
Asset Inventory

Effective Date: 2026-03-02 Last Review: 2026-03-02 Next Review: 2026-09-02 Owner: Greg Felice, Project Lead

1. Purpose

This document maintains a comprehensive inventory of all information assets in the tomo ecosystem, including hardware, software, services, and accounts. It provides the foundation for access control, vulnerability management, and incident response by ensuring all assets are identified, classified, and assigned an owner.

2. Scope

All systems, services, accounts, and data stores that support the development, distribution, hosting, and monitoring of the tomo project.

3. Asset Classification

Classification | Description | Security Requirements
Critical | Compromise would result in data breach, supply chain attack, or complete service loss | Highest security controls, redundant backups, immediate incident response
High | Compromise would result in significant disruption or partial data exposure | Strong access controls, regular patching, monitored
Medium | Compromise would cause inconvenience or limited operational impact | Standard access controls, regular updates
Low | Minimal impact if compromised | Basic security hygiene

4. Infrastructure Assets

4.1 Servers

Asset | Hostname | Purpose | Classification | Owner | Location | OS
Primary server | dweezil | All tomo infrastructure (database, CI/CD, monitoring, web) | Critical | Greg Felice | On-premises | Ubuntu 24.04 LTS

dweezil specifications:

  • Runs all tomo services (PostgreSQL, Forgejo, Woodpecker, Grafana, Authentik, nginx)
  • LUKS-encrypted data volumes
  • Automatic security updates enabled
  • fail2ban + ufw firewall
  • SSH key-only access
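The "SSH key-only access" control above is the one most often believed to be in place when it is not, because sshd keeps the first occurrence of a directive, defaults PasswordAuthentication and KbdInteractiveAuthentication to yes when they are absent, and treats anything after a Match line as conditional. The following checker is an added example, not tomo project code: it audits an sshd_config text for those pitfalls. The three sample configs are constructed for illustration; directive names, defaults and the `sshd -T` usage are from sshd_config(5).

```python
"""Check an sshd_config for the "SSH key-only access" control listed in 4.1.

Added example, not tomo project code. It parses a config text (the three
samples below are constructed), so it runs offline; on the real host feed it
the output of `sshd -T`, which is the effective configuration after Include
files have been merged.
"""
import re

# Defaults sshd applies when a directive is absent (from sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}
# Deprecated spelling that sshd treats as the same directive.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global_directives(text):
    """Return the directives that apply to every connection.

    Mirrors sshd: keywords are case-insensitive, separated from the value by
    whitespace or '=', only whole-line comments are comments, the FIRST
    occurrence of a keyword wins, and everything after a Match line is
    conditional, so it is ignored here rather than counted as global.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip())  # first occurrence wins
    return effective


def audit_key_only(text):
    """Return a list of findings; an empty list means key-only access holds."""
    cfg = parse_global_directives(text)
    value = lambda k: cfg.get(k, DEFAULTS[k]).lower()
    findings = []
    if "include" in cfg:
        findings.append("Include present: this file alone is not the effective "
                        "config, audit `sshd -T` output instead")
    if value("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is effectively "
                        f"'{value('passwordauthentication')}' (default is yes)")
    if value("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is effectively "
                        f"'{value('kbdinteractiveauthentication')}': with UsePAM "
                        "this still allows password prompts")
    if value("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if value("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes allows root password login")
    if value("permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords is enabled")
    return findings


# Constructed sample 1: hardened as 4.1 describes.
HARDENED = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
UsePAM yes
"""

# Constructed sample 2: the admin appended 'no', but the earlier 'yes' wins.
FIRST_WINS = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
# appended later; sshd keeps the first value above
PasswordAuthentication no
"""

# Constructed sample 3: key-only is set only inside a Match block, so it is
# not global, and the Include means this file is not the whole story.
MATCH_ONLY = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
    KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    import sys
    found = audit_key_only(sys.stdin.read())
    print("\n".join(found) or "OK: key-only access")
    sys.exit(1 if found else 0)
```

Run it on the host as `sudo sshd -T | python3 audit_sshd.py` (the filename is assumed). `sshd -T` prints the merged, lowercase effective configuration, which is what matters on Ubuntu, where the stock sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf` and a drop-in that sets `PasswordAuthentication yes` wins over a later `no` in the main file.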

4.2 Databases

Asset | Version | Port | Purpose | Classification | Owner
PostgreSQL 18 | 18.2 | 5432 | tomo development and hosted service database | Critical | Greg Felice
PostgreSQL 16 | 16.x | 5432 | Legacy / other workloads | Medium | Greg Felice

PostgreSQL 18 extensions:

Extension | Version | Purpose
Apache AGE | 1.7.0 | Graph database engine (Cypher queries)
pgvector | 0.8.1 | Vector similarity search (embeddings)

4.3 Web Services (Self-Hosted)

Asset | Version | URL | Purpose | Classification | Owner | Authentication
Forgejo | Latest | git.rizlabs.com | Git hosting, issue tracking, code review | Critical | Greg Felice | Authentik SSO
Woodpecker CI | Latest | ci.rizlabs.com | Continuous integration and deployment | Critical | Greg Felice | Authentik SSO
Authentik | Latest | auth.rizlabs.com | Identity provider, SSO, MFA | Critical | Greg Felice | Local admin + MFA
Grafana | Latest | grafana.rizlabs.com | Monitoring dashboards and alerting | High | Greg Felice | Authentik SSO
Prometheus | Latest | Internal only | Metrics collection | High | Greg Felice | Not exposed externally
postgres-exporter | Latest | Internal only | PostgreSQL metrics for Prometheus | Medium | Greg Felice | Not exposed externally
nginx | Latest | dweezil | Reverse proxy, TLS termination | Critical | Greg Felice | N/A (infrastructure)
MkDocs (tomo docs) | Latest | tomo.rizlabs.com | Project documentation | Low | Greg Felice | Public (read-only)

Note: "Latest" is not a version. Record the deployed release (for a container, the image digest rather than a moving tag) at each review so that findings from the scanners in section 8.3 can be matched to what is actually running.

4.4 Network Assets

Asset | Purpose | Classification | Owner
rizlabs.com domain | Primary domain for all services | Critical | Greg Felice
TLS certificates (Let's Encrypt) | HTTPS for all web services | High | Greg Felice (auto-renewed via certbot)
UFW firewall rules | Network access control on dweezil | Critical | Greg Felice

5. Distribution Channel Assets

Asset | URL | Purpose | Classification | Owner | Authentication
PyPI (tomo package) | pypi.org/project/tomo | Python SDK distribution | Critical | Greg Felice | MFA + API token
Docker Hub (tomo image) | hub.docker.com/r/tomo | Container image distribution | Critical | Greg Felice | MFA + access token
GitHub (tomo repo) | github.com/*/tomo | Public source code mirror, community engagement | High | Greg Felice | MFA + SSH key
Forgejo (tomo repo) | git.rizlabs.com/*/tomo | Primary source code repository | Critical | Greg Felice | Authentik SSO

6. Third-Party Service Accounts

Asset | Purpose | Classification | Owner | MFA Enabled
PyPI account | Package publishing | Critical | Greg Felice | Yes (hardware key)
Docker Hub account | Image publishing | Critical | Greg Felice | Yes
GitHub account | Repository hosting, community | High | Greg Felice | Yes (hardware key)
Backblaze B2 account | Offsite backup storage | High | Greg Felice | Yes
Cloudflare account | DNS management, DDoS protection | High | Greg Felice | Yes
Hetzner account (future) | Cloud infrastructure for hosted service | Critical (future) | Greg Felice | Planned
Stripe account (future) | Payment processing for hosted service | Critical (future) | Greg Felice | Planned

See Vendor Register for third-party compliance details.

7. CI/CD Service Accounts

Account | System | Purpose | Credential Type | Rotation Schedule
Woodpecker CI bot | Forgejo | Trigger builds, report status | OAuth token | 90 days
PyPI publish token | Woodpecker CI | Publish Python package to PyPI | Scoped API token | 90 days
Docker Hub publish token | Woodpecker CI | Push container images | Scoped access token | 90 days
postgres-exporter | PostgreSQL | Read-only metrics collection | Database password (scram-sha-256) | 90 days
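The postgres-exporter row says the credential is a "Database password (scram-sha-256)". What PostgreSQL actually stores for such a role is a SCRAM verifier of the form `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` (base64 fields), not the password, and `ALTER ROLE ... PASSWORD` accepts that verifier literal as-is, so a 90-day rotation can be done without the new password ever crossing the wire or landing in server logs. The following is an added example, not tomo project code: it derives the verifier per RFC 7677 with the standard library and runs the proof check the server performs at login. The password, salt, auth message and the role name `postgres_exporter` are constructed for the example.

```python
"""Build and verify a PostgreSQL SCRAM-SHA-256 password verifier.

Added example, not tomo project code. Shows what PostgreSQL keeps in
pg_authid.rolpassword for a role such as postgres-exporter (section 7) and how
a rotation can ship the verifier instead of the plaintext. Password, salt and
auth message below are constructed; ASCII passwords are assumed (real clients
run SASLprep first).
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 4096  # PostgreSQL's default scram_iterations


def _b64(data):
    return base64.b64encode(data).decode()


def scram_keys(password, salt, iterations=ITERATIONS):
    """Derive (StoredKey, ServerKey) as in RFC 5802 / RFC 7677."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()   # H(ClientKey)
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return stored_key, server_key


def build_verifier(password, salt=None, iterations=ITERATIONS):
    """Return the string PostgreSQL stores for the role (fresh salt by default)."""
    salt = salt or os.urandom(16)
    stored_key, server_key = scram_keys(password, salt, iterations)
    return (f"SCRAM-SHA-256${iterations}:{_b64(salt)}"
            f"${_b64(stored_key)}:{_b64(server_key)}")


def parse_verifier(verifier):
    """Split a stored verifier into (iterations, salt, StoredKey, ServerKey)."""
    scheme, rest = verifier.split("$", 1)
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iter_salt, keys = rest.split("$")
    iterations, salt = iter_salt.split(":")
    stored_key, server_key = keys.split(":")
    d = base64.b64decode
    return int(iterations), d(salt), d(stored_key), d(server_key)


def client_proof(password, verifier, auth_message):
    """Client side: ClientKey XOR HMAC(StoredKey, AuthMessage).

    In the real exchange the salt and iteration count come from the
    server-first message; here they are read from the verifier for brevity.
    """
    iterations, salt, stored_key, _ = parse_verifier(verifier)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def server_verifies(verifier, auth_message, proof):
    """Server side: recover ClientKey from the proof and check H(ClientKey).

    The server never learns the password; StoredKey alone is not enough to
    produce a proof, which is why a leaked verifier is not a leaked password.
    """
    _, _, stored_key, _ = parse_verifier(verifier)
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


if __name__ == "__main__":
    # Rotation step (role name assumed): only the verifier appears in the
    # statement, so it is safe for log_statement and for the wire.
    new_password = "example-only-rotate-me"  # constructed
    print(f"ALTER ROLE postgres_exporter PASSWORD '{build_verifier(new_password)}';")
```

Apply the printed statement with `psql`, then store the plaintext only in the exporter's own secret; the `VALID UNTIL` clause of `ALTER ROLE` is a convenient way to make the 90-day schedule in the table enforceable rather than advisory.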

8. Software Assets

8.1 Tomo SDK Dependencies (Core)

Package | Purpose | License
psycopg (3.x) | PostgreSQL driver | LGPL-3.0
antlr4-python3-runtime | agtype parser | BSD-3-Clause

8.2 Tomo SDK Dependencies (Optional)

Package | Purpose | License
python-igraph | Graph algorithms (C backend) | GPL-2.0
networkit | Graph algorithms (C++ backend) | MIT
pyarrow | Apache Arrow export | Apache-2.0
pandas | DataFrame export | BSD-3-Clause

8.3 Development / CI Dependencies

Package | Purpose | License
pytest | Test framework | MIT
ruff | Linter and formatter | MIT
mypy | Static type checker | MIT
bandit | Security linter (SAST) | Apache-2.0
pip-audit | Dependency vulnerability scanner | Apache-2.0
trivy | Container vulnerability scanner | Apache-2.0
trufflehog | Secret scanner | AGPL-3.0

9. Data Assets

Data Category | Location | Classification | Backup | Encryption
SDK source code | Forgejo, GitHub | Public | Git (distributed) | At rest (LUKS)
Documentation | Forgejo, tomo.rizlabs.com | Public | Git (distributed) | At rest (LUKS)
CI/CD secrets | Woodpecker secrets store | Restricted | Encrypted in Woodpecker DB | At rest (encrypted store)
Infrastructure configs | Forgejo (Ansible repo) | Internal | Git (distributed) | At rest (LUKS)
Database data (dev) | PostgreSQL on dweezil | Internal | pg_basebackup, WAL | At rest (LUKS)
Database data (hosted, future) | PostgreSQL on dweezil / cloud | Confidential-Restricted | pg_basebackup, WAL, offsite B2 | At rest (LUKS), in transit (TLS), offsite (AES-256)
User credentials (hosted, future) | Authentik | Restricted | Authentik export | At rest (encrypted), hashed (scram-sha-256)
Monitoring metrics | Prometheus on dweezil | Internal | Not backed up (regenerable) | At rest (LUKS)
Audit logs | PostgreSQL, systemd journal | Internal | Log rotation + offsite | At rest (LUKS)

10. Asset Lifecycle

10.1 Provisioning

  1. New assets are documented in this inventory before deployment
  2. Classification and owner assigned at provisioning time
  3. Security controls applied according to classification level
  4. Access granted per Access Control Policy

10.2 Decommissioning

  1. Data migrated or securely deleted (see Data Classification Policy)
  2. Credentials rotated or revoked
  3. Asset removed from this inventory
  4. Decommission date and reason documented

11. Review Schedule

Activity | Frequency | Owner
Full inventory review | Semi-annually | Project Lead
New asset registration | At provisioning time | Project Lead
Decommission review | At decommission time | Project Lead
Classification reassessment | Annually, or after significant changes | Project Lead

12. Compliance Mapping

SOC 2 Criteria | Control
CC6.1 | Inventory of system components
CC6.4 | Physical and logical access to assets
CC3.2 | Identification of assets and associated risks
CC8.1 | Configuration management and change tracking