- Added support for bootstrap providers in AuthorityIdentityProviderRegistry.
- Introduced a new property for bootstrap providers and updated AggregateCapabilities.
- Updated relevant methods to handle bootstrap capabilities during provider registration.

feat: Introduce Sealed Mode Status in OpenIddict Handlers
- Added SealedModeStatusProperty to AuthorityOpenIddictConstants.
- Enhanced ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, and ValidateRefreshTokenGrantHandler to validate sealed mode evidence.
- Implemented logic to handle airgap seal confirmation requirements.

feat: Update Program Configuration for Sealed Mode
- Registered IAuthoritySealedModeEvidenceValidator in Program.cs.
- Added logging for bootstrap capabilities in identity provider plugins.
- Implemented checks for bootstrap support in API endpoints.

chore: Update Tasks and Documentation
- Marked AUTH-MTLS-11-002 as DONE in TASKS.md.
- Updated documentation to reflect changes in sealed mode and bootstrap capabilities.

fix: Improve CLI Command Handlers Output
- Enhanced output formatting for command responses and prompts in CommandHandlers.cs.

feat: Extend Advisory AI Models
- Added Response property to AdvisoryPipelineOutputModel for better output handling.

fix: Adjust Concelier Web Service Authentication
- Improved JWT token handling in Concelier Web Service to ensure proper token extraction and logging.

test: Enhance Web Service Endpoints Tests
- Added detailed logging for authentication failures in WebServiceEndpointsTests.
- Enabled PII logging for better debugging of authentication issues.

feat: Introduce Air-Gap Configuration Options
- Added AuthorityAirGapOptions and AuthoritySealedModeOptions to StellaOpsAuthorityOptions.
- Implemented validation logic for air-gap configurations to ensure proper setup.
# Sealed-Mode CI Harness
This harness supports DEVOPS-AIRGAP-57-002 by running the services with the sealed flag set, verifying that no outbound (off-cluster) network traffic succeeds while they stay healthy, and producing artefacts that Authority can consume for AUTH-AIRGAP-57-001 gating.
## Workflow

- Run `./run-sealed-ci.sh` from this directory (the script now boots the stack, applies the iptables guard, and captures artefacts automatically).
- The harness:
  - Launches `sealed-mode-compose.yml` with Authority/Signer/Attestor + Mongo.
  - Snapshots iptables, injects a `STELLAOPS_SEALED` chain into `DOCKER-USER`/`OUTPUT`, and whitelists only loopback + RFC1918 ranges so container egress to any other address is denied. Note that this allowlist still permits traffic to private address space on the runner, so the probe below targets off-cluster (public) addresses.
  - Repeatedly polls `/healthz` on `5088`/`6088`/`7088` to verify the sealed-mode bindings stay healthy while egress is blocked.
  - Executes `egress_probe.py`, which runs curl probes from inside the compose network to confirm off-cluster addresses are unreachable.
  - Writes logs, iptables counters, and the summary contract to `artifacts/sealed-mode-ci/<timestamp>`.
- `.gitea/workflows/build-test-deploy.yml` now includes a `sealed-mode-ci` job that runs this script on every push/PR and uploads the artefacts for `AUTH-AIRGAP-57-001`.
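The egress check described above, as an added example written for this README; it is not the project's `egress_probe.py` (which uses curl) and makes a few assumptions: probes are plain TCP connects instead of curl, the target list is constructed for the example, `10.0.0.5:5088` is an assumed in-compose Authority address used as a control target, and the `egress-probe.json` schema shown is illustrative. The control target matters: without a probe that must succeed, a completely broken compose network would look identical to a correctly sealed one.

```python
"""Egress probe + allowlist check for a sealed-mode CI run.

Added example for this README, not the harness's own egress_probe.py.
Assumptions (not from the project): plain TCP connects rather than curl,
a constructed target list, and an illustrative summary schema.
"""
from __future__ import annotations

import ipaddress
import json
import socket
from dataclasses import asdict, dataclass
from typing import Callable, Iterable, List, Tuple

# The README describes the STELLAOPS_SEALED chain as allowing only loopback
# and RFC1918; every other IPv4 address (and, as an example decision, any
# IPv6 address, since only iptables is mentioned) counts as off-cluster.
ALLOWED_RANGES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_allowed_destination(ip: str) -> bool:
    """True when the sealed allowlist would let traffic reach this address."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in ALLOWED_RANGES)


@dataclass
class ProbeResult:
    target: str
    port: int
    expected_blocked: bool
    connected: bool
    error: str = ""

    def passed(self) -> bool:
        # Off-cluster targets must fail to connect; in-cluster control
        # targets must succeed, proving the network itself is up.
        return self.connected != self.expected_blocked


Connector = Callable[[str, int, float], bool]


def tcp_connect(ip: str, port: int, timeout: float) -> bool:
    """Real connector: attempt a TCP handshake; raises OSError on failure."""
    with socket.create_connection((ip, port), timeout=timeout):
        return True


def run_probes(targets: Iterable[Tuple[str, int]],
               connector: Connector = tcp_connect,
               timeout: float = 2.0) -> List[ProbeResult]:
    """Probe each target and record whether the outcome matched the allowlist."""
    results = []
    for ip, port in targets:
        expected_blocked = not is_allowed_destination(ip)
        try:
            connected = bool(connector(ip, port, timeout))
            error = ""
        except OSError as exc:  # TimeoutError, ConnectionRefusedError, ...
            connected = False
            error = type(exc).__name__
        results.append(ProbeResult(ip, port, expected_blocked, connected, error))
    return results


def summarize(results: List[ProbeResult]) -> dict:
    """Build the egress-probe.json payload (schema assumed for this example)."""
    failures = [r for r in results if not r.passed()]
    return {
        "sealed": not failures,
        "probe_count": len(results),
        "failures": [asdict(r) for r in failures],
        "probes": [asdict(r) for r in results],
    }


def write_summary(path: str, results: List[ProbeResult]) -> dict:
    summary = summarize(results)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(summary, fh, indent=2)
    return summary


# Constructed target list: two public addresses that must be unreachable and
# one assumed in-compose control target that must answer.
DEFAULT_TARGETS = [
    ("1.1.1.1", 443),
    ("8.8.8.8", 53),
    ("10.0.0.5", 5088),
]

if __name__ == "__main__":
    import sys
    summary = write_summary("egress-probe.json", run_probes(DEFAULT_TARGETS))
    print(json.dumps(summary, indent=2))
    sys.exit(0 if summary["sealed"] else 1)
```

A non-zero exit when any probe disagrees with the allowlist lets the CI job fail the run directly; the JSON keeps the per-target detail for the artefact bundle.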
## Outputs

- `authority.health.log`, `signer.health.log`, `attestor.health.log`
- `iptables-docker-user.txt`, `iptables-output.txt`
- `egress-probe.json`
- `compose.log`, `compose.ps`
- `authority-sealed-ci.json` (single file Authority uses to validate the run)
## TODO
- Wire into offline kit smoke tests (DEVOPS-AIRGAP-58-001).
Refer to `docs/security/dpop-mtls-rollout.md` for cross-guild milestones.