Handbook
ADR-002: Encryption and trust boundary (draft for 02A)
Status: accepted (query-string remediated; body-key path disclosed as service-assisted) Date: 2026-07-17 Feature: CAP-SEC-001
Updated
Context
Survey UI states ratings are encrypted in the browser and the server stores sealed envelopes only. Discovery found private_key_b64 accepted by server handlers for results, PDP, wrap-up, and export (including query string on export.zip). consented_scores may expose individual ratings outside the envelope.
Decision (target architecture)
Supported mode (Phase 1 uplift): Service-assisted decryption under disclosed policy
- Server may decrypt subject envelopes only when the subject (or authorized methodology role) explicitly requests report/PDP operations in-session.
- Private keys must not appear in URLs, logs, analytics, or support tooling.
private_key_b64in request bodies is deprecated — migrate to client-side decrypt or ephemeral session-bound key handles with TTL.consented_scoresfor Peer/Team/Customer: document as aggregated-input path with retention and deletion policy; not marketed as zero-knowledge for those raters until removed or re-sealed.
Not approved until evidence: "zero-knowledge", "server cannot read answers", "end-to-end encrypted feedback" in public copy.
Migration steps
- Remove
private_key_b64from query strings (export endpoint). - Add
wiki/internal/security/claim-freeze.mdenforcement in marketing/docs generators. - Introduce scoring-policy and report rendering without server-held subject private keys where feasible (14A).
- Independent security review before lifting claim freeze.
Consequences
- Prompts 04–05 blocked for strong privacy language until this ADR is accepted and checks green.
- PDP and results APIs need refactor tranches in 02A, 14A, 15.