scrub / DOCX_RESIDUAL_PLACEHOLDER_COMMENTS_TRIAGE.md
solidprivacy-nl
Fix DOCX triage no-cleaner boundary wording
880bf8d
|
Raw
History Blame Contribute Delete
6.93 kB

WP36A — DOCX residual placeholder and comments risk triage

Status: completed triage/test/documentation-only
Repository: solidprivacy-nl/scrub

This triage records an app-verification finding: DOCX reinsert can still leave residual placeholders in restored DOCX output, and Word comments / margin comments are outside the current scrub/reinsert processing scope.

This is a high-risk document hygiene issue. It affects privacy trust and must not be treated as a cosmetic bug.


1. Finding

During app verification, DOCX restore/reinsert was observed to work partly, but restored DOCX output could still contain placeholders such as:

[PERSOON_01]
[PERSOON_02]

A second finding is that Word comments / margin comments are not currently processed. Sensitive names, references or other confidential information inside comment parts can remain outside the current scrub/reinsert path.

The current behavior is consistent with the documented foundation limitation: current DOCX reinsert processes only word/document.xml text nodes and does not process headers, footers, comments, tracked changes or metadata.


2. Why this is high risk

This is high risk because a user may open the restored DOCX and believe the document was fully restored or fully checked while:

  • visible body text may still contain residual placeholders;
  • placeholders may remain because the placeholder format differs, for example [PERSOON_01] versus [PERSOON_1];
  • placeholders may remain because Word split a placeholder across multiple runs/text nodes;
  • Word comments / margin comments may still contain sensitive values;
  • comment author/person metadata may still identify reviewers or staff;
  • tracked changes may preserve deleted sensitive text;
  • unsupported DOCX parts are copied through unchanged by the current foundation helper.

This directly affects privacy trust. It also affects legal and professional trust because the user may not notice the residual risk before sharing the document.


3. Current technical scope

Current DOCX reinsert foundation scope:

DOCX package → word/document.xml → WordprocessingML text nodes → deterministic placeholder reinsert → restored DOCX package

Current support:

  • normal body paragraphs in word/document.xml;
  • table text in word/document.xml;
  • deterministic exact placeholder replacement when a placeholder appears in a single text node and exists in the Scrub Key.

Current unsupported/high-risk areas:

  • residual placeholders not present in the Scrub Key mapping;
  • placeholders with numbering or formatting mismatch;
  • placeholders split across multiple Word runs/text nodes;
  • word/comments.xml;
  • word/commentsExtended.xml;
  • word/person.xml;
  • tracked changes;
  • headers and footers;
  • document metadata;
  • footnotes and endnotes;
  • text boxes, drawings, charts and embedded objects;
  • custom XML.

4. Residual placeholder scenarios

Residual placeholders can appear when:

Scenario Example Current expected outcome
Numbering mismatch Scrub Key contains [PERSOON_1], DOCX contains [PERSOON_01] Placeholder remains visible and should be treated as unresolved.
Split Word runs [PERS + OON_1] across two w:t nodes Placeholder is not restored by exact per-node replacement.
Missing mapping Placeholder exists in DOCX but not in Scrub Key Placeholder remains visible and should be reported/audited.
Corrupted by editing/AI [Persoon 1], [PERSOON - 1], translated label Placeholder remains unresolved unless later placeholder-audit logic reports it.
Duplicate or ambiguous mapping Same placeholder maps to multiple original values Current helper excludes duplicate placeholders to avoid wrong reinsert.

Residual placeholders should be visible to the user and audit, not silently repaired or guessed.


5. Comments / margin comments risk

Word comments are commonly stored in package parts such as:

word/comments.xml
word/commentsExtended.xml
word/person.xml

These parts may contain:

  • reviewer names;
  • initials;
  • staff or lawyer identities;
  • internal legal strategy;
  • care notes;
  • old client names;
  • BSN/client/matter references;
  • comment author/person metadata.

In the current foundation helper, these parts are not processed and are copied through unchanged. That means a restored DOCX may still contain sensitive comment content even when body text was restored correctly.


6. Risk classification

Risk level:

high

Reason:

  • The problem can leave sensitive or operationally meaningful markers in the restored output.
  • Comments can contain hidden or side-channel sensitive information.
  • Users often overlook Word comments, tracked changes and metadata before sharing a document.
  • This undermines trust in restored DOCX output and future clean-export claims.

This should be handled as a document hygiene issue, not as UI polish.


7. MVP policy boundary

WP36A does not implement a DOCX cleaner and does not implement a fix.

WP36A explicitly does not:

  • implement a DOCX cleaner;
  • process comments;
  • remove comments;
  • remove tracked changes;
  • block export;
  • change export semantics;
  • change reinsert behavior;
  • change Streamlit UI;
  • change Scrub Key schema;
  • add cloud processing;
  • add real-data fixtures.

Existing behavior remains unchanged. The goal is to make the risk explicit and test-visible.


8. Test expectation added in WP36A

The WP36A regression test should show, with synthetic data only, that:

  • a residual placeholder such as [PERSOON_01] remains if the loaded Scrub Key only contains [PERSOON_1];
  • the helper reports that the unmatched placeholder remains unresolved;
  • comment parts such as word/comments.xml are not processed by current DOCX reinsert;
  • comment content is copied through unchanged in the restored DOCX package;
  • the triage document records this as high risk;
  • no cleaner/export blocking/UI behavior is introduced.

9. Recommended next step

Recommended next workpackage:

WP37 — Headers/footers/comments/tracked-changes extraction helper

Purpose:

  • Detect and extract high-risk DOCX parts such as headers, footers, comments and tracked changes.
  • Produce audit-visible signals before any cleaner or export-blocking policy is considered.
  • Keep extraction local and synthetic-test-only.

Do not jump directly to comment removal or export blocking without extraction/audit tests and explicit policy.


10. Relationship to WP35

WP35 already documented that comments and tracked changes are high-risk hidden content. WP36A adds a concrete app-verification finding and locks it into tests/documentation so future work cannot treat it as cosmetic or already solved.

WP36A is narrower than a DOCX cleaner package. It is a risk triage and regression visibility package only.