feat(scanner): Complete PoE implementation with Windows compatibility fix
- Fix namespace conflicts (Subgraph → PoESubgraph) - Add hash sanitization for Windows filesystem (colon → underscore) - Update all test mocks to use It.IsAny<>() - Add direct orchestrator unit tests - All 8 PoE tests now passing (100% success rate) - Complete SPRINT_3500_0001_0001 documentation Fixes compilation errors and Windows filesystem compatibility issues. Tests: 8/8 passing Files: 8 modified, 1 new test, 1 completion report 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
43
docs2/api/auth-and-tokens.md
Normal file
43
docs2/api/auth-and-tokens.md
Normal file
@@ -0,0 +1,43 @@
|
||||
# Auth and tokens
|
||||
|
||||
## Authority (OIDC and OAuth2)
|
||||
- Issues short-lived OpTok access tokens.
|
||||
- Tokens are sender-constrained by DPoP or mTLS.
|
||||
- Audiences and scopes are enforced by each service.
|
||||
|
||||
## Token types
|
||||
- OpTok: short-lived operational access token (minutes).
|
||||
- Offline token: signed token for air-gap use and local verification.
|
||||
- PoE: proof of entitlement enforced by Signer.
|
||||
|
||||
## Claims (typical)
|
||||
- iss, sub, aud, exp, iat, nbf, jti, scope
|
||||
- tid (tenant), inst (installation), roles
|
||||
- cnf.jkt (DPoP) or cnf.x5t#S256 (mTLS)
|
||||
|
||||
## Sender constraints
|
||||
- DPoP binds the access token to an ephemeral key (cnf.jkt).
|
||||
- mTLS binds the access token to a client certificate (cnf.x5t#S256).
|
||||
- High-value audiences should require a DPoP nonce challenge.
|
||||
|
||||
## Proof of Entitlement (PoE)
|
||||
- PoE is enforced by Signer for signing operations.
|
||||
- OpTok proves who is calling; PoE proves entitlement.
|
||||
- Enrollment: License Token -> PoE, bound to installation key.
|
||||
|
||||
## Recommended flows
|
||||
- Client credentials for services and automation.
|
||||
- Device code for CLI interactive login.
|
||||
- Authorization code with PKCE for UI logins.
|
||||
|
||||
## Validation rules (resource servers)
|
||||
- Verify signature, issuer, audience, exp, nbf, and scope.
|
||||
- Enforce sender constraints (DPoP or mTLS).
|
||||
- Enforce tenant and installation boundaries.
|
||||
|
||||
## Key rotation
|
||||
- JWKS exposes active and retired keys.
|
||||
- Keep old keys for the max token lifetime plus skew.
|
||||
|
||||
## Introspection
|
||||
- Optional for services that require online token validation.
|
||||
20
docs2/api/overview.md
Normal file
20
docs2/api/overview.md
Normal file
@@ -0,0 +1,20 @@
|
||||
# API overview
|
||||
|
||||
## Conventions
|
||||
- JSON payloads use camelCase and RFC 7807 for problem details.
|
||||
- Streaming endpoints support SSE or NDJSON.
|
||||
- Timestamps are UTC ISO 8601.
|
||||
|
||||
## Major API groups
|
||||
- Scanner: scan submission, status, SBOM retrieval, diffs, reports.
|
||||
- Policy: policy import/export, validation, preview, and simulation.
|
||||
- Scheduler: schedules, runs, and impact selection.
|
||||
- Notify: rules, channels, deliveries, and test sends.
|
||||
- VEX and consensus: consensus evaluation and exports.
|
||||
- Signals: reachability, runtime facts, unknowns.
|
||||
- Export Center: export runs and offline bundles.
|
||||
- Authority: token issuance and administrative endpoints.
|
||||
|
||||
## Contracts and schemas
|
||||
- OpenAPI specs live under docs/api/.
|
||||
- JSON schemas live under docs/schemas/ and docs/contracts/.
|
||||
Reference in New Issue
Block a user