use crate::{CliError, CliResult};
use clap::{Args, Subcommand};
use rand::{rngs::OsRng, Rng};
use rusqlite::{
params, Connection, OpenFlags, OptionalExtension, Transaction, TransactionBehavior,
};
use sha2::{Digest, Sha256};
use std::collections::{BTreeMap, HashMap, HashSet};
use std::fs;
use std::io::Read;
use std::path::{Path, PathBuf};
use std::time::Duration;
const CURRENT_SCHEMA_VERSION: i64 = 10;
const CANONICAL_TS_GLOB: &str = "????-??-??T??:??:??Z";
const BUSY_TIMEOUT_MS: u64 = 5000;
#[derive(Debug, Args)]
pub struct DbArgs {
#[arg(
long,
default_value = ".zynk/zynk.db",
help = "SQLite database path for live zynk state"
)]
pub db: PathBuf,
#[command(subcommand)]
pub command: DbCommand,
}
#[derive(Debug, Subcommand)]
pub enum DbCommand {
Init,
Audit(Box<DbAuditCommand>),
Import(Box<DbImportCommand>),
Export(Box<DbExportCommand>),
Serve(crate::db_dashboard::DbServeArgs),
}
#[derive(Debug, Args)]
pub struct DbAuditCommand {
#[command(subcommand)]
pub command: DbAuditSubcommand,
}
#[derive(Debug, Subcommand)]
pub enum DbAuditSubcommand {
Append(DbAuditAppendArgs),
}
#[derive(Debug, Args)]
pub struct DbAuditAppendArgs {
#[arg(long)]
pub session_id: String,
#[arg(long)]
pub audit_id: Option<String>,
#[arg(long)]
pub timestamp: String,
#[arg(long)]
pub source_agent_id: Option<String>,
#[arg(long)]
pub target_agent_id: Option<String>,
#[arg(long)]
pub source_address: String,
#[arg(long)]
pub target_address: String,
#[arg(long)]
pub transport: String,
#[arg(long)]
pub transport_thread_id: Option<String>,
#[arg(long)]
pub workspace_id: String,
#[arg(long)]
pub mid: String,
#[arg(long = "type")]
pub record_type: String,
#[arg(long)]
pub mode: Option<String>,
#[arg(long)]
pub r#ref: Option<String>,
#[arg(long)]
pub re: Option<String>,
#[arg(long, value_parser = ["agent", "operator", "helper-tool", "unknown"])]
pub command_origin: String,
#[arg(long)]
pub payload: Option<String>,
#[arg(long)]
pub payload_file: Option<PathBuf>,
#[arg(long, default_value = "hash-only")]
pub payload_redaction_policy: String,
#[arg(long, default_value_t = 12)]
pub excerpt_chars: usize,
#[arg(long)]
pub delivery_status: String,
#[arg(long)]
pub observed_by: String,
#[arg(long, value_parser = ["transport", "agent", "operator", "helper-tool"])]
pub verified_by: String,
}
#[derive(Debug, Args)]
pub struct DbImportCommand {
#[command(subcommand)]
pub command: DbImportSubcommand,
}
#[derive(Debug, Subcommand)]
pub enum DbImportSubcommand {
Outputs(DbImportOutputsArgs),
}
#[derive(Debug, Args)]
pub struct DbExportCommand {
#[command(subcommand)]
pub command: DbExportSubcommand,
}
#[derive(Debug, Subcommand)]
pub enum DbExportSubcommand {
Outputs(DbExportOutputsArgs),
}
#[derive(Debug, Args)]
#[command(
after_help = "v0.2 exports status.md and audit.md only; summary.md is not exported because the DB schema does not store summary body content."
)]
pub struct DbExportOutputsArgs {
#[arg(
long,
default_value = "outputs",
help = "runtime outputs root; writes <root>/sessions/<session-id>"
)]
pub root: PathBuf,
#[arg(long)]
pub session_id: String,
}
#[derive(Debug, Args)]
#[command(
after_help = "Legacy DB recovery: if an upgraded database warns about non-canonical \
timestamps, rebuild it from artifacts with: rm .zynk/zynk.db && zynk db init && \
zynk db import outputs --root outputs"
)]
pub struct DbImportOutputsArgs {
#[arg(
long,
default_value = "outputs",
help = "runtime outputs root; reads <root>/sessions/*"
)]
pub root: PathBuf,
#[arg(long)]
pub session_id: Option<String>,
#[arg(long)]
pub timestamp: Option<String>,
}
pub fn run(args: DbArgs) -> CliResult<()> {
match args.command {
DbCommand::Init => {
initialize(&args.db)?;
println!("{}", display_path(&args.db)?.display());
Ok(())
}
DbCommand::Audit(command) => run_audit_command(&args.db, *command),
DbCommand::Import(command) => run_import_command(&args.db, *command),
DbCommand::Export(command) => run_export_command(&args.db, *command),
DbCommand::Serve(serve_args) => crate::db_dashboard::serve(&args.db, serve_args),
}
}
fn run_audit_command(path: &Path, command: DbAuditCommand) -> CliResult<()> {
match command.command {
DbAuditSubcommand::Append(args) => {
let audit_id = append_audit_record(path, &args)?;
println!("{audit_id}");
Ok(())
}
}
}
fn run_import_command(path: &Path, command: DbImportCommand) -> CliResult<()> {
match command.command {
DbImportSubcommand::Outputs(args) => {
let summary = import_outputs(path, &args)?;
println!(
"sessions imported: {}; warnings: {}",
summary.sessions_seen, summary.warning_count
);
Ok(())
}
}
}
fn run_export_command(path: &Path, command: DbExportCommand) -> CliResult<()> {
match command.command {
DbExportSubcommand::Outputs(args) => {
let summary = export_outputs(path, &args)?;
println!(
"session exported: {}; written: {}; unchanged: {}",
args.session_id, summary.written, summary.unchanged
);
Ok(())
}
}
}
fn display_path(path: &Path) -> CliResult<PathBuf> {
if path.is_absolute() {
return Ok(path.to_path_buf());
}
std::env::current_dir()
.map(|cwd| cwd.join(path))
.map_err(|error| CliError::failure(format!("failed to read current directory: {error}")))
}
fn initialize(path: &Path) -> CliResult<()> {
ensure_zynk_gitignore(path)?;
open_database(path).map(|_| ())
}
pub(crate) fn open_database(path: &Path) -> CliResult<Connection> {
if let Some(parent) = path
.parent()
.filter(|parent| !parent.as_os_str().is_empty())
{
fs::create_dir_all(parent).map_err(|error| {
CliError::failure(format!("failed to create {}: {error}", parent.display()))
})?;
}
let mut connection = Connection::open(path).map_err(|error| {
CliError::failure(format!("failed to open {}: {error}", path.display()))
})?;
configure_connection(&connection)?;
migrate(&mut connection)?;
Ok(connection)
}
fn configure_connection(connection: &Connection) -> CliResult<()> {
configure_read_connection(connection)?;
connection
.pragma_update(None, "journal_mode", "WAL")
.map_err(|error| CliError::failure(format!("failed to enable SQLite WAL mode: {error}")))?;
Ok(())
}
pub(crate) fn open_read_database(path: &Path) -> CliResult<Connection> {
let connection =
Connection::open_with_flags(path, OpenFlags::SQLITE_OPEN_READ_ONLY).map_err(|error| {
CliError::failure(format!("failed to open {}: {error}", path.display()))
})?;
configure_read_connection(&connection)?;
Ok(connection)
}
fn configure_read_connection(connection: &Connection) -> CliResult<()> {
connection
.busy_timeout(Duration::from_millis(BUSY_TIMEOUT_MS))
.map_err(|error| {
CliError::failure(format!("failed to set SQLite busy timeout: {error}"))
})?;
connection
.pragma_update(None, "foreign_keys", "ON")
.map_err(|error| {
CliError::failure(format!("failed to enable SQLite foreign keys: {error}"))
})?;
Ok(())
}
fn migrate(connection: &mut Connection) -> CliResult<()> {
let version: i64 = connection
.pragma_query_value(None, "user_version", |row| row.get(0))
.map_err(|error| {
CliError::failure(format!("failed to read SQLite schema version: {error}"))
})?;
if version > CURRENT_SCHEMA_VERSION {
return Err(CliError::failure(format!(
"database schema version {version} is newer than this zynk binary supports ({CURRENT_SCHEMA_VERSION}); upgrade zynk"
)));
}
if version == CURRENT_SCHEMA_VERSION {
return Ok(());
}
let transaction = connection
.transaction()
.map_err(|error| CliError::failure(format!("failed to start SQLite migration: {error}")))?;
create_schema_migrations(&transaction)?;
if version < 1 {
apply_v1(&transaction)?;
set_user_version(&transaction, 1)?;
}
if version < 2 {
apply_v2(&transaction)?;
set_user_version(&transaction, 2)?;
}
if version < 3 {
apply_v3(&transaction)?;
set_user_version(&transaction, 3)?;
}
if version < 4 {
apply_v4(&transaction)?;
set_user_version(&transaction, 4)?;
}
if version < 5 {
apply_v5(&transaction)?;
set_user_version(&transaction, 5)?;
}
if version < 6 {
apply_v6(&transaction)?;
set_user_version(&transaction, 6)?;
}
if version < 7 {
apply_v7(&transaction)?;
set_user_version(&transaction, 7)?;
}
if version < 8 {
apply_v8(&transaction)?;
set_user_version(&transaction, 8)?;
}
if version < 9 {
apply_v9(&transaction)?;
set_user_version(&transaction, 9)?;
}
if version < 10 {
apply_v10(&transaction)?;
set_user_version(&transaction, 10)?;
}
transaction.commit().map_err(|error| {
CliError::failure(format!("failed to commit SQLite migration: {error}"))
})?;
if version < 4 {
warn_if_noncanonical_timestamps(connection)?;
}
Ok(())
}
fn warn_if_noncanonical_timestamps(connection: &Connection) -> CliResult<()> {
let count = noncanonical_timestamp_count(connection)?;
if count > 0 {
eprintln!(
"warning: {count} pre-existing row(s) carry non-canonical timestamps and will sort \
incorrectly; this upgrade does not rewrite them. Recover with: \
rm .zynk/zynk.db && zynk db init && zynk db import outputs --root outputs"
);
}
Ok(())
}
fn noncanonical_timestamp_count(connection: &Connection) -> CliResult<i64> {
let glob = CANONICAL_TS_GLOB;
let sql = format!(
"SELECT
(SELECT COUNT(*) FROM audit_records WHERE timestamp NOT GLOB '{glob}')
+ (SELECT COUNT(*) FROM status_events WHERE timestamp NOT GLOB '{glob}')
+ (SELECT COUNT(*) FROM messages WHERE timestamp NOT GLOB '{glob}')
+ (SELECT COUNT(*) FROM sessions
WHERE created_at NOT GLOB '{glob}'
OR updated_at NOT GLOB '{glob}'
OR (completed_at IS NOT NULL AND completed_at NOT GLOB '{glob}'))"
);
connection
.query_row(&sql, [], |row| row.get(0))
.map_err(|error| CliError::failure(format!("failed to scan timestamps: {error}")))
}
fn set_user_version(connection: &Connection, version: i64) -> CliResult<()> {
connection
.pragma_update(None, "user_version", version)
.map_err(|error| {
CliError::failure(format!("failed to set SQLite schema version: {error}"))
})?;
Ok(())
}
fn create_schema_migrations(connection: &Connection) -> CliResult<()> {
connection
.execute_batch(
"CREATE TABLE IF NOT EXISTS schema_migrations (
version INTEGER PRIMARY KEY,
name TEXT NOT NULL,
applied_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
);",
)
.map_err(|error| {
CliError::failure(format!("failed to create schema_migrations: {error}"))
})?;
Ok(())
}
fn apply_v1(connection: &Connection) -> CliResult<()> {
connection
.execute_batch(
"CREATE TABLE projects (
project_id TEXT PRIMARY KEY,
name TEXT NOT NULL,
root_path TEXT NOT NULL,
created_at TEXT NOT NULL,
updated_at TEXT NOT NULL
);
CREATE TABLE agents (
agent_id TEXT PRIMARY KEY,
display_name TEXT NOT NULL,
agent_kind TEXT NOT NULL,
current_transport TEXT,
current_address TEXT,
-- D4: nullable by design. An agent with no active session
-- legitimately has no current status; session_agents.agent_status
-- (below) is NOT NULL because an agent in a session always has one.
current_agent_status TEXT CHECK (
current_agent_status IS NULL
OR current_agent_status IN ('idle', 'working', 'blocked', 'done', 'unknown')
),
created_at TEXT NOT NULL,
updated_at TEXT NOT NULL
);
CREATE TABLE sessions (
session_id TEXT PRIMARY KEY,
project_id TEXT NOT NULL REFERENCES projects(project_id),
title TEXT NOT NULL,
phase TEXT NOT NULL,
mode TEXT NOT NULL,
workflow_status TEXT NOT NULL CHECK (
workflow_status IN ('idle', 'working', 'blocked', 'waiting-for-operator', 'done')
),
lead_agent_id TEXT REFERENCES agents(agent_id),
artifact_ref TEXT,
created_at TEXT NOT NULL,
updated_at TEXT NOT NULL,
completed_at TEXT
);
CREATE TABLE agent_addresses (
agent_id TEXT NOT NULL REFERENCES agents(agent_id),
transport TEXT NOT NULL,
workspace_id TEXT,
address TEXT NOT NULL,
first_seen_at TEXT NOT NULL,
last_seen_at TEXT NOT NULL,
PRIMARY KEY (agent_id, transport, address, first_seen_at)
);
CREATE TABLE session_agents (
session_id TEXT NOT NULL REFERENCES sessions(session_id),
agent_id TEXT NOT NULL REFERENCES agents(agent_id),
role TEXT NOT NULL,
-- D4: NOT NULL — an agent within a session always has a status
-- (the Herdr agent_status domain, distinct from sessions.workflow_status).
agent_status TEXT NOT NULL CHECK (
agent_status IN ('idle', 'working', 'blocked', 'done', 'unknown')
),
last_seen_at TEXT NOT NULL,
PRIMARY KEY (session_id, agent_id)
);
CREATE TABLE audit_records (
audit_id TEXT PRIMARY KEY,
previous_audit_id TEXT REFERENCES audit_records(audit_id),
session_id TEXT NOT NULL REFERENCES sessions(session_id),
source_agent_id TEXT,
target_agent_id TEXT,
source_address TEXT NOT NULL,
target_address TEXT NOT NULL,
transport TEXT NOT NULL,
workspace_id TEXT NOT NULL,
mid TEXT NOT NULL,
record_type TEXT NOT NULL,
command_origin TEXT NOT NULL CHECK (
command_origin IN ('agent', 'operator', 'helper-tool', 'unknown')
),
mode TEXT,
ref TEXT,
re TEXT,
payload_hash TEXT NOT NULL,
payload_redaction_policy TEXT NOT NULL CHECK (
payload_redaction_policy IN ('hash-only', 'excerpt', 'full')
),
content_size INTEGER NOT NULL,
delivery_status TEXT NOT NULL CHECK (
delivery_status IN ('drafted', 'sent', 'observed', 'failed', 'unknown')
),
observed_by TEXT NOT NULL,
verified_by TEXT NOT NULL CHECK (
verified_by IN ('transport', 'agent', 'operator', 'helper-tool')
),
timestamp TEXT NOT NULL
);
CREATE TABLE messages (
message_id TEXT PRIMARY KEY,
session_id TEXT NOT NULL REFERENCES sessions(session_id),
mid TEXT NOT NULL,
source_agent_id TEXT REFERENCES agents(agent_id),
target_agent_id TEXT REFERENCES agents(agent_id),
message_type TEXT NOT NULL,
mode TEXT,
ref TEXT,
transport TEXT NOT NULL,
transport_thread_id TEXT,
payload_redaction_policy TEXT NOT NULL CHECK (
payload_redaction_policy IN ('hash-only', 'excerpt', 'full')
),
payload_excerpt TEXT,
payload_hash TEXT NOT NULL,
latest_delivery_status TEXT NOT NULL CHECK (
latest_delivery_status IN ('drafted', 'sent', 'observed', 'failed', 'unknown')
),
latest_verified_by TEXT NOT NULL CHECK (
latest_verified_by IN ('transport', 'agent', 'operator', 'helper-tool')
),
latest_audit_id TEXT REFERENCES audit_records(audit_id),
timestamp TEXT NOT NULL,
UNIQUE (session_id, mid)
);
CREATE TABLE status_events (
status_event_id INTEGER PRIMARY KEY,
session_id TEXT NOT NULL REFERENCES sessions(session_id),
timestamp TEXT NOT NULL,
phase TEXT NOT NULL,
mode TEXT NOT NULL,
workflow_status TEXT NOT NULL CHECK (
workflow_status IN ('idle', 'working', 'blocked', 'waiting-for-operator', 'done')
),
completed_since_last_update TEXT NOT NULL,
in_progress TEXT NOT NULL,
next_action TEXT NOT NULL,
blockers TEXT NOT NULL,
asks_for_zevs TEXT NOT NULL,
risk_or_residual_uncertainty TEXT NOT NULL,
expected_wait TEXT NOT NULL
);
CREATE TABLE artifacts (
artifact_id INTEGER PRIMARY KEY,
session_id TEXT NOT NULL REFERENCES sessions(session_id),
kind TEXT NOT NULL,
path TEXT NOT NULL,
title TEXT,
content_hash TEXT,
updated_at TEXT NOT NULL,
UNIQUE (session_id, path)
);
CREATE TABLE imports (
import_id INTEGER PRIMARY KEY,
source_kind TEXT NOT NULL CHECK (source_kind IN ('outputs', 'agent-loop')),
source_path TEXT NOT NULL,
source_hash TEXT NOT NULL,
imported_at TEXT NOT NULL,
result TEXT NOT NULL,
warning_summary TEXT NOT NULL
);
INSERT OR IGNORE INTO schema_migrations (version, name) VALUES (1, 'initial-live-state');",
)
.map_err(|error| {
CliError::failure(format!("failed to apply SQLite migration 1: {error}"))
})?;
Ok(())
}
fn apply_v2(connection: &Connection) -> CliResult<()> {
if !table_has_column(connection, "audit_records", "command_origin")? {
connection
.execute_batch(
"ALTER TABLE audit_records
ADD COLUMN command_origin TEXT NOT NULL DEFAULT 'unknown' CHECK (
command_origin IN ('agent', 'operator', 'helper-tool', 'unknown')
);",
)
.map_err(|error| {
CliError::failure(format!(
"failed to add audit_records.command_origin: {error}"
))
})?;
}
connection
.execute_batch(
"CREATE UNIQUE INDEX IF NOT EXISTS audit_records_one_child_per_previous
ON audit_records(session_id, previous_audit_id)
WHERE previous_audit_id IS NOT NULL;
CREATE TRIGGER IF NOT EXISTS audit_records_no_sent_agent_insert
BEFORE INSERT ON audit_records
WHEN NEW.delivery_status = 'sent' AND NEW.verified_by = 'agent'
BEGIN
SELECT RAISE(ABORT, 'delivery_status=sent requires transport, helper-tool, or operator verification');
END;
CREATE TRIGGER IF NOT EXISTS audit_records_no_update
BEFORE UPDATE ON audit_records
BEGIN
SELECT RAISE(ABORT, 'audit_records are append-only');
END;
CREATE TRIGGER IF NOT EXISTS audit_records_no_delete
BEFORE DELETE ON audit_records
BEGIN
SELECT RAISE(ABORT, 'audit_records are append-only');
END;
CREATE TRIGGER IF NOT EXISTS messages_no_sent_agent_insert
BEFORE INSERT ON messages
WHEN NEW.latest_delivery_status = 'sent' AND NEW.latest_verified_by = 'agent'
BEGIN
SELECT RAISE(ABORT, 'delivery_status=sent requires transport, helper-tool, or operator verification');
END;
CREATE TRIGGER IF NOT EXISTS messages_no_sent_agent_update
BEFORE UPDATE ON messages
WHEN NEW.latest_delivery_status = 'sent' AND NEW.latest_verified_by = 'agent'
BEGIN
SELECT RAISE(ABORT, 'delivery_status=sent requires transport, helper-tool, or operator verification');
END;
INSERT OR IGNORE INTO schema_migrations (version, name) VALUES (2, 'audit-chain-constraints');",
)
.map_err(|error| {
CliError::failure(format!("failed to apply SQLite migration 2: {error}"))
})?;
Ok(())
}
fn apply_v3(connection: &Connection) -> CliResult<()> {
if !table_has_column(connection, "status_events", "event_text")? {
connection
.execute_batch(
"ALTER TABLE status_events
ADD COLUMN event_text TEXT NOT NULL DEFAULT '';",
)
.map_err(|error| {
CliError::failure(format!("failed to add status_events.event_text: {error}"))
})?;
}
connection
.execute(
"INSERT OR IGNORE INTO schema_migrations (version, name)
VALUES (3, 'status-event-text')",
[],
)
.map_err(|error| {
CliError::failure(format!("failed to apply SQLite migration 3: {error}"))
})?;
Ok(())
}
fn apply_v4(connection: &Connection) -> CliResult<()> {
if !table_has_column(connection, "status_events", "content_hash")? {
connection
.execute_batch(
"ALTER TABLE status_events
ADD COLUMN content_hash TEXT NOT NULL DEFAULT '';",
)
.map_err(|error| {
CliError::failure(format!("failed to add status_events.content_hash: {error}"))
})?;
}
backfill_status_content_hash(connection)?;
let glob = CANONICAL_TS_GLOB;
connection
.execute_batch(&format!(
"CREATE TRIGGER IF NOT EXISTS audit_records_ts_canonical_insert
BEFORE INSERT ON audit_records
WHEN NEW.timestamp NOT GLOB '{glob}'
BEGIN SELECT RAISE(ABORT, 'audit_records.timestamp must be RFC3339 UTC seconds (Z)'); END;
CREATE TRIGGER IF NOT EXISTS status_events_ts_canonical_insert
BEFORE INSERT ON status_events
WHEN NEW.timestamp NOT GLOB '{glob}'
BEGIN SELECT RAISE(ABORT, 'status_events.timestamp must be RFC3339 UTC seconds (Z)'); END;
CREATE TRIGGER IF NOT EXISTS messages_ts_canonical_insert
BEFORE INSERT ON messages
WHEN NEW.timestamp NOT GLOB '{glob}'
BEGIN SELECT RAISE(ABORT, 'messages.timestamp must be RFC3339 UTC seconds (Z)'); END;
CREATE TRIGGER IF NOT EXISTS messages_ts_canonical_update
BEFORE UPDATE ON messages
WHEN NEW.timestamp NOT GLOB '{glob}'
BEGIN SELECT RAISE(ABORT, 'messages.timestamp must be RFC3339 UTC seconds (Z)'); END;
CREATE TRIGGER IF NOT EXISTS sessions_ts_canonical_insert
BEFORE INSERT ON sessions
WHEN NEW.created_at NOT GLOB '{glob}'
OR NEW.updated_at NOT GLOB '{glob}'
OR (NEW.completed_at IS NOT NULL AND NEW.completed_at NOT GLOB '{glob}')
BEGIN SELECT RAISE(ABORT, 'sessions timestamps must be RFC3339 UTC seconds (Z)'); END;
CREATE TRIGGER IF NOT EXISTS sessions_ts_canonical_update
BEFORE UPDATE ON sessions
WHEN NEW.created_at NOT GLOB '{glob}'
OR NEW.updated_at NOT GLOB '{glob}'
OR (NEW.completed_at IS NOT NULL AND NEW.completed_at NOT GLOB '{glob}')
BEGIN SELECT RAISE(ABORT, 'sessions timestamps must be RFC3339 UTC seconds (Z)'); END;"
))
.map_err(|error| {
CliError::failure(format!("failed to create v4 timestamp triggers: {error}"))
})?;
connection
.execute(
"INSERT OR IGNORE INTO schema_migrations (version, name)
VALUES (4, 'timestamp-canonical-and-content-hash')",
[],
)
.map_err(|error| {
CliError::failure(format!("failed to apply SQLite migration 4: {error}"))
})?;
Ok(())
}
fn apply_v5(connection: &Connection) -> CliResult<()> {
if !table_has_column(connection, "audit_records", "due")? {
connection
.execute_batch("ALTER TABLE audit_records ADD COLUMN due TEXT;")
.map_err(|error| {
CliError::failure(format!("failed to add audit_records.due: {error}"))
})?;
}
let glob = CANONICAL_TS_GLOB;
connection
.execute_batch(&format!(
"DROP TRIGGER IF EXISTS audit_records_ts_canonical_insert;
CREATE TRIGGER audit_records_ts_canonical_insert
BEFORE INSERT ON audit_records
WHEN NEW.timestamp NOT GLOB '{glob}'
OR (NEW.due IS NOT NULL AND NEW.due NOT GLOB '{glob}')
BEGIN SELECT RAISE(ABORT, 'audit_records.timestamp and due must be RFC3339 UTC seconds (Z)'); END;"
))
.map_err(|error| {
CliError::failure(format!("failed to update v5 due trigger: {error}"))
})?;
connection
.execute(
"INSERT OR IGNORE INTO schema_migrations (version, name)
VALUES (5, 'audit-due-and-db-canonical-write-path')",
[],
)
.map_err(|error| {
CliError::failure(format!("failed to apply SQLite migration 5: {error}"))
})?;
Ok(())
}
fn apply_v6(connection: &Connection) -> CliResult<()> {
connection
.execute_batch(
"CREATE TABLE work_events (
work_event_id INTEGER PRIMARY KEY,
session_id TEXT NOT NULL REFERENCES sessions(session_id),
actor_agent_id TEXT NOT NULL,
kind TEXT NOT NULL CHECK (kind IN
('think','tool','diff','plan','artifact','usage','system','gate','conflict')),
timestamp TEXT NOT NULL,
payload TEXT NOT NULL,
content_hash TEXT NOT NULL,
created_at TEXT NOT NULL,
UNIQUE (session_id, kind, content_hash)
);
CREATE INDEX work_events_session_ts ON work_events (session_id, timestamp);
INSERT OR IGNORE INTO schema_migrations (version, name) VALUES (6, 'work-events');",
)
.map_err(|error| CliError::failure(format!("failed to apply schema v6: {error}")))?;
Ok(())
}
fn apply_v7(connection: &Connection) -> CliResult<()> {
connection
.execute_batch(
"CREATE TABLE operator_decisions (
audit_id TEXT PRIMARY KEY REFERENCES audit_records(audit_id),
session_id TEXT NOT NULL REFERENCES sessions(session_id),
decision_type TEXT NOT NULL CHECK (decision_type IN
('gate-decision','conflict-resolve','mode-switch','interrupt','redirect')),
target_work_event_id INTEGER REFERENCES work_events(work_event_id),
verdict TEXT,
resolution TEXT,
mode_to TEXT,
target_agent TEXT,
reason TEXT,
note TEXT,
decision_status TEXT NOT NULL DEFAULT 'decided'
CHECK (decision_status IN ('decided')),
notification_status TEXT NOT NULL DEFAULT 'not-requested'
CHECK (notification_status IN ('not-requested','sent','failed')),
notification_audit_id TEXT REFERENCES audit_records(audit_id),
notification_mid TEXT,
notification_error TEXT,
created_at TEXT NOT NULL
);
CREATE INDEX operator_decisions_session ON operator_decisions (session_id, created_at);
CREATE INDEX operator_decisions_target ON operator_decisions (target_work_event_id);
INSERT OR IGNORE INTO schema_migrations (version, name) VALUES (7, 'operator-decisions');",
)
.map_err(|error| CliError::failure(format!("failed to apply schema v7: {error}")))?;
Ok(())
}
fn apply_v8(connection: &Connection) -> CliResult<()> {
connection
.execute_batch(
"CREATE TABLE custody_vault (
audit_id TEXT PRIMARY KEY REFERENCES audit_records(audit_id),
ciphertext BLOB NOT NULL,
nonce BLOB NOT NULL,
cipher_id TEXT NOT NULL,
key_version INTEGER NOT NULL,
created_at TEXT NOT NULL
);
INSERT OR IGNORE INTO schema_migrations (version, name) VALUES (8, 'custody-vault');",
)
.map_err(|error| CliError::failure(format!("failed to apply schema v8: {error}")))?;
Ok(())
}
fn apply_v9(connection: &Connection) -> CliResult<()> {
connection
.execute_batch(
"CREATE TRIGGER IF NOT EXISTS audit_records_no_sent_nontransport_proof_insert
BEFORE INSERT ON audit_records
WHEN NEW.delivery_status = 'sent'
AND NEW.record_type IN ('gate-decision','conflict-resolve','mode-switch','interrupt','redirect','reveal')
BEGIN
SELECT RAISE(ABORT, 'a non-transport operator proof (decision/reveal) must not be delivery_status=sent (ADR 024 / ADR 034 D8)');
END;
INSERT OR IGNORE INTO schema_migrations (version, name) VALUES (9, 'reject-sent-nontransport-proof');",
)
.map_err(|error| CliError::failure(format!("failed to apply schema v9: {error}")))?;
Ok(())
}
fn apply_v10(connection: &Connection) -> CliResult<()> {
let glob = CANONICAL_TS_GLOB;
connection
.execute_batch(&format!(
"CREATE TABLE participant_overlay (
audit_id TEXT PRIMARY KEY REFERENCES audit_records(audit_id),
session_id TEXT NOT NULL REFERENCES sessions(session_id),
subject_actor_id TEXT NOT NULL,
overlay_kind TEXT NOT NULL CHECK (overlay_kind IN ('actor-kind','role','trait')),
actor_kind TEXT CHECK (actor_kind IS NULL OR actor_kind IN ('human','agent','external')),
role_id TEXT, role_label TEXT,
trait_id TEXT CHECK (trait_id IS NULL OR trait_id IN
('independent','can_edit_source','non_iterating','can_verify_gate','can_merge_approve')),
trait_value INTEGER CHECK (trait_value IS NULL OR trait_value IN (0,1)),
asserter_actor_id TEXT NOT NULL,
asserter_kind TEXT NOT NULL CHECK (asserter_kind IN ('operator','profile')),
supersedes_audit_id TEXT REFERENCES audit_records(audit_id),
superseded_by_audit_id TEXT REFERENCES audit_records(audit_id),
created_at TEXT NOT NULL,
-- trackbrc1 P2: EXACT per-kind row shape — every OTHER kind's columns NULL.
-- The pre-fix CHECK nulled only a SUBSET (e.g. it left role_label/trait_value
-- free on an actor-kind row), letting a cross-kind smuggle insert. Each arm now
-- pins its own non-NULL columns AND nulls all four cross-kind columns.
CHECK (
(overlay_kind='actor-kind' AND actor_kind IS NOT NULL
AND role_id IS NULL AND role_label IS NULL AND trait_id IS NULL AND trait_value IS NULL)
OR (overlay_kind='role' AND role_id IS NOT NULL AND role_label IS NOT NULL
AND actor_kind IS NULL AND trait_id IS NULL AND trait_value IS NULL)
OR (overlay_kind='trait' AND trait_id IS NOT NULL AND trait_value IS NOT NULL
AND actor_kind IS NULL AND role_id IS NULL AND role_label IS NULL)
)
);
CREATE UNIQUE INDEX participant_overlay_current_kindrole ON participant_overlay (session_id, subject_actor_id, overlay_kind)
WHERE superseded_by_audit_id IS NULL AND overlay_kind IN ('actor-kind','role');
CREATE UNIQUE INDEX participant_overlay_current_trait ON participant_overlay (session_id, subject_actor_id, trait_id)
WHERE superseded_by_audit_id IS NULL AND overlay_kind='trait';
CREATE INDEX participant_overlay_subject ON participant_overlay (session_id, subject_actor_id, overlay_kind);
-- D3.1: provenance binding for ALL overlay kinds (C1) — a row cannot claim a
-- different session/asserter/time than its proof (audit_records). NULL-safe
-- `IS NOT`: audit_records.source_agent_id is nullable, so a `<>` against a NULL
-- proof source would yield NULL (no abort) and let the row bypass the binding;
-- the overlay columns are NOT NULL, so `IS NOT` ABORTs both a mismatch AND a
-- NULL proof value.
CREATE TRIGGER participant_overlay_provenance_binding_insert
BEFORE INSERT ON participant_overlay
WHEN NEW.session_id IS NOT (SELECT a.session_id FROM audit_records a WHERE a.audit_id = NEW.audit_id)
OR NEW.asserter_actor_id IS NOT (SELECT a.source_agent_id FROM audit_records a WHERE a.audit_id = NEW.audit_id)
OR NEW.created_at IS NOT (SELECT a.timestamp FROM audit_records a WHERE a.audit_id = NEW.audit_id)
BEGIN
SELECT RAISE(ABORT, 'participant_overlay row session_id/asserter_actor_id/created_at must match its proof (ADR 036 D3.1 provenance binding)');
END;
-- D3.2: no self-grant of a trait (asserter == subject). actor-kind/role are
-- self-describing, not integrity claims — exempt.
CREATE TRIGGER participant_overlay_no_self_grant_trait_insert
BEFORE INSERT ON participant_overlay
WHEN NEW.overlay_kind = 'trait' AND NEW.asserter_actor_id = NEW.subject_actor_id
BEGIN
SELECT RAISE(ABORT, 'an integrity trait must not be self-granted (asserter == subject) (ADR 036 D3.2)');
END;
-- D3.3: operator-grade proof for a trait (C3) — verified_by='operator' AND
-- command_origin='operator' AND transport='none'. Subsumes the weaker
-- verified_by!=agent: helper-tool/transport are not authority to grant a trait.
CREATE TRIGGER participant_overlay_operator_grade_trait_insert
BEFORE INSERT ON participant_overlay
WHEN NEW.overlay_kind = 'trait'
AND NOT EXISTS (
SELECT 1 FROM audit_records a
WHERE a.audit_id = NEW.audit_id
AND a.verified_by = 'operator'
AND a.command_origin = 'operator'
AND a.transport = 'none'
)
BEGIN
SELECT RAISE(ABORT, 'an integrity trait requires an operator-grade proof (verified_by=operator, command_origin=operator, transport=none) (ADR 036 D3.3)');
END;
-- D3.4: canonical timestamp on created_at (the v4 GLOB pattern) — deterministic
-- ORDER BY without trusting the producer.
CREATE TRIGGER participant_overlay_ts_canonical_insert
BEFORE INSERT ON participant_overlay
WHEN NEW.created_at NOT GLOB '{glob}'
BEGIN
SELECT RAISE(ABORT, 'participant_overlay.created_at must be RFC3339 UTC seconds (Z) (ADR 036 D3.4)');
END;
-- D3.5: v10 sent-guard — a `participant-overlay` proof is non-transport operator
-- proof and must never be delivery_status=sent (the ADR 024 family). A NEW v10
-- trigger (apply_v9 stays immutable).
CREATE TRIGGER audit_records_no_sent_participant_overlay_insert
BEFORE INSERT ON audit_records
WHEN NEW.delivery_status = 'sent' AND NEW.record_type = 'participant-overlay'
BEGIN
SELECT RAISE(ABORT, 'a participant-overlay proof must not be delivery_status=sent (ADR 024 family / ADR 036 D3.5)');
END;
INSERT OR IGNORE INTO schema_migrations (version, name) VALUES (10, 'participant-overlay');"
))
.map_err(|error| CliError::failure(format!("failed to apply schema v10: {error}")))?;
Ok(())
}
#[derive(Debug)]
pub(crate) struct CustodyRow {
pub ciphertext: Vec<u8>,
pub nonce: Vec<u8>,
pub cipher_id: String,
pub key_version: i64,
}
pub(crate) fn project_custody_vault(
db_path: &Path,
audit_id: &str,
ciphertext: &[u8],
nonce: &[u8],
cipher_id: &str,
key_version: i64,
created_at: &str,
) -> CliResult<()> {
let connection = open_projection_database(db_path)?;
insert_custody_vault(
&connection,
audit_id,
ciphertext,
nonce,
cipher_id,
key_version,
created_at,
)
}
pub(crate) fn insert_custody_vault(
conn: &Connection,
audit_id: &str,
ciphertext: &[u8],
nonce: &[u8],
cipher_id: &str,
key_version: i64,
created_at: &str,
) -> CliResult<()> {
conn.execute(
"INSERT OR IGNORE INTO custody_vault
(audit_id, ciphertext, nonce, cipher_id, key_version, created_at)
VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
params![
audit_id,
ciphertext,
nonce,
cipher_id,
key_version,
created_at
],
)
.map_err(|error| CliError::failure(format!("failed to insert custody_vault row: {error}")))?;
Ok(())
}
pub(crate) fn read_custody_vault(
conn: &Connection,
audit_id: &str,
) -> CliResult<Option<CustodyRow>> {
conn.query_row(
"SELECT ciphertext, nonce, cipher_id, key_version
FROM custody_vault WHERE audit_id = ?1",
params![audit_id],
|row| {
Ok(CustodyRow {
ciphertext: row.get(0)?,
nonce: row.get(1)?,
cipher_id: row.get(2)?,
key_version: row.get(3)?,
})
},
)
.optional()
.map_err(|error| CliError::failure(format!("failed to read custody_vault row: {error}")))
}
pub(crate) fn read_reveal_target(
conn: &Connection,
audit_id: &str,
) -> CliResult<Option<(String, String)>> {
conn.query_row(
"SELECT session_id, payload_hash FROM audit_records WHERE audit_id = ?1",
params![audit_id],
|row| Ok((row.get(0)?, row.get(1)?)),
)
.optional()
.map_err(|error| CliError::failure(format!("failed to read audit record for reveal: {error}")))
}
fn backfill_status_content_hash(connection: &Connection) -> CliResult<()> {
let mut select = connection
.prepare(
"SELECT status_event_id, phase, mode, workflow_status,
completed_since_last_update, in_progress, next_action, blockers,
asks_for_zevs, risk_or_residual_uncertainty, expected_wait, event_text
FROM status_events
WHERE content_hash = ''",
)
.map_err(|error| {
CliError::failure(format!(
"failed to read status_events for backfill: {error}"
))
})?;
let rows = select
.query_map([], |row| {
let id: i64 = row.get(0)?;
let fields = (1..=11)
.map(|i| row.get::<_, String>(i))
.collect::<Result<Vec<_>, _>>()?;
Ok((id, fields))
})
.map_err(|error| {
CliError::failure(format!(
"failed to read status_events for backfill: {error}"
))
})?
.collect::<Result<Vec<_>, _>>()
.map_err(|error| {
CliError::failure(format!(
"failed to read status_events for backfill: {error}"
))
})?;
for (id, fields) in rows {
let refs: Vec<&str> = fields.iter().map(String::as_str).collect();
let hash = status_content_hash(&refs);
connection
.execute(
"UPDATE status_events SET content_hash = ?1 WHERE status_event_id = ?2",
params![hash, id],
)
.map_err(|error| {
CliError::failure(format!("failed to backfill content_hash: {error}"))
})?;
}
Ok(())
}
fn status_content_hash(fields: &[&str]) -> String {
let mut hasher = Sha256::new();
hasher.update(fields.join("\n").as_bytes());
format!("sha256:{:x}", hasher.finalize())
}
#[derive(Default)]
struct ImportSummary {
sessions_seen: usize,
warning_count: usize,
}
#[derive(Debug)]
pub(crate) struct ImportedStatus {
pub(crate) session_id: String,
pub(crate) last_update: String,
pub(crate) lead_agent: String,
pub(crate) phase: String,
pub(crate) mode: String,
pub(crate) artifact_ref: String,
pub(crate) workflow_status: String,
pub(crate) completed_since_last_update: String,
pub(crate) in_progress: String,
pub(crate) next_action: String,
pub(crate) blockers: String,
pub(crate) asks_for_zevs: String,
pub(crate) risk_or_residual_uncertainty: String,
pub(crate) expected_wait: String,
pub(crate) rolling_events: Vec<String>,
}
#[derive(Debug, Clone)]
pub(crate) struct ImportedAuditRecord {
pub(crate) audit_id: String,
pub(crate) previous_audit_id: Option<String>,
pub(crate) timestamp: String,
pub(crate) source_agent_id: Option<String>,
pub(crate) source_address: String,
pub(crate) target_agent_id: Option<String>,
pub(crate) target_address: String,
pub(crate) transport: String,
pub(crate) workspace_id: String,
pub(crate) session_id: String,
pub(crate) mid: String,
pub(crate) record_type: String,
pub(crate) command_origin: String,
pub(crate) mode: Option<String>,
pub(crate) r#ref: Option<String>,
pub(crate) re: Option<String>,
pub(crate) payload_hash: String,
pub(crate) payload_redaction_policy: String,
pub(crate) content_size: i64,
pub(crate) delivery_status: String,
pub(crate) observed_by: String,
pub(crate) verified_by: String,
pub(crate) due: Option<String>,
pub(crate) payload_excerpt: Option<String>,
}
#[derive(Debug, Clone)]
pub(crate) struct ImportedWorkEvent {
pub(crate) actor: String,
pub(crate) timestamp: String,
pub(crate) seq: usize,
pub(crate) payload: crate::work_event::WorkEventPayload,
}
enum ImportedAuditInsert {
Inserted,
Existing,
RebasedToRoot { original_error: String },
}
#[derive(Default)]
struct ExportSummary {
written: usize,
unchanged: usize,
}
#[derive(Debug, Clone)]
struct ExportedAuditRecord {
audit_id: String,
previous_audit_id: Option<String>,
timestamp: String,
source_agent: String,
source_address: String,
target_agent: String,
target_address: String,
transport: String,
workspace_id: String,
session_id: String,
mid: String,
record_type: String,
command_origin: String,
mode: Option<String>,
r#ref: Option<String>,
re: Option<String>,
payload_hash: String,
payload_redaction_policy: String,
content_size: i64,
delivery_status: String,
observed_by: String,
verified_by: String,
due: Option<String>,
}
fn export_outputs(path: &Path, args: &DbExportOutputsArgs) -> CliResult<ExportSummary> {
let connection = open_read_database(path)?;
let status = load_export_status(&connection, &args.session_id)?;
let events = load_export_status_events(&connection, &args.session_id)?;
let audit_records = load_export_audit_records(&connection, &args.session_id)?;
let session_dir = args.root.join("sessions").join(&args.session_id);
let exports = [
(
session_dir.join("status.md"),
render_export_status(&status, &events),
),
(
session_dir.join("audit.md"),
render_export_audit(&args.session_id, &audit_records),
),
];
let mut summary = ExportSummary::default();
for (path, content) in exports {
if write_if_changed(&path, &content)? {
summary.written += 1;
} else {
summary.unchanged += 1;
}
}
Ok(summary)
}
fn load_export_status(connection: &Connection, session_id: &str) -> CliResult<ImportedStatus> {
connection
.query_row(
"SELECT s.session_id,
COALESCE(se.timestamp, s.updated_at),
COALESCE(s.lead_agent_id, 'unknown'),
COALESCE(se.phase, s.phase),
-- ADR 033 M2b T3 (C3=b): the EXPORT intentionally stays status-only
-- (NO latest-writer across operator decisions, unlike the live/snapshot
-- dashboard reads). `status.md` is the agent-authored status artifact;
-- folding a decision-derived mode in here would fake the operator's
-- mode-switch into the agent status timeline — the exact provenance
-- conflation C3=b's rationale rejected. The operator decision is
-- exported separately via the audit chain, so the export's mode is by
-- design the status-authored mode.
COALESCE(se.mode, s.mode),
COALESCE(s.artifact_ref, 'unknown'),
COALESCE(se.workflow_status, s.workflow_status),
COALESCE(se.completed_since_last_update, 'unknown'),
COALESCE(se.in_progress, 'unknown'),
COALESCE(se.next_action, 'unknown'),
COALESCE(se.blockers, 'unknown'),
COALESCE(se.asks_for_zevs, 'unknown'),
COALESCE(se.risk_or_residual_uncertainty, 'unknown'),
COALESCE(se.expected_wait, 'unknown')
FROM sessions AS s
LEFT JOIN status_events AS se
ON se.status_event_id = (
SELECT status_event_id
FROM status_events
WHERE session_id = s.session_id
ORDER BY timestamp DESC, status_event_id DESC
LIMIT 1
)
WHERE s.session_id = ?1",
[session_id],
|row| {
Ok(ImportedStatus {
session_id: row.get(0)?,
last_update: row.get(1)?,
lead_agent: row.get(2)?,
phase: row.get(3)?,
mode: row.get(4)?,
artifact_ref: row.get(5)?,
workflow_status: row.get(6)?,
completed_since_last_update: row.get(7)?,
in_progress: row.get(8)?,
next_action: row.get(9)?,
blockers: row.get(10)?,
asks_for_zevs: row.get(11)?,
risk_or_residual_uncertainty: row.get(12)?,
expected_wait: row.get(13)?,
rolling_events: Vec::new(),
})
},
)
.optional()
.map_err(|error| CliError::failure(format!("failed to load session for export: {error}")))?
.ok_or_else(|| CliError::failure(format!("session not found: {session_id}")))
}
fn load_export_status_events(connection: &Connection, session_id: &str) -> CliResult<Vec<String>> {
let mut statement = connection
.prepare(
"SELECT timestamp, workflow_status, next_action, event_text
FROM status_events
WHERE session_id = ?1
ORDER BY timestamp DESC, status_event_id DESC
LIMIT 10",
)
.map_err(|error| CliError::failure(format!("failed to load status events: {error}")))?;
let events = statement
.query_map([session_id], |row| {
let timestamp: String = row.get(0)?;
let workflow_status: String = row.get(1)?;
let next_action: String = row.get(2)?;
let event_text: String = row.get(3)?;
let events = if event_text.trim().is_empty() {
vec![format!(
"{timestamp} - status={workflow_status}; next={next_action}"
)]
} else {
event_text
.lines()
.map(str::trim)
.filter(|line| !line.is_empty())
.map(str::to_string)
.collect()
};
Ok(events)
})
.map_err(|error| CliError::failure(format!("failed to load status events: {error}")))?
.collect::<Result<Vec<_>, _>>()
.map_err(|error| CliError::failure(format!("failed to read status events: {error}")))?;
let mut events = events.into_iter().flatten().collect::<Vec<_>>();
events.truncate(10);
Ok(events)
}
fn load_export_audit_records(
connection: &Connection,
session_id: &str,
) -> CliResult<Vec<ExportedAuditRecord>> {
let mut statement = connection
.prepare(
"SELECT audit_id, previous_audit_id, timestamp,
COALESCE(source_agent_id, 'unknown'), source_address,
COALESCE(target_agent_id, 'unknown'), target_address,
transport, workspace_id, session_id, mid, record_type,
command_origin, mode, ref, re, payload_hash,
payload_redaction_policy, content_size, delivery_status,
observed_by, verified_by, due
FROM audit_records
WHERE session_id = ?1
ORDER BY timestamp, audit_id",
)
.map_err(|error| CliError::failure(format!("failed to load audit records: {error}")))?;
let records = statement
.query_map([session_id], |row| {
Ok(ExportedAuditRecord {
audit_id: row.get(0)?,
previous_audit_id: row.get(1)?,
timestamp: row.get(2)?,
source_agent: row.get(3)?,
source_address: row.get(4)?,
target_agent: row.get(5)?,
target_address: row.get(6)?,
transport: row.get(7)?,
workspace_id: row.get(8)?,
session_id: row.get(9)?,
mid: row.get(10)?,
record_type: row.get(11)?,
command_origin: row.get(12)?,
mode: row.get(13)?,
r#ref: row.get(14)?,
re: row.get(15)?,
payload_hash: row.get(16)?,
payload_redaction_policy: row.get(17)?,
content_size: row.get(18)?,
delivery_status: row.get(19)?,
observed_by: row.get(20)?,
verified_by: row.get(21)?,
due: row.get(22)?,
})
})
.map_err(|error| CliError::failure(format!("failed to load audit records: {error}")))?
.collect::<Result<Vec<_>, _>>()
.map_err(|error| CliError::failure(format!("failed to read audit records: {error}")))?;
Ok(order_export_audit_records(records))
}
fn order_export_audit_records(records: Vec<ExportedAuditRecord>) -> Vec<ExportedAuditRecord> {
let mut roots = Vec::new();
let mut children: HashMap<String, Vec<ExportedAuditRecord>> = HashMap::new();
for record in records {
if let Some(previous_audit_id) = &record.previous_audit_id {
children
.entry(previous_audit_id.clone())
.or_default()
.push(record);
} else {
roots.push(record);
}
}
sort_audit_records(&mut roots);
let mut ordered = Vec::new();
let mut leftover = Vec::new();
for root in roots {
let mut current = Some(root);
while let Some(record) = current {
let audit_id = record.audit_id.clone();
ordered.push(record);
current = children.remove(&audit_id).and_then(|mut child_records| {
sort_audit_records(&mut child_records);
let mut child_records = child_records.into_iter();
let next = child_records.next();
leftover.extend(child_records);
next
});
}
}
leftover.extend(children.into_values().flatten());
sort_audit_records(&mut leftover);
ordered.extend(leftover);
ordered
}
fn sort_audit_records(records: &mut [ExportedAuditRecord]) {
records.sort_by(|left, right| {
left.timestamp
.cmp(&right.timestamp)
.then_with(|| left.audit_id.cmp(&right.audit_id))
});
}
fn render_export_status(status: &ImportedStatus, events: &[String]) -> String {
let event_lines = if events.is_empty() {
"No events recorded.".to_string()
} else {
events
.iter()
.enumerate()
.map(|(index, event)| format!("{}. {event}", index + 1))
.collect::<Vec<_>>()
.join("\n")
};
format!(
"# Session Status: {session_id}\n\n\
session_id: {session_id}\n\
last_update: {timestamp}\n\
lead_agent: {lead_agent}\n\
status: {status}\n\n\
## Current State\n\n\
- phase: {phase}\n\
- mode: {mode}\n\
- artifact_ref: {artifact_ref}\n\
- completed_since_last_update: {completed}\n\
- in_progress: {in_progress}\n\
- next_action: {next_action}\n\
- blockers: {blockers}\n\
- asks_for_Zevs: {asks_for_zevs}\n\
- risk_or_residual_uncertainty: {risk}\n\
- expected_wait: {expected_wait}\n\n\
## Rolling Events\n\n\
{event_lines}\n",
session_id = status.session_id,
timestamp = status.last_update,
lead_agent = status.lead_agent,
status = status.workflow_status,
phase = status.phase,
mode = status.mode,
artifact_ref = status.artifact_ref,
completed = status.completed_since_last_update,
in_progress = status.in_progress,
next_action = status.next_action,
blockers = status.blockers,
asks_for_zevs = status.asks_for_zevs,
risk = status.risk_or_residual_uncertainty,
expected_wait = status.expected_wait,
)
}
fn render_export_audit(session_id: &str, records: &[ExportedAuditRecord]) -> String {
let record_text = records
.iter()
.map(render_export_audit_record)
.collect::<Vec<_>>()
.join("\n");
format!(
"# Audit Trail: {session_id}\n\nsession_id: {session_id}\n\n## Records\n\n{record_text}\n"
)
}
fn render_export_audit_record(record: &ExportedAuditRecord) -> String {
let mut fields = vec![
("audit_id", record.audit_id.clone()),
(
"previous_audit_id",
record
.previous_audit_id
.clone()
.unwrap_or_else(|| "none".to_string()),
),
("timestamp", record.timestamp.clone()),
("source_agent", record.source_agent.clone()),
("source_address", record.source_address.clone()),
("target_agent", record.target_agent.clone()),
("target_address", record.target_address.clone()),
("transport", record.transport.clone()),
("workspace_id", record.workspace_id.clone()),
("session_id", record.session_id.clone()),
("mid", record.mid.clone()),
("type", record.record_type.clone()),
("command_origin", record.command_origin.clone()),
("payload_hash", record.payload_hash.clone()),
(
"payload_redaction_policy",
record.payload_redaction_policy.clone(),
),
("content_size", record.content_size.to_string()),
("delivery_status", record.delivery_status.clone()),
("observed_by", record.observed_by.clone()),
("verified_by", record.verified_by.clone()),
];
for (key, value) in [
("mode", record.mode.as_ref()),
("ref", record.r#ref.as_ref()),
("re", record.re.as_ref()),
("due", record.due.as_ref()),
] {
if let Some(value) = value {
fields.push((key, value.clone()));
}
}
let fields = fields
.into_iter()
.map(|(key, value)| format!("{key}={value}"))
.collect::<Vec<_>>()
.join("\n");
format!("```text\n{fields}\n```")
}
fn write_if_changed(path: &Path, content: &str) -> CliResult<bool> {
if path.exists() {
let existing = fs::read_to_string(path).map_err(|error| {
CliError::failure(format!("failed to read {}: {error}", path.display()))
})?;
if existing == content {
return Ok(false);
}
}
if let Some(parent) = path.parent() {
fs::create_dir_all(parent).map_err(|error| {
CliError::failure(format!("failed to create {}: {error}", parent.display()))
})?;
}
fs::write(path, content).map_err(|error| {
CliError::failure(format!("failed to write {}: {error}", path.display()))
})?;
Ok(true)
}
pub(crate) fn import_outputs_root(db_path: &Path, root: &Path) -> CliResult<()> {
import_outputs(
db_path,
&DbImportOutputsArgs {
root: root.to_path_buf(),
session_id: None,
timestamp: None,
},
)
.map(|_summary| ())
}
fn import_outputs(path: &Path, args: &DbImportOutputsArgs) -> CliResult<ImportSummary> {
let sessions_dir = args.root.join("sessions");
if !sessions_dir.exists() {
return Ok(ImportSummary::default());
}
let timestamp = match &args.timestamp {
Some(value) => normalize_arg_timestamp(value)?,
None => crate::timestamp::now_utc_seconds(),
};
let mut connection = open_database(path)?;
let mut summary = ImportSummary::default();
for entry in fs::read_dir(&sessions_dir).map_err(|error| {
CliError::failure(format!(
"failed to read {}: {error}",
sessions_dir.display()
))
})? {
let entry = entry
.map_err(|error| CliError::failure(format!("failed to read session entry: {error}")))?;
let session_dir = entry.path();
if !session_dir.is_dir() {
continue;
}
let Some(session_id) = session_dir
.file_name()
.and_then(|name| name.to_str())
.map(str::to_string)
else {
continue;
};
if args
.session_id
.as_ref()
.is_some_and(|requested| requested != &session_id)
{
continue;
}
summary.sessions_seen += 1;
let transaction = connection
.transaction_with_behavior(TransactionBehavior::Immediate)
.map_err(|error| {
CliError::failure(format!(
"failed to start SQLite import transaction: {error}"
))
})?;
let warnings = import_outputs_session(&transaction, &args.root, &session_dir, ×tamp)?;
summary.warning_count += warnings.len();
insert_import_row(
&transaction,
&session_dir,
&source_hash_for_session_dir(&session_dir)?,
×tamp,
&warnings,
)?;
transaction.commit().map_err(|error| {
CliError::failure(format!(
"failed to commit outputs import transaction: {error}"
))
})?;
}
Ok(summary)
}
fn import_outputs_session(
transaction: &Transaction<'_>,
root: &Path,
session_dir: &Path,
import_timestamp: &str,
) -> CliResult<Vec<String>> {
let mut warnings = Vec::new();
let fallback_session_id = session_dir
.file_name()
.and_then(|name| name.to_str())
.unwrap_or("unknown")
.to_string();
let status_path = session_dir.join("status.md");
let mut status = if status_path.exists() {
Some(parse_status_artifact(&status_path, &fallback_session_id)?)
} else {
None
};
if let Some(status) = status.as_mut() {
status.last_update =
crate::timestamp::canonicalize(&status.last_update).ok_or_else(|| {
CliError::failure(format!(
"invalid status timestamp in {}: {}",
status_path.display(),
status.last_update
))
})?;
}
let session_id = status
.as_ref()
.map(|status| status.session_id.clone())
.unwrap_or(fallback_session_id);
let project_id = import_project_id(root);
ensure_project(transaction, &project_id, root, import_timestamp)?;
if let Some(status) = &status {
if status.lead_agent != "unknown" {
ensure_agent(transaction, &status.lead_agent, import_timestamp)?;
}
let inserted = transaction
.execute(
"INSERT OR IGNORE INTO sessions (
session_id, project_id, title, phase, mode, workflow_status,
lead_agent_id, artifact_ref, created_at, updated_at
)
VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?9)",
params![
status.session_id,
project_id,
status.session_id,
status.phase,
status.mode,
status.workflow_status,
nullable_unknown(&status.lead_agent),
status.artifact_ref,
status.last_update,
],
)
.map_err(|error| CliError::failure(format!("failed to import session: {error}")))?;
if inserted == 0 {
warnings.push(format!("skipped existing session {}", status.session_id));
}
insert_status_event_if_missing(transaction, status)?;
} else {
transaction
.execute(
"INSERT OR IGNORE INTO sessions (
session_id, project_id, title, phase, mode, workflow_status,
created_at, updated_at
)
VALUES (?1, ?2, ?1, 'import', 'validate', 'idle', ?3, ?3)",
params![session_id, project_id, import_timestamp],
)
.map_err(|error| CliError::failure(format!("failed to import session: {error}")))?;
}
let mut decision_records: Vec<ImportedAuditRecord> = Vec::new();
let mut overlay_records: Vec<ImportedAuditRecord> = Vec::new();
let audit_path = session_dir.join("audit.md");
if audit_path.exists() {
let mut new_messages = HashSet::new();
for mut record in parse_audit_artifact(&audit_path, &session_id)? {
if record.verified_by.is_empty() {
warnings.push(format!(
"skipped audit_id {}: missing verified_by",
record.audit_id
));
continue;
}
match crate::timestamp::canonicalize(&record.timestamp) {
Some(canonical) => record.timestamp = canonical,
None => {
warnings.push(format!(
"skipped audit_id {}: invalid timestamp {}",
record.audit_id, record.timestamp
));
continue;
}
}
if let Some(due) = record.due.clone() {
match crate::timestamp::canonicalize(&due) {
Some(canonical) => record.due = Some(canonical),
None => {
warnings.push(format!(
"skipped audit_id {}: invalid due {due}",
record.audit_id
));
continue;
}
}
}
let is_decision =
crate::decision::DECISION_RECORD_TYPES.contains(&record.record_type.as_str());
let is_overlay = record.record_type == crate::overlay::OVERLAY_RECORD_TYPE;
if is_overlay {
let parse = record
.payload_excerpt
.as_deref()
.ok_or_else(|| {
CliError::usage(format!(
"no overlay payload in artifact for audit_id {}",
record.audit_id
))
})
.and_then(|payload| {
let overlay = crate::overlay::Overlay::from_storage(payload)?;
overlay.validate()?;
Ok(())
});
if let Err(error) = parse {
warnings.push(format!(
"skipped participant-overlay audit_id {}: {}",
record.audit_id, error.message
));
continue;
}
}
match insert_imported_audit_record(transaction, &record) {
Ok(ImportedAuditInsert::Inserted) => {
ensure_record_agents(transaction, &record)?;
if record.record_type != crate::overlay::OVERLAY_RECORD_TYPE {
insert_or_update_imported_message(transaction, &record, &mut new_messages)?;
}
if is_decision {
decision_records.push(record);
} else if is_overlay {
overlay_records.push(record);
}
}
Ok(ImportedAuditInsert::Existing) => {
warnings.push(format!("skipped existing audit_id {}", record.audit_id));
if is_decision {
decision_records.push(record);
} else if is_overlay {
overlay_records.push(record);
}
}
Ok(ImportedAuditInsert::RebasedToRoot { original_error }) => {
warnings.push(format!(
"rebased audit_id {} to chain root after insert failed: {}",
record.audit_id, original_error
));
ensure_record_agents(transaction, &record)?;
if record.record_type != crate::overlay::OVERLAY_RECORD_TYPE {
insert_or_update_imported_message(transaction, &record, &mut new_messages)?;
}
if is_decision {
decision_records.push(record);
} else if is_overlay {
overlay_records.push(record);
}
}
Err(error) => {
warnings.push(format!("skipped audit_id {}: {error}", record.audit_id))
}
}
}
}
let work_path = session_dir.join("work.md");
if work_path.exists() {
let (work_events, parse_warnings) = parse_work_artifact(&work_path, &session_id)?;
warnings.extend(parse_warnings);
for event in work_events {
let canonical_ts = match crate::timestamp::canonicalize(&event.timestamp) {
Some(value) => value,
None => {
warnings.push(format!(
"skipped work event: invalid timestamp {}",
event.timestamp
));
continue;
}
};
if let Err(error) = event.payload.validate() {
warnings.push(format!(
"skipped work event at {canonical_ts}: {}",
error.message
));
continue;
}
project_work_event(
transaction,
&session_id,
&event.actor,
&canonical_ts,
event.seq,
&event.payload,
)?;
if let crate::work_event::WorkEventPayload::Artifact { files } = &event.payload {
for file in files {
upsert_artifact(transaction, &session_id, &file.path, &canonical_ts)?;
}
}
}
}
for record in &decision_records {
if let Some(warning) = rebuild_imported_operator_decision(transaction, &session_id, record)?
{
warnings.push(warning);
}
}
rebuild_imported_participant_overlays(transaction, &overlay_records, &mut warnings)?;
Ok(warnings)
}
fn rebuild_imported_participant_overlays(
transaction: &Transaction<'_>,
records: &[ImportedAuditRecord],
warnings: &mut Vec<String>,
) -> CliResult<()> {
let mut parsed: Vec<(&ImportedAuditRecord, crate::overlay::Overlay)> = Vec::new();
for record in records {
let Some(payload) = record.payload_excerpt.as_deref() else {
warnings.push(format!(
"skipped participant_overlay rebuild for audit_id {}: no overlay payload in artifact",
record.audit_id
));
continue;
};
let overlay = match crate::overlay::Overlay::from_storage(payload) {
Ok(overlay) => overlay,
Err(error) => {
warnings.push(format!(
"skipped participant_overlay rebuild for audit_id {}: {}",
record.audit_id, error.message
));
continue;
}
};
if let Err(error) = overlay.validate() {
warnings.push(format!(
"skipped participant_overlay rebuild for audit_id {}: {}",
record.audit_id, error.message
));
continue;
}
parsed.push((record, overlay));
}
let order = chain_order(&parsed)?;
for index in order {
let (record, overlay) = &parsed[index];
let already: bool = transaction
.query_row(
"SELECT 1 FROM participant_overlay WHERE audit_id = ?1",
params![record.audit_id],
|_| Ok(()),
)
.optional()
.map_err(|error| {
CliError::failure(format!(
"failed to read participant_overlay on rebuild: {error}"
))
})?
.is_some();
if already {
continue;
}
insert_participant_overlay(transaction, record, overlay)?;
}
Ok(())
}
fn chain_order(
parsed: &[(&ImportedAuditRecord, crate::overlay::Overlay)],
) -> CliResult<Vec<usize>> {
use std::collections::HashMap;
let mut index_by_audit: HashMap<&str, usize> = HashMap::new();
for (index, (record, _)) in parsed.iter().enumerate() {
index_by_audit.insert(record.audit_id.as_str(), index);
}
let supersedes_index: Vec<Option<usize>> = parsed
.iter()
.map(|(_, overlay)| {
overlay
.supersedes()
.and_then(|prev| index_by_audit.get(prev).copied())
})
.collect();
let mut superseded_by: Vec<Option<usize>> = vec![None; parsed.len()];
for (index, prev) in supersedes_index.iter().enumerate() {
if let Some(prev) = prev {
if superseded_by[*prev].is_none() {
superseded_by[*prev] = Some(index);
}
}
}
let mut order: Vec<usize> = Vec::with_capacity(parsed.len());
let mut emitted = vec![false; parsed.len()];
for (index, prev) in supersedes_index.iter().enumerate() {
if prev.is_some() {
continue;
}
let mut cursor = Some(index);
while let Some(node) = cursor {
if emitted[node] {
break;
}
emitted[node] = true;
order.push(node);
cursor = superseded_by[node];
}
}
if let Some((index, _)) = emitted.iter().enumerate().find(|(_, done)| !**done) {
return Err(CliError::failure(format!(
"participant_overlay import has a supersede cycle (audit_id {} is unreachable from any chain root) — rejecting the import (ADR 036 D10)",
parsed[index].0.audit_id
)));
}
Ok(order)
}
fn parse_status_artifact(path: &Path, fallback_session_id: &str) -> CliResult<ImportedStatus> {
let content = fs::read_to_string(path).map_err(|error| {
CliError::failure(format!("failed to read {}: {error}", path.display()))
})?;
let values = parse_markdown_key_values(&content);
Ok(ImportedStatus {
session_id: value_or(&values, "session_id", fallback_session_id),
last_update: value_or(&values, "last_update", "1970-01-01T00:00:00Z"),
lead_agent: value_or(&values, "lead_agent", "unknown"),
phase: value_or(&values, "phase", "import"),
mode: value_or(&values, "mode", "validate"),
artifact_ref: value_or(&values, "artifact_ref", "unknown"),
workflow_status: value_or(&values, "status", "idle"),
completed_since_last_update: value_or(&values, "completed_since_last_update", "unknown"),
in_progress: value_or(&values, "in_progress", "unknown"),
next_action: value_or(&values, "next_action", "unknown"),
blockers: value_or(&values, "blockers", "unknown"),
asks_for_zevs: value_or(&values, "asks_for_Zevs", "unknown"),
risk_or_residual_uncertainty: value_or(&values, "risk_or_residual_uncertainty", "unknown"),
expected_wait: value_or(&values, "expected_wait", "unknown"),
rolling_events: parse_rolling_events(&content),
})
}
fn parse_audit_artifact(
path: &Path,
fallback_session_id: &str,
) -> CliResult<Vec<ImportedAuditRecord>> {
let content = fs::read_to_string(path).map_err(|error| {
CliError::failure(format!("failed to read {}: {error}", path.display()))
})?;
let mut records = Vec::new();
for values in parse_fenced_key_value_blocks(&content) {
let audit_id = value_or(&values, "audit_id", "");
if audit_id.is_empty() {
continue;
}
records.push(ImportedAuditRecord {
audit_id,
previous_audit_id: optional_audit_id(&value_or(&values, "previous_audit_id", "none")),
timestamp: value_or(&values, "timestamp", "1970-01-01T00:00:00Z"),
source_agent_id: nullable_unknown(&value_or(&values, "source_agent", "unknown")),
source_address: value_or(&values, "source_address", "unknown"),
target_agent_id: nullable_unknown(&value_or(&values, "target_agent", "unknown")),
target_address: value_or(&values, "target_address", "unknown"),
transport: value_or(&values, "transport", "unknown"),
workspace_id: value_or(&values, "workspace_id", "unknown"),
session_id: value_or(&values, "session_id", fallback_session_id),
mid: value_or(&values, "mid", "unknown"),
record_type: value_or(&values, "type", "unknown"),
command_origin: value_or(&values, "command_origin", "unknown"),
mode: optional_text(&value_or(&values, "mode", "")),
r#ref: optional_text(&value_or(&values, "ref", "")),
re: optional_text(&value_or(&values, "re", "")),
payload_hash: value_or(&values, "payload_hash", "sha256:unknown"),
payload_redaction_policy: value_or(&values, "payload_redaction_policy", "hash-only"),
content_size: value_or(&values, "content_size", "0").parse().unwrap_or(0),
delivery_status: value_or(&values, "delivery_status", "unknown"),
observed_by: value_or(&values, "observed_by", "unknown"),
verified_by: value_or(&values, "verified_by", ""),
due: optional_text(&value_or(&values, "due", "")),
payload_excerpt: optional_text(&value_or(&values, "payload_excerpt", "")),
});
}
Ok(records)
}
fn parse_work_artifact(
path: &Path,
session_id: &str,
) -> CliResult<(Vec<ImportedWorkEvent>, Vec<String>)> {
let content = fs::read_to_string(path).map_err(|error| {
CliError::failure(format!("failed to read {}: {error}", path.display()))
})?;
let mut events = Vec::new();
let mut warnings = Vec::new();
let blocks = split_work_blocks(&content);
for (index, block) in blocks.blocks.iter().enumerate() {
let block_index = index + 1; match parse_work_block(block) {
Ok(event) => events.push(event),
Err(reason) => warnings.push(format!(
"skipped work event in {} (block {block_index}, session {session_id}): {reason}",
path.display()
)),
}
}
if blocks.unterminated {
warnings.push(format!(
"unterminated work-event block in {} (session {session_id}): \
opening ```work-event fence at column 0 with no matching closing fence \
before EOF — block skipped",
path.display()
));
}
Ok((events, warnings))
}
struct WorkBlocks {
blocks: Vec<Vec<String>>,
unterminated: bool,
}
fn split_work_blocks(content: &str) -> WorkBlocks {
let mut blocks: Vec<Vec<String>> = Vec::new();
let mut current: Option<Vec<String>> = None; for line in content.lines() {
if current.is_none() {
if line == "```work-event" {
current = Some(Vec::new());
}
continue;
}
if line == "```" {
blocks.push(current.take().expect("block is open"));
continue;
}
current
.as_mut()
.expect("block is open")
.push(line.to_string());
}
let unterminated = current.is_some();
WorkBlocks {
blocks,
unterminated,
}
}
pub(crate) fn count_work_blocks(content: &str) -> usize {
split_work_blocks(content).blocks.len()
}
fn parse_work_block(lines: &[String]) -> Result<ImportedWorkEvent, String> {
let header_kind = lines
.first()
.and_then(|l| l.strip_prefix("kind="))
.ok_or_else(|| "missing or misplaced kind= header (expected line 1)".to_string())?
.trim()
.to_string();
let actor = lines
.get(1)
.and_then(|l| l.strip_prefix("actor="))
.ok_or_else(|| "missing or misplaced actor= header (expected line 2)".to_string())?
.trim()
.to_string();
if actor.is_empty() {
return Err("empty actor= header".to_string());
}
let timestamp = lines
.get(2)
.and_then(|l| l.strip_prefix("timestamp="))
.ok_or_else(|| "missing or misplaced timestamp= header (expected line 3)".to_string())?
.trim()
.to_string();
if timestamp.is_empty() {
return Err("empty timestamp= header".to_string());
}
let seq_raw = lines
.get(3)
.and_then(|l| l.strip_prefix("seq="))
.ok_or_else(|| "missing or misplaced seq= header (expected line 4)".to_string())?
.trim();
let seq: usize = seq_raw
.parse()
.map_err(|_| format!("seq= header must be a non-negative integer (got {seq_raw:?})"))?;
if lines.len() < 5 {
return Err("missing stored payload (block has no body after headers)".to_string());
}
let mut payload_body = String::new();
for line in &lines[4..] {
payload_body.push_str(line);
payload_body.push('\n');
}
let payload = crate::work_event::WorkEventPayload::from_storage(&payload_body)
.map_err(|error| format!("unparseable payload: {}", error.message))?;
if header_kind != payload.kind() {
return Err(format!(
"kind header {header_kind:?} disagrees with payload kind {:?}",
payload.kind()
));
}
Ok(ImportedWorkEvent {
actor,
timestamp,
seq,
payload,
})
}
fn parse_markdown_key_values(content: &str) -> BTreeMap<String, String> {
let mut values = BTreeMap::new();
for line in content.lines() {
let line = line.trim();
if let Some((key, value)) = line
.strip_prefix("- ")
.and_then(|line| line.split_once(": "))
{
values.insert(key.to_string(), value.to_string());
} else if let Some((key, value)) = line.split_once(": ") {
values.insert(key.to_string(), value.to_string());
}
}
values
}
fn parse_rolling_events(content: &str) -> Vec<String> {
let Some((_, events_text)) = content.split_once("## Rolling Events") else {
return Vec::new();
};
events_text
.lines()
.filter_map(|line| {
let line = line.trim();
let (prefix, entry) = line.split_once(". ")?;
prefix.parse::<usize>().ok()?;
Some(entry.to_string())
})
.collect()
}
fn parse_fenced_key_value_blocks(content: &str) -> Vec<BTreeMap<String, String>> {
const PAYLOAD_KEY: &str = "payload_excerpt";
let mut blocks = Vec::new();
let mut current: Option<BTreeMap<String, String>> = None;
let mut payload_capture: Option<Vec<String>> = None;
for raw_line in content.lines() {
if payload_capture.is_some() {
if raw_line == "```" {
if let (Some(values), Some(lines)) = (current.as_mut(), payload_capture.take()) {
values.insert(PAYLOAD_KEY.to_string(), lines.join("\n"));
}
if let Some(values) = current.take() {
blocks.push(values);
}
continue;
}
if let Some(lines) = payload_capture.as_mut() {
lines.push(raw_line.to_string());
}
continue;
}
let line = raw_line.trim();
if line == "```text" {
current = Some(BTreeMap::new());
continue;
}
if line == "```" {
if let Some(values) = current.take() {
blocks.push(values);
}
continue;
}
if current.is_some() {
if let Some((key, value)) = line.split_once('=') {
if key == PAYLOAD_KEY {
payload_capture = Some(vec![value.to_string()]);
} else {
if let Some(values) = current.as_mut() {
values.insert(key.to_string(), value.to_string());
}
}
}
}
}
blocks
}
fn ensure_project(
transaction: &Transaction<'_>,
project_id: &str,
root: &Path,
timestamp: &str,
) -> CliResult<()> {
transaction
.execute(
"INSERT OR IGNORE INTO projects (project_id, name, root_path, created_at, updated_at)
VALUES (?1, ?2, ?3, ?4, ?4)",
params![
project_id,
root.file_name()
.and_then(|name| name.to_str())
.unwrap_or("outputs"),
root.display().to_string(),
timestamp,
],
)
.map_err(|error| CliError::failure(format!("failed to import project: {error}")))?;
Ok(())
}
fn ensure_agent(transaction: &Transaction<'_>, agent_id: &str, timestamp: &str) -> CliResult<()> {
transaction
.execute(
"INSERT OR IGNORE INTO agents (
agent_id, display_name, agent_kind, created_at, updated_at
)
VALUES (?1, ?1, 'imported', ?2, ?2)",
params![agent_id, timestamp],
)
.map_err(|error| CliError::failure(format!("failed to import agent: {error}")))?;
Ok(())
}
fn ensure_record_agents(
transaction: &Transaction<'_>,
record: &ImportedAuditRecord,
) -> CliResult<()> {
if let Some(agent_id) = &record.source_agent_id {
ensure_agent(transaction, agent_id, &record.timestamp)?;
}
if let Some(agent_id) = &record.target_agent_id {
ensure_agent(transaction, agent_id, &record.timestamp)?;
}
Ok(())
}
fn insert_status_event_if_missing(
transaction: &Transaction<'_>,
status: &ImportedStatus,
) -> CliResult<()> {
let event_text = status.rolling_events.join("\n");
let content_hash = status_content_hash(&[
&status.phase,
&status.mode,
&status.workflow_status,
&status.completed_since_last_update,
&status.in_progress,
&status.next_action,
&status.blockers,
&status.asks_for_zevs,
&status.risk_or_residual_uncertainty,
&status.expected_wait,
&event_text,
]);
let exists: Option<i64> = transaction
.query_row(
"SELECT status_event_id
FROM status_events
WHERE session_id = ?1 AND timestamp = ?2 AND content_hash = ?3
LIMIT 1",
params![status.session_id, status.last_update, content_hash],
|row| row.get(0),
)
.optional()
.map_err(|error| CliError::failure(format!("failed to read status events: {error}")))?;
if exists.is_some() {
return Ok(());
}
transaction
.execute(
"INSERT INTO status_events (
session_id, timestamp, phase, mode, workflow_status,
completed_since_last_update, in_progress, next_action, blockers,
asks_for_zevs, risk_or_residual_uncertainty, expected_wait, event_text,
content_hash
)
VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14)",
params![
status.session_id,
status.last_update,
status.phase,
status.mode,
status.workflow_status,
status.completed_since_last_update,
status.in_progress,
status.next_action,
status.blockers,
status.asks_for_zevs,
status.risk_or_residual_uncertainty,
status.expected_wait,
event_text,
content_hash,
],
)
.map_err(|error| CliError::failure(format!("failed to import status event: {error}")))?;
Ok(())
}
fn insert_imported_audit_record(
transaction: &Transaction<'_>,
record: &ImportedAuditRecord,
) -> Result<ImportedAuditInsert, String> {
let exists: Option<String> = transaction
.query_row(
"SELECT audit_id FROM audit_records WHERE audit_id = ?1",
[&record.audit_id],
|row| row.get(0),
)
.optional()
.map_err(|error| error.to_string())?;
if exists.is_some() {
return Ok(ImportedAuditInsert::Existing);
}
match execute_imported_audit_insert(transaction, record, record.previous_audit_id.as_deref()) {
Ok(_) => Ok(ImportedAuditInsert::Inserted),
Err(error) if record.previous_audit_id.is_some() => {
let original_error = error.to_string();
match execute_imported_audit_insert(transaction, record, None) {
Ok(_) => Ok(ImportedAuditInsert::RebasedToRoot { original_error }),
Err(fallback_error) => Err(format!(
"{original_error}; root fallback failed: {fallback_error}"
)),
}
}
Err(error) => Err(error.to_string()),
}
}
fn execute_imported_audit_insert(
transaction: &Transaction<'_>,
record: &ImportedAuditRecord,
previous_audit_id: Option<&str>,
) -> rusqlite::Result<usize> {
transaction.execute(
"INSERT INTO audit_records (
audit_id, previous_audit_id, session_id, source_agent_id, target_agent_id,
source_address, target_address, transport, workspace_id, mid, record_type,
command_origin, mode, ref, re, payload_hash, payload_redaction_policy,
content_size, delivery_status, observed_by, verified_by, timestamp, due
)
VALUES (
?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11,
?12, ?13, ?14, ?15, ?16, ?17, ?18, ?19, ?20, ?21, ?22, ?23
)",
params![
record.audit_id,
previous_audit_id,
record.session_id,
record.source_agent_id,
record.target_agent_id,
record.source_address,
record.target_address,
record.transport,
record.workspace_id,
record.mid,
record.record_type,
record.command_origin,
record.mode,
record.r#ref,
record.re,
record.payload_hash,
record.payload_redaction_policy,
record.content_size,
record.delivery_status,
record.observed_by,
record.verified_by,
record.timestamp,
record.due,
],
)
}
fn insert_or_update_imported_message(
transaction: &Transaction<'_>,
record: &ImportedAuditRecord,
new_messages: &mut HashSet<String>,
) -> CliResult<()> {
let message_id = message_id(&record.session_id, &record.mid);
let inserted = transaction
.execute(
"INSERT OR IGNORE INTO messages (
message_id, session_id, mid, source_agent_id, target_agent_id, message_type,
mode, ref, transport, payload_redaction_policy, payload_hash,
latest_delivery_status, latest_verified_by, latest_audit_id, timestamp,
payload_excerpt
)
VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16)",
params![
message_id,
record.session_id,
record.mid,
record.source_agent_id,
record.target_agent_id,
record.record_type,
record.mode,
record.r#ref,
record.transport,
record.payload_redaction_policy,
record.payload_hash,
record.delivery_status,
record.verified_by,
record.audit_id,
record.timestamp,
corpus_payload_excerpt(record),
],
)
.map_err(|error| CliError::failure(format!("failed to import message: {error}")))?;
if inserted == 1 {
new_messages.insert(message_id);
return Ok(());
}
if !new_messages.contains(&message_id) {
return Ok(());
}
transaction
.execute(
"UPDATE messages
SET source_agent_id = ?2,
target_agent_id = ?3,
message_type = ?4,
mode = ?5,
ref = ?6,
transport = ?7,
payload_redaction_policy = ?8,
payload_hash = ?9,
latest_delivery_status = ?10,
latest_verified_by = ?11,
latest_audit_id = ?12,
timestamp = ?13,
payload_excerpt = ?14
WHERE message_id = ?1",
params![
message_id,
record.source_agent_id,
record.target_agent_id,
record.record_type,
record.mode,
record.r#ref,
record.transport,
record.payload_redaction_policy,
record.payload_hash,
record.delivery_status,
record.verified_by,
record.audit_id,
record.timestamp,
corpus_payload_excerpt(record),
],
)
.map_err(|error| {
CliError::failure(format!("failed to update imported message: {error}"))
})?;
Ok(())
}
pub(crate) enum ProjectionTarget {
None,
Default(PathBuf),
Explicit(PathBuf),
}
impl ProjectionTarget {
pub(crate) fn into_path_and_mode(self) -> Option<(PathBuf, bool)> {
match self {
ProjectionTarget::None => None,
ProjectionTarget::Default(path) => Some((path, false)),
ProjectionTarget::Explicit(path) => Some((path, true)),
}
}
pub(crate) fn path_and_mode(&self) -> Option<(&Path, bool)> {
match self {
ProjectionTarget::None => None,
ProjectionTarget::Default(path) => Some((path.as_path(), false)),
ProjectionTarget::Explicit(path) => Some((path.as_path(), true)),
}
}
}
pub(crate) fn resolve_projection_target(db: Option<&Path>, no_db: bool) -> ProjectionTarget {
if no_db {
return ProjectionTarget::None;
}
match db {
Some(path) => ProjectionTarget::Explicit(path.to_path_buf()),
None => ProjectionTarget::Default(PathBuf::from(".zynk/zynk.db")),
}
}
fn ensure_zynk_gitignore(path: &Path) -> CliResult<()> {
let in_zynk_dir = path
.parent()
.and_then(|parent| parent.file_name())
.and_then(|name| name.to_str())
== Some(".zynk");
if !in_zynk_dir {
return Ok(());
}
let Some(dir) = path.parent() else {
return Ok(());
};
fs::create_dir_all(dir).map_err(|error| {
CliError::failure(format!("failed to create {}: {error}", dir.display()))
})?;
let gitignore = dir.join(".gitignore");
let has_star = |content: &str| content.lines().any(|line| line.trim() == "*");
match fs::read_to_string(&gitignore) {
Ok(content) if has_star(&content) => return Ok(()),
Ok(content) => {
let mut updated = content;
if !updated.is_empty() && !updated.ends_with('\n') {
updated.push('\n');
}
updated.push_str("*\n");
fs::write(&gitignore, updated).map_err(|error| {
CliError::failure(format!("failed to update {}: {error}", gitignore.display()))
})?;
}
Err(_) => {
fs::write(&gitignore, "*\n").map_err(|error| {
CliError::failure(format!(
"failed to write {} (is it a directory?): {error}",
gitignore.display()
))
})?;
}
}
let final_content = fs::read_to_string(&gitignore).map_err(|error| {
CliError::failure(format!("failed to verify {}: {error}", gitignore.display()))
})?;
if has_star(&final_content) {
Ok(())
} else {
Err(CliError::failure(format!(
"could not ensure a `*` rule in {}",
gitignore.display()
)))
}
}
fn open_projection_database(path: &Path) -> CliResult<Connection> {
let existed = path.exists();
ensure_zynk_gitignore(path)?;
let connection = open_database(path)?;
let in_zynk_dir = path
.parent()
.and_then(|parent| parent.file_name())
.and_then(|name| name.to_str())
== Some(".zynk");
if !existed && in_zynk_dir {
eprintln!(
"note: created {} for live state (+ .zynk/.gitignore); pass --no-db for file-only",
path.display()
);
}
Ok(connection)
}
pub(crate) fn project_status(
db_path: &Path,
root: &Path,
status: &ImportedStatus,
) -> CliResult<()> {
let mut connection = open_projection_database(db_path)?;
let transaction = connection
.transaction_with_behavior(TransactionBehavior::Immediate)
.map_err(|error| {
CliError::failure(format!("failed to start status projection: {error}"))
})?;
project_live_status(&transaction, root, status)?;
transaction.commit().map_err(|error| {
CliError::failure(format!("failed to commit status projection: {error}"))
})?;
Ok(())
}
fn project_live_status(
transaction: &Transaction<'_>,
root: &Path,
status: &ImportedStatus,
) -> CliResult<()> {
let project_id = import_project_id(root);
ensure_project(transaction, &project_id, root, &status.last_update)?;
if status.lead_agent != "unknown" {
ensure_agent(transaction, &status.lead_agent, &status.last_update)?;
}
transaction
.execute(
"INSERT INTO sessions (
session_id, project_id, title, phase, mode, workflow_status,
lead_agent_id, artifact_ref, created_at, updated_at
)
VALUES (?1, ?2, ?1, ?3, ?4, ?5, ?6, ?7, ?8, ?8)
ON CONFLICT(session_id) DO UPDATE SET
phase = excluded.phase,
mode = excluded.mode,
workflow_status = excluded.workflow_status,
lead_agent_id = excluded.lead_agent_id,
artifact_ref = excluded.artifact_ref,
updated_at = excluded.updated_at",
params![
status.session_id,
project_id,
status.phase,
status.mode,
status.workflow_status,
nullable_unknown(&status.lead_agent),
status.artifact_ref,
status.last_update,
],
)
.map_err(|error| CliError::failure(format!("failed to project session: {error}")))?;
insert_status_event_if_missing(transaction, status)?;
Ok(())
}
#[derive(Debug, PartialEq)]
pub(crate) enum LiveAuditProjection {
Projected,
AlreadyPresent,
Gap {
reason: String,
},
}
pub(crate) fn project_audit(
db_path: &Path,
root: &Path,
record: &ImportedAuditRecord,
) -> CliResult<LiveAuditProjection> {
let mut connection = open_projection_database(db_path)?;
let transaction = connection
.transaction_with_behavior(TransactionBehavior::Immediate)
.map_err(|error| CliError::failure(format!("failed to start audit projection: {error}")))?;
let outcome = project_live_audit_record(&transaction, root, record, None)?;
transaction.commit().map_err(|error| {
CliError::failure(format!("failed to commit audit projection: {error}"))
})?;
Ok(outcome)
}
fn rebuild_imported_operator_decision(
transaction: &Transaction<'_>,
session_id: &str,
record: &ImportedAuditRecord,
) -> CliResult<Option<String>> {
use crate::decision::Decision;
if !crate::decision::DECISION_RECORD_TYPES.contains(&record.record_type.as_str()) {
return Ok(None);
}
let Some(payload) = record.payload_excerpt.as_deref() else {
return Ok(Some(format!(
"skipped operator_decisions rebuild for audit_id {}: no decision payload in artifact",
record.audit_id
)));
};
let decision = match Decision::from_storage(payload) {
Ok(decision) => decision,
Err(error) => {
return Ok(Some(format!(
"skipped operator_decisions rebuild for audit_id {}: {}",
record.audit_id, error.message
)));
}
};
if let Err(error) = decision.validate() {
return Ok(Some(format!(
"skipped operator_decisions rebuild for audit_id {}: {}",
record.audit_id, error.message
)));
}
let expected_kind = match &decision {
Decision::Gate { .. } => Some("gate"),
Decision::Conflict { .. } => Some("conflict"),
Decision::Mode { .. } | Decision::Interrupt { .. } | Decision::Redirect { .. } => None,
};
if let (Some(expected_kind), Some(wid)) = (expected_kind, decision.target_work_event_id()) {
let actual_kind: Option<String> = transaction
.query_row(
"SELECT kind FROM work_events WHERE work_event_id = ?1 AND session_id = ?2",
params![wid, session_id],
|row| row.get(0),
)
.optional()
.map_err(|error| {
CliError::failure(format!("failed to read work_event kind on import: {error}"))
})?;
match actual_kind.as_deref() {
Some(kind) if kind == expected_kind => {}
Some(other) => {
return Ok(Some(format!(
"skipped operator_decisions rebuild for audit_id {}: --ref {wid} is a \
{other} work-event, not a {expected_kind}, in session",
record.audit_id
)));
}
None => {
return Ok(Some(format!(
"skipped operator_decisions rebuild for audit_id {}: --ref {wid} missing \
in session",
record.audit_id
)));
}
}
}
insert_operator_decision(transaction, record, &decision)?;
Ok(None)
}
pub(crate) fn project_decision(
db_path: &Path,
root: &Path,
record: &ImportedAuditRecord,
decision: &crate::decision::Decision,
) -> CliResult<()> {
let mut connection = open_projection_database(db_path)?;
let transaction = connection
.transaction_with_behavior(TransactionBehavior::Immediate)
.map_err(|error| {
CliError::failure(format!("failed to start decision projection: {error}"))
})?;
match project_live_audit_record(&transaction, root, record, None)? {
LiveAuditProjection::Projected | LiveAuditProjection::AlreadyPresent => {}
LiveAuditProjection::Gap { reason } => {
return Err(CliError::failure(format!(
"decision audit did not project (gap): {reason}"
)))
}
}
insert_operator_decision(&transaction, record, decision)?;
transaction.commit().map_err(|error| {
CliError::failure(format!("failed to commit decision projection: {error}"))
})?;
Ok(())
}
fn insert_operator_decision(
transaction: &Transaction<'_>,
record: &ImportedAuditRecord,
decision: &crate::decision::Decision,
) -> CliResult<()> {
use crate::decision::Decision;
let (verdict, resolution, mode_to, target_agent, reason, note) = match decision {
Decision::Gate { verdict, note, .. } => {
(Some(verdict.clone()), None, None, None, None, note.clone())
}
Decision::Conflict {
resolution, note, ..
} => (
None,
Some(resolution.clone()),
None,
None,
None,
note.clone(),
),
Decision::Mode { mode_to } => (None, None, Some(mode_to.clone()), None, None, None),
Decision::Interrupt { reason } => (None, None, None, None, reason.clone(), None),
Decision::Redirect {
target_agent,
reason,
} => (
None,
None,
None,
Some(target_agent.clone()),
reason.clone(),
None,
),
};
let created_at = crate::timestamp::canonicalize(&record.timestamp)
.unwrap_or_else(|| record.timestamp.clone());
transaction
.execute(
"INSERT OR IGNORE INTO operator_decisions
(audit_id, session_id, decision_type, target_work_event_id,
verdict, resolution, mode_to, target_agent, reason, note,
decision_status, notification_status, created_at)
VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, 'decided', 'not-requested', ?11)",
params![
record.audit_id,
record.session_id,
decision.record_type(),
decision.target_work_event_id(),
verdict,
resolution,
mode_to,
target_agent,
reason,
note,
created_at,
],
)
.map_err(|error| {
CliError::failure(format!("failed to insert operator_decision: {error}"))
})?;
Ok(())
}
pub(crate) fn project_overlay(
db_path: &Path,
root: &Path,
record: &ImportedAuditRecord,
overlay: &crate::overlay::Overlay,
) -> CliResult<()> {
let mut connection = open_projection_database(db_path)?;
let transaction = connection
.transaction_with_behavior(TransactionBehavior::Immediate)
.map_err(|error| {
CliError::failure(format!("failed to start overlay projection: {error}"))
})?;
match project_live_audit_record(&transaction, root, record, Some(overlay))? {
LiveAuditProjection::Projected | LiveAuditProjection::AlreadyPresent => {}
LiveAuditProjection::Gap { reason } => {
return Err(CliError::failure(format!(
"overlay audit did not project (gap): {reason}"
)))
}
}
transaction.commit().map_err(|error| {
CliError::failure(format!("failed to commit overlay projection: {error}"))
})?;
Ok(())
}
fn insert_participant_overlay(
transaction: &Transaction<'_>,
record: &ImportedAuditRecord,
overlay: &crate::overlay::Overlay,
) -> CliResult<()> {
use crate::overlay::Overlay;
let asserter_actor_id = record.source_agent_id.as_deref().ok_or_else(|| {
CliError::failure(format!(
"overlay proof {} has no source_agent_id (asserter) — cannot project a typed row",
record.audit_id
))
})?;
let actor_kind: Option<&str> = match overlay {
Overlay::ActorKind { actor_kind, .. } => Some(actor_kind.as_str()),
_ => None,
};
let role_id: Option<&str> = match overlay {
Overlay::Role { role_id, .. } => Some(role_id.as_str()),
_ => None,
};
let role_label: Option<&str> = match overlay {
Overlay::Role { role_label, .. } => Some(role_label.as_str()),
_ => None,
};
let trait_id: Option<&str> = match overlay {
Overlay::Trait { trait_id, .. } => Some(trait_id.as_str()),
_ => None,
};
let trait_value: Option<i64> = match overlay {
Overlay::Trait { value, .. } => Some(i64::from(*value)),
_ => None,
};
let created_at = crate::timestamp::canonicalize(&record.timestamp)
.unwrap_or_else(|| record.timestamp.clone());
if let Some(prev) = overlay.supersedes() {
let affected = transaction
.execute(
"UPDATE participant_overlay SET superseded_by_audit_id = ?1
WHERE audit_id = ?2
AND session_id = ?3
AND subject_actor_id = ?4
AND overlay_kind = ?5
AND (trait_id IS ?6)",
params![
record.audit_id,
prev,
record.session_id,
overlay.subject(),
overlay.overlay_kind(),
trait_id,
],
)
.map_err(|error| {
CliError::failure(format!(
"failed to mark superseded participant_overlay: {error}"
))
})?;
if affected != 1 {
return Err(CliError::failure(format!(
"supersedes {prev} is not the current row of this overlay slot \
(session={}, subject={}, kind={}) — a mis-pointed supersede is rejected (ADR 036 D10)",
record.session_id,
overlay.subject(),
overlay.overlay_kind(),
)));
}
}
transaction
.execute(
"INSERT INTO participant_overlay (
audit_id, session_id, subject_actor_id, overlay_kind,
actor_kind, role_id, role_label, trait_id, trait_value,
asserter_actor_id, asserter_kind, supersedes_audit_id,
superseded_by_audit_id, created_at
)
VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, NULL, ?13)",
params![
record.audit_id,
record.session_id,
overlay.subject(),
overlay.overlay_kind(),
actor_kind,
role_id,
role_label,
trait_id,
trait_value,
asserter_actor_id,
overlay.asserter_kind(),
overlay.supersedes(),
created_at,
],
)
.map_err(|error| {
CliError::failure(format!("failed to insert participant_overlay: {error}"))
})?;
Ok(())
}
pub(crate) fn update_decision_notification(
db_path: &Path,
decision_audit_id: &str,
status: &str,
notification_mid: Option<&str>,
notification_error: Option<&str>,
) -> CliResult<()> {
let connection = open_projection_database(db_path)?;
let notification_audit_id: Option<String> = match (status, notification_mid) {
("sent", Some(mid)) => connection
.query_row(
"SELECT audit_id FROM audit_records
WHERE mid = ?1 AND delivery_status = 'sent'
ORDER BY rowid DESC LIMIT 1",
params![mid],
|row| row.get(0),
)
.optional()
.map_err(|error| {
CliError::failure(format!("failed to resolve notification audit: {error}"))
})?,
_ => None,
};
let updated = connection
.execute(
"UPDATE operator_decisions
SET notification_status = ?1,
notification_mid = ?2,
notification_audit_id = ?3,
notification_error = ?4
WHERE audit_id = ?5",
params![
status,
notification_mid,
notification_audit_id,
notification_error,
decision_audit_id,
],
)
.map_err(|error| {
CliError::failure(format!("failed to update decision notification: {error}"))
})?;
if updated == 0 {
return Err(CliError::failure(format!(
"no operator_decisions row for audit_id {decision_audit_id} to record notification"
)));
}
Ok(())
}
pub(crate) fn work_event_kind(
db_path: &Path,
session_id: &str,
work_event_id: i64,
) -> CliResult<Option<String>> {
let connection = open_projection_database(db_path)?;
let kind: Option<String> = connection
.query_row(
"SELECT kind FROM work_events WHERE work_event_id = ?1 AND session_id = ?2",
params![work_event_id, session_id],
|row| row.get(0),
)
.optional()
.map_err(|error| CliError::failure(format!("failed to read work_event kind: {error}")))?;
Ok(kind)
}
pub(crate) fn current_overlay_audit_id(
db_path: &Path,
session_id: &str,
subject: &str,
overlay_kind: &str,
trait_id: Option<&str>,
) -> CliResult<Option<String>> {
let connection = open_projection_database(db_path)?;
let audit_id: Option<String> = match trait_id {
Some(trait_id) => connection
.query_row(
"SELECT audit_id FROM participant_overlay
WHERE session_id = ?1 AND subject_actor_id = ?2
AND overlay_kind = 'trait' AND trait_id = ?3
AND superseded_by_audit_id IS NULL
LIMIT 1",
params![session_id, subject, trait_id],
|row| row.get(0),
)
.optional(),
None => connection
.query_row(
"SELECT audit_id FROM participant_overlay
WHERE session_id = ?1 AND subject_actor_id = ?2
AND overlay_kind = ?3
AND superseded_by_audit_id IS NULL
LIMIT 1",
params![session_id, subject, overlay_kind],
|row| row.get(0),
)
.optional(),
}
.map_err(|error| {
CliError::failure(format!(
"failed to read current participant_overlay: {error}"
))
})?;
Ok(audit_id)
}
pub(crate) fn latest_mode_decision(
connection: &Connection,
session_id: &str,
) -> CliResult<Option<(String, String)>> {
connection
.query_row(
"SELECT a.timestamp, od.mode_to
FROM operator_decisions AS od
JOIN audit_records AS a ON a.audit_id = od.audit_id
WHERE od.session_id = ?1 AND od.decision_type = 'mode-switch'
ORDER BY a.timestamp DESC, od.audit_id DESC
LIMIT 1",
[session_id],
|row| Ok((row.get::<_, String>(0)?, row.get::<_, String>(1)?)),
)
.optional()
.map_err(|error| {
CliError::failure(format!(
"failed to read latest mode-switch decision: {error}"
))
})
}
pub(crate) fn project_work_event(
connection: &Connection,
session_id: &str,
actor: &str,
timestamp: &str,
seq: usize,
payload: &crate::work_event::WorkEventPayload,
) -> CliResult<()> {
payload.validate()?; let stored = payload.to_storage()?;
let content_hash = format!(
"sha256:{:x}",
Sha256::digest(format!("{seq}\n{actor}\n{timestamp}\n{stored}").as_bytes())
);
connection
.execute(
"INSERT OR IGNORE INTO work_events
(session_id, actor_agent_id, kind, timestamp, payload, content_hash, created_at)
VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?4)",
params![
session_id,
actor,
payload.kind(),
timestamp,
stored,
content_hash
],
)
.map_err(|error| CliError::failure(format!("failed to project work event: {error}")))?;
Ok(())
}
fn project_live_audit_record(
transaction: &Transaction<'_>,
root: &Path,
record: &ImportedAuditRecord,
overlay: Option<&crate::overlay::Overlay>,
) -> CliResult<LiveAuditProjection> {
let canonical_ts = match crate::timestamp::canonicalize(&record.timestamp) {
Some(value) => value,
None => {
return Ok(LiveAuditProjection::Gap {
reason: format!("non-canonical timestamp {}", record.timestamp),
})
}
};
let exists: Option<String> = transaction
.query_row(
"SELECT audit_id FROM audit_records WHERE audit_id = ?1",
[&record.audit_id],
|row| row.get(0),
)
.optional()
.map_err(|error| CliError::failure(format!("failed to read audit_records: {error}")))?;
if exists.is_some() {
return Ok(LiveAuditProjection::AlreadyPresent);
}
let project_id = import_project_id(root);
ensure_project(transaction, &project_id, root, &canonical_ts)?;
ensure_session_min(transaction, &project_id, &record.session_id, &canonical_ts)?;
let mut canonical_record = record.clone();
canonical_record.timestamp = canonical_ts;
match execute_imported_audit_insert(
transaction,
&canonical_record,
canonical_record.previous_audit_id.as_deref(),
) {
Ok(_) => {
ensure_record_agents(transaction, &canonical_record)?;
if canonical_record.record_type == crate::overlay::OVERLAY_RECORD_TYPE {
let parsed;
let overlay = match overlay {
Some(overlay) => overlay,
None => {
let payload = canonical_record.payload_excerpt.as_deref().ok_or_else(|| {
CliError::failure(format!(
"participant-overlay proof {} has no payload to project a typed row (ADR 036 D7)",
canonical_record.audit_id
))
})?;
parsed = crate::overlay::Overlay::from_storage(payload)?;
parsed.validate()?;
&parsed
}
};
insert_participant_overlay(transaction, &canonical_record, overlay)?;
} else {
upsert_message_latest(transaction, &canonical_record)?;
}
Ok(LiveAuditProjection::Projected)
}
Err(error) => Ok(LiveAuditProjection::Gap {
reason: error.to_string(),
}),
}
}
fn ensure_session_min(
transaction: &Transaction<'_>,
project_id: &str,
session_id: &str,
timestamp: &str,
) -> CliResult<()> {
transaction
.execute(
"INSERT OR IGNORE INTO sessions (
session_id, project_id, title, phase, mode, workflow_status, created_at, updated_at
)
VALUES (?1, ?2, ?1, 'live', 'unknown', 'idle', ?3, ?3)",
params![session_id, project_id, timestamp],
)
.map_err(|error| CliError::failure(format!("failed to ensure session: {error}")))?;
Ok(())
}
pub(crate) fn project_report(
db_path: &Path,
root: &Path,
session_id: &str,
actor: &str,
timestamp: &str,
seq: usize,
payload: &crate::work_event::WorkEventPayload,
) -> CliResult<()> {
let mut connection = open_projection_database(db_path)?;
let transaction = connection
.transaction_with_behavior(TransactionBehavior::Immediate)
.map_err(|error| {
CliError::failure(format!("failed to start report projection: {error}"))
})?;
let project_id = import_project_id(root);
ensure_project(&transaction, &project_id, root, timestamp)?;
ensure_session_min(&transaction, &project_id, session_id, timestamp)?;
project_work_event(&transaction, session_id, actor, timestamp, seq, payload)?;
if let crate::work_event::WorkEventPayload::Artifact { files } = payload {
for file in files {
upsert_artifact(&transaction, session_id, &file.path, timestamp)?;
}
}
transaction.commit().map_err(|error| {
CliError::failure(format!("failed to commit report projection: {error}"))
})?;
Ok(())
}
pub(crate) fn upsert_artifact(
connection: &Connection,
session_id: &str,
path: &str,
ts: &str,
) -> CliResult<()> {
connection
.execute(
"INSERT INTO artifacts (session_id, kind, path, updated_at) VALUES (?1, 'file', ?2, ?3)
ON CONFLICT(session_id, path) DO UPDATE SET updated_at=excluded.updated_at",
params![session_id, path, ts],
)
.map_err(|e| CliError::failure(format!("failed to upsert artifact: {e}")))?;
Ok(())
}
fn corpus_payload_excerpt(record: &ImportedAuditRecord) -> Option<&str> {
if record.payload_redaction_policy == "hash-only" {
None
} else {
record.payload_excerpt.as_deref()
}
}
fn upsert_message_latest(
transaction: &Transaction<'_>,
record: &ImportedAuditRecord,
) -> CliResult<()> {
let message_id = message_id(&record.session_id, &record.mid);
transaction
.execute(
"INSERT INTO messages (
message_id, session_id, mid, source_agent_id, target_agent_id, message_type,
mode, ref, transport, payload_redaction_policy, payload_hash,
latest_delivery_status, latest_verified_by, latest_audit_id, timestamp,
payload_excerpt
)
VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16)
ON CONFLICT(session_id, mid) DO UPDATE SET
source_agent_id = excluded.source_agent_id,
target_agent_id = excluded.target_agent_id,
message_type = excluded.message_type,
mode = excluded.mode,
ref = excluded.ref,
transport = excluded.transport,
payload_redaction_policy = excluded.payload_redaction_policy,
payload_hash = excluded.payload_hash,
latest_delivery_status = excluded.latest_delivery_status,
latest_verified_by = excluded.latest_verified_by,
latest_audit_id = excluded.latest_audit_id,
timestamp = excluded.timestamp,
payload_excerpt = excluded.payload_excerpt",
params![
message_id,
record.session_id,
record.mid,
record.source_agent_id,
record.target_agent_id,
record.record_type,
record.mode,
record.r#ref,
record.transport,
record.payload_redaction_policy,
record.payload_hash,
record.delivery_status,
record.verified_by,
record.audit_id,
record.timestamp,
corpus_payload_excerpt(record),
],
)
.map_err(|error| CliError::failure(format!("failed to project message: {error}")))?;
Ok(())
}
fn insert_import_row(
transaction: &Transaction<'_>,
session_dir: &Path,
source_hash: &str,
imported_at: &str,
warnings: &[String],
) -> CliResult<()> {
let warning_summary = if warnings.is_empty() {
"none".to_string()
} else {
warnings.join("; ")
};
let result = if warnings.is_empty() {
"imported"
} else {
"imported-with-warnings"
};
transaction
.execute(
"INSERT INTO imports (
source_kind, source_path, source_hash, imported_at, result, warning_summary
)
VALUES ('outputs', ?1, ?2, ?3, ?4, ?5)",
params![
session_dir.display().to_string(),
source_hash,
imported_at,
result,
warning_summary,
],
)
.map_err(|error| CliError::failure(format!("failed to record import: {error}")))?;
Ok(())
}
fn normalize_arg_timestamp(value: &str) -> CliResult<String> {
crate::timestamp::canonicalize(value).ok_or_else(|| {
CliError::usage(format!(
"--timestamp must be RFC3339 (e.g. 2026-05-29T02:00:00Z): {value}"
))
})
}
fn append_audit_record(path: &Path, args: &DbAuditAppendArgs) -> CliResult<String> {
if args.payload.is_some() == args.payload_file.is_some() {
return Err(CliError::usage(
"exactly one of --payload or --payload-file is required",
));
}
if args.excerpt_chars < 1 {
return Err(CliError::usage("--excerpt-chars must be >= 1"));
}
if !matches!(
args.payload_redaction_policy.as_str(),
"hash-only" | "excerpt" | "full"
) {
return Err(CliError::usage(format!(
"invalid redaction policy: {}",
args.payload_redaction_policy
)));
}
if !matches!(
args.delivery_status.as_str(),
"drafted" | "sent" | "observed" | "failed" | "unknown"
) {
return Err(CliError::usage(format!(
"invalid delivery status: {}",
args.delivery_status
)));
}
if crate::decision::is_non_transport_proof_record_type(&args.record_type)
&& args.delivery_status == "sent"
{
return Err(CliError::usage(
"a non-transport operator proof (a decision record_type, `reveal`, or `participant-overlay`) must not be delivery_status=sent (ADR 024 §1a / ADR 034 D8 / ADR 036: an observed/operator event, not a delivered message)",
));
}
let timestamp = normalize_arg_timestamp(&args.timestamp)?;
let payload = payload_from_args(args)?;
let payload_bytes = payload.as_bytes();
let payload_hash = format!("sha256:{:x}", Sha256::digest(payload_bytes));
let payload_excerpt =
payload_excerpt(&payload, args.excerpt_chars, &args.payload_redaction_policy);
let message_id = message_id(&args.session_id, &args.mid);
let mut connection = open_database(path)?;
let transaction = connection
.transaction_with_behavior(TransactionBehavior::Immediate)
.map_err(|error| {
CliError::failure(format!("failed to start SQLite audit transaction: {error}"))
})?;
let previous_audit_id = tail_audit_id(&transaction, &args.session_id)?;
let audit_id = match &args.audit_id {
Some(audit_id) => audit_id.clone(),
None => generate_audit_id(&transaction)?,
};
transaction
.execute(
"INSERT INTO audit_records (
audit_id, previous_audit_id, session_id, source_agent_id, target_agent_id,
source_address, target_address, transport, workspace_id, mid, record_type,
command_origin, mode, ref, re, payload_hash, payload_redaction_policy,
content_size, delivery_status, observed_by, verified_by, timestamp
)
VALUES (
?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11,
?12, ?13, ?14, ?15, ?16, ?17, ?18, ?19, ?20, ?21, ?22
)",
params![
audit_id,
previous_audit_id,
args.session_id,
args.source_agent_id,
args.target_agent_id,
args.source_address,
args.target_address,
args.transport,
args.workspace_id,
args.mid,
args.record_type,
args.command_origin,
args.mode,
args.r#ref,
args.re,
payload_hash,
args.payload_redaction_policy,
payload_bytes.len() as i64,
args.delivery_status,
args.observed_by,
args.verified_by,
timestamp,
],
)
.map_err(|error| CliError::failure(format!("failed to append audit record: {error}")))?;
if args.record_type == crate::overlay::OVERLAY_RECORD_TYPE {
let overlay = crate::overlay::Overlay::from_storage(&payload)?;
overlay.validate()?;
let overlay_record = ImportedAuditRecord {
audit_id: audit_id.clone(),
previous_audit_id: previous_audit_id.clone(),
timestamp: timestamp.clone(),
source_agent_id: args.source_agent_id.clone(),
source_address: args.source_address.clone(),
target_agent_id: args.target_agent_id.clone(),
target_address: args.target_address.clone(),
transport: args.transport.clone(),
workspace_id: args.workspace_id.clone(),
session_id: args.session_id.clone(),
mid: args.mid.clone(),
record_type: args.record_type.clone(),
command_origin: args.command_origin.clone(),
mode: args.mode.clone(),
r#ref: args.r#ref.clone(),
re: args.re.clone(),
payload_hash: payload_hash.clone(),
payload_redaction_policy: args.payload_redaction_policy.clone(),
content_size: payload_bytes.len() as i64,
delivery_status: args.delivery_status.clone(),
observed_by: args.observed_by.clone(),
verified_by: args.verified_by.clone(),
due: None,
payload_excerpt: Some(payload.clone()),
};
insert_participant_overlay(&transaction, &overlay_record, &overlay)?;
} else {
transaction
.execute(
"INSERT INTO messages (
message_id, session_id, mid, source_agent_id, target_agent_id, message_type,
mode, ref, transport, transport_thread_id, payload_redaction_policy,
payload_excerpt, payload_hash, latest_delivery_status, latest_verified_by,
latest_audit_id, timestamp
)
VALUES (
?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16, ?17
)
ON CONFLICT(session_id, mid) DO UPDATE SET
source_agent_id = excluded.source_agent_id,
target_agent_id = excluded.target_agent_id,
message_type = excluded.message_type,
mode = excluded.mode,
ref = excluded.ref,
transport = excluded.transport,
transport_thread_id = excluded.transport_thread_id,
payload_redaction_policy = excluded.payload_redaction_policy,
payload_excerpt = excluded.payload_excerpt,
payload_hash = excluded.payload_hash,
latest_delivery_status = excluded.latest_delivery_status,
latest_verified_by = excluded.latest_verified_by,
latest_audit_id = excluded.latest_audit_id,
timestamp = excluded.timestamp",
params![
message_id,
args.session_id,
args.mid,
args.source_agent_id,
args.target_agent_id,
args.record_type,
args.mode,
args.r#ref,
args.transport,
args.transport_thread_id,
args.payload_redaction_policy,
payload_excerpt,
payload_hash,
args.delivery_status,
args.verified_by,
audit_id,
timestamp,
],
)
.map_err(|error| {
CliError::failure(format!("failed to update message state: {error}"))
})?;
}
transaction.commit().map_err(|error| {
CliError::failure(format!("failed to commit audit transaction: {error}"))
})?;
Ok(audit_id)
}
fn payload_from_args(args: &DbAuditAppendArgs) -> CliResult<String> {
if let Some(path) = &args.payload_file {
let mut payload = String::new();
fs::File::open(path)
.and_then(|mut file| file.read_to_string(&mut payload))
.map_err(|error| {
CliError::failure(format!(
"failed to read payload file {}: {error}",
path.display()
))
})?;
return Ok(payload);
}
Ok(args.payload.clone().unwrap_or_default())
}
fn payload_excerpt(payload: &str, chars: usize, policy: &str) -> Option<String> {
match policy {
"hash-only" => None,
"full" => Some(payload.to_string()),
_ => {
let count = payload.chars().count();
if count <= chars * 2 {
Some(payload.to_string())
} else {
let start = payload.chars().take(chars).collect::<String>();
let end = payload
.chars()
.rev()
.take(chars)
.collect::<String>()
.chars()
.rev()
.collect::<String>();
Some(format!("{start}...{end}"))
}
}
}
}
fn tail_audit_id(transaction: &Transaction<'_>, session_id: &str) -> CliResult<Option<String>> {
transaction
.query_row(
"SELECT record.audit_id
FROM audit_records AS record
WHERE record.session_id = ?1
AND NOT EXISTS (
SELECT 1
FROM audit_records AS child
WHERE child.session_id = record.session_id
AND child.previous_audit_id = record.audit_id
)
ORDER BY record.timestamp DESC, record.audit_id DESC
LIMIT 1",
[session_id],
|row| row.get(0),
)
.optional()
.map_err(|error| CliError::failure(format!("failed to read audit chain tail: {error}")))
}
fn generate_audit_id(transaction: &Transaction<'_>) -> CliResult<String> {
let mut statement = transaction
.prepare("SELECT audit_id FROM audit_records")
.map_err(|error| CliError::failure(format!("failed to read audit ids: {error}")))?;
let existing_ids = statement
.query_map([], |row| row.get::<_, String>(0))
.map_err(|error| CliError::failure(format!("failed to read audit ids: {error}")))?
.collect::<Result<HashSet<_>, _>>()
.map_err(|error| CliError::failure(format!("failed to read audit ids: {error}")))?;
const ALPHABET: &[u8] = b"abcdefghijklmnopqrstuvwxyz0123456789";
let mut rng = OsRng;
for _ in 0..100 {
let audit_id = (0..6)
.map(|_| {
let index = rng.gen_range(0..ALPHABET.len());
ALPHABET[index] as char
})
.collect::<String>();
if !existing_ids.contains(&audit_id) {
return Ok(audit_id);
}
}
Err(CliError::usage(
"could not generate unique audit_id after 100 attempts",
))
}
fn message_id(session_id: &str, mid: &str) -> String {
let digest = Sha256::digest(format!("{session_id}\0{mid}").as_bytes());
format!("msg-{digest:x}")
}
fn import_project_id(root: &Path) -> String {
let digest = Sha256::digest(root.display().to_string().as_bytes());
let hex = format!("{digest:x}");
format!("project-{}", &hex[..16])
}
fn source_hash_for_session_dir(session_dir: &Path) -> CliResult<String> {
let mut hasher = Sha256::new();
for file_name in ["status.md", "audit.md", "summary.md"] {
let path = session_dir.join(file_name);
if path.exists() {
hasher.update(file_name.as_bytes());
let content = fs::read(&path).map_err(|error| {
CliError::failure(format!("failed to read {}: {error}", path.display()))
})?;
hasher.update(content);
}
}
Ok(format!("sha256:{:x}", hasher.finalize()))
}
fn value_or(values: &BTreeMap<String, String>, key: &str, fallback: &str) -> String {
values
.get(key)
.filter(|value| !value.is_empty())
.cloned()
.unwrap_or_else(|| fallback.to_string())
}
fn optional_text(value: &str) -> Option<String> {
if value.is_empty() || value == "unknown" {
None
} else {
Some(value.to_string())
}
}
fn optional_audit_id(value: &str) -> Option<String> {
if matches!(value, "" | "none" | "unknown") {
None
} else {
Some(value.to_string())
}
}
fn nullable_unknown(value: &str) -> Option<String> {
if value.is_empty() || value == "unknown" {
None
} else {
Some(value.to_string())
}
}
fn table_has_column(connection: &Connection, table: &str, column: &str) -> CliResult<bool> {
let mut statement = connection
.prepare(&format!("PRAGMA table_info({table})"))
.map_err(|error| {
CliError::failure(format!("failed to inspect SQLite table {table}: {error}"))
})?;
let columns = statement
.query_map([], |row| row.get::<_, String>(1))
.map_err(|error| {
CliError::failure(format!("failed to inspect SQLite table {table}: {error}"))
})?
.collect::<Result<Vec<_>, _>>()
.map_err(|error| {
CliError::failure(format!("failed to inspect SQLite table {table}: {error}"))
})?;
Ok(columns.iter().any(|name| name == column))
}
#[cfg(test)]
mod tests {
use super::*;
fn open_v3(connection: &Connection) {
create_schema_migrations(connection).unwrap();
apply_v1(connection).unwrap();
apply_v2(connection).unwrap();
apply_v3(connection).unwrap();
connection.pragma_update(None, "user_version", 3).unwrap();
}
#[test]
fn v6_work_events_insert_and_read() {
let dir = tempfile::tempdir().unwrap();
let db = dir.path().join("z.db");
let conn = open_database(&db).unwrap();
let ts = "2026-05-31T00:00:00Z";
conn.execute(
"INSERT INTO projects (project_id,name,root_path,created_at,updated_at) VALUES ('p','p','/tmp',?1,?1)",
params![ts],
)
.unwrap();
conn.execute(
"INSERT INTO sessions (session_id,project_id,title,phase,mode,workflow_status,created_at,updated_at) VALUES ('s1','p','s1','live','unknown','idle',?1,?1)",
params![ts],
)
.unwrap();
let payload = crate::work_event::WorkEventPayload::Think {
text: "weighing options".into(),
};
project_work_event(&conn, "s1", "claude", "2026-05-31T00:00:00Z", 0, &payload).unwrap();
let (kind, stored): (String, String) = conn
.query_row(
"SELECT kind, payload FROM work_events WHERE session_id='s1'",
[],
|r| Ok((r.get(0)?, r.get(1)?)),
)
.unwrap();
assert_eq!(kind, "think");
assert_eq!(
crate::work_event::WorkEventPayload::from_storage(&stored).unwrap(),
payload
);
}
#[test]
fn v4_backfills_content_hash_for_legacy_status_event() {
let connection = Connection::open_in_memory().unwrap();
open_v3(&connection);
connection
.execute(
"INSERT INTO projects (project_id, name, root_path, created_at, updated_at)
VALUES ('p', 'p', '/p', '2026-05-29T00:00:00Z', '2026-05-29T00:00:00Z')",
[],
)
.unwrap();
connection
.execute(
"INSERT INTO sessions (session_id, project_id, title, phase, mode, workflow_status, created_at, updated_at)
VALUES ('s', 'p', 's', 'tooling', 'review', 'working', '2026-05-29T00:00:00Z', '2026-05-29T00:00:00Z')",
[],
)
.unwrap();
connection
.execute(
"INSERT INTO status_events (session_id, timestamp, phase, mode, workflow_status,
completed_since_last_update, in_progress, next_action, blockers,
asks_for_zevs, risk_or_residual_uncertainty, expected_wait, event_text)
VALUES ('s', '2026-05-29T01:00:00Z', 'tooling', 'review', 'working',
'c', 'p', 'next-A', 'none', 'none', 'none', 'unknown', 'event one')",
[],
)
.unwrap();
apply_v4(&connection).unwrap();
let stored: String = connection
.query_row(
"SELECT content_hash FROM status_events WHERE session_id='s'",
[],
|row| row.get(0),
)
.unwrap();
let expected = status_content_hash(&[
"tooling",
"review",
"working",
"c",
"p",
"next-A",
"none",
"none",
"none",
"unknown",
"event one",
]);
assert_eq!(
stored, expected,
"legacy row must be backfilled with the canonical hash"
);
assert!(stored.starts_with("sha256:"));
}
#[test]
fn noncanonical_scan_counts_legacy_offset_rows() {
let connection = Connection::open_in_memory().unwrap();
open_v3(&connection);
connection
.execute(
"INSERT INTO projects (project_id, name, root_path, created_at, updated_at)
VALUES ('p', 'p', '/p', '2026-05-29T00:00:00Z', '2026-05-29T00:00:00Z')",
[],
)
.unwrap();
connection
.execute(
"INSERT INTO sessions (session_id, project_id, title, phase, mode, workflow_status, created_at, updated_at)
VALUES ('s', 'p', 's', 'x', 'review', 'working', '2026-05-29T00:00:00Z', '2026-05-28T18:00:00+07:00')",
[],
)
.unwrap();
assert_eq!(noncanonical_timestamp_count(&connection).unwrap(), 1);
apply_v4(&connection).unwrap();
assert_eq!(noncanonical_timestamp_count(&connection).unwrap(), 1);
}
#[test]
fn migrated_legacy_status_row_dedups_on_reimport() {
let mut connection = Connection::open_in_memory().unwrap();
open_v3(&connection);
connection
.execute(
"INSERT INTO projects (project_id, name, root_path, created_at, updated_at)
VALUES ('p', 'p', '/p', '2026-05-29T00:00:00Z', '2026-05-29T00:00:00Z')",
[],
)
.unwrap();
connection
.execute(
"INSERT INTO sessions (session_id, project_id, title, phase, mode, workflow_status, created_at, updated_at)
VALUES ('s', 'p', 's', 'tooling', 'review', 'working', '2026-05-29T00:00:00Z', '2026-05-29T00:00:00Z')",
[],
)
.unwrap();
connection
.execute(
"INSERT INTO status_events (session_id, timestamp, phase, mode, workflow_status,
completed_since_last_update, in_progress, next_action, blockers,
asks_for_zevs, risk_or_residual_uncertainty, expected_wait, event_text)
VALUES ('s', '2026-05-29T01:00:00Z', 'tooling', 'review', 'working',
'c', 'p', 'next-A', 'none', 'none', 'none', 'unknown', 'event one')",
[],
)
.unwrap();
apply_v4(&connection).unwrap();
let status = ImportedStatus {
session_id: "s".to_string(),
last_update: "2026-05-29T01:00:00Z".to_string(),
lead_agent: "codex".to_string(),
phase: "tooling".to_string(),
mode: "review".to_string(),
artifact_ref: "tools/x".to_string(),
workflow_status: "working".to_string(),
completed_since_last_update: "c".to_string(),
in_progress: "p".to_string(),
next_action: "next-A".to_string(),
blockers: "none".to_string(),
asks_for_zevs: "none".to_string(),
risk_or_residual_uncertainty: "none".to_string(),
expected_wait: "unknown".to_string(),
rolling_events: vec!["event one".to_string()],
};
let tx = connection.transaction().unwrap();
insert_status_event_if_missing(&tx, &status).unwrap();
tx.commit().unwrap();
let count: i64 = connection
.query_row(
"SELECT COUNT(*) FROM status_events WHERE session_id='s' AND timestamp='2026-05-29T01:00:00Z'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(
count, 1,
"re-import of a backfilled legacy row must dedup, not duplicate"
);
}
#[test]
fn schema_check_enums_match_canonical_values() {
let connection = Connection::open_in_memory().unwrap();
open_v3(&connection);
apply_v4(&connection).unwrap();
let table_sql = |name: &str| -> String {
connection
.query_row(
"SELECT sql FROM sqlite_master WHERE type='table' AND name=?1",
[name],
|row| row.get(0),
)
.unwrap()
};
let expectations: &[(&str, &str)] = &[
(
"sessions",
"workflow_status IN ('idle', 'working', 'blocked', 'waiting-for-operator', 'done')",
),
(
"status_events",
"workflow_status IN ('idle', 'working', 'blocked', 'waiting-for-operator', 'done')",
),
(
"agents",
"current_agent_status IN ('idle', 'working', 'blocked', 'done', 'unknown')",
),
(
"session_agents",
"agent_status IN ('idle', 'working', 'blocked', 'done', 'unknown')",
),
(
"audit_records",
"command_origin IN ('agent', 'operator', 'helper-tool', 'unknown')",
),
(
"audit_records",
"payload_redaction_policy IN ('hash-only', 'excerpt', 'full')",
),
(
"audit_records",
"delivery_status IN ('drafted', 'sent', 'observed', 'failed', 'unknown')",
),
(
"audit_records",
"verified_by IN ('transport', 'agent', 'operator', 'helper-tool')",
),
(
"messages",
"payload_redaction_policy IN ('hash-only', 'excerpt', 'full')",
),
(
"messages",
"latest_delivery_status IN ('drafted', 'sent', 'observed', 'failed', 'unknown')",
),
(
"messages",
"latest_verified_by IN ('transport', 'agent', 'operator', 'helper-tool')",
),
];
for (table, fragment) in expectations {
let sql = table_sql(table);
assert!(
sql.contains(fragment),
"{table} CHECK drifted from canonical enum; expected exact fragment: {fragment}"
);
}
}
fn open_v4(connection: &Connection) {
create_schema_migrations(connection).unwrap();
apply_v1(connection).unwrap();
apply_v2(connection).unwrap();
apply_v3(connection).unwrap();
apply_v4(connection).unwrap();
connection.pragma_update(None, "user_version", 4).unwrap();
}
fn seed_audit_session(connection: &Connection) {
connection
.execute(
"INSERT INTO projects (project_id, name, root_path, created_at, updated_at)
VALUES ('p', 'p', '/p', '2026-05-29T00:00:00Z', '2026-05-29T00:00:00Z')",
[],
)
.unwrap();
connection
.execute(
"INSERT INTO sessions (session_id, project_id, title, phase, mode, workflow_status, created_at, updated_at)
VALUES ('s', 'p', 's', 'x', 'review', 'working', '2026-05-29T00:00:00Z', '2026-05-29T00:00:00Z')",
[],
)
.unwrap();
}
fn insert_audit_with_due(
connection: &Connection,
audit_id: &str,
due: Option<&str>,
) -> rusqlite::Result<usize> {
connection.execute(
"INSERT INTO audit_records (audit_id, previous_audit_id, session_id, source_address,
target_address, transport, workspace_id, mid, record_type, command_origin,
payload_hash, payload_redaction_policy, content_size, delivery_status, observed_by,
verified_by, timestamp, due)
VALUES (?1, NULL, 's', 'src', 'tgt', 'herdr', 'w', ?1, 'status-update', 'agent',
'sha256:x', 'hash-only', 0, 'observed', 'codex', 'helper-tool',
'2026-05-29T01:00:00Z', ?2)",
params![audit_id, due],
)
}
#[test]
fn v5_adds_due_column_and_preserves_existing_audit_rows() {
let connection = Connection::open_in_memory().unwrap();
open_v4(&connection);
seed_audit_session(&connection);
connection
.execute(
"INSERT INTO audit_records (audit_id, previous_audit_id, session_id, source_address,
target_address, transport, workspace_id, mid, record_type, command_origin,
payload_hash, payload_redaction_policy, content_size, delivery_status,
observed_by, verified_by, timestamp)
VALUES ('a1', NULL, 's', 'src', 'tgt', 'herdr', 'w', 'm1', 'status-update',
'agent', 'sha256:x', 'hash-only', 0, 'observed', 'codex', 'helper-tool',
'2026-05-29T01:00:00Z')",
[],
)
.unwrap();
assert!(!table_has_column(&connection, "audit_records", "due").unwrap());
apply_v5(&connection).unwrap();
assert!(table_has_column(&connection, "audit_records", "due").unwrap());
let due: Option<String> = connection
.query_row(
"SELECT due FROM audit_records WHERE audit_id='a1'",
[],
|row| row.get(0),
)
.unwrap();
assert!(
due.is_none(),
"existing audit row must read due=NULL after v5"
);
}
#[test]
fn v5_due_shape_trigger_accepts_null_and_canonical_rejects_malformed() {
let connection = Connection::open_in_memory().unwrap();
open_v4(&connection);
apply_v5(&connection).unwrap();
seed_audit_session(&connection);
insert_audit_with_due(&connection, "a1", None).expect("NULL due must be accepted");
insert_audit_with_due(&connection, "a2", Some("2026-06-01T12:00:00Z"))
.expect("canonical due must be accepted");
assert!(
insert_audit_with_due(&connection, "a3", Some("2026-06-01 12:00:00")).is_err(),
"shape-violating due (no T/Z) must be rejected by the trigger"
);
}
#[test]
fn migrate_advances_v4_db_to_v5_with_due_column() {
let mut connection = Connection::open_in_memory().unwrap();
open_v4(&connection);
assert!(!table_has_column(&connection, "audit_records", "due").unwrap());
migrate(&mut connection).unwrap();
let version: i64 = connection
.pragma_query_value(None, "user_version", |row| row.get(0))
.unwrap();
assert_eq!(version, CURRENT_SCHEMA_VERSION);
assert!(table_has_column(&connection, "audit_records", "due").unwrap());
let custody_vault_present: i64 = connection
.query_row(
"SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?1",
["custody_vault"],
|row| row.get(0),
)
.unwrap();
assert_eq!(
custody_vault_present, 1,
"custody_vault table must exist after a v4->v8 migration"
);
let nontransport_trigger_present: i64 = connection
.query_row(
"SELECT count(*) FROM sqlite_master
WHERE type = 'trigger' AND name = ?1",
["audit_records_no_sent_nontransport_proof_insert"],
|row| row.get(0),
)
.unwrap();
assert_eq!(
nontransport_trigger_present, 1,
"audit_records_no_sent_nontransport_proof_insert trigger must exist after a v4->v9 migration"
);
migrate(&mut connection).unwrap();
let version_again: i64 = connection
.pragma_query_value(None, "user_version", |row| row.get(0))
.unwrap();
assert_eq!(version_again, CURRENT_SCHEMA_VERSION);
}
#[test]
fn live_status_projection_upserts_session_current_state() {
let mut connection = Connection::open_in_memory().unwrap();
open_v4(&connection);
apply_v5(&connection).unwrap();
let root = Path::new("outputs");
let make =
|phase: &str, status: &str, lead: &str, artifact: &str, ts: &str| ImportedStatus {
session_id: "s".to_string(),
last_update: ts.to_string(),
lead_agent: lead.to_string(),
phase: phase.to_string(),
mode: "build".to_string(),
artifact_ref: artifact.to_string(),
workflow_status: status.to_string(),
completed_since_last_update: "c".to_string(),
in_progress: "p".to_string(),
next_action: "n".to_string(),
blockers: "none".to_string(),
asks_for_zevs: "none".to_string(),
risk_or_residual_uncertainty: "none".to_string(),
expected_wait: "unknown".to_string(),
rolling_events: vec![format!("event-{phase}")],
};
{
let tx = connection.transaction().unwrap();
project_live_status(
&tx,
root,
&make("p1", "working", "claude", "a1", "2026-05-29T01:00:00Z"),
)
.unwrap();
tx.commit().unwrap();
}
{
let tx = connection.transaction().unwrap();
project_live_status(
&tx,
root,
&make("p2", "blocked", "codex", "a2", "2026-05-29T02:00:00Z"),
)
.unwrap();
tx.commit().unwrap();
}
let (phase, status, lead, artifact): (String, String, Option<String>, Option<String>) =
connection
.query_row(
"SELECT phase, workflow_status, lead_agent_id, artifact_ref
FROM sessions WHERE session_id='s'",
[],
|row| Ok((row.get(0)?, row.get(1)?, row.get(2)?, row.get(3)?)),
)
.unwrap();
assert_eq!(phase, "p2", "session phase must reflect the latest write");
assert_eq!(status, "blocked");
assert_eq!(lead.as_deref(), Some("codex"));
assert_eq!(artifact.as_deref(), Some("a2"));
let events: i64 = connection
.query_row(
"SELECT COUNT(*) FROM status_events WHERE session_id='s'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(events, 2, "two distinct status writes append two events");
}
fn open_v5(connection: &Connection) {
open_v4(connection);
apply_v5(connection).unwrap();
connection
.pragma_update(None, "foreign_keys", "ON")
.unwrap();
}
fn live_audit_record(audit_id: &str, previous: Option<&str>, ts: &str) -> ImportedAuditRecord {
ImportedAuditRecord {
audit_id: audit_id.to_string(),
previous_audit_id: previous.map(str::to_string),
timestamp: ts.to_string(),
source_agent_id: Some("claude".to_string()),
source_address: "w-1".to_string(),
target_agent_id: Some("codex".to_string()),
target_address: "w-2".to_string(),
transport: "herdr".to_string(),
workspace_id: "w".to_string(),
session_id: "s".to_string(),
mid: audit_id.to_string(),
record_type: "status-update".to_string(),
command_origin: "agent".to_string(),
mode: None,
r#ref: None,
re: None,
payload_hash: "sha256:x".to_string(),
payload_redaction_policy: "hash-only".to_string(),
content_size: 0,
delivery_status: "observed".to_string(),
observed_by: "codex".to_string(),
verified_by: "helper-tool".to_string(),
due: None,
payload_excerpt: None,
}
}
fn project_one_audit(
connection: &mut Connection,
record: &ImportedAuditRecord,
) -> LiveAuditProjection {
let tx = connection.transaction().unwrap();
let outcome = project_live_audit_record(&tx, Path::new("outputs"), record, None).unwrap();
tx.commit().unwrap();
outcome
}
#[test]
fn live_audit_projection_preserves_file_chain_identity() {
let mut connection = Connection::open_in_memory().unwrap();
open_v5(&connection);
assert_eq!(
project_one_audit(
&mut connection,
&live_audit_record("a1", None, "2026-05-29T01:00:00Z")
),
LiveAuditProjection::Projected
);
assert_eq!(
project_one_audit(
&mut connection,
&live_audit_record("a2", Some("a1"), "2026-05-29T02:00:00Z")
),
LiveAuditProjection::Projected
);
let previous: Option<String> = connection
.query_row(
"SELECT previous_audit_id FROM audit_records WHERE audit_id='a2'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(
previous.as_deref(),
Some("a1"),
"previous must be the file value verbatim, not DB-tail-derived"
);
}
#[test]
fn live_audit_projection_gap_on_missing_previous_without_rebase() {
let mut connection = Connection::open_in_memory().unwrap();
open_v5(&connection);
let outcome = project_one_audit(
&mut connection,
&live_audit_record("a9", Some("ghost"), "2026-05-29T03:00:00Z"),
);
assert!(
matches!(outcome, LiveAuditProjection::Gap { .. }),
"missing previous must be a Gap, got {outcome:?}"
);
let count: i64 = connection
.query_row(
"SELECT COUNT(*) FROM audit_records WHERE audit_id='a9'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(
count, 0,
"a gapped record must not be inserted (no live rebase)"
);
}
#[test]
fn live_audit_projection_is_idempotent_on_reprojection() {
let mut connection = Connection::open_in_memory().unwrap();
open_v5(&connection);
assert_eq!(
project_one_audit(
&mut connection,
&live_audit_record("a1", None, "2026-05-29T01:00:00Z")
),
LiveAuditProjection::Projected
);
assert_eq!(
project_one_audit(
&mut connection,
&live_audit_record("a1", None, "2026-05-29T01:00:00Z")
),
LiveAuditProjection::AlreadyPresent
);
let count: i64 = connection
.query_row(
"SELECT COUNT(*) FROM audit_records WHERE audit_id='a1'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(count, 1);
}
fn seed_session_and_gate_work_event(db: &Path, session_id: &str) {
let connection = open_projection_database(db).unwrap();
let ts = "2026-05-31T00:00:00Z";
connection
.execute(
"INSERT INTO projects (project_id, name, root_path, created_at, updated_at)
VALUES ('p', 'p', '/tmp', ?1, ?1)",
params![ts],
)
.unwrap();
connection
.execute(
"INSERT INTO sessions (session_id, project_id, title, phase, mode, workflow_status, created_at, updated_at)
VALUES (?1, 'p', ?1, 'live', 'unknown', 'idle', ?2, ?2)",
params![session_id, ts],
)
.unwrap();
let payload = crate::work_event::WorkEventPayload::Gate {
title: "merge?".into(),
summary: "approve the merge".into(),
proposer: "claude".into(),
actions: vec!["merge".into()],
};
project_work_event(&connection, session_id, "claude", ts, 0, &payload).unwrap();
}
fn decision_audit_record_fixture(session_id: &str, audit_id: &str) -> ImportedAuditRecord {
ImportedAuditRecord {
audit_id: audit_id.to_string(),
previous_audit_id: None,
timestamp: "2026-05-31T01:00:00Z".to_string(),
source_agent_id: Some("operator".to_string()),
source_address: "operator".to_string(),
target_agent_id: None,
target_address: "none".to_string(),
transport: "none".to_string(),
workspace_id: "w".to_string(),
session_id: session_id.to_string(),
mid: audit_id.to_string(),
record_type: "gate-decision".to_string(),
command_origin: "operator".to_string(),
mode: None,
r#ref: Some("1".to_string()),
re: None,
payload_hash: "sha256:x".to_string(),
payload_redaction_policy: "hash-only".to_string(),
content_size: 0,
delivery_status: "observed".to_string(),
observed_by: "operator".to_string(),
verified_by: "operator".to_string(),
due: None,
payload_excerpt: None,
}
}
#[test]
fn project_decision_writes_audit_and_typed_row() {
let dir = tempfile::tempdir().unwrap();
let db = dir.path().join("zynk.db");
open_projection_database(&db).unwrap(); seed_session_and_gate_work_event(&db, "s1");
let record = decision_audit_record_fixture("s1", "dec-aud-1");
let decision = crate::decision::Decision::Gate {
target_work_event_id: 1,
verdict: "approve".into(),
note: None,
};
project_decision(&db, Path::new("outputs"), &record, &decision).unwrap();
let connection = open_database(&db).unwrap();
let audit_rows: i64 = connection
.query_row(
"SELECT COUNT(*) FROM audit_records WHERE audit_id='dec-aud-1'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(
audit_rows, 1,
"the decision audit proof row must be present"
);
let (dt, st, ns, twe, verdict): (String, String, String, i64, String) = connection
.query_row(
"SELECT decision_type, decision_status, notification_status,
target_work_event_id, verdict
FROM operator_decisions WHERE audit_id='dec-aud-1'",
[],
|row| {
Ok((
row.get(0)?,
row.get(1)?,
row.get(2)?,
row.get(3)?,
row.get(4)?,
))
},
)
.unwrap();
assert_eq!(dt, "gate-decision");
assert_eq!(st, "decided");
assert_eq!(ns, "not-requested");
assert_eq!(twe, 1, "the gate decision binds the target work-event");
assert_eq!(verdict, "approve");
}
#[test]
fn project_decision_rolls_back_audit_row_when_typed_insert_fails() {
let dir = tempfile::tempdir().unwrap();
let db = dir.path().join("zynk.db");
open_projection_database(&db).unwrap();
let connection = open_projection_database(&db).unwrap();
let ts = "2026-05-31T00:00:00Z";
connection
.execute(
"INSERT INTO projects (project_id, name, root_path, created_at, updated_at)
VALUES ('p', 'p', '/tmp', ?1, ?1)",
params![ts],
)
.unwrap();
connection
.execute(
"INSERT INTO sessions (session_id, project_id, title, phase, mode, workflow_status, created_at, updated_at)
VALUES ('s1', 'p', 's1', 'live', 'unknown', 'idle', ?1, ?1)",
params![ts],
)
.unwrap();
drop(connection);
let record = decision_audit_record_fixture("s1", "dec-aud-2");
let decision = crate::decision::Decision::Gate {
target_work_event_id: 1, verdict: "approve".into(),
note: None,
};
let result = project_decision(&db, Path::new("outputs"), &record, &decision);
assert!(
result.is_err(),
"a dangling target_work_event_id FK must fail the projection"
);
let connection = open_database(&db).unwrap();
let audit_rows: i64 = connection
.query_row(
"SELECT COUNT(*) FROM audit_records WHERE audit_id='dec-aud-2'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(
audit_rows, 0,
"the audit proof row must roll back with the failed typed insert (atomic)"
);
}
#[test]
fn project_decision_gap_audit_yields_clear_error_no_typed_row() {
let dir = tempfile::tempdir().unwrap();
let db = dir.path().join("zynk.db");
open_projection_database(&db).unwrap();
seed_session_and_gate_work_event(&db, "s1");
let mut record = decision_audit_record_fixture("s1", "dec-aud-gap");
record.timestamp = "not-a-timestamp".to_string();
let decision = crate::decision::Decision::Gate {
target_work_event_id: 1,
verdict: "approve".into(),
note: None,
};
let err = project_decision(&db, Path::new("outputs"), &record, &decision)
.expect_err("a gapping decision audit must fail the projection");
assert!(
err.message.contains("gap"),
"the error must name the gap, not surface an opaque FK error: {}",
err.message
);
let connection = open_database(&db).unwrap();
let decisions: i64 = connection
.query_row("SELECT COUNT(*) FROM operator_decisions", [], |row| {
row.get(0)
})
.unwrap();
assert_eq!(
decisions, 0,
"no operator_decisions row may be written when the audit gaps"
);
let audit_rows: i64 = connection
.query_row(
"SELECT COUNT(*) FROM audit_records WHERE audit_id='dec-aud-gap'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(audit_rows, 0, "a gapping audit row is not projected");
}
fn seed_session_and_audit_record(
db: &Path,
session_id: &str,
audit_id: &str,
payload_hash: &str,
) {
let connection = open_projection_database(db).unwrap();
let ts = "2026-05-31T00:00:00Z";
connection
.execute(
"INSERT INTO projects (project_id, name, root_path, created_at, updated_at)
VALUES ('p', 'p', '/tmp', ?1, ?1)",
params![ts],
)
.unwrap();
connection
.execute(
"INSERT INTO sessions (session_id, project_id, title, phase, mode, workflow_status, created_at, updated_at)
VALUES (?1, 'p', ?1, 'live', 'unknown', 'idle', ?2, ?2)",
params![session_id, ts],
)
.unwrap();
connection
.execute(
"INSERT INTO audit_records (
audit_id, previous_audit_id, session_id, source_agent_id,
target_agent_id, source_address, target_address, transport,
workspace_id, mid, record_type, command_origin, mode, ref, re,
payload_hash, payload_redaction_policy, content_size,
delivery_status, observed_by, verified_by, timestamp
)
VALUES (?1, NULL, ?2, 'claude', NULL, 'claude', 'none', 'none',
'w', ?1, 'note', 'agent', NULL, NULL, NULL,
?3, 'hash-only', 0, 'drafted', 'none', 'agent', ?4)",
params![audit_id, session_id, payload_hash, ts],
)
.unwrap();
}
#[test]
fn custody_vault_insert_and_read() {
let dir = tempfile::tempdir().unwrap();
let db = dir.path().join("zynk.db");
open_projection_database(&db).unwrap();
seed_session_and_audit_record(&db, "s1", "aud-1", "sha256:ab");
let conn = open_projection_database(&db).unwrap();
insert_custody_vault(
&conn,
"aud-1",
b"CIPHER",
b"NONCE-24-BYTES-FILLER-XX",
"xchacha20poly1305",
1,
"2026-05-31T00:00:00Z",
)
.unwrap();
let row = read_custody_vault(&conn, "aud-1")
.unwrap()
.expect("vault row");
assert_eq!(row.ciphertext, b"CIPHER");
assert_eq!(row.nonce, b"NONCE-24-BYTES-FILLER-XX");
assert_eq!(row.cipher_id, "xchacha20poly1305");
assert_eq!(row.key_version, 1);
assert_eq!(
read_reveal_target(&conn, "aud-1").unwrap(),
Some(("s1".to_string(), "sha256:ab".to_string()))
);
insert_custody_vault(
&conn,
"aud-1",
b"DIFFERENT",
b"OTHER-NONCE-24-BYTES-FILL",
"xchacha20poly1305",
1,
"2026-05-31T01:00:00Z",
)
.unwrap();
let again = read_custody_vault(&conn, "aud-1").unwrap().expect("row");
assert_eq!(
again.ciphertext, b"CIPHER",
"INSERT OR IGNORE keeps the original"
);
assert!(read_custody_vault(&conn, "missing").unwrap().is_none());
assert!(read_reveal_target(&conn, "missing").unwrap().is_none());
}
#[allow(clippy::too_many_arguments)]
fn migrated_db_with_overlay_proof(
audit_id: &str,
verified_by: &str,
command_origin: &str,
transport: &str,
session: &str,
source_agent: &str,
) -> Connection {
let connection = Connection::open_in_memory().unwrap();
let mut connection = connection;
configure_connection(&connection).unwrap();
migrate(&mut connection).unwrap();
let ts = "2026-06-02T00:00:00Z";
connection
.execute(
"INSERT INTO projects (project_id, name, root_path, created_at, updated_at)
VALUES ('p', 'p', '/tmp', ?1, ?1)",
params![ts],
)
.unwrap();
connection
.execute(
"INSERT OR IGNORE INTO sessions (session_id, project_id, title, phase, mode, workflow_status, created_at, updated_at)
VALUES (?1, 'p', ?1, 'live', 'unknown', 'idle', ?2, ?2)",
params![session, ts],
)
.unwrap();
connection
.execute(
"INSERT INTO audit_records (
audit_id, previous_audit_id, session_id, source_agent_id,
target_agent_id, source_address, target_address, transport,
workspace_id, mid, record_type, command_origin, mode, ref, re,
payload_hash, payload_redaction_policy, content_size,
delivery_status, observed_by, verified_by, timestamp
)
VALUES (?1, NULL, ?2, ?3, NULL, 'cli', 'none:none', ?4,
'w', ?1, 'participant-overlay', ?5, NULL, NULL, NULL,
'sha256:x', 'full', 0, 'observed', 'operator', ?6, ?7)",
params![
audit_id,
session,
source_agent,
transport,
command_origin,
verified_by,
ts
],
)
.unwrap();
connection
}
#[allow(clippy::too_many_arguments)]
fn insert_overlay_trait_row(
connection: &Connection,
audit_id: &str,
session: &str,
subject: &str,
asserter: &str,
trait_id: &str,
trait_value: i64,
created_at: &str,
) -> rusqlite::Result<usize> {
connection.execute(
"INSERT INTO participant_overlay (
audit_id, session_id, subject_actor_id, overlay_kind,
actor_kind, role_id, role_label, trait_id, trait_value,
asserter_actor_id, asserter_kind, supersedes_audit_id,
superseded_by_audit_id, created_at
)
VALUES (?1, ?2, ?3, 'trait',
NULL, NULL, NULL, ?4, ?5,
?6, 'operator', NULL, NULL, ?7)",
params![
audit_id,
session,
subject,
trait_id,
trait_value,
asserter,
created_at
],
)
}
#[test]
fn v10_participant_overlay_table_and_triggers() {
let connection = Connection::open_in_memory().unwrap();
let mut connection = connection;
configure_connection(&connection).unwrap();
migrate(&mut connection).unwrap();
let table_present: i64 = connection
.query_row(
"SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?1",
["participant_overlay"],
|row| row.get(0),
)
.unwrap();
assert_eq!(
table_present, 1,
"participant_overlay table must exist after migrate -> v10"
);
let version: i64 = connection
.pragma_query_value(None, "user_version", |row| row.get(0))
.unwrap();
assert_eq!(version, 10, "PRAGMA user_version must be 10 after migrate");
assert_eq!(CURRENT_SCHEMA_VERSION, 10);
}
#[test]
fn v10_trait_self_grant_aborts() {
let connection = migrated_db_with_overlay_proof(
"aud-self", "operator", "operator", "none", "s1", "claude",
);
let res = insert_overlay_trait_row(
&connection,
"aud-self",
"s1",
"claude", "claude", "independent",
1,
"2026-06-02T00:00:00Z",
);
let err = res.expect_err("a self-granted trait must abort");
assert!(
err.to_string().contains("self-grant"),
"abort message must name the self-grant rule: {err}"
);
}
#[test]
fn v10_trait_non_operator_grade_proof_aborts() {
let connection = migrated_db_with_overlay_proof(
"aud-helper",
"helper-tool",
"operator",
"none",
"s1",
"operator",
);
let res = insert_overlay_trait_row(
&connection,
"aud-helper",
"s1",
"claude",
"operator",
"independent",
1,
"2026-06-02T00:00:00Z",
);
let err = res.expect_err("a non-operator-grade trait proof must abort");
assert!(
err.to_string().contains("operator-grade"),
"abort message must name the operator-grade rule: {err}"
);
let conn_cmd = migrated_db_with_overlay_proof(
"aud-cmd", "operator", "agent", "none", "s1", "operator",
);
let res_cmd = insert_overlay_trait_row(
&conn_cmd,
"aud-cmd",
"s1",
"claude",
"operator",
"independent",
1,
"2026-06-02T00:00:00Z",
);
let err_cmd = res_cmd.expect_err("a non-operator command_origin trait proof must abort");
assert!(
err_cmd.to_string().contains("operator-grade"),
"abort must name the operator-grade rule on a non-operator command_origin: {err_cmd}"
);
let conn_tr = migrated_db_with_overlay_proof(
"aud-tr", "operator", "operator", "herdr", "s1", "operator",
);
let res_tr = insert_overlay_trait_row(
&conn_tr,
"aud-tr",
"s1",
"claude",
"operator",
"independent",
1,
"2026-06-02T00:00:00Z",
);
let err_tr = res_tr.expect_err("a transported trait proof must abort");
assert!(
err_tr.to_string().contains("operator-grade"),
"abort must name the operator-grade rule on a transported proof: {err_tr}"
);
}
#[test]
fn v10_provenance_binding_mismatch_aborts() {
let connection = migrated_db_with_overlay_proof(
"aud-prov", "operator", "operator", "none", "s1", "operator",
);
let res = insert_overlay_trait_row(
&connection,
"aud-prov",
"s1",
"claude",
"mallory", "independent",
1,
"2026-06-02T00:00:00Z",
);
let err = res.expect_err("an asserter disagreeing with the proof must abort");
assert!(
err.to_string().contains("provenance"),
"abort message must name the provenance-binding rule: {err}"
);
let res = insert_overlay_trait_row(
&connection,
"aud-prov",
"s1",
"claude",
"operator",
"independent",
1,
"2026-06-02T09:99:99Z", );
assert!(
res.is_err(),
"a created_at disagreeing with the proof must abort"
);
let res = insert_overlay_trait_row(
&connection,
"aud-prov",
"other-session",
"claude",
"operator",
"independent",
1,
"2026-06-02T00:00:00Z",
);
assert!(
res.is_err(),
"a session_id disagreeing with the proof must abort"
);
}
#[test]
fn v10_provenance_binding_aborts_on_null_source_proof() {
let connection = Connection::open_in_memory().unwrap();
let mut connection = connection;
configure_connection(&connection).unwrap();
migrate(&mut connection).unwrap();
let ts = "2026-06-02T00:00:00Z";
connection
.execute(
"INSERT INTO projects (project_id, name, root_path, created_at, updated_at)
VALUES ('p', 'p', '/tmp', ?1, ?1)",
params![ts],
)
.unwrap();
connection
.execute(
"INSERT INTO sessions (session_id, project_id, title, phase, mode, workflow_status, created_at, updated_at)
VALUES ('s1', 'p', 's1', 'live', 'unknown', 'idle', ?1, ?1)",
params![ts],
)
.unwrap();
connection
.execute(
"INSERT INTO audit_records (
audit_id, previous_audit_id, session_id, source_agent_id,
target_agent_id, source_address, target_address, transport,
workspace_id, mid, record_type, command_origin, mode, ref, re,
payload_hash, payload_redaction_policy, content_size,
delivery_status, observed_by, verified_by, timestamp
)
VALUES ('aud-null', NULL, 's1', NULL, NULL, 'cli', 'none:none', 'none',
'w', 'aud-null', 'participant-overlay', 'operator', NULL, NULL, NULL,
'sha256:x', 'full', 0, 'observed', 'operator', 'operator', ?1)",
params![ts],
)
.unwrap();
let res = connection.execute(
"INSERT INTO participant_overlay (
audit_id, session_id, subject_actor_id, overlay_kind,
actor_kind, role_id, role_label, trait_id, trait_value,
asserter_actor_id, asserter_kind, supersedes_audit_id,
superseded_by_audit_id, created_at
)
VALUES ('aud-null', 's1', 'operator', 'actor-kind',
'human', NULL, NULL, NULL, NULL,
'operator', 'operator', NULL, NULL, ?1)",
params![ts],
);
let err = res.expect_err(
"an overlay over a NULL-source proof must abort (NULL-safe provenance binding)",
);
assert!(
err.to_string().contains("provenance"),
"abort message must name the provenance-binding rule: {err}"
);
}
#[test]
fn v10_sent_participant_overlay_audit_aborts() {
let connection = Connection::open_in_memory().unwrap();
let mut connection = connection;
configure_connection(&connection).unwrap();
migrate(&mut connection).unwrap();
let ts = "2026-06-02T00:00:00Z";
connection
.execute(
"INSERT INTO projects (project_id, name, root_path, created_at, updated_at)
VALUES ('p', 'p', '/tmp', ?1, ?1)",
params![ts],
)
.unwrap();
connection
.execute(
"INSERT INTO sessions (session_id, project_id, title, phase, mode, workflow_status, created_at, updated_at)
VALUES ('s1', 'p', 's1', 'live', 'unknown', 'idle', ?1, ?1)",
params![ts],
)
.unwrap();
let res = connection.execute(
"INSERT INTO audit_records (
audit_id, previous_audit_id, session_id, source_agent_id,
target_agent_id, source_address, target_address, transport,
workspace_id, mid, record_type, command_origin, mode, ref, re,
payload_hash, payload_redaction_policy, content_size,
delivery_status, observed_by, verified_by, timestamp
)
VALUES ('aud-sent', NULL, 's1', 'operator', NULL, 'cli', 'none:none', 'none',
'w', 'aud-sent', 'participant-overlay', 'operator', NULL, NULL, NULL,
'sha256:x', 'full', 0, 'sent', 'operator', 'operator', ?1)",
params![ts],
);
let err = res.expect_err("a sent participant-overlay proof must abort");
assert!(
err.to_string().contains("participant-overlay") || err.to_string().contains("sent"),
"abort message must name the sent participant-overlay rule: {err}"
);
}
#[test]
fn v10_two_current_trait_rows_one_slot_aborts() {
let connection = migrated_db_with_overlay_proof(
"aud-one", "operator", "operator", "none", "s1", "operator",
);
connection
.execute(
"INSERT INTO audit_records (
audit_id, previous_audit_id, session_id, source_agent_id,
target_agent_id, source_address, target_address, transport,
workspace_id, mid, record_type, command_origin, mode, ref, re,
payload_hash, payload_redaction_policy, content_size,
delivery_status, observed_by, verified_by, timestamp
)
VALUES ('aud-two', NULL, 's1', 'operator', NULL, 'cli', 'none:none', 'none',
'w', 'aud-two', 'participant-overlay', 'operator', NULL, NULL, NULL,
'sha256:y', 'full', 0, 'observed', 'operator', 'operator', '2026-06-02T00:00:00Z')",
[],
)
.unwrap();
insert_overlay_trait_row(
&connection,
"aud-one",
"s1",
"claude",
"operator",
"independent",
1,
"2026-06-02T00:00:00Z",
)
.expect("the first current trait row inserts");
let res = insert_overlay_trait_row(
&connection,
"aud-two",
"s1",
"claude",
"operator",
"independent",
1,
"2026-06-02T00:00:00Z",
);
assert!(
res.is_err(),
"a second CURRENT row in the same trait slot must be rejected by the partial-unique index"
);
}
#[test]
fn v10_canonical_ts_trigger_aborts_noncanonical_created_at() {
let connection = migrated_db_with_overlay_proof(
"aud-ts", "operator", "operator", "none", "s1", "operator",
);
connection
.execute_batch(
"DROP TRIGGER participant_overlay_provenance_binding_insert;
DROP TRIGGER participant_overlay_no_self_grant_trait_insert;
DROP TRIGGER participant_overlay_operator_grade_trait_insert;",
)
.unwrap();
let res = connection.execute(
"INSERT INTO participant_overlay (
audit_id, session_id, subject_actor_id, overlay_kind,
actor_kind, role_id, role_label, trait_id, trait_value,
asserter_actor_id, asserter_kind, supersedes_audit_id,
superseded_by_audit_id, created_at
)
VALUES ('aud-ts', 's1', 'claude', 'actor-kind',
'human', NULL, NULL, NULL, NULL,
'operator', 'operator', NULL, NULL, '2026-06-02T00:00:00+07:00')",
[],
);
let err = res.expect_err("a non-canonical created_at must abort (D3.4)");
assert!(
err.to_string().contains("RFC3339 UTC seconds") || err.to_string().contains("D3.4"),
"the abort must name the canonical-timestamp rule (D3.4): {err}"
);
}
#[test]
fn v10_two_current_kindrole_rows_one_slot_aborts() {
let connection = migrated_db_with_overlay_proof(
"aud-k1", "operator", "operator", "none", "s1", "operator",
);
connection
.execute(
"INSERT INTO audit_records (
audit_id, previous_audit_id, session_id, source_agent_id,
target_agent_id, source_address, target_address, transport,
workspace_id, mid, record_type, command_origin, mode, ref, re,
payload_hash, payload_redaction_policy, content_size,
delivery_status, observed_by, verified_by, timestamp
)
VALUES ('aud-k2', NULL, 's1', 'operator', NULL, 'cli', 'none:none', 'none',
'w', 'aud-k2', 'participant-overlay', 'operator', NULL, NULL, NULL,
'sha256:y', 'full', 0, 'observed', 'operator', 'operator', '2026-06-02T00:00:00Z')",
[],
)
.unwrap();
let insert_ak = |audit_id: &str| {
connection.execute(
"INSERT INTO participant_overlay (
audit_id, session_id, subject_actor_id, overlay_kind,
actor_kind, role_id, role_label, trait_id, trait_value,
asserter_actor_id, asserter_kind, supersedes_audit_id,
superseded_by_audit_id, created_at
)
VALUES (?1, 's1', 'claude', 'actor-kind',
'agent', NULL, NULL, NULL, NULL,
'operator', 'operator', NULL, NULL, '2026-06-02T00:00:00Z')",
params![audit_id],
)
};
insert_ak("aud-k1").expect("the first current actor-kind row inserts");
let res = insert_ak("aud-k2");
assert!(
res.is_err(),
"a second CURRENT actor-kind row in the same slot must be rejected by the partial-unique index"
);
}
#[test]
fn v10_row_shape_check_rejects_mixed_actor_kind() {
let connection = migrated_db_with_overlay_proof(
"aud-mix-ak",
"operator",
"operator",
"none",
"s1",
"operator",
);
let res = connection.execute(
"INSERT INTO participant_overlay (
audit_id, session_id, subject_actor_id, overlay_kind,
actor_kind, role_id, role_label, trait_id, trait_value,
asserter_actor_id, asserter_kind, supersedes_audit_id,
superseded_by_audit_id, created_at
)
VALUES ('aud-mix-ak', 's1', 'claude', 'actor-kind',
'agent', NULL, 'Smuggled Role', NULL, 1,
'operator', 'operator', NULL, NULL, '2026-06-02T00:00:00Z')",
[],
);
assert!(
res.is_err(),
"an actor-kind row carrying role_label/trait_value must be rejected by the row-shape CHECK"
);
}
#[test]
fn v10_row_shape_check_rejects_mixed_role() {
let connection = migrated_db_with_overlay_proof(
"aud-mix-role",
"operator",
"operator",
"none",
"s1",
"operator",
);
let res = connection.execute(
"INSERT INTO participant_overlay (
audit_id, session_id, subject_actor_id, overlay_kind,
actor_kind, role_id, role_label, trait_id, trait_value,
asserter_actor_id, asserter_kind, supersedes_audit_id,
superseded_by_audit_id, created_at
)
VALUES ('aud-mix-role', 's1', 'claude', 'role',
NULL, 'reviewer', 'Reviewer', NULL, 1,
'operator', 'operator', NULL, NULL, '2026-06-02T00:00:00Z')",
[],
);
assert!(
res.is_err(),
"a role row carrying trait_value must be rejected by the row-shape CHECK"
);
}
#[test]
fn v10_row_shape_check_rejects_mixed_trait() {
let connection = migrated_db_with_overlay_proof(
"aud-mix-trait",
"operator",
"operator",
"none",
"s1",
"operator",
);
let res = connection.execute(
"INSERT INTO participant_overlay (
audit_id, session_id, subject_actor_id, overlay_kind,
actor_kind, role_id, role_label, trait_id, trait_value,
asserter_actor_id, asserter_kind, supersedes_audit_id,
superseded_by_audit_id, created_at
)
VALUES ('aud-mix-trait', 's1', 'claude', 'trait',
NULL, NULL, 'Smuggled Role', 'independent', 1,
'operator', 'operator', NULL, NULL, '2026-06-02T00:00:00Z')",
[],
);
assert!(
res.is_err(),
"a trait row carrying role_label must be rejected by the row-shape CHECK"
);
}
fn overlay_audit_record_fixture(session_id: &str, audit_id: &str) -> ImportedAuditRecord {
ImportedAuditRecord {
audit_id: audit_id.to_string(),
previous_audit_id: None,
timestamp: "2026-06-02T01:00:00Z".to_string(),
source_agent_id: Some("operator".to_string()),
source_address: "operator".to_string(),
target_agent_id: None,
target_address: "none".to_string(),
transport: "none".to_string(),
workspace_id: "w".to_string(),
session_id: session_id.to_string(),
mid: audit_id.to_string(),
record_type: crate::overlay::OVERLAY_RECORD_TYPE.to_string(),
command_origin: "operator".to_string(),
mode: None,
r#ref: None,
re: None,
payload_hash: "sha256:x".to_string(),
payload_redaction_policy: "full".to_string(),
content_size: 0,
delivery_status: "observed".to_string(),
observed_by: "operator".to_string(),
verified_by: "operator".to_string(),
due: None,
payload_excerpt: None,
}
}
#[test]
fn project_overlay_writes_audit_and_typed_row() {
let dir = tempfile::tempdir().unwrap();
let db = dir.path().join("zynk.db");
open_projection_database(&db).unwrap(); let record = overlay_audit_record_fixture("s1", "ovl-aud-1");
let overlay = crate::overlay::Overlay::Trait {
subject: "claude".into(),
asserter: "operator".into(),
asserter_kind: "operator".into(),
trait_id: "independent".into(),
value: true,
supersedes: None,
};
project_overlay(&db, Path::new("outputs"), &record, &overlay).unwrap();
let connection = open_database(&db).unwrap();
let audit_rows: i64 = connection
.query_row(
"SELECT COUNT(*) FROM audit_records WHERE audit_id='ovl-aud-1'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(audit_rows, 1, "the overlay audit proof row must be present");
let (subject, kind, trait_id, trait_value, asserter, created_at): (
String,
String,
String,
i64,
String,
String,
) = connection
.query_row(
"SELECT subject_actor_id, overlay_kind, trait_id, trait_value,
asserter_actor_id, created_at
FROM participant_overlay WHERE audit_id='ovl-aud-1'",
[],
|row| {
Ok((
row.get(0)?,
row.get(1)?,
row.get(2)?,
row.get(3)?,
row.get(4)?,
row.get(5)?,
))
},
)
.unwrap();
assert_eq!(subject, "claude");
assert_eq!(kind, "trait");
assert_eq!(trait_id, "independent");
assert_eq!(trait_value, 1);
assert_eq!(asserter, "operator");
assert_eq!(
created_at, "2026-06-02T01:00:00Z",
"created_at must equal the proof timestamp (D3.1 provenance binding)"
);
}
#[test]
fn project_overlay_gap_yields_clear_error_no_typed_row() {
let dir = tempfile::tempdir().unwrap();
let db = dir.path().join("zynk.db");
open_projection_database(&db).unwrap();
let mut record = overlay_audit_record_fixture("s1", "ovl-aud-gap");
record.timestamp = "not-a-timestamp".to_string();
let overlay = crate::overlay::Overlay::Trait {
subject: "claude".into(),
asserter: "operator".into(),
asserter_kind: "operator".into(),
trait_id: "independent".into(),
value: true,
supersedes: None,
};
let err = project_overlay(&db, Path::new("outputs"), &record, &overlay)
.expect_err("a gapping overlay audit must fail the projection");
assert!(
err.message.contains("gap"),
"the error must name the gap, not surface an opaque FK error: {}",
err.message
);
let connection = open_database(&db).unwrap();
let overlays: i64 = connection
.query_row("SELECT COUNT(*) FROM participant_overlay", [], |row| {
row.get(0)
})
.unwrap();
assert_eq!(
overlays, 0,
"no participant_overlay row may be written when the audit gaps"
);
}
#[test]
fn project_overlay_supersede_sets_pointer() {
let dir = tempfile::tempdir().unwrap();
let db = dir.path().join("zynk.db");
open_projection_database(&db).unwrap();
let first = overlay_audit_record_fixture("s1", "ovl-a1");
let overlay1 = crate::overlay::Overlay::Trait {
subject: "claude".into(),
asserter: "operator".into(),
asserter_kind: "operator".into(),
trait_id: "independent".into(),
value: true,
supersedes: None,
};
project_overlay(&db, Path::new("outputs"), &first, &overlay1).unwrap();
let mut second = overlay_audit_record_fixture("s1", "ovl-a2");
second.timestamp = "2026-06-02T02:00:00Z".to_string();
let overlay2 = crate::overlay::Overlay::Trait {
subject: "claude".into(),
asserter: "operator".into(),
asserter_kind: "operator".into(),
trait_id: "independent".into(),
value: false,
supersedes: Some("ovl-a1".into()),
};
project_overlay(&db, Path::new("outputs"), &second, &overlay2).unwrap();
let connection = open_database(&db).unwrap();
let a1_superseded_by: Option<String> = connection
.query_row(
"SELECT superseded_by_audit_id FROM participant_overlay WHERE audit_id='ovl-a1'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(
a1_superseded_by.as_deref(),
Some("ovl-a2"),
"the prior row must point at the superseding audit"
);
let a2_superseded_by: Option<String> = connection
.query_row(
"SELECT superseded_by_audit_id FROM participant_overlay WHERE audit_id='ovl-a2'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(
a2_superseded_by, None,
"the superseding row is CURRENT (superseded_by NULL)"
);
}
#[test]
fn project_overlay_creates_no_messages_row() {
let dir = tempfile::tempdir().unwrap();
let db = dir.path().join("zynk.db");
open_projection_database(&db).unwrap();
let record = overlay_audit_record_fixture("s1", "ovl-aud-nomsg");
let overlay = crate::overlay::Overlay::ActorKind {
subject: "zevs".into(),
asserter: "operator".into(),
asserter_kind: "operator".into(),
actor_kind: "human".into(),
supersedes: None,
};
project_overlay(&db, Path::new("outputs"), &record, &overlay).unwrap();
let connection = open_database(&db).unwrap();
let messages: i64 = connection
.query_row(
"SELECT COUNT(*) FROM messages WHERE session_id='s1'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(
messages, 0,
"an overlay proof must NOT create a messages row (no-leak invariant)"
);
}
#[test]
fn supersede_rejects_cross_slot_predecessor() {
let dir = tempfile::tempdir().unwrap();
let db = dir.path().join("zynk.db");
open_projection_database(&db).unwrap();
let trait_rec = overlay_audit_record_fixture("s1", "ovl-trait");
let trait_overlay = crate::overlay::Overlay::Trait {
subject: "codex".into(),
asserter: "operator".into(),
asserter_kind: "operator".into(),
trait_id: "independent".into(),
value: true,
supersedes: None,
};
project_overlay(&db, Path::new("outputs"), &trait_rec, &trait_overlay).unwrap();
let mut ak_rec = overlay_audit_record_fixture("s1", "ovl-actorkind");
ak_rec.timestamp = "2026-06-02T02:00:00Z".to_string();
let ak_overlay = crate::overlay::Overlay::ActorKind {
subject: "codex".into(),
asserter: "operator".into(),
asserter_kind: "operator".into(),
actor_kind: "agent".into(),
supersedes: None,
};
project_overlay(&db, Path::new("outputs"), &ak_rec, &ak_overlay).unwrap();
let mut bad_rec = overlay_audit_record_fixture("s1", "ovl-trait-2");
bad_rec.timestamp = "2026-06-02T03:00:00Z".to_string();
let bad_overlay = crate::overlay::Overlay::Trait {
subject: "codex".into(),
asserter: "operator".into(),
asserter_kind: "operator".into(),
trait_id: "independent".into(),
value: false,
supersedes: Some("ovl-actorkind".into()), };
let err = project_overlay(&db, Path::new("outputs"), &bad_rec, &bad_overlay)
.expect_err("a cross-slot supersede must fail loud (not close the actor-kind row)");
assert!(
err.message.contains("not the current row")
|| err.message.contains("slot")
|| err.message.contains("supersede"),
"the error must name the mis-pointed supersede: {}",
err.message
);
let connection = open_database(&db).unwrap();
let ak_superseded_by: Option<String> = connection
.query_row(
"SELECT superseded_by_audit_id FROM participant_overlay WHERE audit_id='ovl-actorkind'",
[],
|row| row.get(0),
)
.unwrap();
assert_eq!(
ak_superseded_by, None,
"the unrelated actor-kind row must NOT be closed by a cross-slot supersede"
);
}
fn chain_pair(
audit_id: &str,
supersedes: Option<&str>,
) -> (ImportedAuditRecord, crate::overlay::Overlay) {
let record = overlay_audit_record_fixture("s1", audit_id);
let overlay = crate::overlay::Overlay::Trait {
subject: "codex".into(),
asserter: "operator".into(),
asserter_kind: "operator".into(),
trait_id: "independent".into(),
value: true,
supersedes: supersedes.map(|s| s.to_string()),
};
(record, overlay)
}
#[test]
fn chain_order_fails_loud_on_cycle() {
let a = chain_pair("A", Some("B"));
let b = chain_pair("B", Some("A"));
let parsed: Vec<(&ImportedAuditRecord, crate::overlay::Overlay)> =
vec![(&a.0, a.1.clone()), (&b.0, b.1.clone())];
let err = chain_order(&parsed).expect_err("a supersede cycle must fail loud");
assert!(
err.message.contains("cycle"),
"the error must name the supersede cycle: {}",
err.message
);
}
#[test]
fn chain_order_orders_by_supersede_not_input() {
let a = chain_pair("A", Some("B"));
let b = chain_pair("B", None);
let parsed: Vec<(&ImportedAuditRecord, crate::overlay::Overlay)> =
vec![(&a.0, a.1.clone()), (&b.0, b.1.clone())];
let order = chain_order(&parsed).expect("a clean chain must order");
assert_eq!(
order,
vec![1, 0],
"the root (B) must be emitted before the proof that supersedes it (A)"
);
}
}