# Ack Tokens for Approval Workflows

## Module
Notifier

## Status
VERIFIED

## Description
HMAC-based ack token service with bridge integration for acknowledgement workflows. Note: uses HMAC rather than DSSE-signed tokens as described in the advisory.

## Implementation Details
- **IAckTokenService interface**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Security/IAckTokenService.cs` -- `CreateToken`, `VerifyToken`, `CreateAckUrl` for signed acknowledgement tokens with configurable expiration and metadata
- **HmacAckTokenService**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Security/HmacAckTokenService.cs` -- HMAC-SHA256 implementation with HKDF key derivation, `soa1` token prefix, versioned token format, configurable signing key
- **IAckBridge interface**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Escalation/IAckBridge.cs` -- bridge between ack tokens and escalation engine
- **AckBridge**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Escalation/AckBridge.cs` -- processes ack requests, maps external IDs to internal incident IDs, integrates with `IEscalationEngine` and `IIncidentManager`, supports audit logging
- **SecurityContracts**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Contracts/SecurityContracts.cs` -- ack token request/response DTOs
- **PackApprovalAckRequest**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Contracts/PackApprovalAckRequest.cs` -- pack approval ack request model
- **EscalationEndpoints**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/EscalationEndpoints.cs` -- REST endpoints for ack token processing
- **SecurityEndpoints**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/SecurityEndpoints.cs` -- security-related endpoints
- **Tests**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService.Tests/Escalation/AckBridgeTests.cs`
- **OpenAPI**: `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/openapi/pack-approvals.yaml`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify HMAC ack token creation with configurable expiration (default 7 days)
- [ ] Test token verification rejects expired, tampered, or malformed tokens
- [ ] Verify AckBridge routes ack actions (ack, resolve, escalate) to escalation engine
- [ ] Test ack URL generation and round-trip verification
- [ ] Verify pack approval ack workflow through EscalationEndpoints
- [ ] Test audit logging of ack processing events

## Verification
- Verified on 2026-02-11 with `run-001`.
- Tier 0 source checks passed for ack token service, ack bridge, security/escalation endpoints, request contracts, and OpenAPI surface.
- Tier 1 build and focused behavior tests passed (`10/10` class-scoped, `505/505` full suite).
- Tier 2 API behavior checks passed using Notifier test-host routes for pack approval ack flows (positive + negative) and token verification behavior evidence.
- Evidence:
  - `docs/qa/feature-checks/runs/notifier/ack-tokens-for-approval-workflows/run-001/tier0-source-check.json`
  - `docs/qa/feature-checks/runs/notifier/ack-tokens-for-approval-workflows/run-001/tier1-build-check.json`
  - `docs/qa/feature-checks/runs/notifier/ack-tokens-for-approval-workflows/run-001/tier2-api-check.json`
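
The token behaviour this page lists (HMAC-SHA256 over an HKDF-derived key, `soa1` prefix, rejection of expired, tampered, or malformed tokens) can be illustrated with the sketch below. It is an added example, not the code in `HmacAckTokenService.cs`: the class name `AckTokenSketch`, the token layout, the payload field order, and the HKDF info label are assumptions, and it targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class AckTokenSketch // hypothetical name, not a StellaOps type
{
    private const string Prefix = "soa1"; // prefix named on the page; the rest of the layout is assumed
    // HKDF-SHA256: derive a purpose-bound 32-byte signing key from the configured key.
    private static byte[] SigningKey(byte[] configuredKey) =>
        HKDF.DeriveKey(HashAlgorithmName.SHA256, configuredKey, 32,
            salt: null, info: Encoding.UTF8.GetBytes("ack-token-sketch-v1")); // assumed info label
    private static string Enc(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    private static byte[] Dec(string s) => Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));

    // Assumed layout: soa1.<b64url("exp|action|incidentId")>.<b64url(HMAC-SHA256 of the first two parts)>
    public static string CreateToken(byte[] key, string incidentId, string action, DateTimeOffset expiresAt)
    {
        var body = Enc(Encoding.UTF8.GetBytes($"{expiresAt.ToUnixTimeSeconds()}|{action}|{incidentId}"));
        var mac = HMACSHA256.HashData(SigningKey(key), Encoding.UTF8.GetBytes($"{Prefix}.{body}"));
        return $"{Prefix}.{body}.{Enc(mac)}";
    }

    public static bool VerifyToken(byte[] key, string token, DateTimeOffset now,
        out string action, out string incidentId)
    {
        action = incidentId = "";
        var parts = (token ?? "").Split('.');
        if (parts.Length != 3 || parts[0] != Prefix) return false;        // malformed
        var expected = Enc(HMACSHA256.HashData(SigningKey(key),
            Encoding.UTF8.GetBytes($"{parts[0]}.{parts[1]}")));
        if (!CryptographicOperations.FixedTimeEquals(                       // constant-time MAC compare
                Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(parts[2])))
            return false;                                                   // tampered
        var fields = Encoding.UTF8.GetString(Dec(parts[1])).Split('|', 3);  // parsed only after the MAC check
        if (fields.Length != 3 || !long.TryParse(fields[0], out var exp)) return false;
        if (now.ToUnixTimeSeconds() >= exp) return false;                   // expired
        (action, incidentId) = (fields[1], fields[2]);
        return true;
    }

    public static void Main()
    {
        var key = RandomNumberGenerator.GetBytes(32);                       // constructed demo key
        var now = DateTimeOffset.UtcNow;
        var token = CreateToken(key, "incident-123", "ack", now.AddDays(7)); // 7 days: default on the page
        Console.WriteLine(VerifyToken(key, token, now, out _, out _));                  // untouched token
        Console.WriteLine(VerifyToken(key, token, now.AddDays(8), out _, out _));       // past expiry
        Console.WriteLine(VerifyToken(key, token.Insert(5, "A"), now, out _, out _));   // body altered
        Console.WriteLine(VerifyToken(key, "soa1.only-two-parts", now, out _, out _));  // wrong part count
    }
}
```

The expiry sits inside the MAC-covered body, so it cannot be extended without the signing key, and the body is decoded only after the MAC comparison succeeds.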