# Surface.Validation Framework

## Module
Scanner

## Status
VERIFIED

## Description
Preflight validation framework for scanner surfaces, allowing validators to check secrets availability, environment correctness, and required capabilities before scan execution.

## Implementation Details
- **Validator Runner**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/SurfaceValidatorRunner.cs` - `SurfaceValidatorRunner` executing all registered validators and collecting results
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/ISurfaceValidatorRunner.cs` - Interface for validator runner
- **Validator Interface**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/ISurfaceValidator.cs` - `ISurfaceValidator` interface for individual validation checks
- **Built-in Validators**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/Validators/SurfaceSecretsValidator.cs` - `SurfaceSecretsValidator` checking that required secrets (signing keys, registry credentials, CAS tokens) are available
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/Validators/SurfaceCacheValidator.cs` - `SurfaceCacheValidator` checking cache availability and write permissions
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/Validators/SurfaceEndpointValidator.cs` - `SurfaceEndpointValidator` checking that required service endpoints are reachable
- **Builder**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/SurfaceValidationBuilder.cs` - `SurfaceValidationBuilder` fluent API for configuring which validators to run
- **DI Registration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/ServiceCollectionExtensions.cs` - DI registration for validation services
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Surface.Validation.Tests/SurfaceValidatorRunnerTests.cs` - Validator runner tests

## E2E Test Plan
- [ ] Run preflight validation with all required secrets available and verify all validators pass
- [ ] Run preflight validation with a missing signing key and verify `SurfaceSecretsValidator` reports the failure
- [ ] Verify `SurfaceCacheValidator` detects when cache directory is not writable and reports the issue
- [ ] Verify `SurfaceEndpointValidator` correctly checks reachability of required service endpoints
- [ ] Verify `SurfaceValidationBuilder` allows selective configuration of which validators to run
- [ ] Verify the validator runner aggregates all validation results and provides a clear pass/fail summary

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |