using StellaOps.Policy.Registry.Contracts;
namespace StellaOps.Policy.Registry.Services;
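/// <summary>
/// Service for publishing policy packs with signing and attestations.
/// Implements REGISTRY-API-27-007: Publish pipeline with signing/attestations.
/// </summary>
/// <remarks>
/// Every operation is scoped by a <c>tenantId</c> and a <c>packId</c>. An
/// implementation should take <c>tenantId</c> from the authenticated caller, never
/// from client-supplied data, so that one tenant cannot publish, inspect or revoke
/// another tenant's packs. The <c>PublishedBy</c> / <c>RevokedBy</c> strings in the
/// request records are informational and are not a substitute for that check.
/// NOTE(review): the result type arguments were missing from this listing
/// (plain <c>Task</c>); they are restored here from the result records declared in
/// this file — confirm against the implementing service.
/// </remarks>
public interface IPublishPipelineService
{
    /// <summary>
    /// Publishes an approved policy pack: signs it and produces its attestation.
    /// </summary>
    /// <param name="tenantId">Tenant that owns the pack.</param>
    /// <param name="packId">Identifier of the pack to publish.</param>
    /// <param name="request">Approval reference plus signing and attestation options.</param>
    /// <param name="cancellationToken">Token used to cancel the operation.</param>
    /// <returns>
    /// The publication outcome. On failure <see cref="PublishResult.Success"/> is
    /// <c>false</c> and <see cref="PublishResult.Error"/> describes the reason.
    /// </returns>
    Task<PublishResult> PublishAsync(
        Guid tenantId,
        Guid packId,
        PublishPackRequest request,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Gets the publication status of a policy pack.
    /// </summary>
    /// <param name="tenantId">Tenant that owns the pack.</param>
    /// <param name="packId">Identifier of the pack.</param>
    /// <param name="cancellationToken">Token used to cancel the operation.</param>
    /// <returns>
    /// The current status, or <c>null</c> when the pack has no publication record.
    /// NOTE(review): null-versus-throw for an unknown pack is assumed — confirm.
    /// </returns>
    Task<PublicationStatus?> GetPublicationStatusAsync(
        Guid tenantId,
        Guid packId,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Gets the attestation envelope for a published policy pack.
    /// </summary>
    /// <param name="tenantId">Tenant that owns the pack.</param>
    /// <param name="packId">Identifier of the pack.</param>
    /// <param name="cancellationToken">Token used to cancel the operation.</param>
    /// <returns>
    /// The envelope, or <c>null</c> when the pack has not been published.
    /// NOTE(review): the null case is assumed — confirm.
    /// </returns>
    Task<PolicyPackAttestation?> GetAttestationAsync(
        Guid tenantId,
        Guid packId,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Verifies the signature and attestation of a published policy pack.
    /// </summary>
    /// <remarks>
    /// Verification is a server-side decision. An implementation is expected to check
    /// the envelope signature against the key set trusted for the tenant, to compare
    /// the attested subject digest with the stored pack digest, and to fail (or at
    /// least report) when the pack's state is <see cref="PublishState.Revoked"/>.
    /// A self-reported <see cref="AttestationSignature.Timestamp"/> should not be
    /// treated as proof of signing time unless it is backed by a trusted source.
    /// </remarks>
    /// <param name="tenantId">Tenant that owns the pack.</param>
    /// <param name="packId">Identifier of the pack.</param>
    /// <param name="cancellationToken">Token used to cancel the operation.</param>
    /// <returns>The overall verdict with per-check results, errors and warnings.</returns>
    Task<AttestationVerificationResult> VerifyAttestationAsync(
        Guid tenantId,
        Guid packId,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Lists published policy packs for a tenant.
    /// </summary>
    /// <param name="tenantId">Tenant whose packs are listed.</param>
    /// <param name="pageSize">
    /// Requested page size (default 20). Implementations should clamp this to an upper
    /// bound so a caller cannot request arbitrarily large pages.
    /// </param>
    /// <param name="pageToken">
    /// Opaque continuation token from <see cref="PublishedPackList.NextPageToken"/>,
    /// or <c>null</c> for the first page. It is client-supplied input and should be
    /// validated (and bound to the tenant) before being decoded.
    /// </param>
    /// <param name="cancellationToken">Token used to cancel the operation.</param>
    /// <returns>One page of publication statuses.</returns>
    Task<PublishedPackList> ListPublishedAsync(
        Guid tenantId,
        int pageSize = 20,
        string? pageToken = null,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Revokes a published policy pack.
    /// </summary>
    /// <remarks>
    /// Revocation should be recorded durably (see <see cref="PublicationStatus.RevokedAt"/>)
    /// so that subsequent calls to <see cref="VerifyAttestationAsync"/> observe it.
    /// </remarks>
    /// <param name="tenantId">Tenant that owns the pack.</param>
    /// <param name="packId">Identifier of the pack to revoke.</param>
    /// <param name="request">Revocation reason and (informational) actor.</param>
    /// <param name="cancellationToken">Token used to cancel the operation.</param>
    /// <returns>The revocation outcome and the updated status.</returns>
    Task<RevokeResult> RevokeAsync(
        Guid tenantId,
        Guid packId,
        RevokePackRequest request,
        CancellationToken cancellationToken = default);
}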
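/// <summary>
/// Request to publish a policy pack.
/// </summary>
/// <remarks>
/// <see cref="PublishedBy"/> is supplied by the client and is informational only; the
/// service should record the authenticated principal as the publisher and must not
/// base authorization on this value. <see cref="ApprovalId"/> is a reference the
/// service is expected to resolve and validate, not a proof of approval by itself.
/// </remarks>
public sealed record PublishPackRequest
{
    /// <summary>Reference to the approval under which the pack is published.</summary>
    public string? ApprovalId { get; init; }

    /// <summary>Client-asserted publisher identity (informational; see remarks).</summary>
    public string? PublishedBy { get; init; }

    /// <summary>Optional signing options.</summary>
    public SigningOptions? SigningOptions { get; init; }

    /// <summary>Optional attestation options.</summary>
    public AttestationOptions? AttestationOptions { get; init; }

    /// <summary>
    /// Free-form metadata attached to the publication.
    /// NOTE(review): the type arguments were missing from the listing; string keys and
    /// string values are assumed — confirm against the contracts assembly.
    /// </summary>
    public IReadOnlyDictionary<string, string>? Metadata { get; init; }
}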
/// <summary>
/// Signing options for policy pack publication.
/// </summary>
/// <remarks>
/// <see cref="KeyId"/> is chosen by the caller. An implementation must verify that the
/// tenant is permitted to sign with that key before using it; otherwise a caller could
/// obtain signatures from any key the service holds. The chosen <see cref="Algorithm"/>
/// must also match the key's type. <see cref="IncludeRekorEntry"/> defaults to
/// <c>false</c>, so transparency-log inclusion is opt-in.
/// </remarks>
public sealed record SigningOptions
{
    /// <summary>Identifier of the key to sign with. Required.</summary>
    public required string KeyId { get; init; }

    /// <summary>Signature algorithm; defaults to <see cref="SigningAlgorithm.ECDSA_P256_SHA256"/>.</summary>
    public SigningAlgorithm Algorithm { get; init; } = SigningAlgorithm.ECDSA_P256_SHA256;

    /// <summary>
    /// Whether a timestamp is attached to the signature (default <c>true</c>).
    /// NOTE(review): the timestamp source is not visible here; if it is the signer's
    /// own clock it proves nothing to a verifier — confirm.
    /// </summary>
    public bool IncludeTimestamp { get; init; } = true;

    /// <summary>Whether the signature is recorded in a Rekor transparency log (default <c>false</c>).</summary>
    public bool IncludeRekorEntry { get; init; }
}
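/// <summary>
/// Attestation options for policy pack publication.
/// </summary>
/// <remarks>
/// <see cref="CustomClaims"/> are caller-supplied and end up inside a signed
/// predicate. An implementation should keep them in a dedicated section and not let
/// them overwrite the predicate's own fields (compilation, review, builder), since a
/// signed claim is later treated as trustworthy by verifiers.
/// </remarks>
public sealed record AttestationOptions
{
    /// <summary>Predicate type URI written into the attestation statement. Required.</summary>
    public required string PredicateType { get; init; }

    /// <summary>Include compilation metadata in the predicate (default <c>true</c>).</summary>
    public bool IncludeCompilationResult { get; init; } = true;

    /// <summary>Include review/approval metadata in the predicate (default <c>true</c>).</summary>
    public bool IncludeReviewHistory { get; init; } = true;

    /// <summary>Include simulation results in the predicate (default <c>false</c>).</summary>
    public bool IncludeSimulationResults { get; init; }

    /// <summary>
    /// Additional caller-supplied claims (see remarks).
    /// NOTE(review): the type arguments were missing from the listing; string keys and
    /// string values are assumed — confirm against the contracts assembly.
    /// </summary>
    public IReadOnlyDictionary<string, string>? CustomClaims { get; init; }
}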
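/// <summary>
/// Supported signing algorithms.
/// </summary>
/// <remarks>
/// Values are pinned explicitly because <see cref="PublicationStatus.SignatureAlgorithm"/>
/// records the algorithm of a stored publication; an explicit value cannot silently
/// change if a member is inserted later. New members must be appended, never inserted.
/// </remarks>
public enum SigningAlgorithm
{
    /// <summary>ECDSA over NIST P-256 with SHA-256 (the <see cref="SigningOptions"/> default).</summary>
    ECDSA_P256_SHA256 = 0,

    /// <summary>ECDSA over NIST P-384 with SHA-384.</summary>
    ECDSA_P384_SHA384 = 1,

    /// <summary>
    /// RSA with PKCS#1 v1.5 padding and SHA-256. PKCS#1 v1.5 is a legacy padding
    /// scheme; prefer <see cref="RSA_PSS_SHA256"/> for new keys.
    /// </summary>
    RSA_PKCS1_SHA256 = 2,

    /// <summary>RSA with PSS padding and SHA-256.</summary>
    RSA_PSS_SHA256 = 3,

    /// <summary>Ed25519 (EdDSA over Curve25519).</summary>
    Ed25519 = 4
}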
/// <summary>
/// Result of policy pack publication.
/// </summary>
/// <remarks>
/// <see cref="Error"/> is returned to the caller; implementations should keep it to a
/// caller-appropriate message rather than internal exception details or key material.
/// </remarks>
public sealed record PublishResult
{
    /// <summary>Whether publication succeeded.</summary>
    public required bool Success { get; init; }

    /// <summary>Identifier of the published pack.</summary>
    public Guid? PackId { get; init; }

    /// <summary>Digest of the published pack content.</summary>
    public string? Digest { get; init; }

    /// <summary>Publication status after the operation.</summary>
    public PublicationStatus? Status { get; init; }

    /// <summary>Signed attestation envelope produced for the pack.</summary>
    public PolicyPackAttestation? Attestation { get; init; }

    /// <summary>Failure description when <see cref="Success"/> is <c>false</c>.</summary>
    public string? Error { get; init; }
}
/// <summary>
/// Publication status of a policy pack.
/// </summary>
/// <remarks>
/// The revocation fields (<see cref="RevokedAt"/>, <see cref="RevokedBy"/>,
/// <see cref="RevokeReason"/>) are nullable and presumably populated only when
/// <see cref="State"/> is <see cref="PublishState.Revoked"/> — confirm. Consumers
/// deciding whether a pack is usable should check <see cref="State"/>, not the
/// presence of a signature.
/// </remarks>
public sealed record PublicationStatus
{
    /// <summary>Identifier of the pack.</summary>
    public required Guid PackId { get; init; }

    /// <summary>Version string of the pack.</summary>
    public required string PackVersion { get; init; }

    /// <summary>Digest of the published pack content.</summary>
    public required string Digest { get; init; }

    /// <summary>Current publication state.</summary>
    public required PublishState State { get; init; }

    /// <summary>When the pack was published.</summary>
    public required DateTimeOffset PublishedAt { get; init; }

    /// <summary>Recorded publisher identity.</summary>
    public string? PublishedBy { get; init; }

    /// <summary>When the pack was revoked, if it has been.</summary>
    public DateTimeOffset? RevokedAt { get; init; }

    /// <summary>Recorded revoker identity, if revoked.</summary>
    public string? RevokedBy { get; init; }

    /// <summary>Reason given for revocation, if revoked.</summary>
    public string? RevokeReason { get; init; }

    /// <summary>Identifier of the key that signed the pack.</summary>
    public string? SignatureKeyId { get; init; }

    /// <summary>Algorithm used for the signature.</summary>
    public SigningAlgorithm? SignatureAlgorithm { get; init; }

    /// <summary>Rekor transparency-log identifier, when the signature was logged.</summary>
    public string? RekorLogId { get; init; }
}
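/// <summary>
/// Publication state.
/// </summary>
/// <remarks>
/// Values are pinned explicitly because <see cref="PublicationStatus.State"/> is part
/// of a stored publication record; inserting a member later must not renumber an
/// existing value. New members must be appended.
/// </remarks>
public enum PublishState
{
    /// <summary>The pack is published and current.</summary>
    Published = 0,

    /// <summary>The pack has been revoked and should no longer be relied upon.</summary>
    Revoked = 1,

    /// <summary>A newer publication has replaced this one.</summary>
    Superseded = 2
}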
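/// <summary>
/// Policy pack attestation following in-toto/DSSE format.
/// </summary>
/// <remarks>
/// This is the DSSE envelope: a payload type, the payload, and one or more signatures
/// over it. A verifier must recompute the signature over the payload bytes and the
/// <see cref="PayloadType"/> (DSSE's pre-authentication encoding covers both) and must
/// not accept the envelope merely because <see cref="Signatures"/> is non-empty.
/// </remarks>
public sealed record PolicyPackAttestation
{
    /// <summary>Payload media type (for in-toto statements this is the in-toto JSON type).</summary>
    public required string PayloadType { get; init; }

    /// <summary>
    /// The serialized statement. NOTE(review): presumably base64-encoded as in DSSE —
    /// the encoding is not visible here; confirm.
    /// </summary>
    public required string Payload { get; init; }

    /// <summary>
    /// Signatures over the payload.
    /// NOTE(review): the type argument was missing from the listing; restored as
    /// <see cref="AttestationSignature"/>, the signature record declared in this file.
    /// </summary>
    public required IReadOnlyList<AttestationSignature> Signatures { get; init; }
}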
/// <summary>
/// Attestation signature.
/// </summary>
/// <remarks>
/// <see cref="Timestamp"/> is carried alongside the signature and is only as
/// trustworthy as whoever produced it; unless it is tied to a transparency-log entry
/// (<see cref="RekorLogIndex"/>) or a trusted timestamp authority it should not be
/// used for validity-period decisions.
/// </remarks>
public sealed record AttestationSignature
{
    /// <summary>Identifier of the key that produced the signature.</summary>
    public required string KeyId { get; init; }

    /// <summary>
    /// The signature value. NOTE(review): encoding is not visible here (DSSE uses
    /// base64) — confirm.
    /// </summary>
    public required string Signature { get; init; }

    /// <summary>Asserted signing time, if any (see remarks).</summary>
    public DateTimeOffset? Timestamp { get; init; }

    /// <summary>Rekor log index of the entry for this signature, if it was logged.</summary>
    public string? RekorLogIndex { get; init; }
}
/// <summary>
/// Attestation payload in SLSA provenance format.
/// </summary>
/// <remarks>
/// Mirrors an in-toto statement: a statement type, a predicate type, the subject the
/// statement is about and the predicate carrying the provenance data. A verifier
/// should bind the subject digest to the artifact it actually has in hand before
/// acting on anything in <see cref="Predicate"/>.
/// </remarks>
public sealed record AttestationPayload
{
    /// <summary>Statement type identifier (the in-toto <c>_type</c>).</summary>
    public required string Type { get; init; }

    /// <summary>Predicate type URI.</summary>
    public required string PredicateType { get; init; }

    /// <summary>The policy pack this statement is about.</summary>
    public required AttestationSubject Subject { get; init; }

    /// <summary>Provenance metadata.</summary>
    public required AttestationPredicate Predicate { get; init; }
}
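/// <summary>
/// Attestation subject (the policy pack).
/// </summary>
public sealed record AttestationSubject
{
    /// <summary>Name of the subject artifact.</summary>
    public required string Name { get; init; }

    /// <summary>
    /// Digest of the subject, keyed by algorithm name with the digest value as the
    /// dictionary value (the in-toto <c>digest</c> map shape).
    /// NOTE(review): the type arguments were missing from the listing; string/string
    /// is assumed from the in-toto layout — confirm against the contracts assembly.
    /// </summary>
    public required IReadOnlyDictionary<string, string> Digest { get; init; }
}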
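/// <summary>
/// Attestation predicate containing provenance metadata.
/// </summary>
/// <remarks>
/// <see cref="Metadata"/> is a free-form map; if it is populated from caller input
/// (for example <see cref="AttestationOptions.CustomClaims"/>) it should be kept
/// separate from the structured fields so caller data cannot masquerade as builder,
/// compilation or review facts.
/// </remarks>
public sealed record AttestationPredicate
{
    /// <summary>Identifier of the build/publish process type.</summary>
    public required string BuildType { get; init; }

    /// <summary>The builder (the service) that produced the attestation.</summary>
    public required AttestationBuilder Builder { get; init; }

    /// <summary>When the publish pipeline started.</summary>
    public DateTimeOffset? BuildStartedOn { get; init; }

    /// <summary>When the publish pipeline finished.</summary>
    public DateTimeOffset? BuildFinishedOn { get; init; }

    /// <summary>Compilation metadata, when included.</summary>
    public PolicyPackCompilationMetadata? Compilation { get; init; }

    /// <summary>Review/approval metadata, when included.</summary>
    public PolicyPackReviewMetadata? Review { get; init; }

    /// <summary>
    /// Additional free-form metadata (see remarks).
    /// NOTE(review): the type arguments were missing from the listing; string/string
    /// is assumed — confirm against the contracts assembly.
    /// </summary>
    public IReadOnlyDictionary<string, string>? Metadata { get; init; }
}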
/// <summary>
/// Attestation builder information.
/// </summary>
/// <remarks>
/// Identifies the service that produced the attestation. Verifiers that trust only
/// specific builders should compare <see cref="Id"/> against an allow-list rather than
/// accepting any value present.
/// </remarks>
public sealed record AttestationBuilder
{
    /// <summary>Builder identifier.</summary>
    public required string Id { get; init; }

    /// <summary>Builder version, if known.</summary>
    public string? Version { get; init; }
}
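/// <summary>
/// Compilation metadata in attestation.
/// </summary>
public sealed record PolicyPackCompilationMetadata
{
    /// <summary>Digest of the compiled output.</summary>
    public required string Digest { get; init; }

    /// <summary>Number of rules in the compiled pack.</summary>
    public required int RuleCount { get; init; }

    /// <summary>When compilation completed, if recorded.</summary>
    public DateTimeOffset? CompiledAt { get; init; }

    /// <summary>
    /// Additional compilation statistics.
    /// NOTE(review): the type arguments were missing from the listing; string keys and
    /// string values are assumed — confirm against the contracts assembly.
    /// </summary>
    public IReadOnlyDictionary<string, string>? Statistics { get; init; }
}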
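/// <summary>
/// Review metadata in attestation.
/// </summary>
/// <remarks>
/// Records who approved the pack and when. The publish pipeline should populate this
/// from the stored approval it resolved, not from the request, so the attested review
/// history reflects what the service verified.
/// </remarks>
public sealed record PolicyPackReviewMetadata
{
    /// <summary>Identifier of the review that approved the pack.</summary>
    public required string ReviewId { get; init; }

    /// <summary>When the approval was granted.</summary>
    public required DateTimeOffset ApprovedAt { get; init; }

    /// <summary>Identity of the approver, if recorded.</summary>
    public string? ApprovedBy { get; init; }

    /// <summary>
    /// Identities of the reviewers, if recorded.
    /// NOTE(review): the type argument was missing from the listing; string is assumed
    /// to match <see cref="ApprovedBy"/> — confirm against the contracts assembly.
    /// </summary>
    public IReadOnlyList<string>? Reviewers { get; init; }
}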
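/// <summary>
/// Result of attestation verification.
/// </summary>
/// <remarks>
/// <see cref="Valid"/> is the authoritative verdict. Callers must not derive validity
/// from <see cref="Errors"/> being empty or <see cref="Checks"/> all passing on their
/// own, since those lists are optional and may be omitted by an implementation.
/// </remarks>
public sealed record AttestationVerificationResult
{
    /// <summary>Whether the signature and attestation verified successfully.</summary>
    public required bool Valid { get; init; }

    /// <summary>
    /// Individual check results, when reported.
    /// NOTE(review): the type argument was missing from the listing; restored as
    /// <see cref="VerificationCheck"/>, the check record declared in this file.
    /// </summary>
    public IReadOnlyList<VerificationCheck>? Checks { get; init; }

    /// <summary>
    /// Errors that caused verification to fail, when reported.
    /// NOTE(review): type argument missing from the listing; string assumed — confirm.
    /// </summary>
    public IReadOnlyList<string>? Errors { get; init; }

    /// <summary>
    /// Non-fatal findings, when reported.
    /// NOTE(review): type argument missing from the listing; string assumed — confirm.
    /// </summary>
    public IReadOnlyList<string>? Warnings { get; init; }
}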
/// <summary>
/// Individual verification check result.
/// </summary>
public sealed record VerificationCheck
{
    /// <summary>Name of the check that was performed.</summary>
    public required string Name { get; init; }

    /// <summary>Whether the check passed.</summary>
    public required bool Passed { get; init; }

    /// <summary>
    /// Human-readable detail. Implementations should avoid placing secret material
    /// (key bytes, raw tokens) here, since this is returned to the caller.
    /// </summary>
    public string? Details { get; init; }
}
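/// <summary>
/// List of published policy packs.
/// </summary>
public sealed record PublishedPackList
{
    /// <summary>
    /// The statuses on this page.
    /// NOTE(review): the type argument was missing from the listing; restored as
    /// <see cref="PublicationStatus"/>, the per-pack status record declared in this file
    /// — confirm against the contracts assembly.
    /// </summary>
    public required IReadOnlyList<PublicationStatus> Items { get; init; }

    /// <summary>
    /// Opaque token for the next page, or <c>null</c> when there are no more results.
    /// Treated as untrusted input when it comes back in a later request.
    /// </summary>
    public string? NextPageToken { get; init; }

    /// <summary>Total number of published packs for the tenant.</summary>
    public int TotalCount { get; init; }
}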
/// <summary>
/// Request to revoke a published policy pack.
/// </summary>
/// <remarks>
/// <see cref="RevokedBy"/> is supplied by the client and is informational only; the
/// service should record the authenticated principal as the revoker and must not use
/// this value for authorization.
/// </remarks>
public sealed record RevokePackRequest
{
    /// <summary>Reason for revocation. Required.</summary>
    public required string Reason { get; init; }

    /// <summary>Client-asserted revoker identity (informational; see remarks).</summary>
    public string? RevokedBy { get; init; }
}
/// <summary>
/// Result of policy pack revocation.
/// </summary>
public sealed record RevokeResult
{
    /// <summary>Whether revocation succeeded.</summary>
    public required bool Success { get; init; }

    /// <summary>Publication status after the operation.</summary>
    public PublicationStatus? Status { get; init; }

    /// <summary>
    /// Failure description when <see cref="Success"/> is <c>false</c>. Should be a
    /// caller-appropriate message rather than internal exception details.
    /// </summary>
    public string? Error { get; init; }
}