git.stella-ops.org/docs/forensics/timeline.md
master 66cb6c4b8a
feat: Add guild charters and task boards for various components
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
2025-11-01 02:21:46 +02:00


# Timeline Forensics Guide

The Timeline Indexer service aggregates structured events (scanner runs, policy verdicts, runtime posture, evidence locker activity) into one ordered record so operators can audit what changed, when, and in which order. This guide summarises the event schema, the query surfaces, and the integration points other components rely on.

## 1. Event Model

| Field | Description |
| --- | --- |
| `event_id` | ULID identifying the event. A ULID embeds a millisecond timestamp in its leading characters, so ids sort in roughly creation order, but `timestamp` is the authoritative time. |
| `tenant` | Tenant scope of the event. |
| `timestamp` | UTC ISO-8601 time the event occurred (as opposed to the time it was indexed). |
| `category` | Logical grouping: `scanner`, `policy`, `runtime`, or `evidence`. |
| `details` | JSON payload describing the event. Its contract is defined per producer, so consumers must not assume one shape across categories. |
| `trace_id` | Optional distributed-trace correlation ID. Events emitted outside a traced request carry none, so a flow cannot always be reconstructed from `trace_id` alone. |

Events are stored append-only (there is no update or delete path) in tenant-specific partitions. Producers include Scanner WebService, Policy Engine, Zastava Observer, Evidence Locker, and Notify.

## 2. APIs

- `GET /api/v1/timeline/events`: paginated event stream, filterable by tenant, category, time window, and correlation ID (`trace_id`).
- `GET /api/v1/timeline/events/{id}`: fetch a single event, including its full `details` payload.
- `GET /api/v1/timeline/export`: NDJSON export (one JSON event per line) for offline review.

## 3. Query Tips

- Filter on `category` and `trace_id` together to follow one scan-to-policy-to-notification flow; filtering on `trace_id` alone returns the same events across all categories, which is useful when you do not yet know which stage failed.
- Combine `tenant` and `timestamp` filters for SLA audits, for example the time between a scanner event and the policy verdict for the same trace.
- The CLI command `stella timeline list` mirrors the API for automation and scripting.
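As an added worked example (not code from the Timeline Indexer or any other StellaOps component), the following Python reads an NDJSON export as described in section 2, validates each record against the event model in section 1, and then applies the two query tips above: following one `trace_id` for one tenant in timestamp order, and computing scanner-to-verdict latency for an SLA check. The sample export is constructed; the ULIDs, tenant names and trace ids are invented, and the validation and sorting rules are the example's own assumptions rather than documented behaviour of the service.

```python
"""Validate a Timeline Indexer NDJSON export and follow a trace through it.

Added example, not StellaOps project code. It relies only on the fields the
event model documents; the sample export, ids and tenants are constructed.
"""
import json
import re
from datetime import datetime, timedelta

ULID_RE = re.compile(r"^[0-9A-HJKMNP-TV-Z]{26}$")          # Crockford base32, 26 chars
CATEGORIES = {"scanner", "policy", "runtime", "evidence"}  # documented categories

# Constructed sample export (one JSON event per line). Line 2 is out of
# timestamp order on purpose, line 6 has a bad event_id, line 7 is not JSON.
SAMPLE_NDJSON = "\n".join([
    '{"event_id":"01JBJ5Q6K4X3V9Y2Z8W7R6T5S4","tenant":"acme","timestamp":"2025-11-01T00:20:00Z","category":"scanner","details":{"image":"registry.example/app:1.2.3"},"trace_id":"trace-a1"}',
    '{"event_id":"01JBJ5Q6K4X3V9Y2Z8W7R6T5S5","tenant":"acme","timestamp":"2025-11-01T00:20:09Z","category":"evidence","details":{"bundle":"bundle-42"},"trace_id":"trace-a1"}',
    '{"event_id":"01JBJ5Q6K4X3V9Y2Z8W7R6T5S6","tenant":"other","timestamp":"2025-11-01T00:20:05Z","category":"runtime","details":{},"trace_id":"trace-zz"}',
    '{"event_id":"01JBJ5Q6K4X3V9Y2Z8W7R6T5S7","tenant":"acme","timestamp":"2025-11-01T00:20:04Z","category":"policy","details":{"verdict":"block"},"trace_id":"trace-a1"}',
    '{"event_id":"01JBJ5Q6K4X3V9Y2Z8W7R6T5S8","tenant":"acme","timestamp":"2025-11-01T00:21:00Z","category":"scanner","details":{"image":"registry.example/api:9"},"trace_id":"trace-b2"}',
    '{"event_id":"not-a-ulid","tenant":"acme","timestamp":"2025-11-01T00:21:01Z","category":"policy","details":{},"trace_id":"trace-b2"}',
    'not json at all',
])


def parse_timestamp(value):
    """Parse the event timestamp; reject anything that is not explicitly UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.utcoffset() != timedelta(0):
        raise ValueError("timestamp is not UTC")
    return ts


def validate_event(obj):
    """Return None if obj matches the documented event model, else a reason."""
    if not isinstance(obj, dict):
        return "record is not a JSON object"
    for field in ("event_id", "tenant", "timestamp", "category", "details"):
        if field not in obj:
            return f"missing {field}"
    if not ULID_RE.match(str(obj["event_id"])):
        return "event_id is not a ULID"
    if obj["category"] not in CATEGORIES:
        return f"unknown category {obj['category']!r}"
    if not isinstance(obj["details"], dict):
        return "details is not a JSON object"
    if not isinstance(obj["timestamp"], str):
        return "timestamp is not a string"
    try:
        parse_timestamp(obj["timestamp"])
    except ValueError as exc:
        return f"bad timestamp: {exc}"
    return None


def parse_export(ndjson_text):
    """Split an export into (valid events, [(line_no, reason), ...]).

    Invalid lines are reported rather than silently dropped: in a forensic
    review a record that does not parse is itself a finding.
    """
    events, errors = [], []
    for line_no, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((line_no, f"invalid JSON: {exc.msg}"))
            continue
        reason = validate_event(obj)
        if reason:
            errors.append((line_no, reason))
        else:
            events.append(obj)
    return events, errors


def follow_trace(events, tenant, trace_id):
    """All events for one tenant and trace_id, ordered by event timestamp.

    The tenant filter is applied explicitly so a trace id reused across
    tenants never mixes two tenants' events in one flow.
    """
    hits = [e for e in events if e["tenant"] == tenant and e.get("trace_id") == trace_id]
    return sorted(hits, key=lambda e: parse_timestamp(e["timestamp"]))


def time_to_verdict(events, tenant):
    """Seconds from the first scanner event to the first policy event per trace.

    Traces with a scanner event but no policy verdict map to None, which is the
    case an SLA audit most wants to surface.
    """
    by_trace = {}
    for e in events:
        if e["tenant"] != tenant or not e.get("trace_id"):
            continue
        slot = by_trace.setdefault(e["trace_id"], {"scanner": None, "policy": None})
        if e["category"] in slot:
            ts = parse_timestamp(e["timestamp"])
            if slot[e["category"]] is None or ts < slot[e["category"]]:
                slot[e["category"]] = ts
    result = {}
    for trace_id, slot in by_trace.items():
        if slot["scanner"] is None:
            continue
        if slot["policy"] is None:
            result[trace_id] = None
        else:
            result[trace_id] = (slot["policy"] - slot["scanner"]).total_seconds()
    return result


if __name__ == "__main__":
    events, errors = parse_export(SAMPLE_NDJSON)
    for line_no, reason in errors:
        print(f"line {line_no}: {reason}")
    for e in follow_trace(events, "acme", "trace-a1"):
        print(e["timestamp"], e["category"], e["details"])
    print(time_to_verdict(events, "acme"))
```

The export is processed line by line so a multi-gigabyte export does not need to fit in memory as one JSON document, and malformed lines are returned alongside the valid events rather than aborting the run.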

## 4. Integration

- Evidence Locker attaches evidence bundle digests to its events; the console links from a timeline entry to the evidence viewer, and the recorded digest is what an offline reviewer should check a bundle against.
- Notifier creates acknowledgement events for incident workflows, so an incident's acknowledgement is itself a timeline entry.
- Offline kits package timeline exports for compliance reviews.
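The check an offline reviewer wants from the first and third points above is that a bundle shipped in an offline kit still matches the digest the Evidence Locker recorded in the timeline. The following is an added example (not code from Evidence Locker, the Timeline Indexer, or the export center); the page only says that bundle digests are attached, so the `details` key name `bundle_digest`, the `<algo>:<hex>` digest format, the sample bundle bytes, and the event values are all assumptions made for this example.

```python
"""Check an evidence bundle from an offline kit against the digest recorded
in its timeline event.

Added example, not StellaOps project code. The key name "bundle_digest" and the
"<algo>:<hex>" format are assumptions; the bundle and the event are constructed.
"""
import hashlib
import hmac

ACCEPTED_ALGOS = {"sha256", "sha512"}  # refuse weak or unknown digest algorithms


def verify_bundle_digest(event, bundle_bytes):
    """Return (ok, reason). ok is True only when bundle_bytes hashes to the
    digest the timeline event recorded, using an accepted algorithm."""
    details = event.get("details") or {}
    recorded = details.get("bundle_digest")  # assumed key name
    if not isinstance(recorded, str) or ":" not in recorded:
        return False, "event does not carry a bundle_digest of the form <algo>:<hex>"
    algo, _, expected = recorded.partition(":")
    algo = algo.lower()
    if algo not in ACCEPTED_ALGOS:
        return False, f"digest algorithm {algo!r} not accepted"
    actual = hashlib.new(algo, bundle_bytes).hexdigest()
    # Compare as bytes so a malformed recorded value cannot raise instead of failing.
    if not hmac.compare_digest(actual.encode(), expected.lower().encode()):
        return False, f"digest mismatch: recorded {expected[:12]}..., computed {actual[:12]}..."
    return True, "bundle matches timeline event"


def make_evidence_event(bundle_bytes, event_id="01JBJ5Q6K4X3V9Y2Z8W7R6T5S9"):
    """Build a constructed evidence event whose details carry the bundle digest,
    standing in for the event Evidence Locker would have emitted."""
    return {
        "event_id": event_id,
        "tenant": "acme",
        "timestamp": "2025-11-01T00:20:09Z",
        "category": "evidence",
        "details": {"bundle_digest": "sha256:" + hashlib.sha256(bundle_bytes).hexdigest()},
        "trace_id": "trace-a1",
    }


# Constructed bundle bytes; in practice this is the bundle file from the offline kit.
BUNDLE = b'{"sbom":"sha256:...","attestations":[],"scan":"trace-a1"}\n'
TAMPERED = BUNDLE.replace(b'"attestations":[]', b'"attestations":["forged"]')


if __name__ == "__main__":
    event = make_evidence_event(BUNDLE)
    print(verify_bundle_digest(event, BUNDLE))
    print(verify_bundle_digest(event, TAMPERED))
```

Because the timeline is append-only and held by the indexer rather than inside the kit, the digest it recorded is an anchor the kit's author cannot rewrite after the fact; a bundle that fails this check should be treated as altered in transit or on disk, not as a reporting glitch.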

## 5. References

- docs/modules/telemetry/architecture.md
- docs/modules/zastava/architecture.md
- docs/modules/export-center/architecture.md
- src/TimelineIndexer/StellaOps.TimelineIndexer