Context
A sovereign public resolver is trusted on verifiable artifacts, not claims. Runbound already has: open-source (AGPL-3.0), 2-AI security audits + a pending third-party human audit (#170), reproducible signed-release builds (#171, done), and a GDPR doc. The missing piece is an auditable privacy posture.
Goal
A verifiable, default privacy posture + a transparency mechanism, so "we don't log your queries" is something an operator can demonstrate rather than assert.
Scope
- Audit the logging paths for PII: which paths can persist query names and client IPs.
- A
privacy: strict runtime mode: no per-query client-IP / qname persistence; only aggregate counters.
- Document data handling end-to-end (extends
docs/gdpr.md): what is and isn't kept, for how long.
- A transparency-report format (aggregate stats, zero PII).
- Optional: a signed attestation of query-log absence.
Status
The credibility layer. The "sovereign / nation-grade" label is earned from these artifacts and granted by others — never asserted by us (per the audit-doc wording conventions).
Context
A sovereign public resolver is trusted on verifiable artifacts, not claims. Runbound already has: open-source (AGPL-3.0), 2-AI security audits + a pending third-party human audit (#170), reproducible signed-release builds (#171, done), and a GDPR doc. The missing piece is an auditable privacy posture.
Goal
A verifiable, default privacy posture + a transparency mechanism, so "we don't log your queries" is something an operator can demonstrate rather than assert.
Scope
privacy: strictruntime mode: no per-query client-IP / qname persistence; only aggregate counters.docs/gdpr.md): what is and isn't kept, for how long.Status
The credibility layer. The "sovereign / nation-grade" label is earned from these artifacts and granted by others — never asserted by us (per the audit-doc wording conventions).