Gaps fill up, fixes, ui restructuring

src/Authority/StellaOps.Api.OpenApi/authority/openapi.yaml

@@ -72,6 +72,9 @@ components:
             signals:read: Read Signals events and state.
             signals:write: Publish Signals events or mutate state.
             stellaops.bypass: Bypass trust boundary protections (restricted identities only).
+            trust:admin: Administer trust and signing configuration.
+            trust:read: Read trust and signing state.
+            trust:write: Mutate trust and signing configuration.
             ui.read: Read Console UX resources.
             vex:ingest: Submit VEX ingestion payloads.
             vex:read: Read VEX ingestion data.
@@ -127,6 +130,9 @@ components:
             signals:read: Read Signals events and state.
             signals:write: Publish Signals events or mutate state.
             stellaops.bypass: Bypass trust boundary protections (restricted identities only).
+            trust:admin: Administer trust and signing configuration.
+            trust:read: Read trust and signing state.
+            trust:write: Mutate trust and signing configuration.
             ui.read: Read Console UX resources.
             vex:ingest: Submit VEX ingestion payloads.
             vex:read: Read VEX ingestion data.
@@ -184,6 +190,9 @@ components:
             signals:read: Read Signals events and state.
             signals:write: Publish Signals events or mutate state.
             stellaops.bypass: Bypass trust boundary protections (restricted identities only).
+            trust:admin: Administer trust and signing configuration.
+            trust:read: Read trust and signing state.
+            trust:write: Mutate trust and signing configuration.
             ui.read: Read Console UX resources.
             vex:ingest: Submit VEX ingestion payloads.
             vex:read: Read VEX ingestion data.

src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions.Tests/StellaOpsScopesTests.cs

@@ -71,6 +71,9 @@ public class StellaOpsScopesTests
     [InlineData(StellaOpsScopes.EvidenceHold)]
     [InlineData(StellaOpsScopes.AttestRead)]
     [InlineData(StellaOpsScopes.ObservabilityIncident)]
+    [InlineData(StellaOpsScopes.TrustRead)]
+    [InlineData(StellaOpsScopes.TrustWrite)]
+    [InlineData(StellaOpsScopes.TrustAdmin)]
     [InlineData(StellaOpsScopes.AuthorityTenantsRead)]
     public void All_IncludesNewScopes(string scope)
     {
@@ -93,6 +96,7 @@ public class StellaOpsScopesTests
     [InlineData("Packs.Run", StellaOpsScopes.PacksRun)]
     [InlineData("Packs.Approve", StellaOpsScopes.PacksApprove)]
     [InlineData("Notify.Escalate", StellaOpsScopes.NotifyEscalate)]
+    [InlineData("TRUST:WRITE", StellaOpsScopes.TrustWrite)]
     [InlineData("VULN:VIEW", StellaOpsScopes.VulnView)]
     [InlineData("VULN:INVESTIGATE", StellaOpsScopes.VulnInvestigate)]
     [InlineData("VULN:OPERATE", StellaOpsScopes.VulnOperate)]

src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsScopes.cs

@@ -442,6 +442,21 @@ public static class StellaOpsScopes
     /// </summary>
     public const string UiAdmin = "ui.admin";
 
+    /// <summary>
+    /// Scope granting read-only access to trust and signing state.
+    /// </summary>
+    public const string TrustRead = "trust:read";
+
+    /// <summary>
+    /// Scope granting permission to mutate trust and signing configuration.
+    /// </summary>
+    public const string TrustWrite = "trust:write";
+
+    /// <summary>
+    /// Scope granting administrative control over trust and signing operations.
+    /// </summary>
+    public const string TrustAdmin = "trust:admin";
+
     /// <summary>
     /// Scope granting read-only access to Scanner scan results and metadata.
     /// </summary>