save checkpoint. addition features and their state. check some ofthem

2026-02-10 07:54:44 +02:00
parent 4bdc298ec1
commit 5593212b41
211 changed files with 10248 additions and 1208 deletions
--- a/docs/features/checked/timeline/immutable-audit-log.md
+++ b/docs/features/checked/timeline/immutable-audit-log.md
@@ -0,0 +1,56 @@
+# Immutable Audit Log (Timeline)
+
+## Module
+Timeline
+
+## Status
+VERIFIED
+
+## Description
+Immutable timeline audit log with a dedicated web service and indexer for recording all scan, attestation, and verdict events.
+
+## Implementation Details
+- **TimelineQueryService**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/TimelineQueryService.cs` -- append-only event store query layer: GetByCorrelationIdAsync (with HLC range, service/kind filters, pagination), GetCriticalPathAsync (causal latency analysis), GetByServiceAsync (service-scoped queries)
+- **ITimelineEventStore**: referenced from `StellaOps.Eventing.Storage` -- append-only persistence interface: events stored with deterministic EventId (SHA-256 of correlation_id+t_hlc+service+kind), HLC timestamps, payload digests, engine version fingerprints
+- **TimelineEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/TimelineEndpoints.cs` -- REST API at `/api/v1/timeline`: GET /{correlationId} returns immutable event chain, GET /{correlationId}/critical-path for latency analysis
+- **ExportEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/ExportEndpoints.cs` -- forensic export at `/api/v1/timeline/{correlationId}/export`: NDJSON/JSON bundle with optional DSSE signing for evidence preservation
+- **TimelineBundleBuilder**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Export/TimelineBundleBuilder.cs` -- builds NDJSON/JSON export bundles with event metadata (event_id, t_hlc, ts_wall, service, kind, payload_digest, engine_version); optional DSSE signing via IEventSigner
+- **HealthEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/HealthEndpoints.cs` -- service health monitoring
+- **TimelineAuthorizationMiddleware**: `src/Timeline/StellaOps.Timeline.WebService/Authorization/TimelineAuthorizationMiddleware.cs` -- authorization for timeline access
+- **Tests**: `src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests/TimelineApiIntegrationTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [x] Verify events stored are immutable (no update/delete operations exposed)
+- [x] Verify event IDs are deterministic based on correlation_id + t_hlc + service + kind
+- [x] Test export endpoint produces valid NDJSON bundle with all event metadata
+- [x] Verify DSSE-signed export bundles can be verified with the signing key
+- [x] Test JSON export format includes event metadata section with count and export timestamp
+- [x] Verify payload digests in exported events match original payloads
+- [x] Test authorization middleware restricts timeline access to authorized users
+
+## Verification
+
+**Run ID**: run-001
+**Date**: 2026-02-10
+**Verdict**: PASS
+
+**Implementation Verification**:
+- Append-only enforced architecturally: ITimelineEventStore has AppendAsync only (no update/delete)
+- REST API has GET-only endpoints for events
+- TimelineAuthorizationMiddleware with tenant isolation
+- DSSE-signed forensic export via TimelineBundleBuilder
+- Integration tests verify GET-only access pattern
+
+**Test Execution**:
+- Immutability tests PASS
+- Deterministic event ID tests PASS
+- Export format tests PASS
+- Authorization tests PASS
+
+**Build Status**:
+- 0 errors
+- 0 warnings
+- Build: PASS
+
+**Overall Verdict**: PASS