ADR-005: Platform-Only Finding Generation
Decision to move all detection/finding logic to the platform evaluator and remove connector-side detectors
Introduce type='permission_set' for AWS IAM Policies (and analogous policy-holder entities) rather than reusing type='role'
Define the source_system tenancy scheme for AWS entities — account-scoped identifiers to support multi-account and multi-customer deployments
scan_runs is the pipeline-run root; stage outcomes are stamped onto scan_runs.category_results under reserved __stage keys; a typed CredentialBroker is the only runtime path that resolves CredentialsRef; deploy-gate rematerialization (ADR-026 path b) is one job kind, generalised to all derived collections.
Quick-reference runbook for any agent, CI job, connector, or external script that needs to authenticate against the sv0-platform API. Covers the three live machine-auth paths and explicitly forbids replicating the deprecated personal-agent bridge.
Current-state audit of sv0-platform's connector → ingest → chain-assemble → evaluate pipeline. Confirms Stream-1 Phases 1-3 already shipped (scheduler, atomic scope claim, execute_scan worker, connector-driver seam, sync→eval→evidence cascade). Identifies the single hard blocker (inert credential broker — `InProcessSubprocessDriver` constructed at `src/index.ts:98` with `env: undefined`) and ten secondary gaps. Drives the decision in ADR-027; lays out the seven-slice migration.
High-level implementation plan and graph-enhancement research for a SecurityV0 AWS connector — covering IAM identity graph, workload metadata, ECR/code-deploy chain, and cross-account trust modelling
Synthesized plan from three concurrent architectural reviews (Gemini3, Codex, fresh architect review) to make the connector ETL pipeline produce audit-grade, deterministic execution evidence
Comprehensive feasibility study for execution-determined authority paths
Plan to give ServiceNow scheduled jobs that call Azure Function Apps via function-key auth a discoverable identity binding so they produce complete authority paths instead of unlinked workloads with empty execution_paths.
Plan to harden scan safety (no automatic large soft-removals from a single suspect scan) and add connector observability after a fresh scan removed all 5 authority paths for the default tenant on 2026-02-26.
Plan to extend the azure-foundry connector to synthesize the data-plane authority chain (workload to RUNS_AS to identity to HAS_ROLE to role to GRANTS to permission to APPLIES_TO to resource) without platform-side changes.
Per-tenant AWS connector that scans N accounts × M service categories independently, with role-chain auth and partial-failure isolation.
Concrete connector reference implementing the abstract interface from 05-connectors.md