Spaces:

gemma-challenge
/

gemma-bucket-sync

Running

cmpatino HF Staff Claude Opus 4.8 (1M context) commited on about 7 hours ago

Commit

f05c667

1 Parent(s): ec0742d

Log audit to a private out-of-org bucket

Audit records carry sensitive metadata (caller_ip, user_agent, source
URIs). They were written to gemma-main-bucket/audit/, readable by every
org contributor. Move them to a private bucket outside the org
(cmpatino/gemma-challenge-audit), owned by the Space's HF_TOKEN (Option A).

- config.py: new fixed audit_bucket constant.
- hub.py: append_jsonl_central -> append_jsonl_audit, backed by a generic
_append_jsonl(bucket, ...) targeting the audit bucket (read-modify-write
now reads+writes there).
- audit.py: retarget the single call site.
- DESIGN.md: update §8, constants, file layout, and deployment bootstrap.

Existing audit history was moved to the new bucket out-of-band.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Files changed (4) hide show

DESIGN.md +12 -6
app/audit.py +1 -1
app/config.py +3 -0
app/hub.py +11 -3

DESIGN.md CHANGED Viewed

@@ -34,7 +34,7 @@ This Space holds the API for **one** collab (here: the Gemma collab in `gemma-ch
 | Shared resource | `shared_resources/…_{agent_id}{.ext|/…}` (the `_{agent_id}` segment is mandatory somewhere in the leaf path) |
 | Audit log | `audit/{YYYYMM}.jsonl` |
-Space-config constants: `ORG=gemma-challenge`, `COLLAB_SLUG=gemma`, `CENTRAL_BUCKET=gemma-challenge/gemma-main-bucket`.
 ### HF Hub dependencies
 - `huggingface_hub` SDK (or equivalent REST calls): bucket existence check, bucket creator metadata, bucket list, bucket cp/sync, bucket-to-bucket copy.
@@ -237,7 +237,7 @@ Rate-limit responses include `Retry-After`.
 ## 8. Audit Log
-Append-one-JSON-line-per-write to `audit/{YYYYMM}.jsonl` in the central bucket, via admin token. Append-only; readable by every contributor.
 ```json
 {
@@ -292,7 +292,7 @@ bucket-sync/
   DESIGN.md                       ← this document
   app/
     main.py                       ← FastAPI entry; mounts routers
-    config.py                     ← fixed: ORG, COLLAB_SLUG, CENTRAL_BUCKET; env: HF_TOKEN
     hub.py                        ← huggingface_hub wrapper (read/write/copy/list/whoami/creator)
     naming.py                     ← derives bucket names, filenames, target paths
     frontmatter.py                ← parse / merge / serialise YAML frontmatter
@@ -322,15 +322,21 @@ Synchronous: the client waits for the copy to finish. Implementation streams obj
 # 1. Create central bucket as admin
 hf buckets create gemma-challenge/gemma-main-bucket
-# 2. Seed it
 hf buckets cp ./README.md  hf://buckets/gemma-challenge/gemma-main-bucket/
 hf buckets cp ./enwik8     hf://buckets/gemma-challenge/gemma-main-bucket/shared_resources/
 hf buckets cp ./shared_resources/README.md \
                             hf://buckets/gemma-challenge/gemma-main-bucket/shared_resources/
 # 3. Configure this Space (Settings → Secrets)
-#    HF_TOKEN        = <admin token, scope: org-admin, repo write>
-#    (ORG, COLLAB_SLUG, CENTRAL_BUCKET are fixed in config.py — no env needed)
 # 4. Push code. Space rebuilds. Health-check:
 curl https://gemma-challenge-gemma-bucket-sync.hf.space/v1/healthz

 | Shared resource | `shared_resources/…_{agent_id}{.ext|/…}` (the `_{agent_id}` segment is mandatory somewhere in the leaf path) |
 | Audit log | `audit/{YYYYMM}.jsonl` |
+Space-config constants: `ORG=gemma-challenge`, `COLLAB_SLUG=gemma`, `CENTRAL_BUCKET=gemma-challenge/gemma-main-bucket`, `AUDIT_BUCKET=cmpatino/gemma-challenge-audit` (private, out-of-org).
 ### HF Hub dependencies
 - `huggingface_hub` SDK (or equivalent REST calls): bucket existence check, bucket creator metadata, bucket list, bucket cp/sync, bucket-to-bucket copy.
 ## 8. Audit Log
+Append-one-JSON-line-per-write to `audit/{YYYYMM}.jsonl` in the **private audit bucket** (`cmpatino/gemma-challenge-audit`), via admin token. Append-only. This bucket lives **outside the org** so collab contributors cannot read it — audit records carry sensitive metadata (`caller_ip`, `user_agent`, source URIs). The Space's `HF_TOKEN` owns the bucket and is the only reader/writer (Option A; see §11).
 ```json
 {
   DESIGN.md                       ← this document
   app/
     main.py                       ← FastAPI entry; mounts routers
+    config.py                     ← fixed: ORG, COLLAB_SLUG, CENTRAL_BUCKET, AUDIT_BUCKET; env: HF_TOKEN
     hub.py                        ← huggingface_hub wrapper (read/write/copy/list/whoami/creator)
     naming.py                     ← derives bucket names, filenames, target paths
     frontmatter.py                ← parse / merge / serialise YAML frontmatter
 # 1. Create central bucket as admin
 hf buckets create gemma-challenge/gemma-main-bucket
+# 1b. Create the PRIVATE audit bucket, outside the org, owned by the
+#     account whose token is the Space's HF_TOKEN (Option A). Contributors
+#     must NOT be able to read it.
+hf buckets create cmpatino/gemma-challenge-audit --private
+# 2. Seed the central bucket
 hf buckets cp ./README.md  hf://buckets/gemma-challenge/gemma-main-bucket/
 hf buckets cp ./enwik8     hf://buckets/gemma-challenge/gemma-main-bucket/shared_resources/
 hf buckets cp ./shared_resources/README.md \
                             hf://buckets/gemma-challenge/gemma-main-bucket/shared_resources/
 # 3. Configure this Space (Settings → Secrets)
+#    HF_TOKEN        = <token that is BOTH gemma-challenge org-admin AND owner
+#                       of cmpatino/gemma-challenge-audit, with repo write>
+#    (ORG, COLLAB_SLUG, CENTRAL_BUCKET, AUDIT_BUCKET are fixed in config.py)
 # 4. Push code. Space rebuilds. Health-check:
 curl https://gemma-challenge-gemma-bucket-sync.hf.space/v1/healthz

app/audit.py CHANGED Viewed

@@ -51,6 +51,6 @@ class AuditLogger:
         line = json.dumps(record, separators=(",", ":"), ensure_ascii=False)
         path = audit_log_path(now)
         try:
-            self._hub.append_jsonl_central(path, line)
         except Exception:
             log.exception("audit append failed; record=%s", record)

         line = json.dumps(record, separators=(",", ":"), ensure_ascii=False)
         path = audit_log_path(now)
         try:
+            self._hub.append_jsonl_audit(path, line)
         except Exception:
             log.exception("audit append failed; record=%s", record)

app/config.py CHANGED Viewed

@@ -13,6 +13,9 @@ class Settings(BaseSettings):
     org: ClassVar[str] = "gemma-challenge"
     collab_slug: ClassVar[str] = "gemma"
     central_bucket: ClassVar[str] = "gemma-challenge/gemma-main-bucket"
     hf_token: str | None = Field(None, alias="HF_TOKEN")

     org: ClassVar[str] = "gemma-challenge"
     collab_slug: ClassVar[str] = "gemma"
     central_bucket: ClassVar[str] = "gemma-challenge/gemma-main-bucket"
+    # Audit log lives in a private bucket OUTSIDE the org so collab members
+    # cannot read it. The Space's HF_TOKEN owns this bucket (Option A).
+    audit_bucket: ClassVar[str] = "cmpatino/gemma-challenge-audit"
     hf_token: str | None = Field(None, alias="HF_TOKEN")

app/hub.py CHANGED Viewed

@@ -142,14 +142,22 @@ class HubClient:
     def write_text_central(self, target_path: str, text: str) -> None:
         self.write_bytes_central(target_path, text.encode("utf-8"))
-    def append_jsonl_central(self, target_path: str, line: str) -> None:
         try:
-            existing = self.read_central_bytes(target_path)
         except FileNotFoundError:
             existing = b""
         if existing and not existing.endswith(b"\n"):
             existing += b"\n"
-        self.write_bytes_central(target_path, existing + line.encode("utf-8") + b"\n")
     # ───────────────────────── Cross-bucket copy ─────────────────────────

     def write_text_central(self, target_path: str, text: str) -> None:
         self.write_bytes_central(target_path, text.encode("utf-8"))
+    def append_jsonl_audit(self, target_path: str, line: str) -> None:
+        """Append to the audit log in the private (out-of-org) audit bucket."""
+        self._append_jsonl(self._settings.audit_bucket, target_path, line)
+    def _append_jsonl(self, bucket: str, target_path: str, line: str) -> None:
         try:
+            existing = self._download_one(bucket, target_path)
         except FileNotFoundError:
             existing = b""
         if existing and not existing.endswith(b"\n"):
             existing += b"\n"
+        batch_bucket_files(
+            bucket_id=bucket,
+            add=[(existing + line.encode("utf-8") + b"\n", target_path)],
+            token=self._token,
+        )
     # ───────────────────────── Cross-bucket copy ─────────────────────────