generated from coulomb/repo-seed
63 lines
2.2 KiB
Markdown
63 lines
2.2 KiB
Markdown
# Trusted Auto-Approval Migration
|
|
|
|
`trusted_auto_approve_candidate_graph` is historical migration behavior, not an
|
|
allowed acceptance path. Deterministic analysis may generate facts and
|
|
candidates, and deterministic quality gates may block or require review, but
|
|
approval now requires human judgement or configured agentic review.
|
|
|
|
## Identify Historical Runs
|
|
|
|
Use the inventory surfaces before rebuilding a repository with approved maps:
|
|
|
|
```bash
|
|
repo-scoping list-legacy-auto-approvals --format json
|
|
```
|
|
|
|
The API exposes the same inventory at:
|
|
|
|
```text
|
|
GET /review/migrations/trusted-auto-approvals
|
|
```
|
|
|
|
Each record identifies the repository, analysis run, review decision, current
|
|
approved ability count, scanner version when available, and the recommended next
|
|
step. These records are derived from review decisions whose action is
|
|
`trusted_auto_approve_candidate_graph`.
|
|
|
|
## Rebuild Without Losing Audit History
|
|
|
|
Historical review decisions are retained. Rebuilding characteristics creates a
|
|
new analysis run and can clear the currently approved characteristic tree, but it
|
|
does not delete the old review-decision audit trail.
|
|
|
|
1. Run a dry run:
|
|
|
|
```bash
|
|
repo-scoping rebuild-characteristics --repo <repo-id> --dry-run --no-llm
|
|
```
|
|
|
|
2. Inspect candidate output, quality-gate outcomes, and existing review
|
|
decisions.
|
|
|
|
3. Confirm the rebuild only when ready:
|
|
|
|
```bash
|
|
repo-scoping rebuild-characteristics --repo <repo-id> --confirm --agentic-review
|
|
```
|
|
|
|
4. If no agentic reviewer is configured, complete human review through the
|
|
candidate graph approval/edit/reject flow.
|
|
|
|
## Compatibility Notes
|
|
|
|
- `AnalysisRunCreate.trusted_auto_approve` remains as a deprecated API input
|
|
for older callers, but requests are routed to agentic review and do not
|
|
deterministically approve candidates.
|
|
- The CLI does not expose deterministic trusted auto-approval. Use
|
|
`--agentic-review` during rebuild or approve after human review.
|
|
- The service method `trusted_auto_approve_candidate_graph()` is guarded by
|
|
`allow_deprecated_migration_mode=True` and should only be used to replay or
|
|
inspect historical migration behavior in controlled tests or migration tools.
|
|
- Self-scoping assessment artifacts continue to flag
|
|
`trusted_auto_approve_candidate_graph` as review debt.
|