Security
Security principles for evidence-first RCA.
This page stays deliberately practical: scoped access, data boundaries, evidence handling, secrets, audit trail, least privilege, and deployment-specific isolation.
No unsupported compliance or infrastructure promises are added here.
Principles ledger
Boundary first, claim second.
01 Scoped access
What it means: Agents should reach only the evidence path needed for a specific service, provider, cluster, or incident question.
What is not claimed: This is not framed as broad unsupervised access to every customer system.
02 Data boundaries
What it means: Useful RCA data is incident-focused: alerts, telemetry, deploys, provider state, affected scope, hypotheses, validation checks, and action notes.
What is not claimed: This does not define a full data-retention or archival policy.
03 Logs and evidence
What it means: Signals that support a cause should sit beside signals that still need validation, so responders can inspect the RCA.
What is not claimed: This does not claim that every log source is automatically connected.
04 Secrets
What it means: Credential and secret paths are deployment-specific and should be scoped to the systems needed for RCA.
What is not claimed: This does not declare a universal secret-storage model.
05 Audit trail
What it means: The RCA flow should preserve ownership, validation steps, rollback candidates, mitigation notes, and handoff-ready summaries.
What is not claimed: This is not a replacement for a customer audit platform.
06 Least privilege
What it means: Agents query only the MCP Servers and provider APIs needed for a specific incident path, then return consolidated evidence.
What is not claimed: This does not claim unrestricted provider or cluster permissions.
07 Deployment-specific isolation
What it means: OpsDiag is positioned as a deployment close to the customer environment, with isolation details defined per deployment.
What is not claimed: This does not claim a fixed private-cloud or compliance model.
Explicitly not claimed
Security copy stays tied to the product facts.
No certification status is claimed.
No universal retention policy is claimed.
No fixed private-cloud model is claimed.
No universal encryption architecture is claimed.
No unrestricted provider or cluster access is claimed.
Scope: Incident-scoped access
Access should be described in relation to the systems required for a specific incident path.
Evidence: Reviewable analysis
RCA output should keep supporting signals and missing validation visible instead of hiding uncertainty.
Deployment: Defined per environment
Exact controls for secrets, retention, isolation, and audit details should be defined per customer deployment.
