teleo-infrastructure/scripts/kb_apply_prereqs.sql
Fawaz 7bb6fc417b
Some checks are pending
CI / lint-and-test (push) Waiting to run
feat(kb): apply_proposal engine (stage 2 of KB apply pipeline) (#35)
* feat(kb): apply_proposal engine to land approved proposals into canonical

Stage 2 of the KB apply pipeline (approve -> APPLY -> render -> surface).
Turns an approved kb_stage.kb_proposals row into canonical public.* rows and
flips the ledger to 'applied' in one verified transaction.

- Connects as the narrow kb_apply role (never superuser): writes only
  strategies, strategy_nodes, claim_evidence, claim_edges + kb_proposals ledger.
  Enforces "agents propose, do not self-apply" at the DB boundary.
- Per-type handlers: revise_strategy (versioned strategy + node replace),
  add_edge, attach_evidence (requires existing source_id; source minting is
  intentionally out of scope for kb_apply's grants).
- Strict apply_payload contract (v1); freeform eval packets are normalized
  upstream, not applied directly.
- --dry-run prints exact SQL; idempotent (refuses non-approved / already-applied);
  transactional with an in-txn DO-block invariant check that rolls back on failure.
- Unit tests cover SQL builders, validation, dispatch, and status guards.

* fix(kb): rowcount=1 apply guard + real applied_by FK stamp

Closes the three draft-exit review items on the apply engine:

- Ledger flip now runs in a DO block asserting exactly one 'approved'
  row moved to 'applied' (GET DIAGNOSTICS row_count). Closes the
  concurrent double-apply race — load_proposal (read) and the flip
  (write) are separate statements, so a row lock cannot span them; only
  one concurrent apply can match status='approved', so rowcount=1 is the
  authoritative guard. A loser RAISEs and the whole txn rolls back.
- applied_by_agent_id is stamped as a real FK resolved from public.agents
  by handle, defaulting to the kb-apply service agent — no more NULL FK,
  no backfill needed.
- scripts/kb_apply_prereqs.sql: one-time superuser bootstrap — inserts the
  kb-apply service-agent row (kb_apply never gets INSERT on agents), grants
  kb_apply SELECT on public.agents, and ensures the one-active-strategy
  unique index (idempotent; already present on prod).

18/18 unit tests pass.

* fix(kb): hard-resolve applied_by handle, RAISE on NULL FK

Resolve applied_by into a variable and assert NOT NULL before the ledger
flip, instead of an inline subselect that silently stamps a NULL
applied_by_agent_id on an unresolved handle. Since the FK is ON DELETE SET
NULL, a bad handle (typo/unseeded agent) was a legal silent NULL -- the
perpetually-NULL FK we eliminated. Unresolved handle now hard-fails ->
rollback. Non-default --applied-by (operator, future drafters) is the path
that goes through the lookup and could strand NULL.
2026-07-04 19:57:49 -04:00

31 lines
1.5 KiB
PL/PgSQL

-- kb_apply prerequisites -- run ONCE as the postgres superuser at deploy time.
--
-- Stage 2 of the KB apply pipeline (scripts/apply_proposal.py) connects as the
-- narrow kb_apply role and stamps applied_by_agent_id as a real FK. The FK is
-- resolved from public.agents by handle, so before the first apply:
-- 1. a 'kb-apply' service-agent row must exist (one-time bootstrap fixture),
-- 2. kb_apply needs SELECT on public.agents to resolve it (never INSERT),
-- 3. the one-active-strategy invariant must be enforced by a unique index.
--
-- Every statement is idempotent; re-running the file is a no-op. It grants no
-- write on public.agents to kb_apply -- the service-agent row is written here,
-- once, by the superuser, and the runtime role only ever reads it.
begin;
-- 1. Service-agent fixture. This INSERT is the one-time superuser bootstrap;
-- kb_apply itself never gains INSERT on public.agents (SELECT only, below).
insert into public.agents (id, handle, kind)
values ('44444444-4444-4444-4444-444444444444', 'kb-apply', 'service')
on conflict (handle) do nothing;
-- 2. Allow the apply tool to resolve applied_by_agent_id. Read-only, no INSERT.
grant select on public.agents to kb_apply;
-- 3. Enforce "one active strategy per agent" at the database. Already present on
-- current prod as one_active_strategy_per_agent; IF NOT EXISTS documents and
-- guarantees the dependency for fresh environments (no-op where it exists).
create unique index if not exists one_active_strategy_per_agent
on public.strategies (agent_id) where active;
commit;