Safety & Regulation
Citetome governance posture
Citetome runs on a multi-tenant knowledge graph with human approval gates. This page documents the enforced safety properties of the codebase. Every policy below is backed by code in the open-source router, not marketing copy. If the policy drifts from the code, the page is updated in the same change.
pact version: 2026-04-22-v1. sha256: 18bcbbd36f57fc9c...
Enforced policies
- Human-in-the-loop approval queue
No write to any member CMS happens without a pending ApprovalQueueItem row and an explicit approve decision.
- Entity-gated cross-linking
Cross-link proposals require a shared entity or a one-hop EntityRelation between the two sites. No shared entity, no proposal.
- FTC 16 CFR Part 255 scan
Detected articles with affiliate signals are scanned for a disclosure phrase. Gaps are surfaced to the member, not fixed silently.
- GDPR right-to-be-forgotten
A valid DELETE /governance/forget request tombstones EntityReference, GovernancePact, and signer fields within 30 days. The audit trail is preserved with hashed identifiers.
- Member takedown
POST /governance/pact/revoke honours removal within 72 hours. Entity references are tombstoned; the public @id URI returns 410 Gone.
- SSRF-safe fetch
Every outbound fetch (detect, compliance-run, indexnow) rejects private-IP targets and caps redirects. See app.services.safe_fetch.
- API key gate
All mutations require the X-Loomgraph-Key header, checked with hmac.compare_digest. Read endpoints are public. When the key is unset, mutations fail closed with 503.
- Immutable audit log
Every mutation writes an AuditLog row. Rows are append-only; GDPR forgets tombstone the subject fields and never delete the row.
- AI crawler policy
GPTBot, ClaudeBot, PerplexityBot, Google-Extended, and CCBot are allowed on /kg/* and /llms.txt. Non-public paths are disallowed.
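The SSRF-safe fetch policy above, as an added illustration that is not the project's app.services.safe_fetch: the names check_target and safe_fetch, the injectable resolver and the three-hop redirect cap are assumptions. It resolves the host, refuses any address that is not globally routable (loopback, RFC 1918, link-local, CGNAT), and follows redirects by hand so every hop is re-checked before it is fetched.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Added illustration, not app.services.safe_fetch itself: the function names
# and the redirect cap are assumptions about what such a helper looks like.
MAX_REDIRECTS = 3
REDIRECT_CODES = {301, 302, 303, 307, 308}


class UnsafeTarget(ValueError):
    """Raised when a fetch would reach a non-public address or misbehave."""


def resolve(host):
    """Default resolver: every address the host resolves to (needs network)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_target(url, resolver=resolve):
    """Allow only http(s) to hosts whose *every* address is globally routable,
    so a name with one public and one private record is still refused."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeTarget(f"unsupported URL: {url!r}")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise UnsafeTarget(f"unresolvable host: {parts.hostname}")
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id
        if not ip.is_global:  # loopback, RFC 1918, link-local, CGNAT, ...
            raise UnsafeTarget(f"{parts.hostname} resolves to {ip}")
    return parts.hostname


def safe_fetch(url, send, resolver=resolve, max_redirects=MAX_REDIRECTS):
    """Fetch with redirects followed by hand so every hop is re-validated.
    `send(url)` is the raw HTTP call and must not follow redirects itself;
    it returns (status, headers, body)."""
    for _ in range(max_redirects + 1):
        check_target(url, resolver)
        status, headers, body = send(url)
        if status not in REDIRECT_CODES:
            return status, body
        location = headers.get("Location")
        if not location:
            raise UnsafeTarget(f"{status} without Location from {url}")
        url = urljoin(url, location)  # relative Location -> absolute
    raise UnsafeTarget(f"redirect chain longer than {max_redirects} hops")
```

Because the check runs on the resolved addresses rather than the hostname string, a public name that redirects to, or resolves to, an internal address is refused at that hop instead of being fetched.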
Member operations
- Sign the pact - POST /governance/pact/sign (API key required). Pact text at /governance/pact.
- Revoke - POST /governance/pact/revoke honours takedown within 72 hours.
- Right to erasure - DELETE /governance/forget/{site_id} tombstones the subject fields within 30 days; the audit trail is preserved with hashed identifiers.
- Audit log window - GET /governance/audit-log paginates the immutable trail.