{"id":"progress/era-history","relativePath":"progress/era-history.md","title":"Meta Museum — Era Delivery History","markdown":"# Meta Museum — Era Delivery History\n\nArchived detailed record of the completed delivery eras (Lift / Hardening / SOTA), moved out of the active [roadmap](../roadmap.md) to keep it current. This is the slice-by-slice and B-/C-series implementation log; the roadmap holds the live status and the forward plan ([roadmap-to-10.md](../roadmap-to-10.md)).\n\n---\n## Three eras\n\nScope honestly. The SOTA spec is a 20-week, multi-service, multi-store target. We get there in three eras with hard exit gates between them.\n\n| Era | Theme | Outcome | Tier |\n|---|---|---|---|\n| **A. Lift** | Move what exists into Next.js 16 + custom CSS | Public site + research workspace at parity with legacy prototype, on a modern stack | Slices 1-10 |\n| **B. Hardening** | Make the data layer trustworthy | Zod-mirrored contracts, SHACL validation, ValidationReport, Postgres swap, real auth | Quarters 2-3 post-lift |\n| **C. SOTA** | The full Yale-LUX-pattern platform | Multi-modal store, HAL hypermedia, Visual ETL Mapper, NL→SPARQL, Graph-RAG, IIIF deep-zoom, Meta Wiki Art bridge | Quarter 4+ |\n\n**Cardinal rule:** do not start a later era until the prior era's exit gate is green. Don't ship a SHACL validator on top of a JSON-file store, and don't ship Graph-RAG on top of unvalidated records.\n\n---\n\n## Era A — The Lift (10 slices, PR-sized each)\n\nGoal: end the era with the legacy prototype's full feature set running natively on Next.js 16, custom CSS, App Router + RSC, with the dependency rules from `_legacy/AGENTS.md` preserved (adapters don't cross-import; contracts are leaves; `_source.raw` is immutable).\n\n### Slice 0 — Staging (DONE)\n\nSee §Status above.\n\n### Slice 1 — Foundations (TDD infra first) (DONE)\n\nPort the dep-free leaves so everything else can be built on them. **Test infra lands before any port.**\n\nOrder within the slice:\n- [x] ✅ **Test infra**: `tsx` dev dependency + `\"test\": \"node --import tsx --test tests/**/*.test.ts\"` + smoke test (`tests/smoke.test.ts`) landed; `pnpm test` green.\n- [x] ✅ **Port test-first.** Legacy tests were ported and implementations landed for the specified dep-free leaves.\n - [x] ✅ `src/constants.ts` (port of `_legacy/src/constants.js`)\n - [x] ✅ `src/contracts/*.ts` — all 8 (`artwork`, `source-record`, `rights-report`, `import-job`, `agent-task`, `citation`, `shared-structures`, `wiki-draft`)\n - [x] ✅ `src/utils/{text,rights,http,storage,linked-art}.ts` (leaf utils)\n- [x] ✅ No routes, no UI changes in this foundation slice scope.\n\n**Acceptance**: `pnpm test` green with full coverage of legacy `tests/contracts/*` and `tests/utils/{linked-art,validation-report}.test.ts`. `pnpm build` green. No new client-side bundle weight. Every implementation file has at least one corresponding test file.\n\n### Slice 2 — Met vertical (canary) (DONE)\n\nProve the route-handler pattern end-to-end with the simpler of the two adapters.\n\n- [x] ✅ `src/adapters/{adapter-utils,provider-interface,met}.ts` + tests\n- [x] ✅ Route handlers (all `app/api/.../route.ts`): `/health`, `/met/profile`, `/met/departments`, `/met/search` (POST), `/met/object` (POST), `/met/import` (POST)\n- [x] ✅ `app/explore/page.tsx` — minimal custom-CSS UI calling `/api/met/search`, showing image cards\n- [x] ✅ `app/layout.tsx` — `Create Next App` metadata replaced; shell landed and evolved in later slices\n\n**Acceptance**: User can search Met for \"flowers\", click a result, see object detail JSON. Loading/empty/error states present. No Linked Art shortcuts taken — Met objects normalize through the `Artwork` contract before display.\n\n### Slice 3 — Getty vertical (DONE)\n\nSame shape as Slice 2 for Getty (more endpoints).\n\n- [x] ✅ `src/adapters/getty.ts` + tests\n- [x] ✅ Routes: `/getty/profile`, `/getty/entity` (POST), `/getty/import` (POST), `/getty/activity` (GET), `/getty/sparql` (POST)\n- [x] ✅ `app/explore/page.tsx` extended with provider toggle (Getty / Met / both; later expanded further)\n- [x] ✅ `app/getty/page.tsx` — SPARQL playground + ActivityStream peek\n\n**Acceptance**: Both providers reachable from `/explore`. Getty SPARQL playground returns rows. Rights and source attribution rendered on every card.\n\n### Slice 4 — Records + Artworks + Entities (DONE)\n\nThe persistence-touching slice. Storage stays JSON files in `storage/`.\n\n- [x] ✅ `src/utils/{artwork-builder,artwork-facets,entities,relationships}.ts` + tests\n- [x] ✅ Routes: `/records` (GET/POST), `/records/[id]` (GET), `/artworks/[id]` (GET), `/entities` (GET), `/entities/[id]` (GET), `/explorer/artworks` (GET), `/explorer/import` (POST)\n- [x] ✅ Pages: `app/records/page.tsx`, `app/artwork/[id]/page.tsx`, `app/entity/[id]/page.tsx`\n- [x] ✅ Async-`params` patterns applied per Next 16 requirements.\n\n**Acceptance**: Import a Met or Getty record from `/explore`; it appears on `/records`; clicking it opens `/artwork/[id]` with maker, date, materials, rights, citation, and a list of pivotable entities. Each entity link opens `/entity/[id]`.\n\n### Slice 5 — Linked Art Inspector + Roadmap + Best-Practices (DONE)\n\nPort the JSON-LD inspect/import workflow plus the two reflective endpoints.\n\n- [x] ✅ `src/utils/best-practices-audit.ts` + tests\n- [x] ✅ Routes: `/linked-art/profile`, `/linked-art/inspect` (POST), `/linked-art/import` (POST), `/roadmap`, `/best-practices`\n- [x] ✅ Pages: `app/linked-art/page.tsx`, `app/roadmap/page.tsx`\n- [x] ✅ `/api/roadmap` returns this document as structured JSON; `/api/best-practices` preserves legacy audit semantics.\n\nStarted in this pass:\n- [x] ✅ `src/utils/best-practices-audit.ts` + tests.\n- [x] ✅ `/api/roadmap` route returning structured JSON.\n- [x] ✅ `/api/best-practices` route running the audit against stored records.\n- [x] ✅ `app/roadmap/page.tsx` initial UI shell.\n- [x] ✅ `/linked-art/profile`, `/linked-art/inspect`, `/linked-art/import` routes.\n- [x] ✅ `app/linked-art/page.tsx` full inspect/import workflow UI.\n\n**Acceptance**: Paste a Linked Art JSON-LD blob → see the inspection report. The roadmap page renders this file's phases and exit gates.\n\n### Slice 6 — Patterns + Graph (DONE)\n\nPort pattern discovery and the graph view.\n\n- [x] ✅ `src/utils/patterns.ts` + tests\n- [x] ✅ Routes: `/patterns` (POST), `/graph` (GET)\n- [x] ✅ Pages: `app/patterns/page.tsx`, `app/graph/page.tsx` (Cytoscape force-directed — first external runtime dep; `cytoscape` + `cytoscape-cose-bilkent` per SOTA §3.2)\n\n**Acceptance**: Pattern scan produces buckets for unknown makers, missing dates, shared concepts. Graph page renders nodes (artworks + entities) with click-to-pivot.\n\nStarted in this pass:\n- [x] ✅ `src/utils/patterns.ts` + tests.\n- [x] ✅ `/api/patterns` route returning unknown + shared buckets.\n- [x] ✅ `/api/graph` route returning artwork/entity nodes + edges with pivot hrefs.\n- [x] ✅ `app/patterns/page.tsx` pattern scan UI.\n- [x] ✅ `app/graph/page.tsx` + `src/components/graph-viewer.tsx` Cytoscape force-directed graph UI.\n- [x] ✅ Runtime deps: `cytoscape`, `cytoscape-cose-bilkent`.\n\n### Slice 7 — Issues + SSE (DONE)\n\nThe streaming case.\n\n- [x] ✅ Route: `/issues` (GET), `/issues/webhook` (POST), `/issues/stream` (GET — `ReadableStream`, `export const dynamic = 'force-dynamic'`)\n- [x] ✅ Page: `app/issues/page.tsx` with the live-updating issue inventory (re-uses `_legacy/storage/linked-art-issues.json` as a fallback cache, refreshes from GitHub on a `revalidate` cadence)\n\n**Acceptance**: Issues view loads from cache instantly, hot-updates from SSE without a refresh, and respects the same `GITHUB_OWNER`/`GITHUB_REPO`/`ISSUE_POLL_MS` env vars as the legacy server.\n\nStarted in this pass:\n- [x] ✅ `src/services/issues.ts` service with legacy-compatible env vars, live GitHub fetch, local runtime cache, and `_legacy/storage/linked-art-issues.json` fallback.\n- [x] ✅ `/api/issues` route with optional `?refresh=1` force refresh.\n- [x] ✅ `/api/issues/webhook` route with optional signature verification and issue-event refresh hooks.\n- [x] ✅ `/api/issues/stream` route using `ReadableStream` SSE (`dynamic = \"force-dynamic\"`).\n- [x] ✅ `/issues/webhook` + `/issues/stream` direct route aliases for legacy-compatible pathing.\n- [x] ✅ `app/issues/page.tsx` + `src/components/issues-workbench.tsx` live issue inventory UI with SSE updates.\n- [x] ✅ New tests for service + routes: `tests/services/issues.test.ts`, `tests/api/issues.test.ts`, `tests/api/issues-webhook.test.ts`, `tests/api/issues-stream.test.ts`.\n\n### Slice 8 — Agents + Jobs + Content Generation + Automation (DONE)\n\nPort the agent/job stubs as-is. No new agent logic this slice — just parity.\n\n- [x] ✅ Routes: `/agents/run` (POST), `/content/generate` (POST), `/jobs` (GET), `/jobs/run` (POST)\n- [x] ✅ Pages: `app/agents/page.tsx`, `app/automation/page.tsx`\n\n**Acceptance**: Manual pattern scan + collection brief jobs runnable from the UI; output appears in `app/automation/page.tsx`.\n\nStarted in this pass:\n- [x] ✅ `src/services/agents.ts` with legacy-parity agent/content stubs (`runAgent`, `generateContent`) and local fallback drafting.\n- [x] ✅ `src/services/jobs.ts` JSON-backed manual jobs service with seeded defaults and `lastRun` updates.\n- [x] ✅ `/api/agents/run`, `/api/content/generate`, `/api/jobs`, `/api/jobs/run` routes.\n- [x] ✅ Legacy-compatible direct route aliases: `/agents/run`, `/content/generate`, `/jobs`, `/jobs/run`.\n- [x] ✅ `app/agents/page.tsx` + `src/components/agents-workbench.tsx` for manual agent and content runs.\n- [x] ✅ `app/automation/page.tsx` + `src/components/automation-workbench.tsx` for job execution and output review.\n- [x] ✅ Route tests: `tests/api/agents-run.test.ts`, `tests/api/content-generate.test.ts`, `tests/api/jobs.test.ts`, `tests/api/jobs-run.test.ts`.\n\n### Slice 9 — Workspace chrome + design-system pass (Custom CSS) (DONE)\n\nNow everything works route-by-route. Unify the visual layer.\n\n- [x] ✅ `app/(workspace)/layout.tsx` route group — sidebar nav + topbar, all custom CSS\n- [x] ✅ Expand `app/globals.css` design tokens + component classes to cover every recurring pattern; keep BEM-lite naming consistent\n- [x] ✅ Implement the design-system atomics from SOTA §12.1 in `src/components/` with a `data-la-entity-id` attribute on every entity-derived element: ``, ``, ``, ``, `` (already in Slice 2), ``, ``\n- [x] ✅ Entity cards (SOTA §12.2): ``, ``, ``, ``\n- [x] ✅ a11y pass: axe-core in CI; keyboard nav on all interactive surfaces; WCAG 2.1 AA on public pages\n\n**Acceptance**: Lighthouse a11y ≥ 95 on `/`, `/explore`, `/artwork/[id]`. Storybook scaffold (vite-based, no Next coupling) for the atomic components.\n\nStarted in this pass:\n- [x] ✅ `app/(workspace)/layout.tsx` route-group shell with keyboard-first skip link, sidebar navigation, and topbar.\n- [x] ✅ Workspace pages moved under `app/(workspace)/...` so URLs stay unchanged while sharing common chrome.\n- [x] ✅ Expanded `app/globals.css` with workspace shell classes and reusable design-system component classes.\n- [x] ✅ Added atomics in `src/components/`: `LinkedDate`, `LinkedDimensions`, `LinkedLabel`, `UriBadge`, `SourceBadge`, `CitationBlock`; extended `RightsBadge` with `data-la-entity-id`.\n- [x] ✅ Added entity cards in `src/components/`: `ObjectCard`, `ActorCard`, `PlaceCard`, `ConceptCard`.\n- [x] ✅ Wired new components into `/explore`, `/artwork/[id]`, `/entity/[id]`, and `/records`.\n- [x] ✅ Added component tests: `tests/components/linked-atomics.test.ts`, `tests/components/entity-cards.test.ts`.\n- [x] ✅ Added CI workflow at `.github/workflows/ci.yml` running lint, tests, build, Playwright install, axe accessibility checks, and Lighthouse CI assertions.\n- [x] ✅ Added Vite-based Storybook scaffold (`.storybook/*`) and atomic stories (`src/components/atomics.stories.tsx`), validated with `pnpm storybook:build`.\n\n### Slice 10 — Lift cleanup (DONE)\n\n- [x] ✅ Delete `_legacy/` (empty by now or only contains files we deliberately chose not to port)\n- [x] ✅ Rewrite `README.md` from the Next.js side; preserve the legacy product narrative\n- [x] ✅ Confirm `metamuseum-legacy/` can be archived/deleted (verified absent at `C:\\Projects\\metamuseum-legacy`).\n- [x] ✅ Security credential rotation moved to Era B operational preflight tracking (see `Pre-Era-C Operational Sign-Off` under Era B).\n- [x] ✅ Document the env-var surface (`PORT`, `GITHUB_OWNER`, `GITHUB_REPO`, `ISSUE_POLL_MS`, future `DATABASE_URL`) in `docs/env.md`\n\nStarted in this pass:\n- [x] ✅ Added automated parity gate test: `tests/quality/era-a-exit-gate.test.ts` (legacy route/view equivalents + route-test coverage checks).\n- [x] ✅ Lighthouse a11y gate now runs reliably in local Windows env via `scripts/lighthouse-a11y.mjs` (no `chrome-launcher` temp-dir cleanup failure path).\n- [x] ✅ `_legacy/` removed from workspace.\n- [x] ✅ Verified `C:\\Projects\\metamuseum-legacy` is absent as of **May 30, 2026** (already archived/deleted outside this repo).\n\n**Era A exit gate (must all be green):**\n- [x] ✅ Legacy API routes have Next 16 equivalents, tested (`tests/quality/era-a-exit-gate.test.ts`; current legacy snapshot evaluates to 33 route handlers).\n- [x] ✅ Legacy SPA views have Next 16 page equivalents (`tests/quality/era-a-exit-gate.test.ts`; current legacy snapshot evaluates to 13 named views).\n- [x] ✅ `pnpm build && pnpm test && pnpm lint` clean (validated in `metamuseum` conda env on May 30, 2026).\n- [x] ✅ Lighthouse a11y ≥ 95 on the public pages (`/`, `/explore`, `/artwork/[id]`) via `pnpm lighthouse:ci`.\n- [x] ✅ `_legacy/` deleted.\n- [x] ✅ `metamuseum-legacy/` archived/deleted (path not present at `C:\\Projects\\metamuseum-legacy` on May 30, 2026).\n\n---\n\n## Era B — Hardening (quarters, not weeks)\n\nGoal: make the data layer trustworthy enough that AI agents and external consumers can rely on it. The Era A app keeps shipping during this era; we add validation and durable storage *under* it.\n\nSlices in suggested order, but each is independently shippable:\n\n### B1 — Zod contracts + schema versioning\n\n- [x] ✅ Mirror every `src/contracts/*.ts` as a Zod schema in `src/contracts/zod/*.ts`\n- [x] ✅ Add `schemaVersion` field + a `src/utils/migrations/` registry\n- [x] ✅ Server Actions and Route Handlers validate at the boundary with the Zod schemas\n\nStatus:\n- [x] ✅ Completed.\n\n### B2 — Formal validation\n\n- [x] ✅ Build a Python validation microservice (FastAPI + PySHACL + PyLD) — first non-Node service\n- [x] ✅ SHACL shapes in `shapes/linked-art/*.shacl.ttl`, fixtures in `fixtures/linked-art/{pass,fail}/`\n- [x] ✅ New route `app/api/validate/route.ts` proxies to it\n- [x] ✅ New contract `ValidationReport` (SOTA §5.1) wired into inspect/import flows\n- [x] ✅ Validation fixtures and route assertions are checked against [linked-art/LinkedArtModel1.0-Reference.md](linked-art/LinkedArtModel1.0-Reference.md) before merge.\n\nStatus:\n- [x] ✅ Completed.\n\n### B3 — Postgres migration\n\n- [x] ✅ Postgres 16 via Docker Compose for dev (`ops/docker-compose.yml`)\n- [x] ✅ Migrate `storage/{records,jobs}.json` → Postgres JSONB tables via a one-time exporter that double-writes for one release, then cuts over\n- [x] ✅ Replace `src/utils/storage.ts` JSON-file impl with a Postgres impl behind the same interface; no call sites change\n- [x] ✅ Add `next-env.d.ts` env validation with Zod for `DATABASE_URL`\n\nStatus:\n- [x] ✅ Completed.\n- [x] ✅ Added `ops/docker-compose.yml` + `ops/postgres/init/01-storage.sql` (Postgres 16 dev runtime + table bootstrap).\n- [x] ✅ Added `scripts/export-storage-to-postgres.ts` one-time exporter and `pnpm storage:export:postgres`.\n- [x] ✅ `src/utils/storage.ts` now supports `file`, `double-write`, and `postgres` modes for the centralized managed-document contract behind unchanged `readJson/writeJson`.\n- [x] ✅ Added Zod-backed runtime env parsing for `DATABASE_URL` + storage mode in `src/utils/env.ts` and typed env keys in `next-env.d.ts`.\n- [x] ✅ Updated `records` and `jobs` services to avoid file-`stat` assumptions so Postgres cutover does not require call-site changes.\n\n### B4 — Auth + roles\n\n- [x] ✅ Verify and document production credential rotation for `AUTH_SECRET` + `AUTH_GITHUB_SECRET` (operational sign-off completed; see [`docs/ops/auth-credential-rotation.md`](docs/ops/auth-credential-rotation.md) and `Pre-Era-C Operational Sign-Off`).\n- [x] ✅ Add Auth.js v5 with GitHub provider for write paths (`/api/records` POST, `/api/explorer/import`, `/api/getty/import`, `/api/met/import`, `/api/linked-art/import`, `/api/jobs/run`)\n- [x] ✅ Roles: `public` (read only), `researcher` (read + import), `editor` (import + agent jobs), `admin` (all)\n- [x] ✅ Middleware gates write routes; UI conditionally renders import/run buttons\n\nStatus:\n- [x] ✅ Completed.\n- [x] ✅ Added Auth.js v5 (`next-auth@5.0.0-beta.31`) with GitHub provider in root `auth.ts`.\n- [x] ✅ Added `/api/auth/[...nextauth]` handlers.\n- [x] ✅ Added centralized role mapping in `src/auth/roles.ts` (public/researcher/editor/admin with allowlist env vars).\n- [x] ✅ Added Next 16 `proxy.ts` route gates for write paths (`/api/records` POST, `/api/explorer/import`, `/api/getty/import`, `/api/met/import`, `/api/linked-art/import`, `/api/jobs/run`) plus editor-only agent endpoints.\n- [x] ✅ UI now conditionally enables import/run controls in linked-art, agents, and automation workbenches based on resolved role.\n- [x] ✅ Rotate production GitHub OAuth credentials if any legacy values are still active (operational follow-up reminder remains until verified).\n\n### B5 — Provider expansion\n\n- [x] ✅ New adapters for Harvard, Smithsonian Open Access, Rijks, RKD Knowledge Graph, National Gallery of Art Open Data, Louvre Collections JSON, V&A Collections API, Princeton University Art Museum API, Europeana, AIC, CMA (SOTA §27.1) — each shipped with route + adapter + tests.\n- [x] ✅ Each adapter implements the `provider-interface` contract; cross-adapter imports remain forbidden.\n- [x] ✅ `/explore` import flow now accepts all landed provider source IDs (`met`, `getty`, `rijks`, `nga`, `louvre`, `harvard`, `smithsonian`, `vanda`, `princeton`, `europeana`, `aic`, `cma`).\n- [x] ✅ Provider slices include executable conformance tests mapped to [linked-art/LinkedArtModel1.0-Reference.md](linked-art/LinkedArtModel1.0-Reference.md) fixture anchors.\n\n**Acceptance for each upcoming provider slice (object-specific AIDD + TDD gates):**\n- [x] ✅ Failing-first contract tests verify culturally valued physical objects normalize as `HumanMadeObject` unless explicit evidence requires another canonical class.\n- [x] ✅ Failing-first tests verify production/destruction remain structured activity/event nodes when present (not flattened to display-only strings).\n- [x] ✅ Failing-first tests verify physical characteristics (dimensions/materials/parts) are preserved as structured data when available.\n- [x] ✅ Failing-first tests verify ownership/location assertions remain distinct from non-ownership rights/reuse assertions.\n- [x] ✅ Failing-first tests verify physical object identity remains distinct from digital surrogates/representations while preserving linkage.\n- [x] ✅ Failing-first regression tests verify immovable/place-centric records are not coerced into moveable-object assumptions.\n- [x] ✅ Route-level tests verify inspect/import outputs preserve the above structures without mutating canonical source fields.\n\n**Acceptance for each upcoming provider slice (digital-content AIDD + TDD gates):**\n- [x] ✅ Failing-first contract tests verify `DigitalObject` records preserve `access_point`, `format`, and `conforms_to` when provided.\n- [x] ✅ Failing-first tests verify digital object creation events use `Creation` semantics where present, without coercion to physical-object production semantics.\n- [x] ✅ Failing-first tests verify content/carrier separation is preserved (`DigitalObject` versus `VisualItem`/`LinguisticObject`) without collapsing layers.\n- [x] ✅ Failing-first tests verify surrogate linkage can preserve shared visual content (`shows` and `digitally_shows`) when provider data supports it.\n- [x] ✅ Failing-first tests verify web-page and document references preserve the `subject_of` → `LinguisticObject` → `digitally_carried_by` pattern when present.\n- [x] ✅ Failing-first tests verify IIIF structures are preserved, including Presentation manifest `conforms_to`/`format` and Image API `DigitalService` via `digitally_available_via`.\n- [x] ✅ Route-level tests verify inspect/import outputs retain digital metadata structures (including IIIF fields) and do not mutate canonical `_source.raw`.\n- [x] ✅ Provider-slice test PRs must include or update fixture-backed tests mapped to `Round 3 Addendum — Digital Content` → `Fixture Anchors — Digital Content Examples` in [linked-art/LinkedArtModel1.0-Reference.md](linked-art/LinkedArtModel1.0-Reference.md) (web publication, surrogate parity, embedded representation image, subject_of web page, IIIF Presentation manifest, IIIF Image service).\n- [x] ✅ Provider-slice test PRs must also include a short \"Standards Mapping\" note listing the specific round addenda used (for example endpoint schema rounds, shared-structure rounds, and relevant search-relation rounds) and the fixture anchors exercised.\n\nStatus:\n- [x] ✅ Complete (Rijks, NGA, RKD, Louvre, Harvard, Smithsonian, V&A, Princeton, Europeana, AIC, CMA slices landed).\n- [x] ✅ Object-specific acceptance gates are executable and passing in `tests/quality/provider-object-specific-gates.test.ts`.\n- [x] ✅ Digital-content acceptance gates are executable and passing in `tests/quality/provider-digital-content-gates.test.ts`.\n- [x] ✅ Route-level digital inspect/import preservation is executable and passing in `tests/quality/provider-digital-content-gates.test.ts`.\n- [x] ✅ Provider manifest enforcement now requires active import providers to include `Round 3 Addendum - Digital Content` in `tests/fixtures/validation/provider-fixture-manifest.json` (`tests/quality/validation-architecture-depth.test.ts`).\n- [x] ✅ PR template now requires explicit provider digital-content fixture-anchor mapping + short Standards Mapping notes (`.github/pull_request_template.md`).\n- [x] ✅ Added `src/adapters/rijks.ts` with Search + Resolver + LDES + Change Discovery helpers and IIIF URL normalization.\n- [x] ✅ Added Rijks API routes: `/api/rijks/profile`, `/api/rijks/search`, `/api/rijks/resolve`, `/api/rijks/import`, `/api/rijks/ldes`, `/api/rijks/cd`.\n- [x] ✅ `/explore` source toggle now supports `both` / `met` / `getty` / `rijks`; `/api/explorer/import` supports Rijks URLs.\n- [x] ✅ Added test coverage for adapter + routes + provider inference (`tests/adapters/rijks.test.ts`, `tests/api/rijks/*`, updated explorer/provider tests).\n- [x] ✅ Added `src/adapters/nga.ts` plus routes `/api/nga/profile`, `/api/nga/search`, `/api/nga/import` with failing-first tests and explore/import wiring.\n- [x] ✅ Remaining provider slices are now landed: RKD Knowledge Graph, Louvre Collections JSON, Harvard, Smithsonian Open Access, V&A Collections API, Princeton University Art Museum API, Europeana, AIC, CMA.\n- [x] ✅ Rijks incremental-ingest hooks are executable: `extractRijksLdesHookData()` and `extractRijksChangeDiscoveryHookData()` with route coverage in `tests/api/rijks/ldes.test.ts` and `tests/api/rijks/cd.test.ts`.\n- [x] ✅ Rijks profile now exposes a bibliographic SRU extension-point base (`bibliographicSruBase`) and SRU URL builder coverage (`buildRijksSruSearchUrl()`), while UI flows remain unchanged.\n\nRijksmuseum integration scope now includes:\n- [x] ✅ Object metadata search and dereference pipeline (Search API + PID Resolver with content negotiation to Linked Art).\n- [x] ✅ Linked Data Event Streams ingest hooks for incremental refreshes.\n- [x] ✅ IIIF Change Discovery ingest hooks for change tracking.\n- [x] ✅ IIIF image/presentation compatibility via Micrio endpoints.\n- [x] ✅ Future bibliographic extension point via SRU (planned, not yet wired into UI flows).\n\n#### B5.1 — RKD Knowledge Graph provider slice (done)\n\nGoal: integrate RKD Linked Data (CIDOC-CRM + Linked Art oriented) as a standards-first provider without bypassing current adapter boundaries.\n\nPlanned deliverables:\n- [x] ✅ Adapter: `src/adapters/rkd.ts` (provider-interface compliant, no cross-adapter imports).\n- [x] ✅ Routes:\n - [x] ✅ `/api/rkd/profile` (GET)\n - [x] ✅ `/api/rkd/search` (POST, paged candidate retrieval)\n - [x] ✅ `/api/rkd/entity` (POST, URI-based fetch/enrichment)\n - [x] ✅ `/api/rkd/import` (POST, normalize + persist)\n - [x] ✅ optional `/api/rkd/sparql` (POST, read-only, allowlisted query templates only)\n- [x] ✅ UI:\n - [x] ✅ added `rkd` source toggle support in `/explore`\n - [x] ✅ provider attribution + ODC-By 1.0 license/reuse guidance rendered in RKD card/detail data.\n\nData-source constraints:\n- [x] ✅ Dataset scale is 600M+ statements and is consumed via bounded queries/pagination (`limit`/`offset` clamps and bounded search defaults).\n- [x] ✅ SPARQL endpoint details are deploy-time config (env vars) via `getRkdProfile()`/`buildRkdSparqlEndpoint()`.\n- [x] ✅ Graph scoping is supported via optional `graph` input on search/entity/template flows.\n- [x] ✅ Raw SPARQL usage is constrained to controlled, allowlisted query templates (`entitySummary`/`labelSearch`) for route-level access.\n- [x] ✅ Triply protocol-compatible SPARQL request behavior is implemented with explicit `Accept` negotiation and read-only request handling.\n\nLicense and attribution:\n- [x] ✅ RKD dataset license is Open Data Commons Attribution License 1.0; provider output carries source URL + provider attribution + license metadata.\n- [x] ✅ Rights/reuse output remains conservative when image-level rights are not explicit in source payload.\n\nAcceptance:\n- [x] ✅ Failing-first tests for adapter + routes are landed (`tests/adapters/rkd.test.ts`, `tests/api/rkd/*.test.ts`).\n- [x] ✅ Standards mapping coverage includes object/digital/shared-structure/data-discovery anchors in `tests/fixtures/validation/provider-fixture-manifest.json` (`rkd` entry).\n- [x] ✅ B8 protocol conformance coverage includes RKD routes in `tests/quality/provider-protocol-conformance.test.ts`.\n- [x] ✅ Token security checks included (`Authorization: Bearer` from env-only `RKD_TRIPLY_TOKEN`, no token persistence/logging in adapter/route flows).\n\n#### B5.2 — Smithsonian Open Access provider slice (done)\n\nGoal: integrate Smithsonian Open Access search/content APIs with secure API-key handling and standards-first normalization.\n\nPlanned deliverables:\n- [x] ✅ Adapter: `src/adapters/smithsonian.ts` (provider-interface compliant, no cross-adapter imports).\n- [x] ✅ Routes:\n - [x] ✅ `/api/smithsonian/profile` (GET)\n - [x] ✅ `/api/smithsonian/search` (POST)\n - [x] ✅ `/api/smithsonian/content` (POST)\n - [x] ✅ `/api/smithsonian/import` (POST)\n- [x] ✅ UI:\n - [x] ✅ added `smithsonian` source toggle in `/explore`\n - [x] ✅ source attribution and conservative rights/reuse indicators are preserved in Smithsonian discovery/import card flows.\n\nOfficial API constraints:\n- [x] ✅ API key required (`api_key`) via data.gov registration (`SMITHSONIAN_API_KEY` enforced for Smithsonian search/content and URL-import retrieval).\n- [x] ✅ Search pagination uses `start` + `rows`; route schema enforces integer bounds (`start >= 0`, `rows` in `1..1000`) with compatibility aliases for legacy callers.\n- [x] ✅ Core category filters and row-group inputs are explicit enum validation at route boundary (`smithsonianSearchInputSchema` for category + `rowGroup: objects|archives`).\n\nAcceptance:\n- [x] ✅ Failing-first adapter + route tests with mocked Smithsonian responses.\n- [x] ✅ API-key security checks included (env-only secrets, no key in logs/errors/client, API key stripped from exposed source URLs).\n- [x] ✅ Standards Mapping note coverage includes fixture anchors for Smithsonian in `tests/fixtures/validation/provider-fixture-manifest.json`.\n- [x] ✅ B8 protocol checks include Smithsonian routes (`profile`, `search`, `content`, `import`) in `tests/quality/provider-protocol-conformance.test.ts`.\n\n#### B5.3 — Harvard Art Museums provider slice\n\nGoal: integrate Harvard Art Museums API with strong conformance to official usage constraints and Linked Art normalization boundaries.\n\nStatus:\n- [x] ✅ Planned deliverables in this slice scope (adapter + routes) are complete.\n\nPlanned deliverables:\n- [x] ✅ Adapter: `src/adapters/harvard.ts` (provider-interface compliant, no cross-adapter imports).\n- [x] ✅ Routes:\n - [x] ✅ `/api/harvard/profile` (GET)\n - [x] ✅ `/api/harvard/search` (POST)\n - [x] ✅ `/api/harvard/object` (POST)\n - [x] ✅ `/api/harvard/import` (POST)\n- [x] ✅ UI:\n - [x] ✅ add `harvard` source toggle in `/explore`\n - [x] ✅ preserve attribution/link-back + rights/reuse indicators on all surfaces.\n\nOfficial API constraints:\n- [x] ✅ API key required on all calls (`apikey` parameter).\n- [x] ✅ Paging uses `size` (max 100) + `page`; adapter honors `info.next/info.prev` flows.\n- [x] ✅ Respect call budget guidance (2500/day) and non-commercial + attribution terms.\n- [x] ✅ Cache/storage policy enforces a two-week max retention guidance (`<=14 days`) without explicit permission.\n- [x] ✅ Use provider image URLs directly (no local copies).\n\nAcceptance:\n- [x] ✅ Failing-first adapter + route tests with mocked Harvard responses.\n- [x] ✅ API key handling checks included (env-only key, no key in logs/errors/client surfaces).\n- [x] ✅ Rate-budget and cache-TTL policy checks included (`<=14 days` cache window).\n- [x] ✅ Standards Mapping note references applicable Linked Art rounds and fixture anchors.\n- [x] ✅ B8 protocol checks included for all Harvard routes.\n\n#### B5.4 — V&A Collections API provider slice\n\nGoal: integrate V&A Collections API v2 with strong support for identifier/keyword filters and IIIF image/presentation link preservation.\n\nStatus:\n- [x] ✅ Complete.\n\nPlanned deliverables:\n- [x] ✅ Adapter: `src/adapters/vanda.ts` (provider-interface compliant, no cross-adapter imports).\n- [x] ✅ Routes:\n - [x] ✅ `/api/vanda/profile` (GET)\n - [x] ✅ `/api/vanda/search` (POST)\n - [x] ✅ `/api/vanda/object` (POST)\n - [x] ✅ `/api/vanda/import` (POST)\n- [x] ✅ UI:\n - [x] ✅ add `vanda` source toggle in `/explore`\n - [x] ✅ expose IIIF manifest/image links in artwork/detail surfaces where available.\n\nOfficial API constraints:\n- [x] ✅ API base is `https://api.vam.ac.uk/v2`.\n- [x] ✅ Search result pages should honor official paging constraints (`size` cap 100).\n- [x] ✅ API is suitable for dynamic subsets; bulk export flows should avoid naive high-volume API crawling.\n- [x] ✅ Terms/licensing constraints and citation requirements must be preserved in downstream usage.\n\nAcceptance:\n- [x] ✅ Failing-first adapter + route tests with mocked V&A responses.\n- [x] ✅ Identifier/keyword filter behavior tests included.\n- [x] ✅ IIIF image/presentation field extraction tests included.\n- [x] ✅ Standards Mapping note references applicable Linked Art rounds and fixture anchors.\n - [x] ✅ Standards Mapping note: Linked Art Model 1.0 references include Digital Content + Shared Structures + Data Discovery/API endpoint-shape rounds; fixture anchors include `tests/fixtures/validation/providers/vanda/pass.json` and `tests/fixtures/validation/providers/vanda/fail.json` plus provider manifest mapping in `tests/fixtures/validation/provider-fixture-manifest.json`.\n- [x] ✅ B8 protocol checks included for all V&A routes.\n\n#### B5.5 — Princeton University Art Museum provider slice\n\nGoal: integrate Princeton API object/search resources with strong preservation of nested research context and IIIF media references.\n\nPlanned deliverables:\n- [x] ✅ Adapter: `src/adapters/princeton.ts` (provider-interface compliant, no cross-adapter imports).\n- [x] ✅ Routes:\n - [x] ✅ `/api/princeton/profile` (GET)\n - [x] ✅ `/api/princeton/search` (POST)\n - [x] ✅ `/api/princeton/object` (POST)\n - [x] ✅ `/api/princeton/import` (POST)\n- [x] ✅ UI:\n - [x] ✅ add `princeton` source toggle in `/explore`\n - [x] ✅ preserve source attribution and media link visibility.\n\nOfficial API constraints:\n- [x] ✅ Base endpoint `https://data.artmuseum.princeton.edu`.\n- [x] ✅ No auth currently required, and adapter/profile surface explicit `authMode: none` + future-auth compatibility without interface breakage.\n- [x] ✅ Static weekly full datasets are reflected in import guidance with anti-crawl guardrails on large interactive API imports.\n\nAcceptance:\n- [x] ✅ Failing-first adapter + route tests with mocked Princeton responses.\n- [x] ✅ Nested-field preservation tests included (`texts`, `media`, `exhibitions`, `geography`, `terms`, `classifications`).\n- [x] ✅ IIIF URI extraction tests included.\n- [x] ✅ Standards Mapping note references applicable Linked Art rounds and fixture anchors.\n - [x] ✅ Standards Mapping note: Linked Art Model 1.0 references include Object + Digital Content + Shared Structures + API endpoint-shape rounds; fixture anchors include `tests/fixtures/validation/providers/princeton/pass.json` and `tests/fixtures/validation/providers/princeton/fail.json` plus provider manifest mapping in `tests/fixtures/validation/provider-fixture-manifest.json`.\n- [x] ✅ B8 protocol checks included for all Princeton routes.\n\n#### B5.6 — National Gallery of Art Open Data provider slice\n\nGoal: integrate NGA public open data as a CSV-first provider while preserving Linked Art boundary contracts and provenance-safe source lineage.\n\nPlanned deliverables:\n- [x] ✅ Adapter: `src/adapters/nga.ts` (provider-interface compliant, no cross-adapter imports).\n- [x] ✅ Routes:\n - [x] ✅ `/api/nga/profile` (GET)\n - [x] ✅ `/api/nga/search` (POST)\n - [x] ✅ `/api/nga/import` (POST)\n - [x] ✅ optional `/api/nga/refresh` (POST) deferred by design; manual refresh is supported through `/api/nga/import` with `url` + bounded `limit`.\n- [x] ✅ UI:\n - [x] ✅ add `nga` source toggle in `/explore`\n - [x] ✅ preserve source attribution, citation guidance, and conservative rights/reuse indicators.\n - [x] ✅ `/explore` includes an NGA-specific citation/reuse advisory callout (CC0 metadata + verify image/media rights per object).\n\nOfficial data constraints:\n- [x] ✅ Primary distribution is CSV (UTF-8), refreshed frequently (typically daily), and should be ingested in bounded batches.\n- [x] ✅ Images/media files are not distributed in the dataset package; only links/references are included where available.\n- [x] ✅ Dataset is CC0; attribution/citation is still recommended for research usage.\n- [x] ✅ Wikidata IDs are present when known but non-exhaustive; treat as reconciliation hints, not complete authority truth.\n - [x] ✅ Enforcement evidence: adapter/profile/import tests in `tests/adapters/nga.test.ts` and `tests/api/nga/import.test.ts` assert UTF-8 CSV parsing, bounded ingest behavior, link-only media handling, CC0 metadata/citation guidance surfaces, and optional Wikidata-hint mapping.\n\nAcceptance:\n- [x] ✅ Failing-first adapter + route tests with fixture-backed CSV parsing and UTF-8 safety.\n- [x] ✅ Idempotent upsert tests for repeated daily ingest runs.\n- [x] ✅ Tests verifying preservation of source media-link references without assuming media binary availability.\n- [x] ✅ Standards Mapping note references applicable Linked Art rounds and fixture anchors.\n - [x] ✅ Standards Mapping note: Linked Art Model 1.0 Object + Digital Content + Shared Structures + API endpoint-shape rounds; fixture anchors include `tests/fixtures/validation/providers/nga/pass.json` and `tests/fixtures/validation/providers/nga/fail.json` plus manifest mapping in `tests/fixtures/validation/provider-fixture-manifest.json`.\n- [x] ✅ B8 protocol checks included for all NGA routes.\n\n#### B5.7 — Louvre Collections JSON provider slice\n\nGoal: integrate Louvre ARK-linked JSON records as a standards-first provider while preserving attribution/provenance nuance and image-rights constraints.\n\nPlanned deliverables:\n- [x] ✅ Adapter: `src/adapters/louvre.ts` (provider-interface compliant, no cross-adapter imports).\n- [x] ✅ Routes:\n - [x] ✅ `/api/louvre/profile` (GET)\n - [x] ✅ `/api/louvre/object` (POST)\n - [x] ✅ `/api/louvre/import` (POST)\n - [x] ✅ optional `/api/louvre/search` (POST) is landed (bounded, protocol-safe endpoint)\n- [x] ✅ UI:\n - [x] ✅ add `louvre` source toggle in `/explore`\n - [x] ✅ preserve source attribution and image-rights disclosures on all surfaces.\n\nOfficial data constraints:\n- [x] ✅ Access is object-entry URL plus `.json` suffix (ARK-based records).\n- [x] ✅ Record content is French-first; normalization must not destructively strip source language signals.\n- [x] ✅ Image usage and text reuse must follow Louvre Terms of Use.\n- [x] ✅ Image payloads include per-image rights/copyright text and must be preserved.\n - [x] ✅ Enforcement evidence: `tests/adapters/provider-expansion.test.ts` and `tests/api/louvre/import.test.ts` assert `.json` URL normalization, French-field preservation in `_source.raw`, and rights/copyright retention from source image payloads.\n\nAcceptance:\n- [x] ✅ Failing-first adapter + route tests with mocked Louvre JSON responses.\n- [x] ✅ URL normalization + ARK extraction safety tests included.\n- [x] ✅ Creator attribution nuance tests included (`attributionLevel`, `doubt`, `creatorRole`, attribution metadata where present).\n- [x] ✅ Rights/reuse mapping tests included with conservative defaults when rights are unclear.\n- [x] ✅ Standards Mapping note references applicable Linked Art rounds and fixture anchors.\n- [x] ✅ B8 protocol checks included for all Louvre routes.\n - Evidence:\n - `tests/adapters/provider-expansion.test.ts`\n - `tests/api/louvre/object.test.ts`\n - `tests/api/louvre/import.test.ts`\n - `tests/quality/provider-protocol-conformance.test.ts`\n - `docs/providers/louvre-collections-json.md`\n\n### B6 — Authority caching\n\n- [x] ✅ Replace inline authority lookups on the request path with local cache-only access.\n- [x] ✅ Schedule a daily/weekly job that downloads Getty AAT/ULAN/TGN N-Triples + Wikidata `linked-art`-related QIDs + GeoNames + LoC NAF into Postgres (SOTA §6.2).\n- [x] ✅ Surface in the entity profile pages: \"From AAT / ULAN / Wikidata\".\n\nStatus:\n- [x] ✅ `src/services/authority-cache.ts` landed as the local authority cache service.\n- [x] ✅ `tests/quality/era-b-exit-gate.test.ts` enforces zero runtime external authority fetches on request-path route code.\n- [x] ✅ Scheduled authority refresh pipeline landed:\n - [x] ✅ `scripts/authority-cache-refresh.ts`\n - [x] ✅ `pnpm authority:refresh`\n - [x] ✅ `.github/workflows/authority-cache-refresh.yml` (weekly + manual dispatch)\n- [x] ✅ Entity authority-source UX landed:\n - [x] ✅ `src/utils/entities.ts` emits `authoritySources`\n - [x] ✅ `app/(workspace)/entity/[id]/page.tsx` renders `From AAT / ULAN / Wikidata` style provenance labels when present\n - [x] ✅ coverage in `tests/utils/entities.test.ts` and `tests/api/entities/by-id.test.ts`\n\n### B6.1 — Exhibition + literature reconciliation hardening\n\nGoal: prevent duplicate or fragmented cross-provider historical narratives by reconciling shared exhibitions and literature records without collapsing source provenance.\n\n- [x] ✅ Add explicit reconciliation scope beyond people/concepts:\n - [x] ✅ Exhibition concepts/plans (`PropositionalObject`) and exhibition activities (`Activity` classified as exhibition) are candidate-matched across providers.\n - [x] ✅ Literature records (`LinguisticObject`) including catalogs/publications about exhibitions or objects are candidate-matched across providers.\n- [x] ✅ Add deterministic candidate blocking + scoring pipeline:\n - [x] ✅ title/label normalization + language-aware comparison\n - [x] ✅ timespan overlap logic\n - [x] ✅ place/venue equivalence checks using local authority identifiers/labels\n - [x] ✅ identifier evidence (ISBN/ISSN/OCLC/DOI/local accession refs when present)\n - [x] ✅ participant/organizer/publisher overlap evidence\n- [x] ✅ Preserve Linked Art identity/provenance invariants:\n - [x] ✅ never rewrite source URIs in `_source.raw`\n - [x] ✅ never infer semantics from URI path shape\n - [x] ✅ link via explicit reconciliation decisions rather than destructive record collapse\n - [x] ✅ keep event-centric modeling (no direct object-person shortcut introduced by reconciliation)\n- [x] ✅ Add human-review queue gates for ambiguous matches:\n - [x] ✅ thresholds for auto-link vs review-required vs no-link (`>=0.90`, `0.65-0.89`, `<0.65`)\n - [x] ✅ audit metadata per reconciliation decision (`actor`, `recordedAt`)\n - [x] ✅ reversible decision model shape (`auto-link` / `needs-review` / `no-link`)\n- [x] ✅ Add failing-first fixture suite:\n - [x] ✅ pass cases for true exhibition/literature same-as candidates from different providers\n - [x] ✅ fail cases for near-title collisions, edition conflicts, and time/place mismatches\n - [x] ✅ regression coverage for threshold behavior and invariants\n\nDefinition of done:\n- [x] ✅ `tests/quality/reconciliation-exhibitions-literature.test.ts` passes with fixture-backed pass/fail coverage.\n- [x] ✅ Reconciliation outputs are provenance-safe and standards-mapped (round + fixture anchor references in PR).\n- [x] ✅ Entity pages expose linked \"same exhibition\"/\"same publication\" context without mutating source records.\n\nImplementation note:\n- [x] ✅ Use [reconciliation/exhibition-literature-reconciliation.md](reconciliation/exhibition-literature-reconciliation.md) as the required execution checklist for this slice.\n\nStatus:\n- [x] ✅ `src/services/reconciliation.ts` landed with explicit exhibition/publication candidate extraction, deterministic scoring, and human-review thresholds.\n- [x] ✅ `tests/fixtures/reconciliation/exhibitions-literature-pass.json` + `tests/fixtures/reconciliation/exhibitions-literature-fail.json` landed as fixture anchors.\n- [x] ✅ `app/(workspace)/entity/[id]/page.tsx` now surfaces cross-provider alignment context where reconciliation candidates exist.\n\n### B8 — API protocol + profile conformance hardening\n\n- [x] ✅ Enforce JSON-LD 1.1 output with canonical Linked Art context on all public entity payloads.\n- [x] ✅ Add explicit content negotiation behavior:\n - [x] ✅ `Accept: application/ld+json;profile=\"https://linked.art/ns/v1/linked-art.json\"`\n - [x] ✅ graceful fallback when generic JSON/LD headers are used\n- [x] ✅ Add `GET` + `OPTIONS` support and baseline CORS behavior on public API endpoints.\n- [x] ✅ Add protocol tests asserting URI opacity: no handler or client helper may derive semantics by parsing URI path shapes.\n- [x] ✅ Add serialization tests ensuring multi-valued Linked Art fields remain arrays even when cardinality is one.\n\nStatus:\n- [x] ✅ Complete for current Era B route inventory.\n- [x] ✅ Representative executable conformance tests now run for `/api/linked-art/profile`, `/api/artworks/[id]`, and `/api/entities/[id]`:\n - [x] ✅ `OPTIONS` + baseline CORS headers\n - [x] ✅ Linked Art media type negotiation for `Accept: application/ld+json;profile=...`\n - [x] ✅ URI opacity, array cardinality safety, and HAL separation assertions\n - [x] ✅ representative entity-role coverage across object/work/agent/place/set\n- [x] ✅ Expanded executable protocol checks to currently landed provider/search endpoints (`/api/met/*`, `/api/getty/*`, `/api/rijks/*`, `/api/nga/*`, `/api/rkd/*`, plus `/api/providers/*`) via `tests/quality/provider-protocol-conformance.test.ts`.\n- [x] ✅ Generic JSON-LD fallback behavior is covered (`Accept: application/ld+json` negotiates to canonical Linked Art profile media type).\n- [x] ✅ Ongoing policy: B8 executable checks are applied to all currently landed provider slices; continue applying the same checks for additional future sources.\n\nAcceptance:\n- [x] ✅ Protocol conformance tests pass for representative routes across object/work/agent/place/set.\n- [x] ✅ No regressions in existing inspect/import flows.\n\n### B9 — Linked Art modeling guardrails (provenance + lifecycle)\n\n- [x] ✅ Add conformance tests for provenance partitioning patterns:\n - [x] ✅ wrapper provenance `Activity`\n - [x] ✅ `Acquisition` + `Payment` as parts when both are asserted\n- [x] ✅ Add explicit ownership vs custody invariants:\n - [x] ✅ `TransferOfCustody` must not be rewritten into `Acquisition` unless title transfer evidence is present\n- [x] ✅ Add explicit unknown-transfer handling:\n - [x] ✅ use `Transfer` for ambiguous exchange events rather than fabricating legal outcomes.\n- [x] ✅ Extend inspect/import audits to flag carrier/content conflation and direct object-person shortcuts that bypass event nodes.\n\nStatus:\n- [x] ✅ Complete for current Era B guardrail scope.\n- [x] ✅ Conformance guardrails added in `src/utils/linked-art.ts` for:\n - [x] ✅ wrapper provenance Activity partitioning checks\n - [x] ✅ `Acquisition` + `Payment` split-into-parts checks when both are asserted\n - [x] ✅ custody-vs-title invariants (`TransferOfCustody` vs `Acquisition`)\n - [x] ✅ unknown-transfer guardrails (`Transfer` for ambiguous exchanges)\n - [x] ✅ carrier/content conflation and direct object-person shortcut detection\n- [x] ✅ Failing-first pass/fail fixtures added:\n - [x] ✅ `tests/fixtures/b9/provenance-guardrails-pass.json`\n - [x] ✅ `tests/fixtures/b9/provenance-guardrails-fail.json`\n- [x] ✅ Executable guardrail tests added in `tests/quality/linked-art-b9-guardrails.test.ts`.\n- [x] ✅ Best-practices audit includes actionable B9 category output: `Provenance & Lifecycle Guardrails (B9)`.\n\nAcceptance:\n- [x] ✅ Failing-first fixtures prove the above patterns and invariants across pass/fail cases.\n- [x] ✅ Best-practices audit reports actionable violations for these categories.\n\n### B10 — ARK conformance slice\n\n- [x] ✅ ULID-based ARK minting for normalized records.\n- [x] ✅ Add `/api/ark/resolve` resolver endpoint with suffix pass-through behavior.\n- [x] ✅ Add `?info` inflection response for metadata + persistence statement retrieval.\n- [x] ✅ Define and return a persistence statement structure for ARK `?info` responses.\n- [x] ✅ Add failing-first tests for ARK utility behavior and resolver route behavior.\n- [x] ✅ Update roadmap/README/CLAUDE standards guidance for ARK conformance expectations.\n\nStatus:\n- [x] ✅ Complete for current Era B scope.\n- [x] ✅ Implemented `src/utils/ark.ts` with opaque ULID minting, ARK normalization, suffix pass-through resolution, and `?info` payload construction.\n- [x] ✅ Implemented `app/api/ark/resolve/route.ts` with:\n - [x] ✅ `GET` resolution (`303` redirect style)\n - [x] ✅ suffix pass-through for variant/service paths\n - [x] ✅ `?info` inflection JSON-LD payload\n - [x] ✅ `OPTIONS` + baseline CORS behavior\n- [x] ✅ `normalizeIncomingRecord` now mints ARKs via ULID-based helper (`mintArkIdentifier`) instead of non-deterministic short random tokens.\n- [x] ✅ Added executable tests:\n - [x] ✅ `tests/utils/ark.test.ts`\n - [x] ✅ `tests/api/ark/resolve.test.ts`\n\nAcceptance:\n- [x] ✅ Resolver pass-through and inflection tests are green.\n- [x] ✅ ARK minting tests assert opaque ULID-form ARK output.\n- [x] ✅ ARK conformance behavior is now documented in project guidance.\n\n### B7 — API gateway readiness for multi-source scale\n\n- [x] ✅ Keep direct provider adapters as default while source count and traffic stay moderate (current implementation remains direct adapters).\n- [x] ✅ Gateway activation policy is implemented and threshold-gated. Activate only when one or more conditions are true:\n - [x] ✅ 6+ external providers in production.\n - [x] ✅ 2+ upstream credential/security models to centralize.\n - [x] ✅ cross-provider rate limiting/circuit breaking becomes operationally necessary.\n- [x] ✅ Candidate gateway responsibilities are defined and readiness-backed:\n - [x] ✅ Centralized auth/secrets policy, rate limiting, retries/circuit breakers, request/response telemetry, and provider health dashboards.\n - [x] ✅ Stable internal route facade (`/api/providers/:provider/...`) so UI and jobs remain unchanged as provider backends evolve.\n - [x] ✅ Response envelope standardization plus provider capability registry for dynamic UI feature flags.\n- [x] ✅ B7 non-goals are explicitly enforced:\n - [x] ✅ No business logic migration out of adapters.\n - [x] ✅ No forced microservice split of the Next app.\n - [x] ✅ No gateway requirement for local development.\n\nStatus:\n- [x] ✅ Complete for Era B readiness scope.\n- [x] ✅ Added gateway-readiness diagnostics endpoint: `/api/providers/readiness` (threshold evaluation without forcing architecture changes).\n- [x] ✅ Added provider capability registry endpoint: `/api/providers/capabilities`.\n- [x] ✅ Added stable internal facade routes: `/api/providers/:provider/profile|search|import` with standardized response envelopes.\n- [x] ✅ Added conformance coverage for facade + capability routes in `tests/quality/provider-protocol-conformance.test.ts`.\n- [x] ✅ Re-evaluated activation threshold with current production providers (Met, Getty, Rijks, NGA, RKD, Louvre, Harvard, Smithsonian, V&A, Princeton, Europeana, AIC, CMA): threshold is now hit (6+ providers), so `/api/providers/readiness` reports `gatewayRecommended: true` while direct adapters remain the active mode.\n\n**Era B exit gate:**\n- [x] ✅ 100% of public-facing sample records pass validation checks (SHACL when validator service is configured; local standards fallback otherwise).\n- [x] ✅ All writes auth-gated; audit log row per primary write route.\n- [x] ✅ Postgres is the storage of record when `DATABASE_URL` is set; `storage/*.json` removed from version control.\n- [x] ✅ All authority lookups served from local cache policy (zero runtime authority calls on the request path).\n- [x] ✅ Protocol/profile conformance suite green (context, media type profile, CORS/OPTIONS, URI opacity, array cardinality safety).\n\n**Era B completion verdict:**\n- [x] ✅ **Engineering-complete.** Core B1-B10 deliverables and Era B exit-gate checks are green.\n- [x] ✅ **Operational sign-off complete** for current pre-Era-C checklist items.\n\n### Pre-Era-C Operational Sign-Off\n\n- [x] ✅ Verify and record rotation of production `AUTH_SECRET` and `AUTH_GITHUB_SECRET` (with date and owner in release notes/runbook).\n - [x] Evidence anchor: `docs/ops/auth-credential-rotation.md`; operation signed as complete in this roadmap section and `docs/progress/2026-05-31/era-c-readiness-snapshot.md`.\n- [x] ✅ Record explicit gateway activation decision now that `gatewayRecommended: true` is reported (`activate now` vs `keep direct-adapter mode`) with owner + review date.\n - [x] ✅ Decision: **keep direct-adapter mode active** for now; do not force gateway activation yet.\n - [x] ✅ Owner: `@rsung`\n - [x] ✅ Review date: **August 31, 2026**\n - [x] ✅ Decision record reference: `docs/progress/2026-05-31/era-c-readiness-snapshot.md`\n- [x] ✅ Add a one-page Era C readiness snapshot to `docs/progress/` linking latest green evidence: `era-b-exit-gate`, `protocol-conformance`, `provider-protocol-conformance`, `linked-art-b9-guardrails`, `validation-drift:trend`.\n\n---\n\n## Era C — SOTA platform (quarters 4+)\n\nGoal: implement the Yale-LUX-pattern hybrid platform described in [LinkedArtSOTAWebApp.md](linked-art/LinkedArtSOTAWebApp.md) §§2–22. By this point, the Next.js app is stable enough to host a curator workbench and an AI agent surface on top of an honest data layer.\n\nRoughly the same numbering as the SOTA spec's phases — but starting *here*, after Era A and B have shipped:\n\n### C1 — Multi-modal storage + HAL hypermedia (SOTA Phase 1)\n\n- [x] ✅ Solr 9 + **GraphDB** provisioned via Helm (dev: Compose, GraphDB CE image)\n- [x] ✅ GraphDB SPARQL 1.1 endpoint + Lucene plugin for hybrid text+graph queries; named graphs per source institution for provenance partitioning (SOTA §8.2)\n- [x] ✅ RDFS + SHACL reasoning only at runtime — no full OWL DL (SOTA §8.2)\n- [x] ✅ `src/utils/record-materializer.ts` builds Yale-LUX-style denormalized `Record` documents + shortcut triples (SOTA §20.1)\n- [x] ✅ HAL `_links` on every entity response (SOTA §9.2)\n- [x] ✅ Entity HAL discoverability now includes stable `la:activityFeed` link (`/api/activity`) via shared link builder + conformance tests.\n- [x] ✅ Canonical role endpoint scaffolds landed for `/api/objects/[id]`, `/api/works/[id]`, `/api/agents/[id]`, `/api/places/[id]`, `/api/sets/[id]` with executable B8 protocol conformance coverage.\n- [x] ✅ Add `/api/concepts/[id]` and `/api/events/[id]` canonical endpoints to complete the canonical C1 role endpoint surface.\n- [x] ✅ `/api/search` landed with OrderedCollectionPage pagination contract and executable HAL/search conformance coverage.\n- [x] ✅ `/api/activity` syndication endpoint\n\nStatus:\n- [x] ✅ Dev Compose provisioning added in `ops/docker-compose.yml` (`sota` profile: `solr:9.6`, `ontotext/graphdb:10.8.14`).\n- [x] ✅ Helm provisioning added in `ops/helm/metamuseum-search-graph/` (StatefulSets + Services + PVC defaults for Solr and GraphDB).\n- [x] ✅ GraphDB bootstrap automation added:\n - `scripts/graphdb-bootstrap.ts` creates repository config + verifies SPARQL query/update endpoints + provisions Lucene connector via `luc:createConnector`.\n - Runtime reasoning policy enforced in bootstrap: `GRAPHDB_RULESET` accepts only `rdfsplus` / `rdfsplus-optimized` (OWL-family rulesets rejected).\n - `scripts/graphdb-load-named-graph.ts` loads provider RDF into source-specific named graphs for provenance partitioning.\n - `src/utils/provenance-graphs.ts` defines stable institution graph URIs.\n- [x] ✅ Record materialization + index flattening foundations landed:\n - `src/services/records.ts` now materializes on write for all import/persist paths.\n - `src/utils/record-materializer.ts` emits denormalized shortcut fields/triples.\n - `src/utils/search-index.ts` flattens materialized records into Solr/OpenSearch-ready documents using `_shortcuts`.\n\n### C2 — ETL pipeline + reconciliation (SOTA Phase 2)\n\n- [x] ✅ `pipeline/` Dagster project — ELT, idempotent at every stage, SHA-256 dedupe keys\n- [x] ✅ FastAPI reconciliation service hitting Getty SPARQL / VIAF / Wikidata / GeoNames behind Redis URI cache\n- [x] ✅ Promote B6.1 exhibition/literature reconciliation heuristics into the C2 service as first-class pipelines (not optional post-processing)\n- [x] ✅ Confidence thresholds per SOTA §7.3 with a human-review queue in `app/curator/reconciliation/page.tsx`\n- [x] ✅ Visual ETL Mapper (ReactFlow) + `MappingTemplate` contract\n\nStatus:\n- [x] ✅ `pipeline/` scaffold landed with Dagster project files (`pipeline/pyproject.toml`, `pipeline/requirements.txt`) and runnable entry points (`pipeline/run_materialize.py`, `metamuseum_pipeline.definitions`).\n- [x] ✅ ELT asset chain implemented in `pipeline/metamuseum_pipeline/assets.py`: `extract_source_records` → `load_records` → `transform_records` → `dedupe_records` → `upsert_materialized_records`.\n- [x] ✅ SHA-256 dedupe key policy implemented in `pipeline/metamuseum_pipeline/dedupe.py` (`canonical_json` + `record_sha256`) and consumed at load/dedupe/materialize stages.\n- [x] ✅ Idempotence coverage added in `pipeline/tests/test_c2_pipeline.py` (repeat materialization does not duplicate state rows; unchanged rows are no-op upserts).\n- [x] ✅ Reconciliation service scaffold landed in `services/reconciliation-service/`:\n - FastAPI app with `POST /reconcile/lookup` and `GET /health`.\n - Provider adapters for Getty SPARQL, VIAF AutoSuggest, Wikidata, and GeoNames.\n - Redis URI cache layer with deterministic SHA-256 cache keys and TTL controls.\n - Unit coverage in `services/reconciliation-service/tests/test_reconciliation_service.py`.\n- [x] ✅ B6.1 heuristics promoted to first-class C2 pipeline endpoints in `services/reconciliation-service/main.py`:\n - `GET /reconcile/pipelines`\n - `POST /reconcile/pipelines/exhibitions-literature`\n - `GET /reconcile/pipelines/exhibitions-literature/bands`\n - Heuristic parity implementation in `services/reconciliation-service/pipelines.py` with fixture-backed tests in `services/reconciliation-service/tests/test_b61_pipeline.py`.\n- [x] ✅ SOTA §7.3 threshold model and queue UI landed:\n - Threshold bands implemented in `src/services/reconciliation.ts` (`>=0.95` auto-approve, `0.85-0.95` weekly digest flag, `0.70-0.85` human-review queue, `<0.70` drop candidate).\n - Curator queue page added at `app/curator/reconciliation/page.tsx` with explicit human-review and weekly-digest sections.\n - Regression assertions updated in `tests/quality/reconciliation-exhibitions-literature.test.ts`.\n- [x] ✅ Visual ETL Mapper + MappingTemplate contract landed:\n - `src/contracts/mapping-template.ts` defines `createMappingTemplate`/`validateMappingTemplate` for JSON-serializable mapper nodes, edges, and executable rules.\n - `src/contracts/zod/mapping-template.ts` mirrors the contract boundary and is exported through `src/contracts/zod/index.ts`.\n - ReactFlow mapper UI shipped at `app/(workspace)/etl/mapper/page.tsx` via `src/components/etl-mapper-workbench.tsx` with dry-run projection preview.\n - Contract and schema coverage added in `tests/contracts/mapping-template.test.ts` and `tests/contracts/zod-mirror.test.ts`.\n- [x] ✅ **C2 complete.** ETL pipeline, reconciliation service, B6.1 pipeline promotion, SOTA §7.3 thresholds + human-review queue, and Visual ETL Mapper + `MappingTemplate` contract are all landed and test-verified.\n\n### C3 — IIIF + visualizations (SOTA Phase 3)\n\n- [x] ✅ `` (OpenSeadragon wrapper) with deep-zoom, side-by-side compare, annotations\n- [x] ✅ ``, `` (Leaflet), `` (Cytoscape — partially landed in Slice 6)\n- [x] ✅ `` + `` for dense entity browses (SOTA §12.3)\n- [x] ✅ `` merging internal + DBpedia/Wikidata/ULAN/AAT context\n- [x] ✅ Overlapping exhibition timelines with zoom + direct navigation to exhibition/activity records\n\nStatus:\n- [x] ✅ IIIF workspace route shipped at `/iiif` via `app/(workspace)/iiif/page.tsx` with imported-record-backed source selection.\n- [x] ✅ OpenSeadragon wrapper shipped in `src/components/iiif-canvas-viewer.tsx` with deep-zoom, side-by-side compare mode, annotation overlays, and optional viewport lock.\n- [x] ✅ Canvas source normalization + fallback behavior covered in `tests/utils/iiif.test.ts` (`deriveIiifInfoJsonUrl`, OpenSeadragon image tile fallback, deduplicated source extraction).\n- [x] ✅ Insights workspace now composes first-class C3 visualization components:\n - `src/components/provenance-timeline.tsx`\n - `src/components/geo-map-viewer.tsx` (Leaflet)\n - `src/components/network-graph.tsx` (Cytoscape)\n- [x] ✅ `app/(workspace)/insights/page.tsx` now includes timeline + Leaflet geospatial view + Cytoscape relationship network in one drillable research workflow.\n- [x] ✅ Deterministic timeline-window + histogram binning logic is test-covered in `tests/utils/provenance-visualization.test.ts`.\n- [x] ✅ Dense entity browse route shipped at `/entities` via `app/(workspace)/entities/page.tsx`, with URL-driven `q`/`type`/`authority` filters.\n- [x] ✅ `src/components/concertina-list.tsx` and `src/components/facet-histogram.tsx` are now first-class C3 components for high-density entity review.\n- [x] ✅ Facet/filter/group model is test-covered in `tests/utils/entity-browse.test.ts` and component rendering is covered in `tests/components/entity-browse-components.test.ts`.\n- [x] ✅ `app/(workspace)/entity/[id]/page.tsx` now includes `EntityKnowledgePanel` with internal profile metrics plus cache-backed external authority context sections for DBpedia, Wikidata, ULAN, and AAT.\n- [x] ✅ Knowledge-model merge behavior is covered in `tests/utils/entity-knowledge.test.ts` and panel rendering is covered in `tests/components/entity-knowledge-panel.test.ts`.\n- [x] ✅ Exhibition overlap analysis is now first-class in Insights via `src/components/exhibition-timeline.tsx` + `src/utils/exhibition-timeline.ts`, with independent zoom/window controls and direct links into `/entity/:id` exhibition/activity records.\n\n### C4 — AI layer (SOTA Phase 4)\n\n- [x] ✅ pgvector + voyage-3 embeddings for entity summaries and statement texts; SigLIP for IIIF visual similarity\n- [x] ✅ `/api/ai/query` — NL → SPARQL/HAL with mandatory SHACL pre-execution validation\n- [x] ✅ `/api/ai/chat` — Graph-RAG with mandatory citations (`[entityId, propertyPath]` per sentence); \"cite or refuse\" rule (RSI-4 complete, proven 2026-06-09)\n- [x] ✅ LLM-assisted reconciliation tiebreaker (SOTA §10.4)\n- [x] ✅ LLM-assisted mapping for the Visual ETL Mapper\n\nStatus:\n- [x] ✅ AI embedding service landed in `src/services/ai-layer.ts`, including entity-summary + statement-text document extraction from `buildEntityIndex(...)`, Voyage API integration (`voyage-3`), and deterministic fallback embeddings for non-keyed/local runs.\n- [x] ✅ pgvector persistence landed with bootstrap SQL + upsert path:\n - `ops/postgres/init/02-ai-layer.sql`\n - `persistEmbeddingsPgvector(...)` in `src/services/ai-layer.ts`\n- [x] ✅ AI API routes landed:\n - `app/api/ai/embeddings/route.ts` (document build + embeddings + optional pgvector persist)\n - `app/api/ai/visual-similarity/route.ts` (SigLIP service call path + heuristic fallback)\n- [x] ✅ NL query API landed: `app/api/ai/query/route.ts` with NL → HAL/SPARQL planning, mandatory SHACL-catalog pre-execution validation, and explicit `412` blocking on disallowed queries.\n- [x] ✅ Query execution logs now capture NL prompt + generated query for retraining/audit (`storage/ai-query-log.json` via `src/services/ai-query.ts`).\n- [x] ✅ SigLIP visual-similarity fallback + IIIF candidate extraction landed (`extractVisualSimilarityCandidates`, `rankVisualSimilarity`) with representation/access-point awareness.\n- [x] ✅ Dev infra for pgvector readiness updated: `ops/docker-compose.yml` now uses `pgvector/pgvector:pg16` for local Postgres bootstrap compatibility.\n- [x] ✅ Coverage landed for C4 behavior:\n - `tests/services/ai-layer.test.ts`\n - `tests/api/ai-embeddings.test.ts`\n - `tests/api/ai-visual-similarity.test.ts`\n - `tests/services/ai-query.test.ts`\n - `tests/api/ai-query.test.ts`\n- [x] ✅ RSI-4 complete: `/api/ai/chat` implemented with graph-driven claim extraction, per-sentence citation enforcement, and refusal path when coverage is incomplete.\n - Proof: `tests/api/ai-chat.test.ts`, `pnpm test`, `pnpm lint`, and `pnpm build`.\n - Route contracts and behavior are reflected in `app/api/ai/chat/route.ts` and `src/services/ai-chat.ts`.\n- [x] ✅ C4 Visual ETL Mapper AI assist is complete:\n - `src/services/mapping-assist.ts` suggests review-ready `MappingTemplate` drafts from source columns using local model-compatible heuristics with confidence, rationale, standards anchors, and unmapped-column diagnostics.\n - `app/api/ai/mapping-assist/route.ts` exposes a POST assist endpoint with explicit JSON validation and CORS preflight.\n - `src/components/etl-mapper-workbench.tsx` adds a curator-visible \"Suggest mapping with AI\" action that calls the assist endpoint and keeps outputs review-only.\n - Proof packet: `tests/services/mapping-assist.test.ts`, `tests/api/ai-mapping-assist.test.ts`, `tests/components/etl-mapper-config.test.ts`, and `tests/api/openapi.test.ts`.\n\n### C5 — Syndication + Meta Wiki Art + hardening (SOTA Phase 5)\n\n- [x] ✅ ActivityStreams subscriptions endpoint open to external aggregators\n- [x] ✅ `/api/activity` external-consumer readiness metric capture landed (`/api/activity/readiness` + per-request consumer telemetry with explicit `x-linked-art-consumer-id` support).\n- [x] ✅ `/api/activity/subscriptions` landed for external aggregator registration/discovery:\n - `GET /api/activity/subscriptions` (ActivityStreams `OrderedCollectionPage` shape + metrics)\n - `POST /api/activity/subscriptions` (consumer-aware callback registration)\n - `DELETE /api/activity/subscriptions?id=...` (unsubscribe)\n - Public CORS preflight via `OPTIONS`\n- [x] ✅ Meta Wiki Art publish flow: `WikiDraft` → review → publish to **MediaWiki + custom Wikibase** with citation + rights templates\n- [x] ✅ C5 publish-flow implementation evidence:\n - `app/api/wiki-drafts/route.ts`\n - `app/api/wiki-drafts/[id]/review/route.ts`\n - `app/api/wiki-drafts/[id]/publish/route.ts`\n - `src/services/wiki-publish.ts`\n - Verification (2026-05-31): `tests/api/wiki-drafts/flow.test.ts` and `tests/services/wiki-publish.test.ts` both passing, including dry-run and live-publish adapter paths with citation + rights templates.\n- [x] ✅ Wikibase statement-level references required for every publishable claim (provenance-safe writes)\n - `evaluateWikiPublishPreflight(...)` now validates every claim carries at least one statement-level reference with valid `sourceUrl`, `retrievedAt`, and `citationText` before publish can proceed.\n - Evidence: `src/services/wiki-publish.ts`, `tests/services/wiki-publish.test.ts`, `tests/api/wiki-drafts/flow.test.ts`.\n- [x] ✅ Bidirectional mapping maintained between internal entity IDs and wiki item/property IDs for traceable sync\n - Live publish now upserts durable sync mappings in `wiki-sync-map.json` (Postgres-managed in non-file modes) for:\n - internal entity ID ↔ wikibase item ID\n - internal property ID ↔ wikibase property ID\n - API lookup route landed for traceable sync diagnostics:\n - `GET /api/wiki-sync-map?internalEntityId=...`\n - `GET /api/wiki-sync-map?wikiItemId=...`\n - `GET /api/wiki-sync-map?internalPropertyId=...`\n - `GET /api/wiki-sync-map?wikiPropertyId=...`\n - Evidence: `src/services/wiki-sync-map.ts`, `app/api/wiki-drafts/[id]/publish/route.ts`, `app/api/wiki-sync-map/route.ts`, `tests/services/wiki-sync-map.test.ts`, `tests/api/wiki-sync-map.test.ts`, `tests/api/wiki-drafts/flow.test.ts`.\n- [x] ✅ WCAG 2.1 AA full audit on every public route\n - Evidence (2026-05-31): `pnpm a11y:check` passes with zero serious/moderate/critical axe violations across all public UI routes:\n - `/`, `/explore`, `/records`, `/linked-art`, `/patterns`, `/insights`, `/graph`, `/entities`, `/iiif`, `/issues`, `/agents`, `/automation`, `/etl/mapper`, `/roadmap`, `/getty`, `/curator/reconciliation`, `/artwork/[id]`, `/entity/[id]`.\n - Remediations landed for detected violations:\n - `src/components/geo-map-viewer.tsx` (removed nested-interactive conflict by replacing `role=\"img\"` map container semantics with described interactive container text)\n - `src/components/etl-mapper-workbench.tsx` (added keyboard focus to scrollable dry-run `
` region).\n- [x] ✅ k6 load test against SOTA §20.4 SLOs (API p95 < 200ms cached, < 500ms cold; search p95 < 300ms)\n  - Harness landed:\n    - `scripts/k6-slo.js` (scenario definitions + per-scenario thresholds)\n    - `scripts/k6-slo-runner.mjs` (local binary / PATH / Docker fallback runner)\n    - `pnpm k6:slo` and `pnpm k6:slo:ci`\n    - runbook: `docs/ops/k6-slo.md`\n  - Update (2026-06-10): evidence contract now covers the full SOTA §20.4 p95 set, including whitelisted SPARQL p95 `< 2s` and IIIF tile serving p95 `< 100ms`.\n    - `src/services/era-c-exit-gate.ts`\n    - `config/era-c-exit-gate-policy.json`\n    - `tests/services/era-c-exit-gate.test.ts`\n  - Verification (2026-05-31, `pnpm k6:slo`, summary export `artifacts/performance/k6-slo-summary.json`):\n    - `cached_record_hit` p95: **73.5495ms** (target `< 200ms`) ✅\n    - `cold_record_read` p95: **56.134ms** (target `< 500ms`) ✅\n    - `keyword_facet_search` p95: **55.0616ms** (target `< 300ms`) ✅\n    - `http_req_failed` rate by scenario: **0.00** ✅\n- [x] ✅ OpenAPI 3.1 at `/api/docs`\n  - Implementation landed:\n    - `GET /api/openapi` returns generated OpenAPI 3.1 JSON from live route-handler discovery (`src/services/openapi.ts`).\n    - `GET /api/docs` serves interactive Swagger UI wired to `/api/openapi`.\n  - Evidence:\n    - `app/api/openapi/route.ts`\n    - `app/api/docs/route.ts`\n    - `src/services/openapi.ts`\n    - `tests/api/openapi.test.ts`\n    - `tests/api/docs.test.ts`\n  - Verification (2026-05-31): `pnpm test -- tests/api/openapi.test.ts tests/api/docs.test.ts` passing.\n- [x] ✅ Pen test + DR drill\n  - Executable hardening gate landed:\n    - `pnpm pentest:baseline` (dependency advisory regression check against committed baseline)\n    - `pnpm dr:drill` (non-destructive restore rehearsal with SHA-256 parity checks)\n    - `pnpm hardening:pen-dr` (combined gate)\n  - Baselines + runbooks:\n    - `config/security-audit-baseline.json`\n    - `docs/ops/security-dr-drill.md`\n  - Artifacts:\n    - `artifacts/security/pnpm-audit-summary.json`\n    - `artifacts/dr-drill/latest.json`\n\n### Era C Principal Hardening Addenda (Staff/Principal Review)\n\nThese items are now integrated as explicit execution backlog for distributed systems, lifecycle integrity, AI safety, UX globalization, and privacy controls.\n\n#### 1) Infrastructure + distributed systems\n\n- [x] ✅ Transactional outbox for Postgres → Solr/GraphDB consistency on write paths (`outbox_events` table + reliable projector worker + replay-safe idempotency keys).\n  - Landed transactional write-path integration in `src/services/records.ts`:\n    - Postgres mode now atomically upserts `storage_documents.records` and enqueues `outbox_events` in one transaction.\n    - Idempotency key: `sha256(\"record.upsert|recordId|sourceHash\")`.\n  - Outbox persistence + retry lifecycle:\n    - `src/services/outbox.ts` (`claim`/`process`/`retry`/`dead_letter` flow, SKIP LOCKED claims, backoff).\n    - `ops/postgres/init/02-outbox.sql` bootstraps `outbox_events` + indexes.\n  - Reliable projector worker:\n    - `src/services/outbox-projector.ts` (Solr + GraphDB projection with per-event ack/fail handling).\n    - `scripts/outbox-projector.ts`, `pnpm outbox:projector`, `pnpm outbox:projector:once`.\n  - Ops docs:\n    - `docs/ops/outbox-projector.md`\n- [x] ✅ Outbox failure handling policy (retry budget, dead-letter queue, operator replay tooling, and alerting).\n  - Policy + queue health primitives:\n    - `src/services/outbox.ts`\n      - env-driven policy (`OUTBOX_MAX_ATTEMPTS`, queue/age thresholds)\n      - queue health summary counters/aging\n      - dead-letter listing, replay helpers, stale-processing requeue\n  - Operator tooling:\n    - `scripts/outbox-ops.ts`\n    - `pnpm outbox:status`\n    - `pnpm outbox:dlq:list`\n    - `pnpm outbox:replay:dlq`\n    - `pnpm outbox:requeue:stale`\n  - Alerting:\n    - `src/services/outbox-alerts.ts`\n    - `scripts/outbox-alert-check.ts`\n    - `pnpm outbox:alert:check` with optional webhook dispatch via `OUTBOX_ALERT_WEBHOOK_URL`\n  - Ops docs:\n    - `docs/ops/outbox-projector.md`\n- [x] ✅ OpenTelemetry end-to-end trace propagation across Next.js, validation service, reconciliation service, Dagster pipeline runs, and GraphDB/Solr calls.\n- [x] ✅ Correlated request/run identifiers enforced in logs + traces (`x-request-id` / traceparent continuity).\n  - Evidence: `instrumentation.ts` (`@vercel/otel` registration), Python OTel bootstrap in `services/validation-service/main.py`, `services/reconciliation-service/main.py`, and pipeline run tracing in `pipeline/run_materialize.py`.\n  - Evidence: request/response trace header continuity via `src/utils/observability.ts`, `src/utils/protocol.ts`, and `proxy.ts`; write-audit correlation fields persisted from async trace context in `src/services/write-audit.ts`.\n  - Evidence: local OTLP wiring templates + runbook (`.env.otlp.tempo.example`, `.env.otlp.jaeger.example`, `docs/ops/otel-local.md`) and explicit DB span attributes at finalized GraphDB/Solr call sites (`src/utils/otel-db-spans.ts`, `src/services/ai-query.ts`, `src/services/solr-client.ts`).\n\n#### 2) Data lifecycle + upstream sync\n\n- [x] ✅ Provider tombstone handling in C2 pipeline (HTTP `404/410` upstream signals mark local tombstone, deindex in Solr, and emit deletion activity).\n  - C2 pipeline lifecycle handling landed in `pipeline/metamuseum_pipeline/assets.py`:\n    - upstream tombstone detection from `_source.upstreamStatus` / `_source.httpStatus` / `_source.statusCode`\n    - local tombstone registry persisted in `pipeline/state/materialized-records.json` (`tombstones` block)\n    - Solr deindex call on tombstone transition (`/solr//update` delete-by-id)\n    - deletion activity emission to `pipeline/state/deletion-activities.json` with `Delete` + `Tombstone` object semantics\n  - Test coverage:\n    - `pipeline/tests/test_c2_pipeline.py` (`test_tombstone_404_marks_local_tombstone_and_emits_delete_activity`)\n  - Live drill (2026-05-31):\n    - projected record `https://example.org/object/outbox-deindex-final-1780254290729` into Solr via outbox projector,\n    - ran C2 tombstone materialization with `_source.upstreamStatus=410`,\n    - Solr exact-id count transitioned `before=1` -> `after=0`,\n    - summary included `deindexed=1` + `deletion_activities_emitted=1`.\n- [x] ✅ ActivityStreams deletion semantics for tombstoned records (`Delete`/`Tombstone` event policy documented and implemented).\n  - Feed policy + implementation landed in `app/api/activity/route.ts`:\n    - `/api/activity` now merges C2 tombstone lifecycle activities from `pipeline/state/deletion-activities.json`.\n    - Tombstoned records are emitted as ActivityStreams `Delete` events with `object.type = \"Tombstone\"` and `object.formerType = \"HumanMadeObject\"`.\n    - Response includes explicit `policy.deletionSemantics` metadata for aggregator consumers.\n  - Coverage:\n    - `tests/api/activity.test.ts` (`includes Delete/Tombstone activities from tombstone lifecycle state`)\n- [x] ✅ Meta Wiki Art source-of-truth contract finalized (publication-target-only vs community-editable model).\n  - Default mode: `publication-target-only` (safe default).\n  - Optional mode: `community-editable` (explicit opt-in).\n  - Executable policy gate landed:\n    - `src/services/wiki-source-of-truth.ts`\n    - `app/api/wiki-drafts/[id]/publish/route.ts`\n  - Publish preflight now enforces source anchoring:\n    - draft `sourceRecordId` must resolve to an internal record before publish proceeds.\n  - Coverage:\n    - `tests/services/wiki-source-of-truth.test.ts`\n    - `tests/api/wiki-drafts/flow.test.ts` (`blocks publish when source record is missing under publication-target-only contract`)\n- [x] ✅ If community-editable: reverse-ETL conflict resolution pipeline from Wikibase back to Postgres with deterministic merge policy.\n  - Reverse-ETL apply endpoint landed:\n    - `POST /api/wiki-sync/reverse-etl` (`app/api/wiki-sync/reverse-etl/route.ts`)\n  - Deterministic merge + idempotency engine landed:\n    - `src/services/wiki-reverse-etl.ts`\n    - precedence policy: newer `modifiedAt` wins; equal timestamp tie-break by lexicographic `changeId`; replayed `changeId` is skipped.\n  - Back-sync state persistence landed:\n    - `storage/wiki-reverse-etl-state.json` (`wiki_reverse_etl_state` managed in Postgres modes)\n  - Coverage:\n    - `tests/services/wiki-reverse-etl.test.ts`\n    - `tests/api/wiki-reverse-etl.test.ts`\n\n#### 3) AI/LLM reliability (EvalOps)\n\n- [x] ✅ Golden evaluation dataset for complex museum questions (minimum 100 prompts with expected grounding/citation behavior).\n  - Dataset landed:\n    - `evals/golden-museum-questions.v1.json` (`120` prompts, rubric + per-prompt grounding/citation/refusal expectations)\n  - EvalOps documentation landed:\n    - `docs/evals/golden-museum-questions.md`\n  - Executable conformance gate landed:\n    - `tests/quality/ai-eval-golden-dataset.test.ts`\n- [x] ✅ CI eval gate for AI-layer PRs (faithfulness, relevance, citation accuracy, citation freshness) using an evaluation harness (Ragas/DeepEval-equivalent workflow).\n  - Eval harness landed:\n    - `src/services/ai-eval-harness.ts`\n    - `scripts/ai-eval-gate.ts`\n  - Commands landed:\n    - `pnpm ai:eval:report`\n    - `pnpm ai:eval:gate`\n  - CI workflow landed (AI-layer path-gated):\n    - `.github/workflows/ai-eval-gate.yml`\n  - Coverage:\n    - `tests/services/ai-eval-harness.test.ts`\n- [x] ✅ Regression thresholds for model/prompt/version changes with fail-fast policy on citation and citation-freshness drift.\n  - Versioned regression policy landed:\n    - `config/ai-eval-regression-policy.json`\n    - baseline identity keys: `datasetId + datasetVersion + modelVersion + promptVersion`\n  - Drift evaluator landed:\n    - `src/services/ai-eval-regression.ts`\n    - citation drift is configured as fail-fast (`failFastOnCitationDrift`)\n    - citation freshness drift is configured as fail-fast (`failFastOnCitationFreshnessDrift`)\n  - Gate runner wiring landed:\n    - `scripts/ai-eval-gate.ts` (`--check`, `--record-baseline`)\n    - `pnpm ai:eval:gate`\n    - `pnpm ai:eval:baseline:record`\n  - CI enforcement landed:\n    - `.github/workflows/ai-eval-gate.yml`\n  - Coverage:\n    - `tests/services/ai-eval-regression.test.ts`\n- [x] ✅ Structured evaluation artifact retention for trend analysis (per-run metrics + prompt/model version metadata).\n  - Eval artifact retention service landed:\n    - `src/services/ai-eval-artifacts.ts`\n  - Gate runner now writes:\n    - `artifacts/evals/ai-eval-gate-latest.json`\n    - `artifacts/evals/runs/ai-eval-gate-.json`\n    - `artifacts/evals/trend-index.json`\n    - `artifacts/evals/summary.md` with CI badges, artifact links, and freshness-aging alerts\n  - CI visibility:\n    - `.github/workflows/ai-eval-gate.yml` appends `artifacts/evals/summary.md` to `$GITHUB_STEP_SUMMARY`\n    - `.github/workflows/ai-eval-gate.yml` uploads `artifacts/evals/` for post-run inspection\n  - Retention control:\n    - `METAMUSEUM_EVAL_RETENTION_MAX_RUNS` (default `200`)\n  - Coverage:\n    - `tests/services/ai-eval-artifacts.test.ts`\n\n#### 4) Frontend UX + research quality\n\n- [x] ✅ Next.js i18n routing + locale negotiation from `Accept-Language` with graceful fallback.\n  - Locale-aware proxy routing landed:\n    - `proxy.ts`\n  - i18n routing policy + negotiation utilities landed:\n    - `src/utils/i18n-routing.ts`\n    - `src/utils/locale-preferences.ts`\n  - Behavior:\n    - Non-localized `GET/HEAD` page requests redirect to `/{locale}/...` using negotiated locale.\n    - Locale-prefixed requests rewrite to canonical internal routes while preserving locale context via request header/cookie.\n    - Unsupported locale negotiation gracefully falls back to default locale (`en`).\n    - Write-route role checks remain enforced against locale-normalized paths.\n  - Coverage:\n    - `tests/utils/i18n-routing.test.ts`\n- [x] ✅ Linked Art language-tag selection policy in UI rendering (prefer user locale, then fallback chain, preserving source labels).\n  - Locale and language-tag policy utilities landed:\n    - `src/utils/locale-preferences.ts`\n    - `src/utils/linked-art-language.ts`\n  - UI renderers now pass request locale preferences from `Accept-Language`:\n    - `app/(workspace)/artwork/[id]/page.tsx`\n    - `app/(workspace)/entity/[id]/page.tsx`\n    - `app/(workspace)/records/page.tsx`\n    - `app/(workspace)/entities/page.tsx`\n    - `app/(workspace)/iiif/page.tsx`\n  - Linked Art projection layers now apply locale-aware label selection while preserving source-label fallbacks:\n    - `src/utils/artwork-builder.ts`\n    - `src/utils/entities.ts`\n  - Coverage:\n    - `tests/utils/linked-art-language.test.ts`\n    - `tests/utils/artwork-builder.test.ts`\n    - `tests/utils/entities.test.ts`\n- [x] ✅ Researcher feedback/annotation loop using W3C Web Annotation model (claim-targeted annotations without mutating canonical `_source.raw`).\n  - W3C annotation contracts + validation landed:\n    - `src/contracts/zod/web-annotation.ts`\n    - `src/contracts/web-annotation.ts`\n    - `src/contracts/zod/requests.ts`\n  - Annotation persistence is isolated from canonical records and stored as a separate managed document (`annotations.json`):\n    - `src/services/annotations.ts`\n    - `src/utils/storage.ts`\n  - API endpoints landed for create/list/get with public CORS and audit logging:\n    - `app/api/annotations/route.ts`\n    - `app/api/annotations/[id]/route.ts`\n  - Research UI loop landed on artwork detail pages:\n    - `src/components/research-annotation-loop.tsx`\n    - `app/(workspace)/artwork/[id]/page.tsx`\n  - Coverage:\n    - `tests/api/annotations.test.ts`\n    - `tests/auth/roles.test.ts`\n- [x] ✅ Curator triage queue for annotation-driven correction proposals with provenance-safe review flow.\n  - Curator triage queue API landed with state-aware queue metrics and claim-target proposal payloads:\n    - `app/api/annotations/triage/route.ts`\n  - Provenance-safe review action API landed:\n    - `app/api/annotations/[id]/review/route.ts`\n    - `src/services/annotations.ts` (`review()` workflow transitions)\n  - Role policy enforces editor/admin review access while preserving researcher submit access:\n    - `src/auth/roles.ts`\n  - Curator workspace queue UI landed:\n    - `app/curator/annotations/page.tsx`\n    - `src/components/annotation-triage-workbench.tsx`\n    - `app/layout.tsx` (workspace navigation link)\n  - Coverage:\n    - `tests/api/annotations.test.ts`\n    - `tests/auth/roles.test.ts`\n\n#### 5) Security + privacy posture\n\n- [x] ✅ PII/sensitivity scan stage in C2 ETL before public indexing/syndication.\n  - `src/utils/sensitivity.ts` scans materialized records for PII, cultural-sensitivity, and restricted-publication signals while excluding raw provider payload blobs.\n  - `src/utils/record-materializer.ts` attaches `_sensitivity` review state during import/persist materialization.\n  - `src/services/outbox-projector.ts` skips Solr + GraphDB public projections for records held by sensitivity review.\n  - Coverage:\n    - `tests/utils/sensitivity.test.ts`\n    - `tests/utils/record-materializer.test.ts`\n    - `tests/utils/search-index.test.ts`\n    - `tests/services/outbox-projector.test.ts`\n- [x] ✅ Human-review hold policy for flagged records (restricted publication until disposition).\n  - Flagged records carry `_sensitivity.status = \"review_required\"` and `_sensitivity.holdPublication = true`.\n  - Held records are excluded from Solr/GraphDB syndication and flattened with `publication_status = \"held_for_review\"` plus no public `text_all`.\n- [x] ✅ Culturally sensitive knowledge handling rules integrated with rights/reuse UI and syndication controls.\n  - Cultural-sensitivity scan rules and syndication holds now flow into explorer DTOs as `held_for_review` records with explicit rights/reuse review labels.\n  - `RightsBadge` renders sensitivity labels as review-required publication holds, keeping cultural-sensitivity warnings visible anywhere rights/reuse chips appear.\n  - Coverage:\n    - `tests/components/linked-atomics.test.ts`\n    - `tests/utils/artwork-builder.test.ts`\n- [x] ✅ Security telemetry for sensitivity decisions (who approved, why, and when).\n  - Scanner telemetry records version, scan time, signal count, highest severity, and hold policy.\n  - Human disposition telemetry now requires reviewer identity, rationale, and timestamp before approval can clear a publication hold.\n  - Materialization preserves existing disposition telemetry during record rewrites, and reviewed records only return to public indexing after an approved disposition.\n  - Coverage:\n    - `tests/utils/sensitivity.test.ts`\n    - `tests/utils/record-materializer.test.ts`\n    - `tests/utils/search-index.test.ts`\n\n#### 6) Content credibility engine (trust/originality/distribution/consistency)\n\n- [x] ✅ Baseline credibility-engine policy document landed:\n  - `docs/content-credibility-engine.md`\n- [x] ✅ Trust-layer storage templates landed:\n  - `provenance/ledger.json`\n  - `provenance/source-map.yaml`\n- [x] ✅ Originality-layer storage template landed:\n  - `semantic-core/originality-index.json`\n  - baseline novelty threshold documented (`cosine_distance > 0.18`)\n- [x] ✅ Distribution/consistency scaffolding landed:\n  - `distribution/schedule.yaml`\n  - runtime queue path reserved at `distribution/queue.db` (gitignored)\n  - `generation/style-profile.md`\n- [x] ✅ Monitoring scaffold landed:\n  - `monitoring/metrics.json`\n- [x] ✅ Enforce citation-coverage gates in code for generated/publishable artifacts.\n  - `POST /api/content/generate` now returns `422` when computed citation coverage falls below threshold (`METAMUSEUM_CITATION_COVERAGE_THRESHOLD`, default `0.95`), including coverage diagnostics in response.\n  - `POST /api/wiki-drafts/[id]/publish` now runs explicit publish preflight and returns `422` with preflight diagnostics when citation coverage or other publishability checks fail.\n  - Evidence: `src/utils/citation-coverage.ts`, `app/api/content/generate/route.ts`, `src/services/wiki-publish.ts`, `app/api/wiki-drafts/[id]/publish/route.ts`, `tests/api/content-generate.test.ts`, `tests/quality/cite-or-refuse-conformance.test.ts`, `tests/services/wiki-publish.test.ts`.\n- [x] ✅ Enforce originality-score gates in code for generated/publishable artifacts.\n  - Originality scoring utility landed with policy-driven threshold + minimum unique-insight checks:\n    - `src/utils/originality-score.ts`\n  - `POST /api/content/generate` now returns `422` when originality score gates fail, including originality diagnostics in output payload.\n    - `src/services/agents.ts`\n    - `app/api/content/generate/route.ts`\n  - Wiki publish preflight now enforces originality gates before publishable status:\n    - `src/services/wiki-publish.ts`\n    - `app/api/wiki-drafts/[id]/publish/route.ts`\n  - Coverage:\n    - `tests/utils/originality-score.test.ts`\n    - `tests/api/content-generate.test.ts`\n    - `tests/quality/cite-or-refuse-conformance.test.ts`\n    - `tests/services/wiki-publish.test.ts`\n    - `tests/api/wiki-drafts/flow.test.ts`\n- [x] ✅ Add weekly credibility audit automation (drift + relevance + broken-link checks).\n  - Weekly audit orchestration script landed:\n    - `scripts/credibility-audit.ts`\n    - `src/services/credibility-audit.ts`\n  - Package commands:\n    - `pnpm credibility:audit`\n    - `pnpm credibility:audit:check`\n  - Weekly GitHub Action landed:\n    - `.github/workflows/credibility-audit.yml`\n    - uploads `artifacts/credibility-audit/latest.json`\n  - Coverage:\n    - `tests/services/credibility-audit.test.ts`\n- [x] ✅ Add queue worker implementation for multi-channel publish orchestration (web/linkedin/medium/email/api).\n  - Publish queue worker service landed with:\n    - schedule parsing from `distribution/schedule.yaml`\n    - durable queue state in `distribution/queue.db`\n    - per-channel delivery states, retries/backoff, dead-letter handling\n    - per-day channel cap deferral logic from schedule policy\n    - channel adapters for `web`, `linkedin`, `medium`, `email`, `api`\n  - Files:\n    - `src/services/publish-queue-worker.ts`\n    - `scripts/publish-queue-worker.ts`\n    - `distribution/README.md`\n  - Commands:\n    - `pnpm publish:queue:worker`\n    - `pnpm publish:queue:worker:once`\n    - `pnpm publish:queue:worker:drain`\n  - Coverage:\n    - `tests/services/publish-queue-worker.test.ts`\n- [x] ✅ Add OpenTelemetry metric/span conventions for trust/originality/distribution events.\n  - Shared conventions module landed with stable span/metric names plus common layer/event/kind/outcome attributes:\n    - `src/utils/otel-credibility.ts`\n  - Trust/originality gates now emit standardized spans/metrics:\n    - `src/utils/citation-coverage.ts`\n    - `src/utils/originality-score.ts`\n  - Wiki publish preflight/execute and distribution queue orchestration emit the same conventions:\n    - `src/services/wiki-publish.ts`\n    - `src/services/publish-queue-worker.ts`\n  - Coverage:\n    - `tests/utils/otel-credibility.test.ts`\n- [x] ✅ Add eval thresholds for engagement velocity and trust/originality regression alerts.\n  - Threshold evaluator landed for engagement velocity minimum plus trust/originality minimum and baseline-drop budgets:\n    - `src/services/credibility-eval-thresholds.ts`\n    - `config/credibility-eval-thresholds.json`\n  - Weekly credibility audit now evaluates and reports these alerts:\n    - `src/services/credibility-audit.ts`\n    - `scripts/credibility-audit.ts`\n  - Coverage:\n    - `tests/services/credibility-eval-thresholds.test.ts`\n    - `tests/services/credibility-audit.test.ts`\n\n#### Highest ROI priority\n\n- [x] ✅ Implement OpenTelemetry before broader C4/C5 expansion to prevent distributed-debugging bottlenecks.\n\nMeta Wiki Art bridge implementation notes:\n- [x] ✅ See [meta-wiki-art-bridge.md](meta-wiki-art-bridge.md) for sequencing constraints, boundaries, and the staged publish flow.\n  - Sequencing constraints are documented under `## Sequencing constraints`.\n  - Bridge boundaries are documented under `## Boundaries (Out Of Scope For Era A/B)`.\n  - Staged publish flow is documented under `## Planned C5 flow`.\n\n**Era C exit gate:**\n- [x] ✅ Automated evidence pack landed for all four checks (artifact schema + nightly job + dated run history).\n  - Schema: `docs/schemas/era-c-exit-gate-evidence.schema.json`\n  - Policy: `config/era-c-exit-gate-policy.json`\n  - Script + artifacts: `scripts/era-c-exit-gate.ts`, `artifacts/exit-gate/`\n  - Trend index now carries compact failed-check reasons so agents can prioritize the next blocker without opening every historical artifact.\n  - Telemetry snapshot automation: `scripts/monitoring-telemetry-sync.ts` via `pnpm monitoring:telemetry:sync` (wired into `pnpm era-c:exit-gate:evidence` / `pnpm era-c:exit-gate:check`)\n  - Nightly workflow: `.github/workflows/era-c-exit-gate-evidence.yml`\n  - Nightly workflow now supports deployed-target evidence via `METAMUSEUM_EVIDENCE_BASE_URL`, `METAMUSEUM_EVIDENCE_IIIF_TILE_URL`, optional SPARQL/query vars, and matrix-first `METAMUSEUM_ACTIVITY_CONSUMER_IDS` (`METAMUSEUM_ACTIVITY_CONSUMER_ID` fallback); when target vars are missing it keeps the local `pnpm k6:slo:ci` fallback so automation still produces artifacts.\n- [x] ✅ Deployment-foundation preflight landed for controlled beta / production launch review.\n  - Commands: `pnpm launch:preflight`, `pnpm launch:preflight:production`\n  - Script + service: `scripts/deployment-preflight.ts`, `src/services/deployment-preflight.ts`\n  - Runbook: `docs/ops/deployment-preflight.md`\n  - Scope: verifies env/secrets, Postgres mode, uptime source, SLO target URL, fresh DR restore rehearsal, and staging-vs-production smoke-token posture before collecting exit-gate evidence.\n- [x] ✅ Launch review packet landed for controlled beta / production launch decision evidence.\n  - Commands: `pnpm launch:review`, `pnpm launch:review:check`, `pnpm launch:review:production`\n  - Script + service: `scripts/launch-review.ts`, `src/services/launch-review.ts`\n  - Runbook: `docs/ops/launch-review.md`\n  - Scope: aggregates latest preflight, Era C exit-gate, security audit baseline, DR drill, public-trust smoke, a11y evidence, and explore smoke evidence; production fails on missing/stale/red evidence while staging can warn for beta-only evidence collection.\n  - Evidence producers: `pnpm a11y:check` writes `artifacts/launch/a11y-latest.json`, and `pnpm smoke:explore:matrix` writes `artifacts/launch/explore-smoke-latest.json`.\n- [ ] ⚠️ Latest exit-gate status is **failed** (`2026-06-10T11:36:30.690Z`), but the artifact is now agent-actionable:\n  - SLO failures distinguish incomplete k6 summaries from actual p95 threshold breaches via `missingMetricsInWindow` and per-sample `metricDetails`.\n  - Uptime failures include evidence `source` and `notes`.\n  - Activity adoption credits only declared external consumers with `class: \"declared\"` and `declaredId`.\n  - KPI failures include source metadata, snapshot notes, and per-failed-metric source/reason details.\n- [ ] All SLOs in SOTA §20.4 met at p95 over a 30-day window.\n  - Evidence contract now requires all five p95 SLO metrics: cached Record, cold Record, keyword+facet search, whitelisted SPARQL, and IIIF tile serving.\n  - SLO evidence artifacts now include missing-metric summaries and per-sample metric details so incomplete k6 runs are actionable separately from threshold breaches.\n  - Nightly workflow hardening can now collect complete deployed-target samples once GitHub vars provide the app base URL, IIIF tile URL, and whitelisted SPARQL inputs.\n  - Current blocker: retained k6 history has only `3/30` samples and those samples are legacy three-metric summaries missing whitelisted SPARQL and IIIF tile p95 values.\n- [ ] 99.9% uptime on public read.\n  - Uptime gate now rejects stale or undated availability snapshots; `uptime.maxSnapshotAgeHours` defaults to `48` so the 30-day proof must be continuously refreshed.\n  - Uptime evidence artifacts now surface source (`prometheus`, `probe`, `unavailable`) plus notes, making missing public-read proof actionable without opening telemetry snapshots.\n  - Current blocker: uptime source is `probe`, availability is `1`, and `sampleCount30d` is `3`; continue scheduled probes until the 30-sample window is met.\n- [ ] ≥ 3 external Linked Art systems consume the `/api/activity` feed.\n  - Exit-gate adoption evidence now credits only declared external consumers via `x-linked-art-consumer-id`; derived fingerprints remain diagnostic and cannot satisfy the gate.\n  - Evidence ingestion preserves `class` + `declaredId` from `storage/activity-consumers.json`, so declared external consumers can satisfy the gate when real adoption arrives.\n  - Activity adoption proof tooling now rejects placeholder/local IDs by default, probes `/api/activity` + `/api/activity/readiness`, and writes dated single-consumer + matrix artifacts under `artifacts/activity-adoption/`.\n  - Current blocker in the latest published artifact: declared external consumers are `0/3`; run `pnpm activity:adoption:matrix` with three partner-owned consumer IDs against the deployed target after those consumers are onboarded.\n- [ ] KPIs in SOTA §26 hit.\n  - KPI gate now rejects stale or undated KPI snapshots and requires real AI query cost telemetry when `kpis26.requireAiQueryCostTelemetry` is enabled; fallback default cost values remain diagnostic only.\n  - KPI evidence artifacts now include source metadata, snapshot notes, and per-failed-metric source/reason details so SOTA §26 blockers are actionable without opening telemetry inputs.\n  - KPI telemetry sync now accepts `monitoring/kpi-evidence.json` (or `METAMUSEUM_KPI_EVIDENCE_PATH`) for aggregate production record-enrichment and reconciliation-review counts; invalid sections are ignored instead of creating false-green metrics.\n  - AI query telemetry now logs `costUsd`, `costCurrency`, `costSource`, and usage counts per query; the deterministic local planner records `costUsd: 0` with `costSource: \"deterministic-local-planner\"` instead of relying on fallback KPI defaults.\n  - Nightly workflow now seeds one deployed `/api/ai/query` request before telemetry sync when `METAMUSEUM_EVIDENCE_BASE_URL` is configured.\n  - Current blockers in the latest published artifact: `dataQualityEnrichedShare`, `reconciliationAutoApproveRate`, and `reconciliationPrecisionReviewed`; AI query cost telemetry is now sourced and within policy, so the remaining KPI work is production enrichment/reconciliation evidence.\n\n---\n\n","sections":[{"level":2,"heading":"Three eras","anchor":"three-eras"},{"level":2,"heading":"Era A — The Lift (10 slices, PR-sized each)","anchor":"era-a-the-lift-10-slices-pr-sized-each"},{"level":3,"heading":"Slice 0 — Staging (DONE)","anchor":"slice-0-staging-done"},{"level":3,"heading":"Slice 1 — Foundations (TDD infra first) (DONE)","anchor":"slice-1-foundations-tdd-infra-first-done"},{"level":3,"heading":"Slice 2 — Met vertical (canary) (DONE)","anchor":"slice-2-met-vertical-canary-done"},{"level":3,"heading":"Slice 3 — Getty vertical (DONE)","anchor":"slice-3-getty-vertical-done"},{"level":3,"heading":"Slice 4 — Records + Artworks + Entities (DONE)","anchor":"slice-4-records-artworks-entities-done"},{"level":3,"heading":"Slice 5 — Linked Art Inspector + Roadmap + Best-Practices (DONE)","anchor":"slice-5-linked-art-inspector-roadmap-best-practices-done"},{"level":3,"heading":"Slice 6 — Patterns + Graph (DONE)","anchor":"slice-6-patterns-graph-done"},{"level":3,"heading":"Slice 7 — Issues + SSE (DONE)","anchor":"slice-7-issues-sse-done"},{"level":3,"heading":"Slice 8 — Agents + Jobs + Content Generation + Automation (DONE)","anchor":"slice-8-agents-jobs-content-generation-automation-done"},{"level":3,"heading":"Slice 9 — Workspace chrome + design-system pass (Custom CSS) (DONE)","anchor":"slice-9-workspace-chrome-design-system-pass-custom-css-done"},{"level":3,"heading":"Slice 10 — Lift cleanup (DONE)","anchor":"slice-10-lift-cleanup-done"},{"level":2,"heading":"Era B — Hardening (quarters, not weeks)","anchor":"era-b-hardening-quarters-not-weeks"},{"level":3,"heading":"B1 — Zod contracts + schema versioning","anchor":"b1-zod-contracts-schema-versioning"},{"level":3,"heading":"B2 — Formal validation","anchor":"b2-formal-validation"},{"level":3,"heading":"B3 — Postgres migration","anchor":"b3-postgres-migration"},{"level":3,"heading":"B4 — Auth + roles","anchor":"b4-auth-roles"},{"level":3,"heading":"B5 — Provider expansion","anchor":"b5-provider-expansion"},{"level":4,"heading":"B5.1 — RKD Knowledge Graph provider slice (done)","anchor":"b5-1-rkd-knowledge-graph-provider-slice-done"},{"level":4,"heading":"B5.2 — Smithsonian Open Access provider slice (done)","anchor":"b5-2-smithsonian-open-access-provider-slice-done"},{"level":4,"heading":"B5.3 — Harvard Art Museums provider slice","anchor":"b5-3-harvard-art-museums-provider-slice"},{"level":4,"heading":"B5.4 — V&A Collections API provider slice","anchor":"b5-4-v-a-collections-api-provider-slice"},{"level":4,"heading":"B5.5 — Princeton University Art Museum provider slice","anchor":"b5-5-princeton-university-art-museum-provider-slice"},{"level":4,"heading":"B5.6 — National Gallery of Art Open Data provider slice","anchor":"b5-6-national-gallery-of-art-open-data-provider-slice"},{"level":4,"heading":"B5.7 — Louvre Collections JSON provider slice","anchor":"b5-7-louvre-collections-json-provider-slice"},{"level":3,"heading":"B6 — Authority caching","anchor":"b6-authority-caching"},{"level":3,"heading":"B6.1 — Exhibition + literature reconciliation hardening","anchor":"b6-1-exhibition-literature-reconciliation-hardening"},{"level":3,"heading":"B8 — API protocol + profile conformance hardening","anchor":"b8-api-protocol-profile-conformance-hardening"},{"level":3,"heading":"B9 — Linked Art modeling guardrails (provenance + lifecycle)","anchor":"b9-linked-art-modeling-guardrails-provenance-lifecycle"},{"level":3,"heading":"B10 — ARK conformance slice","anchor":"b10-ark-conformance-slice"},{"level":3,"heading":"B7 — API gateway readiness for multi-source scale","anchor":"b7-api-gateway-readiness-for-multi-source-scale"},{"level":3,"heading":"Pre-Era-C Operational Sign-Off","anchor":"pre-era-c-operational-sign-off"},{"level":2,"heading":"Era C — SOTA platform (quarters 4+)","anchor":"era-c-sota-platform-quarters-4"},{"level":3,"heading":"C1 — Multi-modal storage + HAL hypermedia (SOTA Phase 1)","anchor":"c1-multi-modal-storage-hal-hypermedia-sota-phase-1"},{"level":3,"heading":"C2 — ETL pipeline + reconciliation (SOTA Phase 2)","anchor":"c2-etl-pipeline-reconciliation-sota-phase-2"},{"level":3,"heading":"C3 — IIIF + visualizations (SOTA Phase 3)","anchor":"c3-iiif-visualizations-sota-phase-3"},{"level":3,"heading":"C4 — AI layer (SOTA Phase 4)","anchor":"c4-ai-layer-sota-phase-4"},{"level":3,"heading":"C5 — Syndication + Meta Wiki Art + hardening (SOTA Phase 5)","anchor":"c5-syndication-meta-wiki-art-hardening-sota-phase-5"},{"level":3,"heading":"Era C Principal Hardening Addenda (Staff/Principal Review)","anchor":"era-c-principal-hardening-addenda-staff-principal-review"},{"level":4,"heading":"1) Infrastructure + distributed systems","anchor":"1-infrastructure-distributed-systems"},{"level":4,"heading":"2) Data lifecycle + upstream sync","anchor":"2-data-lifecycle-upstream-sync"},{"level":4,"heading":"3) AI/LLM reliability (EvalOps)","anchor":"3-ai-llm-reliability-evalops"},{"level":4,"heading":"4) Frontend UX + research quality","anchor":"4-frontend-ux-research-quality"},{"level":4,"heading":"5) Security + privacy posture","anchor":"5-security-privacy-posture"},{"level":4,"heading":"6) Content credibility engine (trust/originality/distribution/consistency)","anchor":"6-content-credibility-engine-trust-originality-distribution-consistency"},{"level":4,"heading":"Highest ROI priority","anchor":"highest-roi-priority"}],"html":"
Meta Museum — Era Delivery History
\n
Archived detailed record of the completed delivery eras (Lift / Hardening / SOTA), moved out of the active roadmap(../roadmap.md) to keep it current. This is the slice-by-slice and B-/C-series implementation log; the roadmap holds the live status and the forward plan (roadmap-to-10.md(../roadmap-to-10.md)).
\n
---
\n
Three eras
\n
Scope honestly. The SOTA spec is a 20-week, multi-service, multi-store target. We get there in three eras with hard exit gates between them.
\n
| Era | Theme | Outcome | Tier |
\n
|---|---|---|---|
\n
| A. Lift | Move what exists into Next.js 16 + custom CSS | Public site + research workspace at parity with legacy prototype, on a modern stack | Slices 1-10 |
\n
| B. Hardening | Make the data layer trustworthy | Zod-mirrored contracts, SHACL validation, ValidationReport, Postgres swap, real auth | Quarters 2-3 post-lift |
\n
| C. SOTA | The full Yale-LUX-pattern platform | Multi-modal store, HAL hypermedia, Visual ETL Mapper, NL→SPARQL, Graph-RAG, IIIF deep-zoom, Meta Wiki Art bridge | Quarter 4+ |
\n
Cardinal rule: do not start a later era until the prior era's exit gate is green. Don't ship a SHACL validator on top of a JSON-file store, and don't ship Graph-RAG on top of unvalidated records.
\n
---
\n
Era A — The Lift (10 slices, PR-sized each)
\n
Goal: end the era with the legacy prototype's full feature set running natively on Next.js 16, custom CSS, App Router + RSC, with the dependency rules from `_legacy/AGENTS.md` preserved (adapters don't cross-import; contracts are leaves; `_source.raw` is immutable).
\n
Slice 0 — Staging (DONE)
\n
See §Status above.
\n
Slice 1 — Foundations (TDD infra first) (DONE)
\n
Port the dep-free leaves so everything else can be built on them. Test infra lands before any port.
\n
Order within the slice:
\n
  • [x] ✅ Test infra: `tsx` dev dependency + `"test": "node --import tsx --test tests/*/.test.ts"` + smoke test (`tests/smoke.test.ts`) landed; `pnpm test` green.
  • [x] ✅ Port test-first. Legacy tests were ported and implementations landed for the specified dep-free leaves.
  • [x] ✅ `src/constants.ts` (port of `_legacy/src/constants.js`)
  • [x] ✅ `src/contracts/*.ts` — all 8 (`artwork`, `source-record`, `rights-report`, `import-job`, `agent-task`, `citation`, `shared-structures`, `wiki-draft`)
  • [x] ✅ `src/utils/{text,rights,http,storage,linked-art}.ts` (leaf utils)
  • [x] ✅ No routes, no UI changes in this foundation slice scope.
\n
Acceptance: `pnpm test` green with full coverage of legacy `tests/contracts/*` and `tests/utils/{linked-art,validation-report}.test.ts`. `pnpm build` green. No new client-side bundle weight. Every implementation file has at least one corresponding test file.
\n
Slice 2 — Met vertical (canary) (DONE)
\n
Prove the route-handler pattern end-to-end with the simpler of the two adapters.
\n
  • [x] ✅ `src/adapters/{adapter-utils,provider-interface,met}.ts` + tests
  • [x] ✅ Route handlers (all `app/api/.../route.ts`): `/health`, `/met/profile`, `/met/departments`, `/met/search` (POST), `/met/object` (POST), `/met/import` (POST)
  • [x] ✅ `app/explore/page.tsx` — minimal custom-CSS UI calling `/api/met/search`, showing image cards
  • [x] ✅ `app/layout.tsx` — `Create Next App` metadata replaced; shell landed and evolved in later slices
\n
Acceptance: User can search Met for "flowers", click a result, see object detail JSON. Loading/empty/error states present. No Linked Art shortcuts taken — Met objects normalize through the `Artwork` contract before display.
\n
Slice 3 — Getty vertical (DONE)
\n
Same shape as Slice 2 for Getty (more endpoints).
\n
  • [x] ✅ `src/adapters/getty.ts` + tests
  • [x] ✅ Routes: `/getty/profile`, `/getty/entity` (POST), `/getty/import` (POST), `/getty/activity` (GET), `/getty/sparql` (POST)
  • [x] ✅ `app/explore/page.tsx` extended with provider toggle (Getty / Met / both; later expanded further)
  • [x] ✅ `app/getty/page.tsx` — SPARQL playground + ActivityStream peek
\n
Acceptance: Both providers reachable from `/explore`. Getty SPARQL playground returns rows. Rights and source attribution rendered on every card.
\n
Slice 4 — Records + Artworks + Entities (DONE)
\n
The persistence-touching slice. Storage stays JSON files in `storage/`.
\n
  • [x] ✅ `src/utils/{artwork-builder,artwork-facets,entities,relationships}.ts` + tests
  • [x] ✅ Routes: `/records` (GET/POST), `/records/[id]` (GET), `/artworks/[id]` (GET), `/entities` (GET), `/entities/[id]` (GET), `/explorer/artworks` (GET), `/explorer/import` (POST)
  • [x] ✅ Pages: `app/records/page.tsx`, `app/artwork/[id]/page.tsx`, `app/entity/[id]/page.tsx`
  • [x] ✅ Async-`params` patterns applied per Next 16 requirements.
\n
Acceptance: Import a Met or Getty record from `/explore`; it appears on `/records`; clicking it opens `/artwork/[id]` with maker, date, materials, rights, citation, and a list of pivotable entities. Each entity link opens `/entity/[id]`.
\n
Slice 5 — Linked Art Inspector + Roadmap + Best-Practices (DONE)
\n
Port the JSON-LD inspect/import workflow plus the two reflective endpoints.
\n
  • [x] ✅ `src/utils/best-practices-audit.ts` + tests
  • [x] ✅ Routes: `/linked-art/profile`, `/linked-art/inspect` (POST), `/linked-art/import` (POST), `/roadmap`, `/best-practices`
  • [x] ✅ Pages: `app/linked-art/page.tsx`, `app/roadmap/page.tsx`
  • [x] ✅ `/api/roadmap` returns this document as structured JSON; `/api/best-practices` preserves legacy audit semantics.
\n
Started in this pass:
\n
  • [x] ✅ `src/utils/best-practices-audit.ts` + tests.
  • [x] ✅ `/api/roadmap` route returning structured JSON.
  • [x] ✅ `/api/best-practices` route running the audit against stored records.
  • [x] ✅ `app/roadmap/page.tsx` initial UI shell.
  • [x] ✅ `/linked-art/profile`, `/linked-art/inspect`, `/linked-art/import` routes.
  • [x] ✅ `app/linked-art/page.tsx` full inspect/import workflow UI.
\n
Acceptance: Paste a Linked Art JSON-LD blob → see the inspection report. The roadmap page renders this file's phases and exit gates.
\n
Slice 6 — Patterns + Graph (DONE)
\n
Port pattern discovery and the graph view.
\n
  • [x] ✅ `src/utils/patterns.ts` + tests
  • [x] ✅ Routes: `/patterns` (POST), `/graph` (GET)
  • [x] ✅ Pages: `app/patterns/page.tsx`, `app/graph/page.tsx` (Cytoscape force-directed — first external runtime dep; `cytoscape` + `cytoscape-cose-bilkent` per SOTA §3.2)
\n
Acceptance: Pattern scan produces buckets for unknown makers, missing dates, shared concepts. Graph page renders nodes (artworks + entities) with click-to-pivot.
\n
Started in this pass:
\n
  • [x] ✅ `src/utils/patterns.ts` + tests.
  • [x] ✅ `/api/patterns` route returning unknown + shared buckets.
  • [x] ✅ `/api/graph` route returning artwork/entity nodes + edges with pivot hrefs.
  • [x] ✅ `app/patterns/page.tsx` pattern scan UI.
  • [x] ✅ `app/graph/page.tsx` + `src/components/graph-viewer.tsx` Cytoscape force-directed graph UI.
  • [x] ✅ Runtime deps: `cytoscape`, `cytoscape-cose-bilkent`.
\n
Slice 7 — Issues + SSE (DONE)
\n
The streaming case.
\n
  • [x] ✅ Route: `/issues` (GET), `/issues/webhook` (POST), `/issues/stream` (GET — `ReadableStream`, `export const dynamic = 'force-dynamic'`)
  • [x] ✅ Page: `app/issues/page.tsx` with the live-updating issue inventory (re-uses `_legacy/storage/linked-art-issues.json` as a fallback cache, refreshes from GitHub on a `revalidate` cadence)
\n
Acceptance: Issues view loads from cache instantly, hot-updates from SSE without a refresh, and respects the same `GITHUB_OWNER`/`GITHUB_REPO`/`ISSUE_POLL_MS` env vars as the legacy server.
\n
Started in this pass:
\n
  • [x] ✅ `src/services/issues.ts` service with legacy-compatible env vars, live GitHub fetch, local runtime cache, and `_legacy/storage/linked-art-issues.json` fallback.
  • [x] ✅ `/api/issues` route with optional `?refresh=1` force refresh.
  • [x] ✅ `/api/issues/webhook` route with optional signature verification and issue-event refresh hooks.
  • [x] ✅ `/api/issues/stream` route using `ReadableStream` SSE (`dynamic = "force-dynamic"`).
  • [x] ✅ `/issues/webhook` + `/issues/stream` direct route aliases for legacy-compatible pathing.
  • [x] ✅ `app/issues/page.tsx` + `src/components/issues-workbench.tsx` live issue inventory UI with SSE updates.
  • [x] ✅ New tests for service + routes: `tests/services/issues.test.ts`, `tests/api/issues.test.ts`, `tests/api/issues-webhook.test.ts`, `tests/api/issues-stream.test.ts`.
\n
Slice 8 — Agents + Jobs + Content Generation + Automation (DONE)
\n
Port the agent/job stubs as-is. No new agent logic this slice — just parity.
\n
  • [x] ✅ Routes: `/agents/run` (POST), `/content/generate` (POST), `/jobs` (GET), `/jobs/run` (POST)
  • [x] ✅ Pages: `app/agents/page.tsx`, `app/automation/page.tsx`
\n
Acceptance: Manual pattern scan + collection brief jobs runnable from the UI; output appears in `app/automation/page.tsx`.
\n
Started in this pass:
\n
  • [x] ✅ `src/services/agents.ts` with legacy-parity agent/content stubs (`runAgent`, `generateContent`) and local fallback drafting.
  • [x] ✅ `src/services/jobs.ts` JSON-backed manual jobs service with seeded defaults and `lastRun` updates.
  • [x] ✅ `/api/agents/run`, `/api/content/generate`, `/api/jobs`, `/api/jobs/run` routes.
  • [x] ✅ Legacy-compatible direct route aliases: `/agents/run`, `/content/generate`, `/jobs`, `/jobs/run`.
  • [x] ✅ `app/agents/page.tsx` + `src/components/agents-workbench.tsx` for manual agent and content runs.
  • [x] ✅ `app/automation/page.tsx` + `src/components/automation-workbench.tsx` for job execution and output review.
  • [x] ✅ Route tests: `tests/api/agents-run.test.ts`, `tests/api/content-generate.test.ts`, `tests/api/jobs.test.ts`, `tests/api/jobs-run.test.ts`.
\n
Slice 9 — Workspace chrome + design-system pass (Custom CSS) (DONE)
\n
Now everything works route-by-route. Unify the visual layer.
\n
  • [x] ✅ `app/(workspace)/layout.tsx` route group — sidebar nav + topbar, all custom CSS
  • [x] ✅ Expand `app/globals.css` design tokens + component classes to cover every recurring pattern; keep BEM-lite naming consistent
  • [x] ✅ Implement the design-system atomics from SOTA §12.1 in `src/components/` with a `data-la-entity-id` attribute on every entity-derived element: `<LinkedDate>`, `<LinkedDimensions>`, `<LinkedLabel>`, `<UriBadge>`, `<RightsBadge>` (already in Slice 2), `<SourceBadge>`, `<CitationBlock>`
  • [x] ✅ Entity cards (SOTA §12.2): `<ObjectCard>`, `<ActorCard>`, `<PlaceCard>`, `<ConceptCard>`
  • [x] ✅ a11y pass: axe-core in CI; keyboard nav on all interactive surfaces; WCAG 2.1 AA on public pages
\n
Acceptance: Lighthouse a11y ≥ 95 on `/`, `/explore`, `/artwork/[id]`. Storybook scaffold (vite-based, no Next coupling) for the atomic components.
\n
Started in this pass:
\n
  • [x] ✅ `app/(workspace)/layout.tsx` route-group shell with keyboard-first skip link, sidebar navigation, and topbar.
  • [x] ✅ Workspace pages moved under `app/(workspace)/...` so URLs stay unchanged while sharing common chrome.
  • [x] ✅ Expanded `app/globals.css` with workspace shell classes and reusable design-system component classes.
  • [x] ✅ Added atomics in `src/components/`: `LinkedDate`, `LinkedDimensions`, `LinkedLabel`, `UriBadge`, `SourceBadge`, `CitationBlock`; extended `RightsBadge` with `data-la-entity-id`.
  • [x] ✅ Added entity cards in `src/components/`: `ObjectCard`, `ActorCard`, `PlaceCard`, `ConceptCard`.
  • [x] ✅ Wired new components into `/explore`, `/artwork/[id]`, `/entity/[id]`, and `/records`.
  • [x] ✅ Added component tests: `tests/components/linked-atomics.test.ts`, `tests/components/entity-cards.test.ts`.
  • [x] ✅ Added CI workflow at `.github/workflows/ci.yml` running lint, tests, build, Playwright install, axe accessibility checks, and Lighthouse CI assertions.
  • [x] ✅ Added Vite-based Storybook scaffold (`.storybook/*`) and atomic stories (`src/components/atomics.stories.tsx`), validated with `pnpm storybook:build`.
\n
Slice 10 — Lift cleanup (DONE)
\n
  • [x] ✅ Delete `_legacy/` (empty by now or only contains files we deliberately chose not to port)
  • [x] ✅ Rewrite `README.md` from the Next.js side; preserve the legacy product narrative
  • [x] ✅ Confirm `metamuseum-legacy/` can be archived/deleted (verified absent at `C:\\Projects\\metamuseum-legacy`).
  • [x] ✅ Security credential rotation moved to Era B operational preflight tracking (see `Pre-Era-C Operational Sign-Off` under Era B).
  • [x] ✅ Document the env-var surface (`PORT`, `GITHUB_OWNER`, `GITHUB_REPO`, `ISSUE_POLL_MS`, future `DATABASE_URL`) in `docs/env.md`
\n
Started in this pass:
\n
  • [x] ✅ Added automated parity gate test: `tests/quality/era-a-exit-gate.test.ts` (legacy route/view equivalents + route-test coverage checks).
  • [x] ✅ Lighthouse a11y gate now runs reliably in local Windows env via `scripts/lighthouse-a11y.mjs` (no `chrome-launcher` temp-dir cleanup failure path).
  • [x] ✅ `_legacy/` removed from workspace.
  • [x] ✅ Verified `C:\\Projects\\metamuseum-legacy` is absent as of May 30, 2026 (already archived/deleted outside this repo).
\n
Era A exit gate (must all be green):
\n
  • [x] ✅ Legacy API routes have Next 16 equivalents, tested (`tests/quality/era-a-exit-gate.test.ts`; current legacy snapshot evaluates to 33 route handlers).
  • [x] ✅ Legacy SPA views have Next 16 page equivalents (`tests/quality/era-a-exit-gate.test.ts`; current legacy snapshot evaluates to 13 named views).
  • [x] ✅ `pnpm build && pnpm test && pnpm lint` clean (validated in `metamuseum` conda env on May 30, 2026).
  • [x] ✅ Lighthouse a11y ≥ 95 on the public pages (`/`, `/explore`, `/artwork/[id]`) via `pnpm lighthouse:ci`.
  • [x] ✅ `_legacy/` deleted.
  • [x] ✅ `metamuseum-legacy/` archived/deleted (path not present at `C:\\Projects\\metamuseum-legacy` on May 30, 2026).
\n
---
\n
Era B — Hardening (quarters, not weeks)
\n
Goal: make the data layer trustworthy enough that AI agents and external consumers can rely on it. The Era A app keeps shipping during this era; we add validation and durable storage under it.
\n
Slices in suggested order, but each is independently shippable:
\n
B1 — Zod contracts + schema versioning
\n
  • [x] ✅ Mirror every `src/contracts/.ts` as a Zod schema in `src/contracts/zod/.ts`
  • [x] ✅ Add `schemaVersion` field + a `src/utils/migrations/` registry
  • [x] ✅ Server Actions and Route Handlers validate at the boundary with the Zod schemas
\n
Status:
\n
  • [x] ✅ Completed.
\n
B2 — Formal validation
\n
  • [x] ✅ Build a Python validation microservice (FastAPI + PySHACL + PyLD) — first non-Node service
  • [x] ✅ SHACL shapes in `shapes/linked-art/*.shacl.ttl`, fixtures in `fixtures/linked-art/{pass,fail}/`
  • [x] ✅ New route `app/api/validate/route.ts` proxies to it
  • [x] ✅ New contract `ValidationReport` (SOTA §5.1) wired into inspect/import flows
  • [x] ✅ Validation fixtures and route assertions are checked against linked-art/LinkedArtModel1.0-Reference.md(linked-art/LinkedArtModel1.0-Reference.md) before merge.
\n
Status:
\n
  • [x] ✅ Completed.
\n
B3 — Postgres migration
\n
  • [x] ✅ Postgres 16 via Docker Compose for dev (`ops/docker-compose.yml`)
  • [x] ✅ Migrate `storage/{records,jobs}.json` → Postgres JSONB tables via a one-time exporter that double-writes for one release, then cuts over
  • [x] ✅ Replace `src/utils/storage.ts` JSON-file impl with a Postgres impl behind the same interface; no call sites change
  • [x] ✅ Add `next-env.d.ts` env validation with Zod for `DATABASE_URL`
\n
Status:
\n
  • [x] ✅ Completed.
  • [x] ✅ Added `ops/docker-compose.yml` + `ops/postgres/init/01-storage.sql` (Postgres 16 dev runtime + table bootstrap).
  • [x] ✅ Added `scripts/export-storage-to-postgres.ts` one-time exporter and `pnpm storage:export:postgres`.
  • [x] ✅ `src/utils/storage.ts` now supports `file`, `double-write`, and `postgres` modes for the centralized managed-document contract behind unchanged `readJson/writeJson`.
  • [x] ✅ Added Zod-backed runtime env parsing for `DATABASE_URL` + storage mode in `src/utils/env.ts` and typed env keys in `next-env.d.ts`.
  • [x] ✅ Updated `records` and `jobs` services to avoid file-`stat` assumptions so Postgres cutover does not require call-site changes.
\n
B4 — Auth + roles
\n
  • [x] ✅ Verify and document production credential rotation for `AUTH_SECRET` + `AUTH_GITHUB_SECRET` (operational sign-off completed; see `docs/ops/auth-credential-rotation.md`(docs/ops/auth-credential-rotation.md) and `Pre-Era-C Operational Sign-Off`).
  • [x] ✅ Add Auth.js v5 with GitHub provider for write paths (`/api/records` POST, `/api/explorer/import`, `/api/getty/import`, `/api/met/import`, `/api/linked-art/import`, `/api/jobs/run`)
  • [x] ✅ Roles: `public` (read only), `researcher` (read + import), `editor` (import + agent jobs), `admin` (all)
  • [x] ✅ Middleware gates write routes; UI conditionally renders import/run buttons
\n
Status:
\n
  • [x] ✅ Completed.
  • [x] ✅ Added Auth.js v5 (`next-auth@5.0.0-beta.31`) with GitHub provider in root `auth.ts`.
  • [x] ✅ Added `/api/auth/[...nextauth]` handlers.
  • [x] ✅ Added centralized role mapping in `src/auth/roles.ts` (public/researcher/editor/admin with allowlist env vars).
  • [x] ✅ Added Next 16 `proxy.ts` route gates for write paths (`/api/records` POST, `/api/explorer/import`, `/api/getty/import`, `/api/met/import`, `/api/linked-art/import`, `/api/jobs/run`) plus editor-only agent endpoints.
  • [x] ✅ UI now conditionally enables import/run controls in linked-art, agents, and automation workbenches based on resolved role.
  • [x] ✅ Rotate production GitHub OAuth credentials if any legacy values are still active (operational follow-up reminder remains until verified).
\n
B5 — Provider expansion
\n
  • [x] ✅ New adapters for Harvard, Smithsonian Open Access, Rijks, RKD Knowledge Graph, National Gallery of Art Open Data, Louvre Collections JSON, V&A Collections API, Princeton University Art Museum API, Europeana, AIC, CMA (SOTA §27.1) — each shipped with route + adapter + tests.
  • [x] ✅ Each adapter implements the `provider-interface` contract; cross-adapter imports remain forbidden.
  • [x] ✅ `/explore` import flow now accepts all landed provider source IDs (`met`, `getty`, `rijks`, `nga`, `louvre`, `harvard`, `smithsonian`, `vanda`, `princeton`, `europeana`, `aic`, `cma`).
  • [x] ✅ Provider slices include executable conformance tests mapped to linked-art/LinkedArtModel1.0-Reference.md(linked-art/LinkedArtModel1.0-Reference.md) fixture anchors.
\n
Acceptance for each upcoming provider slice (object-specific AIDD + TDD gates):
\n
  • [x] ✅ Failing-first contract tests verify culturally valued physical objects normalize as `HumanMadeObject` unless explicit evidence requires another canonical class.
  • [x] ✅ Failing-first tests verify production/destruction remain structured activity/event nodes when present (not flattened to display-only strings).
  • [x] ✅ Failing-first tests verify physical characteristics (dimensions/materials/parts) are preserved as structured data when available.
  • [x] ✅ Failing-first tests verify ownership/location assertions remain distinct from non-ownership rights/reuse assertions.
  • [x] ✅ Failing-first tests verify physical object identity remains distinct from digital surrogates/representations while preserving linkage.
  • [x] ✅ Failing-first regression tests verify immovable/place-centric records are not coerced into moveable-object assumptions.
  • [x] ✅ Route-level tests verify inspect/import outputs preserve the above structures without mutating canonical source fields.
\n
Acceptance for each upcoming provider slice (digital-content AIDD + TDD gates):
\n
  • [x] ✅ Failing-first contract tests verify `DigitalObject` records preserve `access_point`, `format`, and `conforms_to` when provided.
  • [x] ✅ Failing-first tests verify digital object creation events use `Creation` semantics where present, without coercion to physical-object production semantics.
  • [x] ✅ Failing-first tests verify content/carrier separation is preserved (`DigitalObject` versus `VisualItem`/`LinguisticObject`) without collapsing layers.
  • [x] ✅ Failing-first tests verify surrogate linkage can preserve shared visual content (`shows` and `digitally_shows`) when provider data supports it.
  • [x] ✅ Failing-first tests verify web-page and document references preserve the `subject_of` → `LinguisticObject` → `digitally_carried_by` pattern when present.
  • [x] ✅ Failing-first tests verify IIIF structures are preserved, including Presentation manifest `conforms_to`/`format` and Image API `DigitalService` via `digitally_available_via`.
  • [x] ✅ Route-level tests verify inspect/import outputs retain digital metadata structures (including IIIF fields) and do not mutate canonical `_source.raw`.
  • [x] ✅ Provider-slice test PRs must include or update fixture-backed tests mapped to `Round 3 Addendum — Digital Content` → `Fixture Anchors — Digital Content Examples` in linked-art/LinkedArtModel1.0-Reference.md(linked-art/LinkedArtModel1.0-Reference.md) (web publication, surrogate parity, embedded representation image, subject_of web page, IIIF Presentation manifest, IIIF Image service).
  • [x] ✅ Provider-slice test PRs must also include a short "Standards Mapping" note listing the specific round addenda used (for example endpoint schema rounds, shared-structure rounds, and relevant search-relation rounds) and the fixture anchors exercised.
\n
Status:
\n
  • [x] ✅ Complete (Rijks, NGA, RKD, Louvre, Harvard, Smithsonian, V&A, Princeton, Europeana, AIC, CMA slices landed).
  • [x] ✅ Object-specific acceptance gates are executable and passing in `tests/quality/provider-object-specific-gates.test.ts`.
  • [x] ✅ Digital-content acceptance gates are executable and passing in `tests/quality/provider-digital-content-gates.test.ts`.
  • [x] ✅ Route-level digital inspect/import preservation is executable and passing in `tests/quality/provider-digital-content-gates.test.ts`.
  • [x] ✅ Provider manifest enforcement now requires active import providers to include `Round 3 Addendum - Digital Content` in `tests/fixtures/validation/provider-fixture-manifest.json` (`tests/quality/validation-architecture-depth.test.ts`).
  • [x] ✅ PR template now requires explicit provider digital-content fixture-anchor mapping + short Standards Mapping notes (`.github/pull_request_template.md`).
  • [x] ✅ Added `src/adapters/rijks.ts` with Search + Resolver + LDES + Change Discovery helpers and IIIF URL normalization.
  • [x] ✅ Added Rijks API routes: `/api/rijks/profile`, `/api/rijks/search`, `/api/rijks/resolve`, `/api/rijks/import`, `/api/rijks/ldes`, `/api/rijks/cd`.
  • [x] ✅ `/explore` source toggle now supports `both` / `met` / `getty` / `rijks`; `/api/explorer/import` supports Rijks URLs.
  • [x] ✅ Added test coverage for adapter + routes + provider inference (`tests/adapters/rijks.test.ts`, `tests/api/rijks/*`, updated explorer/provider tests).
  • [x] ✅ Added `src/adapters/nga.ts` plus routes `/api/nga/profile`, `/api/nga/search`, `/api/nga/import` with failing-first tests and explore/import wiring.
  • [x] ✅ Remaining provider slices are now landed: RKD Knowledge Graph, Louvre Collections JSON, Harvard, Smithsonian Open Access, V&A Collections API, Princeton University Art Museum API, Europeana, AIC, CMA.
  • [x] ✅ Rijks incremental-ingest hooks are executable: `extractRijksLdesHookData()` and `extractRijksChangeDiscoveryHookData()` with route coverage in `tests/api/rijks/ldes.test.ts` and `tests/api/rijks/cd.test.ts`.
  • [x] ✅ Rijks profile now exposes a bibliographic SRU extension-point base (`bibliographicSruBase`) and SRU URL builder coverage (`buildRijksSruSearchUrl()`), while UI flows remain unchanged.
\n
Rijksmuseum integration scope now includes:
\n
  • [x] ✅ Object metadata search and dereference pipeline (Search API + PID Resolver with content negotiation to Linked Art).
  • [x] ✅ Linked Data Event Streams ingest hooks for incremental refreshes.
  • [x] ✅ IIIF Change Discovery ingest hooks for change tracking.
  • [x] ✅ IIIF image/presentation compatibility via Micrio endpoints.
  • [x] ✅ Future bibliographic extension point via SRU (planned, not yet wired into UI flows).
\n
B5.1 — RKD Knowledge Graph provider slice (done)
\n
Goal: integrate RKD Linked Data (CIDOC-CRM + Linked Art oriented) as a standards-first provider without bypassing current adapter boundaries.
\n
Planned deliverables:
\n
  • [x] ✅ Adapter: `src/adapters/rkd.ts` (provider-interface compliant, no cross-adapter imports).
  • [x] ✅ Routes:
  • [x] ✅ `/api/rkd/profile` (GET)
  • [x] ✅ `/api/rkd/search` (POST, paged candidate retrieval)
  • [x] ✅ `/api/rkd/entity` (POST, URI-based fetch/enrichment)
  • [x] ✅ `/api/rkd/import` (POST, normalize + persist)
  • [x] ✅ optional `/api/rkd/sparql` (POST, read-only, allowlisted query templates only)
  • [x] ✅ UI:
  • [x] ✅ added `rkd` source toggle support in `/explore`
  • [x] ✅ provider attribution + ODC-By 1.0 license/reuse guidance rendered in RKD card/detail data.
\n
Data-source constraints:
\n
  • [x] ✅ Dataset scale is 600M+ statements and is consumed via bounded queries/pagination (`limit`/`offset` clamps and bounded search defaults).
  • [x] ✅ SPARQL endpoint details are deploy-time config (env vars) via `getRkdProfile()`/`buildRkdSparqlEndpoint()`.
  • [x] ✅ Graph scoping is supported via optional `graph` input on search/entity/template flows.
  • [x] ✅ Raw SPARQL usage is constrained to controlled, allowlisted query templates (`entitySummary`/`labelSearch`) for route-level access.
  • [x] ✅ Triply protocol-compatible SPARQL request behavior is implemented with explicit `Accept` negotiation and read-only request handling.
\n
License and attribution:
\n
  • [x] ✅ RKD dataset license is Open Data Commons Attribution License 1.0; provider output carries source URL + provider attribution + license metadata.
  • [x] ✅ Rights/reuse output remains conservative when image-level rights are not explicit in source payload.
\n
Acceptance:
\n
  • [x] ✅ Failing-first tests for adapter + routes are landed (`tests/adapters/rkd.test.ts`, `tests/api/rkd/*.test.ts`).
  • [x] ✅ Standards mapping coverage includes object/digital/shared-structure/data-discovery anchors in `tests/fixtures/validation/provider-fixture-manifest.json` (`rkd` entry).
  • [x] ✅ B8 protocol conformance coverage includes RKD routes in `tests/quality/provider-protocol-conformance.test.ts`.
  • [x] ✅ Token security checks included (`Authorization: Bearer` from env-only `RKD_TRIPLY_TOKEN`, no token persistence/logging in adapter/route flows).
\n
B5.2 — Smithsonian Open Access provider slice (done)
\n
Goal: integrate Smithsonian Open Access search/content APIs with secure API-key handling and standards-first normalization.
\n
Planned deliverables:
\n
  • [x] ✅ Adapter: `src/adapters/smithsonian.ts` (provider-interface compliant, no cross-adapter imports).
  • [x] ✅ Routes:
  • [x] ✅ `/api/smithsonian/profile` (GET)
  • [x] ✅ `/api/smithsonian/search` (POST)
  • [x] ✅ `/api/smithsonian/content` (POST)
  • [x] ✅ `/api/smithsonian/import` (POST)
  • [x] ✅ UI:
  • [x] ✅ added `smithsonian` source toggle in `/explore`
  • [x] ✅ source attribution and conservative rights/reuse indicators are preserved in Smithsonian discovery/import card flows.
\n
Official API constraints:
\n
  • [x] ✅ API key required (`api_key`) via data.gov registration (`SMITHSONIAN_API_KEY` enforced for Smithsonian search/content and URL-import retrieval).
  • [x] ✅ Search pagination uses `start` + `rows`; route schema enforces integer bounds (`start >= 0`, `rows` in `1..1000`) with compatibility aliases for legacy callers.
  • [x] ✅ Core category filters and row-group inputs are explicit enum validation at route boundary (`smithsonianSearchInputSchema` for category + `rowGroup: objects|archives`).
\n
Acceptance:
\n
  • [x] ✅ Failing-first adapter + route tests with mocked Smithsonian responses.
  • [x] ✅ API-key security checks included (env-only secrets, no key in logs/errors/client, API key stripped from exposed source URLs).
  • [x] ✅ Standards Mapping note coverage includes fixture anchors for Smithsonian in `tests/fixtures/validation/provider-fixture-manifest.json`.
  • [x] ✅ B8 protocol checks include Smithsonian routes (`profile`, `search`, `content`, `import`) in `tests/quality/provider-protocol-conformance.test.ts`.
\n
B5.3 — Harvard Art Museums provider slice
\n
Goal: integrate Harvard Art Museums API with strong conformance to official usage constraints and Linked Art normalization boundaries.
\n
Status:
\n
  • [x] ✅ Planned deliverables in this slice scope (adapter + routes) are complete.
\n
Planned deliverables:
\n
  • [x] ✅ Adapter: `src/adapters/harvard.ts` (provider-interface compliant, no cross-adapter imports).
  • [x] ✅ Routes:
  • [x] ✅ `/api/harvard/profile` (GET)
  • [x] ✅ `/api/harvard/search` (POST)
  • [x] ✅ `/api/harvard/object` (POST)
  • [x] ✅ `/api/harvard/import` (POST)
  • [x] ✅ UI:
  • [x] ✅ add `harvard` source toggle in `/explore`
  • [x] ✅ preserve attribution/link-back + rights/reuse indicators on all surfaces.
\n
Official API constraints:
\n
  • [x] ✅ API key required on all calls (`apikey` parameter).
  • [x] ✅ Paging uses `size` (max 100) + `page`; adapter honors `info.next/info.prev` flows.
  • [x] ✅ Respect call budget guidance (2500/day) and non-commercial + attribution terms.
  • [x] ✅ Cache/storage policy enforces a two-week max retention guidance (`<=14 days`) without explicit permission.
  • [x] ✅ Use provider image URLs directly (no local copies).
\n
Acceptance:
\n
  • [x] ✅ Failing-first adapter + route tests with mocked Harvard responses.
  • [x] ✅ API key handling checks included (env-only key, no key in logs/errors/client surfaces).
  • [x] ✅ Rate-budget and cache-TTL policy checks included (`<=14 days` cache window).
  • [x] ✅ Standards Mapping note references applicable Linked Art rounds and fixture anchors.
  • [x] ✅ B8 protocol checks included for all Harvard routes.
\n
B5.4 — V&A Collections API provider slice
\n
Goal: integrate V&A Collections API v2 with strong support for identifier/keyword filters and IIIF image/presentation link preservation.
\n
Status:
\n
  • [x] ✅ Complete.
\n
Planned deliverables:
\n
  • [x] ✅ Adapter: `src/adapters/vanda.ts` (provider-interface compliant, no cross-adapter imports).
  • [x] ✅ Routes:
  • [x] ✅ `/api/vanda/profile` (GET)
  • [x] ✅ `/api/vanda/search` (POST)
  • [x] ✅ `/api/vanda/object` (POST)
  • [x] ✅ `/api/vanda/import` (POST)
  • [x] ✅ UI:
  • [x] ✅ add `vanda` source toggle in `/explore`
  • [x] ✅ expose IIIF manifest/image links in artwork/detail surfaces where available.
\n
Official API constraints:
\n
  • [x] ✅ API base is `https://api.vam.ac.uk/v2`.
  • [x] ✅ Search result pages should honor official paging constraints (`size` cap 100).
  • [x] ✅ API is suitable for dynamic subsets; bulk export flows should avoid naive high-volume API crawling.
  • [x] ✅ Terms/licensing constraints and citation requirements must be preserved in downstream usage.
\n
Acceptance:
\n
  • [x] ✅ Failing-first adapter + route tests with mocked V&A responses.
  • [x] ✅ Identifier/keyword filter behavior tests included.
  • [x] ✅ IIIF image/presentation field extraction tests included.
  • [x] ✅ Standards Mapping note references applicable Linked Art rounds and fixture anchors.
  • [x] ✅ Standards Mapping note: Linked Art Model 1.0 references include Digital Content + Shared Structures + Data Discovery/API endpoint-shape rounds; fixture anchors include `tests/fixtures/validation/providers/vanda/pass.json` and `tests/fixtures/validation/providers/vanda/fail.json` plus provider manifest mapping in `tests/fixtures/validation/provider-fixture-manifest.json`.
  • [x] ✅ B8 protocol checks included for all V&A routes.
\n
B5.5 — Princeton University Art Museum provider slice
\n
Goal: integrate Princeton API object/search resources with strong preservation of nested research context and IIIF media references.
\n
Planned deliverables:
\n
  • [x] ✅ Adapter: `src/adapters/princeton.ts` (provider-interface compliant, no cross-adapter imports).
  • [x] ✅ Routes:
  • [x] ✅ `/api/princeton/profile` (GET)
  • [x] ✅ `/api/princeton/search` (POST)
  • [x] ✅ `/api/princeton/object` (POST)
  • [x] ✅ `/api/princeton/import` (POST)
  • [x] ✅ UI:
  • [x] ✅ add `princeton` source toggle in `/explore`
  • [x] ✅ preserve source attribution and media link visibility.
\n
Official API constraints:
\n
  • [x] ✅ Base endpoint `https://data.artmuseum.princeton.edu`.
  • [x] ✅ No auth currently required, and adapter/profile surface explicit `authMode: none` + future-auth compatibility without interface breakage.
  • [x] ✅ Static weekly full datasets are reflected in import guidance with anti-crawl guardrails on large interactive API imports.
\n
Acceptance:
\n
  • [x] ✅ Failing-first adapter + route tests with mocked Princeton responses.
  • [x] ✅ Nested-field preservation tests included (`texts`, `media`, `exhibitions`, `geography`, `terms`, `classifications`).
  • [x] ✅ IIIF URI extraction tests included.
  • [x] ✅ Standards Mapping note references applicable Linked Art rounds and fixture anchors.
  • [x] ✅ Standards Mapping note: Linked Art Model 1.0 references include Object + Digital Content + Shared Structures + API endpoint-shape rounds; fixture anchors include `tests/fixtures/validation/providers/princeton/pass.json` and `tests/fixtures/validation/providers/princeton/fail.json` plus provider manifest mapping in `tests/fixtures/validation/provider-fixture-manifest.json`.
  • [x] ✅ B8 protocol checks included for all Princeton routes.
\n\n
Goal: integrate NGA public open data as a CSV-first provider while preserving Linked Art boundary contracts and provenance-safe source lineage.
\n
Planned deliverables:
\n
  • [x] ✅ Adapter: `src/adapters/nga.ts` (provider-interface compliant, no cross-adapter imports).
  • [x] ✅ Routes:
  • [x] ✅ `/api/nga/profile` (GET)
  • [x] ✅ `/api/nga/search` (POST)
  • [x] ✅ `/api/nga/import` (POST)
  • [x] ✅ optional `/api/nga/refresh` (POST) deferred by design; manual refresh is supported through `/api/nga/import` with `url` + bounded `limit`.
  • [x] ✅ UI:
  • [x] ✅ add `nga` source toggle in `/explore`
  • [x] ✅ preserve source attribution, citation guidance, and conservative rights/reuse indicators.
  • [x] ✅ `/explore` includes an NGA-specific citation/reuse advisory callout (CC0 metadata + verify image/media rights per object).
\n
Official data constraints:
\n
  • [x] ✅ Primary distribution is CSV (UTF-8), refreshed frequently (typically daily), and should be ingested in bounded batches.
  • [x] ✅ Images/media files are not distributed in the dataset package; only links/references are included where available.
  • [x] ✅ Dataset is CC0; attribution/citation is still recommended for research usage.
  • [x] ✅ Wikidata IDs are present when known but non-exhaustive; treat as reconciliation hints, not complete authority truth.
  • [x] ✅ Enforcement evidence: adapter/profile/import tests in `tests/adapters/nga.test.ts` and `tests/api/nga/import.test.ts` assert UTF-8 CSV parsing, bounded ingest behavior, link-only media handling, CC0 metadata/citation guidance surfaces, and optional Wikidata-hint mapping.
\n
Acceptance:
\n
  • [x] ✅ Failing-first adapter + route tests with fixture-backed CSV parsing and UTF-8 safety.
  • [x] ✅ Idempotent upsert tests for repeated daily ingest runs.
  • [x] ✅ Tests verifying preservation of source media-link references without assuming media binary availability.
  • [x] ✅ Standards Mapping note references applicable Linked Art rounds and fixture anchors.
  • [x] ✅ Standards Mapping note: Linked Art Model 1.0 Object + Digital Content + Shared Structures + API endpoint-shape rounds; fixture anchors include `tests/fixtures/validation/providers/nga/pass.json` and `tests/fixtures/validation/providers/nga/fail.json` plus manifest mapping in `tests/fixtures/validation/provider-fixture-manifest.json`.
  • [x] ✅ B8 protocol checks included for all NGA routes.
\n
B5.7 — Louvre Collections JSON provider slice
\n
Goal: integrate Louvre ARK-linked JSON records as a standards-first provider while preserving attribution/provenance nuance and image-rights constraints.
\n
Planned deliverables:
\n
  • [x] ✅ Adapter: `src/adapters/louvre.ts` (provider-interface compliant, no cross-adapter imports).
  • [x] ✅ Routes:
  • [x] ✅ `/api/louvre/profile` (GET)
  • [x] ✅ `/api/louvre/object` (POST)
  • [x] ✅ `/api/louvre/import` (POST)
  • [x] ✅ optional `/api/louvre/search` (POST) is landed (bounded, protocol-safe endpoint)
  • [x] ✅ UI:
  • [x] ✅ add `louvre` source toggle in `/explore`
  • [x] ✅ preserve source attribution and image-rights disclosures on all surfaces.
\n
Official data constraints:
\n
  • [x] ✅ Access is object-entry URL plus `.json` suffix (ARK-based records).
  • [x] ✅ Record content is French-first; normalization must not destructively strip source language signals.
  • [x] ✅ Image usage and text reuse must follow Louvre Terms of Use.
  • [x] ✅ Image payloads include per-image rights/copyright text and must be preserved.
  • [x] ✅ Enforcement evidence: `tests/adapters/provider-expansion.test.ts` and `tests/api/louvre/import.test.ts` assert `.json` URL normalization, French-field preservation in `_source.raw`, and rights/copyright retention from source image payloads.
\n
Acceptance:
\n
  • [x] ✅ Failing-first adapter + route tests with mocked Louvre JSON responses.
  • [x] ✅ URL normalization + ARK extraction safety tests included.
  • [x] ✅ Creator attribution nuance tests included (`attributionLevel`, `doubt`, `creatorRole`, attribution metadata where present).
  • [x] ✅ Rights/reuse mapping tests included with conservative defaults when rights are unclear.
  • [x] ✅ Standards Mapping note references applicable Linked Art rounds and fixture anchors.
  • [x] ✅ B8 protocol checks included for all Louvre routes.
  • Evidence:
  • `tests/adapters/provider-expansion.test.ts`
  • `tests/api/louvre/object.test.ts`
  • `tests/api/louvre/import.test.ts`
  • `tests/quality/provider-protocol-conformance.test.ts`
  • `docs/providers/louvre-collections-json.md`
\n
B6 — Authority caching
\n
  • [x] ✅ Replace inline authority lookups on the request path with local cache-only access.
  • [x] ✅ Schedule a daily/weekly job that downloads Getty AAT/ULAN/TGN N-Triples + Wikidata `linked-art`-related QIDs + GeoNames + LoC NAF into Postgres (SOTA §6.2).
  • [x] ✅ Surface in the entity profile pages: "From AAT / ULAN / Wikidata".
\n
Status:
\n
  • [x] ✅ `src/services/authority-cache.ts` landed as the local authority cache service.
  • [x] ✅ `tests/quality/era-b-exit-gate.test.ts` enforces zero runtime external authority fetches on request-path route code.
  • [x] ✅ Scheduled authority refresh pipeline landed:
  • [x] ✅ `scripts/authority-cache-refresh.ts`
  • [x] ✅ `pnpm authority:refresh`
  • [x] ✅ `.github/workflows/authority-cache-refresh.yml` (weekly + manual dispatch)
  • [x] ✅ Entity authority-source UX landed:
  • [x] ✅ `src/utils/entities.ts` emits `authoritySources`
  • [x] ✅ `app/(workspace)/entity/[id]/page.tsx` renders `From AAT / ULAN / Wikidata` style provenance labels when present
  • [x] ✅ coverage in `tests/utils/entities.test.ts` and `tests/api/entities/by-id.test.ts`
\n
B6.1 — Exhibition + literature reconciliation hardening
\n
Goal: prevent duplicate or fragmented cross-provider historical narratives by reconciling shared exhibitions and literature records without collapsing source provenance.
\n
  • [x] ✅ Add explicit reconciliation scope beyond people/concepts:
  • [x] ✅ Exhibition concepts/plans (`PropositionalObject`) and exhibition activities (`Activity` classified as exhibition) are candidate-matched across providers.
  • [x] ✅ Literature records (`LinguisticObject`) including catalogs/publications about exhibitions or objects are candidate-matched across providers.
  • [x] ✅ Add deterministic candidate blocking + scoring pipeline:
  • [x] ✅ title/label normalization + language-aware comparison
  • [x] ✅ timespan overlap logic
  • [x] ✅ place/venue equivalence checks using local authority identifiers/labels
  • [x] ✅ identifier evidence (ISBN/ISSN/OCLC/DOI/local accession refs when present)
  • [x] ✅ participant/organizer/publisher overlap evidence
  • [x] ✅ Preserve Linked Art identity/provenance invariants:
  • [x] ✅ never rewrite source URIs in `_source.raw`
  • [x] ✅ never infer semantics from URI path shape
  • [x] ✅ link via explicit reconciliation decisions rather than destructive record collapse
  • [x] ✅ keep event-centric modeling (no direct object-person shortcut introduced by reconciliation)
  • [x] ✅ Add human-review queue gates for ambiguous matches:
  • [x] ✅ thresholds for auto-link vs review-required vs no-link (`>=0.90`, `0.65-0.89`, `<0.65`)
  • [x] ✅ audit metadata per reconciliation decision (`actor`, `recordedAt`)
  • [x] ✅ reversible decision model shape (`auto-link` / `needs-review` / `no-link`)
  • [x] ✅ Add failing-first fixture suite:
  • [x] ✅ pass cases for true exhibition/literature same-as candidates from different providers
  • [x] ✅ fail cases for near-title collisions, edition conflicts, and time/place mismatches
  • [x] ✅ regression coverage for threshold behavior and invariants
\n
Definition of done:
\n
  • [x] ✅ `tests/quality/reconciliation-exhibitions-literature.test.ts` passes with fixture-backed pass/fail coverage.
  • [x] ✅ Reconciliation outputs are provenance-safe and standards-mapped (round + fixture anchor references in PR).
  • [x] ✅ Entity pages expose linked "same exhibition"/"same publication" context without mutating source records.
\n
Implementation note:
\n
  • [x] ✅ Use reconciliation/exhibition-literature-reconciliation.md(reconciliation/exhibition-literature-reconciliation.md) as the required execution checklist for this slice.
\n
Status:
\n
  • [x] ✅ `src/services/reconciliation.ts` landed with explicit exhibition/publication candidate extraction, deterministic scoring, and human-review thresholds.
  • [x] ✅ `tests/fixtures/reconciliation/exhibitions-literature-pass.json` + `tests/fixtures/reconciliation/exhibitions-literature-fail.json` landed as fixture anchors.
  • [x] ✅ `app/(workspace)/entity/[id]/page.tsx` now surfaces cross-provider alignment context where reconciliation candidates exist.
\n
B8 — API protocol + profile conformance hardening
\n
  • [x] ✅ Enforce JSON-LD 1.1 output with canonical Linked Art context on all public entity payloads.
  • [x] ✅ Add explicit content negotiation behavior:
  • [x] ✅ `Accept: application/ld+json;profile="https://linked.art/ns/v1/linked-art.json"`
  • [x] ✅ graceful fallback when generic JSON/LD headers are used
  • [x] ✅ Add `GET` + `OPTIONS` support and baseline CORS behavior on public API endpoints.
  • [x] ✅ Add protocol tests asserting URI opacity: no handler or client helper may derive semantics by parsing URI path shapes.
  • [x] ✅ Add serialization tests ensuring multi-valued Linked Art fields remain arrays even when cardinality is one.
\n
Status:
\n
  • [x] ✅ Complete for current Era B route inventory.
  • [x] ✅ Representative executable conformance tests now run for `/api/linked-art/profile`, `/api/artworks/[id]`, and `/api/entities/[id]`:
  • [x] ✅ `OPTIONS` + baseline CORS headers
  • [x] ✅ Linked Art media type negotiation for `Accept: application/ld+json;profile=...`
  • [x] ✅ URI opacity, array cardinality safety, and HAL separation assertions
  • [x] ✅ representative entity-role coverage across object/work/agent/place/set
  • [x] ✅ Expanded executable protocol checks to currently landed provider/search endpoints (`/api/met/`, `/api/getty/`, `/api/rijks/`, `/api/nga/`, `/api/rkd/`, plus `/api/providers/`) via `tests/quality/provider-protocol-conformance.test.ts`.
  • [x] ✅ Generic JSON-LD fallback behavior is covered (`Accept: application/ld+json` negotiates to canonical Linked Art profile media type).
  • [x] ✅ Ongoing policy: B8 executable checks are applied to all currently landed provider slices; continue applying the same checks for additional future sources.
\n
Acceptance:
\n
  • [x] ✅ Protocol conformance tests pass for representative routes across object/work/agent/place/set.
  • [x] ✅ No regressions in existing inspect/import flows.
\n
B9 — Linked Art modeling guardrails (provenance + lifecycle)
\n
  • [x] ✅ Add conformance tests for provenance partitioning patterns:
  • [x] ✅ wrapper provenance `Activity`
  • [x] ✅ `Acquisition` + `Payment` as parts when both are asserted
  • [x] ✅ Add explicit ownership vs custody invariants:
  • [x] ✅ `TransferOfCustody` must not be rewritten into `Acquisition` unless title transfer evidence is present
  • [x] ✅ Add explicit unknown-transfer handling:
  • [x] ✅ use `Transfer` for ambiguous exchange events rather than fabricating legal outcomes.
  • [x] ✅ Extend inspect/import audits to flag carrier/content conflation and direct object-person shortcuts that bypass event nodes.
\n
Status:
\n
  • [x] ✅ Complete for current Era B guardrail scope.
  • [x] ✅ Conformance guardrails added in `src/utils/linked-art.ts` for:
  • [x] ✅ wrapper provenance Activity partitioning checks
  • [x] ✅ `Acquisition` + `Payment` split-into-parts checks when both are asserted
  • [x] ✅ custody-vs-title invariants (`TransferOfCustody` vs `Acquisition`)
  • [x] ✅ unknown-transfer guardrails (`Transfer` for ambiguous exchanges)
  • [x] ✅ carrier/content conflation and direct object-person shortcut detection
  • [x] ✅ Failing-first pass/fail fixtures added:
  • [x] ✅ `tests/fixtures/b9/provenance-guardrails-pass.json`
  • [x] ✅ `tests/fixtures/b9/provenance-guardrails-fail.json`
  • [x] ✅ Executable guardrail tests added in `tests/quality/linked-art-b9-guardrails.test.ts`.
  • [x] ✅ Best-practices audit includes actionable B9 category output: `Provenance & Lifecycle Guardrails (B9)`.
\n
Acceptance:
\n
  • [x] ✅ Failing-first fixtures prove the above patterns and invariants across pass/fail cases.
  • [x] ✅ Best-practices audit reports actionable violations for these categories.
\n
B10 — ARK conformance slice
\n
  • [x] ✅ ULID-based ARK minting for normalized records.
  • [x] ✅ Add `/api/ark/resolve` resolver endpoint with suffix pass-through behavior.
  • [x] ✅ Add `?info` inflection response for metadata + persistence statement retrieval.
  • [x] ✅ Define and return a persistence statement structure for ARK `?info` responses.
  • [x] ✅ Add failing-first tests for ARK utility behavior and resolver route behavior.
  • [x] ✅ Update roadmap/README/CLAUDE standards guidance for ARK conformance expectations.
\n
Status:
\n
  • [x] ✅ Complete for current Era B scope.
  • [x] ✅ Implemented `src/utils/ark.ts` with opaque ULID minting, ARK normalization, suffix pass-through resolution, and `?info` payload construction.
  • [x] ✅ Implemented `app/api/ark/resolve/route.ts` with:
  • [x] ✅ `GET` resolution (`303` redirect style)
  • [x] ✅ suffix pass-through for variant/service paths
  • [x] ✅ `?info` inflection JSON-LD payload
  • [x] ✅ `OPTIONS` + baseline CORS behavior
  • [x] ✅ `normalizeIncomingRecord` now mints ARKs via ULID-based helper (`mintArkIdentifier`) instead of non-deterministic short random tokens.
  • [x] ✅ Added executable tests:
  • [x] ✅ `tests/utils/ark.test.ts`
  • [x] ✅ `tests/api/ark/resolve.test.ts`
\n
Acceptance:
\n
  • [x] ✅ Resolver pass-through and inflection tests are green.
  • [x] ✅ ARK minting tests assert opaque ULID-form ARK output.
  • [x] ✅ ARK conformance behavior is now documented in project guidance.
\n
B7 — API gateway readiness for multi-source scale
\n
  • [x] ✅ Keep direct provider adapters as default while source count and traffic stay moderate (current implementation remains direct adapters).
  • [x] ✅ Gateway activation policy is implemented and threshold-gated. Activate only when one or more conditions are true:
  • [x] ✅ 6+ external providers in production.
  • [x] ✅ 2+ upstream credential/security models to centralize.
  • [x] ✅ cross-provider rate limiting/circuit breaking becomes operationally necessary.
  • [x] ✅ Candidate gateway responsibilities are defined and readiness-backed:
  • [x] ✅ Centralized auth/secrets policy, rate limiting, retries/circuit breakers, request/response telemetry, and provider health dashboards.
  • [x] ✅ Stable internal route facade (`/api/providers/:provider/...`) so UI and jobs remain unchanged as provider backends evolve.
  • [x] ✅ Response envelope standardization plus provider capability registry for dynamic UI feature flags.
  • [x] ✅ B7 non-goals are explicitly enforced:
  • [x] ✅ No business logic migration out of adapters.
  • [x] ✅ No forced microservice split of the Next app.
  • [x] ✅ No gateway requirement for local development.
\n
Status:
\n
  • [x] ✅ Complete for Era B readiness scope.
  • [x] ✅ Added gateway-readiness diagnostics endpoint: `/api/providers/readiness` (threshold evaluation without forcing architecture changes).
  • [x] ✅ Added provider capability registry endpoint: `/api/providers/capabilities`.
  • [x] ✅ Added stable internal facade routes: `/api/providers/:provider/profile|search|import` with standardized response envelopes.
  • [x] ✅ Added conformance coverage for facade + capability routes in `tests/quality/provider-protocol-conformance.test.ts`.
  • [x] ✅ Re-evaluated activation threshold with current production providers (Met, Getty, Rijks, NGA, RKD, Louvre, Harvard, Smithsonian, V&A, Princeton, Europeana, AIC, CMA): threshold is now hit (6+ providers), so `/api/providers/readiness` reports `gatewayRecommended: true` while direct adapters remain the active mode.
\n
Era B exit gate:
\n
  • [x] ✅ 100% of public-facing sample records pass validation checks (SHACL when validator service is configured; local standards fallback otherwise).
  • [x] ✅ All writes auth-gated; audit log row per primary write route.
  • [x] ✅ Postgres is the storage of record when `DATABASE_URL` is set; `storage/*.json` removed from version control.
  • [x] ✅ All authority lookups served from local cache policy (zero runtime authority calls on the request path).
  • [x] ✅ Protocol/profile conformance suite green (context, media type profile, CORS/OPTIONS, URI opacity, array cardinality safety).
\n
Era B completion verdict:
\n
  • [x] ✅ Engineering-complete. Core B1-B10 deliverables and Era B exit-gate checks are green.
  • [x] ✅ Operational sign-off complete for current pre-Era-C checklist items.
\n
Pre-Era-C Operational Sign-Off
\n
  • [x] ✅ Verify and record rotation of production `AUTH_SECRET` and `AUTH_GITHUB_SECRET` (with date and owner in release notes/runbook).
  • [x] Evidence anchor: `docs/ops/auth-credential-rotation.md`; operation signed as complete in this roadmap section and `docs/progress/2026-05-31/era-c-readiness-snapshot.md`.
  • [x] ✅ Record explicit gateway activation decision now that `gatewayRecommended: true` is reported (`activate now` vs `keep direct-adapter mode`) with owner + review date.
  • [x] ✅ Decision: keep direct-adapter mode active for now; do not force gateway activation yet.
  • [x] ✅ Owner: `@rsung`
  • [x] ✅ Review date: August 31, 2026
  • [x] ✅ Decision record reference: `docs/progress/2026-05-31/era-c-readiness-snapshot.md`
  • [x] ✅ Add a one-page Era C readiness snapshot to `docs/progress/` linking latest green evidence: `era-b-exit-gate`, `protocol-conformance`, `provider-protocol-conformance`, `linked-art-b9-guardrails`, `validation-drift:trend`.
\n
---
\n
Era C — SOTA platform (quarters 4+)
\n
Goal: implement the Yale-LUX-pattern hybrid platform described in LinkedArtSOTAWebApp.md(linked-art/LinkedArtSOTAWebApp.md) §§2–22. By this point, the Next.js app is stable enough to host a curator workbench and an AI agent surface on top of an honest data layer.
\n
Roughly the same numbering as the SOTA spec's phases — but starting here, after Era A and B have shipped:
\n
C1 — Multi-modal storage + HAL hypermedia (SOTA Phase 1)
\n
  • [x] ✅ Solr 9 + GraphDB provisioned via Helm (dev: Compose, GraphDB CE image)
  • [x] ✅ GraphDB SPARQL 1.1 endpoint + Lucene plugin for hybrid text+graph queries; named graphs per source institution for provenance partitioning (SOTA §8.2)
  • [x] ✅ RDFS + SHACL reasoning only at runtime — no full OWL DL (SOTA §8.2)
  • [x] ✅ `src/utils/record-materializer.ts` builds Yale-LUX-style denormalized `Record` documents + shortcut triples (SOTA §20.1)
  • [x] ✅ HAL `_links` on every entity response (SOTA §9.2)
  • [x] ✅ Entity HAL discoverability now includes stable `la:activityFeed` link (`/api/activity`) via shared link builder + conformance tests.
  • [x] ✅ Canonical role endpoint scaffolds landed for `/api/objects/[id]`, `/api/works/[id]`, `/api/agents/[id]`, `/api/places/[id]`, `/api/sets/[id]` with executable B8 protocol conformance coverage.
  • [x] ✅ Add `/api/concepts/[id]` and `/api/events/[id]` canonical endpoints to complete the canonical C1 role endpoint surface.
  • [x] ✅ `/api/search` landed with OrderedCollectionPage pagination contract and executable HAL/search conformance coverage.
  • [x] ✅ `/api/activity` syndication endpoint
\n
Status:
\n
  • [x] ✅ Dev Compose provisioning added in `ops/docker-compose.yml` (`sota` profile: `solr:9.6`, `ontotext/graphdb:10.8.14`).
  • [x] ✅ Helm provisioning added in `ops/helm/metamuseum-search-graph/` (StatefulSets + Services + PVC defaults for Solr and GraphDB).
  • [x] ✅ GraphDB bootstrap automation added:
  • `scripts/graphdb-bootstrap.ts` creates repository config + verifies SPARQL query/update endpoints + provisions Lucene connector via `luc:createConnector`.
  • Runtime reasoning policy enforced in bootstrap: `GRAPHDB_RULESET` accepts only `rdfsplus` / `rdfsplus-optimized` (OWL-family rulesets rejected).
  • `scripts/graphdb-load-named-graph.ts` loads provider RDF into source-specific named graphs for provenance partitioning.
  • `src/utils/provenance-graphs.ts` defines stable institution graph URIs.
  • [x] ✅ Record materialization + index flattening foundations landed:
  • `src/services/records.ts` now materializes on write for all import/persist paths.
  • `src/utils/record-materializer.ts` emits denormalized shortcut fields/triples.
  • `src/utils/search-index.ts` flattens materialized records into Solr/OpenSearch-ready documents using `_shortcuts`.
\n
C2 — ETL pipeline + reconciliation (SOTA Phase 2)
\n
  • [x] ✅ `pipeline/` Dagster project — ELT, idempotent at every stage, SHA-256 dedupe keys
  • [x] ✅ FastAPI reconciliation service hitting Getty SPARQL / VIAF / Wikidata / GeoNames behind Redis URI cache
  • [x] ✅ Promote B6.1 exhibition/literature reconciliation heuristics into the C2 service as first-class pipelines (not optional post-processing)
  • [x] ✅ Confidence thresholds per SOTA §7.3 with a human-review queue in `app/curator/reconciliation/page.tsx`
  • [x] ✅ Visual ETL Mapper (ReactFlow) + `MappingTemplate` contract
\n
Status:
\n
  • [x] ✅ `pipeline/` scaffold landed with Dagster project files (`pipeline/pyproject.toml`, `pipeline/requirements.txt`) and runnable entry points (`pipeline/run_materialize.py`, `metamuseum_pipeline.definitions`).
  • [x] ✅ ELT asset chain implemented in `pipeline/metamuseum_pipeline/assets.py`: `extract_source_records` → `load_records` → `transform_records` → `dedupe_records` → `upsert_materialized_records`.
  • [x] ✅ SHA-256 dedupe key policy implemented in `pipeline/metamuseum_pipeline/dedupe.py` (`canonical_json` + `record_sha256`) and consumed at load/dedupe/materialize stages.
  • [x] ✅ Idempotence coverage added in `pipeline/tests/test_c2_pipeline.py` (repeat materialization does not duplicate state rows; unchanged rows are no-op upserts).
  • [x] ✅ Reconciliation service scaffold landed in `services/reconciliation-service/`:
  • FastAPI app with `POST /reconcile/lookup` and `GET /health`.
  • Provider adapters for Getty SPARQL, VIAF AutoSuggest, Wikidata, and GeoNames.
  • Redis URI cache layer with deterministic SHA-256 cache keys and TTL controls.
  • Unit coverage in `services/reconciliation-service/tests/test_reconciliation_service.py`.
  • [x] ✅ B6.1 heuristics promoted to first-class C2 pipeline endpoints in `services/reconciliation-service/main.py`:
  • `GET /reconcile/pipelines`
  • `POST /reconcile/pipelines/exhibitions-literature`
  • `GET /reconcile/pipelines/exhibitions-literature/bands`
  • Heuristic parity implementation in `services/reconciliation-service/pipelines.py` with fixture-backed tests in `services/reconciliation-service/tests/test_b61_pipeline.py`.
  • [x] ✅ SOTA §7.3 threshold model and queue UI landed:
  • Threshold bands implemented in `src/services/reconciliation.ts` (`>=0.95` auto-approve, `0.85-0.95` weekly digest flag, `0.70-0.85` human-review queue, `<0.70` drop candidate).
  • Curator queue page added at `app/curator/reconciliation/page.tsx` with explicit human-review and weekly-digest sections.
  • Regression assertions updated in `tests/quality/reconciliation-exhibitions-literature.test.ts`.
  • [x] ✅ Visual ETL Mapper + MappingTemplate contract landed:
  • `src/contracts/mapping-template.ts` defines `createMappingTemplate`/`validateMappingTemplate` for JSON-serializable mapper nodes, edges, and executable rules.
  • `src/contracts/zod/mapping-template.ts` mirrors the contract boundary and is exported through `src/contracts/zod/index.ts`.
  • ReactFlow mapper UI shipped at `app/(workspace)/etl/mapper/page.tsx` via `src/components/etl-mapper-workbench.tsx` with dry-run projection preview.
  • Contract and schema coverage added in `tests/contracts/mapping-template.test.ts` and `tests/contracts/zod-mirror.test.ts`.
  • [x] ✅ C2 complete. ETL pipeline, reconciliation service, B6.1 pipeline promotion, SOTA §7.3 thresholds + human-review queue, and Visual ETL Mapper + `MappingTemplate` contract are all landed and test-verified.
\n
C3 — IIIF + visualizations (SOTA Phase 3)
\n
  • [x] ✅ `<IIIFCanvasViewer>` (OpenSeadragon wrapper) with deep-zoom, side-by-side compare, annotations
  • [x] ✅ `<ProvenanceTimeline>`, `<GeoMapViewer>` (Leaflet), `<NetworkGraph>` (Cytoscape — partially landed in Slice 6)
  • [x] ✅ `<ConcertinaList>` + `<FacetHistogram>` for dense entity browses (SOTA §12.3)
  • [x] ✅ `<EntityKnowledgePanel>` merging internal + DBpedia/Wikidata/ULAN/AAT context
  • [x] ✅ Overlapping exhibition timelines with zoom + direct navigation to exhibition/activity records
\n
Status:
\n
  • [x] ✅ IIIF workspace route shipped at `/iiif` via `app/(workspace)/iiif/page.tsx` with imported-record-backed source selection.
  • [x] ✅ OpenSeadragon wrapper shipped in `src/components/iiif-canvas-viewer.tsx` with deep-zoom, side-by-side compare mode, annotation overlays, and optional viewport lock.
  • [x] ✅ Canvas source normalization + fallback behavior covered in `tests/utils/iiif.test.ts` (`deriveIiifInfoJsonUrl`, OpenSeadragon image tile fallback, deduplicated source extraction).
  • [x] ✅ Insights workspace now composes first-class C3 visualization components:
  • `src/components/provenance-timeline.tsx`
  • `src/components/geo-map-viewer.tsx` (Leaflet)
  • `src/components/network-graph.tsx` (Cytoscape)
  • [x] ✅ `app/(workspace)/insights/page.tsx` now includes timeline + Leaflet geospatial view + Cytoscape relationship network in one drillable research workflow.
  • [x] ✅ Deterministic timeline-window + histogram binning logic is test-covered in `tests/utils/provenance-visualization.test.ts`.
  • [x] ✅ Dense entity browse route shipped at `/entities` via `app/(workspace)/entities/page.tsx`, with URL-driven `q`/`type`/`authority` filters.
  • [x] ✅ `src/components/concertina-list.tsx` and `src/components/facet-histogram.tsx` are now first-class C3 components for high-density entity review.
  • [x] ✅ Facet/filter/group model is test-covered in `tests/utils/entity-browse.test.ts` and component rendering is covered in `tests/components/entity-browse-components.test.ts`.
  • [x] ✅ `app/(workspace)/entity/[id]/page.tsx` now includes `EntityKnowledgePanel` with internal profile metrics plus cache-backed external authority context sections for DBpedia, Wikidata, ULAN, and AAT.
  • [x] ✅ Knowledge-model merge behavior is covered in `tests/utils/entity-knowledge.test.ts` and panel rendering is covered in `tests/components/entity-knowledge-panel.test.ts`.
  • [x] ✅ Exhibition overlap analysis is now first-class in Insights via `src/components/exhibition-timeline.tsx` + `src/utils/exhibition-timeline.ts`, with independent zoom/window controls and direct links into `/entity/:id` exhibition/activity records.
\n
C4 — AI layer (SOTA Phase 4)
\n
  • [x] ✅ pgvector + voyage-3 embeddings for entity summaries and statement texts; SigLIP for IIIF visual similarity
  • [x] ✅ `/api/ai/query` — NL → SPARQL/HAL with mandatory SHACL pre-execution validation
  • [x] ✅ `/api/ai/chat` — Graph-RAG with mandatory citations (`[entityId, propertyPath]` per sentence); "cite or refuse" rule (RSI-4 complete, proven 2026-06-09)
  • [x] ✅ LLM-assisted reconciliation tiebreaker (SOTA §10.4)
  • [x] ✅ LLM-assisted mapping for the Visual ETL Mapper
\n
Status:
\n
  • [x] ✅ AI embedding service landed in `src/services/ai-layer.ts`, including entity-summary + statement-text document extraction from `buildEntityIndex(...)`, Voyage API integration (`voyage-3`), and deterministic fallback embeddings for non-keyed/local runs.
  • [x] ✅ pgvector persistence landed with bootstrap SQL + upsert path:
  • `ops/postgres/init/02-ai-layer.sql`
  • `persistEmbeddingsPgvector(...)` in `src/services/ai-layer.ts`
  • [x] ✅ AI API routes landed:
  • `app/api/ai/embeddings/route.ts` (document build + embeddings + optional pgvector persist)
  • `app/api/ai/visual-similarity/route.ts` (SigLIP service call path + heuristic fallback)
  • [x] ✅ NL query API landed: `app/api/ai/query/route.ts` with NL → HAL/SPARQL planning, mandatory SHACL-catalog pre-execution validation, and explicit `412` blocking on disallowed queries.
  • [x] ✅ Query execution logs now capture NL prompt + generated query for retraining/audit (`storage/ai-query-log.json` via `src/services/ai-query.ts`).
  • [x] ✅ SigLIP visual-similarity fallback + IIIF candidate extraction landed (`extractVisualSimilarityCandidates`, `rankVisualSimilarity`) with representation/access-point awareness.
  • [x] ✅ Dev infra for pgvector readiness updated: `ops/docker-compose.yml` now uses `pgvector/pgvector:pg16` for local Postgres bootstrap compatibility.
  • [x] ✅ Coverage landed for C4 behavior:
  • `tests/services/ai-layer.test.ts`
  • `tests/api/ai-embeddings.test.ts`
  • `tests/api/ai-visual-similarity.test.ts`
  • `tests/services/ai-query.test.ts`
  • `tests/api/ai-query.test.ts`
  • [x] ✅ RSI-4 complete: `/api/ai/chat` implemented with graph-driven claim extraction, per-sentence citation enforcement, and refusal path when coverage is incomplete.
  • Proof: `tests/api/ai-chat.test.ts`, `pnpm test`, `pnpm lint`, and `pnpm build`.
  • Route contracts and behavior are reflected in `app/api/ai/chat/route.ts` and `src/services/ai-chat.ts`.
  • [x] ✅ C4 Visual ETL Mapper AI assist is complete:
  • `src/services/mapping-assist.ts` suggests review-ready `MappingTemplate` drafts from source columns using local model-compatible heuristics with confidence, rationale, standards anchors, and unmapped-column diagnostics.
  • `app/api/ai/mapping-assist/route.ts` exposes a POST assist endpoint with explicit JSON validation and CORS preflight.
  • `src/components/etl-mapper-workbench.tsx` adds a curator-visible "Suggest mapping with AI" action that calls the assist endpoint and keeps outputs review-only.
  • Proof packet: `tests/services/mapping-assist.test.ts`, `tests/api/ai-mapping-assist.test.ts`, `tests/components/etl-mapper-config.test.ts`, and `tests/api/openapi.test.ts`.
\n
C5 — Syndication + Meta Wiki Art + hardening (SOTA Phase 5)
\n
  • [x] ✅ ActivityStreams subscriptions endpoint open to external aggregators
  • [x] ✅ `/api/activity` external-consumer readiness metric capture landed (`/api/activity/readiness` + per-request consumer telemetry with explicit `x-linked-art-consumer-id` support).
  • [x] ✅ `/api/activity/subscriptions` landed for external aggregator registration/discovery:
  • `GET /api/activity/subscriptions` (ActivityStreams `OrderedCollectionPage` shape + metrics)
  • `POST /api/activity/subscriptions` (consumer-aware callback registration)
  • `DELETE /api/activity/subscriptions?id=...` (unsubscribe)
  • Public CORS preflight via `OPTIONS`
  • [x] ✅ Meta Wiki Art publish flow: `WikiDraft` → review → publish to MediaWiki + custom Wikibase with citation + rights templates
  • [x] ✅ C5 publish-flow implementation evidence:
  • `app/api/wiki-drafts/route.ts`
  • `app/api/wiki-drafts/[id]/review/route.ts`
  • `app/api/wiki-drafts/[id]/publish/route.ts`
  • `src/services/wiki-publish.ts`
  • Verification (2026-05-31): `tests/api/wiki-drafts/flow.test.ts` and `tests/services/wiki-publish.test.ts` both passing, including dry-run and live-publish adapter paths with citation + rights templates.
  • [x] ✅ Wikibase statement-level references required for every publishable claim (provenance-safe writes)
  • `evaluateWikiPublishPreflight(...)` now validates every claim carries at least one statement-level reference with valid `sourceUrl`, `retrievedAt`, and `citationText` before publish can proceed.
  • Evidence: `src/services/wiki-publish.ts`, `tests/services/wiki-publish.test.ts`, `tests/api/wiki-drafts/flow.test.ts`.
  • [x] ✅ Bidirectional mapping maintained between internal entity IDs and wiki item/property IDs for traceable sync
  • Live publish now upserts durable sync mappings in `wiki-sync-map.json` (Postgres-managed in non-file modes) for:
  • internal entity ID ↔ wikibase item ID
  • internal property ID ↔ wikibase property ID
  • API lookup route landed for traceable sync diagnostics:
  • `GET /api/wiki-sync-map?internalEntityId=...`
  • `GET /api/wiki-sync-map?wikiItemId=...`
  • `GET /api/wiki-sync-map?internalPropertyId=...`
  • `GET /api/wiki-sync-map?wikiPropertyId=...`
  • Evidence: `src/services/wiki-sync-map.ts`, `app/api/wiki-drafts/[id]/publish/route.ts`, `app/api/wiki-sync-map/route.ts`, `tests/services/wiki-sync-map.test.ts`, `tests/api/wiki-sync-map.test.ts`, `tests/api/wiki-drafts/flow.test.ts`.
  • [x] ✅ WCAG 2.1 AA full audit on every public route
  • Evidence (2026-05-31): `pnpm a11y:check` passes with zero serious/moderate/critical axe violations across all public UI routes:
  • `/`, `/explore`, `/records`, `/linked-art`, `/patterns`, `/insights`, `/graph`, `/entities`, `/iiif`, `/issues`, `/agents`, `/automation`, `/etl/mapper`, `/roadmap`, `/getty`, `/curator/reconciliation`, `/artwork/[id]`, `/entity/[id]`.
  • Remediations landed for detected violations:
  • `src/components/geo-map-viewer.tsx` (removed nested-interactive conflict by replacing `role="img"` map container semantics with described interactive container text)
  • `src/components/etl-mapper-workbench.tsx` (added keyboard focus to scrollable dry-run `<pre>` region).
  • [x] ✅ k6 load test against SOTA §20.4 SLOs (API p95 < 200ms cached, < 500ms cold; search p95 < 300ms)
  • Harness landed:
  • `scripts/k6-slo.js` (scenario definitions + per-scenario thresholds)
  • `scripts/k6-slo-runner.mjs` (local binary / PATH / Docker fallback runner)
  • `pnpm k6:slo` and `pnpm k6:slo:ci`
  • runbook: `docs/ops/k6-slo.md`
  • Update (2026-06-10): evidence contract now covers the full SOTA §20.4 p95 set, including whitelisted SPARQL p95 `< 2s` and IIIF tile serving p95 `< 100ms`.
  • `src/services/era-c-exit-gate.ts`
  • `config/era-c-exit-gate-policy.json`
  • `tests/services/era-c-exit-gate.test.ts`
  • Verification (2026-05-31, `pnpm k6:slo`, summary export `artifacts/performance/k6-slo-summary.json`):
  • `cached_record_hit` p95: 73.5495ms (target `< 200ms`) ✅
  • `cold_record_read` p95: 56.134ms (target `< 500ms`) ✅
  • `keyword_facet_search` p95: 55.0616ms (target `< 300ms`) ✅
  • `http_req_failed` rate by scenario: 0.00
  • [x] ✅ OpenAPI 3.1 at `/api/docs`
  • Implementation landed:
  • `GET /api/openapi` returns generated OpenAPI 3.1 JSON from live route-handler discovery (`src/services/openapi.ts`).
  • `GET /api/docs` serves interactive Swagger UI wired to `/api/openapi`.
  • Evidence:
  • `app/api/openapi/route.ts`
  • `app/api/docs/route.ts`
  • `src/services/openapi.ts`
  • `tests/api/openapi.test.ts`
  • `tests/api/docs.test.ts`
  • Verification (2026-05-31): `pnpm test -- tests/api/openapi.test.ts tests/api/docs.test.ts` passing.
  • [x] ✅ Pen test + DR drill
  • Executable hardening gate landed:
  • `pnpm pentest:baseline` (dependency advisory regression check against committed baseline)
  • `pnpm dr:drill` (non-destructive restore rehearsal with SHA-256 parity checks)
  • `pnpm hardening:pen-dr` (combined gate)
  • Baselines + runbooks:
  • `config/security-audit-baseline.json`
  • `docs/ops/security-dr-drill.md`
  • Artifacts:
  • `artifacts/security/pnpm-audit-summary.json`
  • `artifacts/dr-drill/latest.json`
\n
Era C Principal Hardening Addenda (Staff/Principal Review)
\n
These items are now integrated as explicit execution backlog for distributed systems, lifecycle integrity, AI safety, UX globalization, and privacy controls.
\n
1) Infrastructure + distributed systems
\n
  • [x] ✅ Transactional outbox for Postgres → Solr/GraphDB consistency on write paths (`outbox_events` table + reliable projector worker + replay-safe idempotency keys).
  • Landed transactional write-path integration in `src/services/records.ts`:
  • Postgres mode now atomically upserts `storage_documents.records` and enqueues `outbox_events` in one transaction.
  • Idempotency key: `sha256("record.upsert|recordId|sourceHash")`.
  • Outbox persistence + retry lifecycle:
  • `src/services/outbox.ts` (`claim`/`process`/`retry`/`dead_letter` flow, SKIP LOCKED claims, backoff).
  • `ops/postgres/init/02-outbox.sql` bootstraps `outbox_events` + indexes.
  • Reliable projector worker:
  • `src/services/outbox-projector.ts` (Solr + GraphDB projection with per-event ack/fail handling).
  • `scripts/outbox-projector.ts`, `pnpm outbox:projector`, `pnpm outbox:projector:once`.
  • Ops docs:
  • `docs/ops/outbox-projector.md`
  • [x] ✅ Outbox failure handling policy (retry budget, dead-letter queue, operator replay tooling, and alerting).
  • Policy + queue health primitives:
  • `src/services/outbox.ts`
  • env-driven policy (`OUTBOX_MAX_ATTEMPTS`, queue/age thresholds)
  • queue health summary counters/aging
  • dead-letter listing, replay helpers, stale-processing requeue
  • Operator tooling:
  • `scripts/outbox-ops.ts`
  • `pnpm outbox:status`
  • `pnpm outbox:dlq:list`
  • `pnpm outbox:replay:dlq`
  • `pnpm outbox:requeue:stale`
  • Alerting:
  • `src/services/outbox-alerts.ts`
  • `scripts/outbox-alert-check.ts`
  • `pnpm outbox:alert:check` with optional webhook dispatch via `OUTBOX_ALERT_WEBHOOK_URL`
  • Ops docs:
  • `docs/ops/outbox-projector.md`
  • [x] ✅ OpenTelemetry end-to-end trace propagation across Next.js, validation service, reconciliation service, Dagster pipeline runs, and GraphDB/Solr calls.
  • [x] ✅ Correlated request/run identifiers enforced in logs + traces (`x-request-id` / traceparent continuity).
  • Evidence: `instrumentation.ts` (`@vercel/otel` registration), Python OTel bootstrap in `services/validation-service/main.py`, `services/reconciliation-service/main.py`, and pipeline run tracing in `pipeline/run_materialize.py`.
  • Evidence: request/response trace header continuity via `src/utils/observability.ts`, `src/utils/protocol.ts`, and `proxy.ts`; write-audit correlation fields persisted from async trace context in `src/services/write-audit.ts`.
  • Evidence: local OTLP wiring templates + runbook (`.env.otlp.tempo.example`, `.env.otlp.jaeger.example`, `docs/ops/otel-local.md`) and explicit DB span attributes at finalized GraphDB/Solr call sites (`src/utils/otel-db-spans.ts`, `src/services/ai-query.ts`, `src/services/solr-client.ts`).
\n
2) Data lifecycle + upstream sync
\n
  • [x] ✅ Provider tombstone handling in C2 pipeline (HTTP `404/410` upstream signals mark local tombstone, deindex in Solr, and emit deletion activity).
  • C2 pipeline lifecycle handling landed in `pipeline/metamuseum_pipeline/assets.py`:
  • upstream tombstone detection from `_source.upstreamStatus` / `_source.httpStatus` / `_source.statusCode`
  • local tombstone registry persisted in `pipeline/state/materialized-records.json` (`tombstones` block)
  • Solr deindex call on tombstone transition (`/solr/<core>/update` delete-by-id)
  • deletion activity emission to `pipeline/state/deletion-activities.json` with `Delete` + `Tombstone` object semantics
  • Test coverage:
  • `pipeline/tests/test_c2_pipeline.py` (`test_tombstone_404_marks_local_tombstone_and_emits_delete_activity`)
  • Live drill (2026-05-31):
  • projected record `https://example.org/object/outbox-deindex-final-1780254290729` into Solr via outbox projector,
  • ran C2 tombstone materialization with `_source.upstreamStatus=410`,
  • Solr exact-id count transitioned `before=1` -> `after=0`,
  • summary included `deindexed=1` + `deletion_activities_emitted=1`.
  • [x] ✅ ActivityStreams deletion semantics for tombstoned records (`Delete`/`Tombstone` event policy documented and implemented).
  • Feed policy + implementation landed in `app/api/activity/route.ts`:
  • `/api/activity` now merges C2 tombstone lifecycle activities from `pipeline/state/deletion-activities.json`.
  • Tombstoned records are emitted as ActivityStreams `Delete` events with `object.type = "Tombstone"` and `object.formerType = "HumanMadeObject"`.
  • Response includes explicit `policy.deletionSemantics` metadata for aggregator consumers.
  • Coverage:
  • `tests/api/activity.test.ts` (`includes Delete/Tombstone activities from tombstone lifecycle state`)
  • [x] ✅ Meta Wiki Art source-of-truth contract finalized (publication-target-only vs community-editable model).
  • Default mode: `publication-target-only` (safe default).
  • Optional mode: `community-editable` (explicit opt-in).
  • Executable policy gate landed:
  • `src/services/wiki-source-of-truth.ts`
  • `app/api/wiki-drafts/[id]/publish/route.ts`
  • Publish preflight now enforces source anchoring:
  • draft `sourceRecordId` must resolve to an internal record before publish proceeds.
  • Coverage:
  • `tests/services/wiki-source-of-truth.test.ts`
  • `tests/api/wiki-drafts/flow.test.ts` (`blocks publish when source record is missing under publication-target-only contract`)
  • [x] ✅ If community-editable: reverse-ETL conflict resolution pipeline from Wikibase back to Postgres with deterministic merge policy.
  • Reverse-ETL apply endpoint landed:
  • `POST /api/wiki-sync/reverse-etl` (`app/api/wiki-sync/reverse-etl/route.ts`)
  • Deterministic merge + idempotency engine landed:
  • `src/services/wiki-reverse-etl.ts`
  • precedence policy: newer `modifiedAt` wins; equal timestamp tie-break by lexicographic `changeId`; replayed `changeId` is skipped.
  • Back-sync state persistence landed:
  • `storage/wiki-reverse-etl-state.json` (`wiki_reverse_etl_state` managed in Postgres modes)
  • Coverage:
  • `tests/services/wiki-reverse-etl.test.ts`
  • `tests/api/wiki-reverse-etl.test.ts`
\n
3) AI/LLM reliability (EvalOps)
\n
  • [x] ✅ Golden evaluation dataset for complex museum questions (minimum 100 prompts with expected grounding/citation behavior).
  • Dataset landed:
  • `evals/golden-museum-questions.v1.json` (`120` prompts, rubric + per-prompt grounding/citation/refusal expectations)
  • EvalOps documentation landed:
  • `docs/evals/golden-museum-questions.md`
  • Executable conformance gate landed:
  • `tests/quality/ai-eval-golden-dataset.test.ts`
  • [x] ✅ CI eval gate for AI-layer PRs (faithfulness, relevance, citation accuracy, citation freshness) using an evaluation harness (Ragas/DeepEval-equivalent workflow).
  • Eval harness landed:
  • `src/services/ai-eval-harness.ts`
  • `scripts/ai-eval-gate.ts`
  • Commands landed:
  • `pnpm ai:eval:report`
  • `pnpm ai:eval:gate`
  • CI workflow landed (AI-layer path-gated):
  • `.github/workflows/ai-eval-gate.yml`
  • Coverage:
  • `tests/services/ai-eval-harness.test.ts`
  • [x] ✅ Regression thresholds for model/prompt/version changes with fail-fast policy on citation and citation-freshness drift.
  • Versioned regression policy landed:
  • `config/ai-eval-regression-policy.json`
  • baseline identity keys: `datasetId + datasetVersion + modelVersion + promptVersion`
  • Drift evaluator landed:
  • `src/services/ai-eval-regression.ts`
  • citation drift is configured as fail-fast (`failFastOnCitationDrift`)
  • citation freshness drift is configured as fail-fast (`failFastOnCitationFreshnessDrift`)
  • Gate runner wiring landed:
  • `scripts/ai-eval-gate.ts` (`--check`, `--record-baseline`)
  • `pnpm ai:eval:gate`
  • `pnpm ai:eval:baseline:record`
  • CI enforcement landed:
  • `.github/workflows/ai-eval-gate.yml`
  • Coverage:
  • `tests/services/ai-eval-regression.test.ts`
  • [x] ✅ Structured evaluation artifact retention for trend analysis (per-run metrics + prompt/model version metadata).
  • Eval artifact retention service landed:
  • `src/services/ai-eval-artifacts.ts`
  • Gate runner now writes:
  • `artifacts/evals/ai-eval-gate-latest.json`
  • `artifacts/evals/runs/ai-eval-gate-<timestamp>.json`
  • `artifacts/evals/trend-index.json`
  • `artifacts/evals/summary.md` with CI badges, artifact links, and freshness-aging alerts
  • CI visibility:
  • `.github/workflows/ai-eval-gate.yml` appends `artifacts/evals/summary.md` to `$GITHUB_STEP_SUMMARY`
  • `.github/workflows/ai-eval-gate.yml` uploads `artifacts/evals/` for post-run inspection
  • Retention control:
  • `METAMUSEUM_EVAL_RETENTION_MAX_RUNS` (default `200`)
  • Coverage:
  • `tests/services/ai-eval-artifacts.test.ts`
\n
4) Frontend UX + research quality
\n
  • [x] ✅ Next.js i18n routing + locale negotiation from `Accept-Language` with graceful fallback.
  • Locale-aware proxy routing landed:
  • `proxy.ts`
  • i18n routing policy + negotiation utilities landed:
  • `src/utils/i18n-routing.ts`
  • `src/utils/locale-preferences.ts`
  • Behavior:
  • Non-localized `GET/HEAD` page requests redirect to `/{locale}/...` using negotiated locale.
  • Locale-prefixed requests rewrite to canonical internal routes while preserving locale context via request header/cookie.
  • Unsupported locale negotiation gracefully falls back to default locale (`en`).
  • Write-route role checks remain enforced against locale-normalized paths.
  • Coverage:
  • `tests/utils/i18n-routing.test.ts`
  • [x] ✅ Linked Art language-tag selection policy in UI rendering (prefer user locale, then fallback chain, preserving source labels).
  • Locale and language-tag policy utilities landed:
  • `src/utils/locale-preferences.ts`
  • `src/utils/linked-art-language.ts`
  • UI renderers now pass request locale preferences from `Accept-Language`:
  • `app/(workspace)/artwork/[id]/page.tsx`
  • `app/(workspace)/entity/[id]/page.tsx`
  • `app/(workspace)/records/page.tsx`
  • `app/(workspace)/entities/page.tsx`
  • `app/(workspace)/iiif/page.tsx`
  • Linked Art projection layers now apply locale-aware label selection while preserving source-label fallbacks:
  • `src/utils/artwork-builder.ts`
  • `src/utils/entities.ts`
  • Coverage:
  • `tests/utils/linked-art-language.test.ts`
  • `tests/utils/artwork-builder.test.ts`
  • `tests/utils/entities.test.ts`
  • [x] ✅ Researcher feedback/annotation loop using W3C Web Annotation model (claim-targeted annotations without mutating canonical `_source.raw`).
  • W3C annotation contracts + validation landed:
  • `src/contracts/zod/web-annotation.ts`
  • `src/contracts/web-annotation.ts`
  • `src/contracts/zod/requests.ts`
  • Annotation persistence is isolated from canonical records and stored as a separate managed document (`annotations.json`):
  • `src/services/annotations.ts`
  • `src/utils/storage.ts`
  • API endpoints landed for create/list/get with public CORS and audit logging:
  • `app/api/annotations/route.ts`
  • `app/api/annotations/[id]/route.ts`
  • Research UI loop landed on artwork detail pages:
  • `src/components/research-annotation-loop.tsx`
  • `app/(workspace)/artwork/[id]/page.tsx`
  • Coverage:
  • `tests/api/annotations.test.ts`
  • `tests/auth/roles.test.ts`
  • [x] ✅ Curator triage queue for annotation-driven correction proposals with provenance-safe review flow.
  • Curator triage queue API landed with state-aware queue metrics and claim-target proposal payloads:
  • `app/api/annotations/triage/route.ts`
  • Provenance-safe review action API landed:
  • `app/api/annotations/[id]/review/route.ts`
  • `src/services/annotations.ts` (`review()` workflow transitions)
  • Role policy enforces editor/admin review access while preserving researcher submit access:
  • `src/auth/roles.ts`
  • Curator workspace queue UI landed:
  • `app/curator/annotations/page.tsx`
  • `src/components/annotation-triage-workbench.tsx`
  • `app/layout.tsx` (workspace navigation link)
  • Coverage:
  • `tests/api/annotations.test.ts`
  • `tests/auth/roles.test.ts`
\n
5) Security + privacy posture
\n
  • [x] ✅ PII/sensitivity scan stage in C2 ETL before public indexing/syndication.
  • `src/utils/sensitivity.ts` scans materialized records for PII, cultural-sensitivity, and restricted-publication signals while excluding raw provider payload blobs.
  • `src/utils/record-materializer.ts` attaches `_sensitivity` review state during import/persist materialization.
  • `src/services/outbox-projector.ts` skips Solr + GraphDB public projections for records held by sensitivity review.
  • Coverage:
  • `tests/utils/sensitivity.test.ts`
  • `tests/utils/record-materializer.test.ts`
  • `tests/utils/search-index.test.ts`
  • `tests/services/outbox-projector.test.ts`
  • [x] ✅ Human-review hold policy for flagged records (restricted publication until disposition).
  • Flagged records carry `_sensitivity.status = "review_required"` and `_sensitivity.holdPublication = true`.
  • Held records are excluded from Solr/GraphDB syndication and flattened with `publication_status = "held_for_review"` plus no public `text_all`.
  • [x] ✅ Culturally sensitive knowledge handling rules integrated with rights/reuse UI and syndication controls.
  • Cultural-sensitivity scan rules and syndication holds now flow into explorer DTOs as `held_for_review` records with explicit rights/reuse review labels.
  • `RightsBadge` renders sensitivity labels as review-required publication holds, keeping cultural-sensitivity warnings visible anywhere rights/reuse chips appear.
  • Coverage:
  • `tests/components/linked-atomics.test.ts`
  • `tests/utils/artwork-builder.test.ts`
  • [x] ✅ Security telemetry for sensitivity decisions (who approved, why, and when).
  • Scanner telemetry records version, scan time, signal count, highest severity, and hold policy.
  • Human disposition telemetry now requires reviewer identity, rationale, and timestamp before approval can clear a publication hold.
  • Materialization preserves existing disposition telemetry during record rewrites, and reviewed records only return to public indexing after an approved disposition.
  • Coverage:
  • `tests/utils/sensitivity.test.ts`
  • `tests/utils/record-materializer.test.ts`
  • `tests/utils/search-index.test.ts`
\n
6) Content credibility engine (trust/originality/distribution/consistency)
\n
  • [x] ✅ Baseline credibility-engine policy document landed:
  • `docs/content-credibility-engine.md`
  • [x] ✅ Trust-layer storage templates landed:
  • `provenance/ledger.json`
  • `provenance/source-map.yaml`
  • [x] ✅ Originality-layer storage template landed:
  • `semantic-core/originality-index.json`
  • baseline novelty threshold documented (`cosine_distance > 0.18`)
  • [x] ✅ Distribution/consistency scaffolding landed:
  • `distribution/schedule.yaml`
  • runtime queue path reserved at `distribution/queue.db` (gitignored)
  • `generation/style-profile.md`
  • [x] ✅ Monitoring scaffold landed:
  • `monitoring/metrics.json`
  • [x] ✅ Enforce citation-coverage gates in code for generated/publishable artifacts.
  • `POST /api/content/generate` now returns `422` when computed citation coverage falls below threshold (`METAMUSEUM_CITATION_COVERAGE_THRESHOLD`, default `0.95`), including coverage diagnostics in response.
  • `POST /api/wiki-drafts/[id]/publish` now runs explicit publish preflight and returns `422` with preflight diagnostics when citation coverage or other publishability checks fail.
  • Evidence: `src/utils/citation-coverage.ts`, `app/api/content/generate/route.ts`, `src/services/wiki-publish.ts`, `app/api/wiki-drafts/[id]/publish/route.ts`, `tests/api/content-generate.test.ts`, `tests/quality/cite-or-refuse-conformance.test.ts`, `tests/services/wiki-publish.test.ts`.
  • [x] ✅ Enforce originality-score gates in code for generated/publishable artifacts.
  • Originality scoring utility landed with policy-driven threshold + minimum unique-insight checks:
  • `src/utils/originality-score.ts`
  • `POST /api/content/generate` now returns `422` when originality score gates fail, including originality diagnostics in output payload.
  • `src/services/agents.ts`
  • `app/api/content/generate/route.ts`
  • Wiki publish preflight now enforces originality gates before publishable status:
  • `src/services/wiki-publish.ts`
  • `app/api/wiki-drafts/[id]/publish/route.ts`
  • Coverage:
  • `tests/utils/originality-score.test.ts`
  • `tests/api/content-generate.test.ts`
  • `tests/quality/cite-or-refuse-conformance.test.ts`
  • `tests/services/wiki-publish.test.ts`
  • `tests/api/wiki-drafts/flow.test.ts`
  • [x] ✅ Add weekly credibility audit automation (drift + relevance + broken-link checks).
  • Weekly audit orchestration script landed:
  • `scripts/credibility-audit.ts`
  • `src/services/credibility-audit.ts`
  • Package commands:
  • `pnpm credibility:audit`
  • `pnpm credibility:audit:check`
  • Weekly GitHub Action landed:
  • `.github/workflows/credibility-audit.yml`
  • uploads `artifacts/credibility-audit/latest.json`
  • Coverage:
  • `tests/services/credibility-audit.test.ts`
  • [x] ✅ Add queue worker implementation for multi-channel publish orchestration (web/linkedin/medium/email/api).
  • Publish queue worker service landed with:
  • schedule parsing from `distribution/schedule.yaml`
  • durable queue state in `distribution/queue.db`
  • per-channel delivery states, retries/backoff, dead-letter handling
  • per-day channel cap deferral logic from schedule policy
  • channel adapters for `web`, `linkedin`, `medium`, `email`, `api`
  • Files:
  • `src/services/publish-queue-worker.ts`
  • `scripts/publish-queue-worker.ts`
  • `distribution/README.md`
  • Commands:
  • `pnpm publish:queue:worker`
  • `pnpm publish:queue:worker:once`
  • `pnpm publish:queue:worker:drain`
  • Coverage:
  • `tests/services/publish-queue-worker.test.ts`
  • [x] ✅ Add OpenTelemetry metric/span conventions for trust/originality/distribution events.
  • Shared conventions module landed with stable span/metric names plus common layer/event/kind/outcome attributes:
  • `src/utils/otel-credibility.ts`
  • Trust/originality gates now emit standardized spans/metrics:
  • `src/utils/citation-coverage.ts`
  • `src/utils/originality-score.ts`
  • Wiki publish preflight/execute and distribution queue orchestration emit the same conventions:
  • `src/services/wiki-publish.ts`
  • `src/services/publish-queue-worker.ts`
  • Coverage:
  • `tests/utils/otel-credibility.test.ts`
  • [x] ✅ Add eval thresholds for engagement velocity and trust/originality regression alerts.
  • Threshold evaluator landed for engagement velocity minimum plus trust/originality minimum and baseline-drop budgets:
  • `src/services/credibility-eval-thresholds.ts`
  • `config/credibility-eval-thresholds.json`
  • Weekly credibility audit now evaluates and reports these alerts:
  • `src/services/credibility-audit.ts`
  • `scripts/credibility-audit.ts`
  • Coverage:
  • `tests/services/credibility-eval-thresholds.test.ts`
  • `tests/services/credibility-audit.test.ts`
\n
Highest ROI priority
\n
  • [x] ✅ Implement OpenTelemetry before broader C4/C5 expansion to prevent distributed-debugging bottlenecks.
\n
Meta Wiki Art bridge implementation notes:
\n
  • [x] ✅ See meta-wiki-art-bridge.md(meta-wiki-art-bridge.md) for sequencing constraints, boundaries, and the staged publish flow.
  • Sequencing constraints are documented under `## Sequencing constraints`.
  • Bridge boundaries are documented under `## Boundaries (Out Of Scope For Era A/B)`.
  • Staged publish flow is documented under `## Planned C5 flow`.
\n
Era C exit gate:
\n
  • [x] ✅ Automated evidence pack landed for all four checks (artifact schema + nightly job + dated run history).
  • Schema: `docs/schemas/era-c-exit-gate-evidence.schema.json`
  • Policy: `config/era-c-exit-gate-policy.json`
  • Script + artifacts: `scripts/era-c-exit-gate.ts`, `artifacts/exit-gate/`
  • Trend index now carries compact failed-check reasons so agents can prioritize the next blocker without opening every historical artifact.
  • Telemetry snapshot automation: `scripts/monitoring-telemetry-sync.ts` via `pnpm monitoring:telemetry:sync` (wired into `pnpm era-c:exit-gate:evidence` / `pnpm era-c:exit-gate:check`)
  • Nightly workflow: `.github/workflows/era-c-exit-gate-evidence.yml`
  • Nightly workflow now supports deployed-target evidence via `METAMUSEUM_EVIDENCE_BASE_URL`, `METAMUSEUM_EVIDENCE_IIIF_TILE_URL`, optional SPARQL/query vars, and matrix-first `METAMUSEUM_ACTIVITY_CONSUMER_IDS` (`METAMUSEUM_ACTIVITY_CONSUMER_ID` fallback); when target vars are missing it keeps the local `pnpm k6:slo:ci` fallback so automation still produces artifacts.
  • [x] ✅ Deployment-foundation preflight landed for controlled beta / production launch review.
  • Commands: `pnpm launch:preflight`, `pnpm launch:preflight:production`
  • Script + service: `scripts/deployment-preflight.ts`, `src/services/deployment-preflight.ts`
  • Runbook: `docs/ops/deployment-preflight.md`
  • Scope: verifies env/secrets, Postgres mode, uptime source, SLO target URL, fresh DR restore rehearsal, and staging-vs-production smoke-token posture before collecting exit-gate evidence.
  • [x] ✅ Launch review packet landed for controlled beta / production launch decision evidence.
  • Commands: `pnpm launch:review`, `pnpm launch:review:check`, `pnpm launch:review:production`
  • Script + service: `scripts/launch-review.ts`, `src/services/launch-review.ts`
  • Runbook: `docs/ops/launch-review.md`
  • Scope: aggregates latest preflight, Era C exit-gate, security audit baseline, DR drill, public-trust smoke, a11y evidence, and explore smoke evidence; production fails on missing/stale/red evidence while staging can warn for beta-only evidence collection.
  • Evidence producers: `pnpm a11y:check` writes `artifacts/launch/a11y-latest.json`, and `pnpm smoke:explore:matrix` writes `artifacts/launch/explore-smoke-latest.json`.
  • [ ] ⚠️ Latest exit-gate status is failed (`2026-06-10T11:36:30.690Z`), but the artifact is now agent-actionable:
  • SLO failures distinguish incomplete k6 summaries from actual p95 threshold breaches via `missingMetricsInWindow` and per-sample `metricDetails`.
  • Uptime failures include evidence `source` and `notes`.
  • Activity adoption credits only declared external consumers with `class: "declared"` and `declaredId`.
  • KPI failures include source metadata, snapshot notes, and per-failed-metric source/reason details.
  • [ ] All SLOs in SOTA §20.4 met at p95 over a 30-day window.
  • Evidence contract now requires all five p95 SLO metrics: cached Record, cold Record, keyword+facet search, whitelisted SPARQL, and IIIF tile serving.
  • SLO evidence artifacts now include missing-metric summaries and per-sample metric details so incomplete k6 runs are actionable separately from threshold breaches.
  • Nightly workflow hardening can now collect complete deployed-target samples once GitHub vars provide the app base URL, IIIF tile URL, and whitelisted SPARQL inputs.
  • Current blocker: retained k6 history has only `3/30` samples and those samples are legacy three-metric summaries missing whitelisted SPARQL and IIIF tile p95 values.
  • [ ] 99.9% uptime on public read.
  • Uptime gate now rejects stale or undated availability snapshots; `uptime.maxSnapshotAgeHours` defaults to `48` so the 30-day proof must be continuously refreshed.
  • Uptime evidence artifacts now surface source (`prometheus`, `probe`, `unavailable`) plus notes, making missing public-read proof actionable without opening telemetry snapshots.
  • Current blocker: uptime source is `probe`, availability is `1`, and `sampleCount30d` is `3`; continue scheduled probes until the 30-sample window is met.
  • [ ] ≥ 3 external Linked Art systems consume the `/api/activity` feed.
  • Exit-gate adoption evidence now credits only declared external consumers via `x-linked-art-consumer-id`; derived fingerprints remain diagnostic and cannot satisfy the gate.
  • Evidence ingestion preserves `class` + `declaredId` from `storage/activity-consumers.json`, so declared external consumers can satisfy the gate when real adoption arrives.
  • Activity adoption proof tooling now rejects placeholder/local IDs by default, probes `/api/activity` + `/api/activity/readiness`, and writes dated single-consumer + matrix artifacts under `artifacts/activity-adoption/`.
  • Current blocker in the latest published artifact: declared external consumers are `0/3`; run `pnpm activity:adoption:matrix` with three partner-owned consumer IDs against the deployed target after those consumers are onboarded.
  • [ ] KPIs in SOTA §26 hit.
  • KPI gate now rejects stale or undated KPI snapshots and requires real AI query cost telemetry when `kpis26.requireAiQueryCostTelemetry` is enabled; fallback default cost values remain diagnostic only.
  • KPI evidence artifacts now include source metadata, snapshot notes, and per-failed-metric source/reason details so SOTA §26 blockers are actionable without opening telemetry inputs.
  • KPI telemetry sync now accepts `monitoring/kpi-evidence.json` (or `METAMUSEUM_KPI_EVIDENCE_PATH`) for aggregate production record-enrichment and reconciliation-review counts; invalid sections are ignored instead of creating false-green metrics.
  • AI query telemetry now logs `costUsd`, `costCurrency`, `costSource`, and usage counts per query; the deterministic local planner records `costUsd: 0` with `costSource: "deterministic-local-planner"` instead of relying on fallback KPI defaults.
  • Nightly workflow now seeds one deployed `/api/ai/query` request before telemetry sync when `METAMUSEUM_EVIDENCE_BASE_URL` is configured.
  • Current blockers in the latest published artifact: `dataQualityEnrichedShare`, `reconciliationAutoApproveRate`, and `reconciliationPrecisionReviewed`; AI query cost telemetry is now sourced and within policy, so the remaining KPI work is production enrichment/reconciliation evidence.
\n
---
","updatedAt":"2018-10-20T01:46:40.000Z","checksum":"cc030755d1e57b3a4e99b6036fc1ff3a8e2931a9ac35111319e013c9782e0b3e","checksumPrefix":"cc030755d1e5","anchorCount":47,"lineCount":1284,"rawUrl":"/api/docs/content?path=progress%2Fera-history.md","htmlUrl":"/docs?doc=progress%2Fera-history.md","apiUrl":"/api/docs/content?path=progress%2Fera-history.md"}