Gateway Tenant Auth & ABAC Contract (Web V)
Status
- Draft v0.1 (2025-12-01); to be confirmed at 2025-12-02 checkpoint with Policy Guild.
Scope
- Gateway header/claim contract for tenant activation and scope validation across Web V endpoints.
- ABAC overlay hooks with Policy Engine (attributes, evaluation order, failure modes).
- Audit emission requirements for auth decisions (RBAC + ABAC).
Header & Claim Inputs
- `Authorization: Bearer <jwt>` — RS256/ES256, optionally DPoP-bound; claims: `iss`, `sub`, `aud`, `exp`, `iat`, `nbf`, `jti`, optional `scp` (scopes) and `ten` (tenant).
- `X-Stella-Tenant` — required, tenant slug or UUID; must match `ten` claim when present.
- `X-Stella-Project` — optional project/workspace slug; required for project-scoped routes.
- `X-Stella-Scopes` — optional override for service tokens; space-delimited (`policy:run notifier:emit`).
- `X-Stella-Trace-Id` — propagated trace ID for audit linking; if absent, gateway generates ULID-based trace ID.
- `X-Request-Id` — optional client request ID; echoed for idempotency diagnostics.
Processing Rules
- Validate JWT signature against offline bundle trust roots; enforce `aud` ∈ {`stellaops-web`, `stellaops-gateway`} and `exp`/`nbf`.
- Resolve tenant: prefer `X-Stella-Tenant`; fallback to `ten` claim when header missing; mismatch → `ERR_TENANT_MISMATCH`.
- Scope evaluation:
  - Base scopes from JWT `scp` or `X-Stella-Scopes`.
  - Enforce required scopes per route; deny with `ERR_SCOPE_MISMATCH` on missing scope.
- ABAC overlay:
  - Attribute sources: JWT claims (`sub`, `roles`, `org`), headers (`X-Stella-Tenant`, `X-Stella-Project`), request path/query/body attributes per route contract.
  - Evaluation order: RBAC allow → ABAC evaluate → deny overrides → allow.
  - Failure → `ERR_ABAC_DENY` with `reason` and `trace_id`.
- Determinism: reject requests lacking tenant header; no fallback to anonymous; enforce stable error codes.
Outputs
- On success: downstream context includes `tenant_id`, `project_id`, `subject`, `scopes`, `abac_result`, `trace_id`, `request_id`.
- On failure: structured envelope with `error.code`, `error.message`, `trace_id`, `request_id`; HTTP 401 for token errors, 403 for scope/ABAC denials, 400 for tenant mismatch/missing.
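
The processing rules and outputs above, sketched as an added example (not code from the StellaOps repository) that takes JWT claims already verified for signature, `aud`, `exp` and `nbf`. It follows the tenant-resolution rule's fallback to `ten` when the header is absent and rejects only when neither is present. Assumptions not in the draft: the `ERR_TENANT_MISSING` code, the `allow_scope_header` switch, placing `reason` under `error`, a space-delimited `scp`, and a UUID standing in for the ULID trace ID.

```python
import uuid

ERR_TENANT_MISSING = "ERR_TENANT_MISSING"  # hypothetical: the draft names no code for this case

def _scopes(value):
    # Accept a space-delimited string or a list; return a set of scope names.
    return set(value.split() if isinstance(value, str) else value or [])

def authorize(headers, claims, required_scopes, abac=None, allow_scope_header=False):
    """Return (http_status, body): downstream context on 200, error envelope otherwise."""
    h = {k.lower(): v for k, v in headers.items()}
    # Stand-in for the ULID-based trace ID the gateway generates when the header is absent.
    trace_id = h.get("x-stella-trace-id") or uuid.uuid4().hex
    request_id = h.get("x-request-id")

    def deny(status, code, message):
        return status, {"error": {"code": code, "message": message},
                        "trace_id": trace_id, "request_id": request_id}

    # Tenant: header preferred, claim as fallback; the two must agree when both exist.
    tenant, ten = h.get("x-stella-tenant"), claims.get("ten")
    if tenant and ten and tenant != ten:
        return deny(400, "ERR_TENANT_MISMATCH", "header and ten claim differ")
    tenant = tenant or ten
    if not tenant:
        return deny(400, ERR_TENANT_MISSING, "no tenant in header or token")

    # RBAC: the X-Stella-Scopes override is honoured only when the caller enables it.
    override = h.get("x-stella-scopes") if allow_scope_header else None
    scopes = _scopes(override if override is not None else claims.get("scp"))
    missing = set(required_scopes) - scopes
    if missing:
        return deny(403, "ERR_SCOPE_MISMATCH", "missing scope: " + " ".join(sorted(missing)))

    # ABAC runs only after RBAC allows; a deny here overrides that allow.
    attrs = {"sub": claims.get("sub"), "roles": claims.get("roles"), "org": claims.get("org"),
             "tenant": tenant, "project": h.get("x-stella-project")}
    allowed, reason = abac(attrs) if abac else (True, None)
    if not allowed:
        status, body = deny(403, "ERR_ABAC_DENY", "denied by policy")
        body["error"]["reason"] = reason  # placement inside the envelope is assumed
        return status, body

    return 200, {"tenant_id": tenant, "project_id": attrs["project"],
                 "subject": claims.get("sub"), "scopes": sorted(scopes),
                 "abac_result": "allow", "trace_id": trace_id, "request_id": request_id}
```

With `allow_scope_header` left off, a client-supplied `X-Stella-Scopes` cannot widen what the token's `scp` grants, which is the conservative default while the open question on that header is unresolved.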
Audit & Telemetry
- Emit DSSE-wrapped audit record: `{ tenant_id, project_id, subject, scopes, decision, reason_code, trace_id, request_id, route, ts_utc }`.
- Counters: `gateway.auth.success`, `gateway.auth.denied`, `gateway.auth.abac_denied`, `gateway.auth.tenant_missing`, labeled by route and tenant.
Open Questions
- Confirm whether DPoP binding is mandatory for Web gateway tokens.
- Confirm canonical scope names for service tokens and whether `X-Stella-Scopes` should be allowed in prod.