Capablio

ADR-002: Encryption and trust boundary (draft for 02A)

Status: accepted (query-string remediated; body-key path disclosed as service-assisted) Date: 2026-07-17 Feature: CAP-SEC-001

Updated

Context

Survey UI states ratings are encrypted in the browser and the server stores sealed envelopes only. Discovery found private_key_b64 accepted by server handlers for results, PDP, wrap-up, and export (including query string on export.zip). consented_scores may expose individual ratings outside the envelope.

Decision (target architecture)

Supported mode (Phase 1 uplift): Service-assisted decryption under disclosed policy

  • Server may decrypt subject envelopes only when the subject (or authorized methodology role) explicitly requests report/PDP operations in-session.
  • Private keys must not appear in URLs, logs, analytics, or support tooling.
  • private_key_b64 in request bodies is deprecated — migrate to client-side decrypt or ephemeral session-bound key handles with TTL.
  • consented_scores for Peer/Team/Customer: document as aggregated-input path with retention and deletion policy; not marketed as zero-knowledge for those raters until removed or re-sealed.

Not approved until evidence: "zero-knowledge", "server cannot read answers", "end-to-end encrypted feedback" in public copy.

Migration steps

  1. Remove private_key_b64 from query strings (export endpoint).
  2. Add wiki/internal/security/claim-freeze.md enforcement in marketing/docs generators.
  3. Introduce scoring-policy and report rendering without server-held subject private keys where feasible (14A).
  4. Independent security review before lifting claim freeze.

Consequences

  • Prompts 04–05 blocked for strong privacy language until this ADR is accepted and checks green.
  • PDP and results APIs need refactor tranches in 02A, 14A, 15.