- Add CaService (@Injectable) that POSTs CSRs to step-ca /1.0/sign over
  HTTPS with a pinned CA root cert; builds HS256 OTT with custom claims
  mosaic_grant_id and mosaic_subject_user_id plus step.sha CSR fingerprint
- Add CaServiceError with cause + remediation for fail-loud contract
- Add IssueCertRequestDto and IssuedCertDto with class-validator decorators
- Add FederationModule exporting CaService; wire into AppModule
- Replace federation.tpl TODO placeholder with real step-ca Go template
  emitting OID 1.3.6.1.4.1.99999.1 (grantId) and .2 (subjectUserId) as
  DER UTF8String extensions (tag 0x0C, length 0x24, base64-encoded value)
- Update infra/step-ca/init.sh to patch mosaic-fed provisioner config with
  templateFile path via jq on first boot (idempotent)
- Append OID assignment registry and CA env var table to docs/federation/SETUP.md
- 11 unit tests pass: happy path, certChain fallbacks, HTTP 401/4xx, malformed
  CSR (no HTTP call), non-JSON response, connection error, JWT claim assertions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
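As an added illustration (not code from this commit or the project), the DER UTF8String encoding the federation.tpl bullet describes for the two OID extensions, built and strictly parsed in Python; the entry shape (dotted `id`, `critical`, base64 `value`) is assumed to match step-ca x509 template extensions, and the UUID-style identifiers are constructed samples.

```python
import base64

# Private-enterprise arcs named in the commit message.
GRANT_ID_OID = "1.3.6.1.4.1.99999.1"
SUBJECT_USER_ID_OID = "1.3.6.1.4.1.99999.2"

# Constructed sample identifiers, not real grant or user ids.
SAMPLE_GRANT_ID = "8d2c6f0e-4b1a-4c3d-9e7f-0123456789ab"
SAMPLE_SUBJECT_USER_ID = "5f1e9a77-2c44-4d0b-8a6e-fedcba987654"

def der_length(n: int) -> bytes:
    """DER definite length: one byte below 128, else 0x80|k then k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_utf8string(value: str) -> bytes:
    """UTF8String TLV, tag 0x0C; a 36-char UUID string gives the length byte 0x24."""
    encoded = value.encode("utf-8")
    return b"\x0c" + der_length(len(encoded)) + encoded

def parse_der_utf8string(der: bytes) -> str:
    """Strict decoder: rejects a wrong tag, truncated data and trailing bytes."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("not a DER UTF8String")
    if der[1] < 0x80:
        n, off = der[1], 2
    else:
        k = der[1] & 0x7F
        n, off = int.from_bytes(der[2:2 + k], "big"), 2 + k
    if off + n != len(der):
        raise ValueError("UTF8String length does not match data")
    return der[off:off + n].decode("utf-8")

def template_extensions(grant_id: str, subject_user_id: str) -> list:
    """Extension entries in the shape a step-ca x509 template carries (assumed:
    dotted id, critical flag, base64 of the DER-encoded value)."""
    def entry(oid: str, value: str) -> dict:
        return {"id": oid, "critical": False,
                "value": base64.b64encode(der_utf8string(value)).decode("ascii")}
    return [entry(GRANT_ID_OID, grant_id), entry(SUBJECT_USER_ID_OID, subject_user_id)]

def extension_value(extensions: list, oid: str) -> str:
    """Decode the UTF8String behind one OID, failing loud if that OID is absent."""
    for ext in extensions:
        if ext["id"] == oid:
            return parse_der_utf8string(base64.b64decode(ext["value"]))
    raise KeyError(f"extension {oid} not present")
```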