git.stella-ops.org/docs/updates/2025-11-01-orch-admin-scope.md

2025-11-01 · Authority adds Orch.Admin quota controls

What changed

• Introduced new orch:quota scope and expanded Orch.Admin role for Orchestrator quota, burst, and historical backfill adjustments.
• Client credential requests for orch:quota now require quota_reason (≤256 chars) and accept optional quota_ticket (≤128 chars). Authority records both values under quota.reason / quota.ticket audit properties.
• Added dedicated orch:backfill scope. Tokens must include backfill_reason (≤256 chars) and backfill_ticket (≤128 chars); Authority persists them as backfill.reason / backfill.ticket claims and audit properties alongside operator metadata.
• Tokens embedding orch:quota or orch:backfill expose the corresponding reason/ticket claims so downstream services and audit tooling can trace quota increases or emergency backfills.
• Console, CLI, and configuration samples include the updated role plus environment variables (STELLAOPS_ORCH_QUOTA_REASON, STELLAOPS_ORCH_QUOTA_TICKET, STELLAOPS_ORCH_BACKFILL_REASON, STELLAOPS_ORCH_BACKFILL_TICKET) for automation.

Why

Quotas and replay backfills materially affect tenant isolation and platform capacity. Capturing explicit operator intent keeps change windows reviewable and aligns with platform audit requirements.

Actions

1. Update Authority configuration/offline bundles to seed Orch.Admin role for the handful of ops identities that manage quotas.
2. Adjust automation to pass quota_reason/quota_ticket when exchanging tokens for orch:quota and backfill_reason/backfill_ticket for orch:backfill.
3. Monitor authority.client_credentials.grant records for the new quota.* and backfill.* audit properties when reviewing change windows.