Cut over live target identity reads to provider-target resolver

[cbusillo]

Intent

Introduce the provider-neutral identity resolver and move live read/deploy/promotion paths to provider-target authority while still validating provider-specific execution config.

Current Status

PR #1113 is open and green for the first #1104 cutover slice: #1113

Implemented in commit 4ca24a1924d0d75f20d9e0680229e3173ab3d4d8:

• Provider-target Postgres reads/lists now use only physical launchplane_provider_targets rows for current authority. Paired Dokploy records remain audit/backfill comparison material and execution metadata.
• Lane summaries and product environment target summaries no longer synthesize current provider-target identity from Dokploy target/id pairs; Dokploy-only lanes surface missing target authority.
• Generic-web Dokploy deploy resolves identity from physical ProviderTargetRecord, reads only the selected lane's Dokploy execution config, fails closed on missing provider-target authority or Dokploy identity mismatch, and avoids cross-lane Dokploy orphan blast radius.
• Records/service-boundary docs updated to describe identity authority versus provider execution config.

Local validation:

• uv run --extra dev ruff check <changed python files> passed.
• uv run --extra dev ruff format --check <changed python files> passed.
• uv run --extra dev mypy control_plane tests passed.
• npx --yes markdownlint-cli2 docs/records.md docs/service-boundary.md passed.
• uv run python -m unittest tests.test_postgres_store tests.test_generic_web_deploy tests.test_product_environment_read_model tests.test_service passed: 536 tests.
• uv run python -m unittest tests.test_provider_target_audit tests.test_provider_target_backfill tests.test_product_environment_read_model tests.test_service passed: 482 tests.
• uv run python -m unittest passed: 1,966 tests.

GitHub validation on PR #1113:

• CI run 26830599547 passed.
• Security run 26830600144 passed.
• CodeQL run 26830599588 passed.

Next action: review/merge/deploy PR #1113. After deploy, #1105 should run product-by-product validation and a fresh Provider Target Operations audit before #1106 retirement.

Finish Line

Generic-web deploy, promotion/ship resolution, VeriReel environment reads, and Odoo target-sensitive workflows resolve stable target identity from provider-target rows and fail closed when provider-specific Dokploy metadata disagrees.

Acceptance Criteria

• Resolver uses ProviderTargetRecord for provider id, target id, target category, display name, and provider target type.
• Dokploy adapter still loads Dokploy route/runtime config needed for execution but cannot override provider-target identity.
• Missing provider-target rows block migrated live paths after cutover.
• Existing deployment/promotion records keep provider-neutral target evidence.
• Tests cover generic-web deploy, promotion/ship resolution, VeriReel environment, Odoo target replacement/post-deploy, mismatch blocking, and missing-row failure.
• Docs clarify identity authority versus provider execution config authority.

Quality Gates

Targeted workflow tests, full unittest, ruff, mypy, docs, then post-merge CI/deploy/health evidence.

[cbusillo]

Blocked on live data precondition before implementation.\n\n#1101, #1102, and #1103 are merged/deployed. #1104 now needs clean shared-store evidence before live target identity reads can move to provider-target authority:\n\n1. Run dry-run against the shared Launchplane Postgres database.\n2. Review incomplete/conflict/unsupported-provider rows.\n3. Run if the dry-run is acceptable.\n4. Re-run and require clean/no-blocker evidence for affected routes.\n\nCurrent blocker: this checkout has no , and I found no deployed service endpoint or GitHub workflow for provider-target backfill/audit. Per repo guardrails, I should not use an arbitrary local checkout as a live mutation fallback. Next safe unblock is either operator-provided backfill/audit evidence or a Launchplane-owned service/workflow surface to run this evidence path.

[cbusillo]

Corrected blocker note with command names preserved:

#1101, #1102, and #1103 are merged/deployed. #1104 now needs clean shared-store evidence before live target identity reads can move to provider-target authority:

1. Run uv run launchplane storage provider-target-backfill --database-url "$LAUNCHPLANE_DATABASE_URL" as a dry-run against the shared Launchplane Postgres database.
2. Review incomplete/conflict/unsupported-provider rows.
3. Run uv run launchplane storage provider-target-backfill --database-url "$LAUNCHPLANE_DATABASE_URL" --apply if the dry-run is acceptable.
4. Re-run uv run launchplane storage provider-target-audit --database-url "$LAUNCHPLANE_DATABASE_URL" and require clean/no-blocker evidence for affected routes.

Current blocker: this checkout has no LAUNCHPLANE_DATABASE_URL, and I found no deployed service endpoint or GitHub workflow for provider-target backfill/audit. Per repo guardrails, I should not use an arbitrary local checkout as a live mutation fallback. Next safe unblock is either operator-provided backfill/audit evidence or a Launchplane-owned service/workflow surface to run this evidence path.

[cbusillo]

Current Status — 2026-06-02

PR #1113 remains ready after the provider-target apply idempotency fix.

Latest head: bfdc91cba2b6b4b182b61160be8b7195b6c8fbf3 (Require idempotency for provider-target applies). This follow-up requires an Idempotency-Key header for backfill-apply provider-target operations before the route can mutate state, and adds a service regression test that an authorized apply without the key returns 400 idempotency_key_required and writes no provider-target row.

Local validation on the updated head:

• uv run python -m unittest tests.test_service.LaunchplaneServiceTests.test_provider_target_operation_endpoint_backfills_route tests.test_service.LaunchplaneServiceTests.test_provider_target_operation_endpoint_rejects_apply_without_idempotency_key tests.test_service.LaunchplaneServiceTests.test_provider_target_operation_endpoint_rejects_apply_without_authz — pass, 3 tests
• uv run python -m unittest tests.test_service — pass, 431 tests
• uv run python -m unittest — pass, 1,967 tests
• uv run --extra dev ruff check control_plane/service.py tests/test_service.py — pass
• uv run --extra dev ruff format --check control_plane/service.py tests/test_service.py — pass
• uv run --extra dev mypy control_plane tests — pass

GitHub validation on the updated head:

• CI run 26831219711 — success
• Security run 26831219716 — success
• CodeQL run 26831220999 — success

PR state is clean/mergeable. Next step remains merge #1113, deploy Launchplane through the normal protected path, then run the #1105 post-cutover validation/audit work.

[cbusillo]

Current Status — 2026-06-02

PR #1113 has been merged and deployed.

Merge/deploy evidence:

• PR: Cut over provider-target authority reads #1113 Cut over provider-target authority reads
• Merge commit: 3cfd9ddaa6826a56a6edec28fb2093f0d06eaf91
• Main CI run 26831888615 — success
• Main Security run 26831888503 — success
• Main CodeQL run 26831888738 — success
• Deploy Launchplane run 26832039279 — success
• Post-deploy health check: https://launchplane.shinycomputers.com/v1/health returned status: ok, storage_backend: postgres

Agent review before merge found no blockers. One non-blocking follow-up was noted: if a lane has provider-target authority but the legacy Dokploy execution metadata row is missing, generic-web deploy resolution may raise a rougher FileNotFoundError/500 path instead of a controlled deploy failure. That should be captured in the #1105 validation/follow-up slice, but it did not block the authority cutover merge/deploy.

Next step: run #1105 post-cutover validation/audit for the Phase Two target set before beginning #1106 retirement.