Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 13 additions & 11 deletions .agent-loop/LOOP_STATE.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,20 +4,22 @@

- Active initiative: `WS-AUTH-001` - Workstream Authorization Service
- Active planning chunk: none
- Active implementation chunk: none
- Branch: `codex/ws-auth-001-04a-post-merge-memory`
- Worktree: `/home/abiorh/flow/workstream-authorization-service`
- Status: AUTH-04A merged through PR #111 as `90c9a28` after Backend, Agent
Gates, CodeRabbit, required internal review, and explicit human approval
passed.
- Active implementation chunk: `WS-AUTH-001-04B` - PostgreSQL Rate Controls
- Branch: `codex/ws-auth-001-04b-postgres-rate-controls`
- Worktree: `/home/abiorh/flow/workstream-auth-001-04b`
- Status: AUTH-04B implementation and all required internal review tracks pass
final implementation SHA `922778b`; reviewed production SHA is `67484b5`.
Ready PR #113 is open.
- Prior `WS-AUTH-001-01` reviewed implementation SHA: `be0b836`
- Prior `WS-AUTH-001-01` final merged branch head: `b5217e1`
- Latest integrated `main` merge commit: `90c9a28`
- Current gate: publish and merge the AUTH-04A post-merge memory update, then
stop.
- Latest integrated `main` merge commit: `7749f54`
- Current gate: GitHub checks, CodeRabbit, and explicit human review on PR #113.
- Size checkpoint: implementation is 480 changed non-comment production lines;
the required 350-line inspection passed and the 500-line hard stop holds.
- Next chunk: none; do not start `WS-AUTH-001-05` automatically.
- `WS-AUTH-001-04B` is inactive until this memory update merges and the user
gives its separate explicit start signal.
- Focused evidence: 77 isolated rate/config tests pass at 97 percent subsystem
coverage, 59 final config/object-graph tests pass, the exact migration proof
and real API E2E pass. AUTH-05 and later chunks remain inactive.
- Parallel initiative: `WS-QUAL-001-01B2` is paused at the user's direction so
AUTH receives the laptop's test capacity. Its last official whole-app result
remains `6466/8159` statements (`79.249908%`); no replacement evidence exists.
Expand Down
176 changes: 176 additions & 0 deletions .agent-loop/REVIEW_LOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,181 @@
# Review Log

## 2026-07-14 - WS-AUTH-001-04B Backend CI Repair

PR #113 Backend reached 82.12 percent repository coverage but failed because
the final AUTH-04B Alembic test left the shared isolated database at `base`.
Pytest's CI discovery order then entered `test_api_rate_controls.py` without
table `api_rate_control_counters`. The owning migration test now restores
Alembic `head` after its destructive cleanup. The exact failing
`test_alembic.py -> test_api_rate_controls.py` order is required repair proof;
no runtime, migration, coverage threshold, or workflow changes are permitted.
CodeRabbit posted one valid test-deduplication nit, now addressed through a
transaction-preserving shared insert helper. Its PR-description template
warning is addressed in the trust bundle; its docstring heuristic is superseded
by the passing repository-owned 95.8 percent docstring gate.

## 2026-07-14 - WS-AUTH-001-04B Ready PR Published

Ready PR #113 is open at
`https://github.com/Flow-Research/workstream/pull/113`. GitHub Backend, Agent
Gates, CodeRabbit, and explicit human review are the current gate. Publication
is not merge approval; AUTH-05 and artifact runtime remain inactive.

## 2026-07-14 - WS-AUTH-001-04B Internal Review Passed

All required tracks pass final SHA `922778b`; reviewed production SHA is
`67484b5`. Senior engineering, architecture, docs, reuse, QA/test, CI integrity,
test delta, security/auth, privacy/data, and product/ops found no remaining
blocker. The final test-only proof instruments the BaseSettings boundary and
would fail the prior recoverable-`SecretStr` implementation. Evidence and the
PR trust bundle are recorded under the AUTH initiative reviews directory.

Ready PR publication and external GitHub checks are the current gate. AUTH-05,
artifact runtime, and all route attachments remain inactive.

## 2026-07-14 - WS-AUTH-001-04B Exact-Head Review Repair

Required implementation review at `8f54fd9` passed QA, CI integrity, and test
delta with 72 fresh isolated PostgreSQL tests. Senior engineering and security
rejected PR publication because unrelated Pydantic validation errors could
retain the raw rate-control secret through structured error APIs. Security also
found that the canonical inactive artifact plan did not yet enforce D14's
central authorization prerequisite for adapter I/O.

The bounded repair removes the secret from Pydantic's public field graph before
all structured validation while preserving constructor, environment, and dotenv
loading. Regression tests inspect `errors()` and `json()` and cover
`model_validate`. The user-directed artifact ownership clarification amends only
the canonical ART plan and inactive chunk contract: mechanics may be developed
independently, but production dispatch requires AUTH-07 permissions, AUTH-09
service principals, exact resource authorization evidence, and never derives
authority from a credential or receipt. No artifact runtime or AUTH-05 behavior
is activated.

Initial repair evidence is 78 migration-inclusive isolated PostgreSQL behavior tests,
69 focused rate-control/config tests at 98 percent subsystem coverage, and the
real API contract E2E. Ruff, docstring coverage, stale authorization/artifact/
Workstream wording, Markdown links, loop memory, diff integrity, and all 36
agent-gate tests pass. The repaired production delta is 465 non-comment lines,
below the 500-line hard stop. Exact-SHA internal re-review is the current gate.

Exact-head review of `0b9d0fe` passed QA, CI integrity, and test delta, but
senior engineering and security found the same retention class in
`model_validate_json` and `model_validate_strings`; malformed JSON could also
retain its complete document. Senior engineering additionally found that the
manual secret source did not preserve BaseSettings' supported layered-dotenv
precedence. The final bounded repair covers those public entry points, rejects
malformed JSON with a constant non-retaining error, and resolves layered dotenv
files in order. Exact-SHA re-review remains mandatory before publication.

Final repair evidence adds 77 focused behavior tests at 98 percent subsystem
coverage, 56 direct configuration tests, and the exact AUTH-04B migration test
passing against a fresh isolated database. The production delta is 480
non-comment lines and remains below the 500-line hard stop. All static gates
continue to pass.

Exact-head review of `629d10c` found that rendered redaction was still weaker
than object-graph non-retention: Pydantic-version-dependent error input could
retain a recoverable `SecretStr`, malformed JSON remained reachable through
`JSONDecodeError.__context__`, and non-ASCII rejection chained a
`UnicodeEncodeError` containing the original key. The final privacy repair
passes only `None` into Pydantic, assigns the private validated key after
successful validation, and raises constant parse/decode failures outside catch
scopes. Tests traverse structured errors and complete exception cause/context
graphs rather than checking rendered output alone.

The object-graph repair passes 77 focused behavior tests at 97 percent
subsystem coverage. The final production delta is 480 non-comment lines, below
the 500-line hard stop.

QA passed runtime and CI integrity at `67484b5` but rejected the test proof:
the recursive helper did not traverse `ValidationError.errors()`, so rendered
redaction could hide a recoverable `SecretStr` on another Pydantic version. The
test-only repair now traverses the actual structured error objects and
instruments the `BaseSettings` boundary for mapping, JSON, and string-mapping
validation, asserting that only `None` crosses into Pydantic. This
deterministically fails the prior implementation that forwarded `SecretStr`.

## 2026-07-13 - WS-AUTH-001-04B Repaired Contract Passed

Implementation candidate `62dd18e` failed required exact-head review. Valid
findings were structured Pydantic secret retention, unpaired-surrogate identity
500s, a concurrent downgrade custody race, unsynchronized database tests,
incomplete downstream-rollback/session-open/prune/database-clock evidence, no
representative 0016 artifact row, and tests mistakenly placed in the prior
AUTH-04A file instead of the contract-owned rate-control file. One bounded
repair cycle moves the tests, closes each runtime/migration issue, adds exact
proof, and requires full-suite coverage plus exact-head re-review.

The repository-wide coverage run for repair head `2d70581` was interrupted by
the host shutdown on 2026-07-14 and produced no valid result. Under the current
repository rule and the chunk's laptop-capacity clause, local evidence must
prove the materially changed AUTH-04B subsystem remains at least 90 percent;
GitHub CI owns the unchanged repository-wide 78 percent gate. No interrupted
result is treated as evidence.

Required senior engineering, architecture, security/data, QA/test, CI-integrity,
test-delta, product/ops, docs, and reuse review passed exact repaired-contract
head `b5dceb1`. The second repair closed optional-secret, missing-database,
lock-order, oversized-identity, exact-setting/constraint, same-clock timestamp,
and cross-replica rotation gaps without runtime edits.

Bounded AUTH-04B implementation is authorized under the 350-line checkpoint and
500-line hard stop. Named dependencies remain unattached; AUTH-05 and all
product authority changes remain inactive.

`backend/tests/test_auth.py` was added as a test-only scope amendment after its
canonical-verification consumer allowlist correctly detected the new unattached
rate dependency. Only that expected inventory may change; auth runtime, routes,
compatibility behavior, and authority remain out of scope.

The implementation candidate passed 93 owned tests with 99 percent aggregate
coverage across config, dependency, model, repository, and service modules.
Real PostgreSQL proofs passed for atomic concurrency, durable denial, expiry,
saturation, pruning, exact schema, and guarded downgrade. The real API E2E and
all stale-wording, authorization-doc, artifact-contract, link, loop-state,
ruff, and diff checks pass. Required implementation review is the current gate.

The first production pass reached 408 changed non-comment lines. The mandatory
350-line checkpoint inspected every production path and froze scope to the
approved config, unattached dependencies, model, repository, service, model
registration, and `0017` migration. Ninety-two lines remain before the hard
stop; tests, docs, and evidence do not count.

## 2026-07-13 - WS-AUTH-001-04B Contract Repair Required

Required L1 preimplementation review rejected activation head `5ed410d` before
any runtime edit. The contract did not bind exact HMAC/secret bytes, overflow-
safe SQL, database-time boundaries, dedicated commit ownership, dependency
errors, real concurrency counts, transactional downgrade refusal, or expired
pseudonymous-row retention.

The repaired contract specifies canonical Base64 secret material, exact framed
HMAC input and bounds, `BYTEA` persistence guarded to 32 bytes, one clock-bound saturating
upsert, dedicated committed sessions, canonical 429/503 behavior, bounded
pruning plus operator cleanup, exact migration custody, real-ASGI/concurrency
proof, per-file 90 percent coverage, and additive test-delta evidence. Runtime
remains gated on exact-head re-review.

First repaired head `78e2170` resolved the original security/data ambiguities
but failed re-review on optional-secret syntax, missing-database mapping,
prune-before-upsert lock ordering, exact setting/constraint names, same-clock
`updated_at`, and local oversized-identity handling. This second repair is the
final in-place contract cycle for those classes; another failure stops and
replans before runtime code.

## 2026-07-13 - WS-AUTH-001-04B Started

PR #112 merged AUTH-04A post-merge memory to `main` as `7749f54` after Backend,
Agent Gates, CodeRabbit, required internal review, and explicit human approval
passed. The user then explicitly started `WS-AUTH-001-04B` in the isolated
worktree `/home/abiorh/flow/workstream-auth-001-04b` on branch
`codex/ws-auth-001-04b-postgres-rate-controls`.

AUTH-04B is L1/P1 authorization infrastructure. Its existing bounded contract
must pass required preimplementation review before runtime edits. AUTH-05,
POL-002-04, and QA implementation remain inactive.

## 2026-07-13 - WS-AUTH-001-04A Merged

PR #111 merged `WS-AUTH-001-04A` to `main` as `90c9a28` after final branch head
Expand Down
9 changes: 4 additions & 5 deletions .agent-loop/WORK_QUEUE.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,12 @@

| Chunk | Title | Risk | Status |
|---|---|---:|---|
| - | No active implementation chunk | - | AUTH-04A post-merge memory in progress; no product implementation active |
| `WS-AUTH-001-04B` | PostgreSQL Rate Controls | L1 | Internal review passed; PR #113 in external review |

## Planned Next

| Chunk | Title | Risk | Status |
|---|---|---:|---|
| `WS-AUTH-001-04B` | PostgreSQL Rate Controls | L1 | Inactive until 04A merge/memory and a separate explicit user start |
| `WS-QUAL-001-01B2` | Baseline Evidence And CI Ratchet | L1 | Paused for AUTH priority; no valid replacement baseline yet |
| `WS-QUAL-001-02` | Project Service Coverage | L1 | Inactive until 01B2 merge/memory plus explicit user start |
| `WS-POL-002-04` | Locked Runtime Execution And Routing Hardening | L1 | Inactive pending relevant authorization proof and a separate explicit user start |
Expand Down Expand Up @@ -57,9 +56,9 @@

## Proposed Next

`WS-AUTH-001-04A` merged through PR #111 as `90c9a28` after all required checks
and reviews passed. Its post-merge memory update is active; no AUTH product
implementation is active. Do not start 04B, AUTH-05, or POL-002-04
`WS-AUTH-001-04A` post-merge memory merged through PR #112 as `7749f54`. The
user explicitly started `WS-AUTH-001-04B`; all required internal review tracks
pass and ready PR #113 is in external review. Do not start AUTH-05 or POL-002-04
automatically.

Coverage R10 merged through PR #108. Do not start 01B2, chunk 02, or another
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -261,7 +261,12 @@ approval, locking, and deterministic checker compilation.

## WS-AUTH Dependencies

- Internal artifact foundations and Flow Node work may proceed independently.
- Internal artifact schemas and adapter mechanics may proceed independently,
but production dispatch and every external adapter I/O remain disabled until
`WS-AUTH-001-07` defines the exact operation permission and
`WS-AUTH-001-09` provisions the calling service principal. Each dispatch must
carry a central authorization decision for the exact operation and resource;
an adapter credential or provider receipt never creates authority.
- Guide source API cutover waits for WS-AUTH project mutation cutover
(`WS-AUTH-001-12`) or its approved replacement.
- Upload session and submission cutovers wait for task/submission/checker
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,9 @@ Parent: `WS-ART-001` | Repository: Workstream | Risk: L1 | SLA: P1
## Goal

Implement `FlowNodeAdapter`, metadata-only operation outbox/reconciliation,
pinned provider delivery, and local integration.
pinned provider delivery, and local integration. Production dispatch remains
disabled until the central AUTH permission and service-principal prerequisites
are merged.

## Allowed Files

Expand All @@ -20,7 +22,8 @@ pinned provider delivery, and local integration.
## Not Allowed

No byte payload in DB/Redis/outbox, product cutover, provider fallback, human
token forwarding, or provider-triggered lifecycle transition.
token forwarding, provider-triggered lifecycle transition, or adapter I/O that
bypasses a central authorization decision for the exact operation and resource.

## Acceptance Criteria

Expand All @@ -38,6 +41,11 @@ token forwarding, or provider-triggered lifecycle transition.
visibility.
- Reconciliation, quarantine, retain, and release product audit events use the
shared `AuditRepository`; provider receipts remain operation evidence only.
- Production upload, read, retain, release/delete, replicate, verify, and
reconcile dispatch requires the exact permission from `WS-AUTH-001-07` and an
explicitly provisioned service principal from `WS-AUTH-001-09`. Mechanical
adapter work may be tested before those chunks merge, but production dispatch
stays disabled and no receipt or adapter credential creates authority.
- Concurrent dispatch/reconcile has one monotonic provider effect and one
canonical receipt outcome; row counts are asserted.
- Same v1 vectors pass LocalStorageAdapter and a Flow Node image pinned by full
Expand All @@ -48,9 +56,10 @@ token forwarding, or provider-triggered lifecycle transition.
populated-state preservation, empty downgrade, and re-upgrade are owned and
proved in `test_alembic.py`; otherwise the chunk records that no migration was
created.
- Compose health proves adapter-level authenticated ingest/retrieve/status from
Workstream's service principal directly through `FlowNodeAdapter`; it does not
claim a public Workstream artifact API before the product cutover.
- Compose health proves test-only adapter mechanics for ingest/retrieve/status.
Production service-principal dispatch additionally requires central AUTH
decision evidence and remains disabled before the owning AUTH cutovers; this
chunk does not claim a public Workstream artifact API.

## Verification

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ stopped.
| `WS-AUTH-001-03` | Legacy Actor Classification Preflight | L1 | Merged through PR #109 as `f06532e` |
| `WS-AUTH-001-04` | Request, Error, And API Control Foundation | L1 | Split before implementation into 04A and 04B |
| `WS-AUTH-001-04A` | Request And Error Context | L1 | Merged through PR #111 as `90c9a28` |
| `WS-AUTH-001-04B` | PostgreSQL Rate Controls | L1 | Inactive pending 04A memory merge and separate explicit start |
| `WS-AUTH-001-04B` | PostgreSQL Rate Controls | L1 | Internal review passed; PR #113 in external review |
| `WS-AUTH-001-05` | Authority Evidence And Idempotency Foundation | L1 | Proposed |
| `WS-AUTH-001-06` | Canonical Actor Profile And Identity Link | L1 | Proposed |
| `WS-AUTH-001-07` | Authorization Kernel And Permission Registry | L1 | Proposed |
Expand Down Expand Up @@ -68,6 +68,11 @@ WS-AUTH-001-PLAN
- Chunk 07 provides the single authorization engine before grant APIs.
- Chunks 08-10 establish local grant truth before product cutover.
- Chunks 11-15 migrate bounded complete product/system surfaces.
- Artifact upload, read, retention, release/delete, replication, integrity, and
reconciliation remain mechanically owned by the artifact subsystem but must
receive centralized AUTH decisions. Chunk 07 owns the permission-registry
boundary, chunk 09 owns artifact service principals, the applicable 11-15
resource cutovers attach enforcement, and chunk 16 proves no bypass remains.
- Chunk 16 proves the complete initiative; it does not backfill missing audit
or idempotency evidence.
- `WS-POL-002-03` merged separately through PR #90 as `a7aa474`. This initiative
Expand All @@ -79,8 +84,9 @@ WS-AUTH-001-PLAN

AUTH-03 post-merge memory merged through PR #110 as `1864867`. The user
explicitly started parent AUTH-04. Required plan review split it before runtime
implementation. AUTH-04A merged through PR #111 as `90c9a28` after required
internal review, Backend, Agent Gates, CodeRabbit, and explicit human approval
passed. Its post-merge memory update is the current gate.
Do not start AUTH-04B, AUTH-05, or POL-002-04; each retains its separate start
signal and prerequisites.
implementation. AUTH-04A merged through PR #111 as `90c9a28`, and its
post-merge memory merged through PR #112 as `7749f54`. The user explicitly
started AUTH-04B. Its repaired contract passed at `b5dceb1`; bounded
implementation and all required internal review tracks pass final SHA
`922778b`. Ready PR #113 is in external review. Stop; do not start AUTH-05 or
POL-002-04.
Loading
Loading