teleo-infrastructure/docs/reports/leo-working-state-20260709/gcp-cloudsql-studio-parity-gate-current.json
twentyOne2x fed5cb0805 Add guarded canonical claim application
- Normalize rich proposals into atomic reviewed canonical graph bundles with exact row verification.
- Harden reviewer/apply roles, upgrade ACLs, and prove generic plus Helmer lifecycles in isolated PostgreSQL.
- Publish repo-native VPS/GCP/Cory skills and live-readonly GCP inventory without changing the live VPS runtime.

`.agents/skills/crabbox/SKILL.md`
`.agents/skills/teleo-gcp-parity-ops/SKILL.md`
`.agents/skills/teleo-kb-db-change-workflow/SKILL.md`
`.agents/skills/teleo-leo-onboarding/SKILL.md`
`.agents/skills/teleo-vps-runtime-ops/SKILL.md`
`.agents/skills/working-leo-cory-outcomes/SKILL.md`
`docs/reports/leo-working-state-20260709/approve-claim-clone-canary-current.json`
`docs/reports/leo-working-state-20260709/approve-claim-clone-canary-current.md`
`docs/reports/leo-working-state-20260709/current-truth-index.md`
`docs/reports/leo-working-state-20260709/gcp-cloud-sql-t3-live-readonly-current.json`
`docs/reports/leo-working-state-20260709/gcp-cloud-sql-t3-live-readonly-current.md`
`docs/reports/leo-working-state-20260709/gcp-cloudsql-studio-parity-gate-current.json`
`docs/reports/leo-working-state-20260709/gcp-cloudsql-studio-parity-gate-current.md`
`docs/reports/leo-working-state-20260709/gcp-parallel-delegation-current.json`
`docs/reports/leo-working-state-20260709/helmer-approve-claim-clone-canary-current.json`
`docs/reports/leo-working-state-20260709/helmer-approve-claim-normalization-current.json`
`docs/reports/leo-working-state-20260709/skill-pack-manifest.json`
`docs/reports/leo-working-state-20260709/skill-pack-readme.md`
`docs/reports/leo-working-state-20260709/working-leo-current-state-20260709.md`
`docs/reports/leo-working-state-20260709/working-leo-definition-20260709.md`
`docs/reports/leo-working-state-20260709/working-leo-execution-plan-current.md`
`scripts/apply_proposal.py`
`scripts/apply_worker.py`
`scripts/approve_proposal.py`
`scripts/kb_apply_prereqs.sql`
`scripts/kb_proposal_normalize.py`
`scripts/probe_gcp_db_parity.py`
`scripts/run_approve_claim_clone_canary.py`
`scripts/run_approve_claim_isolated_container_canary.sh`
`tests/test_apply_proposal.py`
`tests/test_apply_worker.py`
`tests/test_approve_proposal.py`
`tests/test_kb_apply_prereqs.py`
`tests/test_kb_proposal_normalize.py`
`tests/test_kb_proposal_routes.py`
`tests/test_probe_gcp_db_parity.py`
`tests/test_repo_skill_pack.py`
2026-07-10 17:49:37 +02:00

85 lines
4.6 KiB
JSON

{
"schema": "teleo.gcpCloudSqlStudioParityGate.v1",
"captured_at_utc": "2026-07-10T06:57:22.085Z",
"source_thread_id": "019f47af-f2cc-7c10-b928-a9283afa2621",
"current_canary": "Open Cloud SQL Studio for teleo-pgvector-standby with authuser=5, authenticate only with an already-authorized principal, execute a transaction-level read-only schema/count parity query, and roll it back.",
"required_tier": "T3_live_readonly",
"current_tier": "T0_spec",
"supporting_gate_evidence_tier": "T3_live_readonly",
"status": "blocked_with_artifact",
"strongest_claim_allowed": "The authenticated Cloud SQL Studio surface is live and reachable for teleo-pgvector-standby, but it did not expose an existing IAM database principal. The visible login flow required built-in database authentication with a password credential. No database session or SQL readback was established, so database contents and VPS parity remain unproven.",
"control_plane_evidence_source": "/Users/user/Documents/Codex/2026-07-10/leo-gcp-control-plane/outputs/gcp-cloud-sql-t3-live-readonly-current.json",
"target": {
"project": "teleo-501523",
"instance": "teleo-pgvector-standby",
"connection_name": "teleo-501523:europe-west6:teleo-pgvector-standby",
"engine": "PostgreSQL 16.14",
"private_endpoint": "10.61.0.3:5432",
"network": "teleo-staging-net",
"instance_iam_db_authentication_flag": "on",
"console_account": "b***@livingip.xyz"
},
"live_studio_readback": {
"studio_url_sanitized": "https://console.cloud.google.com/sql/instances/teleo-pgvector-standby/studio?authuser=5&project=teleo-501523",
"studio_loaded": true,
"login_dialog_visible": true,
"database_selector_visible": true,
"user_selector_visible": true,
"iam_database_authentication_option_visible": true,
"iam_database_authentication_option_enabled": false,
"built_in_database_authentication_selected": true,
"password_credential_required": true,
"password_value_retained": false,
"authenticate_clicked": false
},
"sql_execution": {
"database_session_established": false,
"begin_transaction_read_only_executed": false,
"current_database_read": false,
"current_user_read": false,
"transaction_read_only_read": false,
"catalog_or_table_selects_executed": false,
"rollback_executed": false,
"query_timestamp_utc": null
},
"parity_fields": {
"database_name": null,
"schemas": null,
"public.claims": null,
"public.sources": null,
"public.claim_evidence": null,
"public.claim_edges": null,
"kb_stage.kb_proposals": null,
"proposal_ids_and_statuses": null,
"selected_row_identities": null,
"gcp_vs_vps": null,
"ahead_behind_equal": null
},
"actions": [
"Opened the authenticated instance Overview URL with authuser=5 in an agent-created Chrome tab.",
"Discovered the exact Cloud SQL Studio href from the live instance navigation.",
"Opened Cloud SQL Studio and read the visible database-login state.",
"Stopped before authentication because the IAM option was disabled and the selected built-in flow required a password credential.",
"Did not open browser SSH because that path may create an ephemeral key.",
"Finalized Chrome and closed the agent-created tab."
],
"exact_gate": "Cloud SQL Studio exposes no enabled existing IAM database principal for this console session. Its selected built-in authentication path requires a raw database password, which this lane is forbidden to inspect, submit, recover, or replace.",
"why_autonomous_repair_stops": "Authenticating would require handling a raw password, or creating/granting a database or IAM principal. Both are explicit stop conditions, and the latter would mutate GCP or the database.",
"clear_CTA": "Using an already-existing authorized database principal, have an operator complete the Cloud SQL Studio database login without sharing credentials with Codex, then tell Codex the Studio editor is authenticated. Otherwise route IAM/user enablement to a separately authorized write lane.",
"next_non_user_action": "Once Studio is already authenticated with an existing principal, run only BEGIN TRANSACTION READ ONLY; identity/read-only checks; catalog/table/count SELECTs; and ROLLBACK, then retain the sanitized results.",
"cleanup_readback": {
"browser_finalized": true,
"agent_created_tab_closed": true,
"database_session_open": false,
"transaction_open": false,
"gcp_writes": 0,
"database_writes": 0,
"iam_changes": 0,
"credential_or_key_creation": 0,
"browser_ssh_opened": false,
"service_restarts": 0,
"deploys": 0,
"telegram_sends": 0
},
"secret_values_included": false
}