<!-- CANARY: REQ=REQ-SEC-AUDIT-LOG-001; FEATURE="Security"; ASPECT=AuditLog; STATUS=TESTED; OWNER=security; UPDATED=2026-01-16 -->
<h2 id="security-and-compliance-guide" class="position-relative d-flex align-items-center group">
<span>Security and Compliance Guide</span>
</h2><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden>
</div>
<script>
</script><p>Comprehensive security features for enterprise deployments: authentication, authorization, encryption, and audit logging.</p>
<blockquote>
<p><strong>Implementation note (2026-03-30)</strong></p>
<ul>
<li>Implemented today: username/password, sessions, API keys, MFA, mTLS, TDE, FLE, audit logging, and RLS</li>
<li>Planned, not implemented: LDAP/Active Directory and OAuth2/OIDC</li>
<li>Current open auth gap: CLI auth management commands still operate on the local auth store rather than delegating to a running server</li>
</ul>
</blockquote>
<h3 id="security-model-overview" class="position-relative d-flex align-items-center group">
<span>Security Model Overview</span>
</h3><p>Geode provides defense-in-depth security:</p>
<ul>
<li><strong>Authentication (AuthN)</strong>: Verify user identity with username/password, session tokens, API keys, MFA, and mTLS</li>
<li><strong>Authorization (AuthZ)</strong>: RBAC/ABAC with Enhanced Row-Level Security (RLS) policies</li>
<li><strong>Encryption</strong>:
<ul>
<li><strong>TDE</strong>: Transparent Data Encryption for data-at-rest</li>
<li><strong>FLE</strong>: Field-Level Encryption for selective column encryption</li>
</ul>
</li>
<li><strong>Audit Logging</strong>: Tamper-evident logs with cryptographic signatures</li>
<li><strong>Transport Security</strong>: QUIC+TLS 1.3 for data-in-transit</li>
</ul>
<h3 id="authentication-and-user-bootstrapping" class="position-relative d-flex align-items-center group">
<span>Authentication and User Bootstrapping</span>
</h3><p>From <code>USER_AUTH.md</code>:</p>
<h4 id="default-user-creation" class="position-relative d-flex align-items-center group">
<span>Default User Creation</span>
</h4><p><strong>On first startup</strong>, Geode creates the bootstrap admin user if environment variables are set:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Set admin credentials</span>
</span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">GEODE_ADMIN_USERNAME</span><span class="o">=</span><span class="s2">"geode"</span>
</span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">GEODE_DEFAULT_PASSWORD</span><span class="o">=</span><span class="s2">"change-me-immediately"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Start server (creates admin user on first run)</span>
</span></span><span class="line"><span class="cl">./geode serve
</span></span></code></pre></div><p>If <code>GEODE_ADMIN_USERNAME</code> is not set, the default bootstrap username is <code>geode</code>.</p>
<p><strong>Security note</strong>: Change the bootstrap password immediately after first login. The example value is a placeholder; because the password is supplied through the process environment, avoid leaving the real value in shell history or in committed configuration.</p>
<h4 id="current-auth-management-surface" class="position-relative d-flex align-items-center group">
<span>Current Auth Management Surface</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Online login/session workflows</span>
</span></span><span class="line"><span class="cl">geode auth login -U geode --save-session
</span></span><span class="line"><span class="cl">geode auth <span class="nb">logout</span>
</span></span><span class="line"><span class="cl">geode auth token
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Offline/on-host auth integrity workflows</span>
</span></span><span class="line"><span class="cl">geode auth init --data-dir /var/lib/geode
</span></span><span class="line"><span class="cl">geode auth reseal --data-dir /var/lib/geode
</span></span><span class="line"><span class="cl">geode auth verify --data-dir /var/lib/geode
</span></span></code></pre></div><p><code>geode user</code>, <code>role</code>, <code>policy</code>, <code>grant</code>, <code>revoke</code>, and <code>apikey</code> currently operate on the <strong>local auth store</strong> rather than a live server connection. Treat them as offline/on-host admin tools until the <code>GAP-0270</code> delegation fix lands.</p>
<h4 id="password-policy" class="position-relative d-flex align-items-center group">
<span>Password Policy</span>
</h4><p>From <code>USER_AUTH.md</code>:</p>
<p><strong>Configurable policies</strong>:</p>
<ul>
<li>Minimum length (default: 12 characters)</li>
<li>Complexity requirements (uppercase, lowercase, digits, special chars)</li>
<li>Password expiration (default: 90 days)</li>
<li>History (prevent reuse of last N passwords)</li>
</ul>
<p><strong>Example configuration</strong> (<code>geode.yaml</code>):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password_policy</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">min_length</span><span class="p">:</span><span class="w"> </span><span class="m">16</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_uppercase</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_lowercase</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_digits</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_special</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">expiration_days</span><span class="p">:</span><span class="w"> </span><span class="m">90</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">history_count</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="password-hashing-argon2id" class="position-relative d-flex align-items-center group">
<span>Password Hashing: Argon2id</span>
</h4><p>From <code>ARGON2ID_IMPLEMENTATION.md</code>:</p>
<p><strong>Geode uses Argon2id</strong> for password hashing:</p>
<ul>
<li><strong>Memory-hard</strong>: Large memory requirements make GPU/ASIC-accelerated password guessing expensive</li>
<li><strong>Side-channel resistant</strong>: The Argon2id hybrid mode uses data-independent memory access in its first pass, limiting cache-timing leakage</li>
<li><strong>Configurable cost</strong>: Adjust for security/performance trade-off</li>
</ul>
<p><strong>Parameters</strong>:</p>
<ul>
<li><strong>Time cost</strong> (t): Number of iterations (default: 3)</li>
<li><strong>Memory cost</strong> (m): Memory in KiB (default: 65536 = 64 MiB)</li>
<li><strong>Parallelism</strong> (p): Threads (default: 4)</li>
</ul>
<p><strong>Example hash</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$argon2id$v=19$m=65536,t=3,p=4$salt$hash
</span></span></code></pre></div><p><strong>Security benefit</strong>: Even if the password database is breached, brute-forcing strong passwords from their Argon2id hashes is computationally infeasible; weak or reused passwords remain guessable, so the password policy above still matters.</p>
<h3 id="authorization" class="position-relative d-flex align-items-center group">
<span>Authorization</span>
</h3>
<h4 id="role-based-access-control-rbac" class="position-relative d-flex align-items-center group">
<span>Role-Based Access Control (RBAC)</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">READ</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">WRITE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="err">.</span><span class="py">Person</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Assign</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">WRITE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">SocialNetwork</span><span class="err">.</span><span class="py">Person</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Permission levels</strong>:</p>
<ul>
<li><code>READ</code> - Query data</li>
<li><code>WRITE</code> - Insert/update/delete</li>
<li><code>ADMIN</code> - Manage users, roles, schema</li>
</ul>
<h4 id="attribute-based-access-control-abac" class="position-relative d-flex align-items-center group">
<span>Attribute-Based Access Control (ABAC)</span>
</h4><p><strong>Policy-based authorization</strong> using node/relationship attributes:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Policy</span><span class="p">:</span><span class="w"> </span><span class="nc">Users</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">department</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">department_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Person</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_department</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="enhanced-row-level-security-rls" class="position-relative d-flex align-items-center group">
<span>Enhanced Row-Level Security (RLS)</span>
</h4><p>From <code>ADVANCED_SECURITY_FEATURES_OCTOBER_2025.md</code>:</p>
<p><strong>RLS policies control row-level access</strong> based on user context.</p>
<p><strong>Policy types</strong>:</p>
<ul>
<li><code>SELECT</code> - Control which rows are visible</li>
<li><code>INSERT</code> - Control which rows can be inserted</li>
<li><code>UPDATE</code> - Control which rows can be updated</li>
<li><code>DELETE</code> - Control which rows can be deleted</li>
</ul>
<p><strong>Example: Tenant isolation</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">policy</span><span class="p">:</span><span class="w"> </span><span class="nc">users</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="kd">on</span><span class="py">ly</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">tenant</span><span class="err">'</span><span class="py">s</span><span class="w"> </span><span class="py">data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Person</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_tenant_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">policy</span><span class="p">:</span><span class="w"> </span><span class="nc">prevent</span><span class="w"> </span><span class="py">cross</span><span class="err">-</span><span class="py">tenant</span><span class="w"> </span><span class="py">updates</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_update_policy</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Person</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">UPDATE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_tenant_id</span><span class="p">())</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Example: Data classification</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Policy</span><span class="p">:</span><span class="w"> </span><span class="nc">only</span><span class="w"> </span><span class="py">analysts</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">see</span><span class="w"> </span><span class="py">PII</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">pii_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">Person</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">has_role</span><span class="p">(</span><span class="err">'</span><span class="py">analyst</span><span class="err">'</span><span class="p">)</span><span class="w"> </span><span class="py">OR</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">pii_classification</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">public</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Policy evaluation</strong>:</p>
<ul>
<li>Evaluated <strong>before</strong> query execution</li>
<li>Policies are <strong>combined with AND</strong> (all must pass)</li>
<li>Policies are <strong>transparent</strong> to the application (no query rewriting needed)</li>
</ul>
<p><strong>See also</strong>: <code>kb/RLS_IMPLEMENTATION.md</code> for implementation details</p>
<h3 id="encryption" class="position-relative d-flex align-items-center group">
<span>Encryption</span>
</h3>
<h4 id="transparent-data-encryption-tde" class="position-relative d-flex align-items-center group">
<span>Transparent Data Encryption (TDE)</span>
</h4><p>From <code>DESIGN_TDE_KMS.md</code> and <code>KMS_PROVIDER_SYSTEM.md</code>:</p>
<p><strong>TDE encrypts data at rest</strong> transparently.</p>
<p><strong>Architecture</strong>:</p>
<ul>
<li><strong>Encryption</strong>: AES-256-GCM</li>
<li><strong>Key hierarchy</strong>: Master key → Database keys → Page keys</li>
<li><strong>Scope</strong>: Disk storage, WAL (Write-Ahead Log)</li>
</ul>
<p><strong>Configuration</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tde</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">vault </span><span class="w"> </span><span class="c"># or 'env', 'aws-kms'</span><span class="w">
</span></span></span></code></pre></div><p><strong>KMS Providers</strong>:</p>
<h5 id="1-environment-variable-development" class="position-relative d-flex align-items-center group">
<span>1. Environment Variable (Development)</span>
</h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 32-byte hex key for AES-256-GCM</span>
</span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">GEODE_TDE_KEY</span><span class="o">=</span><span class="s2">"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">./geode serve
</span></span></code></pre></div>
<h5 id="2-hashicorp-vault-recommended" class="position-relative d-flex align-items-center group">
<span>2. HashiCorp Vault (Recommended)</span>
</h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tde</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">vault</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vault</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">address</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://vault.example.com:8200"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">token</span><span class="p">:</span><span class="w"> </span><span class="s2">"s.VAULT_TOKEN"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_path</span><span class="p">:</span><span class="w"> </span><span class="s2">"secret/geode/tde-key"</span><span class="w">
</span></span></span></code></pre></div>
<h5 id="3-aws-kms" class="position-relative d-flex align-items-center group">
<span>3. AWS KMS</span>
</h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tde</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">aws-kms</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">aws_kms</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_id</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"</span><span class="w">
</span></span></span></code></pre></div><p><strong>Key rotation</strong>: Online key rotation supported (re-encrypts pages with new key).</p>
<p><strong>Current storage scope</strong>:</p>
<ul>
<li>per-graph store files and checkpointed storage pages</li>
<li>write-ahead log / recovery path</li>
<li>encrypted-at-rest operation through the graph-storage pager on current <code>main</code></li>
</ul>
<p><strong>Performance</strong>: Optimized with memory-mapped I/O and hardware AES acceleration where available.</p>
<h4 id="field-level-encryption-fle" class="position-relative d-flex align-items-center group">
<span>Field-Level Encryption (FLE)</span>
</h4><p>From <code>FIELD_LEVEL_ENCRYPTION.md</code>:</p>
<p><strong>FLE encrypts individual properties</strong> while leaving others in plaintext.</p>
<p><strong>Use cases</strong>:</p>
<ul>
<li>Encrypt PII (SSN, credit cards) while leaving non-sensitive data searchable</li>
<li>Comply with data residency regulations</li>
<li>Minimize exposure in case of SQL injection or data breach</li>
</ul>
<p><strong>Architecture</strong>:</p>
<ul>
<li><strong>Encryption</strong>: AES-256-GCM per field</li>
<li><strong>Blind indexes</strong>: Enable equality search on encrypted data</li>
<li><strong>Key derivation</strong>: Per-column keys derived from master key</li>
</ul>
<p><strong>Example</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">table</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">FLE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">TABLE</span><span class="w"> </span><span class="py">users</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">id</span><span class="w"> </span><span class="py">UUID</span><span class="w"> </span><span class="py">PRIMARY</span><span class="w"> </span><span class="py">KEY</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">name</span><span class="w"> </span><span class="py">TEXT</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">email</span><span class="w"> </span><span class="py">TEXT</span><span class="w"> </span><span class="py">ENCRYPTED</span><span class="p">,</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Field</span><span class="err">-</span><span class="py">level</span><span class="w"> </span><span class="py">encrypted</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ssn</span><span class="w"> </span><span class="py">TEXT</span><span class="w"> </span><span class="py">ENCRYPTED</span><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">BLIND</span><span class="w"> </span><span class="py">INDEX</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Encrypted</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">searchable</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Insert</span><span class="w"> </span><span class="p">(</span><span class="py">encryption</span><span class="w"> </span><span class="py">transparent</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="p">(:</span><span class="nc">User</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">id</span><span class="p">:</span><span class="w"> </span><span class="nc">gen_random_uuid</span><span class="p">(),</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">name</span><span class="p">:</span><span class="w"> </span><span class="s">"Alice"</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nc">email</span><span class="p">:</span><span class="w"> </span><span class="s">"[email protected]"</span><span class="p">,</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="nc">Encrypted</span><span class="w"> </span><span class="py">before</span><span class="w"> </span><span class="py">storage</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ssn</span><span class="p">:</span><span class="w"> </span><span class="s">"123-45-6789"</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="nc">Encrypted</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">blind</span><span class="w"> </span><span class="py">index</span><span class="w"> </span><span class="py">created</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">})</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Query</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">blind</span><span class="w"> </span><span class="py">index</span><span class="w"> </span><span class="p">(</span><span class="py">equality</span><span class="w"> </span><span class="py">search</span><span class="w"> </span><span class="py">works</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">u</span><span class="err">.</span><span class="py">ssn</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"123-45-6789"</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Uses</span><span class="w"> </span><span class="py">blind</span><span class="w"> </span><span class="py">index</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">u</span><span class="err">.</span><span class="py">name</span><span class="p">,</span><span class="w"> </span><span class="py">u</span><span class="err">.</span><span class="py">email</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Decrypted</span><span class="w"> </span><span class="py">transparently</span><span class="w">
</span></span></span></code></pre></div><p><strong>Blind Index</strong>: Hash-based index allowing equality search without decryption. Because equal plaintexts map to equal index values, the index reveals which rows share a value even though the values themselves remain encrypted.</p>
<p><strong>Known issue</strong>: <code>GAP-0271</code> tracks an open role-parser bug on <code>main</code>: semicolon-delimited role input must be rejected, because accepting it can bypass the access controls that gate FLE plaintext. See the dedicated FLE guide for the current limitation note.</p>
<p><strong>Key rotation</strong>:</p>
<ul>
<li><strong>Online rotation</strong>: Re-encrypt fields with new key without downtime</li>
<li><strong>Rotation strategy</strong>: Rotate per-column keys periodically (e.g., quarterly)</li>
</ul>
<p><strong>See also</strong>: <code>FIELD_LEVEL_ENCRYPTION.md</code> for key derivation and rotation procedures</p>
<h3 id="audit-logging" class="position-relative d-flex align-items-center group">
<span>Audit Logging</span>
</h3><p>From <code>AUDIT_LOGGING.md</code>:</p>
<p><strong>Tamper-evident audit logs</strong> for compliance and forensics.</p>
<p><strong>Architecture</strong>:</p>
<ul>
<li><strong>Format</strong>: JSONL (one JSON object per line)</li>
<li><strong>Integrity</strong>: Hash-chained logs with cryptographic signatures</li>
<li><strong>Redaction</strong>: Query text NOT logged (only metadata)</li>
<li><strong>Tracing</strong>: Correlation IDs for distributed tracing</li>
</ul>
<p><strong>What’s logged</strong>:</p>
<ul>
<li>Authentication events (login, logout, failed attempts)</li>
<li>Authorization decisions (policy evaluations)</li>
<li>Schema changes (CREATE/ALTER/DROP)</li>
<li>Administrative actions (user/role management)</li>
<li>Query metadata (timestamp, user, graph, execution time)</li>
</ul>
<p><strong>What’s NOT logged</strong>:</p>
<ul>
<li>Query text (to avoid logging sensitive data)</li>
<li>Query parameters</li>
<li>Result sets</li>
</ul>
<p><strong>Log entry example</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"timestamp"</span><span class="p">:</span> <span class="s2">"2024-01-15T14:30:00.123Z"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"event_type"</span><span class="p">:</span> <span class="s2">"query_executed"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"user"</span><span class="p">:</span> <span class="s2">"alice"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"graph"</span><span class="p">:</span> <span class="s2">"SocialNetwork"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"session_id"</span><span class="p">:</span> <span class="s2">"550e8400-e29b-41d4-a716-446655440000"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"trace_id"</span><span class="p">:</span> <span class="s2">"7c9e8d6f-5b4a-3c2d-1e0f-9a8b7c6d5e4f"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"execution_time_ms"</span><span class="p">:</span> <span class="mf">23.5</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"rows_returned"</span><span class="p">:</span> <span class="mi">150</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"prev_log_hash"</span><span class="p">:</span> <span class="s2">"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nt">"signature"</span><span class="p">:</span> <span class="s2">"3045022100..."</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span></code></pre></div><p><strong>Hash chain</strong>: Each log entry includes <code>prev_log_hash</code> (SHA-256 of the previous entry), so modifying or removing an earlier entry breaks the chain and is detected on verification. The chain alone cannot reveal removal of the newest entries, which is one reason to forward a copy off-host (see Syslog/CEF integration below).</p>
<p><strong>Signatures</strong>: Entries are signed with the server private key for non-repudiation; that property holds only as long as the signing key is kept out of reach of anyone able to write the log.</p>
<p><strong>Configuration</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">audit</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">log_path</span><span class="p">:</span><span class="w"> </span><span class="s2">"/var/log/geode/audit.jsonl"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syslog</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">address</span><span class="p">:</span><span class="w"> </span><span class="s2">"syslog.example.com:514"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">format</span><span class="p">:</span><span class="w"> </span><span class="s2">"CEF"</span><span class="w"> </span><span class="c"># Common Event Format</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retention_days</span><span class="p">:</span><span class="w"> </span><span class="m">365</span><span class="w">
</span></span></span></code></pre></div><p><strong>Syslog/CEF integration</strong>: Forward logs to a SIEM for centralized monitoring and to keep a copy outside the database host.</p>
<p><strong>See also</strong>: <code>AUDIT_LOGGING.md</code> for log analysis and compliance mapping</p>
<h3 id="hardening-checklist" class="position-relative d-flex align-items-center group">
<span>Hardening Checklist</span>
</h3>
<h4 id="1-tls-certificate-management" class="position-relative d-flex align-items-center group">
<span>1. TLS Certificate Management</span>
</h4><p><strong>Production</strong>: Use valid certificates from a trusted CA.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate CSR</span>
</span></span><span class="line"><span class="cl">openssl req -new -newkey rsa:4096 -nodes <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -keyout server-key.pem -out server-csr.pem <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -subj <span class="s2">"/CN=geode.example.com"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Get certificate from CA (e.g., Let's Encrypt)</span>
</span></span><span class="line"><span class="cl">certbot certonly --standalone -d geode.example.com
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Configure Geode</span>
</span></span><span class="line"><span class="cl">./geode serve <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --cert /etc/letsencrypt/live/geode.example.com/fullchain.pem <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --key /etc/letsencrypt/live/geode.example.com/privkey.pem
</span></span></code></pre></div>
<h4 id="2-admin-password-rotation" class="position-relative d-flex align-items-center group">
<span>2. Admin Password Rotation</span>
</h4><p><strong>Rotate admin password</strong> periodically:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">SET</span><span class="w"> </span><span class="py">PASSWORD</span><span class="w"> </span><span class="err">'</span><span class="py">new</span><span class="err">-</span><span class="py">strong</span><span class="err">-</span><span class="py">password</span><span class="err">-</span><span class="py">789</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div><p><strong>Enforce expiration</strong> in <code>geode.yaml</code>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password_policy</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">expiration_days</span><span class="p">:</span><span class="w"> </span><span class="m">90</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="3-logging-destinations" class="position-relative d-flex align-items-center group">
<span>3. Logging Destinations</span>
</h4><p><strong>Centralized logging</strong> for audit trails:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">audit</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syslog</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">address</span><span class="p">:</span><span class="w"> </span><span class="s2">"siem.example.com:514"</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="4-kms-integration" class="position-relative d-flex align-items-center group">
<span>4. KMS Integration</span>
</h4><p><strong>Use an external KMS</strong> in production:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tde</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">vault </span><span class="w"> </span><span class="c"># Not 'env'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vault</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">address</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://vault.example.com:8200"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">token_path</span><span class="p">:</span><span class="w"> </span><span class="s2">"/var/run/secrets/vault-token"</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="5-network-isolation" class="position-relative d-flex align-items-center group">
<span>5. Network Isolation</span>
</h4><p><strong>Firewall rules</strong> (ufw example: the QUIC listener is UDP, the metrics endpoint is reachable only from localhost, and everything else inbound is denied):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Allow QUIC (UDP) on port 3141</span>
</span></span><span class="line"><span class="cl">sudo ufw allow 3141/udp
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Allow metrics endpoint (localhost only)</span>
</span></span><span class="line"><span class="cl">sudo ufw allow from 127.0.0.1 to any port <span class="m">8080</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Deny all other traffic</span>
</span></span><span class="line"><span class="cl">sudo ufw default deny incoming
</span></span></code></pre></div>
<h3 id="compliance-mapping" class="position-relative d-flex align-items-center group">
<span>Compliance Mapping</span>
</h3>
<h4 id="gdpr-general-data-protection-regulation" class="position-relative d-flex align-items-center group">
<span>GDPR (General Data Protection Regulation)</span>
</h4><table>
<thead>
<tr>
<th scope="col">GDPR Requirement</th>
<th scope="col">Geode Feature</th>
</tr>
</thead>
<tbody>
<tr>
<td>Right to erasure</td>
<td><code>DETACH DELETE</code> + FLE key deletion</td>
</tr>
<tr>
<td>Data minimization</td>
<td>RLS policies + FLE selective encryption</td>
</tr>
<tr>
<td>Audit trails</td>
<td>Tamper-evident audit logs</td>
</tr>
<tr>
<td>Encryption</td>
<td>TDE + FLE</td>
</tr>
<tr>
<td>Access control</td>
<td>RBAC/ABAC + RLS</td>
</tr>
</tbody>
</table>
<h4 id="hipaa-health-insurance-portability-and-accountability-act" class="position-relative d-flex align-items-center group">
<span>HIPAA (Health Insurance Portability and Accountability Act)</span>
</h4><table>
<thead>
<tr>
<th scope="col">HIPAA Control</th>
<th scope="col">Geode Feature</th>
</tr>
</thead>
<tbody>
<tr>
<td>Access controls (§164.312(a)(1))</td>
<td>RBAC/ABAC + RLS</td>
</tr>
<tr>
<td>Audit controls (§164.312(b))</td>
<td>Audit logging with signatures</td>
</tr>
<tr>
<td>Integrity (§164.312(c)(1))</td>
<td>Hash chains + checksums</td>
</tr>
<tr>
<td>Encryption (§164.312(a)(2)(iv))</td>
<td>TDE + FLE</td>
</tr>
</tbody>
</table>
<h4 id="pci-dss-payment-card-industry-data-security-standard" class="position-relative d-flex align-items-center group">
<span>PCI DSS (Payment Card Industry Data Security Standard)</span>
</h4><table>
<thead>
<tr>
<th scope="col">PCI DSS Requirement</th>
<th scope="col">Geode Feature</th>
</tr>
</thead>
<tbody>
<tr>
<td>Encrypt cardholder data (Req 3)</td>
<td>FLE with blind indexes</td>
</tr>
<tr>
<td>Restrict access (Req 7)</td>
<td>RLS policies</td>
</tr>
<tr>
<td>Track access (Req 10)</td>
<td>Audit logging</td>
</tr>
<tr>
<td>Regularly test security (Req 11)</td>
<td>CANARY governance + test coverage</td>
</tr>
</tbody>
</table>
<p><strong>Note</strong>: these tables show which Geode features can support each requirement; they are not a certification. Compliance also requires operational procedures beyond database features. Consult compliance experts.</p>
<h3 id="security-status-and-evidence" class="position-relative d-flex align-items-center group">
<span>Security Status and Evidence</span>
</h3><p>From <code>docs/SECURITY_PROGRESS.md</code>:</p>
<p><strong>Evidence-based development</strong>: every security feature is tracked with a CANARY marker and backed by test evidence.</p>
<p><strong>Current status</strong>:</p>
<ul>
<li>✅ Authentication: Argon2id hashing, password policies</li>
<li>✅ RLS: Enhanced policies (SELECT/INSERT/UPDATE/DELETE)</li>
<li>✅ TDE: AES-256-GCM with KMS integration</li>
<li>✅ FLE: Blind indexes + online key rotation</li>
<li>✅ Audit Logging: Hash-chained + signatures</li>
</ul>
<p>See <code>docs/SECURITY_PROGRESS.md</code> for detailed status matrix.</p>
<h3 id="next-steps" class="position-relative d-flex align-items-center group">
<span>Next Steps</span>
</h3><ul>
<li><strong><a
href="/docs/ops/deployment"
>Deployment Guide</a>
</strong> - Production security setup (Vault, Nginx, TLS)</li>
<li><strong><a
href="/docs/ops/observability"
>Monitoring and Telemetry</a>
</strong> - Audit log analysis</li>
<li><strong><a
href="/docs/security/password-hashing/"
>User Authentication</a>
</strong> - Detailed authentication (AuthN) reference</li>
<li><strong><a
href="/docs/security/overview/#enhanced-row-level-security-rls"
>RLS Implementation</a>
</strong> - Deep dive into RLS evaluation</li>
<li><strong><a
href="/docs/security/kms-integration/"
>KMS Provider System</a>
</strong> - KMS configuration guide</li>
</ul>
Security and Compliance Guide
Configure Geode authentication and policies, enable row-level security, use TDE/FLE with KMS integration, and deploy tamper-evident audit logging