root 4708717f6b phase 1.6 BIPA gates — engineering wave (4 of 7 staged)

Per docs/PHASE_1_6_BIPA_GATES.md. Status table now reflects:

  DONE (engineering-only, no counsel dependency):
  - Gate 4: name→ethnicity inference removed from mcp-server.
    Removal note in search.html:3372 + new Bun absence test
    (mcp-server/phase_1_6_gate_4.test.ts) with 3 assertions:
    walker actually scans files, regex catches synthetic positives,
    no offending DEFINITION patterns in any .html/.ts/.js source.
    3/3 pass.

  ENG-DONE, signature pending:
  - §2 attestation: scripts/staffing/attest_pre_identityd_biometric_state.sh
    runs three checks against the live state:
      1. workers_500k.parquet schema has no biometric/photo/face/image col
      2. data/_kb/*.jsonl + pathway state contain no base64 image magic
         bytes (JPEG /9j/, PNG iVBOR), no data:image/* MIME prefixes,
         no field-name patterns ("photo", "biometric", "deepface_*")
      3. data/headshots/manifest.jsonl is entirely synthetic-tagged
    3/3 evidence checks pass on the live data dir. Generates a
    signed-by-operator+counsel attestation document committed at
    docs/attestations/BIPA_PRE_IDENTITYD_ATTESTATION_2026-05-03.md
    with SHA-256 of the evidence summary so post-signature tampering
    is detectable.

  ENG-STAGED, awaiting counsel review:
  - Gate 1 retention schedule scaffold at
    docs/policies/consent/biometric_retention_schedule_v1.md (BIPA
    §15(a)). Engineering facts (categories, 18-month operational
    ceiling vs 3-year statutory cap, destruction procedure pointer
    to Gate 5 runbook) plus ⚖ COUNSEL markers for the binding text.
  - Gate 2 consent template scaffold at
    docs/policies/consent/biometric_consent_template_v1.md (BIPA
    §15(b)(1)-(3)). Required disclosures + plain-language summary +
    withdrawal procedure + the structured fields the consent UI must
    post to identityd.
  - Gate 5 destruction runbook at docs/runbooks/BIPA_DESTRUCTION_RUNBOOK.md.
    Triggers, pre-destruction checks (incl. chain-verified gate via
    /audit/subject/{id}), procedure (legal-tier endpoint), automatic
    audit row append (subject_audit.v1 with kind=biometric_erasure),
    backup-window disclosure, monthly reporting cadence, audit-trail
    attestation procedure cross-referencing the cross-runtime parity
    probe.

  BLOCKED on engineering design:
  - Gate 3 photo-upload endpoint. Requires identityd photo intake
    design + deepface integration scope. Deferred to its own session.

  DEFERRED:
  - §3 employee training material. Gate 5 runbook §7 may serve as
    substrate; counsel decides whether a separate program is needed.

Calendar bottleneck is now counsel review. Engineering can stage no
further deliverables until either (a) Gate 3's design conversation
happens or (b) counsel completes review of items 1/2/5/6.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-03 04:38:49 -05:00

2.1 KiB

Raw Blame History

BIPA Pre-IdentityD Biometric Attestation

Date: 2026-05-03 Spec: docs/PHASE_1_6_BIPA_GATES.md §2 Generator: scripts/staffing/attest_pre_identityd_biometric_state.sh

Purpose

This is a one-time defense artifact establishing that, as of 2026-05-03, no biometric identifiers or biometric information from real candidates have been collected, processed, or stored by the Lakehouse system. It is intended to be signed by J (operator of record) and outside counsel, then anchored to a tamper-evident store (filesystem with backups + version control).

Evidence

Check 1 — workers_500k.parquet schema (no biometric columns)

Source: data/datasets/workers_500k.parquet

Schema columns (18 total):

worker_id
name
role
email
phone
city
state
zip
skills
certifications
archetype
reliability
responsiveness
engagement
compliance
availability
communications
resume_text

Schema SHA-256: 4ba17870ce25a186a62bdfc29a3b336947dc2fba8a62c42ca249c81f41d32e30

PASS: no biometric / photo / face / image column present

Check 2 — KB + pathway memory contain no biometric payloads

Sources scanned:

data/_kb/*.jsonl (knowledge base)
data/_pathway_memory/state.json (pathway memory state)

Files scanned: 33 Forbidden-pattern hits: 0

PASS: no biometric payload patterns found in scanned files

Check 3 — Headshots manifest is synthetic-only

Source: data/headshots/manifest.jsonl

Total rows: 1000 Rows tagged real/candidate_upload/photo_upload: 0

PASS: all 1000 rows are synthetic (no real-candidate uploads)

Summary

3 / 3 evidence checks pass.

Attestation

I, the undersigned, attest that the above evidence accurately reflects the state of the Lakehouse system as of 2026-05-03. No biometric identifiers or biometric information from real candidates have been collected, processed, or stored prior to the deployment of the Phase 1.6 BIPA pre-launch gates.

Evidence SHA-256: 230fffeb77b502717bcd7161cc74d5a3401b8722acc8d6ed3d524f93e261cd0b

Operator (J): _______________________________ Date: __________

Outside counsel: ___________________________ Date: __________

2.1 KiB Raw Blame History