Capablio

Private key handling audit (Prompt 02A)

Date: 2026-07-17. Status: remediated query-string path; body transmission remains under ADR-002.

Updated

Findings

Location Transport Risk Status
routes_survey_report.py export ~~GET query~~ POST body URL logging fixed
routes_results.py render POST body Server decrypt documented ADR-002
routes_pdp.py * POST body Server decrypt documented ADR-002
routes_wrapup.py POST body Server decrypt documented ADR-002
routes_keys.py reseal POST body Server decrypt documented ADR-002
ui/static/app.js sessionStorage JWK → b64 XSS/session theft threat model 17
consented_scores on submit POST with envelope Plaintext scores documented

Grep contract (CI)

No private_key in FastAPI query parameters:

rg 'private_key.*: str' forge360/api/ --glob '*.py' | rg -v 'Body|BaseModel'
# export endpoint must be POST only

Remaining work (14A/15)

  • Client-side decrypt path for official reports where policy allows
  • Remove subject weight override from participant UI
  • PDP without server-bound subject private key when subject-private mode selected