Platform: maximize PII protection and data safety for cloud users #20

Open
opened 2026-03-10 21:46:14 -07:00 by pyr0ball · 0 comments
Owner

Overview

As a privacy-first platform, we should continuously improve how user PII and sensitive data are protected across all managed cloud instances.

Current state (as of 2026-03-10)

  • staging.db — SQLCipher encrypted per-user ✅
  • user.yaml, plain_text_resume.yaml, search profiles, etc. — now isolated per user in per-user config dirs, but stored as plaintext YAML ⚠️
  • Auth session tokens — validated server-side, never stored ✅
  • Resume text stored in user.yaml as _raw_resume_text (up to 8000 chars of PII) ⚠️

Backlog ideas

  • Encrypt YAML config files at rest (user.yaml, plain_text_resume.yaml) using a per-user key derived from CF_SERVER_SECRET + user_id (same approach as SQLCipher key derivation)
  • Add a read/write helper (cloud_session.get_config() / cloud_session.save_config()) that transparently encrypts/decrypts YAML in cloud mode
  • Audit all file write paths in wizard and settings for any remaining shared-path leaks
  • Consider short TTL on _raw_resume_text stored in user.yaml — strip after career summary is generated
  • Data retention policy — configurable auto-purge of inactive user data trees
  • At-rest encryption audit before public launch

Context

This came up while hardening the Peregrine cloud/menagerie instance. The per-user config dir isolation fix (PR/commit 2026-03-10) is a prerequisite for YAML encryption.

pyr0ball added the priority:backlog and status:concept labels 2026-03-10 21:46:14 -07:00
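The first backlog item proposes a per-user key derived from CF_SERVER_SECRET + user_id. The sketch below is an added example, not code from the issue or the project: it assumes HKDF-SHA256 as the derivation (the issue does not say which KDF is used), and the function names, the purpose labels and the "example-kdf-v1" tag are hypothetical. It shows how a purpose label keeps the YAML key distinct from the database key even though both come from the same secret and user.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256, built from the standard library only."""
    if length > 255 * 32:
        raise ValueError("requested output too long for HKDF-SHA256")
    # Extract: an empty salt is replaced by one hash-length block of zeros.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    # Expand: chain HMAC blocks until enough output is produced.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") never encode alike."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(2, "big") + raw


def derive_user_key(server_secret: bytes, user_id: str, purpose: str) -> bytes:
    """Return a 32-byte key bound to one user and one purpose (hypothetical helper)."""
    if len(server_secret) < 32:
        raise ValueError("server secret should be at least 32 random bytes")
    if not user_id or not purpose:
        raise ValueError("user_id and purpose are required")
    # Assumption: the secret is the input keying material; user and purpose go in `info`.
    info = b"example-kdf-v1" + _field(purpose) + _field(user_id)
    return hkdf_sha256(server_secret, salt=b"", info=info)


# Constructed sample values, not real secrets or identifiers.
SAMPLE_SECRET = bytes(range(32))
yaml_key = derive_user_key(SAMPLE_SECRET, "user-1001", "yaml-config")
db_key = derive_user_key(SAMPLE_SECRET, "user-1001", "sqlcipher-db")
```

The derived key would be passed to an authenticated cipher from a vetted library inside the proposed get_config() / save_config() helpers; the encryption step itself is not shown here.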