
Asset Discovery Contracts

Asset Discovery v1 now has contracts, a Postgres/RLS storage and read-model foundation, a narrow heartbeat ingestion flow, and an enrolled-agent telemetry endpoint. Agent enrollment runtime-lite exists, but production CA runtime, enforced mTLS, osquery/Fleet, OTel integration, network scanning, SNMP discovery, topology mapping, command execution, patching, and remote shell work are not implemented yet.

Implemented:

  • Asset identity model with stable, semi-stable, and low-confidence fields.
  • Deterministic fingerprint strategy.
  • Collector/source model.
  • Rule-based classification model.
  • JSON Schemas for agent.enrolled, collector.enrolled, asset.*, and command.* lifecycle events.
  • AsyncAPI channels for the new events.
  • OpenAPI read endpoints for assets, asset timelines, collectors, and command jobs.
  • Postgres/RLS tables for assets, fingerprints, sources, collectors, and command jobs/results.
  • Internal projection functions for the approved asset/collector/command events.
  • Minimal heartbeat ingestion that emits agent.enrolled, asset.discovered, and asset.telemetry.received through the event path.
  • Agent identity-bound heartbeat telemetry using POST /api/v1/agents/{agent_id}/telemetry/heartbeat.
  • Unmanaged asset detection that reuses the existing alert/evidence/audit/delivery flow.
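The following is an added illustration (not the project's own code) of what the identity model and deterministic fingerprint strategy listed above mean in practice. Which fields count as stable, semi-stable, or low-confidence, the canonical-JSON-then-SHA-256 construction, and the sample observations are all assumptions made for this example. The point it demonstrates: only stable fields feed the identity hash, semi-stable fields are a labelled fallback, and low-confidence fields such as an IP address never change the fingerprint, so a DHCP lease change does not produce a duplicate asset.

```python
import hashlib
import json

# Field tiers for the asset identity model. The concrete field-to-tier
# assignment here is an assumption for this example, not the project's list.
STABLE_FIELDS = ("machine_id", "hardware_uuid", "cloud_instance_id")
SEMI_STABLE_FIELDS = ("hostname", "primary_mac")
LOW_CONFIDENCE_FIELDS = ("ip_address", "last_seen_user")  # never hashed


def _normalize(value):
    """Canonicalize one identity value so formatting differences do not
    change the fingerprint: strip whitespace, lower-case, drop empties."""
    if value is None:
        return None
    text = str(value).strip().lower()
    return text or None


def select_identity_fields(asset, tier_fields):
    """Return the normalized, non-empty fields of one tier, sorted by key."""
    picked = {}
    for name in tier_fields:
        norm = _normalize(asset.get(name))
        if norm is not None:
            picked[name] = norm
    return dict(sorted(picked.items()))


def fingerprint(asset):
    """Compute a deterministic fingerprint for an asset observation.

    Preference order: stable fields only; if none are present, fall back to
    semi-stable fields and report the lower confidence tier. Low-confidence
    fields are never hashed. Returns (hex_digest, tier), or (None, "none")
    when no usable identity field exists.
    """
    for tier, fields in (("stable", STABLE_FIELDS),
                         ("semi_stable", SEMI_STABLE_FIELDS)):
        selected = select_identity_fields(asset, fields)
        if selected:
            # sort_keys plus fixed separators give a canonical byte string.
            # The tier label is part of the hashed input so a stable and a
            # semi-stable fingerprint can never collide with each other.
            canonical = json.dumps({"tier": tier, "fields": selected},
                                   sort_keys=True, separators=(",", ":"))
            digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
            return digest, tier
    return None, "none"


def same_asset(a, b):
    """True when two observations resolve to the same identity at the same tier."""
    fp_a, tier_a = fingerprint(a)
    fp_b, tier_b = fingerprint(b)
    return fp_a is not None and fp_a == fp_b and tier_a == tier_b


# Constructed sample observations (not real hosts): the same machine seen
# twice with a different IP address, key order, casing and whitespace.
OBSERVATION_1 = {
    "machine_id": "  4C4C4544-0042-3910-8054-B4C04F4E3232 ",
    "hostname": "WS-017.corp.example",
    "ip_address": "10.1.4.22",
}
OBSERVATION_2 = {
    "ip_address": "10.1.9.140",  # new DHCP lease, must not change identity
    "hostname": "ws-017.corp.example",
    "machine_id": "4c4c4544-0042-3910-8054-b4c04f4e3232",
}
# An agentless observation carrying no stable identifier at all.
OBSERVATION_3 = {"hostname": "ws-017.corp.example", "ip_address": "10.1.9.140"}

if __name__ == "__main__":
    for obs in (OBSERVATION_1, OBSERVATION_2, OBSERVATION_3):
        print(fingerprint(obs))
    print("1 and 2 same asset:", same_asset(OBSERVATION_1, OBSERVATION_2))
    print("2 and 3 same asset:", same_asset(OBSERVATION_2, OBSERVATION_3))
```

Observations 1 and 2 hash to the same stable fingerprint despite the IP change and formatting differences; observation 3 only reaches the semi-stable tier, and the tier is carried alongside the digest so a read model can show how much confidence the match deserves rather than silently merging it with the stable identity.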

Still future:

  • osquery/Fleet integration.
  • OpenTelemetry host telemetry ingestion.
  • Production CA runtime and enforced mTLS against the accepted identity contract.
  • Offline/stale asset detection.
  • Command dispatch/runtime.
  • Network scanning.
  • Asset UI mutation controls.

Source architecture note: docs/architecture/asset-discovery-contracts.md.