stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions Releases Wiki Activity
Files
main
git.stella-ops.org/docs/modules/authority
History
master 66cb6c4b8a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Add guild charters and task boards for various components 
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
2025-11-01 02:21:46 +02:00
..
operations
Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
2025-10-31 19:16:43 +02:00
AGENTS.md
feat: Add guild charters and task boards for various components
2025-11-01 02:21:46 +02:00
architecture.md
feat(docs): Add comprehensive documentation for Vexer, Vulnerability Explorer, and Zastava modules
2025-10-30 00:09:39 +02:00
implementation_plan.md
Align AOC tasks for Excititor and Concelier
2025-10-31 18:50:15 +02:00
README.md
Align AOC tasks for Excititor and Concelier
2025-10-31 18:50:15 +02:00
TASKS.md
Align AOC tasks for Excititor and Concelier
2025-10-31 18:50:15 +02:00

README.md

StellaOps Authority

Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool.

Responsibilities

  • Expose device-code, auth-code, and client-credential flows with DPoP or mTLS binding.
  • Manage signing keys, JWKS rotation, and PoE integration for plan enforcement.
  • Emit structured audit events and enforce tenant-aware scope policies.
  • Provide plugin surface for custom identity providers and credential validators.

Key components

  • StellaOps.Authority web host.
  • StellaOps.Authority.Plugin.* extensions for secret stores, identity bridges, and OpTok validation.
  • Telemetry and audit pipeline feeding Security/Observability stacks.

Integrations & dependencies

  • Signer/Attestor for PoE and OpTok introspection.
  • CLI/UI for login flows and token management.
  • Scheduler/Scanner for machine-to-machine scope enforcement.

Operational notes

  • MongoDB for tenant, client, and token state.
  • Key material in KMS/HSM with rotation runbooks (see ./operations/key-rotation.md).
  • Grafana/Prometheus dashboards for auth latency/issuance.

Related resources

  • ./operations/backup-restore.md
  • ./operations/key-rotation.md
  • ./operations/monitoring.md
  • ./operations/grafana-dashboard.json

Backlog references

  • DOCS-SEC-62-001 (scope hardening doc) in ../../TASKS.md.
  • AUTH-POLICY-20-001/002 follow-ups in src/Authority/StellaOps.Authority/TASKS.md.

Epic alignment

  • Epic 1 AOC enforcement: enforce OpTok scopes and guardrails supporting raw ingestion boundaries.
  • Epic 2 Policy Engine & Editor: supply policy evaluation/principal scopes and short-lived tokens for evaluator workflows.
  • Epic 4 Policy Studio: integrate approval/promotion signatures and policy registry access controls.
  • Epic 14 Identity & Tenancy: deliver tenant isolation, RBAC hierarchies, and governance tooling for authentication.