stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
75c2bcafced8b7a9e4e442cd10af3972f5788d35
git.stella-ops.org/docs/implplan/SPRINT_100_identity_signing.md
master 75c2bcafce
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Add LDAP Distinguished Name Helper and Credential Audit Context 
- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.
2025-11-09 12:21:38 +02:00

6.4 KiB
Raw Blame History

Sprint 100 - Identity & Signing

Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED.

Sprint 100 tracks Identity & Signing readiness; sections below list only in-flight tasks.

100.B) Authority.I

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on Authority (phase I).

# Task ID & handle State Key dependency / next step Owners
1 AUTH-AIRGAP-57-001 DONE (2025-11-08) Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority)
2 AUTH-PACKS-43-001 BLOCKED (2025-10-27) Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) Authority Core & Security Guild (src/Authority/StellaOps.Authority)

100.B) Authority.II

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on Authority (phase II).

# Task ID & handle State Key dependency / next step Owners
1 AUTH-DPOP-11-001 DONE (2025-11-08) DPoP validation now runs for every /token grant, interactive tokens inherit cnf.jkt/sender claims, and docs/tests document the expanded coverage. (Deps: AUTH-AOC-19-002.) Authority Core & Security Guild (src/Authority/StellaOps.Authority)
2 AUTH-MTLS-11-002 DONE (2025-11-08) Refresh grants now enforce the original client certificate, tokens persist x5t#S256/hex metadata via shared helper, and docs/JWKS guidance call out the mTLS binding expectations. (Deps: AUTH-DPOP-11-001.) Authority Core & Security Guild (src/Authority/StellaOps.Authority)
3 PLG4-6.CAPABILITIES DONE (2025-11-08) Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
4 PLG6.DIAGRAM DONE (2025-11-03) Component + sequence diagrams rendered (Mermaid + SVG) and offline assets published under docs/assets/authority; dev guide now references final exports. Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
5 PLG7.RFC DONE (2025-11-03) LDAP plugin RFC reviewed; guild sign-off captured and follow-up implementation issues filed per review notes. BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
6 SEC2.PLG DONE (2025-11-09) StandardCredentialAuditLogger now pushes authority.plugin.standard.password_verification events via IAuthEventSink, pulling client/tenant/network metadata from AuthorityCredentialAuditContextAccessor; success/failure/lockout scenarios are covered by new unit tests. Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
7 SEC3.PLG DONE (2025-11-09) Lockout/rate-limit telemetry emits deterministic plugin.retry_after_seconds + plugin.lockout_until properties, maps failure codes to the extended AuthEventOutcome set, and is validated by updated credential store/audit logger tests. Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
8 SEC5.PLG DONE (2025-11-09) Plugin guide + threat model document bootstrap safeguards, Argon2 password policy expectations, and the credential audit contract (plugin.* properties) so SOC/offline reviewers can trace mitigations end-to-end. Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
9 PLG7.IMPL-003 DONE (2025-11-09) Claims enricher ships with DN map + regex substitutions, Mongo claims cache (TTL + capacity enforcement) wired through DI, plus unit tests covering enrichment + cache eviction. BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
10 PLG7.IMPL-004 DONE (2025-11-09) LDAP plug-in now ships clientProvisioning.* options, a Mongo-audited LdapClientProvisioningStore, capability gating, and docs/tests covering LDAP writes + cache shims. BE-Auth Plugin, DevOps Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap)
11 PLG7.IMPL-005 DONE (2025-11-09) LDAP plug-in docs refreshed (mutual TLS, regex mappings, cache/audit mirror guidance), sample manifest updated, Offline Kit + release notes now reference the bundled plug-in assets. BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard)
  • 2025-11-08: PLG4-6.CAPABILITIES marked DONE bootstrap capability surfaced in code/docs, registry logs updated, and bootstrap APIs now gate on providers that advertise it (dotnet test across plugins + Authority core).
  • 2025-11-08: AUTH-AIRGAP-57-001 landed — new airGap.sealedMode options, file-backed evidence ingestion, client metadata gating, docs/tests, and audit telemetry ensure sealed tenants cannot mint tokens until authority-sealed-ci.json passes.
  • 2025-11-09: PLG7.IMPL-003 + PLG7.IMPL-004 complete — LDAP claims enricher/cache + client provisioning store with audit mirror, LDAP DN escapes, DI wiring, and plugin docs/tests refreshed.
  • 2025-11-09: PLG7.IMPL-003 complete — LDAP claims enricher + Mongo cache wired (DI + tests), regex placeholder compatibility finalised, sample config/docs updated, and plugin tests green (StellaOps.Authority.Plugin.Ldap.Tests).
  • 2025-11-09: PLG7.IMPL-005 complete — Developer guide, sample manifest, Offline Kit notes, and release updates now cover LDAP mutual TLS, regex mappings, caching, and the audit mirror workflow.

100.D) __Libraries

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on __Libraries.

# Task ID & handle State Key dependency / next step Owners
1 KMS-73-001 DONE (2025-11-03) AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms)
2 KMS-73-002 DONE (2025-11-03) PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms)