Skip to content

docs: design encrypted run artifacts#24

Merged
matthewod11-stack merged 1 commit into
mainfrom
docs/run-artifact-encryption-design
Jul 3, 2026
Merged

docs: design encrypted run artifacts#24
matthewod11-stack merged 1 commit into
mainfrom
docs/run-artifact-encryption-design

Conversation

@matthewod11-stack

Copy link
Copy Markdown
Owner

Summary

  • adds a concrete design for optional encryption of PII-bearing run artifacts
  • covers key storage, AES-GCM envelope format, plaintext metadata boundaries, purge behavior, migration, and failure modes
  • adds implementation slices so Encrypt local run artifacts at rest #21 is agent-ready instead of a vague security bucket
  • links the design from README and ROADMAP

Refs #21

Verification

  • git diff --check

Notes

This is the design/grounding pass, not the encryption implementation. The next PR should start with the crypto primitive + tests, then wire candidates.json through an artifact store behind opt-in config.

- add #21 design covering key storage, artifact format, metadata visibility, purge behavior, migration, and tests

- link the design from README and ROADMAP so the next implementation slice is obvious
Copilot AI review requested due to automatic review settings July 3, 2026 21:47

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a concrete, implementation-oriented design doc for optional encryption of PII-bearing local run artifacts, and wires references to that design into the project’s README and roadmap to make Issue #21 actionable.

Changes:

  • Adds docs/security/run-artifact-encryption-design.md describing config, envelope format, touchpoints, migration, and tests for at-rest encryption of run artifacts.
  • Links the new design doc from the README’s security section.
  • Adds an item to ROADMAP.md pointing Issue #21 to the drafted design.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
ROADMAP.md Adds #21 roadmap entry referencing the new encryption design doc.
README.md Links to the new encryption design doc from the security guidance section.
docs/security/run-artifact-encryption-design.md Introduces the proposed design for encrypting sensitive run artifacts with AES-256-GCM and an artifact-store boundary.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +47 to +48
Protected files are written as an envelope with an `.enc.json` suffix:

runArtifacts:
encryption:
enabled: false
keyProvider: env # env | keychain-later

| Failure | Behavior |
|---|---|
| Encryption enabled but key missing | Abort before writing sensitive artifacts; explain `SOURCERER_ARTIFACT_KEY`. |
@matthewod11-stack matthewod11-stack merged commit 4e1ecbb into main Jul 3, 2026
1 check passed
@matthewod11-stack matthewod11-stack deleted the docs/run-artifact-encryption-design branch July 3, 2026 22:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants