note/work/教育E卡通/report_safe/CLAUDE.md
2025-11-19 10:16:05 +08:00

# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Repository Overview
This repository contains security operation manuals and compliance documentation for the Suzhou Education E-Card platform, implementing China's Multi-Level Protection Scheme (MLPS) Level 3 requirements.
### Key Documents
- **苏州教育E卡通数据安全运维操作手册.md** - Main operational manual with 5-tier risk classification system, role-based access control, and MLPS Level 3 compliance measures
- **ff.md** - Original formal compliance document with theoretical security framework
### Architecture Focus
The operational manual implements a **5-tier risk classification system**:
1. **Level 1 Operations** (Critical Management Operations)
   - Special sensitive data modifications (ID cards, names, student numbers)
   - System core configuration changes
   - Security policy modifications
   - MLPS Level 3 required: 2FA + screen recording + dual-person execution + complete audit trail
2. **Level 2 Operations** (Important Data Modifications)
   - Secondary sensitive data modifications
   - MLPS Level 3 required: 2FA + approval + backup + audit logging
3. **Level 3 Operations** (General Permission Operations)
   - New student registration, account creation
   - MLPS Level 3 required: 2FA for critical actions + approval + session management
4. **Level 4 Operations** (Data Query Operations)
   - Information queries, report generation
   - MLPS Level 3 required: Access control + query audit + data masking
5. **Level 5 Operations** (Read-only Operations)
   - Public information viewing, help documentation
   - MLPS Level 3 required: Basic authentication + session management
### Technical Implementation
- **Field-level Access Control**: Row-level security policies with role-based data masking
- **MLPS Level 3 Authentication**: Multi-factor authentication with specific application scenarios
- **Audit Trail Integrity**: Digital signatures, SHA256 hashing, WORM storage
- **Data Integrity Protection**: Transmission validation, storage constraints, automated integrity checks
## Development Context
This is a **documentation-only repository** focused on security compliance and operational procedures rather than application code development. The main work involves:
- Updating security operation manuals based on regulatory requirements
- Implementing MLPS Level 3 compliance measures
- Creating audit and monitoring procedures
- Defining role-based access control matrices
## Common Development Tasks
Since this is primarily a documentation repository, common tasks include:
1. **Manual Updates**: Revise operational procedures based on new MLPS requirements
2. **Compliance Reviews**: Audit existing procedures against MLPS Level 3 standards
3. **Template Creation**: Develop new operation forms and checklists
4. **Policy Documentation**: Write technical implementation guidelines for security measures
## Review Guidelines
When updating documentation:
1. **MLPS Level 3 Compliance**: Ensure all procedures align with China's Multi-Level Protection Scheme requirements
2. **Practical Implementation**: Focus on operational feasibility rather than theoretical security
3. **Role Separation**: Maintain clear separation between operations, audit, and technical roles
4. **Audit Completeness**: Ensure all security controls have corresponding audit procedures
## File Structure
```
/
├── 苏州教育E卡通数据安全运维操作手册.md # Main operational manual
├── ff.md # Original formal compliance document
└── CLAUDE.md # This file
```
## Important Notes
- This repository handles **sensitive student data** - always follow MLPS Level 3 requirements
- The operational manual implements **practical security measures** rather than theoretical frameworks
- All procedures should maintain **separation of duties** between operational roles
- Documentation should be **actionable** and suitable for immediate implementation