<!-- Keep under ~2K tokens. Old handoffs live in SESSION_LOG.md. Do not let this file accumulate history. -->

# HANDOFF.md

**Last updated:** 2026-04-25 06:12 EDT

**Active task:** Restore green CI gate on `main` and lock it via branch protection. See [CURRENT_TASK.md](CURRENT_TASK.md).

**Branch:** `fix/ci-workflow-config`

## Current state

Previous session fixed the 54 real backend failures left after #149. The default backend suite is now green locally:

```bash
docker exec resolutionflow_backend bash -lc 'pytest --override-ini="addopts=" -q > /tmp/full-backend.log 2>&1; code=$?; tail -n 160 /tmp/full-backend.log; exit $code'
# 1076 passed, 35 deselected in 1347.41s (0:22:27)
```

Targeted validation also passed:

- `tests/test_session_resolutions_api.py tests/test_session_sharing.py tests/test_session_suggested_fixes_api.py tests/test_survey.py tests/test_tenant_isolation_p0.py tests/test_tree_sharing.py tests/test_trees.py::TestTrees::test_delete_tree_cleans_up_folder_and_tag_assignments tests/test_uploads.py::test_delete_upload_forbidden_for_non_owner` → `73 passed`
- PDF export tests → `3 passed`
- Prompt/PSA/resolution/script-builder subset → `14 passed`
- Admin/AI/branch subsets → `11 passed`

## What changed

Production fixes:

- CI/backend dev image now installs WeasyPrint system libraries.
- Public share-token and survey routes are mounted outside tenant auth; protected share management remains tenant-protected.
- Folder creation now persists `UserFolder.account_id`.
- Script Builder save-to-library now persists `ScriptTemplate.account_id`.
- Resolution output generation eager-loads `AISession.steps` to avoid async lazy-load `MissingGreenlet`.
- AI session model now declares the generated `search_vector` column already present in Alembic, so `create_all` test schemas match runtime migrations.
- Direct account-role update now rejects `"owner"`; ownership changes must use the transfer path.
- Assistant prompt marker examples no longer include a literal executable `create_spin_off_ticket` payload.

Test/harness fixes:

- Test seeds updated for tenant-scoped `account_id` columns on sessions, branches, resolution outputs, script templates, PSA connections, folders, schedules, and categories.
- Tests aligned with 404-not-403 resource-hiding policy.
- Disabled-AI tests now restore both Anthropic and Google key settings.
- Pytest harness closes pytest-asyncio's leftover clean loop and ignores known unclosed asyncio/asyncpg teardown ResourceWarnings that otherwise appear at arbitrary later setup points under `filterwarnings = error`.

## Immediate next steps

1. Commit current working tree if not already committed with trailer:
   `Co-Authored-By: Codex <noreply@openai.com>`.
2. Check PR #150 status on Gitea. If both `CI / backend (pull_request)` and `CI / frontend (pull_request)` are green, merge it.
3. After #150 merges, add `CI / backend (pull_request)` to required status checks on main:
   ```bash
   PATCH /repos/chihlasm/resolutionflow/branch_protections/main
   { "status_check_contexts": ["CI / frontend (pull_request)", "CI / backend (pull_request)"] }
   ```
   `$GITEA_TOKEN` is in `.claude/settings.local.json`.
4. Run/confirm frontend lint if needed for the final DoD item (`npm run lint` was already green after #149, but this session did not rerun it).

## Open questions

- PR #150 was not rechecked or merged in this session.
- Branch protection was not updated in this session.