Finalize UI truthfulness and bootstrap hardening

This commit is contained in:
master
2026-04-16 16:23:54 +03:00
parent 4799aa2402
commit bc6b1c5959
145 changed files with 10503 additions and 9837 deletions


@@ -30,8 +30,14 @@
* **OAuth2** grant types:
* **Client Credentials** (service↔service, with mTLS or private_key_jwt)
* **Device Code** (CLI login on headless agents; optional)
* **Authorization Code + PKCE** (browser login for UI; optional)
* **Device Code** (CLI login on headless agents; optional when enabled by the deployment profile)
* **Authorization Code + PKCE** (browser login for UI and future human CLI flows; optional)
* **Password** (current local/dev bootstrap compatibility path for human CLI login; not the target long-term operator flow)
* **Current local/dev standard-plugin seed** (`etc/authority/plugins/standard.yaml`):
* `stella-ops-ui`: `authorization_code refresh_token`
* `stellaops-cli`: public human client with `authorization_code password refresh_token`; localhost redirect URIs are PKCE-required, and the CLI currently uses this client for fresh-shell interactive username/password login
* `stellaops-cli-automation`: confidential automation client with `client_credentials`
* **Sender constraint options** (choose per caller or per audience):
* **DPoP** (Demonstration of ProofofPossession): proof JWT on each HTTP request, bound to the access token via `cnf.jkt`.
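Review bot: the new Password bullet and the `stellaops-cli` seed entry leave the `password` grant ungated, while the Device Code bullet in the same list is explicitly "optional when enabled by the deployment profile"; since `stellaops-cli` is a public client carrying `authorization_code password refresh_token`, state in the Password bullet how the grant is turned off outside local/dev (the same deployment-profile wording, or a pointer to the setting that removes `password` from the seeded client's grant types), so the compatibility path cannot be read as an approved production flow.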
@@ -117,8 +123,9 @@ plan? = <plan name> // optional hint for UIs; not used for e
* `security.senderConstraints.mtls.enforceForAudiences` forces the mTLS path when requested `aud`/`resource` values intersect high-value audiences (defaults include `signer`). Authority rejects clients attempting to use DPoP/basic secrets for these audiences.
* Stored `certificateBindings` are authoritative: thumbprint, subject, issuer, serial number, and SAN values are matched against the presented certificate, with rotation grace applied to activation windows. Failures surface deterministic error codes (e.g. `certificate_binding_subject_mismatch`).
* **private_key_jwt**: JWTbased client auth + **DPoP** header (preferred for tools and CLI)
* **Device Code** (CLI): `POST /oauth/device/code` + `POST /oauth/token` poll
* **Authorization Code + PKCE** (UI): standard
* **Device Code** (CLI): `POST /oauth/device/code` + `POST /oauth/token` poll when enabled by the deployment profile
* **Authorization Code + PKCE** (UI/browser and future human CLI): standard
* **Password** (current local/dev human CLI bootstrap): `POST /token` using the seeded `stellaops-cli` public client
**DPoP handshake (example)**
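Review bot: the Password line points at `POST /token` while the Device Code line two bullets above uses `POST /oauth/token`; either both endpoints exist and the difference should be stated, or one path is a typo, so make the two consistent. The "when enabled by the deployment profile" gate added to the Device Code bullet is also missing from the Password bullet, which documents the seeded `stellaops-cli` public client without saying when the grant is unavailable.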