stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
ae69b1a8a1da7e0d01298f2ad94e60c2d3a007ca
git.stella-ops.org/docs/implplan/SPRINT_100_identity_signing.md
master ae69b1a8a1 feat: Add documentation and task tracking for Sprints 508 to 514 in Ops & Offline 
- Created detailed markdown files for Sprints 508 (Ops Offline Kit), 509 (Samples), 510 (AirGap), 511 (Api), 512 (Bench), 513 (Provenance), and 514 (Sovereign Crypto Enablement) outlining tasks, dependencies, and owners.
- Introduced a comprehensive Reachability Evidence Delivery Guide to streamline the reachability signal process.
- Implemented unit tests for Advisory AI to block known injection patterns and redact secrets.
- Added AuthoritySenderConstraintHelper to manage sender constraints in OpenIddict transactions.
2025-11-08 23:18:28 +02:00

4.5 KiB
Raw Blame History

Sprint 100 - Identity & Signing

Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED.

Sprint 100 tracks Identity & Signing readiness; sections below list only in-flight tasks.

100.B) Authority.I

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on Authority (phase I).

# Task ID & handle State Key dependency / next step Owners
1 AUTH-AIRGAP-57-001 DOING (2025-11-08) Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority/TASKS.md)
2 AUTH-PACKS-43-001 BLOCKED (2025-10-27) Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)

100.B) Authority.II

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on Authority (phase II).

# Task ID & handle State Key dependency / next step Owners
1 AUTH-DPOP-11-001 DONE (2025-11-08) DPoP validation now runs for every /token grant, interactive tokens inherit cnf.jkt/sender claims, and docs/tests document the expanded coverage. (Deps: AUTH-AOC-19-002.) Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
2 AUTH-MTLS-11-002 DOING (2025-11-07) Deliver mTLS-bound token issuance/validation (cert thumbprint storage, JWKS rotation hooks) required for high-assurance tenants and plugin mitigations. (Deps: AUTH-DPOP-11-001.) Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
3 PLG4-6.CAPABILITIES BLOCKED (2025-10-12) Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
4 PLG6.DIAGRAM DONE (2025-11-03) Component + sequence diagrams rendered (Mermaid + SVG) and offline assets published under docs/assets/authority; dev guide now references final exports. Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
5 PLG7.RFC DONE (2025-11-03) LDAP plugin RFC reviewed; guild sign-off captured and follow-up implementation issues filed per review notes. BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
6 SEC2.PLG BLOCKED (2025-10-21) Emit audit events from password verification outcomes and persist via IAuthorityLoginAttemptStore. Waiting on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 to stabilise Authority auth surfaces (PLUGIN-DI-08-001 closed 2025-10-21; re-run once sender constraints land). Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
7 SEC3.PLG BLOCKED (2025-10-21) Ensure lockout responses and rate-limit metadata flow through plugin logs/events (include retry-after). Pending AUTH-DPOP-11-001 / AUTH-MTLS-11-002; PLUGIN-DI-08-001 already merged, so limiter telemetry just awaits final Authority surface. Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
8 SEC5.PLG BLOCKED (2025-10-21) Address plugin-specific mitigations (bootstrap user handling, password policy docs) in threat model backlog. Final documentation now hinges on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 (PLUGIN-DI-08-001 landed 2025-10-21). Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)

100.D) __Libraries

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on __Libraries.

# Task ID & handle State Key dependency / next step Owners
1 KMS-73-001 DONE (2025-11-03) AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md)
2 KMS-73-002 DONE (2025-11-03) PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md)