Continues the SPRINT_20260422_004_Concelier_full_connector_control_plane
feature stream started in commit 5c1b59580 (Excititor provider management
endpoints + contracts + service + tests). Adds the CLI + Web surfaces on
top of that backend.
CLI (src/Cli/**):
- CommandHandlers + BackendOperationsClient extended with provider
management calls
- ExcititorProviderSummary model added to the CLI's service models
- NonCoreCliCommandModule wires the new commands; tests updated
- TASKS.md entries synced
Web console (src/Web/StellaOps.Web/**):
- New vex-provider-catalog.component + vex-provider-management.api client
- advisory-source-catalog + advisory-vex-route-helpers extended to route
users to the new VEX provider surface
- integration-hub.routes.ts registers the new route
- security-disposition-page.component.ts updated for the flow
Excititor/Concelier docs + contracts:
- docs/modules/excititor/operations/provider-control-plane.md — operator
guide for the new control plane
- docs/modules/excititor/README.md + docs/modules/concelier/{README,
connectors}.md — cross-links + refs
- ConfiguredAdvisorySourceService.cs — additional provider plumbing
- StellaOps.Excititor.WebService/TASKS.md synced
Sprint doc (docs/implplan/SPRINT_20260422_004_*.md) reflects the
in-flight progress.
This is external-stream work picked up during the 2026-04-22 session's
closeout — bundling it now so the working tree is clean and main stays
in sync with local feature-branch state.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Companion to commit 4fea1ec72. That commit shipped the ProxyZone bootstrap
that unblocked ~450 fakeAsync specs but three residual failure families
remain, exceeding SPRINT_20260420_003's closeout window:
1. FE-STAB3-001 — signal-input JIT NG0303/NG0950 across setup-wizard,
deploy-diff, sbom-diff, evidence-drawer, verdict-proof-panel, etc.
2. FE-STAB3-002 — TestBed lifecycle/provider drift (e.g.
findings-container missing SCORING_API).
3. FE-STAB3-003 — expectation drift (e.g. simulation-history selectors).
4. FE-STAB3-004 — full-suite green + parent sprint archival.
Each family is per-spec repair, not shared infra. Sprint 20260420_003
stays open with its two BLOCKED tasks until FE-STAB3-004 lands; at that
point both sprints archive together.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the bootstrap gap two parallel QA agents surfaced on 2026-04-22:
fresh Authority DBs lacked the `default` tenant row so setup-wizard admin
creation failed with users_tenant_id_fkey and /connect/token returned
invalid_grant. Fix is on the migration path per AGENTS.md §2.7; the init
script stays seeds-only as established in SPRINT_20260422_003.
- New embedded migration 003_seed_default_tenants.sql performs
`INSERT ... ON CONFLICT (tenant_id) DO NOTHING` for `default` and
`installation`. Numeric prefix (not S-prefix) so the migration runner's
Startup category auto-applies it; S-prefix files route to Seed category
which is intentionally manual-only per
StartupMigrationHost.cs:158.
- `default` is strictly required (Authority's
StandardPluginBootstrapper.DefaultTenantId; /internal/users bootstrap
inserts under this FK). `installation` is not Authority-FK-referenced
today but matches the empirical workaround both QA agents converged on
and serves as defense for cross-service inserts that join
authority.tenants.tenant_id.
Fresh-volume verification (docs/qa/authority-default-tenant-20260422/):
1. docker compose down -v (20 volumes removed incl. compose_postgres-data)
2. docker compose up -d — 62 containers, Authority healthy in ~15s.
3. Startup log: applying 001 (144ms) → 002 (13ms) → 003 (7ms).
authority.tenants contains default + installation.
4. POST /api/v1/setup/sessions → 201; database/valkey/migrations prereqs
ran; admin/execute with admin/Admin@Stella2026! → 200 "Bootstrap
administrator 'admin' ensured successfully."
5. POST /connect/token (password, stellaops-cli, ui.admin openid) → 200
+ JWT carrying role=admin, stellaops:tenant=default.
6. docker compose restart authority → "Database is up to date for
Authority." Clean no-op.
Docs: docs/modules/authority/architecture.md §1.1 "Seeded bootstrap
tenants (migration-owned)". Cross-link added to the archived prior
sprint's Decisions & Risks so the lineage is traceable.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two parallel QA agents (fe-qa-006-relsec, fe-qa-007-evidops) independently
hit the same bootstrap bug on 2026-04-22: fresh Authority DBs lack the
`default` tenant row, so setup-wizard Admin creation fails with
users_tenant_id_fkey and admin/connect/token returns invalid_grant.
The gap appeared because SPRINT_20260422_003 (Authority §2.7 compliance,
archived) correctly trimmed 04-authority-schema.sql to "seeds only" — but
the guarded tenant seed runs only when the schema exists at init-script
time, which it doesn't for migration-owned schemas.
Both agents worked around it in-session by manually inserting `default` +
`installation` tenants and calling POST /api/v1/setup/sessions/{id}/
steps/admin/execute. This sprint puts the seed on the migration path so
the fix converges automatically.
Three tasks: add seed migration (AUTH-SEED-001), verify fresh-volume
bootstrap works without manual SQL (AUTH-SEED-002), document the contract
(AUTH-SEED-003).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds provider management control plane for Excititor: contracts, service,
endpoint group, focused tests. Matching plan shipped as
SPRINT_20260422_004_Concelier_full_connector_control_plane.md.
- VexProviderManagementContracts: request/response shapes
- ProviderManagementEndpoints: REST surface under the Excititor WebService
- VexProviderManagementService: business logic + persistence hooks
- ProviderManagementEndpointsTests: focused coverage
- TestAuthentication + csproj wiring updates for the new test surface
Work picked up mid-session; code was already on disk when this commit
series started. Bundling under the new sprint's plan here so the history
shows a coherent feature rather than a stray dirty diff.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes SPRINT_20260421_007 — all 4 tasks DONE. Full Tier 2c behavioral
verification per docs/qa/feature-checks/FLOW.md. 34 assertions, 0 fail,
0 deferred.
FE-QA-EVID-001 — Evidence: 7/7 PASS
/evidence/{overview, audit-log, verify-replay, exports, capsules, proofs,
bundles}. Alias chains to /ops/operations/audit confirmed intentional per
evidence.routes.ts.
FE-QA-OPS-002 — Ops: 8/8 PASS
/ops/operations/{jobengine, feeds-airgap, doctor, audit, notifications,
health-slo, watchlist} + /ops/scripts. Doctor full diagnostics grid
rendered with real data.
FE-QA-SETUP-003 — Setup + Admin: 12 + 7 PASS
Setup: /setup{, /integrations, /trust-signing (+ issuers/keys/certificates
/audit sub-tabs aliased correctly), /identity-providers, /tenant-branding,
/workflows, /ai-preferences, /topology}.
Admin: all /console-admin/{tenants, users, roles, clients, audit, branding,
assistant} preserved console origin under "Console Administration" heading.
FE-QA-EVIDOPS-004 — Retention coverage:
New e2e/routes/sprint-007-evidence-ops-setup-admin.e2e.spec.ts with 27
Playwright assertions covering origin, canonical-or-alias URL, and
identity-matching body text. Uses the existing auth.fixture.ts pattern.
Evidence: docs/qa/feature-checks/runs/web/sprint-007-evidence-ops-setup-admin/
run-001/ (EVIDENCE.md + tier2-ui-check.json + 36 screenshots + verify.mjs).
Authority default-tenant gap (same as FE-QA-REL-001 discovery):
stellaops_authority had zero tenants and zero users; setup wizard admin
bootstrap failed with users_tenant_id_fkey FK violation. Worked around
in-session by inserting `installation` + `default` tenants and calling
POST /api/v1/setup/sessions/{id}/steps/admin/execute. This is the same
bug two parallel agents independently hit — needs a real Authority sprint
to seed `default` through migrations or StandardPluginRegistrar init.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes SPRINT_20260421_006 — all 4 tasks DONE. Full Tier 2c behavioral
verification per docs/qa/feature-checks/FLOW.md. Evidence directories
include per-route screenshots + tier2-ui-check JSON with PASS/FAIL/DEFERRED
assertions.
FE-QA-REL-001 — Release Control: 9/9 PASS
/environments/overview, /releases, /releases/deployments, /releases/bundles,
/releases/promotions, /releases/approvals, /releases/hotfixes,
/releases/investigation/timeline, /releases/workflows
FE-QA-REL-002 — Release Policy: 7/9 PASS, 2 DEFERRED
/ops/policy/{packs, governance, vex, simulation, governance/budget,
governance/profiles, vex/exceptions} — all PASS.
DEFERRED: /ops/policy/governance/audit (redirects to sprint-007-owned
/ops/operations/audit — scope lock), /ops/policy/governance/trust-weights
(tab URL doesn't persist — flagged as follow-up).
FE-QA-SEC-003 — Security: 10/10 effective PASS
Direct PASS: /security{,/images,/risk,/advisory-sources,/findings,
/vulnerabilities,/reachability}
Redirect PASS matching SEC-005/006/007 consolidation contracts:
/security/vex → /ops/policy/vex, /security/artifacts → /triage/artifacts,
/security/exceptions → /ops/policy/vex/exceptions.
FE-QA-RELSEC-004 — Retention coverage:
New e2e/routes/release-security-identity.e2e.spec.ts with 24 route-identity
assertions + 1 Release interaction guard. Uses auth.fixture.ts test-session
so CI does not require live Authority credentials.
Environmental gap surfaced (worked around in-session, NOT a code fix here):
stellaops_authority was missing the `default` tenant row, breaking setup-
wizard Admin bootstrap with FK users_tenant_id_fkey=(default) and causing
admin login to return invalid_grant. Manually seeded `default` into
authority.tenants and finalized the setup session via Platform Setup API.
Should be addressed in a follow-up Authority sprint — the default tenant
seed needs to land in startup migrations or StandardPluginRegistrar init.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the last open task in SPRINT_20260422_003. Persisted operator
enablement is now separated from runtime readiness so credential-gated
sources can show an explicit blocked state instead of collapsing into a
generic failed/disabled shape.
Readiness model:
- new SourceReadiness constants class: Disabled | Unsupported | Blocked | Ready
- ConfiguredAdvisorySourceStatus gains Readiness + BlockedReason alongside
existing SyncState (kept as backward-compatible alias)
- enabled = persisted operator intent (untouched)
- readiness = blocked when persisted-enabled and credentials/URIs missing
- blockedReason = free-form list of missing fields
- blockingReason.errorCode = SOURCE_CONFIG_REQUIRED for structured drill-down
Endpoint propagation:
- /status: persisted enabled=true kept; readiness=blocked; readyForSync=false
- /{id}/enable: 200 with readiness=blocked; sourceRegistry left disabled
until credentials land (pre-existing behaviour retained)
- /{id}/sync: 422 readiness=blocked + SOURCE_CONFIG_REQUIRED;
**connector never invoked**, no job run created
- /sync (batch): per-result outcome=blocked with readiness/errorCode/
blockedReason; excluded from totalTriggered; other sources proceed
- Transition: PUT /{id}/configuration with missing credential →
runtimeOptionsInvalidator.Invalidate → next /status flips to ready.
No disable/re-enable cycle needed.
Tests: 8 targeted xUnit methods via scripts/test-targeted-xunit.ps1,
8/8 pass. Includes: blocked status exposure, blocked-to-ready transition
on persisted credential, connector-not-invoked-when-blocked, plus 4
pre-existing SRC-CREDS-002 regression tests.
Docs:
- docs/modules/concelier/connectors.md — new "Blocked / sleeping
readiness state" section with field contract, per-endpoint behaviour
table, UI/CLI rendering guidance, resolution flow
- docs/modules/cli/guides/commands/db.md — short note under
`db connectors configure` cross-linking the connectors.md contract
Sprint SPRINT_20260422_003 archived — all 5 tasks DONE.
New fields are additive; existing UI types in
source-management.api.ts ignore unknown fields so no UI breakage. A
future FE pass can wire explicit readiness/blockedReason rendering.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bundled pre-session FE work from multiple sprints:
- SPRINT_20260420_003 FE web full-suite stabilization (partial)
- SPRINT_20260420_007 FE local stack reset + UI bootstrap
- SPRINT_20260421_002 FE advisory source consistency and visibility
- SPRINT_20260421_005 FE console route identity (partial)
Touches advisory-vex-sources catalog + API client, secret detection
components + tests, policy-studio, and various features. File-level
granularity preserved for blame.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SPRINT_20260422_001 (Notify compat surface restoration) — closes
NOTIFY-COMPAT-003 final criterion. notify-web rebuilt, 7/7 gateway probes
green post-rebuild (8th returns contracted 501 notify_overrides_not_supported).
Browser replay via direct Node+Playwright driver (MCP bridge rejected the
self-signed cert) confirmed Dashboard/Channels/Quiet Hours/Overrides/
Escalation/Throttle tabs render without runtime-unavailable banners. All 3
tasks DONE.
SPRINT_20260421_003 (Concelier advisory connector runtime alignment) —
all 7 tasks were already DONE before this session; archival is purely
administrative.
Evidence bundle at docs/qa/notify-compat-20260422/ includes EVIDENCE.md,
verify.mjs + verify_with_token.mjs, verify-results.json, and screenshots
for each verified tab.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Brings Authority into §2.7 compliance. Previously AutoMigrate=true was set
in Program.cs but no runner was wired; 001_initial_schema.sql was
non-idempotent so wiring AddStartupMigrations against a pre-bootstrapped
DB crash-looped. Discovered during DEPRECATE-003 when the new drop
migration couldn't apply via Authority's own startup path.
Idempotency fixes in 001_initial_schema.sql:
- CREATE INDEX → CREATE INDEX IF NOT EXISTS (27 indexes)
- CREATE TRIGGER → DROP TRIGGER IF EXISTS + CREATE TRIGGER (3 triggers)
- CREATE POLICY → DROP POLICY IF EXISTS + CREATE POLICY (12 policies)
- CREATE TABLE / FUNCTION (OR REPLACE) / RLS ENABLE / role DO blocks were
already idempotent — left unchanged
Wiring:
- AddStartupMigrations("authority", "Authority", typeof(AuthorityDataSource)
.Assembly) called inside RegisterAuthorityServices (canonical
Signals/Scanner pattern).
- Stale options.AutoMigrate = true + options.MigrationsPath removed from
Program.cs.
- Migrations\_archived\** excluded from the EmbeddedResource glob.
Init script cleanup (migrations own schema authority now):
- 04-authority-schema.sql: 569 lines → 60 lines (schema shells + guarded
default-tenant seed fallback only; all DDL removed)
- 04b-authority-dedicated-schema.sql: same reduction for dedicated DB
Verification sequence — all PASS:
1. Green-field replay: 001 runs twice with zero semantic drift (pg_dump
diff shows only session restrict nonce).
2. Wire against pre-migrated volume: runner applies 001+002 in 209ms, no
crash-loop.
3. Wire + fresh schema: migrates 20 tables from empty in 395ms.
4. Idempotent restart: "Database is up to date", pure no-op.
Sprint SPRINT_20260422_003_Authority_auto_migration_compliance created
and archived in the same pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Per-service audit read endpoints now source their data from
timeline.unified_audit_events instead of local repositories. Closes
DEPRECATE-002 in SPRINT_20260408_005.
New shared abstraction:
- ITimelineAuditQueryClient + HttpTimelineAuditQueryClient in
StellaOps.Audit.Emission, reusing AuditEmission:TimelineBaseUrl and a
named HttpClient "StellaOps.AuditQuery". 6 focused tests.
Endpoints redirected (module=X filter per service):
- Authority ConsoleAdminEndpointExtensions.ListAuditEvents (was a 501 stub)
- Policy Engine + Gateway GovernanceEndpoints (list + by-id, were 501 stubs)
- Notify /api/v1/notify/audit (was INotifyAuditRepository.ListAsync)
- ReleaseOrchestrator AuditEndpoints list / by-id / resource-history /
latest / sequence-range / summary. /verify stays local per Decision #2.
HttpUnifiedAuditEventProvider.GetEventsAsync neutered to empty list +
debug log; per-module legacy polling preserved under [Obsolete]
GetEventsLegacyAsync so CompositeUnifiedAuditEventProvider +
DurableAuditEmissionEndpointTests keep compiling.
Notify Program.cs also carries SPRINT_20260422_001 compat-endpoint wiring
(NotifyAdminCompatEndpoints mapping, INotifySimulationEngine DI, compat
simulation [FromBody]/[FromServices] binding) — bundled here because both
changes live in the same file.
Attestor has no public /audit read endpoint to redirect (write-only
IAttestorAuditSink); documented in sprint as N/A.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. Execution log entry for the SbomService
backfill + Notifier wave E coverage extensions.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-002 (final decoration wave).
Five internal-only SbomService endpoints now emit audit events:
- POST /internal/sbom/events/backfill -> sbom.execute sbom_events_backfill
- POST /internal/sbom/inventory/backfill -> sbom.execute sbom_inventory_backfill
- POST /internal/sbom/resolver-feed/backfill -> sbom.execute sbom_resolver_feed_backfill
- POST /internal/sbom/retention/prune -> sbom.delete sbom_retention_prune
- POST /internal/orchestrator/watermarks -> sbom.update orchestrator_watermark
These are recovery / retention / watermark-manipulation routes that
previously slipped past audit because of their `internal` prefix. They
produce high-value audit events (data mutations that operators run
during incidents) and deserve the same coverage as the user-facing
surface.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. Every per-service audit LIST endpoint
now advertises the Timeline successor link and Sunset 2027-10-19.
Remaining AUDIT-005 criteria (Timeline as SoT, no-data-loss) stay
gated on the 30-day production verification window.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-005 (criterion 1 fully DONE).
- Authority `/console/admin/audit` list endpoint advertises Sunset
2027-10-19 and successor /api/v1/audit/events?modules=authority.
- Policy.Gateway `/api/v1/governance/audit/events` (list + by-id) do
the same with modules=policy; both still honour the PolicyAudit scope.
- EvidenceLocker `/api/v1/evidence/audit` advertises modules=evidencelocker.
- EvidenceLocker csproj picks up the Audit.Emission project reference.
Together with the earlier Notify + ReleaseOrchestrator coverage, every
per-service audit LIST endpoint now emits the RFC-style Sunset /
Deprecation / Link headers pointing at Timeline's unified endpoint.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. Audit dashboard now renders the retention
tile and the log table shows classification / hold / redaction pills
alongside each event. All three criteria checked.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-006 component layer.
audit-log-table:
- New Class. column between Severity and Actor shows the GDPR data
classification pill with module-aware tooltip explaining what each
class means (restricted > sensitive > personal > none).
- Compliance hold pill ("hold") surfaces when complianceHold is true.
- Redaction pill ("redacted") surfaces when piiRedactedAt is set, with
the redaction timestamp in the title attr.
- Detail panel mirrors the three new pieces of metadata as labelled rows.
- formatModule() table extended with the 13 newly-emitting modules.
- Styles for classification/hold/redacted pills reuse the existing status
colour tokens so dark/light themes inherit.
audit-log-dashboard:
- Fetches /api/v1/audit/retention-policies on open (catchError downgrades
to a non-blocking warning banner).
- Renders a per-tenant retention tile above the tabs with a 4-column grid
showing none/personal/sensitive/restricted retention days and a
footnote linking to docs/modules/timeline/audit-retention.
Type-check clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. AUDIT-006 flipped TODO → DOING with the
model + client layer complete for all three criteria (module filter,
classification visibility, retention display). Angular component
renders (badges, overview tile) are a component follow-up since they
live in separate component templates the background agent owns.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-006 (first slice).
- AuditModule union expanded with the 13 modules newly wired for unified
emission during AUDIT-002 waves A/B (graph, concelier, notifier, notify,
binaryindex, exportcenter, issuerdirectory, packsregistry, registry,
router, signer, timeline, evidencelocker).
- New AuditDataClassification type + optional AuditEvent.dataClassification,
complianceHold, and piiRedactedAt fields surface the AUDIT-004 state so
the dashboard can render classification badges and retention context.
- New AuditRetentionPolicies interface paired with
AuditLogClient.getRetentionPolicies() hitting Timeline's
/api/v1/audit/retention-policies endpoint for the retention display.
- AuditLogClient.redactActorPii() wraps the DELETE
/api/v1/audit/actors/{actorId}/pii endpoint for GDPR right-to-erasure.
- endpoints dictionary updated: new modules prefer the unified
/api/v1/audit/events endpoint as the fallback path, with tagged
module= query strings so operators can still slice by service.
Type-check clean. Table/dashboard component updates to render badges
follow in a later commit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. First criterion of AUDIT-005 met: two
per-service audit list endpoints now advertise Sunset/Deprecation/Link
headers pointing at Timeline's unified endpoint. Remaining two criteria
are gated on the 30-day production verification window.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprints SPRINT_20260408_004 AUDIT-005 + SPRINT_20260408_005
DEPRECATE-002 (early, non-waiting half).
- StellaOps.Audit.Emission gains a `DeprecatedAuditEndpoint` helper:
.DeprecatedForTimeline(sunset, successorLink) + a
DeprecationHeaderEndpointFilter that writes RFC-style Sunset,
Deprecation, and Link: <successor>; rel="successor-version" headers.
- Notify GET /api/v1/notify/audit + ReleaseOrchestrator
GET /api/v1/release-orchestrator/audit now advertise Sunset
2027-10-19 and link to /api/v1/audit/events?modules={notify|jobengine}.
Chain-verify / summary / single-entry lookups on ReleaseOrchestrator
are intentionally NOT deprecated — they serve service-level chain-of-
custody evidence (sprint Decision 2) that the unified store cannot
replace.
Both services build clean. Remaining per-service deprecation headers
(Authority /console/admin/audit, Policy /governance/audit/events,
EvidenceLocker /evidence/audit) follow the same pattern and can land
as a wave when those endpoints are touched for other reasons.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. 2 of 3 criteria DONE: Timeline event pull
and chain-verification certificate are now included in AuditBundles.
DSSE manifest signing deferred as a follow-up (cross-service signer
handshake scope).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-007 backend half.
- ITimelineAuditSource + HttpTimelineAuditSource talk to Timeline's
/api/v1/audit/events with pagination, tenant header forwarding, and a
hard MaxPages cap (default 200 ≈ 100k events). GetChainProofAsync
pulls /api/v1/audit/verify-chain for the bundle manifest.
- AuditBundleContentSelection gains an AuditEvents flag (default true)
and BundleSubjectRefDto gains a TenantId so the handler can route.
- AuditBundleJobHandler, when AuditEvents is selected and the source is
registered, writes NDJSON events to audit/events.ndjson and a chain
proof to audit/chain-proof.json, adds both as AUDIT_EVENTS /
AUDIT_CHAIN_PROOF artifacts with sha256 digests; failures are logged
and do not abort the bundle.
- AddTimelineAuditBundleSource DI helper binds to the
ExportCenter:TimelineAudit config section; the truthful runtime
registers it alongside the existing in-memory job handler.
Remaining AUDIT-007 work: DSSE-sign the audit bundle manifest via
Attestor integration — separate sprint because it requires cross-service
signer handshake.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004 reaches DONE with migration 005,
AuditDataClassifier (16 tests), RedactActorPiiAsync + DELETE endpoint,
AuditRetentionPurgeService, docs/modules/timeline/audit-retention.md,
and the new TimelineAuditRetentionCheck Doctor plugin all shipped.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004 — finishes the Doctor-side
completion criterion.
- Timeline: new GET /api/v1/audit/retention-policies endpoint returns
the effective retention window in days per classification for the
caller's tenant, with platform-default fallback applied via the
existing resolve_audit_retention_days SQL function.
- PostgresUnifiedAuditEventStore.GetRetentionPoliciesAsync queries the
function once per classification (none/personal/sensitive/restricted).
- Doctor Compliance plugin: new TimelineAuditRetentionCheck hits the
endpoint, compares each bucket against minimums
(none/personal ≥180d, sensitive ≥365d, restricted ≥1095d) and
warns with remediation steps when a tenant override drops too low.
Pairs with the existing AuditReadinessCheck but focuses on the
unified-store retention side.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004 documentation criterion.
docs/modules/timeline/audit-retention.md covers:
- Four-rung classification ladder and the "narrowest wins" rule
- Retention table structure, platform defaults, per-tenant overrides,
and legal holds via compliance_hold
- AuditRetentionPurgeService config + operator recommendations
- Right-to-erasure endpoint contract, hash-chain integrity guarantees,
and the idempotency semantics via pii_redacted_at
- Sequence-chain gap behaviour after purge and how chain verification
should window its checks
- Compliance checklist for operators
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. AUDIT-004 flipped TODO → DOING with the
first three completion criteria checked. Migration 005, classifier,
retention purge host, and right-to-erasure endpoint all shipped across
commits 44c0e2b34..AUDIT-004 (migration + store + endpoint) and the
purge background host. Docs dossier + Doctor check deferred.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004 (retention enforcement).
AuditRetentionPurgeService BackgroundService enumerates tenants that
have any rows in timeline.unified_audit_events, then calls
timeline.purge_expired_audit_events(tenantId, dryRun) per tenant.
The SQL function honours per-classification retention windows and the
compliance_hold flag (legal holds pass through unaffected).
AuditRetentionPurgeOptions bound from the AuditRetentionPurge config
section: Enabled (default true), DryRun (default false), InitialDelay
(default 5 min), Interval (default 6h). Failures on a single tenant
are logged and do not stop the rest of the cycle.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 AUDIT-004.
Schema (migration 005_audit_data_classification_retention.sql):
- ALTER timeline.unified_audit_events adds data_classification
(none|personal|sensitive|restricted, default 'none'), compliance_hold
(default false, exempts from purge), pii_redacted_at (null until
right-to-erasure redaction).
- New timeline.audit_retention_policies table holds per-tenant /
per-classification retention windows; seed row tenant_id='*' = platform
default (none/personal=365d, sensitive=730d, restricted=2555d ≈ 7y).
- Function resolve_audit_retention_days falls back tenant→platform→365d.
- Function purge_expired_audit_events iterates classes, honours
compliance_hold, supports dry-run counting.
- Function redact_actor_pii replaces actor_email/actor_ip/actor_user_agent
(+actor_name for personal/sensitive rows) with '[REDACTED]', preserves
actor_id so the content_hash chain stays intact.
Code:
- AuditDataClassifier implements the none/personal/sensitive/restricted
ladder: restricted (signer+attestor key/ceremony ops, cross-module
key_escrow actions) > sensitive (authority auth-protocol events) >
personal (actor email/ip/user_agent present). 16/16 unit tests pass.
- PostgresUnifiedAuditEventStore inserts include data_classification,
defaulting to AuditDataClassifier.Classify() when the payload's
precomputed value is absent. New RedactActorPiiAsync delegates to the
SQL function.
- UnifiedAuditEvent record gets an optional DataClassification property
so services that already classify events can bypass auto-classification.
- DELETE /api/v1/audit/actors/{actorId}/pii endpoint exposes
right-to-erasure, scoped to the new Timeline.Admin policy backed by
the timeline:admin scope (StellaOpsScopes.TimelineAdmin).
Remaining AUDIT-004 work: scheduled background purge host, Doctor
AuditReadinessCheck update to verify retention config, UI badges.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_005 DEPRECATE-001 (JobEngine/ReleaseOrchestrator,
fifth service).
PostgresAuditRepository.AppendAsync now fans out to Timeline via the
optional IAuditEventEmitter after the local transaction commits. The
hash chain (content_hash, previous_entry_hash, sequence_number) stays
in the local audit_entries table as service-level chain-of-custody
evidence; Timeline receives only the summary event for cross-service
correlation, with the content hash surfaced as a detail field.
Same pattern as Authority/Policy/Notify/Scheduler dual-write:
fire-and-forget, optional DI, local write stays authoritative.
Remaining: Attestor dual-write (existing audit is already decorated
with .Audited() on endpoints — verifying the attestor audit log insert
path needs separate review).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_005 DEPRECATE-001 (Scheduler, fourth service).
PostgresSchedulerAuditService.WriteAsync now fans out to Timeline
via the optional IAuditEventEmitter after the local scheduler.audit
row insert. Fire-and-forget, same pattern as Authority/Policy/Notify.
AuditActor is mapped to actor.{id, name, type} with kind -> type,
ActorId -> id, DisplayName -> name. Metadata tuples flatten as
`metadata.{key}` fields in Details. ScheduleId/RunId included.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_005 DEPRECATE-001 (Notify, third service).
Same pattern as Authority + Policy dual-write: NotifyAuditRepository
now fans out to Timeline via the optional IAuditEventEmitter.
Fire-and-forget; local write stays authoritative.
Remaining DEPRECATE-001 services: Scheduler (ISchedulerAuditService),
JobEngine/ReleaseOrchestrator (PostgresAuditRepository.AppendAsync),
Attestor (audit log inserts).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_005 DEPRECATE-001 (Policy, second service).
PolicyAuditRepository.CreateAsync now fans out to Timeline's unified
audit store via the optional IAuditEventEmitter (injected via
AddAuditEmission in Policy.Engine / Policy.Gateway Program.cs).
Same pattern as Authority dual-write in commit a947c8df6:
- Optional constructor dependency (default null) for DI compatibility
- Fire-and-forget emission wrapped in try/catch
- MapToTimelinePayload builds a UnifiedAuditEvent-compatible payload
with actor (UserId or "policy-system"), resource (audit.ResourceType,
audit.ResourceId), severity "info", and details including old/new
value strings plus the local audit id.
Remaining DEPRECATE-001 services: Notify, Scheduler, JobEngine,
Attestor dual-write on the same pattern.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_005 DEPRECATE-001 (Authority, first service).
AuthorityAuditSink.WriteAsync now fans out to Timeline's unified audit
store via the optional IAuditEventEmitter (injected via AddAuditEmission
in Program.cs). The local authority.audit table write remains the
authoritative path; the Timeline emission is strictly fire-and-forget:
- Optional constructor dependency (default null) keeps existing tests
that construct the sink without the emitter working unchanged.
- Emission is wrapped in try/catch so any Timeline-side failure (DNS,
timeout, auth) is logged as a warning and never impacts the local
write or calling endpoint.
- MapToTimelinePayload builds a UnifiedAuditEvent-compatible payload
with actor (subject id/name/IP/UA), resource (authority_session
keyed by correlationId), severity derived from outcome, and event
details including client, reason, and event type.
Existing AuthorityAuditSinkTests (2/2) still pass — backward compat
verified via direct xUnit run.
Remaining DEPRECATE-001 work: Policy, Notify, Scheduler, JobEngine,
Attestor dual-write wiring on the same pattern. Tracked as follow-ups.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004. After AUDIT-002 wired Emission in all 14+
priority services, the original AUDIT-003 scope of "add more polling
targets" is no longer load-bearing. The remaining candidate modules
(Scanner, Scheduler, Integrations, Attestor) do not expose HTTP audit
endpoints — they rely on Emission. SbomService's ledger audit endpoint
is artifact-specific and does not fit the unified polling contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sprint SPRINT_20260408_004 execution log entry for the 26+ new
.Audited() decorations across Graph, SbomService, Policy.Gateway,
Notifier, Concelier, Excititor (commits 4cbe58fc8 + 6c3ebff9d).
Combined with pre-existing decoration in Authority/Scanner/Policy.Engine/
Notify/JobEngine/Integrations/AdvisoryAI/EvidenceLocker/Attestor, the
codebase now has ~240 .Audited() call sites.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
