Epic 12 — WORM evidence storage (ops)
Application-layer WORM enforcement lives in app/lib/evidence/wormStoragePolicy.ts. Cloud buckets must mirror the same immutability contract.
Environment
| Variable | Default | Purpose |
|---|---|---|
| `EVIDENCE_STORAGE_BUCKET` | `evidence-locker` | Primary Supabase bucket for forensic uploads (`worm/<tenant>/…`) |
| `EVIDENCE_WORM_BUCKET` | `<EVIDENCE_STORAGE_BUCKET>-worm` | Optional dedicated WORM bucket (reserved for future split) |
| `INCIDENT_REPORTS_BUCKET` | same as evidence bucket | Post-mortem PDFs under `incident-reports/<tenant>/…` |
| `EVIDENCE_WORM_OBJECT_LOCK` | enabled (set `false` to disable app guard) | Fail-closed delete/overwrite checks in shredder and storage helpers |
Protected path prefixes
Deletes and shredder expunge are blocked when the stored reference matches:
- `worm/` (Supabase object prefix)
- `incident-reports/`
- `uploads/evidence/` (local Ironbloom / evidence locker)
- `storage/worm/` (local post-mortem mirror)
Supabase Storage (recommended)
- Create bucket `evidence-locker` (or your `EVIDENCE_STORAGE_BUCKET` value).
- Enable Object versioning and Object lock (Compliance mode) on the bucket if your Supabase project tier supports it; otherwise use RLS policies that deny `DELETE` and deny `UPDATE` on existing objects.
- RLS policy sketch: allow `INSERT` for service role only; deny `DELETE` on all objects; allow `SELECT` for authenticated tenant-scoped reads.
- Uploads from the app use `upsert: false` and immutable cache headers — duplicate object keys return an error instead of overwriting.
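The RLS sketch above, written out as policies on `storage.objects`. This is an added illustration, not the repo's Epic 12 migration; it assumes the tenant id travels in a JWT claim named `tenant_id` and that objects live under `worm/<tenant>/…`.

```sql
-- Added example (not the epic12 migration): RLS for the evidence-locker bucket.
-- RLS is enabled on storage.objects in Supabase. Any command with no matching
-- policy is denied, so DELETE and UPDATE are blocked by never granting them.
-- Assumption: tenant id is carried in the JWT claim "tenant_id".

drop policy if exists "evidence_locker_insert_service" on storage.objects;
drop policy if exists "evidence_locker_select_tenant"  on storage.objects;

-- INSERT: only the service role may write. service_role already bypasses RLS,
-- so this policy is belt-and-braces; the important part is that NO insert
-- policy exists for anon or authenticated, which denies them.
create policy "evidence_locker_insert_service" on storage.objects
  for insert to service_role
  with check (
    bucket_id = 'evidence-locker'
    and (storage.foldername(name))[1] = 'worm'
  );

-- SELECT: authenticated callers read only objects under worm/<their tenant>/…
create policy "evidence_locker_select_tenant" on storage.objects
  for select to authenticated
  using (
    bucket_id = 'evidence-locker'
    and (storage.foldername(name))[1] = 'worm'
    and (storage.foldername(name))[2] = (auth.jwt() ->> 'tenant_id')
  );

-- Deliberately no policy FOR DELETE or FOR UPDATE: with RLS enabled these
-- affect zero rows for every role that does not bypass RLS. Check from a
-- session using the anon or authenticated key (expect 0 rows, not an error):
--   delete from storage.objects where bucket_id = 'evidence-locker';
--   update storage.objects set metadata = '{}' where bucket_id = 'evidence-locker';
```

Because the service role bypasses RLS, anything holding the service key can still delete; that is why the app-layer guard (`EVIDENCE_WORM_OBJECT_LOCK`) and bucket-level Object Lock remain necessary rather than optional.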
AWS S3 (alternate)
If evidence is mirrored to S3 (AWS_EVIDENCE_PREFIX):
- Enable Bucket Versioning.
- Apply an Object Lock retention policy (Compliance mode) on the `ironframe/evidence/` and `ironframe/incident-reports/` prefixes.
- Deny `s3:DeleteObject` and `s3:PutObject` with overwrite semantics for locked prefixes via bucket policy.
Repo migration (drift sync)
Remote migration on Ironframe-GRC: epic12_worm_evidence_locker_rls (20260529154334).
Local mirror:
`supabase/migrations/20260529154334_epic12_worm_evidence_locker_rls.sql`
Re-apply on another project:
```sh
supabase db push
# or paste the SQL in Dashboard → SQL Editor
```
Verification
```sh
npm run test:integration:epic12
```
Expect the attestation guard tests plus the WORM path delete-block tests to pass (10 tests in the Epic 12 matrix).