stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
f98cea3bcfb4730b238ab8605ce6d48c2998aa44
git.stella-ops.org/docs/implplan/SPRINT_100_identity_signing.md
master f98cea3bcf Add Authority Advisory AI and API Lifecycle Configuration 
- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings.
- Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations.
- Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration.
- Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options.
- Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations.
- Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client.
- Updated project file to include necessary package references for the new Issuer Directory Client library.
2025-11-02 13:50:25 +02:00

18 KiB
Raw Blame History

Sprint 100 - Identity & Signing

[Identity & Signing] 100.A) Attestor.I Summary: Identity & Signing focus on Attestor (phase I).

Task ID State Task description Owners (Source)
ATTEST-ENVELOPE-72-001 DONE (2025-11-01) Implement DSSE canonicalization, JSON normalization, multi-signature structures, and hashing helpers. Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md)
ATTEST-ENVELOPE-72-002 DONE (2025-11-01) Support compact and expanded JSON output, payload compression, and detached payload references. Dependencies: ATTEST-ENVELOPE-72-001. Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md)
ATTEST-ENVELOPE-73-001 DONE Implement Ed25519 & ECDSA signature create/verify helpers, key identification (keyid) scheme, and error mapping. Dependencies: ATTEST-ENVELOPE-72-002. Envelope Guild, KMS Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md)
ATTEST-ENVELOPE-73-002 DONE Add fuzz tests for envelope parsing, signature verification, and canonical JSON round-trips. Dependencies: ATTEST-ENVELOPE-73-001. Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md)
ATTEST-TYPES-72-001 DONE Draft JSON Schemas for BuildProvenance v1, SBOMAttestation v1, VEXAttestation v1, ScanResults v1, PolicyEvaluation v1, RiskProfileEvidence v1, CustomEvidence v1. Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md)
ATTEST-TYPES-72-002 DONE Generate Go/TS models from schemas with validation helpers and canonical JSON serialization. Dependencies: ATTEST-TYPES-72-001. Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md)
ATTEST-TYPES-73-001 DONE Create golden payload samples for each type; integrate into tests and documentation. Dependencies: ATTEST-TYPES-72-002. Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md)
ATTEST-TYPES-73-002 DONE Publish schema reference docs (/docs/modules/attestor/payloads.md) with annotated JSON examples. Dependencies: ATTEST-TYPES-73-001. Attestation Payloads Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md)
ATTEST-VERIFY-73-001 DONE Implement verification engine: policy evaluation, issuer trust resolution, freshness, signature count, transparency checks; produce structured reports. Verification Guild, Policy Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md)
ATTEST-VERIFY-73-002 DONE Add caching layer keyed by (subject, envelope_id, policy_version) with TTL and invalidation on new evidence. Dependencies: ATTEST-VERIFY-73-001. Verification Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md)
ATTEST-VERIFY-74-001 DONE Emit telemetry (spans/metrics) tagged by subject, issuer, policy, result; integrate with dashboards. Dependencies: ATTEST-VERIFY-73-002. Verification Guild, Observability Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md)
ATTEST-VERIFY-74-002 DONE (2025-11-01) Document verification report schema and explainability in /docs/modules/attestor/workflows.md. Dependencies: ATTEST-VERIFY-74-001. Verification Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md)
ATTESTOR-72-001 DONE Scaffold service (REST API skeleton, storage interfaces, KMS integration stubs) and DSSE validation pipeline. Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-72-002 DONE Implement attestation store (DB tables, object storage integration), CRUD, and indexing strategies. Dependencies: ATTESTOR-72-001. Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-73-001 DONE (2025-11-01) Implement signing endpoint with Ed25519/ECDSA support, KMS integration, and audit logging. Dependencies: ATTESTOR-72-002. Attestor Service Guild, KMS Guild (src/Attestor/StellaOps.Attestor/TASKS.md)

[Identity & Signing] 100.A) Attestor.II Depends on: Sprint 100.A - Attestor.I Summary: Identity & Signing focus on Attestor (phase II).

Task ID State Task description Owners (Source)
ATTESTOR-73-002 DONE (2025-11-01) Build verification pipeline evaluating DSSE signatures, issuer trust, and verification policies; persist reports. Dependencies: ATTESTOR-73-001. Attestor Service Guild, Policy Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-73-003 DONE Implement listing/fetch APIs with filters (subject, type, issuer, scope, date). Dependencies: ATTESTOR-73-002. Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-74-001 DONE (2025-11-02) Integrate transparency witness client, inclusion proof verification, and caching. Dependencies: ATTESTOR-73-003. Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-74-002 DONE Implement bulk verification worker + API with progress tracking, rate limits, and caching. Dependencies: ATTESTOR-74-001. Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-75-001 DONE Add export/import flows for attestation bundles and offline verification mode. Dependencies: ATTESTOR-74-002. Attestor Service Guild, Export Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-75-002 DONE Harden APIs with rate limits, auth scopes, threat model mitigations, and fuzz testing. Dependencies: ATTESTOR-75-001. Attestor Service Guild, Security Guild (src/Attestor/StellaOps.Attestor/TASKS.md)

2025-11-01: ATTESTOR-73-002 completed — verification endpoints emit structured reports, cache hits, and telemetry; Attestor verification test suites cover success, failure, and cached paths. Transparency witness integration continues under ATTESTOR-74-001. 2025-11-02: ATTESTOR-74-001 completed — witness client wired into proof refresh, repository model stores witness statements, and verification warns on missing endorsements. Tests updated for witness refresh, bundle export/import, and signing stubs.

[Identity & Signing] 100.B) Authority.I Summary: Identity & Signing focus on Authority (phase I).

Task ID State Task description Owners (Source)
AUTH-AIAI-31-001 DONE (2025-11-01) Define Advisory AI scopes (advisory-ai:view, advisory-ai:operate, advisory-ai:admin) and remote inference toggles; update discovery metadata/offline defaults. Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-AIAI-31-002 DONE (2025-11-01) Enforce anonymized prompt logging, tenant consent for remote inference, and audit logging of assistant tasks. Dependencies: AUTH-AIAI-31-001. Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-AIRGAP-56-001 DOING (2025-11-01) Provision new scopes (airgap:seal, airgap:import, airgap:status:read) in configuration metadata, offline kit defaults, and issuer templates. Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-AIRGAP-56-002 DOING (2025-11-01) Audit import actions with actor, tenant, bundle ID, and trace ID; expose /authority/audit/airgap endpoint. Dependencies: AUTH-AIRGAP-56-001. Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-AIRGAP-57-001 BLOCKED (2025-11-01) Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. Dependencies: AUTH-AIRGAP-56-002. Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority/TASKS.md)

2025-11-01: AUTH-AIRGAP-57-001 blocked pending definition of sealed-confirmation evidence and configuration shape before gating (Authority Core & Security Guild, DevOps Guild). AUTH-NOTIFY-38-001 | DONE (2025-11-01) | Define Notify.Viewer, Notify.Operator, Notify.Admin scopes/roles, update discovery metadata, offline defaults, and issuer templates. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) 2025-11-01: AUTH-NOTIFY-38-001 completed—Notify scope catalog, discovery metadata, docs, configuration samples, and service tests updated for new roles. AUTH-NOTIFY-40-001 | DONE (2025-11-02) | Implement signed ack token key rotation, webhook allowlists, admin-only escalation settings, and audit logging of ack actions. Dependencies: AUTH-NOTIFY-38-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) 2025-11-02: /notify/ack-tokens/rotate (notify.admin) now rotates DSSE keys with audit coverage and integration tests. Webhook allowlist + escalation scope enforcement verified. AUTH-OAS-62-001 | DONE (2025-11-02) | Provide SDK helpers for OAuth2/PAT flows, tenancy override header; add integration tests. | Authority Core & Security Guild, SDK Generator Guild (src/Authority/StellaOps.Authority/TASKS.md) 2025-11-02: Added HttpClient auth helper (OAuth2 + PAT) with tenant header support, plus coverage in StellaOps.Auth.Client.Tests. AUTH-OAS-63-001 | DONE (2025-11-02) | Emit deprecation headers and notifications for legacy auth endpoints. Dependencies: AUTH-OAS-62-001. | Authority Core & Security Guild, API Governance Guild (src/Authority/StellaOps.Authority/TASKS.md) 2025-11-02: AUTH-OAS-63-001 marked DONE — legacy /oauth/* shims now emit Deprecation/Sunset/Warning headers, audit events (authority.api.legacy_endpoint) validated by tests, and migration guide docs/api/authority-legacy-auth-endpoints.md published (Authority Core & Security Guild, API Governance Guild). AUTH-OBS-50-001 | DONE (2025-11-02) | Introduce scopes obs:read, timeline:read, timeline:write, evidence:create, evidence:read, evidence:hold, attest:read, and obs:incident (all tenant-scoped). Update discovery metadata, offline defaults, and scope grammar docs. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) 2025-11-02: Observability scope bundle published in discovery metadata, OpenAPI, docs, and offline configs; issuer templates + roles updated with deterministic scope ordering and tests refreshed. AUTH-OBS-52-001 | DONE (2025-11-02) | Configure resource server policies for Timeline Indexer, Evidence Locker, Exporter, and Observability APIs enforcing new scopes + tenant claims. Emit audit events including scope usage and trace IDs. Dependencies: AUTH-OBS-50-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) 2025-11-02: Timeline/Evidence/Export resource servers now register observability policies, enforce tenant claims, and emit enriched authorization audit events; config samples + tests updated. AUTH-OBS-55-001 | DONE (2025-11-02) | Harden incident mode authorization: require obs:incident scope + fresh auth, log activation reason, and expose verification endpoint for auditors. Update docs/runbooks. Dependencies: AUTH-OBS-52-001. | Authority Core & Security Guild, Ops Guild (src/Authority/StellaOps.Authority/TASKS.md) 2025-11-02: Resource servers now enforce a five-minute fresh-auth window for obs:incident, incident reasons are stamped into authorization audits and /authority/audit/incident, and sample configs/tests updated to require tenant headers across observability endpoints. AUTH-ORCH-34-001 | DOING (2025-11-02) | Introduce Orch.Admin role with quota/backfill scopes, enforce audit reason on quota changes, and update offline defaults/docs. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) AUTH-PACKS-41-001 | TODO | Define CLI SSO profiles and pack scopes (Packs.Read, Packs.Write, Packs.Run, Packs.Approve), update discovery metadata, offline defaults, and issuer templates. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) AUTH-PACKS-43-001 | BLOCKED (2025-10-27) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. Dependencies: AUTH-PACKS-41-001. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)

[Identity & Signing] 100.B) Authority.II Depends on: Sprint 100.B - Authority.I Summary: Identity & Signing focus on Authority (phase II).

Task ID State Task description Owners (Source)
AUTH-POLICY-23-002 BLOCKED (2025-10-29) Implement optional two-person rule for activation: require two distinct policy:activate approvals when configured; emit audit logs. Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-POLICY-23-003 BLOCKED (2025-10-29) Update documentation and sample configs for policy roles, approval workflow, and signing requirements. Dependencies: AUTH-POLICY-23-002. Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-POLICY-27-002 TODO Provide attestation signing service bindings (OIDC token exchange, cosign integration) and enforce publish/promote scope checks, fresh-auth requirements, and audit logging. Dependencies: AUTH-POLICY-23-003. Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-POLICY-27-003 TODO Update Authority configuration/docs for Policy Studio roles, signing policies, approval workflows, and CLI integration; include compliance checklist. Dependencies: AUTH-POLICY-27-002. Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-TEN-49-001 TODO Implement service accounts & delegation tokens (act chain), per-tenant quotas, audit stream of auth decisions, and revocation APIs. Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-VULN-29-001 TODO Define Vuln Explorer scopes/roles (vuln:view, vuln:investigate, vuln:operate, vuln:audit) with ABAC attributes (env, owner, business_tier) and update discovery metadata/offline kit defaults. Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-VULN-29-002 TODO Enforce CSRF/anti-forgery tokens for workflow actions, sign attachment tokens, and record audit logs with ledger event hashes. Dependencies: AUTH-VULN-29-001. Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-VULN-29-003 TODO Update security docs/config samples for Vuln Explorer roles, ABAC policies, attachment signing, and ledger verification guidance. Dependencies: AUTH-VULN-29-002. Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md)
PLG4-6.CAPABILITIES BLOCKED (2025-10-12) Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
PLG6.DIAGRAM TODO Export final sequence/component diagrams for the developer guide and add offline-friendly assets under docs/assets/authority. Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
PLG7.RFC REVIEW Socialize LDAP plugin RFC (docs/rfcs/authority-plugin-ldap.md) and capture guild feedback. BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
SEC2.PLG BLOCKED (2025-10-21) Emit audit events from password verification outcomes and persist via IAuthorityLoginAttemptStore.
Waiting on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 to stabilise Authority auth surfaces before final verification + publish.		 Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
SEC3.PLG BLOCKED (2025-10-21) Ensure lockout responses and rate-limit metadata flow through plugin logs/events (include retry-after).
Pending AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 so limiter telemetry contract matches final authority surface.		 Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
SEC5.PLG BLOCKED (2025-10-21) Address plugin-specific mitigations (bootstrap user handling, password policy docs) in threat model backlog.
Final documentation depends on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 outcomes.		 Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)

[Identity & Signing] 100.C) IssuerDirectory Summary: Identity & Signing focus on IssuerDirectory.

Task ID State Task description Owners (Source)
ISSUER-30-001 DONE (2025-11-01) Implement issuer CRUD API with RBAC, audit logging, and tenant scoping; seed CSAF publisher metadata. Issuer Directory Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)
ISSUER-30-002 DONE (2025-11-01) Implement key management endpoints (add/rotate/revoke keys), enforce expiry, validate formats (Ed25519, X.509, DSSE). Dependencies: ISSUER-30-001. Issuer Directory Guild, Security Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)
ISSUER-30-003 DOING Provide trust weight APIs and tenant overrides with validation (+/- bounds) and audit trails. Dependencies: ISSUER-30-002. Issuer Directory Guild, Policy Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)
ISSUER-30-004 DONE (2025-11-01) Integrate with VEX Lens and Excitator signature verification (client SDK, caching, retries). Dependencies: ISSUER-30-003. Issuer Directory Guild, VEX Lens Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)
ISSUER-30-005 DONE (2025-11-01) Instrument metrics/logs (issuer changes, key rotation, verification failures) and dashboards/alerts. Dependencies: ISSUER-30-004. Issuer Directory Guild, Observability Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)
ISSUER-30-006 TODO Provide deployment manifests, backup/restore, secure secret storage, and offline kit instructions. Dependencies: ISSUER-30-005. Issuer Directory Guild, DevOps Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)

[Identity & Signing] 100.D) __Libraries Summary: Identity & Signing focus on Libraries.

Task ID State Task description Owners (Source)
KMS-73-001 TODO Add cloud KMS driver (e.g., AWS KMS, GCP KMS) with signing and key metadata retrieval. KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md)
KMS-73-002 TODO Implement PKCS#11/HSM driver plus FIDO2 signing support for high assurance workflows. Dependencies: KMS-73-001. KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md)

If all tasks are done - read next sprint section - SPRINT_110_ingestion_evidence.md