# Authority CI/CD Timestamping

This document describes the CI/CD timestamping orchestration added in Sprint `SPRINT_20260208_025_Authority_rfc_3161_tsa_client_for_ci_cd_timestamping`.

## Scope

- Automatically request RFC-3161 timestamps for pipeline artifacts (SBOMs, attestations, logs, or other digest-addressed artifacts).
- Persist deterministic artifact-to-token mappings for replay, lookup, and audit.
- Support pipeline-scoped and environment-scoped timestamp policies without requiring network access in tests.

## Implementation

- Orchestration service:
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/CiCdTimestampingService.cs`
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/ICiCdTimestampingService.cs`
- Artifact timestamp registry:
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/IArtifactTimestampRegistry.cs`
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/InMemoryArtifactTimestampRegistry.cs`
- Policy models:
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/PipelineTimestampingPolicyOptions.cs`
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/CiCdTimestampingModels.cs`
- DI registration:
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TimestampingServiceCollectionExtensions.cs`

## Policy behavior

- `DefaultPolicy` applies when no pipeline override exists.
- `Pipelines[<pipelineId>]` overrides the default policy.
- `Pipelines[<pipelineId>].Environments[<environment>]` overrides the pipeline policy.
- Core controls:
  - `Enabled`
  - `RequiredSuccessCount`
  - `MaxAttemptsPerArtifact`
  - `RequireDistinctProviders`
  - `IncludeNonce`
  - `CertificateRequired`
  - `HashAlgorithm`
  - `PolicyOid`

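The following Python sketch is an added illustration of how the three policy layers above compose; it is not code from the StellaOps repository. The option and control names mirror the document, but the merge rule (an override replaces only the fields it explicitly sets, `None` meaning "inherit") and the consistency checks in `validate_policy` are assumptions, and the sample options are constructed.

```python
"""Illustrative three-layer timestamp policy resolution (added example).

Layering follows the document: DefaultPolicy, then Pipelines[<pipelineId>],
then Pipelines[<pipelineId>].Environments[<environment>]. Merge semantics and
the sanity checks are assumptions, not the project's behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass, field, fields, replace
from typing import Optional


@dataclass(frozen=True)
class TimestampPolicy:
    """Fully resolved policy: every core control has a concrete value."""
    Enabled: bool = True
    RequiredSuccessCount: int = 1
    MaxAttemptsPerArtifact: int = 3
    RequireDistinctProviders: bool = False
    IncludeNonce: bool = True
    CertificateRequired: bool = True
    HashAlgorithm: str = "sha256"
    PolicyOid: Optional[str] = None


@dataclass(frozen=True)
class PolicyOverride:
    """Partial policy: a None field inherits from the layer below (assumed rule).
    Consequence: PolicyOid cannot be cleared by an override, only replaced."""
    Enabled: Optional[bool] = None
    RequiredSuccessCount: Optional[int] = None
    MaxAttemptsPerArtifact: Optional[int] = None
    RequireDistinctProviders: Optional[bool] = None
    IncludeNonce: Optional[bool] = None
    CertificateRequired: Optional[bool] = None
    HashAlgorithm: Optional[str] = None
    PolicyOid: Optional[str] = None


@dataclass(frozen=True)
class PipelinePolicyOverride(PolicyOverride):
    # Environments[<environment>] layered on top of this pipeline's own override.
    Environments: dict[str, PolicyOverride] = field(default_factory=dict)


@dataclass(frozen=True)
class PipelineTimestampingPolicyOptions:
    DefaultPolicy: TimestampPolicy = field(default_factory=TimestampPolicy)
    Pipelines: dict[str, PipelinePolicyOverride] = field(default_factory=dict)


def _apply(base: TimestampPolicy, override: PolicyOverride) -> TimestampPolicy:
    """Copy only the fields the override actually sets onto the base policy."""
    changes = {
        f.name: getattr(override, f.name)
        for f in fields(PolicyOverride)  # base fields only, not Environments
        if getattr(override, f.name) is not None
    }
    return replace(base, **changes)


def validate_policy(policy: TimestampPolicy) -> None:
    """Assumed sanity checks: a policy that can never be satisfied should fail
    at resolution time rather than on the first artifact of a pipeline run."""
    if not policy.Enabled:
        return
    if policy.RequiredSuccessCount < 1:
        raise ValueError("RequiredSuccessCount must be >= 1 when Enabled")
    if policy.RequiredSuccessCount > policy.MaxAttemptsPerArtifact:
        raise ValueError("RequiredSuccessCount cannot exceed MaxAttemptsPerArtifact")


def resolve_policy(options: PipelineTimestampingPolicyOptions,
                   pipeline_id: str,
                   environment: Optional[str] = None) -> TimestampPolicy:
    """Default -> pipeline override -> environment override, then validate."""
    policy = options.DefaultPolicy
    pipeline = options.Pipelines.get(pipeline_id)
    if pipeline is not None:
        policy = _apply(policy, pipeline)
        if environment is not None:
            env_override = pipeline.Environments.get(environment)
            if env_override is not None:
                policy = _apply(policy, env_override)
    validate_policy(policy)
    return policy


# Constructed sample configuration (not from the repository). "2.999.1" is a
# placeholder OID under the arc reserved for documentation examples.
SAMPLE_OPTIONS = PipelineTimestampingPolicyOptions(
    DefaultPolicy=TimestampPolicy(),
    Pipelines={
        "release": PipelinePolicyOverride(
            RequiredSuccessCount=2,
            MaxAttemptsPerArtifact=4,
            RequireDistinctProviders=True,
            Environments={
                "prod": PolicyOverride(PolicyOid="2.999.1"),
                "dev": PolicyOverride(Enabled=False),
            },
        ),
    },
)

if __name__ == "__main__":
    for pid, env in (("nightly", None), ("release", None), ("release", "prod"), ("release", "dev")):
        print(pid, env, resolve_policy(SAMPLE_OPTIONS, pid, env))
```

Resolving a pipeline with an unknown environment name falls back to the pipeline-level policy, and an unknown pipeline falls back to `DefaultPolicy`; both are the "no override exists" cases the document describes, so the resolver never invents a policy for a misspelled key.
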
## Determinism and offline posture

- Artifact processing is deterministic: artifacts are sorted by digest and type before orchestration.
- Digest normalization is deterministic (`algo:hex-lowercase`).
- Nonce generation is deterministic when `IncludeNonce=true` (derived from pipeline/artifact identity and attempt index).
- Tests use in-memory fakes only and run without network access.

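As an added example (not the project's own implementation), the Python below carries the three determinism rules above through on constructed input: digests are normalized to `algo:hex-lowercase`, artifacts are sorted by digest and then type, and the nonce is derived from pipeline identity, artifact identity and attempt index. The accepted algorithm aliases, the length-prefixed canonical encoding and the SHA-256-based derivation are assumptions made for the illustration.

```python
"""Deterministic artifact preparation for RFC 3161 requests (added example).

Follows the rules stated in the document; the alias table, canonical
encoding and nonce derivation are assumptions, not StellaOps code.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Accepted spellings and the hex length each algorithm's digest must have (assumed).
_ALGORITHMS = {
    "sha256": ("sha256", 64), "sha-256": ("sha256", 64),
    "sha384": ("sha384", 96), "sha-384": ("sha384", 96),
    "sha512": ("sha512", 128), "sha-512": ("sha512", 128),
}
_HEX = re.compile(r"^[0-9a-f]+$")


def normalize_digest(digest: str) -> str:
    """Return `algo:hex-lowercase`; reject anything that is not a well-formed digest."""
    algo, sep, hexpart = digest.strip().partition(":")
    if not sep:
        raise ValueError(f"digest must be 'algo:hex': {digest!r}")
    canonical = _ALGORITHMS.get(algo.lower())
    if canonical is None:
        raise ValueError(f"unsupported digest algorithm: {algo!r}")
    name, length = canonical
    hexpart = hexpart.lower()
    if len(hexpart) != length or not _HEX.match(hexpart):
        raise ValueError(f"malformed {name} digest: {hexpart!r}")
    return f"{name}:{hexpart}"


@dataclass(frozen=True)
class Artifact:
    digest: str         # already normalized
    artifact_type: str  # e.g. "sbom", "attestation", "log"


def order_artifacts(raw: list[tuple[str, str]]) -> list[Artifact]:
    """Normalize every digest, drop exact duplicates, sort by (digest, type)."""
    unique = {(normalize_digest(d), t) for d, t in raw}
    return [Artifact(d, t) for d, t in sorted(unique)]


def derive_nonce(pipeline_id: str, artifact: Artifact, attempt: int) -> int:
    """Deterministic RFC 3161 nonce (an INTEGER) from identity plus attempt index.

    Identical inputs always yield the same nonce, so a replayed run issues a
    byte-identical request; a new attempt index yields a different nonce.
    Each component is length-prefixed so ("ab","c") and ("a","bc") differ.
    """
    if attempt < 0:
        raise ValueError("attempt index must be non-negative")
    h = hashlib.sha256()
    for part in (pipeline_id, artifact.digest, artifact.artifact_type, str(attempt)):
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    # 128 bits is ample for a nonce; interpret big-endian, unsigned.
    return int.from_bytes(h.digest()[:16], "big")


# Constructed sample input: mixed-case algorithm names and hex, unsorted,
# with one entry that duplicates another once normalized.
SAMPLE_ARTIFACTS = [
    ("SHA256:" + "B" * 64, "sbom"),
    ("sha-256:" + "a" * 64, "attestation"),
    ("sha256:" + "A" * 64, "attestation"),
    ("sha256:" + "a" * 64, "log"),
]

if __name__ == "__main__":
    for art in order_artifacts(SAMPLE_ARTIFACTS):
        print(art.digest, art.artifact_type, derive_nonce("release", art, 0))
```

The verifier of a response still checks that the TSA echoed the nonce, which binds the token to this request; what determinism buys is that the registry can replay a run and look up the same request later. The trade-off is that the nonce is predictable from the identity tuple, so any freshness argument rests on that tuple (including the attempt index) being unique per request rather than on the nonce being random.
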
## Test coverage

- `src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/CiCdTimestampingServiceTests.cs`
- `src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/InMemoryArtifactTimestampRegistryTests.cs`

Validation command used:

- `dotnet test src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/StellaOps.Authority.Timestamping.Tests.csproj --no-restore -p:BuildProjectReferences=false -v minimal`