git.stella-ops.org/docs/modules/registry
master fdf95e0f46 docs: module dossier + install/quickstart sync for truthful cutover sprints
- API_CLI_REFERENCE.md, INSTALL_GUIDE.md, quickstart.md, architecture/integrations.md, dev/DEV_ENVIRONMENT_SETUP.md, integrations/LOCAL_SERVICES.md: reflect real-service wiring.
- docs/modules/**: module dossier updates across the modules touched by SPRINT_20260415_001..007 + SPRINT_20260416_003..017 + SPRINT_20260417_018..024 + SPRINT_20260418_025 + SPRINT_20260419_026.
- docs/features/checked/web/**: update feature notes where UI changed.
- docs/qa/feature-checks/runs/web/evidence-presentation-ux/: QA evidence artifacts.
- docs/setup/**, docs/technical/**: align with setup wizard contracts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 14:45:09 +03:00

StellaOps Registry Token Service

Registry Token Service issues short-lived Docker registry bearer tokens for private or mirrored registries. It exchanges an Authority-issued access token for a registry-compatible JWT after enforcing plan/licence constraints.

Responsibilities

  • Validate Authority-issued caller identity and required scopes (default registry.token.issue).
  • Authorize requested repository scopes against a local plan catalogue (stellaops:plan claim + configured rules).
  • Block issuance for revoked licences (stellaops:license claim + configured deny list).
  • Mint registry tokens with a bounded lifetime (default 5 minutes) signed by a local RSA key.
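The exchange those four bullets describe, as an added Go example that is not the service's own code (the service is .NET, under src/Registry/StellaOps.Registry.TokenService): a requested Docker scope is checked against a plan catalogue and a licence deny list, and the granted entry is placed in the Docker registry token `access` claim of an RS256 JWT whose `exp` is pinned to `iat` + 5 minutes. The plan catalogue contents, the revoked licence ID, the prefix-match rule, the issuer/audience strings and the names `Authorize`/`Mint` are all constructed assumptions; Authority validation of the caller is assumed to have already produced the plan and licence claim values passed in.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Access is one entry of the Docker registry token "access" claim.
type Access struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Actions []string `json:"actions"`
}

// Constructed policy: plan claim -> permitted repository prefixes, and a deny list of revoked licence IDs.
var planCatalogue = map[string][]string{
	"community":  {"stellaops/public/"},
	"enterprise": {"stellaops/public/", "stellaops/enterprise/"},
}
var revokedLicences = map[string]bool{"lic-0002": true}
// Authorize checks one Docker scope ("repository:<name>:<actions>") against the caller's plan and licence claims.
func Authorize(plan, licence, scope string) (Access, error) {
	if revokedLicences[licence] {
		return Access{}, errors.New("licence revoked")
	}
	p := strings.SplitN(scope, ":", 3)
	if len(p) != 3 || p[0] != "repository" || p[1] == "" {
		return Access{}, errors.New("malformed scope")
	}
	for _, prefix := range planCatalogue[plan] {
		if strings.HasPrefix(p[1], prefix) {
			return Access{Type: "repository", Name: p[1], Actions: strings.Split(p[2], ",")}, nil
		}
	}
	return Access{}, errors.New("repository not covered by plan")
}
// Mint signs an RS256 registry JWT; exp is bounded to iat + 5 minutes regardless of what the caller asked for.
func Mint(key *rsa.PrivateKey, sub string, access []Access, iat int64) (string, error) {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(map[string]any{
		"iss": "stellaops-registry-token", "sub": sub, "aud": "registry", "iat": iat, "exp": iat + 300, "access": access})
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig), err // token is invalid when err != nil
}
```

The registry side only needs the public half of the signing key to verify the token, which is why a local RSA key is enough and no callback to the token service is required at pull time.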

Key endpoints

  • GET /token - Docker registry token exchange endpoint.
  • GET /healthz - liveness probe.

Code locations

  • Service: src/Registry/StellaOps.Registry.TokenService
  • Tests: src/Registry/__Tests/StellaOps.Registry.TokenService.Tests

Configuration

  • File: etc/registry-token.yaml
  • Environment variables: REGISTRY_TOKEN_*

Implementation Status

Current Objectives

  • Maintain deterministic behaviour and offline parity across releases
  • Keep documentation, telemetry, and runbooks aligned with latest sprint outcomes

Epic Milestones

  • Epic 10 Export Center: signed registry token bundles for mirror/Offline Kit workflows (planned)
  • Epic 14 Identity & Tenancy: tenant-aware scope validation, revocation, audit trails (planned)

Core Capabilities

  • Docker registry token exchange with Authority validation
  • Plan/license constraint enforcement via claims inspection
  • Short-lived JWT tokens (default 5 minutes) signed by local RSA key
  • Revocation support via deny list and stellaops:license claim

Technical Decisions

  • Token lifetime bounded to 5 minutes to minimize exposure window
  • Local RSA key signing avoids external dependencies
  • Plan catalogue enforcement ensures license compliance
  • Integration with Authority for caller identity and scope validation

Coordination Approach

  • Review AGENTS.md before starting new work
  • Sync with cross-cutting teams via docs/implplan/SPRINT_*.md
  • Track follow-ups in ../../TASKS.md and src/Registry/TASKS.md
  • Architecture: docs/modules/registry/architecture.md
  • Operations: docs/modules/registry/operations/token-service.md