Discovery Authorization Contracts
The contract for active/passive discovery authorization is designed in ADR-0012 and implemented as a runtime-lite slice in OP-035R. The model is tenant/site scoped and covers authorization for Nmap, SNMP, WMI, DHCP, ARP, and NetFlow before any scanner or passive-ingest runtime is built: a request to discover is granted or denied against tenant/site policy, and only the decision, its audit record, and redacted observation metadata exist today.
Current status:
- Tenant/site policy storage and APIs are implemented.
- Service-account authorization grant/deny decisions are implemented.
- Redacted observation metadata reads/writes are implemented.
- Discovery status is visible in a read-only API-backed console panel.
- Nmap/SNMP/WMI runtime is not implemented.
- DHCP/ARP/NetFlow ingestion runtime is not implemented.
- osquery/Fleet/OTel bridges are not implemented.
- Topology mapping and command execution are not implemented.
- Policy/status APIs, event contracts, validation examples, and runtime-lite tests exist.
The contract freezes:
- tenant/site discovery policy shape;
- approved active and passive discovery methods;
- trusted collector/source identity expectations;
- safety profiles, rate/scope references, and authorization expiration;
- denial reasons, audit, redaction, and source confidence;
- future projection boundaries between discovery observations and asset events.
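The frozen contract above names the pieces of a decision (scoped policy, approved methods, trusted collector identity, expiration, denial reasons, audit, redaction, source confidence) without showing how they combine. The following is an added illustration, not the project's own policy API or the OP-035R code: the dataclass fields, the denial-reason strings, the check order, the sensitive-key list used for redaction and the "observed"/"inferred" confidence labels are all assumptions made for this example.

```python
"""Illustrative tenant/site discovery-authorization decision (added example).

Assumptions, not project contract: field names, denial-reason strings,
SENSITIVE_KEYS and the confidence labels. All timestamps are UTC-aware.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ACTIVE_METHODS = frozenset({"nmap", "snmp", "wmi"})
PASSIVE_METHODS = frozenset({"dhcp", "arp", "netflow"})
# Assumed: metadata keys whose values must never be stored unredacted.
SENSITIVE_KEYS = frozenset({"community", "password", "secret", "credential"})


@dataclass(frozen=True)
class SitePolicy:
    tenant_id: str
    site_id: str
    approved_methods: frozenset   # subset of ACTIVE_METHODS | PASSIVE_METHODS
    trusted_collectors: frozenset  # collector / service-account identities
    safety_profile: str            # referenced in audit, not enforced here
    rate_scope_ref: str            # reference to a rate/scope profile, not inlined
    expires_at: datetime           # authorization expiration


@dataclass(frozen=True)
class DiscoveryRequest:
    tenant_id: str
    site_id: str
    method: str
    collector_id: str
    requested_at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str                    # "granted" or a denial reason
    audit: dict = field(default_factory=dict)


def authorize(policy: SitePolicy, req: DiscoveryRequest) -> Decision:
    """Fixed check order; the first failing check names the denial reason.

    Identity is checked before expiration so an untrusted collector learns
    nothing about policy state; method is checked last so method_not_approved
    is only returned to a trusted, in-scope, unexpired caller.
    """
    audit = {"tenant_id": req.tenant_id, "site_id": req.site_id,
             "method": req.method, "collector_id": req.collector_id,
             "requested_at": req.requested_at.isoformat(),
             "safety_profile": policy.safety_profile,
             "rate_scope_ref": policy.rate_scope_ref}
    if (req.tenant_id, req.site_id) != (policy.tenant_id, policy.site_id):
        return Decision(False, "scope_mismatch", audit)
    if req.collector_id not in policy.trusted_collectors:
        return Decision(False, "untrusted_source", audit)
    if req.requested_at >= policy.expires_at:
        return Decision(False, "authorization_expired", audit)
    if req.method not in policy.approved_methods:
        return Decision(False, "method_not_approved", audit)
    return Decision(True, "granted", audit)


def redact(obj):
    """Deep-copy obj, replacing every sensitive-key value (any nesting depth)."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if isinstance(k, str) and k.lower() in SENSITIVE_KEYS
                    else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def source_confidence(method: str) -> str:
    """Assumed labelling: active probes observe a host directly, passive
    sources only infer it from traffic it emitted or a lease it was given."""
    if method in ACTIVE_METHODS:
        return "observed"
    if method in PASSIVE_METHODS:
        return "inferred"
    raise ValueError(f"unknown discovery method: {method}")


def record_observation(policy, req, raw_metadata):
    """Gate the observation write on the decision; redact before it is stored."""
    decision = authorize(policy, req)
    if not decision.allowed:
        return decision, None
    return decision, {"method": req.method,
                      "confidence": source_confidence(req.method),
                      "metadata": redact(raw_metadata)}


# Constructed sample policy: one site, SNMP and ARP approved for 8 hours.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
POLICY = SitePolicy("t-acme", "s-hq", frozenset({"snmp", "arp"}),
                    frozenset({"svc-collector-01"}), "conservative",
                    "rate/default", NOW + timedelta(hours=8))


def make_request(method, collector="svc-collector-01", tenant="t-acme",
                 site="s-hq", hours_from_now=0):
    """Helper to build requests relative to NOW for the sample policy."""
    return DiscoveryRequest(tenant, site, method, collector,
                            NOW + timedelta(hours=hours_from_now))


if __name__ == "__main__":
    d, obs = record_observation(POLICY, make_request("snmp"),
                                {"snmp": {"community": "public", "sysName": "sw1"}})
    print(d.reason, obs)
```

The check order is the part worth copying: an expired policy presented by an untrusted collector is reported as `untrusted_source`, not `authorization_expired`, so the caller cannot probe policy lifetimes; redaction runs on the write path rather than the read path, so a credential that leaks into observation metadata never lands in storage.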
Source docs:
- docs/adr/ADR-0012-discovery-authorization-contracts.md
- docs/architecture/discovery-authorization-contracts.md
- specs/openapi.yaml
- specs/asyncapi.yaml
- specs/events/discovery.*.v1.schema.json