rwilliamspbg-ops
diff --git a/‎.github/workflows/observability-ci.yml‎
Lines changed: 26 additions & 0 deletions b/‎.github/workflows/observability-ci.yml‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎.github/workflows/security-supply-chain.yml‎
Lines changed: 49 additions & 0 deletions b/‎.github/workflows/security-supply-chain.yml‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎Dockerfile.backend.optimized‎
Lines changed: 10 additions & 5 deletions b/‎Dockerfile.backend.optimized‎
Lines changed: 10 additions & 5 deletions
diff --git a/‎Dockerfile.node-agent‎
Lines changed: 4 additions & 0 deletions b/‎Dockerfile.node-agent‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎config/channels/dev.env‎
Lines changed: 8 additions & 0 deletions b/‎config/channels/dev.env‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎config/channels/prod.env‎
Lines changed: 8 additions & 0 deletions b/‎config/channels/prod.env‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎config/channels/stage.env‎
Lines changed: 8 additions & 0 deletions b/‎config/channels/stage.env‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎dashboard_compat_rules.yml‎
Lines changed: 13 additions & 13 deletions b/‎dashboard_compat_rules.yml‎
Lines changed: 13 additions & 13 deletions
diff --git a/‎deploy/kubernetes/fl-autoscaling-hpa.yaml‎
Lines changed: 39 additions & 0 deletions b/‎deploy/kubernetes/fl-autoscaling-hpa.yaml‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎docker-compose.full.yml‎
Lines changed: 56 additions & 0 deletions b/‎docker-compose.full.yml‎
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,26 @@
+name: Observability CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  dashboard-query-validation:
+    name: Validate Dashboard Queries
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Set up Python
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d
+        with:
+          python-version: "3.11"
+
+      - name: Validate Grafana queries
+        run: python scripts/check_dashboard_queries.py
@@ -0,0 +1,49 @@
+name: Security Supply Chain
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  sbom-and-image-scan:
+    name: SBOM and Trivy Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Build backend image
+        run: docker build -f Dockerfile.backend.optimized -t sovereign-backend:ci .
+
+      - name: Generate SBOM (CycloneDX)
+        uses: anchore/sbom-action@85f897d6f3eeb9d30980dc9f2138eb33cd6b2e8b
+        with:
+          image: sovereign-backend:ci
+          format: cyclonedx-json
+          output-file: sbom-backend.cdx.json
+
+      - name: Scan image with Trivy
+        uses: aquasecurity/trivy-action@ea7f5b0ea4e9037fe8f8f6a9db8f2de41f8bb9f0
+        with:
+          image-ref: sovereign-backend:ci
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+          exit-code: 1
+
+      - name: Upload Trivy SARIF
+        uses: github/codeql-action/upload-sarif@7fd9dc0f3f4f8f6e8bbbf38c3444b3248ce8b248
+        with:
+          sarif_file: trivy-results.sarif
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+        with:
+          name: sbom-backend-cdx
+          path: sbom-backend.cdx.json
@@ -33,11 +33,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
-# Copy Python dependencies from builder (significantly smaller image)
-COPY --from=builder /root/.local /root/.local
+# Copy Python dependencies from builder into non-root accessible location.
+COPY --from=builder /root/.local /opt/python
 
 # Set environment variables for Python optimization
-ENV PATH=/root/.local/bin:$PATH \
+ENV PATH=/opt/python/bin:$PATH \
+    PYTHONPATH=/opt/python/lib/python3.11/site-packages \
     PYTHONUNBUFFERED=1 \
     PYTHONDONTWRITEBYTECODE=1 \
     PYTHONOPTIMIZE=2
@@ -52,9 +53,13 @@ COPY src/ ./src/
 COPY config/ ./config/
 
 # Create data directory
-RUN mkdir -p /app/data && chmod 755 /app/data
+RUN mkdir -p /app/data \
+    && chmod 755 /app/data \
+    && useradd --system --create-home --uid 10001 appuser \
+    && chown -R appuser:appuser /app
 
-# Keep root runtime so Python can resolve packages installed under /root/.local.
+# Run as non-root for runtime hardening.
+USER appuser
 
 # Health check with proper error handling
 HEALTHCHECK --interval=30s --timeout=10s --start-period=20s --retries=3 \
 
@@ -18,8 +18,12 @@ RUN pip install --no-cache-dir \
 
 COPY src/ ./src/
 
+RUN useradd --system --create-home --uid 10001 appuser && chown -R appuser:appuser /app
+
 ENV PYTHONUNBUFFERED=1
 ENV PYTHONDONTWRITEBYTECODE=1
 
+USER appuser
+
 # Default command can be overridden by docker-compose command.
 CMD ["python", "-u", "src/client.py", "--node-id", "1", "--aggregator", "backend:8080"]
@@ -0,0 +1,8 @@
+# Development channel
+NUM_ROUNDS=0
+MIN_FIT_CLIENTS=3
+MIN_AVAILABLE_CLIENTS=3
+ROUND_TIMEOUT_SECONDS=300
+TARGET_ROUNDS_PER_MIN=0.6
+MAX_REPLICAS=12
+MIN_REPLICAS=3
@@ -0,0 +1,8 @@
+# Production channel
+NUM_ROUNDS=0
+MIN_FIT_CLIENTS=20
+MIN_AVAILABLE_CLIENTS=20
+ROUND_TIMEOUT_SECONDS=900
+TARGET_ROUNDS_PER_MIN=1.5
+MAX_REPLICAS=60
+MIN_REPLICAS=15
@@ -0,0 +1,8 @@
+# Staging channel
+NUM_ROUNDS=0
+MIN_FIT_CLIENTS=10
+MIN_AVAILABLE_CLIENTS=10
+ROUND_TIMEOUT_SECONDS=600
+TARGET_ROUNDS_PER_MIN=1.0
+MAX_REPLICAS=30
+MIN_REPLICAS=8
@@ -30,16 +30,16 @@ groups:
         expr: (tpm_certificates_verified_total > 0) or (sovereignmap_active_nodes * scalar(tpm_ca_certificate_valid))
 
       - record: sovereignmap_tpm_attestation_total
-        expr: (tpm_certificates_total > 0) or (sovereignmap_active_nodes * scalar(tpm_ca_certificate_valid))
+        expr: sum(tpm_node_attestation_events_total) or (tpm_certificates_total > 0) or (sovereignmap_active_nodes * scalar(tpm_ca_certificate_valid))
 
       - record: sovereignmap_tpm_attestation_success
-        expr: (tpm_certificates_verified_total > 0) or (sovereignmap_active_nodes * scalar(tpm_ca_certificate_valid))
+        expr: sum(tpm_node_attestation_events_total{result="success"}) or (tpm_certificates_verified_total > 0) or (sovereignmap_active_nodes * scalar(tpm_ca_certificate_valid))
 
       - record: sovereignmap_tpm_attestation_failures_total
-        expr: tpm_trust_verification_failures_total
+        expr: sum(tpm_node_attestation_events_total{result="failure"}) or tpm_trust_verification_failures_total
 
       - record: sovereignmap_tpm_attestation_duration_ms
-        expr: (tpm_trust_verification_duration_seconds_sum / clamp_min(tpm_trust_verification_duration_seconds_count, 1)) * 1000
+        expr: avg(tpm_node_attestation_latency_ms) or ((tpm_trust_verification_duration_seconds_sum / clamp_min(tpm_trust_verification_duration_seconds_count, 1)) * 1000)
 
       - record: sovereignmap_gpu_memory_mb
         expr: vector(0)
@@ -120,33 +120,33 @@ groups:
     rules:
       # Minting proxy derived from network work-rate and model quality.
       - record: sovereignmap_token_mint_rate_per_min
-        expr: rate(sovereignmap_fl_rounds_total[5m]) * sovereignmap_active_nodes * (sovereignmap_fl_accuracy / 100)
+        expr: tokenomics_mint_rate_per_min or ((rate(sovereignmap_fl_rounds_total[5m]) * sovereignmap_active_nodes * (sovereignmap_fl_accuracy / 100)) unless on() tokenomics_mint_rate_per_min)
 
       # Cumulative minted supply proxy from achieved FL rounds and active validator participation.
       - record: sovereignmap_token_supply_total
-        expr: sovereignmap_fl_round * sovereignmap_active_nodes * (sovereignmap_fl_accuracy / 100)
+        expr: tokenomics_token_supply_total or ((sovereignmap_fl_round * sovereignmap_active_nodes * (sovereignmap_fl_accuracy / 100)) unless on() tokenomics_token_supply_total)
 
       # Bridge inflow/outflow proxies modeled as fixed shares of minting activity.
       - record: sovereignmap_bridge_inflow_per_min
-        expr: sovereignmap_token_mint_rate_per_min * 0.35
+        expr: tokenomics_bridge_inflow_per_min or ((sovereignmap_token_mint_rate_per_min * 0.35) unless on() tokenomics_bridge_inflow_per_min)
 
       - record: sovereignmap_bridge_outflow_per_min
-        expr: sovereignmap_token_mint_rate_per_min * 0.22
+        expr: tokenomics_bridge_outflow_per_min or ((sovereignmap_token_mint_rate_per_min * 0.22) unless on() tokenomics_bridge_outflow_per_min)
 
       - record: sovereignmap_bridge_net_flow_per_min
-        expr: sovereignmap_bridge_inflow_per_min - sovereignmap_bridge_outflow_per_min
+        expr: tokenomics_bridge_net_flow_per_min or ((sovereignmap_bridge_inflow_per_min - sovereignmap_bridge_outflow_per_min) unless on() tokenomics_bridge_net_flow_per_min)
 
       # Escrow and collateral proxies for bridge solvency/coverage monitoring.
       - record: sovereignmap_bridge_escrow_total
-        expr: sovereignmap_token_supply_total * 0.4
+        expr: tokenomics_bridge_escrow_total or ((sovereignmap_token_supply_total * 0.4) unless on() tokenomics_bridge_escrow_total)
 
       - record: sovereignmap_bridge_collateral_ratio_percent
-        expr: (sovereignmap_bridge_escrow_total / clamp_min(sovereignmap_token_supply_total * 0.3, 1)) * 100
+        expr: tokenomics_bridge_collateral_ratio_percent or (((sovereignmap_bridge_escrow_total / clamp_min(sovereignmap_token_supply_total * 0.3, 1)) * 100) unless on() tokenomics_bridge_collateral_ratio_percent)
 
       # Share of minted economic activity crossing bridges.
       - record: sovereignmap_bridge_settlement_share_percent
-        expr: (sovereignmap_bridge_inflow_per_min / clamp_min(sovereignmap_token_mint_rate_per_min, 0.000001)) * 100
+        expr: tokenomics_bridge_settlement_share_percent or (((sovereignmap_bridge_inflow_per_min / clamp_min(sovereignmap_token_mint_rate_per_min, 0.000001)) * 100) unless on() tokenomics_bridge_settlement_share_percent)
 
       # Daily bridge volume proxy for treasury and liquidity planning.
       - record: sovereignmap_bridge_volume_24h
-        expr: sovereignmap_bridge_inflow_per_min * 1440
+        expr: tokenomics_bridge_volume_24h or ((sovereignmap_bridge_inflow_per_min * 1440) unless on() tokenomics_bridge_volume_24h)
@@ -0,0 +1,39 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: sovereign-node-agent-hpa
+  namespace: sovereign-map
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: sovereign-node-agent
+  minReplicas: 10
+  maxReplicas: 100
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 65
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: sovereign-backend-hpa
+  namespace: sovereign-map
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: sovereign-backend
+  minReplicas: 1
+  maxReplicas: 5
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 70
@@ -18,6 +18,7 @@ services:
       - MIN_FIT_CLIENTS=${MIN_FIT_CLIENTS:-10}
       - MIN_AVAILABLE_CLIENTS=${MIN_AVAILABLE_CLIENTS:-10}
       - ROUND_TIMEOUT_SECONDS=${ROUND_TIMEOUT_SECONDS:-600}
+      - TPM_METRICS_ENDPOINT=${TPM_METRICS_ENDPOINT:-http://tpm-metrics:9091/event/attestation}
       - GEMINI_API_KEY=${GEMINI_API_KEY:-}
     ports:
       - "8000:8000"  # Flask metrics API
@@ -34,6 +35,12 @@ services:
       retries: 3
       start_period: 10s
     restart: on-failure
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    tmpfs:
+      - /tmp
     logging:
       driver: "json-file"
       options:
@@ -75,6 +82,12 @@ services:
     healthcheck:
       disable: true
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    tmpfs:
+      - /tmp
     logging:
       driver: "json-file"
       options:
@@ -216,6 +229,7 @@ services:
       - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
       - ./tpm_alerts.yml:/etc/prometheus/tpm_alerts.yml:ro
       - ./dashboard_compat_rules.yml:/etc/prometheus/dashboard_compat_rules.yml:ro
+      - ./fl_slo_alerts.yml:/etc/prometheus/fl_slo_alerts.yml:ro
     command:
       - '--config.file=/etc/prometheus/prometheus.yml'
       - '--storage.tsdb.path=/prometheus'
@@ -256,6 +270,48 @@ services:
       retries: 3
       start_period: 10s
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    tmpfs:
+      - /tmp
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  tokenomics-metrics:
+    image: python:3.11-slim
+    container_name: sovereign-tokenomics-metrics
+    volumes:
+      - ./tokenomics_metrics_exporter.py:/app/tokenomics_metrics_exporter.py:ro
+      - ./test-data/tokenomics-telemetry.json:/app/data/tokenomics-telemetry.json:ro
+    working_dir: /app
+    command: ["sh", "-c", "python -m pip install --no-cache-dir prometheus-client flask && python tokenomics_metrics_exporter.py"]
+    environment:
+      - TOKENOMICS_SOURCE_FILE=/app/data/tokenomics-telemetry.json
+      - TOKENOMICS_METRICS_PORT=9105
+    ports:
+      - "9105:9105"
+    networks:
+      - sovereign-network
+    depends_on:
+      - backend
+    healthcheck:
+      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:9105/health', timeout=3)"]
+      interval: 15s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    tmpfs:
+      - /tmp
     logging:
       driver: "json-file"
       options: