
Authorized Discovery Runtime-Lite

Status

Implemented Runtime-Lite

  • ADR references: docs/adr/ADR-0012-discovery-authorization-contracts.md.
  • Architecture references: docs/architecture/discovery-authorization-contracts.md.
  • Task board references: OP-035R.

What Was Implemented

  • Postgres/RLS and SQLite local tables for tenant-scoped discovery policies, authorization decisions, and redacted observation metadata.
  • FastAPI routes for policy list/create/detail/update, authorization decision request/list, observation metadata write/list, and discovery status.
  • Lifecycle events and audit records for discovery.policy.configured, discovery.authorization.granted, discovery.authorization.denied, and discovery.observation.received.
  • Deny-by-default authorization checks for missing/expired policies, disallowed methods, untrusted source identities, scope mismatches, and safety-window violations.
  • Read-only console panel on Assets that shows policies, decisions, observations, and status without exposing scan or command controls.
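The deny-by-default checks listed above, as an added illustration (not the project's own code): a single decision function that collects every failing reason before emitting a grant or deny event, so the audit record explains the outcome. Model names such as DiscoveryPolicy, AuthorizationRequest and evaluate_authorization, the reason codes, and the sample policy data are assumptions, not the project's schema.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from datetime import datetime, time, timezone

# Outcome labels and the event names from the page's lifecycle event list.
GRANTED = "granted"
DENIED = "denied"
EVENT_GRANTED = "discovery.authorization.granted"
EVENT_DENIED = "discovery.authorization.denied"


@dataclass(frozen=True)
class DiscoveryPolicy:
    policy_id: str
    tenant_id: str
    allowed_methods: frozenset[str]      # hypothetical method labels
    trusted_source_ids: frozenset[str]   # service-account ids that may request authorization
    allowed_scope: str                   # CIDR the request scope must fall inside
    expires_at: datetime                 # timezone-aware
    safety_window: tuple[time, time]     # (start, end) in UTC; may cross midnight


@dataclass(frozen=True)
class AuthorizationRequest:
    tenant_id: str
    policy_id: str
    source_id: str
    method: str
    scope: str
    requested_at: datetime               # timezone-aware


@dataclass(frozen=True)
class Decision:
    outcome: str
    reasons: tuple[str, ...]
    event: str


def scope_within(requested: str, allowed: str) -> bool:
    """True only if the requested CIDR is fully contained in the allowed CIDR."""
    try:
        req_net = ipaddress.ip_network(requested, strict=False)
        allowed_net = ipaddress.ip_network(allowed, strict=False)
        return req_net.subnet_of(allowed_net)
    except (ValueError, TypeError):
        # Unparseable or mixed IPv4/IPv6 input is a mismatch, never a pass.
        return False


def in_safety_window(at: datetime, window: tuple[time, time]) -> bool:
    """Check the UTC wall-clock time against a window that may wrap past midnight."""
    start, end = window
    t = at.astimezone(timezone.utc).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate_authorization(policies: dict[str, DiscoveryPolicy],
                           req: AuthorizationRequest) -> Decision:
    """Deny unless every check passes; all failing reasons are kept for the audit record."""
    policy = policies.get(req.policy_id)
    if policy is None or policy.tenant_id != req.tenant_id:
        # A policy owned by another tenant is reported exactly like a missing one,
        # so the response reveals nothing about other tenants' policies.
        return Decision(DENIED, ("policy_missing",), EVENT_DENIED)
    reasons: list[str] = []
    if req.requested_at >= policy.expires_at:
        reasons.append("policy_expired")
    if req.method not in policy.allowed_methods:
        reasons.append("method_not_allowed")
    if req.source_id not in policy.trusted_source_ids:
        reasons.append("source_untrusted")
    if not scope_within(req.scope, policy.allowed_scope):
        reasons.append("scope_mismatch")
    if not in_safety_window(req.requested_at, policy.safety_window):
        reasons.append("outside_safety_window")
    if reasons:
        return Decision(DENIED, tuple(reasons), EVENT_DENIED)
    return Decision(GRANTED, (), EVENT_GRANTED)


# Constructed sample data for a stand-alone run (not real tenants, policies or networks).
SAMPLE_POLICIES = {
    "p-1": DiscoveryPolicy(
        policy_id="p-1", tenant_id="t-1",
        allowed_methods=frozenset({"snmp-read-only"}),
        trusted_source_ids=frozenset({"svc-disc-1"}),
        allowed_scope="10.0.0.0/16",
        expires_at=datetime(2030, 1, 1, tzinfo=timezone.utc),
        safety_window=(time(1, 0), time(5, 0)),
    )
}
GRANT_REQUEST = AuthorizationRequest("t-1", "p-1", "svc-disc-1", "snmp-read-only",
                                     "10.0.5.0/24", datetime(2029, 6, 1, 2, 30, tzinfo=timezone.utc))
DENY_REQUEST = replace(GRANT_REQUEST, method="wmi", scope="192.168.1.0/24",
                       requested_at=datetime(2029, 6, 1, 12, 0, tzinfo=timezone.utc))
CROSS_TENANT_REQUEST = replace(GRANT_REQUEST, tenant_id="t-2")

if __name__ == "__main__":
    for r in (GRANT_REQUEST, DENY_REQUEST, CROSS_TENANT_REQUEST):
        print(evaluate_authorization(SAMPLE_POLICIES, r))
```

The cross-tenant case is deliberately folded into `policy_missing` rather than given its own reason code: a requester in one tenant should not be able to learn, from the reason string, that a given policy id exists in another tenant.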

APIs / Events / Schemas

  • API: GET /api/v1/discovery/policies
  • API: POST /api/v1/discovery/policies
  • API: GET /api/v1/discovery/policies/{policy_id}
  • API: PATCH /api/v1/discovery/policies/{policy_id}
  • API: GET /api/v1/discovery/authorizations
  • API: POST /api/v1/discovery/authorizations
  • API: POST /api/v1/discovery/authorizations/{authorization_id}/observations
  • API: GET /api/v1/discovery/observations
  • API: GET /api/v1/discovery/status
  • Events: discovery.policy.configured, discovery.authorization.granted, discovery.authorization.denied, discovery.observation.received

Security / Tenant Isolation

Every stored row is tenant-scoped. User actors can create and read policies according to their role, while authorization and observation writes require a tenant-scoped service-account context. Raw scan, DHCP, ARP, NetFlow, SNMP, or WMI payloads are not accepted inline; the observation APIs require a reference URI and mark the stored record as having had redaction applied.
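The observation-write rules in this section, as an added example that is not the project's own code: the handler-side check accepts only service-account actors in the same tenant as the authorization, rejects any inline raw payload field, requires an absolute reference URI, and stores a metadata record flagged redaction_applied. The field names, URI schemes, actor model and reason codes are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Hypothetical request-body keys that would carry raw collector output; none may appear inline.
RAW_PAYLOAD_FIELDS = frozenset({
    "raw_scan", "dhcp_leases", "arp_table", "netflow_records", "snmp_walk", "wmi_result",
})
# Assumed: observation bodies point at an object in tenant-scoped storage, never at a bare host.
ALLOWED_URI_SCHEMES = frozenset({"s3", "https"})


@dataclass(frozen=True)
class Actor:
    tenant_id: str
    kind: str  # "user" or "service_account"


@dataclass(frozen=True)
class ObservationRecord:
    tenant_id: str
    authorization_id: str
    reference_uri: str
    redaction_applied: bool
    observed_host_count: int


def validate_observation_write(actor: Actor, authorization_tenant_id: str,
                               body: dict) -> tuple[Optional[ObservationRecord], str]:
    """Return (record, "accepted") or (None, reason_code); every failure short-circuits."""
    if actor.kind != "service_account":
        return None, "service_account_required"
    if actor.tenant_id != authorization_tenant_id:
        # The authorization id is looked up under the actor's tenant; a foreign tenant's
        # authorization is never writable even if the id is known.
        return None, "tenant_mismatch"
    if RAW_PAYLOAD_FIELDS.intersection(body):
        return None, "inline_payload_rejected"
    uri = body.get("reference_uri")
    if not isinstance(uri, str) or not uri:
        return None, "reference_uri_required"
    parsed = urlparse(uri)
    if parsed.scheme not in ALLOWED_URI_SCHEMES or not parsed.netloc:
        return None, "reference_uri_invalid"
    authorization_id = body.get("authorization_id")
    if not isinstance(authorization_id, str) or not authorization_id:
        return None, "authorization_id_required"
    try:
        host_count = int(body.get("observed_host_count", 0))
    except (TypeError, ValueError):
        return None, "observed_host_count_invalid"
    if host_count < 0:
        return None, "observed_host_count_invalid"
    record = ObservationRecord(
        tenant_id=actor.tenant_id,
        authorization_id=authorization_id,
        reference_uri=uri,
        redaction_applied=True,  # only metadata is stored; the raw artifact stays behind the URI
        observed_host_count=host_count,
    )
    return record, "accepted"


# Constructed sample actors and bodies for a stand-alone run.
SERVICE_ACTOR = Actor(tenant_id="t-1", kind="service_account")
USER_ACTOR = Actor(tenant_id="t-1", kind="user")
VALID_BODY = {
    "authorization_id": "a-1",
    "reference_uri": "s3://tenant-t-1-discovery/observations/a-1/summary.json",
    "observed_host_count": 12,
}
INLINE_PAYLOAD_BODY = dict(VALID_BODY, snmp_walk=[{"oid": "1.3.6.1.2.1.1.1.0", "value": "example"}])

if __name__ == "__main__":
    print(validate_observation_write(SERVICE_ACTOR, "t-1", VALID_BODY))
    print(validate_observation_write(USER_ACTOR, "t-1", VALID_BODY))
    print(validate_observation_write(SERVICE_ACTOR, "t-1", INLINE_PAYLOAD_BODY))
```

Checking for inline payload keys before parsing anything else keeps the raw-data rule from depending on the order in which later validation fails, and the reason codes map one-to-one onto the deny conditions the page lists, which keeps audit records consistent.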

Non-Scope

  • No Nmap, SNMP, or WMI execution.
  • No DHCP, ARP, or NetFlow ingestion runtime.
  • No topology mapping.
  • No command execution, SSH, patching, or remote desktop.
  • No Helm, Terraform, AWS, or CI changes.

Validation

make validate-contracts
make typecheck-python
make lint
make test-sqlite
npm --prefix frontend test -- --run
make docs-build