stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
9ca2de05dff9c7db11eb49df6d4e47bbfe7a99f6
git.stella-ops.org/docs/features/checked/notifier/ack-tokens-for-approval-workflows.md
master 5bca406787 save checkpoint: save features
2026-02-12 10:27:23 +02:00

3.2 KiB
Raw Blame History

Ack Tokens for Approval Workflows

Module

Notifier

Status

VERIFIED

Description

HMAC-based ack token service with bridge integration for acknowledgement workflows. Note: uses HMAC rather than DSSE-signed tokens as described in the advisory.

Implementation Details

  • IAckTokenService interface: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Security/IAckTokenService.cs -- CreateToken, VerifyToken, CreateAckUrl for signed acknowledgement tokens with configurable expiration and metadata
  • HmacAckTokenService: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Security/HmacAckTokenService.cs -- HMAC-SHA256 implementation with HKDF key derivation, soa1 token prefix, versioned token format, configurable signing key
  • IAckBridge interface: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Escalation/IAckBridge.cs -- bridge between ack tokens and escalation engine
  • AckBridge: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker/Escalation/AckBridge.cs -- processes ack requests, maps external IDs to internal incident IDs, integrates with IEscalationEngine and IIncidentManager, supports audit logging
  • SecurityContracts: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Contracts/SecurityContracts.cs -- ack token request/response DTOs
  • PackApprovalAckRequest: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Contracts/PackApprovalAckRequest.cs -- pack approval ack request model
  • EscalationEndpoints: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/EscalationEndpoints.cs -- REST endpoints for ack token processing
  • SecurityEndpoints: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/Endpoints/SecurityEndpoints.cs -- security-related endpoints
  • Tests: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService.Tests/Escalation/AckBridgeTests.cs
  • OpenAPI: src/Notifier/StellaOps.Notifier/StellaOps.Notifier.WebService/openapi/pack-approvals.yaml
  • Source: Feature matrix scan

E2E Test Plan

  • Verify HMAC ack token creation with configurable expiration (default 7 days)
  • Test token verification rejects expired, tampered, or malformed tokens
  • Verify AckBridge routes ack actions (ack, resolve, escalate) to escalation engine
  • Test ack URL generation and round-trip verification
  • Verify pack approval ack workflow through EscalationEndpoints
  • Test audit logging of ack processing events

Verification

  • Verified on 2026-02-11 with run-001.
  • Tier 0 source checks passed for ack token service, ack bridge, security/escalation endpoints, request contracts, and OpenAPI surface.
  • Tier 1 build and focused behavior tests passed (10/10 class-scoped, 505/505 full suite).
  • Tier 2 API behavior checks passed using Notifier test-host routes for pack approval ack flows (positive + negative) and token verification behavior evidence.
  • Evidence:
    • docs/qa/feature-checks/runs/notifier/ack-tokens-for-approval-workflows/run-001/tier0-source-check.json
    • docs/qa/feature-checks/runs/notifier/ack-tokens-for-approval-workflows/run-001/tier1-build-check.json
    • docs/qa/feature-checks/runs/notifier/ack-tokens-for-approval-workflows/run-001/tier2-api-check.json