RV/overview
RV PRIVACY V1OPERATOR-BLINDNO RECOVERY KEY
Blinded research operations without identity spillover
Precision workflow for acquisition, judging, analysis, governance, and controlled exports. Direct identifiers stay in the user-held vault; role workspaces see scoped capability summaries only.
Identity modelVAULTclient-encrypted mappings
Access modelCAPscoped principals
ArtifactsTICKETopaque read links
ExportsLOCALbundle pseudonyms only
Direct identifiers, identity mappings, invitation secrets, raw capability refs, and storage paths are excluded from normal operator surfaces.
PRIVACY BOUNDARYWorkspaces
role-scoped| Area | Purpose | |
|---|---|---|
| Study registry | Protocol setup, lock, assignment, and lifecycle | Open |
| Target corpus | Target media and frozen pools | Open |
| Acquisition | Viewer sessions with concealed target identity | Open |
| Blind judging | Anonymized 4-choice ranking packets | Open |
| Analysis | Pre-registered confirmatory reporting | Open |
| Governance | Audit, retention, and controlled exports | Open |
Access paths
separate contextsRedeem an anonymous invitation for role-scoped workspaces. Account-backed vault access is separate and requires an authenticated account session.
Redeem anonymous invitationOperator limits
Railway/domain metadata remains visible. Anonymous capabilities do not unlock the account vault, and vault decrypt keys do not exist server-side.