feat: Implement policy attestation features and service account delegation

- Added new policy scopes: `policy:publish` and `policy:promote` with interactive-only enforcement. - Introduced metadata parameters for policy actions: `policy_reason`, `policy_ticket`, and `policy_digest`. - Enhanced token validation to require fresh authentication for policy attestation tokens. - Updated grant handlers to enforce policy scope checks and log audit information. - Implemented service account delegation configuration, including quotas and validation. - Seeded service accounts during application initialization based on configuration. - Updated documentation and tasks to reflect new features and changes.
2025-11-03 01:13:21 +02:00
parent 1d962ee6fc
commit ff0eca3a51
67 changed files with 5198 additions and 214 deletions
--- a/src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsScopes.cs
+++ b/src/Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOpsScopes.cs
@@ -154,14 +154,24 @@ public static class StellaOpsScopes
    public const string PolicyApprove = "policy:approve";

    /// <summary>
-    /// Scope granting permission to operate Policy Studio promotions and runs.
-    /// </summary>
-    public const string PolicyOperate = "policy:operate";
-
-    /// <summary>
-    /// Scope granting permission to audit Policy Studio activity.
-    /// </summary>
-    public const string PolicyAudit = "policy:audit";
+    /// Scope granting permission to operate Policy Studio promotions and runs.
+    /// </summary>
+    public const string PolicyOperate = "policy:operate";
+
+    /// <summary>
+    /// Scope granting permission to publish approved policy versions with attested artefacts.
+    /// </summary>
+    public const string PolicyPublish = "policy:publish";
+
+    /// <summary>
+    /// Scope granting permission to promote policy attestations between environments.
+    /// </summary>
+    public const string PolicyPromote = "policy:promote";
+
+    /// <summary>
+    /// Scope granting permission to audit Policy Studio activity.
+    /// </summary>
+    public const string PolicyAudit = "policy:audit";

    /// <summary>
    /// Scope granting permission to trigger policy runs and activation workflows.
@@ -377,12 +387,14 @@ public static class StellaOpsScopes
        PolicyEdit,
        PolicyRead,
        PolicyReview,
-        PolicySubmit,
-        PolicyApprove,
-        PolicyOperate,
-        PolicyAudit,
-        PolicyRun,
-        PolicyActivate,
+        PolicySubmit,
+        PolicyApprove,
+        PolicyOperate,
+        PolicyPublish,
+        PolicyPromote,
+        PolicyAudit,
+        PolicyRun,
+        PolicyActivate,
        PolicySimulate,
        FindingsRead,
        EffectiveWrite,