stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
1bf6bbf3955ecbd8d20f5eeb767da5c7f8324b57
git.stella-ops.org/docs/features/unchecked/notifier/ack-tokens-for-approval-workflows.md

2.5 KiB
Raw Blame History

Ack Tokens for Approval Workflows

Module

Notifier

Status

IMPLEMENTED

Description

HMAC-based ack token service with bridge integration for acknowledgement workflows. Note: uses HMAC rather than DSSE-signed tokens as described in the advisory.

Implementation Details

  • IAckTokenService interface: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Security/IAckTokenService.cs -- CreateToken, VerifyToken, CreateAckUrl for signed acknowledgement tokens with configurable expiration and metadata
  • HmacAckTokenService: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Security/HmacAckTokenService.cs -- HMAC-SHA256 implementation with HKDF key derivation, soa1 token prefix, versioned token format, configurable signing key
  • IAckBridge interface: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Escalation/IAckBridge.cs -- bridge between ack tokens and escalation engine
  • AckBridge: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Escalation/AckBridge.cs -- processes ack requests, maps external IDs to internal incident IDs, integrates with IEscalationEngine and IIncidentManager, supports audit logging
  • SecurityContracts: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Contracts/SecurityContracts.cs -- ack token request/response DTOs
  • PackApprovalAckRequest: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Contracts/PackApprovalAckRequest.cs -- pack approval ack request model
  • EscalationEndpoints: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/EscalationEndpoints.cs -- REST endpoints for ack token processing
  • SecurityEndpoints: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/SecurityEndpoints.cs -- security-related endpoints
  • Tests: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService.Tests/Escalation/AckBridgeTests.cs
  • OpenAPI: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/openapi/pack-approvals.yaml
  • Source: Feature matrix scan

E2E Test Plan

  • Verify HMAC ack token creation with configurable expiration (default 7 days)
  • Test token verification rejects expired, tampered, or malformed tokens
  • Verify AckBridge routes ack actions (ack, resolve, escalate) to escalation engine
  • Test ack URL generation and round-trip verification
  • Verify pack approval ack workflow through EscalationEndpoints
  • Test audit logging of ack processing events