
docs: add ADAPTERS.md EDR contributor guide #10

Merged
keirsalterego merged 1 commit into main from docs/adapters-contributor-guide
May 23, 2026

@keirsalterego


Summary

Adds ADAPTERS.md — the contributor guide for adding a new EDR vendor to the ingestion pipeline.

Contents

  • The four contract rules every adapter must enforce (auth before parse, authenticated tenant_id, audit before 202, output is a valid NormalizedAlert)
  • NormalizedAlert dataclass shape with conventions on optional defaults
  • Six concrete steps to ship a new adapter, end to end, with a worked example for a hypothetical bearer-token vendor
  • A copy-pasteable patch-style route example
  • Five failure modes the tests must cover
  • Anti-patterns we've actually rejected in past PRs
  • Table of existing adapters with auth scheme and tenant ID source
  • Review checklist

Why

The fifth EDR adapter is the easiest path for an external contributor to add real value. The contract was previously documented only in the private monorepo. Lifting the public-safe portion here lets contributors propose adapters without needing access to the private side.

Confidentiality

References existing adapters by name and auth scheme only. No pattern weights, no detection logic, no proprietary mapping tables.

Depends on / merges after

#8 — foundation rewrite. Cross-refs to ARCHITECTURE.md, THREAT_MODEL.md, API_REFERENCE.md resolve once that lands.

Test plan

  • Walk through the six-step adapter recipe against the public Rust proxy + simulator stack
  • Confirm no private pattern data leaked
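
The four contract rules listed in the summary above, sketched as an added example for a hypothetical bearer-token vendor; this is not code from ADAPTERS.md or from the project. The `NormalizedAlert` fields, the token store, the audit sink, the vendor name and every status code other than 202 are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; every name below is hypothetical.
TOKENS = {hashlib.sha256(b"demo-token-a").hexdigest(): "tenant-a"}
AUDIT_LOG = []  # stand-in for the real audit sink

@dataclass(frozen=True)
class NormalizedAlert:  # assumed fields, not the project's actual shape
    tenant_id: str
    vendor: str
    vendor_alert_id: str
    severity: str
    hostname: Optional[str] = None  # optional fields default to None

def authenticate(headers: dict) -> Optional[str]:
    """Return the tenant bound to the bearer token, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    for known, tenant in TOKENS.items():
        if hmac.compare_digest(digest, known):  # constant-time comparison
            return tenant
    return None

def ingest(headers: dict, body: bytes) -> tuple:
    tenant_id = authenticate(headers)  # rule 1: auth before parse
    if tenant_id is None:
        return 401, None  # the body is never parsed for unauthenticated callers
    try:
        raw = json.loads(body)
        alert = NormalizedAlert(  # rule 4: output is a NormalizedAlert
            tenant_id=tenant_id,  # rule 2: from the credential, never the payload
            vendor="examplevendor",
            vendor_alert_id=str(raw["id"]),
            severity=str(raw["severity"]).lower(),
            hostname=raw.get("host"),
        )
    except (ValueError, KeyError, TypeError):
        return 400, None
    if alert.severity not in {"low", "medium", "high", "critical"}:
        return 422, None
    AUDIT_LOG.append({"tenant_id": tenant_id, "alert_id": alert.vendor_alert_id})  # rule 3: audit before 202
    return 202, alert
```

A payload that carries its own `tenant_id` is ignored here, which is the property rule 2 exists to guarantee.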

Standalone contributor guide for adding a new EDR vendor to the
ingestion pipeline. Targets external contributors who want to ship
the fifth adapter.

Contents:

- The four contract rules every adapter must enforce, with the
  preview-parse pattern and the why-it-is-safe explanation
- The NormalizedAlert dataclass shape with conventions on optional
  defaults
- Six concrete steps to add a new adapter, end to end, including a
  worked example for a hypothetical bearer-token vendor
- A patch-style route example that the contributor can copy
- The five failure modes their tests must cover
- The anti-patterns the reviewer has actually rejected in past PRs
- A table of existing adapters with their auth scheme and tenant ID
  source
- A review checklist

Sketches the private code shape without leaking the private code
itself; the existing four adapters are referenced by name and auth
scheme only, never by their pattern weights or detection logic.

Cross-refs to ARCHITECTURE.md, THREAT_MODEL.md, API_REFERENCE.md
resolve once the foundation PR (#8) merges.
Copilot AI review requested due to automatic review settings May 23, 2026 17:36

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@keirsalterego keirsalterego merged commit 1106265 into main May 23, 2026
1 check failed
keirsalterego added a commit that referenced this pull request May 23, 2026
The previous ROADMAP carried ARR targets, pilot counts, quarterly
revenue numbers, and an MSP channel percentage. That material moved
to vyrox-design-partners/docs/gtm/INTERNAL_ROADMAP_WITH_TARGETS.md
in PR #9 of that repo. This commit lands its replacement.

The new ROADMAP is organised by capability, not by quarter or by
revenue tier. Sections:

- Recently shipped: the sixteen blockers from the May 2026 audits
  (eight P0 + eight P0.5), each described as a public contract
  change with the file paths a reader can verify.
- In flight: items that touch a public contract, with the actual
  bottleneck called out (Postgres before tenant 25, retry runner
  not yet wired into worker entrypoint, etc).
- Planned, not started: public OpenAPI spec, customer-side audit
  verifier binary, EU data region, web operator interface trigger
  conditions.
- Adapter coverage: shipped vendors plus on-demand future adapters.
- Compliance and certification: where we are honest about what is
  in flight versus planned versus not started.
- Versioning and release cadence: semver intent for the public repos.
- "Intentionally not on the roadmap": SIEM, managed human SOC,
  web dashboard during alpha, free public ingestion endpoint.

Cross-refs to ARCHITECTURE.md, API_REFERENCE.md, AUDIT_CHAIN.md,
ADAPTERS.md, SECURITY.md resolve after the foundation and specialty
PRs (#8, #9, #10, #11) land.