Files
awoooi/config/signoz/metadata-export-policy.json

205 lines
5.7 KiB
JSON

{
"schema": "awoooi_signoz_metadata_export_policy_v1",
"policy_version": "2026-07-15",
"work_item_id": "P0-OBS-002",
"source_runtime": {
"canonical_id": "signoz-110-control-plane",
"signoz_version": "v0.113.0",
"minimum_python_version": "3.10",
"raw_database_access_allowed": false,
"raw_volume_access_allowed": false,
"github_supply_chain_allowed": false
},
"authentication": {
"header_name": "SIGNOZ-API-KEY",
"secret_value_in_arguments_allowed": false,
"secret_reference_type": "root_owned_regular_file",
"accepted_file_modes": [
"0400",
"0600"
]
},
"limits": {
"request_timeout_seconds": 15,
"max_response_bytes": 4194304,
"max_asset_count": 16,
"max_items_per_asset": 1000,
"max_restore_actions": 500,
"stable_read_count": 2
},
"forbidden_key_names": [
"access_key",
"access_token",
"api_key",
"authorization",
"client_secret",
"cookie",
"credential",
"password",
"private_key",
"refresh_token",
"routing_key",
"secret",
"service_account_json",
"session",
"token",
"webhook_url"
],
"forbidden_value_patterns": [
"-----BEGIN [A-Z ]*PRIVATE KEY-----",
"(?i)\\bBearer\\s+[A-Za-z0-9._~+/-]{16,}={0,2}\\b",
"(?i)https?://[^/@\\s]+:[^/@\\s]+@"
],
"forbidden_endpoints": [
{
"id": "personal_access_tokens",
"path": "/api/v1/pats",
"reason": "response may contain an API token"
},
{
"id": "authentication_domains",
"path": "/api/v1/domains",
"reason": "response may contain OIDC or Google client secrets"
},
{
"id": "notification_channels",
"path": "/api/v1/channels",
"reason": "response may contain webhook and routing credentials"
},
{
"id": "users_and_credentials",
"path": "/api/v1/user",
"reason": "credential lifecycle is reconstructed, not exported"
},
{
"id": "invitations",
"path": "/api/v1/invite",
"reason": "invitation tokens are non-portable credentials"
},
{
"id": "sessions",
"path": "/api/v1/sessions",
"reason": "sessions are explicitly outside backup scope"
}
],
"assets": [
{
"id": "dashboards",
"endpoint": "/api/v1/dashboards",
"method": "GET",
"response_pointer": "/data",
"response_kind": "collection",
"classification": "portable",
"restore": {
"method": "POST",
"endpoint": "/api/v1/dashboards",
"strategy": "collection_items",
"strip_top_level_fields": [
"createdAt",
"id",
"orgId",
"updatedAt",
"uuid"
]
}
},
{
"id": "alert_rules",
"endpoint": "/api/v1/rules",
"method": "GET",
"response_pointer": "/data",
"response_kind": "collection",
"classification": "portable",
"restore": {
"method": "POST",
"endpoint": "/api/v1/rules",
"strategy": "collection_items",
"strip_top_level_fields": [
"createdAt",
"id",
"orgId",
"updatedAt"
]
}
},
{
"id": "explorer_views",
"endpoint": "/api/v1/explorer/views",
"method": "GET",
"response_pointer": "/data",
"response_kind": "collection",
"classification": "portable",
"restore": {
"method": "POST",
"endpoint": "/api/v1/explorer/views",
"strategy": "collection_items",
"strip_top_level_fields": [
"createdAt",
"id",
"orgId",
"updatedAt",
"userId"
]
}
},
{
"id": "roles",
"endpoint": "/api/v1/roles",
"method": "GET",
"response_pointer": "/data",
"response_kind": "collection",
"classification": "export_only",
"coverage_gap": "role relation objects require a separately bounded enumerator"
},
{
"id": "organization_preferences",
"endpoint": "/api/v1/org/preferences",
"method": "GET",
"response_pointer": "/data",
"response_kind": "collection",
"classification": "export_only",
"coverage_gap": "preference names require a reviewed per-name restore allowlist"
},
{
"id": "user_preferences",
"endpoint": "/api/v1/user/preferences",
"method": "GET",
"response_pointer": "/data",
"response_kind": "collection",
"classification": "export_only",
"coverage_gap": "principal-scoped preferences are not portable without identity reconstruction"
},
{
"id": "global_config",
"endpoint": "/api/v1/global/config",
"method": "GET",
"response_pointer": "/data",
"response_kind": "document",
"classification": "export_only",
"coverage_gap": "readback-only configuration has no supported write endpoint"
}
],
"restore_isolation": {
"target_url_scope": "loopback_only",
"required_image_ref": "signoz/signoz:v0.113.0",
"image_id_sha256_required": true,
"image_pull_allowed": false,
"production_network_attachment_allowed": false,
"production_volume_attachment_allowed": false,
"ephemeral_volumes_only": true,
"cleanup_controller_required": true,
"zero_residue_verifier_required": true,
"resource_label_key": "awoooi.signoz.metadata.restore.run_id"
},
"completion_contract": {
"portable_export_alone_is_completion": false,
"independent_bundle_verifier_required": true,
"isolated_restore_semantic_readback_required": true,
"zero_residue_terminal_required": true,
"durable_terminal_receipt_required_for_apply": true,
"failure_terminal_receipt_required": true,
"secret_assets_reissue_required": true,
"full_sqlite_completion_claim_allowed": false
}
}