stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e0ec5261dead38923e8dc151e70d14ea712556fd
git.stella-ops.org/docs/modules/findings-ledger/README.md
StellaOps Bot 0103defcff docs consolidation work
2025-12-25 19:09:48 +02:00

2.1 KiB
Raw Blame History

Findings Ledger

Immutable, append-only event ledger for tracking vulnerability findings, policy decisions, and workflow state changes across the StellaOps platform.

Purpose

  • Audit trail: Every finding state change (open, triage, suppress, resolve) is recorded with cryptographic hashes and actor metadata.
  • Deterministic replay: Events can be replayed to reconstruct finding states at any point in time.
  • Merkle anchoring: Event chains are Merkle-linked for tamper-evident verification.
  • Tenant isolation: All events are partitioned by tenant with cross-tenant access forbidden.

Quick links

  • FL1FL10 remediation tracker: gaps-FL1-FL10.md
  • Schema catalog (events/projections/exports): schema-catalog.md
  • Merkle & external anchor policy: merkle-anchor-policy.md
  • Tenant isolation & redaction manifest: tenant-isolation-redaction.md

Implementation Status

Delivery Phases

  • Phase 1 Observability baselines: Instrument writer/projector with metrics, structured logs, OTLP exporters, Grafana dashboards + alert rules
  • Phase 2 Determinism harness: Finalize NDJSON fixtures for ≥5M findings/tenant, implement replay harness CLI, add CI pipeline jobs
  • Phase 3 Deployment & backup collateral: Integrate ledger service into Compose/Helm, automate PostgreSQL migrations, document backup cadence
  • Phase 4 Provenance & air-gap extensions: Ingest orchestrator run export metadata, extend ledger events for bundle provenance, store attestation pointers

Key Dependencies

  • AdvisoryAI Sprint 110.A completion (raw findings parity)
  • Observability schema approval to unblock Phase 1 instrumentation
  • QA lab capacity for 5M replay checkpoint
  • DevOps review of Compose/Helm overlays
  • Orchestrator export schema freeze for provenance linkage

Acceptance Criteria

  • Metrics/logging/tracing implementation merged with dashboards exported
  • Harness CLI + fixtures + signed reports committed
  • Compose/Helm overlays + backup/restore runbooks validated
  • Air-gap provenance fields documented + implemented
  • Sprint tracker and release notes updated after each phase