fetch_ml/internal/worker
Jeremie Fraeys a8180f1f26
feat(security): HIPAA compliance mode and PHI denylist validation
Add compliance_mode field to Config with strict HIPAA validation:
- Requires SnapshotStore.Secure=true in HIPAA mode
- Requires NetworkMode="none" for tenant isolation
- Requires non-empty SeccompProfile
- Requires NoNewPrivileges=true
- Enforces credentials via environment variables only (no inline YAML)

Add PHI denylist validation for AllowedSecrets:
- Blocks secrets matching patterns: patient, ssn, mrn, medical_record,
  diagnosis, dob, birth, mrn_number, patient_id, patient_name
- Prevents accidental PHI exfiltration via secret channels

Add comprehensive test coverage in hipaa_validation_test.go:
- Network mode enforcement tests
- NoNewPrivileges requirement tests
- Seccomp profile validation tests
- Inline credential rejection tests
- PHI denylist validation tests

Closes: compliance_mode, PHI denylist items from security plan
2026-02-23 19:43:19 -05:00
Name | Last commit | Date
errors | refactor(api): internal refactoring for TUI and worker modules | 2026-02-20 15:51:23 -05:00
execution | feat: Worker sandboxing and security configuration | 2026-02-18 21:27:59 -05:00
executor | feat(security): implement comprehensive security hardening phases 1-5,7 | 2026-02-23 18:00:33 -05:00
integrity | feat: add manifest signing and native hashing support | 2026-02-19 15:34:39 -05:00
interfaces | refactor: Phase 1 - Extract worker interfaces | 2026-02-17 14:10:03 -05:00
lifecycle | refactor(api): internal refactoring for TUI and worker modules | 2026-02-20 15:51:23 -05:00
artifacts.go | feat(security): implement comprehensive security hardening phases 1-5,7 | 2026-02-23 18:00:33 -05:00
config.go | feat(security): HIPAA compliance mode and PHI denylist validation | 2026-02-23 19:43:19 -05:00
factory.go | refactor(worker): update worker tests and native bridge | 2026-02-23 18:04:22 -05:00
gpu_detector.go | feat: GPU detection transparency and artifact scanner improvements | 2026-02-23 12:29:34 -05:00
gpu_macos.go | feat: GPU detection transparency and artifact scanner improvements | 2026-02-23 12:29:34 -05:00
gpu_macos_stub.go | feat: native GPU detection and NVML bridge for macOS and Linux | 2026-02-21 17:59:59 -05:00
gpu_nvml_native.go | feat: native GPU detection and NVML bridge for macOS and Linux | 2026-02-21 17:59:59 -05:00
gpu_nvml_stub.go | feat: native GPU detection and NVML bridge for macOS and Linux | 2026-02-21 17:59:59 -05:00
native_bridge.go | refactor(worker): update worker tests and native bridge | 2026-02-23 18:04:22 -05:00
native_bridge_libs.go | feat: GPU detection transparency and artifact scanner improvements | 2026-02-23 12:29:34 -05:00
native_bridge_nocgo.go | refactor(worker): update worker tests and native bridge | 2026-02-23 18:04:22 -05:00
snapshot_store.go | refactor(worker): update worker tests and native bridge | 2026-02-23 18:04:22 -05:00
worker.go | refactor(worker): update worker tests and native bridge | 2026-02-23 18:04:22 -05:00