feat: Enhance Authority Identity Provider Registry with Bootstrap Capability

- Added support for bootstrap providers in AuthorityIdentityProviderRegistry.
- Introduced a new property for bootstrap providers and updated AggregateCapabilities.
- Updated relevant methods to handle bootstrap capabilities during provider registration.

feat: Introduce Sealed Mode Status in OpenIddict Handlers

- Added SealedModeStatusProperty to AuthorityOpenIddictConstants.
- Enhanced ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, and ValidateRefreshTokenGrantHandler to validate sealed mode evidence.
- Implemented logic to handle airgap seal confirmation requirements.

feat: Update Program Configuration for Sealed Mode

- Registered IAuthoritySealedModeEvidenceValidator in Program.cs.
- Added logging for bootstrap capabilities in identity provider plugins.
- Implemented checks for bootstrap support in API endpoints.

chore: Update Tasks and Documentation

- Marked AUTH-MTLS-11-002 as DONE in TASKS.md.
- Updated documentation to reflect changes in sealed mode and bootstrap capabilities.

fix: Improve CLI Command Handlers Output

- Enhanced output formatting for command responses and prompts in CommandHandlers.cs.

feat: Extend Advisory AI Models

- Added Response property to AdvisoryPipelineOutputModel for better output handling.

fix: Adjust Concelier Web Service Authentication

- Improved JWT token handling in Concelier Web Service to ensure proper token extraction and logging.

test: Enhance Web Service Endpoints Tests

- Added detailed logging for authentication failures in WebServiceEndpointsTests.
- Enabled PII logging for better debugging of authentication issues.

feat: Introduce Air-Gap Configuration Options

- Added AuthorityAirGapOptions and AuthoritySealedModeOptions to StellaOpsAuthorityOptions.
- Implemented validation logic for air-gap configurations to ensure proper setup.

deploy/compose/env/airgap.env.example

@@ -35,3 +35,8 @@ SCHEDULER_QUEUE_KIND=Nats
 SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
 SCHEDULER_STORAGE_DATABASE=stellaops_scheduler
 SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_REMOTE_BASEADDRESS=
+ADVISORY_AI_REMOTE_APIKEY=

deploy/compose/env/dev.env.example

@@ -35,3 +35,8 @@ SCHEDULER_QUEUE_KIND=Nats
 SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
 SCHEDULER_STORAGE_DATABASE=stellaops_scheduler
 SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_REMOTE_BASEADDRESS=
+ADVISORY_AI_REMOTE_APIKEY=

deploy/compose/env/prod.env.example

@@ -37,5 +37,10 @@ SCHEDULER_QUEUE_KIND=Nats
 SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
 SCHEDULER_STORAGE_DATABASE=stellaops_scheduler
 SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_SBOM_BASEADDRESS=https://scanner-web:8444
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_REMOTE_BASEADDRESS=
+ADVISORY_AI_REMOTE_APIKEY=
 # External reverse proxy (Traefik, Envoy, etc.) that terminates TLS.
 FRONTDOOR_NETWORK=stellaops_frontdoor

deploy/compose/env/stage.env.example

@@ -34,3 +34,8 @@ SCHEDULER_QUEUE_KIND=Nats
 SCHEDULER_QUEUE_NATS_URL=nats://nats:4222
 SCHEDULER_STORAGE_DATABASE=stellaops_scheduler
 SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_REMOTE_BASEADDRESS=
+ADVISORY_AI_REMOTE_APIKEY=