Document audit-core mock sink handoff

2026-06-01 23:44:06 +02:00
parent c0c6ead5dd
commit c0d4ec9037
2 changed files with 16 additions and 1 deletions


@@ -272,7 +272,8 @@ Before any live application secrets move into OpenBao:
custody. The drill must prove that a fresh OpenBao instance can restore the
snapshot, unseal, and read a test secret.
5. Decide where audit logs are shipped durably. The audit PVC alone is not a
durable audit sink.
durable audit sink. The interim `audit-core` mock file backend can prove API
and setup wiring, but it writes to `/tmp` and is not production retention.
6. Run:
```bash
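Review bot: The sentence added to step 5 says the mock backend "can prove API and setup wiring", which a reader working through this pre-production checklist could take as partly satisfying the item. Since the list is headed "Before any live application secrets move into OpenBao", state outright that step 5 stays open while `audit-core` is the only sink, for example by appending "and does not satisfy this step". The seven-day deletion is only mentioned in the later hunk; repeating it here would make the "not production retention" claim concrete at the point where the decision is made.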
@@ -306,6 +307,12 @@ such as an encrypted platform backup/export path or the future centralized
logging stack. Do not treat non-secret hashes, screenshots, or State Hub notes
as substitutes for retained audit log custody.
Interim integration status: `/home/worsch/audit-core` provides a mock
Audit Core backend that writes JSONL records under
`/tmp/audit-core/audit-YYYYMMDDTHH.jsonl` and deletes files older than seven
days. Use it only to wire interfaces and setup validation before the durable
Audit Core archive exists.
Monitoring baseline:
- pod readiness and liveness from Kubernetes probes
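Review bot: The new paragraph points at `/home/worsch/audit-core`, a path inside one user's home directory, so the runbook only resolves on that account's machine. Reference the repository or a location-independent name instead. The paragraph also documents where records land (`/tmp/audit-core/audit-YYYYMMDDTHH.jsonl`) and the seven-day deletion, but not who can read or write that directory; a line on the expected owner and mode, and a note that only test audit events should be sent to it, would keep the "only to wire interfaces and setup validation" restriction checkable.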