205 lines
5.7 KiB
JSON
205 lines
5.7 KiB
JSON
{
|
|
"schema": "awoooi_signoz_metadata_export_policy_v1",
|
|
"policy_version": "2026-07-15",
|
|
"work_item_id": "P0-OBS-002",
|
|
"source_runtime": {
|
|
"canonical_id": "signoz-110-control-plane",
|
|
"signoz_version": "v0.113.0",
|
|
"minimum_python_version": "3.10",
|
|
"raw_database_access_allowed": false,
|
|
"raw_volume_access_allowed": false,
|
|
"github_supply_chain_allowed": false
|
|
},
|
|
"authentication": {
|
|
"header_name": "SIGNOZ-API-KEY",
|
|
"secret_value_in_arguments_allowed": false,
|
|
"secret_reference_type": "root_owned_regular_file",
|
|
"accepted_file_modes": [
|
|
"0400",
|
|
"0600"
|
|
]
|
|
},
|
|
"limits": {
|
|
"request_timeout_seconds": 15,
|
|
"max_response_bytes": 4194304,
|
|
"max_asset_count": 16,
|
|
"max_items_per_asset": 1000,
|
|
"max_restore_actions": 500,
|
|
"stable_read_count": 2
|
|
},
|
|
"forbidden_key_names": [
|
|
"access_key",
|
|
"access_token",
|
|
"api_key",
|
|
"authorization",
|
|
"client_secret",
|
|
"cookie",
|
|
"credential",
|
|
"password",
|
|
"private_key",
|
|
"refresh_token",
|
|
"routing_key",
|
|
"secret",
|
|
"service_account_json",
|
|
"session",
|
|
"token",
|
|
"webhook_url"
|
|
],
|
|
"forbidden_value_patterns": [
|
|
"-----BEGIN [A-Z ]*PRIVATE KEY-----",
|
|
"(?i)\\bBearer\\s+[A-Za-z0-9._~+/-]{16,}={0,2}\\b",
|
|
"(?i)https?://[^/@\\s]+:[^/@\\s]+@"
|
|
],
|
|
"forbidden_endpoints": [
|
|
{
|
|
"id": "personal_access_tokens",
|
|
"path": "/api/v1/pats",
|
|
"reason": "response may contain an API token"
|
|
},
|
|
{
|
|
"id": "authentication_domains",
|
|
"path": "/api/v1/domains",
|
|
"reason": "response may contain OIDC or Google client secrets"
|
|
},
|
|
{
|
|
"id": "notification_channels",
|
|
"path": "/api/v1/channels",
|
|
"reason": "response may contain webhook and routing credentials"
|
|
},
|
|
{
|
|
"id": "users_and_credentials",
|
|
"path": "/api/v1/user",
|
|
"reason": "credential lifecycle is reconstructed, not exported"
|
|
},
|
|
{
|
|
"id": "invitations",
|
|
"path": "/api/v1/invite",
|
|
"reason": "invitation tokens are non-portable credentials"
|
|
},
|
|
{
|
|
"id": "sessions",
|
|
"path": "/api/v1/sessions",
|
|
"reason": "sessions are explicitly outside backup scope"
|
|
}
|
|
],
|
|
"assets": [
|
|
{
|
|
"id": "dashboards",
|
|
"endpoint": "/api/v1/dashboards",
|
|
"method": "GET",
|
|
"response_pointer": "/data",
|
|
"response_kind": "collection",
|
|
"classification": "portable",
|
|
"restore": {
|
|
"method": "POST",
|
|
"endpoint": "/api/v1/dashboards",
|
|
"strategy": "collection_items",
|
|
"strip_top_level_fields": [
|
|
"createdAt",
|
|
"id",
|
|
"orgId",
|
|
"updatedAt",
|
|
"uuid"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "alert_rules",
|
|
"endpoint": "/api/v1/rules",
|
|
"method": "GET",
|
|
"response_pointer": "/data",
|
|
"response_kind": "collection",
|
|
"classification": "portable",
|
|
"restore": {
|
|
"method": "POST",
|
|
"endpoint": "/api/v1/rules",
|
|
"strategy": "collection_items",
|
|
"strip_top_level_fields": [
|
|
"createdAt",
|
|
"id",
|
|
"orgId",
|
|
"updatedAt"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "explorer_views",
|
|
"endpoint": "/api/v1/explorer/views",
|
|
"method": "GET",
|
|
"response_pointer": "/data",
|
|
"response_kind": "collection",
|
|
"classification": "portable",
|
|
"restore": {
|
|
"method": "POST",
|
|
"endpoint": "/api/v1/explorer/views",
|
|
"strategy": "collection_items",
|
|
"strip_top_level_fields": [
|
|
"createdAt",
|
|
"id",
|
|
"orgId",
|
|
"updatedAt",
|
|
"userId"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "roles",
|
|
"endpoint": "/api/v1/roles",
|
|
"method": "GET",
|
|
"response_pointer": "/data",
|
|
"response_kind": "collection",
|
|
"classification": "export_only",
|
|
"coverage_gap": "role relation objects require a separately bounded enumerator"
|
|
},
|
|
{
|
|
"id": "organization_preferences",
|
|
"endpoint": "/api/v1/org/preferences",
|
|
"method": "GET",
|
|
"response_pointer": "/data",
|
|
"response_kind": "collection",
|
|
"classification": "export_only",
|
|
"coverage_gap": "preference names require a reviewed per-name restore allowlist"
|
|
},
|
|
{
|
|
"id": "user_preferences",
|
|
"endpoint": "/api/v1/user/preferences",
|
|
"method": "GET",
|
|
"response_pointer": "/data",
|
|
"response_kind": "collection",
|
|
"classification": "export_only",
|
|
"coverage_gap": "principal-scoped preferences are not portable without identity reconstruction"
|
|
},
|
|
{
|
|
"id": "global_config",
|
|
"endpoint": "/api/v1/global/config",
|
|
"method": "GET",
|
|
"response_pointer": "/data",
|
|
"response_kind": "document",
|
|
"classification": "export_only",
|
|
"coverage_gap": "readback-only configuration has no supported write endpoint"
|
|
}
|
|
],
|
|
"restore_isolation": {
|
|
"target_url_scope": "loopback_only",
|
|
"required_image_ref": "signoz/signoz:v0.113.0",
|
|
"image_id_sha256_required": true,
|
|
"image_pull_allowed": false,
|
|
"production_network_attachment_allowed": false,
|
|
"production_volume_attachment_allowed": false,
|
|
"ephemeral_volumes_only": true,
|
|
"cleanup_controller_required": true,
|
|
"zero_residue_verifier_required": true,
|
|
"resource_label_key": "awoooi.signoz.metadata.restore.run_id"
|
|
},
|
|
"completion_contract": {
|
|
"portable_export_alone_is_completion": false,
|
|
"independent_bundle_verifier_required": true,
|
|
"isolated_restore_semantic_readback_required": true,
|
|
"zero_residue_terminal_required": true,
|
|
"durable_terminal_receipt_required_for_apply": true,
|
|
"failure_terminal_receipt_required": true,
|
|
"secret_assets_reissue_required": true,
|
|
"full_sqlite_completion_claim_allowed": false
|
|
}
|
|
}
|