vulca-org · yha9806 · Jun 16, 2026 · Jun 16, 2026
@@ -123,24 +123,29 @@ Current evidence:
 - Platform PR #40 extends trusted actor and active membership checks to
   production load operations on the compatibility route, so load/save/clear
   all fail closed without trusted actor and matching active membership.
+- Platform PR #41 adds trusted `system` actor routes to provision and
+  deactivate the `workspace_review_memberships` rows used by the compatibility
+  route gates, with role validation and membership admin audit events.
 - `15-workspace-production-persistence-spec.md` defines the product design for
   database-backed storage, authorization, conflict handling, audit events, and
   multi-instance behavior.
 
 Remaining boundary:
 
-- PR #40 proves a compatibility-route active membership check for production
-  load/save/clear, but does not prove full user/JWT authentication, membership
-  management APIs/UI, typed Workspace aggregates, release-owner human audit
-  semantics, operation-specific writes, ingress header-stripping
-  configuration, or multi-instance acceptance behavior.
+- PR #41 proves system-only provisioning/deactivation for compatibility-route
+  memberships, but does not prove full user/JWT authentication, end-user or
+  repo-owner self-service membership management UI, typed Workspace
+  aggregates, release-owner human audit semantics, operation-specific writes,
+  ingress header-stripping configuration, or multi-instance acceptance
+  behavior.
 
 Blocked until:
 
 - the compatibility snapshot slice is supplemented by production-grade access
-  boundaries beyond trusted headers and compatibility-route membership checks, typed
-  durable records, operation-specific frontend writes, release-owner audit
-  semantics, and multi-instance evidence for the demo path.
+  boundaries beyond trusted headers and system-admin compatibility-route
+  membership checks, typed durable records, operation-specific frontend writes,
+  release-owner audit semantics, and multi-instance evidence for the demo
+  path.
 
 ### Gate 2: Artifact Ingestion
 

@@ -15,7 +15,7 @@ readiness.
 
 ## Current Baseline
 
-The current platform state has eight relevant merged slices:
+The current platform state has nine relevant merged slices:
 
 - PR #31 adds the Workspace review product shell.
 - PR #32 adds local durable review state and release-owner audit trail
@@ -41,14 +41,19 @@ The current platform state has eight relevant merged slices:
   production load operations, so the compatibility endpoint now fails closed
   for load/save/clear unless the actor is trusted and a matching active repo
   membership exists.
+- PR #41 adds trusted `system` actor routes to provision and deactivate the
+  `workspace_review_memberships` rows used by the compatibility endpoint,
+  including role validation, deactivate-with-history behavior, stable error
+  responses, membership admin audit events, and deployment notes.
 
 The baseline now proves product direction, a shared API surface, and
 database-backed compatibility snapshot persistence with basic revision conflict
-audit evidence plus compatibility-route trusted actor and active-membership
-gates for production load/save/clear. It does not prove the full production
-persistence model, user/JWT authorization, membership management APIs/UI, typed
-object aggregates, release-owner human audit semantics, operation-specific
-writes, ingress header-stripping proof, or multi-instance acceptance behavior.
+audit evidence plus compatibility-route trusted actor, active-membership, and
+system-admin provisioning gates for production load/save/clear. It does not
+prove the full production persistence model, user/JWT authorization, end-user
+or repo-owner self-service membership management UI, typed object aggregates,
+release-owner human audit semantics, operation-specific writes, ingress
+header-stripping proof, or multi-instance acceptance behavior.
 
 ## Product Position
 
@@ -219,7 +224,8 @@ Rules:
 
 ## Migration From Current Slice
 
-Migration from PR #34, PR #35, PR #36, PR #37, PR #39, and PR #40 should be staged:
+Migration from PR #34, PR #35, PR #36, PR #37, PR #39, PR #40, and PR #41
+should be staged:
 
 1. Keep the existing review-state endpoint as the frontend compatibility route.
 2. Add database tables and service-layer operations behind the endpoint.
@@ -247,14 +253,17 @@ Current implementation evidence:
   for production save/clear, backed by `workspace_review_memberships`.
 - PR #40 extends the trusted actor and active membership checks to production
   load on the compatibility route.
+- PR #41 adds system-only compatibility routes for provisioning and
+  deactivating Workspace review memberships, with role validation and
+  membership admin audit events.
 - PR #35 does not yet implement typed service-layer operations for
   `CreativeRepo`, `ReviewItem`, `EvidencePack`, `ReleaseGate`, or
   `AuditEvent`.
-- PR #40 does not yet implement full user/JWT authentication, membership
-  management APIs/UI, typed service-layer operations, release-owner human audit
-  semantics, seeded repo migration, operation-specific frontend writes,
-  ingress/gateway header-stripping proof, or multi-instance acceptance
-  evidence.
+- PR #41 does not yet implement full user/JWT authentication, end-user or
+  repo-owner self-service membership management UI, typed service-layer
+  operations, release-owner human audit semantics, seeded repo migration,
+  operation-specific frontend writes, ingress/gateway header-stripping proof,
+  or multi-instance acceptance evidence.
 
 ## Acceptance Gates
 
@@ -297,3 +306,4 @@ This spec does not upgrade current release status by itself.
 - `yha9806/vulca-platform` PR #37.
 - `yha9806/vulca-platform` PR #39.
 - `yha9806/vulca-platform` PR #40.
+- `yha9806/vulca-platform` PR #41.
@@ -4,6 +4,27 @@ Vault status: append-only change log.
 
 ## 2026-06-16
 
+### Recorded Platform Workspace Membership Admin Merge
+
+- Recorded platform PR #41 as merged to `master` with system-only
+  provisioning and deactivation routes for Workspace review memberships on the
+  existing compatibility surface.
+- Clarified that #41 adds `PUT`/`DELETE`
+  `/api/v1/workspace/review-memberships/{repo_id}/{member_actor_id}` for a
+  trusted `system` actor, validates member roles, deactivates memberships
+  without deleting history, and records membership admin audit events.
+- Preserved the boundary that #41 is still a compatibility-route
+  administration slice: full user/JWT identity, end-user or repo-owner
+  self-service membership management UI, typed Workspace aggregates,
+  release-owner human semantics, operation-specific writes, ingress
+  header-stripping proof, and multi-instance acceptance evidence remain gated.
+
+Source basis:
+
+- `yha9806/vulca-platform` PR #41.
+- Merge commit `becbb072434bd4e0d9241e11a87717c7891926b5`.
+- Remote checks: `Run Tests` and `security` passed on PR #41.
+
 ### Recorded Platform Workspace Read Gate Merge
 
 - Recorded platform PR #40 as merged to `master` with production read
@@ -12,10 +33,10 @@ Vault status: append-only change log.
   save/clear to load/save/clear, so production clients fail closed until a
   trusted upstream actor and matching active membership are configured.
 - Preserved the boundary that #40 is still a compatibility-route gate: full
-  user/JWT identity, membership management APIs/UI, typed Workspace aggregates,
-  release-owner human semantics, operation-specific writes,
-  ingress header-stripping proof, and multi-instance acceptance evidence remain
-  gated.
+  user/JWT identity, end-user or repo-owner self-service membership
+  management UI, typed Workspace aggregates, release-owner human semantics,
+  operation-specific writes, ingress header-stripping proof, and multi-instance
+  acceptance evidence remain gated.
 
 Source basis:
 

@@ -55,13 +55,14 @@
   "core_sources": {
     "sdk_mainline": "cb6d52fe",
     "workspace_context_baseline": "6efef07",
-    "workspace_latest_observed": "d31e9bf",
+    "workspace_latest_observed": "becbb07",
     "workspace_shared_review_state_merge": "d06a713b",
     "workspace_db_review_state_merge": "24efaab5",
     "workspace_revision_conflict_audit_merge": "3310093",
     "workspace_trusted_actor_gate_merge": "0faf874",
     "workspace_membership_gate_merge": "dff2331",
     "workspace_read_gate_merge": "d31e9bf",
+    "workspace_membership_admin_merge": "becbb07",
     "artifact_bridge_spec": "11-artifact-bridge-spec.md",
     "m3_bridge_fixture": "artifact-bridge/m3-demo-bridge-fixture.json",
     "m3_durable_review_fixture": "workspace-durable/m3-durable-review-fixture.json",

@@ -72,6 +72,13 @@ As of 2026-06-16:
   the compatibility endpoint, making load/save/clear fail closed without a
   trusted actor and matching active membership. Its PR gate passed remote
   `Run Tests` and `security`.
+- Platform PR #41, `feat: add workspace membership admin routes`, merged to
+  `master` at `becbb072434bd4e0d9241e11a87717c7891926b5` from head
+  `e196a3d`. It adds trusted `system` actor routes to provision and deactivate
+  Workspace review memberships on the compatibility surface, including role
+  validation, deactivate-with-history behavior, stable error responses,
+  membership admin audit events, and deployment notes. Its PR gate passed
+  remote `Run Tests` and `security`.
 
 These PRs improve R5 evidence, but they do not change the product-level
 decision above.
@@ -100,7 +107,8 @@ blocker is `15-workspace-production-persistence-spec.md`.
 
 - production-grade Workspace persistence beyond the DB-backed compatibility
   snapshot, including typed durable records, full user/JWT authorization,
-  membership management APIs/UI beyond the compatibility route check,
+  end-user or repo-owner self-service membership management UI beyond the
+  system-only compatibility admin route,
   release-owner human audit semantics, operation-specific writes, ingress
   header-stripping proof, and multi-instance behavior;
 - repeated bridge ingestion across more than one workflow;
@@ -125,3 +133,4 @@ blocker is `15-workspace-production-persistence-spec.md`.
 - `yha9806/vulca-platform` PR #37.
 - `yha9806/vulca-platform` PR #39.
 - `yha9806/vulca-platform` PR #40.
+- `yha9806/vulca-platform` PR #41.
@@ -52,6 +52,11 @@
       "status": "indexed",
       "source": "docs/review-context/workspace-durable/README.md"
     },
+    {
+      "name": "Workspace review-state membership admin evidence",
+      "status": "indexed",
+      "source": "docs/review-context/workspace-durable/README.md"
+    },
     {
       "name": "Workspace production persistence product spec",
       "status": "indexed",
@@ -88,12 +93,12 @@
     "max_allowed_level": "R4",
     "example_scope": "public-example-key-visual-v1",
     "human_owner": null,
-    "boundary_notes": "R4 example-specific public copy is allowed only within RR4/RR5 scope. Product-level R5 remains blocked. Platform PR #40 extends the active membership gate to production load/save/clear on the compatibility snapshot route, not full user/JWT authorization, membership management APIs/UI, typed aggregates, release-owner human audit semantics, operation-specific writes, ingress header-stripping proof, or multi-instance release readiness."
+    "boundary_notes": "R4 example-specific public copy is allowed only within RR4/RR5 scope. Product-level R5 remains blocked. Platform PR #41 adds system-only provisioning/deactivation for compatibility-route membership rows, not full user/JWT authorization, end-user or repo-owner self-service membership management UI, typed aggregates, release-owner human audit semantics, operation-specific writes, ingress header-stripping proof, or multi-instance release readiness."
   },
   "remaining_blockers": [
     "typed Workspace persistence records beyond the compatibility snapshot",
     "full user/JWT Workspace authorization",
-    "membership management APIs/UI beyond the compatibility route check",
+    "end-user or repo-owner self-service membership management UI beyond the system-only compatibility admin route",
     "release-owner human audit semantics beyond compatibility snapshot events",
     "operation-specific Workspace write evidence",
     "ingress header-stripping proof for trusted Workspace actor headers",

@@ -161,14 +161,22 @@ check before changing high-level VULCA claims.
   - Platform PR #39 adds `workspace_review_memberships` and requires
     production save/clear operations on the compatibility route to match an
     active repo membership for the trusted actor id and role. Full user/JWT
-    identity, read authorization, membership management APIs/UI, typed
-    aggregates, release-owner human semantics, operation-specific writes,
-    ingress header stripping, and multi-instance acceptance remain gated.
+    identity, read authorization, end-user or repo-owner self-service
+    membership management UI, typed aggregates, release-owner human semantics,
+    operation-specific writes, ingress header stripping, and multi-instance
+    acceptance remain gated.
   - Platform PR #40 extends the same trusted actor and active membership gate
     to production load operations on the compatibility route. Full user/JWT
-    identity, membership management APIs/UI, typed aggregates, release-owner
-    human semantics, operation-specific writes, ingress header stripping, and
-    multi-instance acceptance remain gated.
+    identity, end-user or repo-owner self-service membership management UI,
+    typed aggregates, release-owner human semantics, operation-specific writes,
+    ingress header stripping, and multi-instance acceptance remain gated.
+  - Platform PR #41 adds system-only Workspace review membership provisioning
+    and deactivation routes on the compatibility surface. A trusted actor with
+    role `system` can upsert active memberships, deactivate memberships without
+    deleting history, and emit membership admin audit events. Full user/JWT
+    identity, end-user or repo-owner self-service membership management UI,
+    typed aggregates, release-owner human semantics, operation-specific writes,
+    ingress header stripping, and multi-instance acceptance remain gated.
 - Public example gate:
   - `docs/review-context/public-examples/m3-public-example-gate.json`
   - Protected RR4 reference for one example-specific public artifact and copy
@@ -193,8 +201,8 @@ Workspace product code lives in the separate `vulca-platform` repository.
   `/Users/yhryzy/.config/superpowers/worktrees/vulca-platform/workspace-interactive-demo`
 - Context baseline: `6efef07 fix: align workspace context review controls`
 - Latest merged platform master:
-  `d31e9bf8f6139c60ee10605337c32221a5098b8b` from PR #40,
-  `feat: gate workspace review reads`.
+  `becbb072434bd4e0d9241e11a87717c7891926b5` from PR #41,
+  `feat: add workspace membership admin routes`.
 - Important files:
   - `wenxin-moyun/src/content/workspaceDemo.ts`
   - `wenxin-moyun/src/components/workspace/`
@@ -280,7 +288,25 @@ Workspace product code lives in the separate `vulca-platform` repository.
     data are configured; tests cover preview load rejection, non-member load,
     inactive member load, role mismatch on load, and successful member load.
   - Boundary: compatibility-route load/save/clear membership gate only; not
-    full user/JWT authentication, not membership management APIs/UI, not typed
+    full user/JWT authentication, not end-user or repo-owner self-service
+    membership management UI, not typed
+    CreativeRepo/ReviewItem/EvidencePack/ReleaseGate aggregates, not
+    operation-specific frontend writes, not release-owner human audit
+    semantics, not ingress/gateway header-stripping proof, and not
+    multi-instance acceptance evidence.
+- Workspace membership admin compatibility merge:
+  - `yha9806/vulca-platform` PR #41.
+  - Merge commit: `becbb072434bd4e0d9241e11a87717c7891926b5`.
+  - Evidence: trusted `system` actor gate for
+    `/api/v1/workspace/review-memberships/{repo_id}/{member_actor_id}`,
+    `PUT` upsert with role validation and active flag, `DELETE` deactivate
+    without deleting history, stable 403/404/422 error responses, membership
+    admin audit events for upsert/deactivate, README deployment notes, and
+    tests for provisioning, non-system rejection, invalid role rejection, blank
+    actor rejection, deactivation, and missing deactivate rejection.
+  - Boundary: compatibility-route system admin provisioning only; not full
+    user/JWT authentication, not end-user or repo-owner self-service
+    membership management UI, not typed
     CreativeRepo/ReviewItem/EvidencePack/ReleaseGate aggregates, not
     operation-specific frontend writes, not release-owner human audit
     semantics, not ingress/gateway header-stripping proof, and not

@@ -12,7 +12,7 @@ blocker, decision-state, and human-audit boundaries.
 
 ## Product Implementation Status
 
-As of 2026-06-16, the platform implementation has eight merged PRs on
+As of 2026-06-16, the platform implementation has nine merged PRs on
 `yha9806/vulca-platform` `master`:
 
 - PR #31, `[codex] Workspace review product shell`, merged at
@@ -55,19 +55,26 @@ As of 2026-06-16, the platform implementation has eight merged PRs on
   actor and active membership checks to production load operations, so
   load/save/clear all fail closed without a trusted actor and matching active
   membership.
+- PR #41, `feat: add workspace membership admin routes`, merged at
+  `becbb072434bd4e0d9241e11a87717c7891926b5`. It adds trusted `system` actor
+  routes to provision and deactivate Workspace review memberships on the
+  compatibility surface, including role validation, deactivate-with-history,
+  stable error responses, membership admin audit events, and deployment notes.
 
 PR #32 is intentionally a local durability slice. PR #34 is intentionally a
 shared in-process backend slice. PR #35 upgrades that compatibility route to
 database-backed snapshot persistence. PR #36 adds compatibility-route revision
 conflict checks and snapshot audit events. PR #37 adds a trusted-header actor
 gate for that compatibility route. PR #39 adds an active-membership check for
 production save/clear on that same route. PR #40 extends that check to
-production load. Together they improve Workspace persistence and compatibility
-route authorization evidence, but they do not certify the full production
-model: user/JWT identity, membership management APIs/UI, typed
-CreativeRepo/ReviewItem/EvidencePack aggregates, release-owner human audit
-semantics, operation-specific writes, multi-instance acceptance, ingress
-header-stripping proof, or product-level release readiness.
+production load. PR #41 adds system-only provisioning/deactivation for the
+membership rows used by those gates. Together they improve Workspace
+persistence and compatibility-route authorization evidence, but they do not
+certify the full production model: user/JWT identity, end-user or repo-owner
+self-service membership management UI, typed CreativeRepo, ReviewItem, and
+EvidencePack aggregates, release-owner human audit semantics,
+operation-specific writes, multi-instance acceptance, ingress header-stripping
+proof, or product-level release readiness.
 
 Use `../15-workspace-production-persistence-spec.md` for the product design
 that turns these slices into the full production persistence model.
@@ -102,3 +109,4 @@ that turns these slices into the full production persistence model.
 - `yha9806/vulca-platform` PR #37.
 - `yha9806/vulca-platform` PR #39.
 - `yha9806/vulca-platform` PR #40.
+- `yha9806/vulca-platform` PR #41.