Phase 0 Sprint 0.1 - Telemetry Capability Removal
Scope
This sprint removes telemetry ingestion from the client API and keeps the client API focused on tenant portal read and compliance access patterns.
Threat Model
- Asset: tenant telemetry data, client API attack surface, tenant isolation boundaries.
- Adversary: external actor abusing public write routes, compromised integration client, replay actor.
- Trust boundary: all public client API endpoints.
Attack Vectors Considered
- Unauthorized telemetry POST attempts to
/api/v1/client/events. - Abuse of
/api/v1/integrations/spectrastrike/*ingestion endpoints. - Replay or forged ingestion payload submissions.
- Lateral tenant probing through ingest status APIs.
Mitigations Implemented
- Removed SpectraStrike telemetry ingestion router from the runtime API.
- Removed client telemetry event ingestion endpoint from
vv_client_api.py. - Removed ingestion DTO/controller/service modules previously used by SpectraStrike ingest flows.
- Added security regression tests to enforce endpoint absence and write-method rejection on read-only resources.
- Added SQL cleanup script to drop telemetry ingestion tables:
spectrastrike_ingest_requestsspectrastrike_idempotencyspectrastrike_eventsspectrastrike_findingsclient_activity_events
Residual Risk
- Portal code may still attempt telemetry calls; these now fail closed (
404). - Existing deployed databases require explicit cleanup script execution.
- Legacy docs/manual references can reintroduce confusion if not retired consistently.
Future Improvements
- Introduce dedicated private telemetry gateway (Phase 1) with mandatory mTLS and signature verification.
- Add startup policy checks that fail service boot when public telemetry ingestion routes are present.
- Add CI policy gate that scans OpenAPI for forbidden ingestion endpoints.