Files

master d870da18ce Restructure solution layout by module

2025-10-28 15:10:40 +02:00

6.3 KiB

Raw Blame History

Imposed rule: Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.

Pack Signing & RBAC Controls

This document defines signing, verification, and authorization requirements for Task Packs across the CLI, Packs Registry, Task Runner, and Offline Kit. It aligns with Authority sprint tasks (AUTH-PACKS-41-001, AUTH-PACKS-43-001) and security guild expectations.

1 · Threat Model Highlights

Threat	Mitigation
Unsigned or tampered pack uploaded to registry	Mandatory cosign/DSSE verification before acceptance.
Unauthorized user publishing or promoting packs	Authority scopes (`Packs.Write`) + registry policy checks.
Privilege escalation during approvals	Approval gates require `Packs.Approve` + audit logging; fresh-auth recommended.
Secret exfiltration via pack steps	Secrets injection sandbox with redaction, sealed-mode network guardrails, evidence review.
Replay of old approval tokens	Approval payloads carry plan hash + expiry; Task Runner rejects mismatches.
Malicious pack in Offline Kit	Mirror verification using signed manifest and DSSE provenance.

2 · Signing Requirements

Cosign signatures required for all bundles. Keys can be:
- Keyless (Fulcio OIDC).
- KMS-backed (HSM, cloud KMS).
- Offline keys stored in secure vault (air-gapped mode).
DSSE Attestations recommended to embed:
- Manifest digest.
- Build metadata (repo, commit, CI run).
- CLI version (stella/pack).
Signatures stored alongside bundle in registry object storage.
stella pack push refuses to publish without signature (unless --insecure-publish used in dev).
Registry enforces trust policy:

Policy	Description
`anyOf`	Accepts any key in configured trust store.
`keyRef`	Accepts specific key ID (`kid`).
`oidcIssuer`	Accepts Fulcio certificates from allowed issuers (e.g., `https://fulcio.sigstore.dev`).
`threshold`	Requires N-of-M signatures (future release).

3 · RBAC & Scopes

Authority exposes pack-related scopes:

Scope	Description
`Packs.Read`	View packs, download manifests/bundles.
`Packs.Write`	Publish, promote, deprecate packs.
`Packs.Run`	Execute packs (Task Runner, CLI).
`Packs.Approve`	Approve pack gates, override tenant visibility.

3.1 Role Mapping

Role	Scopes	Use Cases
`pack.viewer`	`Packs.Read`	Inspect packs, plan runs.
`pack.publisher`	`Packs.Read`, `Packs.Write`	Publish new versions, manage channels.
`pack.operator`	`Packs.Read`, `Packs.Run`	Execute packs, monitor runs.
`pack.approver`	`Packs.Read`, `Packs.Approve`	Fulfil approvals, authorize promotions.
`pack.admin`	All	Full lifecycle management (rare).

Roles are tenant-scoped; cross-tenant access requires explicit addition.

3.2 CLI Enforcement

CLI requests scopes based on command:
- stella pack plan → Packs.Read.
- stella pack run → Packs.Run.
- stella pack push → Packs.Write.
- stella pack approve → Packs.Approve.
Offline tokens must include same scopes; CLI warns if missing.

4 · Approvals & Fresh Auth

Approval commands require recent fresh-auth (< 5 minutes). CLI prompts automatically; Console enforces via Authority.
Approval payload includes:
- runId
- gateId
- planHash
- approver
- timestamp
Task Runner logs approval event and verifies plan hash to prevent rerouting.

5 · Secret Management

Secrets defined in pack manifest map to Authority secret providers (e.g., HSM, Vault).
Task Runner obtains secrets using service account with scoped access; CLI may prompt or read from profile.
Secret audit trail:
- secretRequested event with reason, pack, step.
- secretDelivered event omitted (only aggregate metrics) to avoid leakage.
- Evidence bundle includes hashed secret metadata (no values).

Sealed mode requires secrets to originate from sealed vault; external endpoints blocked.

6 · Audit & Evidence

Registry, Task Runner, and Authority emit audit events to central timeline.
Required events:
- pack.version.published
- pack.version.promoted
- pack.run.started/completed
- pack.approval.requested/granted
- pack.secret.requested
Evidence Locker stores DSSE attestations and run bundles for 90 days (configurable).
Auditors can use stella pack audit --run <id> to retrieve audit trail.

7 · Offline / Air-Gap Policies

Offline Kit includes:
- Pack bundles + signatures.
- Trusted key store (trust-bundle.pem).
- Approval workflow instructions for manual signing.
Air-gapped approvals:
- CLI generates approval request file (.approval-request.json).
- Approver uses offline CLI to sign with offline key.
- Response imported to Task Runner.
Mirror process verifies signatures prior to import; failure aborts import with ERR_PACK_SIGNATURE_INVALID.

8 · Incident Response

Compromised pack signature:
- Revoke key via Authority trust store.
- Deprecate affected versions (registry deprecate).
- Notify consumers via Notifier (pack.security.alert).
- Forensically review run evidence for impacted tenants.
Unauthorized approval:
- Review audit log for Packs.Approve events.
- Trigger pack.run.freeze (pauses run pending investigation).
- Rotate approver credentials and require fresh-auth.
Secret leak suspicion:
- Quarantine evidence bundles.
- Rotate secrets referenced by pack.
- Run sealed-mode audit script to confirm guardrails.

9 · Compliance Checklist

Signing requirements (cosign/DSSE, trust policies) documented.
Authority scope mapping and CLI enforcement captured.
Approval workflow + fresh-auth expectations defined.
Secret lifecycle (request, injection, audit) described.
Audit/evidence integration noted (timeline, Evidence Locker).
Offline/air-gap controls outlined.
Incident response playbook provided.
Imposed rule reminder retained at top.

Last updated: 2025-10-27 (Sprint 43).

6.3 KiB Raw Blame History Unescape Escape

Pack Signing & RBAC Controls

1 · Threat Model Highlights

2 · Signing Requirements

3 · RBAC & Scopes

3.1 Role Mapping

3.2 CLI Enforcement

4 · Approvals & Fresh Auth

5 · Secret Management

6 · Audit & Evidence

7 · Offline / Air-Gap Policies

8 · Incident Response

9 · Compliance Checklist