git.stella-ops.org/docs/security/export-hardening.md
StellaOps Bot d63af51f84
up
2025-11-26 20:23:28 +02:00


# Export Hardening Guide
Status: Draft (2025-11-26) — DOCS-EXPORT-37-004.
## Scope
Protect export flows (Export Center, Graph exports, SBOM exports) in online and air-gapped deployments.
## RBAC & tenancy
- Enforce `export:*` scopes per service:
  - Graph: `graph:export`
  - Export Center: `export:read`, `export:write`
  - SBOM: `sbom:export`
- Require `X-Stella-Tenant` on every export request; deny if missing/mismatched.
- Default deny cross-tenant access even for admins.
## Encryption & integrity
- All exports must include SHA256 (and size) headers; prefer DSSE manifest for multi-file bundles.
- When storing or staging bundles, encrypt at rest (KMS or sealed disk); in air-gap, keep CMK/KEK offline-ready.
- For downloadable endpoints, set `X-Content-SHA256`; clients must verify hash before use.
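The following is an added illustration of the two checks above, the default-deny RBAC/tenancy gate and the client-side `X-Content-SHA256` verification; it is example code, not part of the StellaOps project, and the `ExportRequest` model, the service/action names and the use of `Content-Length` as the size header are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Scope each export service requires, per the RBAC section above.
# Export Center needs export:read to download and export:write to create.
REQUIRED_SCOPES = {
    ("graph", "read"): {"graph:export"},
    ("export-center", "read"): {"export:read"},
    ("export-center", "write"): {"export:write"},
    ("sbom", "read"): {"sbom:export"},
}

@dataclass
class ExportRequest:            # assumed request model for this example
    service: str                # "graph" | "export-center" | "sbom"
    action: str                 # "read" | "write"
    headers: dict               # HTTP request headers
    token_scopes: set           # scopes carried by the caller's token
    token_tenant: str           # tenant the token was issued for
    is_admin: bool = False      # admins get no cross-tenant exception

def authorize_export(req: ExportRequest) -> tuple[bool, str]:
    """Default-deny gate: returns (allowed, reason)."""
    required = REQUIRED_SCOPES.get((req.service, req.action))
    if required is None:
        return False, "unknown export service/action"
    if not required <= req.token_scopes:
        return False, f"missing scope {sorted(required - req.token_scopes)}"
    tenant = req.headers.get("X-Stella-Tenant")
    if not tenant:
        return False, "missing X-Stella-Tenant header"
    if tenant != req.token_tenant:   # is_admin deliberately not consulted
        return False, "tenant mismatch"
    return True, "ok"

def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def verify_export_body(headers: dict, body: bytes) -> bool:
    """Client-side check: body must match X-Content-SHA256 (and Content-Length)."""
    expected = headers.get("X-Content-SHA256", "").strip().lower()
    if len(expected) != 64:
        return False
    declared = headers.get("Content-Length")    # size header, assumed name
    if declared is not None and int(declared) != len(body):
        return False
    return hmac.compare_digest(sha256_hex(body), expected)
```

A client should call `verify_export_body` on the full download before unpacking or forwarding the bundle; a `False` result is the "hash mismatch" case in the runbook below.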
## Redaction & minimization
- Default exclude secrets, tokens, and credentials from exports; add allowlist only when required.
- For policy/VEX overlays, strip explain traces unless explicitly requested.
- Include only tenant-scoped data; avoid global caches in exported bundles.
## Network & paths
- Disallow direct external URLs in exports; use content-addressed blobs or gateway download paths.
- In air-gap mode, block egress during export and rely on local object storage.
- Set `Content-Security-Policy: sandbox` for HTML/PNG exports where applicable.
## Imposed rule reminder
- Follow platform “imposed rule” banner: **No external distribution without cryptographic integrity + tenant proof.**
- Every export must be reproducible: document source snapshot IDs, overlay versions, tool version, and hash.
## Runbook (abridged)
- If hash mismatch: stop distribution, regenerate export, open incident with bundle hash and source snapshot IDs.
- If RBAC failure spike: check gateway policy and scope mappings; verify tenant header presence in clients.
- Air-gap: verify bundle catalog signatures before ingest; reject if trust root mismatches.