stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(audit): wire AddAuditEmission in 7 more services + update Sprint 005

Browse Source 
- Wire audit emission in: Attestor, Findings Ledger, Doctor, Signals,
  AdvisoryAI, RiskEngine, OpsMemory (total: 16 services now emit)
- Sprint 005: add FILTER-010 (80 endpoints in 6 new services)
- Sprint 005: add CAPSULE-001 (decision capsule lifecycle, blocked)
- Sprint 005: add config/settings audit checklist (12 surfaces mapped)
- Total auditable endpoints: 617 across 16 services

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-09 09:37:46 +03:00
parent 8442fcb807
commit 845541c537
15 changed files with 120 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
docs/implplan/SPRINT_20260408_005_Audit_endpoint_filters_deprecation.md
View File

@@ -231,7 +231,14 @@ This minimizes the per-endpoint boilerplate (no `.AddEndpointFilter<AuditActionF
| EvidenceLocker | 7 | Low (3 files) |
| Notify | ~65 | High (15 files) |
| Scheduler | ~31 | Medium (9 files) |
| **TOTAL** | **~532** | |
| Attestor | ~25 | Medium (FILTER-010) |
| Findings Ledger | ~30 | Medium (FILTER-010) |
| Doctor | ~7 | Low (FILTER-010) |
| Signals | ~10 | Low (FILTER-010) |
| AdvisoryAI/OpsMemory | ~5 | Low (FILTER-010) |
| RiskEngine | ~3 | Low (FILTER-010) |
| Decision Capsules | ~5 | Low (CAPSULE-001, BLOCKED) |
| **TOTAL** | **~617** | |
---
@@ -548,6 +555,63 @@ Completion criteria:
**Effort: 2 days**
### FILTER-010 - Annotate endpoints in newly-wired services (Attestor, Findings, Doctor, Signals, AdvisoryAI, RiskEngine)
Status: TODO
Dependency: FILTER-001 (convention helper)
Owners: Developer (backend)
Task description:
- These 6 services were recently wired into the Valkey transport and have state-changing endpoints that need audit annotation.
- Apply the same group-level filter + per-endpoint metadata convention as the original 9 services.
Services and their state-changing endpoints to annotate:
**Attestor (HIGH priority):** ~25 endpoints
- attestor / sign_dsse, verify_dsse, add_key, revoke_key, rotate_key
- attestor / create_ceremony, approve_ceremony, execute_ceremony, cancel_ceremony
- attestor / create_watchlist_entry, update_watchlist_entry, delete_watchlist_entry
- attestor / export_attestation, import_attestation, sign_attestation, submit_rekor_entry
**Findings Ledger (HIGH priority):** ~30 endpoints
- findings / create_vex_decision, update_vex_decision, create_fix_verification
- findings / create_audit_bundle, create_ledger_event, create_alert_decision
- findings / create_attestation_pointer, transition_finding_state, create_vex_issuer
**Doctor:** ~7 endpoints
- doctor / start_run, diagnose, delete_report, create_schedule, update_schedule, delete_schedule, execute_schedule
**Signals:** ~10 endpoints
- signals / ingest_callgraph, ingest_runtime_fact, compute_reachability, submit_execution_evidence, register_beacon
**AdvisoryAI/OpsMemory:** ~5 endpoints
- advisory-ai / record_decision, record_outcome, create_run
**RiskEngine:** ~3 endpoints
- riskengine / create_score_job, create_simulation
Completion criteria:
- [ ] All ~80 endpoints annotated across 6 services
- [ ] Events visible in Timeline for modules: attestor, findings, doctor, signals, advisory-ai, riskengine
- [ ] No startup regressions
**Effort: 3 days**
### CAPSULE-001 - Decision Capsule lifecycle audit events
Status: BLOCKED (capsule sealing pipeline not yet implemented)
Dependency: capsule pipeline implementation
Owners: Developer (backend)
Task description:
- Once the Decision Capsule sealing pipeline is built, add audit events for:
- evidence / create_capsule, seal_capsule, verify_capsule, export_capsule, replay_capsule
- Decision Capsules are signed, immutable, content-addressed bundles containing SBOM + vuln feeds + reachability evidence + policy version + derived VEX + DSSE signatures. Their lifecycle mutations are security-critical.
- Current state: DB table exists (release.run_capsule_replay_linkage), read model and UI routes exist, but full creation/sealing pipeline is partially aspirational.
Completion criteria:
- [ ] All capsule lifecycle endpoints annotated with AuditActionAttribute
- [ ] Capsule create/seal/verify events visible in Timeline
- [ ] Audit events include content-address hash for traceability
**Effort: 1 day (once capsule pipeline is implemented)**
### DEPRECATE-001 - Batch 3: Dual-write for services with local audit tables
Status: TODO
Dependency: FILTER-002 through FILTER-008 (at least the relevant service batch)
@@ -630,10 +694,12 @@ Completion criteria:
|---|---|---|---|
| **Batch 1**: Convention helper + simple services (Integrations, EvidenceLocker, Scanner) | FILTER-001, FILTER-002, FILTER-003 | 3.5 days | Week 1 |
| **Batch 2**: Complex services (Platform, Authority, Notify, Policy, ReleaseOrchestrator, Scheduler) | FILTER-004 through FILTER-008 | 12.5 days | Weeks 2-4 |
| **Batch 3**: Dual-write transition | DEPRECATE-001 | 3 days | Week 4-5 |
| **Batch 2b**: Newly-wired services (Attestor, Findings, Doctor, Signals, AdvisoryAI, RiskEngine) | FILTER-010 | 3 days | Week 3-4 |
| **Blocked**: Decision Capsule lifecycle audit | CAPSULE-001 | 1 day (when unblocked) | TBD |
| **Batch 3**: Dual-write transition | DEPRECATE-001 | 3 days | Week 5-6 |
| **Batch 4**: Read migration (after 30-day verification) | DEPRECATE-002 | 3 days + 30-day wait | Week 9-10 |
| **Batch 5**: Drop local tables (after 90-day backward-compat) | DEPRECATE-003 | 2 days + 90-day wait | Week 22-23 |
| **TOTAL** | | **24 days active work** + **120 days verification** | ~6 months end-to-end |
| **TOTAL** | | **28 days active work** + **120 days verification** | ~6 months end-to-end |
---
@@ -641,6 +707,7 @@ Completion criteria:
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-04-08 | Sprint created. Full endpoint inventory completed across all 9 wired services (~532 state-changing endpoints). Per-service audit table analysis completed for 6 services with local tables. | Planning |
| 2026-04-08 | Added FILTER-010 (6 newly-wired services: ~80 endpoints) and CAPSULE-001 (blocked on capsule pipeline). Added Config/Settings Audit Checklist confirming all mutation surfaces are covered. Total active effort updated to 28 days. | Planning |
## Decisions & Risks
@@ -656,6 +723,25 @@ Completion criteria:
5. **120-day verification pipeline.** Dual-write runs for 30 days before reads are redirected. Deprecated endpoints remain functional for 90 more days. Total 120 days from dual-write start to table drop. This is non-negotiable for a compliance-critical audit subsystem.
### Config/Settings Audit Checklist
Coverage confirmation for all configuration and settings mutation surfaces:
| Config/Settings Area | Covered By | Status |
|---|---|---|
| Platform env settings | FILTER-004 | Planned |
| Crypto preferences | FILTER-004 | Planned |
| Integration configs | FILTER-002 | Planned |
| Scheduler schedules | FILTER-008 | Planned |
| Notification rules/channels | FILTER-006 | Planned |
| Authority clients/scopes | FILTER-005 | Planned |
| Scanner policies | FILTER-003 | Planned |
| Policy governance | FILTER-007 | Planned |
| Attestor operations | FILTER-010 | Planned (new) |
| Findings decisions | FILTER-010 | Planned (new) |
| Doctor schedules | FILTER-010 | Planned (new) |
| Decision Capsules | CAPSULE-001 | BLOCKED (pipeline not implemented) |
### Risks
1. **~532 endpoints is a large surface.** Risk of missed annotations or incorrect module/action strings. Mitigation: create an integration test that walks all registered endpoints and asserts that every non-GET endpoint has `AuditActionAttribute` metadata (or is in an explicit skip list).
@@ -671,7 +757,8 @@ Completion criteria:
## Next Checkpoints
- **Week 1**: Convention helper shipped, Integrations + EvidenceLocker + Scanner annotated
- **Week 2-4**: All remaining services annotated
- **Week 4-5**: Dual-write enabled, monitoring dashboard created
- **Week 9-10**: Read migration after 30-day verification
- **Week 22-23**: Table drop after 90-day backward-compat window
- **Week 2-4**: All remaining original 9 services + newly-wired 6 services annotated (FILTER-010)
- **Week 5-6**: Dual-write enabled, monitoring dashboard created
- **Week 10-11**: Read migration after 30-day verification
- **Week 23-24**: Table drop after 90-day backward-compat window
- **TBD**: CAPSULE-001 unblocked when capsule sealing pipeline is implemented