Skip to main content

Platform overview

This document is the starting point for anyone new to Find My Data — evaluators and buyers who want to know what the product does and how far along it is, engineers who need a map of the concepts before reading code, and administrators preparing a deployment. It summarizes the product, the roles, the vocabulary, the honest state of every capability, and the invariants the platform is built on. Facts current as of release 26.7.15.0 (2026-07-15; versioning is year.month.day.x, so a same-day follow-up release would be 26.7.15.1), with 196 tests passing on Bun 1.3.14.

What Find My Data is

Find My Data is a data ownership and sensitive-data intelligence platform. It finds enterprise content that may belong to a business domain, asks the people who understand that data to confirm or correct it, connects those decisions to related assets and risks, and enables governed remediation. It combines policy-grounded AI, conventional detectors, metadata, identity and permission signals, exact and near-duplicate fingerprints, human confirmation, and graph-based relationship analysis. The Microsoft-focused MVP covers SharePoint, OneDrive, Teams, Exchange, Entra ID, and Microsoft Purview sensitivity labels. The product loop — and tagline — is:
Find it. Confirm it. Connect it. Govern it.
The end-to-end loop runs locally with zero credentials against a deterministic Microsoft 365–shaped fixture tenant for the fictional demo organization Meridian Grove Holdings (all fixture people and documents are synthetic). See the README for the quick start and demo script, and STATUS.md for the authoritative build state.

Personas and visible roles

The UI presents five understandable roles; enforcement underneath uses granular capabilities with scopes (tenant or domain), not roles. The role and capability definitions live in packages/shared/src/capabilities.ts. A person may hold multiple roles, subject to policy. Domain isolation is enforced and tested: a Finance owner probing an HR asset gets a 404 with no existence leak.

Core concepts glossary

Terminology is defined canonically in the handoff product and data model documents; enumerations live in packages/shared/src/domain-enums.ts.

Capability matrix — what is built, honestly

Find My Data never overstates its state. Every capability is in one of these states, surfaced in the UI and the /api/ready readiness endpoint as an integration mode (mock, live, blocked, disabled):
  • Built + validated live (CDX) — implemented and exercised against the live Contoso CDX tenant (read-only inventory path only; see ADR-0013 and the CDX test runbook).
  • Built, mock-validated, live path feature-gated — implemented and tested against deterministic fixtures; the live path refuses to run (with an explicit error, never a fake integration) until configuration/permissions are provided.
  • Not built — a seam, contract, or backlog item only.
The table below reproduces the ground truth from STATUS.md: Beyond that table, the core product loop — kernel (config, capability authorization, hash-chained audit, redacting logger), governance and taxonomy, fixture connector and staged scan pipeline, intelligence (detectors, similarity, ensemble, risk, findings), review with propagation, the scoped Analyst, and the action state machine — is implemented and tested end-to-end (196 tests: unit, integration, security, acceptance). Only the read-only inventory path has ever touched a live tenant. Remaining work is prioritized in roadmap.md and the STATUS.md backlog.

Architecture at a glance

Find My Data is a Bun/TypeScript modular monolith (ADR-0001, ADR-0002): one deployable server process hosts the HTTP API and an embedded durable worker (the worker can also run standalone via bun run worker against the same queue). All persistence is a single SQLite file (WAL) behind logical role interfaces — system of record, full-text search projection, typed graph nodes/edges, durable work queue with leases and dead letters, and a purpose-flagged artifact store (82 tables across 12 migrations) — so each role can later migrate to a dedicated technology without rewriting callers (ADR-0003). Sources plug in through a versioned connector contract (ADR-0008) with a deterministic mock M365 tenant as the default and the live Graph connector config-gated; AI goes through a provider-neutral gateway (deterministic mock default; Azure OpenAI and Anthropic adapters config-gated, ADR-0005); and the web UI is a React (Vite) app in packages/web/. The full actual-code diagram and staged-pipeline detail are in architecture.md; consequential decisions are recorded in docs/adr/.

Product invariants

These properties come from the original handoff package and do not change without an explicit, documented decision:
  1. Data-domain-owner first. The main experience serves people who understand the business meaning of data, not only security engineers. The home page, review queue, landscape, and Analyst are all built for the domain owner.
  2. Evidence before assertion. Every finding, classification, relationship, and AI answer exposes its evidence, confidence, provenance, and version. The Analyst answers with interpretation, scope, evidence-row IDs, coverage, freshness, and blind spots (ADR-0009).
  3. Human authority. AI proposes; authorized humans confirm ownership, material classifications, and remediation. Propagation reprioritizes related candidates but never auto-confirms; actions require separate approval (ADR-0010).
  4. Honest staging. The platform reports what is mocked, gated, blocked, or unknown — in the UI, in /api/ready, and in STATUS.md. Unknown, unsupported, and inaccessible states stay distinct; coverage, confidence, and risk are reported separately; gated integrations fail with explicit errors rather than pretending to work.
  5. Deny-by-default authorization. A request is allowed only when the session principal holds the required capability at a scope covering the resource. Roles are a UI convenience; capabilities and domain scopes are the enforcement, with deliberate exclusions (e.g., platform admins get no evidence access).
The handoff README lists the full set of ten invariants, including customer control of content, incremental-by-design scanning, provider-neutral AI, and approved remediation. Related reading: threat model, permissions manifest, capacity model.