# openalice-clone-lab

> Cloning Lab: the security-critical ingestion worker for the Soul Vault — consent-gated media distillation → sealed .soul bundles. Default-deny on non-consensual clones.

## At a glance
| field | value |
|---|---|
| kind | `service` |
| priority | `—` |
| default branch | `main` |
| last activity | 2026-06-17T16:11:52+00:00 |
| features catalogued | **2** |
| runtime deps declared | **1** |

## Env drift

**Code reads, manifest omits (15):**
- `CLONELAB_PORT`
- `CLONELAB_PROVENANCE_KEY_PATH`
- `CLONELAB_RATE_LIMIT_PER_MINUTE`
- `CLONELAB_REAL_INGEST`
- `CLONELAB_RLS_ENFORCE`
- `CLONELAB_STAGING_DIR`
- `DATABASE_URL`
- `INTERNAL_SECRET`
- `OPENALICE_CLONELAB_MODE`
- `OPENALICE_ENV`
- `PASSPORT_SERVICE_TOKEN`
- `PASSPORT_URL`
- `SHARED_JWT_SECRET`
- `VAULT_SERVICE_TOKEN`
- `VAULT_URL`

## Features (2)

### clonelab/crate
- **`clonelab.crate.ingestion-worker`** — Rust/Axum service (port 3994) that ingests media for the Soul Vault program, runs the consent-by-class anti-deepfake gate (default-deny on non-consensual clones), distills the soul through a graceful pipeline, and calls the downstream openalice-vault /seal. Produces self-clones (with verified liveness) and random-synthetic NPCs; other-clone + encore are default-denied (M3/M5). The ACTUAL biometric liveness verification is a clearly-named STUB — the GATE LOGIC is the solid, exhaustively-tested part. Owner isolation is enforced by Postgres Row-Level Security keyed on `app.owner_id` (see [`db`]); the app role MUST be NOSUPERUSER NOBYPASSRLS for FORCE RLS to bite (applied at boot via `CLONELAB_RLS_ENFORCE`). # @feature clonelab.crate.consent-gate The pure consent-by-class decision function ([`consent::gate`]): self → requires verified self-liveness (else DENY); random → ALLOW (synthetic-none); other → DEFAULT-DENY with ONE narrow fail-closed Allow door (M3) — a verified, identity-bound, fresh, non-revoked subject consent ([`consent::SubjectConsentDoc`] + [`consent::ThirdPartyConsentVerifier`] + [`consent::RevocationRegistry`]) → 'subject-signed'; encore → DENY (M5). The biometric liveness check + the third-party consent verifier are stub traits; two boot hard-guards forbid a stub in real-ingest mode; the class-decision logic is exhaustively unit-tested. # @feature clonelab.crate.synthetic-npc Deterministic procedural synthetic-NPC generation ([`synthetic::generate`]) — seed → reproducible SOUL.md envelope + voice/visual style refs (NO real person) → pipeline with subject_kind=random (gate ALLOWs) → seal. # @feature clonelab.abuse.provenance-watermark §6.9 abuse control (#720): every synthetic clone output carries an embedded, ed25519-signed provenance marker ([`provenance::ProvenanceMarker`] + [`provenance::ProvenanceSigner`], same self-contained raw-keyfile/base64-sig pattern as openalice-vault crypto::sign) — 'synthetic · clone-lab-generated · <timestamp>' staged as PROVENANCE.json and sealed with the bundle. HONEST: a tamper-evident provenance artifact + deterrent, NOT an unforgeable lock (mirrors the C2PA / vault-escrow honesty rail — strippable / re-encodable). # @feature clonelab.abuse.dua-gate §6.9 abuse control (#720): a default-deny Data-Use-Agreement gate for random/synthetic ingest ([`dua::require_dua_acceptance`]). The caller must accept a versioned DUA ('no real-person likeness under the random label', etc.) whose terms-hash an acceptance binds to (subject/timestamp/terms-hash recorded); without a matching acceptance random ingest is REFUSED. Closes the contractual side of the random-label-trust gap (the technical side is the identity-detection hook). # @feature clonelab.abuse.identity-detection-hook §6.9 abuse control (#720): a fail-closed verifier-trait hook ([`identity_detection::IdentityDetector`]) run on random-label uploads that (in real mode) flags real-person likeness → block. The real ML is GATED: ships a fail-closed STUB ([`identity_detection::StubIdentityDetector`]) + a hard-guard ([`identity_detection::real_ingest_identity_detection_precondition`]) that refuses to boot if the stub is active in real-ingest mode — mirrors the liveness / consent stub-guards. Technical floor under the random-label-trust gap.  
  *src/lib.rs:3*

### clonelab/middleware
- **`clonelab.middleware.rate-limit`** — Per-owner token-bucket rate limiter on the JWT-gated owner surface (default 600 req/min ≈ 10 RPS, overridable via CLONELAB_RATE_LIMIT_PER_MINUTE). Provided by openalice-axum-common::rate_limit. default-rpm: 600 Routes: * `/health`  — Traefik liveness probe (public). * `/metrics` — Prometheus scrape. * owner surface (ingest / status / synthetic) — JWT-gated, rate-limited. Boot guard: if a required prerequisite is absent, the CloneLabService is `None` and owner endpoints return 503 while /health stays up.  
  *src/main.rs:3*

---

*Generated by [openalice-atlas](https://atlas.blal.pro) — single source of truth for the openalicelabs ecosystem.*
