feat: Implement vulnerability token signing and verification utilities

- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
2025-11-03 10:02:29 +02:00
parent bf2bf4b395
commit b1e78fe412
215 changed files with 19441 additions and 12185 deletions


@@ -206,8 +206,29 @@ public static class StellaOpsScopes
/// <summary>
/// Scope granting read-only access to Vuln Explorer resources and permalinks.
/// </summary>
[Obsolete("Use vuln:view (StellaOpsScopes.VulnView) instead.")]
public const string VulnRead = "vuln:read";
/// <summary>
/// Scope granting read-only access to Vuln Explorer findings, reports, and dashboards.
/// </summary>
public const string VulnView = "vuln:view";
/// <summary>
/// Scope permitting triage actions (assign, comment, annotate) within Vuln Explorer.
/// </summary>
public const string VulnInvestigate = "vuln:investigate";
/// <summary>
/// Scope permitting state-changing operations (status transitions, remediation workflows) within Vuln Explorer.
/// </summary>
public const string VulnOperate = "vuln:operate";
/// <summary>
/// Scope permitting access to Vuln Explorer audit exports and immutable ledgers.
/// </summary>
public const string VulnAudit = "vuln:audit";
/// <summary>
/// Scope granting read-only access to observability dashboards and overlays.
/// </summary>
@@ -399,7 +420,13 @@ public static class StellaOpsScopes
FindingsRead,
EffectiveWrite,
GraphRead,
VulnView,
VulnInvestigate,
VulnOperate,
VulnAudit,
#pragma warning disable CS0618 // track removal once legacy scope dropped
VulnRead,
#pragma warning restore CS0618
ObservabilityRead,
TimelineRead,
TimelineWrite,
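Review bot: The `[Obsolete]` message on `VulnRead` sends callers to `vuln:view`, but the two summaries describe different coverage: `vuln:read` names "resources and permalinks" while `vuln:view` names "findings, reports, and dashboards", so a reader cannot tell whether a migrated client keeps permalink access. If it does, the `VulnView` summary should say so, for example `/// Supersedes the legacy vuln:read scope, including permalink access.`, and the `VulnInvestigate`, `VulnOperate` and `VulnAudit` summaries should state whether each scope implies `vuln:view` or must be granted alongside it. In the second hunk `VulnRead` stays in the scope list, so the legacy scope presumably remains recognised; the pragma comment would be easier to act on with a tracking reference, such as `// CS0618: legacy vuln:read kept until <tracking-id>; remove together with the constant`. The list's declaration starts outside the hunk, so how its entries are consumed is not visible here.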