> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lerian.studio/llms.txt
> Use this file to discover all available pages before exploring further.

# Operating Lerian SISBAJUD

> The operational realities of Lerian SISBAJUD — per-institution isolation, reconciliation grain, permanent-block cadence, credential and key rotation, the encryption and audit guarantees over personal data, contingency handling, and the administrative API surface.

Lerian SISBAJUD runs against the operational realities of judicial asset blocking: orders that must be fulfilled and reported per institution, permanent orders that re-attempt for weeks, personal data that must never sit in plaintext, and a legal obligation to prove what happened. It manages each under per-institution isolation.

## Per-institution isolation

***

Lerian SISBAJUD is multi-tenant, with **`institution_id` equal to the tenant**. Each institution's orders, files, credentials, and encryption keys are isolated; one deployment serves many institutions with no cross-institution visibility.

## Reconciliation

***

Reconciliation runs at the grain of **one monitoring or judicial order against a ledger balance snapshot**. A **scheduled scan** compares outstanding orders to the ledger and recovers any gaps; an operator can also fire a **manual reconciliation** on demand. Monitoring orders that have passed their ceiling or deadline are **swept closed** so nothing lingers in monitoring past its legal life.

## Permanent-block cadence

***

Permanent orders re-attempt the block **daily and business-day aware**, bounded by the CNJ **60-day reiteration ceiling** or the order's determined deadline. Reattempts are also woken by ledger balance-change events, so a deposit that lands between daily cycles is captured promptly rather than waiting for the next scheduled pass.

## Credentials and key rotation

***

Two things rotate per institution, both administrative:

* **Connector credentials** — the credentials Lerian SISBAJUD uses to reach the ledger and the file-exchange channel — can be **registered and rotated**.
* The **master encryption key (KEK)** can be **rotated**; a rotation emits a **key-rotated** event. The per-record **data key (DEK)** sits under the master key, so rotating the master key re-seals data keys without re-encrypting every field.

## Data protection

***

Personal data is protected at rest by design:

* **Envelope encryption.** Each record has its own data key, sealed under the institution's master key, with **AES-256-GCM** and per-field additional authenticated data — so a ciphertext cannot be swapped between fields or records.
* **Searchable tokenization.** A **blind index** enables exact-match lookup on fiscal identifiers (CPF/CNPJ) and the process number without decryption; free text and monetary values are encrypted only, never tokenized.
* **Tamper-evident audit trail.** Every state change is appended to a gap-free, cryptographically protected log — per-event authentication codes bind each entry to its position, and Merkle leaf hashes let the trail be **verified without decrypting** any payload.
* **LGPD.** Subject-access requests **export** a data subject's held data; erasure is honoured by **crypto-erasure** — destroying the record's key so its ciphertext is irrecoverable while the audit record of the change survives.

## Contingency

***

Failed orders are driven to a **FAILED** terminal state rather than left stuck in processing, and an operator can **reprocess** them. **SLA-status** and **processing-statistics** views expose where orders stand. Connector resolution **fails closed**: if the integration cannot safely resolve an account or a credential, it refuses the operation rather than acting on an ambiguous target.

## Administrative API

***

Because orders arrive only by file, the HTTP surface **submits no orders** — it is administrative and observational. It lets an operator:

* list orders and files, and read the detail of a single order or file;
* **reprocess** failed orders;
* run and list **reconciliation**;
* view **SLA status** and **processing statistics**;
* **verify** the audit trail;
* handle **LGPD** requests — create and resolve them, run an erasure, and export a subject's data;
* register **non-compliance justifications**; and
* configure the institution and **register or rotate** connector credentials.
