Handbook
Private key handling audit (Prompt 02A)
Date: 2026-07-17. Status: remediated query-string path; body transmission remains under ADR-002.
Updated
Findings
| Location | Transport | Risk | Status |
|---|---|---|---|
routes_survey_report.py export |
~~GET query~~ POST body | URL logging | fixed |
routes_results.py render |
POST body | Server decrypt | documented ADR-002 |
routes_pdp.py * |
POST body | Server decrypt | documented ADR-002 |
routes_wrapup.py |
POST body | Server decrypt | documented ADR-002 |
routes_keys.py reseal |
POST body | Server decrypt | documented ADR-002 |
ui/static/app.js |
sessionStorage JWK → b64 | XSS/session theft | threat model 17 |
consented_scores on submit |
POST with envelope | Plaintext scores | documented |
Grep contract (CI)
No private_key in FastAPI query parameters:
rg 'private_key.*: str' forge360/api/ --glob '*.py' | rg -v 'Body|BaseModel'
# export endpoint must be POST only
Remaining work (14A/15)
- Client-side decrypt path for official reports where policy allows
- Remove subject weight override from participant UI
- PDP without server-bound subject private key when subject-private mode selected