alldigital/PSA
2
0
Fork 0
Code Issues Pull Requests Actions 15 Packages Projects Releases Wiki Activity
PSA/ee/docs/plans/2026-04-29-tanium-criticality-asset-facts/SCRATCHPAD.md
Hermes 284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Details
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Details
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
Details
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
Details
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Details
Integration Tests / Check for relevant changes (push) Waiting to run
Details
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Details
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Details
Mobile checks / Mobile unit tests (push) Waiting to run
Details
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Details
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Details
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Details
Temporal Readiness / fast-readiness (push) Waiting to run
Details
Temporal Readiness / docker-parity (push) Waiting to run
Details
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Details
Unit Tests / Skipped-test budget (push) Waiting to run
Details
Unit Tests / Nx affected unit tests (push) Waiting to run
Details
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Details
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Details
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
Details
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Details
Initial import of AlgaPSA codebase from PSA server 
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz

Source: /opt/alga-psa on psa.joliet.tech
2026-06-22 16:12:17 -05:00

126 lines
9.7 KiB
Markdown
Raw Blame History

# Scratchpad — Tanium Criticality Asset Facts
- Plan slug: `tanium-criticality-asset-facts`
- Created: `2026-04-29`
## What This Is
Working notes for adding CE asset facts and using them as the Tanium criticality display/persistence surface.
## Decisions
- (2026-04-29) Use the term `facts` for asset metadata that is observed/synced from a provider or system. Rationale: it avoids implying a full custom-fields platform while preserving a path to queryable workflow/AI/filtering consumers.
- (2026-04-29) Put the generic `asset_facts` data structure in CE/base migrations, not EE-only. Rationale: integrations can remain feature-gated, but the neutral data primitive should be available broadly.
- (2026-04-29) Keep Tanium criticality provider-sourced and read-only for day one. Do not promote it to a first-class Alga asset column yet.
- (2026-04-29) Fetch Tanium criticality separately from the main endpoint inventory query. Rationale: Gateway returns errors when a requested sensor is unavailable, and missing Criticality content-set access should not break normal inventory sync.
- (2026-04-29) Use Tanium `Endpoint Criticality with Level`, not just `Endpoint Criticality`, because Alga needs display text in addition to any numeric multiplier.
- (2026-04-29) If global criticality enrichment fails for a scope, leave existing facts untouched. If an endpoint explicitly returns no result, mark that endpoint fact unavailable and preserve raw metadata.
- (2026-04-29) Day-one UI should only display an available Tanium Criticality fact; no generic editable custom/facts UI in this phase.
## Discoveries / Constraints
- (2026-04-29) Existing Tanium sync already has a best-effort separate sensor enrichment pattern for `Last Reboot` in `ee/server/src/lib/integrations/tanium/taniumGatewayClient.ts`.
- (2026-04-29) Existing shared RMM ingestion returns `assetId` for created/updated assets, which is the right point to upsert facts.
- (2026-04-29) Existing normalized RMM extension fields and `system_info` are useful for raw provider metadata, but are not a good long-term query surface for workflows/AI/filtering.
- (2026-04-29) Tanium developer docs browser pane `a4169d08-2203-48d1-8845-330185626c87` showed `Endpoint Criticality` and `Endpoint Criticality with Level` in Sensor Inventory, not as first-class `Endpoint` GraphQL fields.
- (2026-04-29) Tanium Sensor Inventory details found:
- `Endpoint Criticality`: Criticality virtual sensor. Returns number of endpoints with each criticality. Multipliers: Low = 1, Medium = 1.33, High = 1.67, Critical = 2.
- `Endpoint Criticality with Level`: Criticality virtual sensor. Returns number of endpoints with each endpoint criticality value and text.
- (2026-04-29) Gateway schema supports arbitrary endpoint sensor reads through `Endpoint.sensorReading(sensor: EndpointSensorRef!)` and `Endpoint.sensorReadings(sensors: [EndpointSensorRef!]!)`.
- (2026-04-29) Gateway docs say `sensorReading` returns raw `values` and can return `floatValues` for numeric/integer conversion. For multi-column sensors, `sensorReading` requires exactly one column; `sensorReadings` should be used for multiple sensors/columns.
- (2026-04-29) Gateway docs say unavailable sensors return query errors, reinforcing the separate best-effort enrichment design.
## Commands / Runbooks
- (2026-04-29) Scaffold plan:
- `python3 /Users/roberisaacs/.agents/skills/alga-plan/scripts/scaffold_plan.py --slug tanium-criticality-asset-facts "Tanium Criticality Asset Facts"`
- (2026-04-29) Inspect Tanium docs browser URL/content:
- `alga-dev browser-get-url --paneId=a4169d08-2203-48d1-8845-330185626c87 --pretty`
- `alga-dev browser-eval --paneId=a4169d08-2203-48d1-8845-330185626c87 --script='(() => ({title: document.title, url: location.href, text: (document.body.innerText || "").slice(0, 12000)}))()'`
- (2026-04-29) Fetch Gateway schema text from authenticated browser pane:
- `alga-dev browser-eval --paneId=a4169d08-2203-48d1-8845-330185626c87 --script='(async () => (await fetch("/_spec-gql/apis/tanium_gateway_schema.graphql?download")).text())()'`
- (2026-04-29) Fetch Sensor Inventory page data from authenticated browser pane:
- `alga-dev browser-eval --paneId=a4169d08-2203-48d1-8845-330185626c87 --script='(async () => fetch("/page-data/sensor-inventory/sensor_list/data.json").then(r=>r.json()))()'`
## Links / References
- Tanium docs page used: `https://developer.tanium.com/apis/api_intro`
- Tanium Gateway schema download path in authenticated browser: `/_spec-gql/apis/tanium_gateway_schema.graphql?download`
- Tanium Sensor Inventory page data: `/page-data/sensor-inventory/sensor_list/data.json`
- Existing Tanium client: `ee/server/src/lib/integrations/tanium/taniumGatewayClient.ts`
- Existing Tanium actions/sync: `ee/server/src/lib/actions/integrations/taniumActions.ts`
- Shared RMM contracts: `packages/integrations/src/lib/rmm/contracts.ts`
- Shared RMM ingestion: `packages/integrations/src/lib/rmm/sharedAssetIngestionService.ts`
- Prior design reference: `ee/docs/plans/2026-04-15-tanium-asset-enrichment-design.md`
- Tanium integration plan reference: `ee/docs/plans/2026-04-06-tanium-rmm-integration-plan/`
## Open Questions
- What exact columns does `Endpoint Criticality with Level` return in customer tenants? Implementation should preserve raw columns and parse defensively.
- Should future facts uniqueness include `integration_id` to support multiple providers/instances publishing same namespace/key for one asset? V1 plan uses one current fact per asset/source_type/namespace/key.
- Should unavailable facts be exposed in a future admin/debug panel? Day one hides unavailable facts from primary asset detail.
## Implementation Updates
- (2026-04-29) Implemented CE/base migration `server/migrations/20260429133000_create_asset_facts_table.cjs` for `asset_facts` with:
- tenant-aware PK (`tenant`, `asset_fact_id`),
- tenant+asset FK to `assets`,
- typed value columns + raw `value_json`,
- availability + sync/source timestamps,
- uniqueness on (`tenant`, `asset_id`, `source_type`, `namespace`, `fact_key`).
Rationale: provides a neutral, queryable fact primitive while preserving Citus tenant key patterns.
- (2026-04-29) Added shared asset fact typing and service:
- `AssetFact` and `AssetFactSourceType` in `packages/types/src/interfaces/asset.interfaces.ts`.
- `server/src/lib/assets/assetFactsService.ts` with `upsertAssetFact(...)` and `listAvailableAssetFactsForAsset(...)`.
Rationale: central reusable read/upsert behavior for provider-sourced facts with tenant+asset scoping.
- (2026-04-29) Extended Tanium Gateway client (`ee/server/src/lib/integrations/tanium/taniumGatewayClient.ts`):
- Added metadata lookup for `Endpoint Criticality with Level`.
- Added paginated endpoint criticality sensor reading query via `sensorReadings`.
- Added defensive parser that preserves raw columns, maps known labels to multipliers, and tolerates unknown columns.
- (2026-04-29) Integrated best-effort criticality enrichment into `triggerTaniumFullSync` (`ee/server/src/lib/actions/integrations/taniumActions.ts`):
- Criticality query runs separately from endpoint inventory query.
- Global criticality failure logs warning and does not fail full sync.
- Existing facts remain untouched on global failure.
- For successful criticality query, endpoint with explicit no result is upserted unavailable.
- Criticality fact upsert happens only after ingestion returns `assetId`.
- Fact shape stored with `source_type=integration`, `provider=tanium`, `namespace=tanium`, `fact_key=criticality`, source metadata for sensor.
- (2026-04-29) Added asset detail facts read path:
- `getAvailableAssetFacts(asset_id)` in `packages/assets/src/actions/assetActions.ts` with tenant-scoped auth checks.
- `useAssetDetail` now loads facts.
- (2026-04-29) Added Tanium criticality UI rendering on asset detail (`packages/assets/src/components/panels/RmmVitalsPanel.tsx`):
- Shows `Tanium Criticality` only when available Tanium criticality fact exists.
- Known labels map to compact badge variants (`Low/Medium/High/Critical`).
- Missing/unavailable facts are hidden.
## Test Updates
- (2026-04-29) Added/updated tests:
- `ee/server/src/__tests__/unit/integrations/taniumGatewayClient.test.ts`
- endpoint criticality parse coverage (known + unknown columns).
- `ee/server/src/__tests__/unit/integrations/taniumActions.test.ts`
- criticality enrichment isolation from sync failure,
- upsert only when `assetId` exists,
- leave existing facts untouched on global criticality failure.
- `packages/assets/src/components/panels/RmmVitalsPanel.test.tsx`
- renders Tanium criticality only when available fact exists.
- (2026-04-29) Verification commands:
- `npx nx test sebastian-ee -- --run src/__tests__/unit/integrations/taniumGatewayClient.test.ts src/__tests__/unit/integrations/taniumActions.test.ts` (pass)
- `npx nx test @alga-psa/assets -- --run src/components/panels/RmmVitalsPanel.test.tsx --reporter=verbose` (our panel tests pass; suite still reports pre-existing unrelated failures in `QuickAddAsset.quick-add-client.contract.test.ts` and `CreateTicketFromAssetButton.boardScopedStatuses.test.tsx`).
## Gotchas
- (2026-04-29) EE action tests use `withAuth` wrappers directly; test invocations must pass explicit `(user, { tenant })` args.
- (2026-04-29) Asset package targeted test runs currently include additional files in this workspace, exposing unrelated baseline failures outside this change.
- (2026-04-29) Added `server/src/test/unit/assets/assetFactsService.test.ts` to cover T001/T002/T003 service behaviors:
- tenant-scoped insert/read,
- uniqueness/upsert semantics for current fact key,
- explicit unavailable upsert preserving raw metadata.
- (2026-04-29) Verification command:
- `cd server && npx vitest run src/test/unit/assets/assetFactsService.test.ts` (pass)
Reference in New Issue View Git Blame Copy Permalink