d63af51f84
Some checks failed
api-governance / spectral-lint (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
oas-ci / oas-validate (push) Has been cancelled
SDK Publish & Sign / sdk-publish (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
3.5 KiB
3.5 KiB
Reachability Runtime Ingestion Runbook
Imposed rule: Runtime traces must never bypass CAS/DSSE verification; ingest only CAS-addressed NDJSON with hashes logged to Timeline and Evidence Locker.
This runbook guides operators through ingesting runtime reachability evidence (EntryTrace, probes, Signals ingestion) and wiring it into the reachability evidence chain.
1. Prerequisites
- Services:
SignalsAPI,Zastava Observer(or other probes),Evidence Locker, optionalAttestorfor DSSE. - Reachability schema:
docs/reachability/function-level-evidence.md,docs/reachability/evidence-schema.md. - CAS: configured bucket/path for
cas://reachability/runtime/*and.../graphs/*. - Time sync: AirGap Time anchor if sealed; otherwise NTP with drift <200ms.
2. Ingestion workflow (online)
- Capture traces from Observer/probes → NDJSON (
runtime-trace.ndjson.gz) withsymbol_id,purl,timestamp,pid,container,count. - Stage to CAS: upload file, record
sha256, store atcas://reachability/runtime/<sha256>. - Optionally sign: wrap CAS digest in DSSE (
stella attest runtime --bundle runtime.dsse.json). - Ingest via Signals API:
Headers returned:
curl -H "X-Stella-Tenant: acme" \ -H "Content-Type: application/x-ndjson" \ --data-binary @runtime-trace.ndjson.gz \ "https://signals.example/api/v1/runtime-facts?graph_hash=<graph>"Content-SHA256,X-Graph-Hash,X-Ingest-Id. - Emit timeline: ensure Timeline event
reach.runtime.ingestedwith CAS digest and ingest id. - Verify: run
stella graph verify --runtime runtime-trace.ndjson.gz --graph <graph_hash>to confirm edges mapped.
3. Ingestion workflow (air-gap)
- Receive runtime bundle containing
runtime-trace.ndjson.gz,manifest.json(hashes), optional DSSE. - Validate hashes against manifest; if present, verify DSSE bundle.
- Import into CAS path
cas://reachability/runtime/<sha256>using offline loader. - Run Signals offline ingest tool:
signals-offline ingest-runtime \ --tenant acme \ --graph-hash <graph_hash> \ --runtime runtime-trace.ndjson.gz \ --manifest manifest.json - Export ingest receipt and add to Evidence Locker; update Timeline when reconnected.
4. Checks & alerts
- Drift: block ingest if time anchor age > configured budget; surface
staleness_seconds. - Hash mismatch: fail ingest; write
runtime.ingest.failedevent with reason. - Orphan traces: if no matching
graph_hash, queue for retry and alertreachability.orphan_tracescounter.
5. Troubleshooting
- 400 Bad Request: validate NDJSON schema; run
scripts/reachability/validate_runtime_trace.py. - Hash mismatch: recompute
sha256sum runtime-trace.ndjson.gz; compare to manifest. - Missing symbols: ensure symbol manifest ingested (see
docs/specs/symbols/SYMBOL_MANIFEST_v1.md); rerunstella graph verify. - High drift: refresh time anchor (AirGap Time service) or resync NTP; retry ingest.
6. Artefact checklist
runtime-trace.ndjson.gz(or.json),sha256recorded.- Optional
runtime.dsse.jsonDSSE bundle. - Ingest receipt (ingest id, graph hash, CAS digest, tenant).
- Timeline event
reach.runtime.ingestedand Evidence Locker record (bundle + receipt).
7. References
docs/reachability/DELIVERY_GUIDE.mddocs/reachability/function-level-evidence.mddocs/reachability/evidence-schema.mddocs/specs/symbols/SYMBOL_MANIFEST_v1.md