git.stella-ops.org/docs/modules/evidence-locker/incident-mode.md
master 2eb6852d34
Add unit tests for SBOM ingestion and transformation
- Implement `SbomIngestServiceCollectionExtensionsTests` to verify the SBOM ingestion pipeline exports snapshots correctly.
- Create `SbomIngestTransformerTests` to ensure the transformation produces expected nodes and edges, including deduplication of license nodes and normalization of timestamps.
- Add `SbomSnapshotExporterTests` to test the export functionality for manifest, adjacency, nodes, and edges.
- Introduce `VexOverlayTransformerTests` to validate the transformation of VEX nodes and edges.
- Set up project file for the test project with necessary dependencies and configurations.
- Include JSON fixture files for testing purposes.
2025-11-04 07:49:39 +02:00


# Evidence Locker Incident Mode

_Sprint 55 / Task EVID-OBS-55-001 retention & debug hooks_

Incident mode is a service-wide switch that raises forensic fidelity while StellaOps is operating under a suspected compromise or an SLO breach. The Evidence Locker reacts to the flag in four ways:

  1. Extended retention. Every bundle sealed while the mode is active receives an `ExpiresAt` of `CreatedAt + Incident.RetentionExtensionDays`, so downstream TTL jobs keep the artefacts long enough for the investigation.
  2. Debug artefacts. Snapshot requests emit an `incident/request-*.json` payload into the object store. The payload captures the normalized request metadata and materials plus the incident stamp, so offline replay tooling has everything it needs. The manifest surfaces the artefact under the `incident/` section, and packaging streams it alongside the canonical bundle files.
  3. Manifest metadata. Bundles carry `incident.mode`, `incident.changedAt`, and `incident.retentionExtensionDays` metadata, so verifiers and auditors can see exactly when the mode toggled and how long retention was extended.
  4. Operational signals. Activation and deactivation events are published to the Timeline Indexer (and, via the notifier stub, to the future Notify integration). `IEvidenceTimelinePublisher` now emits `evidence.incident.mode` with state and retention attributes, giving Ops a canonical audit trail.

Configuration lives under `EvidenceLocker:Incident`:

```json
"EvidenceLocker": {
  "Incident": {
    "Enabled": true,
    "RetentionExtensionDays": 60,
    "CaptureRequestSnapshot": true
  }
}
```

`IncidentModeManager` watches the options and raises events whenever the state flips. Tests cover retention math, timeline/notifier fan-out, and the new debug artefact path.
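As an added example (not StellaOps code), the consistency check an auditor can run offline over a sealed manifest to confirm the retention math, the incident stamp and the debug artefact described above. The manifest layout is assumed: top-level `createdAt`/`expiresAt` ISO-8601 UTC timestamps, a `metadata` map holding the `incident.*` keys named in this page, an `incident` list of artefact paths, and the value `active` for `incident.mode`. Only the key names and the `EvidenceLocker:Incident` settings come from the page; the sample manifest is constructed, not captured from a deployment.

```python
# Added example, not StellaOps code. Offline audit of a bundle manifest sealed while
# incident mode was on. Layout assumptions (not specified by the page): the manifest
# is JSON with top-level "createdAt"/"expiresAt" ISO-8601 UTC timestamps, a "metadata"
# map holding the incident.* keys, an "incident" list of artefact paths, and the mode
# value "active". Key names and config settings are taken from the doc.
import fnmatch
import json
from datetime import datetime, timedelta, timezone

# Mirrors the EvidenceLocker:Incident section of the configuration above.
INCIDENT_CONFIG = {"Enabled": True, "RetentionExtensionDays": 60, "CaptureRequestSnapshot": True}

# Constructed sample manifest: sealed 39 minutes after the mode toggled, 60-day retention.
SAMPLE_MANIFEST = json.loads("""{
  "bundleId": "bundle-0001",
  "createdAt": "2025-11-04T05:49:39Z",
  "expiresAt": "2026-01-03T05:49:39Z",
  "metadata": {
    "incident.mode": "active",
    "incident.changedAt": "2025-11-04T05:10:00Z",
    "incident.retentionExtensionDays": 60
  },
  "incident": ["incident/request-0001.json"]
}""")


def parse_utc(value: str) -> datetime:
    """Parse an ISO-8601 timestamp into an aware UTC datetime; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit_incident_manifest(manifest: dict, incident_cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the manifest is self-consistent
    with the incident-mode configuration it claims to have been sealed under."""
    findings: list[str] = []
    meta = manifest.get("metadata", {})
    created = parse_utc(manifest["createdAt"])
    expires = parse_utc(manifest["expiresAt"])

    if str(meta.get("incident.mode", "")).lower() != "active":
        findings.append("incident.mode is not 'active'; bundle was not sealed under incident mode")
        return findings

    # 1. Extended retention: ExpiresAt must equal CreatedAt + RetentionExtensionDays,
    #    and the stamped extension must match what the service was configured with.
    days = int(meta.get("incident.retentionExtensionDays", -1))
    configured = int(incident_cfg["RetentionExtensionDays"])
    if days != configured:
        findings.append(f"incident.retentionExtensionDays={days} differs from configured {configured}")
    expected_expiry = created + timedelta(days=days)
    if expires != expected_expiry:
        findings.append(f"expiresAt {expires.isoformat()} != createdAt + {days}d ({expected_expiry.isoformat()})")

    # 2. Incident stamp: the mode must have toggled on no later than the seal time.
    changed = parse_utc(meta["incident.changedAt"])
    if changed > created:
        findings.append("incident.changedAt is later than createdAt; stamp is inconsistent")

    # 3. Debug artefact: a request snapshot must be listed when capture is enabled.
    if incident_cfg.get("CaptureRequestSnapshot"):
        artefacts = manifest.get("incident", [])
        if not any(fnmatch.fnmatch(p, "incident/request-*.json") for p in artefacts):
            findings.append("no incident/request-*.json artefact listed although CaptureRequestSnapshot is enabled")

    return findings


if __name__ == "__main__":
    for finding in audit_incident_manifest(SAMPLE_MANIFEST, INCIDENT_CONFIG) or ["ok"]:
        print(finding)
```

The check fails closed on a manifest whose `incident.mode` is anything other than `active`, because every other assertion only makes sense for a bundle sealed under the mode; the three remaining checks map one-to-one onto items 1 to 3 of the list above.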