git.stella-ops.org/docs/features/checked/timeline/immutable-audit-log.md

# Immutable Audit Log (Timeline)

## Module
Timeline

## Status
VERIFIED

## Description
Immutable timeline audit log with a dedicated web service and indexer for recording all scan, attestation, and verdict events.

## Implementation Details
- **TimelineQueryService**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/TimelineQueryService.cs` -- append-only event store query layer: GetByCorrelationIdAsync (with HLC range, service/kind filters, pagination), GetCriticalPathAsync (causal latency analysis), GetByServiceAsync (service-scoped queries)
- **ITimelineEventStore**: referenced from `StellaOps.Eventing.Storage` -- append-only persistence interface: events stored with deterministic EventId (SHA-256 of correlation_id+t_hlc+service+kind), HLC timestamps, payload digests, engine version fingerprints
- **TimelineEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/TimelineEndpoints.cs` -- REST API at `/api/v1/timeline`: GET /{correlationId} returns immutable event chain, GET /{correlationId}/critical-path for latency analysis
- **ExportEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/ExportEndpoints.cs` -- forensic export at `/api/v1/timeline/{correlationId}/export`: NDJSON/JSON bundle with optional DSSE signing for evidence preservation
- **TimelineBundleBuilder**: `src/Timeline/__Libraries/StellaOps.Timeline.Core/Export/TimelineBundleBuilder.cs` -- builds NDJSON/JSON export bundles with event metadata (event_id, t_hlc, ts_wall, service, kind, payload_digest, engine_version); optional DSSE signing via IEventSigner
- **HealthEndpoints**: `src/Timeline/StellaOps.Timeline.WebService/Endpoints/HealthEndpoints.cs` -- service health monitoring
- **TimelineAuthorizationMiddleware**: `src/Timeline/StellaOps.Timeline.WebService/Authorization/TimelineAuthorizationMiddleware.cs` -- authorization for timeline access
- **Tests**: `src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests/TimelineApiIntegrationTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [x] Verify events stored are immutable (no update/delete operations exposed)
- [x] Verify event IDs are deterministic based on correlation_id + t_hlc + service + kind
- [x] Test export endpoint produces valid NDJSON bundle with all event metadata
- [x] Verify DSSE-signed export bundles can be verified with the signing key
- [x] Test JSON export format includes event metadata section with count and export timestamp
- [x] Verify payload digests in exported events match original payloads
- [x] Test authorization middleware restricts timeline access to authorized users

## Verification

**Run ID**: run-001
**Date**: 2026-02-10
**Verdict**: PASS

**Implementation Verification**:
- Append-only enforced architecturally: ITimelineEventStore has AppendAsync only (no update/delete)
- REST API has GET-only endpoints for events
- TimelineAuthorizationMiddleware with tenant isolation
- DSSE-signed forensic export via TimelineBundleBuilder
- Integration tests verify GET-only access pattern

**Test Execution**:
- Immutability tests PASS
- Deterministic event ID tests PASS
- Export format tests PASS
- Authorization tests PASS

**Build Status**:
- 0 errors
- 0 warnings
- Build: PASS

**Overall Verdict**: PASS

## Recheck (run-002)
- **Date**: 2026-02-10
- **Result**: PASS after export endpoint wiring fix
- **Key fix verified**: unknown export status/download IDs now return 404 instead of synthetic 200 responses.
- **Tests**: Timeline.WebService.Tests 19/19 pass.
- **Evidence**: `docs/qa/feature-checks/runs/timeline/immutable-audit-log/run-002/tier2-api-check.json`

## Recheck (run-003)
- **Date**: 2026-02-10
- **Result**: PASS
- **Verification**: unknown export IDs continue to return 404 for status/download paths.
- **Tests**: Timeline.Core.Tests 7/7, Timeline.WebService.Tests 19/19 (26 total).
- **Evidence**: `docs/qa/feature-checks/runs/timeline/immutable-audit-log/run-003/tier2-api-check.json`


## Recheck (Run-004)
- **Verified**: 2026-02-10
- **Method**: Tier 2 replay via in-process WebApplicationFactory + full suite replay.
- **Tests**: PASS (`src/Timeline/__Tests/StellaOps.Timeline.Core.Tests`: 7/7; `src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests`: 19/19).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/timeline/immutable-audit-log/run-004/tier2-api-check.json`
- **Outcome**: Audit export status/download behavior remains stable and non-synthetic.

## Recheck (Run-005)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay validated via Timeline integration suites.
- **Tests**: PASS (`src/Timeline/__Tests/StellaOps.Timeline.Core.Tests`: 7/7; `src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests`: 19/19).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/timeline/immutable-audit-log/run-005/tier2-api-check.json`
- **Outcome**: Immutable audit-log export/status behaviors remain healthy.

## Recheck (Run-006)
- **Verified**: 2026-02-10
- **Method**: Tier 2 replay (API + integration) with deterministic suite verification.
- **Tests**: PASS (src/Timeline/__Tests/StellaOps.Timeline.Core.Tests: 7/7; src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests: 19/19).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/timeline/immutable-audit-log/run-006/tier2-api-check.json
- **Outcome**: Checked timeline behavior remains healthy in continued replay.

## Recheck (Run-007)
- **Verified**: 2026-02-10
- **Method**: Tier 2 replay (API + integration) with deterministic suite verification.
- **Tests**: PASS (src/Timeline/__Tests/StellaOps.Timeline.Core.Tests: 7/7; src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests: 19/19).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/timeline/immutable-audit-log/run-007/tier2-api-check.json
- **Outcome**: Checked timeline behavior remains healthy in continued replay.

## Recheck (Run-008)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay + deterministic integration suite replay.
- **Tests**: PASS (src/Timeline/__Tests/StellaOps.Timeline.Core.Tests: 7/7, src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests: 19/19).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/timeline/immutable-audit-log/run-008/tier2-api-check.json
- **Outcome**: Checked Timeline behavior remains healthy in continued replay.


## Recheck (Run-009)
- **Verified**: 2026-02-10
- **Method**: Tier 2a API replay + deterministic integration suite replay.
- **Tests**: PASS (src/Timeline/__Tests/StellaOps.Timeline.Core.Tests: 7/7, src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests: 19/19).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/timeline/immutable-audit-log/run-009/tier2-api-check.json
- **Outcome**: Checked Timeline behavior remains healthy in continued replay.


## Recheck (Run-010)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (Timeline.Core 7/7, Timeline.WebService 19/19; total 26/26).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/timeline/immutable-audit-log/run-010/tier2-integration-check.json
- **Outcome**: Checked timeline behavior remains healthy in continued replay.
## Recheck (Run-011)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (Timeline.Core 7/7, Timeline.WebService 19/19; total 26/26).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/timeline/immutable-audit-log/run-011/tier2-integration-check.json
- **Outcome**: Checked timeline behavior remains healthy in continued replay.
## Recheck (Run-012)
- **Verified**: 2026-02-10
- **Method**: Tier 2 replay + deterministic integration suite replay.
- **Tests**: PASS (src/Timeline/__Tests/StellaOps.Timeline.Core.Tests: 7/7; src/Timeline/__Tests/StellaOps.Timeline.WebService.Tests: 19/19; total 26/26).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/timeline/immutable-audit-log/run-012/tier2-api-check.json
- **Outcome**: Checked timeline behavior remains healthy in continued replay.