vulca-org · yha9806 · Jun 16, 2026 · Jun 16, 2026
@@ -120,22 +120,25 @@ Current evidence:
 - Platform PR #39 adds database-backed `workspace_review_memberships` and
   requires production save/clear operations on the compatibility route to
   match an active repo membership for the trusted actor id and role.
+- Platform PR #40 extends trusted actor and active membership checks to
+  production load operations on the compatibility route, so load/save/clear
+  all fail closed without trusted actor and matching active membership.
 - `15-workspace-production-persistence-spec.md` defines the product design for
   database-backed storage, authorization, conflict handling, audit events, and
   multi-instance behavior.
 
 Remaining boundary:
 
-- PR #39 proves a compatibility-route active membership check for production
-  save/clear, but does not prove full user/JWT authentication, read
-  authorization, membership management APIs/UI, typed Workspace aggregates,
-  release-owner human audit semantics, operation-specific writes, ingress
-  header-stripping configuration, or multi-instance acceptance behavior.
+- PR #40 proves a compatibility-route active membership check for production
+  load/save/clear, but does not prove full user/JWT authentication, membership
+  management APIs/UI, typed Workspace aggregates, release-owner human audit
+  semantics, operation-specific writes, ingress header-stripping
+  configuration, or multi-instance acceptance behavior.
 
 Blocked until:
 
 - the compatibility snapshot slice is supplemented by production-grade access
-  boundaries beyond trusted headers and save/clear membership checks, typed
+  boundaries beyond trusted headers and compatibility-route membership checks, typed
   durable records, operation-specific frontend writes, release-owner audit
   semantics, and multi-instance evidence for the demo path.
 

@@ -15,7 +15,7 @@ readiness.
 
 ## Current Baseline
 
-The current platform state has seven relevant merged slices:
+The current platform state has eight relevant merged slices:
 
 - PR #31 adds the Workspace review product shell.
 - PR #32 adds local durable review state and release-owner audit trail
@@ -37,15 +37,18 @@ The current platform state has seven relevant merged slices:
   requires production save/clear operations on that same compatibility
   endpoint to match an active repo membership for the trusted actor id and
   role.
+- PR #40 extends the same trusted actor and active membership checks to
+  production load operations, so the compatibility endpoint now fails closed
+  for load/save/clear unless the actor is trusted and a matching active repo
+  membership exists.
 
 The baseline now proves product direction, a shared API surface, and
 database-backed compatibility snapshot persistence with basic revision conflict
 audit evidence plus compatibility-route trusted actor and active-membership
-gates for production save/clear. It does not prove the full production
-persistence model, user/JWT authorization, read authorization, membership
-management APIs/UI, typed object aggregates, release-owner human audit
-semantics, operation-specific writes, ingress header-stripping proof, or
-multi-instance acceptance behavior.
+gates for production load/save/clear. It does not prove the full production
+persistence model, user/JWT authorization, membership management APIs/UI, typed
+object aggregates, release-owner human audit semantics, operation-specific
+writes, ingress header-stripping proof, or multi-instance acceptance behavior.
 
 ## Product Position
 
@@ -216,7 +219,7 @@ Rules:
 
 ## Migration From Current Slice
 
-Migration from PR #34, PR #35, PR #36, PR #37, and PR #39 should be staged:
+Migration from PR #34, PR #35, PR #36, PR #37, PR #39, and PR #40 should be staged:
 
 1. Keep the existing review-state endpoint as the frontend compatibility route.
 2. Add database tables and service-layer operations behind the endpoint.
@@ -242,14 +245,16 @@ Current implementation evidence:
   metadata in save/clear audit events.
 - PR #39 extends that compatibility slice with active repo membership checks
   for production save/clear, backed by `workspace_review_memberships`.
+- PR #40 extends the trusted actor and active membership checks to production
+  load on the compatibility route.
 - PR #35 does not yet implement typed service-layer operations for
   `CreativeRepo`, `ReviewItem`, `EvidencePack`, `ReleaseGate`, or
   `AuditEvent`.
-- PR #39 does not yet implement full user/JWT authentication, read
-  authorization, membership management APIs/UI, typed service-layer operations,
-  release-owner human audit semantics, seeded repo migration,
-  operation-specific frontend writes, ingress/gateway header-stripping proof,
-  or multi-instance acceptance evidence.
+- PR #40 does not yet implement full user/JWT authentication, membership
+  management APIs/UI, typed service-layer operations, release-owner human audit
+  semantics, seeded repo migration, operation-specific frontend writes,
+  ingress/gateway header-stripping proof, or multi-instance acceptance
+  evidence.
 
 ## Acceptance Gates
 
@@ -291,3 +296,4 @@ This spec does not upgrade current release status by itself.
 - `yha9806/vulca-platform` PR #36.
 - `yha9806/vulca-platform` PR #37.
 - `yha9806/vulca-platform` PR #39.
+- `yha9806/vulca-platform` PR #40.
@@ -4,6 +4,25 @@ Vault status: append-only change log.
 
 ## 2026-06-16
 
+### Recorded Platform Workspace Read Gate Merge
+
+- Recorded platform PR #40 as merged to `master` with production read
+  authorization for the existing Workspace review-state compatibility endpoint.
+- Clarified that #40 extends the trusted actor and active membership gate from
+  save/clear to load/save/clear, so production clients fail closed until a
+  trusted upstream actor and matching active membership are configured.
+- Preserved the boundary that #40 is still a compatibility-route gate: full
+  user/JWT identity, membership management APIs/UI, typed Workspace aggregates,
+  release-owner human semantics, operation-specific writes,
+  ingress header-stripping proof, and multi-instance acceptance evidence remain
+  gated.
+
+Source basis:
+
+- `yha9806/vulca-platform` PR #40.
+- Merge commit `d31e9bf8f6139c60ee10605337c32221a5098b8b`.
+- Remote checks: `Run Tests` and `security` passed on PR #40.
+
 ### Recorded Platform Workspace Membership Gate Merge
 
 - Recorded platform PR #39 as merged to `master` with a database-backed

@@ -55,12 +55,13 @@
   "core_sources": {
     "sdk_mainline": "cb6d52fe",
     "workspace_context_baseline": "6efef07",
-    "workspace_latest_observed": "dff2331",
+    "workspace_latest_observed": "d31e9bf",
     "workspace_shared_review_state_merge": "d06a713b",
     "workspace_db_review_state_merge": "24efaab5",
     "workspace_revision_conflict_audit_merge": "3310093",
     "workspace_trusted_actor_gate_merge": "0faf874",
     "workspace_membership_gate_merge": "dff2331",
+    "workspace_read_gate_merge": "d31e9bf",
     "artifact_bridge_spec": "11-artifact-bridge-spec.md",
     "m3_bridge_fixture": "artifact-bridge/m3-demo-bridge-fixture.json",
     "m3_durable_review_fixture": "workspace-durable/m3-durable-review-fixture.json",

@@ -66,6 +66,12 @@ As of 2026-06-16:
   active repo membership and role matching for production save/clear on the
   compatibility endpoint, and documents the fail-closed deployment boundary.
   Its PR gate passed remote `Run Tests` and `security`.
+- Platform PR #40, `feat: gate workspace review reads`, merged to `master` at
+  `d31e9bf8f6139c60ee10605337c32221a5098b8b` from head `e0a0bae`. It extends
+  trusted actor and active membership checks to production load operations on
+  the compatibility endpoint, making load/save/clear fail closed without a
+  trusted actor and matching active membership. Its PR gate passed remote
+  `Run Tests` and `security`.
 
 These PRs improve R5 evidence, but they do not change the product-level
 decision above.
@@ -93,10 +99,10 @@ blocker is `15-workspace-production-persistence-spec.md`.
 ## Remaining R5 Blockers
 
 - production-grade Workspace persistence beyond the DB-backed compatibility
-  snapshot, including typed durable records, full user/JWT authorization, read
-  authorization, membership management APIs/UI beyond the save/clear
-  compatibility check, release-owner human audit semantics, operation-specific
-  writes, ingress header-stripping proof, and multi-instance behavior;
+  snapshot, including typed durable records, full user/JWT authorization,
+  membership management APIs/UI beyond the compatibility route check,
+  release-owner human audit semantics, operation-specific writes, ingress
+  header-stripping proof, and multi-instance behavior;
 - repeated bridge ingestion across more than one workflow;
 - production EvidencePack rendering evidence;
 - human-owned release workflow implementation evidence;
@@ -118,3 +124,4 @@ blocker is `15-workspace-production-persistence-spec.md`.
 - `yha9806/vulca-platform` PR #36.
 - `yha9806/vulca-platform` PR #37.
 - `yha9806/vulca-platform` PR #39.
+- `yha9806/vulca-platform` PR #40.
@@ -47,6 +47,11 @@
       "status": "indexed",
       "source": "docs/review-context/workspace-durable/README.md"
     },
+    {
+      "name": "Workspace review-state read gate evidence",
+      "status": "indexed",
+      "source": "docs/review-context/workspace-durable/README.md"
+    },
     {
       "name": "Workspace production persistence product spec",
       "status": "indexed",
@@ -83,12 +88,12 @@
     "max_allowed_level": "R4",
     "example_scope": "public-example-key-visual-v1",
     "human_owner": null,
-    "boundary_notes": "R4 example-specific public copy is allowed only within RR4/RR5 scope. Product-level R5 remains blocked. Platform PR #39 adds an active membership gate for production save/clear on the compatibility snapshot route, not full user/JWT authorization, read authorization, membership management APIs/UI, typed aggregates, release-owner human audit semantics, operation-specific writes, ingress header-stripping proof, or multi-instance release readiness."
+    "boundary_notes": "R4 example-specific public copy is allowed only within RR4/RR5 scope. Product-level R5 remains blocked. Platform PR #40 extends the active membership gate to production load/save/clear on the compatibility snapshot route, not full user/JWT authorization, membership management APIs/UI, typed aggregates, release-owner human audit semantics, operation-specific writes, ingress header-stripping proof, or multi-instance release readiness."
   },
   "remaining_blockers": [
     "typed Workspace persistence records beyond the compatibility snapshot",
-    "full user/JWT Workspace authorization and read authorization",
-    "membership management APIs/UI beyond the compatibility save/clear check",
+    "full user/JWT Workspace authorization",
+    "membership management APIs/UI beyond the compatibility route check",
     "release-owner human audit semantics beyond compatibility snapshot events",
     "operation-specific Workspace write evidence",
     "ingress header-stripping proof for trusted Workspace actor headers",

@@ -164,6 +164,11 @@ check before changing high-level VULCA claims.
     identity, read authorization, membership management APIs/UI, typed
     aggregates, release-owner human semantics, operation-specific writes,
     ingress header stripping, and multi-instance acceptance remain gated.
+  - Platform PR #40 extends the same trusted actor and active membership gate
+    to production load operations on the compatibility route. Full user/JWT
+    identity, membership management APIs/UI, typed aggregates, release-owner
+    human semantics, operation-specific writes, ingress header stripping, and
+    multi-instance acceptance remain gated.
 - Public example gate:
   - `docs/review-context/public-examples/m3-public-example-gate.json`
   - Protected RR4 reference for one example-specific public artifact and copy
@@ -188,8 +193,8 @@ Workspace product code lives in the separate `vulca-platform` repository.
   `/Users/yhryzy/.config/superpowers/worktrees/vulca-platform/workspace-interactive-demo`
 - Context baseline: `6efef07 fix: align workspace context review controls`
 - Latest merged platform master:
-  `dff2331f95161ec909a07b76ef7e94ae7def3cfe` from PR #39,
-  `feat: add workspace review memberships`.
+  `d31e9bf8f6139c60ee10605337c32221a5098b8b` from PR #40,
+  `feat: gate workspace review reads`.
 - Important files:
   - `wenxin-moyun/src/content/workspaceDemo.ts`
   - `wenxin-moyun/src/components/workspace/`
@@ -266,6 +271,20 @@ Workspace product code lives in the separate `vulca-platform` repository.
     aggregates, not operation-specific frontend writes, not release-owner human
     audit semantics, not ingress/gateway header-stripping proof, and not
     multi-instance acceptance evidence.
+- Workspace read gate compatibility merge:
+  - `yha9806/vulca-platform` PR #40.
+  - Merge commit: `d31e9bf8f6139c60ee10605337c32221a5098b8b`.
+  - Evidence: production `load` now requires a trusted actor, active
+    `workspace_review_memberships` row, and role match; README notes that
+    load/save/clear fail closed until trusted upstream headers and membership
+    data are configured; tests cover preview load rejection, non-member load,
+    inactive member load, role mismatch on load, and successful member load.
+  - Boundary: compatibility-route load/save/clear membership gate only; not
+    full user/JWT authentication, not membership management APIs/UI, not typed
+    CreativeRepo/ReviewItem/EvidencePack/ReleaseGate aggregates, not
+    operation-specific frontend writes, not release-owner human audit
+    semantics, not ingress/gateway header-stripping proof, and not
+    multi-instance acceptance evidence.
 - Production persistence design:
   - `docs/review-context/15-workspace-production-persistence-spec.md`.
   - This is the next product-layer design reference before changing the

@@ -12,7 +12,7 @@ blocker, decision-state, and human-audit boundaries.
 
 ## Product Implementation Status
 
-As of 2026-06-16, the platform implementation has seven merged PRs on
+As of 2026-06-16, the platform implementation has eight merged PRs on
 `yha9806/vulca-platform` `master`:
 
 - PR #31, `[codex] Workspace review product shell`, merged at
@@ -50,15 +50,21 @@ As of 2026-06-16, the platform implementation has seven merged PRs on
   `workspace_review_memberships` table and requires production save/clear
   operations on the compatibility endpoint to match an active repo membership
   for the trusted actor id and role.
+- PR #40, `feat: gate workspace review reads`, merged at
+  `d31e9bf8f6139c60ee10605337c32221a5098b8b`. It extends the same trusted
+  actor and active membership checks to production load operations, so
+  load/save/clear all fail closed without a trusted actor and matching active
+  membership.
 
 PR #32 is intentionally a local durability slice. PR #34 is intentionally a
 shared in-process backend slice. PR #35 upgrades that compatibility route to
 database-backed snapshot persistence. PR #36 adds compatibility-route revision
 conflict checks and snapshot audit events. PR #37 adds a trusted-header actor
 gate for that compatibility route. PR #39 adds an active-membership check for
-production save/clear on that same route. Together they improve Workspace
-persistence evidence, but they do not certify the full production model:
-user/JWT identity, read authorization, membership management APIs/UI, typed
+production save/clear on that same route. PR #40 extends that check to
+production load. Together they improve Workspace persistence and compatibility
+route authorization evidence, but they do not certify the full production
+model: user/JWT identity, membership management APIs/UI, typed
 CreativeRepo/ReviewItem/EvidencePack aggregates, release-owner human audit
 semantics, operation-specific writes, multi-instance acceptance, ingress
 header-stripping proof, or product-level release readiness.
@@ -95,3 +101,4 @@ that turns these slices into the full production persistence model.
 - `yha9806/vulca-platform` PR #36.
 - `yha9806/vulca-platform` PR #37.
 - `yha9806/vulca-platform` PR #39.
+- `yha9806/vulca-platform` PR #40.