Skip to main content

Portfolio Write Policy

Portfolio assets are creative proof objects. They carry source lineage, owner tenant, artist attribution, rights posture, consent posture, review state, and distribution eligibility before they can power public products.
Review-gated surface: this workflow can stage evidence and prepare review records, but it cannot publish, promote, or write approved portfolio data without TattooAPI policy checks and human approval.

Default Rule

Public portfolio projections are read-only by default. Writes are allowed only through governed TattooAPI routes after identity, ownership, review, rights, consent, and distribution checks pass.

Actor Model

The artist remains the owner of the portfolio work. Studio affiliation does not transfer artist ownership.

Required Checks

Before any approved portfolio write, TattooAPI must verify:
  • actor identity
  • reviewed identity evidence and owner mapping
  • artist ownership
  • delegated studio authorization, when applicable
  • rights posture
  • consent posture
  • source lineage
  • review status
  • target distribution eligibility
  • audit trail

Delegated Studio Actions

Studio owners and managers can help operate portfolio surfaces, but delegated actions must preserve authorship:
  • artist owner remains attached to the asset
  • acting studio/user is audited separately
  • request source is preserved
  • distribution target is explicit
  • approval path is visible

Blocked Paths

Private workers cannot write directly to approved portfolio storage, mutate canonical runtime tables, activate public surfaces, change identity mappings, or publish inbound media. They return classification and review evidence to TattooAPI.
Also blocked:
  • communications-provider-to-approved-storage direct writes
  • raw inbound media appearing on public sites
  • public writes from unverified actors
  • identity mapping from display name or phone alone
  • runtime canonical promotion from a text-message event
  • approved storage as the permission boundary
Approved portfolio storage is the destination after review. TattooAPI is the policy boundary. Identity evidence is not legal KYC. Phone, Instagram, and tattoo.co profile evidence can support operator review, but no single field automatically creates an artist or grants write authority.