stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
dac8e10e361e03690a2e1ffa374f4617ffbd9705
git.stella-ops.org/etc/policy.poe.yaml.sample
master ef933db0d8 feat(cli): Implement crypto plugin CLI architecture with regional compliance 
Sprint: SPRINT_4100_0006_0001
Status: COMPLETED

Implemented plugin-based crypto command architecture for regional compliance
with build-time distribution selection (GOST/eIDAS/SM) and runtime validation.

## New Commands

- `stella crypto sign` - Sign artifacts with regional crypto providers
- `stella crypto verify` - Verify signatures with trust policy support
- `stella crypto profiles` - List available crypto providers & capabilities

## Build-Time Distribution Selection

```bash
# International (default - BouncyCastle)
dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj

# Russia distribution (GOST R 34.10-2012)
dotnet build -p:StellaOpsEnableGOST=true

# EU distribution (eIDAS Regulation 910/2014)
dotnet build -p:StellaOpsEnableEIDAS=true

# China distribution (SM2/SM3/SM4)
dotnet build -p:StellaOpsEnableSM=true
```

## Key Features

- Build-time conditional compilation prevents export control violations
- Runtime crypto profile validation on CLI startup
- 8 predefined profiles (international, russia-prod/dev, eu-prod/dev, china-prod/dev)
- Comprehensive configuration with environment variable substitution
- Integration tests with distribution-specific assertions
- Full migration path from deprecated `cryptoru` CLI

## Files Added

- src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs
- src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs
- src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs
- src/Cli/StellaOps.Cli/appsettings.crypto.yaml.example
- src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs
- docs/cli/crypto-commands.md
- docs/implplan/SPRINT_4100_0006_0001_COMPLETION_SUMMARY.md

## Files Modified

- src/Cli/StellaOps.Cli/StellaOps.Cli.csproj (conditional plugin refs)
- src/Cli/StellaOps.Cli/Program.cs (plugin registration + validation)
- src/Cli/StellaOps.Cli/Commands/CommandFactory.cs (command wiring)
- src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs (fix)

## Compliance

- GOST (Russia): GOST R 34.10-2012, FSB certified
- eIDAS (EU): Regulation (EU) No 910/2014, QES/AES/AdES
- SM (China): GM/T 0003-2012 (SM2), OSCCA certified

## Migration

`cryptoru` CLI deprecated → sunset date: 2025-07-01
- `cryptoru providers` → `stella crypto profiles`
- `cryptoru sign` → `stella crypto sign`

## Testing

 All crypto code compiles successfully
 Integration tests pass
 Build verification for all distributions (international/GOST/eIDAS/SM)

Next: SPRINT_4100_0006_0002 (eIDAS plugin implementation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 13:13:00 +02:00

226 lines
6.7 KiB
Plaintext
Raw Blame History

# StellaOps Proof of Exposure (PoE) Policy Configuration
#
# This file configures policy gates for validating Proof of Exposure artifacts.
# PoE artifacts provide compact, offline-verifiable proof of vulnerability reachability
# at the function level with signed DSSE attestations.
#
# Documentation: docs/modules/policy/poe-policy-gates.md
# Schema: src/Policy/StellaOps.Policy.Engine/ProofOfExposure/PoEPolicyModels.cs
# ====================================
# Example 1: Minimal (Development)
# ====================================
# Minimal configuration for development environments.
# PoE is optional, warnings only.
poe_policy_minimal:
require_poe_for_reachable: false
require_signed_poe: false
require_rekor_timestamp: false
on_validation_failure: warn
max_poe_age_days: 90
reject_stale_poe: false
# ====================================
# Example 2: Standard (Production)
# ====================================
# Standard configuration for production environments.
# Requires PoE for reachable vulnerabilities with DSSE signatures.
poe_policy_standard:
require_poe_for_reachable: true
require_signed_poe: true
require_rekor_timestamp: false
min_edge_confidence: 0.7
allow_guarded_paths: true
trusted_key_ids:
- scanner-signing-2025
- scanner-signing-2025-backup
max_poe_age_days: 90
reject_stale_poe: false
require_build_id_match: true
require_policy_digest_match: false
on_validation_failure: warn
# ====================================
# Example 3: Strict (Critical Systems)
# ====================================
# Strict configuration for critical systems (finance, healthcare, defense).
# Requires PoE with Rekor timestamps and rejects failures.
poe_policy_strict:
require_poe_for_reachable: true
require_signed_poe: true
require_rekor_timestamp: true
min_paths: 1
max_path_depth: 15
min_edge_confidence: 0.85
allow_guarded_paths: false
trusted_key_ids:
- scanner-signing-2025
max_poe_age_days: 30
reject_stale_poe: true
require_build_id_match: true
require_policy_digest_match: true
on_validation_failure: reject
# ====================================
# Example 4: Custom
# ====================================
# Custom configuration with specific requirements.
poe_policy_custom:
# Require PoE for all reachable vulnerabilities
require_poe_for_reachable: true
# DSSE signature is mandatory
require_signed_poe: true
# Rekor transparency log timestamp required for audit compliance
require_rekor_timestamp: true
# Subgraph constraints
min_paths: 1 # At least one path to vulnerable code
max_path_depth: 20 # Maximum call depth in path
min_edge_confidence: 0.75 # Minimum confidence for edges (0.0-1.0)
# Allow paths with feature flag guards (e.g., if (FeatureFlags.Beta))
allow_guarded_paths: true
# Trusted signing key IDs for DSSE verification
trusted_key_ids:
- scanner-signing-2025
- scanner-signing-2025-backup
# PoE age constraints
max_poe_age_days: 60 # PoE must be refreshed every 60 days
reject_stale_poe: false # Warn but don't reject stale PoE
# Build reproducibility
require_build_id_match: true # PoE build ID must match scan build ID
# Policy versioning
require_policy_digest_match: false # Allow PoE from previous policy versions
# Action on validation failure
# Options: warn, reject, downgrade, review
on_validation_failure: downgrade
# ====================================
# Integration with Policy Engine
# ====================================
# Use PoE policy configuration in policy evaluation rules.
#
# Example OPA/Rego policy:
#
# package stellaops.policy
#
# import data.poe_policy_standard as poe_config
#
# violation[msg] {
# finding := input.findings[_]
# finding.is_reachable == true
# not finding.poe_validation.is_valid
# poe_config.require_poe_for_reachable == true
# msg := sprintf("Reachable vulnerability %s missing valid PoE", [finding.vuln_id])
# }
#
# severity_adjustment[adjusted] {
# finding := input.findings[_]
# not finding.poe_validation.is_valid
# poe_config.on_validation_failure == "downgrade"
# adjusted := {
# "finding_id": finding.finding_id,
# "original_severity": finding.severity,
# "adjusted_severity": downgrade_severity(finding.severity)
# }
# }
#
# downgrade_severity(severity) = "High" {
# severity == "Critical"
# }
#
# downgrade_severity(severity) = "Medium" {
# severity == "High"
# }
#
# downgrade_severity(severity) = "Low" {
# severity == "Medium"
# }
#
# downgrade_severity(severity) = severity {
# severity != "Critical"
# severity != "High"
# severity != "Medium"
# }
# ====================================
# Field Descriptions
# ====================================
#
# require_poe_for_reachable: (boolean)
# Whether PoE is mandatory for vulnerabilities marked as reachable.
# Default: false
#
# require_signed_poe: (boolean)
# Whether PoE must be cryptographically signed with DSSE.
# Default: true
#
# require_rekor_timestamp: (boolean)
# Whether PoE signatures must be timestamped in Rekor transparency log.
# Default: false
#
# min_paths: (integer, optional)
# Minimum number of paths required in PoE subgraph.
# Null means no minimum.
#
# max_path_depth: (integer, optional)
# Maximum allowed path depth in PoE subgraph.
# Null means no maximum.
#
# min_edge_confidence: (decimal, 0.0-1.0)
# Minimum confidence threshold for PoE edges.
# Default: 0.7
#
# allow_guarded_paths: (boolean)
# Whether to allow PoE with feature flag guards.
# Default: true
#
# trusted_key_ids: (array of strings)
# List of trusted key IDs for DSSE signature verification.
# Example: ["scanner-signing-2025"]
#
# max_poe_age_days: (integer)
# Maximum age of PoE artifacts before they're considered stale.
# Default: 90
#
# reject_stale_poe: (boolean)
# Whether to reject findings with stale PoE.
# Default: false
#
# require_build_id_match: (boolean)
# Whether PoE build ID must match scan build ID.
# Default: true
#
# require_policy_digest_match: (boolean)
# Whether PoE policy digest must match current policy.
# Default: false
#
# on_validation_failure: (enum)
# Action to take when PoE validation fails.
# Options:
# - warn: Allow the finding but add a warning
# - reject: Reject the finding (treat as policy violation)
# - downgrade: Downgrade severity of the finding
# - review: Mark the finding for manual review
# Default: warn
# ====================================
# Related Configuration
# ====================================
# - Scanner PoE emission: etc/scanner.poe.yaml.sample
# - Signing keys: etc/keys/scanner-signing-2025.key.json.sample
# - Public keys: etc/keys/scanner-signing-2025.pub.json.sample
# - CLI export: stella poe export --help
# - CLI verify: stella poe verify --help
Reference in New Issue View Git Blame Copy Permalink