stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Add determinism tests for verdict artifact generation and update SHA256 sums script

Browse Source 
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
This commit is contained in:
StellaOps Bot
2025-12-24 02:17:34 +02:00
parent e59921374e
commit 7503c19b8f
390 changed files with 37389 additions and 5380 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
docs/security/scopes-and-roles.md
View File

@@ -1,17 +1,46 @@
# Scopes and Roles — Draft Skeleton (2025-12-05 UTC)
# Scopes and Roles
Status: draft placeholder. Inputs pending: DVDO0110 scope grammar.
This document defines the **scope taxonomy** and how scopes map to roles across StellaOps. It is intentionally cross-cutting and does not attempt to list every module-specific scope; module dossiers and gateway contracts are the source of truth for per-surface requirements.
## Scope Grammar
- Syntax overview; examples (tenant/org/project/workspace).
## Terms
## Roles & Permissions
- Core roles (admin, auditor, operator, viewer) — to confirm.
- Mapping to scopes and imposed rule reminder.
- **Scope:** an OAuth2/OIDC scope string granted to a client/user token and enforced by the gateway and services.
- **Role:** a human-friendly grouping of scopes, assigned per tenant (often via RBAC in Authority/Console).
- **ABAC claims:** optional attribute filters that constrain a token further (e.g., environment, namespace, project).
## Token / Session Handling
- How scopes flow through tokens and sessions.
## Scope Naming Conventions
## Open TODOs
- Fill role matrix when DVDO0110 lands.
- Add ABAC overlay pointers once defined.
Scopes follow a predictable pattern:
- `<area>:<verb>`
- Verbs are small and consistent: `read`, `write`, `approve`, `simulate`, `audit`, `admin`.
Examples that appear across current contracts and module dossiers:
- Vulnerability Explorer: `vuln:view`, `vuln:investigate`, `vuln:operate`, `vuln:audit`
- Exception governance: `exception:read`, `exception:write`, `exception:approve`
- Policy: `policy:read`, `policy:simulate`
- VEX ingestion: `vex.read`, `vex.admin`
## Typical Role Shapes (Tenant-Local)
Exact role names vary per deployment, but the intent is stable:
- **Viewer:** read-only access to findings/evidence for a tenant.
- **Operator:** can triage findings and create workflow objects (comments, assignments, exports).
- **Approver:** can approve/reject workflow objects that change gating (exceptions, waivers) for a tenant.
- **Auditor:** can access audit exports, histories, and verification surfaces.
- **Admin:** tenant administration (RBAC, client credentials, quotas, configuration).
## Enforcement Model (Where Scopes Are Checked)
- **Authority** issues tokens and embeds scopes (and optional ABAC claims).
- **Gateway** (when present) performs consistent scope enforcement and tenant routing.
- **Services** validate tenant context and enforce scope checks at endpoint boundaries.
- **Service-to-service** calls may use short-lived, sender-constrained tokens (OpTok/DPoP/mTLS) in addition to scopes.
## References
- Tenancy model and isolation: `docs/security/tenancy-overview.md`
- Exceptions API entry point: `docs/api/exceptions.md`
- Policy + Exceptions gateway contract: `docs/api/gateway/policy-exceptions.md`

40
docs/security/tenancy-overview.md
View File

@@ -1,21 +1,35 @@
# Tenancy Overview — Draft Skeleton (2025-12-05 UTC)
# Tenancy Overview
Status: draft placeholder. Inputs pending: DVDO0110 tenancy ADR.
StellaOps is designed for strict multi-tenancy. Tenancy is an explicit input to requests, storage, and exported evidence so decisions remain auditable and replayable (including in air-gapped deployments).
## Goals
- Clarify tenant model, isolation guarantees, and scope grammar.
## Tenant Identity
## Tenant Model
- Concepts: tenant, org, workspace, project (to confirm with ADR).
- Identity anchors and trust roots.
- A **tenant** is the primary isolation boundary for data, policies, issuers/trust settings, and workflow objects (exceptions, approvals, exports).
- Requests are tenant-scoped via `X-StellaOps-Tenant: <tenantId>` and/or tenant claims in tokens (depending on deployment).
Optional sub-scoping (environment/project/workspace) is supported via ABAC claims and module-specific selectors, but does not replace the tenant boundary.
## Isolation Guarantees
- Data, control plane, audit/log boundaries.
- Reachability to shared services (DB, cache) with RLS.
StellaOps aims for defense-in-depth isolation:
- **Database isolation:** each service owns its schema; tenant scoping is enforced on every query, typically via `tenant_id` columns and Row-Level Security where appropriate.
- **Cache isolation:** cache keys and stream partitions are tenant-aware (and may use per-tenant databases in Redis/Valkey-compatible stores when configured).
- **Object storage isolation:** stored artifacts and evidence bundles are content-addressed and namespaced so tenant boundaries are preserved even when sharing infrastructure.
- **Audit boundaries:** audit trails are tenant-scoped and exported with tenant identifiers so offline reviewers can verify context.
## Enforcement Stack
- Authority, CLI, API, Console touchpoints.
## Open TODOs
- Insert canonical definitions and diagrams from DVDO0110.
- Add references to scopes-and-roles once finalized.
- **Authority** issues tokens containing scopes and optional ABAC claims.
- **Gateway** (when deployed) routes and enforces tenant + scope checks consistently across modules.
- **Services** validate tenant context and enforce tenant constraints at the storage layer.
## Offline / Air-Gap Considerations
- Offline Kit snapshots and exported evidence bundles include tenant identifiers and deterministic manifests so verification does not rely on online services.
- Cross-tenant exports are not supported by default; when an operator needs cross-tenant reporting, it should be implemented as an explicit, audited workflow.
## References
- Scope taxonomy: `docs/security/scopes-and-roles.md`
- Gateway tenant auth contract: `docs/api/gateway/tenant-auth.md`

15
docs/security/vex-signatures.md
View File

@@ -1,15 +0,0 @@
# VEX Signatures — Draft Skeleton (2025-12-05 UTC)
Status: draft placeholder. Inputs pending: security review (DVDO0110), key rotation plan.
## Verification Flow
- How signatures are verified; trust roots (to fill).
## Rotation
- Key rotation process; expiry handling.
## Audit
- Logging, evidence capture, review cadence.
## Open TODOs
- Insert concrete commands/config once security review completes.

20
docs/security/vuln-rbac.md
View File

@@ -1,20 +0,0 @@
# Vuln Explorer RBAC & ABAC (Md.XI draft)
> Status: DRAFT — pending security review and GRAP0101. Do not publish until roles/claims verified.
## Scope
- Roles/scopes, ABAC policies, attachment encryption/CSRF considerations for Vuln Explorer.
## Dependencies
- Security review; GRAP0101 identifiers; attachment token wording from Authority.
## Outline
- Scopes: vuln:view/investigate/operate/audit (+ legacy read).
- ABAC filters: vuln_env, vuln_owner, vuln_business_tier; enforcement in tokens/permalinks.
- Attachment tokens: issuance/verify; encryption notes; CSRF protections.
### Hash Capture Checklist (post-review)
- `assets/vuln-explorer/rbac-scope-table.md` (scope/role matrix)
- `assets/vuln-explorer/abac-claims.json` (sample token claims)
- `assets/vuln-explorer/attachment-token-flow.json` (issuance/verify payloads)
_Last updated: 2025-12-05 (UTC)_