stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
a7cd10020aebdc6a20794953194bebc74c001840
git.stella-ops.org/docs/modules/findings-ledger/tenant-isolation-redaction.md
StellaOps Bot 47168fec38 feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports 
- Introduced a new VEX compact fixture for testing purposes.
- Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests.
- Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations.
- Documented tasks related to the Mirror Creator.
- Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs.
- Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases.
- Added tests for symbol ID normalization in the reachability scanner.
- Enhanced console status service with comprehensive unit tests for connection handling and error recovery.
- Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00

2.1 KiB
Raw Blame History

Tenant Isolation & Redaction Manifest (FL5)

Purpose: Document how Findings Ledger enforces tenant boundaries and which fields are redacted in deterministic exports.

Isolation controls

  • Storage: all ledger, projection, history, and merkle tables are LIST-partitioned by tenant_id (PostgreSQL). Cross-tenant queries are disallowed at repo level.
  • Queueing: Merkle batches and projector pipelines are keyed by (tenant_id, chain_id); no mixing.
  • Exports: /ledger/export/* requires X-Stella-Tenant; service rejects multi-tenant requests.
  • Hashing: event/projection hashes include tenant_id as part of canonical envelope, preventing replay across tenants.

Redaction policy

  • User-generated content (comments, attachments metadata) is excluded from compact exports and masked in canonical exports per manifest.
  • Actor identifiers are truncated to realm (user:<realm>); emails/PII never emitted.
  • Evidence bundle references are retained, but inline evidence payloads are not stored in ledger.

Manifest

  • Path: docs/modules/findings-ledger/redaction-manifest.yaml (JSON twin: redaction-manifest.json for offline tooling).
  • Content: declarative list of fields redacted or truncated for each export shape.
  • The manifest is signed in checksum list docs/modules/findings-ledger/golden-checksums.json; sha256 must match before release.

Applying the manifest

  • Canonical exports apply redact: mask rules only to PII (actorId, comment); compact exports drop (drop: true) the same fields plus verbose rationale arrays.
  • Log pipelines ensure event_body is never written to logs; only metadata/hashes appear (see observability.md).

Validation steps

  1. sha256sum docs/modules/findings-ledger/redaction-manifest.yaml matches golden-checksums.json.
  2. Run python tools/LedgerReplayHarness/scripts/verify_export.py --input fixtures/golden/findings-canonical.ndjson --schema export.v1.canonical --manifest docs/modules/findings-ledger/redaction-manifest.json (script enforces mask/drop rules offline).
  3. Confirm export responses in staging omit masked fields for the requesting tenant.