pdurlej/kan-ductor
1
0
Fork 0
Code Issues 42 Pull requests Projects Releases Packages Wiki Activity Actions

feat(cockpit): preserve trust metadata in snapshots #156

Merged
pdurlej merged 1 commit from codex/cockpit-trust-metadata into main 2026-06-03 19:42:22 +02:00
Conversation 0 Commits 1 Files changed 5 +266
codex commented 2026-06-03 10:35:02 +02:00
Collaborator
Copy link

Fixes #83.

Canary status: missing — request review before merge if this is treated as cockpit contract-sensitive.

Summary

  • Adds optional trust metadata to operational snapshot items: actor, source channel, evidence class, operator approval, confidence, and opaque source ref.
  • Preserves that metadata through submitOperationalSnapshot instead of stripping nested item fields.
  • Shows compact safe trust badges in Cockpit Lite while deliberately not rendering raw trust.sourceRef.
  • Documents the trust block in the operational cockpit contract and JSON schema.

Scope

Operational Cockpit v0 contract/API/UI only. No storage migration: snapshots are already JSON payloads in the existing operational snapshot table.

Non-goals

  • No production deploy or runtime producer changes.
  • No raw Signal/path/source ref display in the default UI.
  • No new trust authority or approval workflow.
  • No database migration, token change, or Infisical change.

Spec sources read

  • #83
  • docs/operational-cockpit-contract.md
  • docs/contracts/operational-snapshot.v0.schema.json
  • packages/api/src/routers/agent.ts
  • apps/web/src/views/settings/OperationalCockpitSettings.tsx

Tests / smoke

pnpm --filter @kan/api test -- src/routers/agent.test.ts -t "preserves operational snapshot trust metadata"
pnpm --filter @kan/api test -- src/routers/agent.test.ts
pnpm --filter @kan/api typecheck
pnpm exec prettier --check packages/api/src/routers/agent.ts packages/api/src/routers/agent.test.ts apps/web/src/views/settings/OperationalCockpitSettings.tsx docs/contracts/operational-snapshot.v0.schema.json docs/operational-cockpit-contract.md

Known existing debt:

pnpm exec eslint src/views/settings/OperationalCockpitSettings.tsx

remains red on pre-existing typed-router/project-service lint debt in that file. This PR adds to the file but does not broaden the underlying generated API inference issue.

Rollback

Revert this commit. Existing snapshots without trust remain valid; future submitted trust blocks would again be stripped from nested items.

Owner gates

None for merge. Production deploy remains a separate owner-gated action.

Fixes #83. Canary status: missing — request review before merge if this is treated as cockpit contract-sensitive. ## Summary - Adds optional `trust` metadata to operational snapshot items: actor, source channel, evidence class, operator approval, confidence, and opaque source ref. - Preserves that metadata through `submitOperationalSnapshot` instead of stripping nested item fields. - Shows compact safe trust badges in Cockpit Lite while deliberately not rendering raw `trust.sourceRef`. - Documents the trust block in the operational cockpit contract and JSON schema. ## Scope Operational Cockpit v0 contract/API/UI only. No storage migration: snapshots are already JSON payloads in the existing operational snapshot table. ## Non-goals - No production deploy or runtime producer changes. - No raw Signal/path/source ref display in the default UI. - No new trust authority or approval workflow. - No database migration, token change, or Infisical change. ## Spec sources read - #83 - `docs/operational-cockpit-contract.md` - `docs/contracts/operational-snapshot.v0.schema.json` - `packages/api/src/routers/agent.ts` - `apps/web/src/views/settings/OperationalCockpitSettings.tsx` ## Tests / smoke ```bash pnpm --filter @kan/api test -- src/routers/agent.test.ts -t "preserves operational snapshot trust metadata" pnpm --filter @kan/api test -- src/routers/agent.test.ts pnpm --filter @kan/api typecheck pnpm exec prettier --check packages/api/src/routers/agent.ts packages/api/src/routers/agent.test.ts apps/web/src/views/settings/OperationalCockpitSettings.tsx docs/contracts/operational-snapshot.v0.schema.json docs/operational-cockpit-contract.md ``` Known existing debt: ```bash pnpm exec eslint src/views/settings/OperationalCockpitSettings.tsx ``` remains red on pre-existing typed-router/project-service lint debt in that file. This PR adds to the file but does not broaden the underlying generated API inference issue. ## Rollback Revert this commit. Existing snapshots without `trust` remain valid; future submitted `trust` blocks would again be stripped from nested items. ## Owner gates None for merge. Production deploy remains a separate owner-gated action.
feat(cockpit): preserve trust metadata in snapshots (#83)
All checks were successful
Forgejo CI / verify (pull_request) Successful in 40s
Details
fb8e88994c
pdurlej deleted branch codex/cockpit-trust-metadata 2026-06-03 19:42:22 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
3plus3-followup
Surfaced by Codex 3+3 review during chain merge 2026-05-10

  
agent/claude-code
Vistula actor: Claude Code.

  
agent/codex
Vistula actor: Codex.

  
agent/hermes
Vistula actor: Hermes Upstream.

  
agent/iskra
Vistula actor: Iskra.

  
agent/ollama
Vistula actor: Ollama or compatible model.

  
agent/patchwarden
Vistula actor: Patchwarden.

  
analytics
Analytics/read-model task

  
api
API/router contract task

  
cockpit
Operational cockpit task

  
dependency/blocked
Vistula dependency state: blocked.

  
dependency/blocks-others
Vistula dependency state: blocks other work.

  
dependency/cross-repo
Vistula dependency scope: cross-repository.

  
dependency/needs-confirmation
Vistula dependency state: needs confirmation.

  
docs
Documentation-only or docs-heavy task

  
domain:agents
Agent identity, delegation, subagents, routing, or workflows.

  
domain:ci
CI, checks, Actions, runners, or release automation.

  
domain:docs
Documentation, packets, practices, or source-of-truth text.

  
domain:forgejo
Forgejo issues, PRs, labels, repo settings, or identity.

  
domain:infra
Infrastructure, storage, backup, DNS, network, or host substrate.

  
domain:memory
Memory, recall, write gates, salience, or Honcho-adjacent behavior.

  
domain:runtime
Runtime services, deploys, daemons, timers, or live behavior.

  
domain:signal
Signal UX, delivery, context, or outbound behavior.

  
domain:ux
Product UX, operator experience, or conversation ergonomics.

  
flow/architecture
Vistula lifecycle: architecture phase in progress.

  
flow/blocked
Vistula lifecycle: blocked on dependency or decision.

  
flow/deployed
Vistula lifecycle: deployed to runtime where applicable.

  
flow/done
Vistula lifecycle: work merged or otherwise done.

  
flow/implementation
Vistula lifecycle: implementation phase in progress.

  
flow/intake
Vistula lifecycle: incoming signal not refined yet.

  
flow/maintained
Vistula lifecycle: maintained/steady state.

  
flow/observed
Vistula lifecycle: observed after delivery.

  
flow/ready
Vistula lifecycle: ready for architecture or implementation.

  
flow/refining
Vistula lifecycle: Hermes/spec refinement in progress.

  
flow/retired
Vistula lifecycle: retired or intentionally closed.

  
flow/review
Vistula lifecycle: review phase in progress.

  
gemini-flash
Small autonomous task suitable for Gemini 3.5 Flash

  
judge/codex-candidate
Candidate for Codex implementation.

  
judge/hermes-candidate
Candidate for Hermes discovery/research.

  
judge/low-confidence
Judgment confidence is low.

  
judge/needs-refinement
Needs clearer evidence or scope.

  
judge/operator-needed
Needs Piotr decision or input.

  
judge/p0
Urgent, operator attention or unblock now.

  
judge/p1
High value, schedule soon.

  
judge/p2
Useful, normal queue.

  
judge/p3
Low priority, keep but do not chase.

  
judge/park
Parked from current attention.

  
judge/patchwarden-candidate
Needs Patchwarden merge-safety attention.

  
judge/stale-priority
Existing priority judgment appears stale.

  
kind/adr
Vistula work kind: architecture decision record.

  
kind/bug
Vistula work kind: bug fix.

  
kind/chore
Vistula work kind: chore.

  
kind/feature
Vistula work kind: feature.

  
kind/infra
Vistula work kind: infrastructure.

  
kind/ops
Vistula work kind: operations.

  
kind/refactor
Vistula work kind: refactor.

  
kind/research
Vistula work kind: research/discovery.

  
leviathan
Swarmheart/Leviathan projection task

  
mcp
MCP tool/contract task

  
merge/auto
Vistula merge mode: automated merge.

  
merge/manual
Vistula merge mode: manual merge.

  
merge/manual-dependency-conflict
Manual merge reason: dependency conflict.

  
merge/manual-failing-tests
Manual merge reason: failing tests.

  
merge/manual-merge-conflict
Manual merge reason: merge conflict.

  
merge/manual-missing-review
Manual merge reason: missing review.

  
merge/manual-operator-preference
Manual merge reason: operator preference.

  
merge/manual-red-zone
Manual merge reason: red-zone risk.

  
merge/manual-security-sensitive
Manual merge reason: security-sensitive work.

  
merge/manual-unclear-scope
Manual merge reason: unclear scope.

  
merge/manual-unknown
Manual merge reason: unknown.

  
mode:operator-only
Apply step requires explicit operator approval.

  
mode:patchwarden-iskra-approved
Work eligible for Patchwarden/Iskra approval inside repo policy.

  
mode:safe-auto
Low-risk work eligible for lightweight autonomous handling.

  
observed/erroring
Vistula observation: erroring.

  
observed/needs-followup
Vistula observation: needs follow-up.

  
observed/pending
Vistula observation: pending.

  
observed/retire-candidate
Vistula observation: retire candidate.

  
observed/unused
Vistula observation: unused.

  
observed/used
Vistula observation: used.

  
ops
Operational runbook/health/deploy task

  
priority:p0
Critical: security, scope, data integrity. Blocks production trust.

  
priority:p1
Important next wave, bounded risk.

  
priority:p2
Useful but not immediate blocker

  
priority:p3
Opportunistic cleanup, research, or backlog work.

  
review:claude-reviewed
Reviewed by Claude-family agent.

  
review:codex-reviewed
Reviewed by Codex-family agent.

  
review:dziadek-reviewed
Reviewed by Dziadek pinch-point reviewer.

  
review:needs-human
Needs human review before merge or apply.

  
safety
Safety/audit/redaction/least-privilege task

  
safety:external-write
May write to external systems, users, rooms, repos, or services.

  
safety:no-prod-mutation
Must not mutate production or live external state.

  
safety:prod-impact
May affect production/runtime behavior.

  
safety:secret-touch
Touches secrets, credentials, auth, or secret-adjacent config.

  
scout
Repository investigation or gap mapping

  
security
Security/scope/exposure concern

  
size/large
Vistula size: large.

  
size/medium
Vistula size: medium.

  
size/small
Vistula size: small.

  
size/tiny
Vistula size: tiny.

  
size/unknown
Vistula size: not classified yet.

  
small-task
Narrow task, expected to fit one focused PR/comment

  
source/adr
Vistula source: ADR.

  
source/agent-generated
Vistula source: agent generated.

  
source/manual
Vistula source: manual entry.

  
source/operator-chat
Vistula source: operator chat.

  
source/voice-note
Vistula source: voice note.

  
status:blocked
Blocked by missing dependency, evidence, access, or operator decision.

  
status:codex-ready
Ready for a Codex implementation pass.

  
status:merged:pending-evidence
Merged but waiting for live or artifact evidence before closure.

  
status:needs-evidence
Needs proof, logs, tests, or operator-visible evidence.

  
status:operator-needed
Requires explicit operator input before safe progress.

  
status:parked
Intentionally deferred; not active campaign work.

  
tests
Regression or smoke test task

  
tier:0-platform-substrate
Data, secrets, backup, storage, or critical platform substrate.

  
tier:1-iskra-value-layer
Iskra/OpenClaw behavior, memory, runtime, or value-layer work.

  
tier:2-tools-products-modules
Tools, products, modules, experiments, and lower-blast-radius work.

  
type:bug
Incorrect behavior or regression.

  
type:chore
Maintenance, cleanup, metadata, or operational task.

  
type:docs
Documentation-only work.

  
type:feat
New capability or product behavior.

  
type:policy
Governance, protocol, boundary, or decision-contract change.

  
type:research
Investigation, spike, or evidence-gathering task.

  
ui
User interface task

No labels
3plus3-followup
agent/claude-code
agent/codex
agent/hermes
agent/iskra
agent/ollama
agent/patchwarden
analytics
api
cockpit
dependency/blocked
dependency/blocks-others
dependency/cross-repo
dependency/needs-confirmation
docs
domain:agents
domain:ci
domain:docs
domain:forgejo
domain:infra
domain:memory
domain:runtime
domain:signal
domain:ux
flow/architecture
flow/blocked
flow/deployed
flow/done
flow/implementation
flow/intake
flow/maintained
flow/observed
flow/ready
flow/refining
flow/retired
flow/review
gemini-flash
judge/codex-candidate
judge/hermes-candidate
judge/low-confidence
judge/needs-refinement
judge/operator-needed
judge/p0
judge/p1
judge/p2
judge/p3
judge/park
judge/patchwarden-candidate
judge/stale-priority
kind/adr
kind/bug
kind/chore
kind/feature
kind/infra
kind/ops
kind/refactor
kind/research
leviathan
mcp
merge/auto
merge/manual
merge/manual-dependency-conflict
merge/manual-failing-tests
merge/manual-merge-conflict
merge/manual-missing-review
merge/manual-operator-preference
merge/manual-red-zone
merge/manual-security-sensitive
merge/manual-unclear-scope
merge/manual-unknown
mode:operator-only
mode:patchwarden-iskra-approved
mode:safe-auto
observed/erroring
observed/needs-followup
observed/pending
observed/retire-candidate
observed/unused
observed/used
ops
priority:p0
priority:p1
priority:p2
priority:p3
review:claude-reviewed
review:codex-reviewed
review:dziadek-reviewed
review:needs-human
safety
safety:external-write
safety:no-prod-mutation
safety:prod-impact
safety:secret-touch
scout
security
size/large
size/medium
size/small
size/tiny
size/unknown
small-task
source/adr
source/agent-generated
source/manual
source/operator-chat
source/voice-note
status:blocked
status:codex-ready
status:merged:pending-evidence
status:needs-evidence
status:operator-needed
status:parked
tests
tier:0-platform-substrate
tier:1-iskra-value-layer
tier:2-tools-products-modules
type:bug
type:chore
type:docs
type:feat
type:policy
type:research
ui
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
pdurlej/kan-ductor!156
No description provided.