# Majority Engine Security Baseline

Majority Engine handles campaign financial planning data. Hosted deployments should assume that records may reveal strategy, cash timing, vendor commitments, payroll timing, bank-derived activity, and fundraising weaknesses.

This file defines release gates for any hosted pilot or production deployment.

## Security Principles

- Default deny access.
- Tenant isolation is enforced server-side on every route and query.
- UI visibility is never treated as authorization.
- Sensitive data is minimized in logs, exports, prompts, and AI-facing responses.
- Every material action is auditable.
- Imports and uploads are treated as untrusted input.
- Local development may be simple, but it cannot erase hosted security boundaries.

## Hosted Pilot Blockers

The hosted pilot cannot launch until these are implemented and tested:

- HTTPS only.
- MFA-ready authentication path.
- No first-party password storage for the hosted pilot; login should use managed authentication. If first-party credentials are ever introduced, password hashing and credential breach checks become mandatory release blockers.
- Secure session handling with short-lived managed auth tokens.
- Operator console access must use Google Identity Platform tokens plus an approved operator/admin email allowlist and an explicit operator-only custom claim. Local operator access codes are forbidden in staging and production.
- Role checks on every API route.
- Tenant-scoped database queries.
- Encrypted database storage.
- Encrypted uploaded file/object storage.
- Server-side audit events.
- Rate limits on authentication, import, export, and mutation routes.
- Upload size limits and file-type validation.
- CSV/XLSX formula injection mitigation on export.
- Backup and restore rehearsal.
- Retention and deletion policy.
- Secrets stored outside source control.
- Production logging policy that excludes credentials, full bank statements, raw donor files, and unnecessary personally identifiable information.

## Authorization Matrix

| Capability | Owner | Admin | Staff | Consultant | Read-only |
|---|---:|---:|---:|---:|---:|
| View dashboard | yes | yes | yes | yes | yes |
| View records | yes | yes | yes | yes | yes |
| Create/edit records | yes | yes | yes | yes | no |
| Import files | yes | yes | yes | yes | no |
| Promote imported rows | yes | yes | yes | yes | no |
| Reconcile actuals | yes | yes | yes | yes | no |
| Manage buckets/rules | yes | yes | limited | limited | no |
| Manage users | yes | yes | no | no | no |
| Export data | yes | yes | limited | limited | no |
| Request deletion | yes | no | no | no | no |
| Billing/plan settings | yes | no | no | no | no |

## API Security Requirements

- Every route resolves the caller before reading the requested campaign data.
- Managed identity accounts must map to invited Majority Engine users before any campaign data is returned.
- Every campaign-scoped route verifies membership for that campaign or its organization.
- Every query includes organization or campaign scope.
- Mutations use server-side validation, not only frontend validation.
- Mutations create audit events containing actor, action, entity, timestamp, and safe metadata.
- Mutations that may be retried support idempotency keys.
- Bulk actions support dry-run preview before commit.
- Responses do not leak whether inaccessible resources exist; use `NOT_FOUND` for missing or forbidden cross-tenant resources where appropriate.

## Import And File Safety

- Limit accepted file extensions and MIME types.
- Enforce maximum file size.
- Store uploads outside public web roots.
- Never execute imported content.
- Preserve source row traceability without exposing unnecessary raw contents.
- Escape spreadsheet-leading characters on export: `=`, `+`, `-`, and `@`.
- Add a malware scanning hook before hosted pilot even if the first implementation is a provider stub.
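
The export escaping rule above, as an added example (not Majority Engine's own code). The names `neutralize_cell` and `export_csv`, the apostrophe prefix as the escaping method, and the pass-through for typed numbers are assumptions; the sample rows are constructed.

```python
import csv
import io
from decimal import Decimal

# The four leading characters named in this baseline.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return a value a spreadsheet will display as text, not evaluate."""
    if value is None:
        return ""
    # Typed numbers come from our own schema, not from imported text, so a
    # negative amount stays numeric instead of becoming the text "'-1250.00".
    if isinstance(value, (int, float, Decimal)):
        return value
    text = str(value)
    # Any string (vendor name, memo, imported cell) that starts with a
    # formula trigger gets an apostrophe so it renders as literal text.
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_csv(header, rows):
    """Serialize rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample rows: vendor names and memos arrive via imports.
SAMPLE_ROWS = [
    ["Acme Printing", Decimal("-1250.00"), "yard signs"],
    ["=SUM(B2:B9)", Decimal("40.00"), "@memo"],
    ["+1 555 0100", "-40", "-refund, see note"],
]

if __name__ == "__main__":
    print(export_csv(["vendor", "amount", "memo"], SAMPLE_ROWS))
```

Amounts that reach the exporter as strings (the `"-40"` cell) are escaped like any other text, so keeping monetary fields typed end to end is what preserves them as numbers in the exported sheet.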

## AI Safety Requirements

- AI actions use the same API auth and permissions as human users.
- AI write actions must support dry-run mode.
- High-impact writes require human confirmation before commit.
- AI actions include a human-readable reason and audit action.
- AI-readable responses should minimize sensitive raw source data.
- AI tooling cannot receive secrets, session tokens, private keys, or raw credentials.
- Any future prompt/log store must follow the same retention and deletion policy as campaign data.

## Operational Requirements

- Keep a documented backup schedule.
- Test restore before hosted pilot.
- Keep a documented incident response checklist.
- Rotate secrets if exposed.
- Maintain separate development, pilot, and production configuration.
- Review dependencies before hosted deployment.
- Run static checks and dependency checks in CI once a package manager is introduced.
