git.stella-ops.org/src/IssuerDirectory/StellaOps.IssuerDirectory/AGENTS.md
master b1e78fe412
feat: Implement vulnerability token signing and verification utilities
- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
2025-11-03 10:04:10 +02:00


Issuer Directory Guild Charter (Epic 7)

Mission

Manage trusted VEX issuer metadata, keys, and trust overrides used by the VEX Lens, Policy Engine, and downstream services.

Scope

  • Service src/IssuerDirectory/StellaOps.IssuerDirectory providing REST APIs and admin tooling for issuers, keys, trust weights, and audit logs.
  • Integration with Excitor/VEX Lens/Policy Engine for signature verification and trust weighting.
  • Tenant overrides, import of CSAF publisher metadata, and compliance logging.

Principles

  1. Security first: enforce least privilege, key expiry, rotation, and audit logs.
  2. Tenant awareness: global issuer defaults with per-tenant overrides.
  3. Deterministic trust weights: reproducible results; every change logged.
  4. Audit ready: all modifications recorded with actor, reason, and signature.
  5. API-first: CLI, Console, and automation consume the same endpoints.

Definition of Done

  • APIs documented, RBAC enforced, audit logs persisted.
  • Key verification integrated with VEX Lens and Excitor; rotation tooling delivered.
  • Docs/runbooks updated with compliance checklist.

Required Reading

  • docs/modules/platform/architecture-overview.md

Working Agreement

    1. Update task status to DOING/DONE in both docs/implplan/SPRINTS.md and the local TASKS.md when you start or finish work.
    2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
    3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
    4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
    5. Revert to TODO if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.
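The charter asks for reproducible trust weights, key expiry, and audit entries that carry actor, reason, and signature, plus deterministic ordering, timestamps, and hashes in the working agreement. The following is an added illustration of those three requirements together; it is not code from StellaOps.IssuerDirectory (which is a .NET service) and its record layout, field names, and HMAC audit key are assumptions chosen for the example. It canonicalises an issuer trust override so the same content always hashes to the same value regardless of input order, filters keys by their validity window, and signs each audit entry over the before/after content hashes so a log line cannot be altered without detection.

```python
"""Deterministic issuer trust records with signed audit entries.

Added example for this charter, not the IssuerDirectory service's own code.
The record shape, field names and the HMAC audit key are assumptions.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def canonical_json(obj) -> bytes:
    """Sorted keys, no whitespace, UTF-8: same content gives the same bytes
    regardless of dict insertion order or pretty-printing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def content_hash(obj) -> str:
    return hashlib.sha256(canonical_json(obj)).hexdigest()


def to_utc(ts: str) -> datetime:
    """Parse ISO-8601; reject zone-less values so expiry checks never depend
    on the host's local time zone."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without zone: {ts}")
    return dt.astimezone(timezone.utc)


def build_trust_record(tenant: str, issuer: str, weight: float, keys: list) -> dict:
    """Normalise a per-tenant trust override so its hash is reproducible:
    keys ordered by kid, timestamps in UTC, weight at fixed precision."""
    if not 0.0 <= weight <= 1.0:
        raise ValueError("trust weight must be in [0, 1]")
    normalised = sorted(
        ({"kid": k["kid"], "alg": k["alg"],
          "not_before": to_utc(k["not_before"]).isoformat(),
          "not_after": to_utc(k["not_after"]).isoformat()} for k in keys),
        key=lambda k: k["kid"])
    return {"tenant": tenant, "issuer": issuer,
            "weight": round(float(weight), 4), "keys": normalised}


def usable_keys(record: dict, now: datetime) -> list:
    """Key ids inside their validity window at `now` (expiry enforced)."""
    return [k["kid"] for k in record["keys"]
            if to_utc(k["not_before"]) <= now < to_utc(k["not_after"])]


def audit_entry(actor: str, reason: str, before, after: dict,
                at: datetime, audit_key: bytes) -> dict:
    """Record who changed what and why. The HMAC binds actor, reason, time
    and the before/after hashes, so the entry cannot be edited silently."""
    entry = {"actor": actor, "reason": reason,
             "at": at.astimezone(timezone.utc).isoformat(),
             "before": content_hash(before) if before is not None else None,
             "after": content_hash(after)}
    entry["signature"] = hmac.new(audit_key, canonical_json(entry),
                                  hashlib.sha256).hexdigest()
    return entry


def verify_audit_entry(entry: dict, audit_key: bytes) -> bool:
    body = {k: v for k, v in entry.items() if k != "signature"}
    expected = hmac.new(audit_key, canonical_json(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry.get("signature", ""))


# Constructed sample data; not real issuers, keys or secrets.
AUDIT_KEY = b"example-audit-hmac-key"  # assumption: an HSM/KMS-held key in production
KEYS = [
    {"kid": "k2", "alg": "ES256", "not_before": "2025-01-01T00:00:00Z", "not_after": "2026-01-01T00:00:00Z"},
    {"kid": "k1", "alg": "ES256", "not_before": "2024-01-01T00:00:00Z", "not_after": "2025-01-01T00:00:00Z"},
]


def demo() -> dict:
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    a = build_trust_record("tenant-a", "example-vendor", 0.75, KEYS)
    b = build_trust_record("tenant-a", "example-vendor", 0.75, list(reversed(KEYS)))
    entry = audit_entry("alice", "onboard vendor", None, a, now, AUDIT_KEY)
    tampered = dict(entry, reason="routine")  # edited after signing
    return {"same_hash": content_hash(a) == content_hash(b),
            "usable": usable_keys(a, now),
            "valid": verify_audit_entry(entry, AUDIT_KEY),
            "tampered_valid": verify_audit_entry(tampered, AUDIT_KEY)}


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` shows the two differently ordered inputs hashing identically, only the unexpired key `k2` being usable on the chosen date, and the audit entry verifying until its reason field is edited. In the real service the HMAC would be replaced by a signature from a key the audit subsystem does not share with the API writers, which is what makes the "signature" in principle 4 meaningful.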