m5/org/openalice-clone-lab

openalice-clone-lab

Features
2
Status
·unknown
Last activity
1mo ago
Branch
main

Architecture rating

F1mo ago
securityC-

Rate-limit env (CLONELAB_RATE_LIMIT_PER_MINUTE), RLS toggle (CLONELAB_RLS_ENFORCE), JWT+Passport authn, consent-gated pipeline with deny-on-revoke tested — but all 14 env vars undeclared in manifest, no exposed health endpoint to verify headers/SSRF guards

data layerC-

RLS enforcement toggle + acceptance test (rls_isolates_jobs_by_owner), single migration 0001_init.sql present — but manifest_owns_tables is empty, only 1 migration suggests thin schema governance, no GDPR/retention signals visible

testingD

6 acceptance tests covering consent deny/revoke, self-clone liveness, synthetic NPC seal, RLS isolation — critical paths touched but no unit tests, single test file, no coverage metric; too thin for a security-critical ingestion worker

reliabilityD

Max cyclomatic complexity 18, 5 god modules, 2 deep-nesting sites, 3 complexity flags — no evidence of graceful shutdown, timeouts, retries, or idempotency; health probe returns up:false with no https endpoint exposed

consistencyF

Atlas drift 0/100, manifest_present:false despite 14 undeclared env vars, 5 duplicate signatures, 6 format issues, 5 god modules — clean on cycles and dead imports but substrate conventions largely unadopted

observabilityF

Health endpoint missing ('no https endpoint in manifest exposes', up:false), zero console statements suggests no structured logging, no evidence of metrics/tracing/readiness probes in source tree

docsF

README empty, manifest_present:false, 78 missing docstrings across codebase, roadmap 30/100, only 2 features annotated — effectively undocumented service

source · auto-grader-2026-06-17

Code composition

tokei · loc
4.1kloc
  • Rust96.4%
  • TOML2.5%
  • SQL1.1%
  • Rust96.4%· 3,998
  • TOML2.5%· 102
  • SQL1.1%· 47
Language% codecodecommentsblanksfiles
Rust96.4%3,99831247323
TOML2.5%10280122
SQL1.1%4748101

Telemetry ribbon · last 90 days

4 events
MAYJUNJUL2026-06-16 · lifecycle · first scan — repo indexed2026-06-17 · commit · new commit 904d366 → 87bed5a2026-06-17 · commit · new commit 87bed5a → ce9c6ab2026-06-17 · commit · new commit ce9c6ab → c0994f3NOW
commitmanifestlifecyclekind

clonelab/crate

1 feature
  • clonelab.crate.ingestion-worker
    src/lib.rs:3
    Rust/Axum service (port 3994) that ingests media for the Soul Vault program, runs the consent-by-class anti-deepfake gate (default-deny on non-consensual clones), distills the soul through a graceful pipeline, and calls the downstream openalice-vault /seal. Produces self-clones (with verified liveness) and random-synthetic NPCs; other-clone + encore are default-denied (M3/M5). The ACTUAL biometric liveness verification is a clearly-named STUB — the GATE LOGIC is the solid, exhaustively-tested part. Owner isolation is enforced by Postgres Row-Level Security keyed on `app.owner_id` (see [`db`]); the app role MUST be NOSUPERUSER NOBYPASSRLS for FORCE RLS to bite (applied at boot via `CLONELAB_RLS_ENFORCE`). # @feature clonelab.crate.consent-gate The pure consent-by-class decision function ([`consent::gate`]): self → requires verified self-liveness (else DENY); random → ALLOW (synthetic-none); other → DEFAULT-DENY with ONE narrow fail-closed Allow door (M3) — a verified, identity-bound, fresh, non-revoked subject consent ([`consent::SubjectConsentDoc`] + [`consent::ThirdPartyConsentVerifier`] + [`consent::RevocationRegistry`]) → 'subject-signed'; encore → DENY (M5). The biometric liveness check + the third-party consent verifier are stub traits; two boot hard-guards forbid a stub in real-ingest mode; the class-decision logic is exhaustively unit-tested. # @feature clonelab.crate.synthetic-npc Deterministic procedural synthetic-NPC generation ([`synthetic::generate`]) — seed → reproducible SOUL.md envelope + voice/visual style refs (NO real person) → pipeline with subject_kind=random (gate ALLOWs) → seal. # @feature clonelab.abuse.provenance-watermark §6.9 abuse control (#720): every synthetic clone output carries an embedded, ed25519-signed provenance marker ([`provenance::ProvenanceMarker`] + [`provenance::ProvenanceSigner`], same self-contained raw-keyfile/base64-sig pattern as openalice-vault crypto::sign) — 'synthetic · clone-lab-generated · <timestamp>' staged as PROVENANCE.json and sealed with the bundle. HONEST: a tamper-evident provenance artifact + deterrent, NOT an unforgeable lock (mirrors the C2PA / vault-escrow honesty rail — strippable / re-encodable). # @feature clonelab.abuse.dua-gate §6.9 abuse control (#720): a default-deny Data-Use-Agreement gate for random/synthetic ingest ([`dua::require_dua_acceptance`]). The caller must accept a versioned DUA ('no real-person likeness under the random label', etc.) whose terms-hash an acceptance binds to (subject/timestamp/terms-hash recorded); without a matching acceptance random ingest is REFUSED. Closes the contractual side of the random-label-trust gap (the technical side is the identity-detection hook). # @feature clonelab.abuse.identity-detection-hook §6.9 abuse control (#720): a fail-closed verifier-trait hook ([`identity_detection::IdentityDetector`]) run on random-label uploads that (in real mode) flags real-person likeness → block. The real ML is GATED: ships a fail-closed STUB ([`identity_detection::StubIdentityDetector`]) + a hard-guard ([`identity_detection::real_ingest_identity_detection_precondition`]) that refuses to boot if the stub is active in real-ingest mode — mirrors the liveness / consent stub-guards. Technical floor under the random-label-trust gap.

clonelab/middleware

1 feature
  • clonelab.middleware.rate-limit
    src/main.rs:3
    Per-owner token-bucket rate limiter on the JWT-gated owner surface (default 600 req/min ≈ 10 RPS, overridable via CLONELAB_RATE_LIMIT_PER_MINUTE). Provided by openalice-axum-common::rate_limit. default-rpm: 600 Routes: * `/health` — Traefik liveness probe (public). * `/metrics` — Prometheus scrape. * owner surface (ingest / status / synthetic) — JWT-gated, rate-limited. Boot guard: if a required prerequisite is absent, the CloneLabService is `None` and owner endpoints return 503 while /health stays up.