stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
730354a1afe41e7810e89e38d62b37291b3a030b
git.stella-ops.org/src/StellaOps.Authority/TASKS.md
master 730354a1af
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Implement Scheduler Worker Options and Planner Loop 
- Added `SchedulerWorkerOptions` class to encapsulate configuration for the scheduler worker.
- Introduced `PlannerBackgroundService` to manage the planner loop, fetching and processing planning runs.
- Created `PlannerExecutionService` to handle the execution logic for planning runs, including impact targeting and run persistence.
- Developed `PlannerExecutionResult` and `PlannerExecutionStatus` to standardize execution outcomes.
- Implemented validation logic within `SchedulerWorkerOptions` to ensure proper configuration.
- Added documentation for the planner loop and impact targeting features.
- Established health check endpoints and authentication mechanisms for the Signals service.
- Created unit tests for the Signals API to ensure proper functionality and response handling.
- Configured options for authority integration and fallback authentication methods.
2025-10-27 09:46:31 +02:00

21 KiB
Raw Blame History

Authority Host Task Board — Epic 1: Aggregation-Only Contract

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-AOC-19-001 DONE (2025-10-26) Authority Core & Security Guild Introduce scopes advisory:read, advisory:ingest, vex:read, vex:ingest, aoc:verify with configuration binding, migrations, and offline kit defaults. Scopes published in metadata/OpenAPI, configuration validates scope lists, tests cover token issuance + enforcement.
AUTH-AOC-19-002 DONE (2025-10-27) Authority Core & Security Guild AUTH-AOC-19-001 Propagate tenant claim + scope enforcement for ingestion identities; ensure cross-tenant writes/read blocked and audit logs capture tenant context. Tenant claim injected into downstream services; forbidden cross-tenant access rejected; audit/log fixtures updated.

2025-10-26: Rate limiter metadata/audit records now include tenants, password grant scopes/tenants enforced, token persistence + tests updated. Docs refresh tracked via AUTH-AOC-19-003. 2025-10-27: Client credential ingestion scopes now require tenant assignment; access token validation backfills tenants and rejects cross-tenant mismatches with tests. 2025-10-27: dotnet test blocked — Concelier build fails (AdvisoryObservationQueryService returns ImmutableHashSet<string?>), preventing Authority test suite run; waiting on Concelier fix before rerun. | AUTH-AOC-19-003 | DONE (2025-10-27) | Authority Core & Docs Guild | AUTH-AOC-19-001 | Update Authority docs and sample configs to describe new scopes, tenancy enforcement, and verify endpoints. | Docs and examples refreshed; release notes prepared; smoke tests confirm new scopes required. | 2025-10-26: Docs updated (docs/11_AUTHORITY.md, Concelier audit runbook, docs/security/authority-scopes.md); sample config highlights tenant-aware clients. Release notes + smoke verification pending (blocked on Concelier/Excititor smoke updates). 2025-10-27: Scope catalogue aligned with advisory:ingest/advisory:read/vex:ingest/vex:read, aoc:verify pairing documented, console/CLI references refreshed, and etc/authority.yaml.sample updated to require read scopes for verification clients.

Policy Engine v2

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-POLICY-20-001 DONE (2025-10-26) Authority Core & Security Guild AUTH-AOC-19-001 Add scopes policy:write, policy:submit, policy:approve, policy:run, findings:read, effective:write with configuration binding and issuer policy updates. Scopes available in metadata; token issuance validated; offline kit defaults updated; tests cover scope combinations.
AUTH-POLICY-20-002 DONE (2025-10-26) Authority Core & Security Guild AUTH-POLICY-20-001, AUTH-AOC-19-002 Enforce Policy Engine service identity with effective:write and ensure API gateway enforces scopes/tenant claims for new endpoints. Gateway policies updated; unauthorized requests rejected in tests; audit logs capture scope usage.

2025-10-26: Restricted effective:write to Policy Engine service identities with tenant requirement, registered full scope set, and tightened resource server default scope enforcement (unit tests pass). | AUTH-POLICY-20-003 | DONE (2025-10-26) | Authority Core & Docs Guild | AUTH-POLICY-20-001 | Update Authority configuration/docs with policy scopes, service identities, and approval workflows; include compliance checklist. | Docs refreshed; samples updated; release notes prepared; doc lint passes. | 2025-10-26: Authority docs now detail policy scopes/service identity guardrails with checklist; authority.yaml.sample includes properties.serviceIdentity example.

Graph Explorer v1

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-GRAPH-21-001 DONE (2025-10-26) Authority Core & Security Guild AUTH-POLICY-20-001 Define scopes graph:write, graph:read, graph:export, graph:simulate, update metadata/OpenAPI, and add OFFLINE kit defaults. Scopes exposed via discovery docs; smoke tests ensure enforcement; offline kit updated.
AUTH-GRAPH-21-002 DONE (2025-10-26) Authority Core & Security Guild AUTH-GRAPH-21-001, AUTH-AOC-19-002 Wire gateway enforcement for new graph scopes, Cartographer service identity, and tenant propagation across graph APIs. Gateway config updated; unauthorized access blocked in integration tests; audit logs include graph scope usage.
AUTH-GRAPH-21-003 DONE (2025-10-26) Authority Core & Docs Guild AUTH-GRAPH-21-001 Update security docs and samples describing graph access roles, least privilege guidance, and service identities. Docs merged with compliance checklist; examples refreshed; release notes prepared.

Policy Engine + Editor v1

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-POLICY-23-001 TODO Authority Core & Security Guild AUTH-POLICY-20-001 Introduce fine-grained scopes policy:read, policy:edit, policy:approve, policy:activate, policy:simulate; update issuer templates and metadata. Scopes exposed; integration tests confirm enforcement; offline kit updated.
AUTH-POLICY-23-002 TODO Authority Core & Security Guild AUTH-POLICY-23-001 Implement optional two-person rule for activation: require two distinct policy:activate approvals when configured; emit audit logs. Activation endpoint enforces rule; audit logs contain approver IDs; tests cover 2-person path.
AUTH-POLICY-23-003 TODO Authority Core & Docs Guild AUTH-POLICY-23-001 Update documentation and sample configs for policy roles, approval workflow, and signing requirements. Docs updated with reviewer checklist; configuration examples validated.

Graph & Vuln Explorer v1

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-VULN-24-001 TODO Authority Core & Security Guild AUTH-GRAPH-21-001 Extend scopes to include vuln:read and signed permalinks with scoped claims for Vuln Explorer; update metadata. Scopes published; permalinks validated; integration tests cover RBAC.

2025-10-27: Paused work after exploratory spike (scope enforcement still outstanding); no functional changes merged.

Orchestrator Dashboard

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-ORCH-32-001 TODO Authority Core & Security Guild Define orch:read scope, register Orch.Viewer role, update discovery metadata, and seed offline defaults. Scope/role available in metadata; integration tests confirm read-only enforcement; offline kit updated.
AUTH-ORCH-33-001 TODO Authority Core & Security Guild AUTH-ORCH-32-001 Add Orch.Operator role/scopes for control actions, require reason/ticket attributes, and update issuer templates. Operator tokens issued; action endpoints enforce scope + reason; audit logs capture operator info; docs refreshed.
AUTH-ORCH-34-001 TODO Authority Core & Security Guild AUTH-ORCH-33-001 Introduce Orch.Admin role with quota/backfill scopes, enforce audit reason on quota changes, and update offline defaults/docs. Admin role available; quotas/backfills require scope + reason; tests confirm tenant isolation; documentation updated.

StellaOps Console (Sprint 23)

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-CONSOLE-23-001 TODO Authority Core & Security Guild AUTH-POLICY-20-001 Register StellaOps Console confidential client with OIDC PKCE support, short-lived ID/access tokens, console:* audience claims, and SPA-friendly refresh (token exchange endpoint). Publish discovery metadata + offline kit defaults. Client registration committed, configuration templates updated, integration tests validate PKCE + scope issuance, security review recorded.
AUTH-CONSOLE-23-002 TODO Authority Core & Security Guild AUTH-CONSOLE-23-001, AUTH-AOC-19-002 Expose tenant catalog, user profile, and token introspection endpoints required by Console (fresh-auth prompts, scope checks); enforce tenant header requirements and audit logging with correlation IDs. Endpoints ship with RBAC enforcement, audit logs include tenant+scope, integration tests cover unauthorized/tenant-mismatch scenarios.
AUTH-CONSOLE-23-003 TODO Authority Core & Docs Guild AUTH-CONSOLE-23-001, AUTH-CONSOLE-23-002 Update security docs/config samples for Console flows (PKCE, tenant badge, fresh-auth for admin actions, session inactivity timeouts) with compliance checklist. Docs merged, config samples validated, release notes updated, ops runbook references new flows.

2025-10-28: docs/security/console-security.md drafted with PKCE + DPoP (120s OpTok, 300s fresh-auth) and scope table. Authority Core to confirm /fresh-auth semantics, token lifetimes, and scope bundles align before closing task. | AUTH-CONSOLE-23-004 | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-003, DOCS-CONSOLE-23-012 | Validate console security guide assumptions (120s OpTok TTL, 300s fresh-auth window, scope bundles) against Authority implementation and update configs/audit fixtures if needed. | Confirmation recorded in sprint log; Authority config samples/tests updated when adjustments required; /fresh-auth behaviour documented in release notes. |

Policy Studio (Sprint 27)

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-POLICY-27-001 TODO Authority Core & Security Guild AUTH-POLICY-20-001, AUTH-CONSOLE-23-001 Define Policy Studio roles (policy:author, policy:review, policy:approve, policy:operate, policy:audit) with tenant-scoped claims, update issuer metadata, and seed offline kit defaults. Scopes/roles exposed via discovery docs; tokens issued with correct claims; integration tests cover role combinations; docs updated.
AUTH-POLICY-27-002 TODO Authority Core & Security Guild AUTH-POLICY-27-001, REGISTRY-API-27-007 Provide attestation signing service bindings (OIDC token exchange, cosign integration) and enforce publish/promote scope checks, fresh-auth requirements, and audit logging. Publish/promote requests require fresh auth + correct scopes; attestations signed with validated identity; audit logs enriched with digest + tenant; integration tests pass.

Docs dependency: DOCS-POLICY-27-009 awaiting signing guidance from this work. | AUTH-POLICY-27-003 | TODO | Authority Core & Docs Guild | AUTH-POLICY-27-001, AUTH-POLICY-27-002 | Update Authority configuration/docs for Policy Studio roles, signing policies, approval workflows, and CLI integration; include compliance checklist. | Docs merged; samples validated; governance checklist appended; release notes updated. |

Exceptions v1

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-EXC-25-001 TODO Authority Core & Security Guild AUTH-POLICY-23-001 Introduce exception scopes (exceptions:read, exceptions:write, exceptions:approve) and approval routing configuration with MFA gating. Scopes published in metadata; routing matrix validated; integration tests enforce scope + MFA rules.
AUTH-EXC-25-002 TODO Authority Core & Docs Guild AUTH-EXC-25-001 Update documentation/samples for exception roles, routing matrix, MFA requirements, and audit trail references. Docs merged with compliance checklist; samples verified.

Reachability v1

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-SIG-26-001 TODO Authority Core & Security Guild AUTH-EXC-25-001 Add signals:read, signals:write, signals:admin scopes, issue SignalsUploader role template, and enforce AOC for sensor identities. Scopes exposed; configuration validated; integration tests ensure RBAC + AOC enforcement.

Vulnerability Explorer (Sprint 29)

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-VULN-29-001 TODO Authority Core & Security Guild AUTH-POLICY-27-001 Define Vuln Explorer scopes/roles (vuln:view, vuln:investigate, vuln:operate, vuln:audit) with ABAC attributes (env, owner, business_tier) and update discovery metadata/offline kit defaults. Roles/scopes published; issuer templates updated; integration tests cover ABAC filters; docs refreshed.
AUTH-VULN-29-002 TODO Authority Core & Security Guild AUTH-VULN-29-001, LEDGER-29-002 Enforce CSRF/anti-forgery tokens for workflow actions, sign attachment tokens, and record audit logs with ledger event hashes. Workflow calls require valid tokens; audit logs include ledger references; security tests cover token expiry/abuse.
AUTH-VULN-29-003 TODO Authority Core & Docs Guild AUTH-VULN-29-001..002 Update security docs/config samples for Vuln Explorer roles, ABAC policies, attachment signing, and ledger verification guidance. Docs merged with compliance checklist; configuration examples validated; release notes updated.

Advisory AI (Sprint 31)

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-AIAI-31-001 TODO Authority Core & Security Guild AUTH-VULN-29-001 Define Advisory AI scopes (advisory-ai:view, advisory-ai:operate, advisory-ai:admin) and remote inference toggles; update discovery metadata/offline defaults. Scopes/flags published; integration tests cover RBAC + opt-in settings; docs updated.
AUTH-AIAI-31-002 TODO Authority Core & Security Guild AUTH-AIAI-31-001, AIAI-31-006 Enforce anonymized prompt logging, tenant consent for remote inference, and audit logging of assistant tasks. Logging/audit flows verified; privacy review passed; docs updated.

Export Center

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-EXPORT-35-001 TODO Authority Core & Security Guild AUTH-AOC-19-001 Introduce Export.Viewer, Export.Operator, Export.Admin scopes, configure issuer templates, and update discovery metadata/offline defaults. Scopes available; metadata updated; tests ensure enforcement; offline kit defaults refreshed.
AUTH-EXPORT-37-001 TODO Authority Core & Security Guild AUTH-EXPORT-35-001, WEB-EXPORT-37-001 Enforce admin-only access for scheduling, retention, encryption key references, and verify endpoints with audit reason capture. Admin scope required; audit logs include reason/ticket; integration tests cover denial cases; docs updated.

Notifications Studio

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-NOTIFY-38-001 TODO Authority Core & Security Guild Define Notify.Viewer, Notify.Operator, Notify.Admin scopes/roles, update discovery metadata, offline defaults, and issuer templates. Scopes available; metadata updated; tests ensure enforcement; offline kit defaults refreshed.
AUTH-NOTIFY-40-001 TODO Authority Core & Security Guild AUTH-NOTIFY-38-001, WEB-NOTIFY-40-001 Implement signed ack token key rotation, webhook allowlists, admin-only escalation settings, and audit logging of ack actions. Ack tokens signed/rotated; webhook allowlists enforced; admin enforcement validated; audit logs capture ack/resolution.

CLI Parity & Task Packs

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-PACKS-41-001 TODO Authority Core & Security Guild AUTH-AOC-19-001 Define CLI SSO profiles and pack scopes (Packs.Read, Packs.Write, Packs.Run, Packs.Approve), update discovery metadata, offline defaults, and issuer templates. Scopes available; metadata updated; tests ensure enforcement; offline kit templates refreshed.
AUTH-PACKS-43-001 TODO Authority Core & Security Guild AUTH-PACKS-41-001, ORCH-SVC-42-101 Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. Signing policies enforced; approvals require correct roles; CI token scope tests pass; audit logs recorded.

Authority-Backed Scopes & Tenancy (Epic 14)

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-TEN-47-001 TODO Authority Core & Security Guild AUTH-AOC-19-001 Align Authority with OIDC/JWT claims (tenants, projects, scopes), implement JWKS caching/rotation, publish scope grammar, and enforce required claims on tokens. Tokens include tenant/project claims; JWKS cache validated; docs updated; imposed rule noted.
AUTH-TEN-49-001 TODO Authority Core & Security Guild AUTH-TEN-47-001 Implement service accounts & delegation tokens (act chain), per-tenant quotas, audit stream of auth decisions, and revocation APIs. Service tokens minted with scopes/TTL; delegation logged; quotas configurable; audit stream live; docs updated.

Observability & Forensics (Epic 15)

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-OBS-50-001 TODO Authority Core & Security Guild AUTH-AOC-19-001 Introduce scopes obs:read, timeline:read, timeline:write, evidence:create, evidence:read, evidence:hold, attest:read, and obs:incident (all tenant-scoped). Update discovery metadata, offline defaults, and scope grammar docs. Scopes exposed via metadata; issuer templates updated; offline kit seeded; integration tests cover new scopes.
AUTH-OBS-52-001 TODO Authority Core & Security Guild AUTH-OBS-50-001, TIMELINE-OBS-52-003, EVID-OBS-53-003 Configure resource server policies for Timeline Indexer, Evidence Locker, Exporter, and Observability APIs enforcing new scopes + tenant claims. Emit audit events including scope usage and trace IDs. Policies deployed; unauthorized access blocked; audit logs prove scope usage; contract tests updated.
AUTH-OBS-55-001 TODO Authority Core & Security Guild, Ops Guild AUTH-OBS-50-001, WEB-OBS-55-001 Harden incident mode authorization: require obs:incident scope + fresh auth, log activation reason, and expose verification endpoint for auditors. Update docs/runbooks. Incident activate/deactivate requires scope; audit entries logged; docs updated with imposed rule reminder.

Air-Gapped Mode (Epic 16)

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-AIRGAP-56-001 TODO Authority Core & Security Guild AIRGAP-CTL-56-001 Provision new scopes (airgap:seal, airgap:import, airgap:status:read) in configuration metadata, offline kit defaults, and issuer templates. Scopes exposed in discovery docs; offline kit updated; integration tests cover issuance.
AUTH-AIRGAP-56-002 TODO Authority Core & Security Guild AUTH-AIRGAP-56-001, AIRGAP-IMP-58-001 Audit import actions with actor, tenant, bundle ID, and trace ID; expose /authority/audit/airgap endpoint. Audit records persisted; endpoint paginates results; tests cover RBAC + filtering.
AUTH-AIRGAP-57-001 TODO Authority Core & Security Guild, DevOps Guild AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002 Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. CI scenario validated; error surfaces remediation; docs updated.

SDKs & OpenAPI (Epic 17)

ID Status Owner(s) Depends on Description Exit Criteria
AUTH-OAS-61-001 TODO Authority Core & Security Guild, API Contracts Guild OAS-61-001 Document Authority authentication/token endpoints in OAS with scopes, examples, and error envelopes. Spec complete with security schemes; lint passes.
AUTH-OAS-61-002 TODO Authority Core & Security Guild AUTH-OAS-61-001 Implement /.well-known/openapi with scope metadata, supported grant types, and build version. Endpoint deployed; contract tests cover discovery.
AUTH-OAS-62-001 TODO Authority Core & Security Guild, SDK Generator Guild AUTH-OAS-61-001, SDKGEN-63-001 Provide SDK helpers for OAuth2/PAT flows, tenancy override header; add integration tests. SDKs expose auth helpers; tests cover token issuance; docs updated.
AUTH-OAS-63-001 TODO Authority Core & Security Guild, API Governance Guild APIGOV-63-001 Emit deprecation headers and notifications for legacy auth endpoints. Headers emitted; notifications verified; migration guide published.