stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

feat: Implement console session management with tenant and profile handling

Browse Source 
- Add ConsoleSessionStore for managing console session state including tenants, profile, and token information.
- Create OperatorContextService to manage operator context for orchestrator actions.
- Implement OperatorMetadataInterceptor to enrich HTTP requests with operator context metadata.
- Develop ConsoleProfileComponent to display user profile and session details, including tenant information and access tokens.
- Add corresponding HTML and SCSS for ConsoleProfileComponent to enhance UI presentation.
- Write unit tests for ConsoleProfileComponent to ensure correct rendering and functionality.
This commit is contained in:
master
2025-10-28 09:58:55 +02:00
parent 4d932cc1ba
commit 4e3e575db5
501 changed files with 51904 additions and 6663 deletions
Download Patch File Download Diff File Expand all files Collapse all files

165
docs/security/pack-signing-and-rbac.md Normal file
View File

@@ -0,0 +1,165 @@
> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
# Pack Signing & RBAC Controls
This document defines signing, verification, and authorization requirements for Task Packs across the CLI, Packs Registry, Task Runner, and Offline Kit. It aligns with Authority sprint tasks (`AUTH-PACKS-41-001`, `AUTH-PACKS-43-001`) and security guild expectations.
---
## 1·Threat Model Highlights
| Threat | Mitigation |
|--------|------------|
| Unsigned or tampered pack uploaded to registry | Mandatory cosign/DSSE verification before acceptance. |
| Unauthorized user publishing or promoting packs | Authority scopes (`Packs.Write`) + registry policy checks. |
| Privilege escalation during approvals | Approval gates require `Packs.Approve` + audit logging; fresh-auth recommended. |
| Secret exfiltration via pack steps | Secrets injection sandbox with redaction, sealed-mode network guardrails, evidence review. |
| Replay of old approval tokens | Approval payloads carry plan hash + expiry; Task Runner rejects mismatches. |
| Malicious pack in Offline Kit | Mirror verification using signed manifest and DSSE provenance. |
---
## 2·Signing Requirements
- **Cosign** signatures required for all bundles. Keys can be:
- Keyless (Fulcio OIDC).
- KMS-backed (HSM, cloud KMS).
- Offline keys stored in secure vault (air-gapped mode).
- **DSSE Attestations** recommended to embed:
- Manifest digest.
- Build metadata (repo, commit, CI run).
- CLI version (`stella/pack`).
- Signatures stored alongside bundle in registry object storage.
- `stella pack push` refuses to publish without signature (unless `--insecure-publish` used in dev).
- Registry enforces trust policy:
| Policy | Description |
|--------|-------------|
| `anyOf` | Accepts any key in configured trust store. |
| `keyRef` | Accepts specific key ID (`kid`). |
| `oidcIssuer` | Accepts Fulcio certificates from allowed issuers (e.g., `https://fulcio.sigstore.dev`). |
| `threshold` | Requires N-of-M signatures (future release). |
---
## 3·RBAC & Scopes
Authority exposes pack-related scopes:
| Scope | Description |
|-------|-------------|
| `Packs.Read` | View packs, download manifests/bundles. |
| `Packs.Write` | Publish, promote, deprecate packs. |
| `Packs.Run` | Execute packs (Task Runner, CLI). |
| `Packs.Approve` | Approve pack gates, override tenant visibility. |
### 3.1 Role Mapping
| Role | Scopes | Use Cases |
|------|--------|-----------|
| `pack.viewer` | `Packs.Read` | Inspect packs, plan runs. |
| `pack.publisher` | `Packs.Read`, `Packs.Write` | Publish new versions, manage channels. |
| `pack.operator` | `Packs.Read`, `Packs.Run` | Execute packs, monitor runs. |
| `pack.approver` | `Packs.Read`, `Packs.Approve` | Fulfil approvals, authorize promotions. |
| `pack.admin` | All | Full lifecycle management (rare). |
Roles are tenant-scoped; cross-tenant access requires explicit addition.
### 3.2 CLI Enforcement
- CLI requests scopes based on command:
- `stella pack plan``Packs.Read`.
- `stella pack run``Packs.Run`.
- `stella pack push``Packs.Write`.
- `stella pack approve``Packs.Approve`.
- Offline tokens must include same scopes; CLI warns if missing.
---
## 4·Approvals & Fresh Auth
- Approval commands require recent fresh-auth (<5minutes). CLI prompts automatically; Console enforces via Authority.
- Approval payload includes:
- `runId`
- `gateId`
- `planHash`
- `approver`
- `timestamp`
- Task Runner logs approval event and verifies plan hash to prevent rerouting.
---
## 5·Secret Management
- Secrets defined in pack manifest map to Authority secret providers (e.g., HSM, Vault).
- Task Runner obtains secrets using service account with scoped access; CLI may prompt or read from profile.
- Secret audit trail:
- `secretRequested` event with reason, pack, step.
- `secretDelivered` event omitted (only aggregate metrics) to avoid leakage.
- Evidence bundle includes hashed secret metadata (no values).
Sealed mode requires secrets to originate from sealed vault; external endpoints blocked.
---
## 6·Audit & Evidence
- Registry, Task Runner, and Authority emit audit events to central timeline.
- Required events:
- `pack.version.published`
- `pack.version.promoted`
- `pack.run.started/completed`
- `pack.approval.requested/granted`
- `pack.secret.requested`
- Evidence Locker stores DSSE attestations and run bundles for 90days (configurable).
- Auditors can use `stella pack audit --run <id>` to retrieve audit trail.
---
## 7·Offline / Air-Gap Policies
- Offline Kit includes:
- Pack bundles + signatures.
- Trusted key store (`trust-bundle.pem`).
- Approval workflow instructions for manual signing.
- Air-gapped approvals:
- CLI generates approval request file (`.approval-request.json`).
- Approver uses offline CLI to sign with offline key.
- Response imported to Task Runner.
- Mirror process verifies signatures prior to import; failure aborts import with `ERR_PACK_SIGNATURE_INVALID`.
---
## 8·Incident Response
- Compromised pack signature:
- Revoke key via Authority trust store.
- Deprecate affected versions (`registry deprecate`).
- Notify consumers via Notifier (`pack.security.alert`).
- Forensically review run evidence for impacted tenants.
- Unauthorized approval:
- Review audit log for `Packs.Approve` events.
- Trigger `pack.run.freeze` (pauses run pending investigation).
- Rotate approver credentials and require fresh-auth.
- Secret leak suspicion:
- Quarantine evidence bundles.
- Rotate secrets referenced by pack.
- Run sealed-mode audit script to confirm guardrails.
---
## 9·Compliance Checklist
- [ ] Signing requirements (cosign/DSSE, trust policies) documented.
- [ ] Authority scope mapping and CLI enforcement captured.
- [ ] Approval workflow + fresh-auth expectations defined.
- [ ] Secret lifecycle (request, injection, audit) described.
- [ ] Audit/evidence integration noted (timeline, Evidence Locker).
- [ ] Offline/air-gap controls outlined.
- [ ] Incident response playbook provided.
- [ ] Imposed rule reminder retained at top.
---
*Last updated: 2025-10-27 (Sprint43).*