git.stella-ops.org/docs/modules/concelier/feeds/icscisa-kisa-provenance.md
StellaOps Bot bc0762e97d up
2025-12-09 00:20:52 +02:00

ICSCISA / KISA Feed Provenance Notes (2025-12-08)

  • Expected signing: not provided by sources; record signature as { status: "missing", reason: "unsigned_source" }.
  • Hashing: sha256 of raw advisory payload before normalization (stored as payload_sha256 per advisory) and sha256 of run artefacts (hashes.sha256).
  • Transport: HTTPS; mirror to internal cache; record fetched_at UTC and source_url.
  • Verification: compare hash vs previous run; emit delta report.
  • Staleness guard: alert if the recorded fetched_at is older than 14 days.
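The hashing, unsigned-source marking, delta and staleness steps above, as an added Python example (not the repository's scripts/feeds/run_icscisa_kisa_refresh.py); advisory payloads, URLs and timestamps are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

STALENESS_LIMIT = timedelta(days=14)  # staleness guard stated in the notes above

def payload_sha256(raw: bytes) -> str:
    """sha256 of the raw advisory payload, taken before any normalization."""
    return hashlib.sha256(raw).hexdigest()

def provenance_record(advisory_id: str, raw: bytes, source_url: str, fetched_at: str) -> dict:
    """Per-advisory provenance: payload hash, transport metadata, unsigned-source marker."""
    return {
        "id": advisory_id,
        "payload_sha256": payload_sha256(raw),
        "source_url": source_url,
        "fetched_at": fetched_at,  # ISO-8601 UTC timestamp
        "signature": {"status": "missing", "reason": "unsigned_source"},
    }

def delta_report(previous: dict, current: dict) -> dict:
    """Compare id -> payload_sha256 maps of two runs; report added/updated/removed ids."""
    added = sorted(k for k in current if k not in previous)
    removed = sorted(k for k in previous if k not in current)
    updated = sorted(k for k in current if k in previous and current[k] != previous[k])
    return {"added": added, "updated": updated, "removed": removed}

def is_stale(fetched_at: str, now: str) -> bool:
    """Staleness guard: True when the recorded fetch is more than 14 days before `now`."""
    return datetime.fromisoformat(now) - datetime.fromisoformat(fetched_at) > STALENESS_LIMIT

# Constructed sample payloads (not real advisory content); ids follow the feed naming scheme.
SAMPLE_RAW = {
    "ICSA-25-123-01": b'{"id":"ICSA-25-123-01","title":"constructed"}',
    "KISA-2025-5859": b'{"id":"KISA-2025-5859","title":"constructed"}',
}

def example_run(previous_manifest: dict, fetched_at: str = "2025-12-08T02:05:00+00:00") -> dict:
    """Build records for the sample payloads and diff their hashes against a previous manifest."""
    records = [provenance_record(aid, raw, f"https://example.invalid/{aid}", fetched_at)
               for aid, raw in SAMPLE_RAW.items()]  # example.invalid: placeholder source URL
    manifest = {r["id"]: r["payload_sha256"] for r in records}
    return {"records": records, "manifest": manifest,
            "delta": delta_report(previous_manifest, manifest)}

if __name__ == "__main__":
    import json
    print(json.dumps(example_run({}), indent=2))
```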

Run 2025-12-08 (run_id=icscisa-kisa-20251208T0205Z)

  • Artefacts: out/feeds/icscisa-kisa/20251208/advisories.ndjson, delta.json, fetch.log, hashes.sha256.
  • Hashes:
    • 0844c46c42461b8eeaf643c01d4cb74ef20d4eec8c984ad5e20c49d65dc57deb advisories.ndjson
    • 1273beb246754382d2e013fdc98b11b06965fb97fe9a63735b51cc949746418f delta.json
    • 8fedaa9fb2b146a1ef500b0d2e4c1592ddbc770a8f15b7d03723f8034fc12a75 fetch.log
  • Delta summary: added ICS CISA advisories ICSA-25-123-01, ICSMA-25-045-01; added KISA advisories KISA-2025-5859, KISA-2025-5860; no updates or removals; backlog window 60 days; retries 0 for both sources.
  • Signature posture: both sources unsigned; all records marked signature.missing with reason unsigned_source.
  • Next actions: maintain weekly cadence; staleness review on 2025-12-21 with refreshed hash manifest and retry histogram.

CI automation

  • Scheduled workflow .gitea/workflows/icscisa-kisa-refresh.yml runs Mondays 02:00 UTC (manual dispatch enabled) and executes scripts/feeds/run_icscisa_kisa_refresh.py with live fetch + offline fallback.
  • Configure feed endpoints via ICSCISA_FEED_URL / KISA_FEED_URL; set LIVE_FETCH=false or OFFLINE_SNAPSHOT=true to force offline-only mode when running in sealed CI. Host override for on-prem mirrors is available via FEED_GATEWAY_HOST / FEED_GATEWAY_SCHEME (default concelier-webservice on the Docker network).
  • Fetch log traces: fetch.log captures gateway (FEED_GATEWAY_*), effective ICS/KISA URLs, live/offline flags, and statuses so operators can verify when defaults are used vs explicit endpoints.