Pick a persistent store for delegated_agent audit log entries. Recommend Grafana Cloud Loki (already adopted by ADR-019, free at pilot scale) for general-purpose audit retention, with a small Mongo audit_logs collection reserved only for the customer-facing 'who did what' query surface once a tenant asks for one.
scan_runs is the pipeline-run root; stage outcomes are stamped onto scan_runs.category_results under reserved __stage keys; a typed CredentialBroker is the only runtime path that resolves CredentialsRef; deploy-gate rematerialization (ADR-026 path b) is one job kind, generalised to all derived collections.
Current-state audit of sv0-platform's connector → ingest → chain-assemble → evaluate pipeline. Confirms Stream-1 Phases 1-3 already shipped (scheduler, atomic scope claim, execute_scan worker, connector-driver seam, sync→eval→evidence cascade). Identifies the single hard blocker (inert credential broker — `InProcessSubprocessDriver` constructed at `src/index.ts:98` with `env: undefined`) and ten secondary gaps. Drives the decision in ADR-027; lays out the seven-slice migration.
Unified strategy for moving SecurityV0 from manual scans to autonomous operations with built-in cross-validation, observability, and an Azure VM hosting lane — ahead of the MediaPro pilot.
Deployment strategy options for SecurityV0 from MVP to production scale, including container orchestration paths, observability/logging tradeoffs, CLI operability, and CI/CD automation
One-page operations index — every SecurityV0 environment and the links to its dashboards, logs, uptime monitors, and infra consoles.
Honest per-connector accounting of how SecurityV0 derives execution counts, where those numbers match ground truth, and where they don't.
Plan to harden scan safety (no automatic large soft-removals from a single suspect scan) and add connector observability after a fresh scan removed all 5 authority paths for the default tenant on 2026-02-26.
Observability stack selection for sv0-platform: evaluates 10 options (Grafana Cloud, self-hosted LGTM, Datadog, BetterStack, Axiom, SigNoz, New Relic, Honeycomb, Cloudflare, stitched-minimum) against cost, agentic access (MCP availability), portability across Hetzner/Azure-VM/AWS-VM, and free-tier allowances. Pick: Grafana Cloud free + BetterStack free + grafana/mcp-grafana.
Operational resiliency plan — error capture, Grafana Cloud log aggregation, external probing, Slack alerting. Middle ground: shared visibility without overengineering.
Defines the batch processing pipeline from connector submission through findings and evidence packs