Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 10 additions & 9 deletions .agent-loop/LOOP_STATE.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,17 +4,18 @@

- Active initiative: `WS-POL-002` - Post-Submit Checker Foundation
- Active planning chunk: none
- Active implementation chunk: none
- Branch: `main`
- Status: `WS-POL-002-PLAN` merged through PR #85. Planning is complete for
post-submit checker setup to follow the same project-guide-derived,
compiler-validated, deterministic shape as the pre-submit checker pipeline.
- Active implementation chunk: `WS-POL-002-01` - Post-Submit Compiler Contract
- Branch: `codex/ws-pol-002-01-post-submit-compiler`
- Status: `WS-POL-002-01` started after the user's explicit start signal.
Pre-implementation plan review narrowed the chunk to compiler/body/hash
behavior only; persistence, setup-run fields, approval, and activation
enforcement remain in later chunks.
- Last merged implementation SHA: `be2d5ec`
- Last merge commit: `3fc1a68`
- Current gate: post-merge memory update for `WS-POL-002-PLAN`; no
implementation chunk is active.
- Next chunk: `WS-POL-002-01` is proposed only and inactive until the
user gives an explicit start signal.
- Current gate: implementation for `WS-POL-002-01`.
- Next chunk: inactive until `WS-POL-002-01` is implemented, reviewed,
externally checked, merged by explicit human approval, and followed by memory
update.

## Operating Rule

Expand Down
7 changes: 4 additions & 3 deletions .agent-loop/WORK_QUEUE.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

| Chunk | Title | Risk | Status |
|---|---|---:|---|
| `WS-POL-002-01` | Post-Submit Provenance And Compiler Contract | L1 | Proposed; inactive until explicit user start |
| `WS-POL-002-01` | Post-Submit Compiler Contract | L1 | Active on `codex/ws-pol-002-01-post-submit-compiler` |

## Completed

Expand Down Expand Up @@ -33,8 +33,9 @@

## Proposed Next

Do not start `WS-POL-002-01` until the user explicitly starts the
implementation chunk.
Do not start the next chunk until `WS-POL-002-01` is implemented, reviewed,
externally checked, merged by explicit human approval, and followed by memory
update.

## Blocked

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ reviewed, merged by explicit human approval, and followed by a memory update.

| Chunk | Title | Risk | Status |
|---|---|---:|---|
| `WS-POL-002-01` | Post-Submit Provenance And Compiler Contract | L1 | Proposed |
| `WS-POL-002-01` | Post-Submit Compiler Contract | L1 | Active |
| `WS-POL-002-02` | Post-Submit Derivation Agent And Resumable Setup Integration | L1 | Proposed |
| `WS-POL-002-03` | Server-Owned Policy Approval And Visibility APIs | L1 | Proposed |
| `WS-POL-002-04` | Locked Runtime Execution And Routing Hardening | L1 | Proposed |
Expand All @@ -28,5 +28,6 @@ WS-POL-002-01

## Stop Condition

After this planning chunk is reviewed, stop. The first implementation chunk is
inactive until the user explicitly starts `WS-POL-002-01`.
After each implementation chunk is reviewed, externally checked, and merged by
explicit human approval, perform the memory update before starting the next
chunk.
Original file line number Diff line number Diff line change
Expand Up @@ -118,11 +118,12 @@ The trusted Workstream post-submit compiler:
- emits the canonical `PostSubmitCheckerPolicy.policy_body`
- emits `policy_hash = sha256(canonical_json(policy_body))`

The platform default checker list is authoritative. `policy_body.default_checkers`
must exactly equal the server-owned `DEFAULT_DURABLE_CHECKERS` list. Default-only
projects are valid: the compiler represents defaults as required durable
coverage and permits an empty project-specific addition set only when all
platform defaults remain required.
The platform default checker list is authoritative at compile time.
`policy_body.default_checkers` is stamped into the versioned locked policy body,
and the body hash preserves that exact compiler output for future task context.
Default-only projects are valid: the compiler represents defaults as required
durable coverage and permits an empty project-specific addition set only when
all platform defaults remain required in the compiled body.

The compiler, not the agent, decides the executable policy body.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,29 +5,29 @@
Planning completed and merged through PR #85 as
`3fc1a688743f13476d6092078d40792592823d27`.

No implementation chunk is active. `WS-POL-002-01` is ready to start only after
the user gives an explicit start signal.
`WS-POL-002-01` is active after the user's explicit start signal. A
pre-implementation plan review narrowed the chunk to compiler/body/hash
behavior only; durable persistence, setup-run fields, approval, and activation
enforcement remain in later chunks.

## Active Planning Chunk

None.

## Active Implementation Chunk

None.

## Proposed First Implementation Chunk
`WS-POL-002-01` - Post-Submit Compiler Contract.

`WS-POL-002-01` - Post-Submit Provenance And Compiler Contract.
## Current Implementation Branch

This chunk is inactive until the user gives an explicit start signal.
`codex/ws-pol-002-01-post-submit-compiler`

## Chunk Status

| Chunk | Status | Branch | PR | Notes |
|---|---|---|---:|---|
| `WS-POL-002-PLAN` | Merged | `codex/ws-pol-002-post-submit-checker-planning` | #85 | Defines intent, discovery, design, risks, decisions, and implementation chunks. |
| `WS-POL-002-01` | Proposed | - | - | Post-Submit Provenance And Compiler Contract. |
| `WS-POL-002-01` | Active | `codex/ws-pol-002-01-post-submit-compiler` | - | Post-Submit Compiler Contract. |
| `WS-POL-002-02` | Proposed | - | - | Post-submit derivation agent and resumable setup integration after pre-submit approval/compile. |
| `WS-POL-002-03` | Proposed | - | - | Server-owned approval and setup visibility APIs; remove manual guide payload. |
| `WS-POL-002-04` | Proposed | - | - | Runtime hardening for locked post-submit policy execution and routing. |
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Chunk Contract: WS-POL-002-01 - Post-Submit Provenance And Compiler Contract
# Chunk Contract: WS-POL-002-01 - Post-Submit Compiler Contract

## Parent Initiative

Expand Down Expand Up @@ -27,45 +27,72 @@ weakening platform defaults or referencing unsupported checkers.

## Goal

Introduce the durable post-submit policy provenance fields, setup-run output
fields, and trusted compiler contract that produce the canonical project-scoped
`PostSubmitCheckerPolicy` body from a constrained spec.
Introduce the trusted compiler contract that produces the canonical
project-scoped `PostSubmitCheckerPolicy` body from a constrained spec.

This chunk is compiler-only. Durable provenance columns, setup-run output
fields, approval state, and guide activation changes are deferred to later
chunks so the first implementation remains reviewable.

## Target Behavior

- Compiler always includes platform default durable post-submit checkers.
- Compiler is owned by `backend/app/modules/projects/post_submit_policy.py`.
`backend/app/modules/checkers/compiler.py` remains the pre-submit compiler
module and must not import project post-submit policy helpers.
- Compiler always includes platform default durable post-submit checkers in
`default_checkers` and `execution_checkers`.
- Compiler rejects unknown checker names.
- Compiler rejects attempts to remove or weaken defaults.
- Compiler rejects duplicate/conflicting checker classifications.
- Compiler rejects unsupported blocking-severity downgrade attempts.
- Compiler emits the canonical policy body and hash.
- Compiler supports default-only projects by representing platform defaults as
required durable coverage while permitting an empty project-specific addition
set.
- `policy_body.default_checkers` must exactly equal the platform-owned
`DEFAULT_DURABLE_CHECKERS` list.
- Policy rows bind to guide source snapshot id/hash, compiler version,
derivation provenance, lifecycle status, and approval provenance.
- `ProjectSetupRun` can reference post-submit derivation/compile output and
represent post-submit setup statuses without JSON-only hiding.
- Activation/runtime validation uses the compiled canonical body, not ad hoc
request lists.
- Compiler supports default-only projects. A default-only constrained spec has
empty project-specific `required_checkers` and `warning_checkers`; the
compiled policy body still executes every platform default because
`default_checkers` is stamped from the compiler's platform defaults and
`execution_checkers` is compiled from that locked default list.
- `required_checkers` and `warning_checkers` represent project-specific routing
classifications. They may reference registered non-default checkers, and
`required_checkers` may also reference a default checker to tighten its
routing for the project. Default-only projects leave both lists empty.
Platform defaults remain mandatory through the compiler-owned default list
and execution list, not by duplicating them into `required_checkers`.
- `policy_body.default_checkers` is a locked compiler output, not a runtime read
from the mutable `DEFAULT_DURABLE_CHECKERS` constant.
- Platform blocking severities are `["critical", "high"]`, matching the
existing checker runner. A constrained spec may tighten routing by adding
known severities, but it cannot remove `critical` or `high`.
- Activation and runtime behavior are not changed in this chunk except where
existing validation calls the canonical parser/body helpers. Persistence
fields and setup-run statuses are defined in `WS-POL-002-02` and
server-owned approval/activation enforcement remains in `WS-POL-002-03`.
- Existing real API drill scripts may be updated only to keep their bootstrap
post-submit policy payloads aligned with the compiler's
non-weakenable `["critical", "high"]` platform severity floor.

## Allowed Files

```text
backend/app/modules/projects/post_submit_policy.py
backend/app/modules/checkers/compiler.py
backend/app/modules/projects/models.py
backend/app/modules/projects/repository.py
backend/app/modules/projects/service.py
backend/app/modules/projects/schemas.py
backend/alembic/versions/**
backend/tests/test_alembic.py
backend/tests/test_checkers.py
backend/tests/test_projects.py
backend/tests/test_tasks.py
backend/scripts/api_contract_e2e.py
examples/terminal_benchmark/terminal_benchmark_api_e2e.py
docs/architecture_checker_framework.md
docs/architecture_data_model.md
docs/architecture_lifecycle_state_machine.md
docs/operations_project_operating_manual.md
docs/operations_queue_policy.md
docs/operations_reviewer_workflow.md
docs/product_principles.md
docs/principles.md
docs/product_first_user_flows.md
docs/roadmap_30_day_master_plan.md
docs/roadmap_pilot_plan.md
docs/roles_permissions.md
docs/template_checker_policy.md
.agent-loop/initiatives/WS-POL-002-post-submit-checker-foundation/**
.agent-loop/LOOP_STATE.md
Expand All @@ -77,6 +104,10 @@ docs/template_checker_policy.md

```text
backend/app/adapters/project_agents/**
backend/app/modules/checkers/compiler.py
backend/app/modules/projects/models.py
backend/app/modules/projects/repository.py
backend/alembic/versions/**
backend/app/modules/tasks/**
frontend or demo UI work
payment/reputation/blockchain settlement
Expand All @@ -90,24 +121,30 @@ arbitrary generated checker code execution
project `PostSubmitCheckerPolicy` body.
- Default durable post-submit checkers are always present in
`execution_checkers`.
- `policy_body.default_checkers` exactly matches `DEFAULT_DURABLE_CHECKERS`; no
missing, extra, renamed, or reordered defaults are accepted. This chunk must
not change the `DEFAULT_DURABLE_CHECKERS` list; any future default-list change
requires explicit human approval and security review in its own chunk.
- `policy_body.default_checkers` is copied from `DEFAULT_DURABLE_CHECKERS` at
compile time and stamped with `compiler_version`; runtime validates the locked
body by schema version, supported compiler version, canonical structure, and
`policy_hash`, not by comparing old locked rows to today's default constant.
This chunk must not change the `DEFAULT_DURABLE_CHECKERS` list; any future
default-list change requires explicit human approval and security review in
its own chunk.
- Default-only project policy compilation and activation are valid when all
platform defaults remain required.
platform defaults remain present in `default_checkers` and
`execution_checkers`.
- Unknown checker names fail closed.
- Duplicate or contradictory required/warning checker classifications fail
closed.
- Policy hash equals `sha256(canonical_json(policy_body))`.
- Compiler implementation reuses or consolidates through existing
`post_submit_policy.py` canonical body, hash, default-list, and locked-body
parsing helpers instead of reimplementing a second post-submit canonicalizer.
- Migration and ORM metadata persist source snapshot id/hash, compiler version,
lifecycle status, approval actor/role/time, derivation provenance, and
unsupported checker gaps without weakening existing policy locks.
- Migration and ORM metadata add explicit setup-run post-submit output/status
support.
- Compiler implementation must not introduce a reverse dependency from
`backend/app/modules/checkers/compiler.py` into project modules.
- The locked-body parser rejects bodies whose `default_checkers` are malformed
or inconsistent with `execution_checkers`; a locked body must also match the
frozen default-checker snapshot for its stamped `compiler_version`. Later
default-list constant changes therefore do not break older rows, but a v0.1
body cannot invent a different v0.1 default list.
- Existing runtime tests still pass.
- Docs describe the compiler boundary and default checker list.

Expand All @@ -117,7 +154,6 @@ arbitrary generated checker code execution
python3 scripts/check_stale_workstream_wording.py
python3 scripts/check_markdown_links.py
(cd backend && .venv/bin/pytest tests/test_projects.py tests/test_checkers.py -q)
(cd backend && .venv/bin/pytest tests/test_alembic.py -q)
git diff --check
```

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
# External Review Response: WS-POL-002-01

## Source

PR #87 external checks.

## Comments Addressed

### Backend CI failure

Status: addressed.

Finding:

- The Backend workflow failed in `tests/test_tasks.py` at
`test_screening_uses_persisted_post_submit_policy_body_after_default_drift`.
The test name and assertion did not reflect the final versioned compiler
contract for locked post-submit policy bodies.

Decision:

- The old expectation was stale under `WS-POL-002-01`. The compiler now stamps
`compiler_version` and the emitted default list into `policy_body`. Runtime
validates the locked body by supported compiler version, internal consistency,
and `policy_hash`, not by comparing old locked rows to today's mutable
`DEFAULT_DURABLE_CHECKERS` constant. Future default-list changes still require
explicit versioning or migration work and must not silently reinterpret old
locked bodies.

Fix:

- Renamed the test to
`test_screening_uses_versioned_post_submit_policy_body_after_default_drift`.
- Updated the assertion to expect `200` and verify that screening stamps the
persisted v0.1 policy body and hash after a later mutation to the current
default-checker constant.
- Added parser regression coverage for unsupported compiler versions and
self-consistent default-list drift that does not match the frozen v0.1
compiler snapshot.

Verification:

```bash
cd backend && .venv/bin/pytest tests/test_tasks.py::test_screening_uses_versioned_post_submit_policy_body_after_default_drift -q
cd backend && .venv/bin/ruff check tests/test_tasks.py
```

Results:

- Focused CI-fix test: 1 passed.
- Ruff: passed.

Internal post-fix review:

- QA/test: PASS.
- Test delta: PASS.

## External Check Status

- Backend, Agent Gates, and CodeRabbit passed on the previous push.
- This file now includes additional unpushed fixes for the versioned default
snapshot contract. GitHub Actions and CodeRabbit must rerun after this fix
push before the PR is considered externally clear.

## Comments Deferred

None.

## Human Decisions Needed

None before human merge review.

## Commands Rerun

```bash
cd backend && .venv/bin/pytest tests/test_tasks.py::test_screening_uses_versioned_post_submit_policy_body_after_default_drift -q
cd backend && .venv/bin/ruff check tests/test_tasks.py
```

## Remaining Risks

- External checks are pending rerun for this unpushed fix diff. Human merge
review is still required after the rerun is green.
Loading
Loading