feat: Enhance Authority Identity Provider Registry with Bootstrap Capability

- Added support for bootstrap providers in AuthorityIdentityProviderRegistry. - Introduced a new property for bootstrap providers and updated AggregateCapabilities. - Updated relevant methods to handle bootstrap capabilities during provider registration. feat: Introduce Sealed Mode Status in OpenIddict Handlers - Added SealedModeStatusProperty to AuthorityOpenIddictConstants. - Enhanced ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, and ValidateRefreshTokenGrantHandler to validate sealed mode evidence. - Implemented logic to handle airgap seal confirmation requirements. feat: Update Program Configuration for Sealed Mode - Registered IAuthoritySealedModeEvidenceValidator in Program.cs. - Added logging for bootstrap capabilities in identity provider plugins. - Implemented checks for bootstrap support in API endpoints. chore: Update Tasks and Documentation - Marked AUTH-MTLS-11-002 as DONE in TASKS.md. - Updated documentation to reflect changes in sealed mode and bootstrap capabilities. fix: Improve CLI Command Handlers Output - Enhanced output formatting for command responses and prompts in CommandHandlers.cs. feat: Extend Advisory AI Models - Added Response property to AdvisoryPipelineOutputModel for better output handling. fix: Adjust Concelier Web Service Authentication - Improved JWT token handling in Concelier Web Service to ensure proper token extraction and logging. test: Enhance Web Service Endpoints Tests - Added detailed logging for authentication failures in WebServiceEndpointsTests. - Enabled PII logging for better debugging of authentication issues. feat: Introduce Air-Gap Configuration Options - Added AuthorityAirGapOptions and AuthoritySealedModeOptions to StellaOpsAuthorityOptions. - Implemented validation logic for air-gap configurations to ensure proper setup.
2025-11-09 12:18:14 +02:00
parent d71c81e45d
commit ba4c935182
68 changed files with 2142 additions and 291 deletions
--- a/ops/devops/release/components.json
+++ b/ops/devops/release/components.json
@@ -72,6 +72,24 @@
      "project": "src/Excititor/StellaOps.Excititor.WebService/StellaOps.Excititor.WebService.csproj",
      "entrypoint": "StellaOps.Excititor.WebService.dll"
    },
+    {
+      "name": "advisory-ai-web",
+      "repository": "advisory-ai-web",
+      "kind": "dotnet-service",
+      "context": ".",
+      "dockerfile": "ops/devops/release/docker/Dockerfile.dotnet-service",
+      "project": "src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/StellaOps.AdvisoryAI.WebService.csproj",
+      "entrypoint": "StellaOps.AdvisoryAI.WebService.dll"
+    },
+    {
+      "name": "advisory-ai-worker",
+      "repository": "advisory-ai-worker",
+      "kind": "dotnet-service",
+      "context": ".",
+      "dockerfile": "ops/devops/release/docker/Dockerfile.dotnet-service",
+      "project": "src/AdvisoryAI/StellaOps.AdvisoryAI.Worker/StellaOps.AdvisoryAI.Worker.csproj",
+      "entrypoint": "StellaOps.AdvisoryAI.Worker.dll"
+    },
    {
      "name": "web-ui",
      "repository": "web-ui",
--- a/ops/devops/sealed-mode-ci/authority.harness.yaml
+++ b/ops/devops/sealed-mode-ci/authority.harness.yaml
@@ -46,6 +46,15 @@ airGap:
    allowPrivateNetworks: true
    remediationDocumentationUrl: https://docs.stella-ops.org/airgap/sealed-ci
    supportContact: airgap-ops@stella-ops.org
+  sealedMode:
+    enforcementEnabled: true
+    evidencePath: /artifacts/sealed-mode-ci/latest/authority-sealed-ci.json
+    maxEvidenceAge: 00:30:00
+    cacheLifetime: 00:01:00
+    requireAuthorityHealthPass: true
+    requireSignerHealthPass: true
+    requireAttestorHealthPass: true
+    requireEgressProbePass: true
 tenants:
  - name: sealed-ci
    roles: