
Commit cf1d727

plan(super-domain-rbac-v1): §18 — empirical reality check via MedCare/MedCareV2 inspection
Inspected AdaWorldAPI/MedCareV2 + AdaWorldAPI/MedCare-rs@claude/csharp-handoff-docs-L3DF0 via pygithub REST (token-quote-stripped per cca2a-sprint-prompt-template guardrail). Major findings refine §15-§17 substantially.

Drift bridge already designed and partially scaffolded:
- MedCareV2/MedCare_2.0/LanceProbe/ contains 8 components mapping nearly 1:1 to my spec's DTOs (ParityClient → MetaBridge HTTP, ParityWitness → DriftDetectionBridge + canonicalization, DriftSink → AuditSink async batch, ParityPanel → admin UI, DiagnosisRedactor → FieldRedactionMask).
- M1 complete (scaffolding compiles, throws NotImplementedException); M2-M6 pending Rust-side endpoints D-SDR-35..39.
- Coordination spec at MedCare-rs/docs/CSHARP_HANDOFF_PROMPT.md.

MedCareV2 is overlay-only, NOT reshapeable:
- Per docs/PARITY_TOOL_OVERVIEW.md: copy of MedCare + LanceProbe additions.
- Explicit constraint: "do NOT refactor... the diff must be additions only."
- §16.2 framing of MedCareV2 as "partial rewrite, reshapeable freely" CORRECTED.

CRITICAL crypto correction:
- The "3DES" in Crypt.cs:438-451 is broken security, not just outdated.
- 128-bit truncated key (TripleDESCryptoServiceProvider with CryptDeriveKey yielding 16 bytes instead of 24) = cryptographically equivalent to single DES with 56-bit effective strength (broken since late 1990s).
- Zero IV + ECB-equivalent + non-standard MD5+RC2 KDF + no salt.
- Password source: hardcoded 62-entry Passwort_Crypt[] array (Crypt.cs:285-349); NOT user-input-derived.
- Ciphertext format: [1-char index prefix][base64(encrypted bytes)].
- Migration is NOT 3DES→AES-GCM rewrap; it's Argon2-backfill-on-login per existing MedCare-rs/docs/AUTH_LEGACY_TRIPLEDES_MIGRATION.md plan.

D-SDR-27 scope reduces:
- Only u_pwd column on praxis_mitarbeiter uses the 3DES path; rest of the schema is plaintext (likely no other EncryptMessage call sites).
- Pipeline: carry ciphertext forward as opaque blob; Argon2 backfill happens on first successful user login (separate code path).
- Reduced from ~250 LOC + 4 tests to ~80 LOC + 2 tests.
- Removes the AES-GCM rewrap logic entirely (wrong for actual data shape).

Canonicalization rules concretized:
- §15.2 abstract 12-rule cross-language determinism table replaced by 6 concrete rules from CSHARP_HANDOFF_PROMPT.md lines 93-104: geburtsdatum/p_birth (ISO date), werte (F4 InvariantCulture), pf_delete (bool null/0→false), db_spez (tinyint→bool), u_pwd (byte-equivalent), created_at/d_createdate/updated_at (second-truncated ISO).
- D-SDR-26 test surface drops to 6 named tests.

§17.3 Arrow Flight SQL is aspirational:
- Immediate path is HTTP+JSON over JWT (what LanceProbe already targets).
- Flight SQL convergence is Phase 5+ migration after JSON path is drift-clean.

5 new Rust-side deliverables (D-SDR-35..39) blocking LanceProbe M5/M6:
- D-SDR-35: POST /api/__parity/csharp ingest endpoint
- D-SDR-36: GET /api/__parity dashboard endpoint
- D-SDR-37: _dto_contracts.md stable JSON DTO contracts (blocks M2)
- D-SDR-38: legacy-tripledes-fallback feature flag (blocks M5a)
- D-SDR-39: /api/__parity/telemetry endpoint

Phase sequencing now concrete (replaces §17.2 abstract version):
- Phase 0: M1 done. Phase 1: M2 + D-SDR-31/37. Phase 2: M3+M4 + D-SDR-33.
- Phase 3: M5 + D-SDR-35/36. Phase 3a: M5a + D-SDR-38. Phase 4: M6 + D-SDR-39/30.

Resolved 7 prior open questions; added 3 new ones. INTEGRATION_PLANS.md third correction line appended per APPEND-ONLY governance.
1 parent b1b80cf commit cf1d727

2 files changed

Lines changed: 182 additions & 0 deletions
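The six canonicalization rules the commit message lists for D-SDR-26 (ISO date, F4 InvariantCulture decimal, null/0→false, tinyint→bool, byte-equivalent u_pwd, second-truncated ISO timestamp), carried through as an added Rust example of the parity check they serve. This is not LanceProbe, MedCare-rs or MedCareV2 code: the field-name-to-rule mapping follows the message, while the accepted legacy input spellings (dotted German dates, space-separated timestamps), the fail-closed handling of fields without a rule, the FNV-1a fingerprint and the sample u_pwd value are assumptions for illustration.

```rust
// Added example (not LanceProbe, MedCare-rs or MedCareV2 code): the six §18
// canonicalization rules applied to both sides of a parity comparison before
// fingerprinting. Field names follow the commit message; accepted legacy input
// spellings, fail-closed unknown fields and the FNV-1a fingerprint are assumptions.

pub type Row = Vec<(&'static str, Option<&'static str>)>;

fn digits(s: &str) -> bool { !s.is_empty() && s.bytes().all(|b| b.is_ascii_digit()) }

/// "YYYY-MM-DD" or legacy "DD.MM.YYYY" (assumed spelling) -> "YYYY-MM-DD".
fn iso_date(raw: &str) -> Result<String, String> {
    let s = raw.trim();
    let p: Vec<&str> = if s.contains('-') { s.split('-').collect() } else { s.split('.').rev().collect() };
    if p.len() != 3 || p[0].len() != 4 || !p.iter().all(|x| digits(x)) {
        return Err(format!("unparseable date {s:?}"));
    }
    let num = |x: &str| x.parse::<u32>().map_err(|e| format!("{x:?}: {e}"));
    let (m, d) = (num(p[1])?, num(p[2])?);
    if !(1..=12).contains(&m) || !(1..=31).contains(&d) { return Err(format!("date out of range {s:?}")); }
    Ok(format!("{}-{m:02}-{d:02}", p[0]))
}

/// "YYYY-MM-DD[T ]HH:MM:SS[.frac][Z]" -> "YYYY-MM-DDTHH:MM:SS" (sub-second part dropped).
fn timestamp_seconds(raw: &str) -> Result<String, String> {
    let s = raw.trim().trim_end_matches('Z');
    let bad = || format!("unparseable timestamp {raw:?}");
    if !s.is_ascii() || s.len() < 19 || !matches!(s.as_bytes()[10], b'T' | b' ') { return Err(bad()); }
    let (date, time, frac) = (iso_date(&s[..10])?, &s[11..19], &s[19..]);
    let t = time.as_bytes();
    let ok = t[2] == b':' && t[5] == b':' && [&time[..2], &time[3..5], &time[6..8]].iter().all(|x| digits(x))
        && (frac.is_empty() || (frac.starts_with('.') && digits(&frac[1..])));
    if !ok { return Err(bad()); }
    let (h, m, sec): (u32, u32, u32) = (time[..2].parse().unwrap(), time[3..5].parse().unwrap(), time[6..8].parse().unwrap());
    if h > 23 || m > 59 || sec > 59 { return Err(bad()); }
    Ok(format!("{date}T{time}"))
}

/// Like .NET "F4" under InvariantCulture: four fixed decimals, '.' separator, no grouping.
/// Exact binary ties are where the two runtimes could still differ; pin those in the D-SDR-26 tests.
fn decimal_f4(raw: &str) -> Result<String, String> {
    let v: f64 = raw.trim().parse().map_err(|e| format!("werte {raw:?}: {e}"))?;
    if !v.is_finite() { return Err(format!("werte {raw:?} is not finite")); }
    Ok(format!("{:.4}", if v == 0.0 { 0.0 } else { v })) // folds -0.0 into "0.0000"
}

/// pf_delete: NULL or 0 -> false. db_spez: tinyint, 0 -> false, any other integer -> true, NULL rejected.
fn to_bool(field: &str, raw: Option<&str>, null_is_false: bool) -> Result<String, String> {
    let s = match raw.map(str::trim) {
        None | Some("") if null_is_false => return Ok("false".into()),
        None | Some("") => return Err(format!("{field} is NULL")),
        Some(s) => s,
    };
    match s.to_ascii_lowercase().as_str() {
        "true" => Ok("true".into()),
        "false" => Ok("false".into()),
        n => n.parse::<i64>().map(|v| (if v == 0 { "false" } else { "true" }).to_string())
              .map_err(|e| format!("{field} {s:?}: {e}")),
    }
}

/// Canonical text for one field, dispatched by column name as in the §18 rule list.
pub fn canonicalize(field: &str, raw: Option<&str>) -> Result<String, String> {
    let val = || raw.ok_or_else(|| format!("{field} is NULL"));
    match field {
        "geburtsdatum" | "p_birth" => iso_date(val()?),
        "werte" => decimal_f4(val()?),                 // F4 InvariantCulture
        "pf_delete" => to_bool(field, raw, true),      // NULL/0 -> false
        "db_spez" => to_bool(field, raw, false),       // tinyint -> bool
        "u_pwd" => Ok(val()?.to_string()),             // byte-equivalent: no trim, no re-encoding
        "created_at" | "d_createdate" | "updated_at" => timestamp_seconds(val()?),
        // fail closed: an undocumented column surfaces as an error, not as a silent raw compare
        other => Err(format!("no canonicalization rule for {other:?}")),
    }
}

/// Canonical row text, "field=value" per line in field-name order, so column order cannot cause drift.
pub fn canonical_row(row: &[(&str, Option<&str>)]) -> Result<String, String> {
    let mut lines = row.iter().map(|(f, v)| canonicalize(f, *v).map(|c| format!("{f}={c}")))
        .collect::<Result<Vec<String>, String>>()?;
    lines.sort();
    Ok(lines.join("\n"))
}

/// FNV-1a 64 over the canonical text (assumed stand-in for the bridge's own fingerprint).
pub fn fingerprint(canonical: &str) -> u64 {
    canonical.bytes().fold(0xcbf2_9ce4_8422_2325u64, |h, b| (h ^ u64::from(b)).wrapping_mul(0x0100_0000_01b3))
}

/// Field names whose canonical values differ between the two sides (empty = parity).
pub fn drift(lhs: &[(&str, Option<&str>)], rhs: &[(&str, Option<&str>)]) -> Result<Vec<String>, String> {
    let mut out = Vec::new();
    for (f, lv) in lhs {
        let rv = rhs.iter().find(|(g, _)| g == f).map(|(_, v)| *v).ok_or_else(|| format!("{f} missing on rhs"))?;
        if canonicalize(f, *lv)? != canonicalize(f, rv)? { out.push(f.to_string()); }
    }
    Ok(out)
}

/// Constructed sample: one record as the C# side and the Rust side would emit it, differing
/// only in surface formatting (the u_pwd value is made up, in the [prefix][base64] shape).
pub fn sample_rows() -> (Row, Row) {
    let csharp = vec![("geburtsdatum", Some("13.05.1980")), ("werte", Some("3.5")), ("pf_delete", None),
        ("db_spez", Some("1")), ("u_pwd", Some("7bG9zNzQyLTEyMw==")), ("created_at", Some("2026-05-13T10:11:12.345Z"))];
    let rust = vec![("geburtsdatum", Some("1980-05-13")), ("werte", Some("3.50000")), ("pf_delete", Some("0")),
        ("db_spez", Some("1")), ("u_pwd", Some("7bG9zNzQyLTEyMw==")), ("created_at", Some("2026-05-13 10:11:12"))];
    (csharp, rust)
}

fn main() {
    let (c, r) = sample_rows();
    println!("drift: {:?}", drift(&c, &r));
}
```

Both sides of `sample_rows` carry the same record in different surface spellings and fingerprint identically once canonicalized; change a single `werte` digit on one side and `drift` names that field. The unknown-column arm fails closed on purpose: with only six fields on the D-SDR-26 surface, any other column reaching the comparison is a contract gap to be reported, not something to compare raw.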

.claude/board/INTEGRATION_PLANS.md

Lines changed: 2 additions & 0 deletions
@@ -49,6 +49,8 @@
4949

5050
**Correction (2026-05-13):** §13 refinements added (same session). (a) Enforcement composes onto shipped `lance-graph-callcenter::policy::PolicyRewriter` chain + `PolicyKind` taxonomy (RowFilter/ColumnMask/RowEncryption/DifferentialPrivacy/Audit) rather than introducing parallel path — ~30% Tier A LOC reduction. (b) Cross-tenant federation upgraded to A+B+C all accepted; Option C (`EncryptedViewAggregate`) viable now via LanceDB transparent encrypted views, not 2027+ R&D. (c) Audit chain integrity built-in via `MerkleRoot::from_fingerprint` + `ClamPath` from `graph/spo/merkle.rs` (the merkle/DN-path mixing already shipped). (d) Hard-lock requirement formalized: Healthcare ↔ OSINT (and 3 other pairs) get 3 layers of defense — predicate + per-super-domain merkle salt + super-domain-scoped HKDF key derivation. (e) `researcher` role hardened to anonymized-projection-only with k-anonymity floor + DP noise injection on aggregates. New deliverables D-SDR-13..17 added. Open questions on audit format + cross-tenant federation RESOLVED; new open questions on hard-lock partner matrix + per-super-domain DP epsilon + merkle salt rotation cadence.
5151

52+
**Correction (2026-05-13, third commit):** §18 empirical reality check added after pygithub REST inspection of `AdaWorldAPI/MedCareV2` + `AdaWorldAPI/MedCare-rs@claude/csharp-handoff-docs-L3DF0`. Major findings: (a) The §15-§17 drift bridge concept is already designed and partially scaffolded as `MedCareV2/MedCare_2.0/LanceProbe/` (M1 complete; M2-M6 pending Rust-side endpoints). 8 LanceProbe components (ParityClient/ParityWitness/DriftSink/etc.) map nearly 1:1 to the spec's DTOs. (b) MedCareV2 is overlay-only (copy of MedCare + LanceProbe additions) — cannot be reshaped freely as I assumed; "do NOT refactor" is the explicit constraint. (c) CRITICAL crypto correction: the "3DES" in MedCare's `Crypt.cs:438-451` uses 128-bit truncated key + zero IV + ECB-equivalent + non-standard MD5+RC2 KDF + 62-entry hardcoded password array — cryptographically equivalent to single DES (broken). The migration is NOT 3DES→AES-GCM rewrap; it's Argon2-backfill-on-login per existing `MedCare-rs/docs/AUTH_LEGACY_TRIPLEDES_MIGRATION.md` plan. (d) Only the `u_pwd` column on `praxis_mitarbeiter` uses the 3DES path; rest of the schema is plaintext. D-SDR-27 scope reduces from "decrypt-rewrap pipeline" to "carry ciphertext forward, Argon2-backfill on first login." (e) §15.2 abstract 12-rule determinism table replaced by 6 concrete canonicalization rules from `CSHARP_HANDOFF_PROMPT.md` lines 93-104 (date / decimal / bool / soft-delete / pwd / timestamp). (f) §17.3 Arrow Flight SQL convergence is aspirational end-state; immediate path is HTTP+JSON over JWT (what LanceProbe already targets); Flight SQL is Phase 5+ migration. (g) New deliverables D-SDR-35..39 for medcare-rs side: parity ingest endpoint, dashboard, DTO contracts doc, TripleDES fallback feature flag, telemetry endpoint. M5 is blocked until these land. Resolved 7 prior open questions (audit format, federation, DEK rotation, hard-lock matrix scope, DP epsilon, MedCareV2 reshape, 3DES inventory). 
3 new open questions: other columns calling EncryptMessage in MySQL_Connect.cs, DTO contracts for 40+ planned routes, AUTH_LEGACY_TRIPLEDES_MIGRATION.md DRAFT-to-Active blockers.
53+
5254
**Correction (2026-05-13, second commit):** §14-§17 refinements added (same session). (§14) Meta-bridge extracted from shipped medcare_bridge.rs + sharepoint_bridge.rs harvest, not designed clean-room. New bridges hubspot_bridge.rs + hiro_bridge.rs added as templates; woa_bridge.rs retrofit. Tier F (D-SDR-18..20, 23) + Tier G (D-SDR-21..22) deliverables. (§15) Drift detection initially framed as production parallelbetrieb infrastructure with 12 cross-language determinism rules — substantially refined by §16+§17. (§16) Pre-prod posture corrected per user clarification: nothing in production yet, single 3DES cipher (not 3-cipher chain), one-shot import tool not persistent infrastructure. Zone 3 boundary placement collapses determinism rules from 12 to ~3 (decimal + timestamp + FP aggregate). MerkleRoot-cleartext-beside-ciphertext insight: drift bridge compares without ever decrypting in steady-state production, so encryption uses random nonces (no need for AES-GCM-SIV). MedCare MySQL Struktur reality check (104 tables, all VARCHAR/TEXT/DATETIME, app-layer 3DES not at-rest, schema is purely clinical with billing/tickets in separate WoA/Hiro databases). New deliverables D-SDR-27..30. (§17) Convergence on LanceDB+DataFusion SQL as unified persistence; both Rust (in-process) and C# (Arrow Flight SQL gRPC) clients hit the same DataFusion logical plan layer. Custom Protobuf IDL (D-SDR-20) SUPERSEDED by Arrow Flight SQL — Substrait extension types for OwlIdentity/MerkleRoot/SuperDomain. Drift bridge bounded to Phase 2-3 cutover window, then retires to CI gate. New deliverables D-SDR-31..34. Dropped scope: MySQLAdapterBridge (D-SDR-24), persistent production drift infra, multi-trustee key escrow, C-ABI FFI option, custom Protobuf IDL. §18 deferred pending MCP scope expansion to AdaWorldAPI/MedCare + AdaWorldAPI/MedCareV2 for 3DES column inventory + transcoded shape grep.
5355

5456
---
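Review bot: the crypto severity claim in added line 52 needs one more fact before it can stand as written: a 16-byte TripleDES key (the "128-bit truncated key") is two-key 3DES with K1, K2, K1, which is equivalent to single DES only when the two 8-byte halves coincide (EDE with K1 = K2 is a single DES encryption under K1); with distinct halves the keyspace is 112 bits and NIST rates it at roughly 80 bits of security, weak but not 56-bit. State which case the CryptDeriveKey output in Crypt.cs:438-451 produces, since the D-SDR-38 fallback flag and the "broken" framing both rest on it; the conclusion that the ciphertext is carried forward and replaced by Argon2 backfill on login rather than decrypted and re-wrapped holds in either case. Minor: (d) says flatly "rest of the schema is plaintext" while the new open question on the same line still asks which other columns in MySQL_Connect.cs call EncryptMessage; qualify (d) as "per current inventory" until that question is closed.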
