Security Architecture
Enterprise-grade security for audit data — RBAC, encryption, evidence integrity, and multi-layer protection.
Security Model
5-Layer Middleware Chain
| Layer | Purpose | Technology |
|---|---|---|
| 1. CORS | Domain isolation | FastAPI CORSMiddleware |
| 2. Security Headers | HSTS, CSP, X-Frame | Custom middleware |
| 3. Rate Limiting | DoS protection | Redis-backed |
| 4. CSRF | Request forgery prevention | Double-submit cookie |
| 5. Audit | Immutable logging | AuditLogEvent |
Authentication
Keycloak OIDC
- JWT tokens issued by Keycloak
- Token validation at API gateway
- Refresh token rotation
- Session management
API Keys
- For system integrations
- Scoped permissions
- Expiry dates
- Revocation support
Guest Tokens
- For PBC portal access
- Time-limited
- Engagement-scoped
- No Keycloak account needed
Authorization (RBAC)
Permission Model
resource:action
Enforced at two layers:
- API Layer:
PermissionCheckerFastAPI dependency - UI Layer: Frontend permission context hides unauthorized elements
SoD Enforcement
Segregation of Duties prevents:
- Self-review of workpapers
- Self-approval of findings
- Conflicting role assignments
Data Isolation
Multi-Tenancy
| Layer | Mechanism |
|---|---|
| API | OrgScopedQuery filter |
| Database | PostgreSQL RLS (19 policies) |
| Session | app.current_org_id variable |
| Storage | Org-prefixed MinIO paths |
RLS Policies
19 Row-Level Security policies enforce data isolation:
CREATE POLICY org_isolation ON engagement
USING (org_id = current_setting('app.current_org_id')::int);
Applied to all tenant-scoped tables.
Evidence Integrity
Chain of Custody
Every evidence file receives:
- SHA-256 hash — computed on upload
- Virus scan — ClamAV integration
- Uploader identity — from auth context
- Timestamp — UTC server time
- Immutability — cannot be modified after upload
Encryption
| Data | Method |
|---|---|
| Data in transit | TLS 1.3 |
| Data at rest | PostgreSQL encryption |
| API keys | AES-256-GCM |
| License keys | RS256 asymmetric |
| Passwords | Keycloak (bcrypt) |
Audit Trail
Every CUD operation, state transition, approval, export, and AI action creates an immutable AuditLogEvent:
| Field | Description |
|---|---|
| user_id | Who performed the action |
| action | What was done |
| resource_type | Which entity |
| resource_id | Which record |
| details | JSON change details |
| ip_address | Client IP |
| timestamp | When it happened |
See Audit Trail for querying and compliance.