71e9a56cfd
- Implemented `run-scanner-ci.sh` to build and run tests for the Scanner solution with a warmed NuGet cache. - Created `excititor-vex-traces.json` dashboard for monitoring Excititor VEX observations. - Added Docker Compose configuration for the OTLP span sink in `docker-compose.spansink.yml`. - Configured OpenTelemetry collector in `otel-spansink.yaml` to receive and process traces. - Developed `run-spansink.sh` script to run the OTLP span sink for Excititor traces. - Introduced `FileSystemRiskBundleObjectStore` for storing risk bundle artifacts in the filesystem. - Built `RiskBundleBuilder` for creating risk bundles with associated metadata and providers. - Established `RiskBundleJob` to execute the risk bundle creation and storage process. - Defined models for risk bundle inputs, entries, and manifests in `RiskBundleModels.cs`. - Implemented signing functionality for risk bundle manifests with `HmacRiskBundleManifestSigner`. - Created unit tests for `RiskBundleBuilder`, `RiskBundleJob`, and signing functionality to ensure correctness. - Added filesystem artifact reader tests to validate manifest parsing and artifact listing. - Included test manifests for egress scenarios in the task runner tests. - Developed timeline query service tests to verify tenant and event ID handling.
Air-gap Egress Guard Rails
Artifacts supporting DEVOPS-AIRGAP-56-001:
k8s-deny-egress.yaml— NetworkPolicy template that denies all egress for pods labeledsealed=true, except optional in-cluster DNS when enabled.compose-egress-guard.sh— Idempotent iptables guard for Docker/compose using theDOCKER-USERchain to drop all outbound traffic from a compose project network while allowing loopback and RFC1918 intra-cluster ranges.verify-egress-block.sh— Verification harness that runs curl probes from Docker or Kubernetes and reports JSON results; exits non-zero if any target is reachable.bundle_stage_import.py— Deterministic bundle staging helper: validates sha256 manifest, copies bundles to staging dir as<sha256>-<basename>, emitsstaging-report.jsonfor evidence.stage-bundle.sh— Thin wrapper aroundbundle_stage_import.pywith positional args.build_bootstrap_pack.py— Builds a Bootstrap Pack from images/charts/extras listed in a JSON config, writingbootstrap-manifest.json+checksums.sha256deterministically.build_bootstrap_pack.sh— Wrapper for the bootstrap pack builder.build_mirror_bundle.py— Generates mirror bundle manifest + checksums with dual-control approvals; optional cosign signing. Outputsmirror-bundle-manifest.json,checksums.sha256, and optional signature/cert.
See also ops/devops/sealed-mode-ci/ for the full sealed-mode compose harness and egress_probe.py, which this verification script wraps.