git.stella-ops.org/src/Scanner/StellaOps.Scanner.WebService/TASKS.completed.md
master b1e78fe412
feat: Implement vulnerability token signing and verification utilities
- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
2025-11-03 10:04:10 +02:00


# Completed Tasks

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SCANNER-WEB-09-101 | DONE (2025-10-18) | Scanner WebService Guild | SCANNER-CORE-09-501 | Stand up minimal API host with Authority OpTok + DPoP enforcement, health/ready endpoints, and restart-time plug-in loader per architecture §1, §4. | Host boots with configuration validation, /healthz and /readyz return 200, Authority middleware enforced in integration tests. |
| SCANNER-WEB-09-102 | DONE (2025-10-18) | Scanner WebService Guild | SCANNER-WEB-09-101, SCANNER-QUEUE-09-401 | Implement /api/v1/scans submission/status endpoints with deterministic IDs, validation, and cancellation tokens. | Contract documented, e2e test posts scan request and retrieves status, cancellation token honoured. |
| SCANNER-WEB-09-103 | DONE (2025-10-19) | Scanner WebService Guild | SCANNER-WEB-09-102, SCANNER-CORE-09-502 | Emit scan progress via SSE/JSONL with correlation IDs and deterministic timestamps; document API reference. | Streaming endpoint verified in tests, timestamps formatted ISO-8601 UTC, docs updated in docs/09_API_CLI_REFERENCE.md. |
| SCANNER-WEB-09-104 | DONE (2025-10-19) | Scanner WebService Guild | SCANNER-STORAGE-09-301, SCANNER-QUEUE-09-401 | Bind configuration for Mongo, MinIO, queue, feature flags; add startup diagnostics and fail-fast policy for missing deps. | Misconfiguration fails fast with actionable errors, configuration bound tests pass, diagnostics logged with correlation IDs. |
| SCANNER-POLICY-09-105 | DONE (2025-10-19) | Scanner WebService Guild | POLICY-CORE-09-001 | Integrate policy schema loader + diagnostics + OpenAPI (YAML ignore rules, VEX include/exclude, vendor precedence). | Policy endpoints documented; validation surfaces actionable errors; OpenAPI schema published. |
| SCANNER-POLICY-09-106 | DONE (2025-10-19) | Scanner WebService Guild | POLICY-CORE-09-002, SCANNER-POLICY-09-105 | /reports verdict assembly (Conselier/Excitor/Policy merge) + signed response envelope. | Aggregated report includes policy metadata; integration test verifies signed response; docs updated. |
| SCANNER-POLICY-09-107 | DONE (2025-10-19) | Scanner WebService Guild | POLICY-CORE-09-005, SCANNER-POLICY-09-106 | Surface score inputs, config version, and quietedBy provenance in /reports response and signed payload; document schema changes. | /reports JSON + DSSE contain score, reachability, sourceTrust, confidenceBand, quiet provenance; contract tests updated; docs refreshed. |
| SCANNER-WEB-10-201 | DONE (2025-10-19) | Scanner WebService Guild | SCANNER-CACHE-10-101 | Register scanner cache services and maintenance loop within WebService host. | AddScannerCache wired for configuration binding; maintenance service skips when disabled; project references updated. |
| SCANNER-RUNTIME-12-301 | DONE (2025-10-20) | Scanner WebService Guild | ZASTAVA-CORE-12-201 | Implement /runtime/events ingestion endpoint with validation, batching, and storage hooks per Zastava contract. | Observer fixtures POST events, data persisted and acked; invalid payloads rejected with deterministic errors. |
| SCANNER-RUNTIME-12-302 | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-301, ZASTAVA-CORE-12-201 | Implement /policy/runtime endpoint joining SBOM baseline + policy verdict, returning admission guidance. Coordinate with CLI (CLI-RUNTIME-13-008) before GA to lock response field names/metadata. | Webhook integration test passes; responses include verdict, TTL, reasons; metrics/logging added; CLI contract review signed off. |
| SCANNER-RUNTIME-12-303 | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-302 | Replace /policy/runtime heuristic with canonical policy evaluation (Conselier/Excitor inputs, PolicyPreviewService) so results align with /reports. | Runtime policy endpoint now pipes findings through PolicyPreviewService, emits canonical verdicts/confidence/quiet metadata, and updated tests cover pass/warn/fail paths + CLI contract fixtures. |
| SCANNER-RUNTIME-12-304 | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-302 | Surface attestation verification status by integrating Authority/Attestor Rekor validation (beyond presence-only). | /policy/runtime maps Rekor UUIDs through the runtime attestation verifier so rekor.verified reflects attestor outcomes; webhook/CLI coverage added. |
| SCANNER-RUNTIME-12-305 | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-301, SCANNER-RUNTIME-12-302 | Promote shared fixtures with Zastava/CLI and add end-to-end automation for /runtime/events + /policy/runtime. | Runtime policy integration test + CLI-aligned fixture assert confidence, metadata JSON, and Rekor verification; docs note shared contract. |
| SCANNER-EVENTS-15-201 | DONE (2025-10-20) | Scanner WebService Guild | NOTIFY-QUEUE-15-401 | Emit scanner.report.ready and scanner.scan.completed events (bus adapters + tests). | Event envelopes published to queue with schemas; fixtures committed; Notify consumption test passes. |
| SCANNER-RUNTIME-17-401 | DONE (2025-10-25) | Scanner WebService Guild | SCANNER-RUNTIME-12-301, ZASTAVA-OBS-17-005, SCANNER-EMIT-17-701, POLICY-RUNTIME-17-201 | Persist runtime build-id observations and expose them via /runtime/events + policy joins for debug-symbol correlation. | Runtime events store normalized digests + build IDs with supporting indexes, runtime policy responses surface buildIds, tests/docs updated, and CLI/API consumers can derive debug-store paths deterministically. |
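The /reports signed response envelope (SCANNER-POLICY-09-106) and the DSSE payload fields listed for SCANNER-POLICY-09-107 only protect a consumer that actually verifies them before acting on the verdict. The following is an added example, not StellaOps code (the service itself is a C#/.NET project, so this is illustrative rather than drop-in): it builds the DSSE v1 pre-authentication encoding, signs a constructed sample payload with Ed25519, and shows a fail-closed verifier rejecting a tampered payload, an untrusted keyid, and a payload re-labelled under another media type. The payload struct, the media type `application/vnd.example.scanner.report+json`, the key id and the sample values are assumptions drawn from the field names in the task log, not the project's real schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// Envelope is the DSSE v1 envelope: base64 payload, its media type, and one or
// more signatures over the pre-authentication encoding (PAE) of both.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// ReportPayload is an ASSUMED shape using the field names the task log lists;
// the real StellaOps /reports schema may differ.
type ReportPayload struct {
	Verdict        string   `json:"verdict"`
	Score          float64  `json:"score"`
	Reachability   string   `json:"reachability"`
	SourceTrust    string   `json:"sourceTrust"`
	ConfidenceBand string   `json:"confidenceBand"`
	QuietedBy      []string `json:"quietedBy"`
	ConfigVersion  string   `json:"configVersion"`
}

// reportType is an assumed media type for the signed report payload.
const reportType = "application/vnd.example.scanner.report+json"

// pae implements DSSE PAE: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
// Binding the type into the signed bytes stops a payload signed as one kind of
// document from being replayed as another.
func pae(payloadType string, payload []byte) []byte {
	s := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " "
	return append([]byte(s), payload...)
}

// Sign wraps payload in an envelope with a single Ed25519 signature.
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// Verify returns the decoded payload only if the media type is the expected one
// and at least one signature from a trusted key verifies. A failing signature
// from a trusted key is an error (fail closed); unknown keyids are skipped.
func Verify(env Envelope, expectedType string, trusted map[string]ed25519.PublicKey) ([]byte, error) {
	if env.PayloadType != expectedType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not valid base64: %w", err)
	}
	msg, verified := pae(env.PayloadType, payload), 0
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		if !ok {
			continue
		}
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil || !ed25519.Verify(pub, msg, sig) {
			return nil, fmt.Errorf("signature by %q does not verify", s.KeyID)
		}
		verified++
	}
	if verified == 0 {
		return nil, errors.New("no signature from a trusted key")
	}
	return payload, nil
}

// DemoResult records the checks a client should pass before acting on a report.
type DemoResult struct {
	GenuineAccepted, TamperedRejected, UnknownKeyRejected, RetypedRejected bool
	Decoded                                                             ReportPayload
}

// Demo signs a constructed sample payload (not real scanner output) and runs
// the genuine, tampered, untrusted-key and re-typed cases through Verify.
func Demo() (DemoResult, error) {
	var r DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	trusted := map[string]ed25519.PublicKey{"scanner-report-key-1": pub}
	body, _ := json.Marshal(ReportPayload{Verdict: "fail", Score: 7.5, Reachability: "reachable",
		SourceTrust: "vendor", ConfidenceBand: "high", QuietedBy: []string{}, ConfigVersion: "2025.10.19"})
	env := Sign(priv, "scanner-report-key-1", reportType, body)

	got, err := Verify(env, reportType, trusted)
	if r.GenuineAccepted = err == nil; r.GenuineAccepted {
		if err := json.Unmarshal(got, &r.Decoded); err != nil {
			return r, err
		}
	}
	tampered := env // flip one payload byte: the PAE changes, the signature fails
	raw, _ := base64.StdEncoding.DecodeString(env.Payload)
	raw[len(raw)-2] ^= 0x01
	tampered.Payload = base64.StdEncoding.EncodeToString(raw)
	_, err = Verify(tampered, reportType, trusted)
	r.TamperedRejected = err != nil

	_, err = Verify(env, reportType, map[string]ed25519.PublicKey{"other-key": pub})
	r.UnknownKeyRejected = err != nil

	retyped := env // same bytes and signature, relabelled; PAE binds the type
	retyped.PayloadType = "application/json"
	_, err = Verify(retyped, "application/json", trusted)
	r.RetypedRejected = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The re-typed case is the one most often skipped by hand-rolled verifiers: a signature over the raw JSON body, rather than over the PAE, would still verify after the envelope's payloadType was changed. The DSSE spec permits a verifier to ignore a bad signature from a known key if another one passes; this example does not, since a scanner verdict is a single-issuer document and a bad signature from that issuer's key is itself a signal.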