lilfade/natureinpots_community
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
13d56066abe1726c99e1a3f7ec77fbde8eceae23
natureinpots_community/Security.md
Lilfade 13d56066ab things
2025-06-27 17:43:50 -05:00

152 lines
5.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 🔐 SECURITY.md
_Nature In Pots Community Data & Platform Security Policy_
---
## 🔒 Overview
This document outlines the security practices, encryption policies, and recovery procedures used by the **Nature In Pots Community** platform. Our goal is to maintain the privacy and integrity of user data while offering secure collaboration, recovery, and administrative tooling where appropriate.
---
## ✅ Security Principles
We follow a simple core policy:
> **Your data is yours.** You choose who sees it, how it's stored, and what happens to it.
To support this, we implement:
- **End-to-End Encryption (E2EE)** for sensitive records.
- **User-controlled privacy flags** and public visibility toggles.
- **Role-based access control** for owners, groups, vendors, and admins.
- **Optional key escrow** to allow secure, auditable recovery when necessary.
- **Strict audit trails** for all user and admin actions.
- **Granular ownership transfers** that preserve privacy unless explicitly permitted.
---
## 🧑‍🌾 User Data Encryption
When a user creates or imports plants, grow logs, health reports, media, or related records, the following options apply for encryption and recovery:
### 🔐 Option 1: Maximum Privacy Mode (No Escrow)
- Data is encrypted with a user-owned key never shared with the server.
- Only the user can decrypt or transfer ownership.
- If the key is lost, **data is unrecoverable**. Even admins cannot assist.
### 🗝️ Option 2: Recovery-Enabled Mode (Escrow)
- A securely wrapped recovery key is stored using *key escrow*.
- Admins may **transfer ownership** of encrypted records to a new user (e.g., due to account inactivity or verified reassignment), but cannot read or decrypt the data.
- All access and recovery actions are **audited** and must be explicitly justified.
Users are prompted to choose between these options on signup and may change their preference at any time from **Account Settings → Privacy Options**.
#### TL;DR (Explain Like Im 5)
- **Full Privacy Mode**: Only you have the key to your secret garden. Lose it = locked out forever.
- **Recovery Mode (Default)**: Still private, but we keep a spare key in a vault. We can give your garden to a new gardener if needed, but we still cant peek inside.
---
## 🧑‍🤝‍🧑 Groups, Vendors, and Collectives
A "collective identity" (e.g., vendor, grow group, brand) may be created and owned by one or more users.
- Each collective has its own permission rules.
- Permissions include: `read`, `edit`, `propose changes`, `submit grow logs`, `mark as sold`, and `manage members`.
- Collective-owned content inherits the encryption mode of the creator or the designated owner.
All actions taken under a collective identity are tagged with the acting user and timestamped.
---
## 🔁 Ownership & Record Transfers
Records (plants, logs, vendors, mixes, etc.) can be transferred between:
- Individuals ↔ Individuals
- Individuals ↔ Vendors / Groups
- Vendors ↔ Vendors
**Transfer rules:**
| Encryption Mode | Owner Action Required | Admin Recovery Allowed |
|------------------|------------------------|-------------------------|
| No Escrow | ✅ Yes | ❌ No |
| Escrow Enabled | 🚫 Optional (if owner inactive) | ✅ Yes |
All transfers are logged with before/after states and include initiator ID, reason, and timestamp.
---
## 🪵 Audit Logging
All significant actions are audit-logged:
- Logins, failed logins, and 2FA attempts
- Data modifications (create, edit, delete)
- Media uploads
- Grow log entries
- Transfers and permission changes
- Escrow-based recoveries
Logs are not publicly accessible but may be disclosed to the user on request or subpoena.
---
## ⚠️ Admin Privileges & Limitations
Admins can:
- Approve or remove public content
- Recover records **only** under escrow-enabled mode
- View metadata (timestamps, image hashes, plant IDs)
- **Not** decrypt user content in maximum privacy mode
- **Not** alter audit trails or impersonate users
---
## 🧪 Developer Guidelines
### Secret Management
- All crypto secrets must be kept in `.env` or secure vaults.
- Never commit user-generated keys or tokens to Git.
### Input Sanitization
- All user inputs are escaped before rendering.
- Media uploads are validated and stripped of EXIF/GPS metadata.
### TLS & HTTPS
- All public and private routes must use HTTPS.
- Local dev servers use self-signed certs or SSL proxy.
---
## 🛡️ Future Features (Planned)
- ✅ Invite-only registration support
- ✅ Per-record expiration and auto-archival
- 🔒 Self-destructing records (for sensitive notes)
- 🧬 Cryptographic signatures on propagation history
- 🧾 Printable audit exports per plant/vendor
---
## 📞 Contact & Reporting Security Issues
If you find a vulnerability or need to report a breach:
- Email: [security@natureinpots.com](mailto:security@natureinpots.com)
- PGP Key: Coming soon
- Please include reproduction steps and affected data
---
_This document is maintained by the Nature In Pots security team. Last updated: {{ current_year }}._
Reference in New Issue View Git Blame Copy Permalink