git.stella-ops.org/docs/implplan/SPRINT_100_identity_signing.md
master 1d962ee6fc
Add OpenSslLegacyShim to ensure OpenSSL 1.1 libraries are accessible on Linux
This commit introduces the OpenSslLegacyShim class, which sets the LD_LIBRARY_PATH environment variable to include the directory containing OpenSSL 1.1 native libraries. This is necessary for Mongo2Go to function correctly on Linux platforms that do not ship these libraries by default. The shim checks if the current operating system is Linux and whether the required directory exists before modifying the environment variable.
2025-11-02 21:41:03 +02:00

# Sprint 100 - Identity & Signing

## [Identity & Signing] 100.A) Attestor.I

Summary: Identity & Signing focus on Attestor (phase I).

| Task ID | State | Task description | Owners (Source) |
| --- | --- | --- | --- |
| ATTEST-ENVELOPE-72-001 | DONE (2025-11-01) | Implement DSSE canonicalization, JSON normalization, multi-signature structures, and hashing helpers. | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) |
| ATTEST-ENVELOPE-72-002 | DONE (2025-11-01) | Support compact and expanded JSON output, payload compression, and detached payload references. Dependencies: ATTEST-ENVELOPE-72-001. | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) |
| ATTEST-ENVELOPE-73-001 | DONE | Implement Ed25519 & ECDSA signature create/verify helpers, key identification (keyid) scheme, and error mapping. Dependencies: ATTEST-ENVELOPE-72-002. | Envelope Guild, KMS Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) |
| ATTEST-ENVELOPE-73-002 | DONE | Add fuzz tests for envelope parsing, signature verification, and canonical JSON round-trips. Dependencies: ATTEST-ENVELOPE-73-001. | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) |
| ATTEST-TYPES-72-001 | DONE | Draft JSON Schemas for BuildProvenance v1, SBOMAttestation v1, VEXAttestation v1, ScanResults v1, PolicyEvaluation v1, RiskProfileEvidence v1, CustomEvidence v1. | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) |
| ATTEST-TYPES-72-002 | DONE | Generate Go/TS models from schemas with validation helpers and canonical JSON serialization. Dependencies: ATTEST-TYPES-72-001. | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) |
| ATTEST-TYPES-73-001 | DONE | Create golden payload samples for each type; integrate into tests and documentation. Dependencies: ATTEST-TYPES-72-002. | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) |
| ATTEST-TYPES-73-002 | DONE | Publish schema reference docs (/docs/modules/attestor/payloads.md) with annotated JSON examples. Dependencies: ATTEST-TYPES-73-001. | Attestation Payloads Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) |
| ATTEST-VERIFY-73-001 | DONE | Implement verification engine: policy evaluation, issuer trust resolution, freshness, signature count, transparency checks; produce structured reports. Dependencies: VERPOL-73-001, ATTESTOR-73-002. | Verification Guild, Policy Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) |
| ATTEST-VERIFY-73-002 | DONE | Add caching layer keyed by (subject, envelope_id, policy_version) with TTL and invalidation on new evidence. Dependencies: ATTEST-VERIFY-73-001. | Verification Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) |
| ATTEST-VERIFY-74-001 | DONE | Emit telemetry (spans/metrics) tagged by subject, issuer, policy, result; integrate with dashboards. Dependencies: ATTEST-VERIFY-73-001. | Verification Guild, Observability Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) |
| ATTEST-VERIFY-74-002 | DONE (2025-11-01) | Document verification report schema and explainability in /docs/modules/attestor/workflows.md. Dependencies: ATTEST-VERIFY-73-001. | Verification Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) |
| ATTESTOR-72-001 | DONE | Scaffold service (REST API skeleton, storage interfaces, KMS integration stubs) and DSSE validation pipeline. Dependencies: ATTEST-ENVELOPE-72-001. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) |
| ATTESTOR-72-002 | DONE | Implement attestation store (DB tables, object storage integration), CRUD, and indexing strategies. Dependencies: ATTESTOR-72-001. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) |
| ATTESTOR-72-003 | BLOCKED | Validate attestation store TTL against production-like Mongo/Redis stack; capture logs and remediation plan. Dependencies: ATTESTOR-72-002. | Attestor Service Guild, QA Guild (src/Attestor/StellaOps.Attestor/TASKS.md) |
| ATTESTOR-73-001 | DONE (2025-11-01) | Implement signing endpoint with Ed25519/ECDSA support, KMS integration, and audit logging. Dependencies: ATTESTOR-72-002, KMS-72-001. | Attestor Service Guild, KMS Guild (src/Attestor/StellaOps.Attestor/TASKS.md) |
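The envelope tasks above (ATTEST-ENVELOPE-72-001 and 73-001) and the signature-count check in ATTEST-VERIFY-73-001 describe a DSSE multi-signature envelope without showing one. The Go program below is an added example written for this page, not code from the StellaOps Attestor, and uses only the standard library. Assumptions are marked in the code: the keyid scheme (hex SHA-256 of the raw public key; the sprint names a scheme but does not define it), the simplified canonical JSON (parse-and-remarshal rather than RFC 8785), and the constructed sample payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Envelope is the DSSE JSON envelope: base64 payload plus one or more signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Signature pairs a signer's key identifier with the base64 raw signature.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// pae is the DSSE v1 Pre-Authentication Encoding, the bytes actually signed. It binds
// payloadType to the payload, so a signature cannot be replayed under another type.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// KeyID is an ASSUMED scheme: lowercase hex SHA-256 over the raw 32-byte Ed25519 public key.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// canonicalJSON is a simplified normalisation (ASSUMPTION, not RFC 8785 JCS):
// parse and re-marshal so object keys are sorted and whitespace is dropped.
func canonicalJSON(doc []byte) ([]byte, error) {
	var v any
	if err := json.Unmarshal(doc, &v); err != nil {
		return nil, err
	}
	return json.Marshal(v)
}

// NewEnvelope canonicalises the payload and wraps it, still unsigned.
func NewEnvelope(payloadType string, doc []byte) (Envelope, error) {
	canon, err := canonicalJSON(doc)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(canon)}, nil
}

// Sign appends one signature; calling it with several keys yields a multi-signature
// envelope in which every signer covers the same PAE bytes.
func Sign(env *Envelope, priv ed25519.PrivateKey) error {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	sig := ed25519.Sign(priv, pae(env.PayloadType, payload))
	env.Signatures = append(env.Signatures, Signature{
		KeyID: KeyID(priv.Public().(ed25519.PublicKey)),
		Sig:   base64.StdEncoding.EncodeToString(sig),
	})
	return nil
}

// Verify returns the sorted IDs of trusted keys whose signature validates, or an error if
// fewer than threshold distinct trusted keys signed. Signatures from unknown keys are
// skipped and never counted; a bad signature from a key we do trust is an error.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey, threshold int) ([]string, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	msg := pae(env.PayloadType, payload)
	valid := map[string]bool{} // keyed by keyid: one key signing twice counts once
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		if !ok {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil || !ed25519.Verify(pub, msg, raw) {
			return nil, fmt.Errorf("invalid signature from trusted key %s", s.KeyID)
		}
		valid[s.KeyID] = true
	}
	if len(valid) < threshold {
		return nil, fmt.Errorf("%d valid signature(s) from distinct trusted keys, need %d", len(valid), threshold)
	}
	ids := make([]string, 0, len(valid))
	for id := range valid {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids, nil
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample payload with deliberately unsorted keys.
	env, _ := NewEnvelope("application/vnd.in-toto+json", []byte(`{"subject":"sha256:abc","predicateType":"demo"}`))
	_ = Sign(&env, privA)
	_ = Sign(&env, privB)
	trusted := map[string]ed25519.PublicKey{KeyID(pubA): pubA, KeyID(pubB): pubB}
	ids, err := Verify(env, trusted, 2)
	fmt.Println("valid signers:", ids, "err:", err)
	out, _ := json.Marshal(env)
	fmt.Println(string(out))
}
```

`go run` prints the two signer key IDs and the envelope JSON. The PAE step is the security-relevant part: signing the bare payload would let a signature made over one payloadType be presented under another, and counting signatures by keyid (not by array position) is what makes the threshold mean distinct signers.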

## [Identity & Signing] 100.A) Attestor.II

Depends on: Sprint 100.A - Attestor.I

Summary: Identity & Signing focus on Attestor (phase II).

| Task ID | State | Task description | Owners (Source) |
| --- | --- | --- | --- |
| ATTESTOR-73-002 | DONE (2025-11-01) | Build verification pipeline evaluating DSSE signatures, issuer trust, and verification policies; persist reports. Dependencies: ATTESTOR-73-001, VERPOL-73-001. | Attestor Service Guild, Policy Guild (src/Attestor/StellaOps.Attestor/TASKS.md) |
| ATTESTOR-73-003 | DONE | Implement listing/fetch APIs with filters (subject, type, issuer, scope, date). Dependencies: ATTESTOR-73-002. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) |
| ATTESTOR-74-001 | DONE (2025-11-02) | Integrate transparency witness client, inclusion proof verification, and caching. Dependencies: ATTESTOR-73-002, TRANSP-74-001. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) |
| ATTESTOR-74-002 | DONE | Implement bulk verification worker + API with progress tracking, rate limits, and caching. Dependencies: ATTESTOR-74-001. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) |
| ATTESTOR-75-001 | DONE | Add export/import flows for attestation bundles and offline verification mode. Dependencies: ATTESTOR-74-002, EXPORT-ATTEST-74-001. | Attestor Service Guild, Export Guild (src/Attestor/StellaOps.Attestor/TASKS.md) |
| ATTESTOR-75-002 | DONE | Harden APIs with rate limits, auth scopes, threat model mitigations, and fuzz testing. Dependencies: ATTESTOR-73-002. | Attestor Service Guild, Security Guild (src/Attestor/StellaOps.Attestor/TASKS.md) |

2025-11-01: ATTESTOR-73-002 completed — verification endpoints emit structured reports, cache hits, and telemetry; Attestor verification test suites cover success, failure, and cached paths. Transparency witness integration continues under ATTESTOR-74-001.

2025-11-02: ATTESTOR-74-001 completed — witness client wired into proof refresh, repository model stores witness statements, and verification warns on missing endorsements. Tests updated for witness refresh, bundle export/import, and signing stubs.
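The cache hits mentioned above come from the layer specified in ATTEST-VERIFY-73-002: keyed by (subject, envelope_id, policy_version), with a TTL and invalidation on new evidence. The Go snippet below is an added example, not StellaOps code. It is an in-memory cache with an injectable clock that shows why the policy version belongs in the key (a policy bump can never serve a verdict reached under the old policy) and why new evidence for a subject has to drop every entry for that subject instead of waiting for the TTL. The Report shape is assumed.

```go
package main

import (
	"sync"
	"time"
)

// CacheKey is the tuple the sprint names: a verdict is only reusable for the same
// subject, the same envelope, and the same policy version. A policy change changes
// the key, so it can never hit a verdict computed under the previous policy.
type CacheKey struct {
	Subject       string // e.g. an image digest
	EnvelopeID    string
	PolicyVersion string
}

// Report stands in for the structured verification report (ASSUMED shape).
type Report struct {
	Verdict string
	Reasons []string
}

type entry struct {
	report  Report
	expires time.Time
}

// VerificationCache is a TTL cache with per-subject invalidation. The clock is
// injectable so expiry behaviour can be tested deterministically.
type VerificationCache struct {
	mu      sync.Mutex
	ttl     time.Duration
	now     func() time.Time
	entries map[CacheKey]entry
}

func NewVerificationCache(ttl time.Duration, now func() time.Time) *VerificationCache {
	if now == nil {
		now = time.Now
	}
	return &VerificationCache{ttl: ttl, now: now, entries: map[CacheKey]entry{}}
}

// Get returns a cached report if present and unexpired. Expired entries are evicted
// on read so they never count as hits.
func (c *VerificationCache) Get(k CacheKey) (Report, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.entries[k]
	if !ok {
		return Report{}, false
	}
	if !c.now().Before(e.expires) {
		delete(c.entries, k)
		return Report{}, false
	}
	return e.report, true
}

func (c *VerificationCache) Put(k CacheKey, r Report) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[k] = entry{report: r, expires: c.now().Add(c.ttl)}
}

// InvalidateSubject drops every verdict for a subject regardless of envelope or policy
// version: new evidence (a fresh attestation, a VEX statement, a key revocation) can flip
// the outcome, and waiting for the TTL would keep serving a verdict the verifier would no
// longer reach. It returns the number of entries dropped.
func (c *VerificationCache) InvalidateSubject(subject string) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	n := 0
	for k := range c.entries { // deleting during range is safe in Go
		if k.Subject == subject {
			delete(c.entries, k)
			n++
		}
	}
	return n
}
```

Hook InvalidateSubject to whatever event announces new evidence for a subject (ingest of an attestation, a witness statement, an issuer key revocation); a cache that only expires by TTL turns that latency window into a period where a revoked signer still passes.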

## [Identity & Signing] 100.B) Authority.I

Summary: Identity & Signing focus on Authority (phase I).

| Task ID | State | Task description | Owners (Source) |
| --- | --- | --- | --- |
| AUTH-AIAI-31-001 | DONE (2025-11-01) | Define Advisory AI scopes (advisory-ai:view, advisory-ai:operate, advisory-ai:admin) and remote inference toggles; update discovery metadata/offline defaults. Dependencies: AUTH-VULN-29-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-AIAI-31-002 | DONE (2025-11-01) | Enforce anonymized prompt logging, tenant consent for remote inference, and audit logging of assistant tasks. Dependencies: AUTH-AIAI-31-001, AIAI-31-006. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-AIRGAP-56-001 | DOING (2025-11-01) | Provision new scopes (airgap:seal, airgap:import, airgap:status:read) in configuration metadata, offline kit defaults, and issuer templates. Dependencies: AIRGAP-CTL-56-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-AIRGAP-56-002 | DOING (2025-11-01) | Audit import actions with actor, tenant, bundle ID, and trace ID; expose /authority/audit/airgap endpoint. Dependencies: AUTH-AIRGAP-56-001, AIRGAP-IMP-58-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-AIRGAP-57-001 | BLOCKED (2025-11-01) | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. Dependencies: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002. | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-NOTIFY-38-001 | DONE (2025-11-01) | Define Notify.Viewer, Notify.Operator, Notify.Admin scopes/roles, update discovery metadata, offline defaults, and issuer templates. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-NOTIFY-40-001 | DONE (2025-11-02) | Implement signed ack token key rotation, webhook allowlists, admin-only escalation settings, and audit logging of ack actions. Dependencies: AUTH-NOTIFY-38-001, WEB-NOTIFY-40-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-OAS-62-001 | DONE (2025-11-02) | Provide SDK helpers for OAuth2/PAT flows, tenancy override header; add integration tests. Dependencies: AUTH-OAS-61-001, SDKGEN-63-001. | Authority Core & Security Guild, SDK Generator Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-OAS-63-001 | DONE (2025-11-02) | Emit deprecation headers and notifications for legacy auth endpoints. Dependencies: AUTH-OAS-62-001, APIGOV-63-001. | Authority Core & Security Guild, API Governance Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-OBS-50-001 | DONE (2025-11-02) | Introduce scopes obs:read, timeline:read, timeline:write, evidence:create, evidence:read, evidence:hold, attest:read, and obs:incident (all tenant-scoped). Update discovery metadata, offline defaults, and scope grammar docs. Dependencies: AUTH-AOC-19-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-OBS-52-001 | DONE (2025-11-02) | Configure resource server policies for Timeline Indexer, Evidence Locker, Exporter, and Observability APIs enforcing new scopes + tenant claims. Emit audit events including scope usage and trace IDs. Dependencies: AUTH-OBS-50-001, TIMELINE-OBS-52-003, EVID-OBS-53-003. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-OBS-55-001 | DONE (2025-11-02) | Harden incident mode authorization: require obs:incident scope + fresh auth, log activation reason, and expose verification endpoint for auditors. Update docs/runbooks. Dependencies: AUTH-OBS-50-001, WEB-OBS-55-001. | Authority Core & Security Guild, Ops Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-ORCH-34-001 | DONE (2025-11-02) | Introduce Orch.Admin role with quota/backfill scopes, enforce audit reason on quota changes, and update offline defaults/docs. Dependencies: AUTH-ORCH-33-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-PACKS-41-001 | DOING (2025-11-02) | Define CLI SSO profiles and pack scopes (Packs.Read, Packs.Write, Packs.Run, Packs.Approve), update discovery metadata, offline defaults, and issuer templates. Dependencies: AUTH-AOC-19-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-PACKS-43-001 | BLOCKED (2025-10-27) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. Dependencies: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |

2025-11-01: AUTH-AIRGAP-57-001 blocked pending definition of sealed-confirmation evidence and configuration shape before gating (Authority Core & Security Guild, DevOps Guild).

2025-11-01: AUTH-NOTIFY-38-001 completed — Notify scope catalog, discovery metadata, docs, configuration samples, and service tests updated for new roles.

2025-11-02 (AUTH-NOTIFY-40-001): /notify/ack-tokens/rotate (notify.admin) now rotates DSSE keys with audit coverage and integration tests. Webhook allowlist + escalation scope enforcement verified.

2025-11-02 (AUTH-OAS-62-001): Added HttpClient auth helper (OAuth2 + PAT) with tenant header support, plus coverage in StellaOps.Auth.Client.Tests.

2025-11-02: AUTH-OAS-63-001 marked DONE — legacy /oauth/* shims now emit Deprecation/Sunset/Warning headers, audit events (authority.api.legacy_endpoint) validated by tests, and migration guide docs/api/authority-legacy-auth-endpoints.md published (Authority Core & Security Guild, API Governance Guild).

2025-11-02 (AUTH-OBS-50-001): Observability scope bundle published in discovery metadata, OpenAPI, docs, and offline configs; issuer templates + roles updated with deterministic scope ordering and tests refreshed.

2025-11-02 (AUTH-OBS-52-001): Timeline/Evidence/Export resource servers now register observability policies, enforce tenant claims, and emit enriched authorization audit events; config samples + tests updated.

2025-11-02 (AUTH-OBS-55-001): Resource servers now enforce a five-minute fresh-auth window for obs:incident, incident reasons are stamped into authorization audits and /authority/audit/incident, and sample configs/tests updated to require tenant headers across observability endpoints.

2025-11-02 (AUTH-ORCH-34-001): Added orch:backfill scope with required backfill_reason/backfill_ticket, tightened Authority handlers/tests, updated CLI configuration/env vars, and refreshed docs + samples for Orchestrator admins.

2025-11-02 (AUTH-PACKS-41-001): Pack scope policies added, Authority samples/roles refreshed, and CLI SSO profiles documented for packs operators/publishers/approvers.

2025-11-02 (AUTH-PACKS-41-001): Shared OpenSSL 1.1 shim now feeds Mongo2Go for Authority & Signals tests, keeping pack scope regressions and other Mongo flows working on OpenSSL 3 hosts.
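The 2025-11-02 note for AUTH-OBS-55-001 states the incident-mode rule (obs:incident scope, a five-minute fresh-auth window, a required tenant header, and the activation reason stamped into the authorization audit) without showing the check itself. The Go middleware below is an added example, not the Authority's own code. The header names (X-StellaOps-Tenant, X-Incident-Reason), the Claims field names, and passing validated claims through the request context are assumptions; the 401 with `WWW-Authenticate: Bearer error="insufficient_user_authentication"` follows RFC 9470 (OAuth step-up authentication) as the standard way to tell a client it must re-authenticate rather than retry with the same token.

```go
package main

import (
	"context"
	"net/http"
	"strings"
	"time"
)

// FreshAuthWindow is the five-minute re-authentication window the sprint note describes.
const FreshAuthWindow = 5 * time.Minute

// Claims is the subset of an already-validated access token this check needs.
// Field names are ASSUMED; AuthTime mirrors the OIDC auth_time claim.
type Claims struct {
	Subject  string
	Tenant   string
	Scopes   []string
	AuthTime time.Time
}

// Decision is what gets stamped into the authorization audit event.
type Decision struct {
	Allowed bool
	Reason  string
}

func hasScope(c Claims, want string) bool {
	for _, s := range c.Scopes {
		if s == want {
			return true
		}
	}
	return false
}

// AuthorizeIncident applies the rules in order: the tenant header must match the token
// tenant, obs:incident must be granted, an activation reason must be supplied, and the
// authentication must be fresher than FreshAuthWindow. An auth_time in the future is
// rejected too (clock skew or a forged claim), so it cannot extend the window.
func AuthorizeIncident(c Claims, tenantHeader, activationReason string, now time.Time) Decision {
	switch {
	case tenantHeader == "" || tenantHeader != c.Tenant:
		return Decision{false, "tenant_mismatch"}
	case !hasScope(c, "obs:incident"):
		return Decision{false, "missing_scope:obs:incident"}
	case strings.TrimSpace(activationReason) == "":
		return Decision{false, "missing_activation_reason"}
	case c.AuthTime.IsZero() || c.AuthTime.After(now) || now.Sub(c.AuthTime) > FreshAuthWindow:
		return Decision{false, "fresh_auth_required"}
	}
	return Decision{true, "incident_mode_activated"}
}

type ctxKey struct{}

// WithClaims attaches validated claims to a request; in a real service the token
// validation middleware does this (ASSUMED plumbing).
func WithClaims(r *http.Request, c Claims) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, c))
}

// RequireIncident wraps an incident-mode handler. Header names are ASSUMED. Every decision,
// allowed or denied, is appended to audit so an auditor can replay it (the sprint exposes a
// verification endpoint for exactly that purpose).
func RequireIncident(next http.Handler, audit *[]Decision, now func() time.Time) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, ok := r.Context().Value(ctxKey{}).(Claims)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		d := AuthorizeIncident(c, r.Header.Get("X-StellaOps-Tenant"), r.Header.Get("X-Incident-Reason"), now())
		*audit = append(*audit, d)
		switch {
		case d.Allowed:
			next.ServeHTTP(w, r)
		case d.Reason == "fresh_auth_required":
			// RFC 9470 step-up: the token is valid but not fresh enough; re-authenticate.
			w.Header().Set("WWW-Authenticate", `Bearer error="insufficient_user_authentication", max_age=300`)
			http.Error(w, d.Reason, http.StatusUnauthorized)
		default:
			http.Error(w, d.Reason, http.StatusForbidden)
		}
	})
}
```

The ordering matters for what leaks: tenant mismatch is checked before scope so a caller in the wrong tenant never learns whether the scope exists; freshness is checked last so the step-up hint is only sent to a caller who would otherwise be allowed.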

## [Identity & Signing] 100.B) Authority.II

Depends on: Sprint 100.B - Authority.I

Summary: Identity & Signing focus on Authority (phase II).

| Task ID | State | Task description | Owners (Source) |
| --- | --- | --- | --- |
| AUTH-POLICY-23-002 | BLOCKED (2025-10-29) | Implement optional two-person rule for activation: require two distinct policy:activate approvals when configured; emit audit logs. Dependencies: AUTH-POLICY-23-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-POLICY-23-003 | BLOCKED (2025-10-29) | Update documentation and sample configs for policy roles, approval workflow, and signing requirements. Dependencies: AUTH-POLICY-23-001. | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-POLICY-27-002 | TODO | Provide attestation signing service bindings (OIDC token exchange, cosign integration) and enforce publish/promote scope checks, fresh-auth requirements, and audit logging. Dependencies: AUTH-POLICY-27-001, REGISTRY-API-27-007. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-POLICY-27-003 | TODO | Update Authority configuration/docs for Policy Studio roles, signing policies, approval workflows, and CLI integration; include compliance checklist. Dependencies: AUTH-POLICY-27-001, AUTH-POLICY-27-002. | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-TEN-49-001 | TODO | Implement service accounts & delegation tokens (act chain), per-tenant quotas, audit stream of auth decisions, and revocation APIs. Dependencies: AUTH-TEN-47-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-VULN-29-001 | TODO | Define Vuln Explorer scopes/roles (vuln:view, vuln:investigate, vuln:operate, vuln:audit) with ABAC attributes (env, owner, business_tier) and update discovery metadata/offline kit defaults. Dependencies: AUTH-POLICY-27-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-VULN-29-002 | TODO | Enforce CSRF/anti-forgery tokens for workflow actions, sign attachment tokens, and record audit logs with ledger event hashes. Dependencies: AUTH-VULN-29-001, LEDGER-29-002. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| AUTH-VULN-29-003 | TODO | Update security docs/config samples for Vuln Explorer roles, ABAC policies, attachment signing, and ledger verification guidance. Dependencies: AUTH-VULN-29-001..002. | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| PLG4-6.CAPABILITIES | BLOCKED (2025-10-12) | Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. | BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |
| PLG6.DIAGRAM | TODO | Export final sequence/component diagrams for the developer guide and add offline-friendly assets under docs/assets/authority. | Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |
| PLG7.RFC | REVIEW | Socialize LDAP plugin RFC (docs/rfcs/authority-plugin-ldap.md) and capture guild feedback. | BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |
| SEC2.PLG | BLOCKED (2025-10-21) | Emit audit events from password verification outcomes and persist via IAuthorityLoginAttemptStore. Waiting on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 to stabilise Authority auth surfaces before final verification + publish. | Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |
| SEC3.PLG | BLOCKED (2025-10-21) | Ensure lockout responses and rate-limit metadata flow through plugin logs/events (include retry-after). Pending AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 so limiter telemetry contract matches final authority surface. | Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |
| SEC5.PLG | BLOCKED (2025-10-21) | Address plugin-specific mitigations (bootstrap user handling, password policy docs) in threat model backlog. Final documentation depends on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 outcomes. | Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |

## [Identity & Signing] 100.C) IssuerDirectory

Summary: Identity & Signing focus on IssuerDirectory.

| Task ID | State | Task description | Owners (Source) |
| --- | --- | --- | --- |
| ISSUER-30-001 | DONE (2025-11-01) | Implement issuer CRUD API with RBAC, audit logging, and tenant scoping; seed CSAF publisher metadata. | Issuer Directory Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) |
| ISSUER-30-002 | DONE (2025-11-01) | Implement key management endpoints (add/rotate/revoke keys), enforce expiry, validate formats (Ed25519, X.509, DSSE). Dependencies: ISSUER-30-001. | Issuer Directory Guild, Security Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) |
| ISSUER-30-003 | DOING | Provide trust weight APIs and tenant overrides with validation (+/- bounds) and audit trails. Dependencies: ISSUER-30-001. | Issuer Directory Guild, Policy Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) |
| ISSUER-30-004 | DONE (2025-11-01) | Integrate with VEX Lens and Excitator signature verification (client SDK, caching, retries). Dependencies: ISSUER-30-001..003. | Issuer Directory Guild, VEX Lens Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) |
| ISSUER-30-005 | DONE (2025-11-01) | Instrument metrics/logs (issuer changes, key rotation, verification failures) and dashboards/alerts. Dependencies: ISSUER-30-001..004. | Issuer Directory Guild, Observability Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) |
| ISSUER-30-006 | TODO | Provide deployment manifests, backup/restore, secure secret storage, and offline kit instructions. Dependencies: ISSUER-30-001..005. | Issuer Directory Guild, DevOps Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) |

## [Identity & Signing] 100.D) __Libraries

Summary: Identity & Signing focus on Libraries.

| Task ID | State | Task description | Owners (Source) |
| --- | --- | --- | --- |
| KMS-73-001 | TODO | Add cloud KMS driver (e.g., AWS KMS, GCP KMS) with signing and key metadata retrieval. Dependencies: KMS-72-001. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md) |
| KMS-73-002 | TODO | Implement PKCS#11/HSM driver plus FIDO2 signing support for high assurance workflows. Dependencies: KMS-73-001. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md) |

If all tasks are done, read the next sprint section: SPRINT_110_ingestion_evidence.md