Plan immutable artifact storage and Flow Node integration#97
Conversation
|
@coderabbitai review |
✅ Action performedReview finished.
|
📝 WalkthroughWalkthroughThis PR establishes the WS-ART-001 immutable artifact storage planning package. It adds discovery, decisions, architecture, service contracts, implementation chunk specifications, Flow Node runtime specifications, review evidence, and agent-loop tracking updates. No runtime implementation changes are included. ChangesWS-ART-001 planning package
Estimated code review effort: 3 (Moderate) | ~20 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 7
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/CHUNK_MAP.md:
- Around line 19-31: Update the Dependency Order section to begin with the
WS-ART-001-PLAN planning gate, followed by WS-ART-001-01 and the existing
dependency chain. Preserve all subsequent ordering and prerequisites unchanged.
In
@.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/FN-ART-001-01-streaming-dag-primitives.md:
- Around line 37-42: Update the verification command block in FN-ART-001-01 to
use checkout-relative paths, replacing the hard-coded Flow-Node directory with
cd back-end from the repository root or a git rev-parse-derived root. Apply the
same correction to the corresponding verification commands in FN-ART-001-02 and
FN-ART-001-03 while preserving the existing checks.
In
@.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/WS-ART-001-02-flow-node-adapter-reconciliation.md:
- Line 43: Update the Flow Node image requirement in the v1 vector validation
criteria to use an exact immutable image digest, including the registry and
provenance verification requirements when applicable; do not accept mutable tags
or version-only references, and preserve the existing LocalStorageAdapter parity
and recovery-test coverage.
- Around line 48-60: Update the “Compose health proves authenticated
ingest/retrieve/status” criterion and its Verification commands so they actually
start the Workstream API plus all required authentication and worker services
before running authenticated artifact proof. Alternatively, narrow the criterion
to adapter-level validation and add a separate command that starts the complete
required Compose stack and verifies authenticated ingest, retrieve, and status
behavior.
In
@.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/WS-ART-001-05-submission-artifact-cutover.md:
- Around line 84-85: Extend the populated-legacy migration test or acceptance
criteria to assert that refusal preserves all existing rows and leaves the
schema unchanged, while still emitting the rebuild guidance. Keep the existing
fresh, downgrade-empty, and re-upgrade coverage intact, and anchor the new
assertions to the populated-legacy migration path.
In `@docs/decision_0013_immutable_artifact_storage_boundary.md`:
- Line 64: Update the requirement sentence in the immutable artifact storage
boundary document to explicitly state that production requires encrypted storage
and encrypted backups, while retaining redacted logs, quotas, and an approved
retention-policy version.
In `@docs/spec_artifact_storage_service.md`:
- Around line 103-110: Update the “Service Authentication” section to explicitly
state that production pins the issuer and uses an explicit allowlist of
permitted asymmetric algorithms, replacing the ambiguous “pinned
issuer/asymmetric algorithms” wording. Preserve the remaining authentication
requirements unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 59fdeb37-d69f-4aa0-b116-d604a8b6b6bf
📒 Files selected for processing (26)
.agent-loop/LOOP_STATE.md.agent-loop/REVIEW_LOG.md.agent-loop/WORK_QUEUE.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/CHUNK_MAP.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/DECISIONS.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/DISCOVERY.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/INTENT.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/PLAN.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/RISKS.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/STATUS.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/FN-ART-001-01-streaming-dag-primitives.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/FN-ART-001-02-authenticated-artifact-http.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/FN-ART-001-03-verify-retain-focused-runtime.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/WS-ART-001-01-artifact-domain-local-adapter.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/WS-ART-001-02-flow-node-adapter-reconciliation.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/WS-ART-001-03-guide-source-cutover.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/WS-ART-001-04-upload-session-admission.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/WS-ART-001-05-submission-artifact-cutover.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/WS-ART-001-06-checker-artifact-cutover.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/WS-ART-001-07-recovery-live-proof.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/reviews/WS-ART-001-PLAN-internal-review-evidence.md.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/reviews/WS-ART-001-PLAN-pr-trust-bundle.mdREADME.mddocs/decision_0013_immutable_artifact_storage_boundary.mddocs/glossary.mddocs/spec_artifact_storage_service.md
| ```bash | ||
| cd /home/abiorh/flow/Flow-Node/back-end && cargo fmt --check | ||
| cd /home/abiorh/flow/Flow-Node/back-end && cargo clippy --all-targets --all-features -- -D warnings | ||
| cd /home/abiorh/flow/Flow-Node/back-end && ./scripts/run_nonempty_cargo_test_target.sh artifact_streaming_contract | ||
| cd /home/abiorh/flow/Flow-Node/back-end && cargo test | ||
| git -C /home/abiorh/flow/Flow-Node diff --check |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Make the Flow Node verification commands checkout-relative.
The hard-coded /home/abiorh/flow/Flow-Node path makes these checks unusable from other checkouts or CI runners. Apply the same correction to FN-ART-001-02 and FN-ART-001-03.
Use cd back-end from the Flow Node repository root, or derive the root with git rev-parse.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
@.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/FN-ART-001-01-streaming-dag-primitives.md
around lines 37 - 42, Update the verification command block in FN-ART-001-01 to
use checkout-relative paths, replacing the hard-coded Flow-Node directory with
cd back-end from the repository root or a git rev-parse-derived root. Apply the
same correction to the corresponding verification commands in FN-ART-001-02 and
FN-ART-001-03 while preserving the existing checks.
| - Compose health proves authenticated ingest/retrieve/status without product | ||
| module changes. | ||
|
|
||
| ## Verification | ||
|
|
||
| ```bash | ||
| (cd backend && .venv/bin/ruff check app tests scripts) | ||
| (cd backend && .venv/bin/docstr-coverage --config .docstr.yaml) | ||
| (cd backend && WORKSTREAM_TEST_DATABASE_URL=postgresql+asyncpg://workstream:workstream@localhost:5433/workstream_test .venv/bin/pytest -q tests/test_artifacts.py tests/test_alembic.py) | ||
| (cd backend && WORKSTREAM_TEST_DATABASE_URL=postgresql+asyncpg://workstream:workstream@localhost:5433/workstream_test .venv/bin/pytest -q) | ||
| (cd backend && WORKSTREAM_DATABASE_URL=postgresql+asyncpg://workstream:workstream@localhost:5433/workstream_test .venv/bin/python scripts/api_contract_e2e.py) | ||
| docker compose up -d --build --wait --wait-timeout 120 postgres redis flow-node | ||
| (cd backend && WORKSTREAM_DATABASE_URL=postgresql+asyncpg://workstream:workstream@localhost:5433/workstream_test .venv/bin/python scripts/artifact_store_contract_e2e.py) |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift
Start the Workstream API before claiming authenticated API proof.
The verification command starts only postgres, redis, and flow-node, but this criterion requires authenticated ingest/retrieve/status through Compose. Add the api and required authentication/worker services, or narrow the criterion to adapter-level testing and add a separate API proof command.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
@.agent-loop/initiatives/WS-ART-001-immutable-artifact-storage/chunks/WS-ART-001-02-flow-node-adapter-reconciliation.md
around lines 48 - 60, Update the “Compose health proves authenticated
ingest/retrieve/status” criterion and its Verification commands so they actually
start the Workstream API plus all required authentication and worker services
before running authenticated artifact proof. Alternatively, narrow the criterion
to adapter-level validation and add a separate command that starts the complete
required Compose stack and verifies authenticated ingest, retrieve, and status
behavior.
PR Trust Bundle
Chunk
WS-ART-001-PLAN- Immutable Artifact Storage And Flow Node IntegrationPlanning
Goal
Lock the cross-repository architecture and bounded chunk sequence required for
Workstream to own exact artifact bytes through a local adapter and focused Flow
Node provider before pre-submit/post-submit checker expansion resumes.
Human-Approved Intent
../INTENT.md../DECISIONS.md../PLAN.md../CHUNK_MAP.mdWhat Changed
implementation chunk contracts across Workstream and Flow Node.
recovery, provider-contract, and clean-cutover requirements.
Why It Changed
Current Workstream submissions and guides can record declarations without
owning the referenced bytes. Checkers therefore cannot prove that pre-submit,
post-submit, and later review use the same immutable content. Flow Node has
useful low-level storage primitives, but its current REST path is not yet a
private byte-storage provider boundary.
Design Chosen
Workstream owns authorization, lifecycle meaning, content identity, immutable
resource bindings, operation intent, and audit. Storage providers own bytes and
provider operation facts. A provider-neutral port supports both private local
development storage and a focused authenticated Flow Node runtime.
Alternatives Rejected
Scope Control
Planning/docs/loop-memory files only. No backend runtime, migration, API,
Celery, Docker, checker, or Flow Node source was implemented in this PR.
Product Behavior
Acceptance Criteria Proof
criteria, verification commands, reviewers, human focus, and stop condition.
Tests And Checks Run
All passed; the agent-gate regression suite reported 31 passing tests.
Test Delta
No product tests were added, changed, removed, skipped, or weakened. This PR is
planning-only. Future chunk contracts explicitly own focused and full-regression
proof.
CI Integrity
No workflow, dependency, coverage, lint, typecheck, package-script, or checkout
credential setting changed. Future Workstream chunks require CI-equivalent
backend and Agent Gates commands; Flow Node chunks require non-empty dedicated
test targets and live focused-runtime conformance.
Reviewer Results
Reviewed code SHA: f7fbc33
All required internal tracks passed: senior engineering, QA/test,
security/auth, product/ops, architecture, docs, CI integrity, reuse/dedup, and
test delta.
Internal evidence:
WS-ART-001-PLAN-internal-review-evidence.mdExternal Review
PR #97 received seven actionable CodeRabbit comments. All were fixed and
recorded separately in
WS-ART-001-PLAN-external-review-response.md; externalreview is not internal review evidence. Fresh checks must pass on the pushed
fix/evidence head.
Remaining Risks
still require implementation and deployment approval.
Workstream and Flow Node PRs.
Follow-Up Work
After explicit planning merge and a separate start signal, execute only
WS-ART-001-01. Do not begin Flow Node or product cutover chunks automatically.Human Review Focus
Human Merge Ownership