Three classes. Every field in the schema belongs to exactly one; when in doubt, a field is private until classified otherwise.
Public (world-readable, cache-friendly)
- Registry reference, asset type, name, summary, verification status
- Region / district / locality (administrative location)
- Generalised geometry only: centroid ~1 km, tree points ~100 m, simplified parcel boundaries
- Species, planting year, health class, measurement summaries
- Claim roles + public-safe party display names + claim statuses (e.g. "Krapa Stool — customary interest holder — document verified")
- Evidence index entries marked public/permissioned: title, kind, capture date, sha256 hash — not the file
- Inspection summaries, version history, dispute existence + reference + status
- Certificate state incl.
simulatedflag; for real issuance: contract, token id, tx hash, metadata CID - Sponsorship dedication + sponsor name only with recorded consent (
show_publicly)
Permissioned (institutions/staff, granted + time-boxed + logged)
- Evidence files themselves (survey plans, leases, attestations, agreements) via short-lived signed URLs from private storage
- Precise parcel boundaries and tree points
- Full inspection data payloads (structured measurements)
- Farm data room: buyers, insurance detail, production records, risk notes
- Dispute case detail beyond the public summary
Private (Corngate staff need-to-know; never in client bundles)
- Party legal names, contact details, identity documents
- Claimant declarations and consents (content)
- User accounts, role grants, audit log
- Payment records; sponsor identity when
show_publicly = false - All secrets/keys (see
docs/KEY_MANAGEMENTsection in THREAT_MODEL.md)
Enforcement
- Schema: precise geometry and private fields live in tables with no anonymous RLS policy; the public site reads the
registry_publicview / public policies only. - Storage: evidence bucket is private (migration
0005); registrants can write only inside their ownpending/{uid}/prefix,register_assetrefuses paths outside the caller's prefix, and reviewer access is a short-lived signed URL issued server-side after a role check (verifier review today;data_room_grantsfor institutional access). Files carry a sha256 recorded at upload. - Chain/IPFS: only Public-class fields may appear in token metadata. Blockchain data cannot be deleted — therefore metadata is reviewed against this document before any pin/mint, and precise coordinates are never pinned.
- Fixtures: the seeded demo data in
src/lib/data/fixtures/contains only Public-class equivalents (already generalised, display names only, simulated certificates).
