stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
c11d87d2522efe734fead57b7842e3b8982fe0de
git.stella-ops.org/docs/api/gateway/tenant-auth.md
StellaOps Bot c11d87d252
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
feat: Add tests for RichGraphPublisher and RichGraphWriter 
- Implement unit tests for RichGraphPublisher to verify graph publishing to CAS.
- Implement unit tests for RichGraphWriter to ensure correct writing of canonical graphs and metadata.

feat: Implement AOC Guard validation logic

- Add AOC Guard validation logic to enforce document structure and field constraints.
- Introduce violation codes for various validation errors.
- Implement tests for AOC Guard to validate expected behavior.

feat: Create Console Status API client and service

- Implement ConsoleStatusClient for fetching console status and streaming run events.
- Create ConsoleStatusService to manage console status polling and event subscriptions.
- Add tests for ConsoleStatusClient to verify API interactions.

feat: Develop Console Status component

- Create ConsoleStatusComponent for displaying console status and run events.
- Implement UI for showing status metrics and handling user interactions.
- Add styles for console status display.

test: Add tests for Console Status store

- Implement tests for ConsoleStatusStore to verify event handling and state management.
2025-12-01 07:34:50 +02:00

42 lines
2.7 KiB
Markdown
Raw Blame History

# Gateway Tenant Auth & ABAC Contract (Web V)
## Status
- Draft v0.1 (2025-12-01); to be confirmed at 2025-12-02 checkpoint with Policy Guild.
## Scope
- Gateway header/claim contract for tenant activation and scope validation across Web V endpoints.
- ABAC overlay hooks with Policy Engine (attributes, evaluation order, failure modes).
- Audit emission requirements for auth decisions (RBAC + ABAC).
## Header & Claim Inputs
- `Authorization: Bearer <jwt>` — RS256/ES256, optionally DPoP-bound; claims: `iss`, `sub`, `aud`, `exp`, `iat`, `nbf`, `jti`, optional `scp` (scopes) and `ten` (tenant).
- `X-Stella-Tenant` — required, tenant slug or UUID; must match `ten` claim when present.
- `X-Stella-Project` — optional project/workspace slug; required for project-scoped routes.
- `X-Stella-Scopes` — optional override for service tokens; space-delimited (`policy:run notifier:emit`).
- `X-Stella-Trace-Id` — propagated trace ID for audit linking; if absent, gateway generates ULID-based trace ID.
- `X-Request-Id` — optional client request ID; echoed for idempotency diagnostics.
## Processing Rules
- Validate JWT signature against offline bundle trust roots; enforce `aud` ∈ {`stellaops-web`, `stellaops-gateway`} and `exp/nbf`.
- Resolve tenant: prefer `X-Stella-Tenant`; fallback to `ten` claim when header missing; mismatch → `ERR_TENANT_MISMATCH`.
- Scope evaluation:
- Base scopes from JWT `scp` or `X-Stella-Scopes`.
- Enforce required scopes per route; deny with `ERR_SCOPE_MISMATCH` on missing scope.
- ABAC overlay:
- Attribute sources: JWT claims (`sub`, `roles`, `org`), headers (`X-Stella-Tenant`, `X-Stella-Project`), request path/query/body attributes per route contract.
- Evaluation order: RBAC allow → ABAC evaluate → deny overrides → allow.
- Failure → `ERR_ABAC_DENY` with `reason` and `trace_id`.
- Determinism: reject requests lacking tenant header; no fallback to anonymous; enforce stable error codes.
## Outputs
- On success: downstream context includes `tenant_id`, `project_id`, `subject`, `scopes`, `abac_result`, `trace_id`, `request_id`.
- On failure: structured envelope with `error.code`, `error.message`, `trace_id`, `request_id`; HTTP 401 for token errors, 403 for scope/ABAC denials, 400 for tenant mismatch/missing.
## Audit & Telemetry
- Emit DSSE-wrapped audit record: `{ tenant_id, project_id, subject, scopes, decision, reason_code, trace_id, request_id, route, ts_utc }`.
- Counters: `gateway.auth.success`, `gateway.auth.denied`, `gateway.auth.abac_denied`, `gateway.auth.tenant_missing`, labeled by route and tenant.
## Open Questions
- Confirm whether DPoP binding is mandatory for Web gateway tokens.
- Confirm canonical scope names for service tokens and whether `X-Stella-Scopes` should be allowed in prod.
Reference in New Issue View Git Blame Copy Permalink