15b4a1de6a
- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys. - Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations. - Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
1.6 KiB
1.6 KiB
Completed Tasks
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| SIGNER-API-11-101 | DONE (2025-10-21) | Signer Guild | — | /sign/dsse pipeline with Authority auth, PoE introspection, release verification, DSSE signing. |
✅ POST /api/v1/signer/sign/dsse enforces OpTok audience/scope, DPoP/mTLS binding, PoE introspection, and rejects untrusted scanner digests.✅ Signing pipeline supports keyless (Fulcio) plus optional KMS modes, returning DSSE bundles + cert metadata; deterministic audits persisted. ✅ Regression coverage in SignerEndpointsTests (dotnet test src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj). |
| SIGNER-REF-11-102 | DONE (2025-10-21) | Signer Guild | — | /verify/referrers endpoint with OCI lookup, caching, and policy enforcement. |
✅ GET /api/v1/signer/verify/referrers validates trusted scanner digests via release verifier and surfaces signer metadata; JSON responses served deterministically.✅ Integration tests cover trusted/untrusted digests and validation failures ( SignerEndpointsTests). |
| SIGNER-QUOTA-11-103 | DONE (2025-10-21) | Signer Guild | — | Enforce plan quotas, concurrency/QPS limits, artifact size caps with metrics/audit logs. | ✅ Quota middleware derives plan limits from PoE claims, applies per-tenant concurrency/QPS/size caps, and surfaces remaining capacity in responses. ✅ Unit coverage exercises throttled/artifact-too-large paths via in-memory quota service. |