{ "evidence_version": 1, "generated_at": "2026-05-26T23:34:49Z", "domain": "socialmedia2.com", "repository": "https://github.com/ChrisRoyse/Polis", "pilot_polis": "Evanston, Illinois", "status": "acquisition_paths_ready_not_build_done_evidence", "build_done_expected": false, "hosted_ci": false, "no_paid_operations": true, "secret_store": { "provider": "infisical", "path": "/polis/socialmedia2_com", "secret_values_in_repo": false }, "repo_visibility_preflight": { "readback_command": "gh repo view ChrisRoyse/Polis --json visibility,licenseInfo,url", "visibility": "PUBLIC", "is_private": false, "license_declared_in_cargo": "Apache-2.0", "license_file_path": "LICENSE", "license_file_spdx_id": "Apache-2.0", "open_source_license_readiness": "license_file_present", "github_license_detected": "Apache-2.0", "github_license_readback": "gh repo view ChrisRoyse/Polis --json visibility,licenseInfo,url,isPrivate", "hackerone_community_application_status": "not_submitted_project_age_requirement_not_met_until_2026_08_25" }, "non_substitution_policy": { "synthesized_allowed_for": [ "outreach_drafts", "request_packets", "readiness_scan_plans", "calibration_rehearsal_design" ], "never_build_done_evidence": [ "automated_scan_only_for_H2", "self_review_for_H2_or_X4", "generated_only_legal_review", "public_dataset_rows_for_E2_E3", "synthetic_calibration_rows", "unconsented_pilot_rows", "missing_30_day_tie_outcomes" ] }, "candidate_paths": [ { "id": "H2_HACKERONE_COMMUNITY", "gate": "H2", "github_issue": 7, "path_type": "vulnerability_coordination", "source_urls": [ "https://www.hackerone.com/company/open-source-community" ], "source_basis": "HackerOne Community Edition is free for eligible open source projects, supports vulnerability coordination, does not require bounty payments, and its public application requirements include OSI-licensed scope, a root SECURITY.md, public profile linking after approval, sub-week initial report response, and active project age of at least 3 months by shipped releases/code contributions.", "cost_boundary": "free_if_eligible_no_bounties_no_credit_card", "build_done_fit": "supporting_only", "current_submission_status": "not_submitted_project_age_requirement_not_met_until_2026_08_25", "eligibility_risk": "The repository is public and Apache-2.0 with .github/SECURITY.md present, but current GitHub repo age does not satisfy HackerOne at-least-3-month active-project requirement. Do not check the application attestation or submit unless HackerOne confirms older project history can count or the recheck date has passed.", "next_action": "Recheck HackerOne Community eligibility on or after 2026-08-25, or ask HackerOne whether older Serendipity Engine/Polis project history can satisfy the age requirement without false attestation; if approved, add the HackerOne profile link to socialmedia2.com navigation and keep bounties disabled unless explicitly approved.", "why_not_direct_build_done": "H2 still requires a real independent external firm pentest PDF with zero Critical or High findings open.", "application_readback_at": "2026-05-26T21:51:14Z", "github_repo_created_at": "2026-05-25T03:50:37Z", "first_local_commit_date": "2026-05-24", "earliest_truthful_age_recheck_date": "2026-08-25", "phone_requirement_readiness": "stripe_public_support_phone_present_but_value_not_committed" }, { "id": "H2_OSTIF_AUDIT_FACILITATION", "gate": "H2", "github_issue": 7, "path_type": "funded_or_pro_bono_external_audit", "source_urls": [ "https://ostif.org/", "https://ostif.org/the-ostif-difference/" ], "source_basis": "OSTIF facilitates security audits and reviews for open source projects and coordinates audit process, scoping, and specialist teams.", "cost_boundary": "no_project_spend_only_if_sponsor_grant_or_pro_bono_terms_are_confirmed", "build_done_fit": "conditional_after_real_independent_report", "eligibility_risk": "OSTIF examples include paid sponsor-funded audits; no quote, statement of work, or payment obligation may be accepted under the no-paid-ops rule.", "next_action": "Ask whether Polis can be considered for sponsor-funded or pro-bono review, with reports sent to security@socialmedia2.com or review@socialmedia2.com.", "why_not_direct_build_done": "The contact path is not evidence until an independent report file and latest.json pass scripts/ci/pentest_evidence_check.sh." }, { "id": "H2_LFX_OSTIF_SECURITY_AUDIT_APPLICATION", "gate": "H2", "github_issue": 7, "path_type": "crowdfunded_or_sponsor_funded_security_audit_application", "source_urls": [ "https://docs.linuxfoundation.org/lfx/crowdfunding/apply-for-crowdfunding/add-a-project-for-security-audit" ], "source_basis": "Linux Foundation LFX documentation describes a security audit application flow where projects submit an application to OSTIF through crowdfunding and, if approved, OSTIF determines the funding goal.", "cost_boundary": "no_project_spend_only_if_crowdfunding_sponsor_or_pro_bono_terms_are_confirmed", "build_done_fit": "conditional_after_real_independent_report", "eligibility_risk": "The flow requires LFX sign-in and truthful open-source project metadata; do not submit if any payment obligation is requested.", "next_action": "Prepare the non-secret security packet for LFX/OSTIF review, but hold submission until no-project-spend terms are confirmed.", "why_not_direct_build_done": "An application or funding goal is not H2 evidence until a real independent pentest report is received and accepted by scripts/ci/pentest_evidence_check.sh." }, { "id": "H2_MOZILLA_MOSS_SOS_NOMINATION", "gate": "H2", "github_issue": 7, "path_type": "open_source_security_audit_nomination", "source_urls": [ "https://docs.google.com/forms/d/e/1FAIpQLScLwANEOvLBE6gnFVoiamqHOYzzkaChpdQJ7f0PlZGmfyy94w/viewform", "https://www.mozilla.org/en-US/moss/secure-open-source/" ], "source_basis": "Mozilla's MOSS Secure Open Source track supports security audits and remediation for open source software projects and publishes a public nomination form plus sosfund@mozilla.com for questions.", "cost_boundary": "no_project_spend_only_if_selected_under_moss_secure_open_source_terms", "build_done_fit": "conditional_after_real_independent_report", "eligibility_risk": "MOSS requires open source or free software with an OSI-certified or FSF-approved license and active maintenance; the repository is now public and Apache-2.0 licensed.", "next_action": "Monitor security@socialmedia2.com and review@socialmedia2.com for Mozilla follow-up. Do not claim H2 complete unless Mozilla or its assigned reviewer provides a real independent audit report that passes scripts/ci/pentest_evidence_check.sh.", "why_not_direct_build_done": "A nomination is not H2 evidence until Mozilla or its assigned reviewer provides a real audit report with zero Critical or High findings open.", "current_submission_status": "submitted_public_form_no_reply_expected", "submitted_at": "2026-05-26T21:31:50Z", "submitted_contact": "security@socialmedia2.com", "submission_confirmation_text": "Thank you for applying to the Mozilla Open Source Support program - your work is important to us.", "edit_response_url_committed": false }, { "id": "H2_CISA_CYBER_HYGIENE", "gate": "H2", "github_issue": 7, "path_type": "no_cost_external_vulnerability_scan", "source_urls": [ "https://www.cisa.gov/cyber-hygiene-services" ], "source_basis": "CISA advertises no-cost Cyber Hygiene services for eligible organizations, including vulnerability scanning and web application scanning, and publishes vulnerability@cisa.dhs.gov with the subject line Requesting Cyber Hygiene Services.", "cost_boundary": "request_no_cost_terms_only", "build_done_fit": "supporting_only", "eligibility_risk": "Eligibility can depend on organization type, U.S. presence, and critical-infrastructure fit.", "next_action": "Send an eligibility inquiry asking only for no-cost Cyber Hygiene services for socialmedia2.com and route any reports to security@socialmedia2.com or review@socialmedia2.com.", "why_not_direct_build_done": "Automated or non-pentest external scanning is not the independent external firm pentest required by H2." }, { "id": "H2_LOCAL_READINESS_SCANS", "gate": "H2", "github_issue": 7, "path_type": "local_only_security_readiness", "source_urls": [ "https://developer.mozilla.org/en-US/observatory/docs/faq", "https://www.zaproxy.org/docs/docker/", "https://github.com/ossf/scorecard" ], "source_basis": "MDN HTTP Observatory, OWASP ZAP Docker scans, and OpenSSF Scorecard provide no-cost readiness checks that can be run locally or as public scans without paid CI.", "cost_boundary": "local_only_no_paid_saas_no_hosted_ci", "build_done_fit": "supporting_only", "eligibility_risk": "Public scans can publish domain scan history; do not include secrets or authenticated citizen data.", "next_action": "Use these only as remediation inputs before a real independent pentest.", "why_not_direct_build_done": "Readiness scans are self-operated or automated and cannot replace independent H2 evidence." }, { "id": "H2_SILENTPROOF_FREE_BASELINE", "gate": "H2", "github_issue": 7, "path_type": "no_cost_manual_security_baseline_request", "source_urls": [ "https://silentproof.io/", "https://socialmedia2.com/review/pentest-request.json" ], "source_basis": "SilentProof advertises a $0 Free Baseline, work-email verification, written authorization before active testing, no credentials or repository access for the baseline, human-verified findings, and a short outcome note if no critical or high-impact issue is confirmed.", "cost_boundary": "free_baseline_only_no_deep_review_no_paid_remediation_no_credentials", "build_done_fit": "conditional_after_real_independent_report", "current_submission_status": "submitted_free_baseline_request_authorization_email_queued", "submitted_at": "2026-05-26T17:38:08Z", "request_id": "sp_8a28a74d", "eligibility_risk": "The baseline is narrower than a full independent pentest and starts active testing only after a later written authorization step; any paid Deep Review, remediation, credentials, repository access, or destructive testing remains outside approval.", "next_action": "Monitor security@socialmedia2.com and review@socialmedia2.com for SilentProof verification or authorization email, approve only no-cost/non-destructive scope if appropriate, and assemble any resulting independent report only if it satisfies scripts/ci/pentest_evidence_check.sh.", "why_not_direct_build_done": "The request and queued authorization email are acquisition support only; H2 still requires an accepted independent external pentest report with zero Critical or High findings open." }, { "id": "H2_ZEALYNX_AUDIT_GRANT_OR_SCOPE_REVIEW", "gate": "H2", "github_issue": 7, "path_type": "no_project_spend_security_audit_grant_or_scope_review", "source_urls": [ "https://www.zealynx.io/", "https://www.zealynx.io/quote", "https://www.zealynx.io/methodology", "https://grants.zealynx.io/", "https://socialmedia2.com/review/pentest-request.json" ], "source_basis": "Zealynx describes senior-led manual review, application/API/backend pentesting, AI and MCP audits, a free scope-review path, and audit grants where the Core Grant is a fully covered audit for selected builders; its methodology combines line-by-line manual review, automated verification layers, and published severity classification.", "cost_boundary": "free_scope_review_or_core_grant_only_no_quote_acceptance_no_paid_grant_tiers_no_invoice_no_payment_method", "build_done_fit": "conditional_after_real_independent_report", "current_submission_status": "not_submitted_grant_window_tbd_or_paid_quote_boundary", "eligibility_risk": "Zealynx grant and quote paths are Web3/protocol-oriented and can lead to paid Growth or Builder tiers, scoped invoices, or standard audit rates; do not create an account, submit a quote, accept a scope, or authorize active testing unless no-cost Core Grant or free-scope-review terms are explicit.", "next_action": "Use only a no-cost Core Grant or free scope-review inquiry after confirming no quote, statement of work, invoice, payment method, account commitment, private repo access, secrets, citizen data, or destructive testing is required; ask whether socialmedia2.com, Cloudflare Pages, the Pages Function webhook, and public MCP/API surfaces can be independently reviewed at no project cost.", "why_not_direct_build_done": "A source lead, free-scope-review inquiry, or grant application is not H2 evidence until Zealynx delivers a real independent external security report accepted by scripts/ci/pentest_evidence_check.sh with zero Critical or High findings open." }, { "id": "H2_OPENSSF_ALPHA_OMEGA_GRANT", "gate": "H2", "github_issue": 7, "path_type": "open_source_security_grant_expert_analysis", "source_urls": [ "https://alpha-omega.dev/grants/how-to-apply/", "https://openssf.org/Alpha-Omega/", "https://socialmedia2.com/review/pentest-request.json" ], "source_basis": "OpenSSF Alpha-Omega says its mission is improving critical open source software security through direct maintainer engagement and expert analysis, lists standalone projects as eligible, and publishes a grant submission form for aligned projects.", "cost_boundary": "grant_or_expert_analysis_only_no_project_spend_no_vendor_terms_without_explicit_approval", "build_done_fit": "conditional_after_real_independent_report", "current_submission_status": "not_submitted_public_repo_ready_criticality_fit_boundary", "eligibility_risk": "Alpha-Omega focuses on critical open source software, asks for open source license information and project-security posture, and may require proposal or agreement terms; do not submit until criticality fit and no-project-spend terms can be answered truthfully.", "next_action": "Prepare the non-secret H2 packet for an Alpha-Omega grant inquiry after criticality fit is confirmed; request only no-cost expert analysis or grant-supported review of socialmedia2.com, Cloudflare Pages, the Pages Function webhook, and public MCP/API surfaces.", "why_not_direct_build_done": "A grant request, eligibility conversation, or funding approval is not H2 evidence until a real independent external security report is received and accepted by scripts/ci/pentest_evidence_check.sh with zero Critical or High findings open." }, { "id": "X4_UIC_COMMUNITY_ENTERPRISE_CLINIC", "gate": "X4", "github_issue": 9, "path_type": "pro_bono_or_clinic_legal_review", "source_urls": [ "https://law.uic.edu/experiential-education/clinics/community-enterprise/" ], "source_basis": "UIC Law's Community Enterprise and Solidarity Economy Clinic represents worker-owned cooperative, nonprofit, or small-business community enterprises and publishes a direct clinic contact.", "cost_boundary": "pro_bono_or_no_cost_terms_required_before_engagement", "build_done_fit": "conditional_after_real_independent_report", "eligibility_risk": "Client eligibility and timing are controlled by the clinic.", "next_action": "Send the X4 request package and ask whether the clinic can provide a written independent review of the articles and bylaws.", "why_not_direct_build_done": "A clinic contact is not evidence until an independent legal-review PDF and x4-legal-review.json pass scripts/ci/legal_review_check.sh." }, { "id": "X4_NORTHWESTERN_DPELC", "gate": "X4", "github_issue": 9, "path_type": "entrepreneurship_clinic_legal_review", "source_urls": [ "https://www.northwestern.edu/innovation/innovation-at-northwestern/dplc.html", "https://www.law.northwestern.edu/legalclinic/elc/index.html" ], "source_basis": "Northwestern's Donald Pritzker Entrepreneurship Law Center describes supervised legal work for entrepreneurs, including incorporation, contract drafting, trademark, copyright, and startup launch support; the official law clinic page says the Center continues to accept clients and publishes dpelc@law.northwestern.edu.", "cost_boundary": "clinic_or_pro_bono_terms_required_before_engagement", "build_done_fit": "conditional_after_real_independent_report", "current_submission_status": "sent_email_pending_external_reply", "submitted_at": "2026-05-26T20:51:41Z", "eligibility_risk": "Clinic client selection, conflicts, and timing are controlled by Northwestern Law; cooperative and nonprofit-specific scope must be confirmed before relying on this path.", "next_action": "Monitor legal@socialmedia2.com, review@socialmedia2.com, and Gmail replies for DPELC fit guidance or referral; assemble X4 only after a qualified independent written report is received.", "why_not_direct_build_done": "Clinic eligibility or advice is not X4 evidence until a qualified independent reviewer returns a signed report accepted by scripts/ci/legal_review_check.sh." }, { "id": "X4_UCONN_TRANSACTIONAL_LAW_CLINIC", "gate": "X4", "github_issue": 9, "path_type": "pro_bono_transactional_legal_intake", "source_urls": [ "https://law.uconn.edu/academics/clinics-experiential-education/transactional-law-clinic/", "https://forms.office.com/r/S78twngQ12" ], "source_basis": "UConn Law's Transactional Law Clinic Microsoft Forms intake states the clinic provides pro bono transactional legal services and gives priority to clients without funds, Connecticut location or impact, business plan/capacity, or service to underserved communities; Playwright readback also found the clinic currently full and taking new applications in order received.", "cost_boundary": "clinic_services_no_cost_but_no_filing_or_third_party_fees_without_explicit_approval", "build_done_fit": "conditional_after_real_independent_report", "current_submission_status": "not_submitted_required_address_phone_financial_fields_missing_and_clinic_full", "eligibility_risk": "The intake requests real applicant address, phone, representative contact, last-year/current revenue, assets, annual budget, combined personal gross income, owners and ownership percentages, signature, and date; do not submit without truthful owner-supplied facts and no-cost scope confirmation.", "next_action": "Collect the real organization address, phone, financial eligibility, owner/contact representative, and signature facts from the owner, then submit only if the clinic can still consider the matter and no paid cost is authorized.", "why_not_direct_build_done": "An intake application is not X4 evidence until a qualified independent reviewer returns a signed legal-review report accepted by scripts/ci/legal_review_check.sh." }, { "id": "X4_LOYOLA_BUSINESS_LAW_CLINIC", "gate": "X4", "github_issue": 9, "path_type": "pro_bono_business_and_nonprofit_legal_review", "source_urls": [ "https://www.luc.edu/law/academics/clinical-programs/businesslawclinic/clientapplication/", "https://luclawschool.formstack.com/forms/business_law_clinic_application" ], "source_basis": "Loyola Chicago's Business Law Clinic states that it provides pro bono legal representation to Illinois for-profit businesses and not-for-profit organizations, including document drafting and review for organizational, operational, and financial documents.", "cost_boundary": "clinic_services_no_cost_but_no_filing_or_third_party_fees_without_explicit_approval", "build_done_fit": "conditional_after_real_independent_report", "current_submission_status": "not_submitted_required_address_phone_fields_missing", "eligibility_risk": "The application requires truthful address, phone, business or organization description, business-plan status, and waitlist acceptance; no paid filing or third-party expense may be accepted without explicit owner approval.", "next_action": "Collect the real organization address, phone, and business-plan status from the owner, then submit only the non-confidential X4 review request if the no-cost boundary remains true.", "why_not_direct_build_done": "A clinic application is not X4 evidence until a qualified independent reviewer returns a signed legal-review report accepted by scripts/ci/legal_review_check.sh." }, { "id": "X4_UCHICAGO_INNOVATION_CLINIC", "gate": "X4", "github_issue": 9, "path_type": "pro_bono_transactional_legal_review", "source_urls": [ "https://www.law.uchicago.edu/clinics/innovation/about" ], "source_basis": "The University of Chicago Innovation Clinic describes itself as pro bono and includes entity formation, internal governance documentation, terms, privacy, and software licensing work.", "cost_boundary": "pro_bono_or_no_cost_terms_required_before_engagement", "build_done_fit": "conditional_after_real_independent_report", "eligibility_risk": "The clinic may decline matters outside its scope or with institutional conflicts.", "next_action": "Ask whether the clinic can review the cooperative articles and bylaws against X4's exact scope and provide a signed report.", "why_not_direct_build_done": "The clinic path is not evidence until the required report and hash-bound metadata exist." }, { "id": "X4_CHICAGO_LAWYERS_COMMITTEE_LEGAL_REQUEST", "gate": "X4", "github_issue": 9, "path_type": "free_nonprofit_or_small_business_legal_intake", "source_urls": [ "https://www.clccrul.org/find-help", "https://www.clccrul.org/nonprofits-small-businesses-1" ], "source_basis": "Chicago Lawyers' Committee for Civil Rights publishes free legal services for eligible nonprofits and small businesses, a Legal Request Inquiry Form, and probonoworks@clccrul.org for questions.", "cost_boundary": "free_legal_services_only_no_paid_engagement_without_explicit_user_approval", "build_done_fit": "conditional_after_real_independent_report", "current_submission_status": "sent_email_pending_external_reply", "submitted_at": "2026-05-26T20:51:41Z", "eligibility_risk": "Eligibility depends on nonprofit or small-business status, community served, ability to pay, and intake review; startup nonprofits may need a business plan, proposed budget, and board list.", "next_action": "Monitor probonoworks@clccrul.org replies for eligibility guidance, referral, or a no-cost intake path; do not submit eligibility forms with fabricated nonprofit, budget, address, or phone facts.", "why_not_direct_build_done": "An intake form or referral is not X4 evidence until a qualified independent reviewer returns a signed legal-review report accepted by scripts/ci/legal_review_check.sh." }, { "id": "X4_LANE_LEGAL_AID_FOR_NEW_ENTREPRENEURS", "gate": "X4", "github_issue": 9, "path_type": "free_small_business_transactional_legal_intake", "source_urls": [ "https://www.lanechicago.org/legal_help" ], "source_basis": "Legal Aid for New Entrepreneurs states that it provides free legal services to entrepreneurs in Chicago, Cook County, or serving Chicago-area communities, including business entity formation, contract review and drafting, intellectual property, and other short-term transactional matters.", "cost_boundary": "free_legal_services_only_no_paid_engagement_without_explicit_user_approval", "build_done_fit": "conditional_after_real_independent_report", "current_submission_status": "not_submitted_income_revenue_and_for_profit_eligibility_fields_missing", "eligibility_risk": "LANE does not provide assistance to nonprofit organizations or groups and requests income and revenue information, so submit only if Polis or Serendipity Engine can truthfully qualify as an entrepreneur or small-business matter and the owner supplies the private eligibility facts.", "next_action": "Collect real legal-entity status, owner income and revenue eligibility facts, and no-cost scope confirmation before submitting the Microsoft Forms intake.", "why_not_direct_build_done": "An intake application is not X4 evidence until a qualified independent reviewer returns a signed legal-review report accepted by scripts/ci/legal_review_check.sh." }, { "id": "X4_FORDHAM_COMMUNITY_ENTERPRISE_CLINIC", "gate": "X4", "github_issue": 9, "path_type": "community_enterprise_and_cooperative_legal_review", "source_urls": [ "https://www.fordham.edu/school-of-law/experiential-education/clinics/community-enterprise-clinic/" ], "source_basis": "Fordham Law's Community Enterprise Clinic describes representation for grassroots and community-based nonprofit organizations, worker-owned cooperative businesses, bylaws and internal structures, democratic ownership and governance structures, and faculty-supervised student lawyer teams.", "cost_boundary": "clinic_or_pro_bono_terms_required_before_engagement_no_project_spend", "build_done_fit": "conditional_after_real_independent_report", "eligibility_risk": "Clinic client selection, geography, conflicts, semester timing, and whether the clinic can issue an X4-compliant signed independent report must be confirmed before relying on this path.", "next_action": "Send the public X4 legal-review packet and ask whether the clinic can review the cooperative articles and bylaws against the current hash-bound documents at no project cost.", "why_not_direct_build_done": "A clinic inquiry is not X4 evidence until a qualified independent reviewer returns a signed legal-review report accepted by scripts/ci/legal_review_check.sh." }, { "id": "X4_MICHIGAN_COMMUNITY_ENTERPRISE_CLINIC", "gate": "X4", "github_issue": 9, "path_type": "free_transactional_community_enterprise_clinic_intake", "source_urls": [ "https://michigan.law.umich.edu/academics/experiential-learning/clinics/community-enterprise-clinic-0", "https://www.law.umich.edu/clinical/CommunityEnterpriseClinic/Pages/clientapplication.aspx", "https://socialmedia2.com/review/legal-review-request.json" ], "source_basis": "Michigan Law Community Enterprise Clinic provides transactional legal services to nonprofit and community-based organizations, social enterprises, cooperatives, and neighborhood-based small businesses; listed work includes entity formation, cooperative organizations, drafting by-laws and governance documents, contracts, intellectual property, privacy policies, website terms of use, and risk management. The page states services are free, but clients pay government or agency-imposed application or filing fees.", "cost_boundary": "clinic_services_free_only_no_government_or_agency_fees_without_explicit_approval", "build_done_fit": "conditional_after_real_independent_report", "current_submission_status": "not_submitted_region_fit_and_external_fee_boundary", "eligibility_risk": "The clinic prioritizes Detroit and southeastern Michigan community enterprises and requires an online application, conflict check, screening interview, and signed engagement agreement before representation; Polis must not submit private facts, accept filing fees, or rely on the clinic unless regional fit and no-project-spend scope are explicit.", "next_action": "Use the public X4 packet to ask whether the clinic can review the cooperative articles and bylaws as a no-cost written independent review without filing or agency fees; submit the client application only after truthful organization facts, regional-fit explanation, and no-cost scope are ready.", "why_not_direct_build_done": "A clinic source lead or application is not X4 evidence until a qualified independent reviewer returns a signed legal-review report accepted by scripts/ci/legal_review_check.sh." }, { "id": "X4_GEORGETOWN_SENL_CLINIC", "gate": "X4", "github_issue": 9, "path_type": "social_enterprise_nonprofit_cooperative_legal_clinic", "source_urls": [ "https://www.law.georgetown.edu/experiential-learning/clinics/our-clinics/social-enterprise-and-nonprofit-clinic/", "https://www.law.georgetown.edu/experiential-learning/clinics/our-clinics/social-enterprise-and-nonprofit-clinic/clients/", "https://socialmedia2.com/review/legal-review-request.json" ], "source_basis": "Georgetown Law's Social Enterprise & Nonprofit Law Clinic says it offers free corporate and transactional legal services to social enterprises, including nonprofit organizations, cooperative associations, and select small businesses; its client page lists articles of incorporation, bylaws and operating agreements, organizational-document review, and governance compliance and review.", "cost_boundary": "pro_bono_legal_assistance_only_no_filing_or_third_party_cost_without_explicit_approval", "build_done_fit": "conditional_after_real_independent_report", "current_submission_status": "not_submitted_intake_closed_until_june_2026", "eligibility_risk": "The public pages say client intake is currently closed and will begin accepting applications in June 2026 for assistance starting September 2026; the clinic also focuses on Washington Metropolitan Area social enterprises, so geographic and timing fit must be confirmed before submission.", "next_action": "Recheck the client page in June 2026 and submit only the public X4 legal-review packet plus truthful organization facts if intake is open, no-cost scope is explicit, and Georgetown can provide a written independent review binding the current article and bylaw hashes.", "why_not_direct_build_done": "A future clinic intake path is not X4 evidence until a qualified independent reviewer returns a signed legal-review report accepted by scripts/ci/legal_review_check.sh." }, { "id": "X4_SELC_LEGAL_CAFE", "gate": "X4", "github_issue": 9, "path_type": "cooperative_legal_intake_or_referral", "source_urls": [ "https://www.theselc.org/cafe" ], "source_basis": "Sustainable Economies Law Center's Legal Cafe covers worker-owned cooperatives, nonprofits, governance, contracts, and liability questions.", "cost_boundary": "no_donation_no_paid_engagement_without_explicit_user_approval", "build_done_fit": "referral_or_supporting_only", "eligibility_risk": "Legal Cafe sessions are advisory and donation-based; a formal independent report may require a separate no-cost or pro-bono engagement.", "next_action": "Use as a referral path to locate a cooperative lawyer willing to produce X4 evidence at no project cost.", "why_not_direct_build_done": "Advice or templates are not an independent legal-review report." }, { "id": "E2_E3_COPENHAGEN_NETWORKS_REHEARSAL", "gate": "E2_E3", "github_issue": 2, "path_type": "public_dataset_rehearsal", "source_urls": [ "https://www.nature.com/articles/s41597-019-0325-x" ], "source_basis": "The Copenhagen Networks Study describes a multi-layer temporal network for more than 700 university students over four weeks, including proximity, calls, texts, and Facebook friendships.", "cost_boundary": "public_research_dataset_for_non_build_rehearsal_only", "build_done_fit": "rehearsal_only", "eligibility_risk": "Public research data is not opt-in Polis pilot data and cannot be treated as citizen consent for BUILD_DONE.", "next_action": "Use only to rehearse D1/D2 pipeline shape and outcome-class joins before real pilot rows arrive.", "why_not_direct_build_done": "E2/E3 require real opt-in pilot citizens in the selected polis with 30-day tie outcomes." }, { "id": "E2_E3_VAN_DE_BUNT_REHEARSAL", "gate": "E2_E3", "github_issue": 2, "path_type": "public_dataset_rehearsal", "source_urls": [ "https://rdrr.io/cran/networkDynamicData/man/vanDeBunt_students.html" ], "source_basis": "The van de Bunt data records multiple friendship levels over seven time points among university freshmen.", "cost_boundary": "public_research_dataset_for_non_build_rehearsal_only", "build_done_fit": "rehearsal_only", "eligibility_risk": "The available almost-complete cohort is only 32 students, below the 500-citizen build gate.", "next_action": "Use only as a small fixture for outcome label transitions and negative/positive tie examples.", "why_not_direct_build_done": "The dataset is too small and is not a Polis opt-in pilot calibration corpus." }, { "id": "E2_E3_NORTHWESTERN_LDCE_VOLUNTEER_OPPORTUNITY", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://www.northwestern.edu/lead-engage/community-engagement/submit-a-volunteer-opportunity.html" ], "source_basis": "Northwestern Leadership Development and Community Engagement accepts volunteer-opportunity submissions and says it can post ongoing opportunities on its website and pass one-time opportunities to interested groups.", "cost_boundary": "free_public_submission_no_paid_ads_no_paid_lists", "build_done_fit": "conditional_after_real_500_citizen_corpus", "current_submission_status": "not_submitted_public_page_form_not_rendered_in_playwright", "eligibility_risk": "The channel does not guarantee student interest, and any participants must still opt in through the Polis intake and later complete 30-day outcome collection.", "next_action": "Use the page contact path or retry the public page later; submit only if the form renders or LDCE provides an alternative no-cost submission path.", "why_not_direct_build_done": "A posting channel is not E2/E3 evidence until real opt-in pilot rows and joined 30-day outcomes meet the POLIS thresholds." }, { "id": "E2_E3_CITY_VOLUNTEER_EVANSTON", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://www.cityofevanston.org/residents/community_resources/volunteerevanston.php" ], "source_basis": "The City of Evanston's VolunteerEvanston page invites nonprofit organizations to submit volunteer opportunities for review and potential promotion through city communication channels.", "cost_boundary": "free_public_submission_no_paid_ads_no_paid_lists", "build_done_fit": "conditional_after_real_500_citizen_corpus", "current_submission_status": "not_submitted_nonprofit_eligibility_and_recaptcha", "eligibility_risk": "Promotion is reviewed by the City and may require nonprofit status; any resulting participant data must be real, consented, and joined with 30-day outcomes.", "next_action": "Submit only after nonprofit-organization eligibility is truthful and a human can complete the visible reCAPTCHA if required.", "why_not_direct_build_done": "A municipal volunteer listing is acquisition support only, not calibration evidence." }, { "id": "E2_E3_48TH_WARD_CALENDAR_SUBMISSION", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://the48thward.org/calendar", "https://the48thward.org/comms-form", "https://socialmedia2.com/pilot/orientation/" ], "source_basis": "The 48th Ward calendar invites event submissions for consideration, and its newsletter/calendar form accepts items for the ward newsletter and/or calendar while stating that inclusion is not guaranteed.", "cost_boundary": "free_public_submission_no_paid_ads_no_paid_lists", "build_done_fit": "conditional_after_real_500_citizen_corpus", "current_submission_status": "not_submitted_first_party_event_page_ready_ward_fit_unconfirmed", "eligibility_risk": "The route may only fit events relevant to the 48th Ward, not generic Evanston pilot recruitment.", "next_action": "Submit only after a truthful neighborhood fit is confirmed for the June 18, 2026 no-cost public pilot orientation.", "why_not_direct_build_done": "A ward calendar listing can recruit opt-in participants but is not E2/E3 evidence until real joined 30-day outcomes meet the POLIS thresholds." }, { "id": "E2_E3_FREE_COUNTRY_CHICAGO_COMMUNITY_EVENT", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://www.freecountrychicago.com/get-your-community-event-on-our-calendar/", "https://www.freecountrychicago.com/events/community/add", "https://socialmedia2.com/pilot/orientation/" ], "source_basis": "Free Country Chicago invites community events for listener awareness and provides a public Add New Event form requiring event title, description, start and end date/time, and event details.", "cost_boundary": "free_public_submission_no_paid_ads_no_paid_lists", "build_done_fit": "conditional_after_real_500_citizen_corpus", "current_submission_status": "submitted_public_event_form_pending_moderation", "eligibility_risk": "The route has a dated public event page, but approval and audience fit are not guaranteed.", "next_action": "Monitor for moderation, publication, or referral response; any participants must still opt in through the live intake and later complete 30-day outcome collection.", "why_not_direct_build_done": "A community calendar listing is acquisition support only and cannot satisfy E2/E3 without real opt-in intake rows and 30-day outcome labels." }, { "id": "E2_E3_WDCB_COMMUNITY_PSA", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://wdcb.org/event-submission?cat=submit-event.php", "https://socialmedia2.com/pilot/orientation/" ], "source_basis": "WDCB Public Radio publishes an Events Calendar Submission form with a Community Events, PSAs & Other Music category and a Livestream Online venue option; headed Playwright submitted the June 18, 2026 online Polis Evanston Pilot Orientation and the page returned a staff-review confirmation.", "cost_boundary": "free_public_submission_no_paid_ads_no_paid_lists", "build_done_fit": "conditional_after_real_500_citizen_corpus", "current_submission_status": "submitted_public_form_pending_review", "eligibility_risk": "WDCB staff review is required and publication is not guaranteed; any participants must still opt in through the live intake and later complete 30-day outcome collection.", "next_action": "Monitor for WDCB moderation, publication, or referral response; do not treat the listing itself as E2/E3 evidence.", "why_not_direct_build_done": "A public radio community PSA submission is acquisition support only and cannot satisfy E2/E3 without real opt-in intake rows and 30-day outcome labels." }, { "id": "E2_E3_AROUND_EVANSTON_EVENT_CALENDAR", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://www.aroundevanston.com/submit-event", "https://socialmedia2.com/pilot/orientation/" ], "source_basis": "Around Evanston publishes a public event submission page for local community events; headed Playwright filled the June 18, 2026 online Polis Evanston Pilot Orientation, but the submit endpoint returned captcha validation failed.", "cost_boundary": "free_public_submission_no_paid_ads_no_paid_lists_no_captcha_bypass", "build_done_fit": "conditional_after_real_500_citizen_corpus", "current_submission_status": "not_submitted_recaptcha_validation_failed", "eligibility_risk": "A visible or server-side CAPTCHA requires human validation; do not bypass it or treat the failed submission as outreach.", "next_action": "Retry only if a human can complete the CAPTCHA or Around Evanston provides an alternate no-cost editorial contact path.", "why_not_direct_build_done": "A failed calendar submission is acquisition-state readback only and cannot satisfy E2/E3 without real opt-in intake rows and 30-day outcome labels." }, { "id": "E2_E3_ABC7_CHICAGO_COMMUNITY_CALENDAR", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://abc7chicago.com/community/submitevent/", "https://socialmedia2.com/pilot/orientation/" ], "source_basis": "ABC7 Chicago publishes a Community Calendar event-submission flow through Trumba; headed Playwright filled the public orientation event, and the form readback required a contact phone number before submission.", "cost_boundary": "free_public_submission_no_paid_ads_no_paid_lists_no_fabricated_phone", "build_done_fit": "conditional_after_real_500_citizen_corpus", "current_submission_status": "not_submitted_required_phone_missing", "eligibility_risk": "The form states contact information is kept confidential, but a truthful phone number is still required and was not available in the project source of truth.", "next_action": "Submit only after the owner supplies a truthful project contact phone number or ABC7 provides a no-phone alternate route.", "why_not_direct_build_done": "A held calendar form is acquisition support only and cannot satisfy E2/E3 without real opt-in pilot rows and 30-day outcome labels." }, { "id": "E2_E3_INEVANSTON_EVENT_CALENDAR", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://www.inevanston.com/submit-your-event/", "https://socialmedia2.com/pilot/orientation/" ], "source_basis": "InEvanston publishes a submit-your-event form, but page readback says only events taking place in Evanston will be added and the form requires an Event Address.", "cost_boundary": "free_public_submission_no_paid_ads_no_paid_lists_no_false_location", "build_done_fit": "conditional_after_real_500_citizen_corpus", "current_submission_status": "not_submitted_in_person_evanston_location_required_for_online_orientation", "eligibility_risk": "The current pilot orientation is online; do not invent an in-person Evanston address or submit an online event to a location-required calendar.", "next_action": "Use only if a truthful Evanston in-person orientation venue is scheduled later.", "why_not_direct_build_done": "A location-fit rejection is acquisition-state readback only and cannot satisfy E2/E3 without real opt-in rows and 30-day outcomes." }, { "id": "E2_E3_ENJOY_EVANSTON_EVENT_CALENDAR", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://www.enjoyevanston.com/event-submission-requirements", "https://socialmedia2.com/pilot/orientation/" ], "source_basis": "Enjoy Evanston publishes event-submission requirements, but page readback says all events must take place in Evanston and excludes volunteer recruitment or organization business meetings.", "cost_boundary": "free_public_submission_no_paid_ads_no_paid_lists_no_policy_mismatch", "build_done_fit": "conditional_after_real_500_citizen_corpus", "current_submission_status": "not_submitted_event_type_and_in_person_location_fit_failed", "eligibility_risk": "The current online pilot orientation does not satisfy the stated in-Evanston leisure or cultural event fit.", "next_action": "Use only for a later truthful in-person Evanston public event that satisfies the published event-type requirements.", "why_not_direct_build_done": "A non-fit event directory readback is acquisition-state evidence only and cannot satisfy E2/E3 without real opt-in pilot rows and 30-day outcomes." }, { "id": "E2_E3_PATCH_EVANSTON_CALENDAR", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://patch.com/illinois/evanston/calendar", "https://socialmedia2.com/pilot/orientation/" ], "source_basis": "Patch Evanston exposes a local calendar path, but the visible submit call-to-action was framed as Promote it on Patch with Fast Local Affordable paid-promotion language.", "cost_boundary": "not_used_paid_promotion_framing_no_paid_operations", "build_done_fit": "supporting_only", "current_submission_status": "not_submitted_paid_promotion_framing", "eligibility_risk": "Do not use this route unless a clearly free, no-payment event submission path is verified.", "next_action": "Look for an explicitly free Patch event path or skip the channel under the no-paid-operations rule.", "why_not_direct_build_done": "A paid-promotion-framed source lead is not E2/E3 evidence and cannot replace real opt-in pilot rows and 30-day outcomes." }, { "id": "E2_E3_EVANSTON_ROUNDTABLE_STORY_TIP", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://evanstonroundtable.com/contact-us/", "https://socialmedia2.com/pilot/orientation/", "https://socialmedia2.com/pilot/" ], "source_basis": "Evanston RoundTable contact page publishes story-tip and press-release routing plus a public contact form; headed Playwright submitted a story tip/community announcement for the no-cost Polis Evanston pilot and the page returned Thank you for your response.", "cost_boundary": "free_public_contact_form_no_paid_ads_no_paid_lists", "build_done_fit": "conditional_after_real_500_citizen_corpus", "current_submission_status": "submitted_public_form_pending_editorial_review", "eligibility_risk": "Editorial response and publication are not guaranteed; any participants must still opt in through the live intake and later complete 30-day outcome collection.", "next_action": "Monitor for editorial response, publication, or referral; do not treat the tip itself as E2/E3 build evidence.", "why_not_direct_build_done": "A local-news story-tip submission is acquisition support only and cannot satisfy E2/E3 without real opt-in intake rows and 30-day outcome labels." }, { "id": "E2_E3_EVANSTON_MADE_COMMUNITY_ARTS_CALENDAR", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_acquisition_channel", "source_urls": [ "https://evanstonmade.org/community-calendar/", "https://www.evanstonmade.org/calendar/community/add", "https://socialmedia2.com/pilot/orientation/" ], "source_basis": "Evanston Made exposes a no-login public community event form, but live Playwright readback of the Community Arts Calendar says the service is for art-community art events, not political or religious content, and events should be public, cultural, and in or around Evanston.", "cost_boundary": "free_public_submission_no_paid_ads_no_paid_lists_no_policy_mismatch", "build_done_fit": "conditional_after_real_500_citizen_corpus", "current_submission_status": "not_submitted_art_content_and_cultural_event_fit_failed", "eligibility_risk": "The current Polis online pilot orientation is a civic pilot onboarding event, not an art-community art event; do not invent arts relevance to submit it.", "next_action": "Use only for a later truthful public cultural or art-community Evanston event that directly fits Evanston Made's calendar policy.", "why_not_direct_build_done": "A non-fit arts-calendar readback is acquisition-state evidence only and cannot satisfy E2/E3 without real opt-in pilot rows and 30-day outcomes." }, { "id": "E2_E3_LIVE_PILOT_ACQUISITION", "gate": "E2_E3", "github_issue": 2, "path_type": "real_opt_in_pilot_collection", "source_urls": [ "ops/calibration/socialmedia2.com/collection-surfaces.json", "https://socialmedia2.com/pilot/" ], "source_basis": "Existing Google Forms, email routing, and public pilot page collect real opt-in pilot intake and 30-day outcome evidence without committing respondent data.", "cost_boundary": "no_paid_ads_no_paid_lists_no_unconsented_scraping", "build_done_fit": "conditional_after_real_500_citizen_corpus", "eligibility_risk": "Rows must be real opt-in pilot citizens, privacy-preserving, and joined with 30-day outcomes.", "next_action": "Recruit real participants through no-cost owned channels and assemble evidence only after the response and outcome thresholds are met.", "why_not_direct_build_done": "Collection surfaces exist, but current readback is zero intake responses and zero outcome responses." } ], "synthesized_artifacts": [ { "path": "ops/evidence/socialmedia2.com/external-evidence-outreach.md", "purpose": "No-secret outreach drafts and intake checklist for H2, X4, and E2/E3 evidence acquisition.", "build_done_evidence": false }, { "path": "security/pentest/request-package.json", "purpose": "Existing H2 non-secret request packet for external reviewers.", "build_done_evidence": false }, { "path": "governance/legal_review/request-package.json", "purpose": "Existing X4 non-secret request packet for legal reviewers.", "build_done_evidence": false }, { "path": "ops/calibration/socialmedia2.com/collection-surfaces.json", "purpose": "Existing E2/E3 real-pilot collection surfaces.", "build_done_evidence": false } ], "outbound_queue": "ops/evidence/socialmedia2.com/external-evidence-outbound.json", "local_readiness_commands": [ "scripts/ci/local_ci.sh", "scripts/ci/pentest_attack_surface_check.sh", "scripts/ci/security_txt_check.sh", "scripts/ci/external_evidence_acquisition_check.sh", "scripts/ci/external_evidence_outbound_check.sh", "scripts/ci/current_blocker_audit_check.sh" ] }