
Revise architecture document with end-to-end FixOps view#27

Merged
DevOpsMadDog merged 3 commits into
mainfrom
codex/find-algorithm-used-with-markov
Oct 4, 2025

Conversation

@DevOpsMadDog
Owner

Summary

  • rewrite the FixOps architecture documentation to cover platform scope, layered design, and SSDLC process mapping
  • document the major services, tooling stack, and enhancement implementation matrix across the platform
  • add deployment, security, and roadmap details that align the current build with upcoming FixOps initiatives

Testing

  • not run (documentation only)

https://chatgpt.com/codex/tasks/task_e_68dfceb1b460832998c5c08248afd5d9

@DevOpsMadDog DevOpsMadDog merged commit df2dc34 into main Oct 4, 2025
DevOpsMadDog added a commit that referenced this pull request May 1, 2026
…detections — close type-a #27

Type-a empty endpoint #27 (`/api/v1/ai-soc/detections`) was the last connector-
backed slot in the 30-row triage with no live source. This commit makes the
list endpoint self-heal against Microsoft Defender XDR via the existing
DefenderXDRLiveConnector (Microsoft Graph Security API) instead of returning
the static "not yet implemented" hint.

Why
---
Triage doc `docs/empty_endpoints_triage_2026-04-26.md` row #27 was DEFERRED
because no XDR adapter was wired to the AI-SOC engine, even though
`suite-core/connectors/defender_xdr_live_connector.py` already shipped a real
OAuth-2/Graph client that calls /security/alerts_v2 and normalizes payloads.
The router was returning [] + a stale hint, causing the endpoint to fail the
NO MOCKS contract for any tenant whose org never POSTed a manual detection.

What
----
- suite-core/core/ai_powered_soc_engine.py
  + new `_DEFENDER_TYPE_TO_SOURCE` mapping (Defender finding_type → ALDECI
    source_data_type enum: malware/secret-exposure/data-leak/policy-violation/
    vulnerability/anomaly).
  + new `_project_defender_alert_as_detection()` projects each normalized
    alert into the canonical `aps_detection` row shape (CVSS×10 → confidence,
    informational/info → low, drops alerts missing title/severity).
  + new `list_detections_with_xdr_fallback()` returns a 5-state envelope:
      1. `org_registered`     — org has rows
      2. `defender_xdr`       — connector returned alerts (deduped on
                                stable Defender alert_id; severity/status/
                                source_data_type filters applied to derived
                                rows too)
      3. `needs_credentials`  — DEFENDER_TENANT_ID/CLIENT_ID/CLIENT_SECRET
                                missing (or connector import failed) —
                                returns structured hint, never mocks
      4. `needs_data`         — connector OK but zero alerts
      5. `connector_error`    — fetch_alerts raised or returned non-dict /
                                non-ok status — error captured (truncated
                                500 chars), never crashes the list view
- suite-api/apps/api/ai_powered_soc_router.py
  + GET /api/v1/ai-soc/detections now delegates to the new method; preserves
    org_id/severity/status/source_data_type query params verbatim.
- tests/test_ai_soc_detections_real_data.py (281 LOC, 7 tests)
  + org_registered precedence
  + needs_credentials when no env vars
  + connector returns alerts → projected & deduped
  + filter pushdown against derived rows
  + needs_data on empty alert list
  + connector exception → connector_error envelope
  + router wired (TestClient against /api/v1/ai-soc/detections)
- docs/empty_endpoints_triage_2026-04-26.md
  + row #27 marked DONE-2026-05-02 SHA=<commit>
  + class tally updated: type-a 5→6 closed, 5→4 deferred

NEVER mocks. NEVER fabricates detections. NEVER crashes when creds absent.

Multica: tracks as type-a closure batch (issue created post-commit).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
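The five-state envelope described in the commit above, as an added example that is not the FixOps project's own code: a Defender alert projection (CVSS x10 to confidence, informational/info to low, rows missing title or severity dropped), dedup on `alert_id`, filter pushdown against the derived rows, and the `needs_credentials`/`needs_data`/`connector_error` branches that never fabricate detections. The `DEFENDER_TYPE_TO_SOURCE` keys, the row shape, the hint wording and the constructed connector response are all assumptions made for the example.

```python
"""Added example of the five-state detections envelope (not FixOps project code).
Connector response shape, env-var handling and row fields are assumptions."""
import os
from typing import Callable, Optional

# Assumed Defender finding_type -> source_data_type mapping; unknown types fall back to "anomaly".
DEFENDER_TYPE_TO_SOURCE = {
    "Malware": "malware",
    "CredentialAccess": "secret-exposure",
    "Exfiltration": "data-leak",
    "PolicyViolation": "policy-violation",
    "Vulnerability": "vulnerability",
}
REQUIRED_ENV = ("DEFENDER_TENANT_ID", "DEFENDER_CLIENT_ID", "DEFENDER_CLIENT_SECRET")
FILTER_KEYS = ("severity", "status", "source_data_type")


def project_defender_alert_as_detection(alert: dict) -> Optional[dict]:
    """Map one normalised Defender alert to a detection row; None if title or severity is missing."""
    title, severity = alert.get("title"), alert.get("severity")
    if not title or not severity:
        return None
    severity = severity.lower()
    if severity in ("informational", "info"):
        severity = "low"
    cvss = float(alert.get("cvss_score") or 0.0)
    return {
        "detection_id": f"defender:{alert.get('alert_id')}",
        "title": title,
        "severity": severity,
        "status": str(alert.get("status") or "new").lower(),
        "source_data_type": DEFENDER_TYPE_TO_SOURCE.get(alert.get("finding_type"), "anomaly"),
        "confidence": max(0, min(100, int(round(cvss * 10)))),  # CVSS x10 -> 0..100
        "source": "defender_xdr",
    }


def _apply_filters(rows: list, filters: Optional[dict]) -> list:
    """Case-insensitive equality filters on severity/status/source_data_type; empty values are ignored."""
    active = {k: str(v).lower() for k, v in (filters or {}).items() if k in FILTER_KEYS and v}
    return [r for r in rows if all(str(r.get(k, "")).lower() == v for k, v in active.items())]


def _envelope(state: str, detections: Optional[list] = None, hint: Optional[str] = None) -> dict:
    return {"state": state, "detections": detections or [], "hint": hint}


def list_detections_with_xdr_fallback(org_rows: list, fetch_alerts: Optional[Callable[[], dict]],
                                      env: Optional[dict] = None, filters: Optional[dict] = None) -> dict:
    """Return one of: org_registered, defender_xdr, needs_credentials, needs_data, connector_error."""
    env = os.environ if env is None else env
    if org_rows:  # real org rows always take precedence over the connector
        return _envelope("org_registered", _apply_filters(org_rows, filters))
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing or fetch_alerts is None:  # fetch_alerts is None when the connector import failed
        hint = "Defender XDR connector unavailable" if fetch_alerts is None else "set " + ", ".join(missing)
        return _envelope("needs_credentials", hint=hint)
    try:
        result = fetch_alerts()
    except Exception as exc:  # the list view must never crash because the connector did
        return _envelope("connector_error", hint=f"{type(exc).__name__}: {exc}"[:500])
    if not isinstance(result, dict) or result.get("status") != "ok":
        return _envelope("connector_error", hint=repr(result)[:500])
    seen, rows = set(), []
    for alert in result.get("alerts") or []:
        alert_id = alert.get("alert_id")
        if alert_id is not None:  # dedup on the stable Defender alert id
            if alert_id in seen:
                continue
            seen.add(alert_id)
        row = project_defender_alert_as_detection(alert)
        if row is not None:
            rows.append(row)
    rows = _apply_filters(rows, filters)
    if not rows:
        return _envelope("needs_data", hint="connector reachable but no alerts matched")
    return _envelope("defender_xdr", rows)


# Constructed sample input (not captured from a real tenant).
CONSTRUCTED_ENV = {"DEFENDER_TENANT_ID": "tenant-x", "DEFENDER_CLIENT_ID": "client-x",
                   "DEFENDER_CLIENT_SECRET": "secret-x"}
CONSTRUCTED_RESPONSE = {
    "status": "ok",
    "alerts": [
        {"alert_id": "da-1", "title": "Suspicious process execution", "severity": "High",
         "status": "New", "finding_type": "Malware", "cvss_score": 8.8},
        {"alert_id": "da-1", "title": "Suspicious process execution", "severity": "High",
         "status": "New", "finding_type": "Malware", "cvss_score": 8.8},  # duplicate page
        {"alert_id": "da-2", "title": "Unusual sign-in location", "severity": "Informational",
         "status": "InProgress", "finding_type": "UnusualBehaviour"},
        {"alert_id": "da-3", "severity": "Medium"},  # no title -> dropped
    ],
}


def demo(filters: Optional[dict] = None) -> dict:
    """Run the fallback against the constructed response with no org rows registered."""
    return list_detections_with_xdr_fallback([], lambda: CONSTRUCTED_RESPONSE,
                                             env=CONSTRUCTED_ENV, filters=filters)


if __name__ == "__main__":
    out = demo()
    print(out["state"], len(out["detections"]))
```

The envelope carries a `hint` string in every non-data state so the caller can tell "no credentials" from "connector broke" without a status code; the error text is truncated to 500 characters as the commit describes, so a connector stack trace cannot balloon the response.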
DevOpsMadDog added a commit that referenced this pull request May 1, 2026
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DevOpsMadDog added a commit that referenced this pull request May 1, 2026
… 6/10 closed

Wrap-v3 captures the post-handoff wave (5 commits past SHA 56be3df):
- fb3b051 HANDOFF refresh (44 -> 50 hub correction)
- 7df4318 smoke extended to 50 hubs
- 8bb26ae MobSF type-a #25 closed
- 0a1eb98 Defender XDR type-a #27 closed
- 8b1e749 triage backfill

Net effect:
- type-a tally 4/10 -> 6/10 closed
- Beast Mode canonical 753 -> 760 (+7 real-data tests)
- smoke coverage now spans all 50 hubs (42/42 pass)

New doc: docs/SESSION_METRICS_2026-05-02.md
- 172 commits this session, +30787/-1507 LOC across 545 files
- Multica issues 3604-3662 range cited (15 explicit + broader fold)
- ~30 new tests/test_*_real_data.py + tests/test_*hub*.py listed
- 50 hubs grouped by CTEM+ category (Discover/Validate/Remediate/Comply/etc)

HANDOFF updates:
- Section 1 TL;DR refreshed (122 commits, 760 canonical Beast Mode)
- Section 8 type-a deferred dropped from 6 to 4 (closed #25 + #27)
- Section 13 wrap-v3 addendum with the 5 post-handoff commits + dast_router stash note

Loose end carried forward: suite-attack/api/dast_router.py held a 6-line
/status alias endpoint dirty all session. Stashed as stash@{0} pre-wrap;
recover with `git stash pop` if intended, drop if obsolete.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DevOpsMadDog added a commit that referenced this pull request May 2, 2026
…ring, no stubs

Closes 4 type-a deferred empty endpoints from `docs/empty_endpoints_triage_2026-04-26.md`
by wiring **existing** cloud-credential-backed connectors (no new stubs; followed
the canonical fallback pattern from cloud-posture/findings + cwp/workloads):

| # | Endpoint                              | Connector / fallback source           |
|---|---------------------------------------|---------------------------------------|
| 14| /api/v1/session-recording/sessions    | CyberArkConnector (PAM)               |
| 20| /api/v1/sspm/apps                     | AppOmniConnector (SSPM)               |
| 18| /api/v1/cloud-cost/snapshots          | NEW AWSCostExplorerConnector (FinOps) |
|  3| /api/v1/asset-criticality/assets      | SecurityFindingsEngine projection     |

Pattern (5-state envelope, NEVER mocks):
  - org_registered      → real org rows from engine SQLite
  - {connector_source}  → projected from connector live data
  - needs_credentials   → structured hint listing required env vars
  - needs_data          → connector reachable but empty / filters miss
  - connector_error     → connector returned status != ok

For #18, built a brand-new `AWSCostExplorerConnector` (env-gated boto3 import;
gracefully no-ops without AWS creds OR boto3) — no behavioural dep on boto3 at
import time.

For #3, asset-criticality projects distinct asset_id from any
SecurityFindingsEngine row (CSPM/SSPM/PAM/EDR rows already include asset_id) →
derives criticality_score from severity weights (critical=25, high=15,
medium=7, low=2) → maps to tier (80+ critical / 60+ high / 40+ medium / <40
low).

Tests: 33 new (all passing) — 8 PSR/PAM, 8 SSPM/AppOmni, 8 cloud-cost/AWS, 9
asset-criticality. Each suite covers: org_registered precedence, projection
accuracy, filter application, connector_error envelope, needs_credentials
envelope, full HTTP path through TestClient + an error path (404).

Beast Mode: 753/753 baseline hold, +33 new = 786 passing. Zero regressions.

Type-a tally: 4 closed → tally now 8 closed / 2 deferred (was 6 deferred:
#3, #14, #18, #20 closed; #25 mobile-app-security and #27 ai-soc/detections
already wired in prior sessions).

Files changed:
  suite-core/connectors/aws_cost_explorer_connector.py            (NEW, +260)
  suite-core/core/privileged_session_recording_engine.py          (+ fallback)
  suite-core/core/saas_security_posture_engine.py                 (+ fallback)
  suite-core/core/cloud_cost_security_engine.py                   (+ fallback)
  suite-core/core/asset_criticality_engine.py                     (+ fallback)
  suite-api/apps/api/privileged_session_recording_router.py       (wire fallback)
  suite-api/apps/api/saas_security_posture_router.py              (wire fallback)
  suite-api/apps/api/cloud_cost_security_router.py                (wire fallback)
  suite-api/apps/api/asset_criticality_router.py                  (wire fallback)
  tests/test_session_recording_pam_real_data.py                   (NEW, 8 tests)
  tests/test_sspm_appomni_real_data.py                            (NEW, 8 tests)
  tests/test_cloud_cost_aws_real_data.py                          (NEW, 8 tests)
  tests/test_asset_criticality_findings_real_data.py              (NEW, 9 tests)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
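The asset-criticality projection for #3 described above, as an added example rather than the project's own engine code: distinct `asset_id` values are drawn from finding rows, a `criticality_score` is derived from the stated severity weights (critical=25, high=15, medium=7, low=2) and mapped to the stated tiers (80+ critical, 60+ high, 40+ medium, otherwise low). The aggregation (summing weights per asset and capping at 100), the output fields and the constructed finding rows are assumptions; the commit does not say how weights combine.

```python
"""Added example of asset-criticality projection from finding rows (not FixOps project code).
Aggregation rule (sum of weights, capped at 100) and output fields are assumptions."""
from collections import defaultdict

# Severity weights and tier thresholds as stated in the commit message.
SEVERITY_WEIGHTS = {"critical": 25, "high": 15, "medium": 7, "low": 2}


def criticality_tier(score: int) -> str:
    """80+ critical / 60+ high / 40+ medium / <40 low."""
    if score >= 80:
        return "critical"
    if score >= 60:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def project_asset_criticality(findings: list) -> list:
    """Group findings by asset_id, sum severity weights (assumed, capped at 100), attach a tier.

    Rows without an asset_id are skipped; unknown severities contribute 0 but still count
    as findings. Result is sorted by score descending, then asset_id for stable output.
    """
    scores = defaultdict(int)
    counts = defaultdict(int)
    sources = defaultdict(set)
    for finding in findings:
        asset_id = finding.get("asset_id")
        if not asset_id:
            continue
        scores[asset_id] += SEVERITY_WEIGHTS.get(str(finding.get("severity", "")).lower(), 0)
        counts[asset_id] += 1
        if finding.get("source"):
            sources[asset_id].add(finding["source"])
    assets = []
    for asset_id, raw in scores.items():
        score = min(100, raw)
        assets.append({
            "asset_id": asset_id,
            "criticality_score": score,
            "tier": criticality_tier(score),
            "finding_count": counts[asset_id],
            "sources": sorted(sources[asset_id]),
        })
    assets.sort(key=lambda a: (-a["criticality_score"], a["asset_id"]))
    return assets


# Constructed finding rows (not real SecurityFindingsEngine output).
CONSTRUCTED_FINDINGS = [
    {"asset_id": "db-01", "severity": "critical", "source": "CSPM"},
    {"asset_id": "db-01", "severity": "Critical", "source": "EDR"},
    {"asset_id": "db-01", "severity": "critical", "source": "EDR"},
    {"asset_id": "db-01", "severity": "high", "source": "PAM"},
    {"asset_id": "api-02", "severity": "high", "source": "SSPM"},
    {"asset_id": "api-02", "severity": "high", "source": "SSPM"},
    {"asset_id": "api-02", "severity": "high", "source": "SSPM"},
    {"asset_id": "api-02", "severity": "high", "source": "SSPM"},
    {"asset_id": "api-02", "severity": "high", "source": "EDR"},
    {"asset_id": "web-01", "severity": "critical", "source": "CSPM"},
    {"asset_id": "web-01", "severity": "high", "source": "CSPM"},
    {"asset_id": "web-01", "severity": "medium", "source": "EDR"},
    {"asset_id": "bastion-01", "severity": "low", "source": "PAM"},
    {"asset_id": "bastion-01", "severity": "low", "source": "PAM"},
    {"asset_id": "bastion-01", "severity": "informational", "source": "PAM"},  # weight 0
    {"severity": "critical", "source": "CSPM"},  # no asset_id -> skipped
]


def demo() -> list:
    return project_asset_criticality(CONSTRUCTED_FINDINGS)


if __name__ == "__main__":
    for asset in demo():
        print(asset["asset_id"], asset["criticality_score"], asset["tier"])
```

Because the score is capped, a host with many low findings can never be promoted past what its weights justify, and the `sources` list records which connector families (CSPM/SSPM/PAM/EDR) contributed, which is what a reviewer needs to check that a tier was earned rather than produced by duplicate ingestion.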
DevOpsMadDog added a commit that referenced this pull request May 5, 2026
…4e5e408

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>