stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
dac8e10e361e03690a2e1ffa374f4617ffbd9705
git.stella-ops.org/docs2/README.md
master dac8e10e36 feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance 
## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

-  Zero direct System.Security.Cryptography usage in production code
-  All crypto operations go through ICryptoProvider abstraction
-  39/39 unit tests passing for OfflineVerificationCryptoProvider
-  Build successful (AirGap, Crypto plugin, DI infrastructure)
-  Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 18:20:00 +02:00

8.3 KiB
Raw Blame History

StellaOps docs2

This directory is a cleaned, deduplicated documentation set rebuilt from the existing docs tree (excluding docs/implplan and docs/product-advisories). It keeps stable, product-level facts and removes old status notes, duplicated architecture snapshots, and dated implementation checklists.

Assumptions baked into docs2

  • Runtime: .NET 10 (net10.0) for services and libraries
  • UI: Angular 17 for the console
  • Data: PostgreSQL as the only canonical database
  • Cache and queues: Valkey (Redis compatible)
  • Object storage: RustFS (S3 compatible)
  • Determinism and offline-first operation are non-negotiable

How to navigate

  • product/overview.md - Vision, capabilities, and requirements
  • product/roadmap-and-requirements.md - Requirements and roadmap summary
  • product/market-positioning.md - Moats and competitive positioning
  • product/claims-and-benchmarks.md - Claims and benchmark linkage
  • architecture/overview.md - System map and dependencies
  • architecture/workflows.md - Key data and control flows
  • architecture/evidence-and-trust.md - Evidence chain, DSSE, replay, AOC
  • architecture/reachability-vex.md - Reachability, VEX consensus, unknowns
  • architecture/component-map.md - Module interaction map
  • architecture/reachability-lattice.md - Reachability lattice model
  • architecture/reachability-evidence.md - Reachability evidence schemas
  • architecture/advisory-alignment.md - Advisory architecture alignment summary
  • ingestion/aggregation-and-linksets.md - AOC rules and linkset model
  • ingestion/aoc-guardrails.md - Guard library and ingestion guardrails
  • ingestion/backfill.md - AOC linkset backfill process
  • modules/index.md - Module summaries (core and supporting)
  • advisory-ai/overview.md - Advisory AI guardrails and evidence
  • orchestrator/overview.md - Orchestrator execution model
  • orchestrator/run-ledger.md - Orchestrator run ledger schema
  • orchestrator/architecture.md - Orchestrator component architecture
  • orchestrator/api.md - Orchestrator API surface
  • orchestrator/cli.md - Orchestrator CLI commands
  • orchestrator/console.md - Orchestrator console views
  • operations/quickstart.md - First scan workflow
  • operations/install-deploy.md - Install and deployment guidance
  • operations/deployment-versioning.md - Versioning and promotion model
  • operations/binary-prereqs.md - Offline binary and package prerequisites
  • operations/airgap.md - Offline kit and air-gap operations
  • operations/airgap-bundles.md - Bundle formats and verification
  • operations/airgap-runbooks.md - Air-gap import and quarantine runbooks
  • operations/replay-and-determinism.md - Replay artifacts and deterministic rules
  • operations/runtime-readiness.md - Runtime readiness checks
  • operations/slo.md - Service SLO overview
  • operations/runbooks.md - Operational runbooks and incident response
  • operations/notifications.md - Notifications Studio operations
  • notifications/overview.md - Notifications overview
  • notifications/rules.md - Notification rules and routing
  • notifications/channels.md - Notification channels
  • notifications/templates.md - Notification templates
  • notifications/digests.md - Notification digests
  • notifications/pack-approvals.md - Pack approval notifications
  • operations/router-rate-limiting.md - Gateway rate limiting
  • release/release-engineering.md - Release and CI/CD overview
  • api/overview.md - API surface and conventions
  • api/auth-and-tokens.md - Authority, OpTok, DPoP and mTLS, PoE
  • policy/policy-system.md - Policy DSL, lifecycle, and governance
  • cli-ui.md - CLI and console guide
  • cli/overview.md - CLI command groups and config
  • cli/commands.md - CLI groups and global options
  • cli/crypto.md - Crypto commands and regional compliance
  • cli/crypto-plugins.md - Crypto provider plugin model
  • cli/distribution-matrix.md - CLI regional distribution matrix
  • cli/reachability.md - Reachability, drift, and smart-diff CLI
  • cli/triage.md - Triage CLI workflows
  • cli/unknowns.md - Unknowns CLI workflows
  • cli/score-proofs.md - Scoring replay and proofs
  • cli/sbomer.md - SBOMer offline commands
  • cli/audit-pack.md - Audit pack export and replay
  • cli/keyboard-shortcuts.md - CLI interactive shortcuts
  • cli/troubleshooting.md - Common CLI issues
  • ui/console.md - Console overview and shared surfaces
  • ui/navigation.md - Console routing, shortcuts, deep links
  • ui/aoc-dashboard.md - AOC ingestion dashboard
  • ui/findings.md - Findings workspace guide
  • ui/advisories-vex.md - Advisories and VEX explorer
  • ui/downloads.md - Downloads workspace and manifest handling
  • ui/runs.md - Runs workspace and evidence bundles
  • ui/policies.md - Policies workspace and approvals
  • ui/admin.md - Admin workspace for tenants, roles, tokens
  • ui/exception-center.md - Exception and waiver workflows
  • ui/reachability-overlays.md - Reachability overlay semantics
  • ui/sbom-explorer.md - SBOM Explorer guide
  • ui/sbom-graph-explorer.md - SBOM graph explorer
  • ui/vulnerability-explorer.md - Vulnerability explorer
  • ui/explainers.md - Policy explainers UI
  • ui/airgap.md - Air-gap console UI
  • ui/attestor.md - Attestation UI
  • ui/forensics.md - Forensics UI
  • ui/observability.md - Observability UI
  • ui/risk-ui.md - Risk UI
  • ui/policy-editor.md - Policy editor workspace
  • ui/accessibility.md - Console accessibility guidance
  • ui/triage.md - Triage UX and state model
  • ui/branding.md - Tenant branding model
  • data-and-schemas.md - Storage, schemas, and determinism rules
  • data/persistence.md - Database model and migration notes
  • data/events.md - Event envelopes and validation
  • sbom/overview.md - SBOM formats, mapping, and heuristics
  • governance/approvals.md - Approval routing and audit
  • governance/exceptions.md - Exception lifecycle and controls
  • security-and-governance.md - Security policy, hardening, governance, compliance
  • security/identity-tenancy-and-scopes.md - Authority scopes and tenancy rules
  • security/crypto-and-trust.md - Crypto profiles and trust roots
  • security/crypto-compliance.md - Regional crypto profiles and licensing notes
  • security/quota-and-licensing.md - Offline quota and JWT licensing
  • security/admin-rbac.md - Console admin RBAC model
  • security/console-security.md - Console security posture
  • security/operational-hardening.md - DPoP, rate limits, secrets, exports
  • security/audit-events.md - Authority audit event schema
  • security/revocation-bundles.md - Revocation bundle format and verification
  • security/risk-model.md - Risk scoring model and explainability
  • security/forensics-and-evidence-locker.md - Evidence locker and forensic storage
  • provenance/inline-provenance.md - DSSE metadata and transparency links
  • signals/unknowns.md - Unknowns registry and signals model
  • signals/unknowns-ranking.md - Unknowns scoring and triage bands
  • signals/uncertainty.md - Uncertainty states and tiers
  • signals/callgraph-schema.md - Callgraph schema and determinism
  • signals/contract-mapping.md - Signal contract mapping
  • contracts-and-interfaces.md - Cross-module contracts and specs
  • contracts/scanner-core.md - Scanner core DTOs and determinism helpers
  • task-packs.md - Task Runner pack format and workflow
  • interop/sbom-interop.md - SBOM interoperability and parity testing
  • interop/cosign.md - Cosign attestation integration
  • migration/overview.md - Migration paths and parity guidance
  • vex/consensus.md - VEX consensus overview
  • testing-and-quality.md - Test strategy and quality gates
  • observability.md - Metrics, logs, tracing, telemetry stack
  • developer/onboarding.md - Local dev setup and workflows
  • developer/plugin-sdk.md - Plugin SDK summary
  • developer/devportal.md - Developer portal publishing
  • developer/implementation-guidelines.md - Deterministic implementation rules
  • sdk/overview.md - SDK and client guidance
  • guides/compare-workflow.md - Compare workflow guide
  • guides/epss-integration.md - EPSS integration summary
  • references/examples-and-fixtures.md - Examples, samples, schemas
  • specs/symbols.md - Symbol manifest and bundle format
  • benchmarks.md - Benchmark program overview
  • vuln-explorer/overview.md - Vuln Explorer summary
  • training-and-adoption.md - Evaluation checklist and training material
  • glossary.md - Core terms

Legal and regulator view

  • legal/regulator-threat-evidence.md - Regulator threat and evidence model

Notes

  • Raw schemas, samples, and fixtures remain under docs/ and are referenced from docs2.
  • If you need a deep schema or fixture, follow the path in data-and-schemas.md.