voidforge-build 23.10.0 → 23.11.0

package/dist/docs/patterns/llm-state-dedup.ts

@@ -0,0 +1,246 @@
+/**
+ * Pattern: LLM State Dedup — IDs are NOT keys
+ *
+ * Rule: LLM-emitted identifiers are display labels, not primary keys.
+ *
+ * Why: each LLM invocation is stateless from the model's perspective. Two
+ * cycles that propose the same fix will produce DIFFERENT id strings, even
+ * for substantively identical commands. The model has no memory of prior
+ * ids; it generates a fresh string from current context, drifts every cycle.
+ *
+ * Field report #330 (threadplex-ops): an hourly run asked Claude to emit
+ * `approval_needed[]` entries with an `id` field. The runtime keyed dedup
+ * on `id`. Over 5 hours of identical context, Claude emitted ids:
+ *
+ *   `a3f9c2` (cycle 1)
+ *   `a3f7c2` (cycle 2)
+ *   `a3f7b2` (cycle 3)
+ *   `a3f9c1` (cycle 4)
+ *
+ * Four proposals to stop the same container. Four Telegram approval cards.
+ * Zero collapse. The dedup key was wrong by construction.
+ *
+ * This pattern applies to ANY VoidForge project using an LLM as a decision
+ * engine that emits actionable items (approvals, tickets, tasks, queued ops).
+ *
+ * Agents: Hari Seldon (AI architecture), Bayta Darell (eval), Stark (backend)
+ */
+
+import { createHash } from 'node:crypto'
+
+// --- The rule ---
+
+/**
+ * Dedup keys must be derived from the OPERATIVE CONTENT, not from the LLM's
+ * id field. The operative content is the part of the proposal that, if
+ * executed, would produce the same observable outcome.
+ *
+ * For shell commands: the canonical command string.
+ * For HTTP requests: (method, path, normalized body).
+ * For database operations: (table, primary key, op-type).
+ * For user notifications: (recipient, channel, message-hash).
+ */
+
+export interface ProposalDedupKey {
+  /** Content-hash of the operative payload — the actual dedup key. */
+  contentHash: string
+
+  /**
+   * Optional looser key for command-string drift collapse — `docker stop X`,
+   * `docker compose stop X`, `docker rm -f X` all collapse to the same
+   * (verb, target) tuple even though contentHash differs.
+   */
+  logicalKey?: string
+
+  /** The LLM-emitted id, retained as a display label only. NEVER as primary key. */
+  displayId?: string
+}
+
+// --- Hash the operative content ---
+
+/**
+ * For shell commands: hash the canonical command string. Normalize whitespace
+ * and quoting before hashing so cosmetically-different but semantically-
+ * identical commands collapse.
+ */
+export function shellCommandHash(command: string): string {
+  const canonical = command
+    .trim()
+    .replace(/\s+/g, ' ')         // Collapse whitespace
+    .replace(/(['"])\s+/g, '$1 ') // Normalize quote-adjacent spaces
+
+  return createHash('sha256').update(canonical).digest('hex').slice(0, 12)
+}
+
+/**
+ * For HTTP request proposals: hash (method, path, sorted-body-keys).
+ * Sort body keys so `{a: 1, b: 2}` and `{b: 2, a: 1}` hash identically.
+ */
+export function httpRequestHash(req: {
+  method: string
+  path: string
+  body?: Record<string, unknown>
+}): string {
+  const sortedBody = req.body
+    ? JSON.stringify(req.body, Object.keys(req.body).sort())
+    : ''
+  const canonical = `${req.method.toUpperCase()} ${req.path} ${sortedBody}`
+  return createHash('sha256').update(canonical).digest('hex').slice(0, 12)
+}
+
+// --- Logical-key fallback for command-string drift ---
+
+/**
+ * Some commands have multiple syntactic forms that produce the same outcome.
+ * Extract (verb, target) tuple so all forms collapse to the same logical key.
+ *
+ * Examples that all map to ('stop', 'kometa-run'):
+ *   docker stop kometa-run
+ *   docker compose stop kometa-run
+ *   docker rm -f kometa-run     (different verb but same target — flag separately)
+ */
+export function dockerLogicalKey(command: string): string | null {
+  const verbs = ['stop', 'start', 'restart', 'rm', 'kill', 'pause']
+  for (const verb of verbs) {
+    const re = new RegExp(`\\bdocker\\s+(?:compose\\s+)?${verb}\\b\\s+(?:-\\S+\\s+)*([\\w.-]+)`, 'i')
+    const m = command.match(re)
+    if (m) return `${verb}:${m[1]}`
+  }
+  return null
+}
+
+// --- Lifecycle states must enumerate every in-flight status ---
+
+/**
+ * Even with correct dedup keys, the snapshot used for dedup-comparison must
+ * cover ALL operator-visible in-flight states — not just `pending`.
+ *
+ * Field report #330: the threadplex-ops snapshot filtered only
+ * `status == "pending"`, missing `executing` and `interrupted` rows that
+ * were also operator-visible. The dedup key was correct but the snapshot
+ * was incomplete, producing the same duplication symptom.
+ *
+ * The lifecycle table below is the reference. Extend per-project.
+ */
+export const PROPOSAL_LIFECYCLE_STATES = [
+  'pending',      // Awaiting operator approval
+  'executing',    // Operator approved; runtime executing the action
+  'interrupted',  // Execution paused (operator pause, system pause, retry-backoff)
+  'completed',    // Execution succeeded
+  'failed',       // Execution failed (terminal — operator must re-issue)
+  'cancelled',    // Operator cancelled before execution
+  'expired',      // Approval window timed out
+] as const
+
+export type LifecycleState = typeof PROPOSAL_LIFECYCLE_STATES[number]
+
+/** In-flight states the dedup snapshot must include to prevent duplicate proposals. */
+export const IN_FLIGHT_STATES: readonly LifecycleState[] = [
+  'pending',
+  'executing',
+  'interrupted',
+]
+
+// --- AUTHORITY-style contract: tell the LLM the key shape ---
+
+/**
+ * The LLM cannot enforce a dedup contract it doesn't know about. Document
+ * the contract in the agent's authority/instruction document so the LLM
+ * understands what "same target" means.
+ *
+ * Example AUTHORITY.md fragment:
+ *
+ *   ## Approval Identifier Contract
+ *
+ *   Each proposal you emit MUST include both:
+ *
+ *     id          — a human-readable display label. NOT a key. You may
+ *                   emit any short label that helps the operator scan.
+ *
+ *     cmd_hash    — sha256(command)[:12]. The runtime keys dedup on this.
+ *                   Two proposals with the same cmd_hash collapse into one
+ *                   approval card.
+ *
+ *   The runtime also computes a logical_key from the command verb + target
+ *   name. Proposals with the same logical_key are surfaced as a cluster
+ *   even if cmd_hash differs (e.g., `docker stop X` and `docker rm -f X`
+ *   both target X with different verbs — operator sees both, decides once).
+ */
+
+export const AUTHORITY_FRAGMENT_TEMPLATE = `
+## Approval Identifier Contract
+
+Each proposal MUST include:
+
+  id          — display label. Not a key. You may emit any short label.
+  cmd_hash    — sha256(command)[:12]. The runtime keys dedup on this.
+
+The runtime also computes a logical_key from (verb, target). Proposals
+sharing logical_key are surfaced as a cluster even with different
+cmd_hash values.
+`.trim()
+
+// --- Putting it together ---
+
+export interface ApprovalProposal {
+  id: string                    // Display only — DO NOT USE AS KEY
+  cmdHash: string               // Primary dedup key
+  logicalKey: string | null     // Secondary cluster key
+  command: string
+  proposedAt: string            // ISO timestamp
+  state: LifecycleState
+}
+
+export function dedupProposals(
+  newProposal: { id: string; command: string },
+  existing: ApprovalProposal[]
+): { duplicate: boolean; collapsedInto?: ApprovalProposal; logicalCluster?: ApprovalProposal[] } {
+  const cmdHash = shellCommandHash(newProposal.command)
+  const logicalKey = dockerLogicalKey(newProposal.command)
+
+  // Snapshot covers ALL in-flight states — not just pending
+  const inFlight = existing.filter((p) => IN_FLIGHT_STATES.includes(p.state))
+
+  // Hard duplicate: same cmd_hash
+  const exact = inFlight.find((p) => p.cmdHash === cmdHash)
+  if (exact) {
+    return { duplicate: true, collapsedInto: exact }
+  }
+
+  // Soft cluster: same logical_key, different command form
+  if (logicalKey) {
+    const cluster = inFlight.filter((p) => p.logicalKey === logicalKey)
+    if (cluster.length > 0) {
+      return { duplicate: false, logicalCluster: cluster }
+    }
+  }
+
+  return { duplicate: false }
+}
+
+// --- Anti-patterns ---
+
+/* ANTI-PATTERN 1: LLM ids as primary keys
+ *   `INSERT INTO approvals (id, ...) VALUES (?, ...)` where `id` is the
+ *   LLM-emitted string. Two LLM calls with substantively identical input
+ *   will produce different ids; the database rows do NOT collapse.
+ *
+ *   Fix: store `cmd_hash` as the PK and `display_id` as a label column.
+ */
+
+/* ANTI-PATTERN 2: Dedup snapshot filtered to a single state
+ *   `SELECT * FROM approvals WHERE state = 'pending'` for dedup comparison.
+ *   Misses `executing` and `interrupted` rows that are operator-visible.
+ *
+ *   Fix: use IN_FLIGHT_STATES list. Document which states are excluded
+ *   from dedup (typically `completed`, `failed`, `cancelled`, `expired`).
+ */
+
+/* ANTI-PATTERN 3: Hash the LLM's whole emitted JSON
+ *   `sha256(JSON.stringify(proposal))` includes display_id, timestamps,
+ *   reasoning prose — all of which drift per cycle even when the action
+ *   is identical. Hash explodes; collapse never happens.
+ *
+ *   Fix: hash only the operative payload (the command, the request body,
+ *   the target identifier — never the LLM's free-text fields).
+ */

package/dist/docs/patterns/middleware.ts

@@ -154,6 +154,89 @@ export function withRequestLogging(
   }
 }
 
+// --- Hot-path logging gate (fire-once / rate-limited) ---
+//
+// Source: Field report #319 §5. Stark's RlsDeadlineMiddleware originally
+// emitted `logger.critical(...)` on every 503 — at 100 rps × 24h = 8.6M
+// critical-level lines/day. No rate-limit, no fire-once. Would crater the
+// log aggregator and Sentry quota.
+//
+// ANY middleware that emits log lines on a hot path (every request, every
+// connection) MUST gate the emission. Two acceptable patterns:
+//
+// 1. Fire-once flag (preferred for state transitions): emit once when
+//    state changes, then suppress until reset. Pair with an audit row
+//    + Sentry capture inside the same fire-once branch.
+// 2. Rate-limit window (sample-based): emit at most N per window via a
+//    token-bucket or last-emit-timestamp gate.
+//
+// Naked `logger.critical(...)` per-request is a denial-of-service vector
+// against your own observability pipeline.
+
+type FireOnceState = { fired: boolean; firedAt: number | null };
+const fireOnceStates = new Map<string, FireOnceState>();
+
+/**
+ * Fire-once gate. Returns true if the caller should emit; false if
+ * emission has already happened for this key (until reset()).
+ *
+ * Use for state-transition events (deadline tripped, circuit opened,
+ * degraded mode entered) where the climactic event matters once.
+ */
+export function fireOnce(key: string): boolean {
+  const state = fireOnceStates.get(key) ?? { fired: false, firedAt: null };
+  if (state.fired) return false;
+  state.fired = true;
+  state.firedAt = Date.now();
+  fireOnceStates.set(key, state);
+  return true;
+}
+
+export function resetFireOnce(key: string): void {
+  fireOnceStates.delete(key);
+}
+
+/**
+ * Token-bucket rate limiter for hot-path logs. Returns true if the caller
+ * should emit; false if the bucket is empty.
+ *
+ * Use for sampled logging where you want N emissions per window
+ * (e.g., 1 per minute, 10 per hour).
+ */
+const tokenBuckets = new Map<string, { tokens: number; lastRefill: number }>();
+
+export function shouldEmit(
+  key: string,
+  maxPerWindow: number,
+  windowMs: number,
+): boolean {
+  const now = Date.now();
+  const bucket = tokenBuckets.get(key) ?? { tokens: maxPerWindow, lastRefill: now };
+  const elapsed = now - bucket.lastRefill;
+  if (elapsed >= windowMs) {
+    bucket.tokens = maxPerWindow;
+    bucket.lastRefill = now;
+  }
+  if (bucket.tokens > 0) {
+    bucket.tokens -= 1;
+    tokenBuckets.set(key, bucket);
+    return true;
+  }
+  tokenBuckets.set(key, bucket);
+  return false;
+}
+
+// Usage example: 503 deadline middleware
+//
+//   if (deadlinePassed) {
+//     if (fireOnce('rls-deadline-tripped')) {
+//       logger.fatal({ deadline_iso, evidence }, 'RLS migration deadline tripped');
+//       writeAuditRow({ action: 'rls_deadline_tripped', decisions: { ... } });
+//       Sentry.captureMessage('rls_deadline_tripped', 'fatal');
+//     }
+//     return new Response('Service Unavailable', { status: 503 });
+//   }
+
 // --- Rate limiting middleware ---
 // Simple in-memory rate limiter. Replace with Redis for multi-instance.
 const rateLimitMap = new Map<string, { count: number; resetAt: number }>()

package/dist/docs/patterns/multi-tenant-pool-bypass.ts

@@ -0,0 +1,134 @@
+/**
+ * Pattern: Multi-Tenant Pool Bypass (pre-org-resolution scope)
+ *
+ * Source: Field report #316 §8 (Union Station, M-04c W2). FORCE RLS with a
+ * non-owner runtime role means every connection acquired from the tenant
+ * pool MUST have `app.current_org_id` set before the first query. But some
+ * code paths legitimately need cross-tenant access:
+ *
+ *   - Auth pre-resolution (looking up which org a session belongs to)
+ *   - System daemons (queue cleanup, retention sweeps, leader-elected work)
+ *   - Admin endpoints (cross-tenant reports, ops tooling)
+ *
+ * These can't set org_id (they don't have one), so they need to bypass the
+ * tenant pool entirely and acquire from the admin pool. The
+ * `pre_org_resolution_scope` ContextVar wrapper makes this explicit and
+ * mechanically enforceable.
+ *
+ * The TS version below is illustrative; the canonical implementation in
+ * Union Station is Python (asyncpg). Same shape ports cleanly.
+ */
+
+import { AsyncLocalStorage } from 'node:async_hooks';
+
+// ── ContextVar / AsyncLocalStorage ────────────────────────────────────────
+
+type TenantContext = {
+  org_id: number | null;       // null when in pre-resolution scope
+  pre_resolution: boolean;     // true ⇒ acquire from admin pool, not tenant pool
+};
+
+const tenantContext = new AsyncLocalStorage<TenantContext>();
+
+// ── Tenant scope (per-request, normal path) ──────────────────────────────
+
+export async function withTenant<T>(
+  org_id: number,
+  fn: () => Promise<T>,
+): Promise<T> {
+  return tenantContext.run({ org_id, pre_resolution: false }, fn);
+}
+
+// ── Pre-org-resolution scope (cross-tenant or auth lookup) ───────────────
+
+export async function preOrgResolutionScope<T>(fn: () => Promise<T>): Promise<T> {
+  return tenantContext.run({ org_id: null, pre_resolution: true }, fn);
+}
+
+// ── Pool acquisition routes by ContextVar ─────────────────────────────────
+
+import type { Pool, PoolClient } from 'pg'; // illustrative — real types vary
+
+declare const tenantPool: Pool;     // BYPASSRLS=f, RLS enforced
+declare const adminPool: Pool;      // BYPASSRLS=t, cross-tenant work
+
+export async function acquireConnection(): Promise<PoolClient> {
+  const ctx = tenantContext.getStore();
+
+  if (!ctx) {
+    throw new Error(
+      'acquireConnection called outside any tenant context. ' +
+      'Wrap caller with withTenant(orgId, ...) or preOrgResolutionScope(...).',
+    );
+  }
+
+  if (ctx.pre_resolution) {
+    // Cross-tenant work — acquire from the admin pool.
+    return adminPool.connect();
+  }
+
+  // Normal request — acquire from the tenant pool. The pool callback is
+  // expected to SET app.current_org_id so RLS policies can reference it.
+  if (ctx.org_id === null) {
+    throw new Error(
+      'Tenant context missing org_id outside pre_resolution scope. ' +
+      'This indicates a callsite that should have called preOrgResolutionScope().',
+    );
+  }
+  return tenantPool.connect();
+}
+
+// ── Usage examples ────────────────────────────────────────────────────────
+
+// 1. HTTP middleware (per-request)
+//
+//    app.use(async (req, res, next) => {
+//      await withTenant(req.user.org_id, () => next());
+//    });
+//
+// 2. Daemon (cross-tenant queue cleanup)
+//
+//    cron.schedule('*/5 * * * *', async () => {
+//      await preOrgResolutionScope(async () => {
+//        const conn = await acquireConnection(); // → admin pool
+//        await conn.query('DELETE FROM job_queue WHERE completed_at < NOW() - INTERVAL \'30 days\'');
+//        conn.release();
+//      });
+//    });
+//
+// 3. Auth lookup (caller doesn't yet know org_id)
+//
+//    async function resolveSession(sessionToken: string): Promise<{ org_id: number; user_id: string }> {
+//      return preOrgResolutionScope(async () => {
+//        const conn = await acquireConnection(); // → admin pool
+//        try {
+//          const row = await conn.query(
+//            'SELECT org_id, user_id FROM sessions WHERE token = $1 AND expires_at > NOW()',
+//            [sessionToken],
+//          );
+//          return row.rows[0];
+//        } finally {
+//          conn.release();
+//        }
+//      });
+//    }
+
+// ── Anti-patterns ─────────────────────────────────────────────────────────
+//
+// 1. Acquiring from the tenant pool in a daemon. Without org_id set, the RLS
+//    policy denies every query → daemon crashes on first tick. Or worse:
+//    the policy uses a fail-open arm and the daemon silently sees zero rows.
+//
+// 2. Bypassing FORCE RLS by hard-coding the connection string with the
+//    runtime role's password. The whole point of the admin pool is the
+//    BYPASSRLS=t identity — preserve that boundary.
+//
+// 3. preOrgResolutionScope wrapping per-request handlers. The middleware
+//    already set the tenant context; switching to admin pool there is a
+//    privilege escalation. preOrgResolutionScope is for code paths that
+//    legitimately don't have an org_id yet (or never will).
+//
+// 4. Forgetting to wrap lifespan startup. Field report #319 §2: 4 lifespan
+//    paths in Union Station's M-05 cutover failed-fast immediately because
+//    the RLS-strict role rejected unscoped queries. See BACKEND_ENGINEER.md
+//    "Lifespan & Daemon ContextVar Coverage" for the sweep checklist.

package/dist/docs/patterns/multi-tenant-property-test.ts

@@ -0,0 +1,127 @@
+/**
+ * Pattern: Multi-Tenant Property Test
+ *
+ * Source: Field report #315 M4 (Caroline first-user-test, 2026-03-31).
+ * Caroline found 10 multi-tenant bugs that prior gauntlets missed because
+ * regression tests lock known cases — they don't test the underlying
+ * property: "for any two orgs A and B, A's writes never appear in B's reads."
+ *
+ * This pattern provides the property-based test that closes the gap. Use it
+ * on every project with org_id (or tenant_id, workspace_id) scoping.
+ *
+ * The TS version below is illustrative (vitest + fast-check). Python
+ * (Hypothesis) and Go variants follow the same shape — generate random
+ * org pairs and write payloads, assert no cross-tenant leak.
+ */
+
+import { describe, test, expect, beforeEach, afterEach } from 'vitest';
+import fc from 'fast-check';
+
+// ── Test harness contract ────────────────────────────────────────────────
+//
+// The harness must provide:
+//   - createOrg() → { id, apiKey, userId }      (fresh tenant per call)
+//   - writeAsOrg(org, endpoint, payload)        (authenticated POST/PUT)
+//   - readAsOrg(org, endpoint)                  (authenticated GET, paginated)
+//   - listAllReadEndpoints() → string[]         (every GET that returns rows)
+//   - listAllWriteEndpoints() → string[]        (every POST/PUT/DELETE)
+//   - resetDb()                                  (drop + reseed schema)
+
+declare const harness: {
+  createOrg(): Promise<{ id: number; apiKey: string; userId: string }>;
+  writeAsOrg(org: { apiKey: string }, endpoint: string, payload: unknown): Promise<{ id: string }>;
+  readAsOrg(org: { apiKey: string }, endpoint: string): Promise<Array<{ id: string; org_id?: number }>>;
+  listAllReadEndpoints(): string[];
+  listAllWriteEndpoints(): string[];
+  resetDb(): Promise<void>;
+};
+
+// ── The Property ─────────────────────────────────────────────────────────
+
+describe('multi-tenant isolation property', () => {
+  beforeEach(async () => harness.resetDb());
+
+  test('writes by org A never appear in reads by org B', async () => {
+    await fc.assert(
+      fc.asyncProperty(
+        // Random pair of orgs (always distinct)
+        fc.tuple(fc.constant(null), fc.constant(null)),
+        // Random write endpoint
+        fc.constantFrom(...harness.listAllWriteEndpoints()),
+        // Random payload — your codebase's payload generator goes here
+        randomPayload(),
+        async (_pair, writeEndpoint, payload) => {
+          const orgA = await harness.createOrg();
+          const orgB = await harness.createOrg();
+
+          // 1. Org A writes
+          const written = await harness.writeAsOrg(orgA, writeEndpoint, payload);
+
+          // 2. Every read endpoint, queried as Org B, must NOT contain the write
+          for (const readEndpoint of harness.listAllReadEndpoints()) {
+            const rowsB = await harness.readAsOrg(orgB, readEndpoint);
+            const leaked = rowsB.find((row) => row.id === written.id);
+            if (leaked) {
+              throw new Error(
+                `LEAK: ${writeEndpoint} write by org ${orgA.id} surfaced in ` +
+                `${readEndpoint} read by org ${orgB.id}. Row: ${JSON.stringify(leaked)}`,
+              );
+            }
+          }
+        },
+      ),
+      { numRuns: 100, timeout: 60_000 },
+    );
+  });
+
+  test('superuser/admin pool acquisition does NOT bypass per-org reads', async () => {
+    // Companion property: admin-pool callers (cross-tenant by design) must
+    // still respect org_id when calling tenant endpoints. Field report #318
+    // §5: SUPERUSER + BYPASSRLS=t hides policy bugs. Test under non-owner role.
+    const orgA = await harness.createOrg();
+    const orgB = await harness.createOrg();
+
+    await harness.writeAsOrg(orgA, '/api/people', { name: 'A1' });
+    const rowsB = await harness.readAsOrg(orgB, '/api/people');
+    expect(rowsB.find((r) => r.org_id === orgA.id)).toBeUndefined();
+  });
+});
+
+function randomPayload(): fc.Arbitrary<unknown> {
+  // Generic structure — narrow per-endpoint in real implementations.
+  return fc.record({
+    name: fc.string({ minLength: 1, maxLength: 50 }),
+    note: fc.option(fc.string({ maxLength: 200 })),
+    tags: fc.array(fc.string(), { maxLength: 5 }),
+  });
+}
+
+// ── Python (Hypothesis) sketch ───────────────────────────────────────────
+//
+// from hypothesis import given, strategies as st, settings
+//
+// @given(write_endpoint=st.sampled_from(WRITE_ENDPOINTS),
+//        payload=payload_strategy())
+// @settings(max_examples=100, deadline=None)
+// def test_no_cross_tenant_leak(write_endpoint, payload):
+//     reset_db()
+//     org_a, org_b = create_org(), create_org()
+//     written = write_as_org(org_a, write_endpoint, payload)
+//     for read_endpoint in READ_ENDPOINTS:
+//         rows_b = read_as_org(org_b, read_endpoint)
+//         assert not any(r['id'] == written['id'] for r in rows_b), \
+//             f"LEAK: {write_endpoint} -> {read_endpoint}"
+//
+// ── Anti-patterns ────────────────────────────────────────────────────────
+//
+// 1. Testing isolation only on known endpoints. The bug is in the endpoint
+//    you forgot. Property tests enumerate the full surface.
+// 2. Using SUPERUSER fixtures. They silently bypass FORCE RLS at the engine
+//    level. Use the runtime non-owner role (`{project}_app`, BYPASSRLS=f).
+//    See /docs/patterns/rls-test-fixture.py.
+// 3. Locking the property to "100% pass" without expanding the endpoint
+//    list as the codebase grows. listAll{Read,Write}Endpoints() must be
+//    derived dynamically (route enumeration, not hardcoded).
+// 4. Testing only "row id leaks." Add field-level checks for any column
+//    holding semi-sensitive data (emails, internal notes) — leaks of
+//    *content* without row visibility are equally bad.