stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat: Enhance telemetry metrics recording with sealed mode tagging

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-05 01:00:29 +02:00
parent 175b750e29
commit 0de3c8a3f0
4 changed files with 152 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md
View File

@@ -26,8 +26,8 @@
| 1 | AUTHORITY-DOCS-0001 | DONE (2025-11-30) | Refresh module docs per latest OpTok/tenant scope posture. | Docs Guild (`docs/modules/authority`) | Refresh Authority module docs, add sprint/task links, and cross-link monitoring/grafana assets. |
| 2 | AUTHORITY-ENG-0001 | DONE (2025-11-27) | Sprint readiness tracker added. | Module Team (`docs/modules/authority`) | Implementation plan readiness tracker mapped to epics/sprints (already delivered). |
| 3 | AUTHORITY-OPS-0001 | DONE (2025-11-30) | Add TASKS board + observability references. | Ops Guild (`docs/modules/authority`) | Ensure monitoring/backup/rotation runbooks are linked and offline-friendly; mirror status via TASKS. |
| 4 | AUTH-GAPS-314-004 | TODO | None; informs authority/crypto work. | Product Mgmt · Authority Guild | Address auth gaps AU1AU10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: signed scope/role catalog + versioning, audience/tenant/binding enforcement matrix, DPoP/mTLS nonce policy, revocation/JWKS schema+freshness, key rotation governance, crypto-profile registry, offline verifier bundle, delegation quotas/alerts, ABAC schema/precedence, and auth conformance tests/metrics. |
| 5 | REKOR-RECEIPT-GAPS-314-005 | TODO | Close RR1RR10 from `31-Nov-2025 FINDINGS.md`; depends on bundle/schema publication | Authority Guild · Attestor Guild · Sbomer Guild | Remediate RR1RR10: signed receipt schema + canonical hash, required fields (tlog URL/key, checkpoint, inclusion proof, bundle hash, policy hash), provenance (TUF snapshot, client version/flags), TSA/Fulcio chain, mirror metadata, repro inputs hash, offline verify script, storage/retention rules, metrics/alerts, and DSSE signing of schema/catalog. |
| 4 | AUTH-GAPS-314-004 | DONE (2025-12-04) | Gap remediation docs added under `docs/modules/authority/gaps/`; awaiting signing of artefacts when produced. | Product Mgmt · Authority Guild | Address auth gaps AU1AU10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: signed scope/role catalog + versioning, audience/tenant/binding enforcement matrix, DPoP/mTLS nonce policy, revocation/JWKS schema+freshness, key rotation governance, crypto-profile registry, offline verifier bundle, delegation quotas/alerts, ABAC schema/precedence, and auth conformance tests/metrics. |
| 5 | REKOR-RECEIPT-GAPS-314-005 | DONE (2025-12-04) | Gap remediation docs + layout published under `docs/modules/authority/gaps/`; artefact signing will follow policy/receipt generation. | Authority Guild · Attestor Guild · Sbomer Guild | Remediate RR1RR10: signed receipt schema + canonical hash, required fields (tlog URL/key, checkpoint, inclusion proof, bundle hash, policy hash), provenance (TUF snapshot, client version/flags), TSA/Fulcio chain, mirror metadata, repro inputs hash, offline verify script, storage/retention rules, metrics/alerts, and DSSE signing of schema/catalog. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -38,12 +38,15 @@
| 2025-11-30 | Completed AUTHORITY-OPS-0001: created TASKS board and aligned monitoring/Grafana references. | Ops Guild |
| 2025-12-01 | Added AUTH-GAPS-314-004 to track AU1AU10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added REKOR-RECEIPT-GAPS-314-005 to track RR1RR10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending receipt schema/bundle updates. | Product Mgmt |
| 2025-12-04 | AUTH-GAPS-314-004 DONE: published gap remediation package `docs/modules/authority/gaps/2025-12-04-auth-gaps-au1-au10.md` + evidence map and SHA index stub. Linked from README. | Docs Guild |
| 2025-12-04 | REKOR-RECEIPT-GAPS-314-005 DONE: published RR1RR10 remediation doc `docs/modules/authority/gaps/2025-12-04-rekor-receipt-gaps-rr1-rr10.md` with policy/schema/bundle layout and hashing/DSSE plan. | Docs Guild |
## Decisions & Risks
- Offline posture must be preserved; dashboards stay JSON importable (no external datasources).
- Tenant-scope/Surface.Env/Surface.Secrets contracts must stay aligned with platform docs; update sprint/TASKS if they change.
- Keep sprint and TASKS mirrored to avoid drift.
- Rekor receipt schema/catalog changes (RR1RR10) must be signed and mirrored in Authority/Sbomer; track via REKOR-RECEIPT-GAPS-314-005.
- Rekor receipt schema/catalog changes (RR1RR10) must be signed and mirrored in Authority/Sbomer; track via REKOR-RECEIPT-GAPS-314-005. Docs landed; DSSE signing still pending once artefacts are generated.
- AU1AU10 docs landed; artefact generation/signing (catalog, schemas, bundle manifest) remain to be executed when inputs arrive. Keep SHA256SUMS/DSSE paths stable to avoid drift.
## Next Checkpoints
- 2025-12-05 · Verify grafana-dashboard.json still matches current metrics contract; update runbooks if changes land. Owner: Ops Guild.