From e34d4a3e9eaa1eaea6ee772b9e1610db98302dbb Mon Sep 17 00:00:00 2001 From: yhryzy Date: Tue, 16 Jun 2026 15:32:55 +0100 Subject: [PATCH] docs: record workspace read gate merge --- .../14-release-readiness-evidence-gate.md | 15 ++++++---- ...5-workspace-production-persistence-spec.md | 30 +++++++++++-------- docs/review-context/CHANGELOG.md | 19 ++++++++++++ docs/review-context/MANIFEST.json | 3 +- .../release-readiness/M5-CLOSEOUT.md | 15 +++++++--- .../m5-closeout-summary.json | 11 +++++-- docs/review-context/source-index.md | 23 ++++++++++++-- .../workspace-durable/README.md | 15 +++++++--- 8 files changed, 99 insertions(+), 32 deletions(-) diff --git a/docs/review-context/14-release-readiness-evidence-gate.md b/docs/review-context/14-release-readiness-evidence-gate.md index ed52765a..c3afc389 100644 --- a/docs/review-context/14-release-readiness-evidence-gate.md +++ b/docs/review-context/14-release-readiness-evidence-gate.md 
@@ -120,22 +120,25 @@ Current evidence: - Platform PR #39 adds database-backed `workspace_review_memberships` and requires production save/clear operations on the compatibility route to match an active repo membership for the trusted actor id and role. +- Platform PR #40 extends trusted actor and active membership checks to + production load operations on the compatibility route, so load/save/clear + all fail closed without trusted actor and matching active membership. - `15-workspace-production-persistence-spec.md` defines the product design for database-backed storage, authorization, conflict handling, audit events, and multi-instance behavior. Remaining boundary: -- PR #39 proves a compatibility-route active membership check for production - save/clear, but does not prove full user/JWT authentication, read - authorization, membership management APIs/UI, typed Workspace aggregates, - release-owner human audit semantics, operation-specific writes, ingress - header-stripping configuration, or multi-instance acceptance behavior. +- PR #40 proves a compatibility-route active membership check for production + load/save/clear, but does not prove full user/JWT authentication, membership + management APIs/UI, typed Workspace aggregates, release-owner human audit + semantics, operation-specific writes, ingress header-stripping + configuration, or multi-instance acceptance behavior. Blocked until: - the compatibility snapshot slice is supplemented by production-grade access - boundaries beyond trusted headers and save/clear membership checks, typed + boundaries beyond trusted headers and compatibility-route membership checks, typed durable records, operation-specific frontend writes, release-owner audit semantics, and multi-instance evidence for the demo path. diff --git a/docs/review-context/15-workspace-production-persistence-spec.md b/docs/review-context/15-workspace-production-persistence-spec.md index 1b4188b8..2b8369e7 100644 
--- a/docs/review-context/15-workspace-production-persistence-spec.md +++ b/docs/review-context/15-workspace-production-persistence-spec.md @@ -15,7 +15,7 @@ readiness. ## Current Baseline -The current platform state has seven relevant merged slices: +The current platform state has eight relevant merged slices: - PR #31 adds the Workspace review product shell. - PR #32 adds local durable review state and release-owner audit trail @@ -37,15 +37,18 @@ The current platform state has seven relevant merged slices: requires production save/clear operations on that same compatibility endpoint to match an active repo membership for the trusted actor id and role. +- PR #40 extends the same trusted actor and active membership checks to + production load operations, so the compatibility endpoint now fails closed + for load/save/clear unless the actor is trusted and a matching active repo + membership exists. The baseline now proves product direction, a shared API surface, and database-backed compatibility snapshot persistence with basic revision conflict audit evidence plus compatibility-route trusted actor and active-membership -gates for production save/clear. It does not prove the full production -persistence model, user/JWT authorization, read authorization, membership -management APIs/UI, typed object aggregates, release-owner human audit -semantics, operation-specific writes, ingress header-stripping proof, or -multi-instance acceptance behavior. +gates for production load/save/clear. It does not prove the full production +persistence model, user/JWT authorization, membership management APIs/UI, typed +object aggregates, release-owner human audit semantics, operation-specific +writes, ingress header-stripping proof, or multi-instance acceptance behavior. ## Product Position 
@@ -216,7 +219,7 @@ Rules: ## Migration From Current Slice -Migration from PR #34, PR #35, PR #36, PR #37, and PR #39 should be staged: +Migration from PR #34, PR #35, PR #36, PR #37, PR #39, and PR #40 should be staged: 1. Keep the existing review-state endpoint as the frontend compatibility route. 2. Add database tables and service-layer operations behind the endpoint. @@ -242,14 +245,16 @@ Current implementation evidence: metadata in save/clear audit events. - PR #39 extends that compatibility slice with active repo membership checks for production save/clear, backed by `workspace_review_memberships`. +- PR #40 extends the trusted actor and active membership checks to production + load on the compatibility route. - PR #35 does not yet implement typed service-layer operations for `CreativeRepo`, `ReviewItem`, `EvidencePack`, `ReleaseGate`, or `AuditEvent`. -- PR #39 does not yet implement full user/JWT authentication, read - authorization, membership management APIs/UI, typed service-layer operations, - release-owner human audit semantics, seeded repo migration, - operation-specific frontend writes, ingress/gateway header-stripping proof, - or multi-instance acceptance evidence. +- PR #40 does not yet implement full user/JWT authentication, membership + management APIs/UI, typed service-layer operations, release-owner human audit + semantics, seeded repo migration, operation-specific frontend writes, + ingress/gateway header-stripping proof, or multi-instance acceptance + evidence. ## Acceptance Gates @@ -291,3 +296,4 @@ This spec does not upgrade current release status by itself. - `yha9806/vulca-platform` PR #36. - `yha9806/vulca-platform` PR #37. - `yha9806/vulca-platform` PR #39. +- `yha9806/vulca-platform` PR #40. diff --git a/docs/review-context/CHANGELOG.md b/docs/review-context/CHANGELOG.md index ed045c2b..fbb536d1 100644 --- a/docs/review-context/CHANGELOG.md +++ b/docs/review-context/CHANGELOG.md 
@@ -4,6 +4,25 @@ Vault status: append-only change log. ## 2026-06-16 +### Recorded Platform Workspace Read Gate Merge + +- Recorded platform PR #40 as merged to `master` with production read + authorization for the existing Workspace review-state compatibility endpoint. +- Clarified that #40 extends the trusted actor and active membership gate from + save/clear to load/save/clear, so production clients fail closed until a + trusted upstream actor and matching active membership are configured. +- Preserved the boundary that #40 is still a compatibility-route gate: full + user/JWT identity, membership management APIs/UI, typed Workspace aggregates, + release-owner human semantics, operation-specific writes, + ingress header-stripping proof, and multi-instance acceptance evidence remain + gated. + +Source basis: + +- `yha9806/vulca-platform` PR #40. +- Merge commit `d31e9bf8f6139c60ee10605337c32221a5098b8b`. +- Remote checks: `Run Tests` and `security` passed on PR #40. + ### Recorded Platform Workspace Membership Gate Merge - Recorded platform PR #39 as merged to `master` with a database-backed diff --git a/docs/review-context/MANIFEST.json b/docs/review-context/MANIFEST.json index 74926a3b..afae0bc6 100644 --- a/docs/review-context/MANIFEST.json +++ b/docs/review-context/MANIFEST.json @@ -55,12 +55,13 @@ "core_sources": { "sdk_mainline": "cb6d52fe", "workspace_context_baseline": "6efef07", - "workspace_latest_observed": "dff2331", + "workspace_latest_observed": "d31e9bf", "workspace_shared_review_state_merge": "d06a713b", "workspace_db_review_state_merge": "24efaab5", "workspace_revision_conflict_audit_merge": "3310093", "workspace_trusted_actor_gate_merge": "0faf874", "workspace_membership_gate_merge": "dff2331", + "workspace_read_gate_merge": "d31e9bf", "artifact_bridge_spec": "11-artifact-bridge-spec.md", "m3_bridge_fixture": "artifact-bridge/m3-demo-bridge-fixture.json", "m3_durable_review_fixture": "workspace-durable/m3-durable-review-fixture.json", 
diff --git a/docs/review-context/release-readiness/M5-CLOSEOUT.md b/docs/review-context/release-readiness/M5-CLOSEOUT.md index 3b5e2d3a..0aa88196 100644 --- a/docs/review-context/release-readiness/M5-CLOSEOUT.md +++ b/docs/review-context/release-readiness/M5-CLOSEOUT.md @@ -66,6 +66,12 @@ As of 2026-06-16: active repo membership and role matching for production save/clear on the compatibility endpoint, and documents the fail-closed deployment boundary. Its PR gate passed remote `Run Tests` and `security`. +- Platform PR #40, `feat: gate workspace review reads`, merged to `master` at + `d31e9bf8f6139c60ee10605337c32221a5098b8b` from head `e0a0bae`. It extends + trusted actor and active membership checks to production load operations on + the compatibility endpoint, making load/save/clear fail closed without a + trusted actor and matching active membership. Its PR gate passed remote + `Run Tests` and `security`. These PRs improve R5 evidence, but they do not change the product-level decision above. @@ -93,10 +99,10 @@ blocker is `15-workspace-production-persistence-spec.md`. ## Remaining R5 Blockers - production-grade Workspace persistence beyond the DB-backed compatibility - snapshot, including typed durable records, full user/JWT authorization, read - authorization, membership management APIs/UI beyond the save/clear - compatibility check, release-owner human audit semantics, operation-specific - writes, ingress header-stripping proof, and multi-instance behavior; + snapshot, including typed durable records, full user/JWT authorization, + membership management APIs/UI beyond the compatibility route check, + release-owner human audit semantics, operation-specific writes, ingress + header-stripping proof, and multi-instance behavior; - repeated bridge ingestion across more than one workflow; - production EvidencePack rendering evidence; - human-owned release workflow implementation evidence; 
@@ -118,3 +124,4 @@ blocker is `15-workspace-production-persistence-spec.md`. - `yha9806/vulca-platform` PR #36. - `yha9806/vulca-platform` PR #37. - `yha9806/vulca-platform` PR #39. +- `yha9806/vulca-platform` PR #40. diff --git a/docs/review-context/release-readiness/m5-closeout-summary.json b/docs/review-context/release-readiness/m5-closeout-summary.json index 65ce142d..c44043ab 100644 --- a/docs/review-context/release-readiness/m5-closeout-summary.json +++ b/docs/review-context/release-readiness/m5-closeout-summary.json @@ -47,6 +47,11 @@ "status": "indexed", "source": "docs/review-context/workspace-durable/README.md" }, + { + "name": "Workspace review-state read gate evidence", + "status": "indexed", + "source": "docs/review-context/workspace-durable/README.md" + }, { "name": "Workspace production persistence product spec", "status": "indexed", 
@@ -83,12 +88,12 @@ "max_allowed_level": "R4", "example_scope": "public-example-key-visual-v1", "human_owner": null, - "boundary_notes": "R4 example-specific public copy is allowed only within RR4/RR5 scope. Product-level R5 remains blocked. Platform PR #39 adds an active membership gate for production save/clear on the compatibility snapshot route, not full user/JWT authorization, read authorization, membership management APIs/UI, typed aggregates, release-owner human audit semantics, operation-specific writes, ingress header-stripping proof, or multi-instance release readiness." + "boundary_notes": "R4 example-specific public copy is allowed only within RR4/RR5 scope. Product-level R5 remains blocked. Platform PR #40 extends the active membership gate to production load/save/clear on the compatibility snapshot route, not full user/JWT authorization, membership management APIs/UI, typed aggregates, release-owner human audit semantics, operation-specific writes, ingress header-stripping proof, or multi-instance release readiness." }, "remaining_blockers": [ "typed Workspace persistence records beyond the compatibility snapshot", - "full user/JWT Workspace authorization and read authorization", - "membership management APIs/UI beyond the compatibility save/clear check", + "full user/JWT Workspace authorization", + "membership management APIs/UI beyond the compatibility route check", "release-owner human audit semantics beyond compatibility snapshot events", "operation-specific Workspace write evidence", "ingress header-stripping proof for trusted Workspace actor headers", diff --git a/docs/review-context/source-index.md b/docs/review-context/source-index.md index c7713553..96decef8 100644 --- a/docs/review-context/source-index.md +++ b/docs/review-context/source-index.md 
@@ -164,6 +164,11 @@ check before changing high-level VULCA claims. identity, read authorization, membership management APIs/UI, typed aggregates, release-owner human semantics, operation-specific writes, ingress header stripping, and multi-instance acceptance remain gated. + - Platform PR #40 extends the same trusted actor and active membership gate + to production load operations on the compatibility route. Full user/JWT + identity, membership management APIs/UI, typed aggregates, release-owner + human semantics, operation-specific writes, ingress header stripping, and + multi-instance acceptance remain gated. - Public example gate: - `docs/review-context/public-examples/m3-public-example-gate.json` - Protected RR4 reference for one example-specific public artifact and copy @@ -188,8 +193,8 @@ Workspace product code lives in the separate `vulca-platform` repository. `/Users/yhryzy/.config/superpowers/worktrees/vulca-platform/workspace-interactive-demo` - Context baseline: `6efef07 fix: align workspace context review controls` - Latest merged platform master: - `dff2331f95161ec909a07b76ef7e94ae7def3cfe` from PR #39, - `feat: add workspace review memberships`. + `d31e9bf8f6139c60ee10605337c32221a5098b8b` from PR #40, + `feat: gate workspace review reads`. - Important files: - `wenxin-moyun/src/content/workspaceDemo.ts` - `wenxin-moyun/src/components/workspace/` 
@@ -266,6 +271,20 @@ Workspace product code lives in the separate `vulca-platform` repository. aggregates, not operation-specific frontend writes, not release-owner human audit semantics, not ingress/gateway header-stripping proof, and not multi-instance acceptance evidence. +- Workspace read gate compatibility merge: + - `yha9806/vulca-platform` PR #40. + - Merge commit: `d31e9bf8f6139c60ee10605337c32221a5098b8b`. + - Evidence: production `load` now requires a trusted actor, active + `workspace_review_memberships` row, and role match; README notes that + load/save/clear fail closed until trusted upstream headers and membership + data are configured; tests cover preview load rejection, non-member load, + inactive member load, role mismatch on load, and successful member load. + - Boundary: compatibility-route load/save/clear membership gate only; not + full user/JWT authentication, not membership management APIs/UI, not typed + CreativeRepo/ReviewItem/EvidencePack/ReleaseGate aggregates, not + operation-specific frontend writes, not release-owner human audit + semantics, not ingress/gateway header-stripping proof, and not + multi-instance acceptance evidence. - Production persistence design: - `docs/review-context/15-workspace-production-persistence-spec.md`. - This is the next product-layer design reference before changing the diff --git a/docs/review-context/workspace-durable/README.md b/docs/review-context/workspace-durable/README.md index ff488622..a0c9c948 100644 --- a/docs/review-context/workspace-durable/README.md +++ b/docs/review-context/workspace-durable/README.md @@ -12,7 +12,7 @@ blocker, decision-state, and human-audit boundaries. ## Product Implementation Status -As of 2026-06-16, the platform implementation has seven merged PRs on +As of 2026-06-16, the platform implementation has eight merged PRs on `yha9806/vulca-platform` `master`: - PR #31, `[codex] Workspace review product shell`, merged at 
@@ -50,15 +50,21 @@ As of 2026-06-16, the platform implementation has seven merged PRs on `workspace_review_memberships` table and requires production save/clear operations on the compatibility endpoint to match an active repo membership for the trusted actor id and role. +- PR #40, `feat: gate workspace review reads`, merged at + `d31e9bf8f6139c60ee10605337c32221a5098b8b`. It extends the same trusted + actor and active membership checks to production load operations, so + load/save/clear all fail closed without a trusted actor and matching active + membership. PR #32 is intentionally a local durability slice. PR #34 is intentionally a shared in-process backend slice. PR #35 upgrades that compatibility route to database-backed snapshot persistence. PR #36 adds compatibility-route revision conflict checks and snapshot audit events. PR #37 adds a trusted-header actor gate for that compatibility route. PR #39 adds an active-membership check for -production save/clear on that same route. Together they improve Workspace -persistence evidence, but they do not certify the full production model: -user/JWT identity, read authorization, membership management APIs/UI, typed +production save/clear on that same route. PR #40 extends that check to +production load. Together they improve Workspace persistence and compatibility +route authorization evidence, but they do not certify the full production +model: user/JWT identity, membership management APIs/UI, typed CreativeRepo/ReviewItem/EvidencePack aggregates, release-owner human audit semantics, operation-specific writes, multi-instance acceptance, ingress header-stripping proof, or product-level release readiness. @@ -95,3 +101,4 @@ that turns these slices into the full production persistence model. - `yha9806/vulca-platform` PR #36. - `yha9806/vulca-platform` PR #37. - `yha9806/vulca-platform` PR #39. +- `yha9806/vulca-platform` PR #40.
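Review bot: in `docs/review-context/14-release-readiness-evidence-gate.md` (hunk `@@ -120,22 +120,25 @@`), the new "Current evidence" bullet says load/save/clear "all fail closed without trusted actor and matching active membership" with no qualifier, while the "Remaining boundary" paragraph in the same hunk lists ingress header-stripping configuration as unproven. The gate rests on trusted headers, so the fail-closed claim holds only where the upstream removes client-supplied copies of those headers. Suggest stating that dependency in the evidence bullet itself, so the bullet cannot be quoted without its limit.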
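Review bot: in `docs/review-context/MANIFEST.json` (hunk `@@ -55,12 +55,13 @@`), `"workspace_latest_observed": "d31e9bf"` and the new `"workspace_read_gate_merge": "d31e9bf"` use a 7-character abbreviation, while neighbouring keys such as `workspace_db_review_state_merge` use 8 characters and the changelog in this same patch records the full `d31e9bf8f6139c60ee10605337c32221a5098b8b`. For a manifest that serves as release evidence, an abbreviated hash is a weaker pin than the full one. Suggest recording the full 40-character commit id here, or at least one consistent length across `core_sources`.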
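Review bot: in `docs/review-context/release-readiness/m5-closeout-summary.json` (hunk `@@ -47,6 +47,11 @@`), the new "Workspace review-state read gate evidence" entry has the same `source` as the entry directly above it and carries no reference to PR #40 or its merge commit, so the two entries differ only by `name`. If the schema allows it, point the entry at the evidence that is specific to the read gate, or add the PR and commit reference, so the index entry can be checked on its own.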
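Review bot: in `docs/review-context/release-readiness/m5-closeout-summary.json` (hunk `@@ -83,12 +88,12 @@`), `remaining_blockers` drops read authorization entirely ("full user/JWT Workspace authorization"), although `boundary_notes` in the same hunk says PR #40 is a gate on the compatibility snapshot route only. The membership blocker was narrowed rather than removed ("beyond the compatibility route check"); read authorization deserves the same treatment, for example "read authorization beyond the compatibility route check", so a reader of the blocker list alone does not conclude that reads are fully authorized. The same wording change appears in the "Remaining R5 Blockers" hunk of `M5-CLOSEOUT.md`.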
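Review bot: in `docs/review-context/CHANGELOG.md` (hunk `@@ -4,6 +4,25 @@`), the line "Remote checks: `Run Tests` and `security` passed on PR #40" does not say which commit the checks ran against. `M5-CLOSEOUT.md` in this patch records both the head `e0a0bae` and the merge commit `d31e9bf8f6139c60ee10605337c32221a5098b8b`; since the log is append-only, record here whether the checks passed on the PR head or on the merge result, so the entry does not need a later correction.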
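Review bot: in `docs/review-context/source-index.md` (hunk `@@ -164,6 +164,11 @@`), the added PR #40 bullet repeats the full gated list from the PR #39 bullet directly above it, and that unchanged bullet still names "read authorization" as gated. Read side by side, the two bullets look contradictory. Suggest having the #40 bullet state only the delta (read authorization on the compatibility route is now covered, the rest of the list above still applies), or marking the #39 list as the state at that merge.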
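Review bot: in `docs/review-context/source-index.md` (hunk `@@ -266,6 +271,20 @@`), the evidence line lists tests for "preview load rejection, non-member load, inactive member load, role mismatch on load, and successful member load", but names no case for a production load that arrives with no trusted actor at all, which is the first condition of the gate described in the same bullet. If "preview load rejection" is that case, say so explicitly; if not, record it as a test gap instead of leaving it implied by "fail closed".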