Add LDAP Distinguished Name Helper and Credential Audit Context
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values. - Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context. - Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events. - Introduced AuthorityAuditSink for persisting audit records with structured logging. - Added CryptoPro related classes for certificate resolution and signing operations.
This commit is contained in:
master
@@ -1,9 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
|EXCITITOR-ATTEST-01-003 – Verification suite & observability|Team Excititor Attestation|EXCITITOR-ATTEST-01-002|TODO (2025-11-06) – Continuing implementation: build `IVexAttestationVerifier`, wire metrics/logging, and add regression tests. Draft plan in `EXCITITOR-ATTEST-01-003-plan.md` (2025-10-19) guides scope; updating with worknotes as progress lands.<br>2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests.<br>2025-11-05 14:35Z: Picking up diagnostics record/ActivitySource work and aligning metrics dimensions before wiring verifier into WebService/Worker paths.|
|
||||
> 2025-11-05 19:10Z: Worker signature verifier now emits structured diagnostics/metrics via `VexAttestationDiagnostics`; attestation verification results flow into metric labels and logs.
|
||||
> 2025-11-06 07:12Z: Export verifier builds unblocked; Excititor worker + web service test suites pass with diagnostics wiring (`dotnet test` invocations succeed with staged libssl1.1).
|
||||
> 2025-11-06 07:55Z: Paused after documenting OpenSSL shim usage; follow-up automation tracked under `DEVOPS-OPENSSL-11-001/002`.
|
||||
> Remark (2025-10-22): Added verifier implementation + metrics/tests; next steps include wiring into WebService/Worker flows and expanding negative-path coverage.
|
||||
@@ -1,4 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
@@ -1,4 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
@@ -1,5 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
|EXCITITOR-CONN-MS-01-003 – Trust metadata & provenance hints|Team Excititor Connectors – MSRC|EXCITITOR-CONN-MS-01-002, EXCITITOR-POLICY-01-001|TODO – Emit cosign/AAD issuer metadata, attach provenance details, and document policy integration.|
|
||||
@@ -1,4 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
@@ -1,5 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
|EXCITITOR-CONN-ORACLE-01-003 – Trust provenance enrichment|Team Excititor Connectors – Oracle|EXCITITOR-CONN-ORACLE-01-002, EXCITITOR-POLICY-01-001|TODO – Emit Oracle signing metadata (PGP/cosign fingerprint list, issuer trust tier) into raw provenance so downstream services can evaluate trust. Connector must not apply consensus weighting during ingestion.|
|
||||
@@ -1,4 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
@@ -1,5 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
|EXCITITOR-CONN-SUSE-01-003 – Trust metadata provenance|Team Excititor Connectors – SUSE|EXCITITOR-CONN-SUSE-01-002, EXCITITOR-POLICY-01-001|TODO – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion.|
|
||||
@@ -1,6 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
|EXCITITOR-CONN-UBUNTU-01-003 – Trust provenance enrichment|Team Excititor Connectors – Ubuntu|EXCITITOR-CONN-UBUNTU-01-002, EXCITITOR-POLICY-01-001|TODO – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting.|
|
||||
> Remark (2025-10-29, EXCITITOR-CONN-UBUNTU-01-002): Offline + network regression pass validated resume tokens, dedupe skips, checksum enforcement, and ETag handling before closing the task.
|
||||
@@ -1,101 +0,0 @@
|
||||
# TASKS — Epic 1: Aggregation-Only Contract
|
||||
> **AOC Reminder:** ingestion captures raw VEX statements/linksets only—no precedence, suppression, or severity derivation within Excititor.
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|---|
|
||||
> 2025-10-31: Raw guard now enforced by `MongoVexRawStore` and worker DI via `AddExcititorAocGuards`; repository + backfill tests cover guard pass/fail and storage rollback.
|
||||
> 2025-10-29: Added `VexRawWriteGuard` + DI hooks consuming `AocWriteGuard`; unit coverage validates minimal and invalid signature cases. Integration with raw sinks remains outstanding.
|
||||
| EXCITITOR-CORE-AOC-19-002 `VEX linkset extraction` | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-001 | Implement deterministic extraction of advisory IDs, component PURLs, and references into `linkset`, capturing reconciled-from metadata for traceability. |
|
||||
| EXCITITOR-CORE-AOC-19-003 `Idempotent VEX raw upsert` | TODO | Excititor Core Guild | EXCITITOR-STORE-AOC-19-002 | Enforce `(vendor, upstreamId, contentHash, tenant)` uniqueness, generate supersedes chains, and ensure append-only versioning of raw VEX documents. |
|
||||
| EXCITITOR-CORE-AOC-19-004 `Remove ingestion consensus` | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-002, POLICY-AOC-19-003 | Excise consensus/merge/severity logic from Excititor ingestion paths, updating exports/tests to rely on Policy Engine materializations instead. |
|
||||
| EXCITITOR-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Excititor Core Guild | AUTH-AOC-19-002 | Update Excititor smoke/e2e suites to seed tenant-aware Authority clients and ensure cross-tenant VEX ingestion is rejected. | Required for Authority docs (`AUTH-AOC-19-003`) sign-off; share results with Authority Core. |
|
||||
|
||||
## Policy Engine v2
|
||||
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-POLICY-20-002 `Scope-aware linksets` | TODO | Excititor Core Guild, Policy Guild | EXCITITOR-CORE-AOC-19-002, POLICY-ENGINE-20-001 | Enhance VEX linkset extraction with scope resolution (product/component) + version range matching to boost policy join accuracy; refresh fixtures/tests. |
|
||||
|
||||
## Graph Explorer v1
|
||||
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-GRAPH-21-001 `Inspector linkouts` | BLOCKED (2025-10-27) | Excititor Core Guild, Cartographer Guild | EXCITITOR-POLICY-20-002, CARTO-GRAPH-21-005 | Provide batched VEX/advisory reference fetches keyed by graph node PURLs so UI inspector can display raw documents and justification metadata. |
|
||||
> 2025-10-27: Pending policy-driven linkset enrichment (`EXCITITOR-POLICY-20-002`) and Cartographer inspector contract (`CARTO-GRAPH-21-005`). No stable payload to target.
|
||||
> 2025-10-29: Handshake actions in `docs/dev/cartographer-graph-handshake.md` — draft batch linkout API skeleton + fixture plan once Cartographer delivers query patterns.
|
||||
| EXCITITOR-GRAPH-21-002 `Overlay enrichment` | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-001, POLICY-ENGINE-30-001 | Ensure overlay metadata includes VEX justification summaries and document versions for Cartographer overlays; update fixtures/tests. |
|
||||
> 2025-10-27: Requires inspector linkouts (`EXCITITOR-GRAPH-21-001`) and Policy Engine overlay schema (`POLICY-ENGINE-30-001`) before enrichment can be implemented.
|
||||
> 2025-10-29: Align overlay schema work with the handshake doc once Policy Guild publishes the overlay additions; collect sample payloads for review.
|
||||
|
||||
## Link-Not-Merge v1
|
||||
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-LNM-21-001 `VEX observation model` | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-001 | Define immutable `vex_observations` schema capturing raw statements, product PURLs, justification, and AOC metadata. `DOCS-LNM-22-002` blocked pending this schema. |
|
||||
| EXCITITOR-LNM-21-002 `Linkset correlator` | TODO | Excititor Core Guild | EXCITITOR-LNM-21-001 | Build correlation pipeline combining alias + product PURL signals to form `vex_linksets` with confidence metrics. Docs waiting to finalize VEX aggregation guide. |
|
||||
| EXCITITOR-LNM-21-003 `Conflict annotator` | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Record status/justification disagreements within linksets and expose structured conflicts. Provide structured payloads for `DOCS-LNM-22-002`. |
|
||||
| EXCITITOR-LNM-21-004 `Merge removal` | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Remove legacy VEX merge logic, enforce immutability, and add guards/tests to prevent future merges. |
|
||||
| EXCITITOR-LNM-21-005 `Event emission` | TODO | Excititor Core Guild, Platform Events Guild | EXCITITOR-LNM-21-002 | Emit `vex.linkset.updated` events for downstream consumers with delta descriptions and tenant context. |
|
||||
|
||||
## Policy Engine + Editor v1
|
||||
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-POLICY-23-001 `Evidence indexes` | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Provide indexes/materialized views for policy runtime (status, justification, product PURL) to accelerate queries; document contract. |
|
||||
| EXCITITOR-POLICY-23-002 `Event guarantees` | TODO | Excititor Core Guild, Platform Events Guild | EXCITITOR-LNM-21-005 | Ensure `vex.linkset.updated` events include correlation confidence, conflict summaries, and idempotent ids for evaluator consumption. |
|
||||
|
||||
## Graph & Vuln Explorer v1
|
||||
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
|
||||
## Reachability v1
|
||||
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-SIG-26-001 `Vendor exploitability hints` | TODO | Excititor Core Guild, Signals Guild | SIGNALS-24-004 | Surface vendor-provided exploitability indicators and affected symbol lists to Signals service via projection endpoints. |
|
||||
|
||||
## Authority-Backed Scopes & Tenancy (Epic 14)
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-TEN-48-001 `Tenant-aware VEX linking` | TODO | Excititor Core Guild | AUTH-TEN-47-001 | Apply tenant context to VEX linkers, enable RLS, and expose capability endpoint confirming aggregation-only behavior. |
|
||||
|
||||
## Observability & Forensics (Epic 15)
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-OBS-50-001 `Telemetry adoption` | DONE (2025-11-07) | Excititor Core Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Integrate telemetry core across VEX ingestion/linking, ensuring spans/logs capture tenant, product scope, upstream id, justification hash, and trace IDs. |
|
||||
| EXCITITOR-OBS-51-001 `Metrics & SLOs` | TODO | Excititor Core Guild, DevOps Guild | EXCITITOR-OBS-50-001, TELEMETRY-OBS-51-001 | Publish metrics for VEX ingest latency, scope resolution success, conflict rate, signature verification failures. Define SLOs (link latency P95 <30s) and configure burn-rate alerts. |
|
||||
| EXCITITOR-OBS-52-001 `Timeline events` | TODO | Excititor Core Guild | EXCITITOR-OBS-50-001, TIMELINE-OBS-52-002 | Emit `timeline_event` entries for VEX ingest/linking/outcome changes with trace IDs, justification summaries, and evidence placeholders. |
|
||||
| EXCITITOR-OBS-53-001 `Evidence snapshots` | TODO | Excititor Core Guild, Evidence Locker Guild | EXCITITOR-OBS-52-001, EVID-OBS-53-002 | Build evidence payloads for VEX statements (raw doc, normalization diff, precedence notes) and push to evidence locker with Merkle manifests. |
|
||||
| EXCITITOR-OBS-54-001 `Attestation & verification` | TODO | Excititor Core Guild, Provenance Guild | EXCITITOR-OBS-53-001, PROV-OBS-54-001 | Attach DSSE attestations to VEX batch processing, verify chain-of-custody via Provenance library, and link attestation IDs to timeline + ledger. |
|
||||
| EXCITITOR-OBS-55-001 `Incident mode` | TODO | Excititor Core Guild, DevOps Guild | EXCITITOR-OBS-51-001, DEVOPS-OBS-55-001 | Implement incident sampling bump, additional raw payload retention, and activation events for VEX pipelines with redaction guard rails. |
|
||||
|
||||
## Air-Gapped Mode (Epic 16)
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Excititor Core Guild | AIRGAP-IMP-57-002, MIRROR-CRT-56-001 | Add mirror-based VEX ingestion, preserving statement digests and bundle IDs. |
|
||||
| EXCITITOR-AIRGAP-56-002 `Bundle provenance` | TODO | Excititor Core Guild, AirGap Importer Guild | EXCITITOR-AIRGAP-56-001, AIRGAP-IMP-57-001 | Persist bundle metadata on VEX observations/linksets with provenance references. |
|
||||
| EXCITITOR-AIRGAP-57-001 `Sealed-mode enforcement` | TODO | Excititor Core Guild, AirGap Policy Guild | EXCITITOR-AIRGAP-56-001, AIRGAP-POL-56-001 | Block non-mirror connectors in sealed mode and surface remediation errors. |
|
||||
| EXCITITOR-AIRGAP-57-002 `Staleness annotations` | TODO | Excititor Core Guild, AirGap Time Guild | EXCITITOR-AIRGAP-56-002, AIRGAP-TIME-58-001 | Annotate VEX statements with staleness metrics and expose via API. |
|
||||
| EXCITITOR-AIRGAP-58-001 `Portable VEX evidence` | TODO | Excititor Core Guild, Evidence Locker Guild | EXCITITOR-OBS-53-001, EVID-OBS-54-001 | Package VEX evidence segments into portable evidence bundles linked to timeline. |
|
||||
|
||||
## SDKs & OpenAPI (Epic 17)
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-OAS-61-001 `Spec coverage` | TODO | Excititor Core Guild, API Contracts Guild | OAS-61-001 | Update VEX OAS to include observation/linkset endpoints with provenance fields and examples. |
|
||||
| EXCITITOR-OAS-61-002 `Example catalog` | TODO | Excititor Core Guild | EXCITITOR-OAS-61-001 | Provide examples for VEX justifications, statuses, conflicts; ensure SDK docs reference them. |
|
||||
| EXCITITOR-OAS-62-001 `SDK smoke tests` | TODO | Excititor Core Guild, SDK Generator Guild | EXCITITOR-OAS-61-001, SDKGEN-63-001 | Add SDK scenarios for VEX observation queries and conflict handling to language smoke suites. |
|
||||
| EXCITITOR-OAS-63-001 `Deprecation headers` | TODO | Excititor Core Guild, API Governance Guild | APIGOV-63-001 | Add deprecation metadata and notifications for legacy VEX routes. |
|
||||
|
||||
## Risk Profiles (Epic 18)
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-RISK-66-001 `VEX gate provider` | TODO | Excititor Core Guild, Risk Engine Guild | RISK-ENGINE-67-002 | Supply VEX status and justification data for risk engine gating with full source provenance. |
|
||||
| EXCITITOR-RISK-66-002 `Reachability inputs` | TODO | Excititor Core Guild | EXCITITOR-RISK-66-001 | Provide component/product scoping metadata enabling reachability and runtime factor mapping. |
|
||||
| EXCITITOR-RISK-67-001 `Explainability metadata` | TODO | Excititor Core Guild | EXCITITOR-RISK-66-001 | Include VEX justification, status reasoning, and source digests in explainability artifacts. |
|
||||
| EXCITITOR-RISK-68-001 `Policy Studio integration` | TODO | Excititor Core Guild, Policy Studio Guild | POLICY-RISK-68-001 | Surface VEX-specific gates/weights within profile editor UI and validation messages. |
|
||||
|
||||
## Attestor Console (Epic 19)
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-ATTEST-73-001 `VEX attestation payloads` | TODO | Excititor Core Guild, Attestation Payloads Guild | ATTEST-TYPES-72-001 | Provide VEX statement metadata (supplier identity, justification, scope) required for VEXAttestation payloads. |
|
||||
| EXCITITOR-ATTEST-73-002 `Chain provenance` | TODO | Excititor Core Guild | EXCITITOR-ATTEST-73-001 | Expose linkage from VEX statements to subject/product for chain of custody graph. |
|
||||
@@ -1,4 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
@@ -1,4 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
@@ -1,4 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
@@ -1,4 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
@@ -1,5 +0,0 @@
|
||||
If you are working on this file you need to read docs/modules/excititor/ARCHITECTURE.md and ./AGENTS.md).
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
|EXCITITOR-POLICY-02-002 – Diagnostics for scoring signals|Team Excititor Policy|EXCITITOR-POLICY-02-001|BACKLOG – Update diagnostics reports to surface missing severity/KEV/EPSS mappings, coefficient overrides, and provide actionable recommendations for policy tuning.|
|
||||
@@ -1,29 +0,0 @@
|
||||
# TASKS — Epic 1: Aggregation-Only Contract
|
||||
> **AOC Reminder:** storage enforces raw VEX documents only—no consensus/precedence data in ingestion collections.
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|---|
|
||||
| EXCITITOR-STORE-AOC-19-001 `vex_raw schema validator` | TODO | Excititor Storage Guild | Mongo cluster ops sign-off | Define Mongo JSON schema for `vex_raw` enforcing required fields and forbidding derived/consensus/severity fields. Ship unit tests with Mongo2Go to validate rejects. |
|
||||
| EXCITITOR-STORE-AOC-19-002 `idempotency unique index` | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-001 | Create `(source.vendor, upstream.upstream_id, upstream.content_hash, tenant)` unique index with backfill checker, updating migrations + bootstrapper for offline installs. |
|
||||
| EXCITITOR-STORE-AOC-19-003 `append-only migration plan` | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-002 | Migrate legacy consensus collections to `_backup_*`, seed supersedes chain for raw docs, and document rollback path + dry-run verification. |
|
||||
| EXCITITOR-STORE-AOC-19-004 `validator deployment docset` | TODO | Excititor Storage Guild, DevOps Guild | EXCITITOR-STORE-AOC-19-001 | Update migration runbooks and Offline Kit packaging to bundle schema validator scripts, with smoke instructions for air-gapped clusters. |
|
||||
|
||||
## Policy Engine v2
|
||||
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-POLICY-20-003 `Selection cursors` | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-002, POLICY-ENGINE-20-003 | Introduce VEX selection cursor collections + indexes powering incremental policy runs; bundle change-stream checkpoint migrations and Offline Kit tooling. |
|
||||
|
||||
## Graph Explorer v1
|
||||
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-GRAPH-21-005 `Inspector indexes` | BLOCKED (2025-10-27) | Excititor Storage Guild | EXCITITOR-GRAPH-21-001 | Add indexes/materialized views for VEX lookups by PURL/policy to support Cartographer inspector performance; document migrations. |
|
||||
> 2025-10-27: Indexed workload requirements depend on Inspector linkouts (`EXCITITOR-GRAPH-21-001`) which are themselves blocked on Cartographer contract. Revisit once access patterns are defined.
|
||||
> 2025-10-29: Per `docs/dev/cartographer-graph-handshake.md`, prepare index sizing doc once Cartographer shares query shapes; include perf targets + migration plan before unblocking.
|
||||
|
||||
## Link-Not-Merge v1
|
||||
|
||||
| ID | Status | Owner(s) | Depends on | Notes |
|
||||
|----|--------|----------|------------|-------|
|
||||
| EXCITITOR-LNM-21-101 `Observations collections` | TODO | Excititor Storage Guild | EXCITITOR-LNM-21-001 | Provision `vex_observations`/`vex_linksets` collections with shard keys, indexes over aliases & product PURLs, and multi-tenant guards. |
|
||||
| EXCITITOR-LNM-21-102 `Migration/backfill` | TODO | Excititor Storage Guild, DevOps Guild | EXCITITOR-LNM-21-101 | Backfill legacy merged VEX docs into observations/linksets, add provenance notes, and produce rollback scripts. |
|
||||
Reference in New Issue
Block a user