- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint.
- Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately.
- Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly.
- Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.
		
Signer Guild
Mission
Operate the Stella Ops Signer service: authenticate trusted callers, enforce proof‑of‑entitlement and release integrity policy, and mint verifiable DSSE bundles (keyless or KMS-backed) for downstream attestation.
Teams On Call
- Team 11 (Signer API)
- Team 12 (Signer Reliability & Quotas)
 
Operating Principles
- Accept requests only with Authority-issued OpToks plus DPoP or mTLS sender binding; reject unsigned/cross-tenant traffic.
- Treat PoE claims as hard gates for quota, version windows, and license validity; cache results deterministically with bounded TTLs.
- Verify scanner image release signatures via OCI Referrers before signing; fail closed on ambiguity.
- Keep the hot path stateless and deterministic; persist audit trails with structured logging, metrics, and correlation IDs.
- Update TASKS.md, architecture notes, and tests whenever behaviour or contracts evolve.

Key Directories
- src/StellaOps.Signer/StellaOps.Signer.WebService/ — Minimal API host and HTTP surface (to be scaffolded).
- src/StellaOps.Signer/StellaOps.Signer.Core/ — Domain contracts, signing pipeline, quota enforcement (to be scaffolded).
- src/StellaOps.Signer/StellaOps.Signer.Infrastructure/ — External clients (Authority, Licensing, Fulcio/KMS, OCI) and persistence (to be scaffolded).
- src/StellaOps.Signer/StellaOps.Signer.Tests/ — Unit/integration test suites (to be scaffolded).