contracts: add Exodus evidence-fabric contract bootstrap#5
Conversation
|
Follow-up update: this PR now also adds |
|
Follow-up update: this PR now adds first-class notes-provider ingest planning and contracts for Google Keep, Apple/iCloud Notes, and Microsoft OneNote. Added:
The notes path follows the same custody rule as the rest of the evidence fabric: preserve raw exports first, treat provider metadata as source aliases/evidence rather than authority, and normalize rich text, attachments, OCR/transcripts, and open-format derivatives only after raw custody is established. |
|
Follow-up update: added the aggregate validator and dashboard backlog. New files:
The aggregate validator runs the dashboard-state, migration/proof-pack, and notes-source validators together. The backlog maps the contracts to concrete Exodus Dashboard panels: provider control overview, migration wave planner, evidence landing monitor, notes migration, proof-pack center, and blocker/next-action review. |
|
Follow-up update: added a repo-level New targets:
|
|
Follow-up update: added owned-media migration coverage so Exodus can capture and plan export/conversion for user-owned music and videos. New files:
This intentionally keeps the next discussion open for codec/container policy. The current tranche freezes the custody-first rule: preserve raw media first, create Linux-ready derivatives later, record conversion targets and metadata, and treat DRM-locked/non-exportable assets as blocked or metadata-only rather than attempting bypass behavior. |
|
Follow-up update: added a complete evidence-fabric validator that includes owned media. New files:
Preferred complete validation command: python3 scripts/validate_all_evidence_fabric_contracts.pyThis runs dashboard state, migration/proof-pack, notes-provider, and owned-media validators together. A later small follow-up should update the current |
|
Follow-up update: added provider coverage roadmap and conversation reuse policy. New files:
The provider roadmap now establishes that Exodus should eventually cover all major personal cloud, AI chat, email/calendar/contact, notes/document/knowledge-base, collaboration, media, developer, financial/legal/medical, and social/creator export surfaces. The conversation reuse policy defines safe reuse of imported AI chats in future open chat/workspace surfaces: historical outputs remain historical records, citation is required, redaction review is required for SourceOS chat reuse, and imported provider chats do not become verified truth by default. |
|
Follow-up update: added the first report/visibility tranche for provider discovery, source aliases, and blocked objects. New files:
These reports are central to the Exodus proof story: what provider surfaces were discovered, which original aliases map to canonical blobs, and which objects remain blocked, metadata-only, or require next actions. |
|
Follow-up update: added conversion receipt and redaction review records. New files:
These contracts close two important proof gaps: every derived conversion can carry tool/profile/input/output/raw-custody evidence, and sensitive exports can be gated by redaction review while preserving raw private custody. |
|
Review / merge guidance: This PR is now a complete Exodus evidence-fabric contract bootstrap. Recommended merge options:
Either way, this PR should stop growing here. The next work should move into implementation repos ( |
…#25) * feat(tokenize): Chameleon pseudonyms + key-evolving re-keying + FPE (reference engine) Implements the masking-layer desensitisation primitives (the one piece not yet on main after the gate + sealing PRs landed). Algebraic pseudonym is homomorphic under re-keying, so domain re-tokenisation and key rotation never touch cleartext: token = H(value)^2 ^ k(domain,epoch) mod P; retoken tweak = k2 * k1^-1 mod Q scripts/exodus_tokenize.py - chameleon_token / domain_tweak / retokenize (domain-scoped, cross-domain unlinkable, key-evolving epochs). - hmac_pseudonym + build_reid_lookup (governed re-identification dictionary). - fpe_encrypt/decrypt (reference balanced Feistel, even-length digits). - one_way_hash / redact / generalize / suppress. - apply_profile() dispatches by tokenization-profile.v1 scheme. - stdlib-only; BLAKE3 opportunistic like exodus_seal.py. scripts/test_exodus_tokenize.py (8 tests, plain-assert idiom) - verifies the 256-bit reference group is a safe prime; determinism; cross-domain unlinkability; homomorphic re-tokenisation == native token; epoch-rotation consistency; FPE round-trip + format; re-id lookup; dispatch. Reference impl: production needs >=2048-bit MODP/EC group, constant-time bigint, HSM-held scalars, and NIST FF1 FPE (documented in the module). * feat(mask): masking PDP — policy veto + tokenize + BEACON_COMMIT seal -> masking-decision Composes the shipped pieces into one enforcement step (P1 #5), evaluated at read/export/activate/re-identify time: policy veto (forbidden identity mixtures, e.g. no_health_adtech) + exodus_tokenize (per-field Chameleon/FPE/hash/redact) + exodus_seal (BEACON_COMMIT receipt over the decision) -> a masking-decision.v1 record (the decision is itself verifiable evidence) scripts/exodus_mask.py - evaluate_masking(record, requesting_realm, audience, profiles, policy, ...): verdict allow / allow_masked / deny / review_required; applies field transforms; re-identification is reason-gated + profile-attr gated; emits masking-decision.v1 with a policy-decision ref + (signed) BEACON_COMMIT receipt. - unlinkable-identifier / side-channel mitigations recorded on every decision. scripts/test_exodus_mask.py (5 tests) - no_health_adtech veto (deny, no record returned); allow_masked tokenizes the field; re-identify requires reason + authz; signed receipt verifies via exodus_seal.verify_receipt; masking-decision.v1 shape. Depends on exodus_tokenize (PR #24). Gateway HTTP wiring (prophet-platform) is the remaining P1 #6 integration; this is the reusable PDP engine.
Summary
Adds the initial Exodus evidence-fabric contract bootstrap: dashboard state, migration planning, proof packs, provider/source coverage, notes, owned media, playlists, AI chat exports, report/visibility records, conversion/redaction records, and exit-readiness records.
What this PR adds
Core dashboard and migration contracts
docs/evidence-fabric-integration.mdpackages/contracts/evidence-dashboard-state.schema.jsonpackages/contracts/migration-wave-plan.schema.jsonpackages/contracts/proof-pack-summary.schema.jsonProvider/source coverage
backlog/provider-coverage-roadmap.mdpackages/contracts/provider-topology-snapshot.schema.jsonpackages/contracts/source-alias-report.schema.jsonpackages/contracts/blocked-object-report.schema.jsonNotes and AI chat exports
docs/notes-provider-ingest.mdpackages/contracts/notes-source-profile.schema.jsondocs/ai-chat-export-ingest.mdpackages/contracts/ai-chat-source-profile.schema.jsonpackages/contracts/ai-chat-conversation-document.schema.jsonpackages/contracts/conversation-reuse-policy.schema.jsonOwned media, playlists, and attestation
docs/owned-media-ingest.mddocs/owned-media-export-conversion-architecture.mddocs/owned-media-ownership-attestation.mdpackages/contracts/owned-media-source-profile.schema.jsonpackages/contracts/owned-media-conversion-profile.schema.jsonpackages/contracts/owned-media-attestation-record.schema.jsonpackages/contracts/playlist-migration-record.schema.jsonReceipts, redaction, and exit readiness
packages/contracts/conversion-receipt.schema.jsonpackages/contracts/redaction-review-record.schema.jsonpackages/contracts/deletion-eligibility-record.schema.jsonpackages/contracts/provider-downgrade-plan.schema.jsonExamples and validators
scripts/validate_exodus_evidence_fabric_all.pyMakefilewiring somake validateruns the final aggregate evidence-fabric validatorDesign posture
Validation
Run:
This runs:
Boundary
Exodus owns user experience, migration planning, scoring, proof summaries, and provider-exit guidance.
The evidence fabric owns raw custody, hash identity, source alias preservation, manifests, parser runs, and validation records.
Follow-on
evidence-contracts,evidence-broker, andevidence-storage-infra;