stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
dac8e10e361e03690a2e1ffa374f4617ffbd9705
git.stella-ops.org/docs2/README.md
master dac8e10e36 feat(crypto): Complete Phase 2 - Configuration-driven crypto architecture with 100% compliance 
## Summary

This commit completes Phase 2 of the configuration-driven crypto architecture, achieving
100% crypto compliance by eliminating all hardcoded cryptographic implementations.

## Key Changes

### Phase 1: Plugin Loader Infrastructure
- **Plugin Discovery System**: Created StellaOps.Cryptography.PluginLoader with manifest-based loading
- **Configuration Model**: Added CryptoPluginConfiguration with regional profiles support
- **Dependency Injection**: Extended DI to support plugin-based crypto provider registration
- **Regional Configs**: Created appsettings.crypto.{international,russia,eu,china}.yaml
- **CI Workflow**: Added .gitea/workflows/crypto-compliance.yml for audit enforcement

### Phase 2: Code Refactoring
- **API Extension**: Added ICryptoProvider.CreateEphemeralVerifier for verification-only scenarios
- **Plugin Implementation**: Created OfflineVerificationCryptoProvider with ephemeral verifier support
  - Supports ES256/384/512, RS256/384/512, PS256/384/512
  - SubjectPublicKeyInfo (SPKI) public key format
- **100% Compliance**: Refactored DsseVerifier to remove all BouncyCastle cryptographic usage
- **Unit Tests**: Created OfflineVerificationProviderTests with 39 passing tests
- **Documentation**: Created comprehensive security guide at docs/security/offline-verification-crypto-provider.md
- **Audit Infrastructure**: Created scripts/audit-crypto-usage.ps1 for static analysis

### Testing Infrastructure (TestKit)
- **Determinism Gate**: Created DeterminismGate for reproducibility validation
- **Test Fixtures**: Added PostgresFixture and ValkeyFixture using Testcontainers
- **Traits System**: Implemented test lane attributes for parallel CI execution
- **JSON Assertions**: Added CanonicalJsonAssert for deterministic JSON comparisons
- **Test Lanes**: Created test-lanes.yml workflow for parallel test execution

### Documentation
- **Architecture**: Created CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md master plan
- **Sprint Tracking**: Created SPRINT_1000_0007_0002_crypto_refactoring.md (COMPLETE)
- **API Documentation**: Updated docs2/cli/crypto-plugins.md and crypto.md
- **Testing Strategy**: Created testing strategy documents in docs/implplan/SPRINT_5100_0007_*

## Compliance & Testing

-  Zero direct System.Security.Cryptography usage in production code
-  All crypto operations go through ICryptoProvider abstraction
-  39/39 unit tests passing for OfflineVerificationCryptoProvider
-  Build successful (AirGap, Crypto plugin, DI infrastructure)
-  Audit script validates crypto boundaries

## Files Modified

**Core Crypto Infrastructure:**
- src/__Libraries/StellaOps.Cryptography/CryptoProvider.cs (API extension)
- src/__Libraries/StellaOps.Cryptography/CryptoSigningKey.cs (verification-only constructor)
- src/__Libraries/StellaOps.Cryptography/EcdsaSigner.cs (fixed ephemeral verifier)

**Plugin Implementation:**
- src/__Libraries/StellaOps.Cryptography.Plugin.OfflineVerification/ (new)
- src/__Libraries/StellaOps.Cryptography.PluginLoader/ (new)

**Production Code Refactoring:**
- src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs (100% compliant)

**Tests:**
- src/__Libraries/__Tests/StellaOps.Cryptography.Plugin.OfflineVerification.Tests/ (new, 39 tests)
- src/__Libraries/__Tests/StellaOps.Cryptography.PluginLoader.Tests/ (new)

**Configuration:**
- etc/crypto-plugins-manifest.json (plugin registry)
- etc/appsettings.crypto.*.yaml (regional profiles)

**Documentation:**
- docs/security/offline-verification-crypto-provider.md (600+ lines)
- docs/implplan/CRYPTO_CONFIGURATION_DRIVEN_ARCHITECTURE.md (master plan)
- docs/implplan/SPRINT_1000_0007_0002_crypto_refactoring.md (Phase 2 complete)

## Next Steps

Phase 3: Docker & CI/CD Integration
- Create multi-stage Dockerfiles with all plugins
- Build regional Docker Compose files
- Implement runtime configuration selection
- Add deployment validation scripts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 18:20:00 +02:00

153 lines
8.3 KiB
Markdown
Raw Blame History

# StellaOps docs2
This directory is a cleaned, deduplicated documentation set rebuilt from the existing docs tree
(excluding docs/implplan and docs/product-advisories). It keeps stable, product-level facts and
removes old status notes, duplicated architecture snapshots, and dated implementation checklists.
Assumptions baked into docs2
- Runtime: .NET 10 (net10.0) for services and libraries
- UI: Angular 17 for the console
- Data: PostgreSQL as the only canonical database
- Cache and queues: Valkey (Redis compatible)
- Object storage: RustFS (S3 compatible)
- Determinism and offline-first operation are non-negotiable
How to navigate
- product/overview.md - Vision, capabilities, and requirements
- product/roadmap-and-requirements.md - Requirements and roadmap summary
- product/market-positioning.md - Moats and competitive positioning
- product/claims-and-benchmarks.md - Claims and benchmark linkage
- architecture/overview.md - System map and dependencies
- architecture/workflows.md - Key data and control flows
- architecture/evidence-and-trust.md - Evidence chain, DSSE, replay, AOC
- architecture/reachability-vex.md - Reachability, VEX consensus, unknowns
- architecture/component-map.md - Module interaction map
- architecture/reachability-lattice.md - Reachability lattice model
- architecture/reachability-evidence.md - Reachability evidence schemas
- architecture/advisory-alignment.md - Advisory architecture alignment summary
- ingestion/aggregation-and-linksets.md - AOC rules and linkset model
- ingestion/aoc-guardrails.md - Guard library and ingestion guardrails
- ingestion/backfill.md - AOC linkset backfill process
- modules/index.md - Module summaries (core and supporting)
- advisory-ai/overview.md - Advisory AI guardrails and evidence
- orchestrator/overview.md - Orchestrator execution model
- orchestrator/run-ledger.md - Orchestrator run ledger schema
- orchestrator/architecture.md - Orchestrator component architecture
- orchestrator/api.md - Orchestrator API surface
- orchestrator/cli.md - Orchestrator CLI commands
- orchestrator/console.md - Orchestrator console views
- operations/quickstart.md - First scan workflow
- operations/install-deploy.md - Install and deployment guidance
- operations/deployment-versioning.md - Versioning and promotion model
- operations/binary-prereqs.md - Offline binary and package prerequisites
- operations/airgap.md - Offline kit and air-gap operations
- operations/airgap-bundles.md - Bundle formats and verification
- operations/airgap-runbooks.md - Air-gap import and quarantine runbooks
- operations/replay-and-determinism.md - Replay artifacts and deterministic rules
- operations/runtime-readiness.md - Runtime readiness checks
- operations/slo.md - Service SLO overview
- operations/runbooks.md - Operational runbooks and incident response
- operations/notifications.md - Notifications Studio operations
- notifications/overview.md - Notifications overview
- notifications/rules.md - Notification rules and routing
- notifications/channels.md - Notification channels
- notifications/templates.md - Notification templates
- notifications/digests.md - Notification digests
- notifications/pack-approvals.md - Pack approval notifications
- operations/router-rate-limiting.md - Gateway rate limiting
- release/release-engineering.md - Release and CI/CD overview
- api/overview.md - API surface and conventions
- api/auth-and-tokens.md - Authority, OpTok, DPoP and mTLS, PoE
- policy/policy-system.md - Policy DSL, lifecycle, and governance
- cli-ui.md - CLI and console guide
- cli/overview.md - CLI command groups and config
- cli/commands.md - CLI groups and global options
- cli/crypto.md - Crypto commands and regional compliance
- cli/crypto-plugins.md - Crypto provider plugin model
- cli/distribution-matrix.md - CLI regional distribution matrix
- cli/reachability.md - Reachability, drift, and smart-diff CLI
- cli/triage.md - Triage CLI workflows
- cli/unknowns.md - Unknowns CLI workflows
- cli/score-proofs.md - Scoring replay and proofs
- cli/sbomer.md - SBOMer offline commands
- cli/audit-pack.md - Audit pack export and replay
- cli/keyboard-shortcuts.md - CLI interactive shortcuts
- cli/troubleshooting.md - Common CLI issues
- ui/console.md - Console overview and shared surfaces
- ui/navigation.md - Console routing, shortcuts, deep links
- ui/aoc-dashboard.md - AOC ingestion dashboard
- ui/findings.md - Findings workspace guide
- ui/advisories-vex.md - Advisories and VEX explorer
- ui/downloads.md - Downloads workspace and manifest handling
- ui/runs.md - Runs workspace and evidence bundles
- ui/policies.md - Policies workspace and approvals
- ui/admin.md - Admin workspace for tenants, roles, tokens
- ui/exception-center.md - Exception and waiver workflows
- ui/reachability-overlays.md - Reachability overlay semantics
- ui/sbom-explorer.md - SBOM Explorer guide
- ui/sbom-graph-explorer.md - SBOM graph explorer
- ui/vulnerability-explorer.md - Vulnerability explorer
- ui/explainers.md - Policy explainers UI
- ui/airgap.md - Air-gap console UI
- ui/attestor.md - Attestation UI
- ui/forensics.md - Forensics UI
- ui/observability.md - Observability UI
- ui/risk-ui.md - Risk UI
- ui/policy-editor.md - Policy editor workspace
- ui/accessibility.md - Console accessibility guidance
- ui/triage.md - Triage UX and state model
- ui/branding.md - Tenant branding model
- data-and-schemas.md - Storage, schemas, and determinism rules
- data/persistence.md - Database model and migration notes
- data/events.md - Event envelopes and validation
- sbom/overview.md - SBOM formats, mapping, and heuristics
- governance/approvals.md - Approval routing and audit
- governance/exceptions.md - Exception lifecycle and controls
- security-and-governance.md - Security policy, hardening, governance, compliance
- security/identity-tenancy-and-scopes.md - Authority scopes and tenancy rules
- security/crypto-and-trust.md - Crypto profiles and trust roots
- security/crypto-compliance.md - Regional crypto profiles and licensing notes
- security/quota-and-licensing.md - Offline quota and JWT licensing
- security/admin-rbac.md - Console admin RBAC model
- security/console-security.md - Console security posture
- security/operational-hardening.md - DPoP, rate limits, secrets, exports
- security/audit-events.md - Authority audit event schema
- security/revocation-bundles.md - Revocation bundle format and verification
- security/risk-model.md - Risk scoring model and explainability
- security/forensics-and-evidence-locker.md - Evidence locker and forensic storage
- provenance/inline-provenance.md - DSSE metadata and transparency links
- signals/unknowns.md - Unknowns registry and signals model
- signals/unknowns-ranking.md - Unknowns scoring and triage bands
- signals/uncertainty.md - Uncertainty states and tiers
- signals/callgraph-schema.md - Callgraph schema and determinism
- signals/contract-mapping.md - Signal contract mapping
- contracts-and-interfaces.md - Cross-module contracts and specs
- contracts/scanner-core.md - Scanner core DTOs and determinism helpers
- task-packs.md - Task Runner pack format and workflow
- interop/sbom-interop.md - SBOM interoperability and parity testing
- interop/cosign.md - Cosign attestation integration
- migration/overview.md - Migration paths and parity guidance
- vex/consensus.md - VEX consensus overview
- testing-and-quality.md - Test strategy and quality gates
- observability.md - Metrics, logs, tracing, telemetry stack
- developer/onboarding.md - Local dev setup and workflows
- developer/plugin-sdk.md - Plugin SDK summary
- developer/devportal.md - Developer portal publishing
- developer/implementation-guidelines.md - Deterministic implementation rules
- sdk/overview.md - SDK and client guidance
- guides/compare-workflow.md - Compare workflow guide
- guides/epss-integration.md - EPSS integration summary
- references/examples-and-fixtures.md - Examples, samples, schemas
- specs/symbols.md - Symbol manifest and bundle format
- benchmarks.md - Benchmark program overview
- vuln-explorer/overview.md - Vuln Explorer summary
- training-and-adoption.md - Evaluation checklist and training material
- glossary.md - Core terms
Legal and regulator view
- legal/regulator-threat-evidence.md - Regulator threat and evidence model
Notes
- Raw schemas, samples, and fixtures remain under docs/ and are referenced from docs2.
- If you need a deep schema or fixture, follow the path in data-and-schemas.md.
Reference in New Issue View Git Blame Copy Permalink