Security Guardrails (Read-only)

Date: 2026-03-23
Status: active constraints for current environment

1. Core principle

Integration is analytics-only. Source 1C remains system of record and is never mutated by this stack.

2. Hard restrictions

  1. Read-only access to 1C in the operational path.
  2. execute_code is forbidden in the operational environment.
  3. No document posting, editing or deletion from the bridge layer.
  4. No config modification in the client's production 1C for analytics needs.
  5. The proxy endpoint should remain local/internal (127.0.0.1 or a trusted network).

3. Runtime guardrails

  • ALLOW_DANGEROUS_WITH_APPROVAL=false
  • bounded query windows (limit_per_set)
  • explicit refresh runs with audit (refresh_runs)
  • feature/risk runs fully auditable (feature_runs, risk_runs)

4. Access segregation

Use a separate technical 1C account with minimal read rights:

  • metadata read
  • approved query execution
  • object read by reference

Grant no write roles to this account.

5. Data handling

  • Canonical/feature/risk stores are derivative analytical caches.
  • They do not become write-back channels to 1C.
  • Logs should not duplicate sensitive payloads unnecessarily.

6. Operational checks

Before daily operation:

  1. verify /health for bridge/proxy
  2. verify no dangerous flags are enabled
  3. verify latest runs are successful and recent
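The following pre-flight script is an added example, not part of the NODEDC_1C project, covering both the runtime guardrails of section 3 and the daily checks above: it refuses to proceed if a dangerous flag is enabled, if the proxy is bound to a non-local address, if /health does not report a read-only bridge, or if the latest run in any of refresh_runs, feature_runs or risk_runs is missing, failed or stale. The /health response shape ({"status": "ok", "mode": "readonly"}), the run-record fields, the 36-hour freshness threshold and the sample data are all assumptions made for the example; the flag name and table names are the ones on this page.

```python
"""Pre-flight check for the read-only 1C analytics bridge (added example, assumptions marked)."""
import ipaddress
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Flags the guardrails require to stay off; only the one named in the doc is listed.
DANGEROUS_FLAGS = ("ALLOW_DANGEROUS_WITH_APPROVAL",)
TRUTHY = {"1", "true", "yes", "on"}

# Run tables named in the doc; the freshness threshold is an assumed value.
RUN_TABLES = ("refresh_runs", "feature_runs", "risk_runs")
MAX_RUN_AGE = timedelta(hours=36)

# Constructed sample inputs for a stand-alone run; replace with os.environ,
# fetch_health() and rows from the real run store.
SAMPLE_NOW = datetime(2026, 3, 23, 8, 0, tzinfo=timezone.utc)
SAMPLE_ENV = {"ALLOW_DANGEROUS_WITH_APPROVAL": "false"}
SAMPLE_HEALTH = {"status": "ok", "mode": "readonly"}
SAMPLE_RUNS = [
    {"table": "refresh_runs", "status": "success", "finished_at": "2026-03-23T02:10:00+00:00"},
    {"table": "feature_runs", "status": "success", "finished_at": "2026-03-23T02:40:00+00:00"},
    {"table": "risk_runs", "status": "failed", "finished_at": "2026-03-23T03:00:00+00:00"},
]


def check_dangerous_flags(env):
    """Return the names of dangerous flags that are enabled in the environment mapping."""
    return [f for f in DANGEROUS_FLAGS if str(env.get(f, "false")).strip().lower() in TRUTHY]


def check_proxy_url(url):
    """Return a problem string unless the proxy host is localhost, loopback or a private range."""
    host = urlparse(url).hostname or ""
    if host == "localhost":
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return f"proxy host {host!r} is not localhost or an IP literal"
    if ip.is_loopback or ip.is_private:
        return None
    return f"proxy endpoint {url} is not local/internal"


def check_health(payload):
    """Assumed /health shape: {"status": "ok", "mode": "readonly"}; returns a list of problems."""
    problems = []
    if payload.get("status") != "ok":
        problems.append(f"health status is {payload.get('status')!r}")
    if payload.get("mode") != "readonly":
        problems.append(f"bridge mode is {payload.get('mode')!r}, expected 'readonly'")
    return problems


def check_recent_runs(runs, now, max_age=MAX_RUN_AGE):
    """runs: dicts with table, status and finished_at (ISO 8601 with UTC offset).
    The latest run per table must be successful and no older than max_age."""
    latest = {}
    for r in runs:
        t = datetime.fromisoformat(r["finished_at"])
        if r["table"] not in latest or t > latest[r["table"]][0]:
            latest[r["table"]] = (t, r["status"])
    problems = []
    for table in RUN_TABLES:
        if table not in latest:
            problems.append(f"{table}: no runs recorded")
            continue
        t, status = latest[table]
        if status != "success":
            problems.append(f"{table}: latest run status {status!r}")
        if now - t > max_age:
            problems.append(f"{table}: latest run is {now - t} old")
    return problems


def preflight(env, proxy_url, health_payload, runs, now):
    """Combine all checks; an empty list means daily operation may proceed."""
    problems = [f"dangerous flag enabled: {f}" for f in check_dangerous_flags(env)]
    proxy_problem = check_proxy_url(proxy_url)
    if proxy_problem:
        problems.append(proxy_problem)
    problems += check_health(health_payload)
    problems += check_recent_runs(runs, now)
    return problems


def fetch_health(proxy_url, timeout=5):
    """GET <proxy_url>/health and parse the JSON body (endpoint path assumed)."""
    with urllib.request.urlopen(proxy_url.rstrip("/") + "/health", timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # With the constructed sample the failed risk_runs entry blocks the day.
    for line in preflight(SAMPLE_ENV, "http://127.0.0.1:8080", SAMPLE_HEALTH, SAMPLE_RUNS, SAMPLE_NOW):
        print("BLOCK:", line)
```

Each check returns data rather than exiting, so the same functions can feed a cron job that exits non-zero, or a monitoring probe that reports the individual findings; the flag check treats any unset flag as off, which matches the doc's expectation that ALLOW_DANGEROUS_WITH_APPROVAL=false is the normal state.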

7. Incident policy

If abnormal or risky behavior is detected:

  1. stop proxy access
  2. preserve logs and run records
  3. require manual review before restart