stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
17d45a6d303350efb35db194b706c526070417be
git.stella-ops.org/docs/modules/authority/README.md
StellaOps Bot 17d45a6d30
Some checks failed
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
feat: Implement Filesystem and MongoDB provenance writers for PackRun execution context 
- Added `FilesystemPackRunProvenanceWriter` to write provenance manifests to the filesystem.
- Introduced `MongoPackRunArtifactReader` to read artifacts from MongoDB.
- Created `MongoPackRunProvenanceWriter` to store provenance manifests in MongoDB.
- Developed unit tests for filesystem and MongoDB provenance writers.
- Established `ITimelineEventStore` and `ITimelineIngestionService` interfaces for timeline event handling.
- Implemented `TimelineIngestionService` to validate and persist timeline events with hashing.
- Created PostgreSQL schema and migration scripts for timeline indexing.
- Added dependency injection support for timeline indexer services.
- Developed tests for timeline ingestion and schema validation.
2025-11-30 15:38:14 +02:00

2.5 KiB
Raw Blame History

StellaOps Authority

Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool.

Latest updates (2025-11-30)

  • Sprint tracker docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md and module TASKS.md added to mirror status.
  • Monitoring/observability references consolidated; Grafana JSON remains offline import (operations/grafana-dashboard.json).
  • Prior content retained: OpTok/DPoP/mTLS responsibilities, backup/restore, key rotation.

Responsibilities

  • Expose device-code, auth-code, and client-credential flows with DPoP or mTLS binding.
  • Manage signing keys, JWKS rotation, and PoE integration for plan enforcement.
  • Emit structured audit events and enforce tenant-aware scope policies.
  • Provide plugin surface for custom identity providers and credential validators.

Key components

  • StellaOps.Authority web host.
  • StellaOps.Authority.Plugin.* extensions for secret stores, identity bridges, and OpTok validation.
  • Telemetry and audit pipeline feeding Security/Observability stacks.

Integrations & dependencies

  • Signer/Attestor for PoE and OpTok introspection.
  • CLI/UI for login flows and token management.
  • Scheduler/Scanner for machine-to-machine scope enforcement.

Operational notes

  • MongoDB for tenant, client, and token state.
  • Key material in KMS/HSM with rotation runbooks (operations/key-rotation.md).
  • Monitoring runbook (operations/monitoring.md) and offline-import Grafana JSON (operations/grafana-dashboard.json).

Related resources

  • ./operations/backup-restore.md
  • ./operations/key-rotation.md
  • ./operations/monitoring.md
  • ./operations/grafana-dashboard.json
  • Sprint/status mirrors: docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md, docs/modules/authority/TASKS.md

Backlog references

  • DOCS-SEC-62-001 (scope hardening doc) in ../../TASKS.md.
  • AUTH-POLICY-20-001/002 follow-ups in src/Authority/StellaOps.Authority/TASKS.md.

Epic alignment

  • Epic 1 AOC enforcement: enforce OpTok scopes and guardrails supporting raw ingestion boundaries.
  • Epic 2 Policy Engine & Editor: supply policy evaluation/principal scopes and short-lived tokens for evaluator workflows.
  • Epic 4 Policy Studio: integrate approval/promotion signatures and policy registry access controls.
  • Epic 14 Identity & Tenancy: deliver tenant isolation, RBAC hierarchies, and governance tooling for authentication.