PaaS State Classification Policy

Last updated: 2026-02-17
Scope: si paas local state, secret material, runtime data, and telemetry

Policy Objective

Define mandatory data classes and allowed storage locations so operational state for dogfood/customer contexts never leaks into OSS-tracked source locations.

Data Classes and Storage Matrix

Class           | Examples                                                   | Allowed Storage                                                                         | Forbidden Storage
----------------|------------------------------------------------------------|-----------------------------------------------------------------------------------------|------------------------------------------------------
public_source   | source code, public docs, non-sensitive schemas            | OSS repo tree                                                                           | private vault/state roots
private_state   | targets, release history, webhook mappings, addon config   | SI_PAAS_STATE_ROOT/contexts/<ctx>/... (default ~/.si/paas/contexts/<ctx>/...)           | OSS repo tree
private_secret  | SSH credentials, API tokens, webhook secrets, env secret values | si vault managed files and trust stores                                             | OSS repo tree, plain command output, event logs
runtime_data    | container volumes, DB files, queue persistence             | target-node Docker volumes/host runtime paths                                           | OSS repo tree, local control-plane state root
audit_telemetry | deploy/alert/audit events, operational status artifacts    | context-scoped events/ or private sinks                                                 | OSS repo tree unless explicitly redacted summaries

Context Boundary Requirements

  1. Every stateful si paas operation resolves an active context (default or --context).
  2. Reads/writes must stay under that single context path.
  3. Cross-context transfer must be explicit (si paas context export|import) and non-secret by default.
  4. Commands fail safe when context resolution or policy checks cannot be verified.

Enforcement Mapping

  1. Repo-state refusal guardrail blocks repo-local state roots unless an explicit unsafe override is set.
  2. Output redaction and plaintext guardrails prevent secret leakage in command output.
  3. Context-scoped stores (targets, deploy history, addons, alert/audit/events) enforce per-context separation.
  4. Export/import secret-like key rejection blocks accidental secret transport in metadata payloads.
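The repo-state refusal, context-scoped path confinement and export/import secret-like key rejection from items 1, 3 and 4 above, as an added Python sketch. This is not the si paas code base: the function names, the SECRET_KEY_MARKERS list and the sample paths and payload in the comments are assumptions made for illustration.

```python
from pathlib import Path
SECRET_KEY_MARKERS = ("secret", "token", "password", "credential", "private_key")  # constructed list

class PolicyViolation(Exception):
    """Raised when an operation would cross a storage boundary from the matrix above."""

def resolve_state_root(env):
    # SI_PAAS_STATE_ROOT wins; otherwise the policy's ~/.si/paas default
    root = env.get("SI_PAAS_STATE_ROOT")
    return Path(root).expanduser() if root else Path("~/.si/paas").expanduser()

def is_repo_local(state_root, repo_tree):
    # True when the state root lies inside an OSS repo tree (forbidden storage)
    try:
        Path(state_root).resolve().relative_to(Path(repo_tree).resolve())
        return True
    except ValueError:
        return False

def context_path(ctx, relative, state_root, repo_tree=None, unsafe_override=False):
    """Resolve a state file path, refusing repo-local roots and context escapes."""
    if repo_tree is not None and is_repo_local(state_root, repo_tree) and not unsafe_override:
        raise PolicyViolation("repo-local state root refused; explicit unsafe override required")
    if not ctx or ctx in (".", "..") or "/" in ctx or "\\" in ctx:
        raise PolicyViolation(f"invalid context name: {ctx!r}")
    ctx_root = (Path(state_root) / "contexts" / ctx).resolve()
    target = (ctx_root / relative).resolve()  # non-strict resolve collapses '..'
    if target != ctx_root and ctx_root not in target.parents:
        raise PolicyViolation(f"write escapes context {ctx}: {relative}")
    return target

def find_secret_like_keys(payload, path=""):
    """Walk an export/import metadata payload and list keys that look secret-bearing."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            full = f"{path}.{key}" if path else str(key)
            if any(marker in str(key).lower() for marker in SECRET_KEY_MARKERS):
                hits.append(full)
            hits.extend(find_secret_like_keys(value, full))
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            hits.extend(find_secret_like_keys(value, f"{path}[{index}]"))
    return hits

def check_export_payload(payload):
    # Fail safe: refuse any export/import metadata payload carrying secret-like keys
    if hits := find_secret_like_keys(payload):
        raise PolicyViolation("secret-like keys in payload: " + ", ".join(hits))
    return payload
```

An absolute `relative` argument or one containing `..` is rejected by the same parent check, so a caller cannot reach another context's files or anything outside the state root.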

Review Checklist

  1. New state file writes are context-scoped under contexts/<ctx>/....
  2. New command outputs avoid exposing secret-bearing fields.
  3. New integration points define their data class and storage location in this policy.
  4. Any exception path is documented with explicit unsafe-override semantics.