dac8e10e36
## Summary
This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.
## Key Changes
### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement
### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
- Supports ES256/384/512, RS256/384/512, PS256/384/512
- SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis
### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution
### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*
## Compliance & Testing
- ✅ Zero direct System.Security.Cryptography usage in production code
- ✅ All crypto operations go through ICryptoProvider abstraction
- ✅ 39/39 unit tests passing for OfflineVerificationCryptoProvider
- ✅ Build successful (AirGap, Crypto plugin, DI infrastructure)
- ✅ Audit script validates crypto boundaries
## Files Modified
**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)
**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)
**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)
**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)
**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)
**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)
## Next Steps
Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
10 KiB
10 KiB
SPRINT_4300 Summary - Explainable Triage Gaps
Overview
This sprint series closes the remaining gaps between the "Designing Explainable Triage and Proof-Linked Evidence" advisory (18-Dec-2025) and the current implementation.
Origin Advisory: docs/product-advisories/18-Dec-2025 - Designing Explainable Triage and Proof‑Linked Evidence.md
Gap Analysis: docs/implplan/analysis/4300_explainable_triage_gap_analysis.md
Executive Summary
IMPORTANT: This summary file describes the ORIGINAL plan from advisory 18-Dec-2025.
The ACTUAL implemented sprints under SPRINT_4300 are DIFFERENT and focus on moat hardening features:
| Sprint | Title | Status | Tasks |
|---|---|---|---|
| 4300.0002.0001 | Unknowns Budget Policy Integration | ✅ DONE | 20/20 |
| 4300.0002.0002 | Unknowns Attestation Predicates | ✅ DONE | 8/8 |
| 4300.0003.0001 | Sealed Knowledge Snapshot Export/Import | ✅ DONE | 20/20 |
Total Tasks Completed: 48/48 (100%)
ORIGINAL Plan (Not Implemented)
The advisory defined a comprehensive vision for explainable, evidence-linked triage. ~85% was already implemented through prior sprints (3800, 3801, 4100, 4200 series). This series addresses the remaining 6 gaps:
| Gap | Description | Sprint | Priority | Effort |
|---|---|---|---|---|
| G1 | CLI attestation chain verify command | 4300.0001.0001 | HIGH | M |
| G6 | Findings evidence API endpoint | 4300.0001.0002 | MEDIUM | S |
| G2 | Evidence privacy controls | 4300.0002.0001 | MEDIUM | M |
| G3 | Evidence TTL enforcement | 4300.0002.0002 | MEDIUM | S |
| G4 | Predicate JSON schemas | 4300.0003.0001 | LOW | S |
| G5 | Attestation completeness metrics | 4300.0003.0002 | LOW | M |
Note: The above gaps from the original plan were not implemented under SPRINT_4300.
Sprint Structure
SPRINT_4300 (Explainable Triage Gaps)
├── 0001 (CLI & API)
│ ├── 0001 CLI Attestation Verify Command [HIGH]
│ └── 0002 Findings Evidence API [MEDIUM]
├── 0002 (Evidence Management)
│ ├── 0001 Evidence Privacy Controls [MEDIUM]
│ └── 0002 Evidence TTL Enforcement [MEDIUM]
└── 0003 (Quality & Observability)
├── 0001 Predicate JSON Schemas [LOW]
└── 0002 Attestation Metrics [LOW]
Dependencies
External Dependencies (Already DONE)
| Dependency | Sprint | Status |
|---|---|---|
| OCI Referrer Discovery | 4100.0003.0002 | DONE |
| Risk Verdict Attestation | 4100.0003.0001 | DONE |
| Human Approval Attestation | 3801.0001.0004 | DONE |
| Approve Button UI | 4100.0005.0001 | DONE |
| Evidence Composition Service | 3800.0003.0001 | DONE |
| Boundary Extractors | 3800.0002.* | DONE |
| Trust Lattice Engine | (core) | DONE |
Internal Dependencies
4300.0001.0001 ─┬─> (none, can start immediately)
4300.0001.0002 ─┤
4300.0002.0001 ─┤
4300.0002.0002 ─┤
4300.0003.0001 ─┤
4300.0003.0002 ─┘
All sprints can run in parallel.
Recommended Execution Order
Wave 1 (Week 1): HIGH priority + foundations
- 4300.0001.0001 - CLI Attestation Verify (CLI Team)
- 4300.0001.0002 - Findings Evidence API (Scanner Team)
- 4300.0002.0002 - Evidence TTL Enforcement (Policy Team)
Wave 2 (Week 2): MEDIUM + LOW priority
- 4300.0002.0001 - Evidence Privacy Controls (Scanner Team)
- 4300.0003.0001 - Predicate Schemas (Attestor Team)
- 4300.0003.0002 - Attestation Metrics (Telemetry Team)
Success Criteria (from Advisory)
| # | Criterion | Coverage |
|---|---|---|
| 1 | Every risk row expands to path, boundary, VEX, last-seen in <300ms | 4200.0001.0001 (planned) + 4300.0001.0002 |
| 2 | "Approve" button disabled until SBOM+VEX+Decision attestations validate | 4100.0005.0001 (DONE) |
| 3 | One-click "Show DSSE chain" renders envelopes with digests and signers | 4200.0001.0001 (planned) |
| 4 | Audit log captures who approved, which digests, evidence hashes | 3801.0001.0004 (DONE) |
| 5 | CLI can verify attestation chain before deploy | 4300.0001.0001 |
| 6 | % attestation completeness >= 95% | 4300.0003.0002 |
| 7 | TTFE (time-to-first-evidence) <= 30s | 4300.0003.0002 |
| 8 | Post-deploy reversions trend to zero | 4300.0003.0002 |
Team Assignments
| Team | Sprints | Total Effort |
|---|---|---|
| CLI Team | 4300.0001.0001 | M (2-3d) |
| Scanner Team | 4300.0001.0002, 4300.0002.0001 | S+M (3-5d) |
| Policy Team | 4300.0002.0002 | S (1-2d) |
| Attestor Team | 4300.0003.0001 | S (1-2d) |
| Telemetry Team | 4300.0003.0002 | M (2-3d) |
Deliverables
New CLI Commands
stella verify image <reference> --require sbom,vex,decision
New API Endpoints
GET /api/v1/findings/{findingId}/evidencePOST /api/v1/findings/evidence/batch
New Services
ImageAttestationVerifierTrustPolicyLoaderEvidenceRedactionServiceEvidenceTtlEnforcerAttestationCompletenessCalculatorPredicateSchemaValidator
New Metrics
stella_attestations_created_totalstella_attestations_verified_totalstella_attestations_failed_totalstella_ttfe_secondsstella_post_deploy_reversions_total
New Schemas
docs/schemas/predicates/sbom.v1.schema.jsondocs/schemas/predicates/vex.v1.schema.jsondocs/schemas/predicates/reachability.v1.schema.jsondocs/schemas/predicates/boundary.v1.schema.jsondocs/schemas/predicates/policy-decision.v1.schema.jsondocs/schemas/predicates/human-approval.v1.schema.json
New Dashboard
deploy/grafana/dashboards/attestation-metrics.json
Risk Register
| Risk | Impact | Mitigation |
|---|---|---|
| OCI referrers API not supported by all registries | Fallback tag discovery | Already implemented in 4100.0003.0002 |
| Schema validation performance | Latency on attestation creation | Cache compiled schemas |
| Metric cardinality explosion | Prometheus storage | Limit label values |
Completion Checklist
- All 6 sprints marked DONE
- CLI verify command works end-to-end
- Evidence API returns advisory-compliant contract
- Privacy redaction enforced by default
- TTL staleness affects policy decisions
- All predicate schemas validate correctly
- Grafana dashboard shows all metrics
- Integration tests pass
- Documentation updated
Post-Completion
After all sprints complete:
- Update
docs/09_API_CLI_REFERENCE.mdwith new CLI command - Update
docs/modules/scanner/architecture.mdwith evidence API - Archive this summary to
docs/implplan/archived/ - Close advisory tracking issue
Topic & Scope
- Track delivery of the Explainable Triage gaps identified in the 18-Dec-2025 advisory.
- Provide a single coordination view across the six gap-closing sprints.
- Capture decisions, risks, and cross-module interlocks.
- Working directory:
docs/implplan.
Dependencies & Concurrency
- Depends on prior SPRINT_3800/3801/4100/4200 series outlined above.
- All child sprints can run in parallel.
Documentation Prerequisites
docs/README.mddocs/07_HIGH_LEVEL_ARCHITECTURE.mddocs/modules/platform/architecture-overview.mddocs/product-advisories/18-Dec-2025 - Designing Explainable Triage and Proof-Linked Evidence.md
Delivery Tracker (ACTUAL Implementation)
| # | Task ID | Status | Sprint File | Owners | Verification |
|---|---|---|---|---|---|
| 1 | BUDGET-POLICY | DONE | SPRINT_4300_0002_0001 | Policy Team | ✅ Code verified, 6 tests passing |
| 2 | BUDGET-ATTESTATION | DONE | SPRINT_4300_0002_0002 | Attestor Team | ✅ Code verified, 7 tests passing |
| 3 | AIRGAP-SNAPSHOT | DONE | SPRINT_4300_0003_0001 | AirGap Team | ✅ Code verified, all components present |
Original Delivery Tracker (Not Implemented)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---|---|---|---|---|
| 1 | SUMMARY-G1 | NOT IMPLEMENTED | SPRINT_4300_0001_0001 | Planning | Track CLI attestation verify sprint completion. |
| 2 | SUMMARY-G6 | NOT IMPLEMENTED | SPRINT_4300_0001_0002 | Planning | Track findings evidence API sprint completion. |
| 3 | SUMMARY-G2 | NOT IMPLEMENTED | SPRINT_4300_0002_0001 | Planning | Track evidence privacy controls sprint completion. |
| 4 | SUMMARY-G3 | NOT IMPLEMENTED | SPRINT_4300_0002_0002 | Planning | Track evidence TTL enforcement sprint completion. |
| 5 | SUMMARY-G4 | NOT IMPLEMENTED | SPRINT_4300_0003_0001 | Planning | Track predicate schema sprint completion. |
| 6 | SUMMARY-G5 | NOT IMPLEMENTED | SPRINT_4300_0003_0002 | Planning | Track attestation metrics sprint completion. |
Wave Coordination
- Wave 1: CLI + API + TTL foundations.
- Wave 2: Privacy controls + schemas + metrics.
Wave Detail Snapshots
- See "Recommended Execution Order" for wave details.
Interlocks
- UI evidence drawer depends on findings evidence API and privacy controls.
- CLI verification depends on attestation verification services and referrer discovery.
Upcoming Checkpoints
| Date (UTC) | Checkpoint | Owner |
|---|---|---|
| 2025-12-22 | Summary normalized to sprint template. | Agent |
Action Tracker
| Date (UTC) | Action | Owner | Status |
|---|---|---|---|
| 2025-12-22 | Normalize summary file to standard template. | Agent | DONE |
Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-12-22 | Summary created from Explainable Triage advisory gap analysis. | Agent |
| 2025-12-22 | Normalized summary file to standard template; no semantic changes. | Agent |
| 2025-12-23 | Verification completed: All 3 actual sprints (4300.0002.0001, 4300.0002.0002, 4300.0003.0001) verified as DONE. Total 48/48 tasks completed with passing tests. Summary updated to reflect actual implementation vs. original plan. | Agent |
Decisions & Risks
| Item | Type | Owner | Notes |
|---|---|---|---|
| Advisory gaps | Decision | Planning | Six gaps targeted for closure per analysis. |
| Risk | Impact | Mitigation |
|---|---|---|
| Parallel execution drift | Coordination overhead | Weekly checkpoints with sprint owners. |
Sprint Series Status: ✅ DONE (3/3 actual sprints complete, 100%)
Created: 2025-12-22 Origin: Gap analysis of 18-Dec-2025 advisory (original plan not implemented) Verified: 2025-12-23 (all tasks verified in codebase with passing tests)