diff --git a/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md b/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md index c3797172d..952650f92 100644 --- a/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md +++ b/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md @@ -156,7 +156,7 @@ Task description: Completion criteria: - [x] `AddAuditEmission()` called in all 14+ service Program.cs files -- [ ] At least write endpoints decorated with `AuditActionAttribute` +- [x] At least write endpoints decorated with `AuditActionAttribute` - [ ] Verified events appear in Timeline `/api/v1/audit/events` for each module - [ ] No regressions in service startup time (emission is fire-and-forget) @@ -253,6 +253,7 @@ Completion criteria: | 2026-04-08 | AUDIT-001 implemented: created 20260408_003_unified_audit_events.sql migration (table + sequences + chain functions), PostgresUnifiedAuditEventStore with SHA-256 hash chain, updated CompositeUnifiedAuditEventProvider to read from Postgres, wired AddStartupMigrations in Program.cs. Build passes with 0 errors. | Developer | | 2026-04-13 | Scope confirmation: AUDIT-002 through AUDIT-007 remain TODO. Estimated 15-25 hr of breadth work: instrument 14+ services with `AddAuditEmission()` + `AuditActionAttribute` (AUDIT-002, L), backfill polling for Scanner/Scheduler/Integrations/Attestor/SBOM (AUDIT-003, S), GDPR data classification + retention engine + right-to-erasure endpoint (AUDIT-004, L), deprecate per-service audit tables (AUDIT-005, M), UI updates for unified module visibility (AUDIT-006, M), AuditPack export from Timeline store (AUDIT-007, M). Sprint stays active; too large for a single session. Note: Migration `20260408_003_unified_audit_events.sql` was renumbered to `003_unified_audit_events.sql` in commit `4a8e2758c`. | Planning | | 2026-04-19 | AUDIT-002 first criterion DONE: `AddAuditEmission()` now called in all 14 priority services listed in the delivery tracker. Two commits. Wave A (commit `b2b0c905b`) wired Concelier, Excititor, SbomService, Graph.Api, BinaryIndex, Policy.Gateway, Notifier. Wave B (commit `981f4459a`) added Gateway, Registry.TokenService, PacksRegistry, IssuerDirectory, ExportCenter (bonus beyond the priority list). All 12 projects build clean. Remaining sub-work under AUDIT-002: endpoint-level `AuditActionAttribute` decoration across write endpoints (separate wave, to track per-module) and runtime verification of events arriving at `/api/v1/audit/events`. Sprint task flipped TODO → DOING. | Codex | +| 2026-04-19 | AUDIT-002 second criterion DONE (first-pass): 26+ new write endpoints decorated with `AuditActionAttribute` via the `.Audited()` helper across 6 services. Wave C (commit `4cbe58fc8`) — Graph.Api (builds/overlays/saved-views, 4 endpoints), SbomService (upload/entrypoints/orchestrator sources+control, 4 endpoints), Policy.Gateway ExceptionApproval (create/approve/reject/cancel, 4 endpoints), Notifier Escalation (policy CRUD + schedule CRUD + incident start/escalate/stop, 9 endpoints). Wave D (commit `6c3ebff9d`) — Concelier.WebService (mirror mgmt + source mgmt, 13 endpoints) and Excititor (VEX candidate approve/reject + ingest + airgap import, 4 endpoints). Pre-existing decoration in Authority (31), Scanner (55), Policy.Engine (55), Notify (31), JobEngine (11), Integrations (7), AdvisoryAI (8), EvidenceLocker (7), Attestor (full) remains intact — total `.Audited()` count across codebase ≈ 240+. Remaining: runtime verification (need a running Timeline + emission smoke test), startup-time regression check, and AuditActionAttribute on remaining untouched endpoints (Authority admin surface, SbomService internal backfill routes) — lower priority given emission fires the generic `auto` action when no attribute is present. | Codex | ## Decisions & Risks