
Court-ready evidence bundle, E2E case sharing, and repair-request letters #16

Open
ChelseaKR wants to merge 3 commits into main from feat/evidence-bundle-and-sharing

@ChelseaKR

Owner

Three recipient-facing features for getting documented habitability evidence in front of a court, an organizer, or a landlord — built on the existing crypto + CRDT primitives, preserving the offline-first and end-to-end-encryption guarantees. No bundle-schema change, no packet_version bump; the golden-packet corpus is unaffected.

1. Court-ready PDF evidence bundle export

packet.html and packet.pdf now open with a cover sheet (case, scope, counts, producer device, date range), a single chronological evidence timeline interleaving logged notes with captured photos across every issue in time order, and a chain-of-custody / integrity summary (per-item content hashes, RFC 3161 timestamp authorities + archive counts, the append-only custody-chain head).

  • New pure bundleview module derives all three views from the already-signed bundle.json, so the HTML and PDF cannot drift and the views are as reproducible as the bundle.
  • Accessible HTML remains the conformant rendering (ADR 0004) and passes the axe-core gate with the new sections; the PDF keeps its accessibility hygiene (declared language, displayed title, navigable outline, selectable text). No PDF/UA claim is made — reportlab still can't emit a structure tree.

2. E2E-encrypted, redactable case sharing with an organizer

New habitable share / receive: a tenant hands a case — or a chosen subset of issues, optionally with the unit label redacted — to an organizer who was not on the case.

  • Payload is a CRDT subset (CaseDocument.subset_state) plus the sealed originals/tokens for the selected captures, signed by the tenant and sealed to the organizer's X25519 public key. A relay/courier sees only ciphertext; a wrong recipient opens nothing; a share for a different case is rejected; re-import is idempotent.
  • Trust is direct and out-of-band (verify the short fingerprint), no key directory — see docs/sharing-trust-model.md.

3. Repair-request letter generator

New habitable letter turns the logged evidence into a dated repair-request / notice letter to the landlord, as an accessible HTML letter (axe-clean) and a PDF.

  • Jurisdiction-awareness is framing-only: built-in profiles (generic, us_habitability) make no statute-specific claim (a test guards against §/U.S.C creeping in), overridable via a new [letter] config block; a standing "not legal advice" disclaimer travels with every letter. Assumptions in docs/letter-generator.md.

Verification

  • make verify green: ruff + mypy --strict + pytest with coverage 87% (floor 85).
  • axe-core a11y gate green for the new packet sections and the letter HTML.
  • 31 new tests (views, both renderings, letter, sharing round-trips/redaction/idempotency, CLI wiring). Existing golden-packet and verifier tests unchanged and passing.

For human review

  • Sharing trust/key-exchange model — security rests on the out-of-band fingerprint check; a field rollout should make that step hard to skip (e.g. QR exchange). Sharing original bytes to a verified organizer is a deliberate, documented disclosure (they retain full metadata); a "shared-copies-only" lower-trust mode is noted as future work.
  • Letter jurisdiction assumptions — the 14-day default cure period is a placeholder, not a legal deadline; the implied-warranty framing is hedged ("most"/"where recognized"). Locally-verified statutory citations belong in [letter] config, never hard-coded.

🤖 Generated with Claude Code
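
The out-of-band fingerprint check flagged under "For human review", sketched as a gate that has to be passed before anything is sealed. This is an added example, not code from this pull request: the fingerprint format (truncated, domain-separated SHA-256 in base32), the function names and the sample keys are all assumptions.

```python
import base64
import hashlib

# Constructed sample keys (32 bytes each); not real key material.
ORGANIZER_KEY = bytes(range(32))
SUBSTITUTED_KEY = bytes(range(1, 33))


def short_fingerprint(public_key: bytes) -> str:
    """Assumed format: first 80 bits of a domain-separated SHA-256, base32, 4x4."""
    if len(public_key) != 32:  # X25519 public keys are exactly 32 bytes
        raise ValueError("expected a 32-byte X25519 public key")
    digest = hashlib.sha256(b"share-fingerprint-v1\x00" + public_key).digest()
    text = base64.b32encode(digest[:10]).decode("ascii")  # 10 bytes -> 16 chars
    return "-".join(text[i:i + 4] for i in range(0, 16, 4))


def _normalize(entered: str) -> str:
    """Drop separators and case so a read-aloud or typed value compares cleanly."""
    return "".join(ch for ch in entered.upper() if ch.isalnum())


def confirm_recipient(public_key: bytes, entered_fingerprint: str) -> bytes:
    """Return the key to seal to only when the out-of-band fingerprint matches.

    The fingerprint is a required argument, so a caller cannot reach the
    sealing step without supplying what the organizer read out or displayed.
    """
    entered = _normalize(entered_fingerprint)
    if not entered:
        raise PermissionError("no fingerprint supplied; refusing to seal")
    # Exact match on the full value: a truncated or partial entry is rejected.
    if entered != _normalize(short_fingerprint(public_key)):
        raise PermissionError("fingerprint mismatch; refusing to seal")
    return public_key
```

A key swapped in transit yields a different fingerprint, so the value the organizer reads out no longer matches and the share is never sealed to the wrong key.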

ChelseaKR and others added 3 commits June 29, 2026 21:52
…ganizer

Add `habitable share` / `receive` so a tenant can hand a case — or a chosen
subset of issues, optionally with the unit label redacted — to a tenant-union
organizer who was not previously on the case, preserving end-to-end encryption.

Reuses the existing primitives unchanged: the payload is a CRDT *subset*
(new `CaseDocument.subset_state`, a well-formed subset state that is still a
valid commutative/idempotent join) plus the sealed originals and RFC 3161
tokens for the selected captures, signed by the tenant's device key and sealed
to the organizer's X25519 public key. A relay or courier sees only ciphertext;
a wrong recipient opens nothing; a share for a different case is rejected
(`import_messages` gains a `require_case_id` guard); re-import is idempotent.

Trust is direct and out-of-band (verify the short fingerprint), with no key
directory — documented in docs/sharing-trust-model.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
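
The subset, redaction, case-guard and idempotency properties claimed in the commit message above, shown on a toy grow-only CRDT. This is an added example, not the project's `CaseDocument`: only the names `subset_state` and `require_case_id` come from the commit message, while `ToyCase`, `join`, `receive` and the sample data are hypothetical, and signing and sealing are left out.

```python
from __future__ import annotations

from dataclasses import dataclass, field

Entry = tuple[str, str]  # (ISO timestamp, note text)


@dataclass(frozen=True)
class ToyCase:
    """Toy stand-in for a case document: grow-only sets of entries per issue."""
    case_id: str
    unit_label: str = ""  # empty string means redacted or unknown
    issues: dict[str, frozenset[Entry]] = field(default_factory=dict)

    def subset_state(self, issue_ids: set[str], redact_unit: bool = False) -> ToyCase:
        """Project the state onto chosen issues; the result is itself a valid state."""
        picked = {k: v for k, v in self.issues.items() if k in issue_ids}
        return ToyCase(self.case_id, "" if redact_unit else self.unit_label, picked)


def join(a: ToyCase, b: ToyCase) -> ToyCase:
    """Least upper bound: set union per issue, max() for the label register."""
    if a.case_id != b.case_id:
        raise ValueError("cannot join states of different cases")
    merged = dict(a.issues)
    for issue, entries in b.issues.items():
        merged[issue] = merged.get(issue, frozenset()) | entries
    # max() keeps a real label over the empty (redacted) one, in either order.
    return ToyCase(a.case_id, max(a.unit_label, b.unit_label), merged)


def receive(local: ToyCase, share: ToyCase, require_case_id: str) -> ToyCase:
    """Import a share only if it belongs to the case the recipient expects."""
    if share.case_id != require_case_id:
        raise ValueError("share is for a different case; rejected")
    return join(local, share)


# Constructed sample data.
TENANT = ToyCase("case-A", "Unit 4B", {
    "mold": frozenset({("2026-01-03T09:00Z", "ceiling leak, bedroom")}),
    "heat": frozenset({("2026-01-05T18:30Z", "no heat overnight")}),
})
SHARE = TENANT.subset_state({"mold"}, redact_unit=True)
```

Because the subset sits below the full state in the join order, merging it back into the tenant's own document changes nothing, and importing it twice on the organizer's side gives the same result as importing it once.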
…etter

Two recipient-facing features that build on the signed bundle and the logged
evidence:

Court-ready bundle. Every exported packet.html and packet.pdf now opens with a
cover sheet (case, scope, counts, producer device, date range), a single
chronological evidence timeline interleaving logged notes and captured photos
across all issues, and a chain-of-custody / integrity summary (per-item content
hashes, RFC 3161 timestamp authorities and archive counts, the append-only
custody-chain head). A new pure `bundleview` module derives all three views
from the existing, already-signed bundle.json — no schema change, no
packet_version bump, golden packets unaffected — so the HTML and PDF cannot
drift. The accessible HTML stays the conformant rendering (ADR 0004) and passes
the axe-core gate with the new sections.

Repair-request letter. `habitable letter` turns the logged evidence into a
dated repair-request / notice letter to the landlord, rendered as an accessible
HTML letter (axe-clean) and a PDF. Jurisdiction-awareness is framing-only:
built-in profiles (generic, us_habitability) make no statute-specific claim and
are overridable via a new [letter] config block; a standing "not legal advice"
disclaimer travels with every letter. Assumptions documented in
docs/letter-generator.md.

Adds tests for the views, both renderings, the letter, sharing CLI wiring, and
the letter CLI. make verify green (ruff + mypy strict + pytest, 87% coverage);
axe-core a11y gate green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…e claims

The no-hard-coded-statute contract covers the whole built-in profile, but
the guard only scanned legal_reference. Iterate all PROFILES and assert no
§ / U.S.C. (and spaced variant) in label, framing, and legal_reference —
the framing string also renders into the letter a recipient reads.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2 participants