stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
a6187c70b47ebfb28579da680220700c2a7c57e4
git.stella-ops.org/docs/modules/authority/timestamping-ci-cd.md

2.5 KiB
Raw Blame History

Authority CI/CD Timestamping

This document describes the CI/CD timestamping orchestration added in Sprint SPRINT_20260208_025_Authority_rfc_3161_tsa_client_for_ci_cd_timestamping.

Scope

  • Automatically request RFC-3161 timestamps for pipeline artifacts (SBOMs, attestations, logs, or other digest-addressed artifacts).
  • Persist deterministic artifact-to-token mappings for replay, lookup, and audit.
  • Support pipeline-scoped and environment-scoped timestamp policies without requiring network access in tests.

Implementation

  • Orchestration service:
    • src/Authority/__Libraries/StellaOps.Authority.Timestamping/CiCdTimestampingService.cs
    • src/Authority/__Libraries/StellaOps.Authority.Timestamping/ICiCdTimestampingService.cs
  • Artifact timestamp registry:
    • src/Authority/__Libraries/StellaOps.Authority.Timestamping/IArtifactTimestampRegistry.cs
    • src/Authority/__Libraries/StellaOps.Authority.Timestamping/InMemoryArtifactTimestampRegistry.cs
  • Policy models:
    • src/Authority/__Libraries/StellaOps.Authority.Timestamping/PipelineTimestampingPolicyOptions.cs
    • src/Authority/__Libraries/StellaOps.Authority.Timestamping/CiCdTimestampingModels.cs
  • DI registration:
    • src/Authority/__Libraries/StellaOps.Authority.Timestamping/TimestampingServiceCollectionExtensions.cs

Policy behavior

  • DefaultPolicy applies when no pipeline override exists.
  • Pipelines[<pipelineId>] overrides the default policy.
  • Pipelines[<pipelineId>].Environments[<environment>] overrides the pipeline policy.
  • Core controls:
    • Enabled
    • RequiredSuccessCount
    • MaxAttemptsPerArtifact
    • RequireDistinctProviders
    • IncludeNonce
    • CertificateRequired
    • HashAlgorithm
    • PolicyOid

Determinism and offline posture

  • Artifact processing is deterministic: artifacts are sorted by digest and type before orchestration.
  • Digest normalization is deterministic (algo:hex-lowercase).
  • Nonce generation is deterministic when IncludeNonce=true (derived from pipeline/artifact identity and attempt index).
  • Tests use in-memory fakes only and run without network access.

Test coverage

  • src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/CiCdTimestampingServiceTests.cs
  • src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/InMemoryArtifactTimestampRegistryTests.cs

Validation command used:

  • dotnet test src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/StellaOps.Authority.Timestamping.Tests.csproj --no-restore -p:BuildProjectReferences=false -v minimal