stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 14 Releases Wiki Activity
Files
ba4c935182406c64d22111f005ecd9528bc27250
git.stella-ops.org/docs/implplan/SPRINT_100_identity_signing.md
master ba4c935182 feat: Enhance Authority Identity Provider Registry with Bootstrap Capability 
- Added support for bootstrap providers in AuthorityIdentityProviderRegistry.
- Introduced a new property for bootstrap providers and updated AggregateCapabilities.
- Updated relevant methods to handle bootstrap capabilities during provider registration.

feat: Introduce Sealed Mode Status in OpenIddict Handlers

- Added SealedModeStatusProperty to AuthorityOpenIddictConstants.
- Enhanced ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, and ValidateRefreshTokenGrantHandler to validate sealed mode evidence.
- Implemented logic to handle airgap seal confirmation requirements.

feat: Update Program Configuration for Sealed Mode

- Registered IAuthoritySealedModeEvidenceValidator in Program.cs.
- Added logging for bootstrap capabilities in identity provider plugins.
- Implemented checks for bootstrap support in API endpoints.

chore: Update Tasks and Documentation

- Marked AUTH-MTLS-11-002 as DONE in TASKS.md.
- Updated documentation to reflect changes in sealed mode and bootstrap capabilities.

fix: Improve CLI Command Handlers Output

- Enhanced output formatting for command responses and prompts in CommandHandlers.cs.

feat: Extend Advisory AI Models

- Added Response property to AdvisoryPipelineOutputModel for better output handling.

fix: Adjust Concelier Web Service Authentication

- Improved JWT token handling in Concelier Web Service to ensure proper token extraction and logging.

test: Enhance Web Service Endpoints Tests

- Added detailed logging for authentication failures in WebServiceEndpointsTests.
- Enabled PII logging for better debugging of authentication issues.

feat: Introduce Air-Gap Configuration Options

- Added AuthorityAirGapOptions and AuthoritySealedModeOptions to StellaOpsAuthorityOptions.
- Implemented validation logic for air-gap configurations to ensure proper setup.
2025-11-09 12:18:14 +02:00

4.8 KiB
Raw Blame History

Sprint 100 - Identity & Signing

Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED.

Sprint 100 tracks Identity & Signing readiness; sections below list only in-flight tasks.

100.B) Authority.I

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on Authority (phase I).

# Task ID & handle State Key dependency / next step Owners
1 AUTH-AIRGAP-57-001 DOING (2025-11-08) Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority/TASKS.md)
2 AUTH-PACKS-43-001 BLOCKED (2025-10-27) Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)

100.B) Authority.II

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on Authority (phase II).

# Task ID & handle State Key dependency / next step Owners
1 AUTH-DPOP-11-001 DONE (2025-11-08) DPoP validation now runs for every /token grant, interactive tokens inherit cnf.jkt/sender claims, and docs/tests document the expanded coverage. (Deps: AUTH-AOC-19-002.) Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
2 AUTH-MTLS-11-002 DONE (2025-11-08) Refresh grants now enforce the original client certificate, tokens persist x5t#S256/hex metadata via shared helper, and docs/JWKS guidance call out the mTLS binding expectations. (Deps: AUTH-DPOP-11-001.) Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
3 PLG4-6.CAPABILITIES DONE (2025-11-08) Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
4 PLG6.DIAGRAM DONE (2025-11-03) Component + sequence diagrams rendered (Mermaid + SVG) and offline assets published under docs/assets/authority; dev guide now references final exports. Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
5 PLG7.RFC DONE (2025-11-03) LDAP plugin RFC reviewed; guild sign-off captured and follow-up implementation issues filed per review notes. BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
6 SEC2.PLG BLOCKED (2025-10-21) Emit audit events from password verification outcomes and persist via IAuthorityLoginAttemptStore. Waiting on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 to stabilise Authority auth surfaces (PLUGIN-DI-08-001 closed 2025-10-21; re-run once sender constraints land). Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
7 SEC3.PLG BLOCKED (2025-10-21) Ensure lockout responses and rate-limit metadata flow through plugin logs/events (include retry-after). Pending AUTH-DPOP-11-001 / AUTH-MTLS-11-002; PLUGIN-DI-08-001 already merged, so limiter telemetry just awaits final Authority surface. Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
8 SEC5.PLG BLOCKED (2025-10-21) Address plugin-specific mitigations (bootstrap user handling, password policy docs) in threat model backlog. Final documentation now hinges on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 (PLUGIN-DI-08-001 landed 2025-10-21). Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
  • 2025-11-08: PLG4-6.CAPABILITIES marked DONE bootstrap capability surfaced in code/docs, registry logs updated, and bootstrap APIs now gate on providers that advertise it (dotnet test across plugins + Authority core).

100.D) __Libraries

Dependency: None specified; follow module prerequisites. Focus: Identity & Signing focus on __Libraries.

# Task ID & handle State Key dependency / next step Owners
1 KMS-73-001 DONE (2025-11-03) AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md)
2 KMS-73-002 DONE (2025-11-03) PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md)