feat(scanner): Complete PoE implementation with Windows compatibility fix
- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.

Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@@ -65,6 +65,13 @@ Authority issues short-lived tokens bound to tenants and scopes. Sprint 19 int
| `orch:read` | Orchestrator dashboards/API | Read queued jobs, worker state, and rate-limit telemetry. | Tenant required; never grants mutation rights. |
| `orch:operate` | Orchestrator control actions | Execute pause/resume, retry, sync-now, and backfill operations. Requires tenant assignment **and** `operator_reason`/`operator_ticket` parameters when requesting tokens. |
| `orch:quota` | Orchestrator quota administration | Adjust per-tenant quotas, burst ceilings, and backfill allowances. Requires tenant assignment and `quota_reason` (≤256 chars); optional `quota_ticket` (≤128 chars) is recorded for audit. |
| `scanner:read` | Scanner API, Console | Read scan results, configurations, and summaries. | Tenant required; read-only access. |
| `scanner:scan` | Scanner control APIs | Trigger scans and pipelines. | Tenant required; operator workflows should enforce fresh-auth. |
| `scanner:export` | Scanner export APIs | Export scan artefacts and evidence bundles. | Tenant required; used by reporting flows. |
| `scanner:write` | Scanner admin APIs | Update scanner configuration, feeds, and tenants. | Tenant required; admin only. |
| `scheduler:read` | Scheduler API, Console | Read schedules, job runs, and worker status. | Proposed scope; add to Authority constants and gateway enforcement. |
| `scheduler:operate` | Scheduler control APIs | Trigger/manual run, pause/resume schedules. | Proposed scope; operator flows should enforce fresh-auth. |
| `scheduler:admin` | Scheduler admin APIs | Manage schedules, queues, and retention policies. | Proposed scope; admin only. |
| `packs.read` | Packs Registry, Task Runner | Discover Task Packs, download manifests, and inspect metadata. | Tenant claim required; Authority rejects cross-tenant tokens and tags violations with `authority.pack_scope_violation`. |
| `packs.write` | Packs Registry APIs | Publish or update Task Packs (requires signed bundles). | Tenant claim required; typically restricted to registry automation; violations surface via `authority.pack_scope_violation`. |
| `packs.run` | Task Runner | Execute Task Packs via CLI or Task Runner APIs. | Tenant claim required; Task Runner enforces tenant isolation; Authority emits `authority.pack_scope_violation` when missing. |
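Review bot: the three `scheduler:*` rows added here are labelled "Proposed scope; add to Authority constants and gateway enforcement", yet they sit in the same table as `scanner:*` and the enforced `orch:*` scopes, so a client or operator reading this table cannot tell which scopes Authority will actually issue today. Either move the proposed rows into their own "Proposed scopes" table or tag the scope cell itself (e.g. `scheduler:read` *(proposed)*) so the status survives a quick scan of column one; the `role/scheduler-*` bundles further down already use that "(proposed)" convention. Two smaller points: `scanner:scan` says "operator workflows should enforce fresh-auth" while every neighbouring row states what Authority itself enforces; say whether Authority requires fresh-auth for `scanner:scan` or whether this is only client guidance, because that decides whether a stolen long-lived operator token can trigger scans. And none of these scope-table rows relate to the PoE/Windows fix described in the commit message ("Fix namespace conflicts (Subgraph → PoESubgraph)", "Add hash sanitization for Windows filesystem"); the Authority scope documentation would be easier to review and revert as its own commit.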
@@ -73,7 +80,20 @@ Authority issues short-lived tokens bound to tenants and scopes. Sprint 19 int
| `exceptions:write` | Policy Engine → Authority bridge | Persist exception evaluations, lifecycle events, and status changes. | Tenant required; only service principals should hold this scope. |
| `exceptions:approve` | Console fresh-auth flows, delegated admins | Approve or reject exception requests routed through Authority. | Tenant required; Authority enforces MFA when any bound routing template has `requireMfa=true`. |
| `ui.read` | Console base APIs | Retrieve tenant catalog, profile metadata, and token introspection results. | Tenant header required; responses are DPoP-bound and audit logged. |
| `ui.admin` | Console admin workspace | Access admin routes and admin UI shell. | Must be paired with `authority:*` scopes; DPoP required. |
| `authority:tenants.read` | Console admin workspace | Enumerate configured tenants, default roles, and isolation metadata. | Tenant claim must match header; access audited via `authority.console.tenants.read`. |
| `authority:tenants.write` | Console admin workspace | Create and update tenant records (status, defaults, isolation). | Fresh-auth enforced for suspend/resume and isolation changes. |
| `authority:users.read` | Console admin workspace | List tenant users and role assignments. | Tenant claim must match header; audit logged. |
| `authority:users.write` | Console admin workspace | Update user status, assignments, and local users. | Fresh-auth enforced for disable/enable. |
| `authority:roles.read` | Console admin workspace | Read role bundles, scope mappings, and audiences. | Audit logged. |
| `authority:roles.write` | Console admin workspace | Create or update role bundles. | Fresh-auth enforced for role changes. |
| `authority:clients.read` | Console admin workspace | List OAuth clients, audiences, and grant settings. | Audit logged. |
| `authority:clients.write` | Console admin workspace | Create, update, or rotate client credentials. | Fresh-auth enforced for key rotation. |
| `authority:tokens.read` | Console admin workspace | Read active/revoked token inventory. | Audit logged. |
| `authority:tokens.revoke` | Console admin workspace | Revoke access/refresh/device tokens. | Fresh-auth enforced; revocation bundles emitted. |
| `authority:audit.read` | Console admin workspace | Read authority audit events. | Audit logged. |
| `authority:branding.read` | Console admin workspace | Read branding configuration. | Audit logged. |
| `authority:branding.write` | Console admin workspace | Update branding configuration (logo/theme tokens). | Fresh-auth enforced. |
| Existing scopes | (e.g., `policy:*`, `concelier.jobs.trigger`) | Unchanged. | `concelier.merge` is retired — clients must request `advisory:ingest`/`advisory:read`; requests continue to fail with `invalid_client`. Review `/docs/security/policy-governance.md` for policy-specific scopes. |
### 1.1 Scope bundles (roles)
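Review bot: the Notes column for the new `authority:*` rows is inconsistent about what fresh-auth covers, and the gaps look like policy decisions rather than omissions: `authority:clients.write` ("Create, update, or rotate client credentials") enforces fresh-auth only "for key rotation", although creating a new client with its own credentials grants at least as much as rotating an existing one; likewise `authority:tenants.write` enforces it only for suspend/resume and isolation changes, and `authority:users.write` only for disable/enable, which leaves role-assignment changes on a long-lived session. If that is intended, say so in each row (e.g. "Fresh-auth enforced for key rotation; create/update do not require it"); if not, extend fresh-auth to the create path. Separately, only `authority:tenants.read` names its audit event (`authority.console.tenants.read`) while the other read rows just say "Audit logged"; either name the event per row or state the naming rule once above the table (the one named event suggests an `authority.console.<resource>.<action>` pattern, but that is an inference from a single example) so operators can build detections from this page.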
@@ -86,6 +106,15 @@ Authority issues short-lived tokens bound to tenants and scopes. Sprint 19 int
- **`role/cartographer-service`** → `graph:write`, `graph:read`.
- **`role/graph-gateway`** → `graph:read`, `graph:export`, `graph:simulate`.
- **`role/console`** → `ui.read`, `advisory:read`, `vex:read`, `exceptions:read`, `aoc:verify`, `findings:read`, `airgap:status:read`, `orch:read`, `vuln:view`, `vuln:investigate`.
- **`role/console-viewer`** -> `ui.read`.
- **`role/console-admin`** -> `ui.read`, `ui.admin`, `authority:tenants.read`, `authority:users.read`, `authority:roles.read`, `authority:clients.read`, `authority:tokens.read`, `authority:audit.read`, `authority:branding.read`.
- **`role/console-superadmin`** -> `ui.read`, `ui.admin`, `authority:tenants.*`, `authority:users.*`, `authority:roles.*`, `authority:clients.*`, `authority:tokens.*`, `authority:audit.read`, `authority:branding.*`.
- **`role/scanner-viewer`** -> `scanner:read`.
- **`role/scanner-operator`** -> `scanner:read`, `scanner:scan`, `scanner:export`.
- **`role/scanner-admin`** -> `scanner:read`, `scanner:scan`, `scanner:export`, `scanner:write`.
- **`role/scheduler-viewer`** -> `scheduler:read` (proposed).
- **`role/scheduler-operator`** -> `scheduler:read`, `scheduler:operate` (proposed).
- **`role/scheduler-admin`** -> `scheduler:read`, `scheduler:operate`, `scheduler:admin` (proposed).
- **`role/ui-console-admin`** → `ui.read`, `authority:tenants.read`, `authority:roles.read`, `authority:tokens.read`, `authority:clients.read` (paired with write scopes where required).
- **`role/orch-viewer`** *(Authority role: `Orch.Viewer`)* → `orch:read`.
- **`role/orch-operator`** *(Authority role: `Orch.Operator`)* → `orch:read`, `orch:operate`.
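Review bot: `role/console-superadmin` is defined with wildcard scopes (`authority:tenants.*`, `authority:users.*`, and so on), but the scope table above lists only concrete `.read`/`.write`/`.revoke` scopes and never says that Authority expands a `*` suffix; if the seeding code treats the string literally, the role carries scopes no gateway matches, and if it expands, the expansion rule belongs next to the bundle (the "Existing scopes" row uses `policy:*` the same way, so a one-line definition would cover both). The new `role/console-admin` also overlaps with the existing `role/ui-console-admin` just below it: both carry `ui.read` plus `authority:tenants.read`, `authority:roles.read`, `authority:tokens.read` and `authority:clients.read`, but `role/ui-console-admin` lacks `ui.admin`, which the scope table says is what gates the admin routes; say which bundle Console should use, or mark `role/ui-console-admin` as superseded, so two "console admin" bundles do not drift apart. Style: the added lines use `->` while the surrounding bundles use `→`; keep one arrow.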
@@ -114,6 +143,8 @@ Authority issues short-lived tokens bound to tenants and scopes. Sprint 19 int
- **`role/exceptions-service`** → `exceptions:read`, `exceptions:write`.
- **`role/exceptions-approver`** → `exceptions:read`, `exceptions:approve`.
Full module role bundle catalog (Console, Scanner, Scheduler, Policy, Graph, Observability, etc.) is maintained in `docs/architecture/console-admin-rbac.md` and is the reference for Console admin UI and Authority seeding.
Roles are declared per tenant in `authority.yaml`:
```yaml
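Review bot: the added paragraph makes `docs/architecture/console-admin-rbac.md` "the reference for Console admin UI and Authority seeding", which demotes the bundles listed just above to a partial copy; state which document wins when the two disagree (the `role/console-*` and `role/scanner-*` bundles added in this commit are the obvious candidates to drift) and cross-link back from the catalog. The path is also written without the leading slash that the "Existing scopes" row uses for `/docs/security/policy-governance.md`; use one path convention. Minor grammar: "Full module role bundle catalog ... is maintained" reads better as "The full module role bundle catalog ... is maintained".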