git.stella-ops.org

stella-ops.org/git.stella-ops.org

Fork 0

Commit Graph

Author	SHA1	Message	Date
master	bc4318ef97	Add tests for SBOM generation determinism across multiple formats - Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.	2025-12-23 18:56:12 +02:00
master	dac8e10e36	feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance ## Summary This commit completes Phase 2 of the configuration-driven crypto architecture, achieving 100% crypto compliance by eliminating all hardcoded cryptographic implementations. ## Key Changes ### Phase 1: Plugin Loader Infrastructure - Plugin Discovery System: Created StellaOps.Cryptography.PluginLoader with manifest-based loading - Configuration Model: Added CryptoPluginConfiguration with regional profiles support - Dependency Injection: Extended DI to support plugin-based crypto provider registration - Regional Configs: Created appsettings.crypto.{international,russia,eu,china}.yaml - CI Workflow: Added .gitea/workflows/crypto-compliance.yml for audit enforcement ### Phase 2: Code Refactoring - API Extension: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios - Plugin Implementation: Created OfflineVerificationCryptoProvider with ephemeral verifier support - Supports ES256/384/512, RS256/384/512, PS256/384/512 - SubjectPublicKeyInfo (SPKI) public key format - 100% Compliance: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage - Unit Tests: Created OfflineVerificationProviderTests with 39 passing tests - Documentation: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md - Audit Infrastructure: Created scripts/audit-crypto-usage.ps1 for static analysis ### Testing Infrastructure (TestKit) - Determinism Gate: Created DeterminismGate for reproducibility validation - Test Fixtures: Added PostgresFixture and ValkeyFixture using Testcontainers - Traits System: Implemented test lane attributes for parallel CI execution - JSON Assertions: Added CanonicalJsonAssert for deterministic JSON comparisons - Test Lanes: Created test-lanes.yml workflow for parallel test execution ### Documentation - Architecture: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan - Sprint Tracking: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE) - API Documentation: Updated docs2/cli/crypto-plugins.md and crypto.md - Testing Strategy: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_* ## Compliance & Testing - ✅ Zero direct System.Security.Cryptography usage in production code - ✅ All crypto operations go through ICryptoProvider abstraction - ✅ 39/39 unit tests passing for OfflineVerificationCryptoProvider - ✅ Build successful (AirGap, Crypto plugin, DI infrastructure) - ✅ Audit script validates crypto boundaries ## Files Modified Core Crypto Infrastructure: - src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension) - src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor) - src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier) Plugin Implementation: - src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new) - src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new) Production Code Refactoring: - src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant) Tests: - src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests) - src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new) Configuration: - etc/crypto-plugins-manifest.json (plugin registry) - etc/appsettings.crypto..yaml (regional profiles) Documentation:* - docs/security/offline-verification-crypto-provider.md (600+ lines) - docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan) - docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete) ## Next Steps Phase 3: Docker & CI/CD Integration - Create multi-stage Dockerfiles with all plugins - Build regional Docker Compose files - Implement runtime configuration selection - Add deployment validation scripts 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2025-12-23 18:20:00 +02:00
master	b444284be5	docs: Archive Sprint 3500 (PoE), Sprint 7100 (Proof Moats), and additional sprints Archive completed sprint documentation and deliverables: ## SPRINT_3500 - Proof of Exposure (PoE) Implementation (COMPLETE ✅) - Windows filesystem hash sanitization (colon → underscore) - Namespace conflict resolution (Subgraph → PoESubgraph) - Mock test improvements with It.IsAny<>() - Direct orchestrator unit tests - 8/8 PoE tests passing (100% success) - Archived to: docs/implplan/archived/2025-12-23-sprint-3500-poe/ ## SPRINT_7100.0001 - Proof-Driven Moats Core (COMPLETE ✅) - Four-tier backport detection system - 9 production modules (4,044 LOC) - Binary fingerprinting (TLSH + instruction hashing) - VEX integration with proof-carrying verdicts - 42+ unit tests passing (100% success) - Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/ ## SPRINT_7100.0002 - Proof Moats Storage Layer (COMPLETE ✅) - PostgreSQL repository implementations - Database migrations (4 evidence tables + audit) - Test data seed scripts (12 evidence records, 3 CVEs) - Integration tests with Testcontainers - <100ms proof generation performance - Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/ ## SPRINT_3000_0200 - Authority Admin & Branding (COMPLETE ✅) - Console admin RBAC UI components - Branding editor with tenant isolation - Authority backend endpoints - Archived to: docs/implplan/archived/ ## Additional Documentation - CLI command reference and compliance guides - Module architecture docs (26 modules documented) - Data schemas and contracts - Operations runbooks - Security risk models - Product roadmap All archived sprints achieved 100% completion of planned deliverables. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2025-12-23 15:02:38 +02:00

Author

SHA1

Message

Date

master

bc4318ef97

Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.

2025-12-23 18:56:12 +02:00

master

dac8e10e36

feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance

## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

- ✅ Zero direct System.Security.Cryptography usage in production code
- ✅ All crypto operations go through ICryptoProvider abstraction
- ✅ 39/39 unit tests passing for OfflineVerificationCryptoProvider
- ✅ Build successful (AirGap, Crypto plugin, DI infrastructure)
- ✅ Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2025-12-23 18:20:00 +02:00

master

b444284be5

docs: Archive Sprint 3500 (PoE), Sprint 7100 (Proof Moats), and additional sprints

Archive completed sprint documentation and deliverables:

## SPRINT_3500 - Proof of Exposure (PoE) Implementation (COMPLETE ✅)
- Windows filesystem hash sanitization (colon → underscore)
- Namespace conflict resolution (Subgraph → PoESubgraph)
- Mock test improvements with It.IsAny<>()
- Direct orchestrator unit tests
- 8/8 PoE tests passing (100% success)
- Archived to: docs/implplan/archived/2025-12-23-sprint-3500-poe/

## SPRINT_7100.0001 - Proof-Driven Moats Core (COMPLETE ✅)
- Four-tier backport detection system
- 9 production modules (4,044 LOC)
- Binary fingerprinting (TLSH + instruction hashing)
- VEX integration with proof-carrying verdicts
- 42+ unit tests passing (100% success)
- Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/

## SPRINT_7100.0002 - Proof Moats Storage Layer (COMPLETE ✅)
- PostgreSQL repository implementations
- Database migrations (4 evidence tables + audit)
- Test data seed scripts (12 evidence records, 3 CVEs)
- Integration tests with Testcontainers
- <100ms proof generation performance
- Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/

## SPRINT_3000_0200 - Authority Admin & Branding (COMPLETE ✅)
- Console admin RBAC UI components
- Branding editor with tenant isolation
- Authority backend endpoints
- Archived to: docs/implplan/archived/

## Additional Documentation
- CLI command reference and compliance guides
- Module architecture docs (26 modules documented)
- Data schemas and contracts
- Operations runbooks
- Security risk models
- Product roadmap

All archived sprints achieved 100% completion of planned deliverables.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2025-12-23 15:02:38 +02:00

3 Commits