# surface-screening — Client-screening platforms as a managed surface category Deep brief for **third-party client-screening platforms** — Preferred411, VerifyHim, SafeForSelect, NotABlacklist, ProviderScreening, TheLastResort, BookingBlacklist, ClientBlacklist (per [O §N6](./O-surfaces-roster.brief.md)). These are **safety-critical** surfaces distinct from native directory reviews (per [surface-tryst.brief.md §8](./surface-tryst.brief.md)) and distinct from Cocotte's own provider-coop ([brief N](./N-provider-coop.brief.md)). They live in their own per-surface brief because the verbs, UX, and risk profile differ meaningfully from N1 content or N2 directories. Follows the [surface-tryst.brief.md](./surface-tryst.brief.md) 13-section template with *Generalization callouts* — written so additional category briefs (`surface-bio-links.brief.md`, `surface-reviews.brief.md`, etc.) inherit structure. ## §1 Surface identity - **What screening platforms are**: subscription services that vet prospective clients. Quinn submits a prospect's identifiers (phone / email / handle); the platform returns a risk-tier verdict based on its database of prior reports + community blocklist. - **Audience model**: providers-only. Clients never directly interact (some require client-side cooperation, e.g. preferred411 client-side verify-form, but Quinn drives). - **Quinn's positioning**: Quinn pays for ~3 screening services concurrently (subscription redundancy = better signal). She runs prospects through them before high-stakes engagements (overnight, tours, premium-tier). - **Why screening is a managed surface**: every "is this prospect safe?" question Cocotte must answer involves a screening lookup. Automating this is high-leverage for safety AND time-saved. *Generalization callout*: every per-surface brief opens with surface identity. Screening shares the safety-critical positioning with N-coop intel; distinguishes itself by being *third-party paid services* vs *peer-coop* vs *Quinn's personal K1*. ## §2 Auth & connect Each screening platform has its own auth shape. Common patterns: - **Preferred411 / VerifyHim / SafeForSelect**: subscription login (username + password + optional 2FA), web-session adapter. - **NotABlacklist / BookingBlacklist / ClientBlacklist**: free-tier read-only access, may not require auth at all (public-blocklist style). - **ProviderScreening / TheLastResort**: subscription + per-lookup credits. Connect flow follows the [tryst-connect.screen.md](./tryst-connect.screen.md) pattern with surface-specific overrides: - Most use Quinn's stored credentials from v2-ported credentials vault (see [_engineering-credentials-vault.md](./_engineering-credentials-vault.md)). - 2FA challenges handled by surface-side flow; Cocotte yields and resumes. *Generalization callout*: same connect pattern as Tryst — per-surface variants differ in credential shape (cookie / login+pwd / API key) and verify-call. The shared `tryst-connect.screen.md` template generalizes to screening + reviews + bio-links. ## §3 Profile data model Screening platforms have **no Quinn-side profile** — they're consumer-only. Quinn's account exists; her "profile" is just subscription state. **The data model is per-lookup**: each screening request is a transaction. | Field | Type | Notes | |---|---|---| | `prospect_identifier` | text (hashed at rest) | phone / email / handle Quinn submits | | `screening_service` | enum | which platform handled the lookup | | `verdict` | enum | `green` / `caution` / `red` / `not_found` / `unverified` | | `risk_factors` | json | platform-specific flag list (NON_PAY / AGGRESSIVE / NO_SHOW / etc.) | | `report_count` | int | how many prior reports underpin this verdict | | `last_report_at` | timestamp | most recent prior incident | | `submitted_at` | timestamp | when Cocotte ran the lookup | | `subscriber_notes` | text | community-submitted free-form context | Screens consuming this: [screening-lookup.screen.md](./screening-lookup.screen.md), [screening-history.screen.md](./screening-history.screen.md) (both to be written; deferred). *Generalization callout*: surfaces that are **lookup services** (not posting-driven) have transaction-based data models rather than profile-state models. Per-surface brief documents transaction shape; this pattern applies to all N6 + N4 partial (e.g. coop intel lookups). ## §4 Visibility heartbeat (N/A) Screening platforms have **no bump-equivalent** — they're consumer-only. Quinn's subscription stays active or lapses; that's the only ambient state. *Generalization callout*: not every surface has a bump-equivalent. Per-surface brief flags absent + documents subscription-state UX (renewal notices, cancel flows) instead. ## §5 Inbox / DM mechanics (N/A) Screening platforms have no inbound DMs. Their "inbox" is the queue of screening requests Quinn submitted + their results. *Generalization callout*: same — lookup services have no DM model. The "inbox" UX is replaced by a "history" UX (per-lookup transactions list, similar to brief I audit-drawer). ## §6 Verification (cross-platform-shared identity) Screening platforms don't verify Quinn; they verify prospects. Quinn's identity is verified only via subscription-payment (per [brief Z](./Z-billing-payments.brief.md)). Per-prospect verification flow varies: - **Preferred411 "client-cooperative" verify**: prospect must submit their own info to Preferred411 (an alternative to Quinn-side lookup). When this happens, Cocotte ingests the result via P411's webhook + surfaces in the screening-history view. - **NotABlacklist / BookingBlacklist**: pure read-only lookups; no prospect-cooperation. *Generalization callout*: lookup surfaces don't have provider-side KYC. They may have *prospect-side* verification flows; per-surface brief documents which support this. ## §7 Location lock (N/A) Screening services are jurisdiction-agnostic (mostly). Per-surface brief flags absent. ## §8 Reviews & testimonials (N/A — but related) Screening platforms aren't review sites (those are N7 — [theeroticreview, punternet, etc.](./O-surfaces-roster.brief.md)). The two are conceptually adjacent: - **Screening (N6)**: "is this client safe?" — verdict-based. - **Reviews (N7)**: "what was this provider like?" — narrative-based. Cocotte ingests both into the same `safety_intel` graph (with provenance per source). *Generalization callout*: per-surface brief flags cross-references to adjacent categories. Important for not duplicating UX across briefs. ## §9 Native metrics Each screening platform exposes consumption metrics: lookups-remaining (for credit-based services), subscription expiry, queue depth (if any). Cocotte surfaces these in settings → screening category. Aggregate metric: **screening coverage rate** — what % of new engagement_events get auto-screened before Quinn engages? Trended in analytics-dashboard.screen.md T2 funnel panel. *Generalization callout*: most surfaces expose consumption / subscription metrics. Per-surface brief documents. ## §10 Surface-side blocklist (the inversion) Unlike directories where Tryst-side block hides Quinn from a client (per [surface-tryst.brief.md §10](./surface-tryst.brief.md)), screening-side block works the *other way*: - Quinn submits a prospect to NotABlacklist / BookingBlacklist (these are *submission targets*, not consumption sources). - The submitted entry becomes visible to *other providers* on the platform. - Quinn's K1 personal block is *also* mirrored to screening platforms with an opt-in chip on [add-blocklist-entry.screen.md](./add-blocklist-entry.screen.md): "Also submit to NotABlacklist / BookingBlacklist (other providers will see)." This is structurally similar to brief N coop reporting (provider-to-provider warning). *Generalization callout*: submission-target surfaces (where Quinn contributes data to a peer network) have inverted block UX vs consumption-target surfaces. Per-surface brief documents direction. ## §11 Rate / service editing UX (N/A) No structured-field editing on screening platforms — Quinn doesn't have a Tryst-style profile here. *Generalization callout*: per-surface brief flags absent for non-posting surfaces. ## §12 Failure modes Screening-specific failure dictionary: | Failure | Detection | UX surface | Voice register | |---|---|---|---| | Subscription lapsed | platform returns "subscriber inactive" on lookup | high-stakes interrupt; auto-pause auto-screening | plain | | Lookup credits exhausted | per-lookup credit balance hits 0 | banner + refill route | plain | | 2FA challenge mid-lookup | platform redirects | high-stakes interrupt | plain | | Prospect not found | empty verdict | inform Quinn + log "no prior reports" — neutral, not failure | hearth/working | | Platform downtime | timeout on lookup endpoint | per brief M §M2a soft-degrade; alternate-screening fallback | plain | | Subscription cancellation surprise | next-billing-cycle email surfaces in iMessage / email | banner: "Your Preferred411 sub canceled. Re-subscribe to keep screening?" | plain | | Platform deprecation / merger | platform tells Cocotte it's shutting down | banner with migration recommendations | plain | *Generalization callout*: every surface has a failure dictionary. Per-surface brief documents the surface-specific symptoms. ## §13 Voice register on screening surfaces When Cocotte surfaces screening results to Quinn (in chat or audit), voice register is **plain** — safety-critical, no metaphor. "Felix verified green on Preferred411" not "Felix passed muster." When Cocotte communicates *to* the screening platform (e.g. submitting a blocklist report), it uses the platform's own form-shape (typically structured fields, not free text). *Generalization callout*: per-surface persona / voice differs. Screening uses plain throughout because misread verdicts are dangerous. Brief T's analytics dashboard uses working register on screening-related metrics (e.g. coverage rate). ## §14 Conversational management (canonical entry points) Per [00-system-conversational-ux.md](./00-system-conversational-ux.md). Screening is **almost entirely conversational** — most interactions are single lookups or submission decisions, both well-suited to chat. Screens (planned but not yet written) only appear for browse-history or moderator-queue depths. ### §14a Verbs Quinn uses Quinn-says → routes to `triage` specialist (per [specialist-triage.contract.md](./specialist-triage.contract.md), which extends to screening platforms) or to a `screening-coordinator` (P2+ specialist if it gets dedicated): | Quinn says | Action | Screen invoked? | |---|---|---| | "screen this client" / "run @felix through screening" | One-shot lookup across active screening services | No — chat receipt with verdict | | "what's @felix look like on preferred411" | Single-service lookup | No | | "submit @felix to bookingblacklist" / "report @felix to NAB" | Submission to a peer-network platform | Single-tap high-stakes confirmation in chat; no full screen unless multi-platform | | "auto-screen new inbounds" / "screen everyone before drafting" | Triage policy: enable auto-screening | No — settings toggle in chat | | "stop auto-screening" / "pause screening" | Policy off | No | | "what screening services am I on" / "subscription status" | Read status | No — chat answers; user can tap "see details" to invoke `screening-history.screen.md` (when written) | | "show me my recent screenings" / "screening history" | Browse history | Invokes `screening-history.screen.md` (planned) — browse-shape | | "what's my screening coverage" / "what % of inbounds get screened" | Metric query | No — chat answers; analytics-dashboard T2 panel renders the trend | | "connect preferred411" / "sign in to verifyhim" | Per-platform auth-grant | Uses the `tryst-connect.flow.md` template pattern (per surface; planned per-platform flows) | | "re-verify my preferred411 subscription" | Subscription renewal | Routes Quinn to the platform's billing flow; Cocotte yields | ### §14b Pure-chat actions (no screen) - All single-prospect lookups (the most common interaction by far). - Submissions to peer-network platforms (one decision per submission; high-stakes confirmation is inline). - Auto-screening policy toggles. - Subscription-status queries. - Coverage metric queries. ### §14c Screen-invoking actions (browse / depth) Only two screening interactions invoke screens: - **Browse screening history** — list view of past lookups (rich-output shape; chat couldn't carry 50+ rows efficiently). `screening-history.screen.md` planned. - **Per-lookup detail** — full record of a single screening result with risk-factors / report-count / notes / subscriber-notes (depth-shape). `screening-lookup.screen.md` planned. Both are **inspector**-shape per [00-system-conversational-ux.md](./00-system-conversational-ux.md). Neither edits state — they show it. ### §14d Cross-surface participation Screening **is a fanout target** for *submission* actions (per [cross-surface-fanout.brief.md §10](./cross-surface-fanout.brief.md)). When Quinn says "block @felix everywhere and submit to peer networks," the resolved audience includes: - Quinn's K1 personal blocklist - All connected screening platforms (NotABlacklist, BookingBlacklist, ClientBlacklist) as submission targets - Coop intel ([brief N](./N-provider-coop.brief.md)) optionally as a publish-target **NOT fanout-participants**: lookups (one prospect per lookup is the design; multi-prospect-batch is a separate feature). Subscription management (per-platform; doesn't generalize). ### §14e Voice-mode adaptations Per [voice-input-settings.screen.md](./voice-input-settings.screen.md). Screening over voice works identically: - "Screen Felix" → spoken verdict + risk summary. - Submission confirmations use the same high-stakes pattern; voice readback of the confirmation phrase before commit. - History browse: spoken summary first; "tap to see screen" for visual. *Generalization callout*: this §14 follows the surface-tryst template ([surface-tryst.brief.md §14](./surface-tryst.brief.md)). The shape is consistent across per-surface briefs; the per-surface contents differ. Future per-surface briefs MUST include §14. ## Related - [O §N6](./O-surfaces-roster.brief.md) — the surfaces roster. - [Brief N](./N-provider-coop.brief.md) — coop intel (peer network); screening is *third-party paid services*. Both feed Cocotte's safety graph. - [Brief K §K1](./K-safety-blocklist.brief.md) — Quinn's personal blocklist (companion). - [Brief I](./I-audit-trust-replay.brief.md) — every screening lookup = audit row. - [Brief M](./M-error-degraded-modes.brief.md) — degradation playbook. - [specialist-triage.contract.md](./specialist-triage.contract.md) — primary consumer; auto-screens before drafting replies. - [Brief Z](./Z-billing-payments.brief.md) — screening subscriptions appear in billing. - [add-blocklist-entry.screen.md](./add-blocklist-entry.screen.md) — opt-in to also-submit-to-screening-platforms. - [analytics-dashboard.screen.md](./analytics-dashboard.screen.md) — T2 panel surfaces screening coverage rate. - [_engineering-credentials-vault.md](./_engineering-credentials-vault.md) — v2 credentials-vault port enables stored screening logins. ## Out of scope - Per-screening-platform screens — defer to future `screening-lookup.screen.md` and `screening-history.screen.md` once specialist code starts. - Bulk-import of historical screening results from Quinn's existing manual workflow — defer to a one-time migration tool. - AI risk-scoring on top of screening results — defer; today Cocotte surfaces the platform's verdict directly. ## Generalization summary This brief established the **second per-surface brief shape**. Differs from surface-tryst.brief.md (which is for *operate-on-this-platform* surfaces) by: - Multiple sections marked N/A (no bumps, no DMs, no profile schema, no location lock, no native reviews). - §10 blocklist is *inverted* (submission target, not consumption target). - §3 data model is per-transaction (not per-profile). Per-surface briefs split roughly into: - **Operate-on** (Tryst, TS4Rent, Slixa, Eros, OnlyFans, X, IG…) — full 13-section completion. - **Consume-from / lookup** (screening, reviews, bio-link aggregators) — partial sections with N/A flags. - **Submit-to** (community blocklists, coop intel) — inverted §10 + submission UX. Future briefs declare which shape they're using upfront; sections N/A are explicit, never skipped.