stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/evidencelocker/s3-object-lock-for-evidence-locker.md

2.2 KiB
Raw Blame History

S3 Object Lock (WORM Retention) for Evidence Locker

Module

EvidenceLocker

Status

IMPLEMENTED

Description

Object Lock configuration in EvidenceLockerOptions with mode, default retention days, legal hold; enforcement headers in S3 storage for WORM retention and legal hold behavior with startup validation.

Implementation Details

  • Modules: src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Storage/, src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Configuration/
  • Key Classes:
    • S3EvidenceObjectStore (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Storage/S3EvidenceObjectStore.cs) - S3 storage with Object Lock headers for WORM retention
    • EvidenceLockerOptions (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Configuration/EvidenceLockerOptions.cs) - configuration including Object Lock mode, retention days, and legal hold settings
    • EvidenceObjectStore (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Storage/EvidenceObjectStore.cs) - base object store abstraction
    • StorageKeyGenerator (src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Storage/StorageKeyGenerator.cs) - generates storage keys for evidence objects
  • Interfaces: IEvidenceLockerStorage
  • Source: SPRINT_20260112_002_EVIDENCE_evidence_locker_audit_pack_hardening.md

E2E Test Plan

  • Configure EvidenceLockerOptions with Object Lock mode=COMPLIANCE and retention=365 days and verify S3EvidenceObjectStore applies WORM headers on write
  • Verify stored objects cannot be deleted before retention period expires
  • Enable legal hold via EvidenceLockerOptions and verify objects are locked regardless of retention period
  • Verify startup validation rejects invalid Object Lock configurations (e.g., retention days < 1)
  • Verify S3EvidenceObjectStore sends correct S3 headers (x-amz-object-lock-mode, x-amz-object-lock-retain-until-date, x-amz-object-lock-legal-hold)
  • Verify Object Lock mode=GOVERNANCE allows deletion with proper override permissions