stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Compare commits

base: stella-ops.org:76ecea482e83dbe9f51afd75ef96c67154df3a0a
Branches Tags
stella-ops.org:main stella-ops.org:feature/docs-mdx-skeletons
...
compare: stella-ops.org:feature/docs-mdx-skeletons
Branches Tags
stella-ops.org:main stella-ops.org:feature/docs-mdx-skeletons

35 Commits
76ecea482e ... feature/do

Author SHA1 Message Date
StellaOps Bot
43c281a8b2 Merge remote-tracking branch 'origin/main' into feature/docs-mdx-skeletons
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Policy Simulation / policy-simulate (push) Has been cancelled
Details
SDK Publish & Sign / sdk-publish (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
sdk-generator-smoke / sdk-smoke (push) Has been cancelled
Details
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Details
Console CI / console-ci (push) Has been cancelled
Details
Symbols Server CI / symbols-smoke (push) Has been cancelled
Details
VEX Proof Bundles / verify-bundles (push) Has been cancelled
Details
2025-12-05 23:14:58 +02:00
master
91550196fe more binary removals 2025-12-05 21:08:21 +00:00
master
e8eacde73e more binary files removal 2025-12-05 21:06:40 +00:00
master
5d7c687a77 chore: stop tracking dependencies and build artifacts 2025-12-05 21:03:18 +00:00
master
ffa219cfeb chore: stop tracking dependencies and build artifacts
Some checks failed
SDK Publish & Sign / sdk-publish (push) Has been cancelled
Details
sdk-generator-smoke / sdk-smoke (push) Has been cancelled
Details
2025-12-05 21:01:09 +00:00
StellaOps Bot
579236bfce Add MongoDB storage library and update acceptance tests with deterministic stubs
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details 
- Created StellaOps.Notify.Storage.Mongo project with initial configuration.
- Added expected output files for acceptance tests (at1.txt to at10.txt).
- Added fixture input files for acceptance tests (at1 to at10).
- Created input and signature files for test cases fc1 to fc5.
 2025-12-05 22:56:01 +02:00
StellaOps Bot
18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration 
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
 2025-12-05 21:24:34 +02:00
StellaOps Bot
347c88342c Add draft skeletons for various documentation topics 
- Created draft documentation for enabling reachability, CLI authentication, EntryTrace heuristics, Go stripped binaries, Java and Python lockfiles, Rust fingerprint enrichment, SAST integration, Windows/macOS analyzer coverage, scanner engine surface, multi-tenancy operations, RLS and data isolation, ABAC overlays, VEX trust model, VEX ops runbook, VEX mapping, scopes and roles, tenancy overview, VEX signatures, contract testing, VEX consensus algorithm, VEX consensus API, VEX consensus console, VEX consensus overview, and VEX issuer directory.
- Each document includes a status placeholder, purpose, and open TODOs for future updates.
 2025-12-05 21:23:21 +02:00
master
cc69d332e3 Add unit tests for RabbitMq and Udp transport servers and clients
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details 
- Implemented comprehensive unit tests for RabbitMqTransportServer, covering constructor, disposal, connection management, event handlers, and exception handling.
- Added configuration tests for RabbitMqTransportServer to validate SSL, durable queues, auto-recovery, and custom virtual host options.
- Created unit tests for UdpFrameProtocol, including frame parsing and serialization, header size validation, and round-trip data preservation.
- Developed tests for UdpTransportClient, focusing on connection handling, event subscriptions, and exception scenarios.
- Established tests for UdpTransportServer, ensuring proper start/stop behavior, connection state management, and event handling.
- Included tests for UdpTransportOptions to verify default values and modification capabilities.
- Enhanced service registration tests for Udp transport services in the dependency injection container.
 2025-12-05 19:01:12 +02:00
StellaOps Bot
53508ceccb Add unit tests and logging infrastructure for InMemory and RabbitMQ transports
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details 
- Implemented RecordingLogger and RecordingLoggerFactory for capturing log entries in tests.
- Added unit tests for InMemoryChannel, covering constructor behavior, property assignments, channel communication, and disposal.
- Created InMemoryTransportOptionsTests to validate default values and customizable options for InMemory transport.
- Developed RabbitMqFrameProtocolTests to ensure correct parsing and property creation for RabbitMQ frames.
- Added RabbitMqTransportOptionsTests to verify default settings and customization options for RabbitMQ transport.
- Updated project files for testing libraries and dependencies.
 2025-12-05 09:38:45 +02:00
StellaOps Bot
6a299d231f Add unit tests for Router configuration and transport layers
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details 
- Implemented tests for RouterConfig, RoutingOptions, StaticInstanceConfig, and RouterConfigOptions to ensure default values are set correctly.
- Added tests for RouterConfigProvider to validate configurations and ensure defaults are returned when no file is specified.
- Created tests for ConfigValidationResult to check success and error scenarios.
- Developed tests for ServiceCollectionExtensions to verify service registration for RouterConfig.
- Introduced UdpTransportTests to validate serialization, connection, request-response, and error handling in UDP transport.
- Added scripts for signing authority gaps and hashing DevPortal SDK snippets.
 2025-12-05 08:01:47 +02:00
StellaOps Bot
635c70e828 feat: Refactor policy findings recording to include sealed mode tagging
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
2025-12-05 01:00:45 +02:00
StellaOps Bot
0de3c8a3f0 feat: Enhance telemetry metrics recording with sealed mode tagging 2025-12-05 01:00:29 +02:00
StellaOps Bot
175b750e29 Implement InMemory Transport Layer for StellaOps Router 
- Added InMemoryTransportOptions class for configuration settings including timeouts and latency.
- Developed InMemoryTransportServer class to handle connections, frame processing, and event management.
- Created ServiceCollectionExtensions for easy registration of InMemory transport services.
- Established project structure and dependencies for InMemory transport library.
- Implemented comprehensive unit tests for endpoint discovery, connection management, request/response flow, and streaming capabilities.
- Ensured proper handling of cancellation, heartbeat, and hello frames within the transport layer.
 2025-12-05 01:00:10 +02:00
StellaOps Bot
8768c27f30 Add signal contracts for reachability, exploitability, trust, and unknown symbols
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Signals DSSE Sign & Evidence Locker / sign-signals-artifacts (push) Has been cancelled
Details
Signals DSSE Sign & Evidence Locker / verify-signatures (push) Has been cancelled
Details 
- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties.
- Implemented JSON serialization attributes for proper data interchange.
- Created project files for the new signal contracts library and corresponding test projects.
- Added deterministic test fixtures for micro-interaction testing.
- Included cryptographic keys for secure operations with cosign.
 2025-12-05 00:27:00 +02:00
StellaOps Bot
b018949a8d Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
2025-12-04 21:36:12 +02:00
StellaOps Bot
f214edff82 feat: Add Storybook configuration and motion tokens implementation 
- Introduced Storybook configuration files (`main.ts`, `preview.ts`, `tsconfig.json`) for Angular components.
- Created motion tokens in `motion-tokens.ts` to define durations, easing functions, and transforms.
- Developed a Storybook story for motion tokens showcasing their usage and reduced motion fallback.
- Added SCSS variables for motion durations, easing, and transforms in `_motion.scss`.
- Implemented accessibility smoke tests using Playwright and Axe for automated accessibility checks.
- Created portable and sealed bundle structures with corresponding JSON files for evidence locker.
- Added shell script for verifying notify kit determinism.
 2025-12-04 21:36:06 +02:00
master
75f6942769 Add integration tests for migration categories and execution
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details 
- Implemented MigrationCategoryTests to validate migration categorization for startup, release, seed, and data migrations.
- Added tests for edge cases, including null, empty, and whitespace migration names.
- Created StartupMigrationHostTests to verify the behavior of the migration host with real PostgreSQL instances using Testcontainers.
- Included tests for migration execution, schema creation, and handling of pending release migrations.
- Added SQL migration files for testing: creating a test table, adding a column, a release migration, and seeding data.
 2025-12-04 19:10:54 +02:00
StellaOps Bot
600f3a7a3c feat(graph): introduce graph.inspect.v1 contract and schema for SBOM relationships
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Console CI / console-ci (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details 
- Added graph.inspect.v1 documentation outlining payload structure and determinism rules.
- Created JSON schema for graph.inspect.v1 to enforce payload validation.
- Defined mapping rules for graph relationships, advisories, and VEX statements.

feat(notifications): establish remediation blueprint for gaps NR1-NR10

- Documented requirements, evidence, and tests for Notifier runtime.
- Specified deliverables and next steps for addressing identified gaps.

docs(notifications): organize operations and schemas documentation

- Created README files for operations, schemas, and security notes to clarify deliverables and policies.

feat(advisory): implement PostgreSQL caching for Link-Not-Merge linksets

- Created database schema for advisory linkset cache.
- Developed repository for managing advisory linkset cache operations.
- Added tests to ensure correct functionality of the AdvisoryLinksetCacheRepository.
 2025-12-04 09:36:59 +02:00
StellaOps Bot
4dc7cf834a Add sample proof bundle configurations and verification script
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Console CI / console-ci (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
VEX Proof Bundles / verify-bundles (push) Has been cancelled
Details 
- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`.
- Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs.
- Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details.
- Enhanced evidence entries with expiration dates and hashes for better integrity checks.
- Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.
 2025-12-04 08:54:32 +02:00
StellaOps Bot
e1262eb916 Add receipt input JSON and SHA256 hash for CVSS policy scoring tests 
- Introduced a new JSON fixture `receipt-input.json` containing base, environmental, and threat metrics for CVSS scoring.
- Added corresponding SHA256 hash file `receipt-input.sha256` to ensure integrity of the JSON fixture.
 2025-12-04 07:30:42 +02:00
StellaOps Bot
2d079d61ed up
Some checks failed
devportal-offline / build-offline (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
2025-12-03 09:50:44 +02:00
StellaOps Bot
e0b585c799 feat: Add JSON schema definitions for coverage and trace artifacts in reachability benchmark 2025-12-03 09:49:59 +02:00
StellaOps Bot
de53785176 feat: Update benchmark manifest schema to include hashedPath references and remove signatures 2025-12-03 09:48:56 +02:00
StellaOps Bot
ca91f40051 feat: Add attestation and SBOM JSON outputs for various Python applications
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
2025-12-03 09:47:40 +02:00
StellaOps Bot
35c8f9216f Add tests and implement timeline ingestion options with NATS and Redis subscribers 
- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality.
- Created `PackRunWorkerOptions` for configuring worker paths and execution persistence.
- Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports.
- Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events.
- Developed `RedisTimelineEventSubscriber` for reading from Redis Streams.
- Added `TimelineEnvelopeParser` to normalize incoming event envelopes.
- Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping.
- Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.
 2025-12-03 09:46:48 +02:00
StellaOps Bot
e923880694 feat: Add DigestUpsertRequest and LockEntity models
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details 
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil.
- Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt.

feat: Implement ILockRepository interface and LockRepository class

- Defined ILockRepository interface with methods for acquiring and releasing locks.
- Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations.

feat: Add SurfaceManifestPointer record for manifest pointers

- Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest.

feat: Create PolicySimulationInputLock and related validation logic

- Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests.
- Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements.

test: Add unit tests for ReplayVerificationService and ReplayVerifier

- Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios.
- Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic.

test: Implement PolicySimulationInputLockValidatorTests

- Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions.

chore: Add cosign key example and signing scripts

- Included a placeholder cosign key example for development purposes.
- Added a script for signing Signals artifacts using cosign with support for both v2 and v3.

chore: Create script for uploading evidence to the evidence locker

- Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
 2025-12-03 07:51:50 +02:00
StellaOps Bot
37cba83708 up
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
2025-12-03 00:10:19 +02:00
StellaOps Bot
ea1d58a89b add cosign 2025-12-02 21:31:52 +02:00
StellaOps Bot
47168fec38 feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports 
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
 2025-12-02 21:08:01 +02:00
StellaOps Bot
6d049905c7 Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
2025-12-02 19:25:16 +02:00
StellaOps Bot
acbb0ff637 feat: Enhance traceability and logging in Risk and Vulnerability clients 
- Implemented shared trace ID generation utility for Risk and Vulnerability clients, ensuring consistent trace headers across API calls.
- Updated RiskHttpClient and VulnerabilityHttpClient to utilize the new trace ID generation method.
- Added validation for artifact metadata in PackRun endpoints, ensuring all artifacts include a digest and positive size.
- Enhanced logging payloads in PackRun to include artifact digests and sizes.
- Created a utility for generating trace IDs, preferring crypto.randomUUID when available, with a fallback to a ULID-style string.
- Added unit tests to verify the presence of trace IDs in HTTP requests for VulnerabilityHttpClient.
- Documented query-hash metrics for Vuln Explorer, detailing hashing rules and logging filters to ensure compliance with privacy standards.
- Consolidated findings from late-November reviews into a comprehensive advisory for Scanner and SBOM/VEX areas, outlining remediation tracks and gaps.
 2025-12-02 19:24:26 +02:00
master
d785a9095f Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
2025-12-02 18:38:37 +02:00
master
0c9e8d5d18 router planning 2025-12-02 18:38:32 +02:00
master
790801f329 add advisories 2025-12-01 17:50:11 +02:00
9593 changed files with 323427 additions and 7494300 deletions
Expand all files Collapse all files

9
.claude/settings.local.json
View File

@@ -1,12 +1,11 @@
{
"permissions": {
"allow": [
"Bash(dotnet build:*)",
"Bash(dotnet restore:*)",
"Bash(chmod:*)",
"Bash(cat:*)"
"Bash(wc:*)",
"Bash(sort:*)"
],
"deny": [],
"ask": []
}
},
"outputStyle": "default"
}

2
.gitea/workflows/airgap-sealed-ci.yml
View File

@@ -20,6 +20,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Install dnslib
run: pip install dnslib
- name: Run sealed-mode smoke

6
.gitea/workflows/aoc-guard.yml
View File

@@ -32,6 +32,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Export OpenSSL 1.1 shim for Mongo2Go
run: scripts/enable-openssl11-shim.sh
@@ -78,6 +81,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Export OpenSSL 1.1 shim for Mongo2Go
run: scripts/enable-openssl11-shim.sh

2
.gitea/workflows/api-governance.yml
View File

@@ -17,6 +17,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Node.js
uses: actions/setup-node@v4
with:

3
.gitea/workflows/attestation-bundle.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Build bundle
run: |
chmod +x scripts/attest/build-attestation-bundle.sh

3
.gitea/workflows/authority-key-rotation.yml
View File

@@ -58,6 +58,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Resolve Authority configuration
id: config
run: |

2
.gitea/workflows/bench-determinism.yml
View File

@@ -8,6 +8,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Python
uses: actions/setup-python@v5

85
.gitea/workflows/build-test-deploy.yml
View File

@@ -111,6 +111,10 @@ jobs:
- name: Validate telemetry storage configuration
run: python3 ops/devops/telemetry/validate_storage_stack.py
- name: Task Pack offline bundle fixtures
run: |
python3 scripts/packs/run-fixtures-check.sh
- name: Telemetry tenant isolation smoke
env:
COMPOSE_DIR: ${GITHUB_WORKSPACE}/deploy/compose
@@ -180,6 +184,37 @@ jobs:
--logger "trx;LogFileName=stellaops-concelier-tests.trx" \
--results-directory "$TEST_RESULTS_DIR"
- name: Run PostgreSQL storage integration tests (Testcontainers)
env:
POSTGRES_TEST_IMAGE: postgres:16-alpine
run: |
set -euo pipefail
mkdir -p "$TEST_RESULTS_DIR"
PROJECTS=(
src/__Libraries/__Tests/StellaOps.Infrastructure.Postgres.Tests/StellaOps.Infrastructure.Postgres.Tests.csproj
src/Authority/__Tests/StellaOps.Authority.Storage.Postgres.Tests/StellaOps.Authority.Storage.Postgres.Tests.csproj
src/Scheduler/__Tests/StellaOps.Scheduler.Storage.Postgres.Tests/StellaOps.Scheduler.Storage.Postgres.Tests.csproj
src/Concelier/__Tests/StellaOps.Concelier.Storage.Postgres.Tests/StellaOps.Concelier.Storage.Postgres.Tests.csproj
src/Excititor/__Tests/StellaOps.Excititor.Storage.Postgres.Tests/StellaOps.Excititor.Storage.Postgres.Tests.csproj
src/Notify/__Tests/StellaOps.Notify.Storage.Postgres.Tests/StellaOps.Notify.Storage.Postgres.Tests.csproj
src/Policy/__Tests/StellaOps.Policy.Storage.Postgres.Tests/StellaOps.Policy.Storage.Postgres.Tests.csproj
)
for project in "${PROJECTS[@]}"; do
name="$(basename "${project%.*}")"
dotnet test "$project" \
--configuration $BUILD_CONFIGURATION \
--logger "trx;LogFileName=${name}.trx" \
--results-directory "$TEST_RESULTS_DIR"
done
- name: Run TimelineIndexer tests (EB1 evidence linkage gate)
run: |
mkdir -p "$TEST_RESULTS_DIR"
dotnet test src/TimelineIndexer/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.sln \
--configuration $BUILD_CONFIGURATION \
--logger "trx;LogFileName=timelineindexer-tests.trx" \
--results-directory "$TEST_RESULTS_DIR"
- name: Lint policy DSL samples
run: dotnet run --project tools/PolicyDslValidator/PolicyDslValidator.csproj -- --strict docs/examples/policies/*.yaml
@@ -310,6 +345,56 @@ PY
--logger "trx;LogFileName=stellaops-scanner-lang-tests.trx" \
--results-directory "$TEST_RESULTS_DIR"
- name: Build and test Router components
run: |
set -euo pipefail
ROUTER_PROJECTS=(
src/__Libraries/StellaOps.Router.Common/StellaOps.Router.Common.csproj
src/__Libraries/StellaOps.Router.Config/StellaOps.Router.Config.csproj
src/__Libraries/StellaOps.Router.Transport.InMemory/StellaOps.Router.Transport.InMemory.csproj
src/__Libraries/StellaOps.Router.Transport.Tcp/StellaOps.Router.Transport.Tcp.csproj
src/__Libraries/StellaOps.Router.Transport.Tls/StellaOps.Router.Transport.Tls.csproj
src/__Libraries/StellaOps.Router.Transport.Udp/StellaOps.Router.Transport.Udp.csproj
src/__Libraries/StellaOps.Router.Transport.RabbitMq/StellaOps.Router.Transport.RabbitMq.csproj
src/__Libraries/StellaOps.Microservice/StellaOps.Microservice.csproj
src/__Libraries/StellaOps.Microservice.SourceGen/StellaOps.Microservice.SourceGen.csproj
)
for project in "${ROUTER_PROJECTS[@]}"; do
echo "::group::Build $project"
dotnet build "$project" --configuration $BUILD_CONFIGURATION --no-restore -warnaserror
echo "::endgroup::"
done
- name: Run Router and Microservice tests
run: |
mkdir -p "$TEST_RESULTS_DIR"
ROUTER_TEST_PROJECTS=(
# Core Router libraries
src/__Libraries/__Tests/StellaOps.Router.Common.Tests/StellaOps.Router.Common.Tests.csproj
src/__Libraries/__Tests/StellaOps.Router.Config.Tests/StellaOps.Router.Config.Tests.csproj
# Transport layers
src/__Libraries/__Tests/StellaOps.Router.Transport.InMemory.Tests/StellaOps.Router.Transport.InMemory.Tests.csproj
src/__Libraries/__Tests/StellaOps.Router.Transport.Tcp.Tests/StellaOps.Router.Transport.Tcp.Tests.csproj
src/__Libraries/__Tests/StellaOps.Router.Transport.Tls.Tests/StellaOps.Router.Transport.Tls.Tests.csproj
src/__Libraries/__Tests/StellaOps.Router.Transport.Udp.Tests/StellaOps.Router.Transport.Udp.Tests.csproj
# Microservice SDK
src/__Libraries/__Tests/StellaOps.Microservice.Tests/StellaOps.Microservice.Tests.csproj
src/__Libraries/__Tests/StellaOps.Microservice.SourceGen.Tests/StellaOps.Microservice.SourceGen.Tests.csproj
# Integration tests
src/__Libraries/__Tests/StellaOps.Router.Integration.Tests/StellaOps.Router.Integration.Tests.csproj
# Gateway tests
src/Gateway/__Tests/StellaOps.Gateway.WebService.Tests/StellaOps.Gateway.WebService.Tests.csproj
)
for project in "${ROUTER_TEST_PROJECTS[@]}"; do
name="$(basename "${project%.*}")"
echo "::group::Test $name"
dotnet test "$project" \
--configuration $BUILD_CONFIGURATION \
--logger "trx;LogFileName=${name}.trx" \
--results-directory "$TEST_RESULTS_DIR"
echo "::endgroup::"
done
- name: Run scanner analyzer performance benchmark
env:
PERF_OUTPUT_DIR: ${{ github.workspace }}/artifacts/perf/scanner-analyzers

3
.gitea/workflows/cli-build.yml
View File

@@ -22,6 +22,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/cli-chaos-parity.yml
View File

@@ -18,6 +18,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/concelier-attestation-tests.yml
View File

@@ -17,6 +17,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET 10 preview
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/console-ci.yml
View File

@@ -24,6 +24,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0

3
.gitea/workflows/containers-multiarch.yml
View File

@@ -25,6 +25,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Set up QEMU
uses: docker/setup-qemu-action@v3

3
.gitea/workflows/cryptopro-optin.yml
View File

@@ -19,6 +19,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET 10 (preview)
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/devportal-offline.yml
View File

@@ -11,6 +11,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Node (corepack/pnpm)
uses: actions/setup-node@v4
with:

3
.gitea/workflows/docs.yml
View File

@@ -29,6 +29,9 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Export OpenSSL 1.1 shim for Mongo2Go
run: scripts/enable-openssl11-shim.sh

59
.gitea/workflows/evidence-locker.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Emit retention summary
env:
RETENTION_TARGET: ${{ github.event.inputs.retention_target }}
@@ -25,3 +28,59 @@ jobs:
with:
name: evidence-locker
path: out/evidence-locker/**
push-zastava-evidence:
runs-on: ubuntu-latest
needs: check-evidence-locker
env:
STAGED_DIR: evidence-locker/zastava/2025-12-02
MODULE_ROOT: docs/modules/zastava
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Package staged Zastava artefacts
run: |
test -d "$MODULE_ROOT" || { echo "missing $MODULE_ROOT" >&2; exit 1; }
tmpdir=$(mktemp -d)
rsync -a --relative \
"$MODULE_ROOT/SHA256SUMS" \
"$MODULE_ROOT/schemas/" \
"$MODULE_ROOT/exports/" \
"$MODULE_ROOT/thresholds.yaml" \
"$MODULE_ROOT/thresholds.yaml.dsse" \
"$MODULE_ROOT/kit/verify.sh" \
"$MODULE_ROOT/kit/README.md" \
"$MODULE_ROOT/kit/ed25519.pub" \
"$MODULE_ROOT/kit/zastava-kit.tzst" \
"$MODULE_ROOT/kit/zastava-kit.tzst.dsse" \
"$MODULE_ROOT/evidence/README.md" \
"$tmpdir/"
(cd "$tmpdir/docs/modules/zastava" && sha256sum --check SHA256SUMS)
tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
-cf /tmp/zastava-evidence.tar -C "$tmpdir/docs/modules/zastava" .
sha256sum /tmp/zastava-evidence.tar
- name: Upload staged artefacts (fallback)
uses: actions/upload-artifact@v4
with:
name: zastava-evidence-locker-2025-12-02
path: /tmp/zastava-evidence.tar
- name: Push to Evidence Locker
if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
env:
TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
URL: ${{ env.EVIDENCE_LOCKER_URL }}
run: |
curl -f -X PUT "$URL/zastava/2025-12-02/zastava-evidence.tar" \
-H "Authorization: Bearer $TOKEN" \
--data-binary @/tmp/zastava-evidence.tar
- name: Skip push (missing secret or URL)
if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
run: |
echo "Locker push skipped: set CI_EVIDENCE_LOCKER_TOKEN and EVIDENCE_LOCKER_URL to enable." >&2

11
.gitea/workflows/export-ci.yml
View File

@@ -28,6 +28,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0
@@ -60,6 +63,14 @@ jobs:
- name: Trivy/OCI smoke
run: ops/devops/export/trivy-smoke.sh
- name: Schema lint
run: |
python -m json.tool docs/modules/export-center/schemas/export-profile.schema.json >/dev/null
python -m json.tool docs/modules/export-center/schemas/export-manifest.schema.json >/dev/null
- name: Offline kit verify (fixtures)
run: bash docs/modules/export-center/operations/verify-export-kit.sh src/ExportCenter/__fixtures/export-kit
- name: SBOM
run: syft dir:src/ExportCenter -o spdx-json=$ARTIFACT_DIR/exportcenter.spdx.json

3
.gitea/workflows/export-compat.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Trivy
uses: aquasecurity/trivy-action@v0.24.0
with:

3
.gitea/workflows/graph-load.yml
View File

@@ -22,6 +22,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Install k6
run: |
sudo apt-get update -qq

3
.gitea/workflows/graph-ui-sim.yml
View File

@@ -22,6 +22,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Node
uses: actions/setup-node@v4
with:

3
.gitea/workflows/lnm-backfill.yml
View File

@@ -26,6 +26,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0

3
.gitea/workflows/lnm-vex-backfill.yml
View File

@@ -30,6 +30,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0

3
.gitea/workflows/mirror-sign.yml
View File

@@ -24,6 +24,9 @@ jobs:
dotnet-version: 10.0.100-rc.2.25502.107
include-prerelease: true
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Verify signing prerequisites
run: scripts/mirror/check_signing_prereqs.sh

3
.gitea/workflows/oas-ci.yml
View File

@@ -20,6 +20,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Node.js
uses: actions/setup-node@v4
with:

3
.gitea/workflows/obs-slo.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Python (telemetry schema checks)
uses: actions/setup-python@v5
with:

3
.gitea/workflows/obs-stream.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Install nats CLI
run: |
curl -sSL https://github.com/nats-io/natscli/releases/download/v0.1.4/nats-0.1.4-linux-amd64.tar.gz -o /tmp/natscli.tgz

3
.gitea/workflows/policy-lint.yml
View File

@@ -26,6 +26,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0

3
.gitea/workflows/policy-simulate.yml
View File

@@ -27,6 +27,9 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
with:
fetch-depth: 0

17
.gitea/workflows/promote.yml
View File

@@ -22,13 +22,16 @@ jobs:
runs-on: ubuntu-22.04
environment: production
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Resolve staging credentials
id: staging
run: |
missing=()
- name: Checkout repository
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Resolve staging credentials
id: staging
run: |
missing=()
host="${{ secrets.STAGING_DEPLOYMENT_HOST }}"
if [ -z "$host" ]; then host="${{ vars.STAGING_DEPLOYMENT_HOST }}"; fi

3
.gitea/workflows/provenance-check.yml
View File

@@ -9,6 +9,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Emit provenance summary
run: |
mkdir -p out/provenance

3
.gitea/workflows/release.yml
View File

@@ -44,6 +44,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Validate NuGet restore source ordering
run: python3 ops/devops/validate_restore_sources.py

3
.gitea/workflows/scanner-analyzers-release.yml
View File

@@ -14,6 +14,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/scanner-determinism.yml
View File

@@ -9,6 +9,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/sdk-generator.yml
View File

@@ -17,6 +17,9 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Node.js
uses: actions/setup-node@v4
with:

3
.gitea/workflows/sdk-publish.yml
View File

@@ -33,6 +33,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET 10 RC
uses: actions/setup-dotnet@v4
with:

3
.gitea/workflows/signals-ci.yml
View File

@@ -31,6 +31,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup .NET 10 RC
uses: actions/setup-dotnet@v4
with:

171
.gitea/workflows/signals-dsse-sign.yml Normal file
View File

@@ -0,0 +1,171 @@
name: Signals DSSE Sign & Evidence Locker
on:
workflow_dispatch:
inputs:
out_dir:
description: "Output directory for signed artifacts"
required: false
default: "evidence-locker/signals/2025-12-01"
allow_dev_key:
description: "Allow dev key for testing (1=yes, 0=no)"
required: false
default: "0"
push:
branches: [main]
paths:
- 'docs/modules/signals/decay/**'
- 'docs/modules/signals/unknowns/**'
- 'docs/modules/signals/heuristics/**'
- 'docs/modules/signals/SHA256SUMS'
- 'tools/cosign/sign-signals.sh'
jobs:
sign-signals-artifacts:
runs-on: ubuntu-22.04
env:
COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
OUT_DIR: ${{ github.event.inputs.out_dir || 'evidence-locker/signals/2025-12-01' }}
COSIGN_ALLOW_DEV_KEY: ${{ github.event.inputs.allow_dev_key || '0' }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Install cosign
uses: sigstore/cosign-installer@v3
with:
cosign-release: 'v2.2.4'
- name: Verify artifacts exist
run: |
cd docs/modules/signals
sha256sum -c SHA256SUMS
echo "All artifacts verified against SHA256SUMS"
- name: Check signing key availability
id: check-key
run: |
if [[ -n "$COSIGN_PRIVATE_KEY_B64" ]]; then
echo "key_source=ci_secret" >> "$GITHUB_OUTPUT"
echo "Signing key available via CI secret"
elif [[ "$COSIGN_ALLOW_DEV_KEY" == "1" ]]; then
echo "key_source=dev_key" >> "$GITHUB_OUTPUT"
echo "[warn] Using development key - NOT for production Evidence Locker"
else
echo "key_source=none" >> "$GITHUB_OUTPUT"
echo "::error::No signing key available. Set COSIGN_PRIVATE_KEY_B64 secret or enable dev key."
exit 1
fi
- name: Sign signals artifacts
run: |
chmod +x tools/cosign/sign-signals.sh
OUT_DIR="${OUT_DIR}" tools/cosign/sign-signals.sh
- name: Verify signatures
run: |
cd "$OUT_DIR"
# List generated artifacts
echo "=== Generated Artifacts ==="
ls -la
echo ""
echo "=== SHA256SUMS ==="
cat SHA256SUMS
- name: Upload signed artifacts
uses: actions/upload-artifact@v4
with:
name: signals-dsse-signed-${{ github.run_number }}
path: |
${{ env.OUT_DIR }}/*.sigstore.json
${{ env.OUT_DIR }}/*.dsse
${{ env.OUT_DIR }}/SHA256SUMS
if-no-files-found: error
retention-days: 90
- name: Push to Evidence Locker
if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
env:
TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
URL: ${{ env.EVIDENCE_LOCKER_URL }}
run: |
tar -cf /tmp/signals-dsse.tar -C "$OUT_DIR" .
curl -f -X PUT "$URL/signals/dsse/$(date -u +%Y-%m-%d)/signals-dsse.tar" \
-H "Authorization: Bearer $TOKEN" \
--data-binary @/tmp/signals-dsse.tar
echo "Pushed to Evidence Locker"
- name: Evidence Locker skip notice
if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
run: |
echo "::notice::Evidence Locker push skipped (CI_EVIDENCE_LOCKER_TOKEN or EVIDENCE_LOCKER_URL not set)"
echo "Artifacts available as workflow artifact for manual ingestion"
verify-signatures:
runs-on: ubuntu-22.04
needs: sign-signals-artifacts
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Download signed artifacts
uses: actions/download-artifact@v4
with:
name: signals-dsse-signed-${{ github.run_number }}
path: signed-artifacts/
- name: Install cosign
uses: sigstore/cosign-installer@v3
with:
cosign-release: 'v2.2.4'
- name: Verify decay config signature
run: |
if [[ -f signed-artifacts/confidence_decay_config.sigstore.json ]]; then
cosign verify-blob \
--key tools/cosign/cosign.dev.pub \
--bundle signed-artifacts/confidence_decay_config.sigstore.json \
docs/modules/signals/decay/confidence_decay_config.yaml \
&& echo "✓ decay config signature verified" \
|| echo "::warning::Signature verification failed (may need production public key)"
fi
- name: Verify unknowns manifest signature
run: |
if [[ -f signed-artifacts/unknowns_scoring_manifest.sigstore.json ]]; then
cosign verify-blob \
--key tools/cosign/cosign.dev.pub \
--bundle signed-artifacts/unknowns_scoring_manifest.sigstore.json \
docs/modules/signals/unknowns/unknowns_scoring_manifest.json \
&& echo "✓ unknowns manifest signature verified" \
|| echo "::warning::Signature verification failed (may need production public key)"
fi
- name: Verify heuristics catalog signature
run: |
if [[ -f signed-artifacts/heuristics_catalog.sigstore.json ]]; then
cosign verify-blob \
--key tools/cosign/cosign.dev.pub \
--bundle signed-artifacts/heuristics_catalog.sigstore.json \
docs/modules/signals/heuristics/heuristics.catalog.json \
&& echo "✓ heuristics catalog signature verified" \
|| echo "::warning::Signature verification failed (may need production public key)"
fi
- name: Summary
run: |
echo "## Signals DSSE Signing Summary" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "| Artifact | Status |" >> "$GITHUB_STEP_SUMMARY"
echo "|----------|--------|" >> "$GITHUB_STEP_SUMMARY"
for f in signed-artifacts/*.sigstore.json signed-artifacts/*.dsse; do
[[ -f "$f" ]] && echo "| $(basename $f) | ✓ Signed |" >> "$GITHUB_STEP_SUMMARY"
done
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "Run ID: ${{ github.run_number }}" >> "$GITHUB_STEP_SUMMARY"

67
.gitea/workflows/signals-evidence-locker.yml Normal file
View File

@@ -0,0 +1,67 @@
name: signals-evidence-locker
on:
workflow_dispatch:
inputs:
retention_target:
description: "Retention days target"
required: false
default: "180"
jobs:
prepare-signals-evidence:
runs-on: ubuntu-latest
env:
MODULE_ROOT: docs/modules/signals
OUT_DIR: evidence-locker/signals/2025-12-05
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Build deterministic signals evidence tar
run: |
set -euo pipefail
test -d "$MODULE_ROOT" || { echo "missing $MODULE_ROOT" >&2; exit 1; }
tmpdir=$(mktemp -d)
rsync -a --relative \
"$OUT_DIR/SHA256SUMS" \
"$OUT_DIR/confidence_decay_config.sigstore.json" \
"$OUT_DIR/unknowns_scoring_manifest.sigstore.json" \
"$OUT_DIR/heuristics_catalog.sigstore.json" \
"$MODULE_ROOT/decay/confidence_decay_config.yaml" \
"$MODULE_ROOT/unknowns/unknowns_scoring_manifest.json" \
"$MODULE_ROOT/heuristics/heuristics.catalog.json" \
"$tmpdir/"
(cd "$tmpdir/$OUT_DIR" && sha256sum --check SHA256SUMS)
tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
-cf /tmp/signals-evidence.tar -C "$tmpdir" .
sha256sum /tmp/signals-evidence.tar > /tmp/signals-evidence.tar.sha256
- name: Upload artifact (fallback)
uses: actions/upload-artifact@v4
with:
name: signals-evidence-2025-12-05
path: |
/tmp/signals-evidence.tar
/tmp/signals-evidence.tar.sha256
- name: Push to Evidence Locker
if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
env:
TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
URL: ${{ env.EVIDENCE_LOCKER_URL }}
run: |
curl -f -X PUT "$URL/signals/2025-12-05/signals-evidence.tar" \
-H "Authorization: Bearer $TOKEN" \
--data-binary @/tmp/signals-evidence.tar
- name: Skip push (missing secret or URL)
if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
run: |
echo "Locker push skipped: set CI_EVIDENCE_LOCKER_TOKEN and EVIDENCE_LOCKER_URL to enable." >&2

3
.gitea/workflows/symbols-ci.yml
View File

@@ -26,6 +26,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Export OpenSSL 1.1 shim for Mongo2Go
run: scripts/enable-openssl11-shim.sh

3
.gitea/workflows/symbols-release.yml
View File

@@ -17,6 +17,9 @@ jobs:
with:
fetch-depth: 0
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Export OpenSSL 1.1 shim for Mongo2Go
run: scripts/enable-openssl11-shim.sh

40
.gitea/workflows/vex-proof-bundles.yml Normal file
View File

@@ -0,0 +1,40 @@
name: VEX Proof Bundles
on:
pull_request:
paths:
- 'scripts/vex/**'
- 'tests/Vex/ProofBundles/**'
- 'docs/benchmarks/vex-evidence-playbook*'
- '.gitea/workflows/vex-proof-bundles.yml'
push:
branches: [ main ]
paths:
- 'scripts/vex/**'
- 'tests/Vex/ProofBundles/**'
- 'docs/benchmarks/vex-evidence-playbook*'
- '.gitea/workflows/vex-proof-bundles.yml'
jobs:
verify-bundles:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Task Pack offline bundle fixtures
run: python3 scripts/packs/run-fixtures-check.sh
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install deps
run: pip install --disable-pip-version-check --no-cache-dir -r scripts/vex/requirements.txt
- name: Verify proof bundles (offline)
env:
PYTHONHASHSEED: "0"
run: |
chmod +x tests/Vex/ProofBundles/test_verify_sample.sh
tests/Vex/ProofBundles/test_verify_sample.sh

51
.gitignore vendored
View File

@@ -14,11 +14,11 @@ obj/
.idea/
.vscode/
# Packages and logs
*.log
TestResults/
local-nuget/
local-nugets/packages/
# Packages and logs
*.log
TestResults/
local-nuget/
local-nugets/packages/
.dotnet
.DS_Store
@@ -31,11 +31,36 @@ seed-data/cert-bund/**/*.sha256
out/offline-kit/web/**/*
**/node_modules/**/*
**/.angular/**/*
**/.cache/**/*
**/dist/**/*
tmp/**/*
build/
/out/cli/**
/src/Sdk/StellaOps.Sdk.Release/out/**
/src/Sdk/StellaOps.Sdk.Generator/out/**
/out/scanner-analyzers/**
**/.cache/**/*
**/dist/**/*
tmp/**/*
build/
/out/cli/**
/src/Sdk/StellaOps.Sdk.Release/out/**
/src/Sdk/StellaOps.Sdk.Generator/out/**
/out/scanner-analyzers/**
# Node / frontend
node_modules/
dist/
.build/
.cache/
# .NET
bin/
obj/
# IDEs
.vscode/
.idea/
*.user
*.suo
# Misc
logs/
tmp/
coverage/
.nuget/
local-nugets/
local-nuget/
src/Sdk/StellaOps.Sdk.Generator/tools/jdk-21.0.1+12

BIN
.nuget/packages/AWSSDK.Core.4.0.1.3.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/AWSSDK.KeyManagementService.4.0.6.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Api.CommonProtos.2.17.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Api.Gax.4.11.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Api.Gax.Grpc.4.11.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Api.Gax.Grpc.4.7.0.nupkg
View File

Binary file not shown.

3
.nuget/packages/Google.Api.Gax.Grpc.GrpcCore.4.11.0.nupkg
View File

@@ -1,3 +0,0 @@
<?xml version="1.0" encoding="utf-8"?><Error><Code>BlobNotFound</Code><Message>The specified blob does not exist.
RequestId:111b5cf5-801e-0033-51f3-4ee25c000000
Time:2025-11-06T08:00:59.9404934Z</Message></Error>

BIN
.nuget/packages/Google.Apis.1.69.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Apis.Auth.1.69.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Apis.Core.1.64.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Apis.Core.1.69.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Cloud.Iam.V1.3.4.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Cloud.Kms.V1.3.19.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Cloud.Location.2.3.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.LongRunning.3.3.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Protobuf.3.27.2.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Google.Protobuf.3.31.1.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Grpc.Auth.2.71.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Grpc.Core.2.46.6.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Grpc.Core.Api.2.65.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Grpc.Core.Api.2.71.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Grpc.Net.Client.2.65.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Grpc.Net.Client.2.71.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Grpc.Net.Common.2.65.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Grpc.Net.Common.2.71.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Grpc.Tools.2.65.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Grpc.Tools.2.71.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.AspNetCore.Authentication.JwtBearer.10.0.0-rc.1.25451.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.AspNetCore.Authentication.JwtBearer.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.AspNetCore.Mvc.Testing.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.AspNetCore.OpenApi.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Bcl.AsyncInterfaces.6.0.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Bcl.AsyncInterfaces.8.0.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Data.Sqlite.9.0.0-rc.1.24451.1.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Caching.Memory.10.0.0-preview.7.25380.108.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Caching.Memory.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Configuration.10.0.0-preview.7.25380.108.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Configuration.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Configuration.Abstractions.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Configuration.Binder.10.0.0-preview.7.25380.108.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Configuration.Binder.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Configuration.CommandLine.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Configuration.EnvironmentVariables.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Configuration.FileExtensions.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Configuration.Json.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.DependencyInjection.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.DependencyInjection.Abstractions.10.0.0-preview.7.25380.108.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.DependencyInjection.Abstractions.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.DependencyInjection.Abstractions.9.0.0.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Diagnostics.Abstractions.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Diagnostics.HealthChecks.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Diagnostics.HealthChecks.Abstractions.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Hosting.10.0.0-preview.7.25380.108.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Hosting.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Hosting.Abstractions.10.0.0-preview.7.25380.108.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Hosting.Abstractions.10.0.0-rc.2.25502.107.nupkg
View File

Binary file not shown.

BIN
.nuget/packages/Microsoft.Extensions.Hosting.Abstractions.8.0.0.nupkg
View File

Binary file not shown.

Some files were not shown because too many files have changed in this diff Show More