stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat: Add documentation and task tracking for Sprints 508 to 514 in Ops & Offline

Browse Source 
- Created detailed markdown files for Sprints 508 (Ops Offline Kit), 509 (Samples), 510 (AirGap), 511 (Api), 512 (Bench), 513 (Provenance), and 514 (Sovereign Crypto Enablement) outlining tasks, dependencies, and owners.
- Introduced a comprehensive Reachability Evidence Delivery Guide to streamline the reachability signal process.
- Implemented unit tests for Advisory AI to block known injection patterns and redact secrets.
- Added AuthoritySenderConstraintHelper to manage sender constraints in OpenIddict transactions.
This commit is contained in:
master
2025-11-08 23:18:28 +02:00
parent 536f6249a6
commit ae69b1a8a1
187 changed files with 4326 additions and 3196 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
docs/security/dpop-mtls-rollout.md
View File

@@ -8,15 +8,16 @@ _Last updated: 2025-11-07_
3. Provide telemetry + runbooks so plugins (SEC2/SEC3/SEC5) can validate enforcement without regressions.
## Phase 1 · Config & Telemetry (ETA 2025-11-08)
- [ ] Extend `authority.yaml` with `security.senderConstraints.dpop` section (nonce store, allowed algorithms, replay window).
- [ ] Wire structured logs (`authority.dpop.request`) containing tenant, client, cnf thumbprint, nonce status.
- [ ] Add `DPoPNonceStore` abstraction + Redis implementation for multi-node deployments.
- [ ] Update integration tests: `AuthorityTokenTests.DPoPNonceRequired`, `AuthorityTokenTests.DPoPMustMatchCnF`.
- [x] Extend `authority.yaml` with `security.senderConstraints.dpop` section (nonce store, allowed algorithms, replay window).
- [x] Wire structured logs (`authority.dpop.request`) containing tenant, client, cnf thumbprint, nonce status.
- [x] Add `DPoPNonceStore` abstraction + Redis implementation for multi-node deployments.
- [x] Update integration tests: `AuthorityTokenTests.DPoPNonceRequired`, `AuthorityTokenTests.DPoPMustMatchCnF`.
## Phase 2 · Enforcement & Fallback (ETA 2025-11-10)
- [ ] Reject `/token` requests lacking DPoP proof when tenant policy requires it.
- [ ] Persist `cnf.jkt` and expose through `/introspect` so downstream services validate sender.
- [ ] Add emergency bypass flag (`security.senderConstraints.dpop.allowTemporaryBypass`) for sealed recap drills; default disabled.
- [x] Reject `/token` requests lacking DPoP proof when tenant policy requires it.
- [x] Persist `cnf.jkt` and expose through `/introspect` so downstream services validate sender.
- [x] Add emergency bypass flag (`security.senderConstraints.dpop.allowTemporaryBypass`) for sealed recap drills; default disabled.
- When enabled, Authority logs `authority.dpop.proof.bypass`, adds `authority.dpop_result=bypass` telemetry, and issues tokens without `cnf` so downstream services know sender constraints were relaxed. Reset immediately after the drill.
## Phase 3 · mTLS Binding (ETA 2025-11-10)
- [x] Capture client cert thumbprint on `/token` (mutual TLS) and store in `authority_tokens.senderCertificate`.