Visibility phase 3: redaction-safe public read API + leak test #44

Merged
justin merged 1 commits from visibility-phase3-public-api into main 2026-06-09 09:17:56 -04:00
Phase 3 — the privacy-critical anonymous read surface (/api/v1/public).

  • CurrentUserOrNone optional-auth dep (never 401s).
  • public_view_service: every projection passes through privacy.person_visibility. Persons redacted (living→"Living person", hidden dropped); relationships only when both endpoints non-hidden; events only for FULL persons (partnership events only when both partners full); names only for FULL persons. Non-viewable trees → 404 (not 403) so the surface can't probe private trees. Media deferred (own pass).
  • Read-only router: directory + tree + persons/relationships/events + person detail/names/events. Directory lists public to all, adds site_members for authed; never lists unlisted/private. PublicTreeRead omits owner_id.

Tests (ran locally, green — CI has no pytest): anonymous end-to-end leak test (a living person's real name/alias/birth-year appear in NO public response; deceased data does), private=404, unlisted-by-link-only, site_members-requires-login, directory visibility. Full suite 70 passed. Regenerated openapi.json + TS client.

⚠️ The AUTHED list endpoints still leak per-person for non-members (pre-existing) — fixed next, separately.

🤖 Generated with Claude Code
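As an added example that is not part of the PR or the project's own code, the following Python sketch mirrors the redaction rules the description lists (living → "Living person", hidden dropped, relationships only with both endpoints non-hidden, events only for FULL persons and partnerships only when both partners are FULL) and the anonymous leak test that checks a living person's name, alias and birth year against the serialized response. `Person`, `person_visibility`, `public_tree_view` and `find_leaks` are hypothetical stand-ins for `privacy.person_visibility` and `public_view_service`, and all sample data is constructed.

```python
import json
from dataclasses import dataclass

FULL, REDACTED, HIDDEN = "full", "redacted", "hidden"

@dataclass
class Person:
    id: int
    name: str
    alias: str
    birth_year: int
    living: bool
    hidden: bool = False

def person_visibility(p: Person) -> str:
    """Hypothetical stand-in for privacy.person_visibility: hidden > living > deceased."""
    return HIDDEN if p.hidden else (REDACTED if p.living else FULL)

def public_tree_view(people, relationships, events):
    """Project a tree the way the PR describes: every item passes through the visibility gate."""
    vis = {p.id: person_visibility(p) for p in people}
    persons = []
    for p in people:
        if vis[p.id] == HIDDEN:
            continue  # hidden persons are dropped entirely
        if vis[p.id] == REDACTED:
            persons.append({"id": p.id, "name": "Living person"})  # no alias, no birth year
        else:
            persons.append({"id": p.id, "name": p.name, "alias": p.alias, "birth_year": p.birth_year})
    # relationships only when both endpoints are non-hidden
    rels = [r for r in relationships if HIDDEN not in (vis[r["a"]], vis[r["b"]])]
    # events only for FULL persons; a partnership event needs *both* partners FULL
    evts = [e for e in events if all(vis[pid] == FULL for pid in e["persons"])]
    return {"persons": persons, "relationships": rels, "events": evts}

def find_leaks(view, secrets):
    """Leak test: return every secret string found anywhere in the serialized response."""
    blob = json.dumps(view)
    return [s for s in secrets if s in blob]

# Constructed sample data (not from the project): one living, one deceased, one hidden person.
PEOPLE = [Person(1, "Ada Example", "ada_e", 1990, living=True),
          Person(2, "Bert Example", "bert_e", 1901, living=False),
          Person(3, "Cy Example", "cy_e", 1985, living=True, hidden=True)]
RELS = [{"a": 1, "b": 2, "type": "parent"}, {"a": 2, "b": 3, "type": "parent"}]
EVENTS = [{"type": "birth", "persons": [2], "year": 1901},
          {"type": "birth", "persons": [1], "year": 1990},
          {"type": "partnership", "persons": [1, 2], "year": 2010}]
LIVING_SECRETS = ["Ada Example", "ada_e", "1990"]
```

Running `find_leaks(public_tree_view(PEOPLE, RELS, EVENTS), LIVING_SECRETS)` returns an empty list, while the deceased person's name and birth year remain present in the same response.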

justin added 1 commit 2026-06-09 09:17:55 -04:00
Adds the anonymous read surface (/api/v1/public) — the privacy-critical core.

- CurrentUserOrNone dependency: optional auth that never 401s (anonymous OK).
- public_view_service: every projection passes through privacy.person_visibility.
  persons redacted (living → "Living person", hidden dropped); relationships
  only when both endpoints non-hidden; events only for FULL-visibility persons
  (partnership events only when both partners full); names only for FULL
  persons. Not-viewable trees raise 404 (not 403) so the surface can't probe
  for private trees. Media deferred (higher-sensitivity; own pass later).
- public router: read-only directory + tree + persons/relationships/events +
  person detail/names/events. Directory lists `public` to all and adds
  `site_members` for authenticated callers; never lists unlisted/private.
- PublicTreeRead omits owner_id.

Tests (ran locally — CI does not run pytest): an anonymous end-to-end leak test
asserting a living person's real name, alias, and birth year appear in NO public
response while the deceased person's data does; plus private=404, unlisted
viewable-by-link-but-unlisted, site_members requires login, and directory
visibility. Full suite: 70 passed. Regenerated openapi.json + TS client.

Note: the AUTHED list endpoints still leak per-person for non-members
(pre-existing) — fixed next, separately.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
justin merged commit 3810b65de0 into main 2026-06-09 09:17:56 -04:00
justin deleted branch visibility-phase3-public-api 2026-06-09 09:17:56 -04:00