Skip to content

Add legacy actor classification preflight#109

Merged
abiorh-claw merged 12 commits into
mainfrom
codex/ws-auth-001-03-legacy-actor-classification
Jul 13, 2026
Merged

Add legacy actor classification preflight#109
abiorh-claw merged 12 commits into
mainfrom
codex/ws-auth-001-03-legacy-actor-classification

Conversation

@Abiorh001

@Abiorh001 Abiorh001 commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

PR Trust Bundle: WS-AUTH-001-03

Chunk

WS-AUTH-001-03 - Legacy Actor Classification Preflight

Goal

Provide the supported, explicit, dry-run-first evidence workflow that classifies
every legacy actor identity before canonical actor migration without inference,
manual SQL, grants, or actor-state mutation.

Human-Approved Intent

The user explicitly started AUTH-03 after PR #107 merged AUTH-02 as 060b780.
This PR implements only the existing AUTH-03 contract. Coverage work remains
independent, and AUTH-04 remains inactive pending a separate post-merge start.

What Changed

  • Added strict version-one manifest, live-row, envelope, report, and stable
    failure contracts.
  • Added a read-only repeatable-read PostgreSQL snapshot over the fixed legacy
    identity projection.
  • Added deterministic canonical checksums and a future migration verifier.
  • Added a dry-run-first CLI with private, atomic, immutable envelope export.
  • Added adversarial file, JSON, UUID, mismatch, TOCTOU, concurrency, privacy,
    and CLI behavior tests.
  • Expanded the authorization operations runbook and reconciled AUTH loop memory.

Why It Changed

Existing actor registry rows have issuer and opaque subject but no trustworthy
subject kind. The later canonical actor migration must fail closed rather than
guessing whether a legacy identity is human or an internal service.

Design Chosen

An operator-owned strict JSON manifest binds each exact legacy UUIDv5, HTTPS
issuer, case-sensitive subject, and human or service kind. One read-only
repeatable-read snapshot verifies completeness and exact identity, then binds a
canonical confidential envelope to the live row set, manifest, database, UTC
generated-at value, and its complete contents. Publication uses an owner-only
directory, mode 0600, temp-file fsync, atomic no-overwrite link, directory
fsync, and rollback on post-link durability failure.

Pure envelope loading and verification remain independent from the mutable
actor ORM so the future synchronous Alembic migration can reuse them. That
migration will accept the file only through
WORKSTREAM_LEGACY_ACTOR_CLASSIFICATION_FILE and must recompute live bindings
inside its transaction.

Alternatives Rejected

  • Inferring kind from email, issuer subject syntax, token roles, or profiles.
  • Converting legacy profile rows into grants.
  • Manual SQL classification or an ad hoc migration bypass.
  • Persisting staged classifications in current actor state.
  • Importing the live actor ORM into the migration evidence boundary.
  • Writing confidential evidence inside any Git worktree.

Scope Control

The diff is limited to the contract-approved classifier module, CLI, focused
tests, actor database test, authorization runbook, and durable AUTH loop memory.
There is no schema, Alembic, dependency, CI, grant, role, actor-state, API,
product lifecycle, frontend, review, payment, or later AUTH implementation.

Product Behavior

This chunk adds no public API and grants no authority. Operators receive a
privacy-bounded dry-run report by default. Non-empty registries require a
complete exact manifest. Empty registries produce explicit empty proof. Export
is explicit, confidential, canonical, owner-only, and no-overwrite.

Acceptance Criteria Proof

Tests cover strict/duplicate/oversized/non-finite JSON, supported kinds,
canonical UUIDv5 derivation, exact issuer/subject matching, missing/stale/extra
rows, deterministic hashes, complete envelope checksum, database drift,
TOCTOU, empty proof, canonical bytes, permissions/ownership, main and linked
worktrees, symlinks, idempotence, link and fsync failures, environment-only
handoff, cleanup redaction, migration import independence, and real PostgreSQL
snapshot isolation under a concurrent commit.

Tests And Checks

  • 57 repaired focused behavior tests passed against isolated PostgreSQL.
  • New classifier plus CLI coverage is 92 percent combined.
  • Repository-wide Ruff, stale wording, stale authorization docs, Markdown
    links, docstring coverage, and git diff --check pass.
  • The isolated-runner lifecycle rerun passed 16/16 tests.
  • The unchanged GitHub Backend CI --cov-fail-under=78 gate will provide the
    repository-wide coverage and complete-suite evidence before merge.

Test Delta

No tests were deleted, skipped, xfailed, or weakened. The changed actor test
uses real PostgreSQL and proves read-only repeatable-read state plus concurrent
snapshot stability. File and CLI tests exercise observable failure behavior,
not execution-only coverage lines.

CI Integrity

No workflow, dependency, package script, threshold, exclusion, or bypass
changed. Focused coverage exceeds 90 percent. Repository-wide coverage remains
enforced at the unchanged 78 percent CI floor while the separate coverage
initiative raises that floor toward the authoritative 90 percent target.

Reviewer Results

All required tracks pass implementation SHA
8e2ae489834a3934d6ef507834139a1009dac2e6, and the final evidence-bound
revision db123f7d06cadf433f02f1210ab7927b85a26b61 passed engineering,
security, QA, test-delta, and CI evidence re-review. Initial High and Medium
findings were repaired and re-reviewed. Only documented low risks remain.

External Review

Ready PR #109 is open at
https://github.com/Flow-Research/workstream/pull/109. Agent Gates pass;
GitHub Backend CI, CodeRabbit, and explicit human review are pending.

Remaining Risks

  • Database binding is a same-cluster guard, not a globally unique environment
    identity; clone/restore/recreation requires fresh evidence.
  • Production classifications remain operator inputs from authoritative issuer
    evidence and are not available or required for deterministic implementation.
  • The later migration must still consume and reverify this envelope; AUTH-03
    does not alter schema or actor state.

Follow-Up Work

AUTH-04 remains inactive. The future actor migration consumes this preflight in
its owning reviewed chunk. Confidential manifest/envelope deletion follows the
durable migration-record and rollback-window procedure in the runbook.

Human Review Focus

Inspect absence of inference, exact UUIDv5/issuer/subject matching, complete
row-set and envelope checksums, owner-only custody, every-worktree exclusion,
snapshot/TOCTOU behavior, future migration independence, and absence of grants
or database writes.

Human Merge Ownership

Only the user may approve and merge this PR. PR publication is not merge
approval, and AUTH-04 must not start automatically.

Summary by CodeRabbit

  • New Features
    • Added a dry-run workflow for classifying legacy actors and generating privacy-bounded reports.
    • Added controlled export of tamper-evident evidence files with deterministic checksums and database consistency validation.
    • Added safeguards for secure file handling, read-only snapshots, atomic publication, and fail-closed error reporting.
  • Documentation
    • Documented manifest requirements, export procedures, validation failures, retention, rollback, and migration handoff rules.
  • Bug Fixes
    • Improved protection against identity disclosure, data drift, unsafe paths, and incomplete classification evidence.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@Abiorh001, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 27 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2aa4607b-3b13-4522-abfd-0afaea8386b3

📥 Commits

Reviewing files that changed from the base of the PR and between 5185075 and 43ffbfe.

📒 Files selected for processing (10)
  • .agent-loop/LOOP_STATE.md
  • .agent-loop/REVIEW_LOG.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-03-legacy-actor-classification.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-03-external-review-response.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-03-internal-review-evidence.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-03-pr-trust-bundle.md
  • .agent-loop/initiatives/WS-QUAL-001-backend-coverage-floor/STATUS.md
  • backend/scripts/legacy_actor_classification.py
  • backend/tests/test_actor_legacy_classification.py
📝 Walkthrough

Walkthrough

Adds a fail-closed legacy actor classification workflow with deterministic evidence contracts, read-only database snapshots, secure envelope publication, a dry-run-first CLI, extensive tests, operational documentation, and updated workstream gating state.

Changes

Legacy actor classification

Layer / File(s) Summary
Evidence contracts and validation
backend/app/modules/actors/legacy_classification.py
Adds strict Pydantic contracts, canonical JSON and SHA-256 hashing, UUIDv5 identity checks, manifest/envelope validation, and privacy-bounded reports.
Snapshot, verification, and publication
backend/app/modules/actors/legacy_classification.py
Adds repeatable-read read-only PostgreSQL snapshots, checksum and database-binding verification, protected-path validation, and crash-safe immutable envelope publication.
Dry-run and export CLI
backend/scripts/legacy_actor_classification.py
Adds bounded argument parsing, Git worktree resolution, dry-run reporting, explicit export handling, stable errors, and cleanup behavior.
Behavioral and database proof
backend/tests/test_actor_legacy_classification.py, backend/tests/test_actors.py
Covers schema, hashing, tampering, permissions, atomic publication, migration handoff, privacy, CLI behavior, and snapshot isolation.
Operational workflow and review records
docs/operations_authorization_service.md, .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/*, .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/*
Documents evidence handling, execution and migration protocols, acceptance criteria, review results, risks, and stop conditions.
Initiative and queue state
.agent-loop/*, .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/*, .agent-loop/initiatives/WS-QUAL-001-backend-coverage-floor/*
Updates active chunks, merged PR records, reviewed SHAs, work queues, and explicit start gates.
Estimated code review effort: 4 (Complex) ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Operator
  participant ClassificationCLI
  participant PostgreSQL
  participant EvidencePublisher
  Operator->>ClassificationCLI: run dry-run or explicit export
  ClassificationCLI->>PostgreSQL: acquire read-only repeatable-read snapshot
  PostgreSQL-->>ClassificationCLI: legacy actor rows and database binding
  ClassificationCLI->>ClassificationCLI: validate manifest and build envelope
  ClassificationCLI->>EvidencePublisher: publish canonical envelope when requested
  EvidencePublisher-->>ClassificationCLI: write status or stable failure
  ClassificationCLI-->>Operator: bounded JSON report
Loading

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 51.38% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding a legacy actor classification preflight workflow.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/ws-auth-001-03-legacy-actor-classification

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@abiorh-claw abiorh-claw self-requested a review July 13, 2026 08:12
…legacy-actor-classification

# Conflicts:
#	.agent-loop/LOOP_STATE.md
#	.agent-loop/WORK_QUEUE.md

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🧹 Nitpick comments (1)
backend/scripts/legacy_actor_classification.py (1)

119-121: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add internal logging for unexpected exceptions.

The generic except Exception handler reports all non-LegacyClassificationError failures as "database_operation_failed", which is misleading for file I/O errors from publish_envelope or manifest parsing errors from load_manifest. Consider logging the actual exception internally for debugging while preserving the generic external message.

Add import logging at the top of the file, then:

♻️ Proposed refactor
     except Exception:
+        logging.getLogger(__name__).exception("unexpected classification error")
         stderr_message = '{"error":"database_operation_failed","status":"error"}'
         result = 2
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/scripts/legacy_actor_classification.py` around lines 119 - 121,
Update the generic `except Exception` handler in the main classification flow to
log the caught exception internally with Python’s `logging` module, while
preserving the existing generic `stderr_message` and result code. Add the
`logging` import and use an appropriate logger call so failures from
`publish_envelope`, `load_manifest`, or other unexpected operations retain
diagnostic details without changing the external response.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
@.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-03-legacy-actor-classification.md:
- Around line 123-130: Update the “Implementation review status” record to match
the durable internal review evidence: label
a70b89c91a8950eabaa750e340d4f853529d66f0 as the reviewed revision and
8e2ae489834a3934d6ef507834139a1009dac2e6 as the implementation SHA, using these
labels consistently across the related records.

In
@.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-03-internal-review-evidence.md:
- Around line 19-36: Replace the host-local /root/auth03_parallel review paths
in the recorded review run ID fields with durable run identifiers or
repository-relative artifact references. Update all entries under the reviewer,
merge-resolution, and evidence-binding sections while preserving each review
role and its association with the correct run.

In
@.agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md:
- Around line 21-22: Reconcile the PR `#108` lifecycle-head reference in STATUS.md
with the authoritative 5c47aba SHA recorded in LOOP_STATE.md and REVIEW_LOG.md.
Update the entry to use 5c47aba, or explicitly clarify why a70b89c is a distinct
reviewed head so operators can identify the correct integrated revision.
- Around line 60-62: Update the status statement in the AUTH-03 documentation to
distinguish implementation readiness from merge readiness: state that there is
no implementation blocker, while explicitly noting that PR `#109` external checks,
required human review, and repository-wide coverage proof remain pending.

In @.agent-loop/initiatives/WS-QUAL-001-backend-coverage-floor/STATUS.md:
- Around line 5-13: Update the Branch metadata in STATUS.md to reference the
authoritative post-merge branch associated with the merged R10 state, or
explicitly label the existing B1B branch as historical; keep the merged status
and active implementation chunk unchanged.

In `@backend/scripts/legacy_actor_classification.py`:
- Around line 122-127: Update the cleanup exception handler around
dispose_engine() so it only assigns the database_cleanup_failed stderr_message
and result = 2 when no prior failure has been recorded. Preserve the existing
stdout_message, stderr_message, and result values when the main operation
already failed, including specific exit codes such as 130.

---

Nitpick comments:
In `@backend/scripts/legacy_actor_classification.py`:
- Around line 119-121: Update the generic `except Exception` handler in the main
classification flow to log the caught exception internally with Python’s
`logging` module, while preserving the existing generic `stderr_message` and
result code. Add the `logging` import and use an appropriate logger call so
failures from `publish_envelope`, `load_manifest`, or other unexpected
operations retain diagnostic details without changing the external response.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 9920e7b9-1e8d-4b04-85ae-5615362cb8af

📥 Commits

Reviewing files that changed from the base of the PR and between 5c47aba and 5185075.

📒 Files selected for processing (15)
  • .agent-loop/LOOP_STATE.md
  • .agent-loop/REVIEW_LOG.md
  • .agent-loop/WORK_QUEUE.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/CHUNK_MAP.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/chunks/WS-AUTH-001-03-legacy-actor-classification.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-03-internal-review-evidence.md
  • .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/reviews/WS-AUTH-001-03-pr-trust-bundle.md
  • .agent-loop/initiatives/WS-QUAL-001-backend-coverage-floor/CHUNK_MAP.md
  • .agent-loop/initiatives/WS-QUAL-001-backend-coverage-floor/STATUS.md
  • backend/app/modules/actors/legacy_classification.py
  • backend/scripts/legacy_actor_classification.py
  • backend/tests/test_actor_legacy_classification.py
  • backend/tests/test_actors.py
  • docs/operations_authorization_service.md

Comment thread .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md Outdated
Comment thread .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md Outdated
Comment thread backend/scripts/legacy_actor_classification.py Outdated
@abiorh-claw abiorh-claw merged commit f06532e into main Jul 13, 2026
3 checks passed
@abiorh-claw abiorh-claw deleted the codex/ws-auth-001-03-legacy-actor-classification branch July 13, 2026 09:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants