15b4a1de6a
- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys. - Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations. - Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
7.0 KiB
7.0 KiB
Completed Tasks
| ID | Status | Owner | Description | Dependencies | Exit Criteria |
|---|---|---|---|---|---|
| SEC1.A | DONE (2025-10-11) | Security Guild | Introduce Argon2idPasswordHasher backed by Konscious defaults. Wire options into StandardPluginOptions (PasswordHashOptions) and StellaOpsAuthorityOptions.Security.PasswordHashing. |
PLG3, CORE3 | ✅ Hashes emit PHC string $argon2id$v=19$m=19456,t=2,p=1$...; ✅ NeedsRehash promotes PBKDF2 → Argon2; ✅ Integration tests cover tamper, legacy rehash, perf p95 < 250 ms. |
| SEC1.B | DONE (2025-10-12) | Security Guild | Add compile-time switch to enable libsodium/Core variants later (STELLAOPS_CRYPTO_SODIUM). Document build variable. |
SEC1.A | ✅ Conditional compilation path compiles; ✅ README snippet in docs/security/password-hashing.md. |
| SEC2.A | DONE (2025-10-13) | Security Guild + Core | Define audit event contract (AuthEventRecord) with subject/client/scope/IP/outcome/correlationId and PII tags. |
CORE5–CORE7 | ✅ Contract shipped in StellaOps.Cryptography (or shared abstractions); ✅ Docs in docs/security/audit-events.md. |
| SEC2.B | DONE (2025-10-13) | Security Guild | Emit audit records from OpenIddict handlers (password + client creds) and bootstrap APIs. Persist via IAuthorityLoginAttemptStore. |
SEC2.A | ✅ Tests assert three flows (success/failure/lockout); ✅ Serilog output contains correlationId + PII tagging; ✅ Mongo store holds summary rows. |
| SEC3.A | DONE (2025-10-12) | Security Guild + Core | Configure ASP.NET rate limiter (AddRateLimiter) with fixed-window policy keyed by IP + client_id. Apply to /token and /internal/*. |
CORE8 completion | ✅ Middleware active; ✅ Configurable limits via options; ✅ Integration test hits 429. |
| SEC3.B | DONE (2025-10-13) | Security Guild | Document lockout + rate-limit tuning guidance and escalation thresholds. | SEC3.A | ✅ Section in docs/security/rate-limits.md; ✅ Includes SOC alert recommendations. |
| SEC4.A | DONE (2025-10-12) | Security Guild + DevOps | Define revocation JSON schema (revocation_bundle.schema.json) and detached JWS workflow. |
CORE9, OPS3 | ✅ Schema + sample committed; ✅ CLI command stellaops auth revoke export scaffolded with acceptance tests; ✅ Verification script + docs. |
| SEC4.B | DONE (2025-10-12) | Security Guild | Integrate signing keys with crypto provider abstraction (initially ES256 via BCL). | SEC4.A, D5 | ✅ ICryptoProvider.GetSigner stub + default BCL signer; ✅ Unit tests verifying signature roundtrip. |
| SEC5.A | DONE (2025-10-12) | Security Guild | Author STRIDE threat model (docs/security/authority-threat-model.md) covering token, bootstrap, revocation, CLI, plugin surfaces. |
All SEC1–SEC4 in progress | ✅ DFDs + trust boundaries drawn; ✅ Risk table with owners/actions; ✅ Follow-up backlog issues created. |
| SEC5.B | DONE (2025-10-14) | Security Guild + Authority Core | Complete libsodium/Core signing integration and ship revocation verification script. | SEC4.A, SEC4.B, SEC4.HOST | ✅ libsodium/Core signing provider wired; ✅ stellaops auth revoke verify script published; ✅ Revocation docs updated with verification workflow. |
| SEC5.B1 | DONE (2025-10-14) | Security Guild + Authority Core | Introduce LibsodiumCryptoProvider implementing ECDSA signing/verification via libsodium, register under feature flag, and validate against existing ES256 fixtures. |
SEC5.B | ✅ Provider resolves via ICryptoProviderRegistry; ✅ Integration tests cover sign/verify parity with default provider; ✅ Fallback to managed provider documented. |
| SEC5.B2 | DONE (2025-10-14) | Security Guild + DevEx/CLI | Extend stellaops auth revoke verify to detect provider metadata, reuse registry for verification, and document CLI workflow. |
SEC5.B | ✅ CLI uses registry signers for verification; ✅ End-to-end test invokes verify against sample bundle; ✅ docs/11_AUTHORITY.md references CLI procedure. |
| SEC5.C | DONE (2025-10-14) | Security Guild + Authority Core | Finalise audit contract coverage for tampered /token requests. |
SEC2.A, SEC2.B | ✅ Tamper attempts logged with correlationId/PII tags; ✅ SOC runbook updated; ✅ Threat model status reviewed. |
| SEC5.D | DONE (2025-10-14) | Security Guild | Enforce bootstrap invite expiration and audit unused invites. | SEC5.A | ✅ Bootstrap tokens auto-expire; ✅ Audit entries emitted for expiration/reuse attempts; ✅ Operator docs updated. |
| SEC5.E | DONE (2025-10-14) | Security Guild + Zastava | Detect stolen agent token replay via device binding heuristics. | SEC4.A | ✅ Device binding guidance published; ✅ Alerting pipeline raises stale revocation acknowledgements; ✅ Tests cover replay detection. |
| SEC5.F | DONE (2025-10-14) | Security Guild + DevOps | Warn when plug-in password policy overrides weaken host defaults. | SEC1.A, PLG3 | ✅ Static analyser flags weaker overrides; ✅ Runtime warning surfaced; ✅ Docs call out mitigation. |
| SEC5.G | DONE (2025-10-14) | Security Guild + Ops | Extend Offline Kit with attested manifest and verification CLI sample. | OPS3 | ✅ Offline Kit build signs manifest with detached JWS; ✅ Verification CLI documented; ✅ Supply-chain attestation recorded. |
| SEC5.H | DONE (2025-10-13) | Security Guild + Authority Core | Ensure /token denials persist audit records with correlation IDs. |
SEC2.A, SEC2.B | ✅ Audit store captures denials; ✅ Tests cover success/failure/lockout; ✅ Threat model review updated. |
| D5.A | DONE (2025-10-12) | Security Guild | Flesh out StellaOps.Cryptography provider registry, policy, and DI helpers enabling sovereign crypto selection. |
SEC1.A, SEC4.B | ✅ ICryptoProviderRegistry implementation with provider selection rules; ✅ StellaOps.Cryptography.DependencyInjection extensions; ✅ Tests covering fallback ordering. |
| SEC5.H | DONE (2025-10-13) | Security Guild + Authority Core | Ensure /token denials persist audit records with correlation IDs. | SEC2.A, SEC2.B | ✅ Audit store captures denials; ✅ Tests cover success/failure/lockout; ✅ Threat model review updated. |
| D5.A | DONE (2025-10-12) | Security Guild | Flesh out StellaOps.Cryptography provider registry, policy, and DI helpers enabling sovereign crypto selection. | SEC1.A, SEC4.B | ✅ ICryptoProviderRegistry implementation with provider selection rules; ✅ StellaOps.Cryptography.DependencyInjection extensions; ✅ Tests covering fallback ordering. |
| SEC6.A | DONE (2025-10-19) | Security Guild | Ship BouncyCastle-backed Ed25519 signing as a StellaOps.Cryptography plug-in and migrate Scanner WebService signing to consume the provider registry; codify the plug-in rule in AGENTS.
2025-10-19: Added StellaOps.Cryptography.Plugin.BouncyCastle, updated DI and ReportSigner, captured provider tests (BouncyCastleEd25519CryptoProviderTests). | D5.A | ✅ Plug-in registered via DI (AddStellaOpsCrypto + AddBouncyCastleEd25519Provider); ✅ Report signer resolves keys through registry; ✅ Unit tests cover Ed25519 sign/verify via provider. |