Skip to main content

Portfolio Intake Workflow

Portfolio intake turns artist conversations and media into review-ready evidence. It does not turn text messages into public portfolio updates automatically. The workflow keeps private media staging separate from governed upload completion and human review.

Flow

What Each System Does

SystemJobAuthority
Communications bufferInbox contextEvidence source only
TattooAPIPolicy, auth, review, identity evidence, projection, and write boundaryGoverning authority
Private media stagingPrivate temporary media stagingEvidence storage only
Upload integrity completionVerify private object bytes, size, image signature, MIME metadata, and server-side SHA-256 before reviewStaging state transition only
Private workersOutbound private compute for classification and context loadingReview evidence only
Approved portfolio storageApproved portfolio/media lakeStorage after review
TattooAPI runtimeRuntime mappings and canonical promotion stateRuntime truth after approval
ObservabilityMetadata-first observabilityTrace only, not write authority

Identity Evidence, Not KYC

TattooAPI v0 uses identity evidence to help reviewers connect inbound media to artists or studios. It is not legal KYC.
StatusMeaning
unmatchedNo reliable contact or profile evidence matched.
phone_matchedA normalized phone hash or contact record matched existing evidence.
review_requiredEvidence is incomplete, ambiguous, or conflicting.
verified_by_operatorA human operator approved the evidence for this workflow.
Do not claim kyc_verified in v0. Legal identity verification would require a separate approved provider and policy.

Launch Caveat

Communications API access and TattooAPI readiness do not equal SMS/MMS launch readiness. A2P approval remains required before artist-facing SMS/MMS intake is production-ready.

Worker Boundary

Private workers authenticate portfolio creation and upload completion with a WorkOS organization API key in X-API-Key. The operator-context capability-claims route uses a separate short-lived WorkOS client-credentials Bearer token. These credentials are not interchangeable. Workers can request context and return evidence, but they cannot:
  • write directly to approved portfolio storage
  • mutate runtime records directly
  • publish public surfaces
  • send messages without approval
  • store raw phone numbers, media URLs, provider tokens, or API keys in traces
Use Portfolio Intake for the staging envelope and classification contract.

Permanent Integration

Permanent uses a dedicated Production WorkOS organization API key with exactly artists:read and portfolio_intake:stage for artist evidence reads, portfolio submission creation, and bodyless upload completion. TattooAPI maps the non-secret key ID to an approved service actor in Convex. The service mapping carries portfolio_intake:stage_cross_tenant for governed artist identity resolution and staging across approved tenants. That internal TattooAPI capability is not a WorkOS key permission. Permanent cannot approve its own submission, promote canonical runtime truth, call Sanity directly, or publish a public surface. Upload completion itself can only move verified media from awaiting_upload to awaiting_review; it cannot approve, resolve or reassign an artist, call Sanity, activate a public surface, or promote canonical runtime state. Unresolved attribution stays review-required and fail-closed with portfolioStagingAllowed=false. Identity resolution requests use the separate POST /api/private/portfolio-intake/v1/artist-resolution-requests review lane; upload completion adds no artist-resolution route.