2eaf0f699b
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
- Added AirgapTimelineImpact, AirgapTimelineImpactInput, and AirgapTimelineImpactResult records for managing air-gap bundle import impacts. - Introduced EvidenceSnapshotRecord, EvidenceSnapshotLinkInput, and EvidenceSnapshotLinkResult records for linking findings to evidence snapshots. - Created IEvidenceSnapshotRepository interface for managing evidence snapshot records. - Developed StalenessValidationService to validate staleness and enforce freshness thresholds. - Implemented AirgapTimelineService for emitting timeline events related to bundle imports. - Added EvidenceSnapshotService for linking findings to evidence snapshots and verifying their validity. - Introduced AirGapOptions for configuring air-gap staleness enforcement and thresholds. - Added minimal jsPDF stub for offline/testing builds in the web application. - Created TypeScript definitions for jsPDF to enhance type safety in the web application.
StellaOps Authority
Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool.
Latest updates (2025-12-04)
- Added gap remediation package for AU1–AU10 and RR1–RR10 (31-Nov-2025 FINDINGS) under
docs/modules/authority/gaps/; includes deliverable map + evidence layout. - Sprint tracker
docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.mdand moduleTASKS.mdmirror status. - Monitoring/observability references consolidated; Grafana JSON remains offline import (
operations/grafana-dashboard.json). - Prior content retained: OpTok/DPoP/mTLS responsibilities, backup/restore, key rotation.
Responsibilities
- Expose device-code, auth-code, and client-credential flows with DPoP or mTLS binding.
- Manage signing keys, JWKS rotation, and PoE integration for plan enforcement.
- Emit structured audit events and enforce tenant-aware scope policies.
- Provide plugin surface for custom identity providers and credential validators.
Key components
StellaOps.Authorityweb host.StellaOps.Authority.Plugin.*extensions for secret stores, identity bridges, and OpTok validation.- Telemetry and audit pipeline feeding Security/Observability stacks.
Integrations & dependencies
- Signer/Attestor for PoE and OpTok introspection.
- CLI/UI for login flows and token management.
- Scheduler/Scanner for machine-to-machine scope enforcement.
Operational notes
- MongoDB for tenant, client, and token state.
- Key material in KMS/HSM with rotation runbooks (
operations/key-rotation.md). - Monitoring runbook (
operations/monitoring.md) and offline-import Grafana JSON (operations/grafana-dashboard.json).
Related resources
- ./operations/backup-restore.md
- ./operations/key-rotation.md
- ./operations/monitoring.md
- ./operations/grafana-dashboard.json
- ./gaps/2025-12-04-auth-gaps-au1-au10.md
- ./gaps/2025-12-04-rekor-receipt-gaps-rr1-rr10.md
- Sprint/status mirrors:
docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md,docs/modules/authority/TASKS.md
Backlog references
- DOCS-SEC-62-001 (scope hardening doc) in ../../TASKS.md.
- AUTH-POLICY-20-001/002 follow-ups in src/Authority/StellaOps.Authority/TASKS.md.
Epic alignment
- Epic 1 – AOC enforcement: enforce OpTok scopes and guardrails supporting raw ingestion boundaries.
- Epic 2 – Policy Engine & Editor: supply policy evaluation/principal scopes and short-lived tokens for evaluator workflows.
- Epic 4 – Policy Studio: integrate approval/promotion signatures and policy registry access controls.
- Epic 14 – Identity & Tenancy: deliver tenant isolation, RBAC hierarchies, and governance tooling for authentication.