feat(api): Add Policy Registry API specification

- Introduced OpenAPI specification for the StellaOps Policy Registry API, covering endpoints for verification policies, policy packs, snapshots, violations, overrides, sealed mode operations, and advisory staleness tracking. - Defined schemas, parameters, and responses for comprehensive API documentation. chore(scanner): Add global usings for scanner analyzers - Created GlobalUsings.cs to simplify namespace usage across analyzer libraries. feat(scanner): Implement Surface Service Collection Extensions - Added SurfaceServiceCollectionExtensions for dependency injection registration of surface analysis services. - Included methods for adding surface analysis, surface collectors, and entry point collectors to the service collection.
2025-12-06 20:52:23 +02:00
parent 05597616d6
commit f6c22854a4
37 changed files with 5664 additions and 1263 deletions
--- a/src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/OpenApiMetadataFactory.cs
+++ b/src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/OpenApiMetadataFactory.cs
@@ -1,38 +1,82 @@
 using System.Reflection;
+using System.Security.Cryptography;
+using System.Text;

 namespace StellaOps.TaskRunner.WebService;

+/// <summary>
+/// Factory for creating OpenAPI metadata including version, build info, and spec signature.
+/// </summary>
 internal static class OpenApiMetadataFactory
 {
+    /// <summary>API version from the OpenAPI spec (docs/api/taskrunner-openapi.yaml).</summary>
+    public const string ApiVersion = "0.1.0-draft";
+
    internal static Type ResponseType => typeof(OpenApiMetadata);

+    /// <summary>
+    /// Creates OpenAPI metadata with versioning and signature information.
+    /// </summary>
+    /// <param name="specUrl">URL path to the OpenAPI spec endpoint.</param>
+    /// <returns>Metadata record with version, build, ETag, and signature.</returns>
    public static OpenApiMetadata Create(string? specUrl = null)
    {
-        var assembly = Assembly.GetExecutingAssembly().GetName();
-        var version = assembly.Version?.ToString() ?? "0.0.0";
+        var assembly = Assembly.GetExecutingAssembly();
+        var assemblyName = assembly.GetName();
+
+        // Get informational version (includes git hash if available) or fall back to assembly version
+        var informationalVersion = assembly
+            .GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion;
+        var buildVersion = !string.IsNullOrWhiteSpace(informationalVersion)
+            ? informationalVersion
+            : assemblyName.Version?.ToString() ?? "0.0.0";
+
        var url = string.IsNullOrWhiteSpace(specUrl) ? "/openapi" : specUrl;
-        var etag = CreateWeakEtag(version);
-        var signature = ComputeSignature(url, version);

-        return new OpenApiMetadata(url, version, etag, signature);
+        // ETag combines API version and build version for cache invalidation
+        var etag = CreateEtag(ApiVersion, buildVersion);
+
+        // Signature is SHA-256 of spec URL + API version + build version
+        var signature = ComputeSignature(url, ApiVersion, buildVersion);
+
+        return new OpenApiMetadata(url, ApiVersion, buildVersion, etag, signature);
    }

-    private static string CreateWeakEtag(string input)
+    /// <summary>
+    /// Creates a weak ETag from version components.
+    /// </summary>
+    private static string CreateEtag(string apiVersion, string buildVersion)
    {
-        if (string.IsNullOrWhiteSpace(input))
-        {
-            input = "0.0.0";
-        }
-
-        return $"W/\"{input}\"";
+        // Use SHA-256 of combined versions for a stable, fixed-length ETag
+        var combined = $"{apiVersion}:{buildVersion}";
+        var hash = SHA256.HashData(Encoding.UTF8.GetBytes(combined));
+        var shortHash = Convert.ToHexString(hash)[..16].ToLowerInvariant();
+        return $"W/\"{shortHash}\"";
    }

-    private static string ComputeSignature(string url, string build)
+    /// <summary>
+    /// Computes a SHA-256 signature for spec verification.
+    /// </summary>
+    private static string ComputeSignature(string url, string apiVersion, string buildVersion)
    {
-        var data = System.Text.Encoding.UTF8.GetBytes(url + build);
-        var hash = System.Security.Cryptography.SHA256.HashData(data);
-        return Convert.ToHexString(hash).ToLowerInvariant();
+        // Include all metadata components in signature
+        var data = Encoding.UTF8.GetBytes($"{url}|{apiVersion}|{buildVersion}");
+        var hash = SHA256.HashData(data);
+        return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
    }

-    internal sealed record OpenApiMetadata(string Url, string Build, string ETag, string Signature);
+    /// <summary>
+    /// OpenAPI metadata for the /.well-known/openapi endpoint.
+    /// </summary>
+    /// <param name="SpecUrl">URL to fetch the full OpenAPI specification.</param>
+    /// <param name="Version">API version (e.g., "0.1.0-draft").</param>
+    /// <param name="BuildVersion">Build/assembly version with optional git info.</param>
+    /// <param name="ETag">ETag for HTTP caching.</param>
+    /// <param name="Signature">SHA-256 signature for verification.</param>
+    internal sealed record OpenApiMetadata(
+        string SpecUrl,
+        string Version,
+        string BuildVersion,
+        string ETag,
+        string Signature);
 }
--- a/src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs
+++ b/src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs
@@ -18,7 +18,7 @@ using StellaOps.TaskRunner.Core.TaskPacks;
 using StellaOps.TaskRunner.Infrastructure.Execution;
 using StellaOps.TaskRunner.WebService;
 using StellaOps.Telemetry.Core;
-
+
 var builder = WebApplication.CreateBuilder(args);

 builder.Services.Configure<TaskRunnerServiceOptions>(builder.Configuration.GetSection("TaskRunner"));
@@ -96,47 +96,47 @@ builder.Services.AddSingleton(sp =>
 builder.Services.AddSingleton<IPackRunJobScheduler>(sp => sp.GetRequiredService<FilesystemPackRunDispatcher>());
 builder.Services.AddSingleton<PackRunApprovalDecisionService>();
 builder.Services.AddOpenApi();
-
-var app = builder.Build();
-
+
+var app = builder.Build();
+
 app.MapOpenApi("/openapi");
-
-app.MapPost("/v1/task-runner/simulations", async (
-    [FromBody] SimulationRequest request,
-    TaskPackManifestLoader loader,
-    TaskPackPlanner planner,
-    PackRunSimulationEngine simulationEngine,
-    CancellationToken cancellationToken) =>
-{
-    if (string.IsNullOrWhiteSpace(request.Manifest))
-    {
-        return Results.BadRequest(new { error = "Manifest is required." });
-    }
-
-    TaskPackManifest manifest;
-    try
-    {
-        manifest = loader.Deserialize(request.Manifest);
-    }
-    catch (Exception ex)
-    {
-        return Results.BadRequest(new { error = "Invalid manifest", detail = ex.Message });
-    }
-
-    var inputs = ConvertInputs(request.Inputs);
-    var planResult = planner.Plan(manifest, inputs);
-    if (!planResult.Success || planResult.Plan is null)
-    {
-        return Results.BadRequest(new
-        {
-            errors = planResult.Errors.Select(error => new { error.Path, error.Message })
-        });
-    }
-
-    var plan = planResult.Plan;
-    var simulation = simulationEngine.Simulate(plan);
-    var response = SimulationMapper.ToResponse(plan, simulation);
-    return Results.Ok(response);
+
+app.MapPost("/v1/task-runner/simulations", async (
+    [FromBody] SimulationRequest request,
+    TaskPackManifestLoader loader,
+    TaskPackPlanner planner,
+    PackRunSimulationEngine simulationEngine,
+    CancellationToken cancellationToken) =>
+{
+    if (string.IsNullOrWhiteSpace(request.Manifest))
+    {
+        return Results.BadRequest(new { error = "Manifest is required." });
+    }
+
+    TaskPackManifest manifest;
+    try
+    {
+        manifest = loader.Deserialize(request.Manifest);
+    }
+    catch (Exception ex)
+    {
+        return Results.BadRequest(new { error = "Invalid manifest", detail = ex.Message });
+    }
+
+    var inputs = ConvertInputs(request.Inputs);
+    var planResult = planner.Plan(manifest, inputs);
+    if (!planResult.Success || planResult.Plan is null)
+    {
+        return Results.BadRequest(new
+        {
+            errors = planResult.Errors.Select(error => new { error.Path, error.Message })
+        });
+    }
+
+    var plan = planResult.Plan;
+    var simulation = simulationEngine.Simulate(plan);
+    var response = SimulationMapper.ToResponse(plan, simulation);
+    return Results.Ok(response);
 }).WithName("SimulateTaskPack");

 app.MapPost("/v1/task-runner/runs", HandleCreateRun).WithName("CreatePackRun");
@@ -162,6 +162,8 @@ app.MapGet("/.well-known/openapi", (HttpResponse response) =>
    var metadata = OpenApiMetadataFactory.Create("/openapi");
    response.Headers.ETag = metadata.ETag;
    response.Headers.Append("X-Signature", metadata.Signature);
+    response.Headers.Append("X-Api-Version", metadata.Version);
+    response.Headers.Append("X-Build-Version", metadata.BuildVersion);
    return Results.Ok(metadata);
 }).WithName("GetOpenApiMetadata");

@@ -432,21 +434,21 @@ async Task<IResult> HandleCancelRun(
 app.Run();

 static IDictionary<string, JsonNode?>? ConvertInputs(JsonObject? node)
-{
-    if (node is null)
-    {
-        return null;
-    }
-
-    var dictionary = new Dictionary<string, JsonNode?>(StringComparer.Ordinal);
-    foreach (var property in node)
-    {
-        dictionary[property.Key] = property.Value?.DeepClone();
-    }
-
-    return dictionary;
-}
-
+{
+    if (node is null)
+    {
+        return null;
+    }
+
+    var dictionary = new Dictionary<string, JsonNode?>(StringComparer.Ordinal);
+    foreach (var property in node)
+    {
+        dictionary[property.Key] = property.Value?.DeepClone();
+    }
+
+    return dictionary;
+}
+
 internal sealed record CreateRunRequest(string? RunId, string Manifest, JsonObject? Inputs, string? TenantId);

 internal sealed record SimulationRequest(string Manifest, JsonObject? Inputs);
@@ -455,40 +457,40 @@ internal sealed record SimulationResponse(
    string PlanHash,
    FailurePolicyResponse FailurePolicy,
    IReadOnlyList<SimulationStepResponse> Steps,
-    IReadOnlyList<SimulationOutputResponse> Outputs,
-    bool HasPendingApprovals);
-
-internal sealed record SimulationStepResponse(
-    string Id,
-    string TemplateId,
-    string Kind,
-    bool Enabled,
-    string Status,
-    string? StatusReason,
-    string? Uses,
-    string? ApprovalId,
-    string? GateMessage,
-    int? MaxParallel,
-    bool ContinueOnError,
-    IReadOnlyList<SimulationStepResponse> Children);
-
-internal sealed record SimulationOutputResponse(
-    string Name,
-    string Type,
-    bool RequiresRuntimeValue,
-    string? PathExpression,
-    string? ValueExpression);
-
-internal sealed record FailurePolicyResponse(int MaxAttempts, int BackoffSeconds, bool ContinueOnError);
-
-internal sealed record RunStateResponse(
-    string RunId,
-    string PlanHash,
-    FailurePolicyResponse FailurePolicy,
-    DateTimeOffset CreatedAt,
-    DateTimeOffset UpdatedAt,
-    IReadOnlyList<RunStateStepResponse> Steps);
-
+    IReadOnlyList<SimulationOutputResponse> Outputs,
+    bool HasPendingApprovals);
+
+internal sealed record SimulationStepResponse(
+    string Id,
+    string TemplateId,
+    string Kind,
+    bool Enabled,
+    string Status,
+    string? StatusReason,
+    string? Uses,
+    string? ApprovalId,
+    string? GateMessage,
+    int? MaxParallel,
+    bool ContinueOnError,
+    IReadOnlyList<SimulationStepResponse> Children);
+
+internal sealed record SimulationOutputResponse(
+    string Name,
+    string Type,
+    bool RequiresRuntimeValue,
+    string? PathExpression,
+    string? ValueExpression);
+
+internal sealed record FailurePolicyResponse(int MaxAttempts, int BackoffSeconds, bool ContinueOnError);
+
+internal sealed record RunStateResponse(
+    string RunId,
+    string PlanHash,
+    FailurePolicyResponse FailurePolicy,
+    DateTimeOffset CreatedAt,
+    DateTimeOffset UpdatedAt,
+    IReadOnlyList<RunStateStepResponse> Steps);
+
 internal sealed record RunStateStepResponse(
    string StepId,
    string Kind,
@@ -552,81 +554,81 @@ internal static class RunLogMapper

 internal static class SimulationMapper
 {
-    public static SimulationResponse ToResponse(TaskPackPlan plan, PackRunSimulationResult result)
-    {
-        var failurePolicy = result.FailurePolicy ?? PackRunExecutionGraph.DefaultFailurePolicy;
-        var steps = result.Steps.Select(MapStep).ToList();
-        var outputs = result.Outputs.Select(MapOutput).ToList();
-
-        return new SimulationResponse(
-            plan.Hash,
-            new FailurePolicyResponse(failurePolicy.MaxAttempts, failurePolicy.BackoffSeconds, failurePolicy.ContinueOnError),
-            steps,
-            outputs,
-            result.HasPendingApprovals);
-    }
-
-    private static SimulationStepResponse MapStep(PackRunSimulationNode node)
-    {
-        var children = node.Children.Select(MapStep).ToList();
-        return new SimulationStepResponse(
-            node.Id,
-            node.TemplateId,
-            node.Kind.ToString(),
-            node.Enabled,
-            node.Status.ToString(),
-            node.Status.ToString() switch
-            {
-                nameof(PackRunSimulationStatus.RequiresApproval) => "requires-approval",
-                nameof(PackRunSimulationStatus.RequiresPolicy) => "requires-policy",
-                nameof(PackRunSimulationStatus.Skipped) => "condition-false",
-                _ => null
-            },
-            node.Uses,
-            node.ApprovalId,
-            node.GateMessage,
-            node.MaxParallel,
-            node.ContinueOnError,
-            children);
-    }
-
-    private static SimulationOutputResponse MapOutput(PackRunSimulationOutput output)
-        => new(
-            output.Name,
-            output.Type,
-            output.RequiresRuntimeValue,
-            output.Path?.Expression,
-            output.Expression?.Expression);
-}
-
-internal static class RunStateMapper
-{
-    public static RunStateResponse ToResponse(PackRunState state)
-    {
-        var failurePolicy = state.FailurePolicy ?? PackRunExecutionGraph.DefaultFailurePolicy;
-        var steps = state.Steps.Values
-            .OrderBy(step => step.StepId, StringComparer.Ordinal)
-            .Select(step => new RunStateStepResponse(
-                step.StepId,
-                step.Kind.ToString(),
-                step.Enabled,
-                step.ContinueOnError,
-                step.MaxParallel,
-                step.ApprovalId,
-                step.GateMessage,
-                step.Status.ToString(),
-                step.Attempts,
-                step.LastTransitionAt,
-                step.NextAttemptAt,
-                step.StatusReason))
-            .ToList();
-
-        return new RunStateResponse(
-            state.RunId,
-            state.PlanHash,
-            new FailurePolicyResponse(failurePolicy.MaxAttempts, failurePolicy.BackoffSeconds, failurePolicy.ContinueOnError),
-            state.CreatedAt,
-            state.UpdatedAt,
-            steps);
-    }
-}
+    public static SimulationResponse ToResponse(TaskPackPlan plan, PackRunSimulationResult result)
+    {
+        var failurePolicy = result.FailurePolicy ?? PackRunExecutionGraph.DefaultFailurePolicy;
+        var steps = result.Steps.Select(MapStep).ToList();
+        var outputs = result.Outputs.Select(MapOutput).ToList();
+
+        return new SimulationResponse(
+            plan.Hash,
+            new FailurePolicyResponse(failurePolicy.MaxAttempts, failurePolicy.BackoffSeconds, failurePolicy.ContinueOnError),
+            steps,
+            outputs,
+            result.HasPendingApprovals);
+    }
+
+    private static SimulationStepResponse MapStep(PackRunSimulationNode node)
+    {
+        var children = node.Children.Select(MapStep).ToList();
+        return new SimulationStepResponse(
+            node.Id,
+            node.TemplateId,
+            node.Kind.ToString(),
+            node.Enabled,
+            node.Status.ToString(),
+            node.Status.ToString() switch
+            {
+                nameof(PackRunSimulationStatus.RequiresApproval) => "requires-approval",
+                nameof(PackRunSimulationStatus.RequiresPolicy) => "requires-policy",
+                nameof(PackRunSimulationStatus.Skipped) => "condition-false",
+                _ => null
+            },
+            node.Uses,
+            node.ApprovalId,
+            node.GateMessage,
+            node.MaxParallel,
+            node.ContinueOnError,
+            children);
+    }
+
+    private static SimulationOutputResponse MapOutput(PackRunSimulationOutput output)
+        => new(
+            output.Name,
+            output.Type,
+            output.RequiresRuntimeValue,
+            output.Path?.Expression,
+            output.Expression?.Expression);
+}
+
+internal static class RunStateMapper
+{
+    public static RunStateResponse ToResponse(PackRunState state)
+    {
+        var failurePolicy = state.FailurePolicy ?? PackRunExecutionGraph.DefaultFailurePolicy;
+        var steps = state.Steps.Values
+            .OrderBy(step => step.StepId, StringComparer.Ordinal)
+            .Select(step => new RunStateStepResponse(
+                step.StepId,
+                step.Kind.ToString(),
+                step.Enabled,
+                step.ContinueOnError,
+                step.MaxParallel,
+                step.ApprovalId,
+                step.GateMessage,
+                step.Status.ToString(),
+                step.Attempts,
+                step.LastTransitionAt,
+                step.NextAttemptAt,
+                step.StatusReason))
+            .ToList();
+
+        return new RunStateResponse(
+            state.RunId,
+            state.PlanHash,
+            new FailurePolicyResponse(failurePolicy.MaxAttempts, failurePolicy.BackoffSeconds, failurePolicy.ContinueOnError),
+            state.CreatedAt,
+            state.UpdatedAt,
+            steps);
+    }
+}