Project · Saas Lifebot · Runbooks

Runbook — Pre-invite security gate

Block inviting friends with real health data until encryption and isolation checks pass.

type runbookstatus activelifebot · security · checklist

Prerequisites

  • App running on ThinkCentre via Docker
  • You have shell access

Steps / checklist

  1. [ ] LUKS (or equiv) active on Docker/data volume (lsblk, cryptsetup status)
  2. [ ] Postgres not published to 0.0.0.0 (compose ports internal or 127.0.0.1 only)
  3. [ ] Friend URL is HTTPS or Tailscale — not raw http://192.168… for real data
  4. [ ] .env mode 600; not in git
  5. [ ] Two test accounts: A seed/stats invisible to B
  6. [ ] psql: sealed_payload not human-readable health numbers
  7. [ ] Browser Network tab: /api/stats is ciphertext until client unlock
  8. [ ] Ingest wrong key → 401
  9. [ ] Backups encrypted if any exist
  10. [ ] Privacy + consent pages reachable
  11. [ ] Automated isolation/E2EE unit tests green

Verification

All boxes checked → proceed to SAAS-Lifebot/runbooks/friend-invite-and-consent.

Rollback

Do not invite; fix failing control first.

Compiled from wiki/projects/SAAS-Lifebot/runbooks/pre-invite-security-gate.md · git is the source of truth