Add post-submit policy approval APIs#90
Conversation
📝 WalkthroughWalkthroughAdds operator-facing setup visibility, server-owned approval, and correction endpoints for compiled post-submit checker policies, with locking, validation, redaction, authorization, correction requeueing, tests, documentation, and lifecycle-state updates. ChangesPost-submit checker policy lifecycle
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Operator
participant ProjectsRouter
participant ProjectService
participant ProjectRepository
Operator->>ProjectsRouter: Request setup, approval, or correction
ProjectsRouter->>ProjectService: Invoke policy lifecycle operation
ProjectService->>ProjectRepository: Lock and validate compiled policy
ProjectRepository-->>ProjectService: Return locked policy state
ProjectService-->>ProjectsRouter: Return redacted setup response
ProjectsRouter-->>Operator: Return policy status
Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (1)
backend/app/modules/projects/schemas.py (1)
529-538: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider a typed model instead of
dict[str, Any]forderivation_input_summary.This field carries the "bounded" operator-visible derivation context, and the whole point of this PR is to guarantee no raw source text, hashes, or policy bodies leak through. A free-form
dict[str, Any]bypasses Pydantic's response-model filtering — any key the service returns passes through unchecked, so the redaction guarantee lives only in code discipline in_post_submit_derivation_input_summary, not in the schema contract. A dedicated model (mirroring the known fixed keys, e.g.source_snapshot_id,source_snapshot_hash_redacted,sufficiency_status,effective_policy_id,pre_submit_checker_names, etc.) withextra="forbid"would make the contract enforceable at the type level and fail loudly if an unexpected/unsafe key is ever introduced.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@backend/app/modules/projects/schemas.py` around lines 529 - 538, Replace the free-form derivation_input_summary field in PostSubmitCheckerPolicySetupResponse with a dedicated Pydantic model containing the known bounded keys returned by _post_submit_derivation_input_summary, including redacted snapshot metadata, sufficiency status, effective policy ID, and pre-submit checker names. Configure the model with extra="forbid" so unexpected or unsafe fields are rejected, while preserving the existing response shape and types for the approved keys.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.agent-loop/LOOP_STATE.md:
- Around line 5-16: Remove or update the stale pause bullet in LOOP_STATE.md
that says WS-POL-002-03 must not start. Reconcile it with the implemented status
and PR `#90` recorded in the active initiative section, leaving a single
authoritative state for WS-POL-002-03.
In @.agent-loop/WORK_QUEUE.md:
- Around line 13-14: Synchronize WS-POL-002-03 lifecycle evidence across all
listed artifacts before merge: in .agent-loop/WORK_QUEUE.md lines 13-14 retain
one WS-POL-002-03 row and derive WS-POL-002-04’s state from it; in CHUNK_MAP.md
line 15 reconcile “In review” with the paused entry; in STATUS.md lines 24-26
align the implementation narrative with the paused-after-chunk-02 narrative and
remove the duplicate “In review”/“Paused” rows at lines 47-48; in
.agent-loop/REVIEW_LOG.md lines 5-6 replace the stale publication-pending text
with the current PR `#90` state.
In `@docs/operations_project_operating_manual.md`:
- Line 45: Update docs/operations_project_operating_manual.md lines 45-45 to
require approval by admin or project_manager only, explicitly treating
correction requests as blocked/in-progress; update lines 107-110 to state
activation requires the approval endpoint and correction only requeues
regeneration; update docs/product_first_user_flows.md lines 18-23 so correction
branches back to post-submit derivation rather than policy enablement or
activation.
---
Nitpick comments:
In `@backend/app/modules/projects/schemas.py`:
- Around line 529-538: Replace the free-form derivation_input_summary field in
PostSubmitCheckerPolicySetupResponse with a dedicated Pydantic model containing
the known bounded keys returned by _post_submit_derivation_input_summary,
including redacted snapshot metadata, sufficiency status, effective policy ID,
and pre-submit checker names. Configure the model with extra="forbid" so
unexpected or unsafe fields are rejected, while preserving the existing response
shape and types for the approved keys.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 0048edd0-0ca0-48b0-a6bd-babed4b24f50
📒 Files selected for processing (16)
.agent-loop/LOOP_STATE.md.agent-loop/REVIEW_LOG.md.agent-loop/WORK_QUEUE.md.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/CHUNK_MAP.md.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/STATUS.md.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/reviews/WS-POL-002-03-external-review-response.md.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/reviews/WS-POL-002-03-internal-review-evidence.md.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/reviews/WS-POL-002-03-pr-trust-bundle.mdbackend/app/modules/projects/repository.pybackend/app/modules/projects/router.pybackend/app/modules/projects/schemas.pybackend/app/modules/projects/service.pybackend/tests/test_projects.pydocs/architecture_data_model.mddocs/operations_project_operating_manual.mddocs/product_first_user_flows.md
…ost-submit-approval-visibility # Conflicts: # .agent-loop/LOOP_STATE.md # .agent-loop/WORK_QUEUE.md
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/product_first_user_flows.md (1)
28-28: 🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick winUse the exact activation-gate wording.
The acceptance criterion should require an approved, current compiled post-submit checker policy, not merely an approved policy, so the documented gate cannot be interpreted as allowing stale or uncompiled output.
As per coding guidelines, Markdown should prefer evidence-backed documentation; the PR objective explicitly requires an approved, current compiled policy.
Proposed wording
-- Project cannot become active without guide, immutable guide source snapshot, passed or acknowledged guide sufficiency report for that immutable guide source snapshot, submission artifact policy, effective project submission artifact hash, project pre-submit checker bundle hash, approved post-submit checker policy, review policy, revision policy, and payment policy. +- Project cannot become active without guide, immutable guide source snapshot, passed or acknowledged guide sufficiency report for that immutable guide source snapshot, submission artifact policy, effective project submission artifact hash, project pre-submit checker bundle hash, an approved, current compiled post-submit checker policy, review policy, revision policy, and payment policy.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/product_first_user_flows.md` at line 28, Update the project activation-gate sentence in product_first_user_flows.md to require an approved, current compiled post-submit checker policy, replacing the broader “approved post-submit checker policy” wording while preserving all other gate requirements unchanged.Source: Coding guidelines
🧹 Nitpick comments (1)
docs/product_first_user_flows.md (1)
19-20: 🗄️ Data Integrity & Integration | 🔵 Trivial | ⚡ Quick winDocument the correction contract completely.
This says correction clears output and returns to derivation, but the contract also requires preserving redacted metadata and requeueing setup continuation. Add both guarantees to avoid implying metadata is deleted or continuation is synchronous.
As per coding guidelines, Markdown should prefer evidence-backed documentation; the PR objective explicitly requires redacted-metadata preservation and setup requeueing.
Proposed wording
- If admin or project_manager requests correction instead, Workstream clears unapproved output and returns to post-submit derivation; setup does not continue toward activation. + If admin or project_manager requests correction instead, Workstream clears unapproved compiled output, preserves redacted metadata, and requeues setup continuation from post-submit derivation; setup does not continue toward activation.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/product_first_user_flows.md` around lines 19 - 20, Update the correction behavior described in the Workstream flow around “post-submit derivation” to state that clearing unapproved output preserves redacted metadata and that setup continuation is requeued rather than proceeding synchronously. Keep the existing return-to-derivation behavior and approval path unchanged.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
@.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-01-adopt-authorization-baseline.md:
- Around line 121-123: Update the roadmap status wording in this chunk to say it
defers authorization implementation until auth proof, while preserving the
existing D4-D10 and start-signal conditions.
---
Outside diff comments:
In `@docs/product_first_user_flows.md`:
- Line 28: Update the project activation-gate sentence in
product_first_user_flows.md to require an approved, current compiled post-submit
checker policy, replacing the broader “approved post-submit checker policy”
wording while preserving all other gate requirements unchanged.
---
Nitpick comments:
In `@docs/product_first_user_flows.md`:
- Around line 19-20: Update the correction behavior described in the Workstream
flow around “post-submit derivation” to state that clearing unapproved output
preserves redacted metadata and that setup continuation is requeued rather than
proceeding synchronously. Keep the existing return-to-derivation behavior and
approval path unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 2dc9ac0d-dc35-4c49-8c09-dd1f42f4c75b
📒 Files selected for processing (22)
.agent-loop/LOOP_STATE.md.agent-loop/REVIEW_LOG.md.agent-loop/WORK_QUEUE.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/CHUNK_MAP.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/DECISIONS.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/DISCOVERY.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/INTENT.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/PLAN.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/RISKS.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-01-adopt-authorization-baseline.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-12-project-mutation-cutover.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-16-evidence-live-proof.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-PLAN-authorization-service-planning.md.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-PLAN-internal-review-evidence.md.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/CHUNK_MAP.md.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/STATUS.md.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/reviews/WS-POL-002-03-external-review-response.md.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/reviews/WS-POL-002-03-internal-review-evidence.md.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/reviews/WS-POL-002-03-pr-trust-bundle.mddocs/operations_project_operating_manual.mddocs/product_first_user_flows.md
✅ Files skipped from review due to trivial changes (15)
- .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-12-project-mutation-cutover.md
- .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/RISKS.md
- .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/CHUNK_MAP.md
- .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/DECISIONS.md
- .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-16-evidence-live-proof.md
- .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/DISCOVERY.md
- .agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/CHUNK_MAP.md
- .agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/reviews/WS-POL-002-03-internal-review-evidence.md
- .agent-loop/REVIEW_LOG.md
- docs/operations_project_operating_manual.md
- .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/INTENT.md
- .agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/reviews/WS-POL-002-03-external-review-response.md
- .agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/STATUS.md
- .agent-loop/WORK_QUEUE.md
- .agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/reviews/WS-POL-002-03-pr-trust-bundle.md
🚧 Files skipped from review as they are similar to previous changes (1)
- .agent-loop/LOOP_STATE.md
PR Trust Bundle: WS-POL-002-03
Chunk
WS-POL-002-03- Server-Owned Policy Approval And Visibility APIsReviewed Revision
Reviewed code SHA:
0e59873971db8c2a7d9d6f9f7e725cb902eb888eReviewed at:
2026-07-11T18:04:17ZInternal review evidence:
.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/reviews/WS-POL-002-03-internal-review-evidence.mdGoal
Expose generated post-submit checker setup state through safe APIs and replace
manual setup approval shortcuts with server-owned approval/correction actions.
Human-Approved Intent
Post-submit setup mirrors the pre-submit separation:
The agent derives constrained setup policy. Workstream owns approval,
correction, visibility, and activation checks. The agent still does not judge
worker submissions at runtime.
What Changed
GET /api/v1/projects/{project_id}/guides/{guide_id}/post-submit-checker-policy/setupPOST /api/v1/projects/{project_id}/guides/{guide_id}/post-submit-checker-policy/approvePOST /api/v1/projects/{project_id}/guides/{guide_id}/post-submit-checker-policy/request-correctionactor/role/time/reason provenance, feed feedback only into the exact matching
setup context, reject unchanged replacement hashes, and requeue continuation.
migration
0015_post_submit_correctionwith append-only audit rows pluscurrent-policy uniqueness.
initiative files unchanged for the separate authorization worktree.
Design Chosen
Approval is a server-owned state transition, not a client patch:
Correction is also server-owned and append-only:
Alternatives Rejected
source/effective/pre-submit setup contexts.
Scope Control
This chunk stays inside project setup visibility and approval. It does not
change task runtime, checker runtime, frontend/demo work, payment, reputation,
blockchain settlement, reviewer decision records, or per-task checker policy
generation.
Acceptance Criteria Proof
post_submit_checker_policypayload fields.requeues exact-context correction-aware derivation rather than becoming a
dead end.
Tests/Checks Run
Result summary:
Reviewer Results
These are Codex engineering-loop reviewer verdicts, not Workstream product
review decisions. Product review decisions remain
accept,needs_revision,and
reject; internal reviewer agents reportPASS,PASS WITH LOW RISKS,PASS AFTER FIXES, orFAILso process evidence stays separate from productlifecycle records.
External Review
External review response:
.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/reviews/WS-POL-002-03-external-review-response.mdEarlier CodeRabbit and GitHub Actions runs passed on the prior pushed head. The
current implementation and review-response fixes are bound to non-evidence
commit
0e59873971db8c2a7d9d6f9f7e725cb902eb888e; external checks must rerun onthe evidence-only pushed head before merge.
Remaining Risks
adminandproject_manageras setup-authorized; project-scoped role assignment remainsfuture Workstream role work.
WS-POL-002-04still owns runtime hardening for locked post-submit policyexecution and routing.
Human Review Focus
to the exact setup context, and resumes derivation without accepting an
unchanged replacement.
Human Merge Ownership
Only the user can approve and merge this PR. Codex must not merge it without
explicit user approval for this specific PR.