Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 15 additions & 14 deletions .agent-loop/LOOP_STATE.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,22 +4,23 @@

- Active initiative: `WS-AUTH-001` - Workstream Authorization Service
- Active planning chunk: none
- Active implementation chunk: none
- Branch: `codex/ws-auth-001-03-post-merge-memory`
- Worktree: `/home/abiorh/flow/workstream-authorization-service`
- Status: AUTH-03 merged through PR #109 as `f06532e` after Backend, Agent
Gates, CodeRabbit, internal review, and explicit human approval passed.
- Active implementation chunk: `WS-AUTH-001-04A` - Request And Error Context
- Branch: `codex/ws-auth-001-04-request-api-controls`
- Worktree: `/home/abiorh/flow/workstream-auth-001-04`
- Status: AUTH-04A implementation and required internal repair review pass on
production SHA `cdcaf77`; final reviewed candidate `4fd6db9` includes only
additive scalar-context and logging-state behavior-test repairs plus evidence.
- Prior `WS-AUTH-001-01` reviewed implementation SHA: `be0b836`
- Prior `WS-AUTH-001-01` final merged branch head: `b5217e1`
- Latest integrated `main` merge commit: `f06532e`
- Current gate: publish and merge the AUTH-03 post-merge memory update, then
stop.
- Next chunk: none; `WS-AUTH-001-04` remains proposed and inactive pending a
separate explicit user start after this memory update merges.
- Parallel initiative: `WS-QUAL-001-01B1B-R10` merged through PR #108 as
`5c47aba`, and this convergence records its post-merge memory. B2 remains
inactive pending a separate explicit user start; coverage chunk 02 remains
inactive pending B2 merge/memory and its separate explicit start.
- Latest integrated `main` merge commit: `1864867`
- Current gate: publish the ready PR, then require GitHub Backend, Agent Gates,
CodeRabbit, and explicit human review before merge.
- Next chunk: none; do not start `WS-AUTH-001-05` automatically.
- `WS-AUTH-001-04B` is inactive until AUTH-04A merges, memory is updated, and
the user gives its separate explicit start signal.
- Parallel initiative: `WS-QUAL-001-01B2` is paused at the user's direction so
AUTH receives the laptop's test capacity. Its last official whole-app result
remains `6466/8159` statements (`79.249908%`); no replacement evidence exists.
- Parallel initiative: `WS-ART-001-01` merged through PR #101 as `050eb15`.
`WS-ART-001-02` remains proposed and inactive pending a separate explicit
user start.
Expand Down
77 changes: 77 additions & 0 deletions .agent-loop/REVIEW_LOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,82 @@
# Review Log

## 2026-07-13 - WS-AUTH-001-04A Internal Review Passed

All required implementation tracks pass on production SHA `cdcaf77`.
Test-validation head `47241cf` added one genuine real-ASGI scalar
validation-context branch assertion. A later test-only repair establishes and
restores logging capture after in-process Alembic configuration disables an
existing logger. Exact-head test-delta review confirmed identical production
blobs and retained every earlier result; the final reviewed test revision is
bound in the internal review evidence. Valid OpenAPI, response-header,
pre-response logging, real-ASGI behavior, inventory, compatibility, and memory
findings were repaired without rate controls, schema, grants, roles, routes, or
product-authority changes.

Focused evidence is 235 passing tests. Changed-file statement coverage is
98.08 percent for API controls, 90.82 percent for the application factory,
90.70 percent for auth dependencies, and 92.36 percent for the task router. The
API drill, isolated-runner lifecycle suite, Ruff, docstring threshold, stale
scans, Markdown links, Agent Gates, additive test-delta scan, and diff hygiene
pass. A complete isolated backend regression run exposed an Alembic logging
state leak after 114 passing tests; the affected real-ASGI test now establishes
and restores its logging capture precondition, and the exact failing order
passes. GitHub Backend owns the complete-suite rerun before merge. The official
separate whole-app coverage baseline remains 79.249908 percent; no replacement
is claimed.

## 2026-07-13 - WS-AUTH-001-04A Implementation Review Repair

The final repaired 04A contract passed both required preimplementation review
tracks at exact commit `f98bbfc` before runtime implementation began. The
implementation crossed the 350 non-comment production-line checkpoint; scope
was inspected and frozen to the approved request/error boundary, with no rate
control, schema migration, grant, role, or product-authority work. The durable
checkpoint record was omitted at that time and is repaired here. The candidate
remains below the 500-line hard stop; 04B and later chunks are inactive.

Required implementation review of exact head `2a129f4` passed security,
product authority, test-delta, CI-integrity, ASGI architecture, and shared
adapter-boundary checks, but rejected publication pending truthful per-route
OpenAPI, required response-header metadata, bounded pre-response failure
logging, complete real-ASGI error/schema/inventory proof, and synchronized loop
state. Those valid findings are in the first bounded repair cycle. A full-suite
run against `2a129f4` was stopped after findings made that exact-head evidence
obsolete; its partial output contained one unidentified failure and is not
completion evidence.

## 2026-07-13 - WS-AUTH-001-04 Split Required Before Implementation

Required L1 plan review rejected the combined request/error/rate-control parent
contract before any runtime edit. The valid findings required exact ASGI header
behavior and OpenAPI compatibility for request/error context, plus an
independent committed PostgreSQL transaction, database-time atomic upsert,
privacy-key framing, and migration proof for rate controls.

The parent is split into `WS-AUTH-001-04A` Request And Error Context and
`WS-AUTH-001-04B` PostgreSQL Rate Controls. Only 04A contract repair and
preimplementation re-review are active. 04B requires 04A merge/memory and a
separate explicit user start. No runtime implementation was written under the
failed combined plan.

The first split re-review passed senior/architecture/security/product/docs/reuse
at `f01427a` but QA/CI/test-delta required one more 04A contract repair: exact
per-branch errors and invalid-ID behavior, bounded validation shapes,
CI-equivalent isolated-runner/docstring proof, per-file coverage, and additive
test-delta evidence. Runtime implementation remains gated on that re-review.

## 2026-07-13 - WS-AUTH-001-04 Started

PR #110 merged AUTH-03 post-merge memory to `main` as `1864867` after Backend,
Agent Gates, CodeRabbit, internal review, and explicit human approval passed.
The user then explicitly started `WS-AUTH-001-04` in the isolated worktree
`/home/abiorh/flow/workstream-auth-001-04` on branch
`codex/ws-auth-001-04-request-api-controls`.

AUTH-04 is L1/P1 authentication infrastructure. Discovery and required
preimplementation plan review must pass before runtime edits. AUTH-05,
POL-002-04, and all QA implementation chunks remain inactive.

## 2026-07-13 - WS-AUTH-001-03 Merged

PR #109 merged `WS-AUTH-001-03` to `main` as `f06532e` after final branch head
Expand Down
15 changes: 8 additions & 7 deletions .agent-loop/WORK_QUEUE.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,14 @@

| Chunk | Title | Risk | Status |
|---|---|---:|---|
| - | No active implementation chunk | - | AUTH-03 post-merge memory in progress; no product implementation active |
| `WS-AUTH-001-04A` | Request And Error Context | L1 | Internal review passed; ready PR publication active, complete GitHub checks required before merge |

## Planned Next

| Chunk | Title | Risk | Status |
|---|---|---:|---|
| `WS-AUTH-001-04` | Request, Error, And API Control Foundation | L1 | Proposed; inactive pending AUTH-03 memory merge and explicit user start |
| `WS-QUAL-001-01B2` | Baseline Evidence And CI Ratchet | L1 | Inactive pending explicit user start |
| `WS-AUTH-001-04B` | PostgreSQL Rate Controls | L1 | Inactive until 04A merge/memory and a separate explicit user start |
| `WS-QUAL-001-01B2` | Baseline Evidence And CI Ratchet | L1 | Paused for AUTH priority; no valid replacement baseline yet |
| `WS-QUAL-001-02` | Project Service Coverage | L1 | Inactive until 01B2 merge/memory plus explicit user start |
| `WS-POL-002-04` | Locked Runtime Execution And Routing Hardening | L1 | Inactive pending relevant authorization proof and a separate explicit user start |
| `WS-ART-001-02` | Flow Node Adapter And Reconciliation | L1 | Proposed; inactive pending separate explicit user start |
Expand Down Expand Up @@ -56,10 +56,11 @@

## Proposed Next

`WS-AUTH-001-03` merged through PR #109 as `f06532e` after all required checks
and reviews passed. Its post-merge memory update is active; no AUTH product
implementation is active. Do not start `WS-AUTH-001-04` or `WS-POL-002-04`
automatically.
`WS-AUTH-001-03` post-merge memory merged through PR #110 as `1864867`. The user
explicitly started parent `WS-AUTH-001-04`. Required plan review split it before
runtime implementation. Only child `WS-AUTH-001-04A` contract repair and
re-review are active in its isolated worktree. Do not start 04B, AUTH-05, or
POL-002-04 automatically.

Coverage R10 merged through PR #108. Do not start 01B2, chunk 02, or another
coverage implementation chunk from this worktree.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,9 @@ stopped.
| `WS-AUTH-001-01` | Adopt Authorization Baseline And Repository Contracts | L1 | Merged through PR #93 as `772af1d` |
| `WS-AUTH-001-02` | Verified Issuer Token And JWKS Boundary | L1 | Merged through PR #107 as `060b780` |
| `WS-AUTH-001-03` | Legacy Actor Classification Preflight | L1 | Merged through PR #109 as `f06532e` |
| `WS-AUTH-001-04` | Request, Error, And API Control Foundation | L1 | Proposed |
| `WS-AUTH-001-04` | Request, Error, And API Control Foundation | L1 | Split before implementation into 04A and 04B |
| `WS-AUTH-001-04A` | Request And Error Context | L1 | Internally reviewed; ready PR publication active and complete GitHub checks required |
| `WS-AUTH-001-04B` | PostgreSQL Rate Controls | L1 | Inactive pending 04A merge/memory and separate explicit start |
| `WS-AUTH-001-05` | Authority Evidence And Idempotency Foundation | L1 | Proposed |
| `WS-AUTH-001-06` | Canonical Actor Profile And Identity Link | L1 | Proposed |
| `WS-AUTH-001-07` | Authorization Kernel And Permission Registry | L1 | Proposed |
Expand All @@ -36,7 +38,8 @@ WS-AUTH-001-PLAN
-> WS-AUTH-001-01
-> WS-AUTH-001-02
-> WS-AUTH-001-03
-> WS-AUTH-001-04
-> WS-AUTH-001-04A
-> WS-AUTH-001-04B
-> WS-AUTH-001-05
-> WS-AUTH-001-06
-> WS-AUTH-001-07
Expand All @@ -55,7 +58,9 @@ WS-AUTH-001-PLAN

- Chunk 02 authenticates tokens but grants no product authority.
- Chunk 03 provides a supported classification gate before schema migration.
- Chunk 04 establishes request/error/rate controls.
- Parent chunk 04 was split before implementation. Chunk 04A establishes
request/correlation and additive error compatibility; chunk 04B later owns
durable PostgreSQL rate controls and its migration.
- Chunk 05 evolves the shared audit path and idempotency before mutations.
- Chunk 06 establishes canonical actor resolution while preserving only the
enumerated non-authoritative legacy workflow-eligibility consumers required
Expand All @@ -72,8 +77,11 @@ WS-AUTH-001-PLAN

## Stop condition

`WS-AUTH-001-03` merged through PR #109 as `f06532e` after deterministic proof,
all required internal reviewers, Backend, Agent Gates, CodeRabbit, and explicit
human approval passed. Its post-merge memory update is the current gate. Do not
start `WS-AUTH-001-04` or `WS-POL-002-04`; both retain separate explicit start
signals and prerequisites.
AUTH-03 post-merge memory merged through PR #110 as `1864867`. The user
explicitly started parent AUTH-04. Required plan review split it before runtime
implementation. AUTH-04A's repaired-contract review passed at `f98bbfc`;
production review passed at `cdcaf77`, and the final test-only revision is
bound in internal review evidence after exact-head confirmation. Ready PR
publication and complete GitHub checks are the current gate.
Do not start AUTH-04B, AUTH-05, or POL-002-04; each retains its separate start
signal and prerequisites.
Original file line number Diff line number Diff line change
Expand Up @@ -158,3 +158,32 @@ start does not imply dependency approval. No production dependency or runtime
implementation may change until the user explicitly accepts D12 and that
acceptance is recorded here. The user explicitly approved D12 by replying
"ok apporeved" after the final preimplementation plan review passed.

## D13: Identity issuer is the stable verification boundary

Status: accepted by the user on 2026-07-13.

Workstream depends on one provider-neutral `IdentityIssuerVerifier` capability
port. It extends the repository-wide `ExternalServiceAdapter` convention and
is constructed through the typed
`ExternalServiceAdapterFactory[IdentityIssuerVerifier]` foundation being
prepared by `WS-ART-001-01C`. AUTH must adopt that merged shared foundation; it
must not create a second generic adapter registry or factory.

The `/auth` dependency and product authorization layers must not change when an
additional external identity issuer is configured. Issuer-specific discovery,
JWKS, signature, claim, and introspection behavior remains behind explicit
adapter registration, construction, and configuration; it does not become a
second internal auth system or grant Workstream product authority.

The current `AuthVerifier` port, `FlowAuthVerifier` adapter, and `flow_auth_*`
configuration names are migration inputs rather than the target vocabulary.
Their rename must be one bounded, atomic specification and implementation
chunk covering the port, adapter, factory, configuration compatibility,
tests, operator documentation, and stale-name proof. AUTH-04A does not absorb
that cross-cutting rename because its reviewed request/error scope is already
at the production size circuit breaker. The owning follow-up chunk is blocked
until the shared convention merges, and must then remove the old AUTH factory
entry point and migrate all callers in one clean cut. It must be planned and
reviewed before implementation; no compatibility factory alias, duplicate
verifier, service locator, or public login/session API may be introduced.
Original file line number Diff line number Diff line change
Expand Up @@ -156,3 +156,74 @@ Production deployment inputs remain externally supplied:
- Append-only audit facts for lifecycle and authority changes.
- Fixed internal system actors for server-owned automation.
- One PR-sized chunk at a time with deterministic evidence and internal review.

## AUTH-04 Delta Discovery (2026-07-13)

### Current behavior

- `backend/app/main.py` only customizes FastAPI request-validation errors. It
has no request/correlation context, HTTP/unhandled exception envelope, or
response ID headers.
- Existing HTTP errors primarily expose FastAPI `detail`. Two bounded task
domain errors expose top-level `code/details`; existing tests rely on these
fields, so AUTH-04 must add the canonical nested envelope without deleting
compatibility fields.
- `backend/app/api/deps/auth.py` already distinguishes missing, invalid, and
unavailable authentication conditions internally, but its public responses
do not carry stable machine codes or correlation evidence.
- No rate-control model, query, service, or dependency exists. Redis is Celery
delivery infrastructure and is not an authority or API-control store.
- No first-access or admin-mutation endpoint exists yet. Their control
dependencies must be prepared here and attached only by the later owning
chunks; unrelated legacy reads must not consume those limits.

### Current migration and ownership boundary

- Current `main` migration head is `0016_artifact_domain`; the original AUTH-04
`0016_*` filename allowance is stale after parallel artifact integration.
- AUTH-04 therefore owns `0017_api_controls` with down revision
`0016_artifact_domain`.
- Existing feature modules use `models -> repository -> service`, with
`backend/app/db/models.py` importing feature models for Alembic metadata.
`backend/app/modules/api_controls` must follow that pattern and own SQL and
transaction behavior.

### Required compatibility and security properties

- Request/correlation headers require bounded canonical UUID parsing, duplicate
rejection, safe generation, and no reflection of invalid bytes.
- The adopted fallback envelope is
`error.code/message/details/correlation_id/retryable`; raw exceptions, token
material, claims, provider responses, SQL, secrets, and PII are excluded.
- Existing `detail` and coded-domain fields remain additive compatibility
surfaces in this chunk; current intake assertions may not be weakened.
- Privacy-safe rate keys require keyed HMAC rather than persisted raw issuer,
subject, actor, token, network, or email values.
- Cross-replica fixed-window increments require one PostgreSQL atomic upsert
driven by database time. Missing configuration or database failure must fail
closed for the protected dependency.

### Proof gaps owned by AUTH-04

- Header absence/propagation, malformed/duplicate values, success and every
error class, unhandled exception redaction, and legacy-field compatibility.
- Allowed, exact-limit, exceeded, expiry-reset, concurrent, cross-session,
distinct-scope/key, missing-secret, and database-unavailable rate behavior.
- Prior-head upgrade, downgrade, re-upgrade, constraints, unique key, indexes,
and database-time fields for migration `0017`.
- Full backend and API-contract regression proof without modifying product
authorization or attaching future controls to unrelated routes.

### Required plan-review split

The first combined AUTH-04 plan failed required preimplementation review before
any runtime edit. Request/error compatibility and durable rate consumption each
need an independently reviewable contract and production-code budget.

- `WS-AUTH-001-04A` owns pure-ASGI request/correlation context, bounded additive
error envelopes, legacy response/header compatibility, and OpenAPI proof.
- `WS-AUTH-001-04B` later owns HMAC-keyed PostgreSQL counters, a dedicated
committed transaction, atomic database-time windows, `0017_api_controls`,
configuration failure behavior, and migration/concurrency proof.
- 04B is not activated by this split. It requires 04A merge/memory and a
separate explicit user start.
Loading
Loading