Operator Duties
The operator covenant. By generating an operator key (pluck bureau keys generate) and publishing to a Bureau program, you accept these duties. This document is not yet legally binding, but operators acting in good faith should already follow it.
The canonical copy lives at pluck/OPERATOR_DUTIES.md.
What "operator" means
You are the human or organization who:
- Holds a private signing key written by pluck bureau keys generate.
- Publishes signed Bureau artifacts (dossiers, quorum votes, probe-packs) to public Sigstore Rekor or any private Rekor instance.
- Operates a Bureau program daemon (Dragnet, Tripwire, etc.) against a target AI vendor.
The Permanent-Public-Log rule
Anything you notarize lands on Sigstore Rekor permanently. The Linux Foundation's Rekor does not honor erasure. There is no remediation path for accidentally-notarized PII.
You MUST redact personal data before notarizing:
- Names, emails, phone numbers, government IDs, addresses, financial data
- Photos, faces, biometric identifiers
- Health-related information (PHI)
- Anything covered by a non-disclosure agreement, attorney-client privilege, or whistleblower-source protection
If the redaction toolkit ships with the program, you MUST run it before invoking notarize. If no redaction toolkit exists yet, you MUST NOT notarize cassettes that contain personal data. The cross-program scrub is redactBureauPayload in @sizls/pluck-bureau-core – see Bureau Foundations.
Probe-pack supply-chain
When running a probe-pack downloaded from Nuclei or any other source:
- Verify the pack signature against an author public key you obtained out-of-band from the registry. Do NOT verify against a key the registry served alongside the pack – that's TOFU and grants the registry total trust.
- Inspect the probe bodies before running. body: unknown accepts any payload; an attacker-authored probe could include canary documents, fake credentials, or vendor-side honeypots that compromise YOUR identity.
- Do not run packs whose authorFingerprint does not match a key you have personally vetted.
This is where SBOM-AI's roster + the Nuclei registry's trustTier distinction matters – see SBOM-AI and Nuclei → Trust model.
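The difference between verifying against a pinned key and against a key served with the pack, as an added example that is not Pluck's own code. The pack layout ({ authorFingerprint, payload, signature, publicKey }), the Ed25519 signatures, and the SHA-256-over-SPKI fingerprint are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed fingerprint scheme: hex SHA-256 of the DER-encoded SPKI public key.
function fingerprint(publicKey) {
  return crypto.createHash('sha256')
    .update(publicKey.export({ type: 'spki', format: 'der' }))
    .digest('hex');
}

// Builds a pack in the hypothetical layout used by this example.
function signPack(payload, privateKey, claimedFingerprint, shippedKey) {
  return {
    authorFingerprint: claimedFingerprint,
    payload,
    signature: crypto.sign(null, Buffer.from(payload), privateKey).toString('base64'),
    publicKey: shippedKey.export({ type: 'spki', format: 'pem' }),
  };
}

// TOFU: trusts whatever key arrived with the pack. Shown only for contrast.
function verifyTofu(pack) {
  const served = crypto.createPublicKey(pack.publicKey);
  return crypto.verify(null, Buffer.from(pack.payload), served,
    Buffer.from(pack.signature, 'base64'));
}

// Pinned: only keys in vettedKeys (fingerprint -> KeyObject) are ever used;
// pack.publicKey is never read.
function verifyPinned(pack, vettedKeys) {
  const pinned = vettedKeys.get(pack.authorFingerprint);
  if (!pinned) return { ok: false, reason: 'author-not-vetted' };
  const ok = crypto.verify(null, Buffer.from(pack.payload), pinned,
    Buffer.from(pack.signature, 'base64'));
  return ok ? { ok: true } : { ok: false, reason: 'bad-signature' };
}

// Constructed sample data: one vetted author and one key the operator never vetted.
const author = crypto.generateKeyPairSync('ed25519');
const other = crypto.generateKeyPairSync('ed25519');
const vettedKeys = new Map([[fingerprint(author.publicKey), author.publicKey]]);
const payload = JSON.stringify([{ id: 'probe-1', body: 'constructed sample' }]);
const authorFp = fingerprint(author.publicKey);

const genuine = signPack(payload, author.privateKey, authorFp, author.publicKey);
// Claims the vetted author's fingerprint but is signed by, and ships, another key.
const swapped = signPack(payload, other.privateKey, authorFp, other.publicKey);

console.log(verifyTofu(swapped), verifyPinned(swapped, vettedKeys), verifyPinned(genuine, vettedKeys));
```

The swapped pack passes the TOFU check because the key that validates it came from the same place as the pack; the pinned check rejects it because the signature is tested only against the key the operator already held.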
Quorum participation
When acting as a quorum-node operator:
- Generate a fresh key for each Bureau identity. Do not reuse keys across personal/professional/anonymous identities.
- Never sign a vote unless you have independently re-run the underlying Bureau verification yourself. A signature is your professional reputation, not a rubber stamp.
- Rotate your key (via Rotate) at least annually or immediately after any compromise indicator.
- Tag your identity with a jurisdiction so cross-border operators can apply the appropriate transfer controls.
Whistleblower-source protection
If you are publishing on behalf of a journalistic or whistleblower source via the Whistle program:
- Use a fresh anonymous signing key. Do not link it to your existing identity.
- Run the Whistle redaction toolkit and review its output BEFORE notarizing.
- Use Tor or a similar anonymizing transport for the submission.
- Understand that anonymity is best-effort, not absolute. Adversarial stylometric analysis or a future legal subpoena against Pluck infrastructure could de-anonymize a source if the source's content is distinctive.
Whistle's anonymity caveats are reproduced on the program page – read both before publishing.
Court-evidence (Custody) operators
If you are publishing court-admissible evidence via the Custody program:
- Use WebAuthn-bound signing (when shipped). Disk-only signing keys do not survive Federal Rules of Evidence 902(13) self-authentication challenges. Alpha bundles emit fre902Compliant: false until WebAuthn binding lands.
- Capture the full chain-of-custody envelope – collector identity, collection environment, hashes at every handoff.
- Do not attempt to use Custody for sources that you obtained unlawfully – Computer Fraud and Abuse Act / Computer Misuse Act exposure is not eliminated by attestation.
Compromise response
If you suspect your private key has been compromised:
1. Reach for the kill-switch first
The Bureau ships a sentinel-based pause for every long-running daemon:
pluck bureau pause # halt every Bureau daemon
pluck bureau pause --program=dragnet # halt one program
pluck bureau resume # remove the sentinel after recovery
Pause halts every daemon at the next poll tick (default 5 s; configurable via pausePollMs). For sub-second containment, prefer system.shutdown(). See Bureau Foundations → kill-switch.
2. Freeze
Publish a fast KeyFreeze/v1 via the Rotate program. ANY identity with the quorum-node role can freeze; the freeze closes the race window between detection and the slower revocation publish.
3. Revoke
Publish KeyRevocation/v1 via Rotate. Verifiers consult the compromise ledger BEFORE trusting any historical signature from the revoked fingerprint.
4. Generate a new key
pluck bureau keys generate --out ./keys-new
Notify any quorum nodes / bureau peers that have your old fingerprint registered.
5. Re-witness
Walk every prior Rekor uuid signed by the compromised key and emit ReWitnessReport/v1 annotations classifying the windows (before-freeze / during-freeze / during-revoke / after-replacement).
6. Note that Rekor entries signed by the compromised key remain valid + public
Revocation invalidates trust, not data. The cryptographic record does not crypto-shred. This is a feature of public-Merkle-tree integrity, not a bug – see Rotate → Trust invalidation, NOT crypto-shred.
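A sketch of the re-witness pass in step 5, as an added example that is not Pluck's own code. The window names are the runbook's; the boundaries between windows, the ledger fields (frozenAt, revokedAt, replacedAt), and the annotation shape are assumptions, since the ReWitnessReport/v1 schema is not shown here. Entries are classified by Rekor's integratedTime, which the log assigns, rather than by any time the signer claims.

```javascript
// Times are Unix seconds, matching Rekor's log-assigned integratedTime field.
// A ledger with no revocation or replacement yet leaves later windows open-ended.
function classifyWindow(integratedTime, ledger) {
  if (!Number.isInteger(integratedTime)) return 'unclassifiable';
  const { frozenAt = null, revokedAt = null, replacedAt = null } = ledger;
  if (frozenAt === null || integratedTime < frozenAt) return 'before-freeze';
  if (revokedAt === null || integratedTime < revokedAt) return 'during-freeze';
  if (replacedAt === null || integratedTime < replacedAt) return 'during-revoke';
  return 'after-replacement';
}

// Hypothetical annotation shape: one record per entry signed by the compromised key.
function reWitness(entries, ledger) {
  return entries
    .filter((e) => e.fingerprint === ledger.fingerprint)
    .map((e) => ({
      uuid: e.uuid,
      integratedTime: e.integratedTime,
      window: classifyWindow(e.integratedTime, ledger),
    }))
    .sort((a, b) => (a.integratedTime ?? Infinity) - (b.integratedTime ?? Infinity));
}

// Constructed sample data: placeholder uuids and fingerprints, not real Rekor entries.
const ledger = {
  fingerprint: 'fp-compromised',
  frozenAt: 1700000600,
  revokedAt: 1700004200,
  replacedAt: 1700007800,
};
const entries = [
  { uuid: 'uuid-e', fingerprint: 'fp-compromised', integratedTime: 1700009000 },
  { uuid: 'uuid-a', fingerprint: 'fp-compromised', integratedTime: 1700000000 },
  { uuid: 'uuid-x', fingerprint: 'fp-unrelated', integratedTime: 1700003000 },
  { uuid: 'uuid-b', fingerprint: 'fp-compromised', integratedTime: 1700000600 },
  { uuid: 'uuid-c', fingerprint: 'fp-compromised', integratedTime: 1700003000 },
  { uuid: 'uuid-d', fingerprint: 'fp-compromised', integratedTime: 1700005000 },
  { uuid: 'uuid-f', fingerprint: 'fp-compromised' }, // no log time: flag for manual review
];

const report = reWitness(entries, ledger);
console.log(report);
```

The window is a classification, not a trust verdict: an entry in the before-freeze window may still postdate the actual compromise if detection was late.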
For the full Bureau threat model – including identity binding, probe-pack supply-chain, Sybil defense, Mole Rekor-clock gate, Oath retraction protocol, and operator-key risk – see Threat Model.
Disclaimer
Pluck Bureau ships the math; it does not ship judgment. Every accusation you publish carries your professional reputation and potential legal liability. If you would not stand behind the claim in public – do not sign it.
This covenant is tracked at pluck/OPERATOR_DUTIES.md.
See also
- Bureau Overview – the eleven programs.
- Threat Model – Bureau-class attacks.
- Bureau Foundations – primitives + key ceremony + kill-switch.
- Rotate – full compromise-response runbook.