# Security Guardrails (Read-only)

Date: 2026-03-23

Status: active constraints for current environment

## 1. Core principle

Integration is analytics-only.
Source 1C remains the system of record and is never mutated by this stack.

## 2. Hard restrictions

1. Read-only access to 1C on the operational path.
2. `execute_code` is forbidden in the operational contour.
3. No document posting, editing or deletion from the bridge layer.
4. No config modification in the client's production 1C for analytics needs.
5. The proxy endpoint should remain local/internal (`127.0.0.1` / trusted network).

## 3. Runtime guardrails

- `ALLOW_DANGEROUS_WITH_APPROVAL=false`
- bounded query windows (`limit_per_set`)
- explicit refresh runs with audit (`refresh_runs`)
- feature/risk runs fully auditable (`feature_runs`, `risk_runs`)

## 4. Access segregation

Use a separate technical 1C account with minimal read rights:

- metadata read
- approved query execution
- object read by reference

No write role grants.

## 5. Data handling

- Canonical/feature/risk stores are derivative analytical caches.
- They do not become write-back channels to 1C.
- Logs should avoid unnecessary sensitive payload duplication.

## 6. Operational checks

Before daily operation:

1. verify `/health` for bridge/proxy
2. verify no dangerous flags are enabled
3. verify latest runs are successful and recent
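A pre-operation check that covers these three items in one pass, as an added example that is not part of this guardrails document. The `/health` JSON shape (`status`, `bind_address`), the run-record fields (`kind`, `status`, `finished_at`) and reading the flag from the process environment are assumptions, not something the bridge defines.

```python
# Added pre-operation guardrail check for the 1C analytics bridge (example
# code, not part of the guardrails document). Assumed, not from the page:
# /health returns JSON with "status" and "bind_address"; run records are dicts
# with "kind", "status" and "finished_at" (ISO 8601, UTC); flags are env vars.
from datetime import datetime, timedelta, timezone

DANGEROUS_FLAGS = ("ALLOW_DANGEROUS_WITH_APPROVAL",)   # must be false/unset
REQUIRED_RUN_KINDS = ("refresh_runs", "feature_runs", "risk_runs")
LOCAL_BINDS = ("127.0.0.1", "localhost", "::1")       # restriction 5


def preflight(health, env, runs, now, max_age=timedelta(hours=24)):
    """Return a list of violations; an empty list means daily operation may start."""
    problems = []
    # Check 1: bridge/proxy health and local-only binding.
    if health.get("status") != "ok":
        problems.append(f"health status {health.get('status')!r}, expected 'ok'")
    if health.get("bind_address") not in LOCAL_BINDS:
        problems.append(f"proxy bound to {health.get('bind_address')!r}, not local")
    # Check 2: no dangerous flags enabled (unset counts as disabled).
    for flag in DANGEROUS_FLAGS:
        value = env.get(flag, "false").strip().lower()
        if value not in ("false", "0", ""):
            problems.append(f"{flag}={value!r}, must be false")
    # Check 3: latest run of each audited kind succeeded and is recent.
    for kind in REQUIRED_RUN_KINDS:
        latest = max((r for r in runs if r["kind"] == kind),
                     key=lambda r: r["finished_at"], default=None)
        if latest is None:
            problems.append(f"no {kind} record found")
        elif latest["status"] != "success":
            problems.append(f"latest {kind} ended with status {latest['status']!r}")
        elif now - datetime.fromisoformat(latest["finished_at"]) > max_age:
            problems.append(f"latest {kind} is stale ({latest['finished_at']})")
    return problems


# Constructed sample inputs for an offline dry run (risk_runs is 25 h old).
NOW = datetime(2026, 3, 23, 8, 0, tzinfo=timezone.utc)
SAMPLE_HEALTH = {"status": "ok", "bind_address": "127.0.0.1"}
SAMPLE_ENV = {"ALLOW_DANGEROUS_WITH_APPROVAL": "false"}
SAMPLE_RUNS = [
    {"kind": "refresh_runs", "status": "success", "finished_at": "2026-03-23T06:00:00+00:00"},
    {"kind": "feature_runs", "status": "success", "finished_at": "2026-03-23T06:30:00+00:00"},
    {"kind": "risk_runs", "status": "success", "finished_at": "2026-03-22T07:00:00+00:00"},
]

if __name__ == "__main__":
    for problem in preflight(SAMPLE_HEALTH, SAMPLE_ENV, SAMPLE_RUNS, NOW):
        print("BLOCK:", problem)
```

Any non-empty result blocks the day's operation; with the sample data the stale `risk_runs` record is the single finding.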

## 7. Incident policy

If abnormal or risky behavior is detected:

1. stop proxy access
2. preserve logs and run records
3. require manual review before restart