Note

    0003_privacy-redaction-publication-pipeline

    Document Metadata

    • title: 0003 - Privacy Redaction And Publication Pipeline
    • description: Define the safety gates required before Chronicle-derived visuals can become public.
    • status: active
    • lastUpdated: "2026-06-04 12:42 ET (America/New_York)"
    • owner: Product/Engineering
    • priority: high
    • projectType: child
    • parentProject: 0001_public-site-context-layer-setup
    • programTrack: privacy-publication

    0003 - Privacy Redaction And Publication Pipeline

    Operating Assumption

    Chronicle raw screenshots are sensitive. Do not assume Chronicle automatically redacts secrets, SSNs, account pages, medical/financial data, private messages, or admin surfaces. Do not assume OpenAI immediately deletes a screen recording just because sensitive information appears in it.

    Goals

    • Create a redaction and review workflow that can safely produce public Chronicle-derived visuals.
    • Keep raw captures, OCR sidecars, and private summaries out of the public repo.
    • Publish only derivative images with redaction burned into pixels.
    • Clearly label inferred metadata and confidence boundaries.

    Pipeline

    1. Ingest private raw frame from the archive or rolling local spool.
    2. Classify screen context using path, app/window hints when available, OCR sidecars, and visual detection.
    3. Burn redactions into derivative images rather than hiding areas with CSS overlays.
    4. Generate review boards with numbered frames and risk labels.
    5. Require manual review before any public upload.
    6. Publish public manifest only after approval, including source date, redaction status, and confidence labels.
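
    Step 3 and the standalone-download criterion, as an added example that is not project code: it burns boxes into a raster, then checks the bytes a visitor would download. The PPM encoding, the black fill colour and the (x0, y0, x1, y1) box format are assumptions standing in for the real image pipeline.

```python
# Added example (not project code): burn redaction boxes into pixels, then verify
# the standalone file. PPM stands in for the real image format (assumption).
FILL = (0, 0, 0)  # opaque fill colour; assumption, the page does not specify one

def clip(box, w, h):
    x0, y0, x1, y1 = box
    return max(0, x0), max(0, y0), min(w, x1), min(h, y1)

def burn_redactions(pixels, boxes):
    """Return a copy of the raster with each (x0, y0, x1, y1) box overwritten."""
    out = [row[:] for row in pixels]
    h, w = len(out), len(out[0])
    for box in boxes:
        x0, y0, x1, y1 = clip(box, w, h)
        for y in range(y0, y1):
            for x in range(x0, x1):
                out[y][x] = FILL
    return out

def encode_ppm(pixels):
    """Serialise to binary PPM (P6): the bytes a visitor would download."""
    h, w = len(pixels), len(pixels[0])
    body = bytes(c for row in pixels for px in row for c in px)
    return b"P6\n%d %d\n255\n" % (w, h) + body

def decode_ppm(data):
    _magic, dims, _maxval, body = data.split(b"\n", 3)
    w, h = map(int, dims.split())
    return [[tuple(body[(y * w + x) * 3:(y * w + x) * 3 + 3]) for x in range(w)]
            for y in range(h)]

def leaked_pixels(file_bytes, boxes):
    """Count pixels inside the declared boxes that still hold original data."""
    pixels = decode_ppm(file_bytes)
    h, w = len(pixels), len(pixels[0])
    return sum(pixels[y][x] != FILL
               for x0, y0, x1, y1 in (clip(b, w, h) for b in boxes)
               for y in range(y0, y1) for x in range(x0, x1))

# Constructed 8x4 frame: grey background with a red "secret" strip.
RAW = [[(128, 128, 128)] * 8 for _ in range(4)]
for x in range(2, 6):
    RAW[1][x] = (200, 30, 30)
BOXES = [(2, 1, 6, 2)]

overlay_only = encode_ppm(RAW)                    # boxes live only in CSS/a sidecar
burned = encode_ppm(burn_redactions(RAW, BOXES))  # boxes written into the pixels

if __name__ == "__main__":
    print("overlay-only leaks:", leaked_pixels(overlay_only, BOXES))
    print("burned-in leaks:   ", leaked_pixels(burned, BOXES))
```

    A non-zero count from `leaked_pixels` on the file that would be uploaded is a reason to block publication, whatever the page's overlay shows.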

    Publication Labels

    • raw-private: never public.
    • candidate-redacted: derivative exists but review is pending.
    • approved-public: reviewed and safe for public site.
    • quarantined: do not publish without explicit manual decision.

    Project labels, summary links, and state labels must be marked as inferred unless confirmed by Git, docs, issue/PR state, or other durable artifacts.
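
    One way to enforce these labels before a frame reaches the public manifest, as an added example that is not project code. The transition table, the manifest field names (`reviewer`, `source_date`, `redaction_status`, the three label fields) and the `burned-in` status value are assumptions; the page defines only the four labels and what the manifest must include.

```python
# Added example (not project code): gate a manifest entry before publication.
from datetime import date

LABELS = {"raw-private", "candidate-redacted", "approved-public", "quarantined"}
# Allowed moves are an assumption; the page defines the labels, not the transitions.
ALLOWED = {
    ("raw-private", "candidate-redacted"), ("raw-private", "quarantined"),
    ("candidate-redacted", "approved-public"), ("candidate-redacted", "quarantined"),
    ("quarantined", "candidate-redacted"),
}
NEEDS_HUMAN = {("candidate-redacted", "approved-public"),
               ("quarantined", "candidate-redacted")}
INFERABLE = ("project_label", "summary_link", "state_label")

def transition(entry, new_label, reviewer=None):
    """Return a copy of entry with new_label, or raise if the move is not allowed."""
    move = (entry["label"], new_label)
    if new_label not in LABELS or move not in ALLOWED:
        raise ValueError(f"illegal transition {move}")
    if move in NEEDS_HUMAN and not reviewer:
        raise PermissionError(f"{move} requires a named human reviewer")
    return {**entry, "label": new_label, "reviewer": reviewer or entry.get("reviewer")}

def publish_errors(entry):
    """List every reason this entry must stay out of the public manifest."""
    errors = []
    if entry.get("label") != "approved-public":
        errors.append(f"label is {entry.get('label')!r}, not approved-public")
    if not entry.get("reviewer"):
        errors.append("no manual reviewer recorded")
    try:
        date.fromisoformat(entry.get("source_date") or "")
    except ValueError:
        errors.append("source_date missing or not ISO 8601")
    if entry.get("redaction_status") != "burned-in":  # assumed status value
        errors.append("redaction_status is not burned-in")
    for field in INFERABLE:
        meta = entry.get(field) or {}
        if not meta.get("inferred") and not meta.get("evidence"):
            errors.append(f"{field} is neither marked inferred nor backed by evidence")
    return errors

# Constructed manifest entry; every value here is illustrative.
FRAME = {"frame_id": "frame-0001", "label": "candidate-redacted",
         "source_date": "2026-06-04", "redaction_status": "burned-in",
         "project_label": {"value": "site-setup", "inferred": True},
         "summary_link": {"value": "DOCS/example.md", "evidence": "git"},
         "state_label": {"value": "in progress"}}
```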

    Scope

    In Scope

    • Redaction rules and review workflow.
    • Sensitive-data assumptions.
    • Public/private storage split.
    • Review Board evidence requirements.

    Out Of Scope

    • Training or fine-tuning a custom redaction model in this setup pass.
    • Publishing a public dataset.
    • Legal/privacy sign-off.

    Success Criteria

    • Raw captures cannot be committed by default due to .gitignore protections.
    • Every public frame has a redaction status in metadata.
    • Redaction is pixel-level and survives standalone image download.
    • Review board packets exist for representative examples before public launch.
    • Public copy does not imply automatic OpenAI deletion or automatic Chronicle redaction.

    Supporting Docs And Evidence

    • Review process: DOCS/development/review-board-operating-pattern.md
    • Evidence template: DOCS/evidence/templates/review-board-operating-pattern/
    • Completed archive setup: DOCS/PROJECTS/completed/0002_capture-archive-storage-design.md

    Visual/UX Quality Gate

    This stream requires visual review before any public example gallery ships.

    • Critique verdict: Pending.
    • Evidence paths: Pending.
    • Must-fix issues: Pending.
    • Approved deviations: None yet.
    • Follow-up verification: Pending.

    Checkpoint Log

    Checkpoint 01 - 2026-06-04 12:42 ET (America/New_York)

    Completed Since Prior Checkpoint

    • Documented the core privacy assumption: raw Chronicle captures are not publication-safe.
    • Defined redaction statuses and required public/private storage boundary.
    • Added Review Board dependency for visual review.

    Next Checkpoint Targets

    • Draft sensitive-surface denylist and regex detector list.
    • Prototype a local redaction manifest format.
    • Generate synthetic/redacted-only examples for public design exploration.

    Risks

    • OCR is noisy and can miss sensitive text; it cannot be the only detection layer.
    • Visual redaction can fail if overlays are not burned into the final pixels.
    • Public timeline context can reveal sensitive work patterns even when visible text is redacted.

    Open Questions

    • What categories of work should be excluded from public publication entirely?
    • Should any human/private communications be categorically quarantined?

    MAGGIE TODO

    • MAGGIE TODO: Review and approve the first denylist of apps/sites/surfaces that must never be public.
