stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
5ce40d2eebf33aa7bc803a0868a1c0d70dfdfd01
git.stella-ops.org/src/StellaOps.Cryptography/AGENTS.md
master 5ce40d2eeb feat: Initialize Zastava Webhook service with TLS and Authority authentication 
- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.
2025-10-19 18:36:22 +03:00

1.7 KiB
Raw Blame History

Team 8 — Security Guild (Authority & Shared Crypto)

Role

Team 8 owns the end-to-end security posture for StellaOps Authority and its consumers. That includes password hashing policy, audit/event hygiene, rate-limit & lockout rules, revocation distribution, and sovereign cryptography abstractions that allow alternative algorithm suites (e.g., GOST) without touching feature code.

Operational Boundaries

  • Primary workspace: src/StellaOps.Cryptography, src/StellaOps.Authority.Plugin.Standard, src/StellaOps.Authority.Storage.Mongo, and Authority host (src/StellaOps.Authority/StellaOps.Authority).
  • Coordinate cross-module changes via TASKS.md updates and PR descriptions.
  • Never bypass deterministic behaviour (sorted keys, stable timestamps).
  • Tests live alongside owning projects (*.Tests). Extend goldens instead of rewriting.

Expectations

  • Default to Argon2id (Konscious) for password hashing; PBKDF2 only for legacy verification with transparent rehash on success.
  • Emit structured security events with minimal PII and clear correlation IDs.
  • Rate-limit /token and bootstrap endpoints once CORE8 hooks are available.
  • Deliver offline revocation bundles signed with detached JWS and provide a verification script.
  • Maintain docs/security/authority-threat-model.md and ensure mitigations are tracked.
  • All crypto consumption flows through StellaOps.Cryptography abstractions to enable sovereign crypto providers.
  • Every new cryptographic algorithm, dependency, or acceleration path ships as an ICryptoProvider plug-in under StellaOps.Cryptography.*; feature code must never bind directly to third-party crypto libraries.