git.stella-ops.org/docs/modules/authority/README.md
master bc569931d4 fix(authority): retry transient bootstrap failures with configurable attempts
StandardPluginBootstrapper now retries up to 15 times (2s delay) so the
admin user and client seeds converge after PostgreSQL becomes reachable.
Exceptions bubble through the retry loop instead of being swallowed per-step.
Tests cover the retry path with a FlakyUserRepository that fails once then
succeeds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 12:28:36 +03:00


StellaOps Authority

Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool.

Latest updates (2025-12-04)

  • Added gap remediation package for AU1-AU10 and RR1-RR10 (31-Nov-2025 FINDINGS) under docs/modules/authority/gaps/; includes deliverable map + evidence layout.
  • Sprint tracker docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md and module TASKS.md mirror status.
  • Monitoring/observability references consolidated; the Grafana JSON remains an offline import (operations/grafana-dashboard.json).
  • Prior content retained: OpTok/DPoP/mTLS responsibilities, backup/restore, key rotation.

Responsibilities

  • Expose device-code, auth-code, and client-credential flows with DPoP or mTLS binding.
  • Manage signing keys, JWKS rotation, and PoE integration for plan enforcement.
  • Emit structured audit events and enforce tenant-aware scope policies.
  • Provide plugin surface for custom identity providers and credential validators.

Key components

  • StellaOps.Authority web host.
  • StellaOps.Authority.Plugin.* extensions for secret stores, identity bridges, and OpTok validation.
  • Telemetry and audit pipeline feeding Security/Observability stacks.

Integrations & dependencies

  • Signer/Attestor for PoE and OpTok introspection.
  • CLI/UI for login flows and token management.
  • Scheduler/Scanner for machine-to-machine scope enforcement.

Operational notes

  • PostgreSQL (schema authority) for tenant, client, and token state.
  • Standard plugin bootstrap provisioning retries transient storage failures during startup so seeded local users/clients converge after PostgreSQL becomes reachable.
  • Key material in KMS/HSM with rotation runbooks (operations/key-rotation.md).
  • Monitoring runbook (operations/monitoring.md) and offline-import Grafana JSON (operations/grafana-dashboard.json).
  • ./operations/backup-restore.md
  • ./operations/key-rotation.md
  • ./operations/monitoring.md
  • ./operations/grafana-dashboard.json
  • ./crypto-provider-contract.md
  • ./gaps/2025-12-04-auth-gaps-au1-au10.md
  • ./gaps/2025-12-04-rekor-receipt-gaps-rr1-rr10.md
  • Sprint/status mirrors: docs/implplan/SPRINT_0314_0001_0001_docs_modules_authority.md, docs/modules/authority/TASKS.md

Backlog references

  • DOCS-SEC-62-001 (scope hardening doc) in ../../TASKS.md.
  • AUTH-POLICY-20-001/002 follow-ups in src/Authority/StellaOps.Authority/TASKS.md.

Epic alignment

  • Epic 1 - AOC enforcement: enforce OpTok scopes and guardrails supporting raw ingestion boundaries.
  • Epic 2 - Policy Engine & Editor: supply policy evaluation/principal scopes and short-lived tokens for evaluator workflows.
  • Epic 4 - Policy Studio: integrate approval/promotion signatures and policy registry access controls.
  • Epic 14 - Identity & Tenancy: deliver tenant isolation, RBAC hierarchies, and governance tooling for authentication.

Implementation Status

Epic Milestones:

  • Epic 1 (AOC enforcement) - Complete: OpTok scopes, guardrails, AOC role templates, and scope policies operational
  • Epic 2 (Policy Engine & Editor) - Complete: DPoP validation and mTLS sender-constraint flows operational
  • Epic 4 (Policy Studio) - Complete: pack signing policies, approval RBAC, CLI CI token scopes, audit logging
  • Epic 14 (Identity & Tenancy) - In progress: tenancy contract published, sovereign crypto provider integration ongoing
  • Future (Attestation support) - Not started: DSSE predicate types and verification helpers pending upstream dependencies

Key Technical Decisions:

  • DPoP validation on token grants with cnf.jkt inheritance for interactive tokens
  • Refresh grants enforce original client cert with x5t#S256 metadata persistence
  • Sealed-mode CI gating refuses tokens when sealed install lacks confirmation
  • Tenant-scope contract published for cross-module coordination
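The two sender-constraint comparisons named above, as an added illustration that is not Authority's own code: a token's cnf.jkt is checked against the RFC 7638 thumbprint of the key carried in the DPoP proof, and a refresh grant under mTLS is checked against the x5t#S256 (RFC 8705) value persisted with the original grant. The sample JWK and DER bytes are constructed placeholders, not real key material.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638: only these members, lexicographically ordered, feed the hash;
# kid, alg, use and any private members are deliberately excluded.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint of a public JWK (what cnf.jkt carries)."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def cert_thumbprint_s256(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256 value: base64url(SHA-256(DER-encoded certificate))."""
    return _b64url(hashlib.sha256(cert_der).digest())


def dpop_key_matches_token(dpop_proof_jwk: dict, token_claims: dict) -> bool:
    """True only when the proof key's thumbprint equals the token's cnf.jkt."""
    expected = token_claims.get("cnf", {}).get("jkt")
    if not expected:
        return False  # unbound token: refuse, never downgrade to bearer use
    return hmac.compare_digest(jwk_thumbprint(dpop_proof_jwk), expected)


def refresh_cert_matches_grant(cert_der: bytes, persisted_x5t_s256: str) -> bool:
    """Refresh-grant rule: the presented mTLS cert must match the stored x5t#S256."""
    return hmac.compare_digest(cert_thumbprint_s256(cert_der), persisted_x5t_s256)


# Constructed sample inputs (placeholders, not a real key or certificate).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg",
              "y": "c2FtcGxlLXk", "kid": "dev-1", "use": "sig"}
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-der-placeholder"

if __name__ == "__main__":
    token = {"sub": "cli", "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}
    print("DPoP key bound to token:", dpop_key_matches_token(SAMPLE_JWK, token))
```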

Risks & Mitigations:

  • Sovereign crypto keystore migration is in progress; key-loading path updates are still required
  • DSSE predicate schema draft pending coordination with Signer guild
  • Provenance harness dependency for verification helpers