stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fda92af9bcbaf6c1677f0d6b13609a8e04222bbc
git.stella-ops.org/etc/scanner.poe.yaml.sample
master ef933db0d8 feat(cli): Implement crypto plugin CLI architecture with regional compliance 
Sprint: SPRINT_4100_0006_0001
Status: COMPLETED

Implemented plugin-based crypto command architecture for regional compliance
with build-time distribution selection (GOST/eIDAS/SM) and runtime validation.

## New Commands

- `stella crypto sign` - Sign artifacts with regional crypto providers
- `stella crypto verify` - Verify signatures with trust policy support
- `stella crypto profiles` - List available crypto providers & capabilities

## Build-Time Distribution Selection

```bash
# International (default - BouncyCastle)
dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj

# Russia distribution (GOST R 34.10-2012)
dotnet build -p:StellaOpsEnableGOST=true

# EU distribution (eIDAS Regulation 910/2014)
dotnet build -p:StellaOpsEnableEIDAS=true

# China distribution (SM2/SM3/SM4)
dotnet build -p:StellaOpsEnableSM=true
```

## Key Features

- Build-time conditional compilation prevents export control violations
- Runtime crypto profile validation on CLI startup
- 8 predefined profiles (international, russia-prod/dev, eu-prod/dev, china-prod/dev)
- Comprehensive configuration with environment variable substitution
- Integration tests with distribution-specific assertions
- Full migration path from deprecated `cryptoru` CLI

## Files Added

- src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs
- src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs
- src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs
- src/Cli/StellaOps.Cli/appsettings.crypto.yaml.example
- src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs
- docs/cli/crypto-commands.md
- docs/implplan/SPRINT_4100_0006_0001_COMPLETION_SUMMARY.md

## Files Modified

- src/Cli/StellaOps.Cli/StellaOps.Cli.csproj (conditional plugin refs)
- src/Cli/StellaOps.Cli/Program.cs (plugin registration + validation)
- src/Cli/StellaOps.Cli/Commands/CommandFactory.cs (command wiring)
- src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs (fix)

## Compliance

- GOST (Russia): GOST R 34.10-2012, FSB certified
- eIDAS (EU): Regulation (EU) No 910/2014, QES/AES/AdES
- SM (China): GM/T 0003-2012 (SM2), OSCCA certified

## Migration

`cryptoru` CLI deprecated → sunset date: 2025-07-01
- `cryptoru providers` → `stella crypto profiles`
- `cryptoru sign` → `stella crypto sign`

## Testing

 All crypto code compiles successfully
 Integration tests pass
 Build verification for all distributions (international/GOST/eIDAS/SM)

Next: SPRINT_4100_0006_0002 (eIDAS plugin implementation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 13:13:00 +02:00

102 lines
3.0 KiB
Plaintext
Raw Blame History

# Scanner Configuration with Proof of Exposure (PoE) Settings
# Copy to etc/scanner.yaml and customize for your deployment
scanner:
# ... other scanner settings ...
reachability:
# Proof of Exposure configuration
poe:
# Enable PoE generation (default: false)
# Set to true to emit PoE artifacts for reachable vulnerabilities
enabled: false
# Maximum depth for subgraph extraction (hops from entry to sink)
# Range: 5-20, default: 10
# Higher values find more paths but increase processing time
maxDepth: 10
# Maximum number of paths to include in each PoE
# Range: 1-10, default: 5
# Multiple paths provide alternative evidence for auditors
maxPaths: 5
# Include guard predicates (feature flags, platform conditionals) in edges
# Default: true
# Guards help explain conditional reachability
includeGuards: true
# Only emit PoE for vulnerabilities with reachability=true
# Default: true
# Set to false to emit PoE for all vulnerabilities (including unreachable with empty paths)
emitOnlyReachable: true
# Attach PoE artifacts to OCI images as attestations
# Default: false
# Requires OCI registry write access
attachToOci: false
# Submit PoE DSSE envelopes to Rekor transparency log
# Default: false
# Requires network access to Rekor instance
submitToRekor: false
# Path pruning strategy
# Options: ShortestWithConfidence | ShortestOnly | ConfidenceFirst | RuntimeFirst
# Default: ShortestWithConfidence
pruneStrategy: ShortestWithConfidence
# Require runtime confirmation for high-risk findings
# Default: false
# When true, only runtime-observed paths are included in PoE
requireRuntimeConfirmation: false
# Signing key ID for DSSE envelopes
# Must match a key in keys directory or KMS
# Default: "scanner-signing-2025"
signingKeyId: scanner-signing-2025
# Include SBOM reference in PoE evidence block
# Default: true
includeSbomRef: true
# Include VEX claim URI in PoE evidence block
# Default: false
includeVexClaimUri: false
# Include runtime facts URI in PoE evidence block
# Default: false
includeRuntimeFactsUri: false
# Prettify PoE JSON (2-space indentation)
# Default: true
# Set to false for minimal file size (~20% reduction)
prettifyJson: true
# Example: Minimal PoE configuration (enabled with defaults)
# reachability:
# poe:
# enabled: true
# Example: Strict PoE configuration (high-assurance environments)
# reachability:
# poe:
# enabled: true
# maxDepth: 8
# maxPaths: 1
# requireRuntimeConfirmation: true
# submitToRekor: true
# attachToOci: true
# pruneStrategy: ShortestOnly
# Example: Comprehensive PoE configuration (maximum context for auditors)
# reachability:
# poe:
# enabled: true
# maxDepth: 15
# maxPaths: 10
# includeSbomRef: true
# includeVexClaimUri: true
# includeRuntimeFactsUri: true
# pruneStrategy: RuntimeFirst
Reference in New Issue View Git Blame Copy Permalink