git.stella-ops.org/docs/airgap/time-anchor-scaffold.md
master 79b8e53441
Add new features and tests for AirGap and Time modules
- Introduced `SbomService` tasks documentation.
- Updated `StellaOps.sln` to include new projects: `StellaOps.AirGap.Time` and `StellaOps.AirGap.Importer`.
- Added unit tests for `BundleImportPlanner`, `DsseVerifier`, `ImportValidator`, and other components in the `StellaOps.AirGap.Importer.Tests` namespace.
- Implemented `InMemoryBundleRepositories` for testing bundle catalog and item repositories.
- Created `MerkleRootCalculator`, `RootRotationPolicy`, and `TufMetadataValidator` tests.
- Developed `StalenessCalculator` and `TimeAnchorLoader` tests in the `StellaOps.AirGap.Time.Tests` namespace.
- Added `fetch-sbomservice-deps.sh` script for offline dependency fetching.
2025-11-20 23:29:54 +02:00

AirGap Time Anchor Scaffold (prep for AIRGAP-TIME-57-001)

Scope for prep

  • Provide a deterministic parsing surface for signed time tokens (Roughtime, RFC3161) so that staleness calculations and telemetry wiring can start before full cryptographic verification is in place.

What landed (2025-11-20)

  • New project: src/AirGap/StellaOps.AirGap.Time/StellaOps.AirGap.Time.csproj (net10.0), BCL-only.
  • Model: TimeAnchor canonical record (anchor time, source, format, signature fingerprint placeholder, token digest).
  • Parser: TimeTokenParser with deterministic SHA-256 digest derivation and structured success/failure reasons.
  • Result envelope: TimeAnchorValidationResult and TimeTokenFormat enum.
  • Tests: tests/AirGap/StellaOps.AirGap.Time.Tests cover empty-token failure and digest production for Roughtime tokens.

Updates (2025-11-20)

  • Added staleness calculator (StalenessCalculator) and budgets/evaluation models to derive warning/breach states deterministically.
  • Added TimeAnchorLoader to ingest hex-encoded tokens from fixtures; sample tokens placed under src/AirGap/StellaOps.AirGap.Time/fixtures/.
  • Added TimeStatusService + InMemoryTimeAnchorStore for per-tenant anchor/budget status + staleness; tests in TimeStatusServiceTests.
  • Added verification pipeline (TimeVerificationService) with stub Roughtime/RFC3161 verifiers requiring trust roots; loader now verifies using trust roots.
  • Added API surface /api/v1/time/status (plus POST /api/v1/time/anchor) via TimeStatusController and web host wiring.

Next implementation hooks

  • Plug real Roughtime and RFC3161 decoders, verifying against trust roots supplied via sealed-mode config.
  • Persist TimeAnchor rows under controller/importer once schema is final; emit telemetry counters/alerts.
  • Replace placeholder signature fingerprint with actual signer fingerprint post-verification.

Determinism/air-gap posture

  • The parser does not read the wall clock; until the real parser is wired in, anchor time is derived deterministically from the token digest.
  • No network calls; uses cached NuGet (local-nugets/) for tests.
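
The digest and staleness steps described above, as an added sketch that is not code from the StellaOps repository. All type and member names, the Unknown state, the reason strings, and the handling of a clock that is behind the anchor are assumptions made for illustration; the sample token and budgets are constructed.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;

// Added sketch; names are hypothetical, not the StellaOps.AirGap.Time API.
public enum StalenessState { Fresh, Warning, Breach, Unknown }

public sealed record Budget(TimeSpan Warning, TimeSpan Breach);
public sealed record Anchor(DateTimeOffset AnchorTime, string TokenDigest);
public sealed record Evaluation(StalenessState State, TimeSpan Age, string Reason);

public static class StalenessSketch
{
    // Digest of the raw token bytes: same hex in, same digest out, on any host.
    public static string DigestHexToken(string hex)
    {
        if (string.IsNullOrWhiteSpace(hex))
            throw new FormatException("token-empty");
        byte[] raw = Convert.FromHexString(hex.Trim()); // FormatException on bad hex
        return Convert.ToHexString(SHA256.HashData(raw)).ToLowerInvariant();
    }

    // 'now' is a parameter, so the evaluation never reads the wall clock itself.
    public static Evaluation Evaluate(Anchor? anchor, Budget budget, DateTimeOffset now)
    {
        if (budget.Warning > budget.Breach)
            throw new ArgumentException("warning must not exceed breach", nameof(budget));
        if (anchor is null)
            return new(StalenessState.Unknown, TimeSpan.Zero, "no-anchor");
        TimeSpan age = now - anchor.AnchorTime;
        if (age < TimeSpan.Zero) // local clock is behind the anchor: never report Fresh
            return new(StalenessState.Unknown, age, "clock-behind-anchor");
        if (age >= budget.Breach) return new(StalenessState.Breach, age, "breach-budget-exceeded");
        if (age >= budget.Warning) return new(StalenessState.Warning, age, "warning-budget-exceeded");
        return new(StalenessState.Fresh, age, "within-budget");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values, not taken from the project's fixtures.
        var anchor = new Anchor(new DateTimeOffset(2025, 11, 20, 0, 0, 0, TimeSpan.Zero),
                                StalenessSketch.DigestHexToken("01020304"));
        var budget = new Budget(TimeSpan.FromHours(24), TimeSpan.FromHours(72));
        foreach (int hours in new[] { 1, 30, 80, -2 })
        {
            var r = StalenessSketch.Evaluate(anchor, budget, anchor.AnchorTime.AddHours(hours));
            Console.WriteLine($"{hours,4}h -> {r.State} ({r.Reason})");
        }
    }
}
```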

How to consume

DOTNET_NOLOGO=1 dotnet test tests/AirGap/StellaOps.AirGap.Time.Tests/StellaOps.AirGap.Time.Tests.csproj --no-build

Owners

  • AirGap Time Guild (per sprint 0510).