feat(platformctl): persist apply status artifacts #166

Merged

pdurlej merged 1 commit from codex/issues/142-apply-evidence-artifacts into codex/issues/142-apply-compose-execution

2026-05-12 01:29:11 +02:00

codex commented

2026-05-10 23:28:50 +02:00

Collaborator

Canary status: missing — fire canary 3+3 manually before merge

Canary Context Pack

Product story

Apply results must be inspectable after a job finishes; otherwise the operator only has expiring logs and screenshots.

What changed

Added atomic .platform/state/modules/<module>.status.json write for no-op, applied, and remote-failed results.
Ignored .platform/state/ in git.
Added tests for status artifact contents and redaction preservation.

Why it changed

PR #160 review flagged that observed/apply evidence could be hidden in expiring artifacts.

Files touched

.gitignore
control-plane/platformctl/apply.py
control-plane/platformctl/tests/test_apply_phase3.py

Relevant context

Stacked after compose execution split.

Runtime evidence

No live runtime mutation. Local tests validate artifact writes under a temp state root.

Known constraints

This writes local job/worktree artifacts only; upload wiring is in the next split.

Explicit out-of-scope

Forgejo Actions artifact upload and workflow token wiring.

Requested decision

Approve durable local apply evidence surface.

Merge blockers

Any raw secret output written to status artifacts, non-atomic writes, or missing failure evidence.

Spec sources read

AGENTS.md — evidence/canary expectations.
.gitignore — local state ignore policy.
control-plane/platformctl/apply.py — status artifact writer.
control-plane/platformctl/tests/test_apply_phase3.py — tests.

Refs #142
Supersedes part of #160

Canary status: missing — fire canary 3+3 manually before merge ## Canary Context Pack ### Product story Apply results must be inspectable after a job finishes; otherwise the operator only has expiring logs and screenshots. ### What changed - Added atomic `.platform/state/modules/<module>.status.json` write for no-op, applied, and remote-failed results. - Ignored `.platform/state/` in git. - Added tests for status artifact contents and redaction preservation. ### Why it changed PR #160 review flagged that observed/apply evidence could be hidden in expiring artifacts. ### Files touched - `.gitignore` - `control-plane/platformctl/apply.py` - `control-plane/platformctl/tests/test_apply_phase3.py` ### Relevant context Stacked after compose execution split. ### Runtime evidence No live runtime mutation. Local tests validate artifact writes under a temp state root. ### Known constraints This writes local job/worktree artifacts only; upload wiring is in the next split. ### Explicit out-of-scope Forgejo Actions artifact upload and workflow token wiring. ### Requested decision Approve durable local apply evidence surface. ### Merge blockers Any raw secret output written to status artifacts, non-atomic writes, or missing failure evidence. ## Spec sources read - `AGENTS.md` — evidence/canary expectations. - `.gitignore` — local state ignore policy. - `control-plane/platformctl/apply.py` — status artifact writer. - `control-plane/platformctl/tests/test_apply_phase3.py` — tests. Refs #142 Supersedes part of #160

codex added 1 commit

2026-05-10 23:28:50 +02:00

feat(platformctl): persist apply status artifacts

canary-required / collect-diff (pull_request) Successful in 4s

Details

pyfallow / Pyfallow gate (control-plane) (pull_request) Successful in 16s

Details

python-ci / Python 3.11 (pull_request) Successful in 43s

Details

python-ci / Python 3.12 (pull_request) Successful in 45s

Details

python-ci / Python 3.13 (pull_request) Successful in 44s

Details

canary-required / canary (pull_request) Successful in 12s

Details

76a67a0e1e

codex added the

class/security-sensitive

phase/03

risk/process

risk/runtime

labels

2026-05-10 23:28:51 +02:00

codex referenced this pull request

2026-05-10 23:29:31 +02:00

feat(platformctl): implement approved apply path #160

codex referenced this pull request

2026-05-10 23:29:31 +02:00

[coordination-lane] Cutover Flight Phase 2: v2 catalog to gate #142

codex commented

2026-05-11 00:58:39 +02:00

Author

Collaborator

Ralph review (5-iter chmurowy) — ITERATE_BLOCKER 4/9

Niezależny 5-iter ralph chain. Verdict + drafted patches poniżej.

Per-dim scoring

Correctness: 3/9
Security: 2/9 ⚠️ (path traversal)
Observability: 5/9
Test coverage: 7/9
Scope discipline: 8/9

Evidence: ~/Iskra-i-Piotr/05 System/Swarmheart Backups/ralph-phase3-apply/166/.

BLOCKER 1 — Sanitize `module` input (path traversal)

WHAT: _write_status_artifact linia 290-292: module = result.get("module") or plan.get("module"). Sprawdza only non-empty string. Then linia 310: target = state_root / "modules" / f"{module}.status.json" — Path's / operator joins without sanitization.

WHY: Trivial path traversal:

plan = {"module": "../../../etc/passwd", ...}
# state_root / "modules" / "../../../etc/passwd.status.json"
# → /etc/passwd.status.json

Apply z malicious plan może write status artifacts anywhere on filesystem. Combined z linia 311 target.parent.mkdir(parents=True), attacker creates dirs anywhere.

HOW (drafted patch w apply.py linie 284-315):

# Add to top of apply.py:
import re

_MODULE_ID_RE = re.compile(r"^[a-zA-Z0-9_-]+$")


def _write_status_artifact(
    result: dict,
    plan: dict,
    *,
    state_root: Path,
) -> Path:
    """Write apply status artifact for a module.

    SECURITY (ralph #166 BLOCKER 1): validate module against safe pattern
    to prevent path traversal via crafted plan["module"] field.
    """
    module = result.get("module") or plan.get("module")
    if not isinstance(module, str) or not module:
        raise ValueError("cannot write apply status without module id")

    if not _MODULE_ID_RE.fullmatch(module):
        raise ValueError(
            f"module id {module!r} contains unsafe characters; "
            f"must match {_MODULE_ID_RE.pattern}"
        )

    payload = {
        # ...unchanged
    }

    target = state_root / "modules" / f"{module}.status.json"
    # ...rest unchanged

VERIFY (add to tests/test_apply_phase3.py):

@pytest.mark.parametrize("bad_module", [
    "../../etc/passwd",
    "../escape",
    "foo/bar",
    "with space",
    "with.dot",
    "../",
    "",  # already covered, but include
])
def test_write_status_artifact_rejects_path_traversal(tmp_path, bad_module):
    """module id must reject path-unsafe chars (ralph BLOCKER 1)."""
    result = {"module": bad_module, "exitCode": 0}
    plan = {"module": bad_module}
    with pytest.raises(ValueError, match="unsafe characters|cannot write"):
        _write_status_artifact(result, plan, state_root=tmp_path)

BLOCKER 2 — Guard artifact emission (exception masking)

WHAT: _attach_status_artifact linia 318-322:

def _attach_status_artifact(result: dict, plan: dict, *, state_root: Path | None) -> None:
    if state_root is None:
        return
    path = _write_status_artifact(result, plan, state_root=state_root)
    result["status_artifact"] = str(path)

No try/except. Failed write (OSError: disk full, permission denied, ValueError z BLOCKER 1) raises → propagates do apply_plan → unhandled exception → caller gets stack trace zamiast clean exit code. Apply may have succeeded, ale wrapper crash hides that.

WHY: Status artifact is enrichment, not gate. Write failure must NOT corrupt apply result/exit code. Observability concern shouldn't mask correctness signal.

HOW (drafted patch w apply.py linie 318-322):

import logging
_LOG = logging.getLogger(__name__)


def _attach_status_artifact(result: dict, plan: dict, *, state_root: Path | None) -> None:
    """Write status artifact and attach path to result.

    SECURITY (ralph #166 BLOCKER 2): NEVER let artifact write failure corrupt
    apply result. Log + continue. Status artifact is enrichment, not gate.
    """
    if state_root is None:
        return
    try:
        path = _write_status_artifact(result, plan, state_root=state_root)
        result["status_artifact"] = str(path)
    except (OSError, ValueError) as exc:
        _LOG.warning(
            "failed to write apply status artifact for module=%r: %s",
            (result.get("module") or plan.get("module")),
            exc,
        )
        result["status_artifact_error"] = str(exc)
        # Do NOT re-raise — apply outcome stands.

VERIFY:

def test_attach_status_artifact_does_not_raise_on_oserror(tmp_path, monkeypatch, caplog):
    """OSError during write must NOT propagate (ralph BLOCKER 2)."""
    def raise_oserror(*a, **kw): raise OSError("disk full")
    monkeypatch.setattr("platformctl.apply._write_status_artifact", raise_oserror)
    result = {"module": "honcho-api", "exitCode": 9}
    plan = {"module": "honcho-api"}
    with caplog.at_level(logging.WARNING):
        _attach_status_artifact(result, plan, state_root=tmp_path)
    assert "status_artifact_error" in result
    assert "disk full" in result["status_artifact_error"]
    assert "status_artifact" not in result  # path NOT set on failure
    assert any("failed to write" in rec.message for rec in caplog.records)


def test_attach_status_artifact_does_not_raise_on_unsafe_module(tmp_path):
    """ValueError from BLOCKER 1 validation must NOT crash apply (ralph BLOCKER 2)."""
    result = {"module": "../escape", "exitCode": 9}
    plan = {"module": "../escape"}
    # Should log + set status_artifact_error, NOT raise
    _attach_status_artifact(result, plan, state_root=tmp_path)
    assert "status_artifact_error" in result
    assert "unsafe characters" in result["status_artifact_error"]

BLOCKER 3 — Unique temp filename (concurrent race)

WHAT: Linia 312: tmp = target.with_suffix(target.suffix + ".tmp") — deterministic <module>.status.json.tmp. Two concurrent applies dla tego samego modułu collide.

WHY: Race condition:

Apply A: writes target/honcho-api.status.json.tmp (begins)
Apply B: writes target/honcho-api.status.json.tmp (overwrites A's content)
Apply A: tmp.replace(target) → publishes B's partial content as A's status
Apply B: tmp.replace(target) → fine, but A's "success" is now mislabeled

Concurrent applies on same module aren't strictly forbidden (operator might trigger via different gates). Deterministic temp = silent corruption.

HOW (drafted patch w apply.py linia 312):

target = state_root / "modules" / f"{module}.status.json"
target.parent.mkdir(parents=True, exist_ok=True)
# SECURITY (ralph #166 BLOCKER 3): unique temp suffix avoids concurrent-apply race.
tmp = target.with_suffix(f".{os.getpid()}.{int(time.monotonic() * 1000) % 1000000}.tmp")
tmp.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\n")
tmp.replace(target)
return target

Add import time na górze pliku.

Note: combining pid + millis avoids both same-process concurrent (gevent/threading) i cross-process collisions.

VERIFY:

def test_write_status_artifact_uses_unique_temp(tmp_path, monkeypatch):
    """Temp filename must be unique per call (ralph BLOCKER 3)."""
    result = {"module": "honcho-api", "exitCode": 9}
    plan = {"module": "honcho-api"}
    # Patch tmp write to capture filename
    captured: list[Path] = []
    orig_write = Path.write_text
    def capture_write(self, *a, **kw):
        if ".tmp" in self.name:
            captured.append(self)
        return orig_write(self, *a, **kw)
    monkeypatch.setattr(Path, "write_text", capture_write)
    
    _write_status_artifact(result, plan, state_root=tmp_path)
    _write_status_artifact(result, plan, state_root=tmp_path)
    
    assert len(captured) == 2
    assert captured[0].name != captured[1].name  # unique

Follow-up issues

`STATUS-PERMS-01` — Restrictive file permissions

Status artifacts currently world-readable (default umask). May leak module topology + applied SHA history. Add os.chmod(target, 0o640) after tmp.replace(target).

`STATUS-FSYNC-01` — Disk durability via fsync

Linia 313 writes via tmp.write_text() → no explicit fsync. After crash/power-loss, status artifact may be truncated. Add os.fsync(fd) before tmp.replace(target) for crash-consistency.

Proposed: replace tmp.write_text z explicit open(tmp, 'w') + os.fsync(f.fileno()) + close.

`STATUS-ABSPATH-01` — Normalize status_artifact path

result["status_artifact"] = str(path) może być relative path (.platform/state/modules/x.status.json). Consumers (audit, monitoring) treat as path-from-where? Resolve do absolute przed result emission.

Action items

Apply 3 BLOCKER patches → apply.py + tests
Force-push do codex/issues/142-apply-evidence-artifacts
File 3 follow-up issues
Comment "ready for re-review" tutaj
Operator może odpalić re-ralph

— ralph batch 2026-05-10, claude-opus-4.7 (Pan Herbata) dispatching via codex identity

## Ralph review (5-iter chmurowy) — ITERATE_BLOCKER 4/9 Niezależny 5-iter ralph chain. Verdict + drafted patches poniżej. ### Per-dim scoring - Correctness: 3/9 - **Security: 2/9** ⚠️ (path traversal) - Observability: 5/9 - Test coverage: 7/9 - Scope discipline: 8/9 Evidence: `~/Iskra-i-Piotr/05 System/Swarmheart Backups/ralph-phase3-apply/166/`. --- ## BLOCKER 1 — Sanitize `module` input (path traversal) **WHAT:** `_write_status_artifact` linia 290-292: `module = result.get("module") or plan.get("module")`. Sprawdza only non-empty string. Then linia 310: `target = state_root / "modules" / f"{module}.status.json"` — Path's `/` operator joins without sanitization. **WHY:** Trivial path traversal: ```python plan = {"module": "../../../etc/passwd", ...} # state_root / "modules" / "../../../etc/passwd.status.json" # → /etc/passwd.status.json ``` Apply z malicious plan może write status artifacts anywhere on filesystem. Combined z linia 311 `target.parent.mkdir(parents=True)`, attacker creates dirs anywhere. **HOW (drafted patch w `apply.py` linie 284-315):** ```python # Add to top of apply.py: import re _MODULE_ID_RE = re.compile(r"^[a-zA-Z0-9_-]+$") def _write_status_artifact( result: dict, plan: dict, *, state_root: Path, ) -> Path: """Write apply status artifact for a module. SECURITY (ralph #166 BLOCKER 1): validate module against safe pattern to prevent path traversal via crafted plan["module"] field. """ module = result.get("module") or plan.get("module") if not isinstance(module, str) or not module: raise ValueError("cannot write apply status without module id") if not _MODULE_ID_RE.fullmatch(module): raise ValueError( f"module id {module!r} contains unsafe characters; " f"must match {_MODULE_ID_RE.pattern}" ) payload = { # ...unchanged } target = state_root / "modules" / f"{module}.status.json" # ...rest unchanged ``` **VERIFY (add to `tests/test_apply_phase3.py`):** ```python @pytest.mark.parametrize("bad_module", [ "../../etc/passwd", "../escape", "foo/bar", "with space", "with.dot", "../", "", # already covered, but include ]) def test_write_status_artifact_rejects_path_traversal(tmp_path, bad_module): """module id must reject path-unsafe chars (ralph BLOCKER 1).""" result = {"module": bad_module, "exitCode": 0} plan = {"module": bad_module} with pytest.raises(ValueError, match="unsafe characters|cannot write"): _write_status_artifact(result, plan, state_root=tmp_path) ``` --- ## BLOCKER 2 — Guard artifact emission (exception masking) **WHAT:** `_attach_status_artifact` linia 318-322: ```python def _attach_status_artifact(result: dict, plan: dict, *, state_root: Path | None) -> None: if state_root is None: return path = _write_status_artifact(result, plan, state_root=state_root) result["status_artifact"] = str(path) ``` No try/except. Failed write (OSError: disk full, permission denied, ValueError z BLOCKER 1) raises → propagates do `apply_plan` → unhandled exception → caller gets stack trace zamiast clean exit code. **Apply may have succeeded, ale wrapper crash hides that.** **WHY:** Status artifact is **enrichment**, not gate. Write failure must NOT corrupt apply result/exit code. Observability concern shouldn't mask correctness signal. **HOW (drafted patch w `apply.py` linie 318-322):** ```python import logging _LOG = logging.getLogger(__name__) def _attach_status_artifact(result: dict, plan: dict, *, state_root: Path | None) -> None: """Write status artifact and attach path to result. SECURITY (ralph #166 BLOCKER 2): NEVER let artifact write failure corrupt apply result. Log + continue. Status artifact is enrichment, not gate. """ if state_root is None: return try: path = _write_status_artifact(result, plan, state_root=state_root) result["status_artifact"] = str(path) except (OSError, ValueError) as exc: _LOG.warning( "failed to write apply status artifact for module=%r: %s", (result.get("module") or plan.get("module")), exc, ) result["status_artifact_error"] = str(exc) # Do NOT re-raise — apply outcome stands. ``` **VERIFY:** ```python def test_attach_status_artifact_does_not_raise_on_oserror(tmp_path, monkeypatch, caplog): """OSError during write must NOT propagate (ralph BLOCKER 2).""" def raise_oserror(*a, **kw): raise OSError("disk full") monkeypatch.setattr("platformctl.apply._write_status_artifact", raise_oserror) result = {"module": "honcho-api", "exitCode": 9} plan = {"module": "honcho-api"} with caplog.at_level(logging.WARNING): _attach_status_artifact(result, plan, state_root=tmp_path) assert "status_artifact_error" in result assert "disk full" in result["status_artifact_error"] assert "status_artifact" not in result # path NOT set on failure assert any("failed to write" in rec.message for rec in caplog.records) def test_attach_status_artifact_does_not_raise_on_unsafe_module(tmp_path): """ValueError from BLOCKER 1 validation must NOT crash apply (ralph BLOCKER 2).""" result = {"module": "../escape", "exitCode": 9} plan = {"module": "../escape"} # Should log + set status_artifact_error, NOT raise _attach_status_artifact(result, plan, state_root=tmp_path) assert "status_artifact_error" in result assert "unsafe characters" in result["status_artifact_error"] ``` --- ## BLOCKER 3 — Unique temp filename (concurrent race) **WHAT:** Linia 312: `tmp = target.with_suffix(target.suffix + ".tmp")` — deterministic `<module>.status.json.tmp`. Two concurrent applies dla tego samego modułu collide. **WHY:** Race condition: ``` Apply A: writes target/honcho-api.status.json.tmp (begins) Apply B: writes target/honcho-api.status.json.tmp (overwrites A's content) Apply A: tmp.replace(target) → publishes B's partial content as A's status Apply B: tmp.replace(target) → fine, but A's "success" is now mislabeled ``` Concurrent applies on same module aren't strictly forbidden (operator might trigger via different gates). Deterministic temp = silent corruption. **HOW (drafted patch w `apply.py` linia 312):** ```python target = state_root / "modules" / f"{module}.status.json" target.parent.mkdir(parents=True, exist_ok=True) # SECURITY (ralph #166 BLOCKER 3): unique temp suffix avoids concurrent-apply race. tmp = target.with_suffix(f".{os.getpid()}.{int(time.monotonic() * 1000) % 1000000}.tmp") tmp.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\n") tmp.replace(target) return target ``` Add `import time` na górze pliku. Note: combining pid + millis avoids both same-process concurrent (gevent/threading) i cross-process collisions. **VERIFY:** ```python def test_write_status_artifact_uses_unique_temp(tmp_path, monkeypatch): """Temp filename must be unique per call (ralph BLOCKER 3).""" result = {"module": "honcho-api", "exitCode": 9} plan = {"module": "honcho-api"} # Patch tmp write to capture filename captured: list[Path] = [] orig_write = Path.write_text def capture_write(self, *a, **kw): if ".tmp" in self.name: captured.append(self) return orig_write(self, *a, **kw) monkeypatch.setattr(Path, "write_text", capture_write) _write_status_artifact(result, plan, state_root=tmp_path) _write_status_artifact(result, plan, state_root=tmp_path) assert len(captured) == 2 assert captured[0].name != captured[1].name # unique ``` --- ## Follow-up issues ### `STATUS-PERMS-01` — Restrictive file permissions > Status artifacts currently world-readable (default umask). May leak module topology + applied SHA history. Add `os.chmod(target, 0o640)` after `tmp.replace(target)`. ### `STATUS-FSYNC-01` — Disk durability via fsync > Linia 313 writes via `tmp.write_text()` → no explicit fsync. After crash/power-loss, status artifact may be truncated. Add `os.fsync(fd)` before `tmp.replace(target)` for crash-consistency. > > Proposed: replace `tmp.write_text` z explicit `open(tmp, 'w')` + `os.fsync(f.fileno())` + close. ### `STATUS-ABSPATH-01` — Normalize status_artifact path > `result["status_artifact"] = str(path)` może być relative path (`.platform/state/modules/x.status.json`). Consumers (audit, monitoring) treat as path-from-where? Resolve do absolute przed result emission. --- ## Action items 1. Apply 3 BLOCKER patches → `apply.py` + tests 2. Force-push do `codex/issues/142-apply-evidence-artifacts` 3. File 3 follow-up issues 4. Comment "ready for re-review" tutaj 5. Operator może odpalić re-ralph — ralph batch 2026-05-10, claude-opus-4.7 (Pan Herbata) dispatching via codex identity

codex referenced this pull request

2026-05-11 00:59:52 +02:00

fix(platformctl): wire apply workflow evidence #167

codex force-pushed codex/issues/142-apply-evidence-artifacts from 76a67a0e1e

canary-required / collect-diff (pull_request) Successful in 4s

Details

pyfallow / Pyfallow gate (control-plane) (pull_request) Successful in 16s

Details

python-ci / Python 3.11 (pull_request) Successful in 43s

Details

python-ci / Python 3.12 (pull_request) Successful in 45s

Details

python-ci / Python 3.13 (pull_request) Successful in 44s

Details

canary-required / canary (pull_request) Successful in 12s

Details

to 01f7606b5a

canary-required / collect-diff (pull_request) Successful in 4s

Details

pyfallow / Pyfallow gate (control-plane) (pull_request) Successful in 16s

Details

python-ci / Python 3.11 (pull_request) Successful in 42s

Details

python-ci / Python 3.12 (pull_request) Successful in 46s

Details

python-ci / Python 3.13 (pull_request) Successful in 45s

Details

canary-required / canary (pull_request) Successful in 11s

Details

2026-05-12 00:58:43 +02:00

Compare

codex referenced this pull request

2026-05-12 00:59:25 +02:00

fix(platformctl): restrict apply status artifact permissions #203

codex referenced this pull request

2026-05-12 00:59:25 +02:00

fix(platformctl): fsync apply status artifacts before replace #204

codex referenced this pull request

2026-05-12 00:59:25 +02:00

fix(platformctl): emit absolute apply status artifact paths #205

codex commented

2026-05-12 00:59:38 +02:00

Author

Collaborator

Ready for re-review — ralph blockers addressed

Updated #166 on commit 01f7606b5a91e64fe8d7964afc8d7152413e4810.

Addressed

BLOCKER 1: status artifact module ids now require safe pattern ^[a-zA-Z0-9_-]+$; unsafe ids set status_artifact_error and do not write outside the state root.
BLOCKER 2: status artifact emission is best-effort; OSError/ValueError is logged and attached as status_artifact_error, without masking the apply/no-op/remote-failed result.
BLOCKER 3: status artifact temp files now include pid + monotonic timestamp before atomic replace.

Verification

PYTHONPATH=control-plane pytest control-plane/platformctl/tests/test_apply_phase3.py -q → 41 passed
Full tests/run-verify.sh still blocked by pre-existing main prompt debt: prompts/codex-rs2000-close-2026-05-12.md token budget + missing P2 image-prune prompt reference.

Follow-ups filed

#203 STATUS-PERMS-01
#204 STATUS-FSYNC-01
#205 STATUS-ABSPATH-01

## Ready for re-review — ralph blockers addressed Updated #166 on commit `01f7606b5a91e64fe8d7964afc8d7152413e4810`. ### Addressed - BLOCKER 1: status artifact module ids now require safe pattern `^[a-zA-Z0-9_-]+$`; unsafe ids set `status_artifact_error` and do not write outside the state root. - BLOCKER 2: status artifact emission is best-effort; `OSError`/`ValueError` is logged and attached as `status_artifact_error`, without masking the apply/no-op/remote-failed result. - BLOCKER 3: status artifact temp files now include pid + monotonic timestamp before atomic replace. ### Verification - `PYTHONPATH=control-plane pytest control-plane/platformctl/tests/test_apply_phase3.py -q` → 41 passed - Full `tests/run-verify.sh` still blocked by pre-existing main prompt debt: `prompts/codex-rs2000-close-2026-05-12.md` token budget + missing P2 image-prune prompt reference. ### Follow-ups filed - #203 STATUS-PERMS-01 - #204 STATUS-FSYNC-01 - #205 STATUS-ABSPATH-01

codex referenced this pull request

2026-05-12 01:09:37 +02:00

[coordination-lane] Cutover Flight Phase 2: v2 catalog to gate #142