25 lines
1.1 KiB
Markdown
25 lines
1.1 KiB
Markdown
# Token Minting and Delegation CLI
|
|
|
|
## Module
|
|
Cli
|
|
|
|
## Status
|
|
IMPLEMENTED
|
|
|
|
## Description
|
|
Service account token minting with scope/expiry/tenant control, and token delegation to other principals with scope restriction and audit reasons.
|
|
|
|
## Implementation Details
|
|
- **Command Group**: `src/Cli/StellaOps.Cli/Commands/AuthCommandGroup.cs` -- auth token commands
|
|
- **Authority Console Client**: `src/Cli/StellaOps.Cli/Services/AuthorityConsoleClient.cs` / `IAuthorityConsoleClient.cs`
|
|
- **Commands**:
|
|
- `stella auth token mint --scope <scopes> --expiry <duration> --tenant <id>` -- mint service account token
|
|
- `stella auth token delegate --to <principal> --scope <scopes> --reason <text>` -- delegate token with scope restriction
|
|
|
|
## E2E Test Plan
|
|
- [ ] Run `stella auth token mint --scope "read:policy" --expiry 24h` and verify token minted
|
|
- [ ] Run with `--tenant <id>` and verify tenant-scoped token
|
|
- [ ] Run `stella auth token delegate --to service-a --scope "read:evidence" --reason "CI pipeline"` and verify delegation
|
|
- [ ] Verify delegated token has restricted scopes
|
|
- [ ] Verify audit reason recorded for delegation
|