Full code
AUTHORS.md:
# Authors
This file records release-level authorship acknowledgements for `infra-resources`.
Update it as part of the formal release procedure documented in `compliance/governance/release-ip-procedure.md`.
## Current project owner
- MeetKai
# Notice
This repository contains configuration, deployment manifests, and documentation for MeetKai infrastructure.
Third-party software remains subject to its own license and notice requirements.
Release reviewers must confirm whether new third-party notices are required for each version and record that review in `compliance/governance/release-ip-ledger.csv`.
This directory collects the repo-owned controls and evidence procedures.
## What is implemented here
- `tools/compliance/capture_no_telemetry.sh`: runs the no-telemetry overlay and records packet capture plus Kubernetes state.
- `tools/compliance/verify_tls13.sh`: proves public endpoints negotiate TLS 1.3 and records ciphers and certificate details.
- `tools/compliance/verify_storage_encryption.sh`: captures EKS secrets encryption and storage encryption settings.
- `tools/compliance/verify_ai_marking.sh`: records response headers that prove AI marking at the API edge.
- `helm/kyverno/`: admission policy that rejects unsigned images.
- `compliance/audit-log-contract.md`: shared event contract for per-user and per-unit audit pipelines.
- `compliance/governance/`: formal release authorship and copyright procedure.
# Audit event contract
This repo can standardize gateway-side correlation and route metadata.
## Required fields
- `request_id`: propagated from Kong `X-Request-ID`
- `actor_id`: end user or service principal
- `unit_id`: organizational unit or tenant
- `route_name`: logical API route name
- `action`: create, read, update, delete, generate, tool_call, or admin action
- `resource_type`: conversation, response, file, vector_store, prompt, or service-specific type
- `resource_id`: stable identifier for the affected object
- `outcome`: success, denied, throttled, validation_error, or policy_violation
- `policy_action`: warn, block, or escalate when misuse detection triggers
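
A minimal validator for the required fields listed above, as an added example that is not part of this repository. It assumes `policy_action` is present only when misuse detection triggers, that the contract's "admin action" is spelled `admin_action`, and that `resource_type` stays open-ended because of the service-specific case; the sample events are constructed.

```python
# Added example: checks one audit event (a dict) against the field contract.
# Fields that must always be present as non-empty strings.
REQUIRED = ("request_id", "actor_id", "unit_id", "route_name",
            "action", "resource_type", "resource_id", "outcome")

# Closed value sets taken from the contract. "admin_action" is an assumed
# spelling of "admin action"; resource_type is left open (service-specific).
ENUMS = {
    "action": {"create", "read", "update", "delete",
               "generate", "tool_call", "admin_action"},
    "outcome": {"success", "denied", "throttled",
                "validation_error", "policy_violation"},
    # Assumption: policy_action is optional and only checked when present.
    "policy_action": {"warn", "block", "escalate"},
}

def validate_event(event):
    """Return a list of contract violations; an empty list means conformant."""
    errors, flagged = [], set()
    for field in REQUIRED:
        value = event.get(field)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{field}: missing or empty")
            flagged.add(field)
    for field, allowed in ENUMS.items():
        value = event.get(field)
        if field in flagged or value is None:
            continue  # already reported, or optional field not set
        if not isinstance(value, str) or value not in allowed:
            errors.append(f"{field}: unexpected value {value!r}")
    return errors

# Constructed sample events (not taken from any real log).
GOOD_EVENT = {
    "request_id": "req-0001", "actor_id": "user-42", "unit_id": "tenant-a",
    "route_name": "ai-generate", "action": "generate",
    "resource_type": "response", "resource_id": "resp-9",
    "outcome": "policy_violation", "policy_action": "block",
}
BAD_EVENT = {
    "request_id": "req-0002", "actor_id": "user-42",  # unit_id is missing
    "route_name": "ai-generate", "action": "generate",
    "resource_type": "response", "resource_id": "resp-10",
    "outcome": "blocked", "policy_action": "drop",
}

if __name__ == "__main__":
    for name, ev in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(name, validate_event(ev))
```
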
## Infra-owned behavior
- Kong emits `X-Request-ID` on AI and search routes.
- Kong adds `X-AI-Generated` headers on AI generation routes.
- SigNoz dashboards should group on `actor_id`, `unit_id`, `route_name`, and `outcome` once services emit these dimensions.
# Release authorship and copyright procedure
This procedure covers bid requirement `4.25`.
Git history alone is not treated as sufficient evidence for authorship updates.
Each release must produce a small set of explicit records.
## Required release records
1. Update `AUTHORS.md` when a new contributor or organization materially contributes to the release.
2. Review `NOTICE.md` for third-party notices or attribution changes.
3. Add a row to `compliance/governance/release-ip-ledger.csv` for the version being released.
4. Store the signed release evidence bundle produced by `tools/compliance/render_evidence_bundle.sh`.
5. Link the release tag or PR in the ledger entry so the review trail is explicit.
## Required reviewer assertions
The release reviewer confirms all of the following for the version:
- authorship additions or removals were reviewed
- third-party notices were reviewed
- any generated documentation or compliance evidence reflects the current release
- the release PR contains the final evidence locations
## Verification
`tools/compliance/check_release_governance.sh` validates that the required files exist and that the release ledger has a non-header entry for the target version.