Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 17 additions & 16 deletions .agent-loop/LOOP_STATE.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,34 +5,35 @@
- This authored file is reviewed planning/history context, not canonical live
post-merge state. Canonical state is the signed schema-v2 output on
`automation/loop-memory`.
- Active initiatives include parallel `WS-AUTH-001`, `WS-ART-001`, and the
planning-only `WS-XINT-001` boundary reconciliation.
- Active planning chunk: `WS-XINT-001-PLAN` on
`codex/ws-xint-001-boundary-reconciliation`.
- Parallel implementation worktrees: reviewed `WS-AUTH-001-09A` fixed service
identity foundation at `c4200a7` and reviewed `WS-ART-001-02A3` ArtifactStore
v2 Local clean cut at `935b1a2`; neither is part of this planning branch.
- Start basis: PR #131 merged AUTH-08 into `main` as `aa0fdcd`, and PR #129 then
merged ART-02A2 into `main` as `9a04434`.
- Active initiatives include parallel `WS-AUTH-001` and `WS-ART-001`.
- PR #139 merged the planning-only `WS-XINT-001-PLAN` boundary reconciliation
into `main` as `5d353b6` on 2026-07-17.
- Active planning chunk: `WS-AUTH-001-XINT` on
`codex/ws-auth-001-xint-reconciliation`.
- PR #132 remains open at `79d1989` and conflicts with current `main`. Its
AUTH-09A fixed service foundation remains valid but must converge after this
AUTH planning amendment; AUTH-09B remains inactive.
- Start basis: trusted `main` at `5d353b6` after PR #139.
- PR #119 merged `WS-AUTH-001-05B` as `ad71c7e`.
- PR #120 merged `WS-ART-001-OBJECT-STORAGE-AMENDMENT` as `4408256`.
- PR #122 merged the first automated post-merge memory implementation as
`fc89fb6`; its schema-v1 cross-initiative next pointer is superseded by the
schema-v2 initiative-local clean cut.
- Current gate: exact-SHA internal review and evidence for
`WS-XINT-001-PLAN`; no downstream runtime starts from this planning branch.
- Current gate: required internal review passes on the externally repaired
planning state at `bac3073`, and final deterministic closure passes on
evidence head `7cb02b5`; replacement external checks and the human checkpoint
remain for PR #140. No runtime starts from this planning branch.
- Scope checkpoint: AWS S3 is the only v0.1 production provider; MinIO is
local/CI S3 protocol proof; LocalStorage is focused development/test; R2 and
Flow Node are deferred. Product modules receive narrow artifact capabilities,
and AWS cannot instantiate in production without release-bound live proof.
- Authorization checkpoint: merged main contains 74 PermissionIds and 57
ActionIds, with the two actor-self and seven AUTH-08 administrative actions
active. AUTH-09A's reviewed parallel branch defines seven fixed artifact
service identities and eleven exact planned static matrix memberships. ART
feature chunks supply hidden canonical behavior/resource composition. Future
AUTH activation-custodian chunks alone integrate evaluators and change action
availability after that hidden behavior merges; `WS-XINT-001` activates
nothing.
service identities and eleven exact planned static matrix memberships. The
plan now requires availability-neutral ART/REV custody transfer, fixed-service
admission, prepared mutation authority, feature-owned hidden behavior, and
exact AUTH-only activation chunks. This planning amendment activates nothing.
- Parallel artifact checkpoint: `WS-ART-001-02A1` was explicitly started and
merged through PR #127 as `f64a8e5`; it is at the post-merge memory/stop
checkpoint. ART-02A2 merged through PR #129, and ART-02A3 is reviewed in its
Expand Down
22 changes: 22 additions & 0 deletions .agent-loop/REVIEW_LOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,27 @@
# Review Log

## 2026-07-17 - WS-AUTH-001-XINT External Review Repair Passed

CodeRabbit posted nine actionable comments on PR #140. Eight valid contract,
least-privilege, migration, and Markdown findings were repaired at exact SHA
`c4c4f2e`; the requested runtime `AuthorityClaimHandle` rewrite was rejected as
a conflation with the distinct future PREP handle and as planning-scope creep.
Senior, QA, security, product, architecture, CI, docs, and reuse tracks pass the
repair. Earlier Agent Gates failures were repaired by the null schema-v2
successor, and replacement Agent Gates and Backend runs pass. Evidence rebinding
and replacement external checks remain; no AUTH runtime successor is active.

## 2026-07-17 - WS-AUTH-001-XINT Internal Review Passed

Exact planning SHA `2acabdac0658c3f0109db4235458827b8a06bf31` passed senior
engineering, QA/test, security/auth, product/ops, architecture, CI integrity,
docs, and reuse/dedup review after all valid findings were repaired. The final
plan preserves merged XINT's eight ART custody owners, exact 25 ART / 19 REV
action map, uninterrupted AUTH-09A through 09E sequence, delta-based future
registrations, dormant adjudicator invalidation, and exact PREP lock order. All
80 agent-gate tests, stale wording, authorization-doc, Markdown-link, and diff
checks passed. PR publication is pending; no runtime successor is active.

## 2026-07-16 - WS-AUTH-001-08 Internal Review Passed

Exact implementation SHA `34f87a5aa7d75897349f64f5e904cb1847af019b`
Expand Down
12 changes: 7 additions & 5 deletions .agent-loop/WORK_QUEUE.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

| Chunk | Title | Risk | Status |
|---|---|---:|---|
| `WS-XINT-001-PLAN` | Lifecycle Boundary Reconciliation | L1 | Planning-only coordination active after explicit user start on 2026-07-16 |
| `WS-AUTH-001-XINT` | Lifecycle Boundary Plan Reconciliation | L1 | Planning-only AUTH owner response to merged PR #139 |

Live post-merge state remains read from signed `automation/loop-memory`
output. This authored queue records the separately approved parallel chunks.
Expand All @@ -14,7 +14,7 @@ output. This authored queue records the separately approved parallel chunks.
| Chunk | Title | Risk | Status |
|---|---|---:|---|
| `WS-QUAL-001-01B2` | Baseline Evidence And CI Ratchet | L1 | Paused for AUTH priority; no valid replacement baseline yet |
| `WS-AUTH-001-09A` | Fixed Service Identity Foundation | L1 | Reviewed in PR #132; awaiting explicit human merge approval |
| `WS-AUTH-001-09A` | Fixed Service Identity Foundation | L1 | PR #132 remains unmerged/conflicting; converge on merged XINT and re-review after this plan merges |
| `WS-QUAL-001-02` | Project Service Coverage | L1 | Inactive until 01B2 merge/memory plus explicit user start |
| `WS-POL-002-04` | Locked Runtime Execution And Routing Hardening | L1 | Inactive pending relevant authorization proof and a separate explicit user start |
| `WS-ART-001-02A3` | ArtifactStore v2 Local Clean Cut | L1 | Reviewed in isolated parallel worktree; pending its own PR and merge |
Expand Down Expand Up @@ -72,6 +72,7 @@ output. This authored queue records the separately approved parallel chunks.
| `WS-AUTH-001-07B` | Deny-By-Default Kernel And Self-Action Cutover | L1 | Merged through PR #130 as `90eca12` on 2026-07-15 |
| `WS-AUTH-001-08` | Bootstrap Access Administrator Grant | L1 | Merged through PR #131 as `aa0fdcd` on 2026-07-16 |
| `WS-ART-001-02A2` | Committed Source And Local Preparation | L1 | Merged through PR #129 as `9a04434` on 2026-07-16 |
| `WS-XINT-001-PLAN` | Lifecycle Boundary Reconciliation | L1 | Merged through PR #139 as `5d353b6` on 2026-07-17 |
| `WS-ART-001-OBJECT-STORAGE-AMENDMENT` | AWS-First Object Storage Planning Amendment | L1 | Merged through PR #120 as `4408256` on 2026-07-14 |
| `WS-ART-001-02A1` | External Service Adapter Foundation | L1 | Merged through PR #127 as `f64a8e5` on 2026-07-15 |
| `WS-ENG-001-02` | Automated Post-Merge Memory | L1 | Merged through PR #122 as `fc89fb6`; schema-v1 output superseded by WS-ENG-001-03 |
Expand All @@ -81,9 +82,10 @@ output. This authored queue records the separately approved parallel chunks.
AUTH-05A merged through PR #115 as `8e1cde6`, and CAT plus its post-merge memory
merged through PRs #117 and #118. AUTH-05B merged through PR #119 as `ad71c7e`.
AUTH-06 merged through PR #124 as `f599551`. AUTH-07A, AUTH-07B, and AUTH-08
merged through PRs #126, #130, and #131. AUTH-09A is reviewed in its isolated
parallel worktree; do not start an AUTH-09 successor or POL-002-04
automatically.
merged through PRs #126, #130, and #131. WS-XINT planning merged through PR #139.
`WS-AUTH-001-XINT` now reconciles AUTH's owner plan. AUTH-09A remains open
and conflicting in PR #132; converge and re-review it only after this planning
amendment merges. Do not start an AUTH-09 successor or POL-002-04 automatically.

Coverage R10 merged through PR #108. Do not start 01B2, chunk 02, or another
coverage implementation chunk from this worktree.
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,163 @@
# Activation Custody: WS-AUTH-001

## Authority

This plan applies the merged `WS-XINT-001` handoffs to AUTH. It distinguishes:

- feature/resource ownership: ART, REV, CON, project, task, submission, or
checker code owns facts, guards, state, and hidden behavior;
- activation custody: one exact AUTH chunk owns `ActionOwner`, evaluator
integration, and the `planned` to `active` transition; and
- transaction ownership: the request route or service command owns one commit
after AUTH and all feature participants have staged their evidence and state.

Feature chunks never change availability. AUTH never invents feature facts or
performs feature lifecycle mutations.

## Current catalogue baseline

Trusted `main` after PR #139 contains 74 PermissionIds and 57 ActionIds: nine
active and 48 planned. Of the planned rows, 25 ART actions and 19 REV actions
still carry historical feature-chunk owner values. The two custody-transfer
chunks below change only those owner values. Counts, mappings, and availability
must remain identical.

## ART custody transfer

| AUTH activation chunk | Exact planned ActionIds |
|---|---|
| `WS-AUTH-001-ART-02D-INTERNAL` | `artifact.verification.execute`, `artifact.pending_work.scan`, `artifact.put_attempt.resolve` |
| `WS-AUTH-001-ART-02D-OPERATOR` | `artifact.binding.read`, `artifact.replica.read`, `artifact.receipt.read`, `artifact.verification_job.read`, `artifact.verification_job.retry`, `artifact.recovery_attempt.read`, `artifact.audit.read`, `operations.artifact_storage_admission.read` |
| `WS-AUTH-001-ART-03` | `artifact.guide_source.ingest`, `artifact.guide_source.read`, `artifact.guide_source.binding.create` |
| `WS-AUTH-001-ART-04A` | `artifact.upload_session.create`, `artifact.upload_session.read`, `artifact.upload_item.write`, `artifact.upload_session.seal`, `artifact.upload_session.cancel`, `artifact.upload_session.expire` |
| `WS-AUTH-001-ART-04B` | `artifact.pre_submit.checker_input.materialize` |
| `WS-AUTH-001-ART-05` | `artifact.submission.binding.create` |
| `WS-AUTH-001-ART-06A` | `artifact.post_submit.checker_input.materialize` |
| `WS-AUTH-001-ART-06B` | `artifact.checker_output.write`, `artifact.checker_output.binding.create` |

`WS-AUTH-001-ART-CUSTODY` performs the atomic 25-row transfer to eight exact AUTH
groups and removes the seven historical ART owner enum values. It adds no migration because owner and
availability are typed metadata, while PostgreSQL preserves the exact
ActionId-to-PermissionId set.

## REV custody transfer

| AUTH activation chunk | Exact planned ActionIds |
|---|---|
| `WS-AUTH-001-REV-05` | `review.queue.read`, `review.queue.inspect` |
| `WS-AUTH-001-REV-06` | `review.claim`, `review.release`, `review.decline_preference`, `review.preference_expiry.run`, `review.lease_expiry.run` |
| `WS-AUTH-001-REV-07` | `review.context.read`, `review.chain.read`, `review.finding_evidence.ingest` |
| `WS-AUTH-001-REV-08` | `review.decision` |
| `WS-AUTH-001-REV-09A` | `review.finding_response_evidence.ingest` |
| `WS-AUTH-001-REV-11` | `review.lease.force_release`, `review.queue.routing.override`, `review.queue.routing.correct`, `review.queue.close`, `review.reconcile.run` |
| `WS-AUTH-001-REV-12` | `review.artifact_reference.reconcile`, `review.projection.rebuild` |

`WS-AUTH-001-REV-CUSTODY` performs the atomic 19-row transfer and removes the
seven historical REV owner enum values. It changes no mapping or availability
and adds no migration.

## Additive registration gates

The following values are approved boundary proposals, not registered runtime
actions on trusted `main`:

| Registration chunk | Future activation chunk | Proposed ActionId -> PermissionId |
|---|---|---|
| `WS-AUTH-001-REV-REG` | `WS-AUTH-001-REV-LIFECYCLE` | `review.revision_context.repair` -> `project.task.manage`; `review.revision_context.legacy_close` -> `operations.reconcile.run`; `review.revision_obligation.close` -> `project.task.manage`; `review.lifecycle.activation.manage` -> `operations.reconcile.run` |
| `WS-AUTH-001-ART-REV-EVIDENCE-REG` | `WS-AUTH-001-ART-REV-EVIDENCE` | `artifact.review_evidence.binding.create` -> `artifact.binding.create` |

These are declared future registration gates, not executable chunk contracts.
Neither may receive a full contract or start until the owning feature publishes exact
principal class, typed resource context, canonical facts, guards, surfaces,
transaction revalidation, and hidden behavior dependencies. AUTH must not invent
those contracts. Registration is availability-neutral and requires typed plus
PostgreSQL audit mapping parity. Migration numbers are allocated from trusted
`main` when each registration contract becomes executable; they are not
reserved ahead of an incomplete feature contract. Each registration migration
takes a writer-blocking downgrade lock and refuses without mutation when any
decision, audit, idempotency, or linked evidence references an added ActionId.
Its proof includes populated refusal, empty safe downgrade, re-upgrade, and
fresh replay.

Counts are derived from trusted `main` when a gate executes. REV registration
adds exactly four planned actions and zero active actions; evidence registration
adds exactly one planned action and zero active actions, in either order.
PermissionIds remain 74. The evidence-binding
registration also adds that exact action to the existing
`workstream.artifact.binding` static row, increasing matrix membership from 11
to 12 without adding an identity or database grant.

## Prepared mutation prerequisite

`WS-AUTH-001-PREP` adds a session-bound, action-bound, opaque, single-use,
nonserializable prepared authority handle:

```text
AUTH locks canonical current authority
-> feature locks its records
-> feature recomposes final typed facts
-> AUTH evaluates exactly once and stages decision evidence
-> feature participants flush
-> route or service command commits once
```

Reads retain `AuthorizationService.require()`. Mutations must not evaluate
against stale pre-lock facts or let dependency teardown commit shared state.

## Activation gate

Every activation chunk requires an immutable merged feature SHA and exact
manifest containing its action list, resource composer, facts, guards, primary
surface declarations, transaction owner, revalidation proof, and real-kernel
`action_unavailable` proof before activation. The AUTH chunk then integrates
only those evaluators, changes only those actions to active, proves the exact
availability delta, and preserves all unrelated rows.

An activation entry in this map is a non-executable placeholder until that
manifest exists. Its later preimplementation contract must enumerate exact
allowed feature files, route/command and transaction tests, generated manifest
delta, allow/deny/revalidation/rollback matrix, PostgreSQL concurrency cases,
focused coverage commands for every changed subsystem at 90 percent or higher,
and the full backend suite preserving the global 78 percent floor. Generic “as
applicable” proof or AUTH-only tests cannot authorize activation.

`WS-AUTH-001-ART-02D-INTERNAL` requires the exact merged ART-02C2 verification,
resolution, and scanner behavior plus ART-02C3 recovery/fencing foundations and
any ART-02D resource-composer dependency. ART-02D does not own the internal
behavior. Within `WS-AUTH-001-ART-02D-OPERATOR`,
`artifact.verification_job.retry` requires its own evaluator, guards, behavior
tests, and explicit availability assertion; passing the seven read/status cases
does not authorize retry.

Service actions additionally require a previously reviewed exact fixed-service
identity and matrix extension plus controlled provisioning and AUTH-09E
admission. REV must publish exact timer, expiry, reconciliation, projection,
artifact-reference, and release-control service manifests before AUTH creates
those identity-specific extension contracts. No catch-all review service is
pre-created.

`review.decision` additionally requires the merged flush-only CON participant
and one rollback-safe REV+CON transaction. Review-evidence binding additionally
requires ART and REV to define the in-process/service boundary, two independent
authorization decisions and evidence records, exact lock order, and one
transaction owner. Human authority cannot be silently converted into service
authority.

## Sequencing

```text
WS-AUTH-001-XINT planning reconciliation
-> repair and re-review PR #132 / AUTH-09A on trusted main
-> AUTH-09B -> 09C -> 09D -> 09E
-> WS-AUTH-001-ART-CUSTODY
-> WS-AUTH-001-REV-CUSTODY
-> WS-AUTH-001-PREP
-> AUTH-10 through AUTH-15 core cutovers
-> feature-gated registration and activation chunks as their manifests merge
-> AUTH-16 aggregate conformance and live proof
```

Only one WS-AUTH implementation chunk is active at a time. ART, REV, and CON
may build hidden behavior in their own worktrees while real actions remain
planned, but each merged AUTH activation must converge from current trusted
`main` and pass its own human checkpoint.
Loading
Loading