Skip to main content

Three layers: a short note at the top, the key lines with our take in the middle, the full source at the bottom.

Runbook

demo-anonymous-retention.md

How long anonymous demo runs are kept and what triggers their deletion.

Repo path runbooks/demo-anonymous-retention.mdLanguage Markdown

Short note — more on the way

What this is

How long anonymous demo runs are kept and what triggers their deletion.

What it proves

This file backs one or more of the privacy promises. It is a operations runbook that lives versioned in the repository. Read the promise →

What to look for in the source below

  • Comments and headers that name what each section does.
  • File edges: imports at the top, exports or run-blocks at the bottom.
  • Any list, configuration, or assertion that looks load-bearing.
Show the full file (120 lines)

Anonymous Demo — Retention Posture

Route: POST /v1/demo/extract Source: apps/api/src/routes/demo-extract.ts CI gate: scripts/check-demo-no-persistence.mjs Promise: /promises#anonymous-demo Date: 2026-05-21 (lands with P1 A2)

The anonymous demo at /demo reads the visitor's invoice once and forgets the bytes. This document is the operational record of what that promise means, what enforces it, and what to do if it ever breaks.

§1 — What the route does NOT do (the privacy invariants)

The route MUST NOT:

  1. Write the bytes to R2. r2Put() is grep-banned in the route file by check-demo-no-persistence.mjs.
  2. Create a documents table row. documentsStore / documents-store are grep-banned.
  3. Enter an entry in the hash-chained audit log. audit.append() / auditLog() are grep-banned.
  4. Touch the D1 database directly. c.env.DB is grep-banned in the route file.
  5. Log the file bytes. JSON.stringify(bytes|buf|file|body|content) and console.log(bytes|buf|file|body|content|formData) are grep-banned.
  6. Enqueue into the persistent ingest queue. enqueueIngest() is grep-banned. The route calls runExtraction directly, in-process.

The CI gate runs on every commit. A build that introduces any of these patterns into the route file fails before merge.

§2 — What the route DOES retain (intentional, bounded)

The route writes three values to Cloudflare Workers KV (AUTH_KV binding). All three have explicit expirations and none contain the visitor's invoice content.

KV key Value TTL Purpose
demo:runs:<ip>:<YYYY-MM-DD> integer count 24h per-IP daily rate-limit (5/day default)
demo:budget:<YYYY-MM-DD> integer cents spent 48h org-wide $50/day budget breaker
demo:replay:<ip>:<sha256-of-bytes> parsed invoice JSON 1h replay cache so a re-upload of the same bytes from the same IP doesn't burn another extraction

The SHA-256 hash in the replay key is a uniformly-random 256-bit value derived from the bytes; it is not reversible to the original content. The cached JSON IS the parsed invoice envelope the visitor saw — vendor name, total, line items. That cached value is identical to what we returned to her browser; it represents NO additional data we collected beyond what she saw.

The bytes themselves never reach KV. Only KV-only counters + the parsed envelope.

§3 — What the route logs

One of two events per request (apps/api/src/lib/logger.ts):

  • funnel.demo_upload_parsed (success): { format, parse_ms, vendor_recognised: boolean, ip_run_count }
  • funnel.demo_upload_failed (failure): { format, reason, parse_ms }

Neither event contains:

  • The file bytes
  • The vendor name (only vendor_recognised: true|false)
  • The visitor's IP
  • The visitor's User-Agent
  • The visitor's email (we don't have one)
  • The SHA-256 of the bytes

scripts/check-funnel-no-pii.mjs (lands in P1 A14) greps these log call-sites for forbidden field names and fails the build if any appear.

§4 — Abuse-safety guarantees

Threat Mitigation
Budget-burn (cost attack) $50/day org-wide breaker; route returns 503 + fallback: "static" past cap
Per-IP flood 5/day per IP; returns 429 + retry_after_sec: 86400
Bot abuse Turnstile required from run-2-of-day (when TURNSTILE_SECRET_KEY provisioned). Until provisioned, route degrades to 1/day-per-IP hard cap.
Oversized file 5MB content-length cap, pre-body via Content-Length header + post-read enforcement
Decompression bomb Format restricted via detectFormat: only PDF / JPEG / PNG / WebP / HEIC accepted (no zips, no archives)
Replay (cost-amortisation attack) SHA-256 + per-IP key, 1h TTL — same bytes from same IP within 1h return the cached result without re-extracting
Weaponised content (CSAM) NCMEC hash check — STUBBED in P1 (returns false); founder enrolment + KV import required to activate. Documented in p1-done.md.
Emergency rollback DEMO_ANONYMOUS_EXTRACT=off env-flag drains the route to 503 + fallback: "static" without code revert

§5 — What to do if the route breaks the promise

If a future commit accidentally introduces persistence (the CI gate should prevent this; the recovery procedure here is for the case where the gate is somehow bypassed):

  1. Immediate. Flip DEMO_ANONYMOUS_EXTRACT=off in the Worker's secrets — the route returns 503 + static fallback within seconds.
  2. Within 1 hour. File a security incident at security@muntin.digital. Revert the offending commit.
  3. Within 24 hours. Publish a post-mortem on /promises naming the incident, the leak surface, the affected window, and the fix.
  4. Within 48 hours. Audit-log the incident in the public transparency report (/legal/transparency).
  5. Pre-relaunch. Confirm the CI gate is back to green; add a new grep pattern to check-demo-no-persistence.mjs covering whatever the regression was.

The promise is the contract. If we cannot keep it, we say so and we stop the route until we can.

§6 — How to verify yourself (visitor's perspective)

  1. Open /demo and drop a real PDF.
  2. Watch the parsed row appear.
  3. Open the browser's DevTools → Network → confirm the only request is POST /v1/demo/extract and its response is JSON (not a redirect, not a follow-up to R2).
  4. Wait 24 hours.
  5. Refresh /demo — the dropzone is back to clean. No history. No "your previous run" surface.

For the privacy-skeptical (a journalist, a regulator, a bookkeeper auditing the operator's stack):

  • Read apps/api/src/routes/demo-extract.ts end-to-end (~350 LOC).
  • Read scripts/check-demo-no-persistence.mjs (~140 LOC).
  • Confirm the patterns the gate bans match the patterns a persistence regression would introduce.

The whole privacy mechanism for the anonymous demo lives in two files. You can verify it in under five minutes.

§7 — Open items (P1 debt → P2)

These are real, named, dated:

  • NCMEC binding — stubbed in P1; requires founder NCMEC enrolment.
  • ASN-aware rate-limit — caps per-/24 to prevent DigitalOcean / AWS / GCP egress floods. Deferred to P2.
  • Docling-Fly cold-start pre-warm cron0 8 * to warm a docling machine ahead of the morning's first chef-owner. Deferred to P2.

Each of these tightens the safety floor without changing the privacy promise. The promise stands as-is.

This is the file as it lives at the moment of this build. The canonical history lives in git. If you want the full history or a specific commit, write to hello@muntin.digital.

demo-anonymous-retention.md · Verify · Muntin Ledger · Muntin