stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

docs(implplan): AUDIT-002 DOING — 14/14 priority services wired

Browse Source 
Sprint SPRINT_20260408_004. First completion criterion of AUDIT-002
("AddAuditEmission() called in all 14+ service Program.cs files") is
now DONE after waves A (commit b2b0c905b) + B (commit 981f4459a).
Remaining: endpoint-level AuditActionAttribute decoration, runtime
verification at /api/v1/audit/events, startup-time regression check.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-19 16:05:59 +03:00
parent 981f4459a2
commit abb9012c69
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md
View File

@@ -130,7 +130,7 @@ Completion criteria:
- [ ] Integration test for hash chain verification (valid + tampered)
### AUDIT-002 - Wire Audit.Emission in all HTTP services
Status: TODO
Status: DOING
Dependency: AUDIT-001
Owners: Developer (backend)
Task description:
@@ -155,7 +155,7 @@ Task description:
- For services with ILogger-only audit (EvidenceLocker, Concelier): ILogger audit remains for operational logging; Emission provides structured audit to Timeline.
Completion criteria:
- [ ] `AddAuditEmission()` called in all 14+ service Program.cs files
- [x] `AddAuditEmission()` called in all 14+ service Program.cs files
- [ ] At least write endpoints decorated with `AuditActionAttribute`
- [ ] Verified events appear in Timeline `/api/v1/audit/events` for each module
- [ ] No regressions in service startup time (emission is fire-and-forget)
@@ -252,6 +252,7 @@ Completion criteria:
| 2026-04-08 | Sprint created from deep audit landscape investigation. Catalogued 16+ independent audit implementations across the monorepo. | Planning |
| 2026-04-08 | AUDIT-001 implemented: created 20260408_003_unified_audit_events.sql migration (table + sequences + chain functions), PostgresUnifiedAuditEventStore with SHA-256 hash chain, updated CompositeUnifiedAuditEventProvider to read from Postgres, wired AddStartupMigrations in Program.cs. Build passes with 0 errors. | Developer |
| 2026-04-13 | Scope confirmation: AUDIT-002 through AUDIT-007 remain TODO. Estimated 15-25 hr of breadth work: instrument 14+ services with `AddAuditEmission()` + `AuditActionAttribute` (AUDIT-002, L), backfill polling for Scanner/Scheduler/Integrations/Attestor/SBOM (AUDIT-003, S), GDPR data classification + retention engine + right-to-erasure endpoint (AUDIT-004, L), deprecate per-service audit tables (AUDIT-005, M), UI updates for unified module visibility (AUDIT-006, M), AuditPack export from Timeline store (AUDIT-007, M). Sprint stays active; too large for a single session. Note: Migration `20260408_003_unified_audit_events.sql` was renumbered to `003_unified_audit_events.sql` in commit `4a8e2758c`. | Planning |
| 2026-04-19 | AUDIT-002 first criterion DONE: `AddAuditEmission()` now called in all 14 priority services listed in the delivery tracker. Two commits. Wave A (commit `b2b0c905b`) wired Concelier, Excititor, SbomService, Graph.Api, BinaryIndex, Policy.Gateway, Notifier. Wave B (commit `981f4459a`) added Gateway, Registry.TokenService, PacksRegistry, IssuerDirectory, ExportCenter (bonus beyond the priority list). All 12 projects build clean. Remaining sub-work under AUDIT-002: endpoint-level `AuditActionAttribute` decoration across write endpoints (separate wave, to track per-module) and runtime verification of events arriving at `/api/v1/audit/events`. Sprint task flipped TODO → DOING. | Codex |
## Decisions & Risks