Add TLS certificates and private keys for telemetry components

- Added CA certificate (ca.crt) and private key (ca.key) for secure communication.
- Added client certificate (client.crt) and private key (client.key) for client authentication.
- Added collector certificate (collector.crt) and private key (collector.key) for collector authentication.

ops/devops/TASKS.md

@@ -17,6 +17,8 @@
 > Blocked: guard coverage suites and exporter hooks pending in Concelier/Excititor (CONCELIER-WEB-AOC-19-003, EXCITITOR-WEB-AOC-19-003).
 | DEVOPS-AOC-19-101 | TODO (2025-10-28) | DevOps Guild, Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. | Runbook committed in `docs/deploy/containers.md` + Offline Kit notes, staging rehearsal scheduled with dependencies captured in SPRINTS. |
 | DEVOPS-OBS-50-002 | DONE (2025-11-05) | DevOps Guild, Security Guild | DEVOPS-OBS-50-001, TELEMETRY-OBS-51-002 | Stand up multi-tenant storage backends (Prometheus, Tempo/Jaeger, Loki) with retention policies, tenant isolation, and redaction guard rails. Integrate with Authority scopes for read paths. | Storage stack deployed with auth; retention configured; integration tests verify tenant isolation; runbook drafted. |
+> 2025-11-05: Collector now exports to Tempo/Loki with tenant headers; tenant isolation smoke + CI integration landed.
+| DEVOPS-OBS-50-003 | DONE (2025-11-05) | DevOps Guild | DEVOPS-OBS-50-002 | Automate telemetry tenant-isolation smoke in CI (compose stack + OTLP checks). | Build pipeline runs `tenant_isolation_smoke.py`; cleanup guards registered. |
 > Coordination started with Observability Guild (2025-10-26) to schedule staging rollout and provision service accounts. Staging bootstrap commands and secret names documented in `docs/modules/telemetry/operations/storage.md`.
 > 2025-10-30: Added static validator `ops/devops/telemetry/validate_storage_stack.py` and updated storage runbook to require it alongside TLS/tenant setup.
 | DEVOPS-OBS-51-001 | TODO | DevOps Guild, Observability Guild | WEB-OBS-51-001, DEVOPS-OBS-50-001 | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. | Dashboards live; evaluator emits webhooks; alert runbook referenced; staging alert fired in test. |
@@ -117,8 +119,8 @@
 |----|--------|----------|------------|-------------|---------------|
 | DEVOPS-CLI-41-001 | TODO | DevOps Guild, DevEx/CLI Guild | CLI-CORE-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | Build pipeline operational; SBOM/checksums published; parity gate failing on drift; docs updated. |
 | DEVOPS-CLI-42-001 | TODO | DevOps Guild | DEVOPS-CLI-41-001, CLI-PARITY-41-001 | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. | Golden tests running; parity diff automation in CI; pack run harness executes sample packs; documentation updated. |
-| DEVOPS-CLI-43-001 | DOING (2025-10-27) | DevOps Guild | DEVOPS-CLI-42-001, TASKRUN-42-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. | Release automation verified; SBOM signed; parity gate enforced; chaos tests documented. |
-> 2025-10-27: Release pipeline now packages CLI multi-platform artefacts with SBOM/signature coverage and enforces the CLI parity gate (`ops/devops/check_cli_parity.py`). Task Pack chaos smoke still pending CLI pack command delivery.
+| DEVOPS-CLI-43-001 | DONE (2025-11-05) | DevOps Guild | DEVOPS-CLI-42-001, TASKRUN-42-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. | Release automation verified; SBOM signed; parity gate enforced; chaos tests documented. |
+> 2025-11-05: Build/Test workflow now publishes CLI binaries for linux/mac/windows and runs CLI unit tests; release workflow gates on `check_cli_parity.py` and signs CLI SBOMs. Task Pack chaos smoke tracked under DEVOPS-CLI-43-002 pending Task Runner approvals GA.
 | DEVOPS-CLI-43-002 | TODO | DevOps Guild, Task Runner Guild | CLI-PACKS-43-001, TASKRUN-43-001 | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. | Chaos smoke job runs nightly; failures alert Slack; evidence stored in `out/pack-chaos`; runbook updated. |
 | DEVOPS-CLI-43-003 | TODO | DevOps Guild, DevEx/CLI Guild | CLI-PARITY-41-001, CLI-PACKS-42-001 | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. | `check_cli_parity.py` wired to compare parity matrix and CLI outputs; artifact uploaded; release fails on regressions.
 

ops/devops/telemetry/generate_dev_tls.sh

@@ -1,77 +1,77 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-CERT_DIR="${SCRIPT_DIR}/../../deploy/telemetry/certs"
-
-mkdir -p "${CERT_DIR}"
-
-CA_KEY="${CERT_DIR}/ca.key"
-CA_CRT="${CERT_DIR}/ca.crt"
-COL_KEY="${CERT_DIR}/collector.key"
-COL_CSR="${CERT_DIR}/collector.csr"
-COL_CRT="${CERT_DIR}/collector.crt"
-CLIENT_KEY="${CERT_DIR}/client.key"
-CLIENT_CSR="${CERT_DIR}/client.csr"
-CLIENT_CRT="${CERT_DIR}/client.crt"
-
-echo "[*] Generating OpenTelemetry dev CA and certificates in ${CERT_DIR}"
-
-# Root CA
-if [[ ! -f "${CA_KEY}" ]]; then
-  openssl genrsa -out "${CA_KEY}" 4096 >/dev/null 2>&1
-fi
-openssl req -x509 -new -key "${CA_KEY}" -days 365 -sha256 \
-  -out "${CA_CRT}" -subj "/CN=StellaOps Dev Telemetry CA" \
-  -config <(cat <<'EOF'
-[req]
-distinguished_name = req_distinguished_name
-prompt = no
-[req_distinguished_name]
-EOF
-) >/dev/null 2>&1
-
-# Collector certificate (server + client auth)
-openssl req -new -nodes -newkey rsa:4096 \
-  -keyout "${COL_KEY}" \
-  -out "${COL_CSR}" \
-  -subj "/CN=stellaops-otel-collector" >/dev/null 2>&1
-
-openssl x509 -req -in "${COL_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
-  -CAcreateserial -out "${COL_CRT}" -days 365 -sha256 \
-  -extensions v3_req -extfile <(cat <<'EOF'
-[v3_req]
-subjectAltName = @alt_names
-extendedKeyUsage = serverAuth, clientAuth
-[alt_names]
-DNS.1 = stellaops-otel-collector
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-EOF
-) >/dev/null 2>&1
-
-# Client certificate
-openssl req -new -nodes -newkey rsa:4096 \
-  -keyout "${CLIENT_KEY}" \
-  -out "${CLIENT_CSR}" \
-  -subj "/CN=stellaops-otel-client" >/dev/null 2>&1
-
-openssl x509 -req -in "${CLIENT_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
-  -CAcreateserial -out "${CLIENT_CRT}" -days 365 -sha256 \
-  -extensions v3_req -extfile <(cat <<'EOF'
-[v3_req]
-extendedKeyUsage = clientAuth
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = stellaops-otel-client
-DNS.2 = localhost
-IP.1 = 127.0.0.1
-EOF
-) >/dev/null 2>&1
-
-rm -f "${COL_CSR}" "${CLIENT_CSR}"
-rm -f "${CERT_DIR}/ca.srl"
-
-echo "[✓] Certificates ready:"
-ls -1 "${CERT_DIR}"
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CERT_DIR="${SCRIPT_DIR}/../../deploy/telemetry/certs"
+
+mkdir -p "${CERT_DIR}"
+
+CA_KEY="${CERT_DIR}/ca.key"
+CA_CRT="${CERT_DIR}/ca.crt"
+COL_KEY="${CERT_DIR}/collector.key"
+COL_CSR="${CERT_DIR}/collector.csr"
+COL_CRT="${CERT_DIR}/collector.crt"
+CLIENT_KEY="${CERT_DIR}/client.key"
+CLIENT_CSR="${CERT_DIR}/client.csr"
+CLIENT_CRT="${CERT_DIR}/client.crt"
+
+echo "[*] Generating OpenTelemetry dev CA and certificates in ${CERT_DIR}"
+
+# Root CA
+if [[ ! -f "${CA_KEY}" ]]; then
+  openssl genrsa -out "${CA_KEY}" 4096 >/dev/null 2>&1
+fi
+openssl req -x509 -new -key "${CA_KEY}" -days 365 -sha256 \
+  -out "${CA_CRT}" -subj "/CN=StellaOps Dev Telemetry CA" \
+  -config <(cat <<'EOF'
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+[req_distinguished_name]
+EOF
+) >/dev/null 2>&1
+
+# Collector certificate (server + client auth)
+openssl req -new -nodes -newkey rsa:4096 \
+  -keyout "${COL_KEY}" \
+  -out "${COL_CSR}" \
+  -subj "/CN=stellaops-otel-collector" >/dev/null 2>&1
+
+openssl x509 -req -in "${COL_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
+  -CAcreateserial -out "${COL_CRT}" -days 365 -sha256 \
+  -extensions v3_req -extfile <(cat <<'EOF'
+[v3_req]
+subjectAltName = @alt_names
+extendedKeyUsage = serverAuth, clientAuth
+[alt_names]
+DNS.1 = stellaops-otel-collector
+DNS.2 = localhost
+IP.1 = 127.0.0.1
+EOF
+) >/dev/null 2>&1
+
+# Client certificate
+openssl req -new -nodes -newkey rsa:4096 \
+  -keyout "${CLIENT_KEY}" \
+  -out "${CLIENT_CSR}" \
+  -subj "/CN=stellaops-otel-client" >/dev/null 2>&1
+
+openssl x509 -req -in "${CLIENT_CSR}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
+  -CAcreateserial -out "${CLIENT_CRT}" -days 365 -sha256 \
+  -extensions v3_req -extfile <(cat <<'EOF'
+[v3_req]
+extendedKeyUsage = clientAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = stellaops-otel-client
+DNS.2 = localhost
+IP.1 = 127.0.0.1
+EOF
+) >/dev/null 2>&1
+
+rm -f "${COL_CSR}" "${CLIENT_CSR}"
+rm -f "${CERT_DIR}/ca.srl"
+
+echo "[✓] Certificates ready:"
+ls -1 "${CERT_DIR}"