Revised to reflect verified end-to-end state on the local dev stack:
Concelier (9 wired backend connectors, 8 healthy, 787 advisories ingested):
- redhat (651 docs), osv (59), debian (41), suse (26), alpine (8),
ubuntu (2), auscert (0), vmware (0), stella-mirror (404 on dev — OK)
- all respond to `sources check` probes
Excititor (4 wired providers):
- excititor:{redhat, ubuntu, cisco, oracle} all enabled
- Cisco VEX uses the public CSAF feed (unauthenticated) — different
from the Concelier advisory side of Cisco which would need PSIRT OAuth
Aspirational catalog (~65 entries): present in `stellaops-cli sources list`
but NOT backend-wired. `sources enable <id>` returns OK but is a no-op
because no source_type → connector mapping exists. Tracked in
SPRINT_20260422_004 / _007.
Credential steps (GHSA, Cisco PSIRT, Microsoft MSRC) retained but flagged
as ready-for-when-the-connector-backend-lands. Currently all three
connectors they'd apply to are in the aspirational catalog only.
Operator commands documented + known CLI asymmetry (Concelier.Advisories.Read
policy needs aoc:verify scope which stellaops-cli client can't mint;
affects read endpoints only, write path works).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Authored as the Excititor mirror of SPRINT_20260422_003 Concelier source
credential entry paths. Extends the persisted-credentials control plane
to VEX providers (excititor:cisco, excititor:msrc,
excititor:suse-rancher, then binary-material flows for OCI attests).
Tasks (all TODO, 5 total):
- EXCITITOR-CFG-01: persisted provider settings store + API contracts
- EXCITITOR-CFG-02: drive readiness + execution from persisted settings
- EXCITITOR-CFG-03: CLI + Web surfaces for scalar providers
- (plus later tasks for binary-material + closeout)
Authored by an external stream during the 2026-04-22 session; committing
as-is so it joins the sprint index.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Operator reference for bringing up the full Concelier + Excititor
connector estate. Authored alongside the 2026-04-22 session's connector
setup work.
Covers:
- Credential requirements matrix: GHSA, Cisco PSIRT, MSRC require
operator-created credentials; all other ~26 connectors use public
endpoints.
- Exact click-paths for creating credentials:
- GitHub PAT at github.com/settings/tokens (read:packages +
public_repo scopes, SSO authorize if org requires).
- Cisco PSIRT openVuln OAuth2 client at apiconsole.cisco.com/apps.
- Microsoft Entra confidential app + client secret + Security
Updates API permission at entra.microsoft.com.
- Where to paste credentials in the UI (/setup/integrations) and CLI
(stellaops-cli db connectors configure ...).
- Retained-secret contract: server never echoes secrets; UI shows a
retained-secret badge; unrelated edits don't require re-entering.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes SPRINT_20260422_006 (FE-STAB3) + SPRINT_20260420_003 (parent).
Both archived. Residual deep-drift tracked under new SPRINT_20260422_008
(FE-STAB4).
Infrastructure (test-setup.ts + test-setup.jasmine-bootstrap.ts):
- Auto-enrich ɵcmp.inputs/.outputs/.inputConfig by scanning class source
for `this.x = input(...)` / `model(...)` / `output(...)` patterns
(~2KB scan cap per class to avoid OOM on bundle wrappers). Eliminates
NG0303/NG0950 without any component edits.
- ComponentRef.prototype.setInput fallback writes through the
InputSignal node's per-instance SIGNAL symbol when Angular's default
lookup misses.
- jest-global compat shim (jest.fn/spyOn/etc map to vi).
- navigator.clipboard polyfill for jsdom.
Per-family fixes:
- FE-STAB3-001 (signal-input JIT): infrastructure-only. Cluster results:
deploy-diff/component-diff-row 19/19, sbom-diff-view 25/25,
evidence-drawer 37/37, vex-trust-chip 27/27, simulation-history 51/51,
findings-list 26/26, step-content 18/26 (8 are drift → FE-STAB4),
simulation-console 53/53, batch-evaluation 40/40, promotion-gate 52/52.
- FE-STAB3-002 (TestBed lifecycle/providers): findings-container 9/9
after SCORING_API provider + BehaviorSubject<ParamMap> refactor;
integration-detail 53/64 with provideRouter([]); vex-create-workflow
51/58 after searchStatements mock return.
- FE-STAB3-003 (expectation drift): per-spec selector/assertion updates
across simulation-history, vex-trust-chip, sbom-diff-view,
evidence-drawer, admin-notifications. simulation-dashboard NG0303
gone via overrideComponent imports restore (29/41 remaining are
product-contract drift → FE-STAB4).
Component public contracts unchanged — zero component edits.
8 .todo() markers added in verdict-proof-panel (7) and
patch-diff-viewer (1) pointing to FE-STAB4-001/004 for removed-method
coverage that can't be repaired without feature changes.
Honest caveat: no single full-suite wallclock `vitest run` completed in
session — the config (pool=forks, fileParallelism=false, maxWorkers=1)
serializes ~785 specs under jsdom+Angular JIT, each run >15min.
Verification is cluster-level targeted runs. CI should run the full
suite as the final gate.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Continues the SPRINT_20260422_004_Concelier_full_connector_control_plane
feature stream started in commit 5c1b59580 (Excititor provider management
endpoints + contracts + service + tests). Adds the CLI + Web surfaces on
top of that backend.
CLI (src/Cli/**):
- CommandHandlers + BackendOperationsClient extended with provider
management calls
- ExcititorProviderSummary model added to the CLI's service models
- NonCoreCliCommandModule wires the new commands; tests updated
- TASKS.md entries synced
Web console (src/Web/StellaOps.Web/**):
- New vex-provider-catalog.component + vex-provider-management.api client
- advisory-source-catalog + advisory-vex-route-helpers extended to route
users to the new VEX provider surface
- integration-hub.routes.ts registers the new route
- security-disposition-page.component.ts updated for the flow
Excititor/Concelier docs + contracts:
- docs/modules/excititor/operations/provider-control-plane.md — operator
guide for the new control plane
- docs/modules/excititor/README.md + docs/modules/concelier/{README,
connectors}.md — cross-links + refs
- ConfiguredAdvisorySourceService.cs — additional provider plumbing
- StellaOps.Excititor.WebService/TASKS.md synced
Sprint doc (docs/implplan/SPRINT_20260422_004_*.md) reflects the
in-flight progress.
This is external-stream work picked up during the 2026-04-22 session's
closeout — bundling it now so the working tree is clean and main stays
in sync with local feature-branch state.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Companion to commit 4fea1ec72. That commit shipped the ProxyZone bootstrap
that unblocked ~450 fakeAsync specs but three residual failure families
remain, exceeding SPRINT_20260420_003's closeout window:
1. FE-STAB3-001 — signal-input JIT NG0303/NG0950 across setup-wizard,
deploy-diff, sbom-diff, evidence-drawer, verdict-proof-panel, etc.
2. FE-STAB3-002 — TestBed lifecycle/provider drift (e.g.
findings-container missing SCORING_API).
3. FE-STAB3-003 — expectation drift (e.g. simulation-history selectors).
4. FE-STAB3-004 — full-suite green + parent sprint archival.
Each family is per-spec repair, not shared infra. Sprint 20260420_003
stays open with its two BLOCKED tasks until FE-STAB3-004 lands; at that
point both sprints archive together.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the bootstrap gap two parallel QA agents surfaced on 2026-04-22:
fresh Authority DBs lacked the `default` tenant row so setup-wizard admin
creation failed with users_tenant_id_fkey and /connect/token returned
invalid_grant. Fix is on the migration path per AGENTS.md §2.7; the init
script stays seeds-only as established in SPRINT_20260422_003.
- New embedded migration 003_seed_default_tenants.sql performs
`INSERT ... ON CONFLICT (tenant_id) DO NOTHING` for `default` and
`installation`. Numeric prefix (not S-prefix) so the migration runner's
Startup category auto-applies it; S-prefix files route to Seed category
which is intentionally manual-only per
StartupMigrationHost.cs:158.
- `default` is strictly required (Authority's
StandardPluginBootstrapper.DefaultTenantId; /internal/users bootstrap
inserts under this FK). `installation` is not Authority-FK-referenced
today but matches the empirical workaround both QA agents converged on
and serves as defense for cross-service inserts that join
authority.tenants.tenant_id.
Fresh-volume verification (docs/qa/authority-default-tenant-20260422/):
1. docker compose down -v (20 volumes removed incl. compose_postgres-data)
2. docker compose up -d — 62 containers, Authority healthy in ~15s.
3. Startup log: applying 001 (144ms) → 002 (13ms) → 003 (7ms).
authority.tenants contains default + installation.
4. POST /api/v1/setup/sessions → 201; database/valkey/migrations prereqs
ran; admin/execute with admin/Admin@Stella2026! → 200 "Bootstrap
administrator 'admin' ensured successfully."
5. POST /connect/token (password, stellaops-cli, ui.admin openid) → 200
+ JWT carrying role=admin, stellaops:tenant=default.
6. docker compose restart authority → "Database is up to date for
Authority." Clean no-op.
Docs: docs/modules/authority/architecture.md §1.1 "Seeded bootstrap
tenants (migration-owned)". Cross-link added to the archived prior
sprint's Decisions & Risks so the lineage is traceable.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two parallel QA agents (fe-qa-006-relsec, fe-qa-007-evidops) independently
hit the same bootstrap bug on 2026-04-22: fresh Authority DBs lack the
`default` tenant row, so setup-wizard Admin creation fails with
users_tenant_id_fkey and admin/connect/token returns invalid_grant.
The gap appeared because SPRINT_20260422_003 (Authority §2.7 compliance,
archived) correctly trimmed 04-authority-schema.sql to "seeds only" — but
the guarded tenant seed runs only when the schema exists at init-script
time, which it doesn't for migration-owned schemas.
Both agents worked around it in-session by manually inserting `default` +
`installation` tenants and calling POST /api/v1/setup/sessions/{id}/
steps/admin/execute. This sprint puts the seed on the migration path so
the fix converges automatically.
Three tasks: add seed migration (AUTH-SEED-001), verify fresh-volume
bootstrap works without manual SQL (AUTH-SEED-002), document the contract
(AUTH-SEED-003).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds provider management control plane for Excititor: contracts, service,
endpoint group, focused tests. Matching plan shipped as
SPRINT_20260422_004_Concelier_full_connector_control_plane.md.
- VexProviderManagementContracts: request/response shapes
- ProviderManagementEndpoints: REST surface under the Excititor WebService
- VexProviderManagementService: business logic + persistence hooks
- ProviderManagementEndpointsTests: focused coverage
- TestAuthentication + csproj wiring updates for the new test surface
Work picked up mid-session; code was already on disk when this commit
series started. Bundling under the new sprint's plan here so the history
shows a coherent feature rather than a stray dirty diff.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes SPRINT_20260421_007 — all 4 tasks DONE. Full Tier 2c behavioral
verification per docs/qa/feature-checks/FLOW.md. 34 assertions, 0 fail,
0 deferred.
FE-QA-EVID-001 — Evidence: 7/7 PASS
/evidence/{overview, audit-log, verify-replay, exports, capsules, proofs,
bundles}. Alias chains to /ops/operations/audit confirmed intentional per
evidence.routes.ts.
FE-QA-OPS-002 — Ops: 8/8 PASS
/ops/operations/{jobengine, feeds-airgap, doctor, audit, notifications,
health-slo, watchlist} + /ops/scripts. Doctor full diagnostics grid
rendered with real data.
FE-QA-SETUP-003 — Setup + Admin: 12 + 7 PASS
Setup: /setup{, /integrations, /trust-signing (+ issuers/keys/certificates
/audit sub-tabs aliased correctly), /identity-providers, /tenant-branding,
/workflows, /ai-preferences, /topology}.
Admin: all /console-admin/{tenants, users, roles, clients, audit, branding,
assistant} preserved console origin under "Console Administration" heading.
FE-QA-EVIDOPS-004 — Retention coverage:
New e2e/routes/sprint-007-evidence-ops-setup-admin.e2e.spec.ts with 27
Playwright assertions covering origin, canonical-or-alias URL, and
identity-matching body text. Uses the existing auth.fixture.ts pattern.
Evidence: docs/qa/feature-checks/runs/web/sprint-007-evidence-ops-setup-admin/
run-001/ (EVIDENCE.md + tier2-ui-check.json + 36 screenshots + verify.mjs).
Authority default-tenant gap (same as FE-QA-REL-001 discovery):
stellaops_authority had zero tenants and zero users; setup wizard admin
bootstrap failed with users_tenant_id_fkey FK violation. Worked around
in-session by inserting `installation` + `default` tenants and calling
POST /api/v1/setup/sessions/{id}/steps/admin/execute. This is the same
bug two parallel agents independently hit — needs a real Authority sprint
to seed `default` through migrations or StandardPluginRegistrar init.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes SPRINT_20260421_006 — all 4 tasks DONE. Full Tier 2c behavioral
verification per docs/qa/feature-checks/FLOW.md. Evidence directories
include per-route screenshots + tier2-ui-check JSON with PASS/FAIL/DEFERRED
assertions.
FE-QA-REL-001 — Release Control: 9/9 PASS
/environments/overview, /releases, /releases/deployments, /releases/bundles,
/releases/promotions, /releases/approvals, /releases/hotfixes,
/releases/investigation/timeline, /releases/workflows
FE-QA-REL-002 — Release Policy: 7/9 PASS, 2 DEFERRED
/ops/policy/{packs, governance, vex, simulation, governance/budget,
governance/profiles, vex/exceptions} — all PASS.
DEFERRED: /ops/policy/governance/audit (redirects to sprint-007-owned
/ops/operations/audit — scope lock), /ops/policy/governance/trust-weights
(tab URL doesn't persist — flagged as follow-up).
FE-QA-SEC-003 — Security: 10/10 effective PASS
Direct PASS: /security{,/images,/risk,/advisory-sources,/findings,
/vulnerabilities,/reachability}
Redirect PASS matching SEC-005/006/007 consolidation contracts:
/security/vex → /ops/policy/vex, /security/artifacts → /triage/artifacts,
/security/exceptions → /ops/policy/vex/exceptions.
FE-QA-RELSEC-004 — Retention coverage:
New e2e/routes/release-security-identity.e2e.spec.ts with 24 route-identity
assertions + 1 Release interaction guard. Uses auth.fixture.ts test-session
so CI does not require live Authority credentials.
Environmental gap surfaced (worked around in-session, NOT a code fix here):
stellaops_authority was missing the `default` tenant row, breaking setup-
wizard Admin bootstrap with FK users_tenant_id_fkey=(default) and causing
admin login to return invalid_grant. Manually seeded `default` into
authority.tenants and finalized the setup session via Platform Setup API.
Should be addressed in a follow-up Authority sprint — the default tenant
seed needs to land in startup migrations or StandardPluginRegistrar init.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the last open task in SPRINT_20260422_003. Persisted operator
enablement is now separated from runtime readiness so credential-gated
sources can show an explicit blocked state instead of collapsing into a
generic failed/disabled shape.
Readiness model:
- new SourceReadiness constants class: Disabled | Unsupported | Blocked | Ready
- ConfiguredAdvisorySourceStatus gains Readiness + BlockedReason alongside
existing SyncState (kept as backward-compatible alias)
- enabled = persisted operator intent (untouched)
- readiness = blocked when persisted-enabled and credentials/URIs missing
- blockedReason = free-form list of missing fields
- blockingReason.errorCode = SOURCE_CONFIG_REQUIRED for structured drill-down
Endpoint propagation:
- /status: persisted enabled=true kept; readiness=blocked; readyForSync=false
- /{id}/enable: 200 with readiness=blocked; sourceRegistry left disabled
until credentials land (pre-existing behaviour retained)
- /{id}/sync: 422 readiness=blocked + SOURCE_CONFIG_REQUIRED;
**connector never invoked**, no job run created
- /sync (batch): per-result outcome=blocked with readiness/errorCode/
blockedReason; excluded from totalTriggered; other sources proceed
- Transition: PUT /{id}/configuration with missing credential →
runtimeOptionsInvalidator.Invalidate → next /status flips to ready.
No disable/re-enable cycle needed.
Tests: 8 targeted xUnit methods via scripts/test-targeted-xunit.ps1,
8/8 pass. Includes: blocked status exposure, blocked-to-ready transition
on persisted credential, connector-not-invoked-when-blocked, plus 4
pre-existing SRC-CREDS-002 regression tests.
Docs:
- docs/modules/concelier/connectors.md — new "Blocked / sleeping
readiness state" section with field contract, per-endpoint behaviour
table, UI/CLI rendering guidance, resolution flow
- docs/modules/cli/guides/commands/db.md — short note under
`db connectors configure` cross-linking the connectors.md contract
Sprint SPRINT_20260422_003 archived — all 5 tasks DONE.
New fields are additive; existing UI types in
source-management.api.ts ignore unknown fields so no UI breakage. A
future FE pass can wire explicit readiness/blockedReason rendering.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bundled pre-session FE work from multiple sprints:
- SPRINT_20260420_003 FE web full-suite stabilization (partial)
- SPRINT_20260420_007 FE local stack reset + UI bootstrap
- SPRINT_20260421_002 FE advisory source consistency and visibility
- SPRINT_20260421_005 FE console route identity (partial)
Touches advisory-vex-sources catalog + API client, secret detection
components + tests, policy-studio, and various features. File-level
granularity preserved for blame.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SPRINT_20260422_001 (Notify compat surface restoration) — closes
NOTIFY-COMPAT-003 final criterion. notify-web rebuilt, 7/7 gateway probes
green post-rebuild (8th returns contracted 501 notify_overrides_not_supported).
Browser replay via direct Node+Playwright driver (MCP bridge rejected the
self-signed cert) confirmed Dashboard/Channels/Quiet Hours/Overrides/
Escalation/Throttle tabs render without runtime-unavailable banners. All 3
tasks DONE.
SPRINT_20260421_003 (Concelier advisory connector runtime alignment) —
all 7 tasks were already DONE before this session; archival is purely
administrative.
Evidence bundle at docs/qa/notify-compat-20260422/ includes EVIDENCE.md,
verify.mjs + verify_with_token.mjs, verify-results.json, and screenshots
for each verified tab.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Brings Authority into §2.7 compliance. Previously AutoMigrate=true was set
in Program.cs but no runner was wired; 001_initial_schema.sql was
non-idempotent so wiring AddStartupMigrations against a pre-bootstrapped
DB crash-looped. Discovered during DEPRECATE-003 when the new drop
migration couldn't apply via Authority's own startup path.
Idempotency fixes in 001_initial_schema.sql:
- CREATE INDEX → CREATE INDEX IF NOT EXISTS (27 indexes)
- CREATE TRIGGER → DROP TRIGGER IF EXISTS + CREATE TRIGGER (3 triggers)
- CREATE POLICY → DROP POLICY IF EXISTS + CREATE POLICY (12 policies)
- CREATE TABLE / FUNCTION (OR REPLACE) / RLS ENABLE / role DO blocks were
already idempotent — left unchanged
Wiring:
- AddStartupMigrations("authority", "Authority", typeof(AuthorityDataSource)
.Assembly) called inside RegisterAuthorityServices (canonical
Signals/Scanner pattern).
- Stale options.AutoMigrate = true + options.MigrationsPath removed from
Program.cs.
- Migrations\_archived\** excluded from the EmbeddedResource glob.
Init script cleanup (migrations own schema authority now):
- 04-authority-schema.sql: 569 lines → 60 lines (schema shells + guarded
default-tenant seed fallback only; all DDL removed)
- 04b-authority-dedicated-schema.sql: same reduction for dedicated DB
Verification sequence — all PASS:
1. Green-field replay: 001 runs twice with zero semantic drift (pg_dump
diff shows only session restrict nonce).
2. Wire against pre-migrated volume: runner applies 001+002 in 209ms, no
crash-loop.
3. Wire + fresh schema: migrates 20 tables from empty in 395ms.
4. Idempotent restart: "Database is up to date", pure no-op.
Sprint SPRINT_20260422_003_Authority_auto_migration_compliance created
and archived in the same pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Per-service audit read endpoints now source their data from
timeline.unified_audit_events instead of local repositories. Closes
DEPRECATE-002 in SPRINT_20260408_005.
New shared abstraction:
- ITimelineAuditQueryClient + HttpTimelineAuditQueryClient in
StellaOps.Audit.Emission, reusing AuditEmission:TimelineBaseUrl and a
named HttpClient "StellaOps.AuditQuery". 6 focused tests.
Endpoints redirected (module=X filter per service):
- Authority ConsoleAdminEndpointExtensions.ListAuditEvents (was a 501 stub)
- Policy Engine + Gateway GovernanceEndpoints (list + by-id, were 501 stubs)
- Notify /api/v1/notify/audit (was INotifyAuditRepository.ListAsync)
- ReleaseOrchestrator AuditEndpoints list / by-id / resource-history /
latest / sequence-range / summary. /verify stays local per Decision #2.
HttpUnifiedAuditEventProvider.GetEventsAsync neutered to empty list +
debug log; per-module legacy polling preserved under [Obsolete]
GetEventsLegacyAsync so CompositeUnifiedAuditEventProvider +
DurableAuditEmissionEndpointTests keep compiling.
Notify Program.cs also carries SPRINT_20260422_001 compat-endpoint wiring
(NotifyAdminCompatEndpoints mapping, INotifySimulationEngine DI, compat
simulation [FromBody]/[FromServices] binding) — bundled here because both
changes live in the same file.
Attestor has no public /audit read endpoint to redirect (write-only
IAttestorAuditSink); documented in sprint as N/A.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. Execution log entry for the SbomService
backfill + Notifier wave E coverage extensions.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-002 (final decoration wave).
Five internal-only SbomService endpoints now emit audit events:
- POST /internal/sbom/events/backfill -> sbom.execute sbom_events_backfill
- POST /internal/sbom/inventory/backfill -> sbom.execute sbom_inventory_backfill
- POST /internal/sbom/resolver-feed/backfill -> sbom.execute sbom_resolver_feed_backfill
- POST /internal/sbom/retention/prune -> sbom.delete sbom_retention_prune
- POST /internal/orchestrator/watermarks -> sbom.update orchestrator_watermark
These are recovery / retention / watermark-manipulation routes that
previously slipped past audit because of their `internal` prefix. They
produce high-value audit events (data mutations that operators run
during incidents) and deserve the same coverage as the user-facing
surface.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. Every per-service audit LIST endpoint
now advertises the Timeline successor link and Sunset 2027-10-19.
Remaining AUDIT-005 criteria (Timeline as SoT, no-data-loss) stay
gated on the 30-day production verification window.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-005 (criterion 1 fully DONE).
- Authority `/console/admin/audit` list endpoint advertises Sunset
2027-10-19 and successor /api/v1/audit/events?modules=authority.
- Policy.Gateway `/api/v1/governance/audit/events` (list + by-id) do
the same with modules=policy; both still honour the PolicyAudit scope.
- EvidenceLocker `/api/v1/evidence/audit` advertises modules=evidencelocker.
- EvidenceLocker csproj picks up the Audit.Emission project reference.
Together with the earlier Notify + ReleaseOrchestrator coverage, every
per-service audit LIST endpoint now emits the RFC-style Sunset /
Deprecation / Link headers pointing at Timeline's unified endpoint.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. Audit dashboard now renders the retention
tile and the log table shows classification / hold / redaction pills
alongside each event. All three criteria checked.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-006 component layer.
audit-log-table:
- New Class. column between Severity and Actor shows the GDPR data
classification pill with module-aware tooltip explaining what each
class means (restricted > sensitive > personal > none).
- Compliance hold pill ("hold") surfaces when complianceHold is true.
- Redaction pill ("redacted") surfaces when piiRedactedAt is set, with
the redaction timestamp in the title attr.
- Detail panel mirrors the three new pieces of metadata as labelled rows.
- formatModule() table extended with the 13 newly-emitting modules.
- Styles for classification/hold/redacted pills reuse the existing status
colour tokens so dark/light themes inherit.
audit-log-dashboard:
- Fetches /api/v1/audit/retention-policies on open (catchError downgrades
to a non-blocking warning banner).
- Renders a per-tenant retention tile above the tabs with a 4-column grid
showing none/personal/sensitive/restricted retention days and a
footnote linking to docs/modules/timeline/audit-retention.
Type-check clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. AUDIT-006 flipped TODO → DOING with the
model + client layer complete for all three criteria (module filter,
classification visibility, retention display). Angular component
renders (badges, overview tile) are a component follow-up since they
live in separate component templates the background agent owns.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-006 (first slice).
- AuditModule union expanded with the 13 modules newly wired for unified
emission during AUDIT-002 waves A/B (graph, concelier, notifier, notify,
binaryindex, exportcenter, issuerdirectory, packsregistry, registry,
router, signer, timeline, evidencelocker).
- New AuditDataClassification type + optional AuditEvent.dataClassification,
complianceHold, and piiRedactedAt fields surface the AUDIT-004 state so
the dashboard can render classification badges and retention context.
- New AuditRetentionPolicies interface paired with
AuditLogClient.getRetentionPolicies() hitting Timeline's
/api/v1/audit/retention-policies endpoint for the retention display.
- AuditLogClient.redactActorPii() wraps the DELETE
/api/v1/audit/actors/{actorId}/pii endpoint for GDPR right-to-erasure.
- endpoints dictionary updated: new modules prefer the unified
/api/v1/audit/events endpoint as the fallback path, with tagged
module= query strings so operators can still slice by service.
Type-check clean. Table/dashboard component updates to render badges
follow in a later commit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. First criterion of AUDIT-005 met: two
per-service audit list endpoints now advertise Sunset/Deprecation/Link
headers pointing at Timeline's unified endpoint. Remaining two criteria
are gated on the 30-day production verification window.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprints SPRINT_20260408_004 AUDIT-005 + SPRINT_20260408_005
DEPRECATE-002 (early, non-waiting half).
- StellaOps.Audit.Emission gains a `DeprecatedAuditEndpoint` helper:
.DeprecatedForTimeline(sunset, successorLink) + a
DeprecationHeaderEndpointFilter that writes RFC-style Sunset,
Deprecation, and Link: <successor>; rel="successor-version" headers.
- Notify GET /api/v1/notify/audit + ReleaseOrchestrator
GET /api/v1/release-orchestrator/audit now advertise Sunset
2027-10-19 and link to /api/v1/audit/events?modules={notify|jobengine}.
Chain-verify / summary / single-entry lookups on ReleaseOrchestrator
are intentionally NOT deprecated — they serve service-level chain-of-
custody evidence (sprint Decision 2) that the unified store cannot
replace.
Both services build clean. Remaining per-service deprecation headers
(Authority /console/admin/audit, Policy /governance/audit/events,
EvidenceLocker /evidence/audit) follow the same pattern and can land
as a wave when those endpoints are touched for other reasons.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. 2 of 3 criteria DONE: Timeline event pull
and chain-verification certificate are now included in AuditBundles.
DSSE manifest signing deferred as a follow-up (cross-service signer
handshake scope).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-007 backend half.
- ITimelineAuditSource + HttpTimelineAuditSource talk to Timeline's
/api/v1/audit/events with pagination, tenant header forwarding, and a
hard MaxPages cap (default 200 ≈ 100k events). GetChainProofAsync
pulls /api/v1/audit/verify-chain for the bundle manifest.
- AuditBundleContentSelection gains an AuditEvents flag (default true)
and BundleSubjectRefDto gains a TenantId so the handler can route.
- AuditBundleJobHandler, when AuditEvents is selected and the source is
registered, writes NDJSON events to audit/events.ndjson and a chain
proof to audit/chain-proof.json, adds both as AUDIT_EVENTS /
AUDIT_CHAIN_PROOF artifacts with sha256 digests; failures are logged
and do not abort the bundle.
- AddTimelineAuditBundleSource DI helper binds to the
ExportCenter:TimelineAudit config section; the truthful runtime
registers it alongside the existing in-memory job handler.
Remaining AUDIT-007 work: DSSE-sign the audit bundle manifest via
Attestor integration — separate sprint because it requires cross-service
signer handshake.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004 reaches DONE with migration 005,
AuditDataClassifier (16 tests), RedactActorPiiAsync + DELETE endpoint,
AuditRetentionPurgeService, docs/modules/timeline/audit-retention.md,
and the new TimelineAuditRetentionCheck Doctor plugin all shipped.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004 — finishes the Doctor-side
completion criterion.
- Timeline: new GET /api/v1/audit/retention-policies endpoint returns
the effective retention window in days per classification for the
caller's tenant, with platform-default fallback applied via the
existing resolve_audit_retention_days SQL function.
- PostgresUnifiedAuditEventStore.GetRetentionPoliciesAsync queries the
function once per classification (none/personal/sensitive/restricted).
- Doctor Compliance plugin: new TimelineAuditRetentionCheck hits the
endpoint, compares each bucket against minimums
(none/personal ≥180d, sensitive ≥365d, restricted ≥1095d) and
warns with remediation steps when a tenant override drops too low.
Pairs with the existing AuditReadinessCheck but focuses on the
unified-store retention side.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004 documentation criterion.
docs/modules/timeline/audit-retention.md covers:
- Four-rung classification ladder and the "narrowest wins" rule
- Retention table structure, platform defaults, per-tenant overrides,
and legal holds via compliance_hold
- AuditRetentionPurgeService config + operator recommendations
- Right-to-erasure endpoint contract, hash-chain integrity guarantees,
and the idempotency semantics via pii_redacted_at
- Sequence-chain gap behaviour after purge and how chain verification
should window its checks
- Compliance checklist for operators
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. AUDIT-004 flipped TODO → DOING with the
first three completion criteria checked. Migration 005, classifier,
retention purge host, and right-to-erasure endpoint all shipped across
commits 44c0e2b34..AUDIT-004 (migration + store + endpoint) and the
purge background host. Docs dossier + Doctor check deferred.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004 (retention enforcement).
AuditRetentionPurgeService BackgroundService enumerates tenants that
have any rows in timeline.unified_audit_events, then calls
timeline.purge_expired_audit_events(tenantId, dryRun) per tenant.
The SQL function honours per-classification retention windows and the
compliance_hold flag (legal holds pass through unaffected).
AuditRetentionPurgeOptions bound from the AuditRetentionPurge config
section: Enabled (default true), DryRun (default false), InitialDelay
(default 5 min), Interval (default 6h). Failures on a single tenant
are logged and do not stop the rest of the cycle.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004.
Schema (migration 005_audit_data_classification_retention.sql):
- ALTER timeline.unified_audit_events adds data_classification
(none|personal|sensitive|restricted, default 'none'), compliance_hold
(default false, exempts from purge), pii_redacted_at (null until
right-to-erasure redaction).
- New timeline.audit_retention_policies table holds per-tenant /
per-classification retention windows; seed row tenant_id='*' = platform
default (none/personal=365d, sensitive=730d, restricted=2555d ≈ 7y).
- Function resolve_audit_retention_days falls back tenant→platform→365d.
- Function purge_expired_audit_events iterates classes, honours
compliance_hold, supports dry-run counting.
- Function redact_actor_pii replaces actor_email/actor_ip/actor_user_agent
(+actor_name for personal/sensitive rows) with '[REDACTED]', preserves
actor_id so the content_hash chain stays intact.
Code:
- AuditDataClassifier implements the none/personal/sensitive/restricted
ladder: restricted (signer+attestor key/ceremony ops, cross-module
key_escrow actions) > sensitive (authority auth-protocol events) >
personal (actor email/ip/user_agent present). 16/16 unit tests pass.
- PostgresUnifiedAuditEventStore inserts include data_classification,
defaulting to AuditDataClassifier.Classify() when the payload's
precomputed value is absent. New RedactActorPiiAsync delegates to the
SQL function.
- UnifiedAuditEvent record gets an optional DataClassification property
so services that already classify events can bypass auto-classification.
- DELETE /api/v1/audit/actors/{actorId}/pii endpoint exposes
right-to-erasure, scoped to the new Timeline.Admin policy backed by
the timeline:admin scope (StellaOpsScopes.TimelineAdmin).
Remaining AUDIT-004 work: scheduled background purge host, Doctor
AuditReadinessCheck update to verify retention config, UI badges.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_005 DEPRECATE-001 (JobEngine/ReleaseOrchestrator,
fifth service).
PostgresAuditRepository.AppendAsync now fans out to Timeline via the
optional IAuditEventEmitter after the local transaction commits. The
hash chain (content_hash, previous_entry_hash, sequence_number) stays
in the local audit_entries table as service-level chain-of-custody
evidence; Timeline receives only the summary event for cross-service
correlation, with the content hash surfaced as a detail field.
Same pattern as Authority/Policy/Notify/Scheduler dual-write:
fire-and-forget, optional DI, local write stays authoritative.
Remaining: Attestor dual-write (existing audit is already decorated
with .Audited() on endpoints — verifying the attestor audit log insert
path needs separate review).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
