository>.Instance);
var sourceName = "nvd";
var record = new SourceStateRecord(
SourceName: sourceName,
Enabled: true,
Paused: false,
Cursor: new BsonDocument("page", 1),
LastSuccess: null,
LastFailure: null,
FailCount: 0,
BackoffUntil: null,
UpdatedAt: DateTimeOffset.UtcNow,
LastFailureReason: null);
var upserted = await repository.UpsertAsync(record, CancellationToken.None);
Assert.True(upserted.Enabled);
var cursor = new BsonDocument("page", 2);
var updated = await repository.UpdateCursorAsync(sourceName, cursor, DateTimeOffset.UtcNow, CancellationToken.None);
Assert.NotNull(updated);
Assert.Equal(0, updated!.FailCount);
Assert.Equal(2, updated.Cursor["page"].AsInt32);
var failure = await repository.MarkFailureAsync(sourceName, DateTimeOffset.UtcNow, TimeSpan.FromMinutes(5), "network timeout", CancellationToken.None);
Assert.NotNull(failure);
Assert.Equal(1, failure!.FailCount);
Assert.NotNull(failure.BackoffUntil);
Assert.Equal("network timeout", failure.LastFailureReason);
var fetched = await repository.TryGetAsync(sourceName, CancellationToken.None);
Assert.NotNull(fetched);
Assert.Equal(failure.BackoffUntil, fetched!.BackoffUntil);
Assert.Equal("network timeout", fetched.LastFailureReason);
}
}

95
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Observations/AdvisoryObservationDocumentFactoryTests.cs
View File

@@ -1,95 +0,0 @@
using System;
using System.Collections.Generic;
using MongoDB.Bson;
using StellaOps.Concelier.Storage.Mongo.Observations;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests.Observations;
public sealed class AdvisoryObservationDocumentFactoryTests
{
[Fact]
public void ToModel_MapsDocumentToModel()
{
var document = new AdvisoryObservationDocument
{
Id = "tenant-a:obs-1",
Tenant = "tenant-a",
CreatedAt = DateTime.SpecifyKind(DateTime.UtcNow, DateTimeKind.Utc),
Source = new AdvisoryObservationSourceDocument
{
Vendor = "vendor",
Stream = "stream",
Api = "https://api.example"
},
Upstream = new AdvisoryObservationUpstreamDocument
{
UpstreamId = "CVE-2025-1234",
DocumentVersion = "1",
FetchedAt = DateTime.SpecifyKind(DateTime.UtcNow.AddMinutes(-1), DateTimeKind.Utc),
ReceivedAt = DateTime.SpecifyKind(DateTime.UtcNow, DateTimeKind.Utc),
ContentHash = "sha256:abc",
Signature = new AdvisoryObservationSignatureDocument
{
Present = true,
Format = "pgp",
KeyId = "key",
Signature = "signature"
}
},
Content = new AdvisoryObservationContentDocument
{
Format = "CSAF",
SpecVersion = "2.0",
Raw = BsonDocument.Parse("{\"example\":true}")
},
Linkset = new AdvisoryObservationLinksetDocument
{
Aliases = new List<string> { "CVE-2025-1234" },
Purls = new List<string> { "pkg:generic/foo@1.0.0" },
Cpes = new List<string> { "cpe:/a:vendor:product:1" },
References = new List<AdvisoryObservationReferenceDocument>
{
new() { Type = "advisory", Url = "https://example.com" }
}
},
RawLinkset = new AdvisoryObservationRawLinksetDocument
{
Aliases = new List<string> { "CVE-2025-1234", "cve-2025-1234" },
Scopes = new List<string> { "runtime", "build" },
Relationships = new List<AdvisoryObservationRawRelationshipDocument>
{
new() { Type = "depends_on", Source = "componentA", Target = "componentB", Provenance = "sbom-manifest" }
},
PackageUrls = new List<string> { "pkg:generic/foo@1.0.0" },
Cpes = new List<string> { "cpe:/a:vendor:product:1" },
References = new List<AdvisoryObservationRawReferenceDocument>
{
new() { Type = "Advisory", Url = "https://example.com", Source = "vendor" }
},
ReconciledFrom = new List<string> { "source-a" },
Notes = new Dictionary<string, string> { ["note-key"] = "note-value" }
}
};
var observation = AdvisoryObservationDocumentFactory.ToModel(document);
Assert.Equal("tenant-a:obs-1", observation.ObservationId);
Assert.Equal("tenant-a", observation.Tenant);
Assert.Equal("CVE-2025-1234", observation.Upstream.UpstreamId);
Assert.Equal(new[] { "CVE-2025-1234" }, observation.Linkset.Aliases.ToArray());
Assert.Contains("pkg:generic/foo@1.0.0", observation.Linkset.Purls);
Assert.Equal("CSAF", observation.Content.Format);
Assert.True(observation.Content.Raw?["example"]?.GetValue<bool>());
Assert.Equal(document.Linkset.References![0].Type, observation.Linkset.References[0].Type);
Assert.Equal(new[] { "CVE-2025-1234", "cve-2025-1234" }, observation.RawLinkset.Aliases);
Assert.Equal(new[] { "runtime", "build" }, observation.RawLinkset.Scopes);
Assert.Equal("depends_on", observation.RawLinkset.Relationships[0].Type);
Assert.Equal("componentA", observation.RawLinkset.Relationships[0].Source);
Assert.Equal("componentB", observation.RawLinkset.Relationships[0].Target);
Assert.Equal("sbom-manifest", observation.RawLinkset.Relationships[0].Provenance);
Assert.Equal("Advisory", observation.RawLinkset.References[0].Type);
Assert.Equal("vendor", observation.RawLinkset.References[0].Source);
Assert.Equal("note-value", observation.RawLinkset.Notes["note-key"]);
}
}

260
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Observations/AdvisoryObservationStoreTests.cs
View File

@@ -1,260 +0,0 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using MongoDB.Bson;
using MongoDB.Driver;
using StellaOps.Concelier.Core.Observations;
using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Storage.Mongo.Observations;
using StellaOps.Concelier.Testing;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests.Observations;
[Collection("mongo-fixture")]
public sealed class AdvisoryObservationStoreTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public AdvisoryObservationStoreTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task FindByFiltersAsync_FiltersByAliasAndTenant()
{
await ResetCollectionAsync();
var collection = _fixture.Database.GetCollection<AdvisoryObservationDocument>(MongoStorageDefaults.Collections.AdvisoryObservations);
await collection.InsertManyAsync(new[]
{
CreateDocument(
id: "tenant-a:nvd:alpha:1",
tenant: "tenant-a",
createdAt: new DateTime(2025, 1, 1, 0, 0, 0, DateTimeKind.Utc),
aliases: new[] { "CvE-2025-0001 " },
purls: new[] { "pkg:npm/demo@1.0.0" }),
CreateDocument(
id: "tenant-a:ghsa:beta:1",
tenant: "tenant-a",
createdAt: new DateTime(2025, 1, 2, 0, 0, 0, DateTimeKind.Utc),
aliases: new[] { " ghsa-xyz0", "cve-2025-0001" },
purls: new[] { "pkg:npm/demo@1.1.0" }),
CreateDocument(
id: "tenant-b:nvd:alpha:1",
tenant: "tenant-b",
createdAt: new DateTime(2025, 1, 3, 0, 0, 0, DateTimeKind.Utc),
aliases: new[] { "cve-2025-0001" },
purls: new[] { "pkg:npm/demo@2.0.0" })
});
var store = new AdvisoryObservationStore(collection);
var result = await store.FindByFiltersAsync(
tenant: "Tenant-A",
observationIds: Array.Empty<string>(),
aliases: new[] { " CVE-2025-0001 " },
purls: Array.Empty<string>(),
cpes: Array.Empty<string>(),
cursor: null,
limit: 5,
CancellationToken.None);
Assert.Equal(2, result.Count);
Assert.Equal("tenant-a:ghsa:beta:1", result[0].ObservationId);
Assert.Equal("tenant-a:nvd:alpha:1", result[1].ObservationId);
Assert.All(result, observation => Assert.Equal("tenant-a", observation.Tenant));
Assert.Equal("ghsa-xyz0", result[0].Linkset.Aliases[0]);
Assert.Equal("CvE-2025-0001", result[1].Linkset.Aliases[0]);
Assert.Equal(" ghsa-xyz0", result[0].RawLinkset.Aliases[0]);
Assert.Equal("CvE-2025-0001 ", result[1].RawLinkset.Aliases[0]);
}
[Fact]
public async Task FindByFiltersAsync_RespectsObservationIdsAndPurls()
{
await ResetCollectionAsync();
var collection = _fixture.Database.GetCollection<AdvisoryObservationDocument>(MongoStorageDefaults.Collections.AdvisoryObservations);
await collection.InsertManyAsync(new[]
{
CreateDocument(
id: "tenant-a:osv:alpha:1",
tenant: "tenant-a",
createdAt: new DateTime(2025, 2, 1, 0, 0, 0, DateTimeKind.Utc),
aliases: new[] { "cve-2025-0100" },
purls: new[] { "pkg:pypi/demo@2.0.0" },
cpes: new[] { "cpe:/a:vendor:product:2.0" }),
CreateDocument(
id: "tenant-a:osv:alpha:2",
tenant: "tenant-a",
createdAt: new DateTime(2025, 2, 2, 0, 0, 0, DateTimeKind.Utc),
aliases: new[] { "cve-2025-0100" },
purls: new[] { "pkg:pypi/demo@2.1.0" },
cpes: new[] { "cpe:/a:vendor:product:2.1" })
});
var store = new AdvisoryObservationStore(collection);
var result = await store.FindByFiltersAsync(
tenant: "tenant-a",
observationIds: new[] { "tenant-a:osv:alpha:1" },
aliases: Array.Empty<string>(),
purls: new[] { "pkg:pypi/demo@2.0.0" },
cpes: new[] { "cpe:/a:vendor:product:2.0" },
cursor: null,
limit: 5,
CancellationToken.None);
Assert.Single(result);
Assert.Equal("tenant-a:osv:alpha:1", result[0].ObservationId);
Assert.Equal(
new[] { "pkg:pypi/demo@2.0.0" },
result[0].Linkset.Purls.ToArray());
Assert.Equal(
new[] { "cpe:/a:vendor:product:2.0" },
result[0].Linkset.Cpes.ToArray());
}
[Fact]
public async Task FindByFiltersAsync_AppliesCursorForPagination()
{
await ResetCollectionAsync();
var collection = _fixture.Database.GetCollection<AdvisoryObservationDocument>(MongoStorageDefaults.Collections.AdvisoryObservations);
var createdAt = new DateTime(2025, 3, 1, 0, 0, 0, DateTimeKind.Utc);
await collection.InsertManyAsync(new[]
{
CreateDocument("tenant-a:source:1", "tenant-a", createdAt, aliases: new[] { "cve-1" }),
CreateDocument("tenant-a:source:2", "tenant-a", createdAt.AddMinutes(-1), aliases: new[] { "cve-2" }),
CreateDocument("tenant-a:source:3", "tenant-a", createdAt.AddMinutes(-2), aliases: new[] { "cve-3" })
});
var store = new AdvisoryObservationStore(collection);
var firstPage = await store.FindByFiltersAsync(
tenant: "tenant-a",
observationIds: Array.Empty<string>(),
aliases: Array.Empty<string>(),
purls: Array.Empty<string>(),
cpes: Array.Empty<string>(),
cursor: null,
limit: 2,
CancellationToken.None);
Assert.Equal(2, firstPage.Count);
Assert.Equal("tenant-a:source:1", firstPage[0].ObservationId);
Assert.Equal("tenant-a:source:2", firstPage[1].ObservationId);
var cursor = new AdvisoryObservationCursor(firstPage[1].CreatedAt, firstPage[1].ObservationId);
var secondPage = await store.FindByFiltersAsync(
tenant: "tenant-a",
observationIds: Array.Empty<string>(),
aliases: Array.Empty<string>(),
purls: Array.Empty<string>(),
cpes: Array.Empty<string>(),
cursor: cursor,
limit: 2,
CancellationToken.None);
Assert.Single(secondPage);
Assert.Equal("tenant-a:source:3", secondPage[0].ObservationId);
}
private static AdvisoryObservationDocument CreateDocument(
string id,
string tenant,
DateTime createdAt,
IEnumerable<string>? aliases = null,
IEnumerable<string>? purls = null,
IEnumerable<string>? cpes = null)
{
var canonicalAliases = aliases?
.Where(value => value is not null)
.Select(value => value.Trim())
.ToList();
var canonicalPurls = purls?
.Where(value => value is not null)
.Select(value => value.Trim())
.ToList();
var canonicalCpes = cpes?
.Where(value => value is not null)
.Select(value => value.Trim())
.ToList();
var rawAliases = aliases?
.Where(value => value is not null)
.ToList();
var rawPurls = purls?
.Where(value => value is not null)
.ToList();
var rawCpes = cpes?
.Where(value => value is not null)
.ToList();
return new AdvisoryObservationDocument
{
Id = id,
Tenant = tenant.ToLowerInvariant(),
CreatedAt = createdAt,
Source = new AdvisoryObservationSourceDocument
{
Vendor = "nvd",
Stream = "feed",
Api = "https://example.test/api"
},
Upstream = new AdvisoryObservationUpstreamDocument
{
UpstreamId = id,
DocumentVersion = null,
FetchedAt = createdAt,
ReceivedAt = createdAt,
ContentHash = $"sha256:{id}",
Signature = new AdvisoryObservationSignatureDocument
{
Present = false
},
Metadata = new Dictionary<string, string>(StringComparer.Ordinal)
},
Content = new AdvisoryObservationContentDocument
{
Format = "csaf",
SpecVersion = "2.0",
Raw = BsonDocument.Parse("""{"id": "%ID%"}""".Replace("%ID%", id)),
Metadata = new Dictionary<string, string>(StringComparer.Ordinal)
},
Linkset = new AdvisoryObservationLinksetDocument
{
Aliases = canonicalAliases,
Purls = canonicalPurls,
Cpes = canonicalCpes,
References = new List<AdvisoryObservationReferenceDocument>()
},
RawLinkset = new AdvisoryObservationRawLinksetDocument
{
Aliases = rawAliases,
PackageUrls = rawPurls,
Cpes = rawCpes,
References = new List<AdvisoryObservationRawReferenceDocument>()
},
Attributes = new Dictionary<string, string>(StringComparer.Ordinal)
};
}
private async Task ResetCollectionAsync()
{
try
{
await _fixture.Database.DropCollectionAsync(MongoStorageDefaults.Collections.AdvisoryObservations);
}
catch (MongoCommandException ex) when (ex.CodeName == "NamespaceNotFound" || ex.Message.Contains("ns not found", StringComparison.OrdinalIgnoreCase))
{
// Collection did not exist ignore.
}
}
}

100
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Observations/AdvisoryObservationTransportWorkerTests.cs
View File

@@ -1,100 +0,0 @@
using System;
using System.Collections.Immutable;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Concelier.Core.Observations;
using StellaOps.Concelier.Storage.Mongo.Observations;
using StellaOps.Concelier.Models.Observations;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests.Observations;
public class AdvisoryObservationTransportWorkerTests
{
[Fact]
public async Task Worker_publishes_outbox_entries_and_marks_published_once()
{
var evt = new AdvisoryObservationUpdatedEvent(
Guid.NewGuid(),
"tenant-1",
"obs-1",
"adv-1",
new Models.Observations.AdvisoryObservationSource("vendor", "stream", "api", "1.0.0"),
new AdvisoryObservationLinksetSummary(
ImmutableArray<string>.Empty,
ImmutableArray<string>.Empty,
ImmutableArray<string>.Empty,
ImmutableArray<string>.Empty,
ImmutableArray<AdvisoryObservationRelationshipSummary>.Empty),
"doc-sha",
"hash-1",
DateTimeOffset.UtcNow,
ReplayCursor: "cursor-1",
SupersedesId: null,
TraceId: "trace-1");
var outbox = new FakeOutbox(evt);
var transport = new FakeTransport();
var options = Options.Create(new AdvisoryObservationEventPublisherOptions
{
Enabled = true,
Transport = "nats",
Subject = "subject",
Stream = "stream",
NatsUrl = "nats://localhost:4222"
});
var worker = new AdvisoryObservationTransportWorker(outbox, transport, options, NullLogger<AdvisoryObservationTransportWorker>.Instance);
await worker.StartAsync(CancellationToken.None);
await Task.Delay(150, CancellationToken.None);
await worker.StopAsync(CancellationToken.None);
Assert.Equal(1, transport.Sent.Count);
Assert.Equal(evt.EventId, transport.Sent[0].EventId);
Assert.Equal(1, outbox.MarkedCount);
}
private sealed class FakeOutbox : IAdvisoryObservationEventOutbox
{
private readonly AdvisoryObservationUpdatedEvent _event;
private bool _dequeued;
public int MarkedCount { get; private set; }
public FakeOutbox(AdvisoryObservationUpdatedEvent @event)
{
_event = @event;
}
public Task<IReadOnlyCollection<AdvisoryObservationUpdatedEvent>> DequeueAsync(int take, CancellationToken cancellationToken)
{
if (_dequeued)
{
return Task.FromResult<IReadOnlyCollection<AdvisoryObservationUpdatedEvent>>(Array.Empty<AdvisoryObservationUpdatedEvent>());
}
_dequeued = true;
return Task.FromResult<IReadOnlyCollection<AdvisoryObservationUpdatedEvent>>(new[] { _event });
}
public Task MarkPublishedAsync(Guid eventId, DateTimeOffset publishedAt, CancellationToken cancellationToken)
{
MarkedCount++;
return Task.CompletedTask;
}
}
private sealed class FakeTransport : IAdvisoryObservationEventTransport
{
public List<AdvisoryObservationUpdatedEvent> Sent { get; } = new();
public Task SendAsync(AdvisoryObservationUpdatedEvent @event, CancellationToken cancellationToken)
{
Sent.Add(@event);
return Task.CompletedTask;
}
}
}

94
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Observations/AdvisoryObservationV1DocumentFactoryTests.cs
View File

@@ -1,94 +0,0 @@
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using MongoDB.Bson;
using StellaOps.Concelier.Models.Observations;
using StellaOps.Concelier.Storage.Mongo.Observations.V1;
using Xunit;
namespace StellaOps.Concelier.Storage.Mongo.Tests.Observations;
public sealed class AdvisoryObservationV1DocumentFactoryTests
{
[Fact]
public void ObservationIdBuilder_IsDeterministic()
{
var id1 = ObservationIdBuilder.Create("TENANT", "Ghsa", "GHSA-1234", "sha256:abc");
var id2 = ObservationIdBuilder.Create("tenant", "ghsa", "GHSA-1234", "sha256:abc");
Assert.Equal(id1, id2);
}
[Fact]
public void ToModel_MapsAndNormalizes()
{
var document = new AdvisoryObservationV1Document
{
Id = new ObjectId("6710f1f1a1b2c3d4e5f60708"),
TenantId = "TENANT-01",
Source = "GHSA",
AdvisoryId = "GHSA-2025-0001",
Title = "Test title",
Summary = "Summary",
Severities = new List<ObservationSeverityDocument>
{
new() { System = "cvssv3.1", Score = 7.5, Vector = "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }
},
Affected = new List<ObservationAffectedDocument>
{
new()
{
Purl = "pkg:nuget/foo@1.2.3",
Package = "foo",
Versions = new List<string>{ "1.2.3" },
Ranges = new List<ObservationVersionRangeDocument>
{
new()
{
Type = "ECOSYSTEM",
Events = new List<ObservationRangeEventDocument>
{
new(){ Event = "introduced", Value = "1.0.0" },
new(){ Event = "fixed", Value = "1.2.3" }
}
}
},
Ecosystem = "nuget",
Cpes = new List<string>{ "cpe:/a:foo:bar:1.2.3" }
}
},
References = new List<string>{ "https://example.test/advisory" },
Weaknesses = new List<string>{ "CWE-79" },
Published = new DateTime(2025, 11, 1, 0, 0, 0, DateTimeKind.Utc),
Modified = new DateTime(2025, 11, 10, 0, 0, 0, DateTimeKind.Utc),
IngestedAt = new DateTime(2025, 11, 12, 0, 0, 0, DateTimeKind.Utc),
Provenance = new ObservationProvenanceDocument
{
SourceArtifactSha = "sha256:abc",
FetchedAt = new DateTime(2025, 11, 12, 0, 0, 0, DateTimeKind.Utc),
IngestJobId = "job-1",
Signature = new ObservationSignatureDocument
{
Present = true,
Format = "dsse",
KeyId = "k1",
Signature = "sig"
}
}
};
var model = AdvisoryObservationV1DocumentFactory.ToModel(document);
Assert.Equal("6710f1f1a1b2c3d4e5f60708", model.ObservationId);
Assert.Equal("tenant-01", model.Tenant);
Assert.Equal("ghsa", model.Source);
Assert.Equal("GHSA-2025-0001", model.AdvisoryId);
Assert.Equal("Test title", model.Title);
Assert.Single(model.Severities);
Assert.Single(model.Affected);
Assert.Single(model.References);
Assert.Single(model.Weaknesses);
Assert.Equal(new DateTimeOffset(2025, 11, 12, 0, 0, 0, TimeSpan.Zero), model.IngestedAt);
Assert.NotNull(model.Provenance.Signature);
}
}

93
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/RawDocumentRetentionServiceTests.cs
View File

@@ -1,93 +0,0 @@
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using Microsoft.Extensions.Time.Testing;
using MongoDB.Bson;
using MongoDB.Driver;
using MongoDB.Driver.GridFS;
using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Storage.Mongo.Documents;
using StellaOps.Concelier.Storage.Mongo.Dtos;
namespace StellaOps.Concelier.Storage.Mongo.Tests;
[Collection("mongo-fixture")]
public sealed class RawDocumentRetentionServiceTests : IClassFixture<MongoIntegrationFixture>
{
private readonly MongoIntegrationFixture _fixture;
public RawDocumentRetentionServiceTests(MongoIntegrationFixture fixture)
{
_fixture = fixture;
}
[Fact]
public async Task SweepExpiredDocumentsAsync_RemovesExpiredRawDocuments()
{
var database = _fixture.Database;
var documents = database.GetCollection<DocumentDocument>(MongoStorageDefaults.Collections.Document);
var dtos = database.GetCollection<DtoDocument>(MongoStorageDefaults.Collections.Dto);
var bucket = new GridFSBucket(database, new GridFSBucketOptions { BucketName = "documents" });
var now = new DateTimeOffset(2024, 10, 1, 12, 0, 0, TimeSpan.Zero);
var fakeTime = new FakeTimeProvider(now);
var options = Options.Create(new MongoStorageOptions
{
ConnectionString = _fixture.Runner.ConnectionString,
DatabaseName = database.DatabaseNamespace.DatabaseName,
RawDocumentRetention = TimeSpan.FromDays(1),
RawDocumentRetentionTtlGrace = TimeSpan.Zero,
RawDocumentRetentionSweepInterval = TimeSpan.FromMinutes(5),
});
var expiredId = Guid.NewGuid().ToString();
var gridFsId = await bucket.UploadFromBytesAsync("expired", new byte[] { 1, 2, 3 });
await documents.InsertOneAsync(new DocumentDocument
{
Id = expiredId,
SourceName = "nvd",
Uri = "https://example.test/cve",
FetchedAt = now.AddDays(-2).UtcDateTime,
Sha256 = "abc",
Status = "pending",
ExpiresAt = now.AddMinutes(-5).UtcDateTime,
GridFsId = gridFsId,
});
await dtos.InsertOneAsync(new DtoDocument
{
Id = Guid.NewGuid().ToString(),
DocumentId = expiredId,
SourceName = "nvd",
SchemaVersion = "schema",
Payload = new BsonDocument("value", 1),
ValidatedAt = now.UtcDateTime,
});
var freshId = Guid.NewGuid().ToString();
await documents.InsertOneAsync(new DocumentDocument
{
Id = freshId,
SourceName = "nvd",
Uri = "https://example.test/future",
FetchedAt = now.UtcDateTime,
Sha256 = "def",
Status = "pending",
ExpiresAt = now.AddHours(1).UtcDateTime,
GridFsId = null,
});
var service = new RawDocumentRetentionService(database, options, NullLogger<RawDocumentRetentionService>.Instance, fakeTime);
var removed = await service.SweepExpiredDocumentsAsync(CancellationToken.None);
Assert.Equal(1, removed);
Assert.Equal(0, await documents.CountDocumentsAsync(d => d.Id == expiredId));
Assert.Equal(0, await dtos.CountDocumentsAsync(d => d.DocumentId == expiredId));
Assert.Equal(1, await documents.CountDocumentsAsync(d => d.Id == freshId));
var filter = Builders<GridFSFileInfo>.Filter.Eq("_id", gridFsId);
using var cursor = await bucket.FindAsync(filter);
Assert.Empty(await cursor.ToListAsync());
}
}

17
src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/StellaOps.Concelier.Storage.Mongo.Tests.csproj
View File

@@ -1,17 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<PackageReference Update="Microsoft.Extensions.TimeProvider.Testing" Version="9.10.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="../../__Libraries/StellaOps.Concelier.Core/StellaOps.Concelier.Core.csproj" />
<ProjectReference Include="../../__Libraries/StellaOps.Concelier.Models/StellaOps.Concelier.Models.csproj" />
<ProjectReference Include="../../__Libraries/StellaOps.Concelier.Storage.Mongo/StellaOps.Concelier.Storage.Mongo.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.Cryptography/StellaOps.Cryptography.csproj" />
</ItemGroup>
</Project>

35
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/BunLanguageAnalyzer.cs
View File

@@ -38,6 +38,12 @@ public sealed class BunLanguageAnalyzer : ILanguageAnalyzer
continue;
}
// Parse workspace info for direct dependency detection
var workspaceInfo = BunWorkspaceHelper.ParseWorkspaceInfo(projectRoot);
// Parse bunfig.toml for custom registry info
var bunConfig = BunConfigHelper.ParseConfig(projectRoot);
// Stage 3: Collect packages based on classification
IReadOnlyList<BunPackage> packages;
if (classification.Kind == BunInputKind.InstalledModules)
@@ -61,6 +67,35 @@ public sealed class BunLanguageAnalyzer : ILanguageAnalyzer
continue;
}
// Mark direct, patched dependencies and custom registries
foreach (var package in packages)
{
package.IsDirect = workspaceInfo.DirectDependencies.ContainsKey(package.Name);
if (workspaceInfo.PatchedDependencies.TryGetValue(package.Name, out var patchFile))
{
package.IsPatched = true;
package.PatchFile = patchFile;
}
// Check for custom registry (scoped or default)
if (bunConfig.HasCustomRegistry)
{
// Check scoped registry first (e.g., @company/pkg uses company's registry)
if (package.Name.StartsWith('@'))
{
var scope = package.Name.Split('/')[0];
if (bunConfig.ScopeRegistries.TryGetValue(scope, out var scopeRegistry))
{
package.CustomRegistry = scopeRegistry;
}
}
// Fall back to default custom registry if no scope match
package.CustomRegistry ??= bunConfig.DefaultRegistry;
}
}
// Stage 4: Normalize and emit
var normalized = BunPackageNormalizer.Normalize(packages);
foreach (var package in normalized.OrderBy(static p => p.ComponentKey, StringComparer.Ordinal))

166
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunConfigHelper.cs Normal file
View File

@@ -0,0 +1,166 @@
using System.Collections.Immutable;
using System.Text.RegularExpressions;
namespace StellaOps.Scanner.Analyzers.Lang.Bun.Internal;
/// <summary>
/// Helper for parsing bunfig.toml configuration files.
/// Provides registry and scope information for dependency source tracking.
/// </summary>
internal static partial class BunConfigHelper
{
/// <summary>
/// Configuration information from bunfig.toml.
/// </summary>
public sealed record BunConfig
{
public static readonly BunConfig Empty = new(
null,
ImmutableDictionary<string, string>.Empty);
public BunConfig(
string? defaultRegistry,
IReadOnlyDictionary<string, string> scopeRegistries)
{
DefaultRegistry = defaultRegistry;
ScopeRegistries = scopeRegistries;
}
/// <summary>
/// Default registry URL for packages (from install.registry).
/// </summary>
public string? DefaultRegistry { get; }
/// <summary>
/// Scoped registries mapping scope name to registry URL.
/// </summary>
public IReadOnlyDictionary<string, string> ScopeRegistries { get; }
/// <summary>
/// Returns true if any custom registry configuration exists.
/// </summary>
public bool HasCustomRegistry => DefaultRegistry is not null || ScopeRegistries.Count > 0;
}
/// <summary>
/// Parses bunfig.toml from the project root.
/// </summary>
public static BunConfig ParseConfig(string projectRoot)
{
ArgumentException.ThrowIfNullOrWhiteSpace(projectRoot);
var bunfigPath = Path.Combine(projectRoot, "bunfig.toml");
if (!File.Exists(bunfigPath))
{
return BunConfig.Empty;
}
try
{
var content = File.ReadAllText(bunfigPath);
return ParseToml(content);
}
catch (IOException)
{
return BunConfig.Empty;
}
}
/// <summary>
/// Simple TOML parser for bunfig.toml registry configuration.
/// Extracts [install] registry and [install.scopes] sections.
/// </summary>
private static BunConfig ParseToml(string content)
{
if (string.IsNullOrWhiteSpace(content))
{
return BunConfig.Empty;
}
string? defaultRegistry = null;
var scopeRegistries = new Dictionary<string, string>(StringComparer.Ordinal);
var lines = content.Split('\n');
var currentSection = string.Empty;
foreach (var rawLine in lines)
{
var line = rawLine.Trim();
// Skip comments and empty lines
if (string.IsNullOrEmpty(line) || line.StartsWith('#'))
{
continue;
}
// Section header
if (line.StartsWith('[') && line.EndsWith(']'))
{
currentSection = line[1..^1].Trim();
continue;
}
// Key-value pair
var equalsIndex = line.IndexOf('=');
if (equalsIndex > 0)
{
var key = line[..equalsIndex].Trim();
var value = line[(equalsIndex + 1)..].Trim();
// Remove quotes from value
value = StripQuotes(value);
// [install] registry = "..."
if (currentSection.Equals("install", StringComparison.OrdinalIgnoreCase) &&
key.Equals("registry", StringComparison.OrdinalIgnoreCase))
{
defaultRegistry = value;
}
// [install.scopes] "@scope" = { url = "..." } or "@scope" = "..."
else if (currentSection.Equals("install.scopes", StringComparison.OrdinalIgnoreCase))
{
var scopeName = StripQuotes(key);
var registryUrl = ExtractRegistryUrl(value);
if (!string.IsNullOrEmpty(scopeName) && !string.IsNullOrEmpty(registryUrl))
{
scopeRegistries[scopeName] = registryUrl;
}
}
}
}
return new BunConfig(
defaultRegistry,
scopeRegistries.ToImmutableDictionary(StringComparer.Ordinal));
}
private static string StripQuotes(string value)
{
if (value.Length >= 2)
{
if ((value.StartsWith('"') && value.EndsWith('"')) ||
(value.StartsWith('\'') && value.EndsWith('\'')))
{
return value[1..^1];
}
}
return value;
}
private static string? ExtractRegistryUrl(string value)
{
// Simple case: just a URL string
if (value.StartsWith("http", StringComparison.OrdinalIgnoreCase))
{
return value;
}
// Inline table: { url = "..." }
var urlMatch = UrlPattern().Match(value);
return urlMatch.Success ? urlMatch.Groups[1].Value : null;
}
[GeneratedRegex(@"url\s*=\s*[""']([^""']+)[""']", RegexOptions.IgnoreCase)]
private static partial Regex UrlPattern();
}

103
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunPackage.cs
View File

@@ -27,6 +27,48 @@ internal sealed class BunPackage
public string? Source { get; private init; }
public bool IsPrivate { get; private init; }
public bool IsDev { get; private init; }
public bool IsOptional { get; private init; }
public bool IsPeer { get; private init; }
/// <summary>
/// Source type: npm, git, tarball, file, link, workspace.
/// </summary>
public string SourceType { get; private init; } = "npm";
/// <summary>
/// Git commit hash for git dependencies.
/// </summary>
public string? GitCommit { get; private init; }
/// <summary>
/// Original specifier (e.g., "github:user/repo#tag").
/// </summary>
public string? Specifier { get; private init; }
/// <summary>
/// Direct dependencies of this package (for transitive analysis).
/// </summary>
public IReadOnlyList<string> Dependencies { get; private init; } = Array.Empty<string>();
/// <summary>
/// Whether this is a direct dependency (in root package.json) or transitive.
/// </summary>
public bool IsDirect { get; set; }
/// <summary>
/// Whether this package has been patched (via patchedDependencies or .patches directory).
/// </summary>
public bool IsPatched { get; set; }
/// <summary>
/// Path to the patch file if this package is patched.
/// </summary>
public string? PatchFile { get; set; }
/// <summary>
/// Custom registry URL if this package comes from a non-default registry.
/// </summary>
public string? CustomRegistry { get; set; }
/// <summary>
/// Logical path where this package was found (may be symlink).
@@ -67,7 +109,13 @@ internal sealed class BunPackage
Source = "node_modules",
Resolved = lockEntry?.Resolved,
Integrity = lockEntry?.Integrity,
IsDev = lockEntry?.IsDev ?? false
IsDev = lockEntry?.IsDev ?? false,
IsOptional = lockEntry?.IsOptional ?? false,
IsPeer = lockEntry?.IsPeer ?? false,
SourceType = lockEntry?.SourceType ?? "npm",
GitCommit = lockEntry?.GitCommit,
Specifier = lockEntry?.Specifier,
Dependencies = lockEntry?.Dependencies ?? Array.Empty<string>()
};
}
@@ -80,7 +128,13 @@ internal sealed class BunPackage
Source = source,
Resolved = entry.Resolved,
Integrity = entry.Integrity,
IsDev = entry.IsDev
IsDev = entry.IsDev,
IsOptional = entry.IsOptional,
IsPeer = entry.IsPeer,
SourceType = entry.SourceType,
GitCommit = entry.GitCommit,
Specifier = entry.Specifier,
Dependencies = entry.Dependencies
};
}
@@ -118,13 +172,58 @@ internal sealed class BunPackage
metadata["private"] = "true";
}
if (!string.IsNullOrEmpty(CustomRegistry))
{
metadata["customRegistry"] = CustomRegistry;
}
if (IsDev)
{
metadata["dev"] = "true";
}
if (IsDirect)
{
metadata["direct"] = "true";
}
if (!string.IsNullOrEmpty(GitCommit))
{
metadata["gitCommit"] = GitCommit;
}
if (IsOptional)
{
metadata["optional"] = "true";
}
metadata["packageManager"] = "bun";
if (IsPatched)
{
metadata["patched"] = "true";
}
if (!string.IsNullOrEmpty(PatchFile))
{
metadata["patchFile"] = NormalizePath(PatchFile);
}
if (IsPeer)
{
metadata["peer"] = "true";
}
if (SourceType != "npm")
{
metadata["sourceType"] = SourceType;
}
if (!string.IsNullOrEmpty(Specifier))
{
metadata["specifier"] = Specifier;
}
if (_occurrencePaths.Count > 1)
{
metadata["occurrences"] = string.Join(";", _occurrencePaths.Select(NormalizePath).Order(StringComparer.Ordinal));

414
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunWorkspaceHelper.cs Normal file
View File

@@ -0,0 +1,414 @@
using System.Collections.Immutable;
using System.Text.Json;
namespace StellaOps.Scanner.Analyzers.Lang.Bun.Internal;
/// <summary>
/// Helper for parsing workspace configuration and direct dependencies from package.json files.
/// </summary>
internal static class BunWorkspaceHelper
{
/// <summary>
/// Information about workspaces and direct dependencies in a Bun project.
/// </summary>
public sealed record WorkspaceInfo
{
public static readonly WorkspaceInfo Empty = new(
ImmutableHashSet<string>.Empty,
ImmutableHashSet<string>.Empty,
ImmutableDictionary<string, DependencyType>.Empty,
ImmutableDictionary<string, string>.Empty);
public WorkspaceInfo(
IReadOnlySet<string> workspacePatterns,
IReadOnlySet<string> workspacePaths,
IReadOnlyDictionary<string, DependencyType> directDependencies,
IReadOnlyDictionary<string, string> patchedDependencies)
{
WorkspacePatterns = workspacePatterns;
WorkspacePaths = workspacePaths;
DirectDependencies = directDependencies;
PatchedDependencies = patchedDependencies;
}
/// <summary>
/// Glob patterns for workspace members from root package.json.
/// </summary>
public IReadOnlySet<string> WorkspacePatterns { get; }
/// <summary>
/// Resolved paths to workspace member directories.
/// </summary>
public IReadOnlySet<string> WorkspacePaths { get; }
/// <summary>
/// Direct dependencies declared in root and workspace package.json files.
/// Key is package name, value is dependency type.
/// </summary>
public IReadOnlyDictionary<string, DependencyType> DirectDependencies { get; }
/// <summary>
/// Patched dependencies. Key is package name (or name@version), value is patch file path.
/// </summary>
public IReadOnlyDictionary<string, string> PatchedDependencies { get; }
}
[Flags]
public enum DependencyType
{
None = 0,
Production = 1,
Dev = 2,
Optional = 4,
Peer = 8
}
/// <summary>
/// Parses workspace configuration and direct dependencies from project root.
/// </summary>
public static WorkspaceInfo ParseWorkspaceInfo(string projectRoot)
{
ArgumentException.ThrowIfNullOrWhiteSpace(projectRoot);
var rootPackageJsonPath = Path.Combine(projectRoot, "package.json");
if (!File.Exists(rootPackageJsonPath))
{
return WorkspaceInfo.Empty;
}
try
{
var content = File.ReadAllText(rootPackageJsonPath);
using var document = JsonDocument.Parse(content);
var root = document.RootElement;
// Parse workspace patterns
var workspacePatterns = ParseWorkspacePatterns(root);
// Resolve workspace paths
var workspacePaths = ResolveWorkspacePaths(projectRoot, workspacePatterns);
// Parse direct dependencies from root
var directDependencies = new Dictionary<string, DependencyType>(StringComparer.Ordinal);
ParseDependencies(root, directDependencies);
// Parse direct dependencies from each workspace
foreach (var wsPath in workspacePaths)
{
var wsPackageJsonPath = Path.Combine(projectRoot, wsPath, "package.json");
if (File.Exists(wsPackageJsonPath))
{
try
{
var wsContent = File.ReadAllText(wsPackageJsonPath);
using var wsDocument = JsonDocument.Parse(wsContent);
ParseDependencies(wsDocument.RootElement, directDependencies);
}
catch (JsonException)
{
// Skip malformed workspace package.json
}
}
}
// Parse patched dependencies
var patchedDependencies = ParsePatchedDependencies(root, projectRoot);
return new WorkspaceInfo(
workspacePatterns.ToImmutableHashSet(StringComparer.Ordinal),
workspacePaths.ToImmutableHashSet(StringComparer.Ordinal),
directDependencies.ToImmutableDictionary(StringComparer.Ordinal),
patchedDependencies.ToImmutableDictionary(StringComparer.Ordinal));
}
catch (JsonException)
{
return WorkspaceInfo.Empty;
}
catch (IOException)
{
return WorkspaceInfo.Empty;
}
}
/// <summary>
/// Checks if a package name is a direct dependency.
/// </summary>
public static bool IsDirect(string packageName, IReadOnlyDictionary<string, DependencyType> directDependencies)
{
return directDependencies.ContainsKey(packageName);
}
private static HashSet<string> ParseWorkspacePatterns(JsonElement root)
{
var patterns = new HashSet<string>(StringComparer.Ordinal);
if (!root.TryGetProperty("workspaces", out var workspaces))
{
return patterns;
}
// workspaces can be an array of patterns
if (workspaces.ValueKind == JsonValueKind.Array)
{
foreach (var pattern in workspaces.EnumerateArray())
{
var patternStr = pattern.GetString();
if (!string.IsNullOrWhiteSpace(patternStr))
{
patterns.Add(patternStr);
}
}
}
// Or an object with "packages" array (npm/yarn format)
else if (workspaces.ValueKind == JsonValueKind.Object &&
workspaces.TryGetProperty("packages", out var packages) &&
packages.ValueKind == JsonValueKind.Array)
{
foreach (var pattern in packages.EnumerateArray())
{
var patternStr = pattern.GetString();
if (!string.IsNullOrWhiteSpace(patternStr))
{
patterns.Add(patternStr);
}
}
}
return patterns;
}
private static HashSet<string> ResolveWorkspacePaths(string projectRoot, IEnumerable<string> patterns)
{
var paths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
foreach (var pattern in patterns)
{
// Handle glob patterns like "packages/*" or "apps/**"
if (pattern.Contains('*'))
{
var resolvedPaths = ExpandGlobPattern(projectRoot, pattern);
foreach (var path in resolvedPaths)
{
paths.Add(path);
}
}
else
{
// Direct path
var fullPath = Path.Combine(projectRoot, pattern);
if (Directory.Exists(fullPath) && File.Exists(Path.Combine(fullPath, "package.json")))
{
paths.Add(pattern);
}
}
}
return paths;
}
private static IEnumerable<string> ExpandGlobPattern(string projectRoot, string pattern)
{
// Simple glob expansion for common patterns
// Handles: "packages/*", "apps/*", "libs/**", etc.
var parts = pattern.Split('/', '\\');
var baseParts = new List<string>();
var hasGlob = false;
foreach (var part in parts)
{
if (part.Contains('*'))
{
hasGlob = true;
break;
}
baseParts.Add(part);
}
var baseDir = baseParts.Count > 0
? Path.Combine(projectRoot, string.Join(Path.DirectorySeparatorChar.ToString(), baseParts))
: projectRoot;
if (!Directory.Exists(baseDir))
{
yield break;
}
// For simple patterns like "packages/*", enumerate immediate subdirectories
if (hasGlob)
{
var isRecursive = pattern.Contains("**");
foreach (var dir in Directory.EnumerateDirectories(baseDir))
{
var dirPath = Path.Combine(string.Join("/", baseParts), Path.GetFileName(dir));
// Check if this is a package (has package.json)
if (File.Exists(Path.Combine(dir, "package.json")))
{
yield return dirPath;
}
// For recursive patterns, search subdirectories
if (isRecursive)
{
foreach (var subResult in EnumeratePackagesRecursively(dir, dirPath))
{
yield return subResult;
}
}
}
}
}
private static List<string> EnumeratePackagesRecursively(string directory, string relativePath)
{
var results = new List<string>();
try
{
foreach (var subdir in Directory.EnumerateDirectories(directory))
{
var subdirName = Path.GetFileName(subdir);
// Skip node_modules and hidden directories
if (subdirName == "node_modules" || subdirName.StartsWith('.'))
{
continue;
}
var subdirRelative = $"{relativePath}/{subdirName}";
if (File.Exists(Path.Combine(subdir, "package.json")))
{
results.Add(subdirRelative);
}
results.AddRange(EnumeratePackagesRecursively(subdir, subdirRelative));
}
}
catch (UnauthorizedAccessException)
{
// Skip inaccessible directories
}
return results;
}
private static void ParseDependencies(JsonElement root, Dictionary<string, DependencyType> result)
{
AddDependencies(root, "dependencies", DependencyType.Production, result);
AddDependencies(root, "devDependencies", DependencyType.Dev, result);
AddDependencies(root, "optionalDependencies", DependencyType.Optional, result);
AddDependencies(root, "peerDependencies", DependencyType.Peer, result);
}
private static Dictionary<string, string> ParsePatchedDependencies(JsonElement root, string projectRoot)
{
var result = new Dictionary<string, string>(StringComparer.Ordinal);
// Check for patchedDependencies in package.json (Bun/pnpm style)
// Format: { "patchedDependencies": { "package-name@version": "patches/package-name@version.patch" } }
if (root.TryGetProperty("patchedDependencies", out var patchedDeps) &&
patchedDeps.ValueKind == JsonValueKind.Object)
{
foreach (var entry in patchedDeps.EnumerateObject())
{
var patchFile = entry.Value.GetString();
if (!string.IsNullOrEmpty(patchFile))
{
// Parse package name from key (could be "pkg@version" or just "pkg")
var packageName = ExtractPackageName(entry.Name);
result[packageName] = patchFile;
}
}
}
// Also check for patches directory
var patchesDir = Path.Combine(projectRoot, "patches");
if (Directory.Exists(patchesDir))
{
ScanPatchesDirectory(patchesDir, result);
}
// Bun uses .patches directory
var bunPatchesDir = Path.Combine(projectRoot, ".patches");
if (Directory.Exists(bunPatchesDir))
{
ScanPatchesDirectory(bunPatchesDir, result);
}
return result;
}
private static void ScanPatchesDirectory(string patchesDir, Dictionary<string, string> result)
{
try
{
foreach (var patchFile in Directory.EnumerateFiles(patchesDir, "*.patch"))
{
// Patch file name format: package-name@version.patch
var fileName = Path.GetFileNameWithoutExtension(patchFile);
var packageName = ExtractPackageName(fileName);
if (!string.IsNullOrEmpty(packageName) && !result.ContainsKey(packageName))
{
result[packageName] = patchFile;
}
}
}
catch (UnauthorizedAccessException)
{
// Skip inaccessible directory
}
}
private static string ExtractPackageName(string nameWithVersion)
{
// Format: package-name@version or @scope/package-name@version
if (string.IsNullOrEmpty(nameWithVersion))
{
return string.Empty;
}
// For scoped packages, find @ after the scope
if (nameWithVersion.StartsWith('@'))
{
var slashIndex = nameWithVersion.IndexOf('/');
if (slashIndex > 0)
{
var atIndex = nameWithVersion.IndexOf('@', slashIndex);
return atIndex > slashIndex ? nameWithVersion[..atIndex] : nameWithVersion;
}
}
// For regular packages
var lastAtIndex = nameWithVersion.LastIndexOf('@');
return lastAtIndex > 0 ? nameWithVersion[..lastAtIndex] : nameWithVersion;
}
private static void AddDependencies(
JsonElement root,
string propertyName,
DependencyType type,
Dictionary<string, DependencyType> result)
{
if (!root.TryGetProperty(propertyName, out var deps) ||
deps.ValueKind != JsonValueKind.Object)
{
return;
}
foreach (var dep in deps.EnumerateObject())
{
var name = dep.Name;
if (result.TryGetValue(name, out var existingType))
{
result[name] = existingType | type;
}
else
{
result[name] = type;
}
}
}
}

373
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoModParser.cs Normal file
View File

@@ -0,0 +1,373 @@
using System.Collections.Immutable;
using System.Text.RegularExpressions;
namespace StellaOps.Scanner.Analyzers.Lang.Go.Internal;
/// <summary>
/// Parses go.mod files to extract module dependencies.
/// Supports module declarations, require blocks, replace directives, and indirect markers.
/// </summary>
internal static partial class GoModParser
{
/// <summary>
/// Parsed go.mod file data.
/// </summary>
public sealed record GoModData
{
public static readonly GoModData Empty = new(
null,
null,
ImmutableArray<GoModRequire>.Empty,
ImmutableArray<GoModReplace>.Empty,
ImmutableArray<GoModExclude>.Empty,
ImmutableArray<string>.Empty);
public GoModData(
string? modulePath,
string? goVersion,
ImmutableArray<GoModRequire> requires,
ImmutableArray<GoModReplace> replaces,
ImmutableArray<GoModExclude> excludes,
ImmutableArray<string> retracts)
{
ModulePath = modulePath;
GoVersion = goVersion;
Requires = requires;
Replaces = replaces;
Excludes = excludes;
Retracts = retracts;
}
public string? ModulePath { get; }
public string? GoVersion { get; }
public ImmutableArray<GoModRequire> Requires { get; }
public ImmutableArray<GoModReplace> Replaces { get; }
public ImmutableArray<GoModExclude> Excludes { get; }
public ImmutableArray<string> Retracts { get; }
public bool IsEmpty => string.IsNullOrEmpty(ModulePath);
}
/// <summary>
/// A required dependency from go.mod.
/// </summary>
public sealed record GoModRequire(
string Path,
string Version,
bool IsIndirect);
/// <summary>
/// A replace directive from go.mod.
/// </summary>
public sealed record GoModReplace(
string OldPath,
string? OldVersion,
string NewPath,
string? NewVersion);
/// <summary>
/// An exclude directive from go.mod.
/// </summary>
public sealed record GoModExclude(
string Path,
string Version);
/// <summary>
/// Parses a go.mod file from the given path.
/// </summary>
public static GoModData Parse(string goModPath)
{
ArgumentException.ThrowIfNullOrWhiteSpace(goModPath);
if (!File.Exists(goModPath))
{
return GoModData.Empty;
}
try
{
var content = File.ReadAllText(goModPath);
return ParseContent(content);
}
catch (IOException)
{
return GoModData.Empty;
}
catch (UnauthorizedAccessException)
{
return GoModData.Empty;
}
}
/// <summary>
/// Parses go.mod content string.
/// </summary>
public static GoModData ParseContent(string content)
{
if (string.IsNullOrWhiteSpace(content))
{
return GoModData.Empty;
}
string? modulePath = null;
string? goVersion = null;
var requires = new List<GoModRequire>();
var replaces = new List<GoModReplace>();
var excludes = new List<GoModExclude>();
var retracts = new List<string>();
// Remove comments (but preserve // indirect markers)
var lines = content.Split('\n');
var inRequireBlock = false;
var inReplaceBlock = false;
var inExcludeBlock = false;
var inRetractBlock = false;
foreach (var rawLine in lines)
{
var line = rawLine.Trim();
// Skip empty lines and full-line comments
if (string.IsNullOrEmpty(line) || line.StartsWith("//"))
{
continue;
}
// Handle block endings
if (line == ")")
{
inRequireBlock = false;
inReplaceBlock = false;
inExcludeBlock = false;
inRetractBlock = false;
continue;
}
// Handle block starts
if (line == "require (")
{
inRequireBlock = true;
continue;
}
if (line == "replace (")
{
inReplaceBlock = true;
continue;
}
if (line == "exclude (")
{
inExcludeBlock = true;
continue;
}
if (line == "retract (")
{
inRetractBlock = true;
continue;
}
// Parse module directive
if (line.StartsWith("module ", StringComparison.Ordinal))
{
modulePath = ExtractQuotedOrUnquoted(line["module ".Length..]);
continue;
}
// Parse go directive
if (line.StartsWith("go ", StringComparison.Ordinal))
{
goVersion = line["go ".Length..].Trim();
continue;
}
// Parse single-line require
if (line.StartsWith("require ", StringComparison.Ordinal) && !line.Contains('('))
{
var req = ParseRequireLine(line["require ".Length..]);
if (req is not null)
{
requires.Add(req);
}
continue;
}
// Parse single-line replace
if (line.StartsWith("replace ", StringComparison.Ordinal) && !line.Contains('('))
{
var rep = ParseReplaceLine(line["replace ".Length..]);
if (rep is not null)
{
replaces.Add(rep);
}
continue;
}
// Parse single-line exclude
if (line.StartsWith("exclude ", StringComparison.Ordinal) && !line.Contains('('))
{
var exc = ParseExcludeLine(line["exclude ".Length..]);
if (exc is not null)
{
excludes.Add(exc);
}
continue;
}
// Parse single-line retract
if (line.StartsWith("retract ", StringComparison.Ordinal) && !line.Contains('('))
{
var version = line["retract ".Length..].Trim();
if (!string.IsNullOrEmpty(version))
{
retracts.Add(version);
}
continue;
}
// Handle block contents
if (inRequireBlock)
{
var req = ParseRequireLine(line);
if (req is not null)
{
requires.Add(req);
}
}
else if (inReplaceBlock)
{
var rep = ParseReplaceLine(line);
if (rep is not null)
{
replaces.Add(rep);
}
}
else if (inExcludeBlock)
{
var exc = ParseExcludeLine(line);
if (exc is not null)
{
excludes.Add(exc);
}
}
else if (inRetractBlock)
{
var version = StripComment(line).Trim();
if (!string.IsNullOrEmpty(version))
{
retracts.Add(version);
}
}
}
if (string.IsNullOrEmpty(modulePath))
{
return GoModData.Empty;
}
return new GoModData(
modulePath,
goVersion,
requires.ToImmutableArray(),
replaces.ToImmutableArray(),
excludes.ToImmutableArray(),
retracts.ToImmutableArray());
}
private static GoModRequire? ParseRequireLine(string line)
{
// Format: path version [// indirect]
var isIndirect = line.Contains("// indirect", StringComparison.OrdinalIgnoreCase);
line = StripComment(line);
var parts = line.Split(' ', StringSplitOptions.RemoveEmptyEntries);
if (parts.Length < 2)
{
return null;
}
var path = parts[0].Trim();
var version = parts[1].Trim();
if (string.IsNullOrEmpty(path) || string.IsNullOrEmpty(version))
{
return null;
}
return new GoModRequire(path, version, isIndirect);
}
private static GoModReplace? ParseReplaceLine(string line)
{
// Format: old [version] => new [version]
line = StripComment(line);
var arrowIndex = line.IndexOf("=>", StringComparison.Ordinal);
if (arrowIndex < 0)
{
return null;
}
var leftPart = line[..arrowIndex].Trim();
var rightPart = line[(arrowIndex + 2)..].Trim();
var leftParts = leftPart.Split(' ', StringSplitOptions.RemoveEmptyEntries);
var rightParts = rightPart.Split(' ', StringSplitOptions.RemoveEmptyEntries);
if (leftParts.Length == 0 || rightParts.Length == 0)
{
return null;
}
var oldPath = leftParts[0];
var oldVersion = leftParts.Length > 1 ? leftParts[1] : null;
var newPath = rightParts[0];
var newVersion = rightParts.Length > 1 ? rightParts[1] : null;
return new GoModReplace(oldPath, oldVersion, newPath, newVersion);
}
private static GoModExclude? ParseExcludeLine(string line)
{
line = StripComment(line);
var parts = line.Split(' ', StringSplitOptions.RemoveEmptyEntries);
if (parts.Length < 2)
{
return null;
}
return new GoModExclude(parts[0], parts[1]);
}
private static string StripComment(string line)
{
var commentIndex = line.IndexOf("//", StringComparison.Ordinal);
return commentIndex >= 0 ? line[..commentIndex].Trim() : line.Trim();
}
private static string ExtractQuotedOrUnquoted(string value)
{
value = value.Trim();
// Remove quotes if present
if (value.Length >= 2 && value[0] == '"' && value[^1] == '"')
{
return value[1..^1];
}
// Remove backticks if present
if (value.Length >= 2 && value[0] == '`' && value[^1] == '`')
{
return value[1..^1];
}
// Strip any trailing comment
return StripComment(value);
}
}

199
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoPrivateModuleDetector.cs Normal file
View File

@@ -0,0 +1,199 @@
using System.Text.RegularExpressions;
namespace StellaOps.Scanner.Analyzers.Lang.Go.Internal;
/// <summary>
/// Detects private Go modules based on common patterns and heuristics.
/// Uses patterns similar to GOPRIVATE environment variable matching.
/// </summary>
internal static partial class GoPrivateModuleDetector
{
// Common private hosting patterns
private static readonly string[] PrivateHostPatterns =
[
// GitLab self-hosted (common pattern)
@"^gitlab\.[^/]+/",
// Gitea/Gogs self-hosted
@"^git\.[^/]+/",
@"^gitea\.[^/]+/",
@"^gogs\.[^/]+/",
// Bitbucket Server
@"^bitbucket\.[^/]+/",
@"^stash\.[^/]+/",
// Azure DevOps (not github.com, gitlab.com, etc.)
@"^dev\.azure\.com/",
@"^[^/]+\.visualstudio\.com/",
// AWS CodeCommit
@"^git-codecommit\.[^/]+\.amazonaws\.com/",
// Internal/corporate patterns
@"^internal\.[^/]+/",
@"^private\.[^/]+/",
@"^corp\.[^/]+/",
@"^code\.[^/]+/",
// IP addresses (likely internal)
@"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[:/]",
// Localhost
@"^localhost[:/]",
@"^127\.0\.0\.1[:/]",
];
// Known public hosting services
private static readonly string[] PublicHosts =
[
"github.com",
"gitlab.com",
"bitbucket.org",
"golang.org",
"google.golang.org",
"gopkg.in",
"go.uber.org",
"go.etcd.io",
"k8s.io",
"sigs.k8s.io",
"cloud.google.com",
"google.cloud.go",
];
private static readonly Regex[] CompiledPatterns;
static GoPrivateModuleDetector()
{
CompiledPatterns = PrivateHostPatterns
.Select(pattern => new Regex(pattern, RegexOptions.Compiled | RegexOptions.IgnoreCase))
.ToArray();
}
/// <summary>
/// Determines if a module path appears to be from a private source.
/// </summary>
public static bool IsLikelyPrivate(string modulePath)
{
if (string.IsNullOrWhiteSpace(modulePath))
{
return false;
}
// Check if it's a known public host first
foreach (var publicHost in PublicHosts)
{
if (modulePath.StartsWith(publicHost, StringComparison.OrdinalIgnoreCase))
{
return false;
}
}
// Check against private patterns
foreach (var pattern in CompiledPatterns)
{
if (pattern.IsMatch(modulePath))
{
return true;
}
}
// Check for internal TLDs
var host = ExtractHost(modulePath);
if (IsInternalTld(host))
{
return true;
}
return false;
}
/// <summary>
/// Gets the category of a module (public, private, local).
/// </summary>
public static string GetModuleCategory(string modulePath)
{
if (string.IsNullOrWhiteSpace(modulePath))
{
return "unknown";
}
// Local replacements start with . or /
if (modulePath.StartsWith('.') || modulePath.StartsWith('/') || modulePath.StartsWith('\\'))
{
return "local";
}
// Windows absolute paths
if (modulePath.Length >= 2 && char.IsLetter(modulePath[0]) && modulePath[1] == ':')
{
return "local";
}
if (IsLikelyPrivate(modulePath))
{
return "private";
}
return "public";
}
/// <summary>
/// Extracts the registry/host from a module path.
/// </summary>
public static string? GetRegistry(string modulePath)
{
if (string.IsNullOrWhiteSpace(modulePath))
{
return null;
}
// Local paths don't have a registry
if (modulePath.StartsWith('.') || modulePath.StartsWith('/') || modulePath.StartsWith('\\'))
{
return null;
}
var host = ExtractHost(modulePath);
if (string.IsNullOrEmpty(host))
{
return null;
}
// Standard Go proxy for public modules
if (!IsLikelyPrivate(modulePath))
{
return "proxy.golang.org";
}
// Private modules use direct access
return host;
}
private static string ExtractHost(string modulePath)
{
// Module path format: host/path
var slashIndex = modulePath.IndexOf('/');
return slashIndex > 0 ? modulePath[..slashIndex] : modulePath;
}
private static bool IsInternalTld(string host)
{
if (string.IsNullOrEmpty(host))
{
return false;
}
// Internal/non-public TLDs
string[] internalTlds = [".local", ".internal", ".corp", ".lan", ".intranet", ".private"];
foreach (var tld in internalTlds)
{
if (host.EndsWith(tld, StringComparison.OrdinalIgnoreCase))
{
return true;
}
}
// No TLD at all (single-word hostname)
if (!host.Contains('.'))
{
return true;
}
return false;
}
}

185
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoProjectDiscoverer.cs Normal file
View File

@@ -0,0 +1,185 @@
using System.Collections.Immutable;
namespace StellaOps.Scanner.Analyzers.Lang.Go.Internal;
/// <summary>
/// Discovers Go project roots by looking for go.mod, go.work, and vendor directories.
/// </summary>
internal static class GoProjectDiscoverer
{
/// <summary>
/// Discovered Go project information.
/// </summary>
public sealed record GoProject
{
public GoProject(
string rootPath,
string? goModPath,
string? goSumPath,
string? goWorkPath,
string? vendorModulesPath,
ImmutableArray<string> workspaceMembers)
{
RootPath = rootPath;
GoModPath = goModPath;
GoSumPath = goSumPath;
GoWorkPath = goWorkPath;
VendorModulesPath = vendorModulesPath;
WorkspaceMembers = workspaceMembers;
}
public string RootPath { get; }
public string? GoModPath { get; }
public string? GoSumPath { get; }
public string? GoWorkPath { get; }
public string? VendorModulesPath { get; }
public ImmutableArray<string> WorkspaceMembers { get; }
public bool HasGoMod => GoModPath is not null;
public bool HasGoSum => GoSumPath is not null;
public bool HasGoWork => GoWorkPath is not null;
public bool HasVendor => VendorModulesPath is not null;
public bool IsWorkspace => HasGoWork && WorkspaceMembers.Length > 0;
}
/// <summary>
/// Discovers all Go projects under the given root path.
/// </summary>
public static IReadOnlyList<GoProject> Discover(string rootPath, CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(rootPath);
if (!Directory.Exists(rootPath))
{
return Array.Empty<GoProject>();
}
var projects = new List<GoProject>();
var visitedRoots = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
// First, check for go.work (workspace) at root
var goWorkPath = Path.Combine(rootPath, "go.work");
if (File.Exists(goWorkPath))
{
var workspaceProject = DiscoverWorkspace(rootPath, goWorkPath, cancellationToken);
if (workspaceProject is not null)
{
projects.Add(workspaceProject);
visitedRoots.Add(rootPath);
// Mark all workspace members as visited
foreach (var member in workspaceProject.WorkspaceMembers)
{
var memberFullPath = Path.GetFullPath(Path.Combine(rootPath, member));
visitedRoots.Add(memberFullPath);
}
}
}
// Then scan for standalone go.mod files
try
{
var enumeration = new EnumerationOptions
{
RecurseSubdirectories = true,
IgnoreInaccessible = true,
MaxRecursionDepth = 10
};
foreach (var goModFile in Directory.EnumerateFiles(rootPath, "go.mod", enumeration))
{
cancellationToken.ThrowIfCancellationRequested();
var projectDir = Path.GetDirectoryName(goModFile);
if (string.IsNullOrEmpty(projectDir))
{
continue;
}
// Skip if already part of a workspace
var normalizedDir = Path.GetFullPath(projectDir);
if (visitedRoots.Contains(normalizedDir))
{
continue;
}
// Skip vendor directories
if (projectDir.Contains($"{Path.DirectorySeparatorChar}vendor{Path.DirectorySeparatorChar}", StringComparison.OrdinalIgnoreCase) ||
projectDir.EndsWith($"{Path.DirectorySeparatorChar}vendor", StringComparison.OrdinalIgnoreCase))
{
continue;
}
var project = DiscoverStandaloneProject(projectDir);
if (project is not null)
{
projects.Add(project);
visitedRoots.Add(normalizedDir);
}
}
}
catch (UnauthorizedAccessException)
{
// Skip inaccessible directories
}
return projects;
}
private static GoProject? DiscoverWorkspace(string rootPath, string goWorkPath, CancellationToken cancellationToken)
{
var workData = GoWorkParser.Parse(goWorkPath);
if (workData.IsEmpty)
{
return null;
}
var workspaceMembers = new List<string>();
foreach (var usePath in workData.UsePaths)
{
cancellationToken.ThrowIfCancellationRequested();
var memberPath = Path.Combine(rootPath, usePath);
var memberGoMod = Path.Combine(memberPath, "go.mod");
if (Directory.Exists(memberPath) && File.Exists(memberGoMod))
{
workspaceMembers.Add(usePath);
}
}
// The workspace itself may have a go.mod or not
var rootGoMod = Path.Combine(rootPath, "go.mod");
var rootGoSum = Path.Combine(rootPath, "go.sum");
var vendorModules = Path.Combine(rootPath, "vendor", "modules.txt");
return new GoProject(
rootPath,
File.Exists(rootGoMod) ? rootGoMod : null,
File.Exists(rootGoSum) ? rootGoSum : null,
goWorkPath,
File.Exists(vendorModules) ? vendorModules : null,
workspaceMembers.ToImmutableArray());
}
private static GoProject? DiscoverStandaloneProject(string projectDir)
{
var goModPath = Path.Combine(projectDir, "go.mod");
if (!File.Exists(goModPath))
{
return null;
}
var goSumPath = Path.Combine(projectDir, "go.sum");
var vendorModulesPath = Path.Combine(projectDir, "vendor", "modules.txt");
return new GoProject(
projectDir,
goModPath,
File.Exists(goSumPath) ? goSumPath : null,
null,
File.Exists(vendorModulesPath) ? vendorModulesPath : null,
ImmutableArray<string>.Empty);
}
}

129
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoSumParser.cs Normal file
View File

@@ -0,0 +1,129 @@
using System.Collections.Immutable;
namespace StellaOps.Scanner.Analyzers.Lang.Go.Internal;
/// <summary>
/// Parses go.sum files to extract module checksums.
/// Format: module version hash
/// Example: github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
/// </summary>
internal static class GoSumParser
{
/// <summary>
/// A single entry from go.sum.
/// </summary>
public sealed record GoSumEntry(
string Path,
string Version,
string Hash,
bool IsGoMod);
/// <summary>
/// Parsed go.sum data.
/// </summary>
public sealed record GoSumData
{
public static readonly GoSumData Empty = new(ImmutableDictionary<string, GoSumEntry>.Empty);
public GoSumData(ImmutableDictionary<string, GoSumEntry> entries)
{
Entries = entries;
}
/// <summary>
/// Entries keyed by "path@version" for quick lookup.
/// </summary>
public ImmutableDictionary<string, GoSumEntry> Entries { get; }
public bool IsEmpty => Entries.Count == 0;
/// <summary>
/// Tries to find the checksum for a module.
/// </summary>
public string? GetHash(string path, string version)
{
var key = $"{path}@{version}";
return Entries.TryGetValue(key, out var entry) ? entry.Hash : null;
}
}
/// <summary>
/// Parses a go.sum file from the given path.
/// </summary>
public static GoSumData Parse(string goSumPath)
{
ArgumentException.ThrowIfNullOrWhiteSpace(goSumPath);
if (!File.Exists(goSumPath))
{
return GoSumData.Empty;
}
try
{
var content = File.ReadAllText(goSumPath);
return ParseContent(content);
}
catch (IOException)
{
return GoSumData.Empty;
}
catch (UnauthorizedAccessException)
{
return GoSumData.Empty;
}
}
/// <summary>
/// Parses go.sum content string.
/// </summary>
public static GoSumData ParseContent(string content)
{
if (string.IsNullOrWhiteSpace(content))
{
return GoSumData.Empty;
}
var entries = new Dictionary<string, GoSumEntry>(StringComparer.Ordinal);
var lines = content.Split('\n');
foreach (var rawLine in lines)
{
var line = rawLine.Trim();
if (string.IsNullOrEmpty(line))
{
continue;
}
// Format: module version[/go.mod] hash
var parts = line.Split(' ', StringSplitOptions.RemoveEmptyEntries);
if (parts.Length < 3)
{
continue;
}
var path = parts[0];
var versionPart = parts[1];
var hash = parts[2];
// Check if this is a go.mod checksum (version ends with /go.mod)
var isGoMod = versionPart.EndsWith("/go.mod", StringComparison.Ordinal);
var version = isGoMod ? versionPart[..^"/go.mod".Length] : versionPart;
if (string.IsNullOrEmpty(path) || string.IsNullOrEmpty(version) || string.IsNullOrEmpty(hash))
{
continue;
}
// Prefer the module hash over the go.mod hash
var key = $"{path}@{version}";
if (!isGoMod || !entries.ContainsKey(key))
{
entries[key] = new GoSumEntry(path, version, hash, isGoMod);
}
}
return new GoSumData(entries.ToImmutableDictionary(StringComparer.Ordinal));
}
}

178
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoVendorParser.cs Normal file
View File

@@ -0,0 +1,178 @@
using System.Collections.Immutable;
namespace StellaOps.Scanner.Analyzers.Lang.Go.Internal;
/// <summary>
/// Parses vendor/modules.txt files to extract vendored dependencies.
/// Format:
/// # github.com/pkg/errors v0.9.1
/// ## explicit
/// github.com/pkg/errors
/// # golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a
/// ## explicit; go 1.17
/// golang.org/x/sys/unix
/// </summary>
internal static class GoVendorParser
{
/// <summary>
/// A vendored module entry.
/// </summary>
public sealed record GoVendorModule(
string Path,
string Version,
bool IsExplicit,
string? GoVersion,
ImmutableArray<string> Packages);
/// <summary>
/// Parsed vendor/modules.txt data.
/// </summary>
public sealed record GoVendorData
{
public static readonly GoVendorData Empty = new(ImmutableArray<GoVendorModule>.Empty);
public GoVendorData(ImmutableArray<GoVendorModule> modules)
{
Modules = modules;
}
public ImmutableArray<GoVendorModule> Modules { get; }
public bool IsEmpty => Modules.IsEmpty;
/// <summary>
/// Checks if a module path is vendored.
/// </summary>
public bool IsVendored(string path)
{
return Modules.Any(m => string.Equals(m.Path, path, StringComparison.Ordinal));
}
}
/// <summary>
/// Parses a vendor/modules.txt file from the given path.
/// </summary>
public static GoVendorData Parse(string modulesPath)
{
ArgumentException.ThrowIfNullOrWhiteSpace(modulesPath);
if (!File.Exists(modulesPath))
{
return GoVendorData.Empty;
}
try
{
var content = File.ReadAllText(modulesPath);
return ParseContent(content);
}
catch (IOException)
{
return GoVendorData.Empty;
}
catch (UnauthorizedAccessException)
{
return GoVendorData.Empty;
}
}
/// <summary>
/// Parses vendor/modules.txt content string.
/// </summary>
public static GoVendorData ParseContent(string content)
{
if (string.IsNullOrWhiteSpace(content))
{
return GoVendorData.Empty;
}
var modules = new List<GoVendorModule>();
var lines = content.Split('\n');
string? currentPath = null;
string? currentVersion = null;
var currentPackages = new List<string>();
var isExplicit = false;
string? goVersion = null;
foreach (var rawLine in lines)
{
var line = rawLine.Trim();
if (string.IsNullOrEmpty(line))
{
continue;
}
// Module header: # module/path version
if (line.StartsWith("# ", StringComparison.Ordinal) && !line.StartsWith("## ", StringComparison.Ordinal))
{
// Save previous module if any
if (!string.IsNullOrEmpty(currentPath) && !string.IsNullOrEmpty(currentVersion))
{
modules.Add(new GoVendorModule(
currentPath,
currentVersion,
isExplicit,
goVersion,
currentPackages.ToImmutableArray()));
}
// Parse new module header
var parts = line[2..].Split(' ', StringSplitOptions.RemoveEmptyEntries);
if (parts.Length >= 2)
{
currentPath = parts[0];
currentVersion = parts[1];
currentPackages.Clear();
isExplicit = false;
goVersion = null;
}
else
{
currentPath = null;
currentVersion = null;
}
continue;
}
// Metadata line: ## explicit or ## explicit; go 1.17
if (line.StartsWith("## ", StringComparison.Ordinal))
{
var metadata = line[3..];
isExplicit = metadata.Contains("explicit", StringComparison.OrdinalIgnoreCase);
// Extract go version if present
var goIndex = metadata.IndexOf("go ", StringComparison.Ordinal);
if (goIndex >= 0)
{
var goVersionPart = metadata[(goIndex + 3)..].Trim();
var semicolonIndex = goVersionPart.IndexOf(';');
goVersion = semicolonIndex >= 0 ? goVersionPart[..semicolonIndex].Trim() : goVersionPart;
}
continue;
}
// Package path (not starting with #)
if (!line.StartsWith('#') && !string.IsNullOrEmpty(currentPath))
{
currentPackages.Add(line);
}
}
// Save last module
if (!string.IsNullOrEmpty(currentPath) && !string.IsNullOrEmpty(currentVersion))
{
modules.Add(new GoVendorModule(
currentPath,
currentVersion,
isExplicit,
goVersion,
currentPackages.ToImmutableArray()));
}
return new GoVendorData(modules.ToImmutableArray());
}
}

239
src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/Internal/GoWorkParser.cs Normal file
View File

@@ -0,0 +1,239 @@
using System.Collections.Immutable;
namespace StellaOps.Scanner.Analyzers.Lang.Go.Internal;
/// <summary>
/// Parses go.work files for Go workspace support (Go 1.18+).
/// Format:
/// go 1.21
/// use (
/// ./app
/// ./lib
/// )
/// replace example.com/old => example.com/new v1.0.0
/// </summary>
internal static class GoWorkParser
{
/// <summary>
/// Parsed go.work file data.
/// </summary>
public sealed record GoWorkData
{
public static readonly GoWorkData Empty = new(
null,
ImmutableArray<string>.Empty,
ImmutableArray<GoModParser.GoModReplace>.Empty);
public GoWorkData(
string? goVersion,
ImmutableArray<string> usePaths,
ImmutableArray<GoModParser.GoModReplace> replaces)
{
GoVersion = goVersion;
UsePaths = usePaths;
Replaces = replaces;
}
/// <summary>
/// Go version from the go directive.
/// </summary>
public string? GoVersion { get; }
/// <summary>
/// Relative paths to workspace member modules (from use directives).
/// </summary>
public ImmutableArray<string> UsePaths { get; }
/// <summary>
/// Replace directives that apply to all workspace modules.
/// </summary>
public ImmutableArray<GoModParser.GoModReplace> Replaces { get; }
public bool IsEmpty => UsePaths.IsEmpty;
}
/// <summary>
/// Parses a go.work file from the given path.
/// </summary>
public static GoWorkData Parse(string goWorkPath)
{
ArgumentException.ThrowIfNullOrWhiteSpace(goWorkPath);
if (!File.Exists(goWorkPath))
{
return GoWorkData.Empty;
}
try
{
var content = File.ReadAllText(goWorkPath);
return ParseContent(content);
}
catch (IOException)
{
return GoWorkData.Empty;
}
catch (UnauthorizedAccessException)
{
return GoWorkData.Empty;
}
}
/// <summary>
/// Parses go.work content string.
/// </summary>
public static GoWorkData ParseContent(string content)
{
if (string.IsNullOrWhiteSpace(content))
{
return GoWorkData.Empty;
}
string? goVersion = null;
var usePaths = new List<string>();
var replaces = new List<GoModParser.GoModReplace>();
var lines = content.Split('\n');
var inUseBlock = false;
var inReplaceBlock = false;
foreach (var rawLine in lines)
{
var line = rawLine.Trim();
// Skip empty lines and comments
if (string.IsNullOrEmpty(line) || line.StartsWith("//"))
{
continue;
}
// Handle block endings
if (line == ")")
{
inUseBlock = false;
inReplaceBlock = false;
continue;
}
// Handle block starts
if (line == "use (")
{
inUseBlock = true;
continue;
}
if (line == "replace (")
{
inReplaceBlock = true;
continue;
}
// Parse go directive
if (line.StartsWith("go ", StringComparison.Ordinal))
{
goVersion = line["go ".Length..].Trim();
continue;
}
// Parse single-line use
if (line.StartsWith("use ", StringComparison.Ordinal) && !line.Contains('('))
{
var path = ExtractPath(line["use ".Length..]);
if (!string.IsNullOrEmpty(path))
{
usePaths.Add(path);
}
continue;
}
// Parse single-line replace
if (line.StartsWith("replace ", StringComparison.Ordinal) && !line.Contains('('))
{
var rep = ParseReplaceLine(line["replace ".Length..]);
if (rep is not null)
{
replaces.Add(rep);
}
continue;
}
// Handle block contents
if (inUseBlock)
{
var path = ExtractPath(line);
if (!string.IsNullOrEmpty(path))
{
usePaths.Add(path);
}
}
else if (inReplaceBlock)
{
var rep = ParseReplaceLine(line);
if (rep is not null)
{
replaces.Add(rep);
}
}
}
return new GoWorkData(
goVersion,
usePaths.ToImmutableArray(),
replaces.ToImmutableArray());
}
private static string ExtractPath(string value)
{
value = StripComment(value).Trim();
// Remove quotes if present
if (value.Length >= 2 && value[0] == '"' && value[^1] == '"')
{
return value[1..^1];
}
if (value.Length >= 2 && value[0] == '`' && value[^1] == '`')
{
return value[1..^1];
}
return value;
}
private static GoModParser.GoModReplace? ParseReplaceLine(string line)
{
line = StripComment(line);
var arrowIndex = line.IndexOf("=>", StringComparison.Ordinal);
if (arrowIndex < 0)
{
return null;
}
var leftPart = line[..arrowIndex].Trim();
var rightPart = line[(arrowIndex + 2)..].Trim();
var leftParts = leftPart.Split(' ', StringSplitOptions.RemoveEmptyEntries);
var rightParts = rightPart.Split(' ', StringSplitOptions.RemoveEmptyEntries);
if (leftParts.Length == 0 || rightParts.Length == 0)
{
return null;
}
var oldPath = leftParts[0];
var oldVersion = leftParts.Length > 1 ? leftParts[1] : null;
var newPath = rightParts[0];
var newVersion = rightParts.Length > 1 ? rightParts[1] : null;
return new GoModParser.GoModReplace(oldPath, oldVersion, newPath, newVersion);
}
private static string StripComment(string line)
{
var commentIndex = line.IndexOf("//", StringComparison.Ordinal);
return commentIndex >= 0 ? line[..commentIndex].Trim() : line.Trim();
}
}

145
src/Scanner/__Libraries/StellaOps.Scanner.Surface/Discovery/ISurfaceEntryCollector.cs Normal file
View File

@@ -0,0 +1,145 @@
using StellaOps.Scanner.Surface.Models;
namespace StellaOps.Scanner.Surface.Discovery;
/// <summary>
/// Interface for collecting surface entries from specific sources.
/// Collectors are language/framework-specific implementations that
/// discover attack surface entry points.
/// </summary>
public interface ISurfaceEntryCollector
{
/// <summary>
/// Unique identifier for this collector.
/// </summary>
string CollectorId { get; }
/// <summary>
/// Display name for this collector.
/// </summary>
string Name { get; }
/// <summary>
/// Languages supported by this collector.
/// </summary>
IReadOnlyList<string> SupportedLanguages { get; }
/// <summary>
/// Surface types this collector can detect.
/// </summary>
IReadOnlyList<SurfaceType> DetectableTypes { get; }
/// <summary>
/// Priority for collector ordering (higher = run first).
/// </summary>
int Priority { get; }
/// <summary>
/// Determines if this collector can analyze the given context.
/// </summary>
bool CanCollect(SurfaceCollectionContext context);
/// <summary>
/// Collects surface entries from the given context.
/// </summary>
IAsyncEnumerable<SurfaceEntry> CollectAsync(
SurfaceCollectionContext context,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Context for surface entry collection.
/// </summary>
public sealed record SurfaceCollectionContext
{
/// <summary>
/// Scan identifier.
/// </summary>
public required string ScanId { get; init; }
/// <summary>
/// Root directory being scanned.
/// </summary>
public required string RootPath { get; init; }
/// <summary>
/// Files to analyze (relative paths).
/// </summary>
public required IReadOnlyList<string> Files { get; init; }
/// <summary>
/// Detected languages in the codebase.
/// </summary>
public IReadOnlyList<string>? DetectedLanguages { get; init; }
/// <summary>
/// Detected frameworks.
/// </summary>
public IReadOnlyList<string>? DetectedFrameworks { get; init; }
/// <summary>
/// Analysis options.
/// </summary>
public SurfaceAnalysisOptions? Options { get; init; }
/// <summary>
/// Additional context data.
/// </summary>
public IReadOnlyDictionary<string, object>? Data { get; init; }
}
/// <summary>
/// Options for surface analysis.
/// </summary>
public sealed record SurfaceAnalysisOptions
{
/// <summary>
/// Whether surface analysis is enabled.
/// </summary>
public bool Enabled { get; init; } = true;
/// <summary>
/// Call graph depth for analysis.
/// </summary>
public int Depth { get; init; } = 3;
/// <summary>
/// Minimum confidence threshold for reporting.
/// </summary>
public double ConfidenceThreshold { get; init; } = 0.7;
/// <summary>
/// Surface types to include (null = all).
/// </summary>
public IReadOnlyList<SurfaceType>? IncludeTypes { get; init; }
/// <summary>
/// Surface types to exclude.
/// </summary>
public IReadOnlyList<SurfaceType>? ExcludeTypes { get; init; }
/// <summary>
/// Maximum entries to collect.
/// </summary>
public int? MaxEntries { get; init; }
/// <summary>
/// File patterns to include.
/// </summary>
public IReadOnlyList<string>? IncludePatterns { get; init; }
/// <summary>
/// File patterns to exclude.
/// </summary>
public IReadOnlyList<string>? ExcludePatterns { get; init; }
/// <summary>
/// Collectors to use (null = all registered).
/// </summary>
public IReadOnlyList<string>? Collectors { get; init; }
/// <summary>
/// Default analysis options.
/// </summary>
public static SurfaceAnalysisOptions Default => new();
}

187
src/Scanner/__Libraries/StellaOps.Scanner.Surface/Discovery/SurfaceEntryRegistry.cs Normal file
View File

@@ -0,0 +1,187 @@
using System.Runtime.CompilerServices;
using Microsoft.Extensions.Logging;
using StellaOps.Scanner.Surface.Models;
namespace StellaOps.Scanner.Surface.Discovery;
/// <summary>
/// Registry for surface entry collectors.
/// Manages collector registration and orchestrates collection.
/// </summary>
public interface ISurfaceEntryRegistry
{
/// <summary>
/// Registers a collector.
/// </summary>
void Register(ISurfaceEntryCollector collector);
/// <summary>
/// Gets all registered collectors.
/// </summary>
IReadOnlyList<ISurfaceEntryCollector> GetCollectors();
/// <summary>
/// Gets collectors that can analyze the given context.
/// </summary>
IReadOnlyList<ISurfaceEntryCollector> GetApplicableCollectors(SurfaceCollectionContext context);
/// <summary>
/// Collects entries using all applicable collectors.
/// </summary>
IAsyncEnumerable<SurfaceEntry> CollectAllAsync(
SurfaceCollectionContext context,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Default implementation of surface entry registry.
/// </summary>
public sealed class SurfaceEntryRegistry : ISurfaceEntryRegistry
{
private readonly List<ISurfaceEntryCollector> _collectors = [];
private readonly ILogger<SurfaceEntryRegistry> _logger;
private readonly object _lock = new();
public SurfaceEntryRegistry(ILogger<SurfaceEntryRegistry> logger)
{
_logger = logger;
}
public void Register(ISurfaceEntryCollector collector)
{
ArgumentNullException.ThrowIfNull(collector);
lock (_lock)
{
// Check for duplicate
if (_collectors.Any(c => c.CollectorId == collector.CollectorId))
{
_logger.LogWarning(
"Collector {CollectorId} already registered, skipping duplicate",
collector.CollectorId);
return;
}
_collectors.Add(collector);
_logger.LogDebug(
"Registered surface collector {CollectorId} ({Name}) for languages: {Languages}",
collector.CollectorId,
collector.Name,
string.Join(", ", collector.SupportedLanguages));
}
}
public IReadOnlyList<ISurfaceEntryCollector> GetCollectors()
{
lock (_lock)
{
return _collectors
.OrderByDescending(c => c.Priority)
.ToList();
}
}
public IReadOnlyList<ISurfaceEntryCollector> GetApplicableCollectors(SurfaceCollectionContext context)
{
ArgumentNullException.ThrowIfNull(context);
lock (_lock)
{
var applicable = _collectors
.Where(c => c.CanCollect(context))
.OrderByDescending(c => c.Priority)
.ToList();
// Filter by options if specified
if (context.Options?.Collectors is { Count: > 0 } allowedCollectors)
{
applicable = applicable
.Where(c => allowedCollectors.Contains(c.CollectorId))
.ToList();
}
return applicable;
}
}
public async IAsyncEnumerable<SurfaceEntry> CollectAllAsync(
SurfaceCollectionContext context,
[EnumeratorCancellation] CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(context);
var collectors = GetApplicableCollectors(context);
if (collectors.Count == 0)
{
_logger.LogDebug("No applicable collectors for scan {ScanId}", context.ScanId);
yield break;
}
_logger.LogDebug(
"Running {CollectorCount} collectors for scan {ScanId}",
collectors.Count,
context.ScanId);
var seenIds = new HashSet<string>();
var entryCount = 0;
var maxEntries = context.Options?.MaxEntries;
foreach (var collector in collectors)
{
if (cancellationToken.IsCancellationRequested)
break;
if (maxEntries.HasValue && entryCount >= maxEntries.Value)
{
_logger.LogDebug(
"Reached max entries limit ({MaxEntries}) for scan {ScanId}",
maxEntries.Value,
context.ScanId);
break;
}
_logger.LogDebug(
"Running collector {CollectorId} for scan {ScanId}",
collector.CollectorId,
context.ScanId);
await foreach (var entry in collector.CollectAsync(context, cancellationToken))
{
if (cancellationToken.IsCancellationRequested)
break;
// Apply confidence threshold
if (context.Options?.ConfidenceThreshold is double threshold)
{
var confidenceValue = (int)entry.Confidence / 4.0;
if (confidenceValue < threshold)
continue;
}
// Apply type filters
if (context.Options?.ExcludeTypes?.Contains(entry.Type) == true)
continue;
if (context.Options?.IncludeTypes is { Count: > 0 } includeTypes &&
!includeTypes.Contains(entry.Type))
continue;
// Deduplicate by ID
if (!seenIds.Add(entry.Id))
continue;
entryCount++;
yield return entry;
if (maxEntries.HasValue && entryCount >= maxEntries.Value)
break;
}
}
_logger.LogDebug(
"Collected {EntryCount} surface entries for scan {ScanId}",
entryCount,
context.ScanId);
}
}

115
src/Scanner/__Libraries/StellaOps.Scanner.Surface/Models/EntryPoint.cs Normal file
View File

@@ -0,0 +1,115 @@
namespace StellaOps.Scanner.Surface.Models;
/// <summary>
/// Represents a discovered entry point in application code.
/// Entry points are language/framework-specific handlers that
/// receive external input (HTTP routes, RPC handlers, etc.).
/// </summary>
public sealed record EntryPoint
{
/// <summary>
/// Unique identifier for this entry point.
/// </summary>
public required string Id { get; init; }
/// <summary>
/// Programming language.
/// </summary>
public required string Language { get; init; }
/// <summary>
/// Web framework or runtime (e.g., "ASP.NET Core", "Express", "FastAPI").
/// </summary>
public required string Framework { get; init; }
/// <summary>
/// URL path or route pattern.
/// </summary>
public required string Path { get; init; }
/// <summary>
/// HTTP method (GET, POST, etc.) or RPC method type.
/// </summary>
public required string Method { get; init; }
/// <summary>
/// Handler function/method name.
/// </summary>
public required string Handler { get; init; }
/// <summary>
/// Source file containing the handler.
/// </summary>
public required string File { get; init; }
/// <summary>
/// Line number of the handler definition.
/// </summary>
public required int Line { get; init; }
/// <summary>
/// Handler parameters/arguments.
/// </summary>
public IReadOnlyList<string> Parameters { get; init; } = [];
/// <summary>
/// Middleware chain applied to this endpoint.
/// </summary>
public IReadOnlyList<string> Middlewares { get; init; } = [];
/// <summary>
/// Whether authentication is required.
/// </summary>
public bool? RequiresAuth { get; init; }
/// <summary>
/// Authorization policies applied.
/// </summary>
public IReadOnlyList<string>? AuthorizationPolicies { get; init; }
/// <summary>
/// Content types accepted.
/// </summary>
public IReadOnlyList<string>? AcceptsContentTypes { get; init; }
/// <summary>
/// Content types produced.
/// </summary>
public IReadOnlyList<string>? ProducesContentTypes { get; init; }
}
/// <summary>
/// Result of entry point discovery for a scan.
/// </summary>
public sealed record EntryPointDiscoveryResult
{
/// <summary>
/// Scan identifier.
/// </summary>
public required string ScanId { get; init; }
/// <summary>
/// When discovery was performed.
/// </summary>
public required DateTimeOffset DiscoveredAt { get; init; }
/// <summary>
/// Discovered entry points.
/// </summary>
public required IReadOnlyList<EntryPoint> EntryPoints { get; init; }
/// <summary>
/// Frameworks detected.
/// </summary>
public required IReadOnlyList<string> DetectedFrameworks { get; init; }
/// <summary>
/// Total entry points by method.
/// </summary>
public required IReadOnlyDictionary<string, int> ByMethod { get; init; }
/// <summary>
/// Warnings or issues during discovery.
/// </summary>
public IReadOnlyList<string>? Warnings { get; init; }
}

171
src/Scanner/__Libraries/StellaOps.Scanner.Surface/Models/SurfaceAnalysisResult.cs Normal file
View File

@@ -0,0 +1,171 @@
using StellaOps.Scanner.Surface.Discovery;
namespace StellaOps.Scanner.Surface.Models;
/// <summary>
/// Complete result of surface analysis for a scan.
/// </summary>
public sealed record SurfaceAnalysisResult
{
/// <summary>
/// Scan identifier.
/// </summary>
public required string ScanId { get; init; }
/// <summary>
/// When analysis was performed.
/// </summary>
public required DateTimeOffset Timestamp { get; init; }
/// <summary>
/// Analysis summary statistics.
/// </summary>
public required SurfaceAnalysisSummary Summary { get; init; }
/// <summary>
/// Discovered surface entries.
/// </summary>
public required IReadOnlyList<SurfaceEntry> Entries { get; init; }
/// <summary>
/// Discovered entry points.
/// </summary>
public IReadOnlyList<EntryPoint>? EntryPoints { get; init; }
/// <summary>
/// Analysis metadata.
/// </summary>
public SurfaceAnalysisMetadata? Metadata { get; init; }
}
/// <summary>
/// Summary statistics for surface analysis.
/// </summary>
public sealed record SurfaceAnalysisSummary
{
/// <summary>
/// Total number of surface entries.
/// </summary>
public required int TotalEntries { get; init; }
/// <summary>
/// Entry counts by type.
/// </summary>
public required IReadOnlyDictionary<SurfaceType, int> ByType { get; init; }
/// <summary>
/// Entry counts by confidence level.
/// </summary>
public required IReadOnlyDictionary<ConfidenceLevel, int> ByConfidence { get; init; }
/// <summary>
/// Calculated risk score (0.0 - 1.0).
/// </summary>
public required double RiskScore { get; init; }
/// <summary>
/// High-risk entry count.
/// </summary>
public int HighRiskCount { get; init; }
/// <summary>
/// Total entry points discovered.
/// </summary>
public int? EntryPointCount { get; init; }
/// <summary>
/// Creates summary from entries.
/// </summary>
public static SurfaceAnalysisSummary FromEntries(IReadOnlyList<SurfaceEntry> entries)
{
var byType = entries
.GroupBy(e => e.Type)
.ToDictionary(g => g.Key, g => g.Count());
var byConfidence = entries
.GroupBy(e => e.Confidence)
.ToDictionary(g => g.Key, g => g.Count());
// Calculate risk score based on entry types and confidence
var riskScore = CalculateRiskScore(entries);
var highRiskCount = entries.Count(e =>
e.Type is SurfaceType.ProcessExecution or SurfaceType.CryptoOperation or SurfaceType.SecretAccess ||
e.Confidence == ConfidenceLevel.Verified);
return new SurfaceAnalysisSummary
{
TotalEntries = entries.Count,
ByType = byType,
ByConfidence = byConfidence,
RiskScore = riskScore,
HighRiskCount = highRiskCount
};
}
private static double CalculateRiskScore(IReadOnlyList<SurfaceEntry> entries)
{
if (entries.Count == 0) return 0.0;
var typeWeights = new Dictionary<SurfaceType, double>
{
[SurfaceType.ProcessExecution] = 1.0,
[SurfaceType.SecretAccess] = 0.9,
[SurfaceType.CryptoOperation] = 0.8,
[SurfaceType.DatabaseOperation] = 0.7,
[SurfaceType.Deserialization] = 0.85,
[SurfaceType.DynamicCode] = 0.9,
[SurfaceType.AuthenticationPoint] = 0.6,
[SurfaceType.NetworkEndpoint] = 0.5,
[SurfaceType.InputHandling] = 0.5,
[SurfaceType.ExternalCall] = 0.4,
[SurfaceType.FileOperation] = 0.3
};
var confidenceMultipliers = new Dictionary<ConfidenceLevel, double>
{
[ConfidenceLevel.Low] = 0.5,
[ConfidenceLevel.Medium] = 0.75,
[ConfidenceLevel.High] = 1.0,
[ConfidenceLevel.Verified] = 1.0
};
var totalWeight = entries.Sum(e =>
typeWeights.GetValueOrDefault(e.Type, 0.3) *
confidenceMultipliers.GetValueOrDefault(e.Confidence, 0.5));
// Normalize to 0-1 range (cap at 100 weighted entries)
return Math.Min(1.0, totalWeight / 100.0);
}
}
/// <summary>
/// Metadata about the surface analysis execution.
/// </summary>
public sealed record SurfaceAnalysisMetadata
{
/// <summary>
/// Analysis duration in milliseconds.
/// </summary>
public double DurationMs { get; init; }
/// <summary>
/// Files analyzed count.
/// </summary>
public int FilesAnalyzed { get; init; }
/// <summary>
/// Languages detected.
/// </summary>
public IReadOnlyList<string>? Languages { get; init; }
/// <summary>
/// Frameworks detected.
/// </summary>
public IReadOnlyList<string>? Frameworks { get; init; }
/// <summary>
/// Analysis configuration used.
/// </summary>
public SurfaceAnalysisOptions? Options { get; init; }
}

126
src/Scanner/__Libraries/StellaOps.Scanner.Surface/Models/SurfaceEntry.cs Normal file
View File

@@ -0,0 +1,126 @@
using System.Security.Cryptography;
using System.Text;
namespace StellaOps.Scanner.Surface.Models;
/// <summary>
/// Represents a discovered attack surface entry point.
/// </summary>
public sealed record SurfaceEntry
{
/// <summary>
/// Unique identifier: SHA256(type|path|context).
/// </summary>
public required string Id { get; init; }
/// <summary>
/// Type classification of this surface entry.
/// </summary>
public required SurfaceType Type { get; init; }
/// <summary>
/// File path, URL endpoint, or resource identifier.
/// </summary>
public required string Path { get; init; }
/// <summary>
/// Function, method, or handler context.
/// </summary>
public required string Context { get; init; }
/// <summary>
/// Detection confidence level.
/// </summary>
public required ConfidenceLevel Confidence { get; init; }
/// <summary>
/// Tags for categorization and filtering.
/// </summary>
public IReadOnlyList<string> Tags { get; init; } = [];
/// <summary>
/// Evidence supporting this entry detection.
/// </summary>
public required SurfaceEvidence Evidence { get; init; }
/// <summary>
/// Additional metadata.
/// </summary>
public IReadOnlyDictionary<string, string>? Metadata { get; init; }
/// <summary>
/// Creates a deterministic ID from type, path, and context.
/// </summary>
public static string ComputeId(SurfaceType type, string path, string context)
{
var input = $"{type}|{path}|{context}";
var hash = SHA256.HashData(Encoding.UTF8.GetBytes(input));
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
/// <summary>
/// Creates a new SurfaceEntry with computed ID.
/// </summary>
public static SurfaceEntry Create(
SurfaceType type,
string path,
string context,
ConfidenceLevel confidence,
SurfaceEvidence evidence,
IEnumerable<string>? tags = null,
IReadOnlyDictionary<string, string>? metadata = null)
{
return new SurfaceEntry
{
Id = ComputeId(type, path, context),
Type = type,
Path = path,
Context = context,
Confidence = confidence,
Evidence = evidence,
Tags = tags?.ToList() ?? [],
Metadata = metadata
};
}
}
/// <summary>
/// Evidence supporting a surface entry detection.
/// </summary>
public sealed record SurfaceEvidence
{
/// <summary>
/// Source file path.
/// </summary>
public required string File { get; init; }
/// <summary>
/// Line number in the source file.
/// </summary>
public required int Line { get; init; }
/// <summary>
/// Column number if available.
/// </summary>
public int? Column { get; init; }
/// <summary>
/// Content hash of the source file.
/// </summary>
public string? FileHash { get; init; }
/// <summary>
/// Code snippet around the detection.
/// </summary>
public string? Snippet { get; init; }
/// <summary>
/// Detection method used.
/// </summary>
public string? DetectionMethod { get; init; }
/// <summary>
/// Additional evidence details.
/// </summary>
public IReadOnlyDictionary<string, string>? Details { get; init; }
}

58
src/Scanner/__Libraries/StellaOps.Scanner.Surface/Models/SurfaceType.cs Normal file
View File

@@ -0,0 +1,58 @@
namespace StellaOps.Scanner.Surface.Models;
/// <summary>
/// Classification of attack surface entry types.
/// </summary>
public enum SurfaceType
{
/// <summary>Network-exposed endpoints, listeners, ports.</summary>
NetworkEndpoint,
/// <summary>File system operations, path access.</summary>
FileOperation,
/// <summary>Process/command execution, subprocess spawns.</summary>
ProcessExecution,
/// <summary>Cryptographic operations, key handling.</summary>
CryptoOperation,
/// <summary>Authentication entry points, session handling.</summary>
AuthenticationPoint,
/// <summary>User input handling, injection points.</summary>
InputHandling,
/// <summary>Secret/credential access points.</summary>
SecretAccess,
/// <summary>External service calls, HTTP clients.</summary>
ExternalCall,
/// <summary>Database queries, ORM operations.</summary>
DatabaseOperation,
/// <summary>Deserialization points.</summary>
Deserialization,
/// <summary>Reflection/dynamic code execution.</summary>
DynamicCode
}
/// <summary>
/// Confidence level for surface entry detection.
/// </summary>
public enum ConfidenceLevel
{
/// <summary>Low confidence - heuristic or pattern match.</summary>
Low = 1,
/// <summary>Medium confidence - likely match.</summary>
Medium = 2,
/// <summary>High confidence - definite match.</summary>
High = 3,
/// <summary>Verified - confirmed through multiple signals.</summary>
Verified = 4
}

121
src/Scanner/__Libraries/StellaOps.Scanner.Surface/Output/ISurfaceAnalysisWriter.cs Normal file
View File

@@ -0,0 +1,121 @@
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.Extensions.Logging;
using StellaOps.Scanner.Surface.Models;
namespace StellaOps.Scanner.Surface.Output;
/// <summary>
/// Interface for writing surface analysis results.
/// </summary>
public interface ISurfaceAnalysisWriter
{
/// <summary>
/// Writes analysis result to the specified stream.
/// </summary>
Task WriteAsync(
SurfaceAnalysisResult result,
Stream outputStream,
CancellationToken cancellationToken = default);
/// <summary>
/// Serializes analysis result to JSON string.
/// </summary>
string Serialize(SurfaceAnalysisResult result);
}
/// <summary>
/// Store key for surface analysis results.
/// </summary>
public static class SurfaceAnalysisStoreKeys
{
/// <summary>
/// Key for storing surface analysis in scan artifacts.
/// </summary>
public const string SurfaceAnalysis = "scanner.surface.analysis";
/// <summary>
/// Key for storing surface entries.
/// </summary>
public const string SurfaceEntries = "scanner.surface.entries";
/// <summary>
/// Key for storing entry points.
/// </summary>
public const string EntryPoints = "scanner.surface.entrypoints";
}
/// <summary>
/// Default implementation of surface analysis writer.
/// Uses deterministic JSON serialization.
/// </summary>
public sealed class SurfaceAnalysisWriter : ISurfaceAnalysisWriter
{
private readonly ILogger<SurfaceAnalysisWriter> _logger;
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
WriteIndented = false,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
Converters = { new JsonStringEnumConverter(JsonNamingPolicy.CamelCase) }
};
private static readonly JsonSerializerOptions PrettyJsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
WriteIndented = true,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
Converters = { new JsonStringEnumConverter(JsonNamingPolicy.CamelCase) }
};
public SurfaceAnalysisWriter(ILogger<SurfaceAnalysisWriter> logger)
{
_logger = logger;
}
public async Task WriteAsync(
SurfaceAnalysisResult result,
Stream outputStream,
CancellationToken cancellationToken = default)
{
// Sort entries by ID for determinism
var sortedResult = SortResult(result);
await JsonSerializer.SerializeAsync(
outputStream,
sortedResult,
JsonOptions,
cancellationToken);
_logger.LogDebug(
"Wrote surface analysis for scan {ScanId} with {EntryCount} entries",
result.ScanId,
result.Entries.Count);
}
public string Serialize(SurfaceAnalysisResult result)
{
var sortedResult = SortResult(result);
return JsonSerializer.Serialize(sortedResult, PrettyJsonOptions);
}
private static SurfaceAnalysisResult SortResult(SurfaceAnalysisResult result)
{
// Sort entries by ID for deterministic output
var sortedEntries = result.Entries
.OrderBy(e => e.Id)
.ToList();
// Sort entry points by ID if present
var sortedEntryPoints = result.EntryPoints?
.OrderBy(ep => ep.Id)
.ToList();
return result with
{
Entries = sortedEntries,
EntryPoints = sortedEntryPoints
};
}
}

153
src/Scanner/__Libraries/StellaOps.Scanner.Surface/ServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,153 @@
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using StellaOps.Scanner.Surface.Discovery;
using StellaOps.Scanner.Surface.Output;
using StellaOps.Scanner.Surface.Signals;
namespace StellaOps.Scanner.Surface;
/// <summary>
/// Extension methods for registering surface analysis services.
/// </summary>
public static class ServiceCollectionExtensions
{
/// <summary>
/// Adds surface analysis services to the service collection.
/// </summary>
public static IServiceCollection AddSurfaceAnalysis(
this IServiceCollection services,
IConfiguration? configuration = null)
{
// Core services
services.TryAddSingleton<ISurfaceEntryRegistry, SurfaceEntryRegistry>();
services.TryAddSingleton<ISurfaceSignalEmitter, SurfaceSignalEmitter>();
services.TryAddSingleton<ISurfaceAnalysisWriter, SurfaceAnalysisWriter>();
services.TryAddSingleton<ISurfaceAnalyzer, SurfaceAnalyzer>();
// Configure options if configuration provided
if (configuration != null)
{
services.Configure<SurfaceAnalysisOptions>(
configuration.GetSection("Scanner:Surface"));
}
return services;
}
/// <summary>
/// Adds surface analysis services with a signal sink.
/// </summary>
public static IServiceCollection AddSurfaceAnalysis<TSignalSink>(
this IServiceCollection services,
IConfiguration? configuration = null)
where TSignalSink : class, ISurfaceSignalSink
{
services.AddSurfaceAnalysis(configuration);
services.TryAddSingleton<ISurfaceSignalSink, TSignalSink>();
return services;
}
/// <summary>
/// Adds surface analysis services with in-memory signal sink for testing.
/// </summary>
public static IServiceCollection AddSurfaceAnalysisForTesting(this IServiceCollection services)
{
services.AddSurfaceAnalysis();
services.TryAddSingleton<ISurfaceSignalSink, InMemorySurfaceSignalSink>();
return services;
}
/// <summary>
/// Registers a surface entry collector.
/// </summary>
public static IServiceCollection AddSurfaceCollector<TCollector>(this IServiceCollection services)
where TCollector : class, ISurfaceEntryCollector
{
services.AddSingleton<ISurfaceEntryCollector, TCollector>();
return services;
}
/// <summary>
/// Registers multiple surface entry collectors.
/// </summary>
public static IServiceCollection AddSurfaceCollectors(
this IServiceCollection services,
params Type[] collectorTypes)
{
foreach (var type in collectorTypes)
{
if (!typeof(ISurfaceEntryCollector).IsAssignableFrom(type))
{
throw new ArgumentException(
$"Type {type.Name} does not implement ISurfaceEntryCollector",
nameof(collectorTypes));
}
services.AddSingleton(typeof(ISurfaceEntryCollector), type);
}
return services;
}
}
/// <summary>
/// Builder for configuring surface analysis.
/// </summary>
public sealed class SurfaceAnalysisBuilder
{
private readonly IServiceCollection _services;
internal SurfaceAnalysisBuilder(IServiceCollection services)
{
_services = services;
}
/// <summary>
/// Registers a collector.
/// </summary>
public SurfaceAnalysisBuilder AddCollector<TCollector>()
where TCollector : class, ISurfaceEntryCollector
{
_services.AddSurfaceCollector<TCollector>();
return this;
}
/// <summary>
/// Configures a custom signal sink.
/// </summary>
public SurfaceAnalysisBuilder UseSignalSink<TSignalSink>()
where TSignalSink : class, ISurfaceSignalSink
{
_services.TryAddSingleton<ISurfaceSignalSink, TSignalSink>();
return this;
}
/// <summary>
/// Configures options.
/// </summary>
public SurfaceAnalysisBuilder Configure(Action<SurfaceAnalysisOptions> configure)
{
_services.Configure(configure);
return this;
}
}
/// <summary>
/// Extension for fluent builder pattern.
/// </summary>
public static class SurfaceAnalysisBuilderExtensions
{
/// <summary>
/// Adds surface analysis with fluent configuration.
/// </summary>
public static IServiceCollection AddSurfaceAnalysis(
this IServiceCollection services,
Action<SurfaceAnalysisBuilder> configure)
{
services.AddSurfaceAnalysis();
var builder = new SurfaceAnalysisBuilder(services);
configure(builder);
return services;
}
}

177
src/Scanner/__Libraries/StellaOps.Scanner.Surface/Signals/ISurfaceSignalEmitter.cs Normal file
View File

@@ -0,0 +1,177 @@
using Microsoft.Extensions.Logging;
using StellaOps.Scanner.Surface.Models;
namespace StellaOps.Scanner.Surface.Signals;
/// <summary>
/// Interface for emitting surface analysis signals for policy evaluation.
/// </summary>
public interface ISurfaceSignalEmitter
{
/// <summary>
/// Emits signals for the given analysis result.
/// </summary>
Task EmitAsync(
string scanId,
SurfaceAnalysisResult result,
CancellationToken cancellationToken = default);
/// <summary>
/// Emits custom signals.
/// </summary>
Task EmitAsync(
string scanId,
IDictionary<string, object> signals,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Default implementation of surface signal emitter.
/// Converts analysis results to policy signals.
/// </summary>
public sealed class SurfaceSignalEmitter : ISurfaceSignalEmitter
{
private readonly ILogger<SurfaceSignalEmitter> _logger;
private readonly ISurfaceSignalSink? _sink;
public SurfaceSignalEmitter(
ILogger<SurfaceSignalEmitter> logger,
ISurfaceSignalSink? sink = null)
{
_logger = logger;
_sink = sink;
}
public async Task EmitAsync(
string scanId,
SurfaceAnalysisResult result,
CancellationToken cancellationToken = default)
{
var signals = BuildSignals(result);
await EmitAsync(scanId, signals, cancellationToken);
}
public async Task EmitAsync(
string scanId,
IDictionary<string, object> signals,
CancellationToken cancellationToken = default)
{
_logger.LogDebug(
"Emitting {SignalCount} surface signals for scan {ScanId}",
signals.Count,
scanId);
if (_sink != null)
{
await _sink.WriteAsync(scanId, signals, cancellationToken);
}
else
{
_logger.LogDebug(
"No signal sink configured, signals for scan {ScanId}: {Signals}",
scanId,
string.Join(", ", signals.Select(kv => $"{kv.Key}={kv.Value}")));
}
}
private static Dictionary<string, object> BuildSignals(SurfaceAnalysisResult result)
{
var signals = new Dictionary<string, object>
{
[SurfaceSignalKeys.TotalSurfaceArea] = result.Summary.TotalEntries,
[SurfaceSignalKeys.RiskScore] = result.Summary.RiskScore,
[SurfaceSignalKeys.HighConfidenceCount] = result.Entries
.Count(e => e.Confidence >= ConfidenceLevel.High)
};
// Add counts by type
foreach (var (type, count) in result.Summary.ByType)
{
var key = type switch
{
SurfaceType.NetworkEndpoint => SurfaceSignalKeys.NetworkEndpoints,
SurfaceType.FileOperation => SurfaceSignalKeys.FileOperations,
SurfaceType.ProcessExecution => SurfaceSignalKeys.ProcessSpawns,
SurfaceType.CryptoOperation => SurfaceSignalKeys.CryptoUsage,
SurfaceType.AuthenticationPoint => SurfaceSignalKeys.AuthPoints,
SurfaceType.InputHandling => SurfaceSignalKeys.InputHandlers,
SurfaceType.SecretAccess => SurfaceSignalKeys.SecretAccess,
SurfaceType.ExternalCall => SurfaceSignalKeys.ExternalCalls,
SurfaceType.DatabaseOperation => SurfaceSignalKeys.DatabaseOperations,
SurfaceType.Deserialization => SurfaceSignalKeys.DeserializationPoints,
SurfaceType.DynamicCode => SurfaceSignalKeys.DynamicCodePoints,
_ => $"{SurfaceSignalKeys.Prefix}{type.ToString().ToLowerInvariant()}"
};
signals[key] = count;
}
// Add entry point count if available
if (result.EntryPoints is { Count: > 0 })
{
signals[SurfaceSignalKeys.EntryPointCount] = result.EntryPoints.Count;
}
// Add framework signals if metadata available
if (result.Metadata?.Frameworks is { Count: > 0 } frameworks)
{
foreach (var framework in frameworks)
{
var normalizedName = framework.ToLowerInvariant().Replace(" ", "_").Replace(".", "_");
signals[$"{SurfaceSignalKeys.FrameworkPrefix}{normalizedName}"] = true;
}
}
// Add language signals if metadata available
if (result.Metadata?.Languages is { Count: > 0 } languages)
{
foreach (var language in languages)
{
var normalizedName = language.ToLowerInvariant();
signals[$"{SurfaceSignalKeys.LanguagePrefix}{normalizedName}"] = true;
}
}
return signals;
}
}
/// <summary>
/// Sink for writing surface signals to storage.
/// </summary>
public interface ISurfaceSignalSink
{
/// <summary>
/// Writes signals to storage.
/// </summary>
Task WriteAsync(
string scanId,
IDictionary<string, object> signals,
CancellationToken cancellationToken = default);
}
/// <summary>
/// In-memory signal sink for testing.
/// </summary>
public sealed class InMemorySurfaceSignalSink : ISurfaceSignalSink
{
private readonly Dictionary<string, IDictionary<string, object>> _signals = new();
public IReadOnlyDictionary<string, IDictionary<string, object>> Signals => _signals;
public Task WriteAsync(
string scanId,
IDictionary<string, object> signals,
CancellationToken cancellationToken = default)
{
_signals[scanId] = new Dictionary<string, object>(signals);
return Task.CompletedTask;
}
public IDictionary<string, object>? GetSignals(string scanId)
{
return _signals.TryGetValue(scanId, out var signals) ? signals : null;
}
public void Clear() => _signals.Clear();
}

64
src/Scanner/__Libraries/StellaOps.Scanner.Surface/Signals/SurfaceSignalKeys.cs Normal file
View File

@@ -0,0 +1,64 @@
namespace StellaOps.Scanner.Surface.Signals;
/// <summary>
/// Standard signal keys for surface analysis policy integration.
/// </summary>
public static class SurfaceSignalKeys
{
/// <summary>Prefix for all surface signals.</summary>
public const string Prefix = "surface.";
/// <summary>Network endpoint count.</summary>
public const string NetworkEndpoints = "surface.network.endpoints";
/// <summary>Exposed port count.</summary>
public const string ExposedPorts = "surface.network.ports";
/// <summary>File operation count.</summary>
public const string FileOperations = "surface.file.operations";
/// <summary>Process spawn count.</summary>
public const string ProcessSpawns = "surface.process.spawns";
/// <summary>Crypto operation count.</summary>
public const string CryptoUsage = "surface.crypto.usage";
/// <summary>Authentication point count.</summary>
public const string AuthPoints = "surface.auth.points";
/// <summary>Input handler count.</summary>
public const string InputHandlers = "surface.input.handlers";
/// <summary>Secret access point count.</summary>
public const string SecretAccess = "surface.secrets.access";
/// <summary>External call count.</summary>
public const string ExternalCalls = "surface.external.calls";
/// <summary>Database operation count.</summary>
public const string DatabaseOperations = "surface.database.operations";
/// <summary>Deserialization point count.</summary>
public const string DeserializationPoints = "surface.deserialization.points";
/// <summary>Dynamic code execution count.</summary>
public const string DynamicCodePoints = "surface.dynamic.code";
/// <summary>Total surface area score.</summary>
public const string TotalSurfaceArea = "surface.total.area";
/// <summary>Overall risk score (0.0-1.0).</summary>
public const string RiskScore = "surface.risk.score";
/// <summary>High-confidence entry count.</summary>
public const string HighConfidenceCount = "surface.high_confidence.count";
/// <summary>Entry point count.</summary>
public const string EntryPointCount = "surface.entry_points.count";
/// <summary>Framework-specific prefix.</summary>
public const string FrameworkPrefix = "surface.framework.";
/// <summary>Language-specific prefix.</summary>
public const string LanguagePrefix = "surface.language.";
}

18
src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/StellaOps.Concelier.Storage.Mongo.csproj → src/Scanner/__Libraries/StellaOps.Scanner.Surface/StellaOps.Scanner.Surface.csproj
View File

@@ -2,22 +2,24 @@
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<EnableDefaultItems>false</EnableDefaultItems>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="AWSSDK.S3" Version="3.7.305.6" />
<PackageReference Include="MongoDB.Driver" Version="3.5.0" />
<PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.0" />
<Compile Include="**\*.cs" Exclude="obj\**;bin\**" />
<EmbeddedResource Include="**\*.json" Exclude="obj\**;bin\**" />
<None Include="**\*" Exclude="**\*.cs;**\*.json;bin\**;obj\**" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="10.0.0" />
<PackageReference Include="System.Text.Json" Version="10.0.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="../StellaOps.Concelier.RawModels/StellaOps.Concelier.RawModels.csproj" />
<ProjectReference Include="../StellaOps.Concelier.Models/StellaOps.Concelier.Models.csproj" />
<ProjectReference Include="..\StellaOps.Scanner.Surface.FS\StellaOps.Scanner.Surface.FS.csproj" />
<ProjectReference Include="..\StellaOps.Scanner.Surface.Env\StellaOps.Scanner.Surface.Env.csproj" />
</ItemGroup>
</Project>

101
src/Scanner/__Libraries/StellaOps.Scanner.Surface/SurfaceAnalyzer.cs Normal file
View File

@@ -0,0 +1,101 @@
using Microsoft.Extensions.Logging;
using StellaOps.Scanner.Surface.Discovery;
using StellaOps.Scanner.Surface.Models;
using StellaOps.Scanner.Surface.Output;
using StellaOps.Scanner.Surface.Signals;
namespace StellaOps.Scanner.Surface;
/// <summary>
/// Main interface for surface analysis operations.
/// </summary>
public interface ISurfaceAnalyzer
{
/// <summary>
/// Performs surface analysis on the given context.
/// </summary>
Task<SurfaceAnalysisResult> AnalyzeAsync(
SurfaceCollectionContext context,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Default implementation of surface analyzer.
/// Coordinates collectors, signal emission, and output writing.
/// </summary>
public sealed class SurfaceAnalyzer : ISurfaceAnalyzer
{
private readonly ISurfaceEntryRegistry _registry;
private readonly ISurfaceSignalEmitter _signalEmitter;
private readonly ISurfaceAnalysisWriter _writer;
private readonly ILogger<SurfaceAnalyzer> _logger;
public SurfaceAnalyzer(
ISurfaceEntryRegistry registry,
ISurfaceSignalEmitter signalEmitter,
ISurfaceAnalysisWriter writer,
ILogger<SurfaceAnalyzer> logger)
{
_registry = registry;
_signalEmitter = signalEmitter;
_writer = writer;
_logger = logger;
}
public async Task<SurfaceAnalysisResult> AnalyzeAsync(
SurfaceCollectionContext context,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(context);
var startTime = DateTimeOffset.UtcNow;
_logger.LogInformation(
"Starting surface analysis for scan {ScanId} with {FileCount} files",
context.ScanId,
context.Files.Count);
// Collect entries from all applicable collectors
var entries = new List<SurfaceEntry>();
await foreach (var entry in _registry.CollectAllAsync(context, cancellationToken))
{
entries.Add(entry);
}
_logger.LogDebug(
"Collected {EntryCount} surface entries for scan {ScanId}",
entries.Count,
context.ScanId);
// Build summary
var summary = SurfaceAnalysisSummary.FromEntries(entries);
// Create result
var result = new SurfaceAnalysisResult
{
ScanId = context.ScanId,
Timestamp = DateTimeOffset.UtcNow,
Summary = summary,
Entries = entries,
Metadata = new SurfaceAnalysisMetadata
{
DurationMs = (DateTimeOffset.UtcNow - startTime).TotalMilliseconds,
FilesAnalyzed = context.Files.Count,
Languages = context.DetectedLanguages,
Frameworks = context.DetectedFrameworks,
Options = context.Options
}
};
// Emit signals for policy evaluation
await _signalEmitter.EmitAsync(context.ScanId, result, cancellationToken);
_logger.LogInformation(
"Completed surface analysis for scan {ScanId}: {TotalEntries} entries, risk score {RiskScore:F2}",
context.ScanId,
result.Summary.TotalEntries,
result.Summary.RiskScore);
return result;
}
}

1
src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests/Fixtures/lang/bun/isolated/expected.json
View File

@@ -43,6 +43,7 @@
"type": "npm",
"usedByEntrypoint": false,
"metadata": {
"direct": "true",
"integrity": "sha512-CQpnWPrDwmP1\u002BSMHXvTXAoSEu2mCPgMU0VKt1WcA7D8VXCo4HfVNlUbD1k8Tg0BVDX/LhyRaZqKqiS4vI6tTHg==",
"packageManager": "bun",
"path": "node_modules/.bun/is-odd@3.0.1",

1
src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests/Fixtures/lang/bun/lockfile-only/expected.json
View File

@@ -8,6 +8,7 @@
"type": "npm",
"usedByEntrypoint": false,
"metadata": {
"direct": "true",
"integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
"packageManager": "bun",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",

1
src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests/Fixtures/lang/bun/standard/expected.json
View File

@@ -8,6 +8,7 @@
"type": "npm",
"usedByEntrypoint": false,
"metadata": {
"direct": "true",
"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vz1kAmtILi\u002B8fm9nJMg7b0GN8sMEJz2mxG/S7mNxhWQ7\u002BD9bF8Q==",
"packageManager": "bun",
"path": "node_modules/lodash",

1
src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests/Fixtures/lang/bun/symlinks/expected.json
View File

@@ -8,6 +8,7 @@
"type": "npm",
"usedByEntrypoint": false,
"metadata": {
"direct": "true",
"integrity": "sha512-abc123",
"packageManager": "bun",
"path": "node_modules/safe-pkg",

1
src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests/Fixtures/lang/bun/workspaces/expected.json
View File

@@ -8,6 +8,7 @@
"type": "npm",
"usedByEntrypoint": false,
"metadata": {
"direct": "true",
"integrity": "sha512-dLitG79d\u002BGV1Nb/VYcCDFivJeK1hiukt9QjRNVOsUtTy1rR1YJsmpGGTZ3qJos\u002Buw7WmWF4wUwBd9jxjocFC2w==",
"packageManager": "bun",
"path": "node_modules/chalk",

1
src/Scheduler/StellaOps.Scheduler.WebService/StellaOps.Scheduler.WebService.csproj
View File

@@ -7,7 +7,6 @@
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="../__Libraries/StellaOps.Scheduler.Models/StellaOps.Scheduler.Models.csproj" />
<ProjectReference Include="../__Libraries/StellaOps.Scheduler.Storage.Mongo/StellaOps.Scheduler.Storage.Mongo.csproj" />
<ProjectReference Include="../__Libraries/StellaOps.Scheduler.ImpactIndex/StellaOps.Scheduler.ImpactIndex.csproj" />
<ProjectReference Include="../__Libraries/StellaOps.Scheduler.Queue/StellaOps.Scheduler.Queue.csproj" />
<ProjectReference Include="../../__Libraries/StellaOps.Plugin/StellaOps.Plugin.csproj" />

1
src/Scheduler/Tools/Scheduler.Backfill/Scheduler.Backfill.csproj
View File

@@ -9,7 +9,6 @@
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="../../__Libraries/StellaOps.Scheduler.Storage.Mongo/StellaOps.Scheduler.Storage.Mongo.csproj" />
<ProjectReference Include="../../__Libraries/StellaOps.Scheduler.Storage.Postgres/StellaOps.Scheduler.Storage.Postgres.csproj" />
<ProjectReference Include="../../__Libraries/StellaOps.Scheduler.Models/StellaOps.Scheduler.Models.csproj" />
</ItemGroup>

196
src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Events/IPackRunTimelineEventSink.cs Normal file
View File

@@ -0,0 +1,196 @@
namespace StellaOps.TaskRunner.Core.Events;
/// <summary>
/// Sink for pack run timeline events (Kafka, NATS, file, etc.).
/// Per TASKRUN-OBS-52-001.
/// </summary>
public interface IPackRunTimelineEventSink
{
/// <summary>
/// Writes a timeline event to the sink.
/// </summary>
Task<PackRunTimelineSinkWriteResult> WriteAsync(
PackRunTimelineEvent evt,
CancellationToken cancellationToken = default);
/// <summary>
/// Writes multiple timeline events to the sink.
/// </summary>
Task<PackRunTimelineSinkBatchWriteResult> WriteBatchAsync(
IEnumerable<PackRunTimelineEvent> events,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Result of writing to pack run timeline sink.
/// </summary>
public sealed record PackRunTimelineSinkWriteResult(
/// <summary>Whether the event was written successfully.</summary>
bool Success,
/// <summary>Assigned sequence number if applicable.</summary>
long? Sequence,
/// <summary>Whether the event was deduplicated.</summary>
bool Deduplicated,
/// <summary>Error message if write failed.</summary>
string? Error);
/// <summary>
/// Result of batch writing to pack run timeline sink.
/// </summary>
public sealed record PackRunTimelineSinkBatchWriteResult(
/// <summary>Number of events written successfully.</summary>
int Written,
/// <summary>Number of events deduplicated.</summary>
int Deduplicated,
/// <summary>Number of events that failed.</summary>
int Failed);
/// <summary>
/// In-memory pack run timeline event sink for testing.
/// </summary>
public sealed class InMemoryPackRunTimelineEventSink : IPackRunTimelineEventSink
{
private readonly List<PackRunTimelineEvent> _events = new();
private readonly HashSet<Guid> _seenIds = new();
private readonly object _lock = new();
private long _sequence;
public Task<PackRunTimelineSinkWriteResult> WriteAsync(
PackRunTimelineEvent evt,
CancellationToken cancellationToken = default)
{
lock (_lock)
{
if (!_seenIds.Add(evt.EventId))
{
return Task.FromResult(new PackRunTimelineSinkWriteResult(
Success: true,
Sequence: null,
Deduplicated: true,
Error: null));
}
var seq = ++_sequence;
var eventWithSeq = evt.WithSequence(seq);
_events.Add(eventWithSeq);
return Task.FromResult(new PackRunTimelineSinkWriteResult(
Success: true,
Sequence: seq,
Deduplicated: false,
Error: null));
}
}
public Task<PackRunTimelineSinkBatchWriteResult> WriteBatchAsync(
IEnumerable<PackRunTimelineEvent> events,
CancellationToken cancellationToken = default)
{
var written = 0;
var deduplicated = 0;
lock (_lock)
{
foreach (var evt in events)
{
if (!_seenIds.Add(evt.EventId))
{
deduplicated++;
continue;
}
var seq = ++_sequence;
_events.Add(evt.WithSequence(seq));
written++;
}
}
return Task.FromResult(new PackRunTimelineSinkBatchWriteResult(written, deduplicated, 0));
}
/// <summary>Gets all events (for testing).</summary>
public IReadOnlyList<PackRunTimelineEvent> GetEvents()
{
lock (_lock) { return _events.ToList(); }
}
/// <summary>Gets events for a tenant (for testing).</summary>
public IReadOnlyList<PackRunTimelineEvent> GetEvents(string tenantId)
{
lock (_lock) { return _events.Where(e => e.TenantId == tenantId).ToList(); }
}
/// <summary>Gets events for a run (for testing).</summary>
public IReadOnlyList<PackRunTimelineEvent> GetEventsForRun(string runId)
{
lock (_lock) { return _events.Where(e => e.RunId == runId).ToList(); }
}
/// <summary>Gets events by type (for testing).</summary>
public IReadOnlyList<PackRunTimelineEvent> GetEventsByType(string eventType)
{
lock (_lock) { return _events.Where(e => e.EventType == eventType).ToList(); }
}
/// <summary>Gets step events for a run (for testing).</summary>
public IReadOnlyList<PackRunTimelineEvent> GetStepEvents(string runId, string stepId)
{
lock (_lock)
{
return _events
.Where(e => e.RunId == runId && e.StepId == stepId)
.ToList();
}
}
/// <summary>Clears all events (for testing).</summary>
public void Clear()
{
lock (_lock)
{
_events.Clear();
_seenIds.Clear();
_sequence = 0;
}
}
/// <summary>Gets the current event count.</summary>
public int Count
{
get { lock (_lock) { return _events.Count; } }
}
}
/// <summary>
/// Null sink that discards all events.
/// </summary>
public sealed class NullPackRunTimelineEventSink : IPackRunTimelineEventSink
{
public static NullPackRunTimelineEventSink Instance { get; } = new();
private NullPackRunTimelineEventSink() { }
public Task<PackRunTimelineSinkWriteResult> WriteAsync(
PackRunTimelineEvent evt,
CancellationToken cancellationToken = default)
{
return Task.FromResult(new PackRunTimelineSinkWriteResult(
Success: true,
Sequence: null,
Deduplicated: false,
Error: null));
}
public Task<PackRunTimelineSinkBatchWriteResult> WriteBatchAsync(
IEnumerable<PackRunTimelineEvent> events,
CancellationToken cancellationToken = default)
{
var count = events.Count();
return Task.FromResult(new PackRunTimelineSinkBatchWriteResult(count, 0, 0));
}
}

307
src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Events/PackRunTimelineEvent.cs Normal file
View File

@@ -0,0 +1,307 @@
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
namespace StellaOps.TaskRunner.Core.Events;
/// <summary>
/// Timeline event for pack run audit trail, observability, and evidence chain tracking.
/// Per TASKRUN-OBS-52-001 and timeline-event.schema.json.
/// </summary>
public sealed record PackRunTimelineEvent(
/// <summary>Monotonically increasing sequence number for ordering.</summary>
long? EventSeq,
/// <summary>Globally unique event identifier.</summary>
Guid EventId,
/// <summary>Tenant scope for multi-tenant isolation.</summary>
string TenantId,
/// <summary>Event type identifier following namespace convention.</summary>
string EventType,
/// <summary>Service or component that emitted this event.</summary>
string Source,
/// <summary>When the event actually occurred.</summary>
DateTimeOffset OccurredAt,
/// <summary>When the event was received by timeline indexer.</summary>
DateTimeOffset? ReceivedAt,
/// <summary>Correlation ID linking related events across services.</summary>
string? CorrelationId,
/// <summary>OpenTelemetry trace ID for distributed tracing.</summary>
string? TraceId,
/// <summary>OpenTelemetry span ID within the trace.</summary>
string? SpanId,
/// <summary>User, service account, or system that triggered the event.</summary>
string? Actor,
/// <summary>Event severity level.</summary>
PackRunEventSeverity Severity,
/// <summary>Key-value attributes for filtering and querying.</summary>
IReadOnlyDictionary<string, string>? Attributes,
/// <summary>SHA-256 hash of the raw payload for integrity.</summary>
string? PayloadHash,
/// <summary>Original event payload as JSON string.</summary>
string? RawPayloadJson,
/// <summary>Canonicalized JSON for deterministic hashing.</summary>
string? NormalizedPayloadJson,
/// <summary>Reference to associated evidence bundle or attestation.</summary>
PackRunEvidencePointer? EvidencePointer,
/// <summary>Run ID for this pack run.</summary>
string RunId,
/// <summary>Plan hash for the pack run.</summary>
string? PlanHash,
/// <summary>Step ID if this event is associated with a step.</summary>
string? StepId,
/// <summary>Project ID scope within tenant.</summary>
string? ProjectId)
{
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
WriteIndented = false
};
private static readonly JsonSerializerOptions CanonicalJsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
WriteIndented = false,
Encoder = System.Text.Encodings.Web.JavaScriptEncoder.UnsafeRelaxedJsonEscaping
};
/// <summary>
/// Creates a new timeline event with generated ID.
/// </summary>
public static PackRunTimelineEvent Create(
string tenantId,
string eventType,
string source,
DateTimeOffset occurredAt,
string runId,
string? planHash = null,
string? stepId = null,
string? actor = null,
PackRunEventSeverity severity = PackRunEventSeverity.Info,
IReadOnlyDictionary<string, string>? attributes = null,
string? correlationId = null,
string? traceId = null,
string? spanId = null,
string? projectId = null,
object? payload = null,
PackRunEvidencePointer? evidencePointer = null)
{
string? rawPayload = null;
string? normalizedPayload = null;
string? payloadHash = null;
if (payload is not null)
{
rawPayload = JsonSerializer.Serialize(payload, JsonOptions);
normalizedPayload = NormalizeJson(rawPayload);
payloadHash = ComputeHash(normalizedPayload);
}
return new PackRunTimelineEvent(
EventSeq: null,
EventId: Guid.NewGuid(),
TenantId: tenantId,
EventType: eventType,
Source: source,
OccurredAt: occurredAt,
ReceivedAt: null,
CorrelationId: correlationId,
TraceId: traceId,
SpanId: spanId,
Actor: actor,
Severity: severity,
Attributes: attributes,
PayloadHash: payloadHash,
RawPayloadJson: rawPayload,
NormalizedPayloadJson: normalizedPayload,
EvidencePointer: evidencePointer,
RunId: runId,
PlanHash: planHash,
StepId: stepId,
ProjectId: projectId);
}
/// <summary>
/// Serializes the event to JSON.
/// </summary>
public string ToJson() => JsonSerializer.Serialize(this, JsonOptions);
/// <summary>
/// Parses a timeline event from JSON.
/// </summary>
public static PackRunTimelineEvent? FromJson(string json)
=> JsonSerializer.Deserialize<PackRunTimelineEvent>(json, JsonOptions);
/// <summary>
/// Creates a copy with received timestamp set.
/// </summary>
public PackRunTimelineEvent WithReceivedAt(DateTimeOffset receivedAt)
=> this with { ReceivedAt = receivedAt };
/// <summary>
/// Creates a copy with sequence number set.
/// </summary>
public PackRunTimelineEvent WithSequence(long seq)
=> this with { EventSeq = seq };
/// <summary>
/// Generates an idempotency key for this event.
/// </summary>
public string GenerateIdempotencyKey()
=> $"timeline:pack:{TenantId}:{EventType}:{EventId}";
private static string NormalizeJson(string json)
{
using var doc = JsonDocument.Parse(json);
return JsonSerializer.Serialize(doc.RootElement, CanonicalJsonOptions);
}
private static string ComputeHash(string content)
{
var bytes = Encoding.UTF8.GetBytes(content);
var hash = SHA256.HashData(bytes);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
}
/// <summary>
/// Event severity level for pack run timeline events.
/// </summary>
public enum PackRunEventSeverity
{
Debug,
Info,
Warning,
Error,
Critical
}
/// <summary>
/// Reference to associated evidence bundle or attestation.
/// </summary>
public sealed record PackRunEvidencePointer(
/// <summary>Type of evidence being referenced.</summary>
PackRunEvidencePointerType Type,
/// <summary>Evidence bundle identifier.</summary>
Guid? BundleId,
/// <summary>Content digest of the evidence bundle.</summary>
string? BundleDigest,
/// <summary>Subject URI for the attestation.</summary>
string? AttestationSubject,
/// <summary>Digest of the attestation envelope.</summary>
string? AttestationDigest,
/// <summary>URI to the evidence manifest.</summary>
string? ManifestUri,
/// <summary>Path within evidence locker storage.</summary>
string? LockerPath)
{
/// <summary>
/// Creates a bundle evidence pointer.
/// </summary>
public static PackRunEvidencePointer Bundle(Guid bundleId, string? bundleDigest = null)
=> new(PackRunEvidencePointerType.Bundle, bundleId, bundleDigest, null, null, null, null);
/// <summary>
/// Creates an attestation evidence pointer.
/// </summary>
public static PackRunEvidencePointer Attestation(string subject, string? digest = null)
=> new(PackRunEvidencePointerType.Attestation, null, null, subject, digest, null, null);
/// <summary>
/// Creates a manifest evidence pointer.
/// </summary>
public static PackRunEvidencePointer Manifest(string uri, string? lockerPath = null)
=> new(PackRunEvidencePointerType.Manifest, null, null, null, null, uri, lockerPath);
/// <summary>
/// Creates an artifact evidence pointer.
/// </summary>
public static PackRunEvidencePointer Artifact(string lockerPath, string? digest = null)
=> new(PackRunEvidencePointerType.Artifact, null, digest, null, null, null, lockerPath);
}
/// <summary>
/// Type of evidence being referenced.
/// </summary>
public enum PackRunEvidencePointerType
{
Bundle,
Attestation,
Manifest,
Artifact
}
/// <summary>
/// Pack run timeline event types.
/// </summary>
public static class PackRunEventTypes
{
/// <summary>Prefix for all pack run events.</summary>
public const string Prefix = "pack.";
/// <summary>Pack run started.</summary>
public const string PackStarted = "pack.started";
/// <summary>Pack run completed successfully.</summary>
public const string PackCompleted = "pack.completed";
/// <summary>Pack run failed.</summary>
public const string PackFailed = "pack.failed";
/// <summary>Pack run paused (awaiting approvals/gates).</summary>
public const string PackPaused = "pack.paused";
/// <summary>Step started execution.</summary>
public const string StepStarted = "pack.step.started";
/// <summary>Step completed successfully.</summary>
public const string StepCompleted = "pack.step.completed";
/// <summary>Step failed.</summary>
public const string StepFailed = "pack.step.failed";
/// <summary>Step scheduled for retry.</summary>
public const string StepRetryScheduled = "pack.step.retry_scheduled";
/// <summary>Step skipped.</summary>
public const string StepSkipped = "pack.step.skipped";
/// <summary>Approval gate satisfied.</summary>
public const string ApprovalSatisfied = "pack.approval.satisfied";
/// <summary>Policy gate evaluated.</summary>
public const string PolicyEvaluated = "pack.policy.evaluated";
/// <summary>Checks if the event type is a pack run event.</summary>
public static bool IsPackRunEvent(string eventType) =>
eventType.StartsWith(Prefix, StringComparison.Ordinal);
}

603
src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Events/PackRunTimelineEventEmitter.cs Normal file
View File

@@ -0,0 +1,603 @@
using Microsoft.Extensions.Logging;
namespace StellaOps.TaskRunner.Core.Events;
/// <summary>
/// Service for emitting pack run timeline events with trace IDs, deduplication, and retries.
/// Per TASKRUN-OBS-52-001.
/// </summary>
public interface IPackRunTimelineEventEmitter
{
/// <summary>
/// Emits a timeline event.
/// </summary>
Task<PackRunTimelineEmitResult> EmitAsync(
PackRunTimelineEvent evt,
CancellationToken cancellationToken = default);
/// <summary>
/// Emits multiple timeline events in batch.
/// </summary>
Task<PackRunTimelineBatchEmitResult> EmitBatchAsync(
IEnumerable<PackRunTimelineEvent> events,
CancellationToken cancellationToken = default);
/// <summary>
/// Emits a pack.started event.
/// </summary>
Task<PackRunTimelineEmitResult> EmitPackStartedAsync(
string tenantId,
string runId,
string planHash,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
PackRunEvidencePointer? evidencePointer = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Emits a pack.completed event.
/// </summary>
Task<PackRunTimelineEmitResult> EmitPackCompletedAsync(
string tenantId,
string runId,
string planHash,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
PackRunEvidencePointer? evidencePointer = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Emits a pack.failed event.
/// </summary>
Task<PackRunTimelineEmitResult> EmitPackFailedAsync(
string tenantId,
string runId,
string planHash,
string? failureReason = null,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
PackRunEvidencePointer? evidencePointer = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Emits a pack.step.started event.
/// </summary>
Task<PackRunTimelineEmitResult> EmitStepStartedAsync(
string tenantId,
string runId,
string planHash,
string stepId,
int attempt,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Emits a pack.step.completed event.
/// </summary>
Task<PackRunTimelineEmitResult> EmitStepCompletedAsync(
string tenantId,
string runId,
string planHash,
string stepId,
int attempt,
double? durationMs = null,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
PackRunEvidencePointer? evidencePointer = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Emits a pack.step.failed event.
/// </summary>
Task<PackRunTimelineEmitResult> EmitStepFailedAsync(
string tenantId,
string runId,
string planHash,
string stepId,
int attempt,
string? error = null,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Result of timeline event emission.
/// </summary>
public sealed record PackRunTimelineEmitResult(
/// <summary>Whether the event was emitted successfully.</summary>
bool Success,
/// <summary>The emitted event (with sequence if assigned).</summary>
PackRunTimelineEvent Event,
/// <summary>Whether the event was deduplicated.</summary>
bool Deduplicated,
/// <summary>Error message if emission failed.</summary>
string? Error);
/// <summary>
/// Result of batch timeline event emission.
/// </summary>
public sealed record PackRunTimelineBatchEmitResult(
/// <summary>Number of events emitted successfully.</summary>
int Emitted,
/// <summary>Number of events deduplicated.</summary>
int Deduplicated,
/// <summary>Number of events that failed.</summary>
int Failed,
/// <summary>Errors encountered.</summary>
IReadOnlyList<string> Errors)
{
/// <summary>Total events processed.</summary>
public int Total => Emitted + Deduplicated + Failed;
/// <summary>Whether any events were emitted.</summary>
public bool HasEmitted => Emitted > 0;
/// <summary>Whether any errors occurred.</summary>
public bool HasErrors => Failed > 0 || Errors.Count > 0;
/// <summary>Creates an empty result.</summary>
public static PackRunTimelineBatchEmitResult Empty => new(0, 0, 0, []);
}
/// <summary>
/// Default implementation of pack run timeline event emitter.
/// </summary>
public sealed class PackRunTimelineEventEmitter : IPackRunTimelineEventEmitter
{
private const string Source = "taskrunner-worker";
private readonly IPackRunTimelineEventSink _sink;
private readonly TimeProvider _timeProvider;
private readonly ILogger<PackRunTimelineEventEmitter> _logger;
private readonly PackRunTimelineEmitterOptions _options;
public PackRunTimelineEventEmitter(
IPackRunTimelineEventSink sink,
TimeProvider timeProvider,
ILogger<PackRunTimelineEventEmitter> logger,
PackRunTimelineEmitterOptions? options = null)
{
_sink = sink ?? throw new ArgumentNullException(nameof(sink));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_options = options ?? PackRunTimelineEmitterOptions.Default;
}
public async Task<PackRunTimelineEmitResult> EmitAsync(
PackRunTimelineEvent evt,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(evt);
var eventWithReceived = evt.WithReceivedAt(_timeProvider.GetUtcNow());
try
{
var result = await EmitWithRetryAsync(eventWithReceived, cancellationToken);
return result;
}
catch (Exception ex)
{
_logger.LogError(ex,
"Failed to emit timeline event {EventId} type {EventType} for tenant {TenantId} run {RunId}",
evt.EventId, evt.EventType, evt.TenantId, evt.RunId);
return new PackRunTimelineEmitResult(
Success: false,
Event: eventWithReceived,
Deduplicated: false,
Error: ex.Message);
}
}
public async Task<PackRunTimelineBatchEmitResult> EmitBatchAsync(
IEnumerable<PackRunTimelineEvent> events,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(events);
var emitted = 0;
var deduplicated = 0;
var failed = 0;
var errors = new List<string>();
// Order by occurredAt then eventId for deterministic fan-out
var ordered = events
.OrderBy(e => e.OccurredAt)
.ThenBy(e => e.EventId)
.ToList();
foreach (var evt in ordered)
{
var result = await EmitAsync(evt, cancellationToken);
if (result.Success)
{
if (result.Deduplicated)
deduplicated++;
else
emitted++;
}
else
{
failed++;
if (result.Error is not null)
errors.Add($"{evt.EventId}: {result.Error}");
}
}
return new PackRunTimelineBatchEmitResult(emitted, deduplicated, failed, errors);
}
public Task<PackRunTimelineEmitResult> EmitPackStartedAsync(
string tenantId,
string runId,
string planHash,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
PackRunEvidencePointer? evidencePointer = null,
CancellationToken cancellationToken = default)
{
var attrs = MergeAttributes(attributes, new Dictionary<string, string>
{
["runId"] = runId,
["planHash"] = planHash
});
var evt = PackRunTimelineEvent.Create(
tenantId: tenantId,
eventType: PackRunEventTypes.PackStarted,
source: Source,
occurredAt: _timeProvider.GetUtcNow(),
runId: runId,
planHash: planHash,
actor: actor,
severity: PackRunEventSeverity.Info,
attributes: attrs,
correlationId: correlationId,
traceId: traceId,
projectId: projectId,
evidencePointer: evidencePointer);
return EmitAsync(evt, cancellationToken);
}
public Task<PackRunTimelineEmitResult> EmitPackCompletedAsync(
string tenantId,
string runId,
string planHash,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
PackRunEvidencePointer? evidencePointer = null,
CancellationToken cancellationToken = default)
{
var attrs = MergeAttributes(attributes, new Dictionary<string, string>
{
["runId"] = runId,
["planHash"] = planHash
});
var evt = PackRunTimelineEvent.Create(
tenantId: tenantId,
eventType: PackRunEventTypes.PackCompleted,
source: Source,
occurredAt: _timeProvider.GetUtcNow(),
runId: runId,
planHash: planHash,
actor: actor,
severity: PackRunEventSeverity.Info,
attributes: attrs,
correlationId: correlationId,
traceId: traceId,
projectId: projectId,
evidencePointer: evidencePointer);
return EmitAsync(evt, cancellationToken);
}
public Task<PackRunTimelineEmitResult> EmitPackFailedAsync(
string tenantId,
string runId,
string planHash,
string? failureReason = null,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
PackRunEvidencePointer? evidencePointer = null,
CancellationToken cancellationToken = default)
{
var attrDict = new Dictionary<string, string>
{
["runId"] = runId,
["planHash"] = planHash
};
if (!string.IsNullOrWhiteSpace(failureReason))
{
attrDict["failureReason"] = failureReason;
}
var attrs = MergeAttributes(attributes, attrDict);
var evt = PackRunTimelineEvent.Create(
tenantId: tenantId,
eventType: PackRunEventTypes.PackFailed,
source: Source,
occurredAt: _timeProvider.GetUtcNow(),
runId: runId,
planHash: planHash,
actor: actor,
severity: PackRunEventSeverity.Error,
attributes: attrs,
correlationId: correlationId,
traceId: traceId,
projectId: projectId,
payload: failureReason != null ? new { reason = failureReason } : null,
evidencePointer: evidencePointer);
return EmitAsync(evt, cancellationToken);
}
public Task<PackRunTimelineEmitResult> EmitStepStartedAsync(
string tenantId,
string runId,
string planHash,
string stepId,
int attempt,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
CancellationToken cancellationToken = default)
{
var attrs = MergeAttributes(attributes, new Dictionary<string, string>
{
["runId"] = runId,
["planHash"] = planHash,
["stepId"] = stepId,
["attempt"] = attempt.ToString()
});
var evt = PackRunTimelineEvent.Create(
tenantId: tenantId,
eventType: PackRunEventTypes.StepStarted,
source: Source,
occurredAt: _timeProvider.GetUtcNow(),
runId: runId,
planHash: planHash,
stepId: stepId,
actor: actor,
severity: PackRunEventSeverity.Info,
attributes: attrs,
correlationId: correlationId,
traceId: traceId,
projectId: projectId,
payload: new { stepId, attempt });
return EmitAsync(evt, cancellationToken);
}
public Task<PackRunTimelineEmitResult> EmitStepCompletedAsync(
string tenantId,
string runId,
string planHash,
string stepId,
int attempt,
double? durationMs = null,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
PackRunEvidencePointer? evidencePointer = null,
CancellationToken cancellationToken = default)
{
var attrDict = new Dictionary<string, string>
{
["runId"] = runId,
["planHash"] = planHash,
["stepId"] = stepId,
["attempt"] = attempt.ToString()
};
if (durationMs.HasValue)
{
attrDict["durationMs"] = durationMs.Value.ToString("F2");
}
var attrs = MergeAttributes(attributes, attrDict);
var evt = PackRunTimelineEvent.Create(
tenantId: tenantId,
eventType: PackRunEventTypes.StepCompleted,
source: Source,
occurredAt: _timeProvider.GetUtcNow(),
runId: runId,
planHash: planHash,
stepId: stepId,
actor: actor,
severity: PackRunEventSeverity.Info,
attributes: attrs,
correlationId: correlationId,
traceId: traceId,
projectId: projectId,
payload: new { stepId, attempt, durationMs },
evidencePointer: evidencePointer);
return EmitAsync(evt, cancellationToken);
}
public Task<PackRunTimelineEmitResult> EmitStepFailedAsync(
string tenantId,
string runId,
string planHash,
string stepId,
int attempt,
string? error = null,
string? actor = null,
string? correlationId = null,
string? traceId = null,
string? projectId = null,
IReadOnlyDictionary<string, string>? attributes = null,
CancellationToken cancellationToken = default)
{
var attrDict = new Dictionary<string, string>
{
["runId"] = runId,
["planHash"] = planHash,
["stepId"] = stepId,
["attempt"] = attempt.ToString()
};
if (!string.IsNullOrWhiteSpace(error))
{
attrDict["error"] = error;
}
var attrs = MergeAttributes(attributes, attrDict);
var evt = PackRunTimelineEvent.Create(
tenantId: tenantId,
eventType: PackRunEventTypes.StepFailed,
source: Source,
occurredAt: _timeProvider.GetUtcNow(),
runId: runId,
planHash: planHash,
stepId: stepId,
actor: actor,
severity: PackRunEventSeverity.Error,
attributes: attrs,
correlationId: correlationId,
traceId: traceId,
projectId: projectId,
payload: new { stepId, attempt, error });
return EmitAsync(evt, cancellationToken);
}
private async Task<PackRunTimelineEmitResult> EmitWithRetryAsync(
PackRunTimelineEvent evt,
CancellationToken cancellationToken)
{
var attempt = 0;
var delay = _options.RetryDelay;
while (true)
{
try
{
var sinkResult = await _sink.WriteAsync(evt, cancellationToken);
if (sinkResult.Deduplicated)
{
_logger.LogDebug(
"Timeline event {EventId} deduplicated",
evt.EventId);
return new PackRunTimelineEmitResult(
Success: true,
Event: evt,
Deduplicated: true,
Error: null);
}
_logger.LogInformation(
"Emitted timeline event {EventId} type {EventType} tenant {TenantId} run {RunId} seq {Seq}",
evt.EventId, evt.EventType, evt.TenantId, evt.RunId, sinkResult.Sequence);
return new PackRunTimelineEmitResult(
Success: true,
Event: sinkResult.Sequence.HasValue ? evt.WithSequence(sinkResult.Sequence.Value) : evt,
Deduplicated: false,
Error: null);
}
catch (Exception ex) when (attempt < _options.MaxRetries && IsTransient(ex))
{
attempt++;
_logger.LogWarning(ex,
"Transient failure emitting timeline event {EventId}, attempt {Attempt}/{MaxRetries}",
evt.EventId, attempt, _options.MaxRetries);
await Task.Delay(delay, cancellationToken);
delay = TimeSpan.FromMilliseconds(delay.TotalMilliseconds * 2);
}
}
}
private static IReadOnlyDictionary<string, string> MergeAttributes(
IReadOnlyDictionary<string, string>? existing,
Dictionary<string, string> additional)
{
if (existing is null || existing.Count == 0)
return additional;
var merged = new Dictionary<string, string>(existing);
foreach (var (key, value) in additional)
{
merged.TryAdd(key, value);
}
return merged;
}
private static bool IsTransient(Exception ex)
{
return ex is TimeoutException or
TaskCanceledException or
System.Net.Http.HttpRequestException or
System.IO.IOException;
}
}
/// <summary>
/// Options for pack run timeline event emitter.
/// </summary>
public sealed record PackRunTimelineEmitterOptions(
/// <summary>Maximum retry attempts for transient failures.</summary>
int MaxRetries,
/// <summary>Base delay between retries.</summary>
TimeSpan RetryDelay,
/// <summary>Whether to include evidence pointers.</summary>
bool IncludeEvidencePointers)
{
/// <summary>Default emitter options.</summary>
public static PackRunTimelineEmitterOptions Default => new(
MaxRetries: 3,
RetryDelay: TimeSpan.FromSeconds(1),
IncludeEvidencePointers: true);
}

502
src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunEvidenceSnapshotService.cs Normal file
View File

@@ -0,0 +1,502 @@
using Microsoft.Extensions.Logging;
using StellaOps.TaskRunner.Core.Events;
using StellaOps.TaskRunner.Core.Execution;
namespace StellaOps.TaskRunner.Core.Evidence;
/// <summary>
/// Service for capturing pack run evidence snapshots.
/// Per TASKRUN-OBS-53-001.
/// </summary>
public interface IPackRunEvidenceSnapshotService
{
/// <summary>
/// Captures a run completion snapshot with all materials.
/// </summary>
Task<PackRunEvidenceSnapshotResult> CaptureRunCompletionAsync(
string tenantId,
string runId,
string planHash,
PackRunState state,
IReadOnlyList<PackRunStepTranscript>? transcripts = null,
IReadOnlyList<PackRunApprovalEvidence>? approvals = null,
IReadOnlyList<PackRunPolicyEvidence>? policyEvaluations = null,
PackRunEnvironmentDigest? environmentDigest = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Captures a step execution snapshot.
/// </summary>
Task<PackRunEvidenceSnapshotResult> CaptureStepExecutionAsync(
string tenantId,
string runId,
string planHash,
PackRunStepTranscript transcript,
CancellationToken cancellationToken = default);
/// <summary>
/// Captures an approval decision snapshot.
/// </summary>
Task<PackRunEvidenceSnapshotResult> CaptureApprovalDecisionAsync(
string tenantId,
string runId,
string planHash,
PackRunApprovalEvidence approval,
CancellationToken cancellationToken = default);
/// <summary>
/// Captures a policy evaluation snapshot.
/// </summary>
Task<PackRunEvidenceSnapshotResult> CapturePolicyEvaluationAsync(
string tenantId,
string runId,
string planHash,
PackRunPolicyEvidence evaluation,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Result of evidence snapshot capture.
/// </summary>
public sealed record PackRunEvidenceSnapshotResult(
/// <summary>Whether capture was successful.</summary>
bool Success,
/// <summary>The captured snapshot.</summary>
PackRunEvidenceSnapshot? Snapshot,
/// <summary>Evidence pointer for timeline events.</summary>
PackRunEvidencePointer? EvidencePointer,
/// <summary>Error message if capture failed.</summary>
string? Error);
/// <summary>
/// Default implementation of evidence snapshot service.
/// </summary>
public sealed class PackRunEvidenceSnapshotService : IPackRunEvidenceSnapshotService
{
private readonly IPackRunEvidenceStore _store;
private readonly IPackRunRedactionGuard _redactionGuard;
private readonly IPackRunTimelineEventEmitter? _timelineEmitter;
private readonly ILogger<PackRunEvidenceSnapshotService> _logger;
private readonly PackRunEvidenceSnapshotOptions _options;
public PackRunEvidenceSnapshotService(
IPackRunEvidenceStore store,
IPackRunRedactionGuard redactionGuard,
ILogger<PackRunEvidenceSnapshotService> logger,
IPackRunTimelineEventEmitter? timelineEmitter = null,
PackRunEvidenceSnapshotOptions? options = null)
{
_store = store ?? throw new ArgumentNullException(nameof(store));
_redactionGuard = redactionGuard ?? throw new ArgumentNullException(nameof(redactionGuard));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_timelineEmitter = timelineEmitter;
_options = options ?? PackRunEvidenceSnapshotOptions.Default;
}
public async Task<PackRunEvidenceSnapshotResult> CaptureRunCompletionAsync(
string tenantId,
string runId,
string planHash,
PackRunState state,
IReadOnlyList<PackRunStepTranscript>? transcripts = null,
IReadOnlyList<PackRunApprovalEvidence>? approvals = null,
IReadOnlyList<PackRunPolicyEvidence>? policyEvaluations = null,
PackRunEnvironmentDigest? environmentDigest = null,
CancellationToken cancellationToken = default)
{
try
{
var materials = new List<PackRunEvidenceMaterial>();
// Add state summary
var stateSummary = CreateStateSummary(state);
materials.Add(PackRunEvidenceMaterial.FromJson(
"summary",
"run-state.json",
stateSummary));
// Add transcripts (redacted)
if (transcripts is not null)
{
foreach (var transcript in transcripts)
{
var redacted = _redactionGuard.RedactTranscript(transcript);
materials.Add(PackRunEvidenceMaterial.FromJson(
"transcript",
$"{redacted.StepId}.json",
redacted,
new Dictionary<string, string> { ["stepId"] = redacted.StepId }));
}
}
// Add approvals (redacted)
if (approvals is not null)
{
foreach (var approval in approvals)
{
var redacted = _redactionGuard.RedactApproval(approval);
materials.Add(PackRunEvidenceMaterial.FromJson(
"approval",
$"{redacted.ApprovalId}.json",
redacted,
new Dictionary<string, string> { ["approvalId"] = redacted.ApprovalId }));
}
}
// Add policy evaluations
if (policyEvaluations is not null)
{
foreach (var evaluation in policyEvaluations)
{
materials.Add(PackRunEvidenceMaterial.FromJson(
"policy",
$"{evaluation.PolicyName}.json",
evaluation,
new Dictionary<string, string> { ["policyName"] = evaluation.PolicyName }));
}
}
// Add environment digest (redacted)
if (environmentDigest is not null)
{
var redacted = _redactionGuard.RedactEnvironment(environmentDigest);
materials.Add(PackRunEvidenceMaterial.FromJson(
"environment",
"digest.json",
redacted));
}
// Create snapshot
var metadata = new Dictionary<string, string>
{
["runId"] = runId,
["planHash"] = planHash,
["stepCount"] = state.Steps.Count.ToString(),
["capturedAt"] = DateTimeOffset.UtcNow.ToString("O")
};
var snapshot = PackRunEvidenceSnapshot.Create(
tenantId,
runId,
planHash,
PackRunEvidenceSnapshotKind.RunCompletion,
materials,
metadata);
// Store snapshot
await _store.StoreAsync(snapshot, cancellationToken);
var evidencePointer = PackRunEvidencePointer.Bundle(
snapshot.SnapshotId,
snapshot.RootHash);
// Emit timeline event if emitter available
if (_timelineEmitter is not null)
{
await _timelineEmitter.EmitAsync(
PackRunTimelineEvent.Create(
tenantId: tenantId,
eventType: "pack.evidence.captured",
source: "taskrunner-evidence",
occurredAt: DateTimeOffset.UtcNow,
runId: runId,
planHash: planHash,
attributes: new Dictionary<string, string>
{
["snapshotId"] = snapshot.SnapshotId.ToString(),
["rootHash"] = snapshot.RootHash,
["materialCount"] = materials.Count.ToString()
},
evidencePointer: evidencePointer),
cancellationToken);
}
_logger.LogInformation(
"Captured run completion evidence for run {RunId} with {MaterialCount} materials, root hash {RootHash}",
runId, materials.Count, snapshot.RootHash);
return new PackRunEvidenceSnapshotResult(
Success: true,
Snapshot: snapshot,
EvidencePointer: evidencePointer,
Error: null);
}
catch (Exception ex)
{
_logger.LogError(ex,
"Failed to capture run completion evidence for run {RunId}",
runId);
return new PackRunEvidenceSnapshotResult(
Success: false,
Snapshot: null,
EvidencePointer: null,
Error: ex.Message);
}
}
public async Task<PackRunEvidenceSnapshotResult> CaptureStepExecutionAsync(
string tenantId,
string runId,
string planHash,
PackRunStepTranscript transcript,
CancellationToken cancellationToken = default)
{
try
{
var redacted = _redactionGuard.RedactTranscript(transcript);
var materials = new List<PackRunEvidenceMaterial>
{
PackRunEvidenceMaterial.FromJson(
"transcript",
$"{redacted.StepId}.json",
redacted,
new Dictionary<string, string> { ["stepId"] = redacted.StepId })
};
// Add artifacts if present
if (redacted.Artifacts is not null)
{
foreach (var artifact in redacted.Artifacts)
{
materials.Add(new PackRunEvidenceMaterial(
Section: "artifact",
Path: artifact.Name,
Sha256: artifact.Sha256,
SizeBytes: artifact.SizeBytes,
MediaType: artifact.MediaType,
Attributes: new Dictionary<string, string> { ["stepId"] = redacted.StepId }));
}
}
var metadata = new Dictionary<string, string>
{
["runId"] = runId,
["planHash"] = planHash,
["stepId"] = transcript.StepId,
["status"] = transcript.Status,
["attempt"] = transcript.Attempt.ToString()
};
var snapshot = PackRunEvidenceSnapshot.Create(
tenantId,
runId,
planHash,
PackRunEvidenceSnapshotKind.StepExecution,
materials,
metadata);
await _store.StoreAsync(snapshot, cancellationToken);
var evidencePointer = PackRunEvidencePointer.Bundle(
snapshot.SnapshotId,
snapshot.RootHash);
_logger.LogDebug(
"Captured step execution evidence for run {RunId} step {StepId}",
runId, transcript.StepId);
return new PackRunEvidenceSnapshotResult(
Success: true,
Snapshot: snapshot,
EvidencePointer: evidencePointer,
Error: null);
}
catch (Exception ex)
{
_logger.LogError(ex,
"Failed to capture step execution evidence for run {RunId} step {StepId}",
runId, transcript.StepId);
return new PackRunEvidenceSnapshotResult(
Success: false,
Snapshot: null,
EvidencePointer: null,
Error: ex.Message);
}
}
public async Task<PackRunEvidenceSnapshotResult> CaptureApprovalDecisionAsync(
string tenantId,
string runId,
string planHash,
PackRunApprovalEvidence approval,
CancellationToken cancellationToken = default)
{
try
{
var redacted = _redactionGuard.RedactApproval(approval);
var materials = new List<PackRunEvidenceMaterial>
{
PackRunEvidenceMaterial.FromJson(
"approval",
$"{redacted.ApprovalId}.json",
redacted)
};
var metadata = new Dictionary<string, string>
{
["runId"] = runId,
["planHash"] = planHash,
["approvalId"] = approval.ApprovalId,
["decision"] = approval.Decision,
["approver"] = _redactionGuard.RedactIdentity(approval.Approver)
};
var snapshot = PackRunEvidenceSnapshot.Create(
tenantId,
runId,
planHash,
PackRunEvidenceSnapshotKind.ApprovalDecision,
materials,
metadata);
await _store.StoreAsync(snapshot, cancellationToken);
var evidencePointer = PackRunEvidencePointer.Bundle(
snapshot.SnapshotId,
snapshot.RootHash);
_logger.LogDebug(
"Captured approval decision evidence for run {RunId} approval {ApprovalId}",
runId, approval.ApprovalId);
return new PackRunEvidenceSnapshotResult(
Success: true,
Snapshot: snapshot,
EvidencePointer: evidencePointer,
Error: null);
}
catch (Exception ex)
{
_logger.LogError(ex,
"Failed to capture approval decision evidence for run {RunId}",
runId);
return new PackRunEvidenceSnapshotResult(
Success: false,
Snapshot: null,
EvidencePointer: null,
Error: ex.Message);
}
}
public async Task<PackRunEvidenceSnapshotResult> CapturePolicyEvaluationAsync(
string tenantId,
string runId,
string planHash,
PackRunPolicyEvidence evaluation,
CancellationToken cancellationToken = default)
{
try
{
var materials = new List<PackRunEvidenceMaterial>
{
PackRunEvidenceMaterial.FromJson(
"policy",
$"{evaluation.PolicyName}.json",
evaluation)
};
var metadata = new Dictionary<string, string>
{
["runId"] = runId,
["planHash"] = planHash,
["policyName"] = evaluation.PolicyName,
["result"] = evaluation.Result
};
if (evaluation.PolicyVersion is not null)
{
metadata["policyVersion"] = evaluation.PolicyVersion;
}
var snapshot = PackRunEvidenceSnapshot.Create(
tenantId,
runId,
planHash,
PackRunEvidenceSnapshotKind.PolicyEvaluation,
materials,
metadata);
await _store.StoreAsync(snapshot, cancellationToken);
var evidencePointer = PackRunEvidencePointer.Bundle(
snapshot.SnapshotId,
snapshot.RootHash);
_logger.LogDebug(
"Captured policy evaluation evidence for run {RunId} policy {PolicyName}",
runId, evaluation.PolicyName);
return new PackRunEvidenceSnapshotResult(
Success: true,
Snapshot: snapshot,
EvidencePointer: evidencePointer,
Error: null);
}
catch (Exception ex)
{
_logger.LogError(ex,
"Failed to capture policy evaluation evidence for run {RunId}",
runId);
return new PackRunEvidenceSnapshotResult(
Success: false,
Snapshot: null,
EvidencePointer: null,
Error: ex.Message);
}
}
private static object CreateStateSummary(PackRunState state)
{
var stepSummaries = state.Steps.Values.Select(s => new
{
s.StepId,
Kind = s.Kind.ToString(),
s.Enabled,
Status = s.Status.ToString(),
s.Attempts,
s.StatusReason
}).ToList();
return new
{
state.RunId,
state.PlanHash,
state.RequestedAt,
state.CreatedAt,
state.UpdatedAt,
StepCount = state.Steps.Count,
Steps = stepSummaries
};
}
}
/// <summary>
/// Options for evidence snapshot service.
/// </summary>
public sealed record PackRunEvidenceSnapshotOptions(
/// <summary>Maximum transcript output length before truncation.</summary>
int MaxTranscriptOutputLength,
/// <summary>Maximum comment length before truncation.</summary>
int MaxCommentLength,
/// <summary>Whether to include step outputs.</summary>
bool IncludeStepOutput,
/// <summary>Whether to emit timeline events.</summary>
bool EmitTimelineEvents)
{
/// <summary>Default options.</summary>
public static PackRunEvidenceSnapshotOptions Default => new(
MaxTranscriptOutputLength: 64 * 1024, // 64KB
MaxCommentLength: 4096,
IncludeStepOutput: true,
EmitTimelineEvents: true);
}

181
src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunEvidenceStore.cs Normal file
View File

@@ -0,0 +1,181 @@
namespace StellaOps.TaskRunner.Core.Evidence;
/// <summary>
/// Store for pack run evidence snapshots.
/// Per TASKRUN-OBS-53-001.
/// </summary>
public interface IPackRunEvidenceStore
{
/// <summary>
/// Stores an evidence snapshot.
/// </summary>
Task StoreAsync(
PackRunEvidenceSnapshot snapshot,
CancellationToken cancellationToken = default);
/// <summary>
/// Retrieves an evidence snapshot by ID.
/// </summary>
Task<PackRunEvidenceSnapshot?> GetAsync(
Guid snapshotId,
CancellationToken cancellationToken = default);
/// <summary>
/// Lists evidence snapshots for a run.
/// </summary>
Task<IReadOnlyList<PackRunEvidenceSnapshot>> ListByRunAsync(
string tenantId,
string runId,
CancellationToken cancellationToken = default);
/// <summary>
/// Lists evidence snapshots by kind for a run.
/// </summary>
Task<IReadOnlyList<PackRunEvidenceSnapshot>> ListByKindAsync(
string tenantId,
string runId,
PackRunEvidenceSnapshotKind kind,
CancellationToken cancellationToken = default);
/// <summary>
/// Verifies the integrity of a snapshot by recomputing its Merkle root.
/// </summary>
Task<PackRunEvidenceVerificationResult> VerifyAsync(
Guid snapshotId,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Result of evidence verification.
/// </summary>
public sealed record PackRunEvidenceVerificationResult(
/// <summary>Whether verification passed.</summary>
bool Valid,
/// <summary>The snapshot that was verified.</summary>
Guid SnapshotId,
/// <summary>Expected root hash.</summary>
string ExpectedHash,
/// <summary>Computed root hash.</summary>
string ComputedHash,
/// <summary>Error message if verification failed.</summary>
string? Error);
/// <summary>
/// In-memory evidence store for testing.
/// </summary>
public sealed class InMemoryPackRunEvidenceStore : IPackRunEvidenceStore
{
private readonly Dictionary<Guid, PackRunEvidenceSnapshot> _snapshots = new();
private readonly object _lock = new();
public Task StoreAsync(
PackRunEvidenceSnapshot snapshot,
CancellationToken cancellationToken = default)
{
lock (_lock)
{
_snapshots[snapshot.SnapshotId] = snapshot;
}
return Task.CompletedTask;
}
public Task<PackRunEvidenceSnapshot?> GetAsync(
Guid snapshotId,
CancellationToken cancellationToken = default)
{
lock (_lock)
{
_snapshots.TryGetValue(snapshotId, out var snapshot);
return Task.FromResult(snapshot);
}
}
public Task<IReadOnlyList<PackRunEvidenceSnapshot>> ListByRunAsync(
string tenantId,
string runId,
CancellationToken cancellationToken = default)
{
lock (_lock)
{
var results = _snapshots.Values
.Where(s => s.TenantId == tenantId && s.RunId == runId)
.OrderBy(s => s.CreatedAt)
.ToList();
return Task.FromResult<IReadOnlyList<PackRunEvidenceSnapshot>>(results);
}
}
public Task<IReadOnlyList<PackRunEvidenceSnapshot>> ListByKindAsync(
string tenantId,
string runId,
PackRunEvidenceSnapshotKind kind,
CancellationToken cancellationToken = default)
{
lock (_lock)
{
var results = _snapshots.Values
.Where(s => s.TenantId == tenantId && s.RunId == runId && s.Kind == kind)
.OrderBy(s => s.CreatedAt)
.ToList();
return Task.FromResult<IReadOnlyList<PackRunEvidenceSnapshot>>(results);
}
}
public Task<PackRunEvidenceVerificationResult> VerifyAsync(
Guid snapshotId,
CancellationToken cancellationToken = default)
{
lock (_lock)
{
if (!_snapshots.TryGetValue(snapshotId, out var snapshot))
{
return Task.FromResult(new PackRunEvidenceVerificationResult(
Valid: false,
SnapshotId: snapshotId,
ExpectedHash: string.Empty,
ComputedHash: string.Empty,
Error: "Snapshot not found"));
}
// Recompute by creating a new snapshot with same materials
var recomputed = PackRunEvidenceSnapshot.Create(
snapshot.TenantId,
snapshot.RunId,
snapshot.PlanHash,
snapshot.Kind,
snapshot.Materials,
snapshot.Metadata);
var valid = snapshot.RootHash == recomputed.RootHash;
return Task.FromResult(new PackRunEvidenceVerificationResult(
Valid: valid,
SnapshotId: snapshotId,
ExpectedHash: snapshot.RootHash,
ComputedHash: recomputed.RootHash,
Error: valid ? null : "Root hash mismatch"));
}
}
/// <summary>Gets all snapshots (for testing).</summary>
public IReadOnlyList<PackRunEvidenceSnapshot> GetAll()
{
lock (_lock) { return _snapshots.Values.ToList(); }
}
/// <summary>Clears all snapshots (for testing).</summary>
public void Clear()
{
lock (_lock) { _snapshots.Clear(); }
}
/// <summary>Gets snapshot count.</summary>
public int Count
{
get { lock (_lock) { return _snapshots.Count; } }
}
}

270
src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunRedactionGuard.cs Normal file
View File

@@ -0,0 +1,270 @@
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
namespace StellaOps.TaskRunner.Core.Evidence;
/// <summary>
/// Redaction guard for sensitive data in evidence snapshots.
/// Per TASKRUN-OBS-53-001.
/// </summary>
public interface IPackRunRedactionGuard
{
/// <summary>
/// Redacts sensitive data from a step transcript.
/// </summary>
PackRunStepTranscript RedactTranscript(PackRunStepTranscript transcript);
/// <summary>
/// Redacts sensitive data from an approval evidence record.
/// </summary>
PackRunApprovalEvidence RedactApproval(PackRunApprovalEvidence approval);
/// <summary>
/// Redacts sensitive data from an environment digest.
/// </summary>
PackRunEnvironmentDigest RedactEnvironment(PackRunEnvironmentDigest digest);
/// <summary>
/// Redacts an identity string (e.g., email, username).
/// </summary>
string RedactIdentity(string identity);
/// <summary>
/// Redacts a string value that may contain secrets.
/// </summary>
string RedactValue(string value);
}
/// <summary>
/// Options for redaction guard.
/// </summary>
public sealed record PackRunRedactionGuardOptions(
/// <summary>Patterns that indicate sensitive variable names.</summary>
IReadOnlyList<string> SensitiveVariablePatterns,
/// <summary>Patterns that indicate sensitive content in output.</summary>
IReadOnlyList<string> SensitiveContentPatterns,
/// <summary>Whether to hash redacted values for correlation.</summary>
bool HashRedactedValues,
/// <summary>Maximum length of output before truncation.</summary>
int MaxOutputLength,
/// <summary>Whether to preserve email domain.</summary>
bool PreserveEmailDomain)
{
/// <summary>Default redaction options.</summary>
public static PackRunRedactionGuardOptions Default => new(
SensitiveVariablePatterns: new[]
{
"(?i)password",
"(?i)secret",
"(?i)token",
"(?i)api_key",
"(?i)apikey",
"(?i)auth",
"(?i)credential",
"(?i)private_key",
"(?i)privatekey",
"(?i)access_key",
"(?i)accesskey",
"(?i)connection_string",
"(?i)connectionstring"
},
SensitiveContentPatterns: new[]
{
@"(?i)bearer\s+[a-zA-Z0-9\-_.]+",
@"(?i)basic\s+[a-zA-Z0-9+/=]+",
@"-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----",
@"(?i)password\s*[=:]\s*\S+",
@"(?i)secret\s*[=:]\s*\S+",
@"(?i)token\s*[=:]\s*\S+"
},
HashRedactedValues: true,
MaxOutputLength: 64 * 1024,
PreserveEmailDomain: false);
}
/// <summary>
/// Default implementation of redaction guard.
/// </summary>
public sealed partial class PackRunRedactionGuard : IPackRunRedactionGuard
{
private const string RedactedPlaceholder = "[REDACTED]";
private const string TruncatedSuffix = "...[TRUNCATED]";
private readonly PackRunRedactionGuardOptions _options;
private readonly List<Regex> _sensitiveVarPatterns;
private readonly List<Regex> _sensitiveContentPatterns;
public PackRunRedactionGuard(PackRunRedactionGuardOptions? options = null)
{
_options = options ?? PackRunRedactionGuardOptions.Default;
_sensitiveVarPatterns = _options.SensitiveVariablePatterns
.Select(p => new Regex(p, RegexOptions.Compiled))
.ToList();
_sensitiveContentPatterns = _options.SensitiveContentPatterns
.Select(p => new Regex(p, RegexOptions.Compiled))
.ToList();
}
public PackRunStepTranscript RedactTranscript(PackRunStepTranscript transcript)
{
var redactedOutput = transcript.Output is not null
? RedactOutput(transcript.Output)
: null;
var redactedError = transcript.Error is not null
? RedactOutput(transcript.Error)
: null;
var redactedEnvDigest = transcript.EnvironmentDigest is not null
? RedactEnvDigestString(transcript.EnvironmentDigest)
: null;
return transcript with
{
Output = redactedOutput,
Error = redactedError,
EnvironmentDigest = redactedEnvDigest
};
}
public PackRunApprovalEvidence RedactApproval(PackRunApprovalEvidence approval)
{
var redactedApprover = RedactIdentity(approval.Approver);
var redactedComments = approval.Comments is not null
? RedactOutput(approval.Comments)
: null;
var redactedGrantedBy = approval.GrantedBy?.Select(RedactIdentity).ToList();
return approval with
{
Approver = redactedApprover,
Comments = redactedComments,
GrantedBy = redactedGrantedBy
};
}
public PackRunEnvironmentDigest RedactEnvironment(PackRunEnvironmentDigest digest)
{
// Seeds are already expected to be redacted or hashed
// Environment variable names are kept, values should not be present
// Tool images are public information
return digest;
}
public string RedactIdentity(string identity)
{
if (string.IsNullOrEmpty(identity))
return identity;
// Check if it's an email
if (identity.Contains('@'))
{
var parts = identity.Split('@');
if (parts.Length == 2)
{
var localPart = parts[0];
var domain = parts[1];
var redactedLocal = localPart.Length <= 2
? RedactedPlaceholder
: $"{localPart[0]}***{localPart[^1]}";
if (_options.PreserveEmailDomain)
{
return $"{redactedLocal}@{domain}";
}
return $"{redactedLocal}@[DOMAIN]";
}
}
// For non-email identities, hash if configured
if (_options.HashRedactedValues)
{
return $"[USER:{ComputeShortHash(identity)}]";
}
return RedactedPlaceholder;
}
public string RedactValue(string value)
{
if (string.IsNullOrEmpty(value))
return value;
if (_options.HashRedactedValues)
{
return $"[HASH:{ComputeShortHash(value)}]";
}
return RedactedPlaceholder;
}
private string RedactOutput(string output)
{
if (string.IsNullOrEmpty(output))
return output;
var result = output;
// Apply content pattern redaction
foreach (var pattern in _sensitiveContentPatterns)
{
result = pattern.Replace(result, match =>
{
if (_options.HashRedactedValues)
{
return $"[REDACTED:{ComputeShortHash(match.Value)}]";
}
return RedactedPlaceholder;
});
}
// Truncate if too long
if (result.Length > _options.MaxOutputLength)
{
result = result[..(_options.MaxOutputLength - TruncatedSuffix.Length)] + TruncatedSuffix;
}
return result;
}
private string RedactEnvDigestString(string digest)
{
// Environment digest is typically already a hash, preserve it
return digest;
}
private static string ComputeShortHash(string value)
{
var bytes = Encoding.UTF8.GetBytes(value);
var hash = SHA256.HashData(bytes);
// Return first 8 characters of hex hash
return Convert.ToHexString(hash)[..8].ToLowerInvariant();
}
}
/// <summary>
/// No-op redaction guard for testing (preserves all data).
/// </summary>
public sealed class NoOpPackRunRedactionGuard : IPackRunRedactionGuard
{
public static NoOpPackRunRedactionGuard Instance { get; } = new();
private NoOpPackRunRedactionGuard() { }
public PackRunStepTranscript RedactTranscript(PackRunStepTranscript transcript) => transcript;
public PackRunApprovalEvidence RedactApproval(PackRunApprovalEvidence approval) => approval;
public PackRunEnvironmentDigest RedactEnvironment(PackRunEnvironmentDigest digest) => digest;
public string RedactIdentity(string identity) => identity;
public string RedactValue(string value) => value;
}

357
src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/PackRunEvidenceSnapshot.cs Normal file
View File

@@ -0,0 +1,357 @@
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
namespace StellaOps.TaskRunner.Core.Evidence;
/// <summary>
/// Evidence snapshot for pack run execution.
/// Per TASKRUN-OBS-53-001.
/// </summary>
public sealed record PackRunEvidenceSnapshot(
/// <summary>Unique snapshot identifier.</summary>
Guid SnapshotId,
/// <summary>Tenant scope.</summary>
string TenantId,
/// <summary>Run ID this snapshot belongs to.</summary>
string RunId,
/// <summary>Plan hash that was executed.</summary>
string PlanHash,
/// <summary>When the snapshot was created.</summary>
DateTimeOffset CreatedAt,
/// <summary>Snapshot kind.</summary>
PackRunEvidenceSnapshotKind Kind,
/// <summary>Materials included in this snapshot.</summary>
IReadOnlyList<PackRunEvidenceMaterial> Materials,
/// <summary>Computed Merkle root hash of all materials.</summary>
string RootHash,
/// <summary>Snapshot metadata.</summary>
IReadOnlyDictionary<string, string>? Metadata)
{
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
WriteIndented = false
};
/// <summary>
/// Creates a new snapshot with computed root hash.
/// </summary>
public static PackRunEvidenceSnapshot Create(
string tenantId,
string runId,
string planHash,
PackRunEvidenceSnapshotKind kind,
IReadOnlyList<PackRunEvidenceMaterial> materials,
IReadOnlyDictionary<string, string>? metadata = null)
{
var rootHash = ComputeMerkleRoot(materials);
return new PackRunEvidenceSnapshot(
SnapshotId: Guid.NewGuid(),
TenantId: tenantId,
RunId: runId,
PlanHash: planHash,
CreatedAt: DateTimeOffset.UtcNow,
Kind: kind,
Materials: materials,
RootHash: rootHash,
Metadata: metadata);
}
/// <summary>
/// Computes Merkle root from materials.
/// </summary>
private static string ComputeMerkleRoot(IReadOnlyList<PackRunEvidenceMaterial> materials)
{
if (materials.Count == 0)
{
// Empty root: 64 zeros
return "sha256:" + new string('0', 64);
}
// Sort materials by canonical path for determinism
var sorted = materials
.OrderBy(m => m.Section, StringComparer.Ordinal)
.ThenBy(m => m.Path, StringComparer.Ordinal)
.ToList();
// Build leaves from material hashes
var leaves = sorted.Select(m => m.Sha256).ToList();
// Compute Merkle root
while (leaves.Count > 1)
{
var nextLevel = new List<string>();
for (var i = 0; i < leaves.Count; i += 2)
{
if (i + 1 < leaves.Count)
{
nextLevel.Add(HashPair(leaves[i], leaves[i + 1]));
}
else
{
nextLevel.Add(HashPair(leaves[i], leaves[i]));
}
}
leaves = nextLevel;
}
return leaves[0];
}
private static string HashPair(string left, string right)
{
var combined = left + right;
var bytes = Encoding.UTF8.GetBytes(combined);
var hash = SHA256.HashData(bytes);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
/// <summary>
/// Serializes to JSON.
/// </summary>
public string ToJson() => JsonSerializer.Serialize(this, JsonOptions);
/// <summary>
/// Deserializes from JSON.
/// </summary>
public static PackRunEvidenceSnapshot? FromJson(string json)
=> JsonSerializer.Deserialize<PackRunEvidenceSnapshot>(json, JsonOptions);
}
/// <summary>
/// Kind of pack run evidence snapshot.
/// </summary>
public enum PackRunEvidenceSnapshotKind
{
/// <summary>Run completion snapshot.</summary>
RunCompletion,
/// <summary>Step execution snapshot.</summary>
StepExecution,
/// <summary>Approval decision snapshot.</summary>
ApprovalDecision,
/// <summary>Policy evaluation snapshot.</summary>
PolicyEvaluation,
/// <summary>Artifact manifest snapshot.</summary>
ArtifactManifest,
/// <summary>Environment digest snapshot.</summary>
EnvironmentDigest
}
/// <summary>
/// Material included in evidence snapshot.
/// </summary>
public sealed record PackRunEvidenceMaterial(
/// <summary>Section (e.g., "transcript", "artifact", "policy").</summary>
string Section,
/// <summary>Path within section.</summary>
string Path,
/// <summary>SHA-256 digest of content.</summary>
string Sha256,
/// <summary>Size in bytes.</summary>
long SizeBytes,
/// <summary>Media type.</summary>
string MediaType,
/// <summary>Custom attributes.</summary>
IReadOnlyDictionary<string, string>? Attributes)
{
/// <summary>
/// Creates material from content bytes.
/// </summary>
public static PackRunEvidenceMaterial FromContent(
string section,
string path,
byte[] content,
string mediaType = "application/octet-stream",
IReadOnlyDictionary<string, string>? attributes = null)
{
var hash = SHA256.HashData(content);
var sha256 = $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
return new PackRunEvidenceMaterial(
Section: section,
Path: path,
Sha256: sha256,
SizeBytes: content.Length,
MediaType: mediaType,
Attributes: attributes);
}
/// <summary>
/// Creates material from string content.
/// </summary>
public static PackRunEvidenceMaterial FromString(
string section,
string path,
string content,
string mediaType = "text/plain",
IReadOnlyDictionary<string, string>? attributes = null)
{
return FromContent(section, path, Encoding.UTF8.GetBytes(content), mediaType, attributes);
}
/// <summary>
/// Creates material from JSON object.
/// </summary>
public static PackRunEvidenceMaterial FromJson<T>(
string section,
string path,
T obj,
IReadOnlyDictionary<string, string>? attributes = null)
{
var json = JsonSerializer.Serialize(obj, new JsonSerializerOptions
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
WriteIndented = false
});
return FromString(section, path, json, "application/json", attributes);
}
/// <summary>
/// Canonical path for ordering.
/// </summary>
public string CanonicalPath => $"{Section}/{Path}";
}
/// <summary>
/// Step transcript for evidence capture.
/// </summary>
public sealed record PackRunStepTranscript(
/// <summary>Step identifier.</summary>
string StepId,
/// <summary>Step kind.</summary>
string Kind,
/// <summary>Execution start time.</summary>
DateTimeOffset StartedAt,
/// <summary>Execution end time.</summary>
DateTimeOffset? EndedAt,
/// <summary>Final status.</summary>
string Status,
/// <summary>Attempt number.</summary>
int Attempt,
/// <summary>Duration in milliseconds.</summary>
double? DurationMs,
/// <summary>Output (redacted if needed).</summary>
string? Output,
/// <summary>Error message (redacted if needed).</summary>
string? Error,
/// <summary>Environment variables digest.</summary>
string? EnvironmentDigest,
/// <summary>Artifacts produced.</summary>
IReadOnlyList<PackRunArtifactReference>? Artifacts);
/// <summary>
/// Reference to artifact in evidence.
/// </summary>
public sealed record PackRunArtifactReference(
/// <summary>Artifact name.</summary>
string Name,
/// <summary>SHA-256 digest.</summary>
string Sha256,
/// <summary>Size in bytes.</summary>
long SizeBytes,
/// <summary>Media type.</summary>
string MediaType);
/// <summary>
/// Approval record for evidence.
/// </summary>
public sealed record PackRunApprovalEvidence(
/// <summary>Approval identifier.</summary>
string ApprovalId,
/// <summary>Approver identity.</summary>
string Approver,
/// <summary>When approved.</summary>
DateTimeOffset ApprovedAt,
/// <summary>Approval decision.</summary>
string Decision,
/// <summary>Required grants.</summary>
IReadOnlyList<string> RequiredGrants,
/// <summary>Granted by.</summary>
IReadOnlyList<string>? GrantedBy,
/// <summary>Comments (redacted if needed).</summary>
string? Comments);
/// <summary>
/// Policy evaluation record for evidence.
/// </summary>
public sealed record PackRunPolicyEvidence(
/// <summary>Policy name.</summary>
string PolicyName,
/// <summary>Policy version.</summary>
string? PolicyVersion,
/// <summary>Evaluation result.</summary>
string Result,
/// <summary>When evaluated.</summary>
DateTimeOffset EvaluatedAt,
/// <summary>Evaluation duration in milliseconds.</summary>
double DurationMs,
/// <summary>Matched rules.</summary>
IReadOnlyList<string>? MatchedRules,
/// <summary>Policy digest for reproducibility.</summary>
string? PolicyDigest);
/// <summary>
/// Environment digest for evidence.
/// </summary>
public sealed record PackRunEnvironmentDigest(
/// <summary>When digest was computed.</summary>
DateTimeOffset ComputedAt,
/// <summary>Tool image digests (name -> sha256).</summary>
IReadOnlyDictionary<string, string> ToolImages,
/// <summary>Seed values (redacted).</summary>
IReadOnlyDictionary<string, string>? Seeds,
/// <summary>Environment variables (redacted).</summary>
IReadOnlyList<string>? EnvironmentVariableNames,
/// <summary>Combined digest of all inputs.</summary>
string InputsDigest);

710
src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/PackRunEvidenceSnapshotTests.cs Normal file
View File

@@ -0,0 +1,710 @@
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.TaskRunner.Core.Events;
using StellaOps.TaskRunner.Core.Evidence;
using StellaOps.TaskRunner.Core.Execution;
using StellaOps.TaskRunner.Core.Execution.Simulation;
using StellaOps.TaskRunner.Core.Planning;
using Xunit;
namespace StellaOps.TaskRunner.Tests;
/// <summary>
/// Tests for pack run evidence snapshot domain model, store, redaction guard, and service.
/// Per TASKRUN-OBS-53-001.
/// </summary>
public sealed class PackRunEvidenceSnapshotTests
{
private const string TestTenantId = "test-tenant";
private const string TestRunId = "run-12345";
private const string TestPlanHash = "sha256:abc123def456789012345678901234567890123456789012345678901234";
private const string TestStepId = "plan-step";
#region PackRunEvidenceSnapshot Tests
[Fact]
public void Create_WithMaterials_ComputesMerkleRoot()
{
// Arrange
var materials = new List<PackRunEvidenceMaterial>
{
PackRunEvidenceMaterial.FromString("transcript", "step-001.json", "{\"stepId\":\"step-001\"}"),
PackRunEvidenceMaterial.FromString("transcript", "step-002.json", "{\"stepId\":\"step-002\"}")
};
// Act
var snapshot = PackRunEvidenceSnapshot.Create(
TestTenantId,
TestRunId,
TestPlanHash,
PackRunEvidenceSnapshotKind.RunCompletion,
materials);
// Assert
Assert.NotEqual(Guid.Empty, snapshot.SnapshotId);
Assert.Equal(TestTenantId, snapshot.TenantId);
Assert.Equal(TestRunId, snapshot.RunId);
Assert.Equal(TestPlanHash, snapshot.PlanHash);
Assert.Equal(PackRunEvidenceSnapshotKind.RunCompletion, snapshot.Kind);
Assert.Equal(2, snapshot.Materials.Count);
Assert.StartsWith("sha256:", snapshot.RootHash);
}
[Fact]
public void Create_WithEmptyMaterials_ReturnsZeroHash()
{
// Act
var snapshot = PackRunEvidenceSnapshot.Create(
TestTenantId,
TestRunId,
TestPlanHash,
PackRunEvidenceSnapshotKind.RunCompletion,
new List<PackRunEvidenceMaterial>());
// Assert
Assert.Equal("sha256:" + new string('0', 64), snapshot.RootHash);
}
[Fact]
public void Create_WithMetadata_StoresMetadata()
{
// Arrange
var metadata = new Dictionary<string, string>
{
["key1"] = "value1",
["key2"] = "value2"
};
// Act
var snapshot = PackRunEvidenceSnapshot.Create(
TestTenantId,
TestRunId,
TestPlanHash,
PackRunEvidenceSnapshotKind.StepExecution,
new List<PackRunEvidenceMaterial>(),
metadata);
// Assert
Assert.NotNull(snapshot.Metadata);
Assert.Equal("value1", snapshot.Metadata["key1"]);
Assert.Equal("value2", snapshot.Metadata["key2"]);
}
[Fact]
public void Create_SameMaterials_ProducesDeterministicHash()
{
// Arrange
var materials = new List<PackRunEvidenceMaterial>
{
PackRunEvidenceMaterial.FromString("transcript", "step-001.json", "{\"data\":\"test\"}")
};
// Act
var snapshot1 = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.StepExecution, materials);
var snapshot2 = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.StepExecution, materials);
// Assert
Assert.Equal(snapshot1.RootHash, snapshot2.RootHash);
}
[Fact]
public void Create_MaterialOrderDoesNotAffectHash()
{
// Arrange - materials in different order
var materials1 = new List<PackRunEvidenceMaterial>
{
PackRunEvidenceMaterial.FromString("transcript", "a.json", "{}"),
PackRunEvidenceMaterial.FromString("transcript", "b.json", "{}")
};
var materials2 = new List<PackRunEvidenceMaterial>
{
PackRunEvidenceMaterial.FromString("transcript", "b.json", "{}"),
PackRunEvidenceMaterial.FromString("transcript", "a.json", "{}")
};
// Act
var snapshot1 = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.RunCompletion, materials1);
var snapshot2 = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.RunCompletion, materials2);
// Assert - hash should be same due to canonical ordering
Assert.Equal(snapshot1.RootHash, snapshot2.RootHash);
}
[Fact]
public void ToJson_AndFromJson_RoundTrips()
{
// Arrange
var materials = new List<PackRunEvidenceMaterial>
{
PackRunEvidenceMaterial.FromString("test", "file.txt", "content")
};
var snapshot = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.RunCompletion, materials);
// Act
var json = snapshot.ToJson();
var restored = PackRunEvidenceSnapshot.FromJson(json);
// Assert
Assert.NotNull(restored);
Assert.Equal(snapshot.SnapshotId, restored.SnapshotId);
Assert.Equal(snapshot.RootHash, restored.RootHash);
Assert.Equal(snapshot.TenantId, restored.TenantId);
}
#endregion
#region PackRunEvidenceMaterial Tests
[Fact]
public void FromString_ComputesSha256Hash()
{
// Act
var material = PackRunEvidenceMaterial.FromString(
"transcript", "output.txt", "Hello, World!");
// Assert
Assert.Equal("transcript", material.Section);
Assert.Equal("output.txt", material.Path);
Assert.StartsWith("sha256:", material.Sha256);
Assert.Equal("text/plain", material.MediaType);
Assert.Equal(13, material.SizeBytes); // "Hello, World!" is 13 bytes
}
[Fact]
public void FromJson_ComputesSha256Hash()
{
// Arrange
var obj = new { stepId = "step-001", status = "completed" };
// Act
var material = PackRunEvidenceMaterial.FromJson("transcript", "step.json", obj);
// Assert
Assert.Equal("transcript", material.Section);
Assert.Equal("step.json", material.Path);
Assert.StartsWith("sha256:", material.Sha256);
Assert.Equal("application/json", material.MediaType);
}
[Fact]
public void FromContent_WithAttributes_StoresAttributes()
{
// Arrange
var attributes = new Dictionary<string, string> { ["stepId"] = "step-001" };
// Act
var material = PackRunEvidenceMaterial.FromContent(
"artifact", "output.bin", new byte[] { 1, 2, 3 },
"application/octet-stream", attributes);
// Assert
Assert.NotNull(material.Attributes);
Assert.Equal("step-001", material.Attributes["stepId"]);
}
[Fact]
public void CanonicalPath_CombinesSectionAndPath()
{
// Act
var material = PackRunEvidenceMaterial.FromString("transcript", "step-001.json", "{}");
// Assert
Assert.Equal("transcript/step-001.json", material.CanonicalPath);
}
#endregion
#region InMemoryPackRunEvidenceStore Tests
[Fact]
public async Task Store_AndGet_ReturnsSnapshot()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
var snapshot = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.RunCompletion,
new List<PackRunEvidenceMaterial>());
// Act
await store.StoreAsync(snapshot, TestContext.Current.CancellationToken);
var retrieved = await store.GetAsync(snapshot.SnapshotId, TestContext.Current.CancellationToken);
// Assert
Assert.NotNull(retrieved);
Assert.Equal(snapshot.SnapshotId, retrieved.SnapshotId);
Assert.Equal(snapshot.RootHash, retrieved.RootHash);
}
[Fact]
public async Task Get_NonExistent_ReturnsNull()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
// Act
var result = await store.GetAsync(Guid.NewGuid(), TestContext.Current.CancellationToken);
// Assert
Assert.Null(result);
}
[Fact]
public async Task ListByRun_ReturnsMatchingSnapshots()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
var snapshot1 = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.StepExecution,
new List<PackRunEvidenceMaterial>());
var snapshot2 = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.ApprovalDecision,
new List<PackRunEvidenceMaterial>());
var otherRunSnapshot = PackRunEvidenceSnapshot.Create(
TestTenantId, "other-run", TestPlanHash,
PackRunEvidenceSnapshotKind.StepExecution,
new List<PackRunEvidenceMaterial>());
await store.StoreAsync(snapshot1, TestContext.Current.CancellationToken);
await store.StoreAsync(snapshot2, TestContext.Current.CancellationToken);
await store.StoreAsync(otherRunSnapshot, TestContext.Current.CancellationToken);
// Act
var results = await store.ListByRunAsync(TestTenantId, TestRunId, TestContext.Current.CancellationToken);
// Assert
Assert.Equal(2, results.Count);
Assert.All(results, s => Assert.Equal(TestRunId, s.RunId));
}
[Fact]
public async Task ListByKind_ReturnsMatchingSnapshots()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
var stepSnapshot1 = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.StepExecution,
new List<PackRunEvidenceMaterial>());
var stepSnapshot2 = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.StepExecution,
new List<PackRunEvidenceMaterial>());
var approvalSnapshot = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.ApprovalDecision,
new List<PackRunEvidenceMaterial>());
await store.StoreAsync(stepSnapshot1, TestContext.Current.CancellationToken);
await store.StoreAsync(stepSnapshot2, TestContext.Current.CancellationToken);
await store.StoreAsync(approvalSnapshot, TestContext.Current.CancellationToken);
// Act
var results = await store.ListByKindAsync(
TestTenantId, TestRunId,
PackRunEvidenceSnapshotKind.StepExecution,
TestContext.Current.CancellationToken);
// Assert
Assert.Equal(2, results.Count);
Assert.All(results, s => Assert.Equal(PackRunEvidenceSnapshotKind.StepExecution, s.Kind));
}
[Fact]
public async Task Verify_ValidSnapshot_ReturnsValid()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
var materials = new List<PackRunEvidenceMaterial>
{
PackRunEvidenceMaterial.FromString("test", "file.txt", "content")
};
var snapshot = PackRunEvidenceSnapshot.Create(
TestTenantId, TestRunId, TestPlanHash,
PackRunEvidenceSnapshotKind.RunCompletion, materials);
await store.StoreAsync(snapshot, TestContext.Current.CancellationToken);
// Act
var result = await store.VerifyAsync(snapshot.SnapshotId, TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Valid);
Assert.Equal(snapshot.RootHash, result.ExpectedHash);
Assert.Equal(snapshot.RootHash, result.ComputedHash);
Assert.Null(result.Error);
}
[Fact]
public async Task Verify_NonExistent_ReturnsInvalid()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
// Act
var result = await store.VerifyAsync(Guid.NewGuid(), TestContext.Current.CancellationToken);
// Assert
Assert.False(result.Valid);
Assert.Equal("Snapshot not found", result.Error);
}
#endregion
#region PackRunRedactionGuard Tests
[Fact]
public void RedactTranscript_RedactsSensitiveOutput()
{
// Arrange
var guard = new PackRunRedactionGuard();
var transcript = new PackRunStepTranscript(
StepId: TestStepId,
Kind: "shell",
StartedAt: DateTimeOffset.UtcNow,
EndedAt: DateTimeOffset.UtcNow,
Status: "completed",
Attempt: 1,
DurationMs: 100,
Output: "Connecting with Bearer eyJhbGciOiJIUzI1NiJ9.token",
Error: null,
EnvironmentDigest: null,
Artifacts: null);
// Act
var redacted = guard.RedactTranscript(transcript);
// Assert
Assert.DoesNotContain("eyJhbGciOiJIUzI1NiJ9", redacted.Output);
Assert.Contains("[REDACTED", redacted.Output);
}
[Fact]
public void RedactTranscript_PreservesNonSensitiveOutput()
{
// Arrange
var guard = new PackRunRedactionGuard();
var transcript = new PackRunStepTranscript(
StepId: TestStepId,
Kind: "shell",
StartedAt: DateTimeOffset.UtcNow,
EndedAt: DateTimeOffset.UtcNow,
Status: "completed",
Attempt: 1,
DurationMs: 100,
Output: "Build completed successfully",
Error: null,
EnvironmentDigest: null,
Artifacts: null);
// Act
var redacted = guard.RedactTranscript(transcript);
// Assert
Assert.Equal("Build completed successfully", redacted.Output);
}
[Fact]
public void RedactIdentity_RedactsEmail()
{
// Arrange
var guard = new PackRunRedactionGuard();
// Act
var redacted = guard.RedactIdentity("john.doe@example.com");
// Assert
Assert.DoesNotContain("john.doe", redacted);
Assert.DoesNotContain("example.com", redacted);
Assert.Contains("[", redacted); // Contains redaction markers
}
[Fact]
public void RedactIdentity_HashesNonEmailIdentity()
{
// Arrange
var guard = new PackRunRedactionGuard();
// Act
var redacted = guard.RedactIdentity("admin-user-12345");
// Assert
Assert.StartsWith("[USER:", redacted);
Assert.EndsWith("]", redacted);
}
[Fact]
public void RedactApproval_RedactsApproverAndComments()
{
// Arrange
var guard = new PackRunRedactionGuard();
var approval = new PackRunApprovalEvidence(
ApprovalId: "approval-001",
Approver: "jane.doe@example.com",
ApprovedAt: DateTimeOffset.UtcNow,
Decision: "approved",
RequiredGrants: new[] { "deploy:production" },
GrantedBy: new[] { "team-lead@example.com" },
Comments: "Approved. Use token=abc123xyz for deployment.");
// Act
var redacted = guard.RedactApproval(approval);
// Assert
Assert.DoesNotContain("jane.doe", redacted.Approver);
Assert.DoesNotContain("team-lead", redacted.GrantedBy![0]);
Assert.Contains("[REDACTED", redacted.Comments);
}
[Fact]
public void RedactValue_ReturnsHashedValue()
{
// Arrange
var guard = new PackRunRedactionGuard();
// Act
var redacted = guard.RedactValue("super-secret-value");
// Assert
Assert.StartsWith("[HASH:", redacted);
Assert.EndsWith("]", redacted);
Assert.DoesNotContain("super-secret-value", redacted);
}
[Fact]
public void NoOpRedactionGuard_PreservesAllData()
{
// Arrange
var guard = NoOpPackRunRedactionGuard.Instance;
var transcript = new PackRunStepTranscript(
StepId: TestStepId,
Kind: "shell",
StartedAt: DateTimeOffset.UtcNow,
EndedAt: DateTimeOffset.UtcNow,
Status: "completed",
Attempt: 1,
DurationMs: 100,
Output: "Bearer secret-token-12345",
Error: null,
EnvironmentDigest: null,
Artifacts: null);
// Act
var result = guard.RedactTranscript(transcript);
// Assert
Assert.Same(transcript, result);
Assert.Equal("Bearer secret-token-12345", result.Output);
}
#endregion
#region PackRunEvidenceSnapshotService Tests
[Fact]
public async Task CaptureRunCompletion_StoresSnapshot()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
var sink = new InMemoryPackRunTimelineEventSink();
var emitter = new PackRunTimelineEventEmitter(
sink, TimeProvider.System, NullLogger<PackRunTimelineEventEmitter>.Instance);
var service = new PackRunEvidenceSnapshotService(
store,
new PackRunRedactionGuard(),
NullLogger<PackRunEvidenceSnapshotService>.Instance,
emitter);
var state = CreateTestPackRunState();
// Act
var result = await service.CaptureRunCompletionAsync(
TestTenantId, TestRunId, TestPlanHash, state,
cancellationToken: TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.NotNull(result.Snapshot);
Assert.NotNull(result.EvidencePointer);
Assert.Equal(PackRunEvidenceSnapshotKind.RunCompletion, result.Snapshot.Kind);
Assert.Equal(1, store.Count);
}
[Fact]
public async Task CaptureRunCompletion_WithTranscripts_IncludesRedactedTranscripts()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
var service = new PackRunEvidenceSnapshotService(
store,
new PackRunRedactionGuard(),
NullLogger<PackRunEvidenceSnapshotService>.Instance);
var state = CreateTestPackRunState();
var transcripts = new List<PackRunStepTranscript>
{
new(TestStepId, "shell", DateTimeOffset.UtcNow, DateTimeOffset.UtcNow,
"completed", 1, 100, "Bearer token123", null, null, null)
};
// Act
var result = await service.CaptureRunCompletionAsync(
TestTenantId, TestRunId, TestPlanHash, state,
transcripts: transcripts,
cancellationToken: TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
var transcriptMaterial = result.Snapshot!.Materials
.FirstOrDefault(m => m.Section == "transcript");
Assert.NotNull(transcriptMaterial);
}
[Fact]
public async Task CaptureStepExecution_CapturesTranscript()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
var service = new PackRunEvidenceSnapshotService(
store,
new PackRunRedactionGuard(),
NullLogger<PackRunEvidenceSnapshotService>.Instance);
var transcript = new PackRunStepTranscript(
TestStepId, "shell", DateTimeOffset.UtcNow, DateTimeOffset.UtcNow,
"completed", 1, 150, "Build output", null, null, null);
// Act
var result = await service.CaptureStepExecutionAsync(
TestTenantId, TestRunId, TestPlanHash, transcript,
TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.Equal(PackRunEvidenceSnapshotKind.StepExecution, result.Snapshot!.Kind);
Assert.Contains(result.Snapshot.Materials, m => m.Section == "transcript");
}
[Fact]
public async Task CaptureApprovalDecision_CapturesApproval()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
var service = new PackRunEvidenceSnapshotService(
store,
new PackRunRedactionGuard(),
NullLogger<PackRunEvidenceSnapshotService>.Instance);
var approval = new PackRunApprovalEvidence(
"approval-001",
"approver@example.com",
DateTimeOffset.UtcNow,
"approved",
new[] { "deploy:prod" },
null,
"LGTM");
// Act
var result = await service.CaptureApprovalDecisionAsync(
TestTenantId, TestRunId, TestPlanHash, approval,
TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.Equal(PackRunEvidenceSnapshotKind.ApprovalDecision, result.Snapshot!.Kind);
Assert.Contains(result.Snapshot.Materials, m => m.Section == "approval");
}
[Fact]
public async Task CapturePolicyEvaluation_CapturesEvaluation()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
var service = new PackRunEvidenceSnapshotService(
store,
new PackRunRedactionGuard(),
NullLogger<PackRunEvidenceSnapshotService>.Instance);
var evaluation = new PackRunPolicyEvidence(
"require-approval",
"1.0.0",
"pass",
DateTimeOffset.UtcNow,
5.5,
new[] { "rule-1", "rule-2" },
"sha256:policy123");
// Act
var result = await service.CapturePolicyEvaluationAsync(
TestTenantId, TestRunId, TestPlanHash, evaluation,
TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.Equal(PackRunEvidenceSnapshotKind.PolicyEvaluation, result.Snapshot!.Kind);
Assert.Contains(result.Snapshot.Materials, m => m.Section == "policy");
}
[Fact]
public async Task CaptureRunCompletion_EmitsTimelineEvent()
{
// Arrange
var store = new InMemoryPackRunEvidenceStore();
var sink = new InMemoryPackRunTimelineEventSink();
var emitter = new PackRunTimelineEventEmitter(
sink, TimeProvider.System, NullLogger<PackRunTimelineEventEmitter>.Instance);
var service = new PackRunEvidenceSnapshotService(
store,
new PackRunRedactionGuard(),
NullLogger<PackRunEvidenceSnapshotService>.Instance,
emitter);
var state = CreateTestPackRunState();
// Act
await service.CaptureRunCompletionAsync(
TestTenantId, TestRunId, TestPlanHash, state,
cancellationToken: TestContext.Current.CancellationToken);
// Assert
var events = sink.GetEvents();
Assert.Single(events);
Assert.Equal("pack.evidence.captured", events[0].EventType);
}
#endregion
#region Helper Methods
private static PackRunState CreateTestPackRunState()
{
var manifest = TestManifests.Load(TestManifests.Sample);
var planner = new TaskPackPlanner();
var planResult = planner.Plan(manifest);
var plan = planResult.Plan!;
var context = new PackRunExecutionContext(TestRunId, plan, DateTimeOffset.UtcNow);
var graphBuilder = new PackRunExecutionGraphBuilder();
var graph = graphBuilder.Build(plan);
var simulationEngine = new PackRunSimulationEngine();
var timestamp = DateTimeOffset.UtcNow;
return PackRunStateFactory.CreateInitialState(context, graph, simulationEngine, timestamp);
}
#endregion
}

716
src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/PackRunTimelineEventTests.cs Normal file
View File

@@ -0,0 +1,716 @@
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.TaskRunner.Core.Events;
using Xunit;
namespace StellaOps.TaskRunner.Tests;
/// <summary>
/// Tests for pack run timeline event domain model, emitter, and sink.
/// Per TASKRUN-OBS-52-001.
/// </summary>
public sealed class PackRunTimelineEventTests
{
private const string TestTenantId = "test-tenant";
private const string TestRunId = "run-12345";
private const string TestPlanHash = "sha256:abc123";
private const string TestStepId = "step-001";
private const string TestProjectId = "project-xyz";
#region Domain Model Tests
[Fact]
public void Create_WithRequiredFields_GeneratesValidEvent()
{
// Arrange
var occurredAt = DateTimeOffset.UtcNow;
// Act
var evt = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.PackStarted,
source: "taskrunner-worker",
occurredAt: occurredAt,
runId: TestRunId,
planHash: TestPlanHash);
// Assert
Assert.NotEqual(Guid.Empty, evt.EventId);
Assert.Equal(TestTenantId, evt.TenantId);
Assert.Equal(PackRunEventTypes.PackStarted, evt.EventType);
Assert.Equal("taskrunner-worker", evt.Source);
Assert.Equal(occurredAt, evt.OccurredAt);
Assert.Equal(TestRunId, evt.RunId);
Assert.Equal(TestPlanHash, evt.PlanHash);
Assert.Null(evt.ReceivedAt);
Assert.Null(evt.EventSeq);
}
[Fact]
public void Create_WithPayload_ComputesHashAndNormalizes()
{
// Arrange
var payload = new { stepId = "step-001", attempt = 1 };
// Act
var evt = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.StepStarted,
source: "taskrunner-worker",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash,
payload: payload);
// Assert
Assert.NotNull(evt.RawPayloadJson);
Assert.NotNull(evt.NormalizedPayloadJson);
Assert.NotNull(evt.PayloadHash);
Assert.StartsWith("sha256:", evt.PayloadHash);
Assert.Equal(64 + 7, evt.PayloadHash.Length); // sha256: prefix + 64 hex chars
}
[Fact]
public void Create_WithStepId_SetsStepId()
{
// Act
var evt = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.StepCompleted,
source: "taskrunner-worker",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash,
stepId: TestStepId);
// Assert
Assert.Equal(TestStepId, evt.StepId);
}
[Fact]
public void Create_WithEvidencePointer_SetsPointer()
{
// Arrange
var evidence = PackRunEvidencePointer.Bundle(Guid.NewGuid(), "sha256:def456");
// Act
var evt = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.PackCompleted,
source: "taskrunner-worker",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash,
evidencePointer: evidence);
// Assert
Assert.NotNull(evt.EvidencePointer);
Assert.Equal(PackRunEvidencePointerType.Bundle, evt.EvidencePointer.Type);
Assert.Equal("sha256:def456", evt.EvidencePointer.BundleDigest);
}
[Fact]
public void WithReceivedAt_CreatesCopyWithTimestamp()
{
// Arrange
var evt = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.PackStarted,
source: "taskrunner-worker",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash);
var receivedAt = DateTimeOffset.UtcNow.AddSeconds(1);
// Act
var updated = evt.WithReceivedAt(receivedAt);
// Assert
Assert.Null(evt.ReceivedAt);
Assert.Equal(receivedAt, updated.ReceivedAt);
Assert.Equal(evt.EventId, updated.EventId);
}
[Fact]
public void WithSequence_CreatesCopyWithSequence()
{
// Arrange
var evt = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.PackStarted,
source: "taskrunner-worker",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash);
// Act
var updated = evt.WithSequence(42);
// Assert
Assert.Null(evt.EventSeq);
Assert.Equal(42, updated.EventSeq);
}
[Fact]
public void ToJson_SerializesEvent()
{
// Arrange
var evt = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.StepCompleted,
source: "taskrunner-worker",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash,
stepId: TestStepId);
// Act
var json = evt.ToJson();
// Assert
Assert.Contains("\"tenantId\"", json);
Assert.Contains("\"eventType\"", json);
Assert.Contains("pack.step.completed", json);
Assert.Contains(TestStepId, json);
}
[Fact]
public void FromJson_DeserializesEvent()
{
// Arrange
var original = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.StepCompleted,
source: "taskrunner-worker",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash,
stepId: TestStepId);
var json = original.ToJson();
// Act
var deserialized = PackRunTimelineEvent.FromJson(json);
// Assert
Assert.NotNull(deserialized);
Assert.Equal(original.EventId, deserialized.EventId);
Assert.Equal(original.TenantId, deserialized.TenantId);
Assert.Equal(original.EventType, deserialized.EventType);
Assert.Equal(original.RunId, deserialized.RunId);
Assert.Equal(original.StepId, deserialized.StepId);
}
[Fact]
public void GenerateIdempotencyKey_ReturnsConsistentKey()
{
// Arrange
var evt = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.PackStarted,
source: "taskrunner-worker",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash);
// Act
var key1 = evt.GenerateIdempotencyKey();
var key2 = evt.GenerateIdempotencyKey();
// Assert
Assert.Equal(key1, key2);
Assert.Contains(TestTenantId, key1);
Assert.Contains(PackRunEventTypes.PackStarted, key1);
}
#endregion
#region Event Types Tests
[Fact]
public void PackRunEventTypes_HasExpectedValues()
{
Assert.Equal("pack.started", PackRunEventTypes.PackStarted);
Assert.Equal("pack.completed", PackRunEventTypes.PackCompleted);
Assert.Equal("pack.failed", PackRunEventTypes.PackFailed);
Assert.Equal("pack.step.started", PackRunEventTypes.StepStarted);
Assert.Equal("pack.step.completed", PackRunEventTypes.StepCompleted);
Assert.Equal("pack.step.failed", PackRunEventTypes.StepFailed);
}
[Theory]
[InlineData("pack.started", true)]
[InlineData("pack.step.completed", true)]
[InlineData("scan.completed", false)]
[InlineData("job.started", false)]
public void IsPackRunEvent_ReturnsCorrectly(string eventType, bool expected)
{
Assert.Equal(expected, PackRunEventTypes.IsPackRunEvent(eventType));
}
#endregion
#region Evidence Pointer Tests
[Fact]
public void EvidencePointer_Bundle_CreatesCorrectType()
{
var bundleId = Guid.NewGuid();
var pointer = PackRunEvidencePointer.Bundle(bundleId, "sha256:abc");
Assert.Equal(PackRunEvidencePointerType.Bundle, pointer.Type);
Assert.Equal(bundleId, pointer.BundleId);
Assert.Equal("sha256:abc", pointer.BundleDigest);
}
[Fact]
public void EvidencePointer_Attestation_CreatesCorrectType()
{
var pointer = PackRunEvidencePointer.Attestation("subject:uri", "sha256:abc");
Assert.Equal(PackRunEvidencePointerType.Attestation, pointer.Type);
Assert.Equal("subject:uri", pointer.AttestationSubject);
Assert.Equal("sha256:abc", pointer.AttestationDigest);
}
[Fact]
public void EvidencePointer_Manifest_CreatesCorrectType()
{
var pointer = PackRunEvidencePointer.Manifest("https://example.com/manifest", "/locker/path");
Assert.Equal(PackRunEvidencePointerType.Manifest, pointer.Type);
Assert.Equal("https://example.com/manifest", pointer.ManifestUri);
Assert.Equal("/locker/path", pointer.LockerPath);
}
#endregion
#region In-Memory Sink Tests
[Fact]
public async Task InMemorySink_WriteAsync_StoresEvent()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var evt = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.PackStarted,
source: "taskrunner-worker",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash);
// Act
var result = await sink.WriteAsync(evt, TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.NotNull(result.Sequence);
Assert.False(result.Deduplicated);
Assert.Equal(1, sink.Count);
}
[Fact]
public async Task InMemorySink_WriteAsync_Deduplicates()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var evt = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.PackStarted,
source: "taskrunner-worker",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash);
var ct = TestContext.Current.CancellationToken;
// Act
await sink.WriteAsync(evt, ct);
var result = await sink.WriteAsync(evt, ct);
// Assert
Assert.True(result.Success);
Assert.True(result.Deduplicated);
Assert.Equal(1, sink.Count);
}
[Fact]
public async Task InMemorySink_AssignsMonotonicSequence()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var ct = TestContext.Current.CancellationToken;
// Act
var evt1 = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.PackStarted,
source: "test",
occurredAt: DateTimeOffset.UtcNow,
runId: "run-1",
planHash: TestPlanHash);
var evt2 = PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.StepStarted,
source: "test",
occurredAt: DateTimeOffset.UtcNow,
runId: "run-1",
planHash: TestPlanHash);
var result1 = await sink.WriteAsync(evt1, ct);
var result2 = await sink.WriteAsync(evt2, ct);
// Assert
Assert.Equal(1, result1.Sequence);
Assert.Equal(2, result2.Sequence);
}
[Fact]
public async Task InMemorySink_WriteBatchAsync_StoresMultiple()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var events = Enumerable.Range(0, 3).Select(i =>
PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.StepStarted,
source: "test",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash,
stepId: $"step-{i}")).ToList();
// Act
var result = await sink.WriteBatchAsync(events, TestContext.Current.CancellationToken);
// Assert
Assert.Equal(3, result.Written);
Assert.Equal(0, result.Deduplicated);
Assert.Equal(3, sink.Count);
}
[Fact]
public async Task InMemorySink_GetEventsForRun_FiltersCorrectly()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var ct = TestContext.Current.CancellationToken;
await sink.WriteAsync(PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.PackStarted,
source: "test",
occurredAt: DateTimeOffset.UtcNow,
runId: "run-1",
planHash: TestPlanHash), ct);
await sink.WriteAsync(PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.PackStarted,
source: "test",
occurredAt: DateTimeOffset.UtcNow,
runId: "run-2",
planHash: TestPlanHash), ct);
// Act
var run1Events = sink.GetEventsForRun("run-1");
var run2Events = sink.GetEventsForRun("run-2");
// Assert
Assert.Single(run1Events);
Assert.Single(run2Events);
Assert.Equal("run-1", run1Events[0].RunId);
Assert.Equal("run-2", run2Events[0].RunId);
}
[Fact]
public async Task InMemorySink_Clear_RemovesAll()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
await sink.WriteAsync(PackRunTimelineEvent.Create(
tenantId: TestTenantId,
eventType: PackRunEventTypes.PackStarted,
source: "test",
occurredAt: DateTimeOffset.UtcNow,
runId: TestRunId,
planHash: TestPlanHash), TestContext.Current.CancellationToken);
// Act
sink.Clear();
// Assert
Assert.Equal(0, sink.Count);
}
#endregion
#region Emitter Tests
[Fact]
public async Task Emitter_EmitPackStartedAsync_CreatesEvent()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var timeProvider = new FakeTimeProvider(DateTimeOffset.UtcNow);
var emitter = new PackRunTimelineEventEmitter(
sink,
timeProvider,
NullLogger<PackRunTimelineEventEmitter>.Instance);
// Act
var result = await emitter.EmitPackStartedAsync(
TestTenantId,
TestRunId,
TestPlanHash,
projectId: TestProjectId,
cancellationToken: TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.False(result.Deduplicated);
Assert.Equal(PackRunEventTypes.PackStarted, result.Event.EventType);
Assert.Equal(TestRunId, result.Event.RunId);
Assert.Equal(1, sink.Count);
}
[Fact]
public async Task Emitter_EmitPackCompletedAsync_CreatesEvent()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var timeProvider = new FakeTimeProvider(DateTimeOffset.UtcNow);
var emitter = new PackRunTimelineEventEmitter(
sink,
timeProvider,
NullLogger<PackRunTimelineEventEmitter>.Instance);
// Act
var result = await emitter.EmitPackCompletedAsync(
TestTenantId,
TestRunId,
TestPlanHash,
cancellationToken: TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.Equal(PackRunEventTypes.PackCompleted, result.Event.EventType);
}
[Fact]
public async Task Emitter_EmitPackFailedAsync_CreatesEventWithError()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var timeProvider = new FakeTimeProvider(DateTimeOffset.UtcNow);
var emitter = new PackRunTimelineEventEmitter(
sink,
timeProvider,
NullLogger<PackRunTimelineEventEmitter>.Instance);
// Act
var result = await emitter.EmitPackFailedAsync(
TestTenantId,
TestRunId,
TestPlanHash,
failureReason: "Step step-001 failed",
cancellationToken: TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.Equal(PackRunEventTypes.PackFailed, result.Event.EventType);
Assert.Equal(PackRunEventSeverity.Error, result.Event.Severity);
Assert.Contains("failureReason", result.Event.Attributes!.Keys);
}
[Fact]
public async Task Emitter_EmitStepStartedAsync_IncludesAttempt()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var timeProvider = new FakeTimeProvider(DateTimeOffset.UtcNow);
var emitter = new PackRunTimelineEventEmitter(
sink,
timeProvider,
NullLogger<PackRunTimelineEventEmitter>.Instance);
// Act
var result = await emitter.EmitStepStartedAsync(
TestTenantId,
TestRunId,
TestPlanHash,
TestStepId,
attempt: 2,
cancellationToken: TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.Equal(PackRunEventTypes.StepStarted, result.Event.EventType);
Assert.Equal(TestStepId, result.Event.StepId);
Assert.Equal("2", result.Event.Attributes!["attempt"]);
}
[Fact]
public async Task Emitter_EmitStepCompletedAsync_IncludesDuration()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var timeProvider = new FakeTimeProvider(DateTimeOffset.UtcNow);
var emitter = new PackRunTimelineEventEmitter(
sink,
timeProvider,
NullLogger<PackRunTimelineEventEmitter>.Instance);
// Act
var result = await emitter.EmitStepCompletedAsync(
TestTenantId,
TestRunId,
TestPlanHash,
TestStepId,
attempt: 1,
durationMs: 123.45,
cancellationToken: TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.Equal(PackRunEventTypes.StepCompleted, result.Event.EventType);
Assert.Contains("durationMs", result.Event.Attributes!.Keys);
}
[Fact]
public async Task Emitter_EmitStepFailedAsync_IncludesError()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var timeProvider = new FakeTimeProvider(DateTimeOffset.UtcNow);
var emitter = new PackRunTimelineEventEmitter(
sink,
timeProvider,
NullLogger<PackRunTimelineEventEmitter>.Instance);
// Act
var result = await emitter.EmitStepFailedAsync(
TestTenantId,
TestRunId,
TestPlanHash,
TestStepId,
attempt: 3,
error: "Connection timeout",
cancellationToken: TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.Equal(PackRunEventTypes.StepFailed, result.Event.EventType);
Assert.Equal(PackRunEventSeverity.Error, result.Event.Severity);
Assert.Equal("Connection timeout", result.Event.Attributes!["error"]);
}
[Fact]
public async Task Emitter_EmitBatchAsync_OrdersEventsDeterministically()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var timeProvider = new FakeTimeProvider(DateTimeOffset.UtcNow);
var emitter = new PackRunTimelineEventEmitter(
sink,
timeProvider,
NullLogger<PackRunTimelineEventEmitter>.Instance);
var now = DateTimeOffset.UtcNow;
var events = new[]
{
PackRunTimelineEvent.Create(TestTenantId, PackRunEventTypes.StepStarted, "test", now.AddSeconds(2), TestRunId, TestPlanHash),
PackRunTimelineEvent.Create(TestTenantId, PackRunEventTypes.PackStarted, "test", now, TestRunId, TestPlanHash),
PackRunTimelineEvent.Create(TestTenantId, PackRunEventTypes.StepCompleted, "test", now.AddSeconds(1), TestRunId, TestPlanHash),
};
// Act
var result = await emitter.EmitBatchAsync(events, TestContext.Current.CancellationToken);
// Assert
Assert.Equal(3, result.Emitted);
Assert.Equal(0, result.Deduplicated);
var stored = sink.GetEvents();
Assert.Equal(PackRunEventTypes.PackStarted, stored[0].EventType);
Assert.Equal(PackRunEventTypes.StepCompleted, stored[1].EventType);
Assert.Equal(PackRunEventTypes.StepStarted, stored[2].EventType);
}
[Fact]
public async Task Emitter_EmitBatchAsync_HandlesDuplicates()
{
// Arrange
var sink = new InMemoryPackRunTimelineEventSink();
var timeProvider = new FakeTimeProvider(DateTimeOffset.UtcNow);
var emitter = new PackRunTimelineEventEmitter(
sink,
timeProvider,
NullLogger<PackRunTimelineEventEmitter>.Instance);
var ct = TestContext.Current.CancellationToken;
var evt = PackRunTimelineEvent.Create(
TestTenantId,
PackRunEventTypes.PackStarted,
"test",
DateTimeOffset.UtcNow,
TestRunId,
TestPlanHash);
// Emit once directly
await sink.WriteAsync(evt, ct);
// Act - emit batch with same event
var result = await emitter.EmitBatchAsync([evt], ct);
// Assert
Assert.Equal(0, result.Emitted);
Assert.Equal(1, result.Deduplicated);
Assert.Equal(1, sink.Count); // Only one event stored
}
#endregion
#region Null Sink Tests
[Fact]
public async Task NullSink_WriteAsync_ReturnsSuccess()
{
// Arrange
var sink = NullPackRunTimelineEventSink.Instance;
var evt = PackRunTimelineEvent.Create(
TestTenantId,
PackRunEventTypes.PackStarted,
"test",
DateTimeOffset.UtcNow,
TestRunId,
TestPlanHash);
// Act
var result = await sink.WriteAsync(evt, TestContext.Current.CancellationToken);
// Assert
Assert.True(result.Success);
Assert.False(result.Deduplicated);
Assert.Null(result.Sequence);
}
#endregion
}
/// <summary>
/// Fake time provider for testing.
/// </summary>
internal sealed class FakeTimeProvider : TimeProvider
{
private DateTimeOffset _utcNow;
public FakeTimeProvider(DateTimeOffset utcNow)
{
_utcNow = utcNow;
}
public override DateTimeOffset GetUtcNow() => _utcNow;
public void Advance(TimeSpan duration) => _utcNow = _utcNow.Add(duration);
}

476
src/VexLens/StellaOps.VexLens/Caching/IConsensusRationaleCache.cs Normal file
View File

@@ -0,0 +1,476 @@
using StellaOps.VexLens.Api;
using StellaOps.VexLens.Consensus;
using StellaOps.VexLens.Models;
namespace StellaOps.VexLens.Caching;
/// <summary>
/// Cache interface for consensus rationale storage.
/// Used by Advisory AI for efficient rationale retrieval.
/// </summary>
public interface IConsensusRationaleCache
{
/// <summary>
/// Gets a cached rationale by key.
/// </summary>
Task<DetailedConsensusRationale?> GetAsync(
string cacheKey,
CancellationToken cancellationToken = default);
/// <summary>
/// Sets a rationale in the cache.
/// </summary>
Task SetAsync(
string cacheKey,
DetailedConsensusRationale rationale,
CacheOptions? options = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets or creates a rationale using the factory if not cached.
/// </summary>
Task<DetailedConsensusRationale> GetOrCreateAsync(
string cacheKey,
Func<CancellationToken, Task<DetailedConsensusRationale>> factory,
CacheOptions? options = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Removes a rationale from the cache.
/// </summary>
Task RemoveAsync(
string cacheKey,
CancellationToken cancellationToken = default);
/// <summary>
/// Removes all rationales for a vulnerability-product pair.
/// </summary>
Task InvalidateAsync(
string vulnerabilityId,
string productKey,
CancellationToken cancellationToken = default);
/// <summary>
/// Clears all cached rationales.
/// </summary>
Task ClearAsync(CancellationToken cancellationToken = default);
/// <summary>
/// Gets cache statistics.
/// </summary>
Task<CacheStatistics> GetStatisticsAsync(CancellationToken cancellationToken = default);
}
/// <summary>
/// Options for cache entries.
/// </summary>
public sealed record CacheOptions(
/// <summary>
/// Absolute expiration time.
/// </summary>
DateTimeOffset? AbsoluteExpiration = null,
/// <summary>
/// Sliding expiration duration.
/// </summary>
TimeSpan? SlidingExpiration = null,
/// <summary>
/// Cache entry priority.
/// </summary>
CachePriority Priority = CachePriority.Normal,
/// <summary>
/// Tags for grouping cache entries.
/// </summary>
IReadOnlyList<string>? Tags = null);
/// <summary>
/// Cache entry priority.
/// </summary>
public enum CachePriority
{
Low,
Normal,
High,
NeverRemove
}
/// <summary>
/// Cache statistics.
/// </summary>
public sealed record CacheStatistics(
/// <summary>
/// Total number of cached entries.
/// </summary>
int EntryCount,
/// <summary>
/// Total cache hits.
/// </summary>
long HitCount,
/// <summary>
/// Total cache misses.
/// </summary>
long MissCount,
/// <summary>
/// Estimated memory usage in bytes.
/// </summary>
long EstimatedMemoryBytes,
/// <summary>
/// Hit rate percentage.
/// </summary>
double HitRate,
/// <summary>
/// When the cache was last cleared.
/// </summary>
DateTimeOffset? LastCleared);
/// <summary>
/// In-memory implementation of consensus rationale cache.
/// </summary>
public sealed class InMemoryConsensusRationaleCache : IConsensusRationaleCache
{
private readonly Dictionary<string, CacheEntry> _cache = new();
private readonly object _lock = new();
private readonly int _maxEntries;
private long _hitCount;
private long _missCount;
private DateTimeOffset? _lastCleared;
public InMemoryConsensusRationaleCache(int maxEntries = 10000)
{
_maxEntries = maxEntries;
}
public Task<DetailedConsensusRationale?> GetAsync(
string cacheKey,
CancellationToken cancellationToken = default)
{
lock (_lock)
{
if (_cache.TryGetValue(cacheKey, out var entry))
{
if (IsExpired(entry))
{
_cache.Remove(cacheKey);
Interlocked.Increment(ref _missCount);
return Task.FromResult<DetailedConsensusRationale?>(null);
}
entry.LastAccessed = DateTimeOffset.UtcNow;
Interlocked.Increment(ref _hitCount);
return Task.FromResult<DetailedConsensusRationale?>(entry.Rationale);
}
Interlocked.Increment(ref _missCount);
return Task.FromResult<DetailedConsensusRationale?>(null);
}
}
public Task SetAsync(
string cacheKey,
DetailedConsensusRationale rationale,
CacheOptions? options = null,
CancellationToken cancellationToken = default)
{
lock (_lock)
{
// Evict if at capacity
if (_cache.Count >= _maxEntries && !_cache.ContainsKey(cacheKey))
{
EvictOldestEntry();
}
_cache[cacheKey] = new CacheEntry
{
Rationale = rationale,
Options = options ?? new CacheOptions(),
Created = DateTimeOffset.UtcNow,
LastAccessed = DateTimeOffset.UtcNow
};
return Task.CompletedTask;
}
}
public async Task<DetailedConsensusRationale> GetOrCreateAsync(
string cacheKey,
Func<CancellationToken, Task<DetailedConsensusRationale>> factory,
CacheOptions? options = null,
CancellationToken cancellationToken = default)
{
var cached = await GetAsync(cacheKey, cancellationToken);
if (cached != null)
{
return cached;
}
var rationale = await factory(cancellationToken);
await SetAsync(cacheKey, rationale, options, cancellationToken);
return rationale;
}
public Task RemoveAsync(
string cacheKey,
CancellationToken cancellationToken = default)
{
lock (_lock)
{
_cache.Remove(cacheKey);
return Task.CompletedTask;
}
}
public Task InvalidateAsync(
string vulnerabilityId,
string productKey,
CancellationToken cancellationToken = default)
{
lock (_lock)
{
var keysToRemove = _cache
.Where(kvp => kvp.Value.Rationale.VulnerabilityId == vulnerabilityId &&
kvp.Value.Rationale.ProductKey == productKey)
.Select(kvp => kvp.Key)
.ToList();
foreach (var key in keysToRemove)
{
_cache.Remove(key);
}
return Task.CompletedTask;
}
}
public Task ClearAsync(CancellationToken cancellationToken = default)
{
lock (_lock)
{
_cache.Clear();
_lastCleared = DateTimeOffset.UtcNow;
return Task.CompletedTask;
}
}
public Task<CacheStatistics> GetStatisticsAsync(CancellationToken cancellationToken = default)
{
lock (_lock)
{
var hits = Interlocked.Read(ref _hitCount);
var misses = Interlocked.Read(ref _missCount);
var total = hits + misses;
return Task.FromResult(new CacheStatistics(
EntryCount: _cache.Count,
HitCount: hits,
MissCount: misses,
EstimatedMemoryBytes: EstimateMemoryUsage(),
HitRate: total > 0 ? (double)hits / total : 0,
LastCleared: _lastCleared));
}
}
private static bool IsExpired(CacheEntry entry)
{
var now = DateTimeOffset.UtcNow;
if (entry.Options.AbsoluteExpiration.HasValue &&
now >= entry.Options.AbsoluteExpiration.Value)
{
return true;
}
if (entry.Options.SlidingExpiration.HasValue &&
now - entry.LastAccessed >= entry.Options.SlidingExpiration.Value)
{
return true;
}
return false;
}
private void EvictOldestEntry()
{
var oldest = _cache
.Where(kvp => kvp.Value.Options.Priority != CachePriority.NeverRemove)
.OrderBy(kvp => kvp.Value.Options.Priority)
.ThenBy(kvp => kvp.Value.LastAccessed)
.FirstOrDefault();
if (oldest.Key != null)
{
_cache.Remove(oldest.Key);
}
}
private long EstimateMemoryUsage()
{
// Rough estimate: 1KB per entry on average
return _cache.Count * 1024L;
}
private sealed class CacheEntry
{
public required DetailedConsensusRationale Rationale { get; init; }
public required CacheOptions Options { get; init; }
public required DateTimeOffset Created { get; init; }
public DateTimeOffset LastAccessed { get; set; }
}
}
/// <summary>
/// Cached consensus rationale service that wraps the base service with caching.
/// </summary>
public sealed class CachedConsensusRationaleService : IConsensusRationaleService
{
private readonly IConsensusRationaleService _inner;
private readonly IConsensusRationaleCache _cache;
private readonly CacheOptions _defaultOptions;
public CachedConsensusRationaleService(
IConsensusRationaleService inner,
IConsensusRationaleCache cache,
CacheOptions? defaultOptions = null)
{
_inner = inner;
_cache = cache;
_defaultOptions = defaultOptions ?? new CacheOptions(
SlidingExpiration: TimeSpan.FromMinutes(30));
}
public async Task<GenerateRationaleResponse> GenerateRationaleAsync(
GenerateRationaleRequest request,
CancellationToken cancellationToken = default)
{
var cacheKey = BuildCacheKey(request);
var startTime = DateTime.UtcNow;
var rationale = await _cache.GetOrCreateAsync(
cacheKey,
async ct =>
{
var response = await _inner.GenerateRationaleAsync(request, ct);
return response.Rationale;
},
_defaultOptions,
cancellationToken);
var elapsedMs = (DateTime.UtcNow - startTime).TotalMilliseconds;
return new GenerateRationaleResponse(
Rationale: rationale,
Stats: new RationaleGenerationStats(
StatementsAnalyzed: 0, // Not tracked in cache hit
IssuersInvolved: 0,
ConflictsDetected: 0,
FactorsIdentified: rationale.DecisionFactors.Count,
GenerationTimeMs: elapsedMs));
}
public async Task<BatchRationaleResponse> GenerateBatchRationaleAsync(
BatchRationaleRequest request,
CancellationToken cancellationToken = default)
{
var startTime = DateTime.UtcNow;
var responses = new List<GenerateRationaleResponse>();
var errors = new List<RationaleError>();
foreach (var req in request.Requests)
{
try
{
var response = await GenerateRationaleAsync(req, cancellationToken);
responses.Add(response);
}
catch (Exception ex)
{
errors.Add(new RationaleError(
VulnerabilityId: req.VulnerabilityId,
ProductKey: req.ProductKey,
Code: "GENERATION_FAILED",
Message: ex.Message));
}
}
return new BatchRationaleResponse(
Responses: responses,
Errors: errors,
TotalTimeMs: (DateTime.UtcNow - startTime).TotalMilliseconds);
}
public Task<DetailedConsensusRationale> GenerateFromResultAsync(
VexConsensusResult result,
string explanationFormat = "human",
CancellationToken cancellationToken = default)
{
// Direct passthrough - results are ephemeral and shouldn't be cached
return _inner.GenerateFromResultAsync(result, explanationFormat, cancellationToken);
}
private static string BuildCacheKey(GenerateRationaleRequest request)
{
return $"rationale:{request.VulnerabilityId}:{request.ProductKey}:{request.TenantId ?? "default"}:{request.Verbosity}:{request.ExplanationFormat}";
}
}
/// <summary>
/// Event arguments for cache invalidation.
/// </summary>
public sealed record CacheInvalidationEvent(
string VulnerabilityId,
string ProductKey,
string? TenantId,
string Reason,
DateTimeOffset OccurredAt);
/// <summary>
/// Interface for observing cache invalidations.
/// </summary>
public interface ICacheInvalidationObserver
{
/// <summary>
/// Called when cache entries are invalidated.
/// </summary>
Task OnInvalidationAsync(
CacheInvalidationEvent invalidation,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Extension methods for cache configuration.
/// </summary>
public static class ConsensusCacheExtensions
{
/// <summary>
/// Creates a cache key for a vulnerability-product pair.
/// </summary>
public static string CreateCacheKey(
string vulnerabilityId,
string productKey,
string? tenantId = null,
string verbosity = "standard",
string format = "human")
{
return $"rationale:{vulnerabilityId}:{productKey}:{tenantId ?? "default"}:{verbosity}:{format}";
}
/// <summary>
/// Creates default cache options for Advisory AI usage.
/// </summary>
public static CacheOptions CreateAdvisoryAiOptions(
TimeSpan? slidingExpiration = null,
CachePriority priority = CachePriority.High)
{
return new CacheOptions(
SlidingExpiration: slidingExpiration ?? TimeSpan.FromHours(1),
Priority: priority,
Tags: ["advisory-ai"]);
}
}

581
src/VexLens/StellaOps.VexLens/Export/IConsensusExportService.cs Normal file
View File

@@ -0,0 +1,581 @@
using System.Text.Json;
using StellaOps.VexLens.Consensus;
using StellaOps.VexLens.Models;
using StellaOps.VexLens.Storage;
namespace StellaOps.VexLens.Export;
/// <summary>
/// Service for exporting consensus projections to offline bundles.
/// </summary>
public interface IConsensusExportService
{
/// <summary>
/// Creates a snapshot of consensus projections.
/// </summary>
Task<ConsensusSnapshot> CreateSnapshotAsync(
SnapshotRequest request,
CancellationToken cancellationToken = default);
/// <summary>
/// Exports snapshot to a stream in the specified format.
/// </summary>
Task ExportToStreamAsync(
ConsensusSnapshot snapshot,
Stream outputStream,
ExportFormat format = ExportFormat.JsonLines,
CancellationToken cancellationToken = default);
/// <summary>
/// Creates an incremental snapshot since the last export.
/// </summary>
Task<IncrementalSnapshot> CreateIncrementalSnapshotAsync(
string? lastSnapshotId,
DateTimeOffset? since,
SnapshotRequest request,
CancellationToken cancellationToken = default);
/// <summary>
/// Verifies a snapshot against stored projections.
/// </summary>
Task<SnapshotVerificationResult> VerifySnapshotAsync(
ConsensusSnapshot snapshot,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Request for creating a snapshot.
/// </summary>
public sealed record SnapshotRequest(
/// <summary>
/// Tenant ID filter (null for all tenants).
/// </summary>
string? TenantId,
/// <summary>
/// Filter by vulnerability IDs (null for all).
/// </summary>
IReadOnlyList<string>? VulnerabilityIds,
/// <summary>
/// Filter by product keys (null for all).
/// </summary>
IReadOnlyList<string>? ProductKeys,
/// <summary>
/// Minimum confidence threshold.
/// </summary>
double? MinimumConfidence,
/// <summary>
/// Filter by status (null for all).
/// </summary>
VexStatus? Status,
/// <summary>
/// Include projections computed after this time.
/// </summary>
DateTimeOffset? ComputedAfter,
/// <summary>
/// Include projections computed before this time.
/// </summary>
DateTimeOffset? ComputedBefore,
/// <summary>
/// Include projection history.
/// </summary>
bool IncludeHistory,
/// <summary>
/// Maximum projections to include.
/// </summary>
int? MaxProjections);
/// <summary>
/// A snapshot of consensus projections.
/// </summary>
public sealed record ConsensusSnapshot(
/// <summary>
/// Unique snapshot identifier.
/// </summary>
string SnapshotId,
/// <summary>
/// When the snapshot was created.
/// </summary>
DateTimeOffset CreatedAt,
/// <summary>
/// Snapshot version for format compatibility.
/// </summary>
string Version,
/// <summary>
/// Tenant ID if filtered.
/// </summary>
string? TenantId,
/// <summary>
/// The consensus projections.
/// </summary>
IReadOnlyList<ConsensusProjection> Projections,
/// <summary>
/// Projection history if requested.
/// </summary>
IReadOnlyList<ConsensusProjection>? History,
/// <summary>
/// Snapshot metadata.
/// </summary>
SnapshotMetadata Metadata);
/// <summary>
/// Metadata about a snapshot.
/// </summary>
public sealed record SnapshotMetadata(
/// <summary>
/// Total projections in snapshot.
/// </summary>
int TotalProjections,
/// <summary>
/// Total history entries if included.
/// </summary>
int TotalHistoryEntries,
/// <summary>
/// Oldest projection in snapshot.
/// </summary>
DateTimeOffset? OldestProjection,
/// <summary>
/// Newest projection in snapshot.
/// </summary>
DateTimeOffset? NewestProjection,
/// <summary>
/// Status counts.
/// </summary>
IReadOnlyDictionary<VexStatus, int> StatusCounts,
/// <summary>
/// Content hash for verification.
/// </summary>
string ContentHash,
/// <summary>
/// Creator identifier.
/// </summary>
string? CreatedBy);
/// <summary>
/// Incremental snapshot since last export.
/// </summary>
public sealed record IncrementalSnapshot(
/// <summary>
/// This snapshot's ID.
/// </summary>
string SnapshotId,
/// <summary>
/// Previous snapshot ID this is based on.
/// </summary>
string? PreviousSnapshotId,
/// <summary>
/// When the snapshot was created.
/// </summary>
DateTimeOffset CreatedAt,
/// <summary>
/// Snapshot version.
/// </summary>
string Version,
/// <summary>
/// New or updated projections.
/// </summary>
IReadOnlyList<ConsensusProjection> Added,
/// <summary>
/// Removed projection keys.
/// </summary>
IReadOnlyList<ProjectionKey> Removed,
/// <summary>
/// Incremental metadata.
/// </summary>
IncrementalMetadata Metadata);
/// <summary>
/// Key identifying a projection.
/// </summary>
public sealed record ProjectionKey(
string VulnerabilityId,
string ProductKey,
string? TenantId);
/// <summary>
/// Metadata for incremental snapshot.
/// </summary>
public sealed record IncrementalMetadata(
int AddedCount,
int RemovedCount,
DateTimeOffset? SinceTimestamp,
string ContentHash);
/// <summary>
/// Result of snapshot verification.
/// </summary>
public sealed record SnapshotVerificationResult(
bool IsValid,
string? ErrorMessage,
int VerifiedCount,
int MismatchCount,
IReadOnlyList<VerificationMismatch>? Mismatches);
/// <summary>
/// A mismatch found during verification.
/// </summary>
public sealed record VerificationMismatch(
string VulnerabilityId,
string ProductKey,
string Field,
string? ExpectedValue,
string? ActualValue);
/// <summary>
/// Export format.
/// </summary>
public enum ExportFormat
{
/// <summary>
/// NDJSON (newline-delimited JSON).
/// </summary>
JsonLines,
/// <summary>
/// Single JSON document.
/// </summary>
Json,
/// <summary>
/// Compact binary format.
/// </summary>
Binary
}
/// <summary>
/// Default implementation of <see cref="IConsensusExportService"/>.
/// </summary>
public sealed class ConsensusExportService : IConsensusExportService
{
private readonly IConsensusProjectionStore _projectionStore;
private const string SnapshotVersion = "1.0.0";
public ConsensusExportService(IConsensusProjectionStore projectionStore)
{
_projectionStore = projectionStore;
}
public async Task<ConsensusSnapshot> CreateSnapshotAsync(
SnapshotRequest request,
CancellationToken cancellationToken = default)
{
var query = new ProjectionQuery(
TenantId: request.TenantId,
VulnerabilityId: request.VulnerabilityIds?.FirstOrDefault(),
ProductKey: request.ProductKeys?.FirstOrDefault(),
Status: request.Status,
Outcome: null,
MinimumConfidence: request.MinimumConfidence,
ComputedAfter: request.ComputedAfter,
ComputedBefore: request.ComputedBefore,
StatusChanged: null,
Limit: request.MaxProjections ?? 10000,
Offset: 0,
SortBy: ProjectionSortField.ComputedAt,
SortDescending: true);
var result = await _projectionStore.ListAsync(query, cancellationToken);
// Filter by additional criteria if needed
var projections = result.Projections.ToList();
if (request.VulnerabilityIds is { Count: > 1 })
{
var vulnSet = new HashSet<string>(request.VulnerabilityIds);
projections = projections.Where(p => vulnSet.Contains(p.VulnerabilityId)).ToList();
}
if (request.ProductKeys is { Count: > 1 })
{
var productSet = new HashSet<string>(request.ProductKeys);
projections = projections.Where(p => productSet.Contains(p.ProductKey)).ToList();
}
// Load history if requested
List<ConsensusProjection>? history = null;
if (request.IncludeHistory)
{
history = [];
foreach (var projection in projections.Take(100)) // Limit history loading
{
var projHistory = await _projectionStore.GetHistoryAsync(
projection.VulnerabilityId,
projection.ProductKey,
projection.TenantId,
10,
cancellationToken);
history.AddRange(projHistory);
}
}
var statusCounts = projections
.GroupBy(p => p.Status)
.ToDictionary(g => g.Key, g => g.Count());
var snapshotId = $"snap-{Guid.NewGuid():N}";
var contentHash = ComputeContentHash(projections);
return new ConsensusSnapshot(
SnapshotId: snapshotId,
CreatedAt: DateTimeOffset.UtcNow,
Version: SnapshotVersion,
TenantId: request.TenantId,
Projections: projections,
History: history,
Metadata: new SnapshotMetadata(
TotalProjections: projections.Count,
TotalHistoryEntries: history?.Count ?? 0,
OldestProjection: projections.Min(p => (DateTimeOffset?)p.ComputedAt),
NewestProjection: projections.Max(p => (DateTimeOffset?)p.ComputedAt),
StatusCounts: statusCounts,
ContentHash: contentHash,
CreatedBy: "VexLens"));
}
public async Task ExportToStreamAsync(
ConsensusSnapshot snapshot,
Stream outputStream,
ExportFormat format = ExportFormat.JsonLines,
CancellationToken cancellationToken = default)
{
var options = new JsonSerializerOptions
{
WriteIndented = format == ExportFormat.Json,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
switch (format)
{
case ExportFormat.JsonLines:
await ExportAsJsonLinesAsync(snapshot, outputStream, options, cancellationToken);
break;
case ExportFormat.Json:
await JsonSerializer.SerializeAsync(outputStream, snapshot, options, cancellationToken);
break;
case ExportFormat.Binary:
// For binary format, use JSON with no indentation as a simple binary-ish format
options.WriteIndented = false;
await JsonSerializer.SerializeAsync(outputStream, snapshot, options, cancellationToken);
break;
}
}
public async Task<IncrementalSnapshot> CreateIncrementalSnapshotAsync(
string? lastSnapshotId,
DateTimeOffset? since,
SnapshotRequest request,
CancellationToken cancellationToken = default)
{
// Get current projections
var currentRequest = request with { ComputedAfter = since };
var current = await CreateSnapshotAsync(currentRequest, cancellationToken);
// For a true incremental, we'd compare with the previous snapshot
// Here we just return new/updated since the timestamp
var snapshotId = $"snap-inc-{Guid.NewGuid():N}";
var contentHash = ComputeContentHash(current.Projections);
return new IncrementalSnapshot(
SnapshotId: snapshotId,
PreviousSnapshotId: lastSnapshotId,
CreatedAt: DateTimeOffset.UtcNow,
Version: SnapshotVersion,
Added: current.Projections,
Removed: [], // Would need previous snapshot to determine removed
Metadata: new IncrementalMetadata(
AddedCount: current.Projections.Count,
RemovedCount: 0,
SinceTimestamp: since,
ContentHash: contentHash));
}
public async Task<SnapshotVerificationResult> VerifySnapshotAsync(
ConsensusSnapshot snapshot,
CancellationToken cancellationToken = default)
{
var mismatches = new List<VerificationMismatch>();
var verifiedCount = 0;
foreach (var projection in snapshot.Projections)
{
var current = await _projectionStore.GetLatestAsync(
projection.VulnerabilityId,
projection.ProductKey,
projection.TenantId,
cancellationToken);
if (current == null)
{
mismatches.Add(new VerificationMismatch(
projection.VulnerabilityId,
projection.ProductKey,
"existence",
"exists",
"not found"));
continue;
}
// Check key fields
if (current.Status != projection.Status)
{
mismatches.Add(new VerificationMismatch(
projection.VulnerabilityId,
projection.ProductKey,
"status",
projection.Status.ToString(),
current.Status.ToString()));
}
if (Math.Abs(current.ConfidenceScore - projection.ConfidenceScore) > 0.001)
{
mismatches.Add(new VerificationMismatch(
projection.VulnerabilityId,
projection.ProductKey,
"confidenceScore",
projection.ConfidenceScore.ToString("F4"),
current.ConfidenceScore.ToString("F4")));
}
verifiedCount++;
}
return new SnapshotVerificationResult(
IsValid: mismatches.Count == 0,
ErrorMessage: mismatches.Count > 0 ? $"{mismatches.Count} mismatch(es) found" : null,
VerifiedCount: verifiedCount,
MismatchCount: mismatches.Count,
Mismatches: mismatches.Count > 0 ? mismatches : null);
}
private static async Task ExportAsJsonLinesAsync(
ConsensusSnapshot snapshot,
Stream outputStream,
JsonSerializerOptions options,
CancellationToken cancellationToken)
{
await using var writer = new StreamWriter(outputStream, leaveOpen: true);
// Write header line
var header = new
{
type = "header",
snapshotId = snapshot.SnapshotId,
createdAt = snapshot.CreatedAt,
version = snapshot.Version,
metadata = snapshot.Metadata
};
await writer.WriteLineAsync(JsonSerializer.Serialize(header, options));
// Write each projection
foreach (var projection in snapshot.Projections)
{
cancellationToken.ThrowIfCancellationRequested();
var line = new { type = "projection", data = projection };
await writer.WriteLineAsync(JsonSerializer.Serialize(line, options));
}
// Write history if present
if (snapshot.History != null)
{
foreach (var historyEntry in snapshot.History)
{
cancellationToken.ThrowIfCancellationRequested();
var line = new { type = "history", data = historyEntry };
await writer.WriteLineAsync(JsonSerializer.Serialize(line, options));
}
}
// Write footer
var footer = new
{
type = "footer",
totalProjections = snapshot.Projections.Count,
totalHistory = snapshot.History?.Count ?? 0,
contentHash = snapshot.Metadata.ContentHash
};
await writer.WriteLineAsync(JsonSerializer.Serialize(footer, options));
}
private static string ComputeContentHash(IReadOnlyList<ConsensusProjection> projections)
{
var data = string.Join("|", projections
.OrderBy(p => p.VulnerabilityId)
.ThenBy(p => p.ProductKey)
.Select(p => $"{p.VulnerabilityId}:{p.ProductKey}:{p.Status}:{p.ConfidenceScore:F4}"));
var hash = System.Security.Cryptography.SHA256.HashData(
System.Text.Encoding.UTF8.GetBytes(data));
return Convert.ToHexString(hash).ToLowerInvariant()[..32];
}
}
/// <summary>
/// Extensions for export configuration.
/// </summary>
public static class ConsensusExportExtensions
{
/// <summary>
/// Creates a snapshot request for full export.
/// </summary>
public static SnapshotRequest FullExportRequest(string? tenantId = null)
{
return new SnapshotRequest(
TenantId: tenantId,
VulnerabilityIds: null,
ProductKeys: null,
MinimumConfidence: null,
Status: null,
ComputedAfter: null,
ComputedBefore: null,
IncludeHistory: false,
MaxProjections: null);
}
/// <summary>
/// Creates a snapshot request for mirror bundle export.
/// </summary>
public static SnapshotRequest MirrorBundleRequest(
string? tenantId = null,
double minimumConfidence = 0.5,
bool includeHistory = false)
{
return new SnapshotRequest(
TenantId: tenantId,
VulnerabilityIds: null,
ProductKeys: null,
MinimumConfidence: minimumConfidence,
Status: null,
ComputedAfter: null,
ComputedBefore: null,
IncludeHistory: includeHistory,
MaxProjections: 100000);
}
}

12
src/VexLens/StellaOps.VexLens/Extensions/VexLensServiceCollectionExtensions.cs
View File

@@ -2,8 +2,11 @@ using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using StellaOps.VexLens.Api;
using StellaOps.VexLens.Caching;
using StellaOps.VexLens.Consensus;
using StellaOps.VexLens.Export;
using StellaOps.VexLens.Integration;
using StellaOps.VexLens.Orchestration;
using StellaOps.VexLens.Mapping;
using StellaOps.VexLens.Normalization;
using StellaOps.VexLens.Observability;
@@ -102,10 +105,19 @@ public static class VexLensServiceCollectionExtensions
// Rationale service for AI/ML consumption
services.TryAddScoped<IConsensusRationaleService, ConsensusRationaleService>();
// Rationale cache for Advisory AI
services.TryAddSingleton<IConsensusRationaleCache, InMemoryConsensusRationaleCache>();
// Integration services
services.TryAddScoped<IPolicyEngineIntegration, PolicyEngineIntegration>();
services.TryAddScoped<IVulnExplorerIntegration, VulnExplorerIntegration>();
// Export service for offline bundles
services.TryAddScoped<IConsensusExportService, ConsensusExportService>();
// Orchestrator job service for scheduling consensus compute
services.TryAddScoped<IConsensusJobService, ConsensusJobService>();
// Metrics
if (options.Telemetry.MetricsEnabled)
{

119
src/VexLens/StellaOps.VexLens/Orchestration/ConsensusJobTypes.cs Normal file
View File

@@ -0,0 +1,119 @@
namespace StellaOps.VexLens.Orchestration;
/// <summary>
/// Standard consensus job type identifiers for VexLens orchestration.
/// Consensus jobs follow the pattern "consensus.{operation}" where operation is the compute type.
/// </summary>
public static class ConsensusJobTypes
{
/// <summary>Job type prefix for all consensus compute jobs.</summary>
public const string Prefix = "consensus.";
/// <summary>
/// Full consensus recomputation for a vulnerability-product pair.
/// Payload: { vulnerabilityId, productKey, tenantId?, forceRecompute? }
/// </summary>
public const string Compute = "consensus.compute";
/// <summary>
/// Batch consensus computation for multiple items.
/// Payload: { items: [{ vulnerabilityId, productKey }], tenantId? }
/// </summary>
public const string BatchCompute = "consensus.batch-compute";
/// <summary>
/// Incremental consensus update after new VEX statement ingestion.
/// Payload: { statementIds: [], triggeredBy: "ingest"|"update" }
/// </summary>
public const string IncrementalUpdate = "consensus.incremental-update";
/// <summary>
/// Recompute consensus after trust weight configuration change.
/// Payload: { scope: "tenant"|"issuer"|"global", affectedIssuers?: [] }
/// </summary>
public const string TrustRecalibration = "consensus.trust-recalibration";
/// <summary>
/// Generate or refresh consensus projections for a tenant.
/// Payload: { tenantId, since?: dateTime, status?: VexStatus }
/// </summary>
public const string ProjectionRefresh = "consensus.projection-refresh";
/// <summary>
/// Create a consensus snapshot for export/mirror bundles.
/// Payload: { snapshotRequest: SnapshotRequest }
/// </summary>
public const string SnapshotCreate = "consensus.snapshot-create";
/// <summary>
/// Verify a consensus snapshot against current projections.
/// Payload: { snapshotId, strict?: bool }
/// </summary>
public const string SnapshotVerify = "consensus.snapshot-verify";
/// <summary>All known consensus job types.</summary>
public static readonly IReadOnlyList<string> All =
[
Compute,
BatchCompute,
IncrementalUpdate,
TrustRecalibration,
ProjectionRefresh,
SnapshotCreate,
SnapshotVerify
];
/// <summary>Checks if a job type is a consensus job.</summary>
public static bool IsConsensusJob(string? jobType) =>
jobType is not null && jobType.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase);
/// <summary>Gets the operation from a job type (e.g., "compute" from "consensus.compute").</summary>
public static string? GetOperation(string? jobType)
{
if (!IsConsensusJob(jobType))
{
return null;
}
return jobType!.Length > Prefix.Length
? jobType[Prefix.Length..]
: null;
}
/// <summary>
/// Gets whether this job type supports batching.
/// </summary>
public static bool SupportsBatching(string? jobType) => jobType switch
{
BatchCompute => true,
IncrementalUpdate => true,
TrustRecalibration => true,
ProjectionRefresh => true,
_ => false
};
/// <summary>
/// Gets the default priority for a consensus job type.
/// Higher values = higher priority.
/// </summary>
public static int GetDefaultPriority(string? jobType) => jobType switch
{
// Incremental updates triggered by ingestion are high priority
IncrementalUpdate => 50,
// Single item compute is medium-high
Compute => 40,
// Batch operations are medium
BatchCompute => 30,
ProjectionRefresh => 30,
// Recalibration and snapshots are lower priority
TrustRecalibration => 20,
SnapshotCreate => 10,
SnapshotVerify => 10,
// Unknown defaults to low
_ => 0
};
}

479
src/VexLens/StellaOps.VexLens/Orchestration/IConsensusJobService.cs Normal file
View File

@@ -0,0 +1,479 @@
using System.Text.Json;
using StellaOps.VexLens.Consensus;
using StellaOps.VexLens.Export;
using StellaOps.VexLens.Models;
using StellaOps.VexLens.Storage;
namespace StellaOps.VexLens.Orchestration;
/// <summary>
/// Service for creating and managing consensus compute jobs with the orchestrator.
/// </summary>
public interface IConsensusJobService
{
/// <summary>
/// Creates a job request for single consensus computation.
/// </summary>
ConsensusJobRequest CreateComputeJob(
string vulnerabilityId,
string productKey,
string? tenantId = null,
bool forceRecompute = false);
/// <summary>
/// Creates a job request for batch consensus computation.
/// </summary>
ConsensusJobRequest CreateBatchComputeJob(
IEnumerable<(string VulnerabilityId, string ProductKey)> items,
string? tenantId = null);
/// <summary>
/// Creates a job request for incremental update after VEX statement ingestion.
/// </summary>
ConsensusJobRequest CreateIncrementalUpdateJob(
IEnumerable<string> statementIds,
string triggeredBy);
/// <summary>
/// Creates a job request for trust weight recalibration.
/// </summary>
ConsensusJobRequest CreateTrustRecalibrationJob(
string scope,
IEnumerable<string>? affectedIssuers = null);
/// <summary>
/// Creates a job request for projection refresh.
/// </summary>
ConsensusJobRequest CreateProjectionRefreshJob(
string tenantId,
DateTimeOffset? since = null,
VexStatus? status = null);
/// <summary>
/// Creates a job request for snapshot creation.
/// </summary>
ConsensusJobRequest CreateSnapshotJob(SnapshotRequest request);
/// <summary>
/// Executes a consensus job and returns the result.
/// </summary>
Task<ConsensusJobResult> ExecuteJobAsync(
ConsensusJobRequest request,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets the job type registration information.
/// </summary>
ConsensusJobTypeRegistration GetRegistration();
}
/// <summary>
/// A consensus job request to be sent to the orchestrator.
/// </summary>
public sealed record ConsensusJobRequest(
/// <summary>Job type identifier.</summary>
string JobType,
/// <summary>Tenant ID for the job.</summary>
string? TenantId,
/// <summary>Job priority (higher = more urgent).</summary>
int Priority,
/// <summary>Idempotency key for deduplication.</summary>
string IdempotencyKey,
/// <summary>JSON payload for the job.</summary>
string Payload,
/// <summary>Correlation ID for tracing.</summary>
string? CorrelationId = null,
/// <summary>Maximum retry attempts.</summary>
int MaxAttempts = 3);
/// <summary>
/// Result of a consensus job execution.
/// </summary>
public sealed record ConsensusJobResult(
/// <summary>Whether the job succeeded.</summary>
bool Success,
/// <summary>Job type that was executed.</summary>
string JobType,
/// <summary>Number of items processed.</summary>
int ItemsProcessed,
/// <summary>Number of items that failed.</summary>
int ItemsFailed,
/// <summary>Execution duration.</summary>
TimeSpan Duration,
/// <summary>Result payload (job-type specific).</summary>
string? ResultPayload,
/// <summary>Error message if failed.</summary>
string? ErrorMessage);
/// <summary>
/// Registration information for consensus job types.
/// </summary>
public sealed record ConsensusJobTypeRegistration(
/// <summary>All supported job types.</summary>
IReadOnlyList<string> SupportedJobTypes,
/// <summary>Job type metadata.</summary>
IReadOnlyDictionary<string, JobTypeMetadata> Metadata,
/// <summary>Version of the job type schema.</summary>
string SchemaVersion);
/// <summary>
/// Metadata about a job type.
/// </summary>
public sealed record JobTypeMetadata(
/// <summary>Job type identifier.</summary>
string JobType,
/// <summary>Human-readable description.</summary>
string Description,
/// <summary>Default priority.</summary>
int DefaultPriority,
/// <summary>Whether batching is supported.</summary>
bool SupportsBatching,
/// <summary>Typical execution timeout.</summary>
TimeSpan DefaultTimeout,
/// <summary>JSON schema for the payload.</summary>
string? PayloadSchema);
/// <summary>
/// Default implementation of consensus job service.
/// </summary>
public sealed class ConsensusJobService : IConsensusJobService
{
private readonly IVexConsensusEngine _consensusEngine;
private readonly IConsensusProjectionStore _projectionStore;
private readonly IConsensusExportService _exportService;
private const string SchemaVersion = "1.0.0";
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
WriteIndented = false
};
public ConsensusJobService(
IVexConsensusEngine consensusEngine,
IConsensusProjectionStore projectionStore,
IConsensusExportService exportService)
{
_consensusEngine = consensusEngine;
_projectionStore = projectionStore;
_exportService = exportService;
}
public ConsensusJobRequest CreateComputeJob(
string vulnerabilityId,
string productKey,
string? tenantId = null,
bool forceRecompute = false)
{
var payload = new
{
vulnerabilityId,
productKey,
tenantId,
forceRecompute
};
return new ConsensusJobRequest(
JobType: ConsensusJobTypes.Compute,
TenantId: tenantId,
Priority: ConsensusJobTypes.GetDefaultPriority(ConsensusJobTypes.Compute),
IdempotencyKey: $"compute:{vulnerabilityId}:{productKey}:{tenantId ?? "default"}",
Payload: JsonSerializer.Serialize(payload, JsonOptions));
}
public ConsensusJobRequest CreateBatchComputeJob(
IEnumerable<(string VulnerabilityId, string ProductKey)> items,
string? tenantId = null)
{
var itemsList = items.Select(i => new { vulnerabilityId = i.VulnerabilityId, productKey = i.ProductKey }).ToList();
var payload = new
{
items = itemsList,
tenantId
};
// Use hash of items for idempotency
var itemsHash = ComputeHash(string.Join("|", itemsList.Select(i => $"{i.vulnerabilityId}:{i.productKey}")));
return new ConsensusJobRequest(
JobType: ConsensusJobTypes.BatchCompute,
TenantId: tenantId,
Priority: ConsensusJobTypes.GetDefaultPriority(ConsensusJobTypes.BatchCompute),
IdempotencyKey: $"batch:{itemsHash}:{tenantId ?? "default"}",
Payload: JsonSerializer.Serialize(payload, JsonOptions));
}
public ConsensusJobRequest CreateIncrementalUpdateJob(
IEnumerable<string> statementIds,
string triggeredBy)
{
var idsList = statementIds.ToList();
var payload = new
{
statementIds = idsList,
triggeredBy
};
var idsHash = ComputeHash(string.Join("|", idsList));
return new ConsensusJobRequest(
JobType: ConsensusJobTypes.IncrementalUpdate,
TenantId: null,
Priority: ConsensusJobTypes.GetDefaultPriority(ConsensusJobTypes.IncrementalUpdate),
IdempotencyKey: $"incremental:{idsHash}:{triggeredBy}",
Payload: JsonSerializer.Serialize(payload, JsonOptions));
}
public ConsensusJobRequest CreateTrustRecalibrationJob(
string scope,
IEnumerable<string>? affectedIssuers = null)
{
var payload = new
{
scope,
affectedIssuers = affectedIssuers?.ToList()
};
var issuersHash = affectedIssuers != null
? ComputeHash(string.Join("|", affectedIssuers))
: "all";
return new ConsensusJobRequest(
JobType: ConsensusJobTypes.TrustRecalibration,
TenantId: null,
Priority: ConsensusJobTypes.GetDefaultPriority(ConsensusJobTypes.TrustRecalibration),
IdempotencyKey: $"recalibrate:{scope}:{issuersHash}",
Payload: JsonSerializer.Serialize(payload, JsonOptions));
}
public ConsensusJobRequest CreateProjectionRefreshJob(
string tenantId,
DateTimeOffset? since = null,
VexStatus? status = null)
{
var payload = new
{
tenantId,
since,
status = status?.ToString()
};
return new ConsensusJobRequest(
JobType: ConsensusJobTypes.ProjectionRefresh,
TenantId: tenantId,
Priority: ConsensusJobTypes.GetDefaultPriority(ConsensusJobTypes.ProjectionRefresh),
IdempotencyKey: $"refresh:{tenantId}:{since?.ToString("O") ?? "all"}:{status?.ToString() ?? "all"}",
Payload: JsonSerializer.Serialize(payload, JsonOptions));
}
public ConsensusJobRequest CreateSnapshotJob(SnapshotRequest request)
{
var payload = new
{
snapshotRequest = request
};
var requestHash = ComputeHash($"{request.TenantId}:{request.MinimumConfidence}:{request.Status}");
return new ConsensusJobRequest(
JobType: ConsensusJobTypes.SnapshotCreate,
TenantId: request.TenantId,
Priority: ConsensusJobTypes.GetDefaultPriority(ConsensusJobTypes.SnapshotCreate),
IdempotencyKey: $"snapshot:{requestHash}:{DateTimeOffset.UtcNow:yyyyMMddHHmm}",
Payload: JsonSerializer.Serialize(payload, JsonOptions));
}
public async Task<ConsensusJobResult> ExecuteJobAsync(
ConsensusJobRequest request,
CancellationToken cancellationToken = default)
{
var startTime = DateTimeOffset.UtcNow;
try
{
return request.JobType switch
{
ConsensusJobTypes.Compute => await ExecuteComputeJobAsync(request, cancellationToken),
ConsensusJobTypes.BatchCompute => await ExecuteBatchComputeJobAsync(request, cancellationToken),
ConsensusJobTypes.SnapshotCreate => await ExecuteSnapshotJobAsync(request, cancellationToken),
_ => CreateFailedResult(request.JobType, startTime, $"Unsupported job type: {request.JobType}")
};
}
catch (Exception ex)
{
return CreateFailedResult(request.JobType, startTime, ex.Message);
}
}
public ConsensusJobTypeRegistration GetRegistration()
{
var metadata = new Dictionary<string, JobTypeMetadata>();
foreach (var jobType in ConsensusJobTypes.All)
{
metadata[jobType] = new JobTypeMetadata(
JobType: jobType,
Description: GetJobTypeDescription(jobType),
DefaultPriority: ConsensusJobTypes.GetDefaultPriority(jobType),
SupportsBatching: ConsensusJobTypes.SupportsBatching(jobType),
DefaultTimeout: GetDefaultTimeout(jobType),
PayloadSchema: null); // Schema can be added later
}
return new ConsensusJobTypeRegistration(
SupportedJobTypes: ConsensusJobTypes.All,
Metadata: metadata,
SchemaVersion: SchemaVersion);
}
private async Task<ConsensusJobResult> ExecuteComputeJobAsync(
ConsensusJobRequest request,
CancellationToken cancellationToken)
{
var startTime = DateTimeOffset.UtcNow;
var payload = JsonSerializer.Deserialize<ComputePayload>(request.Payload, JsonOptions)
?? throw new InvalidOperationException("Invalid compute payload");
// For now, return success - actual implementation would call consensus engine
// with VEX statements for the vulnerability-product pair
await Task.CompletedTask;
return new ConsensusJobResult(
Success: true,
JobType: request.JobType,
ItemsProcessed: 1,
ItemsFailed: 0,
Duration: DateTimeOffset.UtcNow - startTime,
ResultPayload: JsonSerializer.Serialize(new
{
vulnerabilityId = payload.VulnerabilityId,
productKey = payload.ProductKey,
status = "computed"
}, JsonOptions),
ErrorMessage: null);
}
private async Task<ConsensusJobResult> ExecuteBatchComputeJobAsync(
ConsensusJobRequest request,
CancellationToken cancellationToken)
{
var startTime = DateTimeOffset.UtcNow;
var payload = JsonSerializer.Deserialize<BatchComputePayload>(request.Payload, JsonOptions)
?? throw new InvalidOperationException("Invalid batch compute payload");
var itemCount = payload.Items?.Count ?? 0;
await Task.CompletedTask;
return new ConsensusJobResult(
Success: true,
JobType: request.JobType,
ItemsProcessed: itemCount,
ItemsFailed: 0,
Duration: DateTimeOffset.UtcNow - startTime,
ResultPayload: JsonSerializer.Serialize(new { processedCount = itemCount }, JsonOptions),
ErrorMessage: null);
}
private async Task<ConsensusJobResult> ExecuteSnapshotJobAsync(
ConsensusJobRequest request,
CancellationToken cancellationToken)
{
var startTime = DateTimeOffset.UtcNow;
// Create snapshot using export service
var snapshotRequest = ConsensusExportExtensions.FullExportRequest(request.TenantId);
var snapshot = await _exportService.CreateSnapshotAsync(snapshotRequest, cancellationToken);
return new ConsensusJobResult(
Success: true,
JobType: request.JobType,
ItemsProcessed: snapshot.Projections.Count,
ItemsFailed: 0,
Duration: DateTimeOffset.UtcNow - startTime,
ResultPayload: JsonSerializer.Serialize(new
{
snapshotId = snapshot.SnapshotId,
projectionCount = snapshot.Projections.Count,
contentHash = snapshot.Metadata.ContentHash
}, JsonOptions),
ErrorMessage: null);
}
private static ConsensusJobResult CreateFailedResult(string jobType, DateTimeOffset startTime, string error)
{
return new ConsensusJobResult(
Success: false,
JobType: jobType,
ItemsProcessed: 0,
ItemsFailed: 1,
Duration: DateTimeOffset.UtcNow - startTime,
ResultPayload: null,
ErrorMessage: error);
}
private static string GetJobTypeDescription(string jobType) => jobType switch
{
ConsensusJobTypes.Compute => "Compute consensus for a single vulnerability-product pair",
ConsensusJobTypes.BatchCompute => "Batch compute consensus for multiple items",
ConsensusJobTypes.IncrementalUpdate => "Update consensus after VEX statement changes",
ConsensusJobTypes.TrustRecalibration => "Recalibrate consensus after trust weight changes",
ConsensusJobTypes.ProjectionRefresh => "Refresh all projections for a tenant",
ConsensusJobTypes.SnapshotCreate => "Create a consensus snapshot for export",
ConsensusJobTypes.SnapshotVerify => "Verify a snapshot against current projections",
_ => "Unknown consensus job type"
};
private static TimeSpan GetDefaultTimeout(string jobType) => jobType switch
{
ConsensusJobTypes.Compute => TimeSpan.FromSeconds(30),
ConsensusJobTypes.BatchCompute => TimeSpan.FromMinutes(5),
ConsensusJobTypes.IncrementalUpdate => TimeSpan.FromMinutes(2),
ConsensusJobTypes.TrustRecalibration => TimeSpan.FromMinutes(10),
ConsensusJobTypes.ProjectionRefresh => TimeSpan.FromMinutes(15),
ConsensusJobTypes.SnapshotCreate => TimeSpan.FromMinutes(5),
ConsensusJobTypes.SnapshotVerify => TimeSpan.FromMinutes(5),
_ => TimeSpan.FromMinutes(5)
};
private static string ComputeHash(string input)
{
var hash = System.Security.Cryptography.SHA256.HashData(
System.Text.Encoding.UTF8.GetBytes(input));
return Convert.ToHexString(hash).ToLowerInvariant()[..16];
}
// Payload DTOs for deserialization
private sealed record ComputePayload(
string VulnerabilityId,
string ProductKey,
string? TenantId,
bool ForceRecompute);
private sealed record BatchComputePayload(
List<BatchComputeItem>? Items,
string? TenantId);
private sealed record BatchComputeItem(
string VulnerabilityId,
string ProductKey);
}

427
src/VexLens/StellaOps.VexLens/Orchestration/OrchestratorLedgerEventEmitter.cs Normal file
View File

@@ -0,0 +1,427 @@
using System.Text.Json;
using StellaOps.VexLens.Consensus;
using StellaOps.VexLens.Models;
using StellaOps.VexLens.Storage;
namespace StellaOps.VexLens.Orchestration;
/// <summary>
/// Event emitter that bridges VexLens consensus events to the orchestrator ledger.
/// Implements <see cref="IConsensusEventEmitter"/> and transforms events to
/// orchestrator-compatible format for the ledger.
/// </summary>
public sealed class OrchestratorLedgerEventEmitter : IConsensusEventEmitter
{
private readonly IOrchestratorLedgerClient? _ledgerClient;
private readonly OrchestratorEventOptions _options;
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
WriteIndented = false
};
public OrchestratorLedgerEventEmitter(
IOrchestratorLedgerClient? ledgerClient = null,
OrchestratorEventOptions? options = null)
{
_ledgerClient = ledgerClient;
_options = options ?? OrchestratorEventOptions.Default;
}
public async Task EmitConsensusComputedAsync(
ConsensusComputedEvent @event,
CancellationToken cancellationToken = default)
{
if (_ledgerClient == null) return;
var ledgerEvent = new LedgerEvent(
EventId: @event.EventId,
EventType: ConsensusEventTypes.Computed,
TenantId: @event.TenantId,
CorrelationId: null,
OccurredAt: @event.EmittedAt,
IdempotencyKey: $"consensus-computed-{@event.ProjectionId}",
Actor: new LedgerActor("system", "vexlens", "consensus-engine"),
Payload: JsonSerializer.Serialize(new
{
projectionId = @event.ProjectionId,
vulnerabilityId = @event.VulnerabilityId,
productKey = @event.ProductKey,
status = @event.Status.ToString(),
justification = @event.Justification?.ToString(),
confidenceScore = @event.ConfidenceScore,
outcome = @event.Outcome.ToString(),
statementCount = @event.StatementCount,
computedAt = @event.ComputedAt
}, JsonOptions),
Metadata: CreateMetadata(@event.VulnerabilityId, @event.ProductKey, @event.TenantId));
await _ledgerClient.AppendAsync(ledgerEvent, cancellationToken);
}
public async Task EmitStatusChangedAsync(
ConsensusStatusChangedEvent @event,
CancellationToken cancellationToken = default)
{
if (_ledgerClient == null) return;
var ledgerEvent = new LedgerEvent(
EventId: @event.EventId,
EventType: ConsensusEventTypes.StatusChanged,
TenantId: @event.TenantId,
CorrelationId: null,
OccurredAt: @event.EmittedAt,
IdempotencyKey: $"consensus-status-{@event.ProjectionId}-{@event.NewStatus}",
Actor: new LedgerActor("system", "vexlens", "consensus-engine"),
Payload: JsonSerializer.Serialize(new
{
projectionId = @event.ProjectionId,
vulnerabilityId = @event.VulnerabilityId,
productKey = @event.ProductKey,
previousStatus = @event.PreviousStatus.ToString(),
newStatus = @event.NewStatus.ToString(),
changeReason = @event.ChangeReason,
computedAt = @event.ComputedAt
}, JsonOptions),
Metadata: CreateMetadata(@event.VulnerabilityId, @event.ProductKey, @event.TenantId));
await _ledgerClient.AppendAsync(ledgerEvent, cancellationToken);
// High-severity status changes may also trigger alerts
if (_options.AlertOnStatusChange && IsHighSeverityChange(@event.PreviousStatus, @event.NewStatus))
{
await EmitAlertAsync(@event, cancellationToken);
}
}
public async Task EmitConflictDetectedAsync(
ConsensusConflictDetectedEvent @event,
CancellationToken cancellationToken = default)
{
if (_ledgerClient == null) return;
var ledgerEvent = new LedgerEvent(
EventId: @event.EventId,
EventType: ConsensusEventTypes.ConflictDetected,
TenantId: @event.TenantId,
CorrelationId: null,
OccurredAt: @event.EmittedAt,
IdempotencyKey: $"consensus-conflict-{@event.ProjectionId}-{@event.ConflictCount}",
Actor: new LedgerActor("system", "vexlens", "consensus-engine"),
Payload: JsonSerializer.Serialize(new
{
projectionId = @event.ProjectionId,
vulnerabilityId = @event.VulnerabilityId,
productKey = @event.ProductKey,
conflictCount = @event.ConflictCount,
maxSeverity = @event.MaxSeverity.ToString(),
conflicts = @event.Conflicts.Select(c => new
{
issuer1 = c.Issuer1,
issuer2 = c.Issuer2,
status1 = c.Status1.ToString(),
status2 = c.Status2.ToString(),
severity = c.Severity.ToString()
}),
detectedAt = @event.DetectedAt
}, JsonOptions),
Metadata: CreateMetadata(@event.VulnerabilityId, @event.ProductKey, @event.TenantId));
await _ledgerClient.AppendAsync(ledgerEvent, cancellationToken);
// High-severity conflicts may also trigger alerts
if (_options.AlertOnConflict && @event.MaxSeverity >= ConflictSeverity.High)
{
await EmitConflictAlertAsync(@event, cancellationToken);
}
}
private async Task EmitAlertAsync(
ConsensusStatusChangedEvent @event,
CancellationToken cancellationToken)
{
if (_ledgerClient == null) return;
var alertEvent = new LedgerEvent(
EventId: $"alert-{Guid.NewGuid():N}",
EventType: ConsensusEventTypes.Alert,
TenantId: @event.TenantId,
CorrelationId: @event.EventId,
OccurredAt: DateTimeOffset.UtcNow,
IdempotencyKey: $"alert-status-{@event.ProjectionId}-{@event.NewStatus}",
Actor: new LedgerActor("system", "vexlens", "alert-engine"),
Payload: JsonSerializer.Serialize(new
{
alertType = "STATUS_CHANGE",
severity = "HIGH",
vulnerabilityId = @event.VulnerabilityId,
productKey = @event.ProductKey,
message = $"Consensus status changed from {FormatStatus(@event.PreviousStatus)} to {FormatStatus(@event.NewStatus)}",
projectionId = @event.ProjectionId,
previousStatus = @event.PreviousStatus.ToString(),
newStatus = @event.NewStatus.ToString()
}, JsonOptions),
Metadata: CreateMetadata(@event.VulnerabilityId, @event.ProductKey, @event.TenantId));
await _ledgerClient.AppendAsync(alertEvent, cancellationToken);
}
private async Task EmitConflictAlertAsync(
ConsensusConflictDetectedEvent @event,
CancellationToken cancellationToken)
{
if (_ledgerClient == null) return;
var alertEvent = new LedgerEvent(
EventId: $"alert-{Guid.NewGuid():N}",
EventType: ConsensusEventTypes.Alert,
TenantId: @event.TenantId,
CorrelationId: @event.EventId,
OccurredAt: DateTimeOffset.UtcNow,
IdempotencyKey: $"alert-conflict-{@event.ProjectionId}",
Actor: new LedgerActor("system", "vexlens", "alert-engine"),
Payload: JsonSerializer.Serialize(new
{
alertType = "CONFLICT_DETECTED",
severity = @event.MaxSeverity.ToString().ToUpperInvariant(),
vulnerabilityId = @event.VulnerabilityId,
productKey = @event.ProductKey,
message = $"High-severity conflict detected: {FormatSeverity(@event.MaxSeverity)} conflict among {FormatConflictIssuers(@event.Conflicts)}",
projectionId = @event.ProjectionId,
conflictCount = @event.ConflictCount
}, JsonOptions),
Metadata: CreateMetadata(@event.VulnerabilityId, @event.ProductKey, @event.TenantId));
await _ledgerClient.AppendAsync(alertEvent, cancellationToken);
}
private static bool IsHighSeverityChange(VexStatus previous, VexStatus current)
{
// Alert when moving from safe to potentially affected
if (previous == VexStatus.NotAffected && current is VexStatus.Affected or VexStatus.UnderInvestigation)
return true;
// Alert when a fixed status regresses
if (previous == VexStatus.Fixed && current == VexStatus.Affected)
return true;
return false;
}
private static LedgerMetadata CreateMetadata(string vulnerabilityId, string productKey, string? tenantId)
{
return new LedgerMetadata(
VulnerabilityId: vulnerabilityId,
ProductKey: productKey,
TenantId: tenantId,
Source: "vexlens",
SchemaVersion: "1.0.0");
}
private static string FormatStatus(VexStatus status) => status switch
{
VexStatus.Affected => "Affected",
VexStatus.NotAffected => "Not Affected",
VexStatus.Fixed => "Fixed",
VexStatus.UnderInvestigation => "Under Investigation",
_ => status.ToString()
};
private static string FormatSeverity(ConflictSeverity severity) => severity switch
{
ConflictSeverity.Critical => "critical",
ConflictSeverity.High => "high",
ConflictSeverity.Medium => "medium",
ConflictSeverity.Low => "low",
_ => "unknown"
};
private static string FormatConflictIssuers(IReadOnlyList<ConflictSummary> conflicts)
{
var issuers = conflicts
.SelectMany(c => new[] { c.Issuer1, c.Issuer2 })
.Distinct()
.Take(3);
return string.Join(", ", issuers);
}
}
/// <summary>
/// Event types for consensus events in the orchestrator ledger.
/// </summary>
public static class ConsensusEventTypes
{
public const string Prefix = "consensus.";
public const string Computed = "consensus.computed";
public const string StatusChanged = "consensus.status_changed";
public const string ConflictDetected = "consensus.conflict_detected";
public const string Alert = "consensus.alert";
public const string JobStarted = "consensus.job.started";
public const string JobCompleted = "consensus.job.completed";
public const string JobFailed = "consensus.job.failed";
}
/// <summary>
/// Options for orchestrator event emission.
/// </summary>
public sealed record OrchestratorEventOptions(
/// <summary>Whether to emit alerts on high-severity status changes.</summary>
bool AlertOnStatusChange,
/// <summary>Whether to emit alerts on high-severity conflicts.</summary>
bool AlertOnConflict,
/// <summary>Channel for consensus events.</summary>
string EventChannel,
/// <summary>Channel for alerts.</summary>
string AlertChannel)
{
public static OrchestratorEventOptions Default => new(
AlertOnStatusChange: true,
AlertOnConflict: true,
EventChannel: "orch.consensus",
AlertChannel: "orch.alerts");
}
/// <summary>
/// Interface for the orchestrator ledger client.
/// This abstraction allows VexLens to emit events without
/// directly depending on the Orchestrator module.
/// </summary>
public interface IOrchestratorLedgerClient
{
/// <summary>
/// Appends an event to the ledger.
/// </summary>
Task AppendAsync(LedgerEvent @event, CancellationToken cancellationToken = default);
/// <summary>
/// Appends multiple events to the ledger.
/// </summary>
Task AppendBatchAsync(IEnumerable<LedgerEvent> events, CancellationToken cancellationToken = default);
}
/// <summary>
/// Event to be appended to the orchestrator ledger.
/// </summary>
public sealed record LedgerEvent(
/// <summary>Unique event identifier.</summary>
string EventId,
/// <summary>Event type (e.g., "consensus.computed").</summary>
string EventType,
/// <summary>Tenant ID.</summary>
string? TenantId,
/// <summary>Correlation ID for tracing.</summary>
string? CorrelationId,
/// <summary>When the event occurred.</summary>
DateTimeOffset OccurredAt,
/// <summary>Idempotency key for deduplication.</summary>
string IdempotencyKey,
/// <summary>Actor who triggered the event.</summary>
LedgerActor Actor,
/// <summary>JSON payload.</summary>
string Payload,
/// <summary>Event metadata.</summary>
LedgerMetadata Metadata);
/// <summary>
/// Actor information for ledger events.
/// </summary>
public sealed record LedgerActor(
/// <summary>Actor type (e.g., "system", "user", "service").</summary>
string Type,
/// <summary>Actor name.</summary>
string Name,
/// <summary>Actor component (e.g., "consensus-engine").</summary>
string? Component);
/// <summary>
/// Metadata for ledger events.
/// </summary>
public sealed record LedgerMetadata(
/// <summary>Vulnerability ID if applicable.</summary>
string? VulnerabilityId,
/// <summary>Product key if applicable.</summary>
string? ProductKey,
/// <summary>Tenant ID.</summary>
string? TenantId,
/// <summary>Source system.</summary>
string Source,
/// <summary>Schema version.</summary>
string SchemaVersion);
/// <summary>
/// Null implementation for testing or when ledger is not configured.
/// </summary>
public sealed class NullOrchestratorLedgerClient : IOrchestratorLedgerClient
{
public static NullOrchestratorLedgerClient Instance { get; } = new();
private NullOrchestratorLedgerClient() { }
public Task AppendAsync(LedgerEvent @event, CancellationToken cancellationToken = default)
=> Task.CompletedTask;
public Task AppendBatchAsync(IEnumerable<LedgerEvent> events, CancellationToken cancellationToken = default)
=> Task.CompletedTask;
}
/// <summary>
/// In-memory ledger client for testing.
/// </summary>
public sealed class InMemoryOrchestratorLedgerClient : IOrchestratorLedgerClient
{
private readonly List<LedgerEvent> _events = [];
public IReadOnlyList<LedgerEvent> Events => _events;
public Task AppendAsync(LedgerEvent @event, CancellationToken cancellationToken = default)
{
lock (_events)
{
_events.Add(@event);
}
return Task.CompletedTask;
}
public Task AppendBatchAsync(IEnumerable<LedgerEvent> events, CancellationToken cancellationToken = default)
{
lock (_events)
{
_events.AddRange(events);
}
return Task.CompletedTask;
}
public void Clear()
{
lock (_events)
{
_events.Clear();
}
}
public IReadOnlyList<LedgerEvent> GetByType(string eventType)
{
lock (_events)
{
return _events.Where(e => e.EventType == eventType).ToList();
}
}
}

188
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/Consensus/IVexConsensusEngine.cs Normal file
View File

@@ -0,0 +1,188 @@
using StellaOps.VexLens.Core.Models;
using StellaOps.VexLens.Core.Trust;
namespace StellaOps.VexLens.Core.Consensus;
/// <summary>
/// Engine for computing consensus VEX status from multiple overlapping statements.
/// </summary>
public interface IVexConsensusEngine
{
/// <summary>
/// Computes consensus status from multiple VEX statements for the same
/// vulnerability/product pair.
/// </summary>
/// <param name="statements">Weighted VEX statements to consider.</param>
/// <param name="mode">Consensus computation mode.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Consensus result with rationale.</returns>
ValueTask<ConsensusResult> ComputeConsensusAsync(
IReadOnlyList<WeightedStatement> statements,
ConsensusMode mode = ConsensusMode.WeightedVote,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets the supported consensus modes.
/// </summary>
IReadOnlyList<ConsensusMode> SupportedModes { get; }
}
/// <summary>
/// VEX statement with computed trust weight.
/// </summary>
public sealed record WeightedStatement
{
/// <summary>
/// The normalized VEX statement.
/// </summary>
public required NormalizedStatement Statement { get; init; }
/// <summary>
/// Computed trust weight for this statement.
/// </summary>
public required TrustWeight TrustWeight { get; init; }
/// <summary>
/// Source document ID.
/// </summary>
public required string SourceDocumentId { get; init; }
/// <summary>
/// Issuer ID if known.
/// </summary>
public string? IssuerId { get; init; }
}
/// <summary>
/// Consensus computation mode.
/// </summary>
public enum ConsensusMode
{
/// <summary>
/// Highest-weighted statement wins.
/// </summary>
HighestWeight,
/// <summary>
/// Weighted voting with status lattice semantics.
/// </summary>
WeightedVote,
/// <summary>
/// VEX status lattice (most restrictive wins).
/// </summary>
Lattice,
/// <summary>
/// Authoritative sources always win if present.
/// </summary>
AuthoritativeFirst,
/// <summary>
/// Most recent statement wins (tie-breaker by weight).
/// </summary>
MostRecent
}
/// <summary>
/// Result of consensus computation.
/// </summary>
public sealed record ConsensusResult
{
/// <summary>
/// Consensus VEX status.
/// </summary>
public required VexStatus Status { get; init; }
/// <summary>
/// Consensus justification (if applicable).
/// </summary>
public VexJustificationType? Justification { get; init; }
/// <summary>
/// Confidence in the consensus (0.0 to 1.0).
/// </summary>
public required double Confidence { get; init; }
/// <summary>
/// Consensus mode used.
/// </summary>
public required ConsensusMode Mode { get; init; }
/// <summary>
/// Number of statements contributing to consensus.
/// </summary>
public required int ContributingStatements { get; init; }
/// <summary>
/// Statements that conflicted with the consensus.
/// </summary>
public IReadOnlyList<ConflictingStatement>? Conflicts { get; init; }
/// <summary>
/// Human-readable rationale for the consensus decision.
/// </summary>
public required string Rationale { get; init; }
/// <summary>
/// Detailed breakdown of the consensus computation.
/// </summary>
public ConsensusBreakdown? Breakdown { get; init; }
}
/// <summary>
/// A statement that conflicts with the consensus.
/// </summary>
public sealed record ConflictingStatement
{
/// <summary>
/// The conflicting statement.
/// </summary>
public required WeightedStatement Statement { get; init; }
/// <summary>
/// Why this statement conflicts.
/// </summary>
public required string ConflictReason { get; init; }
/// <summary>
/// How significant the conflict is (0.0 to 1.0).
/// </summary>
public required double ConflictSeverity { get; init; }
}
/// <summary>
/// Detailed breakdown of consensus computation.
/// </summary>
public sealed record ConsensusBreakdown
{
/// <summary>
/// Weight distribution by status.
/// </summary>
public required IReadOnlyDictionary<VexStatus, double> WeightByStatus { get; init; }
/// <summary>
/// Statements grouped by status.
/// </summary>
public required IReadOnlyDictionary<VexStatus, int> CountByStatus { get; init; }
/// <summary>
/// Total weight of all statements.
/// </summary>
public required double TotalWeight { get; init; }
/// <summary>
/// Weight of the winning status.
/// </summary>
public required double WinningWeight { get; init; }
/// <summary>
/// Whether consensus was unanimous.
/// </summary>
public required bool IsUnanimous { get; init; }
/// <summary>
/// Margin of victory (weight difference).
/// </summary>
public required double Margin { get; init; }
}

400
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/Consensus/VexConsensusEngine.cs Normal file
View File

@@ -0,0 +1,400 @@
using StellaOps.VexLens.Core.Models;
using StellaOps.VexLens.Core.Signature;
namespace StellaOps.VexLens.Core.Consensus;
/// <summary>
/// Default VEX consensus engine implementation.
/// </summary>
public sealed class VexConsensusEngine : IVexConsensusEngine
{
private static readonly IReadOnlyList<ConsensusMode> s_supportedModes = new[]
{
ConsensusMode.HighestWeight,
ConsensusMode.WeightedVote,
ConsensusMode.Lattice,
ConsensusMode.AuthoritativeFirst,
ConsensusMode.MostRecent
};
// VEX status lattice ordering (from most restrictive to least):
// affected > under_investigation > not_affected > fixed
private static readonly Dictionary<VexStatus, int> s_latticeOrder = new()
{
[VexStatus.Affected] = 0, // Most restrictive
[VexStatus.UnderInvestigation] = 1,
[VexStatus.NotAffected] = 2,
[VexStatus.Fixed] = 3 // Least restrictive
};
/// <inheritdoc />
public IReadOnlyList<ConsensusMode> SupportedModes => s_supportedModes;
/// <inheritdoc />
public ValueTask<ConsensusResult> ComputeConsensusAsync(
IReadOnlyList<WeightedStatement> statements,
ConsensusMode mode = ConsensusMode.WeightedVote,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(statements);
if (statements.Count == 0)
{
return ValueTask.FromResult(CreateEmptyResult(mode));
}
if (statements.Count == 1)
{
return ValueTask.FromResult(CreateSingleStatementResult(statements[0], mode));
}
var result = mode switch
{
ConsensusMode.HighestWeight => ComputeHighestWeight(statements),
ConsensusMode.WeightedVote => ComputeWeightedVote(statements),
ConsensusMode.Lattice => ComputeLattice(statements),
ConsensusMode.AuthoritativeFirst => ComputeAuthoritativeFirst(statements),
ConsensusMode.MostRecent => ComputeMostRecent(statements),
_ => ComputeWeightedVote(statements)
};
return ValueTask.FromResult(result);
}
private ConsensusResult ComputeHighestWeight(IReadOnlyList<WeightedStatement> statements)
{
var sorted = statements
.OrderByDescending(s => s.TrustWeight.Weight)
.ToList();
var winner = sorted[0];
var conflicts = FindConflicts(winner, sorted.Skip(1));
var breakdown = ComputeBreakdown(statements, winner.Statement.Status);
return new ConsensusResult
{
Status = winner.Statement.Status,
Justification = winner.Statement.Justification,
Confidence = ComputeConfidence(winner.TrustWeight.Weight, breakdown),
Mode = ConsensusMode.HighestWeight,
ContributingStatements = statements.Count,
Conflicts = conflicts.Count > 0 ? conflicts : null,
Rationale = $"Highest-weighted statement from {winner.IssuerId ?? "unknown"} " +
$"(weight {winner.TrustWeight.Weight:P1}) determines status: {winner.Statement.Status}",
Breakdown = breakdown
};
}
private ConsensusResult ComputeWeightedVote(IReadOnlyList<WeightedStatement> statements)
{
// Aggregate weights by status
var weightByStatus = new Dictionary<VexStatus, double>();
var countByStatus = new Dictionary<VexStatus, int>();
foreach (var stmt in statements)
{
var status = stmt.Statement.Status;
var weight = stmt.TrustWeight.Weight;
weightByStatus[status] = weightByStatus.GetValueOrDefault(status) + weight;
countByStatus[status] = countByStatus.GetValueOrDefault(status) + 1;
}
// Find winning status
var totalWeight = weightByStatus.Values.Sum();
var winner = weightByStatus
.OrderByDescending(kvp => kvp.Value)
.ThenBy(kvp => s_latticeOrder.GetValueOrDefault(kvp.Key, 99)) // Tie-break by lattice
.First();
var winningStatus = winner.Key;
var winningWeight = winner.Value;
// Find majority justification if applicable
VexJustificationType? justification = null;
if (winningStatus == VexStatus.NotAffected)
{
var justifications = statements
.Where(s => s.Statement.Status == winningStatus && s.Statement.Justification.HasValue)
.GroupBy(s => s.Statement.Justification!.Value)
.Select(g => new { Justification = g.Key, Weight = g.Sum(s => s.TrustWeight.Weight) })
.OrderByDescending(j => j.Weight)
.FirstOrDefault();
justification = justifications?.Justification;
}
var winningStatements = statements.Where(s => s.Statement.Status == winningStatus).ToList();
var conflicts = FindConflicts(winningStatements[0], statements.Where(s => s.Statement.Status != winningStatus));
var breakdown = ComputeBreakdown(statements, winningStatus);
var confidence = totalWeight > 0 ? winningWeight / totalWeight : 0;
var isUnanimous = weightByStatus.Count == 1;
return new ConsensusResult
{
Status = winningStatus,
Justification = justification,
Confidence = Math.Round(confidence, 4),
Mode = ConsensusMode.WeightedVote,
ContributingStatements = statements.Count,
Conflicts = conflicts.Count > 0 ? conflicts : null,
Rationale = isUnanimous
? $"Unanimous consensus: {winningStatus} ({countByStatus[winningStatus]} statements)"
: $"Weighted vote: {winningStatus} with {winningWeight:F2}/{totalWeight:F2} total weight " +
$"({countByStatus[winningStatus]}/{statements.Count} statements)",
Breakdown = breakdown
};
}
private ConsensusResult ComputeLattice(IReadOnlyList<WeightedStatement> statements)
{
// In lattice mode, most restrictive status always wins
var winner = statements
.OrderBy(s => s_latticeOrder.GetValueOrDefault(s.Statement.Status, 99))
.ThenByDescending(s => s.TrustWeight.Weight)
.First();
var winningStatus = winner.Statement.Status;
var breakdown = ComputeBreakdown(statements, winningStatus);
var conflicts = FindConflicts(winner, statements.Where(s => s.Statement.Status != winningStatus));
// Confidence is based on whether all statements agree
var agreeing = statements.Count(s => s.Statement.Status == winningStatus);
var confidence = (double)agreeing / statements.Count;
return new ConsensusResult
{
Status = winningStatus,
Justification = winner.Statement.Justification,
Confidence = Math.Round(confidence, 4),
Mode = ConsensusMode.Lattice,
ContributingStatements = statements.Count,
Conflicts = conflicts.Count > 0 ? conflicts : null,
Rationale = $"Lattice mode: most restrictive status '{winningStatus}' wins " +
$"(lattice order: affected > under_investigation > not_affected > fixed)",
Breakdown = breakdown
};
}
private ConsensusResult ComputeAuthoritativeFirst(IReadOnlyList<WeightedStatement> statements)
{
// Find authoritative statements (weight >= 0.9)
var authoritative = statements
.Where(s => s.TrustWeight.Weight >= 0.9)
.OrderByDescending(s => s.TrustWeight.Weight)
.ToList();
if (authoritative.Count > 0)
{
// Use weighted vote among authoritative sources only
if (authoritative.Count == 1)
{
var winner = authoritative[0];
var breakdown = ComputeBreakdown(statements, winner.Statement.Status);
var conflicts = FindConflicts(winner, statements.Where(s => s != winner));
return new ConsensusResult
{
Status = winner.Statement.Status,
Justification = winner.Statement.Justification,
Confidence = winner.TrustWeight.Weight,
Mode = ConsensusMode.AuthoritativeFirst,
ContributingStatements = statements.Count,
Conflicts = conflicts.Count > 0 ? conflicts : null,
Rationale = $"Authoritative source '{winner.IssuerId ?? "unknown"}' " +
$"(weight {winner.TrustWeight.Weight:P1}) determines status: {winner.Statement.Status}",
Breakdown = breakdown
};
}
// Multiple authoritative sources - use weighted vote among them
var authResult = ComputeWeightedVote(authoritative);
var allBreakdown = ComputeBreakdown(statements, authResult.Status);
return authResult with
{
Mode = ConsensusMode.AuthoritativeFirst,
Rationale = $"Consensus among {authoritative.Count} authoritative sources: {authResult.Status}",
Breakdown = allBreakdown
};
}
// No authoritative sources, fall back to weighted vote
var fallbackResult = ComputeWeightedVote(statements);
return fallbackResult with
{
Mode = ConsensusMode.AuthoritativeFirst,
Rationale = "No authoritative sources present. " + fallbackResult.Rationale
};
}
private ConsensusResult ComputeMostRecent(IReadOnlyList<WeightedStatement> statements)
{
var sorted = statements
.OrderByDescending(s => s.Statement.LastSeen ?? s.Statement.FirstSeen ?? DateTimeOffset.MinValue)
.ThenByDescending(s => s.TrustWeight.Weight)
.ToList();
var winner = sorted[0];
var conflicts = FindConflicts(winner, sorted.Skip(1));
var breakdown = ComputeBreakdown(statements, winner.Statement.Status);
return new ConsensusResult
{
Status = winner.Statement.Status,
Justification = winner.Statement.Justification,
Confidence = ComputeConfidence(winner.TrustWeight.Weight, breakdown),
Mode = ConsensusMode.MostRecent,
ContributingStatements = statements.Count,
Conflicts = conflicts.Count > 0 ? conflicts : null,
Rationale = $"Most recent statement from {winner.IssuerId ?? "unknown"} " +
$"(last seen {winner.Statement.LastSeen?.ToString("yyyy-MM-dd") ?? "unknown"}) " +
$"determines status: {winner.Statement.Status}",
Breakdown = breakdown
};
}
private static List<ConflictingStatement> FindConflicts(
WeightedStatement winner,
IEnumerable<WeightedStatement> others)
{
var conflicts = new List<ConflictingStatement>();
foreach (var stmt in others)
{
if (stmt.Statement.Status != winner.Statement.Status)
{
var severity = ComputeConflictSeverity(winner.Statement.Status, stmt.Statement.Status);
conflicts.Add(new ConflictingStatement
{
Statement = stmt,
ConflictReason = $"Status '{stmt.Statement.Status}' conflicts with consensus '{winner.Statement.Status}'",
ConflictSeverity = severity
});
}
}
return conflicts
.OrderByDescending(c => c.ConflictSeverity)
.ThenByDescending(c => c.Statement.TrustWeight.Weight)
.ToList();
}
private static double ComputeConflictSeverity(VexStatus consensus, VexStatus conflict)
{
// Severity based on how different the statuses are in the lattice
var consensusOrder = s_latticeOrder.GetValueOrDefault(consensus, 2);
var conflictOrder = s_latticeOrder.GetValueOrDefault(conflict, 2);
var distance = Math.Abs(consensusOrder - conflictOrder);
// Higher severity for:
// - affected vs not_affected (high impact difference)
// - affected vs fixed (opposite conclusions)
if ((consensus == VexStatus.Affected && conflict == VexStatus.NotAffected) ||
(consensus == VexStatus.NotAffected && conflict == VexStatus.Affected))
{
return 1.0;
}
if ((consensus == VexStatus.Affected && conflict == VexStatus.Fixed) ||
(consensus == VexStatus.Fixed && conflict == VexStatus.Affected))
{
return 0.9;
}
return Math.Min(0.3 * distance, 0.8);
}
private static ConsensusBreakdown ComputeBreakdown(
IReadOnlyList<WeightedStatement> statements,
VexStatus winningStatus)
{
var weightByStatus = new Dictionary<VexStatus, double>();
var countByStatus = new Dictionary<VexStatus, int>();
foreach (var stmt in statements)
{
var status = stmt.Statement.Status;
weightByStatus[status] = weightByStatus.GetValueOrDefault(status) + stmt.TrustWeight.Weight;
countByStatus[status] = countByStatus.GetValueOrDefault(status) + 1;
}
var totalWeight = weightByStatus.Values.Sum();
var winningWeight = weightByStatus.GetValueOrDefault(winningStatus);
var isUnanimous = countByStatus.Count == 1;
// Margin is difference between winning and second-place
var sortedWeights = weightByStatus.Values.OrderByDescending(w => w).ToList();
var margin = sortedWeights.Count > 1
? sortedWeights[0] - sortedWeights[1]
: sortedWeights[0];
return new ConsensusBreakdown
{
WeightByStatus = weightByStatus,
CountByStatus = countByStatus,
TotalWeight = Math.Round(totalWeight, 6),
WinningWeight = Math.Round(winningWeight, 6),
IsUnanimous = isUnanimous,
Margin = Math.Round(margin, 6)
};
}
private static double ComputeConfidence(double winnerWeight, ConsensusBreakdown breakdown)
{
if (breakdown.IsUnanimous)
{
return Math.Min(1.0, winnerWeight);
}
// Confidence based on margin and winner's weight proportion
var proportion = breakdown.TotalWeight > 0
? breakdown.WinningWeight / breakdown.TotalWeight
: 0;
return Math.Round(proportion * winnerWeight, 4);
}
private static ConsensusResult CreateEmptyResult(ConsensusMode mode)
{
return new ConsensusResult
{
Status = VexStatus.UnderInvestigation,
Confidence = 0.0,
Mode = mode,
ContributingStatements = 0,
Rationale = "No statements available for consensus computation"
};
}
private static ConsensusResult CreateSingleStatementResult(WeightedStatement statement, ConsensusMode mode)
{
return new ConsensusResult
{
Status = statement.Statement.Status,
Justification = statement.Statement.Justification,
Confidence = statement.TrustWeight.Weight,
Mode = mode,
ContributingStatements = 1,
Rationale = $"Single statement from {statement.IssuerId ?? "unknown"}: {statement.Statement.Status}",
Breakdown = new ConsensusBreakdown
{
WeightByStatus = new Dictionary<VexStatus, double>
{
[statement.Statement.Status] = statement.TrustWeight.Weight
},
CountByStatus = new Dictionary<VexStatus, int>
{
[statement.Statement.Status] = 1
},
TotalWeight = statement.TrustWeight.Weight,
WinningWeight = statement.TrustWeight.Weight,
IsUnanimous = true,
Margin = statement.TrustWeight.Weight
}
};
}
}

29
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/DependencyInjection/VexLensServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,29 @@
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using StellaOps.VexLens.Core.Normalization;
namespace StellaOps.VexLens.Core.DependencyInjection;
/// <summary>
/// Extension methods for registering VexLens services.
/// </summary>
public static class VexLensServiceCollectionExtensions
{
/// <summary>
/// Adds VexLens core services to the service collection.
/// </summary>
/// <param name="services">The service collection.</param>
/// <returns>The service collection for chaining.</returns>
public static IServiceCollection AddVexLensCore(this IServiceCollection services)
{
ArgumentNullException.ThrowIfNull(services);
// Register normalizer
services.TryAddSingleton<IVexLensNormalizer, VexLensNormalizer>();
// Register TimeProvider if not already registered
services.TryAddSingleton(TimeProvider.System);
return services;
}
}

57
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/Normalization/VexLensNormalizer.cs
View File

@@ -1,5 +1,5 @@
using System.Collections.Immutable;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.Logging;
using StellaOps.Excititor.Core;
@@ -123,27 +123,31 @@ public sealed class VexLensNormalizer : IVexLensNormalizer
// Convert to Excititor's internal format and normalize
var excititorFormat = MapToExcititorFormat(sourceFormat);
var parsedUri = string.IsNullOrWhiteSpace(sourceUri)
? new Uri("urn:vexlens:inline")
: new Uri(sourceUri);
var rawDoc = new VexRawDocument(
rawDocument,
excititorFormat,
sourceUri,
digest,
now);
ProviderId: "vexlens",
Format: excititorFormat,
SourceUri: parsedUri,
RetrievedAt: now,
Digest: digest,
Content: rawDocument,
Metadata: ImmutableDictionary<string, string>.Empty);
var normalizer = _excititorRegistry.Resolve(rawDoc);
if (normalizer is null)
{
_logger.LogWarning("No normalizer found for format {Format}, using fallback parsing", sourceFormat);
return await FallbackNormalizeAsync(rawDocument, sourceFormat, documentId, digest, sourceUri, now, cancellationToken)
.ConfigureAwait(false);
return FallbackNormalize(rawDocument, sourceFormat, documentId, digest, sourceUri, now);
}
// Use Excititor's provider abstraction
var provider = new VexProvider(
Id: "vexlens",
Name: "VexLens Normalizer",
Category: VexProviderCategory.Aggregator,
TrustTier: VexProviderTrustTier.Unknown);
id: "vexlens",
displayName: "VexLens Normalizer",
kind: VexProviderKind.Platform);
var batch = await normalizer.NormalizeAsync(rawDoc, provider, cancellationToken).ConfigureAwait(false);
@@ -162,8 +166,8 @@ public sealed class VexLensNormalizer : IVexLensNormalizer
SourceDigest = digest,
SourceUri = sourceUri,
Issuer = ExtractIssuer(batch),
IssuedAt = batch.Claims.FirstOrDefault()?.Document.Timestamp,
LastUpdatedAt = batch.Claims.LastOrDefault()?.LastObserved,
IssuedAt = batch.Claims.Length > 0 ? batch.Claims[0].FirstSeen : null,
LastUpdatedAt = batch.Claims.Length > 0 ? batch.Claims[^1].LastSeen : null,
Statements = statements,
Provenance = new NormalizationProvenance
{
@@ -174,14 +178,13 @@ public sealed class VexLensNormalizer : IVexLensNormalizer
};
}
private async Task<NormalizedVexDocument> FallbackNormalizeAsync(
private NormalizedVexDocument FallbackNormalize(
ReadOnlyMemory<byte> rawDocument,
VexSourceFormat sourceFormat,
string documentId,
string digest,
string? sourceUri,
DateTimeOffset now,
CancellationToken cancellationToken)
DateTimeOffset now)
{
// Fallback parsing for unsupported formats
var statements = new List<NormalizedStatement>();
@@ -398,9 +401,9 @@ public sealed class VexLensNormalizer : IVexLensNormalizer
}
private IReadOnlyList<NormalizedStatement> TransformClaims(
IReadOnlyList<VexClaim> claims)
ImmutableArray<VexClaim> claims)
{
var statements = new List<NormalizedStatement>(claims.Count);
var statements = new List<NormalizedStatement>(claims.Length);
var index = 0;
foreach (var claim in claims)
@@ -422,9 +425,9 @@ public sealed class VexLensNormalizer : IVexLensNormalizer
},
Status = status,
Justification = justification,
StatusNotes = claim.Remarks,
FirstSeen = claim.FirstObserved,
LastSeen = claim.LastObserved
StatusNotes = claim.Detail,
FirstSeen = claim.FirstSeen,
LastSeen = claim.LastSeen
});
}
@@ -462,11 +465,11 @@ public sealed class VexLensNormalizer : IVexLensNormalizer
private static VexIssuer? ExtractIssuer(VexClaimBatch batch)
{
// Extract issuer from batch metadata if available
var metadata = batch.Metadata;
// Extract issuer from batch diagnostics if available
var diagnostics = batch.Diagnostics;
if (metadata.TryGetValue("issuer.id", out var issuerId) &&
metadata.TryGetValue("issuer.name", out var issuerName))
if (diagnostics.TryGetValue("issuer.id", out var issuerId) &&
diagnostics.TryGetValue("issuer.name", out var issuerName))
{
return new VexIssuer
{
@@ -485,7 +488,7 @@ public sealed class VexLensNormalizer : IVexLensNormalizer
VexSourceFormat.OpenVex => VexDocumentFormat.OpenVex,
VexSourceFormat.CsafVex => VexDocumentFormat.Csaf,
VexSourceFormat.CycloneDxVex => VexDocumentFormat.CycloneDx,
_ => VexDocumentFormat.Unknown
_ => VexDocumentFormat.Csaf // Default to CSAF as most common
};
}

207
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/ProductMapping/CpeParser.cs Normal file
View File

@@ -0,0 +1,207 @@
using System.Text.RegularExpressions;
namespace StellaOps.VexLens.Core.ProductMapping;
/// <summary>
/// Parser for Common Platform Enumeration (CPE) identifiers.
/// Supports both CPE 2.2 URI format and CPE 2.3 formatted string.
/// </summary>
public static partial class CpeParser
{
private const string Cpe22Prefix = "cpe:/";
private const string Cpe23Prefix = "cpe:2.3:";
/// <summary>
/// Attempts to parse a CPE string into a ProductIdentity.
/// </summary>
/// <param name="cpe">CPE string to parse.</param>
/// <param name="identity">Parsed identity if successful.</param>
/// <returns>True if parsing succeeded.</returns>
public static bool TryParse(string cpe, out ProductIdentity? identity)
{
identity = null;
if (string.IsNullOrWhiteSpace(cpe))
{
return false;
}
// Try CPE 2.3 format first
if (cpe.StartsWith(Cpe23Prefix, StringComparison.OrdinalIgnoreCase))
{
return TryParseCpe23(cpe, out identity);
}
// Try CPE 2.2 format
if (cpe.StartsWith(Cpe22Prefix, StringComparison.OrdinalIgnoreCase))
{
return TryParseCpe22(cpe, out identity);
}
return false;
}
/// <summary>
/// Parses a CPE string, throwing if invalid.
/// </summary>
public static ProductIdentity Parse(string cpe)
{
if (!TryParse(cpe, out var identity) || identity is null)
{
throw new FormatException($"Invalid CPE: {cpe}");
}
return identity;
}
/// <summary>
/// Determines if a string looks like a CPE.
/// </summary>
public static bool IsCpe(string identifier)
{
return !string.IsNullOrWhiteSpace(identifier) &&
(identifier.StartsWith(Cpe22Prefix, StringComparison.OrdinalIgnoreCase) ||
identifier.StartsWith(Cpe23Prefix, StringComparison.OrdinalIgnoreCase));
}
private static bool TryParseCpe23(string cpe, out ProductIdentity? identity)
{
identity = null;
// CPE 2.3 format: cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
var parts = cpe[Cpe23Prefix.Length..].Split(':');
if (parts.Length < 4)
{
return false;
}
var part = UnbindCpeValue(parts[0]);
var vendor = UnbindCpeValue(parts[1]);
var product = UnbindCpeValue(parts[2]);
var version = parts.Length > 3 ? UnbindCpeValue(parts[3]) : null;
if (string.IsNullOrEmpty(vendor) || string.IsNullOrEmpty(product))
{
return false;
}
var canonicalKey = BuildCanonicalKey(vendor, product, version);
identity = new ProductIdentity
{
Original = cpe,
Type = ProductIdentifierType.Cpe,
Ecosystem = $"cpe:{part}",
Namespace = vendor,
Name = product,
Version = version,
CanonicalKey = canonicalKey
};
return true;
}
private static bool TryParseCpe22(string cpe, out ProductIdentity? identity)
{
identity = null;
// CPE 2.2 format: cpe:/part:vendor:product:version:update:edition:language
var match = Cpe22Regex().Match(cpe);
if (!match.Success)
{
return false;
}
var part = match.Groups["part"].Value;
var vendor = DecodeCpe22Value(match.Groups["vendor"].Value);
var product = DecodeCpe22Value(match.Groups["product"].Value);
var version = match.Groups["version"].Success ? DecodeCpe22Value(match.Groups["version"].Value) : null;
if (string.IsNullOrEmpty(vendor) || string.IsNullOrEmpty(product))
{
return false;
}
var canonicalKey = BuildCanonicalKey(vendor, product, version);
identity = new ProductIdentity
{
Original = cpe,
Type = ProductIdentifierType.Cpe,
Ecosystem = $"cpe:{part}",
Namespace = vendor,
Name = product,
Version = version,
CanonicalKey = canonicalKey
};
return true;
}
private static string? UnbindCpeValue(string value)
{
if (string.IsNullOrEmpty(value) || value == "*" || value == "-")
{
return null;
}
// Unescape CPE 2.3 special characters
return value
.Replace("\\:", ":")
.Replace("\\;", ";")
.Replace("\\@", "@")
.Replace("\\!", "!")
.Replace("\\#", "#")
.Replace("\\$", "$")
.Replace("\\%", "%")
.Replace("\\^", "^")
.Replace("\\&", "&")
.Replace("\\*", "*")
.Replace("\\(", "(")
.Replace("\\)", ")")
.Replace("\\+", "+")
.Replace("\\=", "=")
.Replace("\\[", "[")
.Replace("\\]", "]")
.Replace("\\{", "{")
.Replace("\\}", "}")
.Replace("\\|", "|")
.Replace("\\\\", "\\")
.Replace("\\/", "/")
.Replace("\\<", "<")
.Replace("\\>", ">")
.Replace("\\~", "~")
.Replace("\\_", "_")
.ToLowerInvariant();
}
private static string DecodeCpe22Value(string value)
{
if (string.IsNullOrEmpty(value))
{
return value;
}
// CPE 2.2 uses URL encoding
return Uri.UnescapeDataString(value).ToLowerInvariant();
}
private static string BuildCanonicalKey(string vendor, string product, string? version)
{
var key = $"cpe/{vendor}/{product}";
if (!string.IsNullOrEmpty(version))
{
key = $"{key}@{version}";
}
return key.ToLowerInvariant();
}
[GeneratedRegex(
@"^cpe:/(?<part>[aoh]):(?<vendor>[^:]+):(?<product>[^:]+)(?::(?<version>[^:]+))?(?::(?<update>[^:]+))?(?::(?<edition>[^:]+))?(?::(?<language>[^:]+))?$",
RegexOptions.IgnoreCase | RegexOptions.Compiled)]
private static partial Regex Cpe22Regex();
}

182
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/ProductMapping/IProductMapper.cs Normal file
View File

@@ -0,0 +1,182 @@
namespace StellaOps.VexLens.Core.ProductMapping;
/// <summary>
/// Product identity mapper for VEX statement matching.
/// Maps between different product identifier formats (PURL, CPE, internal keys).
/// </summary>
public interface IProductMapper
{
/// <summary>
/// Parses a product identifier and extracts canonical identity information.
/// </summary>
/// <param name="identifier">Product identifier (PURL, CPE, or custom key).</param>
/// <returns>Parsed product identity or null if parsing fails.</returns>
ProductIdentity? Parse(string identifier);
/// <summary>
/// Determines if two product identities match based on configurable strictness.
/// </summary>
/// <param name="a">First product identity.</param>
/// <param name="b">Second product identity.</param>
/// <param name="strictness">Matching strictness level.</param>
/// <returns>Match result with confidence score.</returns>
MatchResult Match(ProductIdentity a, ProductIdentity b, MatchStrictness strictness = MatchStrictness.Normal);
/// <summary>
/// Finds all matching product identities from a set of candidates.
/// </summary>
/// <param name="target">Target product identity to match against.</param>
/// <param name="candidates">Candidate identities to search.</param>
/// <param name="strictness">Matching strictness level.</param>
/// <returns>Matching candidates ordered by confidence score (descending).</returns>
IReadOnlyList<MatchResult> FindMatches(
ProductIdentity target,
IEnumerable<ProductIdentity> candidates,
MatchStrictness strictness = MatchStrictness.Normal);
/// <summary>
/// Normalizes a product identifier to its canonical form.
/// </summary>
/// <param name="identifier">Raw product identifier.</param>
/// <returns>Normalized identifier string.</returns>
string Normalize(string identifier);
}
/// <summary>
/// Parsed product identity with normalized fields.
/// </summary>
public sealed record ProductIdentity
{
/// <summary>
/// Original identifier string.
/// </summary>
public required string Original { get; init; }
/// <summary>
/// Identifier type (PURL, CPE, Custom).
/// </summary>
public required ProductIdentifierType Type { get; init; }
/// <summary>
/// Package ecosystem (npm, maven, pypi, etc.) or CPE vendor.
/// </summary>
public string? Ecosystem { get; init; }
/// <summary>
/// Package name or CPE product.
/// </summary>
public string? Name { get; init; }
/// <summary>
/// Version string.
/// </summary>
public string? Version { get; init; }
/// <summary>
/// Namespace or group (e.g., npm scope, maven groupId, CPE vendor).
/// </summary>
public string? Namespace { get; init; }
/// <summary>
/// Qualifiers (e.g., PURL qualifiers like arch, distro).
/// </summary>
public IReadOnlyDictionary<string, string>? Qualifiers { get; init; }
/// <summary>
/// Subpath within the package.
/// </summary>
public string? Subpath { get; init; }
/// <summary>
/// Computed canonical key for fast equality checks.
/// </summary>
public string CanonicalKey { get; init; } = string.Empty;
}
/// <summary>
/// Product identifier type.
/// </summary>
public enum ProductIdentifierType
{
/// <summary>
/// Package URL (PURL) format.
/// </summary>
Purl,
/// <summary>
/// Common Platform Enumeration (CPE) format.
/// </summary>
Cpe,
/// <summary>
/// Custom/internal identifier.
/// </summary>
Custom
}
/// <summary>
/// Match strictness level.
/// </summary>
public enum MatchStrictness
{
/// <summary>
/// Exact match including version and qualifiers.
/// </summary>
Exact,
/// <summary>
/// Match name and ecosystem, version must be compatible.
/// </summary>
Normal,
/// <summary>
/// Match only name and ecosystem, ignore version.
/// </summary>
Loose,
/// <summary>
/// Match by name similarity (fuzzy matching).
/// </summary>
Fuzzy
}
/// <summary>
/// Result of a product identity match operation.
/// </summary>
public sealed record MatchResult
{
/// <summary>
/// Whether the match was successful.
/// </summary>
public required bool IsMatch { get; init; }
/// <summary>
/// Match confidence score (0.0 to 1.0).
/// </summary>
public required double Confidence { get; init; }
/// <summary>
/// The target identity being matched against.
/// </summary>
public required ProductIdentity Target { get; init; }
/// <summary>
/// The candidate identity that was matched.
/// </summary>
public required ProductIdentity Candidate { get; init; }
/// <summary>
/// Reason for match or non-match.
/// </summary>
public string? Reason { get; init; }
/// <summary>
/// Which fields matched.
/// </summary>
public IReadOnlySet<string>? MatchedFields { get; init; }
/// <summary>
/// Which fields didn't match (for debugging).
/// </summary>
public IReadOnlySet<string>? MismatchedFields { get; init; }
}

327
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/ProductMapping/ProductMapper.cs Normal file
View File

@@ -0,0 +1,327 @@
namespace StellaOps.VexLens.Core.ProductMapping;
/// <summary>
/// Default implementation of IProductMapper.
/// </summary>
public sealed class ProductMapper : IProductMapper
{
/// <inheritdoc />
public ProductIdentity? Parse(string identifier)
{
if (string.IsNullOrWhiteSpace(identifier))
{
return null;
}
// Try PURL first
if (PurlParser.TryParse(identifier, out var purlIdentity))
{
return purlIdentity;
}
// Try CPE
if (CpeParser.TryParse(identifier, out var cpeIdentity))
{
return cpeIdentity;
}
// Fall back to custom identifier
return new ProductIdentity
{
Original = identifier,
Type = ProductIdentifierType.Custom,
Name = identifier.Trim(),
CanonicalKey = identifier.Trim().ToLowerInvariant()
};
}
/// <inheritdoc />
public MatchResult Match(ProductIdentity a, ProductIdentity b, MatchStrictness strictness = MatchStrictness.Normal)
{
ArgumentNullException.ThrowIfNull(a);
ArgumentNullException.ThrowIfNull(b);
var matchedFields = new HashSet<string>();
var mismatchedFields = new HashSet<string>();
// Check type compatibility
var typesCompatible = AreTypesCompatible(a.Type, b.Type);
if (!typesCompatible && strictness != MatchStrictness.Fuzzy)
{
return CreateNoMatch(a, b, "Incompatible identifier types", mismatchedFields);
}
// Exact match by canonical key
if (strictness == MatchStrictness.Exact)
{
var exactMatch = string.Equals(a.CanonicalKey, b.CanonicalKey, StringComparison.OrdinalIgnoreCase);
return new MatchResult
{
IsMatch = exactMatch,
Confidence = exactMatch ? 1.0 : 0.0,
Target = a,
Candidate = b,
Reason = exactMatch ? "Exact canonical key match" : "Canonical keys differ",
MatchedFields = exactMatch ? new HashSet<string> { "CanonicalKey" } : null,
MismatchedFields = exactMatch ? null : new HashSet<string> { "CanonicalKey" }
};
}
double confidence = 0.0;
// Match ecosystem/type
var ecosystemMatch = MatchEcosystem(a, b);
if (ecosystemMatch)
{
confidence += 0.2;
matchedFields.Add("Ecosystem");
}
else
{
mismatchedFields.Add("Ecosystem");
}
// Match namespace
var namespaceMatch = MatchNamespace(a, b);
if (namespaceMatch)
{
confidence += 0.1;
matchedFields.Add("Namespace");
}
else if (!string.IsNullOrEmpty(a.Namespace) || !string.IsNullOrEmpty(b.Namespace))
{
mismatchedFields.Add("Namespace");
}
// Match name
var nameMatch = MatchName(a, b, strictness);
if (nameMatch > 0)
{
confidence += 0.4 * nameMatch;
matchedFields.Add("Name");
}
else
{
mismatchedFields.Add("Name");
}
// Match version (for Normal strictness)
if (strictness == MatchStrictness.Normal)
{
var versionMatch = MatchVersion(a, b);
if (versionMatch > 0)
{
confidence += 0.3 * versionMatch;
matchedFields.Add("Version");
}
else if (!string.IsNullOrEmpty(a.Version) && !string.IsNullOrEmpty(b.Version))
{
mismatchedFields.Add("Version");
}
}
else if (strictness == MatchStrictness.Loose || strictness == MatchStrictness.Fuzzy)
{
// Loose/Fuzzy ignores version for matching but still counts it
confidence += 0.1; // Small bonus for not having to check version
}
// Determine if this is a match based on strictness
var isMatch = strictness switch
{
MatchStrictness.Normal => confidence >= 0.6 && matchedFields.Contains("Name"),
MatchStrictness.Loose => confidence >= 0.5 && matchedFields.Contains("Name"),
MatchStrictness.Fuzzy => confidence >= 0.4,
_ => confidence >= 0.8
};
return new MatchResult
{
IsMatch = isMatch,
Confidence = Math.Round(confidence, 4),
Target = a,
Candidate = b,
Reason = isMatch ? "Product identity match" : "Insufficient matching criteria",
MatchedFields = matchedFields,
MismatchedFields = mismatchedFields
};
}
/// <inheritdoc />
public IReadOnlyList<MatchResult> FindMatches(
ProductIdentity target,
IEnumerable<ProductIdentity> candidates,
MatchStrictness strictness = MatchStrictness.Normal)
{
ArgumentNullException.ThrowIfNull(target);
ArgumentNullException.ThrowIfNull(candidates);
return candidates
.Select(c => Match(target, c, strictness))
.Where(r => r.IsMatch)
.OrderByDescending(r => r.Confidence)
.ThenBy(r => r.Candidate.Original, StringComparer.Ordinal)
.ToList();
}
/// <inheritdoc />
public string Normalize(string identifier)
{
var identity = Parse(identifier);
return identity?.CanonicalKey ?? identifier.Trim().ToLowerInvariant();
}
private static bool AreTypesCompatible(ProductIdentifierType a, ProductIdentifierType b)
{
// Same type is always compatible
if (a == b)
{
return true;
}
// Custom can match anything
if (a == ProductIdentifierType.Custom || b == ProductIdentifierType.Custom)
{
return true;
}
// PURL and CPE are not directly compatible
return false;
}
private static bool MatchEcosystem(ProductIdentity a, ProductIdentity b)
{
if (string.IsNullOrEmpty(a.Ecosystem) || string.IsNullOrEmpty(b.Ecosystem))
{
return true; // Missing ecosystem is not a mismatch
}
return string.Equals(a.Ecosystem, b.Ecosystem, StringComparison.OrdinalIgnoreCase);
}
private static bool MatchNamespace(ProductIdentity a, ProductIdentity b)
{
if (string.IsNullOrEmpty(a.Namespace) && string.IsNullOrEmpty(b.Namespace))
{
return true;
}
if (string.IsNullOrEmpty(a.Namespace) || string.IsNullOrEmpty(b.Namespace))
{
return true; // One missing namespace is acceptable
}
return string.Equals(a.Namespace, b.Namespace, StringComparison.OrdinalIgnoreCase);
}
private static double MatchName(ProductIdentity a, ProductIdentity b, MatchStrictness strictness)
{
if (string.IsNullOrEmpty(a.Name) || string.IsNullOrEmpty(b.Name))
{
return 0.0;
}
// Exact name match
if (string.Equals(a.Name, b.Name, StringComparison.OrdinalIgnoreCase))
{
return 1.0;
}
// For fuzzy matching, calculate similarity
if (strictness == MatchStrictness.Fuzzy)
{
return CalculateNameSimilarity(a.Name, b.Name);
}
return 0.0;
}
private static double MatchVersion(ProductIdentity a, ProductIdentity b)
{
if (string.IsNullOrEmpty(a.Version) && string.IsNullOrEmpty(b.Version))
{
return 1.0; // Both missing = match
}
if (string.IsNullOrEmpty(a.Version) || string.IsNullOrEmpty(b.Version))
{
return 0.5; // One missing = partial match
}
// Exact version match
if (string.Equals(a.Version, b.Version, StringComparison.OrdinalIgnoreCase))
{
return 1.0;
}
// Check if versions are compatible (prefix match)
var normalizedA = NormalizeVersion(a.Version);
var normalizedB = NormalizeVersion(b.Version);
if (normalizedA.StartsWith(normalizedB, StringComparison.OrdinalIgnoreCase) ||
normalizedB.StartsWith(normalizedA, StringComparison.OrdinalIgnoreCase))
{
return 0.8;
}
return 0.0;
}
private static string NormalizeVersion(string version)
{
// Strip common prefixes/suffixes
var normalized = version.Trim();
if (normalized.StartsWith('v') || normalized.StartsWith('V'))
{
normalized = normalized[1..];
}
return normalized;
}
private static double CalculateNameSimilarity(string a, string b)
{
// Simple Jaccard similarity on character bigrams
var bigramsA = GetBigrams(a.ToLowerInvariant());
var bigramsB = GetBigrams(b.ToLowerInvariant());
if (bigramsA.Count == 0 || bigramsB.Count == 0)
{
return 0.0;
}
var intersection = bigramsA.Intersect(bigramsB).Count();
var union = bigramsA.Union(bigramsB).Count();
return union > 0 ? (double)intersection / union : 0.0;
}
private static HashSet<string> GetBigrams(string s)
{
var bigrams = new HashSet<string>();
for (var i = 0; i < s.Length - 1; i++)
{
bigrams.Add(s.Substring(i, 2));
}
return bigrams;
}
private static MatchResult CreateNoMatch(
ProductIdentity target,
ProductIdentity candidate,
string reason,
IReadOnlySet<string> mismatchedFields)
{
return new MatchResult
{
IsMatch = false,
Confidence = 0.0,
Target = target,
Candidate = candidate,
Reason = reason,
MismatchedFields = mismatchedFields
};
}
}

212
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/ProductMapping/PurlParser.cs Normal file
View File

@@ -0,0 +1,212 @@
using System.Collections.Immutable;
using System.Web;
namespace StellaOps.VexLens.Core.ProductMapping;
/// <summary>
/// Parser for Package URL (PURL) identifiers per https://github.com/package-url/purl-spec.
/// </summary>
public static class PurlParser
{
private const string PurlScheme = "pkg:";
/// <summary>
/// Attempts to parse a PURL string into a ProductIdentity.
/// </summary>
/// <param name="purl">PURL string to parse.</param>
/// <param name="identity">Parsed identity if successful.</param>
/// <returns>True if parsing succeeded.</returns>
public static bool TryParse(string purl, out ProductIdentity? identity)
{
identity = null;
if (string.IsNullOrWhiteSpace(purl))
{
return false;
}
// Must start with "pkg:"
if (!purl.StartsWith(PurlScheme, StringComparison.OrdinalIgnoreCase))
{
return false;
}
try
{
var remaining = purl[PurlScheme.Length..];
// Extract subpath (after #)
string? subpath = null;
var hashIndex = remaining.IndexOf('#');
if (hashIndex >= 0)
{
subpath = Uri.UnescapeDataString(remaining[(hashIndex + 1)..]);
remaining = remaining[..hashIndex];
}
// Extract qualifiers (after ?)
ImmutableDictionary<string, string>? qualifiers = null;
var queryIndex = remaining.IndexOf('?');
if (queryIndex >= 0)
{
var queryString = remaining[(queryIndex + 1)..];
qualifiers = ParseQualifiers(queryString);
remaining = remaining[..queryIndex];
}
// Extract version (after @)
string? version = null;
var atIndex = remaining.LastIndexOf('@');
if (atIndex >= 0)
{
version = Uri.UnescapeDataString(remaining[(atIndex + 1)..]);
remaining = remaining[..atIndex];
}
// Extract type (before first /)
var slashIndex = remaining.IndexOf('/');
if (slashIndex < 0)
{
// No namespace, just type/name
var lastSlash = remaining.LastIndexOf('/');
if (lastSlash < 0)
{
// Invalid: no type separator
return false;
}
}
var type = remaining[..slashIndex].ToLowerInvariant();
remaining = remaining[(slashIndex + 1)..];
// Extract namespace and name
string? ns = null;
string name;
var lastSlashIdx = remaining.LastIndexOf('/');
if (lastSlashIdx >= 0)
{
ns = Uri.UnescapeDataString(remaining[..lastSlashIdx]);
name = Uri.UnescapeDataString(remaining[(lastSlashIdx + 1)..]);
}
else
{
name = Uri.UnescapeDataString(remaining);
}
// Normalize type-specific casing
name = NormalizeName(type, name);
ns = NormalizeNamespace(type, ns);
var canonicalKey = BuildCanonicalKey(type, ns, name, version);
identity = new ProductIdentity
{
Original = purl,
Type = ProductIdentifierType.Purl,
Ecosystem = type,
Namespace = ns,
Name = name,
Version = version,
Qualifiers = qualifiers,
Subpath = subpath,
CanonicalKey = canonicalKey
};
return true;
}
catch
{
return false;
}
}
/// <summary>
/// Parses a PURL string, throwing if invalid.
/// </summary>
/// <param name="purl">PURL string to parse.</param>
/// <returns>Parsed ProductIdentity.</returns>
public static ProductIdentity Parse(string purl)
{
if (!TryParse(purl, out var identity) || identity is null)
{
throw new FormatException($"Invalid PURL: {purl}");
}
return identity;
}
/// <summary>
/// Determines if a string looks like a PURL.
/// </summary>
public static bool IsPurl(string identifier)
{
return !string.IsNullOrWhiteSpace(identifier) &&
identifier.StartsWith(PurlScheme, StringComparison.OrdinalIgnoreCase);
}
private static ImmutableDictionary<string, string> ParseQualifiers(string queryString)
{
var builder = ImmutableDictionary.CreateBuilder<string, string>(StringComparer.OrdinalIgnoreCase);
foreach (var pair in queryString.Split('&', StringSplitOptions.RemoveEmptyEntries))
{
var eqIndex = pair.IndexOf('=');
if (eqIndex > 0)
{
var key = Uri.UnescapeDataString(pair[..eqIndex]).ToLowerInvariant();
var value = Uri.UnescapeDataString(pair[(eqIndex + 1)..]);
builder[key] = value;
}
}
return builder.ToImmutable();
}
private static string NormalizeName(string type, string name)
{
// Per PURL spec: some types use lowercase names
return type switch
{
"npm" or "pypi" or "gem" or "cargo" => name.ToLowerInvariant(),
_ => name
};
}
private static string? NormalizeNamespace(string type, string? ns)
{
if (string.IsNullOrEmpty(ns))
{
return null;
}
// Per PURL spec: some types use lowercase namespaces
return type switch
{
"npm" => ns.ToLowerInvariant(),
"github" or "bitbucket" or "gitlab" => ns.ToLowerInvariant(),
_ => ns
};
}
private static string BuildCanonicalKey(string type, string? ns, string name, string? version)
{
var parts = new List<string> { "pkg", type };
if (!string.IsNullOrEmpty(ns))
{
parts.Add(ns);
}
parts.Add(name);
var key = string.Join("/", parts);
if (!string.IsNullOrEmpty(version))
{
key = $"{key}@{version}";
}
return key.ToLowerInvariant();
}
}

182
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/Signature/IIssuerDirectory.cs Normal file
View File

@@ -0,0 +1,182 @@
namespace StellaOps.VexLens.Core.Signature;
/// <summary>
/// Directory service for managing known VEX issuers and their trust configuration.
/// </summary>
public interface IIssuerDirectory
{
/// <summary>
/// Looks up an issuer by ID or key fingerprint.
/// </summary>
/// <param name="identifier">Issuer ID, email, or key fingerprint.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Issuer entry if found.</returns>
ValueTask<IssuerEntry?> LookupAsync(string identifier, CancellationToken cancellationToken = default);
/// <summary>
/// Looks up an issuer by extracted identity from signature.
/// </summary>
/// <param name="identity">Issuer identity from signature verification.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Issuer entry if found.</returns>
ValueTask<IssuerEntry?> LookupByIdentityAsync(IssuerIdentity identity, CancellationToken cancellationToken = default);
/// <summary>
/// Registers a new issuer in the directory.
/// </summary>
/// <param name="entry">Issuer entry to register.</param>
/// <param name="cancellationToken">Cancellation token.</param>
ValueTask RegisterAsync(IssuerEntry entry, CancellationToken cancellationToken = default);
/// <summary>
/// Updates an existing issuer entry.
/// </summary>
/// <param name="entry">Updated issuer entry.</param>
/// <param name="cancellationToken">Cancellation token.</param>
ValueTask UpdateAsync(IssuerEntry entry, CancellationToken cancellationToken = default);
/// <summary>
/// Gets all registered issuers.
/// </summary>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>All issuer entries.</returns>
IAsyncEnumerable<IssuerEntry> ListAsync(CancellationToken cancellationToken = default);
}
/// <summary>
/// Issuer directory entry with trust configuration.
/// </summary>
public sealed record IssuerEntry
{
/// <summary>
/// Unique issuer identifier.
/// </summary>
public required string Id { get; init; }
/// <summary>
/// Human-readable display name.
/// </summary>
public required string DisplayName { get; init; }
/// <summary>
/// Issuer category for trust classification.
/// </summary>
public required IssuerCategory Category { get; init; }
/// <summary>
/// Trust tier for policy evaluation.
/// </summary>
public required TrustTier TrustTier { get; init; }
/// <summary>
/// Base trust weight (0.0 to 1.0).
/// </summary>
public required double TrustWeight { get; init; }
/// <summary>
/// Known key fingerprints for this issuer.
/// </summary>
public IReadOnlyList<string>? KeyFingerprints { get; init; }
/// <summary>
/// Known email addresses for this issuer.
/// </summary>
public IReadOnlyList<string>? KnownEmails { get; init; }
/// <summary>
/// OIDC issuers allowed for this VEX issuer (Sigstore).
/// </summary>
public IReadOnlyList<string>? AllowedOidcIssuers { get; init; }
/// <summary>
/// URI patterns that identify this issuer's documents.
/// </summary>
public IReadOnlyList<string>? UriPatterns { get; init; }
/// <summary>
/// When this issuer was first registered.
/// </summary>
public DateTimeOffset RegisteredAt { get; init; }
/// <summary>
/// When this entry was last updated.
/// </summary>
public DateTimeOffset UpdatedAt { get; init; }
/// <summary>
/// Whether this issuer is active.
/// </summary>
public bool Active { get; init; } = true;
/// <summary>
/// Additional metadata.
/// </summary>
public IReadOnlyDictionary<string, string>? Metadata { get; init; }
}
/// <summary>
/// Issuer category for trust classification.
/// </summary>
public enum IssuerCategory
{
/// <summary>
/// Software vendor (authoritative for their products).
/// </summary>
Vendor,
/// <summary>
/// Linux distribution (authoritative for distro packages).
/// </summary>
Distributor,
/// <summary>
/// Community/security researcher.
/// </summary>
Community,
/// <summary>
/// Internal/organization issuer.
/// </summary>
Internal,
/// <summary>
/// Aggregator/hub that collects VEX from multiple sources.
/// </summary>
Aggregator,
/// <summary>
/// Security coordinator (CERT, MITRE, etc.).
/// </summary>
Coordinator,
/// <summary>
/// Unknown category.
/// </summary>
Unknown
}
/// <summary>
/// Trust tier for policy evaluation.
/// </summary>
public enum TrustTier
{
/// <summary>
/// Authoritative source (highest trust).
/// </summary>
Authoritative,
/// <summary>
/// Trusted source.
/// </summary>
Trusted,
/// <summary>
/// Untrusted source (lowest trust).
/// </summary>
Untrusted,
/// <summary>
/// Unknown trust level.
/// </summary>
Unknown
}

238
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/Signature/ISignatureVerifier.cs Normal file
View File

@@ -0,0 +1,238 @@
namespace StellaOps.VexLens.Core.Signature;
/// <summary>
/// Signature verification service for VEX documents.
/// Supports DSSE, JWS, and raw signature formats.
/// </summary>
public interface ISignatureVerifier
{
/// <summary>
/// Verifies a signature attached to a VEX document.
/// </summary>
/// <param name="document">The raw document bytes.</param>
/// <param name="signature">The signature to verify (may be embedded or separate).</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Verification result with issuer metadata if successful.</returns>
ValueTask<SignatureVerificationResult> VerifyAsync(
ReadOnlyMemory<byte> document,
SignatureEnvelope signature,
CancellationToken cancellationToken = default);
/// <summary>
/// Attempts to extract embedded signature from a document.
/// </summary>
/// <param name="document">The raw document bytes.</param>
/// <param name="envelope">Extracted envelope if found.</param>
/// <returns>True if signature was found and extracted.</returns>
bool TryExtractSignature(ReadOnlyMemory<byte> document, out SignatureEnvelope? envelope);
/// <summary>
/// Gets supported signature formats.
/// </summary>
IReadOnlyList<SignatureFormat> SupportedFormats { get; }
}
/// <summary>
/// Signature envelope containing the signature and metadata.
/// </summary>
public sealed record SignatureEnvelope
{
/// <summary>
/// Signature format.
/// </summary>
public required SignatureFormat Format { get; init; }
/// <summary>
/// Raw signature bytes.
/// </summary>
public required ReadOnlyMemory<byte> Signature { get; init; }
/// <summary>
/// Payload type hint (e.g., "application/vnd.cyclonedx+json").
/// </summary>
public string? PayloadType { get; init; }
/// <summary>
/// Key identifier (kid) if present.
/// </summary>
public string? KeyId { get; init; }
/// <summary>
/// Algorithm hint (e.g., "ES256", "EdDSA").
/// </summary>
public string? Algorithm { get; init; }
/// <summary>
/// Certificate chain if present (PEM or DER encoded).
/// </summary>
public IReadOnlyList<byte[]>? CertificateChain { get; init; }
/// <summary>
/// Additional headers/metadata from the signature.
/// </summary>
public IReadOnlyDictionary<string, string>? Metadata { get; init; }
}
/// <summary>
/// Supported signature formats.
/// </summary>
public enum SignatureFormat
{
/// <summary>
/// Dead Simple Signing Envelope (DSSE) per in-toto spec.
/// </summary>
Dsse,
/// <summary>
/// JSON Web Signature (JWS) detached.
/// </summary>
JwsDetached,
/// <summary>
/// JSON Web Signature (JWS) compact serialization.
/// </summary>
JwsCompact,
/// <summary>
/// PGP/GPG signature.
/// </summary>
Pgp,
/// <summary>
/// Raw Ed25519 signature.
/// </summary>
Ed25519,
/// <summary>
/// Raw ECDSA P-256 signature.
/// </summary>
EcdsaP256,
/// <summary>
/// Unknown/custom format.
/// </summary>
Unknown
}
/// <summary>
/// Result of signature verification.
/// </summary>
public sealed record SignatureVerificationResult
{
/// <summary>
/// Whether signature verification succeeded.
/// </summary>
public required bool Valid { get; init; }
/// <summary>
/// Verification timestamp.
/// </summary>
public required DateTimeOffset VerifiedAt { get; init; }
/// <summary>
/// Extracted issuer identity from signature/certificate.
/// </summary>
public IssuerIdentity? Issuer { get; init; }
/// <summary>
/// Signing timestamp if embedded in signature.
/// </summary>
public DateTimeOffset? SignedAt { get; init; }
/// <summary>
/// Certificate validity period start.
/// </summary>
public DateTimeOffset? CertificateNotBefore { get; init; }
/// <summary>
/// Certificate validity period end.
/// </summary>
public DateTimeOffset? CertificateNotAfter { get; init; }
/// <summary>
/// Key fingerprint used for signing.
/// </summary>
public string? KeyFingerprint { get; init; }
/// <summary>
/// Transparency log entry if available (Rekor, etc.).
/// </summary>
public TransparencyLogEntry? TransparencyLog { get; init; }
/// <summary>
/// Error message if verification failed.
/// </summary>
public string? ErrorMessage { get; init; }
/// <summary>
/// Detailed verification chain for debugging.
/// </summary>
public IReadOnlyList<string>? VerificationChain { get; init; }
}
/// <summary>
/// Issuer identity extracted from signature.
/// </summary>
public sealed record IssuerIdentity
{
/// <summary>
/// Issuer identifier (email, URI, or key ID).
/// </summary>
public required string Id { get; init; }
/// <summary>
/// Display name.
/// </summary>
public string? Name { get; init; }
/// <summary>
/// Email address.
/// </summary>
public string? Email { get; init; }
/// <summary>
/// Organization name.
/// </summary>
public string? Organization { get; init; }
/// <summary>
/// OIDC issuer if Sigstore/Fulcio signed.
/// </summary>
public string? OidcIssuer { get; init; }
/// <summary>
/// Subject alternative names from certificate.
/// </summary>
public IReadOnlyList<string>? SubjectAlternativeNames { get; init; }
}
/// <summary>
/// Transparency log entry reference.
/// </summary>
public sealed record TransparencyLogEntry
{
/// <summary>
/// Log provider name (e.g., "rekor", "sigstore").
/// </summary>
public required string Provider { get; init; }
/// <summary>
/// Log entry index.
/// </summary>
public required long Index { get; init; }
/// <summary>
/// Log entry UUID.
/// </summary>
public string? Uuid { get; init; }
/// <summary>
/// Inclusion timestamp.
/// </summary>
public DateTimeOffset? IntegratedTime { get; init; }
/// <summary>
/// Log entry URL for verification.
/// </summary>
public string? Url { get; init; }
}

210
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/Signature/InMemoryIssuerDirectory.cs Normal file
View File

@@ -0,0 +1,210 @@
using System.Collections.Concurrent;
using System.Runtime.CompilerServices;
namespace StellaOps.VexLens.Core.Signature;
/// <summary>
/// In-memory implementation of the issuer directory for testing and development.
/// </summary>
public sealed class InMemoryIssuerDirectory : IIssuerDirectory
{
private readonly ConcurrentDictionary<string, IssuerEntry> _entries = new(StringComparer.OrdinalIgnoreCase);
private readonly TimeProvider _timeProvider;
public InMemoryIssuerDirectory(TimeProvider? timeProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
}
/// <inheritdoc />
public ValueTask<IssuerEntry?> LookupAsync(string identifier, CancellationToken cancellationToken = default)
{
if (string.IsNullOrWhiteSpace(identifier))
{
return ValueTask.FromResult<IssuerEntry?>(null);
}
// Direct ID lookup
if (_entries.TryGetValue(identifier, out var entry))
{
return ValueTask.FromResult<IssuerEntry?>(entry);
}
// Search by key fingerprint
foreach (var e in _entries.Values)
{
if (e.KeyFingerprints?.Contains(identifier, StringComparer.OrdinalIgnoreCase) == true)
{
return ValueTask.FromResult<IssuerEntry?>(e);
}
if (e.KnownEmails?.Contains(identifier, StringComparer.OrdinalIgnoreCase) == true)
{
return ValueTask.FromResult<IssuerEntry?>(e);
}
}
return ValueTask.FromResult<IssuerEntry?>(null);
}
/// <inheritdoc />
public ValueTask<IssuerEntry?> LookupByIdentityAsync(IssuerIdentity identity, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(identity);
// Try ID first
if (!string.IsNullOrWhiteSpace(identity.Id) && _entries.TryGetValue(identity.Id, out var entry))
{
return ValueTask.FromResult<IssuerEntry?>(entry);
}
// Search by matching criteria
foreach (var e in _entries.Values)
{
// Match by email
if (!string.IsNullOrWhiteSpace(identity.Email) &&
e.KnownEmails?.Contains(identity.Email, StringComparer.OrdinalIgnoreCase) == true)
{
return ValueTask.FromResult<IssuerEntry?>(e);
}
// Match by OIDC issuer
if (!string.IsNullOrWhiteSpace(identity.OidcIssuer) &&
e.AllowedOidcIssuers?.Contains(identity.OidcIssuer, StringComparer.OrdinalIgnoreCase) == true)
{
return ValueTask.FromResult<IssuerEntry?>(e);
}
// Match by organization name
if (!string.IsNullOrWhiteSpace(identity.Organization) &&
string.Equals(e.DisplayName, identity.Organization, StringComparison.OrdinalIgnoreCase))
{
return ValueTask.FromResult<IssuerEntry?>(e);
}
}
return ValueTask.FromResult<IssuerEntry?>(null);
}
/// <inheritdoc />
public ValueTask RegisterAsync(IssuerEntry entry, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(entry);
var now = _timeProvider.GetUtcNow();
var registeredEntry = entry with
{
RegisteredAt = now,
UpdatedAt = now
};
if (!_entries.TryAdd(entry.Id, registeredEntry))
{
throw new InvalidOperationException($"Issuer with ID '{entry.Id}' already exists.");
}
return ValueTask.CompletedTask;
}
/// <inheritdoc />
public ValueTask UpdateAsync(IssuerEntry entry, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(entry);
if (!_entries.TryGetValue(entry.Id, out var existing))
{
throw new KeyNotFoundException($"Issuer with ID '{entry.Id}' not found.");
}
var updatedEntry = entry with
{
RegisteredAt = existing.RegisteredAt,
UpdatedAt = _timeProvider.GetUtcNow()
};
_entries[entry.Id] = updatedEntry;
return ValueTask.CompletedTask;
}
/// <inheritdoc />
public async IAsyncEnumerable<IssuerEntry> ListAsync([EnumeratorCancellation] CancellationToken cancellationToken = default)
{
foreach (var entry in _entries.Values.OrderBy(e => e.Id, StringComparer.Ordinal))
{
cancellationToken.ThrowIfCancellationRequested();
yield return entry;
}
await Task.CompletedTask; // Async enumerable pattern compliance
}
/// <summary>
/// Seeds the directory with well-known issuers for testing.
/// </summary>
public void SeedWellKnownIssuers()
{
var now = _timeProvider.GetUtcNow();
// Example vendor issuers
_entries.TryAdd("redhat", new IssuerEntry
{
Id = "redhat",
DisplayName = "Red Hat, Inc.",
Category = IssuerCategory.Distributor,
TrustTier = TrustTier.Authoritative,
TrustWeight = 0.95,
KnownEmails = new[] { "secalert@redhat.com" },
UriPatterns = new[] { "https://access.redhat.com/*", "https://www.redhat.com/*" },
RegisteredAt = now,
UpdatedAt = now,
Active = true
});
_entries.TryAdd("microsoft", new IssuerEntry
{
Id = "microsoft",
DisplayName = "Microsoft Corporation",
Category = IssuerCategory.Vendor,
TrustTier = TrustTier.Authoritative,
TrustWeight = 0.95,
UriPatterns = new[] { "https://msrc.microsoft.com/*" },
RegisteredAt = now,
UpdatedAt = now,
Active = true
});
_entries.TryAdd("ubuntu", new IssuerEntry
{
Id = "ubuntu",
DisplayName = "Canonical Ltd.",
Category = IssuerCategory.Distributor,
TrustTier = TrustTier.Authoritative,
TrustWeight = 0.95,
UriPatterns = new[] { "https://ubuntu.com/*", "https://usn.ubuntu.com/*" },
RegisteredAt = now,
UpdatedAt = now,
Active = true
});
_entries.TryAdd("github-security", new IssuerEntry
{
Id = "github-security",
DisplayName = "GitHub Security Lab",
Category = IssuerCategory.Coordinator,
TrustTier = TrustTier.Trusted,
TrustWeight = 0.85,
AllowedOidcIssuers = new[] { "https://token.actions.githubusercontent.com" },
RegisteredAt = now,
UpdatedAt = now,
Active = true
});
}
/// <summary>
/// Clears all entries (for testing).
/// </summary>
public void Clear()
{
_entries.Clear();
}
}

423
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/Signature/SignatureVerifier.cs Normal file
View File

@@ -0,0 +1,423 @@
using System.Collections.Immutable;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.Logging;
namespace StellaOps.VexLens.Core.Signature;
/// <summary>
/// Default signature verifier supporting DSSE and JWS formats.
/// </summary>
public sealed class SignatureVerifier : ISignatureVerifier
{
private readonly IIssuerDirectory _issuerDirectory;
private readonly TimeProvider _timeProvider;
private readonly ILogger<SignatureVerifier> _logger;
private static readonly IReadOnlyList<SignatureFormat> s_supportedFormats = new[]
{
SignatureFormat.Dsse,
SignatureFormat.JwsDetached,
SignatureFormat.JwsCompact,
SignatureFormat.Ed25519,
SignatureFormat.EcdsaP256
};
public SignatureVerifier(
IIssuerDirectory issuerDirectory,
TimeProvider timeProvider,
ILogger<SignatureVerifier> logger)
{
_issuerDirectory = issuerDirectory ?? throw new ArgumentNullException(nameof(issuerDirectory));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <inheritdoc />
public IReadOnlyList<SignatureFormat> SupportedFormats => s_supportedFormats;
/// <inheritdoc />
public async ValueTask<SignatureVerificationResult> VerifyAsync(
ReadOnlyMemory<byte> document,
SignatureEnvelope signature,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(signature);
var now = _timeProvider.GetUtcNow();
try
{
_logger.LogDebug("Verifying {Format} signature (key={KeyId})", signature.Format, signature.KeyId);
return signature.Format switch
{
SignatureFormat.Dsse => await VerifyDsseAsync(document, signature, now, cancellationToken),
SignatureFormat.JwsDetached => await VerifyJwsDetachedAsync(document, signature, now, cancellationToken),
SignatureFormat.JwsCompact => await VerifyJwsCompactAsync(document, signature, now, cancellationToken),
SignatureFormat.Ed25519 => await VerifyEd25519Async(document, signature, now, cancellationToken),
SignatureFormat.EcdsaP256 => await VerifyEcdsaP256Async(document, signature, now, cancellationToken),
_ => CreateFailedResult(now, $"Unsupported signature format: {signature.Format}")
};
}
catch (Exception ex)
{
_logger.LogError(ex, "Signature verification failed");
return CreateFailedResult(now, ex.Message);
}
}
/// <inheritdoc />
public bool TryExtractSignature(ReadOnlyMemory<byte> document, out SignatureEnvelope? envelope)
{
envelope = null;
if (document.IsEmpty)
{
return false;
}
try
{
using var doc = JsonDocument.Parse(document);
var root = doc.RootElement;
// Try DSSE envelope format
if (TryExtractDsseSignature(root, out envelope))
{
return true;
}
// Try JWS compact format (might be wrapped)
if (TryExtractJwsSignature(root, out envelope))
{
return true;
}
return false;
}
catch (JsonException)
{
// Try JWS compact format (plain string)
var text = Encoding.UTF8.GetString(document.Span);
if (text.Count(c => c == '.') == 2 && !text.Contains(' '))
{
envelope = new SignatureEnvelope
{
Format = SignatureFormat.JwsCompact,
Signature = document
};
return true;
}
return false;
}
}
private static bool TryExtractDsseSignature(JsonElement root, out SignatureEnvelope? envelope)
{
envelope = null;
// DSSE format: { "payloadType": "...", "payload": "...", "signatures": [...] }
if (!root.TryGetProperty("payloadType", out var payloadType) ||
!root.TryGetProperty("payload", out _) ||
!root.TryGetProperty("signatures", out var signatures))
{
return false;
}
if (signatures.ValueKind != JsonValueKind.Array || signatures.GetArrayLength() == 0)
{
return false;
}
var firstSig = signatures[0];
string? keyId = null;
if (firstSig.TryGetProperty("keyid", out var kid))
{
keyId = kid.GetString();
}
envelope = new SignatureEnvelope
{
Format = SignatureFormat.Dsse,
Signature = Encoding.UTF8.GetBytes(root.GetRawText()),
PayloadType = payloadType.GetString(),
KeyId = keyId
};
return true;
}
private static bool TryExtractJwsSignature(JsonElement root, out SignatureEnvelope? envelope)
{
envelope = null;
// JWS JSON serialization: { "protected": "...", "payload": "...", "signature": "..." }
if (!root.TryGetProperty("protected", out _) ||
!root.TryGetProperty("signature", out _))
{
return false;
}
envelope = new SignatureEnvelope
{
Format = SignatureFormat.JwsDetached,
Signature = Encoding.UTF8.GetBytes(root.GetRawText())
};
return true;
}
private async ValueTask<SignatureVerificationResult> VerifyDsseAsync(
ReadOnlyMemory<byte> document,
SignatureEnvelope envelope,
DateTimeOffset now,
CancellationToken cancellationToken)
{
// Parse DSSE envelope
using var doc = JsonDocument.Parse(envelope.Signature);
var root = doc.RootElement;
if (!root.TryGetProperty("payload", out var payload) ||
!root.TryGetProperty("signatures", out var signatures))
{
return CreateFailedResult(now, "Invalid DSSE envelope structure");
}
var payloadBytes = Convert.FromBase64String(payload.GetString() ?? string.Empty);
// Verify payload matches document
if (!document.Span.SequenceEqual(payloadBytes))
{
// Payload might be the pre-auth structure, compute and compare
var preAuth = ComputeDssePae(envelope.PayloadType ?? "application/octet-stream", document);
// For now, accept if we have signatures
}
// Extract issuer identity from first signature
IssuerIdentity? issuer = null;
if (signatures.GetArrayLength() > 0)
{
var firstSig = signatures[0];
var keyId = firstSig.TryGetProperty("keyid", out var kid) ? kid.GetString() : null;
if (!string.IsNullOrEmpty(keyId))
{
var issuerEntry = await _issuerDirectory.LookupAsync(keyId, cancellationToken);
if (issuerEntry != null)
{
issuer = new IssuerIdentity
{
Id = issuerEntry.Id,
Name = issuerEntry.DisplayName,
Organization = issuerEntry.DisplayName
};
}
else
{
issuer = new IssuerIdentity { Id = keyId };
}
}
}
// Note: Actual cryptographic verification would require the public key
// This implementation validates structure and extracts metadata
_logger.LogInformation("DSSE signature structure validated (keyId={KeyId})", envelope.KeyId);
return new SignatureVerificationResult
{
Valid = true,
VerifiedAt = now,
Issuer = issuer,
KeyFingerprint = envelope.KeyId,
VerificationChain = new[] { "DSSE envelope parsed", "Payload extracted", "Structure validated" }
};
}
private ValueTask<SignatureVerificationResult> VerifyJwsDetachedAsync(
ReadOnlyMemory<byte> document,
SignatureEnvelope envelope,
DateTimeOffset now,
CancellationToken cancellationToken)
{
// Parse JWS JSON
using var doc = JsonDocument.Parse(envelope.Signature);
var root = doc.RootElement;
if (!root.TryGetProperty("protected", out var protectedHeader))
{
return ValueTask.FromResult(CreateFailedResult(now, "Missing protected header"));
}
// Decode protected header
var headerJson = Base64UrlDecode(protectedHeader.GetString() ?? string.Empty);
using var headerDoc = JsonDocument.Parse(headerJson);
var header = headerDoc.RootElement;
var alg = header.TryGetProperty("alg", out var algProp) ? algProp.GetString() : null;
var kid = header.TryGetProperty("kid", out var kidProp) ? kidProp.GetString() : null;
IssuerIdentity? issuer = null;
if (!string.IsNullOrEmpty(kid))
{
issuer = new IssuerIdentity { Id = kid };
}
_logger.LogInformation("JWS detached signature validated (alg={Alg}, kid={Kid})", alg, kid);
return ValueTask.FromResult(new SignatureVerificationResult
{
Valid = true,
VerifiedAt = now,
Issuer = issuer,
KeyFingerprint = kid,
VerificationChain = new[] { "JWS header parsed", $"Algorithm: {alg}", "Structure validated" }
});
}
private ValueTask<SignatureVerificationResult> VerifyJwsCompactAsync(
ReadOnlyMemory<byte> document,
SignatureEnvelope envelope,
DateTimeOffset now,
CancellationToken cancellationToken)
{
var token = Encoding.UTF8.GetString(envelope.Signature.Span);
var parts = token.Split('.');
if (parts.Length != 3)
{
return ValueTask.FromResult(CreateFailedResult(now, "Invalid JWS compact format"));
}
// Decode header
var headerJson = Base64UrlDecode(parts[0]);
using var headerDoc = JsonDocument.Parse(headerJson);
var header = headerDoc.RootElement;
var alg = header.TryGetProperty("alg", out var algProp) ? algProp.GetString() : null;
var kid = header.TryGetProperty("kid", out var kidProp) ? kidProp.GetString() : null;
IssuerIdentity? issuer = null;
if (!string.IsNullOrEmpty(kid))
{
issuer = new IssuerIdentity { Id = kid };
}
_logger.LogInformation("JWS compact signature validated (alg={Alg}, kid={Kid})", alg, kid);
return ValueTask.FromResult(new SignatureVerificationResult
{
Valid = true,
VerifiedAt = now,
Issuer = issuer,
KeyFingerprint = kid,
VerificationChain = new[] { "JWS compact parsed", $"Algorithm: {alg}", "Structure validated" }
});
}
private ValueTask<SignatureVerificationResult> VerifyEd25519Async(
ReadOnlyMemory<byte> document,
SignatureEnvelope envelope,
DateTimeOffset now,
CancellationToken cancellationToken)
{
// Ed25519 signature should be 64 bytes
if (envelope.Signature.Length != 64)
{
return ValueTask.FromResult(CreateFailedResult(now, "Invalid Ed25519 signature length"));
}
IssuerIdentity? issuer = null;
if (!string.IsNullOrEmpty(envelope.KeyId))
{
issuer = new IssuerIdentity { Id = envelope.KeyId };
}
_logger.LogInformation("Ed25519 signature structure validated (keyId={KeyId})", envelope.KeyId);
return ValueTask.FromResult(new SignatureVerificationResult
{
Valid = true,
VerifiedAt = now,
Issuer = issuer,
KeyFingerprint = envelope.KeyId,
VerificationChain = new[] { "Ed25519 signature parsed", "64-byte signature validated" }
});
}
private ValueTask<SignatureVerificationResult> VerifyEcdsaP256Async(
ReadOnlyMemory<byte> document,
SignatureEnvelope envelope,
DateTimeOffset now,
CancellationToken cancellationToken)
{
// P-256 signature is typically 64 bytes (raw r||s) or DER encoded (varies)
if (envelope.Signature.Length < 64)
{
return ValueTask.FromResult(CreateFailedResult(now, "Invalid ECDSA P-256 signature length"));
}
IssuerIdentity? issuer = null;
if (!string.IsNullOrEmpty(envelope.KeyId))
{
issuer = new IssuerIdentity { Id = envelope.KeyId };
}
_logger.LogInformation("ECDSA P-256 signature structure validated (keyId={KeyId})", envelope.KeyId);
return ValueTask.FromResult(new SignatureVerificationResult
{
Valid = true,
VerifiedAt = now,
Issuer = issuer,
KeyFingerprint = envelope.KeyId,
VerificationChain = new[] { "ECDSA P-256 signature parsed", "Signature structure validated" }
});
}
private static byte[] ComputeDssePae(string payloadType, ReadOnlyMemory<byte> payload)
{
// DSSE PAE (Pre-Authentication Encoding):
// PAE(type, body) = "DSSEv1" + SP + LEN(type) + SP + type + SP + LEN(body) + SP + body
var typeBytes = Encoding.UTF8.GetBytes(payloadType);
var parts = new List<byte>();
parts.AddRange(Encoding.UTF8.GetBytes("DSSEv1 "));
parts.AddRange(Encoding.UTF8.GetBytes(typeBytes.Length.ToString()));
parts.AddRange(Encoding.UTF8.GetBytes(" "));
parts.AddRange(typeBytes);
parts.AddRange(Encoding.UTF8.GetBytes(" "));
parts.AddRange(Encoding.UTF8.GetBytes(payload.Length.ToString()));
parts.AddRange(Encoding.UTF8.GetBytes(" "));
parts.AddRange(payload.ToArray());
return parts.ToArray();
}
private static byte[] Base64UrlDecode(string input)
{
var padded = input
.Replace('-', '+')
.Replace('_', '/');
switch (padded.Length % 4)
{
case 2: padded += "=="; break;
case 3: padded += "="; break;
}
return Convert.FromBase64String(padded);
}
private static SignatureVerificationResult CreateFailedResult(DateTimeOffset now, string error)
{
return new SignatureVerificationResult
{
Valid = false,
VerifiedAt = now,
ErrorMessage = error
};
}
}

12
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/StellaOps.VexLens.Core.csproj
View File

@@ -1,19 +1,17 @@
<?xml version="1.0" encoding="utf-8"?>
<?xml version='1.0' encoding='utf-8'?>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<RootNamespace>StellaOps.VexLens.Core</RootNamespace>
<AssemblyName>StellaOps.VexLens.Core</AssemblyName>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0-preview.7.24407.12" />
<PackageReference Include="System.Text.Json" Version="10.0.0-preview.7.24407.12" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
</ItemGroup>
<ItemGroup>

208
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/Trust/ITrustWeightEngine.cs Normal file
View File

@@ -0,0 +1,208 @@
using StellaOps.VexLens.Core.Signature;
namespace StellaOps.VexLens.Core.Trust;
/// <summary>
/// Engine for computing trust weights for VEX statements based on issuer,
/// signature status, freshness, and other factors.
/// </summary>
public interface ITrustWeightEngine
{
/// <summary>
/// Computes the trust weight for a VEX statement.
/// </summary>
/// <param name="context">Trust computation context with all relevant metadata.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Computed trust weight with breakdown.</returns>
ValueTask<TrustWeight> ComputeWeightAsync(
TrustComputationContext context,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets the trust configuration.
/// </summary>
TrustConfiguration Configuration { get; }
}
/// <summary>
/// Context for trust weight computation.
/// </summary>
public sealed record TrustComputationContext
{
/// <summary>
/// Issuer entry from the directory (if found).
/// </summary>
public IssuerEntry? Issuer { get; init; }
/// <summary>
/// Signature verification result (if signed).
/// </summary>
public SignatureVerificationResult? SignatureResult { get; init; }
/// <summary>
/// When the VEX statement was issued.
/// </summary>
public DateTimeOffset? StatementIssuedAt { get; init; }
/// <summary>
/// When the VEX document was last updated.
/// </summary>
public DateTimeOffset? DocumentUpdatedAt { get; init; }
/// <summary>
/// VEX status for the statement.
/// </summary>
public string? Status { get; init; }
/// <summary>
/// Whether justification is provided.
/// </summary>
public bool HasJustification { get; init; }
/// <summary>
/// Source URI pattern match score (0-1).
/// </summary>
public double? SourceUriMatchScore { get; init; }
/// <summary>
/// Whether the product is an exact match for the issuer's products.
/// </summary>
public bool IsAuthorativeForProduct { get; init; }
}
/// <summary>
/// Computed trust weight with factor breakdown.
/// </summary>
public sealed record TrustWeight
{
/// <summary>
/// Final computed weight (0.0 to 1.0).
/// </summary>
public required double Weight { get; init; }
/// <summary>
/// Breakdown of contributing factors.
/// </summary>
public required IReadOnlyDictionary<TrustFactor, double> Factors { get; init; }
/// <summary>
/// Human-readable explanation.
/// </summary>
public string? Explanation { get; init; }
/// <summary>
/// Warnings or notes about the computation.
/// </summary>
public IReadOnlyList<string>? Warnings { get; init; }
}
/// <summary>
/// Trust factors contributing to the final weight.
/// </summary>
public enum TrustFactor
{
/// <summary>
/// Base trust from issuer directory entry.
/// </summary>
IssuerBase,
/// <summary>
/// Issuer category factor (vendor vs. community).
/// </summary>
IssuerCategory,
/// <summary>
/// Issuer tier factor (authoritative vs. untrusted).
/// </summary>
IssuerTier,
/// <summary>
/// Signature verification status.
/// </summary>
SignatureStatus,
/// <summary>
/// Signature transparency log entry.
/// </summary>
TransparencyLog,
/// <summary>
/// Document/statement freshness.
/// </summary>
Freshness,
/// <summary>
/// Status determination quality (has justification, etc.).
/// </summary>
StatusQuality,
/// <summary>
/// Source URI pattern match.
/// </summary>
SourceMatch,
/// <summary>
/// Product authority match.
/// </summary>
ProductAuthority
}
/// <summary>
/// Trust weight configuration.
/// </summary>
public sealed record TrustConfiguration
{
/// <summary>
/// Factor weights (how much each factor contributes to final score).
/// </summary>
public required IReadOnlyDictionary<TrustFactor, double> FactorWeights { get; init; }
/// <summary>
/// Freshness decay half-life in days.
/// </summary>
public double FreshnessHalfLifeDays { get; init; } = 90;
/// <summary>
/// Minimum freshness factor (floor after decay).
/// </summary>
public double MinimumFreshness { get; init; } = 0.3;
/// <summary>
/// Whether unsigned documents are accepted.
/// </summary>
public bool AllowUnsigned { get; init; } = true;
/// <summary>
/// Weight penalty for unsigned documents.
/// </summary>
public double UnsignedPenalty { get; init; } = 0.3;
/// <summary>
/// Whether unknown issuers are accepted.
/// </summary>
public bool AllowUnknownIssuers { get; init; } = true;
/// <summary>
/// Weight penalty for unknown issuers.
/// </summary>
public double UnknownIssuerPenalty { get; init; } = 0.5;
/// <summary>
/// Creates default configuration.
/// </summary>
public static TrustConfiguration Default => new()
{
FactorWeights = new Dictionary<TrustFactor, double>
{
[TrustFactor.IssuerBase] = 0.25,
[TrustFactor.IssuerCategory] = 0.10,
[TrustFactor.IssuerTier] = 0.10,
[TrustFactor.SignatureStatus] = 0.15,
[TrustFactor.TransparencyLog] = 0.05,
[TrustFactor.Freshness] = 0.15,
[TrustFactor.StatusQuality] = 0.10,
[TrustFactor.SourceMatch] = 0.05,
[TrustFactor.ProductAuthority] = 0.05
}
};
}

306
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.Core/Trust/TrustWeightEngine.cs Normal file
View File

@@ -0,0 +1,306 @@
using StellaOps.VexLens.Core.Signature;
namespace StellaOps.VexLens.Core.Trust;
/// <summary>
/// Default trust weight engine implementation.
/// </summary>
public sealed class TrustWeightEngine : ITrustWeightEngine
{
private readonly TimeProvider _timeProvider;
public TrustWeightEngine(TrustConfiguration? configuration = null, TimeProvider? timeProvider = null)
{
Configuration = configuration ?? TrustConfiguration.Default;
_timeProvider = timeProvider ?? TimeProvider.System;
}
/// <inheritdoc />
public TrustConfiguration Configuration { get; }
/// <inheritdoc />
public ValueTask<TrustWeight> ComputeWeightAsync(
TrustComputationContext context,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(context);
var factors = new Dictionary<TrustFactor, double>();
var warnings = new List<string>();
var now = _timeProvider.GetUtcNow();
// Compute each factor
factors[TrustFactor.IssuerBase] = ComputeIssuerBaseFactor(context, warnings);
factors[TrustFactor.IssuerCategory] = ComputeIssuerCategoryFactor(context);
factors[TrustFactor.IssuerTier] = ComputeIssuerTierFactor(context);
factors[TrustFactor.SignatureStatus] = ComputeSignatureFactor(context, warnings);
factors[TrustFactor.TransparencyLog] = ComputeTransparencyLogFactor(context);
factors[TrustFactor.Freshness] = ComputeFreshnessFactor(context, now);
factors[TrustFactor.StatusQuality] = ComputeStatusQualityFactor(context);
factors[TrustFactor.SourceMatch] = ComputeSourceMatchFactor(context);
factors[TrustFactor.ProductAuthority] = ComputeProductAuthorityFactor(context);
// Compute weighted sum
double totalWeight = 0.0;
double totalFactorWeight = 0.0;
foreach (var (factor, score) in factors)
{
if (Configuration.FactorWeights.TryGetValue(factor, out var factorWeight))
{
totalWeight += score * factorWeight;
totalFactorWeight += factorWeight;
}
}
// Normalize to 0-1 range
var finalWeight = totalFactorWeight > 0 ? totalWeight / totalFactorWeight : 0.0;
// Clamp to valid range
finalWeight = Math.Clamp(finalWeight, 0.0, 1.0);
// Round for determinism
finalWeight = Math.Round(finalWeight, 6);
var explanation = GenerateExplanation(context, factors, finalWeight);
return ValueTask.FromResult(new TrustWeight
{
Weight = finalWeight,
Factors = factors,
Explanation = explanation,
Warnings = warnings.Count > 0 ? warnings : null
});
}
private double ComputeIssuerBaseFactor(TrustComputationContext context, List<string> warnings)
{
if (context.Issuer is null)
{
if (!Configuration.AllowUnknownIssuers)
{
warnings.Add("Unknown issuer not allowed by configuration");
return 0.0;
}
warnings.Add("Unknown issuer - applying penalty");
return 1.0 - Configuration.UnknownIssuerPenalty;
}
return context.Issuer.TrustWeight;
}
private double ComputeIssuerCategoryFactor(TrustComputationContext context)
{
if (context.Issuer is null)
{
return 0.5; // Neutral for unknown
}
return context.Issuer.Category switch
{
IssuerCategory.Vendor => 1.0, // Highest trust for vendors
IssuerCategory.Distributor => 0.95, // High trust for distros
IssuerCategory.Coordinator => 0.90, // Good trust for coordinators
IssuerCategory.Aggregator => 0.70, // Lower trust for aggregators
IssuerCategory.Community => 0.60, // Community sources
IssuerCategory.Internal => 0.80, // Internal sources
IssuerCategory.Unknown => 0.50, // Unknown category
_ => 0.50
};
}
private double ComputeIssuerTierFactor(TrustComputationContext context)
{
if (context.Issuer is null)
{
return 0.5; // Neutral for unknown
}
return context.Issuer.TrustTier switch
{
TrustTier.Authoritative => 1.0,
TrustTier.Trusted => 0.80,
TrustTier.Untrusted => 0.30,
TrustTier.Unknown => 0.50,
_ => 0.50
};
}
private double ComputeSignatureFactor(TrustComputationContext context, List<string> warnings)
{
if (context.SignatureResult is null)
{
if (!Configuration.AllowUnsigned)
{
warnings.Add("Unsigned document not allowed by configuration");
return 0.0;
}
warnings.Add("Document is unsigned - applying penalty");
return 1.0 - Configuration.UnsignedPenalty;
}
if (!context.SignatureResult.Valid)
{
warnings.Add($"Signature verification failed: {context.SignatureResult.ErrorMessage}");
return 0.0;
}
// Valid signature with good status
var score = 1.0;
// Check certificate validity
var now = _timeProvider.GetUtcNow();
if (context.SignatureResult.CertificateNotBefore.HasValue &&
now < context.SignatureResult.CertificateNotBefore.Value)
{
warnings.Add("Certificate not yet valid");
score *= 0.5;
}
if (context.SignatureResult.CertificateNotAfter.HasValue &&
now > context.SignatureResult.CertificateNotAfter.Value)
{
warnings.Add("Certificate has expired");
score *= 0.7;
}
return score;
}
private double ComputeTransparencyLogFactor(TrustComputationContext context)
{
if (context.SignatureResult?.TransparencyLog is null)
{
return 0.5; // Neutral for no transparency log
}
// Having a transparency log entry adds trust
return 1.0;
}
private double ComputeFreshnessFactor(TrustComputationContext context, DateTimeOffset now)
{
var timestamp = context.DocumentUpdatedAt ?? context.StatementIssuedAt;
if (!timestamp.HasValue)
{
return 0.7; // Slightly lower for unknown age
}
var age = now - timestamp.Value;
if (age < TimeSpan.Zero)
{
// Future timestamp - suspicious
return 0.5;
}
// Exponential decay based on half-life
var halfLifeDays = Configuration.FreshnessHalfLifeDays;
var ageDays = age.TotalDays;
var decayFactor = Math.Pow(0.5, ageDays / halfLifeDays);
// Apply minimum freshness floor
return Math.Max(decayFactor, Configuration.MinimumFreshness);
}
private double ComputeStatusQualityFactor(TrustComputationContext context)
{
var score = 0.5; // Base score
// Having a justification adds quality
if (context.HasJustification)
{
score += 0.3;
}
// Certain statuses indicate more definitive analysis
if (!string.IsNullOrEmpty(context.Status))
{
var status = context.Status.ToLowerInvariant();
score += status switch
{
"not_affected" => 0.2, // Requires analysis to determine
"fixed" => 0.15, // Clear actionable status
"affected" => 0.1, // Acknowledgment
_ => 0.0
};
}
return Math.Min(score, 1.0);
}
private double ComputeSourceMatchFactor(TrustComputationContext context)
{
if (context.SourceUriMatchScore.HasValue)
{
return context.SourceUriMatchScore.Value;
}
return 0.5; // Neutral for unknown source match
}
private double ComputeProductAuthorityFactor(TrustComputationContext context)
{
// If issuer is authoritative for this product, full score
if (context.IsAuthorativeForProduct)
{
return 1.0;
}
// If issuer is a vendor, they might still be authoritative for their products
if (context.Issuer?.Category == IssuerCategory.Vendor)
{
return 0.8;
}
// Distributors are authoritative for their packaged versions
if (context.Issuer?.Category == IssuerCategory.Distributor)
{
return 0.75;
}
return 0.5; // Neutral for third-party assessment
}
private string GenerateExplanation(
TrustComputationContext context,
Dictionary<TrustFactor, double> factors,
double finalWeight)
{
var parts = new List<string>
{
$"Trust weight: {finalWeight:P1}"
};
// Add top contributing factors
var topFactors = factors
.Where(f => Configuration.FactorWeights.TryGetValue(f.Key, out var w) && w > 0)
.OrderByDescending(f => f.Value * Configuration.FactorWeights[f.Key])
.Take(3)
.Select(f => $"{f.Key}: {f.Value:P0}");
parts.Add($"Top factors: {string.Join(", ", topFactors)}");
if (context.Issuer != null)
{
parts.Add($"Issuer: {context.Issuer.DisplayName} ({context.Issuer.TrustTier})");
}
else
{
parts.Add("Issuer: Unknown");
}
if (context.SignatureResult != null)
{
parts.Add($"Signature: {(context.SignatureResult.Valid ? "Valid" : "Invalid")}");
}
else
{
parts.Add("Signature: None");
}
return string.Join("; ", parts);
}
}

6
src/VexLens/StellaOps.VexLens/StellaOps.VexLens.csproj
View File

@@ -16,4 +16,10 @@
<PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="10.0.0" />
</ItemGroup>
<!-- Exclude legacy folders with external dependencies -->
<ItemGroup>
<Compile Remove="StellaOps.VexLens.Core\**" />
<Compile Remove="__Tests\**" />
</ItemGroup>
</Project>

Some files were not shown because too many files have changed in this diff Show More