stela ops usage fixes roles propagation and timoeut, one account to support multi tenants, migrations consolidation, search to support documentation, doctor and open api vector db search

devops/compose/postgres-init/07-attestor-watchlist-schema.sql

@@ -0,0 +1,95 @@
+-- -----------------------------------------------------------------------------
+-- Migration: 20260129_001_create_identity_watchlist
+-- Sprint: SPRINT_0129_001_ATTESTOR_identity_watchlist_alerting
+-- Task: WATCH-004
+-- Description: Creates identity watchlist and alert deduplication tables.
+-- -----------------------------------------------------------------------------
+
+-- Watchlist entries table
+CREATE TABLE IF NOT EXISTS attestor.identity_watchlist (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id TEXT NOT NULL,
+    scope TEXT NOT NULL DEFAULT 'Tenant',
+    display_name TEXT NOT NULL,
+    description TEXT,
+
+    -- Identity matching fields (at least one required)
+    issuer TEXT,
+    subject_alternative_name TEXT,
+    key_id TEXT,
+    match_mode TEXT NOT NULL DEFAULT 'Exact',
+
+    -- Alert configuration
+    severity TEXT NOT NULL DEFAULT 'Warning',
+    enabled BOOLEAN NOT NULL DEFAULT TRUE,
+    channel_overrides JSONB,
+    suppress_duplicates_minutes INT NOT NULL DEFAULT 60,
+
+    -- Metadata
+    tags TEXT[],
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    created_by TEXT NOT NULL,
+    updated_by TEXT NOT NULL,
+
+    -- Constraints
+    CONSTRAINT chk_at_least_one_identity CHECK (
+        issuer IS NOT NULL OR
+        subject_alternative_name IS NOT NULL OR
+        key_id IS NOT NULL
+    ),
+    CONSTRAINT chk_scope_valid CHECK (scope IN ('Tenant', 'Global', 'System')),
+    CONSTRAINT chk_match_mode_valid CHECK (match_mode IN ('Exact', 'Prefix', 'Glob', 'Regex')),
+    CONSTRAINT chk_severity_valid CHECK (severity IN ('Info', 'Warning', 'Critical')),
+    CONSTRAINT chk_suppress_duplicates_positive CHECK (suppress_duplicates_minutes >= 1)
+);
+
+-- Performance indexes for active entry lookup
+CREATE INDEX IF NOT EXISTS idx_watchlist_tenant_enabled
+    ON attestor.identity_watchlist(tenant_id)
+    WHERE enabled = TRUE;
+
+CREATE INDEX IF NOT EXISTS idx_watchlist_scope_enabled
+    ON attestor.identity_watchlist(scope)
+    WHERE enabled = TRUE;
+
+CREATE INDEX IF NOT EXISTS idx_watchlist_issuer
+    ON attestor.identity_watchlist(issuer)
+    WHERE enabled = TRUE AND issuer IS NOT NULL;
+
+CREATE INDEX IF NOT EXISTS idx_watchlist_san
+    ON attestor.identity_watchlist(subject_alternative_name)
+    WHERE enabled = TRUE AND subject_alternative_name IS NOT NULL;
+
+CREATE INDEX IF NOT EXISTS idx_watchlist_keyid
+    ON attestor.identity_watchlist(key_id)
+    WHERE enabled = TRUE AND key_id IS NOT NULL;
+
+-- Alert deduplication table
+CREATE TABLE IF NOT EXISTS attestor.identity_alert_dedup (
+    watchlist_id UUID NOT NULL,
+    identity_hash TEXT NOT NULL,
+    last_alert_at TIMESTAMPTZ NOT NULL,
+    alert_count INT NOT NULL DEFAULT 0,
+    PRIMARY KEY (watchlist_id, identity_hash)
+);
+
+-- Index for cleanup
+CREATE INDEX IF NOT EXISTS idx_alert_dedup_last_alert
+    ON attestor.identity_alert_dedup(last_alert_at);
+
+-- Comment documentation
+COMMENT ON TABLE attestor.identity_watchlist IS
+    'Watchlist entries for monitoring signing identity appearances in transparency logs.';
+
+COMMENT ON COLUMN attestor.identity_watchlist.scope IS
+    'Visibility scope: Tenant (owning tenant only), Global (all tenants), System (read-only).';
+
+COMMENT ON COLUMN attestor.identity_watchlist.match_mode IS
+    'Pattern matching mode: Exact, Prefix, Glob, or Regex.';
+
+COMMENT ON COLUMN attestor.identity_watchlist.suppress_duplicates_minutes IS
+    'Deduplication window in minutes. Alerts for same identity within window are suppressed.';
+
+COMMENT ON TABLE attestor.identity_alert_dedup IS
+    'Tracks alert deduplication state to prevent alert storms.';