git.stella-ops.org/src/StellaOps.Cryptography/TASKS.md

Team 8 — Security Guild Task Board (UTC 2025-10-10)

ID	Status	Owner	Description	Dependencies	Exit Criteria
SEC1.A	DONE (2025-10-11)	Security Guild	Introduce Argon2idPasswordHasher backed by Konscious defaults. Wire options into StandardPluginOptions (PasswordHashOptions) and StellaOpsAuthorityOptions.Security.PasswordHashing.	PLG3, CORE3	✅ Hashes emit PHC string $argon2id$v=19$m=19456,t=2,p=1$...; ✅ NeedsRehash promotes PBKDF2 → Argon2; ✅ Integration tests cover tamper, legacy rehash, perf p95 < 250 ms.
SEC1.B	DONE (2025-10-12)	Security Guild	Add compile-time switch to enable libsodium/Core variants later (STELLAOPS_CRYPTO_SODIUM). Document build variable.	SEC1.A	✅ Conditional compilation path compiles; ✅ README snippet in docs/security/password-hashing.md.
SEC2.A	DONE (2025-10-13)	Security Guild + Core	Define audit event contract (AuthEventRecord) with subject/client/scope/IP/outcome/correlationId and PII tags.	CORE5–CORE7	✅ Contract shipped in StellaOps.Cryptography (or shared abstractions); ✅ Docs in docs/security/audit-events.md.
SEC2.B	DONE (2025-10-13)	Security Guild	Emit audit records from OpenIddict handlers (password + client creds) and bootstrap APIs. Persist via IAuthorityLoginAttemptStore.	SEC2.A	✅ Tests assert three flows (success/failure/lockout); ✅ Serilog output contains correlationId + PII tagging; ✅ Mongo store holds summary rows.
SEC3.A	DONE (2025-10-12)	Security Guild + Core	Configure ASP.NET rate limiter (AddRateLimiter) with fixed-window policy keyed by IP + client_id. Apply to /token and /internal/*.	CORE8 completion	✅ Middleware active; ✅ Configurable limits via options; ✅ Integration test hits 429.
SEC3.B	DONE (2025-10-13)	Security Guild	Document lockout + rate-limit tuning guidance and escalation thresholds.	SEC3.A	✅ Section in docs/security/rate-limits.md; ✅ Includes SOC alert recommendations.
SEC4.A	DONE (2025-10-12)	Security Guild + DevOps	Define revocation JSON schema (revocation_bundle.schema.json) and detached JWS workflow.	CORE9, OPS3	✅ Schema + sample committed; ✅ CLI command stellaops auth revoke export scaffolded with acceptance tests; ✅ Verification script + docs.
SEC4.B	DONE (2025-10-12)	Security Guild	Integrate signing keys with crypto provider abstraction (initially ES256 via BCL).	SEC4.A, D5	✅ ICryptoProvider.GetSigner stub + default BCL signer; ✅ Unit tests verifying signature roundtrip.
SEC5.A	DONE (2025-10-12)	Security Guild	Author STRIDE threat model (docs/security/authority-threat-model.md) covering token, bootstrap, revocation, CLI, plugin surfaces.	All SEC1–SEC4 in progress	✅ DFDs + trust boundaries drawn; ✅ Risk table with owners/actions; ✅ Follow-up backlog issues created.
SEC5.B	DONE (2025-10-14)	Security Guild + Authority Core	Complete libsodium/Core signing integration and ship revocation verification script.	SEC4.A, SEC4.B, SEC4.HOST	✅ libsodium/Core signing provider wired; ✅ stellaops auth revoke verify script published; ✅ Revocation docs updated with verification workflow.
SEC5.B1	DONE (2025-10-14)	Security Guild + Authority Core	Introduce LibsodiumCryptoProvider implementing ECDSA signing/verification via libsodium, register under feature flag, and validate against existing ES256 fixtures.	SEC5.B	✅ Provider resolves via ICryptoProviderRegistry; ✅ Integration tests cover sign/verify parity with default provider; ✅ Fallback to managed provider documented.
SEC5.B2	DONE (2025-10-14)	Security Guild + DevEx/CLI	Extend stellaops auth revoke verify to detect provider metadata, reuse registry for verification, and document CLI workflow.	SEC5.B	✅ CLI uses registry signers for verification; ✅ End-to-end test invokes verify against sample bundle; ✅ docs/11_AUTHORITY.md references CLI procedure.
SEC5.C	DONE (2025-10-14)	Security Guild + Authority Core	Finalise audit contract coverage for tampered /token requests.	SEC2.A, SEC2.B	✅ Tamper attempts logged with correlationId/PII tags; ✅ SOC runbook updated; ✅ Threat model status reviewed.
SEC5.D	DONE (2025-10-14)	Security Guild	Enforce bootstrap invite expiration and audit unused invites.	SEC5.A	✅ Bootstrap tokens auto-expire; ✅ Audit entries emitted for expiration/reuse attempts; ✅ Operator docs updated.

Remark (2025-10-14): Cleanup service wired to store; background sweep + invite audit tests added. | SEC5.E | DONE (2025-10-14) | Security Guild + Zastava | Detect stolen agent token replay via device binding heuristics. | SEC4.A | ✅ Device binding guidance published; ✅ Alerting pipeline raises stale revocation acknowledgements; ✅ Tests cover replay detection. | Remark (2025-10-14): Token usage metadata persisted with replay audits + handler/unit coverage. | SEC5.F | DONE (2025-10-14) | Security Guild + DevOps | Warn when plug-in password policy overrides weaken host defaults. | SEC1.A, PLG3 | ✅ Static analyser flags weaker overrides; ✅ Runtime warning surfaced; ✅ Docs call out mitigation. | Remark (2025-10-14): Analyzer surfaces warnings during CLI load; docs updated with mitigation steps. | SEC5.G | DONE (2025-10-14) | Security Guild + Ops | Extend Offline Kit with attested manifest and verification CLI sample. | OPS3 | ✅ Offline Kit build signs manifest with detached JWS; ✅ Verification CLI documented; ✅ Supply-chain attestation recorded. | Remark (2025-10-14): Offline kit docs include manifest verification workflow; attestation artifacts referenced. | SEC5.H | DONE (2025-10-13) | Security Guild + Authority Core | Ensure /token denials persist audit records with correlation IDs. | SEC2.A, SEC2.B | ✅ Audit store captures denials; ✅ Tests cover success/failure/lockout; ✅ Threat model review updated. | | D5.A | DONE (2025-10-12) | Security Guild | Flesh out StellaOps.Cryptography provider registry, policy, and DI helpers enabling sovereign crypto selection. | SEC1.A, SEC4.B | ✅ ICryptoProviderRegistry implementation with provider selection rules; ✅ StellaOps.Cryptography.DependencyInjection extensions; ✅ Tests covering fallback ordering. | | SEC6.A | DONE (2025-10-19) | Security Guild | Ship BouncyCastle-backed Ed25519 signing as a StellaOps.Cryptography plug-in and migrate Scanner WebService signing to consume the provider registry; codify the plug-in rule in AGENTS.
2025-10-19: Added StellaOps.Cryptography.Plugin.BouncyCastle, updated DI and ReportSigner, captured provider tests (BouncyCastleEd25519CryptoProviderTests). | D5.A | ✅ Plug-in registered via DI (AddStellaOpsCrypto + AddBouncyCastleEd25519Provider); ✅ Report signer resolves keys through registry; ✅ Unit tests cover Ed25519 sign/verify via provider. |

Remark (2025-10-13, SEC2.B): Coordinated with Authority Core — audit sinks now receive /token success/failure events; awaiting host test suite once signing fixture lands.

Remark (2025-10-13, SEC3.B): Pinged Docs & Plugin guilds — rate limit guidance published in docs/security/rate-limits.md and flagged for PLG6.DOC copy lift.

Remark (2025-10-13, SEC5.B): Split follow-up into SEC5.B1 (libsodium provider) and SEC5.B2 (CLI verification) after scoping registry integration; work not yet started.

Notes

• Target Argon2 parameters follow OWASP Cheat Sheet (memory ≈ 19 MiB, iterations 2, parallelism 1). Allow overrides via configuration.
• When CORE8 lands, pair with Team 2 to expose request context information required by the rate limiter (client_id enrichment).
• Revocation bundle must be consumable offline; include issue timestamp, signing key metadata, and reasons.
• All crypto usage in Authority code should funnel through the new abstractions (ICryptoProvider), enabling future CryptoPro/OpenSSL providers.

Done Definition

• Code merges include unit/integration tests and documentation updates.
• TASKS.md status transitions (TODO → DOING → DONE/BLOCKED) must happen in the same PR as the work.
• Prior to marking DONE: run dotnet test for touched solutions and attach excerpt to PR description.