catalogd: Step 1 — SubjectManifest type + Registry CRUD

Implementation of docs/specs/SUBJECT_MANIFESTS_ON_CATALOGD.md Step 1. Mirrors the existing AiView put/get/list/delete pattern. NOT a separate daemon, NOT new infrastructure — extends catalogd's manifest layer with a fourth manifest type (subject) alongside dataset/view/tombstone/profile. shared/types.rs additions: - SubjectManifest (the wire format from spec §2) - SubjectStatus enum: pending_consent | active | withdrawn | retention_expired | erased - SubjectVertical enum: unknown | general | healthcare | finance | other (default = Unknown for fail-closed routing per spec §2.1) - ConsentStatus enum: pending_backfill_review | pending_first_contact | given | withdrawn | expired - BiometricConsentStatus enum: never_collected | pending | given | withdrawn | expired - GeneralPiiConsent + BiometricConsent + SubjectConsent - SubjectRetention (general_pii_until + policy) - SubjectDatasetRef (name + key_column + key_value pointing at existing catalogd dataset manifests) catalogd/registry.rs additions: - subjects: Arc<RwLock<HashMap<String, SubjectManifest>>> field on Registry - put_subject() — validates dataset refs, persists to _catalog/subjects/<id>.json, updates in-memory cache - get_subject() / list_subjects() / delete_subject() / subjects_count() - rebuild() now loads subject manifests at startup alongside views + profiles + tombstones Tests (5/5 passing): - put_subject_with_no_dataset_refs_succeeds - put_subject_rejects_dangling_dataset_ref (validation works) - put_subject_with_valid_dataset_ref_succeeds - subject_round_trips_through_object_store (persistence works) - delete_subject_removes_in_memory_and_persistence NOT in this commit (future steps): - Step 2: SubjectAuditWriter with HMAC chain - Step 3: Backfill ETL from workers_500k.parquet - Steps 4-5: Wire gateway tool registry + validator to write audit rows - Step 6: /audit/subject/{id} HTTP endpoint - Step 7: Daily retention sweep cargo check --workspace clean. cargo test -p catalogd subject 5/5 PASS. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 03:13:08 -05:00 · 2026-05-03 03:13:08 -05:00 · d25990982c
commit d25990982c
parent ed1fcd3c26
2 changed files with 342 additions and 1 deletions
--- a/crates/catalogd/src/registry.rs
+++ b/crates/catalogd/src/registry.rs
@ -1,6 +1,6 @@
 use shared::types::{
    AiView, ColumnMeta, DatasetId, DatasetManifest, FreshnessContract, Lineage, ModelProfile,
-    ObjectRef, RefreshPolicy, SchemaFingerprint, Sensitivity, Tombstone,
+    ObjectRef, RefreshPolicy, SchemaFingerprint, Sensitivity, SubjectManifest, Tombstone,
 };
 use crate::tombstones::TombstoneStore;
@ -66,16 +66,20 @@ pub struct MetadataUpdate {
 const MANIFEST_PREFIX: &str = "_catalog/manifests";
 const VIEW_PREFIX: &str = "_catalog/views";
 const SUBJECT_PREFIX: &str = "_catalog/subjects";
 const PROFILE_PREFIX: &str = "_catalog/profiles";
 /// In-memory dataset registry backed by manifest persistence in object storage.
 /// Also tracks AiViews (Phase D) — safe projections over base datasets.
 /// And tombstones (Phase E) — soft-delete markers applied at query time.
 /// And subject manifests (compliance/access metadata layer) — see
 /// docs/specs/SUBJECT_MANIFESTS_ON_CATALOGD.md.
 #[derive(Clone)]
 pub struct Registry {
    datasets: Arc<RwLock<HashMap<DatasetId, DatasetManifest>>>,
    views: Arc<RwLock<HashMap<String, AiView>>>,
    profiles: Arc<RwLock<HashMap<String, ModelProfile>>>,
    subjects: Arc<RwLock<HashMap<String, SubjectManifest>>>,
    tombstones: TombstoneStore,
    store: Arc<dyn ObjectStore>,
 }
@ -86,6 +90,7 @@ impl Registry {
            datasets: Arc::new(RwLock::new(HashMap::new())),
            views: Arc::new(RwLock::new(HashMap::new())),
            profiles: Arc::new(RwLock::new(HashMap::new())),
            subjects: Arc::new(RwLock::new(HashMap::new())),
            tombstones: TombstoneStore::new(store.clone()),
            store,
        }
@ -179,6 +184,28 @@ impl Registry {
            tracing::info!("catalog: {} model profiles loaded", profiles.len());
        }
        // Subject manifests (compliance/access metadata layer).
        let subject_keys = ops::list(&self.store, Some(SUBJECT_PREFIX)).await.unwrap_or_default();
        let mut subjects = self.subjects.write().await;
        subjects.clear();
        for key in &subject_keys {
            if !key.ends_with(".json") { continue; }
            let data = match ops::get(&self.store, key).await {
                Ok(d) => d,
                Err(e) => {
                    tracing::warn!("subject '{key}': read failed: {e}");
                    continue;
                }
            };
            match serde_json::from_slice::<SubjectManifest>(&data) {
                Ok(subj) => { subjects.insert(subj.candidate_id.clone(), subj); }
                Err(e) => tracing::warn!("subject '{key}': parse failed: {e}"),
            }
        }
        if !subjects.is_empty() {
            tracing::info!("catalog: {} subject manifests loaded", subjects.len());
        }
        Ok(count)
    }
@ -686,6 +713,64 @@ impl Registry {
        Ok(())
    }
    // --- Subject manifests (compliance/access metadata layer) ---
    // Specification: docs/specs/SUBJECT_MANIFESTS_ON_CATALOGD.md
    // Mirrors the put_view / get_view / list_views / delete_view shape.
    // The audit log per subject is owned separately by SubjectAuditWriter
    // (Step 2) — this layer just persists the manifest itself.
    /// Create or replace a subject manifest. Validates that referenced
    /// datasets exist in the catalog (fail-fast so dangling references
    /// don't accumulate). Persists to `_catalog/subjects/<id>.json`.
    pub async fn put_subject(&self, mut subj: SubjectManifest) -> Result<SubjectManifest, String> {
        if subj.candidate_id.is_empty() {
            return Err("subject candidate_id is empty".into());
        }
        for ds in &subj.datasets {
            if self.get_by_name(&ds.name).await.is_none() {
                return Err(format!(
                    "subject '{}' references dataset '{}' which is not in the catalog",
                    subj.candidate_id, ds.name,
                ));
            }
        }
        let now = chrono::Utc::now();
        if subj.created_at.timestamp() == 0 {
            subj.created_at = now;
        }
        subj.updated_at = now;
        let key = format!("{SUBJECT_PREFIX}/{}.json", sanitize_view_name(&subj.candidate_id));
        let json = serde_json::to_vec_pretty(&subj).map_err(|e| e.to_string())?;
        ops::put(&self.store, &key, json.into()).await?;
        let mut subjects = self.subjects.write().await;
        subjects.insert(subj.candidate_id.clone(), subj.clone());
        tracing::debug!("subject manifest persisted: {}", subj.candidate_id);
        Ok(subj)
    }
    pub async fn get_subject(&self, candidate_id: &str) -> Option<SubjectManifest> {
        self.subjects.read().await.get(candidate_id).cloned()
    }
    pub async fn list_subjects(&self) -> Vec<SubjectManifest> {
        self.subjects.read().await.values().cloned().collect()
    }
    pub async fn delete_subject(&self, candidate_id: &str) -> Result<(), String> {
        let key = format!("{SUBJECT_PREFIX}/{}.json", sanitize_view_name(candidate_id));
        ops::delete(&self.store, &key).await?;
        self.subjects.write().await.remove(candidate_id);
        Ok(())
    }
    /// Subject count — convenience for the daily retention sweep + audit
    /// dashboards that don't need the full list.
    pub async fn subjects_count(&self) -> usize {
        self.subjects.read().await.len()
    }
    /// Remove a dataset from the catalog by name. Deletes the manifest
    /// from both the in-memory registry and object storage.
    ///
@ -1027,4 +1112,114 @@ mod tests {
        assert!(reg.get(&loser_a).await.is_none());
        assert!(reg.get(&loser_b).await.is_none());
    }
    // --- Subject manifests (Step 1 of subject_manifests_on_catalogd) ---
    fn fixture_subject(id: &str) -> shared::types::SubjectManifest {
        use shared::types::{
            BiometricConsent, BiometricConsentStatus, ConsentStatus,
            GeneralPiiConsent, SubjectConsent, SubjectManifest, SubjectRetention,
            SubjectStatus, SubjectVertical,
        };
        SubjectManifest {
            schema: "subject_manifest.v1".into(),
            candidate_id: id.to_string(),
            created_at: chrono::Utc::now(),
            updated_at: chrono::Utc::now(),
            status: SubjectStatus::Active,
            vertical: SubjectVertical::Unknown,
            consent: SubjectConsent {
                general_pii: GeneralPiiConsent {
                    status: ConsentStatus::PendingBackfillReview,
                    version: String::new(),
                    given_at: None,
                    withdrawn_at: None,
                },
                biometric: BiometricConsent {
                    status: BiometricConsentStatus::NeverCollected,
                    retention_until: None,
                },
            },
            retention: SubjectRetention {
                general_pii_until: chrono::Utc::now() + chrono::Duration::days(365 * 4),
                policy: "4_year_default".into(),
            },
            datasets: vec![],
            safe_views: vec![],
            audit_log_path: String::new(),
            audit_log_chain_root: String::new(),
        }
    }
    #[tokio::test]
    async fn put_subject_with_no_dataset_refs_succeeds() {
        let reg = fixture();
        let s = fixture_subject("CAND-000001");
        let stored = reg.put_subject(s).await.unwrap();
        assert_eq!(stored.candidate_id, "CAND-000001");
        assert_eq!(reg.subjects_count().await, 1);
    }
    #[tokio::test]
    async fn put_subject_rejects_dangling_dataset_ref() {
        use shared::types::SubjectDatasetRef;
        let reg = fixture();
        let mut s = fixture_subject("CAND-000002");
        s.datasets.push(SubjectDatasetRef {
            name: "no_such_dataset".into(),
            key_column: "candidate_id".into(),
            key_value: "CAND-000002".into(),
        });
        let err = reg.put_subject(s).await.unwrap_err();
        assert!(err.contains("not in the catalog"), "got: {err}");
    }
    #[tokio::test]
    async fn put_subject_with_valid_dataset_ref_succeeds() {
        use shared::types::SubjectDatasetRef;
        let reg = fixture();
        // Register a dataset first so the subject's reference resolves.
        reg.register("workers".into(), fp("w1"), vec![obj("w.parquet")]).await.unwrap();
        let mut s = fixture_subject("CAND-000003");
        s.datasets.push(SubjectDatasetRef {
            name: "workers".into(),
            key_column: "candidate_id".into(),
            key_value: "CAND-000003".into(),
        });
        let stored = reg.put_subject(s).await.unwrap();
        assert_eq!(stored.datasets.len(), 1);
        assert_eq!(stored.datasets[0].name, "workers");
    }
    #[tokio::test]
    async fn subject_round_trips_through_object_store() {
        let store = Arc::new(object_store::memory::InMemory::new());
        let reg = Registry::new(store.clone());
        reg.put_subject(fixture_subject("CAND-RT-001")).await.unwrap();
        // Open a fresh registry over the same store and load → confirms
        // persistence + load_all path actually round-trips the manifest.
        let reg2 = Registry::new(store);
        reg2.rebuild().await.unwrap();
        let loaded = reg2.get_subject("CAND-RT-001").await;
        assert!(loaded.is_some(), "subject not loaded from store");
        assert_eq!(loaded.unwrap().status, shared::types::SubjectStatus::Active);
    }
    #[tokio::test]
    async fn delete_subject_removes_in_memory_and_persistence() {
        let store = Arc::new(object_store::memory::InMemory::new());
        let reg = Registry::new(store.clone());
        reg.put_subject(fixture_subject("CAND-DEL-001")).await.unwrap();
        assert_eq!(reg.subjects_count().await, 1);
        reg.delete_subject("CAND-DEL-001").await.unwrap();
        assert_eq!(reg.subjects_count().await, 0);
        // Fresh registry over same store — confirm it's also gone from persistence.
        let reg2 = Registry::new(store);
        reg2.rebuild().await.unwrap();
        assert_eq!(reg2.subjects_count().await, 0);
    }
 }
--- a/crates/shared/src/types.rs
+++ b/crates/shared/src/types.rs
@ -364,3 +364,149 @@ pub enum Redaction {
        keep_suffix: usize,
    },
 }
 // ─── Subject manifests (compliance/access metadata layer) ────────────
 // Specification: docs/specs/SUBJECT_MANIFESTS_ON_CATALOGD.md
 //
 // A SubjectManifest is a per-person record threading existing catalogd
 // primitives (datasets, views, tombstones) together by subject token.
 // Stored at _catalog/subjects/<candidate_id>.json. NOT a separate
 // daemon — extends catalogd's existing manifest pattern.
 //
 // The audit log per subject (HMAC-chained JSONL at
 // _catalog/subjects/<candidate_id>.audit.jsonl) is owned by a separate
 // SubjectAuditWriter (Step 2) — not modeled here.
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(rename_all = "snake_case")]
 pub enum SubjectStatus {
    PendingConsent,
    Active,
    Withdrawn,
    RetentionExpired,
    Erased,
 }
 /// Vertical drives healthcare-PHI routing. Default Unknown is fail-closed:
 /// the gateway treats Unknown as healthcare-equivalent until reclassified
 /// (per docs/specs/SUBJECT_MANIFESTS_ON_CATALOGD.md §2.1).
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(rename_all = "snake_case")]
 pub enum SubjectVertical {
    Unknown,
    General,
    Healthcare,
    Finance,
    Other,
 }
 impl Default for SubjectVertical {
    fn default() -> Self { SubjectVertical::Unknown }
 }
 /// State machine for general-PII consent. BIPA-specific biometric
 /// consent is tracked separately on `BiometricConsent`.
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(rename_all = "snake_case")]
 pub enum ConsentStatus {
    /// Backfilled from existing data sources before consent was tracked.
    /// SHOULD route as if no consent exists until reviewed.
    PendingBackfillReview,
    /// New subject; awaiting consent UX.
    PendingFirstContact,
    Given,
    Withdrawn,
    Expired,
 }
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(rename_all = "snake_case")]
 pub enum BiometricConsentStatus {
    /// Default. No biometric data exists for this subject.
    NeverCollected,
    Pending,
    Given,
    Withdrawn,
    Expired,
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct GeneralPiiConsent {
    pub status: ConsentStatus,
    /// Reference to the consent template version (matches a row in the
    /// future consent_versions table). Empty when status is pending_*.
    #[serde(default)]
    pub version: String,
    #[serde(default)]
    pub given_at: Option<chrono::DateTime<chrono::Utc>>,
    #[serde(default)]
    pub withdrawn_at: Option<chrono::DateTime<chrono::Utc>>,
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct BiometricConsent {
    pub status: BiometricConsentStatus,
    /// BIPA: max 3 years from last interaction. Implementation MUST
    /// enforce daily expiration sweep against this field.
    #[serde(default)]
    pub retention_until: Option<chrono::DateTime<chrono::Utc>>,
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct SubjectConsent {
    pub general_pii: GeneralPiiConsent,
    pub biometric: BiometricConsent,
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct SubjectRetention {
    pub general_pii_until: chrono::DateTime<chrono::Utc>,
    /// Free-text policy reference (e.g. "4_year_default", "client_xyz_contract_2026").
    #[serde(default)]
    pub policy: String,
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct SubjectDatasetRef {
    /// catalogd dataset name (must resolve to an existing manifest).
    pub name: String,
    /// Column in that dataset that holds the subject's identifier.
    pub key_column: String,
    /// Specific identifier value (typically same as candidate_id; differs
    /// only when a dataset uses a foreign-key with a different format).
    pub key_value: String,
 }
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct SubjectManifest {
    /// Schema version tag — always "subject_manifest.v1" for v1.
    #[serde(default = "default_subject_manifest_schema")]
    pub schema: String,
    /// Subject identifier (the canonical token, e.g. "CAND-000001").
    pub candidate_id: String,
    pub created_at: chrono::DateTime<chrono::Utc>,
    pub updated_at: chrono::DateTime<chrono::Utc>,
    pub status: SubjectStatus,
    #[serde(default)]
    pub vertical: SubjectVertical,
    pub consent: SubjectConsent,
    pub retention: SubjectRetention,
    /// Datasets that contain rows for this subject. Used by audit-response
    /// to know what to project. Each entry MUST reference an existing
    /// catalogd dataset manifest (validated on put_subject).
    pub datasets: Vec<SubjectDatasetRef>,
    /// Names of existing AiViews that safely project this subject's data.
    /// Used by service-tier readers (no PII exposure).
    #[serde(default)]
    pub safe_views: Vec<String>,
    /// Path (relative to repo root) of the per-subject audit JSONL.
    /// Owned by SubjectAuditWriter (Step 2). Empty until first write.
    #[serde(default)]
    pub audit_log_path: String,
    /// SHA-256 of the most recent HMAC chain checkpoint of the audit log.
    /// Empty until first audit row written.
    #[serde(default)]
    pub audit_log_chain_root: String,
 }
 fn default_subject_manifest_schema() -> String { "subject_manifest.v1".into() }