stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(scanner): Complete PoE implementation with Windows compatibility fix

Browse Source 
- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
2025-12-23 14:52:08 +02:00
parent 84d97fd22c
commit fcb5ffe25d
90 changed files with 9457 additions and 2039 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/11_AUTHORITY.md
View File

@@ -45,11 +45,12 @@ Authority persists every issued token in PostgreSQL so operators can audit or re
- **Client ID**: `console-web`
- **Grants**: `authorization_code` (PKCE required), `refresh_token`
- **Audience**: `console`
- **Scopes**: `openid`, `profile`, `email`, `advisory:read`, `advisory-ai:view`, `vex:read`, `aoc:verify`, `findings:read`, `orch:read`, `vuln:view`, `vuln:investigate`, `vuln:operate`, `vuln:audit`
- **Scopes**: `openid`, `profile`, `email`, `advisory:read`, `advisory-ai:view`, `vex:read`, `aoc:verify`, `findings:read`, `scanner:read`, `scanner:scan`, `scanner:export`, `orch:read`, `vuln:view`, `vuln:investigate`, `vuln:operate`, `vuln:audit`, `ui.read`, `ui.admin`, `authority:*`
- **Redirect URIs** (defaults): `https://console.stella-ops.local/oidc/callback`
- **Post-logout redirect**: `https://console.stella-ops.local/`
- **Tokens**: Access tokens inherit the global 2 minute lifetime; refresh tokens remain short-lived (30 days) and can be exchanged silently via `/token`.
- **Roles**: Assign Authority role `Orch.Viewer` (exposed to tenants as `role/orch-viewer`) when operators need read-only access to Orchestrator telemetry via Console dashboards. Policy Studio ships dedicated roles (`role/policy-author`, `role/policy-reviewer`, `role/policy-approver`, `role/policy-operator`, `role/policy-auditor`) plus the new attestation verbs (`policy:publish`, `policy:promote`) that align with the `policy:*` scope family; issue them per tenant so audit trails remain scoped and interactive attestations stay attributable.
- **Role bundles**: Module role bundles (Console, Scanner, Scheduler, Policy, Graph, Observability, etc.) are cataloged in `docs/architecture/console-admin-rbac.md` and should be seeded into Authority to keep UI and CLI defaults consistent.
Configuration sample (`etc/authority.yaml.sample`) seeds the client with a confidential secret so Console can negotiate the code exchange on the backend while browsers execute the PKCE dance.
@@ -71,9 +72,10 @@ Authority publishes the trio in OpenID discovery (`stellaops_advisory_ai_scopes_
### Console Authority endpoints
- `/console/tenants` Requires `authority:tenants.read`; returns the tenant catalogue for the authenticated principal. Requests lacking the `X-Stella-Tenant` header are rejected (`tenant_header_missing`) and logged.
- `/console/profile` Requires `ui.read`; exposes subject metadata (roles, scopes, audiences) and indicates whether the session is within the five-minute fresh-auth window.
- `/console/token/introspect` Requires `ui.read`; introspects the active access token so the SPA can prompt for re-authentication before privileged actions.
- `/console/tenants` - Requires `authority:tenants.read`; returns the tenant catalogue for the authenticated principal. Requests lacking the `X-Stella-Tenant` header are rejected (`tenant_header_missing`) and logged.
- `/console/profile` - Requires `ui.read`; exposes subject metadata (roles, scopes, audiences) and indicates whether the session is within the five-minute fresh-auth window.
- `/console/token/introspect` - Requires `ui.read`; introspects the active access token so the SPA can prompt for re-authentication before privileged actions.
- `/console/admin/*` - Requires `ui.admin` plus the relevant `authority:*` scope. Used by Console Admin for tenant, user, role, client, token, audit, and branding workflows.
All endpoints demand DPoP-bound tokens and propagate structured audit events (`authority.console.*`). Gateways must forward the `X-Stella-Tenant` header derived from the access token; downstream services rely on the same value for isolation. Keep Console access tokens short-lived (default 15minutes) and enforce the fresh-auth window for admin actions (`ui.admin`, `authority:*`, `policy:activate`, `exceptions:approve`).
- `status` (`valid`, `revoked`, `expired`), `createdAt`, optional `expiresAt`