From 577d784fb8cb7864bbfaade60fb7062552c15906 Mon Sep 17 00:00:00 2001 From: Scott Idem Date: Fri, 13 Feb 2026 19:22:33 -0500 Subject: [PATCH] Serious notes about security updates. --- documentation/AGENT_TODO.md | 30 +++++++++++++++--------- documentation/ARCH__V3_CRUD_LEARNINGS.md | 3 +++ 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/documentation/AGENT_TODO.md b/documentation/AGENT_TODO.md index 215142e..d5d0ff8 100644 --- a/documentation/AGENT_TODO.md +++ b/documentation/AGENT_TODO.md @@ -1,19 +1,27 @@ # Backend Agent Task List > Use this file to track steps for complex features or bug fixes. -> **Status:** 🔵 Active - ID Vision Phase 2 complete. +> **Status:** 🟢 STABLE - Security Hardening Complete. -## 📋 Active Task: ID Vision Audit & Compliance -- [ ] **Step 1:** Audit remaining MariaDB models for ID Vision compliance. -- [ ] **Step 2:** Harden `root_validator(pre=True)` on remaining models to prevent integer leakage. -- [ ] **Step 3:** Refactor `api_crud_v2.py` and `person_methods.py` (Reduce file size < 800 lines). -- [ ] **Step 4:** Coordination (Handshake with Frontend regarding "Badge Rendering" corrupted IDs). -- [ ] **Step 5:** Finalize & Commit. +## 📋 Active Tasks +- [x] **Core Isolation:** Harden `apply_forced_account_filter` to Fail-Closed. +- [x] **IDAA Baseline:** Remove `public_read` from Event, CMS, and Archive objects. +- [x] **Detailed Feedback:** Implement descriptive 403 Forbidden reasons. +- [x] **Audit Suite:** Establish `test_e2e_v3_security_audit.py` as a permanent safeguard. +- [ ] **Step 1:** Audit low-priority MariaDB models for ID Vision parity. +- [ ] **Step 2:** Refactor `api_crud_v2.py` (Reduce file size < 800 lines). +- [ ] **Step 3:** Coordination (Verify Frontend uses `x-account-id` instead of token). + +## 🛡️ Security & Privacy Baseline (IDAA) +- **Status:** **ENFORCED**. +- **Principle:** Every object requires an Account Context except `site_domain`. +- **Maintenance:** Run `tests/e2e/test_e2e_v3_security_audit.py` after ANY router or registry change. ## 🚧 Upcoming Strategic Goals - **Zoom Events Integration:** Implement cron synchronization for OAuth2 ticket retrieval. - **Aether V4 Architecture:** Migration to V4 core standards (Lifecycle fields). -## 📝 Session Notes (Feb 11, 2026) -- **Resolved:** Finalized 'Heal-on-Read' fallback resolution for relational IDs. -- **Verification:** `test_e2e_v3_demo_parity.py` verified at 100% pass rate. -- **Optimization:** Refactored `api_crud.py` and `hosted_file.py` to Registry pattern. +## 📝 Session Notes (Feb 13, 2026) +- **Resolved:** Critical "Fail Open" search leak where missing context returned all records. +- **Hardened:** Removed `public_read` from Events, Presentations, Posts, and Files. +- **Standardized:** Updated 10+ core models with Vision Transformer pattern. +- **Verification:** Security Audit Suite verified at 100% pass rate. diff --git a/documentation/ARCH__V3_CRUD_LEARNINGS.md b/documentation/ARCH__V3_CRUD_LEARNINGS.md index 6b43aa0..7cc7a30 100644 --- a/documentation/ARCH__V3_CRUD_LEARNINGS.md +++ b/documentation/ARCH__V3_CRUD_LEARNINGS.md @@ -65,7 +65,10 @@ Implemented in Jan 2026, the V3 architecture enforces strict data isolation and - **Role Scoping**: These flags are used to bypass account isolation for support and system maintenance tasks. ### Multi-Tenant Isolation +- **Fail-Closed Strategy (Feb 2026)**: The API enforces a strict "Fail-Closed" mindset. If an authentication context or account ID is missing, the system defaults to a blocking filter (e.g., `account_id IS NULL`). It no longer allows "Fail-Open" behavior where missing context returns all records. +- **IDAA Privacy Baseline**: Based on the International Drunk Doctors Anonymous requirement, the system defaults to **Maximum Isolation**. No object (Events, Files, Posts, Meetings) is public by default. Every object requires an `x-account-id` context, with the sole exception of `site_domain` used for bootstrapping. - **Forced Account Filtering**: For all non-super users, the API automatically injects an `account_id` filter into every list and search query. This is enforced at the SQL level via `apply_forced_account_filter`. +- **Detailed 403 Feedback**: Security failures now return descriptive error messages (e.g., "API Key expired", "Account context required") to assist developers in debugging header/context issues while maintaining strict isolation. - **Post-Retrieval Verification**: Single object retrievals (`GET`), updates (`PATCH`), and deletions (`DELETE`) include a secondary ownership check (`check_account_access`). If a user attempts to access an ID belonging to another account, they receive a `403 Forbidden` response. - **Hierarchical Verification**: Child/Nested endpoints verify the ownership of the parent object before allowing operations on children, preventing cross-tenant "sideways" traversal. - **Creation Guard**: When creating records (`POST`), the user's `account_id` is automatically forced onto the new record, preventing a user from creating data for another account.