things

Security.md

@@ -0,0 +1,151 @@
+# 🔐 SECURITY.md
+_Nature In Pots Community – Data & Platform Security Policy_
+
+---
+
+## 🔒 Overview
+
+This document outlines the security practices, encryption policies, and recovery procedures used by the **Nature In Pots Community** platform. Our goal is to maintain the privacy and integrity of user data while offering secure collaboration, recovery, and administrative tooling where appropriate.
+
+---
+
+## ✅ Security Principles
+
+We follow a simple core policy:
+
+> **Your data is yours.** You choose who sees it, how it's stored, and what happens to it.
+
+To support this, we implement:
+
+- **End-to-End Encryption (E2EE)** for sensitive records.
+- **User-controlled privacy flags** and public visibility toggles.
+- **Role-based access control** for owners, groups, vendors, and admins.
+- **Optional key escrow** to allow secure, auditable recovery when necessary.
+- **Strict audit trails** for all user and admin actions.
+- **Granular ownership transfers** that preserve privacy unless explicitly permitted.
+
+---
+
+## 🧑‍🌾 User Data Encryption
+
+When a user creates or imports plants, grow logs, health reports, media, or related records, the following options apply for encryption and recovery:
+
+### 🔐 Option 1: Maximum Privacy Mode (No Escrow)
+
+- Data is encrypted with a user-owned key never shared with the server.
+- Only the user can decrypt or transfer ownership.
+- If the key is lost, **data is unrecoverable**. Even admins cannot assist.
+
+### 🗝️ Option 2: Recovery-Enabled Mode (Escrow)
+
+- A securely wrapped recovery key is stored using *key escrow*.
+- Admins may **transfer ownership** of encrypted records to a new user (e.g., due to account inactivity or verified reassignment), but cannot read or decrypt the data.
+- All access and recovery actions are **audited** and must be explicitly justified.
+
+Users are prompted to choose between these options on signup and may change their preference at any time from **Account Settings → Privacy Options**.
+
+#### TL;DR (Explain Like I’m 5)
+
+- **Full Privacy Mode**: Only you have the key to your secret garden. Lose it = locked out forever.
+- **Recovery Mode (Default)**: Still private, but we keep a spare key in a vault. We can give your garden to a new gardener if needed, but we still can’t peek inside.
+
+---
+
+## 🧑‍🤝‍🧑 Groups, Vendors, and Collectives
+
+A "collective identity" (e.g., vendor, grow group, brand) may be created and owned by one or more users.
+
+- Each collective has its own permission rules.
+- Permissions include: `read`, `edit`, `propose changes`, `submit grow logs`, `mark as sold`, and `manage members`.
+- Collective-owned content inherits the encryption mode of the creator or the designated owner.
+
+All actions taken under a collective identity are tagged with the acting user and timestamped.
+
+---
+
+## 🔁 Ownership & Record Transfers
+
+Records (plants, logs, vendors, mixes, etc.) can be transferred between:
+
+- Individuals ↔ Individuals  
+- Individuals ↔ Vendors / Groups  
+- Vendors ↔ Vendors
+
+**Transfer rules:**
+
+| Encryption Mode | Owner Action Required | Admin Recovery Allowed |
+|------------------|------------------------|-------------------------|
+| No Escrow        | ✅ Yes                 | ❌ No                   |
+| Escrow Enabled   | 🚫 Optional (if owner inactive) | ✅ Yes           |
+
+All transfers are logged with before/after states and include initiator ID, reason, and timestamp.
+
+---
+
+## 🪵 Audit Logging
+
+All significant actions are audit-logged:
+
+- Logins, failed logins, and 2FA attempts
+- Data modifications (create, edit, delete)
+- Media uploads
+- Grow log entries
+- Transfers and permission changes
+- Escrow-based recoveries
+
+Logs are not publicly accessible but may be disclosed to the user on request or subpoena.
+
+---
+
+## ⚠️ Admin Privileges & Limitations
+
+Admins can:
+
+- Approve or remove public content
+- Recover records **only** under escrow-enabled mode
+- View metadata (timestamps, image hashes, plant IDs)
+- **Not** decrypt user content in maximum privacy mode
+- **Not** alter audit trails or impersonate users
+
+---
+
+## 🧪 Developer Guidelines
+
+### Secret Management
+
+- All crypto secrets must be kept in `.env` or secure vaults.
+- Never commit user-generated keys or tokens to Git.
+
+### Input Sanitization
+
+- All user inputs are escaped before rendering.
+- Media uploads are validated and stripped of EXIF/GPS metadata.
+
+### TLS & HTTPS
+
+- All public and private routes must use HTTPS.
+- Local dev servers use self-signed certs or SSL proxy.
+
+---
+
+## 🛡️ Future Features (Planned)
+
+- ✅ Invite-only registration support
+- ✅ Per-record expiration and auto-archival
+- 🔒 Self-destructing records (for sensitive notes)
+- 🧬 Cryptographic signatures on propagation history
+- 🧾 Printable audit exports per plant/vendor
+
+---
+
+## 📞 Contact & Reporting Security Issues
+
+If you find a vulnerability or need to report a breach:
+
+- Email: [security@natureinpots.com](mailto:security@natureinpots.com)
+- PGP Key: Coming soon
+- Please include reproduction steps and affected data
+
+---
+
+_This document is maintained by the Nature In Pots security team. Last updated: {{ current_year }}._