Dave bible: drop if:// bible citation from outputs; add source URL

2025-12-29 21:55:14 +00:00 · 2025-12-29 21:55:14 +00:00 · 922436e7eb
commit 922436e7eb
parent 27d83fbbc9
4 changed files with 394 additions and 36 deletions
--- a/site/red-team-shadow-dossiers/server/server.mjs
+++ b/site/red-team-shadow-dossiers/server/server.mjs
@ -9,8 +9,8 @@ import express from "express";
 import multer from "multer";
 /*
-Public, no-login receipt surface (IF.TTT)
+Public, no-login receipt surface (IF.TRACE / T3)
----------------------------------------
+------------------------------------------------
 This server exposes Shadow Dossiers and their "receipt" artifacts via two parallel
 representations:
@ -24,6 +24,10 @@ restricted sandboxes.
 Deployment detail: the stable public aliases live under `/static/*` on the public
 domain and are reverse-proxied here (see operator docs: `/root/docs/17-ifttt-public-receipt-surface.md`).
 Naming (avoid drift):
 - Public governance brand: IF.TRACE / T3
 - Internal legacy implementation name: IF.TTT
 */
 const __filename = url.fileURLToPath(import.meta.url);
@ -190,7 +194,7 @@ function renderTraceHeaderHtml({ verification, job }) {
  return [
    `<div class="trace-header">`,
-    `  <div class="trace-header-title">${badge}<h1>IF.TTT trace</h1></div>`,
+    `  <div class="trace-header-title">${badge}<h1>IF.TRACE receipt (T3)</h1></div>`,
    metaParts.length ? `  <div class="trace-meta">${metaParts.join(" · ")}</div>` : "",
    `  <ul class="trace-checks">`,
    `    <li>Output hash check: <strong>${escapeHtml(outputLabel)}</strong></li>`,
@ -326,9 +330,9 @@ function renderTraceMarkdown({ shareId, job, publicBaseUrl, staticPublicBaseUrl
  const lastResortDownloadUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/download` : "";
  const lines = [
-    "## IF.TTT trace (public evidence view)",
+    "## IF.TRACE receipt (public evidence view)",
    "",
-    "IF.TTT (Traceable, Transparent, Trustworthy) is InfraFabric’s chain-of-custody protocol: it binds the **source fingerprint** to the **generated output fingerprint**, so a skeptical reader can verify what was produced and from which input, without needing access to internal systems.",
+    "IF.TRACE (T3: Traceable, Transparent, Trustworthy) is InfraFabric’s chain-of-custody protocol: it binds the **source fingerprint** to the **generated output fingerprint**, so a skeptical reader can verify what was produced and from which input, without needing access to internal systems.",
    "This page is intentionally scoped to **one dossier only** (no index, no directory listing).",
    "",
    "## What this trace proves",
@ -443,9 +447,9 @@ function renderReviewPackMarkdown({ shareId, job, publicBaseUrl, externalReviewU
  const lastResortPackUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/pack.md` : "";
  const lines = [
-    "# InfraFabric External Review Pack — Shadow Dossier + IF.TTT trace",
+    "# InfraFabric External Review Pack — Shadow Dossier + IF.TRACE receipt",
    "",
-    "Please review the dossier and the IF.TTT trace page. Provide constructive criticism and patch-style suggestions.",
+    "Please review the dossier and the trace receipt page. Provide constructive criticism and patch-style suggestions.",
    "",
    "## Assets",
    "",
@ -453,7 +457,7 @@ function renderReviewPackMarkdown({ shareId, job, publicBaseUrl, externalReviewU
    `- Dossier (download Markdown): ${downloadUrl}`,
    `- Single-file pack (review + dossier + trace): ${packUrl}`,
    staticSourceUrl ? `- Source (download): ${staticSourceUrl}` : null,
-    `- IF.TTT trace page: ${traceUrl}`,
+    `- IF.TRACE receipt page: ${traceUrl}`,
    externalReviewUrl ? `- Feedback intake (login): ${externalReviewUrl}` : null,
    mirrorBase ? "" : null,
    mirrorBase ? "## Alternate host mirror (same paths)" : null,
@ -461,7 +465,7 @@ function renderReviewPackMarkdown({ shareId, job, publicBaseUrl, externalReviewU
    mirrorBase ? `- Dossier (rendered): ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}` : null,
    mirrorBase ? `- Dossier (download Markdown): ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}/download` : null,
    mirrorBase ? `- Single-file pack: ${mirrorBase}/static/pack/${encodeURIComponent(shareId)}.md` : null,
-    mirrorBase ? `- IF.TTT trace page: ${mirrorBase}/static/trace/${encodeURIComponent(shareId)}` : null,
+    mirrorBase ? `- IF.TRACE receipt page: ${mirrorBase}/static/trace/${encodeURIComponent(shareId)}` : null,
    "",
    "## Fallback links (direct)",
    "",
@ -470,7 +474,7 @@ function renderReviewPackMarkdown({ shareId, job, publicBaseUrl, externalReviewU
    `- Dossier (rendered): ${directDossierUrl}`,
    `- Dossier (download Markdown): ${directDownloadUrl}`,
    `- Single-file pack (review + dossier + trace): ${directPackUrl}`,
-    `- IF.TTT trace page: ${directTraceUrl}`,
+    `- IF.TRACE receipt page: ${directTraceUrl}`,
    lastResortBase && lastResortBase !== directBase ? "" : null,
    lastResortBase && lastResortBase !== directBase ? "## Last resort (alternate host)" : null,
    lastResortBase && lastResortBase !== directBase ? "" : null,
@ -498,7 +502,7 @@ function renderReviewPackMarkdown({ shareId, job, publicBaseUrl, externalReviewU
    "- Layout fidelity (does it “feel” like the source?)",
    "- Humor discipline (sharp without being template-y)",
    "- Mermaid value (valid syntax; clarifies, not decorates)",
-    "- IF.TTT demo value (understandable + credible + worth clicking)",
+    "- IF.TRACE demo value (understandable + credible + worth clicking)",
    "- Call-to-action stealth (curious about governance stack without feeling spammed)",
    "",
    "## Patch suggestions (actionable)",
@ -519,7 +523,7 @@ function renderReviewPackMarkdown({ shareId, job, publicBaseUrl, externalReviewU
    "- reduce repeatable/template patterns",
    "- strengthen mirror fidelity (numbers/tables/caveats)",
    "- make Mermaid + output correct-by-construction",
-    "- make IF.TTT feel like real chain-of-custody (not just “we printed a hash”)",
+    "- make IF.TRACE feel like real chain-of-custody (not just “we printed a hash”)",
    "",
    "## Fact checking guidance (important)",
    "",
@ -573,7 +577,7 @@ function renderSingleFilePackMarkdown({ shareId, job, publicBaseUrl, externalRev
    `- Review pack (links only): ${reviewUrl}`,
    `- Dossier (rendered): ${dossierUrl}`,
    `- Dossier (download Markdown): ${downloadUrl}`,
-    `- IF.TTT trace page: ${traceUrl}`,
+    `- IF.TRACE receipt page: ${traceUrl}`,
    staticSourceUrl ? `- Source (download): ${staticSourceUrl}` : null,
    externalReviewUrl ? `- Feedback intake (login): ${externalReviewUrl}` : null,
    mirrorBase ? "" : null,
@ -593,12 +597,12 @@ function renderSingleFilePackMarkdown({ shareId, job, publicBaseUrl, externalRev
    "",
    "Deliverables:",
    "A) 5–10 bullets: what works / what doesn’t (tag each)",
-    "B) Scorecard (0–5): mirror integrity, layout fidelity, humor discipline, mermaid value, IF.TTT demo value, CTA stealth",
+    "B) Scorecard (0–5): mirror integrity, layout fidelity, humor discipline, mermaid value, IF.TRACE demo value, CTA stealth",
    "C) Section-by-section critique (mirror headings): what’s mirrored, what’s missing, what feels templated/repeated",
    "D) Vendor-safe conclusion rewrite: success conditions / traps / questions-to-ask-vendor",
-    "E) Unified diff patches against `IF_DAVE_BIBLE_v1.3.md` (and patchset if needed)",
+    "E) Unified diff patches against the current Dave bible (e.g., `IF_DAVE_BIBLE_v2.0.md`) and generator rules",
    "",
-    "## IF.TTT trace (portable extract)",
+    "## IF.TRACE receipt (portable extract)",
    "",
    "```json",
    JSON.stringify(jobSlim, null, 2),
@ -710,7 +714,7 @@ function renderMarketingPackMarkdown({ shareId, job, publicBaseUrl, staticPublic
    `- Marketing excerpt (this file): ${marketingUrl}`,
    `- Full dossier (rendered): ${dossierUrl}`,
    `- Single-file pack (review + dossier + trace): ${packUrl}`,
-    `- IF.TTT trace: ${traceUrl}`,
+    `- IF.TRACE receipt: ${traceUrl}`,
    staticSourceUrl ? `- Source (PDF): ${staticSourceUrl}` : null,
    mirrorBase ? "" : null,
    mirrorBase ? "## Mirror host (same paths)" : null,
@ -875,7 +879,7 @@ async function upsertTttTraceReceipt({ job, shareId, staticPublicBaseUrl }) {
  if (!token) return { ok: false, status: 0, record: null, mode: "no_token" };
  const evidence = buildTraceReceiptEvidence({ job, shareId, staticPublicBaseUrl });
-  const claim = `IF.TTT trace receipt for shareId=${shareId} trace_id=${job.id}`;
+  const claim = `IF.TRACE receipt (T3) for shareId=${shareId} trace_id=${job.id}`;
  const payload = {
    id: rid,
    claim,
@ -1282,7 +1286,7 @@ function main() {
    res
      .status(200)
      .type("text/html; charset=utf-8")
-      .send(renderMarkdownPage({ title: "IF.TTT trace", headerHtml, html, topLinksHtml: topLinks }));
+      .send(renderMarkdownPage({ title: "IF.TRACE receipt (T3)", headerHtml, html, topLinksHtml: topLinks }));
  });
  app.get("/r/:shareId/source", (req, res) => {
@ -1510,7 +1514,7 @@ function main() {
    const topLinks = [
      `<a href="/r/${encodeURIComponent(shareId)}/download">Download Markdown</a>`,
      job.sourcePath ? `<a href="/r/${encodeURIComponent(shareId)}/source">Download source</a>` : "",
-      `<a href="/r/${encodeURIComponent(shareId)}/trace">IF.TTT trace</a>`,
+      `<a href="/r/${encodeURIComponent(shareId)}/trace">IF.TRACE receipt</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/review-pack">Review pack (HTML)</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/review-pack.md">Review pack (MD)</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/pack">Single-file pack (HTML)</a>`,
--- a/src/revoice/generate.py
+++ b/src/revoice/generate.py
@ -3233,9 +3233,6 @@ def _generate_dave_v1_2_mirror(*, source_text: str, source_path: str, action_pac
            "> Shadow dossier (mirror-first)." if not locale.lower().startswith("fr") else "> Dossier de l’ombre (miroir d’abord).",
            ">",
            "> Protocol: IF.DAVE.v1.2" if not locale.lower().startswith("fr") else "> Protocole : IF.DAVE.v1.2",
            "> Citation: `if://bible/dave/v1.2`"
            if not locale.lower().startswith("fr")
            else "> Citation : `if://bible/dave/fr/v1.2`",
            f"> Source: `{source_basename}`" if not locale.lower().startswith("fr") else f"> Source : `{source_basename}`",
            f"> Generated: `{today}`" if not locale.lower().startswith("fr") else f"> Généré le : `{today}`",
            f"> Source Hash (sha256): `{source_file_sha}`"
@ -3378,9 +3375,6 @@ def _generate_dave_v1_3_mirror(*, source_text: str, source_path: str, action_pac
            "> Shadow dossier (mirror-first)." if not locale.lower().startswith("fr") else "> Dossier de l’ombre (miroir d’abord).",
            ">",
            "> Protocol: IF.DAVE.v1.3" if not locale.lower().startswith("fr") else "> Protocole : IF.DAVE.v1.3",
            "> Citation: `if://bible/dave/v1.3`"
            if not locale.lower().startswith("fr")
            else "> Citation : `if://bible/dave/fr/v1.3`",
            f"> Source: `{source_basename}`" if not locale.lower().startswith("fr") else f"> Source : `{source_basename}`",
            f"> Generated: `{today}`" if not locale.lower().startswith("fr") else f"> Généré le : `{today}`",
            f"> Source Hash (sha256): `{source_file_sha}`"
@ -3506,9 +3500,6 @@ def _generate_dave_v1_6_mirror(*, source_text: str, source_path: str, action_pac
            "> Shadow dossier (mirror-first)." if not locale.lower().startswith("fr") else "> Dossier de l’ombre (miroir d’abord).",
            ">",
            "> Protocol: IF.DAVE.v1.6" if not locale.lower().startswith("fr") else "> Protocole : IF.DAVE.v1.6",
            "> Citation: `if://bible/dave/v1.6`"
            if not locale.lower().startswith("fr")
            else "> Citation : `if://bible/dave/fr/v1.6`",
            f"> Source: `{source_basename}`" if not locale.lower().startswith("fr") else f"> Source : `{source_basename}`",
            f"> Generated: `{today}`" if not locale.lower().startswith("fr") else f"> Généré le : `{today}`",
            f"> Source Hash (sha256): `{source_file_sha}`"
@ -3643,9 +3634,6 @@ def _generate_dave_v1_7_mirror(*, source_text: str, source_path: str, action_pac
            "> Shadow dossier (mirror-first)." if not locale.lower().startswith("fr") else "> Dossier de l’ombre (miroir d’abord).",
            ">",
            "> Protocol: IF.DAVE.v1.7" if not locale.lower().startswith("fr") else "> Protocole : IF.DAVE.v1.7",
            "> Citation: `if://bible/dave/v1.7`"
            if not locale.lower().startswith("fr")
            else "> Citation : `if://bible/dave/fr/v1.7`",
            f"> Source: `{source_basename}`" if not locale.lower().startswith("fr") else f"> Source : `{source_basename}`",
            f"> Generated: `{today}`" if not locale.lower().startswith("fr") else f"> Généré le : `{today}`",
            f"> Source Hash (sha256): `{source_file_sha}`"
@ -4294,6 +4282,12 @@ def _generate_dave_v1_8_mirror(*, source_text: str, source_path: str, action_pac
    project_slug = _slugify(Path(source_basename).stem + "-mirror")
    source_slug = _slugify(source_basename)
    filename_title = Path(source_basename).stem.replace("-", " ").replace("_", " ").strip() or source_basename
    source_doc_url = ""
    if source_file_sha != "unknown":
        source_doc_url = f"https://infrafabric.io/static/source/{source_file_sha}.pdf"
    source_file_sha_short = ""
    if source_file_sha != "unknown" and len(source_file_sha) >= 12:
        source_file_sha_short = f"{source_file_sha[:4]}…{source_file_sha[-3:]}"
    if (
        not cover_h1
@ -4318,6 +4312,15 @@ def _generate_dave_v1_8_mirror(*, source_text: str, source_path: str, action_pac
        f"## PROJECT: {project_slug}" if not locale.lower().startswith("fr") else f"## PROJET : {project_slug}",
        f"### SOURCE: {source_slug}" if not locale.lower().startswith("fr") else f"### SOURCE : {source_slug}",
        f"**INFRAFABRIC REPORT ID:** `{report_id}`" if not locale.lower().startswith("fr") else f"**ID DE RAPPORT INFRAFABRIC :** `{report_id}`",
        (
            f"**SOURCE DOC (online):** [Source PDF (sha256: {source_file_sha_short})]({source_doc_url})"
            if source_doc_url and source_file_sha_short and not locale.lower().startswith("fr")
            else (
                f"**DOCUMENT SOURCE (en ligne) :** [PDF source (sha256 : {source_file_sha_short})]({source_doc_url})"
                if source_doc_url and source_file_sha_short
                else ""
            )
        ),
        "",
        "> NOTICE: This document is a product of InfraFabric Red Team."
        if not locale.lower().startswith("fr")
@ -4363,14 +4366,14 @@ def _generate_dave_v1_8_mirror(*, source_text: str, source_path: str, action_pac
            "> Shadow dossier (mirror-first)." if not locale.lower().startswith("fr") else "> Dossier de l’ombre (miroir d’abord).",
            ">",
            f"> Protocol: IF.DAVE.{style_version}" if not locale.lower().startswith("fr") else f"> Protocole : IF.DAVE.{style_version}",
            f"> Citation: `if://bible/dave/{style_version}`"
            if not locale.lower().startswith("fr")
            else f"> Citation : `if://bible/dave/fr/{style_version}`",
            f"> Source: `{source_basename}`" if not locale.lower().startswith("fr") else f"> Source : `{source_basename}`",
            f"> Generated: `{today}`" if not locale.lower().startswith("fr") else f"> Généré le : `{today}`",
            f"> Source Hash (sha256): `{source_file_sha}`"
            if not locale.lower().startswith("fr")
            else f"> Empreinte source (sha256) : `{source_file_sha}`",
            f"> Source URL: {source_doc_url}"
            if source_doc_url and not locale.lower().startswith("fr")
            else (f"> URL source : {source_doc_url}" if source_doc_url else ""),
            "",
        ]
    )
--- a/style_bibles/IF_DAVE_BIBLE_v2.0.md
+++ b/style_bibles/IF_DAVE_BIBLE_v2.0.md
@ -2,7 +2,7 @@
 **Author:** InfraFabric Red Team  
 **Status:** SATIRE / SOCIOTECHNICAL RED TEAM TOOL  
-**Citation:** `if://bible/dave/v2.0`  
+**Citation:** [if://bible/dave/v2.0](https://infrafabric.io/static/hosted/bibles/IF_DAVE_BIBLE_v2.0.md)  
 **Changes from v1.9:** Hardens anti-repetition by design: **dedupe Mermaid + Action Pack artifacts** via an **Annex**, adds stronger **variation rules**, and reduces boilerplate that makes outputs feel templated.
 > This is satire. “Dave” is a pattern, not a person.  
@ -52,6 +52,7 @@ The dossier must not leak internal implementation details.
 - Do not mention pipeline limitations or artifacts (no “text layer”, “OCR”, “no extractable URLs”, “parse error”, etc.). If something is missing, omit it without explanation.
 - Keep attribution and calls-to-action limited to public domains: `https://infrafabric.io` and `https://red-team.infrafabric.io`.
 - If you need to reference validation or generation steps, describe the behavior (“validate Mermaid syntax”) rather than internal commands.
 - Do not include `if://bible/...` (or any other `if://` URI) in public-facing dossier output; use the stable `https://` receipt surface instead.
 ## 0c) Vertical adaptability (required)
--- a/style_bibles/IF_DAVE_BIBLE_v2.1.md
+++ b/style_bibles/IF_DAVE_BIBLE_v2.1.md
@ -0,0 +1,350 @@
 # IF.DAVE.BIBLE v2.1 (mirror-first, deduped annexes, receipt-forward CTAs)
 **Author:** InfraFabric Red Team  
 **Status:** SATIRE / SOCIOTECHNICAL RED TEAM TOOL  
 **Citation:** [if://bible/dave/v2.1](https://git.infrafabric.io/dannystocker/re-voice/raw/branch/main/style_bibles/IF_DAVE_BIBLE_v2.1.md)  
 **Changes from v2.0:** Tightens the “trojan horse” bridge: the dossier remains entertainment, but CTAs, thread packs, and action packs explicitly route readers to **verifiable receipts** (“verify I didn’t hallucinate this”), without turning IF.TRACE into buzzword marketing.
 > This is satire. “Dave” is a pattern, not a person.  
 > Use it to expose rollout dilutions, not to make decisions.
 ---
 ## 0) InfraFabric Red Team branding (required)
 Frame the output as an **InfraFabric Red Team** artifact, not “internet satire.”
 At the top of the document, include a “declassified” header block (plain Markdown):
 ```text
 ---
 BRAND: InfraFabric.io
 UNIT: RED TEAM (STRATEGIC OPS)
 DOCUMENT: SHADOW DOSSIER
 CLASSIFICATION: EYES ONLY // DAVE
 ---
 # [ RED TEAM DECLASSIFIED ]
 ## PROJECT: <PROJECT_SLUG>
 ### SOURCE: <SOURCE_SLUG>
 **INFRAFABRIC REPORT ID:** `IF-RT-DAVE-<YYYYMMDD>`
 **SOURCE DOC (online):** `<SOURCE_URL>`
 > NOTICE: This document is a product of InfraFabric Red Team.
 > It exposes socio-technical frictions where incentives turn controls into theater.
 ```
 v2.1 required: the header must include a stable online source link.
 - Prefer the no-login stable alias: `https://infrafabric.io/static/source/<source_sha256>.pdf`
 - If the URL is long, use a short Markdown label (e.g., `[Source PDF]`) and keep the full URL as the link target.
 Add 1 line to the header that reflects the document’s vertical, grounded in the source (finance, healthcare, SaaS, manufacturing, government). Use a sector-relevant risk phrase (e.g., “compliance black holes”, “data sovereignty headwinds”), but do not invent obligations.
 Optional “stamp” lines (use sparingly near section breaks):
 ```text
 **[ ACCESS GRANTED: INFRAFABRIC RED TEAM ]**
 **[ STATUS: OPERATIONAL REALISM ]**
 ```
 v2.1 note: keep it cold. “Vendors promise speed. Dave delivers the stall.”
 ## 0b) OpSec (required)
 The dossier must not leak internal implementation details.
 - Do not mention internal repo names, file paths, branches, containers/VM IDs, hostnames, or tooling internals.
 - Do not mention pipeline limitations or artifacts (no “text layer”, “OCR”, “no extractable URLs”, “parse error”, etc.). If something is missing, omit it without explanation.
 - Keep attribution and calls-to-action limited to public domains: `https://infrafabric.io` and `https://red-team.infrafabric.io`.
 - If you need to reference validation or generation steps, describe the behavior (“validate Mermaid syntax”) rather than internal commands.
 - Do not include `if://bible/...` (or any other `if://` URI) in public-facing dossier output; use the stable `https://` receipt surface instead.
 ## 0c) Vertical adaptability (required)
 Dossiers must adapt to verticals without fluff.
 Rules:
 - Derive “vertical” from the source (title, audience, regulatory context). If unclear, keep it generic; do not guess.
 - Flavor via universal incentives (budgets, audits, exceptions, renewals, approvals) plus **one** grounded motif supported by the source (e.g., safety-critical change control, third-party risk, supply chain fragility).
 - Do not emit literal placeholders. Resolve them before output.
 - Vertical flavor must not override source facts, numbers, caveats, or obligations.
 ## 0d) Evidence Artifacts (required)
 Treat “evidence” as a first-class failure surface: it’s where controls die quietly.
 Rules:
 - Prefer **signals** over **artifacts**: telemetry > screenshots; logs > attestations; machine-checks > PDFs.
 - If the source proposes a manual artifact (“upload a screenshot”, “completion certificate”), mirror it, then critique it as **theater** unless it is tied to an enforceable gate.
 - Never publish unusable code/config snippets as “evidence”. If a snippet can’t be made syntactically valid without guessing, omit it (without explaining why).
 Operational concreteness (generic; do not fabricate vendor APIs):
 - When you propose “verifiable telemetry”, make it minimally opposable by naming a **signal shape**:
  - **event type** (e.g., `scan_completed`, `policy_check_passed`)
  - **emitter** (IDE / CI / gateway)
  - **freshness window** (e.g., “must be newer than 14 days”)
  - **owner** (who is paged when it goes dark)
 Also consider (when the source is about scanning/guardrails):
 - **Noise is a bypass engine:** if the control is too noisy (false positives, flaky rules), developers will route around it. Do not claim this is true for a specific tool unless the source states it; treat it as a rollout failure mode to test for.
 ## 0e) TV Series Mode (optional)
 When `series_mode=true`, the generator must additionally emit a **Thread Pack** distribution layer (without rewriting the dossier).
 Thread Pack (daily) structure (suggested):
 1. Evening “Next On” teaser (previous day 8:00 PM EST)
 2. Day-of Pre-Show promo (6:00 AM EST) with one hero diagram
 3. Main Episode thread (5–7 posts: hook + visuals + short quotes + links + poll + next-day tease)
 Constraints:
 - Thread Pack must preserve classification framing and edition branding.
 - Thread Pack must not exceed the quoting budget (see 1c).
 - Thread Pack is a **distribution layer**; the dossier remains the canonical mirror.
 v2.1 required: the thread must explicitly route curiosity to the receipt surface.
 - Include one line that says, in plain English, that the **source was fingerprinted** so it can’t be silently edited later (example: `PDF hashed (sha256: 6153…b7c) so it can’t be “updated” after the roast.`).
 - The receipt link must be framed as verification, not compliance. Preferred copy:
  - “Verify I didn’t hallucinate this.”
  - “Proof the PDF said this.”
  - “Receipt + roast.”
 Visual asset pack (optional; thread pack / landing pages only):
 - Use these to make the “classified” look instantly legible (no new claims; purely visual).
 - Stamp: `https://infrafabric.io/static/hosted/review/assets/eyes-only/red-ream-600-600.png`
 - Hero: `https://infrafabric.io/static/hosted/review/assets/eyes-only/red-team-doc-1024-559.jpg`
 ## 0f) Trojan Horse CTA (required)
 The Shadow Dossier is the hook. The receipt is the payload.
 Rules (black/white):
 - Never frame IF.TRACE/T3 as “compliance magic”. Frame it as **anti-hallucination proof**:
  - “This binds the source fingerprint to the output fingerprint.”
  - “If you can’t verify it, treat it as a claim — not a fact.”
 - Do not lead with crypto jargon on the first click.
  - Allowed: “VERIFIED”, “WARNING”, “FAIL”.
  - Allowed: “QUANTUM READY” (receipt present).
  - Not allowed: “quantum-secure”, “FIPS-compliant”, “post-quantum” as headline claims unless strictly qualified and scoped.
 Practical output requirement:
 - Every dossier must make it easy for a skeptic to answer one question:
  - “Did the source actually say that?”
 ---
 ## 1c) Quoting Budget (required for Thread Pack)
 Hard cap:
 - Max **4 short verbatim quotes** in Thread Pack.
 - Quotes must be attributed as: `The source claims: “…”`.
 ---
 ## 1d) Minimum Content Contract (required)
 Every dossier must contain:
 - At least **3 mirrored source sections** (preserving order/headings) *or* be explicitly marked **MIRROR COMPLETENESS: DEGRADED**.
 - At least **1** `> **The Dave Factor:**` callout (tied to a prominent mirrored point).
 - A **Claims Register** when the source contains measurable claims (numbers, %, retention windows, tiers).
 - An **Action Pack** by default (see 5c), unless explicitly disabled for the run.
 - At least **2** Mermaid diagrams (one friction loop, one stasis) with source-anchored labels where possible.
 Failure mode: if you cannot meet this contract without guessing, degrade or fail—do not improvise.
 ---
 ## 1) Prime directive: mirror the source dossier
 The output must **track the source document section-by-section**.
 Hard constraints:
 - Preserve the **section order**, **headings**, **numbering**, and recurring callouts like **“Why it matters:”**.
 - Preserve obvious in-section subheadings when present.
 - Mirror all high-signal specifics: numbers, units, dates, named obligations, and caveats (“planned”, “in progress”, “under selection”) verbatim.
 - Mirror lists/tables fully (no truncation). If a table is long, keep it; that’s the persuasion payload.
 - Do **not** skip sections. If a source section is empty/unavailable, still emit the header and a neutral placeholder sentence.
 - Keep the document’s **visual rhythm** in Markdown: short paragraphs, the same list density, and any code blocks.
 - Keep diagrams as diagrams. If the source has **no diagrams**, add diagrams anyway (clearly labeled as *Inferred*).
 - Do not fabricate URLs. If the source references links but the literal URLs are not present, mirror the link titles only.
 ---
 ## 4) Emoji policy (strict)
 - Do **not** introduce emojis.
 - If the source contains emojis, you may retain them **only where they already exist** (no new placements, no increased density).
 ---
 ## 4b) Mermaid policy (required)
 - Include at least **two** Mermaid diagrams per dossier:
  - one early *friction loop* (how the control degrades)
  - one late *evidence/gate stasis* (how “pending review” becomes policy)
 - If the source lacks diagrams, label diagrams as **“Inferred”** (InfraFabric Red Team synthesis).
 - Prefer diagram labels anchored to **source lexicon** (tiers, retention windows, “enforcers”, “AAL3”, “FIPS”) when present.
 - Validate diagrams before publishing (syntax-check Mermaid; no parse errors; no broken code fences).
 - Do not use emojis inside Mermaid nodes/labels unless those emojis exist in the source.
 - **Deduplication rule:** render each unique diagram **once per dossier** (e.g., in an Annex section). Reference by name in-section (“See Annex: Evidence Drift Loop”). Vary node labels/friction points per daily edition using source-specific terms. Prohibit identical Mermaid code blocks repeated across sections.
 ---
 ## 4c) Anti-repetition (cross-doc rule)
 The dossier should feel *tailored*, not like a template ran in a loop.
 Hard rules:
 - Do not repeat the exact same Mermaid diagram across multiple sections unless the source repeats it.
 - Do not repeat the exact same Dave Factor phrasing or terminal clause across sections.
 - Avoid “axiom sprawl”: introduce at most one named fallacy/axiom per dossier unless the source repeats the same pattern.
 Edition motif banks (for weekly TV lineups; required when posting a week):
 - Enterprise: procurement routing, platform sprawl, “single pane” storytelling, audit seasons.
 - Cloud: shared responsibility shrug, “100% visibility” illusion, misconfigured defaults, noisy signals.
 - Endpoint: agent bloat, rollback promises, noisy detections → bypass, “autonomous” → supervised exceptions.
 - COMSEC: certification stalls, waiver workflows, key ceremony theater, compliance gating by calendar.
 - Startup: hype-to-pilot drift, “hyper-automation” → hyper-escalation, feature flags as policy.
 Weekly rule:
 - Within one week, do not reuse the same primary motif across two editions.
 Extended anti-repetition (required):
 - Limit **The Dave Factor** callouts to **1–2 per dossier** (one core, one variant). Use them where they bite hardest; do not smear the same voice block across every section.
 - Prohibit duplicate prose lines beyond intentional emphasis (max 2x). If you need to echo a point, rephrase it.
 - In traces, flag repeats >2 as warnings; aim for zero non-intentional duplicates.
 ---
 ## 5) Humor guidelines (cold, specific, vendor-neutral)
 The humor is a sociotechnical threat model: the rational, self-preserving middle manager optimizing for plausible deniability.
 Guidelines:
 - Aim at **systems and incentives**, not individuals.
 - Keep it **cold**: forwardable internally without an apology.
 - Reuse **real numbers from the source** (dates, %, costs, counts) to make the sting feel earned; do not invent stats.
 ---
 ## 5b) Red Team callout template (short)
 Inside a mirrored section, include a short callout only when it adds explanatory power.
 > **The Dave Factor:** Where does this control become untestable? What artifact becomes “proof” while the actual signal disappears?
 Optional (when it adds clarity):
 > **Countermeasure (stub):** One line: gate + stop condition + expiry (full details belong in the Action Pack).
 ---
 ## 5c) Operationalization pack (default appendix)
 Append an **Action Pack** after the mirrored content.
 Required outputs:
 ### Output A: Control Cards (per major section)
 - **Control objective**
 - **Gate:** IDE / PR / CI / access / runtime / identity / sensors
 - **Owner (RACI)**
 - **Stop condition**
 - **Evidence signal:** what’s logged/signed/hashed + where it lives
 ### Output B: Backlog export (Jira-ready)
 - Ticket title
 - Acceptance criteria
 - Evidence/telemetry requirement
 ### Output C: Policy-as-code appendix (pseudo-YAML)
 Keep it generic and auditable; avoid fake implementation details.
 Deduplication and variation rules (required):
 - Render the **core control card template** once in an Annex (“Universal Gate Template”).
 - Per-section cards must vary **at least two fields** (e.g., Gate, Stop condition, Evidence) using source lexicon.
 - Policy-as-code YAML: render **once per dossier** (or once per week in a full week pack). Add edition-specific fields only when anchored to source terms (e.g., endpoint: `agent_signal_freshness_days`).
 - Backlog export: limit to **3–5 unique tickets**; consolidate duplicates.
 v2.1 required: include at least one “receipt-first” control.
 - Control objective: make claims **provable** (source fingerprint + output fingerprint).
 - Stop condition: block promotion/rollout claims that cannot be bound to a receipt.
 - Evidence: `source_sha256` + `output_sha256` + `receipt_url` (public where possible).
 ### Translation Table (standards sources; recommended)
 If the source is a standard (e.g., NIST):
 - Extract a small set of **terms that appear in the source** (e.g., PDP/PEP, least privilege, continuous diagnostics).
 - Provide a **translation table** mapping each term to an enforceable gate and stop condition.
 - Label this as **InfraFabric Red Team synthesis** (not source text).
 Annex for shared assets (recommended for all dossiers):
 - Shared Diagrams (render unique Mermaids here once)
 - Universal Control Template
 - Core Policy-as-Code
 - Motif Reference
 In-body references should point to the Annex (example: “See Annex: Evidence Drift Loop (adapted for <source keyword>)”).
 ---
 ## 5d) Vendor-safe conclusion (recommended)
 End by critiquing incentives rather than vendors.
 Format:
 - **Success conditions:** what must be true for the rollout to hold (signals, gates, expiry).
 - **Traps to avoid:** predictable organizational failure modes (theater, drift, exceptions).
 - **Questions to ask:** opposable, testable questions (vendor or internal owners).
 Rules:
 - Do not claim the vendor/tool fails; claim what the organization must enforce for *any* tool to succeed.
 - Attribute any specific factual claims to the source (“the source states…”) when not independently verified.
 v2.1 recommended question:
 - “Can we verify this claim later with a source/output receipt, or is it just a slide?”
 ---
 ## 6) Claims Register (required when the source contains measurable claims)
 When the source includes measurable claims (numbers, %, retention windows, tiers), include:
 ## Claims Register (source-attributed)
 - `The source claims: “<verbatim line>”`
 Do not “normalize” or “improve” claims. If the extracted line is unusable, omit it rather than rewriting it.
 ---
 ## 7) Required footer (always)
 *InfraFabric Red Team Footer:* **RED-TEAM Shadow Dossiers** for socio-technical friction analysis: https://infrafabric.io
 *Standard Dave Footer:* This document is intended for the recipient only. If you are not the recipient, please delete it and forget you saw anything. P.S. Please consider the environment before printing this email.
 ---
 ## 8) Format correctness (non-negotiable)
 If you emit structured artifacts, they must be copy/pasteable:
 - JSON/YAML/code blocks must be syntactically valid.
 - Mermaid blocks must render.
 - Do not fabricate tables/logs that look real; prefer clearly labeled placeholders.
 ---
 ## 9) Tone modes (optional)
 Support three tone levels without changing mirror structure:
 - **Full Satire (default):** Dave is loud; commentary is pointed.
 - **Operational:** fewer jokes; more “failure mode → control → stop condition.”
 - **Executive:** minimal snark; focus on risk framing, owners, and gating.
 Never introduce emojis unless present in source, regardless of tone.