- Added graph.inspect.v1 documentation outlining payload structure and determinism rules.
- Created JSON schema for graph.inspect.v1 to enforce payload validation.
- Defined mapping rules for graph relationships, advisories, and VEX statements.

feat(notifications): establish remediation blueprint for gaps NR1-NR10
- Documented requirements, evidence, and tests for Notifier runtime.
- Specified deliverables and next steps for addressing identified gaps.

docs(notifications): organize operations and schemas documentation
- Created README files for operations, schemas, and security notes to clarify deliverables and policies.

feat(advisory): implement PostgreSQL caching for Link-Not-Merge linksets
- Created database schema for advisory linkset cache.
- Developed repository for managing advisory linkset cache operations.
- Added tests to ensure correct functionality of the AdvisoryLinksetCacheRepository.
# Evidence Locker Incident Mode
Sprint 55 / Task EVID-OBS-55-001 – retention & debug hooks
Incident mode is a service-wide switch that increases forensic fidelity when StellaOps enters a suspected compromise or SLO breach. The Evidence Locker reacts to the flag in four ways:
- Extended retention. Every newly sealed bundle receives an `ExpiresAt` timestamp of `CreatedAt + Incident.RetentionExtensionDays` so downstream TTL jobs keep artefacts long enough for investigation.
- Debug artefacts. Snapshot requests emit an `incident/request-*.json` payload into the object store. The payload captures the normalized request metadata/materials plus the incident stamp so offline replay tooling has everything it needs. The manifest surfaces the artefact under the `incident/` section and packaging streams it alongside the canonical bundle files.
- Manifest metadata. Bundles carry `incident.mode`, `incident.changedAt`, and `incident.retentionExtensionDays` metadata so verifiers and auditors can see exactly when the mode toggled and how long retention was extended.
- Operational signals. Activation/deactivation events are published to the Timeline Indexer (and, via the notifier stub, to the future Notify integration). The `IEvidenceTimelinePublisher` now emits `evidence.incident.mode` with `state` and retention attributes, giving Ops a canonical audit trail.
- Signed activation/exit (EB7). Incident toggles MUST be recorded inside the bundle manifest (`incident` block) and in the DSSE predicate with signer identity and timestamp. Offline environments must still include the activation record even when no Rekor entry is possible; when online, include transparency log pointers alongside the incident record.
Configuration lives under `EvidenceLocker:Incident`:

```json
"EvidenceLocker": {
  "Incident": {
    "Enabled": true,
    "RetentionExtensionDays": 60,
    "CaptureRequestSnapshot": true
  }
}
```

`IncidentModeManager` watches the options and raises events whenever the state flips. Tests cover retention math, timeline/notifier fan-out, and the new debug artefact path.
## Recording rules (EB7)
- Manifest fields (see `bundle.manifest.schema.json`): `incident.activatedAt`, `incident.activatedBy`, `incident.reason`, and optional `incident.deactivatedAt`, `incident.deactivatedBy`.
- DSSE predicate: include `incident` block mirroring the manifest plus `signer` (provider/keyid) and `log_policy` (submit|skip-offline).
- CLI/API: activation/deactivation commands must require a reason string and emit a signed record even when the state is unchanged (idempotent write with identical payload hash).