FED-M2: Step-CA + grant schema + admin CLI #461

Open
opened 2026-04-19 22:02:00 +00:00 by jason.woltje (Owner) · 0 comments

Epic: Federation v1 — see docs/federation/PRD.md and docs/federation/MILESTONES.md.

Goal

An admin can create a federation grant and its counterparty can enroll. No runtime federation traffic yet.

Scope

  • Embed Step-CA as a Docker Compose sidecar with persistent CA volume
  • Gateway exposes short-lived enrollment endpoint (single-use token from grant)
  • DB schema: federation_grants, federation_peers, federation_audit_log
  • Sealed storage for client_key_pem using existing credential sealing key
  • Admin CLI: mosaic federation grant create|list|show, mosaic federation peer add|list
  • Step-CA signs certs with SAN OIDs for grantId + subjectUserId
  • Grant status transitions: pending → active on successful enrollment

Deliverables

  • packages/db migration: three federation tables + enum types
  • apps/gateway/src/federation/ca.service.ts (Step-CA client)
  • apps/gateway/src/federation/grants.service.ts
  • apps/gateway/src/federation/enrollment.controller.ts
  • packages/mosaic/src/commands/federation/ (grant + peer subcommands)
  • docker-compose.federated.yml adds Step-CA service
  • Scope JSON schema + validator

Acceptance Tests

  • grant create writes a pending row with scoped bundle
  • Enrollment endpoint signs CSR and returns cert with expected SAN OIDs
  • Enrollment token single-use; second attempt returns 410
  • Cert subjectUserId OID matches grant's subject_user_id
  • client_key_pem is at-rest encrypted; raw DB read shows ciphertext, not PEM
  • peer add <url> yields active peer record with valid cert+key (two-gateway E2E, no traffic)
  • Scope JSON with unknown resource type rejected at grant create
  • grant list and peer list render active/pending/revoked accurately

Dependencies

Blocked by FED-M1 (federated tier must exist).

Estimated budget

~30K tokens

Risk notes

Step-CA API is well-documented but sealing integration with existing provider-credential encryption is a cross-module concern — walk that seam deliberately.

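The enrollment and sealing behaviour the acceptance tests above pin down (pending → active on first use, 410 on token reuse or expiry, unknown scope resource types rejected at grant create, `client_key_pem` never readable as PEM from the row) can be modelled in a few functions. The block below is an added illustration, not code from the mosaicstack/stack repository or from this issue; it assumes an in-memory `Map` in place of the `federation_grants` table, a made-up set of three resource types in place of the project's scope JSON schema, a 32-byte sealing key supplied by the caller, and a `v1.<iv>.<tag>.<ciphertext>` hex layout for the sealed column. Only Node built-ins are used.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed resource types; the real set is defined by the project's scope JSON schema.
const KNOWN_RESOURCE_TYPES = new Set(["agent", "tool", "memory"]);

type GrantStatus = "pending" | "active" | "revoked";

export interface Grant {
  id: string;
  subjectUserId: string;
  status: GrantStatus;
  scope: { resources: { type: string; id: string }[] };
  tokenHash: string;        // sha256 of the single-use enrollment token; raw token is never stored
  tokenExpiresAt: number;   // epoch milliseconds
  tokenUsedAt: number | null;
}

// Stand-in for the federation_grants table (hypothetical, in-memory).
export type GrantStore = Map<string, Grant>;

// Returns validation errors; an empty array means the scope is acceptable.
export function validateScope(scope: unknown): string[] {
  const errors: string[] = [];
  const resources = (scope as Record<string, unknown> | null)?.resources;
  if (!Array.isArray(resources)) return ["scope.resources must be an array"];
  for (let i = 0; i < resources.length; i++) {
    const type = (resources[i] as Record<string, unknown> | null)?.type;
    if (typeof type !== "string" || !KNOWN_RESOURCE_TYPES.has(type)) {
      errors.push(`resources[${i}]: unknown resource type ${JSON.stringify(type)}`);
    }
  }
  return errors;
}

function sha256Hex(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

// Writes a pending grant and hands back the raw enrollment token exactly once.
export function createGrant(
  store: GrantStore, subjectUserId: string, scope: Grant["scope"],
  now: number = Date.now(), ttlMs: number = 10 * 60_000,
): { grant: Grant; token: string } {
  const errors = validateScope(scope);
  if (errors.length > 0) throw new Error(`scope rejected: ${errors.join("; ")}`);
  const token = randomBytes(32).toString("hex");
  const grant: Grant = {
    id: randomBytes(8).toString("hex"), subjectUserId, status: "pending", scope,
    tokenHash: sha256Hex(token), tokenExpiresAt: now + ttlMs, tokenUsedAt: null,
  };
  store.set(grant.id, grant);
  return { grant, token };
}

// Enrollment endpoint semantics: 200 on first use of a live token, 410 Gone on
// reuse or expiry, 404 when the token matches no grant at all.
export function enroll(store: GrantStore, token: string, now: number = Date.now()): { status: 200 | 404 | 410; grantId?: string } {
  const presented = Buffer.from(sha256Hex(token), "hex");
  for (const grant of store.values()) {
    if (!timingSafeEqual(presented, Buffer.from(grant.tokenHash, "hex"))) continue;
    if (grant.tokenUsedAt !== null || now > grant.tokenExpiresAt) return { status: 410 };
    grant.tokenUsedAt = now;
    grant.status = "active"; // pending -> active on successful enrollment
    return { status: 200, grantId: grant.id };
  }
  return { status: 404 };
}

// Seals a PEM under a 32-byte key with AES-256-GCM. The stored form is
// "v1.<iv>.<tag>.<ciphertext>" (hex), so a raw column read never shows PEM text.
export function sealPem(pem: string, key: Buffer): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(pem, "utf8"), cipher.final()]);
  return ["v1", iv.toString("hex"), cipher.getAuthTag().toString("hex"), ct.toString("hex")].join(".");
}

export function unsealPem(sealed: string, key: Buffer): string {
  const [version, iv, tag, ct] = sealed.split(".");
  if (version !== "v1") throw new Error("unknown sealing format");
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "hex"));
  decipher.setAuthTag(Buffer.from(tag, "hex")); // tampering fails in final()
  return Buffer.concat([decipher.update(Buffer.from(ct, "hex")), decipher.final()]).toString("utf8");
}
```

Two choices worth noting for the real implementation: only the token's hash reaches the table, so a database read cannot be replayed against the enrollment endpoint, and the comparison goes through `timingSafeEqual` rather than string equality. The `tokenUsedAt` column is what distinguishes the 410 for a second attempt from the 404 for a token that never existed.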
jason.woltje added this to the Federation v1 milestone 2026-04-19 22:02:00 +00:00
Reference: mosaicstack/stack#461