coulomb/kontextual-engine
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5c450fcaa5d7de8a184ccd760f0353a0715cb76f
kontextual-engine/docs/release-security-configuration-storage-review.md
tegwick 199ffe2a56 Release readiness polish
2026-05-14 03:29:05 +02:00

115 lines
4.4 KiB
Markdown
Raw Blame History

# Release Security, Configuration, And Storage Review
Date: 2026-05-14
Release: `0.1.0` controlled preview
Status: reviewed for release readiness
## Security Boundary
`kontextual-engine` uses explicit operation contexts, actor metadata, profile
gates, policy decisions, and audit records. The preview release is suitable for
controlled integrations, not anonymous internet exposure.
Production-facing deployments must provide:
- HTTPS termination for CMIS and native API access,
- authentication and trusted actor-header injection at the edge,
- request logging without leaking secrets or content bytes,
- restricted network exposure for admin/export profiles,
- backup and restore procedures for registry and blob storage.
## CMIS Access-Point Profiles
| Profile | Exposure | Release note |
| --- | --- | --- |
| `readonly-browser` | Public/internal read subset; no mutations. | Safe default profile for controlled read clients. |
| `governed-authoring` | Public/internal read plus governed object/content mutations. | Requires authenticated actors and policy review before external use. |
| `admin-export` | Broad sensitivity visibility, service-account actor type required. | Must not be exposed to general users; service-account routing only. |
| `compat-tck` | Browser Binding compatibility profile with selected mutation support. | Intended for OpenCMIS harness and compatibility testing, not normal production traffic. |
CMIS optional capabilities are advertised conservatively. Unsupported services
return structured CMIS diagnostics rather than partial silent behavior.
## Actor Headers
The service runtime accepts actor context through headers such as:
- `X-Actor-Id`,
- `X-Actor-Type`,
- `X-Actor-Display-Name`,
- `X-Actor-Groups`,
- `X-Delegated-Actor-*`,
- `X-Correlation-Id`,
- `X-Request-Scope`,
- `X-Policy-Scope`.
These headers are trust-bearing. A production gateway must authenticate the
caller, strip inbound spoofed actor headers, and inject the trusted actor
context itself. Service-account routes such as `admin-export` must be restricted
to service-account identities.
## Secrets
No committed example, target profile, or runtime default embeds service secrets.
The OpenCMIS harness currently uses anonymous local loopback access for the
compatibility profile. S3 credentials must come from the deployment environment,
standard AWS provider chain, or secret manager, not from repository files.
## Storage Configuration
Supported storage posture:
- `InMemoryAssetRegistryRepository` and `InMemoryBlobStorage`: tests and local
smoke only; no persistence.
- `SQLiteAssetRegistryRepository`: local-first durable preview registry.
- `LocalBlobStorage`: content-addressed local blob root with digest-derived
paths.
- `S3BlobStorage`: optional `kontextual-engine[s3]` backend using
digest-derived object keys behind the blob port.
The domain model stores representation metadata and `storage_ref`; the blob
backend is an infrastructure choice.
## Backup And Restore Expectations
For a durable preview:
- back up the registry database and blob storage together at a consistent point,
- record the package version, configuration, and active access-point profiles,
- for local blobs, back up the complete content-addressed root,
- for S3, enable bucket versioning or object-lock-equivalent safeguards where
available,
- restore registry and blob storage into a staging environment before declaring
backup coverage sufficient.
Blob cleanup must use dry-run first. Active cleanup may delete only blobs proven
unreferenced by the registry.
## Dependency And Packaging Review
Default install dependencies:
- `pydantic>=2.0`.
Release extras:
- `service`: FastAPI, HTTPX, Uvicorn.
- `storage`: SQLAlchemy.
- `s3`: Boto3.
- `dev`: Pytest.
- `markdown` and `llm`: local sibling-repository extras for this controlled
workspace preview.
The local sibling extras are explicit optional extras and are not needed for
the default or service install. Before publishing outside this workspace, either
replace those file URLs with published package references or omit those extras
from the published distribution.
## Release Decision
Security/configuration/storage posture is acceptable for a controlled preview
when deployed behind authenticated HTTPS routing with explicit durable storage
configuration and documented backup/restore procedures. It is not acceptable to
expose the default in-memory runtime or the `compat-tck` profile as a general
production endpoint.
Reference in New Issue View Git Blame Copy Permalink