git.stella-ops.org/docs/features/unchecked/scanner/surface-validation-framework.md

Surface.Validation Framework

Module

Scanner

Status

IMPLEMENTED

Description

Preflight validation framework for scanner surfaces, allowing validators to check secrets availability, environment correctness, and required capabilities before scan execution.

Implementation Details

• Validator Runner:
  • src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/SurfaceValidatorRunner.cs - SurfaceValidatorRunner executing all registered validators and collecting results
  • src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/ISurfaceValidatorRunner.cs - Interface for validator runner
• Validator Interface:
  • src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/ISurfaceValidator.cs - ISurfaceValidator interface for individual validation checks
• Built-in Validators:
  • src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/Validators/SurfaceSecretsValidator.cs - SurfaceSecretsValidator checking that required secrets (signing keys, registry credentials, CAS tokens) are available
  • src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/Validators/SurfaceCacheValidator.cs - SurfaceCacheValidator checking cache availability and write permissions
  • src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/Validators/SurfaceEndpointValidator.cs - SurfaceEndpointValidator checking that required service endpoints are reachable
• Builder:
  • src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/SurfaceValidationBuilder.cs - SurfaceValidationBuilder fluent API for configuring which validators to run
• DI Registration:
  • src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/ServiceCollectionExtensions.cs - DI registration for validation services
• Tests:
  • src/Scanner/__Tests/StellaOps.Scanner.Surface.Validation.Tests/SurfaceValidatorRunnerTests.cs - Validator runner tests

E2E Test Plan

• Run preflight validation with all required secrets available and verify all validators pass
• Run preflight validation with a missing signing key and verify SurfaceSecretsValidator reports the failure
• Verify SurfaceCacheValidator detects when cache directory is not writable and reports the issue
• Verify SurfaceEndpointValidator correctly checks reachability of required service endpoints
• Verify SurfaceValidationBuilder allows selective configuration of which validators to run
• Verify the validator runner aggregates all validation results and provides a clear pass/fail summary