stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
docs/qa/feature-checks/runs/authority/authority-identity-provider-registry/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,42 @@
{
"feature": "authority-identity-provider-registry",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 7,
"presentFiles": 7,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProject": "StellaOps.Authority.Tests.csproj",
"relevantTests": [
"AuthorityIdentityProviderRegistryTests.RegistryIndexesProvidersAndAggregatesCapabilities",
"AuthorityIdentityProviderRegistryTests.RegistryIgnoresDuplicateNames",
"AuthorityIdentityProviderRegistryTests.AcquireAsync_ReturnsScopedProviderInstances",
"AuthorityIdentityProviderSelectorTests.ResolvePasswordProvider_UsesSingleProviderWhenNoParameter",
"AuthorityIdentityProviderSelectorTests.ResolvePasswordProvider_FailsWhenNoProviders",
"AuthorityIdentityProviderSelectorTests.ResolvePasswordProvider_RequiresParameterWhenMultipleProviders",
"AuthorityIdentityProviderSelectorTests.ResolvePasswordProvider_HonoursProviderParameter"
],
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"Registry indexes multiple providers by name and aggregates capabilities (password, MFA, client provisioning, bootstrap)",
"AcquireAsync returns scoped provider instances with unique InstanceIds confirming DI scope isolation",
"Duplicate provider names are handled gracefully - first registration wins",
"Selector resolves single password provider automatically when no parameter specified",
"Selector requires explicit provider parameter when multiple password providers registered",
"Selector honours provider parameter to route to specific named provider (e.g., ldap)",
"Selector returns error with correct OpenIddict error codes when no providers available or parameter missing"
],
"assertionQuality": "strong - tests verify capability aggregation, scoped resolution, duplicate handling, and parameter-based routing with correct error codes"
}
}

43
docs/qa/feature-checks/runs/authority/authority-module-with-oidc-oauth2-dpop-mtls/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,43 @@
{
"feature": "authority-module-with-oidc-oauth2-dpop-mtls",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 13,
"presentFiles": 13,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProject": "StellaOps.Authority.Tests.csproj",
"relevantTests": [
"ClientCredentialsHandlersTests (multiple tests - scope validation, grant type validation, DPoP binding, mTLS binding, audit logging)",
"DiscoveryMetadataTests",
"PasswordGrantHandlersTests",
"TokenPersistenceIntegrationTests"
],
"totalRelevantTestCount": "50+",
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"ClientCredentialsHandler rejects requests when scope not in client's allowed scopes (InvalidScope error)",
"ClientCredentialsHandler rejects obs:incident scope appropriately",
"DPoP proof validation validates sender-constrained tokens via AuthoritySenderConstraintHelper",
"mTLS certificate validation through AuthorityClientCertificateValidator checks certificate thumbprints",
"Token persistence integrates with both InMemory and Postgres stores",
"Discovery metadata endpoints return correct OIDC configuration",
"Password grant handlers validate credentials through identity provider plugins",
"TokenRequestTamperInspector detects tampered requests",
"RevocationHandlers invalidate tokens properly",
"TokenValidationHandlers verify token integrity and binding"
],
"assertionQuality": "strong - tests verify scope enforcement, grant type validation, DPoP/mTLS binding, audit logging, and error responses with specific OpenIddict error codes"
}
}

40
docs/qa/feature-checks/runs/authority/authority-plugin-system/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,40 @@
{
"feature": "authority-plugin-system",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 12,
"presentFiles": 12,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProjects": [
"StellaOps.Authority.Tests.csproj (AuthorityPluginLoaderTests)",
"StellaOps.Authority.Plugin.Standard.Tests.csproj (39 tests)",
"StellaOps.Authority.Plugin.Ldap.Tests.csproj (75 tests)",
"StellaOps.Authority.Plugin.Oidc.Tests.csproj (44 tests)",
"StellaOps.Authority.Plugin.Saml.Tests.csproj (38 tests)"
],
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"AuthorityPluginLoader.RegisterPluginsCore returns empty summary when no plugins configured",
"AuthorityPluginLoader records failure with plugin name and reason when assembly is missing",
"AuthorityPluginLoader registers enabled plugin when registrar is available in loaded assembly",
"Standard plugin (39 tests): bootstraps admin user, validates credentials, audit logs credential operations",
"LDAP plugin (75 tests): claims enrichment, client provisioning, capability probing, DN parsing, credential store, TLS connections",
"OIDC plugin (44 tests): external OIDC identity provider flow, token exchange, claims mapping",
"SAML plugin (38 tests): SAML assertion validation, claims extraction, protocol flow handling",
"Each plugin implements IAuthorityPluginRegistrar and registers with AuthorityPluginRegistrationContext"
],
"assertionQuality": "strong - 196+ plugin-specific tests across 4 concrete plugins plus loader tests verifying assembly discovery, registration lifecycle, failure reporting"
}
}

37
docs/qa/feature-checks/runs/authority/authority-sealed-mode-evidence-validator/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,37 @@
{
"feature": "authority-sealed-mode-evidence-validator",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 8,
"presentFiles": 8,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProjects": [
"StellaOps.Authority.Tests.csproj (AuthoritySealedModeEvidenceValidatorTests, AirgapAuditEndpointsTests)",
"StellaOps.Authority.Persistence.Tests.csproj (OfflineKitAuditRepositoryTests)"
],
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"ValidateAsync returns success (IsSatisfied=true) when evidence file is fresh and all checks pass",
"ValidateAsync returns failure with code 'evidence_missing' when evidence file does not exist",
"ValidateAsync returns failure with code 'evidence_stale' when evidence timestamp exceeds MaxEvidenceAge",
"Validator reads evidence from file path configured in StellaOpsAuthorityOptions.AirGap.SealedMode",
"Evidence includes health checks for authority, signer, attestor, and egress services",
"AirgapAuditEndpoints provide REST API for querying audit logs",
"OfflineKitAuditRepository persists audit records for offline kit operations",
"OfflineKitAuditEmitter emits events for offline kit operations"
],
"assertionQuality": "strong - tests verify evidence freshness validation, missing file handling, stale evidence detection with specific failure codes, and correct configuration binding"
}
}

37
docs/qa/feature-checks/runs/authority/cli-dpop-bound-authentication/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,37 @@
{
"feature": "cli-dpop-bound-authentication",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 10,
"presentFiles": 10,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProjects": [
"StellaOps.Auth.Client.Tests.csproj (28 tests)",
"StellaOps.Authority.Tests.csproj (ClientCredentialsHandlersTests - DPoP handling)"
],
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"Auth.Client.Tests (28 tests) cover StellaOpsTokenClient, StellaOpsBearerTokenHandler, FileTokenCache, InMemoryTokenCache, MessagingTokenCache",
"DPoP proof generation in StellaOpsTokenClient creates JWTs with jkt (JWK thumbprint) claim",
"StellaOpsBearerTokenHandler attaches DPoP proof headers to outgoing API requests",
"FileTokenCache persists DPoP-bound tokens to disk for CLI session continuity",
"InMemoryTokenCache provides in-process caching for DPoP tokens",
"StellaOpsAuthClientOptions configures DPoP key material, Authority URL, and client credentials",
"StellaOpsApiAuthMode enumerates Bearer, DPoP, and mTLS authentication modes",
"Server-side DpopHandlers validates proof JWTs and binds tokens (covered in Authority.Tests)"
],
"assertionQuality": "strong - 28 client-side tests plus server-side DPoP handler tests verify end-to-end DPoP flow including proof generation, token binding, caching, and API request handling"
}
}

38
docs/qa/feature-checks/runs/authority/ldap-plugin-with-claims-enrichment-and-client-provisioning/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,38 @@
{
"feature": "ldap-plugin-with-claims-enrichment-and-client-provisioning",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 12,
"presentFiles": 12,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProject": "StellaOps.Authority.Plugin.Ldap.Tests.csproj",
"totalTests": 75,
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"75 tests across Claims/, ClientProvisioning/, Credentials/, Resilience/, Security/, Snapshots/ subdirectories",
"LdapClaimsEnricher maps LDAP attributes (group memberships, department, title) to OAuth2 claims",
"InMemoryLdapClaimsCache and MessagingLdapClaimsCache provide caching with in-memory and distributed implementations",
"LdapClientProvisioningStore auto-creates OAuth2 clients from LDAP service account entries",
"LdapCapabilityProbe tests probe LDAP server capabilities (controls, extensions, schema)",
"LdapCapabilitySnapshotCache caches probe results to avoid repeated LDAP queries",
"LdapDistinguishedNameHelper parses complex DNs (CN=John Doe,OU=Users,DC=example,DC=com)",
"LdapCredentialStore manages LDAP bind credentials",
"LdapSecretResolver resolves LDAP secrets from secure storage",
"LdapMetrics records bind latency and search duration via OpenTelemetry",
"Resilience tests verify retry policies and circuit breaker behavior for LDAP connections"
],
"assertionQuality": "strong - comprehensive 75-test suite covering claims enrichment, client provisioning, credential management, resilience, security, and snapshot caching with meaningful behavioral assertions"
}
}

38
docs/qa/feature-checks/runs/authority/local-rbac-policy-fallback-with-break-glass-access/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,38 @@
{
"feature": "local-rbac-policy-fallback-with-break-glass-access",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 9,
"presentFiles": 9,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProjects": [
"StellaOps.Authority.Tests.csproj (FileBasedPolicyStoreTests, FallbackPolicyStoreIntegrationTests)",
"StellaOps.Authority.Persistence.Tests.csproj (RoleBasedAccessTests, RoleRepositoryTests, PermissionRepositoryTests)"
],
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"FileBasedPolicyStore correctly serializes and deserializes JSON policy with roles (admin, operator, auditor), subjects, and break-glass configuration",
"Policy model supports role inheritance (auditor inherits operator scopes)",
"Subject model supports enabled/disabled flag and expiration dates",
"Break-glass configuration includes bcrypt credential hashing, session timeout, max extensions, and required reason codes",
"FallbackPolicyStore integration tests verify mode switching between Primary, Fallback, and Degraded modes",
"Fallback triggers after configurable consecutive failure threshold",
"Health check integration restores primary store when health recovers",
"RoleRepository and PermissionRepository provide Postgres-backed primary RBAC store",
"RoleBasedAccessTests verify role-scope mapping and permission evaluation"
],
"assertionQuality": "strong - tests verify policy serialization, role inheritance, subject lifecycle (enabled/disabled/expired), break-glass credential configuration, and fallback mode transitions"
}
}

39
docs/qa/feature-checks/runs/authority/multi-tenant-scope-based-authorization/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,39 @@
{
"feature": "multi-tenant-scope-based-authorization",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 11,
"presentFiles": 11,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProjects": [
"StellaOps.Auth.ServerIntegration.Tests.csproj (27 tests)",
"StellaOps.Auth.Abstractions.Tests.csproj (103 tests)",
"StellaOps.Authority.Persistence.Tests.csproj (TenantRepository tests)"
],
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"Auth.Abstractions.Tests (103 tests) verify StellaOpsScopes enumeration, StellaOpsTenancyDefaults, and claim type definitions",
"Auth.ServerIntegration.Tests (27 tests) verify StellaOpsScopeAuthorizationHandler, StellaOpsScopeRequirement, and StellaOpsResourceServerPolicies",
"ScopeAuthorizationHandler evaluates scope requirements against user token scopes",
"ResourceServerPolicies register pre-defined authorization policies per module (Scanner, Attestor, Policy, etc.)",
"AuthorizationPolicyBuilderExtensions provide RequireScope and RequireAnyScope methods",
"TenantHeaderFilter extracts tenant ID from HTTP headers and sets tenant context",
"AuthorityTenantCatalog manages tenant registration and metadata",
"TenantRepository provides Postgres-backed CRUD for tenant records",
"TenantEntity models include tenant isolation and configuration"
],
"assertionQuality": "strong - 130+ tests across abstractions and server integration verify scope definitions, authorization policies, tenant isolation, and claim type consistency"
}
}

39
docs/qa/feature-checks/runs/authority/pack-rbac-roles-and-cli-profiles/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,39 @@
{
"feature": "pack-rbac-roles-and-cli-profiles",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 8,
"presentFiles": 8,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProjects": [
"StellaOps.Auth.ServerIntegration.Tests.csproj (27 tests - includes AddPacksResourcePolicies)",
"StellaOps.Auth.Abstractions.Tests.csproj (103 tests - includes packs scope definitions)",
"StellaOps.Auth.Client.Tests.csproj (28 tests - includes profile/token client tests)",
"StellaOps.Authority.Persistence.Tests.csproj (RoleBasedAccessTests, RoleRepositoryTests)"
],
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"StellaOpsScopes defines pack-specific scopes: packs:read, packs:execute, packs:publish, packs:approve, packs:admin",
"StellaOpsResourceServerPolicies.AddPacksResourcePolicies registers five authorization policies with deterministic scope bundles",
"RequireScope and RequireAnyScope extension methods used by pack policies for scope-based authorization",
"StellaOpsClaimTypes defines custom claim types including pack role claims",
"StellaOpsAuthClientOptions configures CLI profile with scope bundle for each role",
"StellaOpsTokenClient acquires tokens with correct scope bundle for configured CLI profile/role",
"FileTokenCache stores per-profile tokens to disk for CLI session continuity",
"RoleRepository stores role definitions including pack roles in PostgreSQL"
],
"assertionQuality": "strong - pack scope definitions verified through Auth.Abstractions.Tests, policy registration through ServerIntegration.Tests, CLI profile token acquisition through Auth.Client.Tests, and role persistence through Persistence.Tests"
}
}

39
docs/qa/feature-checks/runs/authority/plugin-sdk-plugin-architecture/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,39 @@
{
"feature": "plugin-sdk-plugin-architecture",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 18,
"presentFiles": 18,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProjects": [
"StellaOps.Authority.Tests.csproj (AuthorityPluginLoaderTests)",
"StellaOps.Authority.Plugins.Abstractions.Tests.csproj (32 tests)"
],
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"AuthorityPluginLoader.RegisterPluginsCore returns empty summary when no plugins configured",
"AuthorityPluginLoader records failure when assembly is missing with plugin name and reason",
"AuthorityPluginLoader registers enabled plugin when registrar (IAuthorityPluginRegistrar) is found in loaded assembly",
"Plugins.Abstractions.Tests (32 tests) verify plugin contracts: IAuthorityPlugin, IAuthorityPluginRegistrar, IAuthorityIdentityProviderPlugin",
"AuthorityPluginRegistrationContext provides DI services access during plugin registration",
"AuthorityCredentialAuditContext supports audit trail for credential operations",
"AuthoritySecretHasher abstraction enables pluggable password/secret hashing",
"AuthorityClientMetadataKeys defines standardized metadata keys for client configuration",
"AuthorityPluginRegistrationSummary captures registered plugins, failures, and missing ordered plugins",
"Five concrete plugin registrars (Standard, LDAP, OIDC, SAML, Unified) all implement the SDK interfaces"
],
"assertionQuality": "strong - 32 abstractions tests plus plugin loader tests verify the full SDK contract surface, assembly discovery, registration lifecycle, and failure reporting"
}
}

40
docs/qa/feature-checks/runs/authority/postgres-backend-store-prototype-for-authority-tokens/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,40 @@
{
"feature": "postgres-backend-store-prototype-for-authority-tokens",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 12,
"presentFiles": 12,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProjects": [
"StellaOps.Authority.Tests.csproj (PostgresAdapterTests)",
"StellaOps.Authority.Persistence.Tests.csproj (TokenRepositoryTests, RefreshTokenRepositoryTests, InMemoryStoreTests, SessionRepositoryTests, AuthorityMigrationTests)"
],
"totalPersistenceTests": 75,
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"PostgresClientStore uses AuthorityIdGenerator and TimeProvider for deterministic ID and timestamp assignment",
"PostgresServiceAccountStore assigns generated IDs and clock-based timestamps on upsert",
"PostgresLoginAttemptStore uses ID generator for login attempt tracking",
"TokenRepositoryTests verify token CRUD operations against embedded Postgres",
"RefreshTokenRepositoryTests verify refresh token rotation and exchange",
"InMemoryStoreTests verify InMemoryStores implements IAuthorityStores with same interface parity",
"SessionRepositoryTests verify session persistence and lookup",
"AuthorityMigrationTests verify EF Core migrations create schema correctly on empty database",
"PostgresRevocationStore and PostgresRevocationExportStateStore handle token revocation lifecycle",
"PostgresBootstrapInviteStore manages initial setup invites"
],
"assertionQuality": "strong - 75 persistence tests plus PostgresAdapter unit tests verify CRUD operations, ID generation, clock integration, schema migrations, and InMemory/Postgres interface parity"
}
}

39
docs/qa/feature-checks/runs/authority/rfc-3161-tsa-client-for-ci-cd-timestamping/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,39 @@
{
"feature": "rfc-3161-tsa-client-for-ci-cd-timestamping",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 20,
"presentFiles": 20,
"missingFiles": 0,
"note": "Core TSA client infrastructure fully implemented; CI/CD pipeline integration hooks are documented as missing in feature spec"
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProjects": [
"StellaOps.Authority.Timestamping.Tests.csproj (16 tests)",
"StellaOps.Authority.Timestamping.Abstractions.Tests.csproj (16 tests)"
],
"totalTests": 32,
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"TimeStampReqEncoder tests verify ASN.1 request encoding with algorithm selection and extension support",
"TimeStampRespDecoder tests verify ASN.1 response decoding of TimeStampResp structures",
"TimeStampTokenVerifier tests verify message imprint mismatch detection and nonce mismatch detection",
"TsaProviderRegistry tests verify priority-based provider ordering, health check (HTTP HEAD), and success/failure statistics tracking",
"InMemoryTsaCacheStore tests verify response caching to reduce TSA provider load",
"Timestamping.Abstractions.Tests (16 tests) verify TimeStampRequest, TimeStampResponse, TimeStampToken, TstInfo, TstAccuracy, verification options, and TsaClientOptions data models",
"CiCdTimestampingService tests and InMemoryArtifactTimestampRegistry tests present in test project",
"Feature spec explicitly documents missing CI/CD pipeline integration hooks, timestamped artifact registry integration, and eIDAS compliance checks as future work - these are NOT bugs but planned enhancements"
],
"assertionQuality": "strong - 32 tests verify core TSA client infrastructure (ASN.1 encoding/decoding, token verification, provider registry, caching, and abstraction contracts)"
}
}

40
docs/qa/feature-checks/runs/authority/trust-root-and-certificate-chain-verification/run-001/tier2-integration-check.json Normal file
View File

@@ -0,0 +1,40 @@
{
"feature": "trust-root-and-certificate-chain-verification",
"module": "authority",
"runId": "run-001",
"timestamp": "2026-02-13T00:00:00Z",
"tier": "tier2d",
"status": "pass",
"tier0": {
"status": "pass",
"referencedFiles": 18,
"presentFiles": 18,
"missingFiles": 0
},
"tier1": {
"status": "pass",
"buildResult": "success",
"testProjects": [
"StellaOps.Authority.Timestamping.Tests.csproj (TimeStampTokenVerifierTests, TsaProviderRegistryTests)",
"StellaOps.Authority.Tests.csproj (AuthorityJwksServiceTests, AuthoritySigningKeyManagerTests, KmsAuthoritySigningKeySourceTests, TokenSignVerifyRoundtripTests)"
],
"allPassed": true
},
"tier2d": {
"status": "pass",
"behavioralNotes": [
"TimeStampTokenVerifier detects message imprint mismatches (VerificationErrorCode.MessageImprintMismatch)",
"TimeStampTokenVerifier detects nonce mismatches when expected nonce does not match",
"TsaProviderRegistry respects provider priority ordering and tracks health status",
"AuthoritySigningKeyManager.Rotate replaces active key, retires previous key, and updates JWKS",
"After key rotation, JWKS endpoint serves both active and retired keys for validation continuity",
"TokenSignVerifyRoundtripTests verify RSA sign/verify roundtrip: token signed with private key validates with public key",
"Claims (sub, tenant, scope) are preserved through sign/verify cycle",
"AuthorityJwksService serves JSON Web Key Set with correct key status (Active/Retired)",
"KmsAuthoritySigningKeySource resolves signing keys from KMS",
"FileAuthoritySigningKeySource resolves signing keys from local PEM files",
"AuthorityDsseStatementSigner signs in-toto/DSSE statements using authority keys"
],
"assertionQuality": "strong - tests verify certificate chain validation via timestamp token verifier, key rotation with JWKS continuity, sign/verify roundtrips with claim preservation, and multiple key source implementations"
}
}