Connector credential policy

Status: customer boundary doc. Required topic connector_credential_policy from contracts/production-admission.v0.json customer_boundary_lane.required_doc_topics.

A connector is the hosted bridge that moves evidence between the customer’s external system (bank, accounting system, register) and Gestalt. The customer authorises a connector once, and the connector holds the credential. Gestalt never sees the credential.

The membrane accepts only hash-only consent and evidence references from a connector. Raw connector payloads and credential secrets are refused. This is enforced by the central evaluator, not by convention.

The connector evidence operations and their maturity labels (from contracts/production-admission.v0.json operation_maturity) are:

  • evidence.connector.consent (staging-durable) — records sandbox connector consent, scope, and a credential reference. No credential secret is accepted.
  • evidence.connector.ingest (staging-durable) — accepts fixture or sandbox hash-only evidence references. Raw connector payloads and credential secrets are refused.
  • evidence.connector.revoke (staging-durable) — records revocation; subsequent ingestion against the revoked consent is refused.
  • evidence.connector.status (staging-durable) — counts fixture connector and evidence records.

Connector ingest also requires reviewer standing for evidence kinds whose provenance needs a hash-only reviewer signature. The customer_boundary_lane.consistency_invariants requirement that docs match runtime route labels is satisfied by reading the labels above from the contract rather than restating them by hand.

The connector holds:

  • The customer’s plaintext API credential or OAuth token for the external system.
  • The raw response payloads pulled from the external system.

The connector reduces those payloads to hash-only evidence references before crossing the membrane. A pilot customer’s data processing agreement with the connector operator must reflect this; Gestalt’s pilot admission record names the connector and the connector’s credential reference, not the credential itself.

A connector can only participate in an admitted operation if it is named in the signed pilot admission record’s connector_id field (see contracts/production-admission.v0.json pilot_admission_lane.signed_record_required_fields). Outside the pilot record, every connector operation continues to refuse production admission and returns the runtime’s default refusal.

The connector-specific refusal codes are:

  • connector_payload_raw_refused — a raw connector payload was submitted to ingest.
  • connector_credential_secret_refused — a credential secret value reached the membrane.
  • connector_consent_revoked — ingestion attempted against a revoked consent.

The full list lives in contracts/refusal-codes.v0.json and is mirrored in docs/reference/refusal-codes.md.
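The following is an added example, not Gestalt’s own evaluator code, showing the checks described on this page in working form: the connector-side reduction of a raw response to a hash-only reference, and a toy central evaluator for the four evidence.connector.* operations that refuses raw payloads, credential secrets, ingestion against revoked consent, and connectors not named in the pilot admission record. The record field names (connector_id, consent_id, scope, credential_ref, evidence_ref), the "sha256:" reference shape, the secret and raw field-name lists, the default refusal name and the sample records are all assumptions for illustration; only the three connector refusal codes come from the page.

```python
"""Added example (not Gestalt's code): hash-only membrane checks for connector evidence."""
import hashlib
import re

# Assumed hash-only reference shape: "sha256:" followed by 64 lowercase hex digits.
HASH_REF = re.compile(r"^sha256:[0-9a-f]{64}$")

# Refusal codes named on this page; the full list is contracts/refusal-codes.v0.json.
RAW_REFUSED = "connector_payload_raw_refused"
SECRET_REFUSED = "connector_credential_secret_refused"
REVOKED = "connector_consent_revoked"
# Hypothetical name for the runtime's default refusal (the page does not name it).
DEFAULT_REFUSAL = "default_refusal"

# Assumed field-name lists. Names are a weak signal on their own, so the evaluator also
# checks the *shape* of every reference: anything that is not a digest is refused.
SECRET_FIELDS = {"access_token", "refresh_token", "api_key", "client_secret", "password"}
RAW_FIELDS = {"payload", "raw", "body", "response"}


def reduce_to_reference(raw_payload: bytes) -> dict:
    """Connector side: digest the raw external-system response; only the digest crosses."""
    return {"evidence_ref": "sha256:" + hashlib.sha256(raw_payload).hexdigest()}


def _keys(obj):
    """Yield every key at any depth of a nested dict/list record."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield k
            yield from _keys(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _keys(v)


class Evaluator:
    """Toy central evaluator: every check runs before any state is written."""

    def __init__(self, admitted_connector_ids):
        self.admitted = set(admitted_connector_ids)  # connector_id values from the pilot record
        self.consents = {}                            # consent_id -> {"revoked": bool, ...}
        self.evidence = []                            # accepted hash-only references

    def evaluate(self, op, record):
        if record.get("connector_id") not in self.admitted:
            return ("refused", DEFAULT_REFUSAL)
        keys = set(_keys(record))
        if keys & SECRET_FIELDS:
            return ("refused", SECRET_REFUSED)
        if op == "evidence.connector.consent":
            # A credential reference that is not a digest is treated as a leaked secret.
            if not HASH_REF.match(record.get("credential_ref", "")):
                return ("refused", SECRET_REFUSED)
            self.consents[record["consent_id"]] = {
                "connector_id": record["connector_id"],
                "scope": list(record.get("scope", [])),
                "credential_ref": record["credential_ref"],
                "revoked": False,
            }
            return ("accepted", record["consent_id"])
        if op == "evidence.connector.ingest":
            if keys & RAW_FIELDS or not HASH_REF.match(record.get("evidence_ref", "")):
                return ("refused", RAW_REFUSED)
            consent = self.consents.get(record.get("consent_id"))
            if consent is None:
                return ("refused", DEFAULT_REFUSAL)
            if consent["revoked"]:
                return ("refused", REVOKED)
            self.evidence.append(record["evidence_ref"])
            return ("accepted", record["evidence_ref"])
        if op == "evidence.connector.revoke":
            consent = self.consents.get(record.get("consent_id"))
            if consent is None:
                return ("refused", DEFAULT_REFUSAL)
            consent["revoked"] = True
            return ("accepted", record["consent_id"])
        if op == "evidence.connector.status":
            return ("accepted", {"consents": len(self.consents), "evidence": len(self.evidence)})
        return ("refused", DEFAULT_REFUSAL)


def demo():
    """Constructed walk-through: consent, ingest, revoke, retry. Returns the evaluator's verdicts."""
    ev = Evaluator(admitted_connector_ids={"conn-bank-sandbox"})  # assumed pilot connector_id
    cid = "conn-bank-sandbox"
    # The connector keeps the token; only its digest is ever sent as credential_ref.
    cred_ref = reduce_to_reference(b"oauth-token-held-by-connector-only")["evidence_ref"]
    ref = reduce_to_reference(b'{"transactions": []}')  # constructed raw response, digested
    steps = [
        ("evidence.connector.consent", {"connector_id": cid, "consent_id": "c1",
                                        "scope": ["transactions:read"], "credential_ref": cred_ref}),
        ("evidence.connector.consent", {"connector_id": cid, "consent_id": "c2", "scope": [],
                                        "credential_ref": cred_ref, "meta": {"access_token": "ya29.x"}}),
        ("evidence.connector.consent", {"connector_id": cid, "consent_id": "c3", "scope": [],
                                        "credential_ref": "sk_live_plaintext"}),
        ("evidence.connector.ingest", {"connector_id": cid, "consent_id": "c1", **ref}),
        ("evidence.connector.ingest", {"connector_id": cid, "consent_id": "c1", "payload": {"t": []}}),
        ("evidence.connector.revoke", {"connector_id": cid, "consent_id": "c1"}),
        ("evidence.connector.ingest", {"connector_id": cid, "consent_id": "c1", **ref}),
        ("evidence.connector.ingest", {"connector_id": "conn-not-in-pilot", "consent_id": "c1", **ref}),
        ("evidence.connector.status", {"connector_id": cid}),
    ]
    return [ev.evaluate(op, rec) for op, rec in steps]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The ordering matters: the pilot-record check and the secret scan run before the operation-specific branch, so a non-admitted connector or a leaked token never reaches consent storage, and a refused consent (c2, c3) leaves no state behind, which is why the final status counts exactly one consent and one evidence record.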