Data inventory & consent
What Cerevisor knows about you, classified by data type, and the consent system that gates any future egress.
Cerevisor maintains a structured inventory of every memory record it stores, what type of data it is, where it came from, and what you've consented to do with it.

Important: in v1.0.x, every consent flag for egress defaults to false and there are zero outbound network paths from the memory subsystem. The inventory exists because future versions will add opt-in egress for things like personal-aggregate sharing or a user-data marketplace, and we wanted the consent contract on day one, not retrofitted later.

The Inventory tab

Open the Memory view → Inventory tab. You see:

- A summary count by data class.
- Per-record metadata: what it is, where it came from, when it was created, what its consent scope is.
- A search box to find a specific record.

Click any record to expand its details, including its current content and its provenance (which workflow run, which agent, which skill produced it).

Data classification

Every record is classified into one of four data classes:

| Class | What it covers |
| --- | --- |
| identity | Information about you that identifies you (your role, name, communication preferences). |
| behaviour-aggregate | Patterns of how you use Cerevisor (which roles you use most, which models, which skills). |
| content | Specific content the harness produced or you authored. |
| derived-insight | The harness's observations and self-portrait — synthesis layered on top of the other classes. |

Classification happens at write time, never at export time. New write sites in the codebase pin a dataClass explicitly.

Third-party PII flag

Each record also carries a flag:

| containsThirdPartyPii | Meaning |
| --- | --- |
| unknown | Not yet checked. The default. |
| confirmed-no | A scan ran and didn't find third-party PII. |
| flagged-yes | A scan flagged this record as potentially containing someone else's personal data. |

The PII detection capability is a Phase 1 plan; currently every record is unknown until manually flagged.
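A sketch of the write-time rules described above (class pinned at the write site, PII flag starting at `unknown`, summary count by class), as an added example that is not Cerevisor's own code. The type and function names, the rejection of unclassified writes, and the reading of `unknown` as "not cleared" are assumptions made for illustration.

```typescript
// Added illustration: all type and function names are hypothetical.
const DATA_CLASSES = ["identity", "behaviour-aggregate", "content", "derived-insight"] as const;
type DataClass = (typeof DATA_CLASSES)[number];
type PiiFlag = "unknown" | "confirmed-no" | "flagged-yes";
interface Provenance { workflowRun: string; agent: string; skill: string }
interface MemoryRecord {
  id: string;
  dataClass: DataClass;
  containsThirdPartyPii: PiiFlag;
  provenance: Provenance;
  createdAt: string;
  content: string;
}
// dataClass is typed unknown because write sites may pass unvalidated data.
interface WriteInput { dataClass?: unknown; provenance: Provenance; content: string }

function isDataClass(value: unknown): value is DataClass {
  return typeof value === "string" && (DATA_CLASSES as readonly string[]).indexOf(value) !== -1;
}

// Write path: the caller must pin a valid class; there is no fallback class.
// The PII flag always starts at "unknown" because no scan has run yet.
function writeRecord(store: MemoryRecord[], input: WriteInput): MemoryRecord {
  const dataClass = input.dataClass;
  if (!isDataClass(dataClass)) {
    throw new Error("write rejected: dataClass not pinned (" + String(dataClass) + ")");
  }
  const record: MemoryRecord = {
    id: "rec-" + (store.length + 1),
    dataClass,
    containsThirdPartyPii: "unknown",
    provenance: input.provenance,
    createdAt: new Date().toISOString(),
    content: input.content,
  };
  store.push(record);
  return record;
}

// Manual flagging, the only way a record leaves "unknown" before a scanner exists.
function flagThirdPartyPii(record: MemoryRecord): void {
  record.containsThirdPartyPii = "flagged-yes";
}

// Inventory summary: count per class, with zero rows kept so gaps are visible.
function summarizeByClass(store: MemoryRecord[]): Record<DataClass, number> {
  const counts = { identity: 0, "behaviour-aggregate": 0, content: 0, "derived-insight": 0 };
  for (const r of store) counts[r.dataClass] += 1;
  return counts;
}

// Fail-closed reading of the flag: "unknown" is not treated as "no PII".
function notClearedOfPii(store: MemoryRecord[]): MemoryRecord[] {
  return store.filter((r) => r.containsThirdPartyPii !== "confirmed-no");
}
```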
Consent scope

Each record's consentScope declares the maximum egress this record can ever participate in:

| Scope | Meaning |
| --- | --- |
| personal-only | Never leaves this device. The default for every record. |
| aggregate-shareable | Eligible for inclusion in differentially-private aggregate sharing (Phase 2 feature; not active in v1). |
| marketplace-listable | Eligible for inclusion in a marketplace bundle the user creates (Phase 3 feature; not active in v1). |

You can change a record's consent scope from the Inventory tab. The change is logged.

Egress flags

The Consent tab (Memory view → Consent) shows the system-wide egress flags:

| Flag | Default | What it would enable |
| --- | --- | --- |
| aggregateMetricsToCerevisor | off | Send aggregate metrics about your usage to Cerevisor for analytics. Not active. |
| marketplaceParticipation | off | Opt into the future user-data marketplace. Not active. |
| aiTrainingDonation | off | Allow your data (after PII scrubbing) to contribute to AI training datasets. Not active. |
| piiDetection | off | Run local PII detection (no egress; this just scans). Not active. |
| derivedInsightGeneration | on | Mirror of the meta-cognition enrichment flag. |

Every change to t