git.stella-ops.org/docs/security/export-hardening.md
StellaOps Bot d63af51f84
2025-11-26 20:23:28 +02:00
Export Hardening Guide

Status: Draft (2025-11-26) — DOCS-EXPORT-37-004.

Scope

Protect export flows (Export Center, Graph exports, SBOM exports) in online and air-gapped deployments.

RBAC & tenancy

  • Enforce the per-service export scopes:
    • Graph: graph:export
    • Export Center: export:read, export:write
    • SBOM: sbom:export
  • Require X-Stella-Tenant on every export request; deny if missing/mismatched.
  • Default deny cross-tenant access even for admins.

Encryption & integrity

  • All exports must carry SHA-256 digest (and size) headers; prefer a DSSE manifest for multi-file bundles.
  • When storing or staging bundles, encrypt at rest (KMS or sealed disk); in air-gap deployments, keep the CMK/KEK offline-ready.
  • For downloadable endpoints, set X-Content-SHA256; clients must verify the hash before using the bundle.
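The tenant/scope gate from "RBAC & tenancy" and the client-side digest check above, as an added example that is not StellaOps code. It assumes the service names "graph", "export-center" and "sbom", that the caller's tenant and scopes have already been extracted from a validated token, and that headers arrive in a dict with canonical casing.

```python
# Added example (not StellaOps code): an export-request gate and a client-side
# digest check that follow the RBAC and integrity rules in this guide.
import hashlib
import hmac

# Scope required per export service, as listed under "RBAC & tenancy".
# The service keys are assumed names, not identifiers from the platform.
REQUIRED_SCOPES = {
    "graph": {"graph:export"},
    "export-center": {"export:read", "export:write"},
    "sbom": {"sbom:export"},
}


def authorize_export(service: str, headers: dict, token_tenant: str,
                     token_scopes: set) -> tuple[bool, str]:
    """Default deny: X-Stella-Tenant must be present and equal the token's
    tenant, and the token must hold every scope the service requires."""
    tenant = headers.get("X-Stella-Tenant")
    if not tenant:
        return False, "missing X-Stella-Tenant"
    if tenant != token_tenant:
        # Cross-tenant access is denied regardless of any admin scope on the token.
        return False, "tenant mismatch"
    needed = REQUIRED_SCOPES.get(service)
    if needed is None:
        return False, "unknown export service"
    missing = needed - set(token_scopes)
    if missing:
        return False, "missing scopes: " + ", ".join(sorted(missing))
    return True, "ok"


def verify_download(body: bytes, headers: dict) -> bool:
    """Client side: accept the bundle only if both the declared size and the
    X-Content-SHA256 digest match what was actually received."""
    expected = headers.get("X-Content-SHA256", "").strip().lower()
    declared_size = headers.get("Content-Length")
    if len(expected) != 64 or declared_size is None or not declared_size.isdigit():
        return False
    if int(declared_size) != len(body):
        return False
    actual = hashlib.sha256(body).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: a tiny bundle plus the headers an export endpoint would set.
    bundle = b'{"sbom": "constructed sample"}\n'
    hdrs = {"X-Stella-Tenant": "tenant-a", "Content-Length": str(len(bundle)),
            "X-Content-SHA256": hashlib.sha256(bundle).hexdigest()}
    print(authorize_export("sbom", hdrs, "tenant-a", {"sbom:export"}))
    print(verify_download(bundle, hdrs))
```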

Redaction & minimization

  • Exclude secrets, tokens, and credentials from exports by default; add an allowlist only when required.
  • For policy/VEX overlays, strip explain traces unless explicitly requested.
  • Include only tenant-scoped data; avoid global caches in exported bundles.

Network & paths

  • Disallow direct external URLs in exports; use content-addressed blobs or gateway download paths.
  • In air-gap mode, block egress during export and rely on local object storage.
  • Set Content-Security-Policy: sandbox for HTML/PNG exports where applicable.

Imposed rule reminder

  • Follow the platform's “imposed rule” banner: no external distribution without cryptographic integrity and tenant proof.
  • Every export must be reproducible: document source snapshot IDs, overlay versions, tool version, and hash.

Runbook (abridged)

  • If a hash mismatch occurs: stop distribution, regenerate the export, and open an incident with the bundle hash and source snapshot IDs.
  • If RBAC failures spike: check gateway policy and scope mappings; verify that clients send the tenant header.
  • Air-gap: verify bundle catalog signatures before ingest; reject the bundle if the trust root does not match.