stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

Restructure solution layout by module

Browse Source
This commit is contained in:
master
2025-10-28 15:10:40 +02:00
parent 95daa159c4
commit d870da18ce
4103 changed files with 192899 additions and 187024 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
docs/updates/2025-10-20-authority-identity-registry.md
View File

@@ -1,14 +1,14 @@
# 2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates
## Summary
- Authority host now resolves identity providers through the new metadata/handle pattern introduced in `StellaOps.Authority.Plugins.Abstractions`. Runtime handlers (`ValidateClientCredentialsHandler`, `ValidatePasswordGrantHandler`, `ValidateAccessTokenHandler`, bootstrap endpoints) acquire providers with `IAuthorityIdentityProviderRegistry.AcquireAsync` and rely on metadata (`AuthorityIdentityProviderMetadata`) for capability checks.
- Unit and integration tests build lightweight `ServiceProvider` instances with test plugins, matching production DI behaviour and ensuring the new registry contract is exercised.
- DPoP nonce enforcement now prefers `NormalizedAudiences` when populated and gracefully falls back to the configured `RequiredAudiences`, eliminating the runtime type mismatch that previously surfaced during test runs.
## Operator impact
- No configuration changes are required; existing YAML and environment-based settings continue to function.
- Documentation examples referencing password/mTLS bootstrap flows remain accurate. The new registry logic simply ensures providers advertised in configuration are resolved deterministically and capability-gated before use.
## Developer notes
- When adding new identity providers or tests, register plugins via `ServiceCollection` and call `new AuthorityIdentityProviderRegistry(serviceProvider, logger)`.
- For DPoP-required endpoints, populate `security.senderConstraints.dpop.nonce.requiredAudiences` or rely on defaults; both now funnel through the normalized set.
# 2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates
## Summary
- Authority host now resolves identity providers through the new metadata/handle pattern introduced in `StellaOps.Authority.Plugins.Abstractions`. Runtime handlers (`ValidateClientCredentialsHandler`, `ValidatePasswordGrantHandler`, `ValidateAccessTokenHandler`, bootstrap endpoints) acquire providers with `IAuthorityIdentityProviderRegistry.AcquireAsync` and rely on metadata (`AuthorityIdentityProviderMetadata`) for capability checks.
- Unit and integration tests build lightweight `ServiceProvider` instances with test plugins, matching production DI behaviour and ensuring the new registry contract is exercised.
- DPoP nonce enforcement now prefers `NormalizedAudiences` when populated and gracefully falls back to the configured `RequiredAudiences`, eliminating the runtime type mismatch that previously surfaced during test runs.
## Operator impact
- No configuration changes are required; existing YAML and environment-based settings continue to function.
- Documentation examples referencing password/mTLS bootstrap flows remain accurate. The new registry logic simply ensures providers advertised in configuration are resolved deterministically and capability-gated before use.
## Developer notes
- When adding new identity providers or tests, register plugins via `ServiceCollection` and call `new AuthorityIdentityProviderRegistry(serviceProvider, logger)`.
- For DPoP-required endpoints, populate `security.senderConstraints.dpop.nonce.requiredAudiences` or rely on defaults; both now funnel through the normalized set.

2
docs/updates/2025-10-20-scanner-events.md
View File

@@ -2,4 +2,4 @@
- Scanner WebService now wires a reusable `IRedisConnectionFactory`, simplifying redis transport testing and reuse for future adapters.
- `/api/v1/reports` integration test (`ReportsEndpointPublishesPlatformEvents`) asserts both report-ready and scan-completed envelopes carry DSSE payloads, scope metadata, and deterministic verdicts.
- Task `SCANNER-EVENTS-15-201` closed after verifying `dotnet test src/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj`.
- Task `SCANNER-EVENTS-15-201` closed after verifying `dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj`.

26
docs/updates/2025-10-22-docs-guild.md
View File

@@ -1,13 +1,13 @@
# Docs Guild Update — 2025-10-22
**Subject:** Concelier Authority toggle rollout polish
**Audience:** Docs Guild, Concelier WebService Guild, Authority Core
- Added a rollout phase table to `docs/10_CONCELIER_CLI_QUICKSTART.md`, clarifying how `authority.enabled` and `authority.allowAnonymousFallback` move from validation to enforced mode and highlighting the audit/metric signals to watch at each step.
- Extended the Authority integration checklist in the same quickstart so operators tie CLI smoke tests to audit counters before flipping enforcement.
- Refreshed `docs/ops/concelier-authority-audit-runbook.md` with the latest date stamp, prerequisites, and pre-check guidance that reference the quickstart timeline; keeps change-request templates aligned.
- Documented the new Go analyzer artefacts in `docs/24_OFFLINE_KIT.md` (manifest excerpt + tarball smoke test) so Ops can confirm the plug-in ships in the 20251022 bundle before promoting it to mirrors.
Next steps:
- Concelier WebService owners to link this update in the next deployment bulletin once FEEDWEB-DOCS-01-001 clears review.
- Docs Guild to verify the Offline Kit doc bundle picks up the quickstart/runbook changes after the nightly build.
# Docs Guild Update — 2025-10-22
**Subject:** Concelier Authority toggle rollout polish
**Audience:** Docs Guild, Concelier WebService Guild, Authority Core
- Added a rollout phase table to `docs/10_CONCELIER_CLI_QUICKSTART.md`, clarifying how `authority.enabled` and `authority.allowAnonymousFallback` move from validation to enforced mode and highlighting the audit/metric signals to watch at each step.
- Extended the Authority integration checklist in the same quickstart so operators tie CLI smoke tests to audit counters before flipping enforcement.
- Refreshed `docs/ops/concelier-authority-audit-runbook.md` with the latest date stamp, prerequisites, and pre-check guidance that reference the quickstart timeline; keeps change-request templates aligned.
- Documented the new Go analyzer artefacts in `docs/24_OFFLINE_KIT.md` (manifest excerpt + tarball smoke test) so Ops can confirm the plug-in ships in the 20251022 bundle before promoting it to mirrors.
Next steps:
- Concelier WebService owners to link this update in the next deployment bulletin once FEEDWEB-DOCS-01-001 clears review.
- Docs Guild to verify the Offline Kit doc bundle picks up the quickstart/runbook changes after the nightly build.

30
docs/updates/2025-10-26-authority-graph-scopes.md
View File

@@ -1,15 +1,15 @@
# 2025-10-26 — Authority graph scopes documentation refresh
## Summary
- Documented least-privilege guidance for the new `graph:*` scopes in `docs/11_AUTHORITY.md` (scope mapping, tenant propagation, and DPoP expectations).
- Extended the sample client table/config to include Cartographer and Graph API registrations so downstream teams can copy/paste the correct defaults.
- Highlighted the requirement to consume `StellaOpsScopes` constants instead of hard-coded scope strings across services.
## Next steps
| Team | Follow-up | Target |
|------|-----------|--------|
| Authority Core | Ensure `/jwks` changelog references graph scope rollout in next release note. | 2025-10-28 |
| Graph API Guild | Update gateway scaffolding to request scopes from `StellaOpsScopes` once the host project lands. | Sprint 21 stand-up |
| Scheduler Guild | Confirm Cartographer client onboarding uses the new sample secret templates. | Sprint 21 stand-up |
# 2025-10-26 — Authority graph scopes documentation refresh
## Summary
- Documented least-privilege guidance for the new `graph:*` scopes in `docs/11_AUTHORITY.md` (scope mapping, tenant propagation, and DPoP expectations).
- Extended the sample client table/config to include Cartographer and Graph API registrations so downstream teams can copy/paste the correct defaults.
- Highlighted the requirement to consume `StellaOpsScopes` constants instead of hard-coded scope strings across services.
## Next steps
| Team | Follow-up | Target |
|------|-----------|--------|
| Authority Core | Ensure `/jwks` changelog references graph scope rollout in next release note. | 2025-10-28 |
| Graph API Guild | Update gateway scaffolding to request scopes from `StellaOpsScopes` once the host project lands. | Sprint 21 stand-up |
| Scheduler Guild | Confirm Cartographer client onboarding uses the new sample secret templates. | Sprint 21 stand-up |

6
docs/updates/2025-10-26-scheduler-graph-jobs.md
View File

@@ -6,10 +6,10 @@ SCHED-MODELS-21-001 delivered the new `GraphBuildJob`/`GraphOverlayJob` contract
Key links:
- Schema doc: `src/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md`
- Schema doc: `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md`
- Samples (round-trip tested): `samples/api/scheduler/graph-build-job.json`, `samples/api/scheduler/graph-overlay-job.json`
- Event schema + sample: `docs/events/scheduler.graph.job.completed@1.json`, `docs/events/samples/scheduler.graph.job.completed@1.sample.json`
- API doc: `src/StellaOps.Scheduler.WebService/docs/SCHED-WEB-21-001-GRAPH-APIS.md`
- API doc: `src/Scheduler/StellaOps.Scheduler.WebService/docs/SCHED-WEB-21-001-GRAPH-APIS.md`
- Tests: `StellaOps.Scheduler.Models.Tests/SamplePayloadTests.cs`, `GraphJobStateMachineTests.cs`
## Action items
@@ -28,7 +28,7 @@ Key links:
> Suggested message for Slack `#scheduler-guild` & `#cartographer-guild`:
>
> ```
> Graph job DTOs/docs are live (SCHED-MODELS-21-001/002). Samples under samples/api/scheduler, schema notes in src/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md. Please review before wiring SCHED-WEB-21-001/201. GraphJobStateMachine enforces status/attempt invariants—shout if you need additional states.
> Graph job DTOs/docs are live (SCHED-MODELS-21-001/002). Samples under samples/api/scheduler, schema notes in src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md. Please review before wiring SCHED-WEB-21-001/201. GraphJobStateMachine enforces status/attempt invariants—shout if you need additional states.
> ```
Record notifications here once posted.

96
docs/updates/2025-10-27-console-security-signoff.md
View File

@@ -1,48 +1,48 @@
# Console Security Checklist Sign-off — 2025-10-27
## Summary
- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint23 build.
- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
- Result: **PASS** console may progress with Sprint23 release gating.
## Authority client validation
- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`.
- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`.
## CSP enforcement
- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present.
- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared.
## Fresh-auth timer
- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5minutes idle.
- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs.
## DPoP binding test
- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`.
- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`.
## Offline mode exercise
- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
- Imported Offline Kit manifest; parity checks report `OK` status.
## Evidence parity
- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match.
- Verified Downloads workspace never caches bundle contents (only manifest metadata stored).
## Monitoring & alerts
- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures.
- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps.
## Sign-off
- Reviewed by **Security Guild** (lead: `@sec-lfox`).
- Sign-off recorded in Sprint23 tracker (`SPRINTS.md`, `DOCS-CONSOLE-23-018`).
# Console Security Checklist Sign-off — 2025-10-27
## Summary
- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint23 build.
- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
- Result: **PASS** console may progress with Sprint23 release gating.
## Authority client validation
- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`.
- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`.
## CSP enforcement
- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present.
- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared.
## Fresh-auth timer
- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5minutes idle.
- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs.
## DPoP binding test
- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`.
- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`.
## Offline mode exercise
- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
- Imported Offline Kit manifest; parity checks report `OK` status.
## Evidence parity
- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match.
- Verified Downloads workspace never caches bundle contents (only manifest metadata stored).
## Monitoring & alerts
- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures.
- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps.
## Sign-off
- Reviewed by **Security Guild** (lead: `@sec-lfox`).
- Sign-off recorded in Sprint23 tracker (`../implplan/SPRINTS.md`, `DOCS-CONSOLE-23-018`).

30
docs/updates/2025-10-27-orch-operator-scope.md
View File

@@ -1,15 +1,15 @@
# 2025-10-27 — Orchestrator operator scope & audit metadata
## Summary
- Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`.
- Authority now enforces `operator_reason` and `operator_ticket` parameters on `/token` requests that include `orch:operate`; missing values yield `invalid_request` and no token is issued.
- Client credentials audit events capture both fields (`request.reason`, `request.ticket`), giving SecOps traceability for every control action.
## Next steps
| Team | Follow-up | Target |
|------|-----------|--------|
| Console Guild | Wire UI control panels to request `operator_reason`/`operator_ticket` when exchanging tokens for orchestrator actions. | Sprint 23 stand-up |
| CLI Guild | Add flags to `stella orch` subcommands to pass reason/ticket metadata before enabling mutations. | Sprint 23 stand-up |
| Orchestrator Service | Enforce presence of `X-Stella-Reason`/`X-Stella-Ticket` (or equivalent metadata) on mutate endpoints and align audit logging. | ORCH-SVC-33-001 implementation |
# 2025-10-27 — Orchestrator operator scope & audit metadata
## Summary
- Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`.
- Authority now enforces `operator_reason` and `operator_ticket` parameters on `/token` requests that include `orch:operate`; missing values yield `invalid_request` and no token is issued.
- Client credentials audit events capture both fields (`request.reason`, `request.ticket`), giving SecOps traceability for every control action.
## Next steps
| Team | Follow-up | Target |
|------|-----------|--------|
| Console Guild | Wire UI control panels to request `operator_reason`/`operator_ticket` when exchanging tokens for orchestrator actions. | Sprint 23 stand-up |
| CLI Guild | Add flags to `stella orch` subcommands to pass reason/ticket metadata before enabling mutations. | Sprint 23 stand-up |
| Orchestrator Service | Enforce presence of `X-Stella-Reason`/`X-Stella-Ticket` (or equivalent metadata) on mutate endpoints and align audit logging. | ORCH-SVC-33-001 implementation |

30
docs/updates/2025-10-27-policy-scope-migration.md
View File

@@ -1,15 +1,15 @@
# 2025-10-27 — Policy scope migration guidance
## Summary
- Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`).
- Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on `policy:write`/`policy:submit`/`policy:run` scopes.
- Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles.
## Next steps
| Team | Follow-up | Target |
|------|-----------|--------|
| Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. | 2025-10-29 |
| DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated `policy-cli` credentials. | Sprint 23 stand-up |
| Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 |
# 2025-10-27 — Policy scope migration guidance
## Summary
- Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`).
- Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on `policy:write`/`policy:submit`/`policy:run` scopes.
- Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles.
## Next steps
| Team | Follow-up | Target |
|------|-----------|--------|
| Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. | 2025-10-29 |
| DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated `policy-cli` credentials. | Sprint 23 stand-up |
| Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 |

30
docs/updates/2025-10-27-task-packs-docs.md
View File

@@ -1,15 +1,15 @@
# Docs Guild Update — Task Pack Docs (2025-10-27)
- Added Task Pack core documentation set:
- `/docs/task-packs/spec.md`
- `/docs/task-packs/authoring-guide.md`
- `/docs/task-packs/registry.md`
- `/docs/task-packs/runbook.md`
- `/docs/security/pack-signing-and-rbac.md`
- `/docs/operations/cli-release-and-packaging.md`
- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks.
- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement).
- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm).
- Sprint tracker `DOCS-PACKS-43-001` marked DOING→DONE; follow-up reviews scheduled with Task Runner and Security guilds.
Artifacts: [Spec](../task-packs/spec.md), [Authoring guide](../task-packs/authoring-guide.md), [Registry](../task-packs/registry.md), [Runbook](../task-packs/runbook.md), [Signing/RBAC](../security/pack-signing-and-rbac.md), [CLI release runbook](../operations/cli-release-and-packaging.md).
# Docs Guild Update — Task Pack Docs (2025-10-27)
- Added Task Pack core documentation set:
- `/docs/task-packs/spec.md`
- `/docs/task-packs/authoring-guide.md`
- `/docs/task-packs/registry.md`
- `/docs/task-packs/runbook.md`
- `/docs/security/pack-signing-and-rbac.md`
- `/docs/operations/cli-release-and-packaging.md`
- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks.
- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement).
- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm).
- Sprint tracker `DOCS-PACKS-43-001` marked DOING→DONE; follow-up reviews scheduled with Task Runner and Security guilds.
Artifacts: [Spec](../task-packs/spec.md), [Authoring guide](../task-packs/authoring-guide.md), [Registry](../task-packs/registry.md), [Runbook](../task-packs/runbook.md), [Signing/RBAC](../security/pack-signing-and-rbac.md), [CLI release runbook](../operations/cli-release-and-packaging.md).

52
docs/updates/2025-10-28-docs-guild.md
View File

@@ -1,26 +1,26 @@
# Docs Guild Update — 2025-10-28
## Console security posture draft
- Published `docs/security/console-security.md` covering console OIDC/DPoP flow, scope map, fresh-auth sequence, CSP defaults, evidence handling, and monitoring checklist.
- Authority owners (`AUTH-CONSOLE-23-003`) to verify `/fresh-auth` token semantics (120s OpTok, 300s fresh-auth window) and confirm scope bundles before closing the sprint task.
- Security Guild requested to execute the compliance checklist in §9 and record sign-off in SPRINT 23 log once alerts/dashboards are wired (metrics references: `ui_request_duration_seconds`, `ui_dpop_failure_total`, Grafana board `console-security.json`).
## Console CLI parity matrix
- Added `/docs/cli-vs-ui-parity.md` with feature-level status tracking (✅/🟡/🟩). Pending commands reference CLI backlog (`CLI-EXPORT-35-001`, `CLI-POLICY-23-005`, `CONSOLE-DOC-23-502`).
- DevEx/CLI Guild to wire parity CI workflow when CLI downloads commands ship; Downloads workspace already links to the forthcoming parity report slot.
## Accessibility refresh
- Published `/docs/accessibility.md` describing keyboard flows, screen-reader behaviour, colour tokens, testing rig (Storybook axe, Playwright a11y), and offline guidance.
- Accessibility Guild (CONSOLE-QA-23-402) to log the next Playwright a11y sweep results against the new checklist; design tokens follow-up tracked via CONSOLE-FEAT-23-102.
Artifacts:
- Doc: `/docs/security/console-security.md`
- Doc: `/docs/cli-vs-ui-parity.md`
- Doc: `/docs/accessibility.md`
- Sprint tracker: `SPRINTS.md` (DOCS-CONSOLE-23-012 now DONE)
cc: `@authority-core`, `@security-guild`, `@docs-guild`
# Docs Guild Update — 2025-10-28
## Console security posture draft
- Published `docs/security/console-security.md` covering console OIDC/DPoP flow, scope map, fresh-auth sequence, CSP defaults, evidence handling, and monitoring checklist.
- Authority owners (`AUTH-CONSOLE-23-003`) to verify `/fresh-auth` token semantics (120s OpTok, 300s fresh-auth window) and confirm scope bundles before closing the sprint task.
- Security Guild requested to execute the compliance checklist in §9 and record sign-off in SPRINT 23 log once alerts/dashboards are wired (metrics references: `ui_request_duration_seconds`, `ui_dpop_failure_total`, Grafana board `console-security.json`).
## Console CLI parity matrix
- Added `/docs/cli-vs-ui-parity.md` with feature-level status tracking (✅/🟡/🟩). Pending commands reference CLI backlog (`CLI-EXPORT-35-001`, `CLI-POLICY-23-005`, `CONSOLE-DOC-23-502`).
- DevEx/CLI Guild to wire parity CI workflow when CLI downloads commands ship; Downloads workspace already links to the forthcoming parity report slot.
## Accessibility refresh
- Published `/docs/accessibility.md` describing keyboard flows, screen-reader behaviour, colour tokens, testing rig (Storybook axe, Playwright a11y), and offline guidance.
- Accessibility Guild (CONSOLE-QA-23-402) to log the next Playwright a11y sweep results against the new checklist; design tokens follow-up tracked via CONSOLE-FEAT-23-102.
Artifacts:
- Doc: `/docs/security/console-security.md`
- Doc: `/docs/cli-vs-ui-parity.md`
- Doc: `/docs/accessibility.md`
- Sprint tracker: `../implplan/SPRINTS.md` (DOCS-CONSOLE-23-012 now DONE)
cc: `@authority-core`, `@security-guild`, `@docs-guild`

18
docs/updates/2025-10-29-export-center-provenance.md
View File

@@ -1,9 +1,9 @@
# 2025-10-29 Export Center provenance/signing doc
## Summary
- Authored `docs/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist.
- Cross-linked the new guide from the docs index (`docs/README.md`) and referenced outstanding CLI automation (`CLI-EXPORT-37-001`) to keep verification guidance aligned with upcoming tooling.
## Follow-ups
- [ ] Revisit once `CLI-EXPORT-37-001` lands to confirm command names/flags and update the verification section if necessary.
- [ ] Sync with DevOps (`DEVOPS-EXPORT-37-001`) after dashboards/alerts ship to embed direct links in the failure handling section.
# 2025-10-29 Export Center provenance/signing doc
## Summary
- Authored `docs/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist.
- Cross-linked the new guide from the docs index (`docs/README.md`) and referenced outstanding CLI automation (`CLI-EXPORT-37-001`) to keep verification guidance aligned with upcoming tooling.
## Follow-ups
- [ ] Revisit once `CLI-EXPORT-37-001` lands to confirm command names/flags and update the verification section if necessary.
- [ ] Sync with DevOps (`DEVOPS-EXPORT-37-001`) after dashboards/alerts ship to embed direct links in the failure handling section.

20
docs/updates/2025-10-29-notify-docs.md
View File

@@ -1,10 +1,10 @@
# 2025-10-29 Notifications Studio docs sync prep
## Summary
- Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint39.
- Captured action items to validate connector metadata, quiet-hours semantics, and simulation endpoints once `NOTIFY-SVC-39-001..004` merge.
- Alerted Notifications Service Guild that documentation handoff is pending those feature drops; ready to iterate as soon as the implementation surfaces schemas.
## Follow-ups
- [ ] Review merged notifier correlation/quiet-hours work (`NOTIFY-SVC-39-001..004`) and refresh overview + architecture docs with any new persistence/API details.
- [ ] Coordinate with DevOps dashboards work (`DEVOPS-NOTIFY-39-002`) to document alert references once metrics names are finalised.
# 2025-10-29 Notifications Studio docs sync prep
## Summary
- Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint39.
- Captured action items to validate connector metadata, quiet-hours semantics, and simulation endpoints once `NOTIFY-SVC-39-001..004` merge.
- Alerted Notifications Service Guild that documentation handoff is pending those feature drops; ready to iterate as soon as the implementation surfaces schemas.
## Follow-ups
- [ ] Review merged notifier correlation/quiet-hours work (`NOTIFY-SVC-39-001..004`) and refresh overview + architecture docs with any new persistence/API details.
- [ ] Coordinate with DevOps dashboards work (`DEVOPS-NOTIFY-39-002`) to document alert references once metrics names are finalised.

4
docs/updates/2025-10-29-scheduler-policy-doc-refresh.md
View File

@@ -10,9 +10,9 @@
> **Message:**
> ```
> Policy Engine run DTO docs just picked up a refresh (environment metadata, lifecycle+retry table, diff payload notes).
> • Doc: src/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md
> • Doc: src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-20-001-POLICY-RUNS.md
> • Samples: samples/api/scheduler/policy-*.json
> • Tests: dotnet test src/StellaOps.Scheduler.Models.Tests
> • Tests: dotnet test src/Scheduler/__Tests/StellaOps.Scheduler.Models.Tests
> Please review for orchestration + API consumer work; ping back if other fields need coverage.
> ```

22
docs/updates/2025-10-31-console-security-refresh.md
View File

@@ -1,12 +1,12 @@
# 2025-10-31 — Console Security Docs Refresh
## Summary
- Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour.
- Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly.
- Updated Console security guidance to cover the newly issued `orch:read` scope and clarified session inactivity expectations.
- Annotated `authority.yaml.sample` and the Authority ops runbook so operators forward `X-Stella-Tenant` and understand fresh-auth prompts.
## Impact
- Console release notes now reference the dedicated `/console` endpoints and their audit identifiers.
- Security Guild can rely on the updated compliance checklist when executing Sprint23 sign-off.
# 2025-10-31 — Console Security Docs Refresh
## Summary
- Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour.
- Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly.
- Updated Console security guidance to cover the newly issued `orch:read` scope and clarified session inactivity expectations.
- Annotated `authority.yaml.sample` and the Authority ops runbook so operators forward `X-Stella-Tenant` and understand fresh-auth prompts.
## Impact
- Console release notes now reference the dedicated `/console` endpoints and their audit identifiers.
- Security Guild can rely on the updated compliance checklist when executing Sprint23 sign-off.
- Deployment teams have explicit configuration reminders for tenants and orchestrator dashboard access.