Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
9228699
docs(auth): split AUTH-05 evidence foundation
Abiorh001 Jul 14, 2026
f4d9035
docs(auth): lock AUTH-05 child contracts
Abiorh001 Jul 14, 2026
7a9023b
docs(auth): finalize AUTH-05A replay reference
Abiorh001 Jul 14, 2026
5f9a49f
feat(auth): add append-only authority audit evidence
Abiorh001 Jul 14, 2026
6fbb1f8
fix(auth): close authority evidence privacy gaps
Abiorh001 Jul 14, 2026
c93cf14
docs(auth): repair AUTH-05A privacy contract
Abiorh001 Jul 14, 2026
2cd0fbe
docs(auth): specify authority evidence registries
Abiorh001 Jul 14, 2026
27d9eca
docs(auth): resolve authority registry contradictions
Abiorh001 Jul 14, 2026
7cc6058
docs(auth): bind authority evidence scope
Abiorh001 Jul 14, 2026
42c0a4d
docs(auth): record AUTH-05A contract approval
Abiorh001 Jul 14, 2026
ab62a61
docs(auth): raise AUTH-05A circuit breaker
Abiorh001 Jul 14, 2026
611abfc
docs(auth): align AUTH-05A amendment state
Abiorh001 Jul 14, 2026
cd07e81
docs(auth): record AUTH-05A ceiling approval
Abiorh001 Jul 14, 2026
a5559bd
fix(auth): enforce closed authority evidence registries
Abiorh001 Jul 14, 2026
bd0bde8
fix(auth): close authority audit custody gaps
Abiorh001 Jul 14, 2026
1db2a36
fix(auth): snapshot untrusted audit inputs
Abiorh001 Jul 14, 2026
78d34ca
test(auth): require silent audit readmission
Abiorh001 Jul 14, 2026
4490128
fix(auth): normalize nested audit facts
Abiorh001 Jul 14, 2026
3536e39
docs(auth): record AUTH-05A review evidence
Abiorh001 Jul 14, 2026
957dd3d
fix(auth): address PR review feedback
Abiorh001 Jul 14, 2026
ea16fd8
docs(auth): align 05B verification with CI
Abiorh001 Jul 14, 2026
d023952
docs(auth): record CodeRabbit repair evidence
Abiorh001 Jul 14, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 18 additions & 12 deletions .agent-loop/LOOP_STATE.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,20 +4,26 @@

- Active initiative: `WS-AUTH-001` - Workstream Authorization Service
- Active planning chunk: none
- Active implementation chunk: none
- Branch: `codex/ws-auth-001-04b-post-merge-memory`
- Worktree: `/home/abiorh/flow/workstream-authorization-service`
- Status: AUTH-04B merged through PR #113 as `05a63c8` after Backend, Agent
Gates, CodeRabbit, required internal review, and explicit human approval
passed.
- Active implementation chunk: `WS-AUTH-001-05A` - Shared Audit Ownership And
Append-Only Authority Evidence
- Branch: `codex/ws-auth-001-05-authority-evidence`
- Worktree: `/home/abiorh/flow/workstream-auth-001-05`
- Status: AUTH-04B post-merge memory merged through PR #114 as `97cd0f5`.
The user explicitly started AUTH-05. Required L1 review rejected the combined
contract, then passed the first repaired AUTH-05A contract at `7a9023b`.
Exact-SHA implementation review reopened the contract for closed privacy
registries, non-echoing mapping admission, typed/SQL parity, and readable SQL.
- Prior `WS-AUTH-001-01` reviewed implementation SHA: `be0b836`
- Prior `WS-AUTH-001-01` final merged branch head: `b5217e1`
- Latest integrated `main` merge commit: `05a63c8`
- Current gate: publish and merge the AUTH-04B post-merge memory update, then
stop.
- Size checkpoint: implementation is 480 changed non-comment production lines;
the required 350-line inspection passed and the 500-line hard stop holds.
- Next chunk: none; do not start `WS-AUTH-001-05` automatically.
- Latest integrated `main` merge commit: `97cd0f5`
- Current gate: AUTH-05A runtime repair and focused evidence under the
human-approved semantic chunk boundary.
- Scope checkpoint: allowed files, non-goals, acceptance criteria, behavior
evidence, and required review bound AUTH-05A; there is no numeric line cap.
AUTH-05B remains a separate inactive chunk.
- Next chunk: AUTH-05B remains inactive until AUTH-05A merges, post-merge memory
is reconciled, and the user gives a separate explicit start. AUTH-06 remains
inactive.
- Focused evidence: 77 isolated rate/config tests pass at 97 percent subsystem
coverage, 59 final config/object-graph tests pass, and the exact migration
proof and real API E2E pass. Final GitHub Backend passed 937 tests at 82.15
Expand Down
114 changes: 114 additions & 0 deletions .agent-loop/REVIEW_LOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,119 @@
# Review Log

## 2026-07-14 - WS-AUTH-001-05A CodeRabbit Response

CodeRabbit run `30676bdc-7525-4deb-8f9e-a87d42c64f92` produced four actionable
comments on PR #115. The response makes the inactive AUTH-05B verification
commands executable, replaces fragile positional event mapping with explicit
identity-link event keys, types the task audit fixture session, and replaces
misleading reused-agent names with AUTH-05A-specific review references. Focused
behavior, Ruff, stale authorization docs, Markdown links, and diff integrity
pass. Exact-SHA internal re-review is required before publication of the repair.

## 2026-07-14 - WS-AUTH-001-05A Semantic Scope Amendment

The human replaced AUTH-05A's numeric production-line ceiling with the approved
chunk contract as the controlling boundary. Allowed files, explicit non-goals,
acceptance criteria, behavior evidence, and required internal review now govern
scope. Readable SQL remains mandatory; AUTH-05B, route activation, permission
evaluation, and grant lifecycle implementation remain inactive.

## 2026-07-14 - WS-AUTH-001-05A Circuit Breaker Amendment Passed

The human-approved AUTH-05A-only 500-line inspection and 1000-line hard stop
passed all required exact-SHA reviewers at `611abfc`. Review confirmed the typed
and PostgreSQL privacy matrices must remain atomic, the incomplete 689-line
draft was discarded, SQL packing remains prohibited, focused behavior and 90
percent subsystem coverage gates remain, and AUTH-05B stays inactive. Bounded
runtime repair may resume.

## 2026-07-14 - WS-AUTH-001-05A Circuit Breaker Reopened

The first post-approval exact-registry dry run reached 689 changed non-comment
production lines before readable PostgreSQL parity was complete, crossing the
650 hard stop. The uncommitted runtime draft was discarded and the tree
returned to the 484-line approved implementation checkpoint. Splitting typed
and database enforcement into separately mergeable PRs would leave an
incomplete security boundary, so the user approved a 1000-line hard stop
with the existing 500-line inspection, 120-character migration line gate, and
no SQL packing. Runtime work remains paused for exact-SHA amendment review.

## 2026-07-14 - WS-AUTH-001-05A Repaired Contract Review Passed

The exact contract at `7cc6058` passed senior engineering, architecture,
product/ops, docs, reuse, QA, CI/test-delta, and security/privacy review. It
locks closed envelope/reason/fact registries, cross-field project integrity,
non-echoing Mapping/JSON admission, identical typed/direct-SQL behavior,
readable SQL, focused regressions, and the then-approved 500/650
circuit breaker. Bounded runtime repair may proceed; AUTH-05B remains inactive.

## 2026-07-14 - WS-AUTH-001-05A Repaired Contract Review Failed

Required review of contract `c93cf14` rejected implicit security registries.
Senior engineering, QA, and security agreed that exact event-to-reason,
event-to-fact, permission, denial, and reference matrices must be normative;
lexical bounds and "spec-derived" values were insufficient. Review also
required sanitized malformed-JSON handling, the two known checker regression
nodes, deterministic size/line checks, and symmetric additive test-delta
checks. The contract was repaired without runtime edits and requires a new
exact-SHA review.

Review of `2cd0fbe` then caught contradictory UUID rules for permission targets,
resource-ID nullability, admin role/scope compatibility, optional-versus-required
reason wording, and state-versus-decision fact meaning. It also required exact
added-plus-deleted size arithmetic and reuse of the repository's AST-aware test
weakening detector. Those contract defects were repaired before runtime work.
QA then found the AST command below the repository-root directory change; the
command was moved into its executable backend-relative position before final
contract review.
Senior review also required project-scoped grant facts to match the envelope
project, replacement facts to retain one scope, system-scope grant evidence to
omit project scope, and project resources to agree with the envelope project.

## 2026-07-14 - WS-AUTH-001-05A Contract Reopened By Exact-SHA Review

Exact-SHA review of implementation repair `6fbb1f8` closed append-only,
repository ownership, canonical actor-reference, and invalidation-cause
integrity concerns, but found valid remaining privacy and auditability gaps.
Arbitrary reason/fact strings could still impersonate opaque secrets, rejected
known values and non-dict mappings remained recoverable through structured
Pydantic errors, direct SQL did not enforce every typed token bound, and the
500-line ceiling had encouraged unreadable security SQL.

The repaired contract raises only AUTH-05A's ceiling to 650, prohibits
long-line packing, requires closed reason/fact registries, requires a
non-echoing pre-admission boundary for every Mapping, clarifies invalidation
cause integrity versus inactive idempotency replay, and requires typed/direct
SQL parity. No further runtime repair is permitted until required L1 contract
review passes; AUTH-05B remains inactive.

## 2026-07-14 - WS-AUTH-001-05A Preimplementation Review Passed

The repaired AUTH-05A contract passed required senior engineering,
QA/CI/test-delta, security/privacy, product/ops, architecture, docs, and reuse
review at `7a9023b`. The contract fixes migration ownership at `0018`, retains
the existing `audit_events` ledger and `AuditRepository` as sole persistence
owner, defines exact legacy/authority compatibility and bounded event shapes,
and requires unconditional normal-DML append-only triggers plus downgrade and
production-role custody proof. Bounded implementation and deterministic
evidence are active; AUTH-05B remains inactive.

## 2026-07-14 - WS-AUTH-001-05 Plan Review Split Required

After AUTH-04B post-merge memory merged through PR #114 as `97cd0f5`, the user
explicitly started AUTH-05. Required L1 engineering, QA/CI, and
security/privacy/product plan review rejected the combined contract before any
runtime edit. Migration `0017` is already owned by AUTH-04B, dedicated audit and
authorization tests were absent, and shared audit custody plus idempotency and
invalidation were not credibly reviewable as one sub-500-line production diff.

The repaired plan splits AUTH-05 into 05A shared audit ownership/append-only
authority evidence on migration `0018`, then 05B idempotency/invalidation on
`0019`. Both retain caller-owned transactions, focused 90 percent subsystem
coverage, the global 78 percent CI floor, full reviewer fanout, and separate
human merge/start gates. No runtime implementation is active pending repaired
contract review.

## 2026-07-14 - WS-AUTH-001-04B Merged

PR #113 merged `WS-AUTH-001-04B` to `main` as `05a63c8` after final branch head
Expand Down
9 changes: 5 additions & 4 deletions .agent-loop/WORK_QUEUE.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

| Chunk | Title | Risk | Status |
|---|---|---:|---|
| - | No active implementation chunk | - | AUTH-04B post-merge memory in progress; no product implementation active |
| `WS-AUTH-001-05A` | Shared Audit Ownership And Append-Only Authority Evidence | L1 | Human-approved semantic chunk boundary; runtime repair/evidence |

## Planned Next

Expand Down Expand Up @@ -57,9 +57,10 @@

## Proposed Next

`WS-AUTH-001-04B` merged through PR #113 as `05a63c8` after all required checks
and reviews passed. Its post-merge memory update is active; no AUTH product
implementation is active. Do not start AUTH-05 or POL-002-04 automatically.
AUTH-04B post-merge memory merged through PR #114 as `97cd0f5`. The user
explicitly started AUTH-05. Required plan review rejected the combined contract
before runtime edits and required children 05A/05B. Only 05A contract repair is
active. Do not implement 05B, AUTH-06, or POL-002-04 automatically.

Coverage R10 merged through PR #108. Do not start 01B2, chunk 02, or another
coverage implementation chunk from this worktree.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ stopped.
| `WS-AUTH-001-04` | Request, Error, And API Control Foundation | L1 | Split before implementation into 04A and 04B |
| `WS-AUTH-001-04A` | Request And Error Context | L1 | Merged through PR #111 as `90c9a28` |
| `WS-AUTH-001-04B` | PostgreSQL Rate Controls | L1 | Merged through PR #113 as `05a63c8` |
| `WS-AUTH-001-05` | Authority Evidence And Idempotency Foundation | L1 | Proposed |
| `WS-AUTH-001-05` | Authority Evidence And Idempotency Foundation | L1 | Split before implementation into 05A and 05B |
| `WS-AUTH-001-05A` | Shared Audit Ownership And Append-Only Authority Evidence | L1 | Semantic chunk boundary approved; runtime repair/evidence |
| `WS-AUTH-001-05B` | Authority Idempotency And Invalidation Foundation | L1 | Inactive pending 05A merge/memory and separate explicit start |
| `WS-AUTH-001-06` | Canonical Actor Profile And Identity Link | L1 | Proposed |
| `WS-AUTH-001-07` | Authorization Kernel And Permission Registry | L1 | Proposed |
| `WS-AUTH-001-08` | Bootstrap And Administrative Role Grants | L1 | Proposed |
Expand All @@ -40,7 +42,8 @@ WS-AUTH-001-PLAN
-> WS-AUTH-001-03
-> WS-AUTH-001-04A
-> WS-AUTH-001-04B
-> WS-AUTH-001-05
-> WS-AUTH-001-05A
-> WS-AUTH-001-05B
-> WS-AUTH-001-06
-> WS-AUTH-001-07
-> WS-AUTH-001-08
Expand All @@ -61,7 +64,9 @@ WS-AUTH-001-PLAN
- Parent chunk 04 was split before implementation. Chunk 04A establishes
request/correlation and additive error compatibility; chunk 04B later owns
durable PostgreSQL rate controls and its migration.
- Chunk 05 evolves the shared audit path and idempotency before mutations.
- Parent chunk 05 was split before implementation. Chunk 05A owns shared audit
schema/writer custody and append-only authority evidence; chunk 05B owns
idempotency and typed invalidation orchestration.
- Chunk 06 establishes canonical actor resolution while preserving only the
enumerated non-authoritative legacy workflow-eligibility consumers required
for intermediate-release operability.
Expand Down Expand Up @@ -89,5 +94,11 @@ post-merge memory merged through PR #112 as `7749f54`. The user explicitly
started AUTH-04B. Its repaired contract passed at `b5dceb1`; bounded
implementation and all required internal review tracks passed, and PR #113
merged as `05a63c8` after Backend, Agent Gates, CodeRabbit, and explicit human
approval passed. AUTH-04B post-merge memory is the current gate. Stop; do not
start AUTH-05 or POL-002-04.
approval passed. AUTH-04B post-merge memory then merged through PR #114 as
`97cd0f5`, and the user explicitly started AUTH-05. Required plan review
rejected the combined contract before runtime edits and required 05A/05B.
The first 05A implementation review proved the original numeric ceiling
incompatible with readable typed/database privacy parity. Repaired 05A contract
review passed at `7cc6058`; the user subsequently replaced the line cap with
the semantic AUTH-05A boundary. Runtime repair is active. 05B remains inactive.
Do not start AUTH-06 or POL-002-04.
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,24 @@ Production deployment inputs remain externally supplied:
- Fixed internal system actors for server-owned automation.
- One PR-sized chunk at a time with deterministic evidence and internal review.

## AUTH-05 Delta Discovery (2026-07-14)

- Current migration head is `0017_api_controls`; the original AUTH-05
`0017_*` allowance collides and cannot be implemented.
- `AuditEvent` remains in `tasks.models`. `AuditRepository` owns a shared insert
implementation, while `TaskRepository` still duplicates insert/read logic
used by task/checker services.
- Legacy audit rows require non-null external issuer/subject, token-role, and
claim fields. Authority events need a conditional privacy-safe envelope that
preserves legacy rows without copying those identity-provider fields.
- The combined shared-audit schema/writer, append-only database custody,
idempotency state machine, and concurrency proof cross two persistent
subsystem boundaries. Required L1 plan review split them into 05A (`0018`)
and 05B (`0019`) before runtime implementation.
- D13 provider-neutral verifier adoption does not block either child and remains
a separate reviewed chunk after the shared external-service adapter
foundation exists.

## AUTH-04 Delta Discovery (2026-07-13)

### Current behavior
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,8 @@ proving the same token role alone no longer authorizes.
evidence workflow.
4. Establish request/correlation context, structured errors, and API rate
controls.
5. Evolve shared audit evidence and add canonical idempotency/invalidation.
5. Evolve shared audit evidence in 05A, then add canonical
idempotency/invalidation in 05B.
6. Migrate to canonical profile/link semantics and first-human resolution.
7. Implement the minimal registered permission and AuthorizationService kernel
before protected authority-management APIs.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,20 +43,29 @@ internally approved at final SHA `922778b`; reviewed production SHA is
`67484b5`. The Backend CI isolation repair passed exact review at `4fb846c`.
Final branch head `94fb2fe` passed Backend, Agent Gates, and CodeRabbit, then
explicit human approval merged PR #113 to `main` as `05a63c8` on 2026-07-14.
AUTH-04B post-merge memory is active; AUTH-05 remains inactive.
AUTH-04B post-merge memory merged through PR #114 as `97cd0f5`. The user then
explicitly started AUTH-05. Required L1 plan review rejected the combined
audit/idempotency contract before runtime edits and required children 05A and
05B. The first repaired AUTH-05A contract passed at `7a9023b`, but exact-SHA
implementation review demonstrated that closed privacy registries and readable
typed/SQL parity require a larger readable contract. The repaired contract
passed at `7cc6058`, but numeric hard stops repeatedly interrupted the atomic
typed/database parity boundary. The human replaced the line cap with AUTH-05A's
semantic scope, acceptance criteria, behavior evidence, and review gates;
runtime repair and focused evidence are active.

## Active planning chunk

None.

## Active implementation chunk

None.
`WS-AUTH-001-05A` - Shared Audit Ownership And Append-Only Authority Evidence.

## Current implementation branch

None. Post-merge memory uses `codex/ws-auth-001-04b-post-merge-memory` and makes
no product implementation change.
`codex/ws-auth-001-05-authority-evidence` in
`/home/abiorh/flow/workstream-auth-001-05`.

## Chunk status

Expand All @@ -69,7 +78,9 @@ no product implementation change.
| `WS-AUTH-001-04` | Split | `codex/ws-auth-001-04-request-api-controls` | - | Parent split before runtime implementation. |
| `WS-AUTH-001-04A` | Merged | `codex/ws-auth-001-04-request-api-controls` | #111 | Merged as `90c9a28`; production review `cdcaf77`; final branch head `36c4aa5`. |
| `WS-AUTH-001-04B` | Merged | `codex/ws-auth-001-04b-postgres-rate-controls` | #113 | Merged as `05a63c8`; production review `67484b5`; final branch head `94fb2fe`. |
| `WS-AUTH-001-05` | Proposed | - | - | Authority evidence and idempotency foundation. |
| `WS-AUTH-001-05` | Split | `codex/ws-auth-001-05-authority-evidence` | - | Parent split before implementation into 05A and 05B. |
| `WS-AUTH-001-05A` | Runtime repair/evidence | `codex/ws-auth-001-05-authority-evidence` | - | Human-approved semantic chunk boundary; repair active. |
| `WS-AUTH-001-05B` | Inactive | - | - | Idempotency and invalidation; requires 05A merge/memory and separate explicit start. |
| `WS-AUTH-001-06` | Proposed | - | - | Canonical actor profile and identity link. |
| `WS-AUTH-001-07` | Proposed | - | - | Authorization kernel and permissions. |
| `WS-AUTH-001-08` | Proposed | - | - | Bootstrap and administrative grants. |
Expand All @@ -84,10 +95,15 @@ no product implementation change.

## Blockers

No active implementation blocker because no AUTH product chunk is active.
AUTH-05 may start only after this memory update merges and the user gives a
separate explicit start signal. AUTH-04B owns migration `0017`, following the
now-owned `0016` prefix on current main. Non-test
AUTH-05A has no preimplementation blocker under its human-approved semantic
chunk boundary. The combined AUTH-05 contract was
rejected before code changes because migration `0017` is already owned by
AUTH-04B and the shared-audit plus idempotency scope was not reviewable as one
L1 change. Repaired AUTH-05A owns migration `0018`; AUTH-05B later owns
migration `0019`. Exact-SHA review found valid arbitrary fact/reason privacy,
non-dict Mapping retention, DB token-parity, cause-contract ambiguity, and SQL
auditability findings; the repaired contract owns their closure without
reactivating 05B. Non-test
operators must later supply explicit classification evidence rather than
inferred kinds before the owning canonical actor migration.

Expand Down
Loading
Loading