pdurlej/kan-ductor

Fork 0

gemini(w4): transition history public-id consistency audit #121

New issue

Open

opened 2026-05-28 01:20:42 +02:00 by codex · 2 comments

codex commented

2026-05-28 01:20:42 +02:00

Collaborator

Parent: #2
Agent lane: Gemini 3.5 Flash
Wave: 4 / analytics foundation
Risk class: low

Goal

Ensure analytics read models never require internal DB IDs.

Context refs

docs/agent-mcp-contract.md transition history
AGENTS.md public ID rule

Scope

Inspect transition history and flow metric responses.
List any internal IDs returned or required as inputs.
Patch only clearly accidental exposure.

Acceptance

Report confirms public IDs for card/board/from/to list fields.
Internal IDs are not exposed in API/MCP responses.
Any discovered leak gets a focused follow-up.

Suggested checks

rg -n "fromListId|toListId|cardId|boardId|listId" packages/api packages/mcp apps/web

Non-goals / fences

Do not deploy, restart production, rotate secrets, or run production migrations.
Do not widen MCP write authority or public exposure.
Keep the change small enough for one focused PR or one scouting report.

Expected output

A short PR or issue comment with findings, touched files, tests run, and remaining risks.

Parent: #2 Agent lane: Gemini 3.5 Flash Wave: 4 / analytics foundation Risk class: low ## Goal Ensure analytics read models never require internal DB IDs. ## Context refs - `docs/agent-mcp-contract.md` transition history - `AGENTS.md` public ID rule ## Scope - Inspect transition history and flow metric responses. - List any internal IDs returned or required as inputs. - Patch only clearly accidental exposure. ## Acceptance - Report confirms public IDs for card/board/from/to list fields. - Internal IDs are not exposed in API/MCP responses. - Any discovered leak gets a focused follow-up. ## Suggested checks - `rg -n "fromListId|toListId|cardId|boardId|listId" packages/api packages/mcp apps/web` ## Non-goals / fences - Do not deploy, restart production, rotate secrets, or run production migrations. - Do not widen MCP write authority or public exposure. - Keep the change small enough for one focused PR or one scouting report. ## Expected output A short PR or issue comment with findings, touched files, tests run, and remaining risks.

codex added the

labels

2026-05-28 01:20:42 +02:00

codex commented

2026-06-03 10:18:35 +02:00

Author

Collaborator

Codex verification on current origin/main (966de964...): transition history and flow metrics external contracts already use public IDs in the read paths checked by #121.

Findings:

packages/api/src/routers/agent.ts#transitionHistoryOutputSchema exposes:
- activityPublicId
- card.publicId
- board.publicId
- fromList.publicId / toList.publicId
- source metadata (source, sourceRef, createdByKind, sensitivity)
getTransitionHistory maps repo rows into nested public-ID objects and does not return internal workspaceId, boardId, cardId, listId, fromListId, or toListId.
packages/mcp/src/client.ts#getTransitionHistory accepts workspacePublicId, boardPublicId, and cardPublicId; no internal IDs are required from MCP clients.
getFlowMetrics returns public IDs for completed cards and destination list (cardPublicId, toList.publicId).
Internal IDs appear in router/repository internals and tests, which is expected; they are not part of the output contract for these analytics read models.

Verification run:

pnpm --filter @kan/api exec vitest integration-tests/agent.integration.test.ts --run -t "returns create and move activity with stable list names and public IDs"

This passed and includes assertions for getTransitionHistory plus getFlowMetrics using public IDs. Recommendation: close #121 as satisfied by current main, unless we want an additional docs-only audit file for bookkeeping.

Codex verification on current `origin/main` (`966de964...`): transition history and flow metrics external contracts already use public IDs in the read paths checked by #121. Findings: - `packages/api/src/routers/agent.ts#transitionHistoryOutputSchema` exposes: - `activityPublicId` - `card.publicId` - `board.publicId` - `fromList.publicId` / `toList.publicId` - source metadata (`source`, `sourceRef`, `createdByKind`, `sensitivity`) - `getTransitionHistory` maps repo rows into nested public-ID objects and does not return internal `workspaceId`, `boardId`, `cardId`, `listId`, `fromListId`, or `toListId`. - `packages/mcp/src/client.ts#getTransitionHistory` accepts `workspacePublicId`, `boardPublicId`, and `cardPublicId`; no internal IDs are required from MCP clients. - `getFlowMetrics` returns public IDs for completed cards and destination list (`cardPublicId`, `toList.publicId`). - Internal IDs appear in router/repository internals and tests, which is expected; they are not part of the output contract for these analytics read models. Verification run: ```bash pnpm --filter @kan/api exec vitest integration-tests/agent.integration.test.ts --run -t "returns create and move activity with stable list names and public IDs" ``` This passed and includes assertions for `getTransitionHistory` plus `getFlowMetrics` using public IDs. Recommendation: close #121 as satisfied by current main, unless we want an additional docs-only audit file for bookkeeping.

Iskra commented

2026-06-18 03:08:29 +02:00

Collaborator

Iskra judgment

Field	Value
Target	`pdurlej/kan-ductor#issue#121`
Priority	p2
Action	observe
Scores	reach 4 / impact 4 / confidence 5
Piotr fit	high
Effort	small
Labels	`judge/p2`
Judge	`iskra` via `openclaw`

Rationale: This is P2 observe-first analytics and privacy hygiene because read models should be useful to agents without exposing or requiring internal database IDs.

Caveat: Patch only clearly accidental internal-ID exposure and file focused follow-ups for broader analytics contract changes.

Structured openclaw.judge.v0 payload

<!-- openclaw.judge.v0 -->
{
  "confidence": 5,
  "effort_hint": "small",
  "escalation": {
    "kind": "none",
    "reason": ""
  },
  "evidence_refs": [
    {
      "note": "Issue scopes an audit of transition history and flow metric responses for public-ID consistency.",
      "type": "forgejo",
      "value": "issue-title-body-labels-and-target-snapshot"
    },
    {
      "note": "Body requires confirming public IDs for card, board, from-list, and to-list fields while preventing internal ID exposure.",
      "type": "forgejo",
      "value": "issue-body-scope-and-acceptance"
    },
    {
      "note": "Body fences the work away from production deploys, migrations, authority widening, and exposure changes.",
      "type": "forgejo",
      "value": "issue-body-non-goals"
    }
  ],
  "impact": 4,
  "judge_actor": {
    "name": "iskra",
    "runtime": "openclaw"
  },
  "judged_at": "2026-06-18T01:07:00Z",
  "labels_to_apply": [
    "judge/p2"
  ],
  "piotr_fit": "high",
  "priority": "p2",
  "rationale_summary": "This is P2 observe-first analytics and privacy hygiene because read models should be useful to agents without exposing or requiring internal database IDs.",
  "reach": 4,
  "recommended_next_action": "observe",
  "rerun_reason": "no_prior_judgment",
  "schema": "openclaw.judge.v0",
  "target": {
    "kind": "issue",
    "number": 121,
    "repo": "pdurlej/kan-ductor"
  },
  "target_snapshot": {
    "body_hash": "sha256:ee3bc41419ee9f9d480373ff281478fd0e69477cbd97d0b6e5ab50963204ee38",
    "commit_count": null,
    "evidence_hash": "sha256:8018dda91ea85efc4418c5dbb627d7f19ae3a30fefa410405c198b8abb259dc7",
    "head_sha": null,
    "labels": [
      "analytics",
      "api",
      "gemini-flash",
      "priority:p2",
      "scout",
      "small-task"
    ],
    "labels_hash": "sha256:32d5822f172fce98b466290c0c9dd0a06dcb2606d3f484bf96e5dd05c4b3b37e",
    "state": "open",
    "title_hash": "sha256:1356ce56dce9d78298ffdaeaf444d459203263462f5fb3f099921a477645286d",
    "updated_at": "2026-06-03T10:18:35+02:00"
  },
  "top_caveat": "Patch only clearly accidental internal-ID exposure and file focused follow-ups for broader analytics contract changes."
}
<!-- /openclaw.judge.v0 -->

### Iskra judgment | Field | Value | | --- | --- | | Target | `pdurlej/kan-ductor#issue#121` | | Priority | p2 | | Action | observe | | Scores | reach 4 / impact 4 / confidence 5 | | Piotr fit | high | | Effort | small | | Labels | `judge/p2` | | Judge | `iskra` via `openclaw` | **Rationale:** This is P2 observe-first analytics and privacy hygiene because read models should be useful to agents without exposing or requiring internal database IDs. **Caveat:** Patch only clearly accidental internal-ID exposure and file focused follow-ups for broader analytics contract changes. <details> <summary>Structured openclaw.judge.v0 payload</summary> ```json  { "confidence": 5, "effort_hint": "small", "escalation": { "kind": "none", "reason": "" }, "evidence_refs": [ { "note": "Issue scopes an audit of transition history and flow metric responses for public-ID consistency.", "type": "forgejo", "value": "issue-title-body-labels-and-target-snapshot" }, { "note": "Body requires confirming public IDs for card, board, from-list, and to-list fields while preventing internal ID exposure.", "type": "forgejo", "value": "issue-body-scope-and-acceptance" }, { "note": "Body fences the work away from production deploys, migrations, authority widening, and exposure changes.", "type": "forgejo", "value": "issue-body-non-goals" } ], "impact": 4, "judge_actor": { "name": "iskra", "runtime": "openclaw" }, "judged_at": "2026-06-18T01:07:00Z", "labels_to_apply": [ "judge/p2" ], "piotr_fit": "high", "priority": "p2", "rationale_summary": "This is P2 observe-first analytics and privacy hygiene because read models should be useful to agents without exposing or requiring internal database IDs.", "reach": 4, "recommended_next_action": "observe", "rerun_reason": "no_prior_judgment", "schema": "openclaw.judge.v0", "target": { "kind": "issue", "number": 121, "repo": "pdurlej/kan-ductor" }, "target_snapshot": { "body_hash": "sha256:ee3bc41419ee9f9d480373ff281478fd0e69477cbd97d0b6e5ab50963204ee38", "commit_count": null, "evidence_hash": "sha256:8018dda91ea85efc4418c5dbb627d7f19ae3a30fefa410405c198b8abb259dc7", "head_sha": null, "labels": [ "analytics", "api", "gemini-flash", "priority:p2", "scout", "small-task" ], "labels_hash": "sha256:32d5822f172fce98b466290c0c9dd0a06dcb2606d3f484bf96e5dd05c4b3b37e", "state": "open", "title_hash": "sha256:1356ce56dce9d78298ffdaeaf444d459203263462f5fb3f099921a477645286d", "updated_at": "2026-06-03T10:18:35+02:00" }, "top_caveat": "Patch only clearly accidental internal-ID exposure and file focused follow-ups for broader analytics contract changes." }  ``` </details>

Iskra added the

judge/p2

label

2026-06-18 03:08:29 +02:00