Reset gateway audit substrate after /tmp wipe disabled it on reboot:
- LH_SUBJECT_AUDIT_KEY moved /tmp/lakehouse_audit/ → /etc/lakehouse/
(canonical persistent path per spec line 112; /tmp wipes on reboot
and silently disabled /audit + /biometric endpoints)
- Fresh 32B HMAC + 44-char legal token at /etc/lakehouse/, mode 0400
- Systemd drop-in updated; gateway restarted; both endpoints 200
- Pre-rotation chains for WORKER-{1..5} (backfill data) will now
tamper-detect under the new key — expected and correct on rotation
Anchor wave-table backfilled with 3 commits that landed after the
last STATE_OF_PLAY refresh on 2026-05-03 evening:
- 7e0112b: retention_sweep stray indent fix
- 848a458: Phase 1.6 Gate 5 erasure endpoint POST /biometric/.../erase
- 8ec43e0: Phase 1.6 Gate 3b deepface integration design doc
Phase 1.6 status table: Gate 5 → eng-DONE; Gate 3b → design-doc-shipped
(recommends Option C defer). Calendar bottleneck text updated.
.gitignore extended for runtime ephemera that surfaced this session:
- data/biometric/ (BIPA-quarantined photos, regulated data)
- reports/scrum/ (local-only review forensics per feedback_audit_findings_log.md)
- experiments/ (per "experiments stay out of tracked tree" policy)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
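The audit-key points in this commit (persistent path instead of /tmp, mode 0400, a 32-byte HMAC key, and pre-rotation chains failing verification under the new key) as an added Python example. This is illustrative code, not the gateway's own implementation; the chain layout, the GENESIS anchor and the helper names are assumptions.

```python
import hmac
import hashlib
import os
import stat
from typing import List, Optional, Tuple

GENESIS = b"\x00" * 32  # constructed chain anchor; not a value from the project

def chain_records(key: bytes, records: List[bytes]) -> List[Tuple[bytes, bytes]]:
    """Append-only chain: tag_i = HMAC-SHA256(key, tag_{i-1} || record_i)."""
    prev, chain = GENESIS, []
    for rec in records:
        tag = hmac.new(key, prev + rec, hashlib.sha256).digest()
        chain.append((rec, tag))
        prev = tag
    return chain

def first_bad_index(key: bytes, chain: List[Tuple[bytes, bytes]]) -> int:
    """Index of the first record whose tag fails under `key`; -1 if the chain is intact.
    An edit, deletion or reorder breaks every tag from that point on. A chain written
    under a retired key fails at index 0: the rotation behaviour the commit describes."""
    prev = GENESIS
    for i, (rec, tag) in enumerate(chain):
        expected = hmac.new(key, prev + rec, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag
    return -1

def key_file_problem(path: str, mode: int, key: bytes) -> Optional[str]:
    """Reason to refuse an audit key file, or None if it is acceptable.
    Checks the three properties the commit settled on: a persistent location,
    owner-read-only mode, and a full 32-byte secret."""
    if path.startswith("/tmp/"):
        return "volatile path: /tmp is wiped on reboot, silently disabling the audit endpoints"
    if stat.S_IMODE(mode) != 0o400:
        return f"mode {oct(stat.S_IMODE(mode))}, expected 0400"
    if len(key) != 32:
        return f"key is {len(key)} bytes, expected 32"
    return None

def load_key(path: str) -> bytes:
    """Read a raw 32-byte key file and refuse it if key_file_problem() objects."""
    with open(path, "rb") as f:
        key = f.read()
    problem = key_file_problem(path, os.stat(path).st_mode, key)
    if problem:
        raise RuntimeError(f"{path}: {problem}")
    return key
```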
68 lines
2.0 KiB
Plaintext
/target
*.swp
*.swo
.env
__pycache__/
*.pyc

# Headshot pool — binary face JPGs are fetched by scripts/staffing/fetch_face_pool.py
# (synthetic StyleGAN, ~580MB for 1000 faces). Manifest + fetch script are tracked.
data/headshots/face_*.jpg
data/headshots/_thumbs/
# ComfyUI on-demand generated portraits (per-worker unique). Cached on first
# request; fully regeneratable via /headshots/generate/:key.
data/headshots_gen/

# Runtime data — all regeneratable from inputs or accumulated by daemons.
# Anything under data/_<name>/ is internal state (auditor outputs, KB caches,
# pathway memory snapshots, HNSW trial results, etc.). Anything under
# data/datasets/ or data/vectors/ is generated by ingest/index pipelines.
data/_*/
data/lance/
data/datasets/
data/vectors/
data/demo/
data/evidence/
data/face_test/
data/headshots_role_pool/
data/icons_pool/
data/scored-runs/
data/workspaces/
data/catalog/
data/**/*.bak-*
data/**/*.pre-*-bak

# Logs
logs/

# Build artifacts
node_modules/
exports/
mcp-server/data/

# Per-run distillation reports (timestamp-named); keep the parent dir tracked
# via .gitkeep if needed but don't carry every batch's report set.
reports/distillation/[0-9]*/
reports/distillation/*-*-*-*-*/

# Test scratch — scratchpads, traces, sessions are regenerated each run.
# PRD/scenario fixtures stay tracked (they ARE the test).
tests/agent_test/_*
tests/agent_test/sessions/
tests/real-world/runs/

# BIPA-quarantined photo uploads — Phase 1.6 Gate 3a writes to
# data/biometric/uploads/<safe_id>/<ts>_<uuid>.<ext> with mode 0700/0600.
# This is regulated subject-of-record data and must NEVER enter git.
data/biometric/

# Local-only scrum review evidence. Per `feedback_audit_findings_log.md`
# scrum runs fold fixes into a batch commit; the verdict / disposition
# files stay local for forensics.
reports/scrum/

# Local experiments scratchpad — per the "Test code in main is ACTIVELY
# being cleaned out" policy (commits 6aafd41 + f4ebd22), one-off
# experiments stay out of the tracked tree.
experiments/