- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality.
- Created `PackRunWorkerOptions` for configuring worker paths and execution persistence.
- Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports.
- Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events.
- Developed `RedisTimelineEventSubscriber` for reading from Redis Streams.
- Added `TimelineEnvelopeParser` to normalize incoming event envelopes.
- Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping.
- Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.
# Sprint 0123 · Excititor Ingestion & Evidence (Phase V)

## Topic & Scope
- Feed VEX Lens and Vuln Explorer with enriched, canonical evidence while keeping Excititor aggregation-only.
- Lock raw storage validation/idempotency and ship portable evidence bundles plus mirror registration APIs for air-gapped parity.
- Working directory: `src/Excititor` (WebService, Core, Storage.Mongo) and `docs/airgap`.

## Dependencies & Concurrency
- Depends on Phase IV outputs (timeline/locker/attestation) and mirror registration contract.
- Concurrency: storage validators/indexes first; VEX Lens/Vuln endpoints rely on canonicalization; portable bundles depend on mirror registration endpoints.
## Documentation Prerequisites
- docs/modules/excititor/architecture.md
- docs/modules/excititor/implementation_plan.md
- docs/airgap/portable-evidence-bundle-verification.md
- Excititor AGENTS.md files (WebService, Core, Storage)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---|---|---|---|---|
| 1 | EXCITITOR-VEXLENS-30-001 | DONE | None | Excititor WebService Guild · VEX Lens Guild | Export observations to VEX Lens with issuer hints, signature blobs, product tree snippets, staleness metadata; no consensus logic. |
| 2 | EXCITITOR-VULN-29-001 | DONE | None | Excititor WebService Guild | Canonicalize advisory/product keys (advisory_key), preserve originals in links[]; backfill + tests. |
| 3 | EXCITITOR-VULN-29-002 | DONE | Depends on 29-001 | Excititor WebService Guild | /vuln/evidence/vex/{advisory_key} returning tenant-scoped raw statements + provenance + attestation references; cursor pagination. |
| 4 | EXCITITOR-VULN-29-004 | DONE | Depends on 29-002 | Excititor WebService Guild · Observability Guild | Metrics/logs for normalization errors, suppression scopes, withdrawn statements for Vuln Explorer + Advisory AI dashboards. |
| 5 | EXCITITOR-STORE-AOC-19-001 | DONE | None | Excititor Storage Guild | Mongo JSON Schema validator for vex_raw; offline kit instructions. |
| 6 | EXCITITOR-STORE-AOC-19-002 | DONE | Depends on 19-001 | Excititor Storage Guild · DevOps Guild | Unique indexes/migrations/rollback steps for new validator. |
| 7 | EXCITITOR-AIRGAP-56-001 | DONE | None | Excititor WebService Guild · AirGap Importer Guild | Mirror bundle registration + provenance exposure, sealed-mode error mapping, staleness metrics. |
| 8 | EXCITITOR-AIRGAP-58-001 | DONE | Depends on 56-001 | Excititor Core Guild · Evidence Locker Guild | Portable evidence bundles linked to timeline + attestation metadata; verifier docs for Advisory AI. |
## Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-12-03 | Normalised sprint to standard template; working directory set; preserved statuses. | Planning |
## Decisions & Risks
- Aggregation-only posture retained: exports and APIs do not compute verdicts.
- Validator rollout could impact ingestion; it is staged with rollback docs. Ensure the unique indexes are deployed before enabling enforcement.
- Portable bundle contents and mirror registration must stay aligned with Evidence Locker schemas; refresh docs/tests if schema evolves.
## Next Checkpoints
- Re-run bundle verification scripts after any Evidence Locker manifest changes.
- Validate VEX Lens/Vuln Explorer still ingest canonicalized keys after downstream schema tweaks.