generated from coulomb/repo-seed
Add trusted auto-approval migration inventory
@@ -91,6 +91,9 @@ legacy path must be identifiable in review decisions and self-scoping
|
||||
assessment artifacts. They should be treated as review debt, not as evidence
|
||||
that deterministic approval is allowed.
|
||||
|
||||
The migration inventory and rebuild procedure are documented in
|
||||
`docs/migrations/trusted-auto-approval.md`.
|
||||
|
||||
## Quality Criteria Relationship
|
||||
|
||||
The quality criteria registry in `docs/quality-criteria/` defines the formal
|
||||
|
||||
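Review bot: The new pointer to `docs/migrations/trusted-auto-approval.md`, added just before the "Quality Criteria Relationship" heading, is a bare code-formatted path rather than a Markdown link, so it does not render as clickable and a link checker will not notice if the file is later moved or renamed. Suggest making it a relative link to the new document. It would also help to say in the same sentence that the inventory is what identifies the legacy decisions this paragraph calls review debt, so the reader knows why to follow the pointer.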
62
docs/migrations/trusted-auto-approval.md
Normal file
@@ -0,0 +1,62 @@
|
||||
# Trusted Auto-Approval Migration
|
||||
|
||||
`trusted_auto_approve_candidate_graph` is historical migration behavior, not an
|
||||
allowed acceptance path. Deterministic analysis may generate facts and
|
||||
candidates, and deterministic quality gates may block or require review, but
|
||||
approval now requires human judgement or configured agentic review.
|
||||
|
||||
## Identify Historical Runs
|
||||
|
||||
Use the inventory surfaces before rebuilding a repository with approved maps:
|
||||
|
||||
```bash
|
||||
repo-scoping list-legacy-auto-approvals --format json
|
||||
```
|
||||
|
||||
The API exposes the same inventory at:
|
||||
|
||||
```text
|
||||
GET /review/migrations/trusted-auto-approvals
|
||||
```
|
||||
|
||||
Each record identifies the repository, analysis run, review decision, current
|
||||
approved ability count, scanner version when available, and the recommended next
|
||||
step. These records are derived from review decisions whose action is
|
||||
`trusted_auto_approve_candidate_graph`.
|
||||
|
||||
## Rebuild Without Losing Audit History
|
||||
|
||||
Historical review decisions are retained. Rebuilding characteristics creates a
|
||||
new analysis run and can clear the currently approved characteristic tree, but it
|
||||
does not delete the old review-decision audit trail.
|
||||
|
||||
1. Run a dry run:
|
||||
|
||||
```bash
|
||||
repo-scoping rebuild-characteristics --repo <repo-id> --dry-run --no-llm
|
||||
```
|
||||
|
||||
2. Inspect candidate output, quality-gate outcomes, and existing review
|
||||
decisions.
|
||||
|
||||
3. Confirm the rebuild only when ready:
|
||||
|
||||
```bash
|
||||
repo-scoping rebuild-characteristics --repo <repo-id> --confirm --agentic-review
|
||||
```
|
||||
|
||||
4. If no agentic reviewer is configured, complete human review through the
|
||||
candidate graph approval/edit/reject flow.
|
||||
|
||||
## Compatibility Notes
|
||||
|
||||
- `AnalysisRunCreate.trusted_auto_approve` remains as a deprecated API input
|
||||
for older callers, but requests are routed to agentic review and do not
|
||||
deterministically approve candidates.
|
||||
- The CLI does not expose deterministic trusted auto-approval. Use
|
||||
`--agentic-review` during rebuild or approve after human review.
|
||||
- The service method `trusted_auto_approve_candidate_graph()` is guarded by
|
||||
`allow_deprecated_migration_mode=True` and should only be used to replay or
|
||||
inspect historical migration behavior in controlled tests or migration tools.
|
||||
- Self-scoping assessment artifacts continue to flag
|
||||
`trusted_auto_approve_candidate_graph` as review debt.
|
||||
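Review bot: The first bullet under "Compatibility Notes" says requests that set `AnalysisRunCreate.trusted_auto_approve` are "routed to agentic review", while step 4 of the rebuild procedure allows for no agentic reviewer being configured; the document never says what a deprecated request does in that case. Please state the outcome explicitly (for example, that the run stays pending human review and is never approved deterministically), since that is the fail-closed property this migration depends on. Separately, the bullet on `trusted_auto_approve_candidate_graph()` describes `allow_deprecated_migration_mode=True` as something that "should only be used" in controlled tests or migration tools, which is a convention rather than an enforced control; the note should say whether decisions created through that flag appear in the `list-legacy-auto-approvals` inventory, so that any use of it is visible in review.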