stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
dac8e10e361e03690a2e1ffa374f4617ffbd9705
git.stella-ops.org/docs/testing/SPRINT_DEPENDENCY_GRAPH.md
master dac8e10e36 feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance 
## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

-  Zero direct System.Security.Cryptography usage in production code
-  All crypto operations go through ICryptoProvider abstraction
-  39/39 unit tests passing for OfflineVerificationCryptoProvider
-  Build successful (AirGap, Crypto plugin, DI infrastructure)
-  Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 18:20:00 +02:00

394 lines
16 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Testing Strategy Sprint Dependency Graph & Critical Path Analysis
> **Purpose:** Visualize sprint dependencies, identify critical path, optimize parallel execution, and coordinate cross-guild work.
---
## Executive Summary
**Total Sprints:** 22 sprints across 4 batches
**Total Tasks:** ~370 tasks
**Estimated Duration:** 26 weeks (6 months) if executed sequentially
**Optimal Duration:** 14 weeks (3.5 months) with full parallelization
**Critical Path:** 14 weeks (Foundation Epics → Module Tests)
**Parallelization Opportunities:** Up to 15 sprints can run concurrently
---
## Sprint Inventory by Batch
### Batch 5100.0007: Foundation Epics (90 tasks, 6 sprints)
| Sprint ID | Name | Tasks | Waves | Dependencies |
|-----------|------|-------|-------|--------------|
| 5100.0007.0001 | Master Testing Strategy | 18 | 4 | None (entry point) |
| 5100.0007.0002 | Epic A: TestKit Foundations | 13 | 4 | 0001 (Wave 1 complete) |
| 5100.0007.0003 | Epic B: Determinism Gate | 12 | 4 | 0002 (TestKit available) |
| 5100.0007.0004 | Epic C: Storage Harness | 12 | 4 | 0002 (TestKit available) |
| 5100.0007.0005 | Epic D: Connector Fixtures | 12 | 4 | 0002 (TestKit available) |
| 5100.0007.0006 | Epic E: WebService Contract | 12 | 4 | 0002 (TestKit + OtelCapture) |
| 5100.0007.0007 | Epic F: Architecture Tests | 17 | 6 | None (can start immediately) |
### Batch 5100.0008: Quality Gates (11 tasks, 1 sprint)
| Sprint ID | Name | Tasks | Waves | Dependencies |
|-----------|------|-------|-------|--------------|
| 5100.0008.0001 | Competitor Parity Testing | 11 | 4 | 0007.0001 (Wave 1), 0007.0002 |
### Batch 5100.0009: Module Test Implementations (185 tasks, 11 sprints)
| Sprint ID | Module | Models | Tasks | Waves | Dependencies |
|-----------|--------|--------|-------|-------|--------------|
| 5100.0009.0001 | Scanner | L0,AN1,S1,T1,W1,WK1,PERF | 25 | 4 | 0002,0003,0004,0006 |
| 5100.0009.0002 | Concelier | C1,L0,S1,W1,AN1 | 18 | 4 | 0002,0003,0004,0005,0006,0007.0007 |
| 5100.0009.0003 | Excititor | C1,L0,S1,W1,WK1 | 21 | 4 | 0002,0003,0004,0005,0006,0007.0007 |
| 5100.0009.0004 | Policy | L0,S1,W1 | 15 | 3 | 0002,0003,0004,0006 |
| 5100.0009.0005 | Authority | L0,W1,C1 | 17 | 3 | 0002,0005,0006 |
| 5100.0009.0006 | Signer | L0,W1,C1 | 17 | 3 | 0002,0003,0005,0006 |
| 5100.0009.0007 | Attestor | L0,W1 | 14 | 3 | 0002,0003,0006,0009.0006 |
| 5100.0009.0008 | Scheduler | L0,S1,W1,WK1 | 14 | 3 | 0002,0004,0006 |
| 5100.0009.0009 | Notify | L0,C1,S1,W1,WK1 | 18 | 3 | 0002,0004,0005,0006 |
| 5100.0009.0010 | CLI | CLI1 | 13 | 3 | 0002,0003 |
| 5100.0009.0011 | UI | W1 | 13 | 3 | 0002,0006 |
### Batch 5100.0010: Infrastructure Tests (62 tasks, 4 sprints)
| Sprint ID | Module Family | Models | Tasks | Waves | Dependencies |
|-----------|---------------|--------|-------|-------|--------------|
| 5100.0010.0001 | EvidenceLocker + Findings + Replay | L0,S1,W1,WK1 | 16 | 3 | 0002,0004,0006 |
| 5100.0010.0002 | Graph + TimelineIndexer | L0,S1,W1,WK1 | 15 | 3 | 0002,0004,0006 |
| 5100.0010.0003 | Router + Messaging | L0,T1,W1,S1 | 14 | 3 | 0002,0004 |
| 5100.0010.0004 | AirGap | L0,AN1,S1,W1,CLI1 | 17 | 3 | 0002,0003,0004,0006 |
---
## Dependency Visualization (ASCII Graph)
```
CRITICAL PATH (14 weeks):
Week 1-2: [5100.0007.0001] Master Strategy (Wave 1-4)
Week 3-4: [5100.0007.0002] TestKit Foundations ← CRITICAL BOTTLENECK
├──────────┬──────────┬──────────┬──────────┐
Week 5-6: [0003] [0004] [0005] [0006] [0007.0007]
Determ. Storage Connect. WebSvc Arch.Tests
│ │ │ │
└─────────┴─────────┴─────────┘
Week 7-10: ┌──────────┼──────────────────────────────────┐
[5100.0009.xxxx] ALL MODULE TESTS (parallel) │
11 sprints run concurrently │
│ │
Week 11-14:└────────────────────────────────────────────┘
[5100.0010.xxxx] ALL INFRASTRUCTURE TESTS
4 sprints run concurrently
PARALLEL EXECUTION ZONES:
Zone 1 (Weeks 5-6): Epic Implementations
- 5100.0007.0003 (Determinism) ─┐
- 5100.0007.0004 (Storage) ├─ Can run in parallel
- 5100.0007.0005 (Connectors) │ (all depend only on TestKit)
- 5100.0007.0006 (WebService) │
- 5100.0007.0007 (Architecture) ─┘
Zone 2 (Weeks 7-10): Module Tests
- Scanner (5100.0009.0001) ─┐
- Concelier (5100.0009.0002) │
- Excititor (5100.0009.0003) │
- Policy (5100.0009.0004) ├─ Can run in parallel
- Authority (5100.0009.0005) │ (Epic dependencies met)
- Signer (5100.0009.0006) │
- Attestor (5100.0009.0007) │
- Scheduler (5100.0009.0008) │
- Notify (5100.0009.0009) │
- CLI (5100.0009.0010) │
- UI (5100.0009.0011) ─┘
Zone 3 (Weeks 11-14): Infrastructure Tests
- EvidenceLocker (5100.0010.0001) ─┐
- Graph (5100.0010.0002) ├─ Can run in parallel
- Router/Messaging (5100.0010.0003)│
- AirGap (5100.0010.0004) ─┘
Zone 4 (Weeks 3-14): Quality Gates (can overlap)
- Competitor Parity (5100.0008.0001) runs after Week 3
```
---
## Critical Path Analysis
### Critical Path Sequence (14 weeks)
1. **Week 1-2:** Master Strategy Sprint (5100.0007.0001)
- Wave 1: Documentation sync
- Wave 2: Quick wins (test runner scripts, trait standardization)
- Wave 3: CI infrastructure
- Wave 4: Epic sprint creation
2. **Week 3-4:** TestKit Foundations (5100.0007.0002) ← **CRITICAL BOTTLENECK**
- ALL downstream sprints depend on TestKit
- Must complete before any module tests can start
- Priority: DeterministicTime, DeterministicRandom, CanonicalJsonAssert, SnapshotAssert, PostgresFixture, OtelCapture
3. **Week 5-6:** Epic Implementation (parallel zone)
- 5 sprints run concurrently
- Unblocks all module tests
4. **Week 7-10:** Module Test Implementation (parallel zone)
- 11 sprints run concurrently
- Longest pole: Scanner (25 tasks, 4 waves)
5. **Week 11-14:** Infrastructure Test Implementation (parallel zone)
- 4 sprints run concurrently
- Can overlap with late-stage module tests
### Critical Bottleneck: TestKit (Sprint 5100.0007.0002)
**Impact:** Blocks 20 downstream sprints (all module + infrastructure tests)
**Mitigation:**
- Staff with 2-3 senior engineers
- Prioritize DeterministicTime and SnapshotAssert (most commonly used)
- Release incrementally (partial TestKit unlocks some modules)
- Run daily check-ins to unblock consuming teams
---
## Dependency Matrix
### Epic → Module Dependencies
| Epic Sprint | Blocks Module Sprints | Reason |
|-------------|----------------------|--------|
| 5100.0007.0002 (TestKit) | ALL 15 module/infra sprints | Core test utilities required |
| 5100.0007.0003 (Determinism) | Scanner, Excititor, Signer, CLI, AirGap | Determinism gate required |
| 5100.0007.0004 (Storage) | Scanner, Concelier, Excititor, Policy, Scheduler, Notify, EvidenceLocker, Graph, Router, AirGap | PostgresFixture required |
| 5100.0007.0005 (Connectors) | Concelier, Excititor, Authority, Signer, Notify | Fixture discipline required |
| 5100.0007.0006 (WebService) | Scanner, Concelier, Excititor, Policy, Authority, Signer, Attestor, Scheduler, Notify, UI, EvidenceLocker, Graph, AirGap | WebServiceFixture required |
| 5100.0007.0007 (Architecture) | Concelier, Excititor | Lattice boundary enforcement |
### Module → Module Dependencies
| Sprint | Depends On Other Modules | Reason |
|--------|--------------------------|--------|
| Attestor (0009.0007) | Signer (0009.0006) | Sign/verify integration tests |
| (None other) | - | Modules are otherwise independent |
---
## Parallelization Strategy
### Maximum Parallel Execution (15 sprints)
**Week 5-6 (5 parallel):**
- Determinism (2 eng)
- Storage (3 eng)
- Connectors (2 eng)
- WebService (2 eng)
- Architecture (1 eng)
**Week 7-10 (11 parallel):**
- Scanner (3 eng) ← longest pole
- Concelier (2 eng)
- Excititor (2 eng)
- Policy (2 eng)
- Authority (2 eng)
- Signer (2 eng)
- Attestor (2 eng)
- Scheduler (2 eng)
- Notify (2 eng)
- CLI (1 eng)
- UI (2 eng)
**Week 11-14 (4 parallel):**
- EvidenceLocker (2 eng)
- Graph (2 eng)
- Router/Messaging (2 eng)
- AirGap (2 eng)
**Resource Requirement (Peak):**
- Week 7-10: 22 engineers (11 sprints × avg 2 eng/sprint)
- Realistic: 10-12 engineers with staggered starts
---
## Risk Hotspots
### High-Impact Delays
| Risk | Impact | Probability | Mitigation |
|------|--------|-------------|------------|
| TestKit delayed (5100.0007.0002) | Blocks ALL downstream sprints; +2-4 weeks delay | MEDIUM | Staff with senior engineers; daily standups; incremental releases |
| Storage harness issues (5100.0007.0004) | Blocks 10 sprints | MEDIUM | Use Testcontainers early; validate Postgres 16 compatibility Week 1 |
| Determinism gate drift (5100.0007.0003) | Scanner/Excititor blocked; compliance issues | LOW | Explicit canonical JSON contract; freeze schema early |
| Attestor-Signer circular dependency (0009.0007 ↔ 0009.0006) | Integration tests blocked | MEDIUM | Mock signing for Attestor initial tests; coordinate guilds |
| Concurrent module tests overwhelm CI | Test suite timeout; flaky tests | HIGH | Stagger module test starts; use CI parallelization; dedicated test runners |
### Critical Path Risks
| Sprint | Risk | Impact if Delayed |
|--------|------|-------------------|
| 5100.0007.0002 (TestKit) | DeterministicTime implementation complex | +2 weeks to critical path |
| 5100.0009.0001 (Scanner) | 25 tasks, 4 waves; reachability tests complex | Delays integration tests; no impact on other modules |
| 5100.0007.0004 (Storage) | Testcontainers Postgres compatibility issues | Blocks 10 sprints; +2-3 weeks |
---
## Recommended Execution Sequence
### Phase 1: Foundation (Weeks 1-4)
**Goal:** Establish test infrastructure and strategy docs
**Sprints:**
1. 5100.0007.0001 (Master Strategy) — Week 1-2
2. 5100.0007.0002 (TestKit) — Week 3-4 ← CRITICAL
**Exit Criteria:**
- TestKit utilities available (DeterministicTime, SnapshotAssert, PostgresFixture, OtelCapture)
- Test runner scripts operational
- Trait standardization complete
### Phase 2: Epic Implementation (Weeks 5-6)
**Goal:** Implement all foundation epics in parallel
**Sprints (parallel):**
1. 5100.0007.0003 (Determinism)
2. 5100.0007.0004 (Storage)
3. 5100.0007.0005 (Connectors)
4. 5100.0007.0006 (WebService)
5. 5100.0007.0007 (Architecture)
**Exit Criteria:**
- PostgresFixture operational (Testcontainers)
- Determinism manifest format defined
- Connector fixture discipline documented
- WebServiceFixture operational
- Architecture tests in CI (PR gate)
### Phase 3: Module Tests — Priority Tier 1 (Weeks 7-8)
**Goal:** Implement tests for critical security/compliance modules
**Sprints (parallel):**
1. 5100.0009.0001 (Scanner) — critical path, longest pole
2. 5100.0009.0002 (Concelier)
3. 5100.0009.0003 (Excititor)
4. 5100.0009.0004 (Policy)
5. 5100.0009.0005 (Authority)
6. 5100.0009.0006 (Signer)
### Phase 4: Module Tests — Priority Tier 2 (Weeks 9-10)
**Goal:** Complete remaining module tests
**Sprints (parallel):**
1. 5100.0009.0007 (Attestor)
2. 5100.0009.0008 (Scheduler)
3. 5100.0009.0009 (Notify)
4. 5100.0009.0010 (CLI)
5. 5100.0009.0011 (UI)
### Phase 5: Infrastructure Tests (Weeks 11-14)
**Goal:** Complete platform infrastructure tests
**Sprints (parallel):**
1. 5100.0010.0001 (EvidenceLocker)
2. 5100.0010.0002 (Graph)
3. 5100.0010.0003 (Router/Messaging)
4. 5100.0010.0004 (AirGap)
### Phase 6: Quality Gates (Overlapping Weeks 3-14)
**Goal:** Establish ongoing parity testing
**Sprint:**
1. 5100.0008.0001 (Competitor Parity) — can start Week 3, run nightly thereafter
---
## Guild Coordination
### Cross-Guild Dependencies
| Guild | Owns Sprints | Depends On Guilds | Coordination Points |
|-------|--------------|-------------------|---------------------|
| Platform Guild | TestKit, Storage, Architecture, EvidenceLocker, Graph, Router | None | Week 3: TestKit readiness review |
| Scanner Guild | Scanner | Platform (TestKit, Storage, Determinism, WebService) | Week 5: Storage harness validation |
| Concelier Guild | Concelier | Platform (TestKit, Storage, Connectors, WebService), Architecture | Week 6: Connector fixture review |
| Excititor Guild | Excititor | Platform (TestKit, Storage, Connectors, WebService), Architecture | Week 6: Preserve-prune test design |
| Policy Guild | Policy, AirGap (analyzers) | Platform (TestKit, Storage, WebService) | Week 7: Unknown budget enforcement review |
| Authority Guild | Authority | Platform (TestKit, Connectors, WebService) | Week 7: OIDC connector fixture validation |
| Crypto Guild | Signer, Attestor | Platform (TestKit, Determinism, Connectors, WebService), Authority | Week 8: Canonical payload design; Week 9: Sign/verify integration |
| Scheduler Guild | Scheduler | Platform (TestKit, Storage, WebService) | Week 9: DeterministicTime validation |
| Notify Guild | Notify | Platform (TestKit, Storage, Connectors, WebService) | Week 9: Connector fixture templates |
| CLI Guild | CLI | Platform (TestKit, Determinism) | Week 10: Exit code conventions |
| UI Guild | UI | Platform (TestKit, WebService) | Week 10: API contract snapshot review |
| AirGap Guild | AirGap | Platform (TestKit, Determinism, Storage, WebService), Policy | Week 11: Bundle determinism validation |
| QA Guild | Competitor Parity | Platform (TestKit) | Week 3: Parity harness design |
### Weekly Sync Schedule
**Week 1-2:**
- All guilds: Master strategy review, sprint assignment
**Week 3-4:**
- Platform Guild: Daily standup (TestKit unblocking)
- All guilds: TestKit API review (design feedback)
**Week 5-6:**
- Epic guilds: Bi-weekly sync (Determinism, Storage, Connectors, WebService, Architecture)
- Scanner/Concelier/Excititor guilds: Prepare for module test sprint kickoff
**Week 7-10:**
- All module guilds: Weekly guild-specific standups
- Cross-guild: Bi-weekly integration sync (Signer ↔ Attestor, Policy ↔ AirGap)
**Week 11-14:**
- Infrastructure guilds: Weekly sync
- All guilds: Bi-weekly retrospective
---
## Metrics & Tracking
### Sprint Completion Metrics
| Metric | Target | Measurement |
|--------|--------|-------------|
| Sprint on-time completion | >80% | Tasks complete by wave deadline |
| Test coverage increase | +30% per module | Code coverage reports |
| Determinism tests passing | 100% | Determinism gate CI job |
| Contract tests in CI | 100% of WebServices | Contract lane CI job |
| Architecture tests enforcing | 100% violations blocked | Architecture test failures = build failures |
### Quality Gates
| Gate | Criteria | Enforced By |
|------|----------|-------------|
| Determinism | SHA-256 hash stable across runs | Sprint 5100.0007.0003 tests |
| Contract Stability | OpenAPI schema unchanged or explicitly versioned | Sprint 5100.0007.0006 tests |
| Architecture Boundaries | Concelier/Excititor do NOT reference Scanner lattice | Sprint 5100.0007.0007 tests |
| Preserve-Prune Source | Excititor preserves VEX source references and rationale | Sprint 5100.0009.0003 tests |
| Unknown Budget Enforcement | Policy engine fails when unknowns > N | Sprint 5100.0009.0004 tests |
---
## Next Steps
1. **Week 1 (2026-01-06):**
- Kick off Sprint 5100.0007.0001 (Master Strategy)
- Assign Platform Guild to TestKit (5100.0007.0002) for Week 3 start
- Review this dependency graph with all guild leads
2. **Week 2 (2026-01-13):**
- Complete Master Strategy Wave 1-2
- Finalize TestKit API design (DeterministicTime, SnapshotAssert, etc.)
3. **Week 3 (2026-01-20):**
- Start TestKit implementation (CRITICAL PATH)
- Daily standup for TestKit unblocking
- Prepare Epic sprint kickoffs for Week 5
4. **Week 4 (2026-01-27):**
- Complete TestKit Wave 1-2 (DeterministicTime, SnapshotAssert)
- Validate TestKit with pilot tests
- Final Epic sprint preparation
5. **Week 5 (2026-02-03):**
- Kick off 5 Epic sprints in parallel
- Weekly Epic sync meeting (Fridays)
---
**Prepared by:** Project Management
**Date:** 2025-12-23
**Next Review:** 2026-01-06 (Week 1 kickoff)
Reference in New Issue View Git Blame Copy Permalink