Files
stack/docs/scratchpads/753-kbn010-threat-gate.md
jason.woltje 2e2280070a
All checks were successful
ci/woodpecker/push/publish Pipeline was successful
ci/woodpecker/push/ci Pipeline was successful
docs(#753): clear KBN-010 threat and schema gate (#765)
2026-07-14 21:46:44 +00:00

11 KiB

Issue #753 — KBN-010 threat, authorization, and constraint-impact gate

Objective

Complete the mandatory threat/auth/constraint-impact analysis that gates KBN-100 schema implementation.

Scope

  • In: threat matrix, frozen-control mapping, schema/API/test impact inventory, security evidence plan.
  • Out: runtime, schema, migration, API, dependency, CI, deployment, and secret changes.
  • Canonical requirements: docs/requirements/native-kanban-sot.md.
  • Frozen contract: docs/native-kanban-sot/SHARED-CONTRACT.md and contracts/*.v1.ts.
  • Tracking: Mosaic Stack issue #753.

Plan

  1. Independently inspect current-main implementation and frozen canon.
  2. Enumerate tenant, identity, health-proof, approval, fencing, proposal, audit, token, and outage threats.
  3. Map every threat to required constraints, command behavior, negative tests, and owning future slice.
  4. Surface any unresolved schema impact as a blocker; do not silently amend the frozen contract.
  5. Run documentation/static validation and submit for independent SecReview.

Execution log

  • 2026-07-14: KBN-000 completed through PR #752 and post-merge pipeline #1798.
  • 2026-07-14: KBN-010 issue #753 created; task marked in progress; fresh GPT worker pending dispatch.

Verification evidence

Pending worker validation, independent SecReview, Ultron gate, PR merge, post-merge CI, and issue closure.

2026-07-14 worker analysis checkpoint

  • Inspected issue #753, canonical requirements, all frozen v1 contracts, and actual origin/main at 49e8a54 across DB schema, Better Auth scope, project/task/mission/team repositories/controllers, fleet backlog, and TASKS.md parsing/writing.
  • Confirmed the worker branch has no source/runtime/schema delta from origin/main; orchestrator-owned .mosaic state remains dirty and untouched.
  • Authored the threat, authorization, constraint-impact, negative-test, and requirements-traceability analysis in docs/native-kanban-sot/KBN-010-THREAT-AUTH-CONSTRAINT-GATE.md.
  • Gate decision: BLOCKED by KBN010-SI-001. missionsV1 lacks a unique candidate key on (workspace_id, id), while artifacts_workspace_mission_fk and approval_decisions_workspace_mission_fk both reference that exact pair. PostgreSQL cannot create the frozen composite foreign keys as declared.
  • Decision: do not select or apply a schema fix. Contract authority must version either a (workspace_id, id) mission candidate key or project-congruent child keys, then obtain independent re-review before KBN-100.
  • Additional risks are controlled by frozen transaction/API behavior but require the exact future negative tests cataloged in the deliverable, especially active membership, service-token revocation, same-workspace semantic evidence checks, no-oracle behavior, and serialized parent/DAG cycle checks.
  • OpenBrain startup recall was attempted but unavailable because /home/hermes/.config/mosaic/credentials.json is absent; no project state was written to an alternate memory silo.
  • TDD: not applicable; this slice changes documentation/test-plan analysis only and implements no runtime behavior.

Validation log

  • pnpm exec prettier --check docs/native-kanban-sot/KBN-010-THREAT-AUTH-CONSTRAINT-GATE.md docs/scratchpads/753-kbn010-threat-gate.md — PASS.
  • Changed-doc link validator — PASS (relative_links=0, one external issue link); curl -fsSIL https://git.mosaicstack.dev/mosaicstack/stack/issues/753 — PASS.
  • The first inline link-validator invocation had a Python f-string syntax error; corrected once and rerun successfully without changing the deliverable.
  • pnpm format:check — PASS.
  • pnpm lint — PASS (23 tasks successful).
  • pnpm typecheck — PASS (42 tasks successful).
  • pnpm exec tsc -p docs/native-kanban-sot/tsconfig.json --noEmit — PASS.
  • Scoped diff review — PASS: authored delta is limited to the exclusive deliverable and this scratchpad; no runtime/schema/config/dependency/CI/deployment file is changed, and docs/native-kanban-sot/TASKS.md has no worker worktree delta from tracking commit 9b55de0.
  • Independent SecReview remains pending and cannot return PASS until contract authority resolves KBN010-SI-001.
  • Final formatting/diff/test-ID completeness review — PASS (all catalog prefixes contiguous with no duplicate IDs).
  • Remaining: scoped commit, queue guard, and push.

2026-07-14 KBN010-SI-001 contract-authority amendment

  • Authority: web1:mosaic-100 directed the minimal rc.4 amendment under issue #753: add a non-partial unique candidate key on missions(workspace_id, id) while retaining global missions.id uniqueness and the project-congruent (workspace_id, project_id, id) key.
  • Rationale: artifacts and approval decisions are polymorphic exactly-one-target records and do not consistently carry project_id; widening both children would broaden frozen v1 semantics without improving tenant safety.
  • Plan: amend only the frozen schema contract and shared contract, freeze exact DDL ordering and future migration negatives, run scoped/full validation and independent review, then commit and push without opening/merging a PR or closing #753.
  • TDD: not applicable because this is a design-contract amendment with no runtime schema or migration implementation; rc.4 freezes future executable empty/prod/N-1/rollback/foreign-workspace and duplicate-key-feasibility tests.
  • Budget: no explicit cap supplied; use a 20K-equivalent soft working cap and one bounded worker lane.
  • Read-only #757 boundary: PR #757 adds separate logical-agent connector lease/CAS fencing (logical_agent_connector_leases.lease_epoch) in runtime schema and connector contracts. SI-001 changes only the frozen mission candidate key; it does not consume, alter, or reinterpret connector fencing, task fencing, lease authority, or #757 ownership.

Amendment verification evidence

  • Frozen schema: added exactly one non-partial missions_workspace_id_uidx on (workspace_id, id); retained the global id primary key and missions_workspace_project_id_uidx on (workspace_id, project_id, id).
  • FK reconciliation: targeted static checks prove the candidate key precedes both artifacts_workspace_mission_fk and approval_decisions_workspace_mission_fk; each continues to reference exact ordered columns (workspace_id, mission_id)missions(workspace_id, id) with RESTRICT deletion.
  • Shared contract: candidate version is 1.0.0-rc.4; authority, rationale, exact effect/non-effect, candidate-before-FK DDL order, duplicate feasibility, empty/prod/N-1/rollback/foreign-workspace future tests, and unchanged KCR/SOT/tenant/proposal/fencing/no-cascade invariants are explicit.
  • Changed-file Prettier, contract ESLint, pnpm exec tsc -p docs/native-kanban-sot/tsconfig.json, and targeted SI-001 static checks — PASS.
  • Full pnpm format:check && pnpm lint && pnpm typecheck — PASS (23 lint tasks and 42 typecheck/build tasks).
  • Independent Codex security review — PASS, zero critical/high/medium/low findings; tenant isolation is preserved.
  • Independent Codex code review confirmed the candidate key repairs both FK targets and reported no blocker on the authorized delta. Its initial request to rewrite the historical KBN-010 verdict conflicts with the exclusive scope and was resolved by documenting the immutable-evidence boundary in rc.4; its remaining finding concerns pre-existing live .mosaic session files, which are untouched and excluded from this commit.
  • Scoped diff: only the two frozen contract files and this append-only scratchpad amendment are staged for delivery; no runtime schema, migration, task plan, gate verdict, provider artifact, or #757-owned file is included.

2026-07-14 final rc.4 KBN-010 disposition

  • Control-plane direction authorized final disposition edits only to docs/native-kanban-sot/KBN-010-THREAT-AUTH-CONSTRAINT-GATE.md and this append-only scratchpad; contract author web1:kbn-contract remained idle and undisturbed.
  • Exact reviewed contract object: commit 3f6a3387b419eb99453ee10dd25ba888faaab0b5, tree 7ebab8fa530a7180036928cea9527f808548aa14.
  • Corroborating review identities: full-index SHA-256 6b40a76265c4f3e6d1d30a7f262a2dd16e0d51997e99c146b59f527e6524cd42; stable patch-id 058cf98026fcd1043703c866aee047c8bb144740. A command-rendered patch digest varied by Git rendering command/options and is non-authoritative; commit+tree+exact file content are canonical.
  • Independent Homelab non-author schema/security review verdict: APPROVE. It confirmed the rc.4 missions_workspace_id_uidx(workspace_id,id) repairs both dependent FKs while retaining the global PK and project-congruent key; tenant, polymorphic exactly-one-target, RESTRICT/no-cascade, N-1/rollback semantics remain valid.
  • Read-only #757 cross-check: no shared table, index, FK, identity, fence, or authority collision with connector lease/CAS fencing.
  • Final KBN-010 gate decision: PASS / GO at rc.4 with UNRESOLVED SCHEMA IMPACTS equal to exact none. Historical SI-001 detection remains in the gate document as evidence that rc.3 was invalid.
  • No runtime schema/migration/API/config/dependency/CI/deployment implementation is claimed. KBN-100 must still implement candidate-before-dependent-FK ordering, duplicate feasibility, empty/prod/N-1/rollback evidence, exact FK reconciliation, and separate artifact/approval foreign-workspace negatives (N100-45..50).
  • TDD remains not applicable because this continuation changes only documentation/evidence disposition and no runtime behavior.
  • Remaining orchestrator-owned sequence: worker validation/commit/push → PR open/update → Ultron review → squash merge → terminal-green post-main CI → close #753 → release KBN-100. KBN-100 is not released earlier.

Final worker validation

  • Changed-doc Prettier and link checks — PASS; issue #753 external link returned successfully.
  • Static future-test catalog check — PASS: all prefixes are individually enumerated, contiguous, and duplicate-free; N100 now spans N100-01..50.
  • rc.4 disposition assertions — PASS: gate status PASS/GO, frozen target rc.4, exact none unresolved section, independent APPROVE, review identities, and N100-50 are present.
  • Review identity reproduction — PASS: commit tree 7ebab8fa530a7180036928cea9527f808548aa14, full-index SHA-256 6b40a76265c4f3e6d1d30a7f262a2dd16e0d51997e99c146b59f527e6524cd42, and stable patch-id 058cf98026fcd1043703c866aee047c8bb144740 match.
  • rc.4 frozen-contract static check — PASS: the candidate key is unique in the declaration and precedes both dependent FKs; frozen contract files remain byte-identical to commit 3f6a3387b419eb99453ee10dd25ba888faaab0b5.
  • pnpm exec tsc -p docs/native-kanban-sot/tsconfig.json --noEmit — PASS.
  • pnpm format:check — PASS.
  • pnpm lint — PASS (23 tasks successful).
  • pnpm typecheck — PASS (42 tasks successful).
  • Scoped diff — PASS: only the gate document and this scratchpad are authored changes; contracts, TASKS, requirements, runtime/schema/migration/config/dependency/CI/deployment and #757-owned files are unchanged. Live .mosaic session state remains untouched and excluded.
  • Remaining worker steps: final formatting/scoped staging, commit docs(#753): clear KBN-010 schema gate, queue guard, push, and control-plane notification.