chore: compliance audit checklist -- data isolation, audit logging, PII egress #48

Closed
opened 2026-05-26 23:05:26 -07:00 by pyr0ball (Owner) · 1 comment

Before Turnstone is deployed to a compliance-sensitive environment, verify and document the following:

Data isolation:

  • Log entries from different sources are queryable in isolation (source filter enforced in all API endpoints)
  • No cross-source data leakage in FTS5 queries
  • SQLite DB file permissions (readable only by the Turnstone process user)

Audit logging:

  • All API queries logged with timestamp, endpoint, query string (no log body -- just metadata)
  • Glean operations logged with source ID, entry count, timestamp
  • Errors logged with enough context for post-hoc audit without PII in message field

PII egress:

  • LLM diagnose calls: review what fields are sent to the LLM provider (no raw log messages unless explicitly acknowledged by operator)
  • Avocet harvester: confirm only pattern-tagged entries are exported, and export can be disabled
  • No external telemetry, analytics, or crash reporting calls

Output: Completed checklist committed to docs/compliance/checklist.md.

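The "Data isolation" items above are the ones most likely to fail silently, so here is a runnable check for two of them. This is an added example written for this page, not Turnstone's own code: the schema (an FTS5 table with a `source` column beside the text), the sample entries, and the function names are all assumptions. It contrasts the anti-pattern of splicing the source restriction into the FTS5 MATCH expression, which a crafted query term can escape because FTS5 binds AND tighter than OR, with the checklist's requirement that the source filter be a bound WHERE predicate on every query path, and it adds a permission check for the SQLite file.

```python
import os
import sqlite3
import stat
import tempfile

# Constructed sample data for the example (not Turnstone's real schema): two
# sources whose messages share the token "error", so a leaky query is visible.
SAMPLE_ENTRIES = [
    ("alpha", "disk error on /dev/sda1"),
    ("alpha", "login ok for user svc-backup"),
    ("beta", "kernel error: page allocation failure"),
    ("beta", "login ok for user jdoe"),
]


def open_db() -> sqlite3.Connection:
    """In-memory FTS5 index with the source identifier stored beside the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE VIRTUAL TABLE entries USING fts5(source, message)")
    conn.executemany("INSERT INTO entries(source, message) VALUES (?, ?)", SAMPLE_ENTRIES)
    return conn


def search_unsafe(conn: sqlite3.Connection, source: str, user_query: str) -> list:
    """Anti-pattern: the source restriction is spliced into the MATCH expression.
    FTS5 binds AND tighter than OR, so the query text 'error OR source:beta'
    turns the expression into (source:alpha AND error) OR source:beta."""
    expr = f"source:{source} AND {user_query}"
    return conn.execute(
        "SELECT source, message FROM entries WHERE entries MATCH ?", (expr,)
    ).fetchall()


def search(conn: sqlite3.Connection, source: str, user_query: str) -> list:
    """Hardened: the source filter is a bound WHERE predicate evaluated outside
    the FTS5 expression, so nothing in user_query can widen it. A malformed
    user_query still raises sqlite3.OperationalError (fts5: syntax error);
    the API layer should map that to a 400 rather than swallow it."""
    rows = conn.execute(
        "SELECT source, message FROM entries WHERE source = ? AND entries MATCH ?",
        (source, user_query),
    ).fetchall()
    # Defence in depth: fail loudly if a future schema or query change leaks.
    leaked = [row for row in rows if row[0] != source]
    if leaked:
        raise RuntimeError(f"cross-source leak for source={source!r}: {leaked}")
    return rows


def db_file_is_private(path: str) -> bool:
    """Checklist item: the SQLite file must carry no group/other permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def check_temp_db_modes() -> tuple:
    """Exercise db_file_is_private on a throwaway file: (result at 0644, result at 0600)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        world_readable = db_file_is_private(path)
        os.chmod(path, 0o600)
        owner_only = db_file_is_private(path)
    finally:
        os.unlink(path)
    return world_readable, owner_only


if __name__ == "__main__":
    db = open_db()
    hostile = "error OR source:beta"
    print("unsafe  :", search_unsafe(db, "alpha", hostile))
    print("hardened:", search(db, "alpha", hostile))
    print("file modes (0644, 0600) private?", check_temp_db_modes())
```

The post-query leak check in `search` is cheap and turns a future regression (a new endpoint that forgets the predicate, or a schema change) into an exception rather than a quiet disclosure; in an API it belongs behind the same source-filter helper every endpoint is required to call.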
pyr0ball added this to the Enterprise POC Deliverable milestone 2026-05-26 23:05:26 -07:00
pyr0ball added the security, docs, compliance labels 2026-05-26 23:05:26 -07:00
pyr0ball (Author, Owner) commented:

Implemented:

Audit logging middleware (_audit_middleware in app/rest.py):

  • Logs every /turnstone/api/* request: method, path, query string (no body), status code, duration ms
  • Named logger turnstone.audit hooked to uvicorn's error handler at startup
  • Static files and health endpoint are excluded

Compliance checklist at docs/compliance/checklist.md:

  • All criteria from the issue verified against current code
  • Data isolation: ✅ source_filter enforced in all query paths
  • Audit logging: ✅ middleware + glean scheduler
  • PII egress: ✅ multi-agent path (not multi-agent legacy path — documented as known limitation)
  • No external telemetry: ✅ confirmed
  • GDPR anonymization disclaimer added: anonymized exports cannot be selectively deleted per right-to-erasure

Note: ! sudo kill -9 1551899 1554109 1697462 needed on Heimdall to clear stale uvicorn instances before clean restart.

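The comment describes the audit middleware by its observable behaviour: metadata only, no body, static files and the health endpoint excluded, a named `turnstone.audit` logger. Below is an added example of that shape written for this page, not the `_audit_middleware` from `app/rest.py`. It is a framework-free ASGI middleware so it runs offline; the health path, the static path, the stand-in app and the helper names are assumptions, and wiring the logger's handler into uvicorn at startup is left to the application (the example attaches a capturing handler only for the offline run). One caveat the checklist leaves implicit: query strings are logged verbatim, so a `q=` parameter can itself carry PII.

```python
import asyncio
import logging
import time

# Named logger as in the comment. Attaching its real handler at startup is the
# app's job; this example only adds a capturing handler for the offline run.
audit_log = logging.getLogger("turnstone.audit")
audit_log.setLevel(logging.INFO)

AUDIT_PREFIX = "/turnstone/api/"
# Assumed health path (not confirmed against app/rest.py).
EXCLUDED_PATHS = {"/turnstone/api/health"}


def should_audit(path: str) -> bool:
    """Only API routes are audited: static files fall outside the prefix, health is exempt."""
    return path.startswith(AUDIT_PREFIX) and path not in EXCLUDED_PATHS


class AuditMiddleware:
    """Pure ASGI middleware: logs method, path, query string, status and duration.
    It never calls receive() itself, so the request body is neither read nor logged."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or not should_audit(scope["path"]):
            await self.app(scope, receive, send)
            return
        started = time.perf_counter()
        record = {
            "method": scope["method"],
            "path": scope["path"],
            "query": scope.get("query_string", b"").decode("utf-8", "replace"),
            "status": None,
        }

        async def send_with_status(message):
            if message["type"] == "http.response.start":
                record["status"] = message["status"]
            await send(message)

        try:
            await self.app(scope, receive, send_with_status)
        finally:
            # Runs even when the app raises, so a crashed request still leaves a
            # trail (status stays None then; the server turns it into a 500).
            record["duration_ms"] = round((time.perf_counter() - started) * 1000, 2)
            audit_log.info(
                "method=%s path=%s query=%s status=%s duration_ms=%s",
                record["method"], record["path"], record["query"],
                record["status"], record["duration_ms"],
                extra={"audit": record},
            )


class _CaptureHandler(logging.Handler):
    """Collects the structured audit dicts so the offline run can inspect them."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(getattr(record, "audit", None))


async def demo_app(scope, receive, send):
    """Stand-in for the real app (constructed): reads the body, answers 404 for one path."""
    await receive()  # the body is consumed here, past the middleware, and never logged
    status = 404 if scope["path"].endswith("/missing") else 200
    await send({"type": "http.response.start", "status": status,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"ok"})


def audit_record_for(method: str, path: str, query: bytes = b"", body: bytes = b""):
    """Drive one request through AuditMiddleware(demo_app) and return the audit
    dict that was logged, or None when the path is exempt."""
    handler = _CaptureHandler()
    audit_log.addHandler(handler)
    try:
        scope = {"type": "http", "method": method, "path": path,
                 "query_string": query, "headers": []}

        async def receive():
            return {"type": "http.request", "body": body, "more_body": False}

        async def send(message):
            pass

        asyncio.run(AuditMiddleware(demo_app)(scope, receive, send))
    finally:
        audit_log.removeHandler(handler)
    return handler.records[0] if handler.records else None


if __name__ == "__main__":
    print(audit_record_for("POST", "/turnstone/api/query", b"q=error", body=b"not-logged"))
    print(audit_record_for("GET", "/turnstone/api/health"))
```

Capturing the status from `http.response.start` rather than from the handler's return value is what makes this work for streaming responses and for exceptions alike; logging in `finally` is the part that matters for an audit trail, since the requests that fail are the ones an auditor asks about first.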
Reference: Circuit-Forge/turnstone#48