cocottetech/@platform/codebase/@features/prospecting/docs/cross-provider-graph.contract.md

5 KiB

specialist-graph-resolver.contract

Subfeature: cross-provider-graph Tier: P5 (operates above specialist-prospect-resolver) Tenancy: Per-Person specialist instance; query-scoped to consented network. API plane: platform.api (black, :3060). New routes prefixed /prospect-graph/*.

Scope

specialist-graph-resolver answers: given a subject-key derived from this Person's specialist-prospect-resolver output, what does the consented network know? It is read-mostly across the network, write-only within its own tenant.

Reads

Source Purpose
prospect_subject_keys (new table, network-shared, anonymised) Map provider-local prospect rows → cross-provider subject-key.
prospect_subject_aggregates (new, network-shared) Outcomes histogram, qualification fingerprint, velocity hints per subject-key.
provider_graph_consents (new) Per-Person opt-in state for contribution + query.
subject_opt_outs (new) Tombstone list of subject-keys excluded from all surfaces.
prospects, prospect_touchpoints (existing, per-tenant) Resolve outbound subject-key from local row at query time.
coop_peer_attestations (from N-provider-coop) Surface safety flags inline.

Writes

Target Purpose
prospect_subject_aggregates Append-only contributions on outcome events (booked, blocked, ghosted) for consented subjects. Differentially-private noise applied at contribution time, not query time.
graph_query_audit (new) Every cross-provider query is auditable to both contributing and consuming Person.

Never list

  • Never return raw messages, per-provider conversation excerpts, or any free-text from another provider's tenant.
  • Never attribute aggregate signal to a named provider unless that provider opted into attributed contribution for that specific subject-key.
  • Never key on un-hashed PII (phone, email, name); always on the hash chain produced by specialist-prospect-resolver.
  • Never re-surface signal from a Person who has revoked graph consent (their historical contributions remain in aggregates, but attribution and replay are denied).
  • Never auto-merge prospect rows across providers (hard rule per Y §Y4).
  • Never export aggregates outside the platform; the graph is a query interface, not a dataset.

Correction lens

The specialist consumes corrections from upstream peer specialists via mcp__quinn-prospector__* (correction-pattern store). Two correction classes:

  1. Subject-key collisions — provider corrects "this isn't the same person." Specialist down-weights the matching hash dimension for that subject-key and records the correction; if N≥3 providers correct the same collision, the key is split.
  2. Outcome mislabels — provider corrects "this wasn't a no-show, they rescheduled." Specialist updates the contribution and recomputes the velocity hint.

Inputs (MCP tools / endpoints)

  • mcp__platform-prospecting__graph_query(subject_key, scope) — returns aggregates + confidence band.
  • mcp__platform-prospecting__graph_contribute(prospect_id, outcome) — emits a contribution event for the local prospect row (idempotent on (provider_id, prospect_id, outcome_version)).
  • mcp__platform-prospecting__graph_consent(person_id, action) — toggle contribution/query consent.
  • mcp__platform-prospecting__subject_opt_out(subject_key) — tombstone a subject (privileged; requires DSR provenance).

All endpoints are routes on platform.api. The MCP tools live under @ai/@skills/platform-prospecting/actions/ (upstream, not vendored here).

Outputs (to peer specialists)

  • To specialist-prospect-resolver: enriched confidence score on row creation.
  • To specialist-auto-qualify: qualification fingerprint + outcomes histogram for the matched subject.
  • To specialist-warm-intro: network reachability signal (is there a consented peer who has a positive outcome with this subject?).
  • To specialist-strategist: aggregated graph-contribution metrics for the dashboard.

Failure modes

Mode Behaviour
Network partition from black Specialist degrades to provider-local resolver; logs a degraded-mode breadcrumb (per degraded-mode.flow.md). Never silently returns stale aggregates.
Subject erasure mid-query Query returns "subject opted out" sentinel; no aggregates leak.
Consent revoked mid-query Same sentinel; query is denied for that subject only.
Differential-privacy budget exhausted for a subject Aggregates return with widened confidence band; specialist must surface the band to the consuming copilot.
  • cross-provider-graph.brief.md (parent)
  • cross-provider-graph.screen.md (web FE)
  • @features/ai-copilot/docs/specialist-prospect-resolver.contract.md (upstream producer)
  • @features/ai-copilot/docs/L-specialists-fleet.brief.md (fleet topology)
  • @features/ai-copilot/docs/I-audit-trust-replay.brief.md (audit semantics)
  • INFRA.md §4 (where platform.api lives)