stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
1d962ee6fc98ad8c53715bbff6d513246f5b1361
git.stella-ops.org/docs/modules/authority
History
master f98cea3bcf Add Authority Advisory AI and API Lifecycle Configuration 
- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings.
- Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations.
- Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration.
- Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options.
- Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations.
- Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client.
- Updated project file to include necessary package references for the new Issuer Directory Client library.
2025-11-02 13:50:25 +02:00
..
operations
Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
2025-10-31 19:16:43 +02:00
AGENTS.md
feat: Add guild charters and task boards for various components
2025-11-01 02:21:46 +02:00
architecture.md
Add Authority Advisory AI and API Lifecycle Configuration
2025-11-02 13:50:25 +02:00
implementation_plan.md
Align AOC tasks for Excititor and Concelier
2025-10-31 18:50:15 +02:00
README.md
Align AOC tasks for Excititor and Concelier
2025-10-31 18:50:15 +02:00
TASKS.md
Align AOC tasks for Excititor and Concelier
2025-10-31 18:50:15 +02:00

README.md

StellaOps Authority

Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool.

Responsibilities

  • Expose device-code, auth-code, and client-credential flows with DPoP or mTLS binding.
  • Manage signing keys, JWKS rotation, and PoE integration for plan enforcement.
  • Emit structured audit events and enforce tenant-aware scope policies.
  • Provide plugin surface for custom identity providers and credential validators.

Key components

  • StellaOps.Authority web host.
  • StellaOps.Authority.Plugin.* extensions for secret stores, identity bridges, and OpTok validation.
  • Telemetry and audit pipeline feeding Security/Observability stacks.

Integrations & dependencies

  • Signer/Attestor for PoE and OpTok introspection.
  • CLI/UI for login flows and token management.
  • Scheduler/Scanner for machine-to-machine scope enforcement.

Operational notes

  • MongoDB for tenant, client, and token state.
  • Key material in KMS/HSM with rotation runbooks (see ./operations/key-rotation.md).
  • Grafana/Prometheus dashboards for auth latency/issuance.

Related resources

  • ./operations/backup-restore.md
  • ./operations/key-rotation.md
  • ./operations/monitoring.md
  • ./operations/grafana-dashboard.json

Backlog references

  • DOCS-SEC-62-001 (scope hardening doc) in ../../TASKS.md.
  • AUTH-POLICY-20-001/002 follow-ups in src/Authority/StellaOps.Authority/TASKS.md.

Epic alignment

  • Epic 1 AOC enforcement: enforce OpTok scopes and guardrails supporting raw ingestion boundaries.
  • Epic 2 Policy Engine & Editor: supply policy evaluation/principal scopes and short-lived tokens for evaluator workflows.
  • Epic 4 Policy Studio: integrate approval/promotion signatures and policy registry access controls.
  • Epic 14 Identity & Tenancy: deliver tenant isolation, RBAC hierarchies, and governance tooling for authentication.