docs: record owner decisions on re-import authority and path-escape
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 4m5s
CI / OCR Service Tests (pull_request) Successful in 20s
CI / Backend Unit Tests (pull_request) Successful in 3m42s
CI / fail2ban Regex (pull_request) Successful in 43s
CI / Semgrep Security Scan (pull_request) Successful in 19s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m1s

- DEPLOYMENT §6: clarify re-import keeps person/tag scalar human edits but
  re-applies document sender/receivers/tags from the canonical export
  (canonical-authoritative), per owner sign-off.
- ADR-025: path-escape/symlink aborts the whole import (fail-closed) by
  deliberate owner decision, chosen over a per-file skip.

Refs #669
This commit was merged in pull request #674.
This commit is contained in:
Marcel
2026-05-27 11:20:39 +02:00
parent 151d6aa03f
commit e4a154406e
2 changed files with 6 additions and 1 deletions


@@ -138,6 +138,11 @@ Settled sub-decisions:
the same state, so the operational recovery for a partial failure is simply to fix the
offending artifact and re-trigger the import — no manual cleanup of half-written data is
required. A future maintainer must not assume all-or-nothing semantics.
- **Path-escape aborts the whole import (fail-closed), by design.** A path-traversal or
symlink-escape in a row's file path is treated as an attack signal: the import aborts rather
than recording the row as a `SkippedFile` and continuing. This is a deliberate owner decision
(2026-05-27) over a per-file skip — a malicious path must surface loudly, not be silently
tolerated.
- **`PersonSummaryDTO` coupling.** `provisional` was added to the `PersonSummaryDTO` native
interface projection; because the projection is backed by native SQL, the column had to be
added to all three native `SELECT`s (`findAllWithDocumentCount`, `searchWithDocumentCount`,
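Review bot: the added "Path-escape aborts the whole import (fail-closed)" bullet says a malicious path "must surface loudly", but the hunk does not record what that surfacing actually is, so the ADR leaves a future maintainer guessing at the operational contract. Two gaps worth closing in the same bullet: first, what "surface" means in practice (which error the import raises and whether the offending row's path is logged, so an operator knows what signal to look for); second, how this abort relates to the idempotency statement in the surrounding context ("the operational recovery for a partial failure is simply to fix the offending artifact and re-trigger the import"), since an operator needs to know whether a fail-closed abort leaves rows written before the offending one in place and whether re-triggering after removing that row is the intended recovery. It would also help to state what the check covers (a `..` traversal segment as well as a symlink whose resolved target lies outside the import root), because the text names both but a later implementation could narrow it to one. Suggest appending something like: "Detection covers both `..` traversal and symlinks resolving outside the import root; the abort is reported as an import error that names the offending row and path, and the import may be re-triggered once that row is removed."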