- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
StellaOps Registry Token Service
The registry module issues scoped pull tokens for mirrored container registries while enforcing plan and licence constraints.
Responsibilities
- Validate Authority-issued OpToks and tenant scopes before issuance.
 - Mint time-bound registry tokens and record issuance ledgers.
 - Expose revocation and audit endpoints for security teams.
 - Integrate with Offline Kit for deterministic token manifests.
 
Key components
- StellaOps.Registry.TokenService minimal API host.
- Mongo-backed issuance ledger.
- Tests under src/Registry/__Tests.
Integrations & dependencies
- Authority for identity & scope verification.
 - Export Center/Offline Kit for distribution.
 - DevOps runbooks for deployment and rotation.
 
Operational notes
- Operational guide at ./operations/token-service.md.
 - Telemetry dashboards pending (see ../../TASKS.md).
 
Related resources
- ./operations/token-service.md
 
Backlog references
- DEVOPS-REGISTRY items in ../../TASKS.md (future work).
 - Registry automation stories tracked in src/Registry/TASKS.md if present.
 
Epic alignment
- Epic 10 – Export Center: provide signed, auditable registry token bundles for mirror distribution.
 - Epic 14 – Identity & Tenancy: enforce tenant-aware scopes, PoE alignment, and revocation policies.