feat(tess): add safe runtime observability #726

Merged
jason.woltje merged 1 commits from feat/tess-observability-terra into main 2026-07-13 01:29:19 +00:00
Owner

Refs #707

Task: TESS-M1-OBS-001

Adds metadata-only durable runtime/provider/tool audit records with correlation and latency/error codes, liveness/readiness, and credential-safe provider operational status. Resource identifiers are hashed before durable audit persistence.

Verification: pnpm typecheck, pnpm lint, pnpm format:check, pnpm test.

Refs #707 Task: TESS-M1-OBS-001 Adds metadata-only durable runtime/provider/tool audit records with correlation and latency/error codes, liveness/readiness, and credential-safe provider operational status. Resource identifiers are hashed before durable audit persistence. Verification: pnpm typecheck, pnpm lint, pnpm format:check, pnpm test.
jason.woltje added 1 commit 2026-07-13 00:52:36 +00:00
feat(tess): add safe runtime observability
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
adfa5c0697
Author
Owner

VERIFIED APPROVE reviewer-of-record [W-jarvis:reviewer] head adfa5c0697

Evidence:

  • Exact PR/branch head verified: adfa5c0697512853cafc7c442ec08b125a1f3e30.
  • PR CI green on exact head: ci/woodpecker/pr/ci pipeline 1720 success.
  • Runtime/provider audit remains fail-closed before side effects: RuntimeProviderService still awaits the requested audit record before provider lookup/capability/provider invocation, and the regression test verifies provider send is not called when audit persistence rejects.
  • Durable audit is metadata-only via createRuntimeAuditLogEntry(): explicit allowlist only, content fixed to runtime.provider.audit, no message bodies, tool args/output, credentials, or approval refs. Provider resource IDs are always SHA-256 hashed before persistence/log emission, with canary tests proving raw resource secret material is absent.
  • Correlation is propagated into durable audit metadata with duration and stable error codes; denied termination records policy_denied, provider failures record provider_error without provider error detail.
  • Provider health/status and effective policy output are safe-to-expose: provider errors are reduced to provider_unavailable, no endpoints/credentials/request content/error detail are returned, and /health/ready returns only readiness status.
  • git diff --check clean; no credential material or secret values in the PR diff beyond explicit canary test strings.
VERIFIED APPROVE reviewer-of-record [W-jarvis:reviewer] head adfa5c0697512853cafc7c442ec08b125a1f3e30 Evidence: - Exact PR/branch head verified: `adfa5c0697512853cafc7c442ec08b125a1f3e30`. - PR CI green on exact head: `ci/woodpecker/pr/ci` pipeline 1720 success. - Runtime/provider audit remains fail-closed before side effects: `RuntimeProviderService` still awaits the requested audit record before provider lookup/capability/provider invocation, and the regression test verifies provider send is not called when audit persistence rejects. - Durable audit is metadata-only via `createRuntimeAuditLogEntry()`: explicit allowlist only, content fixed to `runtime.provider.audit`, no message bodies, tool args/output, credentials, or approval refs. Provider resource IDs are always SHA-256 hashed before persistence/log emission, with canary tests proving raw resource secret material is absent. - Correlation is propagated into durable audit metadata with duration and stable error codes; denied termination records `policy_denied`, provider failures record `provider_error` without provider error detail. - Provider health/status and effective policy output are safe-to-expose: provider errors are reduced to `provider_unavailable`, no endpoints/credentials/request content/error detail are returned, and `/health/ready` returns only readiness status. - `git diff --check` clean; no credential material or secret values in the PR diff beyond explicit canary test strings.
jason.woltje force-pushed feat/tess-observability-terra from adfa5c0697 to 53f5414131 2026-07-13 01:18:03 +00:00 Compare
Author
Owner

VERIFIED APPROVE reviewer-of-record [W-jarvis:reviewer] head 53f5414131

Evidence:

  • Exact PR/branch head verified: 53f541413182a25a0edfd2758911a89eba16fe7c.
  • Prior approval at adfa5c0697512853cafc7c442ec08b125a1f3e30 discarded after head move; this is a fresh ROR on the new head.
  • PR CI green on exact head: ci/woodpecker/pr/ci pipeline 1723 success.
  • Rebase preserved both @mosaicstack/log barrel exports: redaction (redactSensitiveContent, RedactionResult, SensitiveClassification) and runtime audit (createRuntimeAuditLogEntry, RuntimeAuditEvent, RuntimeAuditErrorCode, RuntimeAuditOperation, RuntimeAuditOutcome).
  • Runtime audit remains metadata-only: fixed log content, explicit allowlist, no message bodies/tool args/tool output/credentials/approval refs, and provider resource IDs are SHA-256 hashed before persistence/log emission.
  • Fail-closed audit-before-side-effects remains intact: requested audit is awaited before provider lookup/capability/provider invocation, and tests still prove provider side effects do not run when audit persistence rejects.
  • Effective provider policy/status and readiness remain safe-to-expose: provider errors become stable provider_unavailable, readiness returns only status, and no endpoint/credential/request content/provider error detail is exposed.
  • git diff --check clean; no credential material in diff beyond canary test strings.
VERIFIED APPROVE reviewer-of-record [W-jarvis:reviewer] head 53f541413182a25a0edfd2758911a89eba16fe7c Evidence: - Exact PR/branch head verified: `53f541413182a25a0edfd2758911a89eba16fe7c`. - Prior approval at `adfa5c0697512853cafc7c442ec08b125a1f3e30` discarded after head move; this is a fresh ROR on the new head. - PR CI green on exact head: `ci/woodpecker/pr/ci` pipeline 1723 success. - Rebase preserved both `@mosaicstack/log` barrel exports: redaction (`redactSensitiveContent`, `RedactionResult`, `SensitiveClassification`) and runtime audit (`createRuntimeAuditLogEntry`, `RuntimeAuditEvent`, `RuntimeAuditErrorCode`, `RuntimeAuditOperation`, `RuntimeAuditOutcome`). - Runtime audit remains metadata-only: fixed log content, explicit allowlist, no message bodies/tool args/tool output/credentials/approval refs, and provider resource IDs are SHA-256 hashed before persistence/log emission. - Fail-closed audit-before-side-effects remains intact: requested audit is awaited before provider lookup/capability/provider invocation, and tests still prove provider side effects do not run when audit persistence rejects. - Effective provider policy/status and readiness remain safe-to-expose: provider errors become stable `provider_unavailable`, readiness returns only status, and no endpoint/credential/request content/provider error detail is exposed. - `git diff --check` clean; no credential material in diff beyond canary test strings.
jason.woltje merged commit 86a50138a9 into main 2026-07-13 01:29:19 +00:00
jason.woltje deleted branch feat/tess-observability-terra 2026-07-13 01:29:20 +00:00
Sign in to join this conversation.
No Reviewers
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mosaicstack/stack#726