coulomb/kontextual-engine
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
199ffe2a56febe8113543a89d606f9f5c1ce330d
kontextual-engine/docs/release-security-configuration-storage-review.md
tegwick 199ffe2a56 Release readiness polish
2026-05-14 03:29:05 +02:00

4.4 KiB
Raw Blame History

Release Security, Configuration, And Storage Review

Date: 2026-05-14 Release: 0.1.0 controlled preview Status: reviewed for release readiness

Security Boundary

kontextual-engine uses explicit operation contexts, actor metadata, profile gates, policy decisions, and audit records. The preview release is suitable for controlled integrations, not anonymous internet exposure.

Production-facing deployments must provide:

  • HTTPS termination for CMIS and native API access,
  • authentication and trusted actor-header injection at the edge,
  • request logging without leaking secrets or content bytes,
  • restricted network exposure for admin/export profiles,
  • backup and restore procedures for registry and blob storage.

CMIS Access-Point Profiles

Profile Exposure Release note
readonly-browser Public/internal read subset; no mutations. Safe default profile for controlled read clients.
governed-authoring Public/internal read plus governed object/content mutations. Requires authenticated actors and policy review before external use.
admin-export Broad sensitivity visibility, service-account actor type required. Must not be exposed to general users; service-account routing only.
compat-tck Browser Binding compatibility profile with selected mutation support. Intended for OpenCMIS harness and compatibility testing, not normal production traffic.

CMIS optional capabilities are advertised conservatively. Unsupported services return structured CMIS diagnostics rather than partial silent behavior.

Actor Headers

The service runtime accepts actor context through headers such as:

  • X-Actor-Id,
  • X-Actor-Type,
  • X-Actor-Display-Name,
  • X-Actor-Groups,
  • X-Delegated-Actor-*,
  • X-Correlation-Id,
  • X-Request-Scope,
  • X-Policy-Scope.

These headers are trust-bearing. A production gateway must authenticate the caller, strip inbound spoofed actor headers, and inject the trusted actor context itself. Service-account routes such as admin-export must be restricted to service-account identities.

Secrets

No committed example, target profile, or runtime default embeds service secrets. The OpenCMIS harness currently uses anonymous local loopback access for the compatibility profile. S3 credentials must come from the deployment environment, standard AWS provider chain, or secret manager, not from repository files.

Storage Configuration

Supported storage posture:

  • InMemoryAssetRegistryRepository and InMemoryBlobStorage: tests and local smoke only; no persistence.
  • SQLiteAssetRegistryRepository: local-first durable preview registry.
  • LocalBlobStorage: content-addressed local blob root with digest-derived paths.
  • S3BlobStorage: optional kontextual-engine[s3] backend using digest-derived object keys behind the blob port.

The domain model stores representation metadata and storage_ref; the blob backend is an infrastructure choice.

Backup And Restore Expectations

For a durable preview:

  • back up the registry database and blob storage together at a consistent point,
  • record the package version, configuration, and active access-point profiles,
  • for local blobs, back up the complete content-addressed root,
  • for S3, enable bucket versioning or object-lock-equivalent safeguards where available,
  • restore registry and blob storage into a staging environment before declaring backup coverage sufficient.

Blob cleanup must use dry-run first. Active cleanup may delete only blobs proven unreferenced by the registry.

Dependency And Packaging Review

Default install dependencies:

  • pydantic>=2.0.

Release extras:

  • service: FastAPI, HTTPX, Uvicorn.
  • storage: SQLAlchemy.
  • s3: Boto3.
  • dev: Pytest.
  • markdown and llm: local sibling-repository extras for this controlled workspace preview.

The local sibling extras are explicit optional extras and are not needed for the default or service install. Before publishing outside this workspace, either replace those file URLs with published package references or omit those extras from the published distribution.

Release Decision

Security/configuration/storage posture is acceptable for a controlled preview when deployed behind authenticated HTTPS routing with explicit durable storage configuration and documented backup/restore procedures. It is not acceptable to expose the default in-memory runtime or the compat-tck profile as a general production endpoint.

Reference in New Issue View Git Blame Copy Permalink