Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org
@@ -1,15 +1,15 @@
|
||||
# Notifier OAS Discovery — ETag Guidance
|
||||
|
||||
The Notifier WebService exposes its OpenAPI document at `/.well-known/openapi` with headers:
|
||||
|
||||
- `X-OpenAPI-Scope: notify`
|
||||
- `ETag: "<sha256>"` (stable per spec bytes)
|
||||
- `Cache-Control: public, max-age=300`
|
||||
|
||||
Usage notes:
|
||||
|
||||
- SDK generators and CI smoke tests should re-use the `ETag` for conditional GETs (`If-None-Match`) to avoid redundant downloads.
|
||||
- Mirror/Offline bundles should copy `openapi/notify-openapi.yaml` and retain the `ETag` alongside the file hash used in air-gap validation.
|
||||
- When the spec changes, the SHA-256 and `ETag` change together; callers can detect breaking/non-breaking updates via the published changelog (source of truth in `docs/api/notify-openapi.yaml`).
|
||||
|
||||
Applies to tasks: NOTIFY-OAS-61-001/61-002/63-001.
|
||||
# Notifier OAS Discovery — ETag Guidance
|
||||
|
||||
The Notifier WebService exposes its OpenAPI document at `/.well-known/openapi` with headers:
|
||||
|
||||
- `X-OpenAPI-Scope: notify`
|
||||
- `ETag: "<sha256>"` (stable per spec bytes)
|
||||
- `Cache-Control: public, max-age=300`
|
||||
|
||||
Usage notes:
|
||||
|
||||
- SDK generators and CI smoke tests should re-use the `ETag` for conditional GETs (`If-None-Match`) to avoid redundant downloads.
|
||||
- Mirror/Offline bundles should copy `openapi/notify-openapi.yaml` and retain the `ETag` alongside the file hash used in air-gap validation.
|
||||
- When the spec changes, the SHA-256 and `ETag` change together; callers can detect breaking/non-breaking updates via the published changelog (source of truth in `docs/api/notify-openapi.yaml`).
|
||||
|
||||
Applies to tasks: NOTIFY-OAS-61-001/61-002/63-001.
|
||||
|
||||
@@ -1,86 +1,86 @@
|
||||
{
|
||||
"rules": [
|
||||
{
|
||||
"ruleId": "attest-key-rotation",
|
||||
"name": "Attestation key rotation/revocation",
|
||||
"enabled": true,
|
||||
"tenantId": "<tenant-id>",
|
||||
"match": {
|
||||
"eventKinds": [
|
||||
"authority.keys.rotated",
|
||||
"authority.keys.revoked"
|
||||
]
|
||||
},
|
||||
"actions": [
|
||||
{
|
||||
"actionId": "email-kms",
|
||||
"enabled": true,
|
||||
"channel": "email-kms",
|
||||
"template": "tmpl-attest-key-rotation"
|
||||
},
|
||||
{
|
||||
"actionId": "webhook-kms",
|
||||
"enabled": true,
|
||||
"channel": "webhook-kms",
|
||||
"template": "tmpl-attest-key-rotation"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"ruleId": "attest-transparency-anomaly",
|
||||
"name": "Transparency witness anomaly",
|
||||
"enabled": true,
|
||||
"tenantId": "<tenant-id>",
|
||||
"match": {
|
||||
"eventKinds": [
|
||||
"attestor.transparency.anomaly",
|
||||
"attestor.transparency.witness.failed"
|
||||
]
|
||||
},
|
||||
"actions": [
|
||||
{
|
||||
"actionId": "slack-soc",
|
||||
"enabled": true,
|
||||
"channel": "slack-soc",
|
||||
"template": "tmpl-attest-transparency-anomaly"
|
||||
},
|
||||
{
|
||||
"actionId": "webhook-siem",
|
||||
"enabled": true,
|
||||
"channel": "webhook-siem",
|
||||
"template": "tmpl-attest-transparency-anomaly"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"channels": [
|
||||
{
|
||||
"channelId": "email-kms",
|
||||
"type": "email",
|
||||
"name": "KMS security",
|
||||
"target": "kms-security@example.com",
|
||||
"secretRef": "ref://notify/channels/email/kms-security"
|
||||
},
|
||||
{
|
||||
"channelId": "webhook-kms",
|
||||
"type": "webhook",
|
||||
"name": "KMS webhook",
|
||||
"endpoint": "https://hooks.internal/kms",
|
||||
"secretRef": "ref://notify/channels/webhook/kms"
|
||||
},
|
||||
{
|
||||
"channelId": "slack-soc",
|
||||
"type": "slack",
|
||||
"name": "SOC high-priority",
|
||||
"endpoint": "https://hooks.slack.com/services/T000/B000/XYZ",
|
||||
"secretRef": "ref://notify/channels/slack/soc"
|
||||
},
|
||||
{
|
||||
"channelId": "webhook-siem",
|
||||
"type": "webhook",
|
||||
"name": "SIEM ingest",
|
||||
"endpoint": "https://siem.example.internal/hooks/notifier",
|
||||
"secretRef": "ref://notify/channels/webhook/siem"
|
||||
}
|
||||
]
|
||||
}
|
||||
{
|
||||
"rules": [
|
||||
{
|
||||
"ruleId": "attest-key-rotation",
|
||||
"name": "Attestation key rotation/revocation",
|
||||
"enabled": true,
|
||||
"tenantId": "<tenant-id>",
|
||||
"match": {
|
||||
"eventKinds": [
|
||||
"authority.keys.rotated",
|
||||
"authority.keys.revoked"
|
||||
]
|
||||
},
|
||||
"actions": [
|
||||
{
|
||||
"actionId": "email-kms",
|
||||
"enabled": true,
|
||||
"channel": "email-kms",
|
||||
"template": "tmpl-attest-key-rotation"
|
||||
},
|
||||
{
|
||||
"actionId": "webhook-kms",
|
||||
"enabled": true,
|
||||
"channel": "webhook-kms",
|
||||
"template": "tmpl-attest-key-rotation"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"ruleId": "attest-transparency-anomaly",
|
||||
"name": "Transparency witness anomaly",
|
||||
"enabled": true,
|
||||
"tenantId": "<tenant-id>",
|
||||
"match": {
|
||||
"eventKinds": [
|
||||
"attestor.transparency.anomaly",
|
||||
"attestor.transparency.witness.failed"
|
||||
]
|
||||
},
|
||||
"actions": [
|
||||
{
|
||||
"actionId": "slack-soc",
|
||||
"enabled": true,
|
||||
"channel": "slack-soc",
|
||||
"template": "tmpl-attest-transparency-anomaly"
|
||||
},
|
||||
{
|
||||
"actionId": "webhook-siem",
|
||||
"enabled": true,
|
||||
"channel": "webhook-siem",
|
||||
"template": "tmpl-attest-transparency-anomaly"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"channels": [
|
||||
{
|
||||
"channelId": "email-kms",
|
||||
"type": "email",
|
||||
"name": "KMS security",
|
||||
"target": "kms-security@example.com",
|
||||
"secretRef": "ref://notify/channels/email/kms-security"
|
||||
},
|
||||
{
|
||||
"channelId": "webhook-kms",
|
||||
"type": "webhook",
|
||||
"name": "KMS webhook",
|
||||
"endpoint": "https://hooks.internal/kms",
|
||||
"secretRef": "ref://notify/channels/webhook/kms"
|
||||
},
|
||||
{
|
||||
"channelId": "slack-soc",
|
||||
"type": "slack",
|
||||
"name": "SOC high-priority",
|
||||
"endpoint": "https://hooks.slack.com/services/T000/B000/XYZ",
|
||||
"secretRef": "ref://notify/channels/slack/soc"
|
||||
},
|
||||
{
|
||||
"channelId": "webhook-siem",
|
||||
"type": "webhook",
|
||||
"name": "SIEM ingest",
|
||||
"endpoint": "https://siem.example.internal/hooks/notifier",
|
||||
"secretRef": "ref://notify/channels/webhook/siem"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
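Review bot: The `slack-soc` channel in this sample carries a full Slack incoming-webhook URL in `endpoint` (`https://hooks.slack.com/services/T000/B000/XYZ`) next to its `secretRef`. The value shown is a placeholder, but a real incoming-webhook URL is itself the credential for posting to that channel, so a copy of this file with the real URL filled in would commit a secret to the repository. If the channel schema allows it, the sample should keep `endpoint` as an obvious placeholder, for example `"endpoint": "<resolved-from-secretRef>"`, and let `secretRef` carry the URL; whether the Notifier resolves the endpoint from `secretRef` is not visible on this page. The old and new sides of this hunk render identically, so the change itself appears to be whitespace or line-ending normalization.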