stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
108d1c64b323808d6085fca05818fc581c6b003a
git.stella-ops.org/docs/modules/authority/implementation_plan.md
StellaOps Bot 2eaf0f699b
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
feat: Implement air-gap functionality with timeline impact and evidence snapshot services 
- Added AirgapTimelineImpact, AirgapTimelineImpactInput, and AirgapTimelineImpactResult records for managing air-gap bundle import impacts.
- Introduced EvidenceSnapshotRecord, EvidenceSnapshotLinkInput, and EvidenceSnapshotLinkResult records for linking findings to evidence snapshots.
- Created IEvidenceSnapshotRepository interface for managing evidence snapshot records.
- Developed StalenessValidationService to validate staleness and enforce freshness thresholds.
- Implemented AirgapTimelineService for emitting timeline events related to bundle imports.
- Added EvidenceSnapshotService for linking findings to evidence snapshots and verifying their validity.
- Introduced AirGapOptions for configuring air-gap staleness enforcement and thresholds.
- Added minimal jsPDF stub for offline/testing builds in the web application.
- Created TypeScript definitions for jsPDF to enhance type safety in the web application.
2025-12-06 01:30:08 +02:00

5.4 KiB
Raw Blame History

Implementation plan — Authority

Current objectives

  • Maintain deterministic behaviour and offline parity across releases.
  • Keep documentation, telemetry, and runbooks aligned with the latest sprint outcomes.

Workstreams

  • Backlog grooming: reconcile open stories in ../../TASKS.md with this module's roadmap.
  • Implementation: collaborate with service owners to land feature work defined in SPRINTS/EPIC docs.
  • Validation: extend tests/fixtures to preserve determinism and provenance requirements.

Epic milestones

  • Epic 1 AOC enforcement: deliver OpTok scopes, guardrails, and AOC verifier hooks for ingestion services.
  • Epic 2 Policy Engine & Editor: support policy evaluator flows (device-code, client credentials, scope sandboxing).
  • Epic 4 Policy Studio: provide registry/promotion signing, approvals, and fresh-auth prompts.
  • Epic 14 Identity & Tenancy: implement tenant isolation, RBAC hierarchies, audit trails, and PoE integration.
  • Track additional work (DOCS-SEC-62-001, AUTH-POLICY-20-001/002) in ../../TASKS.md and src/Authority/**/TASKS.md.

Coordination

  • Review ./AGENTS.md before picking up new work.
  • Sync with cross-cutting teams noted in /docs/implplan/SPRINT_*.md.
  • Update this plan whenever scope, dependencies, or guardrails change.

Sprint alignment (2025-11-30)

  • Docs refresh tracked in docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md; statuses mirrored in docs/modules/authority/TASKS.md.
  • Observability assets remain in operations/monitoring.md with Grafana JSON operations/grafana-dashboard.json (offline import).
  • Authority readiness tracker (AUTHORITY-ENG-0001) delivered 2025-11-27; future updates should adjust both sprint and TASKS.

Sprint readiness tracker

Last updated: 2025-11-27 (AUTHORITY-ENG-0001)

This section maps epic milestones to implementation sprints and tracks readiness checkpoints.

Epic 1 — AOC enforcement

Task ID Status Sprint Notes
AUTH-SIG-26-001 DONE (2025-10-29) SPRINT_0143_0001_0001_signals Signals scopes + AOC role templates; propagation validation complete.
AUTH-AIRGAP-57-001 DONE (2025-11-08) SPRINT_100_identity_signing Sealed-mode CI gating; refuses tokens when sealed install lacks confirmation.

Checkpoint: AOC enforcement operational with guardrails and scope policies in place.

Epic 2 — Policy Engine & Editor

Task ID Status Sprint Notes
AUTH-DPOP-11-001 DONE (2025-11-08) SPRINT_100_identity_signing DPoP validation on /token grants; interactive tokens inherit cnf.jkt.
AUTH-MTLS-11-002 DONE (2025-11-08) SPRINT_100_identity_signing Refresh grants enforce original client cert; x5t#S256 metadata persisted.

Checkpoint: DPoP and mTLS sender-constraint flows operational.

Epic 4 — Policy Studio

Task ID Status Sprint Notes
AUTH-PACKS-43-001 DONE (2025-11-09) SPRINT_100_identity_signing Pack signing policies, approval RBAC, CLI CI token scopes, audit logging.

Checkpoint: Pack signing and approval flows with fresh-auth prompts complete.

Epic 14 — Identity & Tenancy

Task ID Status Sprint Notes
AUTH-TEN-47-001 Contract published SPRINT_0115_0001_0004_concelier_iv Tenant-scope contract at docs/modules/authority/tenant-scope-47-001.md.
AUTH-CRYPTO-90-001 🔄 DOING SPRINT_0514_0001_0001_sovereign_crypto Sovereign signing provider; key-loading path migration in progress.

Checkpoint: Tenancy contract published; sovereign crypto provider integration in progress.

Future tasks

Task ID Status Sprint Notes
AUTH-REACH-401-005 📝 TODO SPRINT_0401_0001_0001_reachability_evidence_chain DSSE predicate types for SBOM/Graph/VEX/Replay; blocked on predicate definitions.
AUTH-VERIFY-186-007 📝 TODO SPRINT_186_record_deterministic_execution Verification helper for DSSE signatures and Rekor proofs; awaits provenance harness.

Checkpoint: Attestation predicate support and verification helpers pending upstream dependencies.

Overall readiness summary

Epic Status Blocking items
1 AOC enforcement Complete
2 Policy Engine & Editor Complete
4 Policy Studio Complete
14 Identity & Tenancy 🔄 In progress AUTH-CRYPTO-90-001 provider contract
Future (Attestation) 📝 Not started DSSE predicate schema; provenance harness

Cross-module dependencies

Dependency Required by Status
Signals scope propagation AUTH-SIG-26-001 Validated
Sealed-mode CI evidence AUTH-AIRGAP-57-001 Implemented
DSSE predicate definitions AUTH-REACH-401-005 Schema draft pending
Provenance harness (PROB0101) AUTH-VERIFY-186-007 In progress
Sovereign crypto keystore plan AUTH-CRYPTO-90-001 Prep published

Next actions

  1. Complete AUTH-CRYPTO-90-001 provider registry wiring (Sprint 0514).
  2. Coordinate DSSE predicate schema with Signer guild for AUTH-REACH-401-005 (Sprint 0401).
  3. Monitor PROB0101 provenance harness for AUTH-VERIFY-186-007 (Sprint 186).