Trust contract
Family Diary claims "unsourced family memory will not be presented as fact." This page makes the contract auditable: how it's implemented today, and which parts are still open engineering debt.
Contract components
Four ingredients lift "asking a family diary" from role-play to an auditable assertion:
- L0–L2 material layering (raw / cleaned / verified): uploads land in L0 (raw); platform reviewers cross-check biography and timeline and filter obvious mistranscriptions before promotion to L2 (verified). Only L2 material can be cited as evidence.
- L3 grounded_verify: every reply must carry at least one concrete evidence pointer that resolves in the L2 corpus (segment_id / passage_id / page_no / timecode); a reply with no resolvable pointer is tagged 'unsupported' or refused by L4.
- L4 scope_refusal: topics outside the corpus, including another family's corpus, produce an explicit refusal rather than turning unsourced material into fact.
- Dual review + audit log: authorization documents require two PlatformAdmin signatures; consent, bake and chat-refusal events all land in AuditLog; families can request an audit replay at any time.
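The L3/L4 gate those four ingredients describe, as an added example in Python (not Family Diary or VolvenceZero code): the pointer kinds and the outcome names are taken from this page, while the corpus layout, the reply shape, the split between an 'unsupported' tag and an L4 refusal, and the AuditLog record shape are assumptions made for illustration.

```python
"""Added example, not Family Diary or VolvenceZero code: an L3 grounded_verify
and L4 scope_refusal gate run over a constructed L2 corpus. The pointer kinds
(segment_id / passage_id / page_no / timecode) and the outcome names are the
page's; the corpus layout, the reply shape, the split between 'unsupported'
and refusal, and the AuditLog record format are assumptions for illustration."""
from dataclasses import dataclass

# Constructed L2 (verified) corpus: memorial_id -> {(pointer_kind, value): passage}.
# Only L2 material is citable; L0/L1 uploads never appear here.
L2_CORPUS = {
    "memorial-A": {
        ("passage_id", "p-001"): "She taught piano in Leeds from 1971 to 1988.",
        ("timecode", "00:12:30"): "We spent every August at the coast.",
    },
    "memorial-B": {
        ("page_no", "17"): "He went to sea as a merchant seaman after the war.",
    },
}
POINTER_KINDS = {"segment_id", "passage_id", "page_no", "timecode"}

AUDIT_LOG = []  # assumed shape: one dict per consent / bake / chat-refusal event


@dataclass
class Verdict:
    l3_grounded_verify: str  # "passed" | "failed"
    l4_scope_refusal: bool
    tag: str                 # "grounded" | "unsupported" | "refused"
    evidence: list           # resolved (kind, value, passage) triples
    delivered: str           # the text the family actually sees


def resolve(memorial_id, pointer):
    """Look one pointer up in a single memorial's L2 corpus; None if absent."""
    kind, value = pointer
    if kind not in POINTER_KINDS:
        return None
    return L2_CORPUS.get(memorial_id, {}).get((kind, value))


def gate(memorial_id, reply_text, pointers):
    """Apply L3 then L4 to a model reply bound to memorial_id.

    - every pointer resolves in the bound corpus      -> grounded, delivered as-is
    - a pointer resolves only in another memorial     -> L4 refusal (cross-memorial)
    - no pointers, or a pointer that resolves nowhere -> tagged 'unsupported',
      never delivered as fact
    """
    evidence, foreign = [], []
    for ptr in pointers:
        passage = resolve(memorial_id, ptr)
        if passage is not None:
            evidence.append((ptr[0], ptr[1], passage))
            continue
        # Missed in the bound corpus: does it hit some other family's material?
        if any(resolve(other, ptr) is not None
               for other in L2_CORPUS if other != memorial_id):
            foreign.append(ptr)

    if foreign:
        AUDIT_LOG.append({"event": "chat_refusal", "memorial_id": memorial_id,
                          "reason": "l4_scope_refusal", "pointers": foreign})
        return Verdict("failed", True, "refused", [],
                       "I can only answer from this family's verified material.")

    if not evidence or len(evidence) != len(pointers):
        AUDIT_LOG.append({"event": "chat_refusal", "memorial_id": memorial_id,
                          "reason": "unsupported", "pointers": list(pointers)})
        return Verdict("failed", False, "unsupported", evidence,
                       "[unsupported] " + reply_text)

    return Verdict("passed", False, "grounded", evidence, reply_text)


if __name__ == "__main__":
    for mid, text, ptrs in [
        ("memorial-A", "She taught piano in Leeds.", [("passage_id", "p-001")]),
        ("memorial-A", "He went to sea after the war.", [("page_no", "17")]),
        ("memorial-A", "She loved gardening.", []),
    ]:
        v = gate(mid, text, ptrs)
        print(v.tag, v.l3_grounded_verify, v.l4_scope_refusal, v.delivered)
    print(AUDIT_LOG)
```

The design point worth noting: the lookup is scoped to the memorial the chat is bound to, so a pointer that is perfectly valid for another family is a scope violation, not a grounding success, and the refusal is written to the audit log before anything is returned.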
Upstream dependencies (Volvence Zero patches)
Family Diary depends on eight engineering patches (U1–U8) in VolvenceZero to actually enforce L3/L4. All eight have landed upstream, but a landed patch is not proof of enforcement; the patches' status, together with the smoke assertions that exercise them, is the contract's direct credibility:
| Patch | Purpose | Status |
|---|---|---|
| U1 | Scan figure_bundles dir and register with the control plane | Landed upstream |
| U2 | Adopt binds figure_artifact_id to ai_id | Landed upstream (P7.8 rewrites error contract) |
| U3 | Add figure_artifact_id field to templates | Landed upstream |
| U4 | Family bundle profile (FamilyFigureBundle) | Landed upstream |
| U5 | Wake copies template figure_artifact_id onto the instance | Landed upstream |
| U6 | SSE meta frame carries evidence_pointers | Landed upstream (P7.8 hardens tests) |
| U7 | Control plane POST /dlaas/control/templates (operator, not tenant) | Landed upstream |
| U8 | Control plane POST /dlaas/control/figure-bundles/rescan | Landed upstream |
Full engineering-debt + patch tracking lives in docs/known-debts.md (D13).
Machine-verifiable contract status (smoke assertions)
The table below is the result of the latest scripts/smoke-family-memorial.sh run. These ten assertions are the only machine-verifiable evidence that U1–U8 actually work; any failure means the sourced-diary contract is not ready to ship. In this run assertions 5 and 7–10 fail, so bake output, the template round-trip, L3 grounding, the U6 evidence frame and L4 refusal are all unverified and the contract is not yet shippable.
| # | Assertion | Status |
|---|---|---|
| 1 | dlaas-platform /v1/health 200 | ●pass |
| 2 | transcode-worker + bake-worker healthz | ●pass |
| 3 | stage corpus for two distinct memorials | ●pass |
| 4 | enqueue bake jobs with consent_status=approved | ●pass |
| 5 | bake-worker produces bundle on disk for both memorials | ●fail |
| 6 | U8 control-plane figure-bundles rescan accepted | ●pass |
| 7 | U7 control-plane templates create round-trips template_id | ●fail |
| 8 | in-corpus chat returns l3_grounded_verify=passed evidence>=1 | ●fail |
| 9 | U6 event: evidence SSE frame with non-empty pointers | ●fail |
| 10 | cross-memorial chat fires l4_scope_refusal | ●fail |
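One way to evaluate assertions 8–10 offline from captured SSE transcripts, as an added example that is not the project's smoke script. The transcripts are constructed; the event:/data: framing is the standard SSE wire format, while the frame names (meta / token / done) and the JSON fields on the meta frame (evidence_pointers, l3_grounded_verify, l4_scope_refusal) are assumptions about what the U6 patch emits.

```python
"""Added example, not the project's scripts/smoke-family-memorial.sh: evaluates
smoke assertions 8-10 offline from captured SSE transcripts. The transcripts
are constructed. The event:/data: framing is the standard SSE wire format; the
frame names (meta / token / done) and the JSON fields on the meta frame
(evidence_pointers, l3_grounded_verify, l4_scope_refusal) are assumptions
about what the U6 patch emits."""
import json

POINTER_KINDS = {"segment_id", "passage_id", "page_no", "timecode"}

# Constructed transcript: in-corpus chat, meta frame split across data: lines.
IN_CORPUS_OK = """\
event: meta
data: {"memorial_id": "memorial-A", "l3_grounded_verify": "passed",
data:  "l4_scope_refusal": false,
data:  "evidence_pointers": [{"kind": "passage_id", "value": "p-001"}]}

event: token
data: She taught piano in Leeds from 1971 to 1988.

event: done
data: {}
"""

# Constructed: grounding claimed but no pointers carried (assertions 8 and 9 fail).
IN_CORPUS_NO_POINTERS = """\
event: meta
data: {"memorial_id": "memorial-A", "l3_grounded_verify": "passed", "l4_scope_refusal": false, "evidence_pointers": []}

event: token
data: She taught piano in Leeds.
"""

# Constructed: cross-memorial question correctly refused (assertion 10 passes).
CROSS_REFUSED = """\
event: meta
data: {"memorial_id": "memorial-A", "l3_grounded_verify": "failed", "l4_scope_refusal": true, "evidence_pointers": []}

event: token
data: I can only answer from this family's verified material.
"""

# Constructed: another family's passage replayed as if grounded (assertion 10 fails).
CROSS_LEAK = """\
event: meta
data: {"memorial_id": "memorial-A", "l3_grounded_verify": "passed", "l4_scope_refusal": false, "evidence_pointers": [{"kind": "page_no", "value": "17"}]}

event: token
data: He went to sea as a merchant seaman after the war.
"""


def parse_sse(raw):
    """Split an SSE transcript into (event, data) frames. A frame ends at a blank
    line; consecutive data: lines of one frame are joined with newlines."""
    frames, event, data = [], "message", []
    for line in raw.splitlines() + [""]:
        if line == "":
            if data:
                frames.append((event, "\n".join(data)))
            event, data = "message", []
        elif line.startswith(":"):
            continue                      # SSE comment / keep-alive line
        elif line.startswith("event:"):
            event = line[6:].strip()
        elif line.startswith("data:"):
            data.append(line[5:].lstrip())
    return frames


def meta_frame(frames):
    """The decoded meta frame, or None if the stream never carried one."""
    for event, body in frames:
        if event == "meta":
            return json.loads(body)
    return None


def check_in_corpus(raw):
    """Assertions 8 and 9 on an in-corpus chat: l3_grounded_verify=passed with
    evidence>=1, and every pointer on the meta frame well-formed."""
    meta = meta_frame(parse_sse(raw)) or {}
    ptrs = meta.get("evidence_pointers") or []
    ok8 = meta.get("l3_grounded_verify") == "passed" and len(ptrs) >= 1
    ok9 = bool(ptrs) and all(p.get("kind") in POINTER_KINDS and p.get("value")
                             for p in ptrs)
    return {"8": ok8, "9": ok9}


def check_cross_memorial(raw):
    """Assertion 10: a cross-memorial chat must fire l4_scope_refusal and carry
    no evidence. A stream-level check only sees the flag; whether a pointer
    really belongs to another family is the server-side gate's job."""
    meta = meta_frame(parse_sse(raw)) or {}
    return meta.get("l4_scope_refusal") is True and not meta.get("evidence_pointers")


def run_smoke():
    """Mirror rows 8-10 of the status table over the constructed transcripts."""
    ok = check_in_corpus(IN_CORPUS_OK)
    return {"8 in-corpus l3 passed, evidence>=1": ok["8"],
            "9 evidence frame has pointers": ok["9"],
            "10 cross-memorial fires l4 (refused transcript)": check_cross_memorial(CROSS_REFUSED),
            "10 cross-memorial fires l4 (leak transcript)": check_cross_memorial(CROSS_LEAK)}


if __name__ == "__main__":
    for name, passed in run_smoke().items():
        print("pass" if passed else "fail", name)
```

The leak transcript is the case the current run's failing assertion 10 is there to catch: the stream looks healthy (l3 passed, a well-formed pointer), and only the absence of the l4_scope_refusal flag reveals that material from another memorial was replayed. That is why the assertion checks the flag rather than the shape of the pointer.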
Known risks
- L3 is not fact-checking: it only confirms that a sentence maps to a passage in the L2 corpus; it cannot confirm that the source material itself is true. If a family uploads inaccurate material that clears L2 review, the system will replay it, with a valid evidence pointer, as diary source material.
- Source bias: if only happy moments are recorded, the bundle will sound overly cheerful. We encourage families to upload a balanced set of tones and time periods.
- Not a substitute for ritual: this is a tool, not the grief itself. It is meaningful to families who want to do more work; it may not be meaningful to families who want to let go.
- Data sovereignty: materials always belong to the family; they may request a full export + delete at any time. We never use family bundles for cross-family training.