{"ok":true,"checkedAt":"2026-06-02T19:06:57.248Z","contractVersion":"background-capability-gates-v0.1-2026-05","purpose":"Public gate for staged background-networking expansion: source connectors, AI shadow summarization, and privacy-preserving overlap may advance only through documented consent, DPIA, review, and non-mutation controls.","validation":{"blockers":[],"checks":[{"evidence":"source_connector_imports, ai_shadow_summarization, privacy_preserving_overlap","id":"required-gates","label":"Contract covers source connectors, AI shadow summarization, and privacy-preserving overlap","status":"pass"},{"evidence":"source_connector_imports:5, ai_shadow_summarization:5, privacy_preserving_overlap:5","id":"dpia-required-before-expansion","label":"Every higher-power gate requires DPIA or documented privacy-design review before expansion","status":"pass"},{"evidence":"Separate opt-in consent for optional enrichment; account creation consent is not enough. | Separate source-level AI shadow consent; refusal must not block ordinary deterministic matching. | Optional sensitive-overlap consent plus a documented processing record for the exact use case.","id":"separate-consent-and-lawful-basis","label":"Every gate separates optional consent from account creation and names a lawful-basis record","status":"pass"},{"evidence":"raw_private_feed_ingestion, continuous_source_search, counterparty_contact, analytics_copy_of_raw_content, live_match_suggestion, participant_disclosure, ranking_change, state_mutation, raw_private_feed_training, global_moral_ranking, raw_tag_upload, unbounded_counterparty_search, operator_bypass_of_consent","id":"raw-content-analytics-boundary","label":"Raw private feeds and raw source content are blocked from analytics and training","status":"pass"},{"evidence":"source_connector_imports:default_off, ai_shadow_summarization:shadow_only, privacy_preserving_overlap:design_only","id":"non-production-staging","label":"AI and PET expansion remains shadow-only or design-only until evidence and review gates pass","status":"pass"},{"evidence":"Higher-power background features remain default-off unless the participant grants separate, specific, informed consent. | DPIA and privacy-design review are required before live source connector workers, AI assist mode, or privacy-preserving overlap pilots. | Raw private feeds, exact private wishes, contact details, and raw source text cannot be copied into analytics. | Human review remains mandatory for safety blocking, matching disclosure, reviewed completion, and dispute resolution. | Design-only or shadow-only features must publish blockers instead of implying production readiness.","id":"human-control-boundary","label":"Safety, disclosure, completion, and dispute decisions stay human controlled","status":"pass"}],"contractVersion":"background-capability-gates-v0.1-2026-05","expansionReady":false,"status":"pass","validatorName":"background-capability-gates","validatorVersion":"background-capability-gates-validator-v0.1"},"publicContract":{"gates":[{"key":"source_connector_imports","label":"Source connector imports","releaseState":"default_off","purpose":"Let participants record source-scoped summaries for matching review without turning external systems into a searchable corpus.","allowedUse":"Consent ledger, approved manual summaries, field-scoped retention, and revocation controls only.","lawfulBasis":"Separate opt-in consent for optional enrichment; account creation consent is not enough.","retentionRule":"Use the selected source retention window; expired or revoked sources stop influencing matching.","dataInputs":["source_connection_consent_scope","allowed_field_keys","approved_manual_summary","retention_expires_at"],"prohibitedEffects":["raw_private_feed_ingestion","continuous_source_search","counterparty_contact","analytics_copy_of_raw_content"],"requiredBeforeExpansion":["DPIA and documented privacy-design review","lawful-basis record of processing","source-specific retention and deletion test","operator review and appeal path","external security/privacy review for connector worker"],"currentBlockers":["No live connector worker may run before DPIA completion.","No continuous raw source search is permitted.","No raw source content may be copied into analytics."],"publicEvidence":["dashboard_field_permissions","revocation_control","raw_ingestion_disabled_constraint"]},{"key":"ai_shadow_summarization","label":"AI shadow summarization","releaseState":"shadow_only","purpose":"Measure whether AI summary drafts improve explanation quality and reviewer endorsement without increasing unsafe exposure.","allowedUse":"Shadow-only comparison on approved, redacted source summaries from consenting users.","lawfulBasis":"Separate source-level AI shadow consent; refusal must not block ordinary deterministic matching.","retentionRule":"Do not retain raw prompts or raw source text; keep only aggregate readiness counts and redacted evaluation artifacts.","dataInputs":["approved_manual_summary","ai_shadow_mode_allowed","allowed_field_keys","retention_expires_at"],"prohibitedEffects":["live_match_suggestion","participant_disclosure","ranking_change","state_mutation","raw_private_feed_training"],"requiredBeforeExpansion":["DPIA and documented privacy-design review","measured precision, explanation-quality, and user-endorsement lift","unsafe-exposure regression review","human approval for every status or disclosure change","external security/privacy review before assist mode"],"currentBlockers":["No AI output may create live matches or disclosure decisions.","No AI output may rank users or change product state.","No raw private feed training is permitted."],"publicEvidence":["ai_shadow_contract","redacted_sample_evaluation","dashboard_readiness_counter"]},{"key":"privacy_preserving_overlap","label":"Privacy-preserving overlap computation","releaseState":"design_only","purpose":"Explore whether especially sensitive overlap can be discovered without revealing non-overlap, raw wishes, or hidden preference sets.","allowedUse":"Design-only exploration of blinded tags, VOPRF, HPKE sealed fields, PSI, or PIR-PSI for narrow sensitive overlap checks.","lawfulBasis":"Optional sensitive-overlap consent plus a documented processing record for the exact use case.","retentionRule":"Do not store raw sensitive tags; any future pilot must expire blinded tokens and publish deletion semantics.","dataInputs":["narrow_sensitive_tag_set","client_side_blinded_token","non_overlap_redaction"],"prohibitedEffects":["global_moral_ranking","raw_tag_upload","unbounded_counterparty_search","operator_bypass_of_consent"],"requiredBeforeExpansion":["DPIA and documented privacy-design review","formal cryptographic design review","narrow threat model and abuse case review","property tests for non-overlap redaction","external security/privacy review before pilot"],"currentBlockers":["No production private-set intersection lane exists.","No sensitive overlap tokens may be generated without a narrow use case.","No cryptographic matching design may ship without external review."],"publicEvidence":["design_status_only","published_gate_before_pilot","private_overlap_contract","no_live_private_overlap_endpoint"]}],"invariants":["Higher-power background features remain default-off unless the participant grants separate, specific, informed consent.","DPIA and privacy-design review are required before live source connector workers, AI assist mode, or privacy-preserving overlap pilots.","Raw private feeds, exact private wishes, contact details, and raw source text cannot be copied into analytics.","Human review remains mandatory for safety blocking, matching disclosure, reviewed completion, and dispute resolution.","Design-only or shadow-only features must publish blockers instead of implying production readiness."],"contractTests":["background_capability_gate_validator","background_capability_gate_public_route_smoke","background_capability_gate_page_copy_smoke","background_capability_gate_api_contract_profile_smoke"],"expansionReady":false},"bg14Rollout":{"version":"background-networking-bg14-rollout-v1","stage":"internal","flags":[{"key":"background_source_summary_enabled","label":"Consented source summaries","enabled":false,"defaultEnabled":false,"gatedSurfaces":["/api/background/source-summaries","/api/background/source-summaries/:id/approve","dashboard_manual_source_summary_panel"],"purpose":"Let users approve redacted source summaries as matching signals without importing raw feeds.","rollbackAction":"Set BACKGROUND_SOURCE_SUMMARY_ENABLED=false, stop promoting new summaries, and keep existing approved summaries revocable through the source permission controls."},{"key":"background_wish_interview_enabled","label":"Wish interview assistant","enabled":false,"defaultEnabled":false,"gatedSurfaces":["/api/background/profile/interview","dashboard_structured_elicitation_panel","profile_signal_recompute_from_interview_answers"],"purpose":"Collect user-approved answers to deterministic clarification prompts before any profile signal changes.","rollbackAction":"Set BACKGROUND_WISH_INTERVIEW_ENABLED=false and leave saved answers private until the user edits or deletes them."},{"key":"background_opportunity_briefs_enabled","label":"Opportunity briefs and intro requests","enabled":false,"defaultEnabled":false,"gatedSurfaces":["/api/background/opportunity-briefs","/api/background/opportunity-briefs/:id/feedback","/api/background/intro-packets","dashboard_opportunity_briefs_panel"],"purpose":"Package broad-preview match leads as reviewed next steps without autonomous outreach or contact disclosure.","rollbackAction":"Set BACKGROUND_OPPORTUNITY_BRIEFS_ENABLED=false, pause brief generation jobs, and keep existing intro packets in operator review."}],"deploymentNote":{"broadenOnlyAfter":["zero unresolved privacy incidents","operator-reviewed disclosure and appeal metrics","route-backed API contract evidence for every background lane","documented rollback rehearsal for every enabled flag"],"currentStageLabel":"internal","stageOrder":["internal","tiny_cohort","pilot_pack","public_beta"],"summary":"Deploy bg14 lanes to internal/staff profiles first, then a tiny consenting cohort, then a pilot pack; broaden only after transparency, privacy, and operator-review checks stay clean."},"rollbackPlan":{"actions":["Turn off the affected BACKGROUND_*_ENABLED flag in production.","Pause background opportunity and source-promotion jobs while reviewing incident scope.","Leave route handlers private/no-store and return safe status metadata rather than raw detail.","Use revocation, grant expiry, and intro-packet review states to stop further disclosure."],"owner":"Moral Trade operator on call","summary":"Disable the specific bg14 flag, pause new promotion, preserve user revocation paths, and review audit rows before re-enabling."},"hardInvariants":["Broad previews are shown before exact private details.","Exact details move only through field-level privacy grants.","No autonomous outreach is sent by background networking.","No raw private-feed ingestion is enabled for matching.","AI promotion remains shadow-first and user/operator approved before live state mutation.","Operator review is required before introduced-stage contact disclosure."],"validation":{"blockers":[],"checks":[{"evidence":"background_source_summary_enabled, background_wish_interview_enabled, background_opportunity_briefs_enabled","id":"required-bg14-flags","label":"Rollout plan defines the three bg14 feature flags","status":"pass"},{"evidence":"background_source_summary_enabled:false, background_wish_interview_enabled:false, background_opportunity_briefs_enabled:false","id":"default-off","label":"Every bg14 lane is default-off unless its env flag is enabled","status":"pass"},{"evidence":"Disable the specific bg14 flag, pause new promotion, preserve user revocation paths, and review audit rows before re-enabling. Turn off the affected BACKGROUND_*_ENABLED flag in production. Pause background opportunity and source-promotion jobs while reviewing incident scope. Leave route handlers private/no-store and return safe status metadata rather than raw detail. Use revocation, grant expiry, and intro-packet review states to stop further disclosure. Set BACKGROUND_SOURCE_SUMMARY_ENABLED=false, stop promoting new summaries, and keep existing approved summaries revocable through the source permission controls. Set BACKGROUND_WISH_INTERVIEW_ENABLED=false and leave saved answers private until the user edits or deletes them. Set BACKGROUND_OPPORTUNITY_BRIEFS_ENABLED=false, pause brief generation jobs, and keep existing intro packets in operator review.","id":"rollback-actions","label":"Each flag and the overall plan names an explicit rollback action","status":"pass"},{"evidence":"Broad previews are shown before exact private details. Exact details move only through field-level privacy grants. No autonomous outreach is sent by background networking. No raw private-feed ingestion is enabled for matching. AI promotion remains shadow-first and user/operator approved before live state mutation. Operator review is required before introduced-stage contact disclosure.","id":"privacy-invariants","label":"Plan preserves broad previews, grants, no outreach, no raw ingestion, shadow-first AI, and contact review","status":"pass"},{"evidence":"Deploy bg14 lanes to internal/staff profiles first, then a tiny consenting cohort, then a pilot pack; broaden only after transparency, privacy, and operator-review checks stay clean. zero unresolved privacy incidents operator-reviewed disclosure and appeal metrics route-backed API contract evidence for every background lane documented rollback rehearsal for every enabled flag internal tiny_cohort pilot_pack public_beta","id":"deployment-note","label":"Deployment note stages internal, tiny cohort, pilot pack, and broaden-only-after checks","status":"pass"}],"contractVersion":"background-networking-bg14-rollout-v1","status":"pass","validatorName":"background-networking-bg14-rollout","validatorVersion":"background-networking-bg14-rollout-validator-v1"}},"blockers":[]}