lakehouse

profit/lakehouse

Fork 0

Commit Graph

Author	SHA1	Message	Date
root	4708717f6b	phase 1.6 BIPA gates — engineering wave (4 of 7 staged) Per docs/PHASE_1_6_BIPA_GATES.md. Status table now reflects: DONE (engineering-only, no counsel dependency): - Gate 4: name→ethnicity inference removed from mcp-server. Removal note in search.html:3372 + new Bun absence test (mcp-server/phase_1_6_gate_4.test.ts) with 3 assertions: walker actually scans files, regex catches synthetic positives, no offending DEFINITION patterns in any .html/.ts/.js source. 3/3 pass. ENG-DONE, signature pending: - §2 attestation: scripts/staffing/attest_pre_identityd_biometric_state.sh runs three checks against the live state: 1. workers_500k.parquet schema has no biometric/photo/face/image col 2. data/_kb/.jsonl + pathway state contain no base64 image magic bytes (JPEG /9j/, PNG iVBOR), no data:image/ MIME prefixes, no field-name patterns ("photo", "biometric", "deepface_*") 3. data/headshots/manifest.jsonl is entirely synthetic-tagged 3/3 evidence checks pass on the live data dir. Generates a signed-by-operator+counsel attestation document committed at docs/attestations/BIPA_PRE_IDENTITYD_ATTESTATION_2026-05-03.md with SHA-256 of the evidence summary so post-signature tampering is detectable. ENG-STAGED, awaiting counsel review: - Gate 1 retention schedule scaffold at docs/policies/consent/biometric_retention_schedule_v1.md (BIPA §15(a)). Engineering facts (categories, 18-month operational ceiling vs 3-year statutory cap, destruction procedure pointer to Gate 5 runbook) plus ⚖ COUNSEL markers for the binding text. - Gate 2 consent template scaffold at docs/policies/consent/biometric_consent_template_v1.md (BIPA §15(b)(1)-(3)). Required disclosures + plain-language summary + withdrawal procedure + the structured fields the consent UI must post to identityd. - Gate 5 destruction runbook at docs/runbooks/BIPA_DESTRUCTION_RUNBOOK.md. Triggers, pre-destruction checks (incl. chain-verified gate via /audit/subject/{id}), procedure (legal-tier endpoint), automatic audit row append (subject_audit.v1 with kind=biometric_erasure), backup-window disclosure, monthly reporting cadence, audit-trail attestation procedure cross-referencing the cross-runtime parity probe. BLOCKED on engineering design: - Gate 3 photo-upload endpoint. Requires identityd photo intake design + deepface integration scope. Deferred to its own session. DEFERRED: - §3 employee training material. Gate 5 runbook §7 may serve as substrate; counsel decides whether a separate program is needed. Calendar bottleneck is now counsel review. Engineering can stage no further deliverables until either (a) Gate 3's design conversation happens or (b) counsel completes review of items 1/2/5/6. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 04:38:49 -05:00
root	cd440d4cee	audit phase 1.6: BIPA pre-launch gates — block identity-service backfill Per IDENTITY_SERVICE_DESIGN v3 §5 Step 0, Phase 1.6 is hard prerequisite to identityd backfill. This doc specifies the 5 gates + 2 supporting deliverables that must ship before real-photo intake. Five gates (BIPA §15 compliance): 1. Public retention schedule — counsel writes; engineering files+hash 2. Informed written consent — counsel writes template; engineering wires identityd consent-status enforcement 3. Photo-upload endpoint with consent enforcement — POST /v1/identity/ subjects/{id}/photo with hard 403 when biometric_consent_status != 'given'; quarantined storage path; deepface output isolated to identityd subjects table (not synthetic-face manifest) 4. Deprecate name → ethnicity inference (mcp-server/search.html lookup tables removed; Phase 1.5 §1B finding closed) 5. Destruction runbook — operator-facing; ties to identityd /erase endpoint with biometric-specific erasure path; daily sweep job for biometric_retention_until expiry Plus: - Cryptographic attestation that no biometric data exists pre-identityd (per v3-B11) — defends against infrastructure-as-notice plaintiff argument - Employee BIPA-handling training acknowledgment Engineering effort: ~4-5 days (one week to stage everything ready). Counsel effort: ~3-6 weeks calendar (review cycles dominate). Calendar bottleneck is counsel, not engineering. Phase 1.6 exit = 7 checked gates + signoffs. Until done, identityd backfill cannot proceed (per identity service design v3 §5 Step 0). 5 open questions for J + counsel: photo-upload UX, consent mechanism (DocuSign/click/paper), named operator list, named counsel for sign-off, public privacy policy URL. No code changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 01:41:29 -05:00

Author

SHA1

Message

Date

root

4708717f6b

phase 1.6 BIPA gates — engineering wave (4 of 7 staged)

Per docs/PHASE_1_6_BIPA_GATES.md. Status table now reflects:

  DONE (engineering-only, no counsel dependency):
  - Gate 4: name→ethnicity inference removed from mcp-server.
    Removal note in search.html:3372 + new Bun absence test
    (mcp-server/phase_1_6_gate_4.test.ts) with 3 assertions:
    walker actually scans files, regex catches synthetic positives,
    no offending DEFINITION patterns in any .html/.ts/.js source.
    3/3 pass.

  ENG-DONE, signature pending:
  - §2 attestation: scripts/staffing/attest_pre_identityd_biometric_state.sh
    runs three checks against the live state:
      1. workers_500k.parquet schema has no biometric/photo/face/image col
      2. data/_kb/*.jsonl + pathway state contain no base64 image magic
         bytes (JPEG /9j/, PNG iVBOR), no data:image/* MIME prefixes,
         no field-name patterns ("photo", "biometric", "deepface_*")
      3. data/headshots/manifest.jsonl is entirely synthetic-tagged
    3/3 evidence checks pass on the live data dir. Generates a
    signed-by-operator+counsel attestation document committed at
    docs/attestations/BIPA_PRE_IDENTITYD_ATTESTATION_2026-05-03.md
    with SHA-256 of the evidence summary so post-signature tampering
    is detectable.

  ENG-STAGED, awaiting counsel review:
  - Gate 1 retention schedule scaffold at
    docs/policies/consent/biometric_retention_schedule_v1.md (BIPA
    §15(a)). Engineering facts (categories, 18-month operational
    ceiling vs 3-year statutory cap, destruction procedure pointer
    to Gate 5 runbook) plus ⚖ COUNSEL markers for the binding text.
  - Gate 2 consent template scaffold at
    docs/policies/consent/biometric_consent_template_v1.md (BIPA
    §15(b)(1)-(3)). Required disclosures + plain-language summary +
    withdrawal procedure + the structured fields the consent UI must
    post to identityd.
  - Gate 5 destruction runbook at docs/runbooks/BIPA_DESTRUCTION_RUNBOOK.md.
    Triggers, pre-destruction checks (incl. chain-verified gate via
    /audit/subject/{id}), procedure (legal-tier endpoint), automatic
    audit row append (subject_audit.v1 with kind=biometric_erasure),
    backup-window disclosure, monthly reporting cadence, audit-trail
    attestation procedure cross-referencing the cross-runtime parity
    probe.

  BLOCKED on engineering design:
  - Gate 3 photo-upload endpoint. Requires identityd photo intake
    design + deepface integration scope. Deferred to its own session.

  DEFERRED:
  - §3 employee training material. Gate 5 runbook §7 may serve as
    substrate; counsel decides whether a separate program is needed.

Calendar bottleneck is now counsel review. Engineering can stage no
further deliverables until either (a) Gate 3's design conversation
happens or (b) counsel completes review of items 1/2/5/6.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-03 04:38:49 -05:00

root

cd440d4cee

audit phase 1.6: BIPA pre-launch gates — block identity-service backfill

Per IDENTITY_SERVICE_DESIGN v3 §5 Step 0, Phase 1.6 is hard
prerequisite to identityd backfill. This doc specifies the 5 gates +
2 supporting deliverables that must ship before real-photo intake.

Five gates (BIPA §15 compliance):
1. Public retention schedule — counsel writes; engineering files+hash
2. Informed written consent — counsel writes template; engineering
   wires identityd consent-status enforcement
3. Photo-upload endpoint with consent enforcement — POST /v1/identity/
   subjects/{id}/photo with hard 403 when biometric_consent_status
   != 'given'; quarantined storage path; deepface output isolated
   to identityd subjects table (not synthetic-face manifest)
4. Deprecate name → ethnicity inference (mcp-server/search.html
   lookup tables removed; Phase 1.5 §1B finding closed)
5. Destruction runbook — operator-facing; ties to identityd
   /erase endpoint with biometric-specific erasure path; daily
   sweep job for biometric_retention_until expiry

Plus:
- Cryptographic attestation that no biometric data exists
  pre-identityd (per v3-B11) — defends against
  infrastructure-as-notice plaintiff argument
- Employee BIPA-handling training acknowledgment

Engineering effort: ~4-5 days (one week to stage everything ready).
Counsel effort: ~3-6 weeks calendar (review cycles dominate).
Calendar bottleneck is counsel, not engineering.

Phase 1.6 exit = 7 checked gates + signoffs. Until done, identityd
backfill cannot proceed (per identity service design v3 §5 Step 0).

5 open questions for J + counsel: photo-upload UX, consent
mechanism (DocuSign/click/paper), named operator list, named
counsel for sign-off, public privacy policy URL.

No code changes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-03 01:41:29 -05:00

2 Commits