Patch State Observer (Reserved Slot) — Adapter Technical Specification
Status: reserved · Class: conformance · Mission: telemetry · Phase: phase-planning
Canon source: canon/adapter-registry.yaml (propagated by uiao/tools/sync_canon.py).
The YAML frontmatter and this banner are regenerated from canon on every sync. Do not hand-edit. Author new material only below the ## Overview heading.
This document is a stub. Replace every _TODO — ..._ block with authored content that is consistent with UIAO canon. Canon invariants (gcc-boundary, ssot-mutation: never, etc.) must never be contradicted.
Overview
The Patch State Adapter is a conformance-class telemetry adapter that observes patch/update state across managed endpoints. It ingests device-level patch status data and normalizes it into canonical claims tracking missing patches per device.
Key capabilities: per-device missing-patch enumeration, OS-level patch state tracking, missing-patch count aggregation, and KSI-anchored evidence generation with total-missing-patches summary.
Implementation: uiao/src/uiao/adapters/patchstate_adapter.py. Conformance: 30/30 PASS.
Scope
Target surfaces / subsystems: (not yet defined)
- Reads: Patch status data (JSON with device_id, OS, missing_patches list per device) from WSUS, SCCM, Intune, or OS-native sources.
- Emits: ClaimSet with one claim per device (including missing_count and missing_patches list), EvidenceObject with total device count and total missing patches.
- Does NOT: install patches, modify device configuration, or access device content. Read-only telemetry.
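The Reads/Emits contract above, sketched as an added example (this is not the code in patchstate_adapter.py). It rejects records with no usable missing_patches list instead of counting them as zero missing, which would overstate SI-2 remediation. Assumptions: the input is a top-level JSON array, the OS key is spelled `os`, claims and evidence are plain dicts, and `normalize_patch_state` and the `rejected` list are hypothetical names.

```python
import json

def normalize_patch_state(raw_json):
    """Return (claims, evidence, rejected) for a JSON array of device records."""
    records = json.loads(raw_json)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of device records")
    claims, rejected, seen = [], [], set()
    for index, rec in enumerate(records):
        rec = rec if isinstance(rec, dict) else {}
        device_id = rec.get("device_id")
        patches = rec.get("missing_patches")
        if not isinstance(device_id, str) or not device_id.strip():
            rejected.append({"index": index, "reason": "missing device_id"})
        elif device_id in seen:
            # Two records for one device would double-count or contradict.
            rejected.append({"index": index, "reason": "duplicate device_id"})
        elif not isinstance(patches, list) or not all(
                isinstance(p, str) and p for p in patches):
            # No usable list is "unknown", never "fully patched".
            rejected.append({"index": index, "reason": "invalid missing_patches"})
        else:
            seen.add(device_id)
            unique = sorted(set(patches))  # a source may repeat a patch id
            claims.append({
                "device_id": device_id,
                "os": rec.get("os"),  # assumed key name for the OS field
                "missing_count": len(unique),
                "missing_patches": unique,
            })
    evidence = {
        "total_devices": len(claims),
        "total_missing_patches": sum(c["missing_count"] for c in claims),
        "rejected_records": len(rejected),
    }
    return claims, evidence, rejected

# Constructed sample input; device ids and KB numbers are placeholders.
SAMPLE = json.dumps([
    {"device_id": "dev-001", "os": "Windows 11",
     "missing_patches": ["KB0000002", "KB0000001", "KB0000002"]},
    {"device_id": "dev-002", "os": "Ubuntu 22.04", "missing_patches": []},
    {"device_id": "dev-003", "os": "Windows Server 2022"},
    {"device_id": "dev-001", "os": "Windows 11", "missing_patches": []},
])

if __name__ == "__main__":
    for part in normalize_patch_state(SAMPLE):
        print(json.dumps(part, indent=2))
```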
Controls
NIST SP 800-53 Rev 5 controls this adapter supports: SI-2, CM-8, CA-7
| Control | Role | Adapter capability |
|---|---|---|
| SI-2 Flaw Remediation | Primary | Missing-patch tracking provides evidence of patch remediation status per device. |
| CM-8 Component Inventory | Supporting | Device enumeration with OS version supports component inventory. |
| CA-7 Continuous Monitoring | Supporting | Scheduled patch state collection provides continuous remediation evidence. |
Operational profile
| Field | Value |
|---|---|
| Runtime | TBD |
| Runtime pin | TBD |
| Runner class | TBD |
| Tenancy | per-customer |
| Evidence class | interval |
| Retention | 3 year(s) |
Canon invariants
- gcc-boundary: gcc-moderate
- ssot-mutation: never
- certificate-anchored: true
- object-identity-only: true
Notes from canon
Slot reserved per ARCHITECTURE.md §3.5 and §13 open decision ODA-14. Candidates include Azure Arc Update Manager (read-only mode), Intune compliance reports, or WSUS reporting exports. Selection deferred to Phase 2 planning.
References
- UIAO-CANON-003
- ADR-025
Generated by uiao/tools/sync_canon.py. See uiao/ARCHITECTURE.md §4 for the cross-repo sync contract. See uiao-docs/_quarto.yml for rendering configuration.