stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
8768c27f30d4849b4f983ee6121d710c5eba9992
git.stella-ops.org/docs/modules/authority/README.md
StellaOps Bot 17d45a6d30
Some checks failed
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
feat: Implement Filesystem and MongoDB provenance writers for PackRun execution context 
- Added `FilesystemPackRunProvenanceWriter` to write provenance manifests to the filesystem.
- Introduced `MongoPackRunArtifactReader` to read artifacts from MongoDB.
- Created `MongoPackRunProvenanceWriter` to store provenance manifests in MongoDB.
- Developed unit tests for filesystem and MongoDB provenance writers.
- Established `ITimelineEventStore` and `ITimelineIngestionService` interfaces for timeline event handling.
- Implemented `TimelineIngestionService` to validate and persist timeline events with hashing.
- Created PostgreSQL schema and migration scripts for timeline indexing.
- Added dependency injection support for timeline indexer services.
- Developed tests for timeline ingestion and schema validation.
2025-11-30 15:38:14 +02:00

47 lines
2.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# StellaOps Authority
Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool.
## Latest updates (2025-11-30)
- Sprint tracker `docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md` and module `TASKS.md` added to mirror status.
- Monitoring/observability references consolidated; Grafana JSON remains offline import (`operations/grafana-dashboard.json`).
- Prior content retained: OpTok/DPoP/mTLS responsibilities, backup/restore, key rotation.
## Responsibilities
- Expose device-code, auth-code, and client-credential flows with DPoP or mTLS binding.
- Manage signing keys, JWKS rotation, and PoE integration for plan enforcement.
- Emit structured audit events and enforce tenant-aware scope policies.
- Provide plugin surface for custom identity providers and credential validators.
## Key components
- `StellaOps.Authority` web host.
- `StellaOps.Authority.Plugin.*` extensions for secret stores, identity bridges, and OpTok validation.
- Telemetry and audit pipeline feeding Security/Observability stacks.
## Integrations & dependencies
- Signer/Attestor for PoE and OpTok introspection.
- CLI/UI for login flows and token management.
- Scheduler/Scanner for machine-to-machine scope enforcement.
## Operational notes
- MongoDB for tenant, client, and token state.
- Key material in KMS/HSM with rotation runbooks (`operations/key-rotation.md`).
- Monitoring runbook (`operations/monitoring.md`) and offline-import Grafana JSON (`operations/grafana-dashboard.json`).
## Related resources
- ./operations/backup-restore.md
- ./operations/key-rotation.md
- ./operations/monitoring.md
- ./operations/grafana-dashboard.json
- Sprint/status mirrors: `docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md`, `docs/modules/authority/TASKS.md`
## Backlog references
- DOCS-SEC-62-001 (scope hardening doc) in ../../TASKS.md.
- AUTH-POLICY-20-001/002 follow-ups in src/Authority/StellaOps.Authority/TASKS.md.
## Epic alignment
- **Epic 1 AOC enforcement:** enforce OpTok scopes and guardrails supporting raw ingestion boundaries.
- **Epic 2 Policy Engine & Editor:** supply policy evaluation/principal scopes and short-lived tokens for evaluator workflows.
- **Epic 4 Policy Studio:** integrate approval/promotion signatures and policy registry access controls.
- **Epic 14 Identity & Tenancy:** deliver tenant isolation, RBAC hierarchies, and governance tooling for authentication.
Reference in New Issue View Git Blame Copy Permalink