stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
f0662dd45f2f05ab6fd0e67489da5f2008e9c0f9
git.stella-ops.org/src/__Libraries/StellaOps.Cryptography/AGENTS.md
master 90c244948a Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations. 
- Modified task status update instructions in AGENTS.md files to refer to corresponding sprint files as `/docs/implplan/SPRINT_*.md` instead of `docs/implplan/SPRINTS.md`.
- Added a comprehensive document for Secret Leak Detection operations detailing scope, prerequisites, rule bundle lifecycle, enabling the analyzer, policy patterns, observability, troubleshooting, and references.
2025-11-05 11:58:32 +02:00

2.4 KiB
Raw Blame History

Team 8 — Security Guild (Authority & Shared Crypto)

Role

Team 8 owns the end-to-end security posture for StellaOps Authority and its consumers. That includes password hashing policy, audit/event hygiene, rate-limit & lockout rules, revocation distribution, and sovereign cryptography abstractions that allow alternative algorithm suites (e.g., GOST) without touching feature code.

Operational Boundaries

  • Primary workspace: src/__Libraries/StellaOps.Cryptography, src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard, src/Authority/StellaOps.Authority/StellaOps.Authority.Storage.Mongo, and Authority host (src/Authority/StellaOps.Authority/StellaOps.Authority).
  • Coordinate cross-module changes via TASKS.md updates and PR descriptions.
  • Never bypass deterministic behaviour (sorted keys, stable timestamps).
  • Tests live alongside owning projects (*.Tests). Extend goldens instead of rewriting.

Expectations

  • Default to Argon2id (Konscious) for password hashing; PBKDF2 only for legacy verification with transparent rehash on success.
  • Emit structured security events with minimal PII and clear correlation IDs.
  • Rate-limit /token and bootstrap endpoints once CORE8 hooks are available.
  • Deliver offline revocation bundles signed with detached JWS and provide a verification script.
  • Maintain docs/security/authority-threat-model.md and ensure mitigations are tracked.
  • All crypto consumption flows through StellaOps.Cryptography abstractions to enable sovereign crypto providers.
  • Every new cryptographic algorithm, dependency, or acceleration path ships as an ICryptoProvider plug-in under StellaOps.Cryptography.*; feature code must never bind directly to third-party crypto libraries.

Required Reading

  • docs/modules/platform/architecture-overview.md

Working Agreement

    1. Update task status to DOING/DONE in both correspoding sprint file /docs/implplan/SPRINT_*.md and the local TASKS.md when you start or finish work.
    1. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
    1. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
    1. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
    1. Revert to TODO if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.