StellaOps.Auth.Abstractions
Canonical telemetry metadata for the StellaOps Authority stack.
service.name resource attribute recorded by Authority components.
service.namespace resource attribute aligning Authority with other StellaOps services.
Activity source identifier used by Authority instrumentation.
Meter name used by Authority instrumentation.
Builds the default set of resource attributes (service name/namespace/version).
Optional assembly used to resolve the service version.
Resolves the service version string from the provided assembly (defaults to the Authority telemetry assembly).
Represents an IP network expressed in CIDR notation.
Initialises a new instance.
Canonical network address with host bits zeroed.
Prefix length (0-32 for IPv4, 0-128 for IPv6).
Canonical network address with host bits zeroed.
Prefix length.
Parses the supplied value as CIDR notation or a single IP address.
Thrown when the input is not recognised.
Attempts to parse the supplied value as CIDR notation or a single IP address.
Determines whether the provided address belongs to this network.
Evaluates remote addresses against configured network masks.
Creates a matcher from raw CIDR strings.
Sequence of CIDR entries or IP addresses.
Thrown when a value cannot be parsed.
Creates a matcher from already parsed masks.
Sequence of network masks.
Gets a matcher that allows every address.
Gets a matcher that denies every address (no masks configured).
Indicates whether this matcher has no masks configured and does not allow all.
Returns the configured masks.
Checks whether the provided address matches any of the configured masks.
Remote address to test.
true when the address is allowed.
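The parsing and matching rules described above (canonical network address with host bits zeroed, prefix length bounded per address family, a bare address treated as a single host, deny everything when no masks are configured), as a standalone C# example written for this page. CidrNetwork and CidrMatcher are illustrative names and not the library's own types; the configuration and addresses in Main are constructed. The folding of IPv4-mapped IPv6 literals to IPv4 is an added hardening step this page does not describe.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Sockets;

// Written for this page as an illustration; CidrNetwork and CidrMatcher stand in for the
// library's network mask and matcher types and are not its code.
public sealed class CidrNetwork
{
    public IPAddress Address { get; }   // canonical address, host bits zeroed
    public int PrefixLength { get; }    // 0-32 for IPv4, 0-128 for IPv6

    private CidrNetwork(IPAddress address, int prefix) { Address = address; PrefixLength = prefix; }

    // Throwing variant for configuration loading; TryParse below never throws.
    public static CidrNetwork Parse(string value) =>
        TryParse(value, out var network) ? network! : throw new FormatException($"'{value}' is not a CIDR range or IP address.");

    public static bool TryParse(string? value, out CidrNetwork? network)
    {
        network = null;
        if (string.IsNullOrWhiteSpace(value)) return false;
        var text = value.Trim();
        var slash = text.IndexOf('/');
        if (!IPAddress.TryParse(slash < 0 ? text : text[..slash], out var address)) return false;

        // Fold IPv4-mapped IPv6 literals (::ffff:10.0.0.1) to IPv4 so the mapped form
        // cannot sidestep an IPv4 mask (added hardening, not a rule from the page).
        if (address.IsIPv4MappedToIPv6) address = address.MapToIPv4();

        var maxBits = address.AddressFamily == AddressFamily.InterNetwork ? 32 : 128;
        var prefix = maxBits;           // a bare address is a single-host route
        if (slash >= 0 && (!int.TryParse(text[(slash + 1)..], out prefix) || prefix < 0 || prefix > maxBits))
            return false;

        network = new CidrNetwork(new IPAddress(ZeroHostBits(address.GetAddressBytes(), prefix)), prefix);
        return true;
    }

    public bool Contains(IPAddress address)
    {
        if (address.IsIPv4MappedToIPv6) address = address.MapToIPv4();
        if (address.AddressFamily != Address.AddressFamily) return false;
        return ZeroHostBits(address.GetAddressBytes(), PrefixLength).SequenceEqual(Address.GetAddressBytes());
    }

    // Keep the first `prefix` bits, clear the rest.
    private static byte[] ZeroHostBits(byte[] bytes, int prefix)
    {
        var result = (byte[])bytes.Clone();
        for (var i = 0; i < result.Length; i++)
        {
            var keep = Math.Clamp(prefix - i * 8, 0, 8);
            result[i] &= (byte)(keep == 0 ? 0 : 0xFF << (8 - keep));
        }
        return result;
    }

    public override string ToString() => $"{Address}/{PrefixLength}";
}

public sealed class CidrMatcher
{
    private readonly IReadOnlyList<CidrNetwork> masks;
    private readonly bool allowAll;
    private CidrMatcher(IReadOnlyList<CidrNetwork> masks, bool allowAll) { this.masks = masks; this.allowAll = allowAll; }

    public static CidrMatcher AllowAll { get; } = new(Array.Empty<CidrNetwork>(), allowAll: true);
    public static CidrMatcher DenyAll { get; } = new(Array.Empty<CidrNetwork>(), allowAll: false);
    public IReadOnlyList<CidrNetwork> Masks => masks;
    public bool IsEmpty => !allowAll && masks.Count == 0;   // an empty configuration denies, it never allows

    public static CidrMatcher FromStrings(IEnumerable<string> values) =>
        new(values.Select(CidrNetwork.Parse).ToList(), allowAll: false);

    public bool IsAllowed(IPAddress? remote)
    {
        if (allowAll) return true;
        if (remote is null) return false;   // no source address: never treat as a trusted network
        return masks.Any(mask => mask.Contains(remote));
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample configuration; the first entry deliberately has host bits set.
        var matcher = CidrMatcher.FromStrings(new[] { "10.20.30.40/24", "192.168.1.7", "fd00::/8" });
        Console.WriteLine("masks: " + string.Join(", ", matcher.Masks));
        foreach (var remote in new[] { "10.20.30.250", "10.20.31.1", "::ffff:10.20.30.9", "192.168.1.7", "fd12::1", "2001:db8::1" })
            Console.WriteLine($"{remote,-20} allowed={matcher.IsAllowed(IPAddress.Parse(remote))}");
        Console.WriteLine($"deny-all: empty={CidrMatcher.DenyAll.IsEmpty} loopback={CidrMatcher.DenyAll.IsAllowed(IPAddress.Loopback)}");
        Console.WriteLine($"allow-all: empty={CidrMatcher.AllowAll.IsEmpty} loopback={CidrMatcher.AllowAll.IsAllowed(IPAddress.Loopback)}");
    }
}
```

Two points worth checking in any implementation of this contract: a mask entered with host bits set ("10.20.30.40/24") must canonicalise to the network address, otherwise equality comparisons silently fail for every address except the one literally configured; and a matcher built from an empty list must deny, because a trusted-network bypass that defaults to "allow" on a missing setting is a configuration-error-to-bypass path.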
Default authentication constants used by StellaOps resource servers and clients.
Default authentication scheme for StellaOps bearer tokens.
Logical authentication type attached to identities authenticated with the bearer scheme.
Policy prefix applied to named authorization policies.
Canonical claim type identifiers used across StellaOps services.
Subject identifier claim (maps to sub in JWTs).
StellaOps tenant identifier claim (multi-tenant deployments).
StellaOps project identifier claim (optional project scoping within a tenant).
OAuth2/OIDC client identifier claim (maps to client_id).
Unique token identifier claim (maps to jti).
Authentication method reference claim (amr).
Space separated scope list (scope).
Individual scope items (scp).
OAuth2 resource audiences (aud).
Identity provider hint for downstream services.
Operator reason supplied when issuing orchestrator control tokens.
Operator ticket supplied when issuing orchestrator control tokens.
Quota change reason supplied when issuing Orchestrator quota tokens.
Quota change ticket/incident reference supplied when issuing Orchestrator quota tokens.
Incident activation reason recorded when issuing observability incident tokens.
Session identifier claim (sid).
Fluent helper used to construct instances that follow StellaOps conventions.
Adds or replaces the canonical subject identifier.
Adds or replaces the canonical client identifier.
Adds or replaces the tenant identifier claim.
Adds or replaces the user display name claim.
Adds or replaces the identity provider claim.
Adds or replaces the session identifier claim.
Adds or replaces the token identifier claim.
Adds or replaces the authentication method reference claim.
Sets the name claim type used when building the identity.
Sets the role claim type used when building the identity.
Sets the authentication type stamped on the built identity.
Registers the supplied scopes (normalised to lower-case, deduplicated, sorted).
Registers the supplied audiences (trimmed, deduplicated, sorted).
Adds a single audience.
Adds an arbitrary claim (no deduplication is performed).
Adds multiple claims (incoming claims are cloned to enforce value trimming).
Adds an iat (issued at) claim using Unix time seconds.
Adds an nbf (not before) claim using Unix time seconds.
Adds an exp (expires) claim using Unix time seconds.
Returns the normalised scope list (deduplicated + sorted).
Returns the normalised audience list (deduplicated + sorted).
Builds the immutable instance based on the registered data.
Factory helpers for returning RFC 7807 problem responses using StellaOps conventions.
Produces a 401 problem response indicating authentication is required.
Produces a 401 problem response for invalid, expired, or revoked tokens.
Produces a 403 problem response when access is denied.
Produces a 403 problem response for insufficient scopes.
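How the builder conventions (adds-or-replaces claim semantics, lower-cased deduplicated sorted scopes emitted both as the space-separated scope claim and as individual scp claims, Unix-second iat/nbf/exp), scope normalisation, and the 401/403 problem responses fit together on the resource-server side, as an added C# example written for this page rather than taken from the library. BearerClaimsBuilder, ScopeGate and Problem are illustrative names, the "example:*" scope values are placeholders rather than StellaOps scopes, and "about:blank" is used because the library's problem type URIs are not given on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Claims;

// Written for this page as an illustration; not the library's builder, problem factory or
// scope helper. Only JWT-standard claim types are used and the scope values are placeholders.
public static class ScopeConventions
{
    // Trim and lower-case; blank input normalises to null.
    public static string? Normalize(string? scope) =>
        string.IsNullOrWhiteSpace(scope) ? null : scope.Trim().ToLowerInvariant();

    // Normalise, drop blanks, deduplicate, sort with an ordinal comparer so output is deterministic.
    public static IReadOnlyList<string> NormalizeSet(IEnumerable<string?> scopes) =>
        scopes.Select(Normalize).OfType<string>().Distinct(StringComparer.Ordinal)
              .OrderBy(s => s, StringComparer.Ordinal).ToList();
}

public sealed class BearerClaimsBuilder
{
    private readonly List<Claim> claims = new();
    private readonly List<string?> scopes = new();
    public BearerClaimsBuilder WithSubject(string subject) => Replace("sub", subject);
    public BearerClaimsBuilder WithClientId(string clientId) => Replace("client_id", clientId);
    public BearerClaimsBuilder WithScopes(params string?[] values) { scopes.AddRange(values); return this; }

    // iat, nbf and exp are emitted as Unix seconds.
    public BearerClaimsBuilder WithLifetime(DateTimeOffset issuedAt, TimeSpan lifetime) =>
        Replace("iat", Unix(issuedAt)).Replace("nbf", Unix(issuedAt)).Replace("exp", Unix(issuedAt + lifetime));

    public ClaimsPrincipal Build()
    {
        // The authentication type is what makes IsAuthenticated true downstream.
        var identity = new ClaimsIdentity(claims, authenticationType: "Bearer");
        var scopeList = ScopeConventions.NormalizeSet(scopes);
        if (scopeList.Count > 0)
        {
            identity.AddClaim(new Claim("scope", string.Join(' ', scopeList)));          // space-separated list
            foreach (var scope in scopeList) identity.AddClaim(new Claim("scp", scope)); // one claim per scope
        }
        return new ClaimsPrincipal(identity);
    }

    private static string Unix(DateTimeOffset at) => at.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture);

    // "Adds or replaces": repeating a claim type overwrites it instead of duplicating it.
    private BearerClaimsBuilder Replace(string type, string value)
    {
        claims.RemoveAll(c => c.Type == type);
        claims.Add(new Claim(type, value.Trim()));
        return this;
    }
}

// RFC 7807 fields; "about:blank" is the RFC's default type URI (the library's own URIs are not on this page).
public sealed record Problem(int Status, string Title, string Detail, string Type = "about:blank");

public static class ScopeGate
{
    // Null means the request may proceed; otherwise the problem response to return.
    public static Problem? Check(ClaimsPrincipal principal, string requiredScope, DateTimeOffset now)
    {
        var required = ScopeConventions.Normalize(requiredScope)
            ?? throw new ArgumentException("Required scope must not be blank.", nameof(requiredScope));
        if (principal.Identity?.IsAuthenticated != true)
            return new Problem(401, "Unauthorized", "Authentication is required.");

        var exp = principal.FindFirst("exp")?.Value;
        if (exp is not null && long.TryParse(exp, NumberStyles.Integer, CultureInfo.InvariantCulture, out var expSeconds)
                            && DateTimeOffset.FromUnixTimeSeconds(expSeconds) <= now)
            return new Problem(401, "Unauthorized", "The token has expired.");

        // Accept either encoding: the space-separated "scope" claim or individual "scp" claims.
        var granted = principal.FindAll("scp").Select(c => c.Value)
            .Concat(principal.FindAll("scope").SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries)))
            .Select(ScopeConventions.Normalize).OfType<string>().ToHashSet(StringComparer.Ordinal);
        return granted.Contains(required) ? null
            : new Problem(403, "Forbidden", $"The token does not carry the required scope '{required}'.");
    }
}

public static class Program
{
    public static void Main()
    {
        var issued = new DateTimeOffset(2024, 1, 1, 12, 0, 0, TimeSpan.Zero);
        var principal = new BearerClaimsBuilder()
            .WithSubject("user-123").WithClientId("cli")
            .WithScopes(" Example:Jobs.Trigger ", "example:jobs.trigger", "Example:Audit.Read", "")
            .WithLifetime(issued, TimeSpan.FromMinutes(10))
            .Build();
        Console.WriteLine("scope claim: " + principal.FindFirst("scope")?.Value);
        Report("granted", ScopeGate.Check(principal, "EXAMPLE:JOBS.TRIGGER", issued.AddMinutes(1)));
        Report("missing", ScopeGate.Check(principal, "example:policy.activate", issued.AddMinutes(1)));
        Report("expired", ScopeGate.Check(principal, "example:jobs.trigger", issued.AddMinutes(11)));
        Report("anonymous", ScopeGate.Check(new ClaimsPrincipal(new ClaimsIdentity()), "example:jobs.trigger", issued));
    }

    private static void Report(string label, Problem? problem) => Console.WriteLine(
        $"{label,-10} -> " + (problem is null ? "allow" : $"{problem.Status} {problem.Title}: {problem.Detail}"));
}
```

The ordering inside Check mirrors the split between the two 401 factories and the two 403 factories above: a missing or expired credential is a 401 regardless of which scope was requested, and only a valid, authenticated token that lacks the normalised scope reaches the 403 path. Normalising the required scope with the same helper as the granted ones is what keeps a mixed-case policy name from silently denying every caller.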
Canonical scope names supported by StellaOps services.
Scope required to trigger Concelier jobs.
Scope required to manage Concelier merge operations.
Scope granting administrative access to Authority user management.
Scope granting administrative access to Authority client registrations.
Scope granting read-only access to Authority audit logs.
Synthetic scope representing trusted network bypass.
Scope granting read-only access to console UX features.
Scope granting permission to approve exceptions.
Scope granting read-only access to raw advisory ingestion data.
Scope granting write access for raw advisory ingestion.
Scope granting read-only access to Advisory AI artefacts (summaries, remediation exports).
Scope permitting Advisory AI inference requests and workflow execution.
Scope granting administrative control over Advisory AI configuration and profiles.
Scope granting read-only access to raw VEX ingestion data.
Scope granting write access for raw VEX ingestion.
Scope granting permission to execute aggregation-only contract verification.
Scope granting read-only access to reachability signals.
Scope granting permission to write reachability signals.
Scope granting administrative access to reachability signal ingestion.
Scope granting permission to seal or unseal an installation in air-gapped mode.
Scope granting permission to import offline bundles while in air-gapped mode.
Scope granting read-only access to air-gap status and sealing state endpoints.
Scope granting permission to create or edit policy drafts.
Scope granting permission to author Policy Studio workspaces.
Scope granting permission to edit policy configurations.
Scope granting read-only access to policy metadata.
Scope granting permission to review Policy Studio drafts.
Scope granting permission to submit drafts for review.
Scope granting permission to approve or reject policies.
Scope granting permission to operate Policy Studio promotions and runs.
Scope granting permission to audit Policy Studio activity.
Scope granting permission to trigger policy runs and activation workflows.
Scope granting permission to activate policies.
Scope granting read-only access to effective findings materialised by Policy Engine.
Scope granting permission to run Policy Studio simulations.
Scope granted to Policy Engine service identity for writing effective findings.
Scope granting read-only access to graph queries and overlays.
Scope granting read-only access to Vuln Explorer resources and permalinks.
Scope granting read-only access to observability dashboards and overlays.
Scope granting read-only access to incident timelines and chronology data.
Scope granting permission to append events to incident timelines.
Scope granting permission to create evidence packets in the evidence locker.
Scope granting read-only access to stored evidence packets.
Scope granting permission to place or release legal holds on evidence packets.
Scope granting read-only access to attestation records and observer feeds.
Scope granting permission to activate or resolve observability incident mode controls.
Scope granting read-only access to export center runs and bundles.
Scope granting permission to operate export center scheduling and run execution.
Scope granting administrative control over export center retention, encryption keys, and scheduling policies.
Scope granting read-only access to notifier channels, rules, and delivery history.
Scope permitting notifier rule management, delivery actions, and channel operations.
Scope granting administrative control over notifier secrets, escalations, and platform-wide settings.
Scope granting read-only access to issuer directory catalogues.
Scope permitting creation and modification of issuer directory entries.
Scope granting administrative control over issuer directory resources (delete, audit bypass).
Scope required to issue or honour escalation actions for notifications.
Scope granting read-only access to Task Packs catalogues and manifests.
Scope permitting publication or updates to Task Packs in the registry.
Scope granting permission to execute Task Packs via CLI or Task Runner.
Scope granting permission to fulfil Task Pack approval gates.
Scope granting permission to enqueue or mutate graph build jobs.
Scope granting permission to export graph artefacts (GraphML/JSONL/etc.).
Scope granting permission to trigger what-if simulations on graphs.
Scope granting read-only access to Orchestrator job state and telemetry.
Scope granting permission to execute Orchestrator control actions.
Scope granting permission to manage Orchestrator quotas and elevated backfill tooling.
Scope granting read-only access to Authority tenant catalog APIs.
Normalises a scope string (trim/convert to lower case).
Scope raw value.
Normalised scope or null when the input is blank.
Checks whether the provided scope is registered as a built-in StellaOps scope.
Returns the full set of built-in scopes.
Canonical identifiers for StellaOps service principals.
Service identity used by Policy Engine when materialising effective findings.
Service identity used by Cartographer when constructing and maintaining graph projections.
Service identity used by Vuln Explorer when issuing scoped permalink requests.
Service identity used by Signals components when managing reachability facts.
Shared tenancy default values used across StellaOps services.
Sentinel value indicating the token is not scoped to a specific project.