docs consolidation work

StellaOps Bot
2025-12-25 10:53:53 +02:00
parent b9f71fc7e9
commit deb82b4f03
117 changed files with 852 additions and 847 deletions


@@ -374,7 +374,7 @@ tenants:
## 6·References
- [Aggregation-Only Contract reference](../ingestion/aggregation-only-contract.md)
- [Aggregation-Only Contract reference](../aoc/aggregation-only-contract.md)
- [Architecture overview](../modules/platform/architecture-overview.md)
- [Concelier architecture](../modules/concelier/architecture.md)
- [Excititor architecture](../modules/excititor/architecture.md)
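Review bot: the replaced reference now points at `../aoc/aggregation-only-contract.md` instead of `../ingestion/aggregation-only-contract.md` while the link text is unchanged, so the only way a reader notices a wrong target is a 404 in the rendered docs; the new file should be confirmed to exist in this same commit, and a search of the docs tree for the old `ingestion/aggregation-only-contract.md` path would catch any other pages the consolidation missed.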


@@ -52,17 +52,17 @@ The console client is registered in Authority as `console-ui` with scopes:
| Policy approvals | `policy:read`, `policy:review`, `policy:approve`, `policy:operate`, `policy:simulate` | `policy:operate` (promote/activate/run) requires fresh-auth. |
| Observability panes (status ticker, telemetry) | `ui.telemetry`, `scheduler:runs.read`, `advisory:read`, `vex:read` | `ui.telemetry` drives OTLP export toggles. |
| Orchestrator dashboard (queues, workers, rate limits) | `orch:read` | Provision via `Orch.Viewer` role; read-only access to job state and telemetry. |
| Orchestrator control actions (pause/resume, retry, sync-now) | `orch:operate` (plus `orch:read`) | CLI/Console must request tokens with `operator_reason` and `operator_ticket`; Authority denies issuance when either value is missing. |
| Orchestrator backfill runs | `orch:backfill` (plus `orch:read`, `orch:operate`) | Backfill tokens require `backfill_reason` (≤256 chars) and `backfill_ticket` (≤128 chars); Authority stores both alongside operator metadata in audit events. |
| Orchestrator quota & burst controls | `orch:quota` (plus `orch:read`, `orch:operate`) | Tokens must include `quota_reason` (≤256 chars); optional `quota_ticket` (≤128 chars) is captured for audit. |
| Orchestrator control actions (pause/resume, retry, sync-now) | `orch:operate` (plus `orch:read`) | CLI/Console must request tokens with `operator_reason` and `operator_ticket`; Authority denies issuance when either value is missing. |
| Orchestrator backfill runs | `orch:backfill` (plus `orch:read`, `orch:operate`) | Backfill tokens require `backfill_reason` (≤256 chars) and `backfill_ticket` (≤128 chars); Authority stores both alongside operator metadata in audit events. |
| Orchestrator quota & burst controls | `orch:quota` (plus `orch:read`, `orch:operate`) | Tokens must include `quota_reason` (≤256 chars); optional `quota_ticket` (≤128 chars) is captured for audit. |
| Downloads parity (SBOM, attestation) | `downloads:read`, `attestation:verify`, `sbom:export` | Console surfaces digests only; download links require CLI parity for write operations. |
Guidance:
- **Role mapping**: Provision Authority role `role/ui-console-admin` encapsulating the admin scopes above.
- **Orchestrator viewers**: Assign Authority role `role/orch-viewer` (Authority role string `Orch.Viewer`) to consoles that require read-only access to Orchestrator telemetry.
- **Orchestrator operators**: Assign Authority role `role/orch-operator` (Authority role string `Orch.Operator`) to identities allowed to pause/resume jobs. Tokens must include `operator_reason` (≤256 chars) and `operator_ticket` (≤128 chars); Authority records the values in audit logs.
- **Orchestrator admins**: Assign Authority role `role/orch-admin` (Authority role string `Orch.Admin`) to the handful of identities permitted to raise/lower quotas or trigger backfills. Tokens must include `quota_reason` (≤256 chars) and `backfill_reason` (≤256 chars), plus the corresponding ticket fields (`quota_ticket`, `backfill_ticket`, ≤128 chars each) so audit streams capture the change record.
- **Role mapping**: Provision Authority role `role/ui-console-admin` encapsulating the admin scopes above.
- **Orchestrator viewers**: Assign Authority role `role/orch-viewer` (Authority role string `Orch.Viewer`) to consoles that require read-only access to Orchestrator telemetry.
- **Orchestrator operators**: Assign Authority role `role/orch-operator` (Authority role string `Orch.Operator`) to identities allowed to pause/resume jobs. Tokens must include `operator_reason` (≤256 chars) and `operator_ticket` (≤128 chars); Authority records the values in audit logs.
- **Orchestrator admins**: Assign Authority role `role/orch-admin` (Authority role string `Orch.Admin`) to the handful of identities permitted to raise/lower quotas or trigger backfills. Tokens must include `quota_reason` (≤256 chars) and `backfill_reason` (≤256 chars), plus the corresponding ticket fields (`quota_ticket`, `backfill_ticket`, ≤128 chars each) so audit streams capture the change record.
- **Tenant enforcement**: Gateway injects `X-Stella-Tenant` from token claims. Requests missing the header must be rejected by downstream services (Concelier, Excititor, Policy Engine) and logged.
- **Separation of duties**: Never grant `ui.admin` and `policy:approve`/`policy:operate` to the same human role without SOC sign-off; automation accounts should use least-privilege dedicated clients.
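Review bot: the three table rows and four guidance bullets read identically before and after, so this hunk (header `@@ -52,17 +52,17 @@`, equal line counts) is almost certainly a whitespace, line-ending or Unicode normalization change, likely around the `≤` characters or trailing spaces; a docs consolidation commit should say so in its message, since silent churn of security-relevant rows (the `operator_reason`/`operator_ticket` and `quota_reason`/`backfill_reason` token requirements) makes real content edits harder to spot in review. On the substance, the table and the guidance list agree with each other (reasons ≤256 chars, tickets ≤128 chars), which is what a reviewer wants to see preserved.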
@@ -171,15 +171,15 @@ Document gaps and remediation hooks in `SEC5.*` backlog as they are addressed.
## 9·Compliance checklist
- [x] Authority client `console-ui` registered with PKCE, DPoP, tenant claim requirement, and scopes from §3. (see [console security sign-off](../updates/2025-10-27-console-security-signoff.md#authority-client-validation))
- [x] CSP enforced per §4 with overrides documented in deployment manifests. (see [console security sign-off](../updates/2025-10-27-console-security-signoff.md#csp-enforcement))
- [x] Fresh-auth timer (300s) validated for admin and policy actions; audit events captured. (see [console security sign-off](../updates/2025-10-27-console-security-signoff.md#fresh-auth-timer))
- [x] DPoP binding tested (replay attempt blocked; logs show `ui_dpop_failure_total` increment). (see [console security sign-off](../updates/2025-10-27-console-security-signoff.md#dpop-binding-test))
- [x] Offline mode exercises performed (banner, CLI guidance, manifest verification). (see [console security sign-off](../updates/2025-10-27-console-security-signoff.md#offline-mode-exercise))
- [x] Evidence download parity verified with CLI scripts; console never caches sensitive artefacts. (see [console security sign-off](../updates/2025-10-27-console-security-signoff.md#evidence-parity))
- [x] Monitoring dashboards show metrics and alerts outlined in §6; alert runbooks reviewed with Security Guild. (see [console security sign-off](../updates/2025-10-27-console-security-signoff.md#monitoring--alerts))
- [x] Security review sign-off recorded in sprint log with links to Authority threat model references. (see [console security sign-off](../updates/2025-10-27-console-security-signoff.md#sign-off))
- [x] `/console` Authority endpoints validated for tenant header enforcement, fresh-auth prompts, and introspection flows (Audit IDs `authority.console.tenants.read`, `authority.console.profile.read`, `authority.console.token.introspect`). (see [console security sign-off](../updates/2025-10-31-console-security-refresh.md))
- [x] Authority client `console-ui` registered with PKCE, DPoP, tenant claim requirement, and scopes from §3. (see [console security sign-off](../implplan/archived/updates/2025-10-27-console-security-signoff.md#authority-client-validation))
- [x] CSP enforced per §4 with overrides documented in deployment manifests. (see [console security sign-off](../implplan/archived/updates/2025-10-27-console-security-signoff.md#csp-enforcement))
- [x] Fresh-auth timer (300s) validated for admin and policy actions; audit events captured. (see [console security sign-off](../implplan/archived/updates/2025-10-27-console-security-signoff.md#fresh-auth-timer))
- [x] DPoP binding tested (replay attempt blocked; logs show `ui_dpop_failure_total` increment). (see [console security sign-off](../implplan/archived/updates/2025-10-27-console-security-signoff.md#dpop-binding-test))
- [x] Offline mode exercises performed (banner, CLI guidance, manifest verification). (see [console security sign-off](../implplan/archived/updates/2025-10-27-console-security-signoff.md#offline-mode-exercise))
- [x] Evidence download parity verified with CLI scripts; console never caches sensitive artefacts. (see [console security sign-off](../implplan/archived/updates/2025-10-27-console-security-signoff.md#evidence-parity))
- [x] Monitoring dashboards show metrics and alerts outlined in §6; alert runbooks reviewed with Security Guild. (see [console security sign-off](../implplan/archived/updates/2025-10-27-console-security-signoff.md#monitoring--alerts))
- [x] Security review sign-off recorded in sprint log with links to Authority threat model references. (see [console security sign-off](../implplan/archived/updates/2025-10-27-console-security-signoff.md#sign-off))
- [x] `/console` Authority endpoints validated for tenant header enforcement, fresh-auth prompts, and introspection flows (Audit IDs `authority.console.tenants.read`, `authority.console.profile.read`, `authority.console.token.introspect`). (see [console security sign-off](../implplan/archived/updates/2025-10-31-console-security-refresh.md))
---
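Review bot: every `[x]` item in this checklist keeps its claimed status but now cites evidence under `../implplan/archived/updates/` instead of `../updates/`, and all but the last link carry fragment anchors (`#authority-client-validation`, `#csp-enforcement`, `#fresh-auth-timer`, `#dpop-binding-test`, `#offline-mode-exercise`, `#evidence-parity`, `#monitoring--alerts`, `#sign-off`); moving the sign-off files to an archived directory is fine, but the headings behind those anchors must survive the move or the compliance evidence silently becomes unreachable, so a link check over the moved files before merge is warranted. The `2025-10-31-console-security-refresh.md` link has no anchor, so it cannot break the same way, but it should still be confirmed to exist at the new path.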