fix(phase4): code-enforce funds-≥1-FLW capacity guard at connect MCP boundary (#729)#731
Merged
Merged
Conversation
…boundary (#729) The #722 budget guard was SKILL.md prose and failed live on bednet-spot-check/20260606-2013 (on v0.13.557): the agent evaluated it in dollars ($0.50) while storing cents (50), so number_of_users read as 5 in-head but 0.05 in Connect — Phase 4 shipped an unclaimable opp and the guard never tripped. (Validation also confirmed #721's run-id opp-name prefix works — that's why we know the new code was active.) Move the guard into code at the MCP boundary, computed over the integers actually sent to Connect, so no agent unit-confusion can slip an underfunded opp through: - New pure helper mcp/connect/opportunity-capacity.ts: minBudgetForOneUser, numberOfUsers, assertFundsAtLeastOneUser + typed OpportunityUnderfundedError (non-retryable, structured toJSON with per-PU breakdown). - connect_create_payment_unit(s) take an optional total_budget; when supplied, the REST + Playwright backends assert total_budget ≥ Σ(max_total × (amount + org_amount)) BEFORE POSTing (no orphan PU) and reject with opportunity_underfunded when number_of_users < 1. total_budget is guard-only — never forwarded in the request body. - connect-opp-setup SKILL.md: ALWAYS pass total_budget; the hand-computed prose guard is replaced by a pointer to the code guard; sub-$1 rates round UP to the $1 minimum (never cents — Connect reads 50 as $50/visit). Tests: 10 capacity-helper + 3 rest-wiring (underfunded throws before POST; funded proceeds; total_budget not leaked to body; omitted → guard skipped). Full suite 1930 green. Supersedes the prose guard in #722. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jjackson
force-pushed
the
fix/connect-capacity-guard-code
branch
from
c5bb507 to
6fa87c5
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
#722 added a "an opportunity must fund ≥1 FLW" guard as SKILL.md prose. It failed live on
bednet-spot-check/20260606-2013(running confirmedv0.13.557): the agent evaluated the guard in dollars ($0.50) while storing cents (50), sonumber_of_usersread as5in-head but0.05in Connect. Phase 4 shipped an unclaimable opp (amount_cents: 50,total_budget: 50,connect-setup.status: done, no halt). The Deliver smoke "passed" only becausetotal_budget(50) == per-visit-amount(50)— a knife's-edge coincidence in commcare-connect's claim guard, not a healthy config.(The same validation run confirmed #721 — the opp name carried the
20260606-2013 · Bednet Spot-Checkfront-prefix — which is how we know the new code was active and the failure was real, not stale code.)Per CLAUDE.md "class-level preventers > instance fixes" and "enforce at the MCP boundary": a prose guard can't guarantee unit-consistency. Code over the integers actually sent to Connect can.
What
mcp/connect/opportunity-capacity.ts(new, pure):minBudgetForOneUser,numberOfUsers,assertFundsAtLeastOneUser, and a typedOpportunityUnderfundedError(non-retryable; structuredtoJSONwithtotal_budget,min_budget_for_one_user,number_of_users, per-PUbreakdown).connect_create_payment_unit(s)gain an optionaltotal_budgetarg. When supplied, the REST and Playwright backends asserttotal_budget ≥ Σ(max_total × (amount + org_amount))(number_of_users ≥ 1) before POSTing (no orphan PU) and rejectopportunity_underfundedotherwise.total_budgetis guard-only — never forwarded in the request body (asserted in a test).connect-opp-setup/SKILL.md: ALWAYS passtotal_budget; the hand-computed prose guard is replaced by a pointer to the code guard; sub-$1 rates round UP to the $1 minimum, never cents (Connect reads50as$50/visit— the exact bednet mix).Why this can't be fooled: the bednet misconfig (
total_budget=50,amount=50,org=50,max_total=10) → code computes50 / (10×100) = 0.05 < 1→ rejects. The agent can "think in dollars" all it wants; the code only sees the integers it's about to send.Tests
total_budgetnot leaked to body; omitted → guard skipped (back-compat).docs/atom-schemas.mdregenerated; staleness + skill-atom-reference + registration-coverage gates pass.Note on scope
The bednet smoke PDD's
$0.50rate is not edited here — the skill now rounds sub-$1 up to$1and the code guard backstops any underfunding, so the durable fix doesn't depend on the shared AI-authored golden PDD. Re-validation forks from that golden: a healthy run proves the happy path, oropportunity_underfundedproves the guard fires — both validate the fix./reload-plugins) to take effect, and a fresh seeded 3,4,6 re-validation. Supersedes the prose guard in #722.🤖 Generated with Claude Code