feat(l1): L1 workspace Phase 1 — role, seat enforcement, adhoc walker, audit #189

Merged

chihlasm merged 43 commits from feat/l1-workspace into main 2026-05-29 05:18:48 +00:00

Conversation 0 Commits 43 Files Changed 74 +13257 -98

chihlasm commented 2026-05-29 02:45:35 +00:00

Owner

Copy Link

Summary

Phase 1 of the L1 Workspace feature: a new l1_tech role between engineer and viewer for frontline workers handling first-call resolution. Engineers can optionally cover L1 work via a can_cover_l1 flag (orthogonal pattern, like is_team_admin). Tagged in audit logs as acting_as: l1_coverage so coverage activity is distinguishable from native L1 work.

Phase 1 ships only the adhoc walker variant (single-pane note-taking with debounced autosave). Tree-walker variant code is in place but unreachable from intake until Phase 2 wires match_or_build. AI-built trees, KB connectors (IT Glue / Hudu / Microsoft Graph), and the BuildAbortedNoKB UX are Phase 2/3 — see plan "Out of scope for Phase 1".

Spec: docs/superpowers/specs/2026-05-28-l1-workspace-design.md
Plan: docs/superpowers/plans/2026-05-28-l1-workspace-phase-1.md
Acceptance: docs/superpowers/specs/2026-05-28-l1-workspace-phase-1-acceptance.md

What changes (high level)

Schema + migrations

• New account_role value l1_tech (CHECK constraint extended)
• New users.can_cover_l1 boolean
• New internal_tickets table — no-PSA fallback ticket model, RLS-isolated
• New l1_walk_sessions table — per-session walked path / notes / resolution / escalation, target-consistency CHECK constraint, RLS
• New audit_logs.acting_as column — populated at session terminal events

Backend

• New deps: require_l1, require_l1_or_coverage, require_l1_or_above
• seat_enforcement service — enforces engineer + L1 seat limits at invite, accept-invite, and role-change
• internal_ticket_service — CRUD + status transitions + promote-to-PSA
• l1_session_service — start_flow/start_proposal/start_adhoc, record_step, update_notes, resolve, escalate, escalate_without_walk + _resolve_acting_as returning 'l1_coverage' for engineers
• 9 /l1/* endpoints (intake, queue, sessions/active, sessions/{id}, step, notes, resolve, escalate, escalate-without-walk)
• APScheduler hourly job flipping stale active sessions to abandoned after 24h
• 8 RLS regression tests (psycopg2 sync, against migrated DB)

Frontend

• usePermissions extensions: isL1Tech, canCoverL1, canUseL1Surface, canUseEngineerSurface
• Role-based sidebar nav + L1 post-login redirect
• /l1/* routes wrapped in L1RouteGuard + L1CoverageBanner
• L1 dashboard (greeting, intake, resume-in-progress, empty state)
• L1WalkPage that dispatches by session_kind to tree or adhoc variant
• Shared Resolve / Escalate modals
• 4 E2E Playwright tests with seeded l1@ and engineer-coverage@ users
• Toast + 402 invite error handling

Risk + rollback

New surface gated behind require_l1_or_coverage. No existing surface modified except role-based nav + invite seat enforcement. Rollback path: revert this PR (no destructive migrations needed — the tables are additive). Migration downgrade scripts ship but assume an empty DB (matches our convention).

Test plan

• Backend: 1329 passing (was 1325 before final review fixes; +4 audit log tests)
• L1-specific: 57/57 passing
• L1 RLS: 8/8 passing
• Frontend tsc + vite build clean
• Migration upgrade roundtrip clean
• Manual E2E flows seeded and passing
• CI green
• Manual smoke against staging once merged

## Summary Phase 1 of the L1 Workspace feature: a new `l1_tech` role between `engineer` and `viewer` for frontline workers handling first-call resolution. Engineers can optionally cover L1 work via a `can_cover_l1` flag (orthogonal pattern, like `is_team_admin`). Tagged in audit logs as `acting_as: l1_coverage` so coverage activity is distinguishable from native L1 work. Phase 1 ships only the **adhoc walker** variant (single-pane note-taking with debounced autosave). Tree-walker variant code is in place but **unreachable from intake** until Phase 2 wires `match_or_build`. AI-built trees, KB connectors (IT Glue / Hudu / Microsoft Graph), and the BuildAbortedNoKB UX are Phase 2/3 — see plan "Out of scope for Phase 1". Spec: [`docs/superpowers/specs/2026-05-28-l1-workspace-design.md`](../src/branch/feat/l1-workspace/docs/superpowers/specs/2026-05-28-l1-workspace-design.md) Plan: [`docs/superpowers/plans/2026-05-28-l1-workspace-phase-1.md`](../src/branch/feat/l1-workspace/docs/superpowers/plans/2026-05-28-l1-workspace-phase-1.md) Acceptance: [`docs/superpowers/specs/2026-05-28-l1-workspace-phase-1-acceptance.md`](../src/branch/feat/l1-workspace/docs/superpowers/specs/2026-05-28-l1-workspace-phase-1-acceptance.md) ## What changes (high level) **Schema + migrations** - New `account_role` value `l1_tech` (CHECK constraint extended) - New `users.can_cover_l1` boolean - New `internal_tickets` table — no-PSA fallback ticket model, RLS-isolated - New `l1_walk_sessions` table — per-session walked path / notes / resolution / escalation, target-consistency CHECK constraint, RLS - New `audit_logs.acting_as` column — populated at session terminal events **Backend** - New deps: `require_l1`, `require_l1_or_coverage`, `require_l1_or_above` - `seat_enforcement` service — enforces engineer + L1 seat limits at invite, accept-invite, and role-change - `internal_ticket_service` — CRUD + status transitions + promote-to-PSA - `l1_session_service` — `start_flow`/`start_proposal`/`start_adhoc`, `record_step`, `update_notes`, `resolve`, `escalate`, `escalate_without_walk` + `_resolve_acting_as` returning `'l1_coverage'` for engineers - 9 `/l1/*` endpoints (intake, queue, sessions/active, sessions/{id}, step, notes, resolve, escalate, escalate-without-walk) - APScheduler hourly job flipping stale active sessions to `abandoned` after 24h - 8 RLS regression tests (psycopg2 sync, against migrated DB) **Frontend** - `usePermissions` extensions: `isL1Tech`, `canCoverL1`, `canUseL1Surface`, `canUseEngineerSurface` - Role-based sidebar nav + L1 post-login redirect - `/l1/*` routes wrapped in `L1RouteGuard` + `L1CoverageBanner` - L1 dashboard (greeting, intake, resume-in-progress, empty state) - L1WalkPage that dispatches by `session_kind` to tree or adhoc variant - Shared Resolve / Escalate modals - 4 E2E Playwright tests with seeded `l1@` and `engineer-coverage@` users - Toast + 402 invite error handling ## Risk + rollback New surface gated behind `require_l1_or_coverage`. No existing surface modified except role-based nav + invite seat enforcement. Rollback path: revert this PR (no destructive migrations needed — the tables are additive). Migration downgrade scripts ship but assume an empty DB (matches our convention). ## Test plan - [x] Backend: 1329 passing (was 1325 before final review fixes; +4 audit log tests) - [x] L1-specific: 57/57 passing - [x] L1 RLS: 8/8 passing - [x] Frontend tsc + vite build clean - [x] Migration upgrade roundtrip clean - [x] Manual E2E flows seeded and passing - [ ] CI green - [ ] Manual smoke against staging once merged

chihlasm added 39 commits 2026-05-29 02:45:36 +00:00

docs(legal): add baseline legal documents (privacy, ToS, DPA, subprocessors, cookies) ... 41f5519916

Generated by the resolutionflow-legal skill from a code scan of the FastAPI
backend + React frontend on commit 0564646. Each document is a starting
point for attorney review, not legal advice.

Includes:
- privacy-policy.md, terms-of-service.md, cookie-policy.md (public-facing)
- dpa.md (contractual; signed with MSP customers)
- subprocessor-list.md (Railway, Anthropic, Voyage, Stripe, Resend, Sentry,
  PostHog, Google Fonts — confirmed live as of scan)
- data-inventory.md + classification.md (Phase 1/2 working files)
- attorney-review-checklist.md (consolidated [LEGAL REVIEW] punch list)
- implementation-verification.md (claim-by-claim audit vs. actual code)

Three blocking issues filed before public publication:
- #175 deletion-on-offboarding (or rewrite retention claims)
- #176 narrow Sentry send_default_pii + Session Replay config
- #177 EU/UK consent for PostHog + Google Fonts

Public-facing documents intentionally route physical-mail requests through
support@ rather than publishing the LLC's registered address.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs(design): L1 workspace feature spec ... d1cf77cd41

New seat tier between engineer and viewer. Dedicated /l1 surface
(dashboard + walker + drafts) for first-call helpdesk staff. Walk-in
intake + PSA queue both produce tickets. Match-or-build pipeline
prefers authored flows, then outcome-validated AI drafts, then builds
fresh from KB. Three KB connectors: IT Glue, Hudu, SharePoint/OneDrive.
Escalation via package + PSA reassign, picked up in chat. Engineer
coverage via per-user can_cover_l1 flag with audit-log tagging.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs(design): revise L1 spec after review (sessions, adhoc, OAuth, seat enforcement) ... 07a29f630a

Restructure walked_path off FlowProposal onto new l1_walk_sessions table
(each L1 walk has its own path; proposal carries only the validation bit).
Add adhoc walk variant for live calls when no KB content exists, with a
dedicated BuildAbortedNoKB screen offering ad-hoc/escalate/near-miss
options. Introduce SUGGEST_THRESHOLD below MATCH_THRESHOLD so near-miss
flows surface as suggestions instead of triggering a 10s build. Define
empty-state dashboard mode for first-run accounts. Spec the Microsoft
Graph OAuth flow concretely (multi-tenant app, redirect callback, token
refresh). Add seat enforcement for both L1 and engineer tracks via shared
helper (engineer enforcement was missing in current code). Make audit
policy explicit (resolve/escalate only, not per-step). Add session
lifecycle (concurrent sessions, browser-close recovery, 24h abandonment).
Clarify KB doc visibility is owner/engineer only (L1s see citations in
walker, not /account/kb directly). Acknowledge escalation notification
noise as v1 limitation with targeted notification deferred to v2.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs(plan): L1 workspace Phase 1 implementation plan ... d40cb834b1

26 bite-sized TDD tasks covering: l1_tech role + perms, seat enforcement
(L1 + engineer together), 5 migrations (role/columns, FlowProposal,
internal_tickets, l1_walk_sessions), seat_enforcement/internal_ticket/
l1_session services, full L1 endpoint surface (intake/queue/step/notes/
resolve/escalate/escalate-without-walk), APScheduler cleanup for 24h
abandoned sessions, frontend usePermissions/Sidebar/router updates,
L1Dashboard (active + empty state + resume widget), L1WalkPage with tree
and adhoc variants, coverage banner, seat counter widget, RLS regression
tests, E2E Playwright suite, acceptance walkthrough.

Phase 2 (AI build + KB documents) and Phase 3 (KB connectors) get
their own plan files. Phase 1 ships with adhoc walks as the default
intake; user-facing flow selection ships in Phase 2 alongside the AI
matcher. PSA close/reassign is a Phase 1 stub (deferred to Phase 2).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): add l1_tech role to permissions docstring ... 8cf6a66154

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): add L1 columns + extend account_role CHECK constraint ... c977196206

Adds users.can_cover_l1, accounts.l1_seats_purchased, subscriptions.l1_seat_limit,
audit_logs.acting_as. Rotates the users.account_role CHECK constraint to include
'l1_tech' (was: 'owner', 'admin', 'engineer', 'viewer').

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): add require_l1, require_l1_or_coverage, require_l1_or_above deps ... 8bad2fe945

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): extend FlowProposal with source/linked_ticket/validated_by_outcome ... c576c6609e

Adds source (NOT NULL, backfilled to 'manual_draft'), linked_ticket_id,
linked_ticket_kind, validated_by_outcome columns. CHECK constraints on
source values and linked_ticket_kind values. walked_path lives on the
new l1_walk_sessions table (Task 6) — NOT on FlowProposal.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): create internal_tickets table with RLS ... 394f729595

Tenant-scoped fallback ticket model for accounts without PSA integration.
Tracks customer-name, problem-statement, status lifecycle (open/walking/
resolved/escalated), and optional links to flow/proposal/ai_session/
assigned engineer + PSA promotion ID. Account-scoped RLS policy uses
app.current_account_id session setting.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): create l1_walk_sessions table with target-consistency check + RLS ... 960ea71a20

Per-session state for L1 walking a ticket. Supports flow/proposal/adhoc
session kinds; check constraint enforces target-consistency (flow_id set
iff kind=flow; flow_proposal_id set iff kind=proposal; both null iff
kind=adhoc). walked_path + walk_notes JSONB columns track step-by-step
progress; resolved/escalated/abandoned terminal statuses captured.
Account-scoped RLS matches the internal_tickets precedent (FORCE RLS +
tenant_isolation policy with COALESCE/NULLIF guard).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fix(l1): add index=True to L1WalkSession.last_step_at model column ... 874dee7263

Aligns the model with the migration (T6 review caught: migration creates
ix_l1_walk_sessions_last_step_at but model annotation was missing, causing
schema drift if Base.metadata.create_all is used in tests).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): seat_enforcement service for engineer + L1 seat limits ... 02fc47c832

Shared helper used by invite, accept-invite, and role-change endpoints
(integrated in T8). Counts active users by role against role-specific
seat limit on subscription (engineer → seat_limit, l1_tech → l1_seat_limit).
None limit = unlimited.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): enforce seat limits on invite, accept-invite, role-change ... 47ff8ad2b5

For engineer + l1_tech roles, check_seat_available is called at each
mutation point. Returns 402 Payment Required with structured detail
{code: 'seat_limit_exceeded', role, current, limit, upgrade_url} when
seats are full. Grandfathering: existing over-seated accounts keep
existing users; only new mutations are blocked.

Also updates AccountInviteCreate and AccountRoleUpdate schemas to
accept l1_tech as a valid role value.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fix(l1): T8 review fixes — oauth status const + bulk-invite structured error ... 8010da8745

- oauth.py: use status.HTTP_402_PAYMENT_REQUIRED constant (was raw 402)
- accounts.py bulk-invite: catch HTTPException separately to preserve
  structured detail dict in failed-row error (was stringified repr,
  unparseable by clients)
- Add bulk-invite per-row 402 test verifying structured error preserved

T8 code review identified these as Important issues. Functional change is
the bulk-invite fix; clients can now parse seat-limit errors from bulk
responses. 13/13 seat-enforcement tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): GET /accounts/me/seats endpoint for seat counter widget ... 7056ed9e6d

Returns {engineer: SeatCheckResult, l1_tech: SeatCheckResult} for the
authenticated engineer's account. Powers the SeatCounterWidget UI in the
admin/users + account/users surfaces. Engineer+ access only.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): PATCH /accounts/me/members/{id}/coverage for engineer L1-coverage flag ... e15897c76f

Owner-only endpoint to toggle can_cover_l1 on an engineer user. 422 if target
role is not engineer (owners/super_admins already see L1 surface; viewers/
l1_techs don't need this flag). 404 for cross-account targets.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): internal_ticket_service with CRUD + status transitions ... 7a36aeb410

create_ticket, update_status (sets resolved_at on resolve), get_ticket,
list_tickets_for_account (status filter, account-scoped), promote_to_psa.
Used by L1 intake when account has no PSA integration configured.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fix(l1): make get_ticket keyword-only for consistency ... 44a000a723

T11 review caught that get_ticket was the one function without the *, marker
all other functions in the module use. One-line fix, no caller impact.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): l1_session_service start_flow/proposal/adhoc ... 6e7c4afc7d

Three start_* functions creating L1WalkSession rows with appropriate
session_kind and target id. Engineers acting in L1 mode get
acting_as='l1_coverage' for audit; native l1_tech users get acting_as=None.

step/notes (T13) and resolve/escalate (T14) extend this file next.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): l1_session_service record_step + update_notes ... e803a78ded

record_step appends to walked_path JSONB and advances current_node_id
on flow/proposal walks; refuses adhoc sessions. update_notes replaces
walk_notes (used by adhoc walks for debounced autosave); 256KB size cap
to prevent unbounded JSONB growth. Both reject non-active sessions.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): l1_session_service resolve / escalate / escalate_without_walk ... 054e9da49b

resolve: sets status=resolved, helpful, resolution_notes, resolved_at;
flips FlowProposal.validated_by_outcome on helpful=True proposal walks;
closes linked internal ticket. PSA close is a Phase 2 stub.

escalate: marks session + internal ticket as escalated. PSA reassign
deferred to Phase 2.

escalate_without_walk: creates an immediately-escalated adhoc session
with no walked_path, used by the BuildAbortedNoKB → Escalate path.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): L1 endpoint surface (intake/queue/step/notes/resolve/escalate) ... 96973c7968

Mounts /api/v1/l1/* with require_l1_or_coverage on every route. Intake
creates an internal ticket and starts a flow OR adhoc session (PSA queue
merge follows in Phase 2). Step/notes/resolve/escalate delegate to
l1_session_service. escalate-without-walk creates an immediately-
escalated session for the BuildAbortedNoKB path.

ValueError from services → 400. Cross-account session access → 404.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): APScheduler hourly cleanup job for abandoned L1 sessions ... e5bcf3b28e

flip_stale_sessions flips L1WalkSession.status from 'active' to
'abandoned' for rows where last_step_at is older than 24h. Preserves the
row for audit; removes it from the L1 dashboard's 'Resume in progress'
widget. Runs hourly via APScheduler with max_instances=1 (Lesson 1).
Uses the admin session factory (no RLS context at startup).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(l1): RLS regression tests for internal_tickets + l1_walk_sessions ... 465b8ff880

Adds 8 synchronous psycopg2-based tests that connect as resolutionflow_app
and verify the tenant_isolation RLS policies (USING + WITH CHECK) on the two
new L1 Phase 1 tables block cross-tenant reads and reject cross-tenant INSERTs.

Uses psycopg2 (not asyncpg) to avoid the conftest pytest_runtest_teardown hook
that closes the asyncio event loop after every test — incompatible with
module-scoped asyncpg fixtures in pytest-asyncio 0.24.

conftest.py: extends _RLS_TEST_FILES set to include test_l1_rls.py so it is
excluded from the default create_all test suite (requires RUN_RLS_TESTS=1).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): usePermissions extensions for l1_tech + coverage flag ... 4586010b87

Adds 'l1_tech' to the AccountRole union, includes can_cover_l1 on the User
type, and exposes isL1Tech / canCoverL1 / canUseL1Surface /
canUseEngineerSurface from usePermissions. Existing isEngineer/isOwner/
etc. flags unchanged in semantics.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): role-based sidebar nav + L1 post-login redirect ... fbe25b3d68

L1 users see a focused sidebar with only their L1 surfaces (Workspace,
Tickets, My Drafts, Guides, Account). Engineers with can_cover_l1
(plus owners/super_admins) get an appended "L1 Workspace" entry in
their existing sidebar. ProtectedRoute redirects L1 users from / to /l1
on login.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): register /l1/* routes + L1RouteGuard + page stubs ... d0561be6a1

L1RouteGuard wraps the new routes and redirects users without
canUseL1Surface back to /. Page components are stubs in this task
(real UI in T21-T24): L1Dashboard, L1WalkPage, L1DraftsPage,
L1TicketsPage.

Routes: /l1, /l1/walk/:sessionId, /l1/drafts, /l1/tickets — all gated.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): real L1 dashboard with empty-state + resume widget ... 4e9610c252

Replaces the T20 stub. L1 dashboard renders greeting, "Describe the
problem" intake card (autofocus textarea, optional customer fields,
primary "Start walk" CTA), open-tickets queue (Phase 1: display-only),
and a "Resume in progress" widget listing the L1's active sessions
ordered by last_step_at DESC. Empty-state card shows on accounts with
no queue + no active sessions (first-run nudge to upload KB or auth flows).

Adds /api/l1.ts (full L1 API client surface) and /types/l1.ts.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): L1WalkPage tree variant with Resolve/Escalate modals ... c0bddc289e

Replaces the T20 stub. WalkPage dispatches by session_kind:
- 'flow' / 'proposal' → L1WalkTreeVariant (this commit)
- 'adhoc' → placeholder until T23

L1WalkTreeVariant: sticky header with back link + AI-built badge +
persistent Escalate/Resolve buttons; two-pane body (current step
yes/no card on left, walked-path transcript on right). ResolveModal
and EscalateModal extracted to shared WalkModals.tsx (T23 reuses).

Phase 1 caveat: this surface isn't reached by user-driven intake
(which creates adhoc sessions only). It's exercised via direct URL
or integration tests until Phase 2 wires match_or_build.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): adhoc walker variant with debounced notes autosave ... d3fd9143d7

The session variant that Phase 1 L1 users actually hit (intake creates
adhoc sessions when no flow_id is provided). Single-pane note-taking
surface with 300ms-debounced autosave to walk_notes. Shares header
shape + Resolve/Escalate modals with the tree variant. Splits the
notes textarea by paragraph and persists each as a structured
AdhocNote entry. Stops saving once status leaves 'active'.

L1WalkPage now dispatches both variants.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(l1): drafts + tickets pages + coverage banner + seat counter widget ... 1acc780359

L1DraftsPage is a Phase 1 placeholder (AI drafts arrive in Phase 2).
L1TicketsPage replaces the stub with a status-filterable internal-tickets
queue. L1CoverageBanner renders inside L1RouteGuard so every /l1/* page
shows it for engineer-coverers (hidden for native L1). SeatCounterWidget
+ /api/seats.ts surface engineer + L1 seat usage from the /accounts/me/
seats endpoint (T9).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(l1): E2E Playwright suite + seed L1 + coverage engineer test users ... 6937bcaabd

l1-workspace.spec.ts covers:
- L1 user lands on /l1, intakes a problem, takes notes (autosave), resolves
- L1 cannot access /pilot, /trees/new, /escalations (route guards)
- Engineer with can_cover_l1 sees the L1 Workspace nav + coverage banner
- escalate-without-walk path via direct API call returns escalated session

Seed script adds l1@resolutionflow.example.com (l1_tech) and
engineer-coverage@resolutionflow.example.com (engineer + can_cover_l1).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs(l1): Phase 1 acceptance validation report ... 10b5d4e9b0

Full backend suite (1325/1325 passing, xdist) + L1-specific tests
(57/57) + L1 RLS tests (8/8) + frontend build (tsc clean, vite clean)
+ migration roundtrip results. Per-line checklist against spec §15.
Known Phase 2/3 items explicitly deferred per plan scope section.

fix(test): RLS fixture users INSERT missing NOT NULL columns
  test_l1_rls.py and test_rls_isolation.py seeded users without the
  five NOT NULL columns added in prior migrations (is_super_admin,
  is_team_admin, is_service_account, must_change_password, timezone).
  Also adds DROP SCHEMA before alembic upgrade in _ensure_rls_schema
  to prevent DuplicateTable errors when create_all tables are present.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fix(l1): write audit_logs rows at resolve/escalate with acting_as ... 7882b4723b

Per spec §5.6.1, audit rows are written at session terminal events
(resolve, escalate, escalate_without_walk). log_audit gains an optional
acting_as parameter that propagates the session's acting_as tag
('l1_coverage' for engineer coverers, null for native L1 users).
Final code review flagged this as Important — column existed but was
never populated. Four new integration tests cover all three paths.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs(l1): document session-ownership policy in _get_session_or_404 ... e8ca15d245

Sessions are account-scoped (per spec §7.9), not user-scoped, to support
team coverage. Comment-only fix surfaced by final review.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs(l1): explain why L1 router uses _tenant_deps, not _pro_deps ... 457f77eeb0

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fix(l1): toast on intake failure in L1Dashboard ... f436def20e

Final review flagged silent failure on intake error. Adds a toast with
the backend detail message (or fallback) on catch.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fix(l1): handle 402 seat_limit_exceeded on invite ... b5d8e82f64

Catches the structured detail from the seat-enforcement 402 and surfaces
a clear toast with current/limit counts instead of a silent failure.
Modal-with-upgrade-link is a v2 polish — Phase 1 just ships a toast.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs(l1): post-final-review fixes addendum to acceptance report ... 2f2f4eea29

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

chihlasm referenced this pull request 2026-05-29 03:53:24 +00:00

integration: landing + ai-structured-outputs + l1-workspace (Phase 1 internal-only) #190

chihlasm added 1 commit 2026-05-29 04:05:55 +00:00

fix(l1): block L1 users from engineer-only AI routes (/pilot, /assistant) ... 83d1f4cecd

The post-login redirect pushes l1_tech users from / to /l1, but a
bookmark, browser back, or direct URL still landed L1 users on /pilot,
where the page tried to POST /api/v1/ai-sessions and got 403. Frontend
swallowed that as a generic 'Failed to start AI conversation' toast.

Add a route-level redirect in ProtectedRoute so L1 users hitting /pilot
or /assistant bounce to /l1 — turns the backend 403 into a clean UX path
that matches the spec's intent (L1 = walker, engineer = pilot).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

chihlasm added 1 commit 2026-05-29 04:24:56 +00:00

Merge branch 'main' into feat/l1-workspace ... 4c83cebfca

# Conflicts:
#	frontend/src/router.tsx

chihlasm added 1 commit 2026-05-29 04:48:16 +00:00

fix(l1): replace any casts with structural error types (eslint) ... aca1360164

Frontend CI failed on @typescript-eslint/no-explicit-any in three L1
post-review fix sites. Replace `(err as any).response...` with the
codebase's established structural cast
`(err as { response?: { data?: { detail?: string } } })`, matching
TicketPickerModal / FolderEditModal / ProceduralEditorPage. The
AccountSettingsPage 402 handler gets the fuller seat-limit detail shape.

tsc clean, eslint clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

chihlasm added 1 commit 2026-05-29 05:06:05 +00:00

fix(l1): confine L1 techs to their surface + accessible rail nav labels ... 890cb80bef

Two regressions surfaced by running the L1 e2e suite against current main
(which carries PR #174's /home routing migration):

1. L1 post-login redirect keyed off `pathname === '/'`, but the authed index
   moved to /home in #174 — so L1 users landed on the engineer dashboard
   instead of /l1. Replace the ad-hoc '/' and /pilot|/assistant checks with a
   single allowlist: l1_tech users may only reach /l1*, /guides, /account,
   /change-password; everything else (incl. /home, /pilot, /trees/*,
   /escalations) bounces to /l1. Runs before the requiredRole check so L1
   users never trip the engineer-route role logic.

2. Rail nav Links exposed only the truncated shortLabel as their accessible
   name (title= is not an accessible-name source when visible text exists), so
   the "L1 Workspace" coverage-engineer link was unreachable by role+name. Add
   aria-label={item.label} for an accurate accessible name on every rail link.

Fixes all 3 failing cases in e2e/l1-workspace.spec.ts. tsc + eslint clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

chihlasm merged commit 57d28ac08e into main 2026-05-29 05:18:48 +00:00

chihlasm referenced this issue from a commit 2026-05-29 05:18:48 +00:00

Merge PR (#189) feat(l1): L1 workspace Phase 1 (internal-only) into main

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

10x-analysis

From 10x product analysis

backend

FastAPI/Python work

bug

Something isn't working

collaboration

Team sharing, escalation, notifications

database

PostgreSQL/schema changes

documentation

Documentation updates

duplicate

This issue or pull request already exists

enhancement

Improvement to existing feature

feature

New functionality

frontend

React work

good first issue

Good for newcomers

help wanted

Extra attention is needed

integration

PSA, external service integrations

intelligence

Analytics, AI, data-driven features

invalid

This doesn't seem right

priority: high

Do this soon

priority: low

Nice to have

priority: medium

Important but not urgent

question

Further information is requested

quick-win

Low effort, high value

strategic

Long-term strategic bet

ux

User experience improvements

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

chihlasm

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: chihlasm/resolutionflow#189