stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

Restructure solution layout by module

Browse Source
This commit is contained in:
master
2025-10-28 15:10:40 +02:00
parent 95daa159c4
commit d870da18ce
4103 changed files with 192899 additions and 187024 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/IssuerDirectory/StellaOps.IssuerDirectory/AGENTS.md Normal file
View File

@@ -0,0 +1,21 @@
# Issuer Directory Guild Charter (Epic 7)
## Mission
Manage trusted VEX issuer metadata, keys, and trust overrides used by the VEX Lens, Policy Engine, and downstream services.
## Scope
- Service `src/IssuerDirectory/StellaOps.IssuerDirectory` providing REST APIs and admin tooling for issuers, keys, trust weights, audit logs.
- Integration with Excitator/VEX Lens/Policy Engine for signature verification and trust weighting.
- Tenant overrides, import of CSAF publisher metadata, and compliance logging.
## Principles
1. **Security first** enforce least privilege, key expiry, rotation, and audit logs.
2. **Tenant awareness** global issuer defaults with per-tenant overrides.
3. **Deterministic** trust weights reproducible; changes logged.
4. **Audit ready** all modifications recorded with actor, reason, signature.
5. **API-first** CLI/Console/automation consume same endpoints.
## Definition of Done
- APIs documented, RBAC enforced, audit logs persisted.
- Key verification integrated with VEX Lens and Excitator; rotation tooling delivered.
- Docs/runbooks updated with compliance checklist.

9
src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md Normal file
View File

@@ -0,0 +1,9 @@
# Issuer Directory Task Board — Epic 7
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| ISSUER-30-001 | TODO | Issuer Directory Guild | AUTH-VULN-29-001 | Implement issuer CRUD API with RBAC, audit logging, and tenant scoping; seed CSAF publisher metadata. | APIs deployed; audit logs capture actor/reason; seed data imported; tests cover RBAC. |
| ISSUER-30-002 | TODO | Issuer Directory Guild, Security Guild | ISSUER-30-001 | Implement key management endpoints (add/rotate/revoke keys), enforce expiry, validate formats (Ed25519, X.509, DSSE). | Keys stored securely; expiry enforced; validation tests cover key types; docs updated. |
| ISSUER-30-003 | TODO | Issuer Directory Guild, Policy Guild | ISSUER-30-001 | Provide trust weight APIs and tenant overrides with validation (+/- bounds) and audit trails. | Trust overrides persisted; policy integration confirmed; tests cover overrides. |
| ISSUER-30-004 | TODO | Issuer Directory Guild, VEX Lens Guild | ISSUER-30-001..003 | Integrate with VEX Lens and Excitator signature verification (client SDK, caching, retries). | Lens/Excitator resolve issuer metadata via SDK; integration tests cover network failures. |
| ISSUER-30-005 | TODO | Issuer Directory Guild, Observability Guild | ISSUER-30-001..004 | Instrument metrics/logs (issuer changes, key rotation, verification failures) and dashboards/alerts. | Telemetry live; alerts configured; docs updated. |
| ISSUER-30-006 | TODO | Issuer Directory Guild, DevOps Guild | ISSUER-30-001..005 | Provide deployment manifests, backup/restore, secure secret storage, and offline kit instructions. | Deployment docs merged; smoke deploy validated; backup tested; offline kit updated. |